oss-security mailing list

Follow @Openwall on Twitter for new release announcements and other news

oss-security mailing list

	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2025	92	75	93	49
2024	80	100	178	197	72	47	128	107	58	52	87	44
2023	69	62	100	107	99	78	87	60	122	198	86	101
2022	116	50	47	79	83	58	77	86	76	70	95	108
2021	92	91	98	90	88	59	61	82	49	76	60	47
2020	52	47	38	82	70	67	76	64	71	85	90	66
2019	102	48	49	86	51	103	107	80	71	75	67	70
2018	122	81	84	81	71	104	71	135	78	120	75	84
2017	252	278	171	171	209	278	225	157	214	162	196	93
2016	258	207	271	183	267	193	214	184	287	294	257	241
2015	377	336	355	319	277	243	266	197	195	206	205	208
2014	214	252	249	211	183	317	273	201	413	485	382	318
2013	217	323	246	258	200	201	260	265	163	203	182	199
2012	333	189	294	216	234	128	150	207	234	192	191	161
2011	153	169	318	354	159	224	258	164	137	203	241	146
2010	72	96	123	118	115	142	119	144	203	84	187	139
2009	89	81	75	114	96	59	84	99	102	122	108	74
2008		104	103	143	136	112	150	125	127	123	128	107

Recent messages:

