oss-security mailing list
Recent messages:
- 2025/09/23 #4:
Re: process exit statuses (was: CVE-2023-51767) (Simon McVittie <smcv@...ian.org>)
- 2025/09/23 #3:
Re: CVE-2023-51767: a bogus CVE in OpenSSH (Jacob Bachmeyer <jcb62281@...il.com>)
- 2025/09/23 #2:
Re: CVE-2023-51767: a bogus CVE in OpenSSH (Solar Designer <solar@...nwall.com>)
- 2025/09/23 #1:
Re: CVE-2023-51767: a bogus CVE in OpenSSH (Pedro Sampaio <psampaio@...hat.com>)
- 2025/09/22 #3:
WebKitGTK and WPE WebKit Security Advisory WSA-2025-0006 (Adrian Perez de Castro <aperez@...lia.com>)
- 2025/09/22 #2:
Re: CVE-2023-51767: a bogus CVE in OpenSSH (Stuart D Gathman <stuart@...hman.org>)
- 2025/09/22 #1:
CVE-2023-51767: a bogus CVE in OpenSSH (Damien Miller <djm@...drot.org>)
- 2025/09/19 #2:
CVE-2025-29847: Apache Linkis: Arbitrary File Read via Double URL
Encoding Bypass (Chen Xia <casion@...che.org>)
- 2025/09/19 #1:
CVE-2025-59355: Apache Linkis: Password Exposure (Chen Xia <casion@...che.org>)
- 2025/09/18 #1:
PowerDNS Security Advisory 2025-05 for DNSdist: Denial of service via
crafted DoH exchange (Remi Gacogne <remi.gacogne@...erdns.com>)
- 2025/09/17 #1:
Multiple vulnerabilities in Jenkins (Daniel Beck <dbeck@...udbees.com>)
- 2025/09/16 #2:
libexpat 2.7.2 fixes CVE-2025-59375 (DoS, CWE-770) (Sebastian Pipping <sebastian@...ping.org>)
- 2025/09/16 #1:
[kubernetes] CVE-2025-9708: Kubernetes C# Client: improper
certificate validation in custom CA mode may lead to man-in-the-… (Rita Zhang <rita.z.zhang@...il.com>)
- 2025/09/15 #2:
[CVE-2025-38501] Linux kernel: KSMBD service DoS by TCP handshake (tianshuo han <hantianshuo233@...il.com>)
- 2025/09/15 #1:
CVE-2025-59328: Apache Fory: Denial of Service (DoS) due to
Deserialization of Untrusted malicious large Data (Chaokun Yang <chaokunyang@...che.org>)
- 2025/09/11 #2:
CVE-2025-58364 cups: Remote DoS via null dereference (Zdenek Dohnal <zdohnal@...hat.com>)
- 2025/09/11 #1:
CVE-2025-58060 cups: Authentication bypass with AuthType Negotiate (Zdenek Dohnal <zdohnal@...hat.com>)
- 2025/09/10 #5:
ISC has disclosed one vulnerability in Stork (CVE-2025-8696) (Ben Scott <bscott@....org>)
- 2025/09/10 #4:
Re: [SECURITY ADVISORY] curl: CVE-2025-10148:
predictable WebSocket mask (Emilio Pozuelo Monfort <pochu27@...il.com>)
- 2025/09/10 #3:
Re: [SECURITY ADVISORY] curl: CVE-2025-10148:
predictable WebSocket mask (Daniel Stenberg <daniel@...x.se>)
- 2025/09/10 #2:
[SECURITY ADVISORY] curl: CVE-2025-10148: predictable WebSocket
mask (Daniel Stenberg <daniel@...x.se>)
- 2025/09/10 #1:
[SECURITY ADVISORY] curl: CVE-2025-9086: Out of bounds read for
cookie path (Daniel Stenberg <daniel@...x.se>)
- 2025/09/09 #3:
Xen Security Advisory 474 v2 (CVE-2025-58146) - XAPI UTF-8 string
handling (Xen.org security team <security@....org>)
- 2025/09/09 #2:
Xen Security Advisory 473 v2 (CVE-2025-58144,CVE-2025-58145) -
Arm issues with page refcounting (Xen.org security team <security@....org>)
- 2025/09/09 #1:
Xen Security Advisory 472 v2 (CVE-2025-27466,CVE-2025-58142,CVE-2025-58143)
- Mutiple vulnerabilities in the Viridian i… (Xen.org security team <security@....org…)
- 2025/09/08 #3:
CVE-2025-40930: JSON::SIMD before version 1.07 and earlier for Perl
has an integer buffer overflow causing a segfault when… (Robert Rothenberg <rob@...tmail.net>)
- 2025/09/08 #2:
CVE-2025-40928: JSON::XS before version 4.04 for Perl has an integer
buffer overflow causing a segfault when parsing crafted … (Robert Rothenberg <rrwo@...n.org>)
- 2025/09/08 #1:
CVE-2025-40929: Cpanel::JSON::XS before version 4.40 for Perl has an
integer buffer overflow causing a segfault when parsing … (Robert Rothenberg <rrwo@...n.org>)
- 2025/09/06 #5:
CVE-2025-48208: Apache HertzBeat (incubating): Jmx JNDI injection
vulnerability (Chao Gong <gongchao@...che.org>)
- 2025/09/06 #4:
CVE-2025-24404: Apache HertzBeat (incubating): RCE by parse http
sitemap xml response (Chao Gong <gongchao@...che.org>)
- 2025/09/06 #3:
CVE-2025-58782: Apache Jackrabbit Core, Apache Jackrabbit JCR
Commons: JNDI injection risk with JndiRepositoryFactory (Marcel Reutegger <mreutegg@...che.org>)
- 2025/09/06 #2:
SQLite - Integer Overflow in FTS5 Extension
[CVE-2025-7709] (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2025/09/06 #1:
SQLite: Integer truncation in
findOrCreateAggInfoColumn [CVE-2025-6965] (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2025/09/04 #1:
CVE-2025-30001: Apache StreamPark: Authenticated users can trigger
remote command execution (Huajie Wang <benjobs@...che.org>)
- 2025/09/03 #4:
Multiple vulnerabilities in Jenkins plugins (Kevin Guerroudj <kguerroudj@...udbees.com>)
- 2025/09/03 #3:
CVE-2025-57833: Django: Potential SQL injection in FilteredRelation column aliases (Sarah Boyce <sarahboyce@...ngoproject.com>)
- 2025/09/03 #2:
CVE-2024-43166: Apache DolphinScheduler: CWE-276 Incorrect Default
Permissions (Lidong Dai <lidongdai@...che.org>)
- 2025/09/03 #1:
CVE-2024-43115: Apache DolphinScheduler: Alert Script Attack (Lidong Dai <lidongdai@...che