2025/04/13 #1: Re: CVE-2025-0395: Buffer overflow in the GNU C Library's assert() (Solar Designer <solar@...nwall.com>)
2025/04/12 #2: Security audit of PHP (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/04/12 #1: CVE-2025-32896: Apache SeaTunnel: Unauthenticated insecure access (Hailin Wang <wanghailin@...che.org>)
2025/04/11 #1: CVE-2025-24859: Apache Roller: Insufficient Session Expiration on Password Change ("David M. Johnson" <snoopdave@...che.org>)
2025/04/10 #6: Re: CVE-2024-50217: Linux kernel: btrfs: Use-after-free of block device file in __btrfs_free_extra_devids() (Demi Marie Obenour <demiobenour@...il.com>)
2025/04/10 #5: Re: CVE-2024-50217: Linux kernel: btrfs: Use-after-free of block device file in __btrfs_free_extra_devids() (Greg KH <gregkh@...uxfoundation.org>)
2025/04/10 #4: CVE-2024-50217: Linux kernel: btrfs: Use-after-free of block device file in __btrfs_free_extra_devids() ("akendo@...ndo.eu" <akendo@...ndo.eu>)
2025/04/10 #3: Re: CVE-2025-29868: Apache Answer: Using externally referenced images can leak user privacy. (LinkinStar <linkinstar@...che.org>)
2025/04/10 #2: Vulnerabilities in Jenkins Docker images (Daniel Beck <ml@...kweb.net>)
2025/04/10 #1: Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. (Sebastian Pipping <sebastian@...ping.org>)
2025/04/09 #7: Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. (Bernhard Rosenkränzer <bero@...dev.ch>)
2025/04/09 #6: Re: Announce: OpenSSH 10.0 released (Damien Miller <djm@....openbsd.org>)
2025/04/09 #5: Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. (Sebastian Pipping <sebastian@...ping.org>)
2025/04/09 #4: xmlrpc-c bundles a (very old and) vulnerable copy of libexpat (Sebastian Pipping <sebastian@...ping.org>)
2025/04/09 #3: CVE-2025-27391: Apache ActiveMQ Artemis: Passwords leaking from broker properties in the debug log (Domenico Francesco Bruscino <brusdev@...che.org>)
2025/04/09 #2: CVE-2025-30677: Apache Pulsar IO Kafka Connector, Apache Pulsar IO Kafka Connect Adaptor: Sensitive information logged in Puls… (Lari Hotari <lhotari@...che.org>)
2025/04/09 #1: Announce: OpenSSH 10.0 released (Damien Miller <djm@....openbsd.org>)
2025/04/08 #5: CVE-2025-30215: nats-server: Missing access controls for JS API (Phil Pennock <oss-security-phil@...dhuis.org>)
2025/04/08 #4: Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability (Andrew Cooper <andrew.cooper3@...rix.com>)
2025/04/08 #3: CVE-2025-31498: c-ares use-after-free (Brad House <brad@...d-house.com>)
2025/04/08 #2: CVE-2025-31672: Apache POI: parsing OOXML based files (xlsx, docx, etc.), poi-ooxml could read unexpected data if underlying … (PJ Fanning <fanningpj@...che.org>)
2025/04/08 #1: Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. (李亚杰 <liyajie@...neuler.sh>)
2025/04/07 #6: Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. (Bernhard Rosenkränzer <bero@...dev.ch>)
2025/04/07 #5: Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. (Hanno Böck <hanno@...eck.de>)
2025/04/07 #4: Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. (Mingcong Bai <jeffbai@...c.io>)
2025/04/07 #3: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. (李亚杰 <liyajie@...neuler.sh>)
2025/04/07 #2: WebKitGTK and WPE WebKit Security Advisory WSA-2025-0003 (Adrian Perez de Castro <aperez@...lia.com>)
2025/04/07 #1: PowerDNS Recursor Security Advisory 2025-01 regarding PowerDNS Recusor 5.2.0 (Otto Moerbeek <otto.moerbeek@...erdns.com>)
2025/04/06 #3: Re: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection (Jeffrey Walton <noloader@...il.com>)
2025/04/06 #2: Re: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection (Solar Designer <solar@...nwall.com>)
2025/04/06 #1: Re: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection (Hanno Böck <hanno@...eck.de>)
2025/04/04 #4: CVE-2025-22871 : Go net/http: request smuggling through invalid chunked data (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/04/04 #3: pgAdmin 4 v9.2 fixes CVE-2025-2945 & CVE-2025-2946 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/04/04 #2: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection (Elad Kalif <eladkal@...che.org>)
2025/04/04 #1: CVE-2025-3155 GNOME Yelp: Arbitrary file read by abusing ghelp scheme (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/04/03 #3: Re: XZ Utils: Threaded decoder frees memory too early (CVE-2025-31115) (Sam James <sam@...too.org>)
2025/04/03 #2: Re: XZ Utils: Threaded decoder frees memory too early (CVE-2025-31115) (Sam James <sam@...too.org>)
2025/04/03 #1: XZ Utils: Threaded decoder frees memory too early (CVE-2025-31115) (Sam James <sam@...too.org>)
2025/04/02 #5: CVE-2025-2704 - OpenVPN 2.6.1 through 2.6.13 with possible DoS (David Sommerseth <dazo@...ephia.org>)
2025/04/02 #4: [ANNOUNCE] ATS is vulnerable to request smuggling via chunked messages (Masakazu Kitajo <maskit@...che.org>)
2025/04/02 #3: Multiple vulnerabilities in Jenkins and Jenkins plugins (Kevin Guerroudj <kguerroudj@...udbees.com>)
2025/04/02 #2: CVE-2025-27556: Django: Potential DoS in LoginView, LogoutView, and set_language() on Windows (Natalia Bidart <nataliabidart@...ngoproject.com>)
2025/04/02 #1: Re: CVE-2025-29868: Apache Answer: Using externally referenced images can leak user privacy. (Jacob Bachmeyer <jcb62281@...il.com>)
2025/04/01 #6: Re: Linux kernel: CVE-2024-57882 fix did not prevent data stream corruption in the MPTCP protocol (Solar Designer <solar@...nwall.com>)
2025/04/01 #5: CVE-2025-30676: Apache OFBiz: Stored XSS Vulnerability (Jacques Le Roux <jleroux@...che.org>)
2025/04/01 #4: CVE-2025-30177: Apache Camel: Camel-Undertow Message Header Injection via Improper Filtering (Andrea Cosentino <acosentino@...che.org>)
2025/04/01 #3: Linux kernel: CVE-2024-57882 fix did not prevent data stream corruption in the MPTCP protocol (Arthur Mongodin <amongodin@...dorisec.fr>)
2025/04/01 #2: CVE-2025-29868: Apache Answer: Using externally referenced images can leak user privacy. (Enxin Xie <linkinstar@...che.org>)
2025/04/01 #1: CVE-2025-30065: Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an Avro schema from a Parquet… (Gang Wu <gangwu@...che.org>)
2025/03/31 #1: CVE-2025-27427: Apache ActiveMQ Artemis: Address routing-type can be updated by user without the createAddress permission (Justin Bertram <jbertram@...che.org>)
2025/03/29 #1: CVE-2025-31160 Atop 2.11 heap problems (Gerlof Langeveld <gerlof.langeveld@...ptool.nl>)
2025/03/28 #2: Re: atop: Heap corruption (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/03/28 #1: use-after-free (maybe?) in libspf2 (Hanno Böck <hanno@...eck.de>)
2025/03/27 #8: CVE-2024-56325: Apache Pinot: Authentication bypass issue. If the path does not contain / and contain . authentication … (siddharth teotia <siddharthteotia@...il…)
2025/03/27 #7: wait3() system call as a side-channel in setuid programs (nvidia-modprobe CVE-2024-0149) (Wolfgang Frisch <wfrisch@...e.de>)
2025/03/27 #6: Three bypasses of Ubuntu's unprivileged user namespace restrictions (Qualys Security Advisory <qsa@...lys.com>)
2025/03/27 #5: CVE-2024-48944: Apache Kylin: SSRF vulnerability in the diagnosis api (Li Yang <liyang@...che.org>)
2025/03/27 #4: CVE-2025-30067: Apache Kylin: The remote code execution via jdbc url (Li Yang <liyang@...che.org>)
2025/03/27 #3: Re: atop: Heap corruption (Solar Designer <solar@...nwall.com>)
2025/03/27 #2: Re: atop: Heap corruption (Mark Steward <marksteward@...il.com>)
2025/03/27 #1: Re: atop: Heap corruption (Thomas Ward <teward@...mas-ward.net>)
2025/03/26 #3: Re: atop: Heap corruption (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/03/26 #2: atop: Heap corruption (Solar Designer <solar@...nwall.com>)
2025/03/26 #1: CVE-2025-30232: UAF in Exim 4.96 to 4.98.1 (Valtteri Vuorikoski <vuori@...com.org>)
2025/03/24 #4: Re: [kubernetes] Multiple vulnerabilities in ingress-nginx (Kevin Daudt <me@...e.info>)
2025/03/24 #3: [kubernetes] Multiple vulnerabilities in ingress-nginx (Tabitha Sable <tabitha.c.sable@...il.com>)
2025/03/24 #2: CVE-2024-53679: Apache VCL: XSS vulnerability in User Lookup impacting user privileges (Josh Thompson <jfthomps@...che.org>)
2025/03/24 #1: CVE-2024-53678: Apache VCL: SQL injection vulnerability in New Block Allocation form (Josh Thompson <jfthomps@...che.org>)
2025/03/23 #4: Re: CVE-2025-29927: Authorization Bypass in Next.js Middleware (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/03/23 #3: CVE-2025-29927: Authorization Bypass in Next.js Middleware (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/03/23 #2: CVE-2025-30474: Apache Commons VFS: Failing to find an FTP file can reveal the URI's password in an error message ("Gary D. Gregory" <ggregory@...che.org>)
2025/03/23 #1: CVE-2025-27553: Apache Commons VFS: Possible path traversal issue when using NameScope.DESCENDENT ("Gary D. Gregory" <ggregory@...che.org>)
2025/03/21 #2: Mercurial 6.9.4 fixes CVE-2025-2361: XSS in hgweb (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/03/21 #1: CVE-2025-26796: Apache Oozie: XSS in Oozie Web Console (Arnout Engelen <engelen@...che.org>)
2025/03/20 #2: [kubernetes] CVE-2024-7598: Network restriction bypass via race condition during namespace termination (Craig Ingram <cjingram@...gle.com>)
2025/03/20 #1: WebKitGTK and WPE WebKit Security Advisory WSA-2025-0002 (Adrian Perez de Castro <aperez@...lia.com>)
2025/03/19 #7: CVE-2025-27888: Apache Druid: Server-Side Request Forgery and Cross-Site Scripting (Adarsh Sanjeev <adarshsanjeev@...che.org>)
2025/03/19 #6: CVE-2024-54016: compression bomb attack in Apache Seata Server (Min Ji <jimin@...che.org>)
2025/03/19 #5: CVE-2024-47552: Apache Seata (incubating): Deserialization of untrusted Data in jraft mode in Apache Seata Server (Min Ji <jimin@...che.org>)
2025/03/19 #4: CVE-2025-27018: Apache Airflow MySQL Provider: SQL injection in MySQL provider core function (Elad Kalif <eladkal@...che.org>)
2025/03/19 #3: Multiple vulnerabilities in Jenkins plugins (Daniel Beck <ml@...kweb.net>)
2025/03/19 #2: Re: tj-action/changed-files GitHub action was compromised (Jacob Bachmeyer <jcb62281@...il.com>)
2025/03/19 #1: Re: tj-action/changed-files GitHub action was compromised (Mark Esler <mark.esler@...inguard.dev>)
2025/03/15 #2: tj-action/changed-files GitHub action was compromised (Mark Esler <mark.esler@...inguard.dev>)
2025/03/15 #1: Re: expat vulnerability CVE-2024-8176 / impact of recursion stack overflow vulnerabilities (Qualys Security Advisory <qsa@...lys.com>)
2025/03/14 #7: expat vulnerability CVE-2024-8176 / impact of recursion stack overflow vulnerabilities (Hanno Böck <hanno@...eck.de>)
2025/03/14 #6: PHP security releases 8.4.5, 8.3.19, 8.2.28, 8.1.32 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/03/14 #5: [CVE-2024-8176] Long linear chains of entities crash Expat with stack overflow due to use of unlimited recursion (Alan Coopersmith <alan.coopersmith@...cle.com…)
2025/03/14 #4: Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 ("Michel Lind" <michel@...hel-slm.name>)
2025/03/14 #3: Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 (Marc Deslauriers <marc.deslauriers@...onical.com>)
2025/03/14 #2: Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 (Marc Deslauriers <marc.deslauriers@...onical.com>)
2025/03/14 #1: Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 (Michel Lind <michel@...hel-slm.name>)
2025/03/13 #12: Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 (Vulnerability Disclosure <vulns@...a.com>)
2025/03/13 #11: Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 (Salvatore Bonaccorso <carnil@...ian.org>)
2025/03/13 #10: Triton Product Security announcement: Debian 12 LX image from 2024-07 has static SSH keys (Dan McDonald <danmcd@....io>)
2025/03/13 #9: [kubernetes] CVE-2025-1767: GitRepo Volume Inadvertent Local Repository Access ("Vellore Rajakumar, Sri Saran Balaji" <srajakum@...zon.com>)
2025/03/13 #8: Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 (Marc Deslauriers <marc.deslauriers@...onical.com>)
2025/03/13 #7: Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 (Christian Brabandt <cb@...bit.org>)
2025/03/13 #6: Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 (Eli Schwartz <eschwartz@...too.org>)
2025/03/13 #5: Re: [vim-security] potential data loss with zip.vim and special crafted zip files in Vim < v9.1.1198 (Solar Designer <solar@...nwall.com>)

31008 messages

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.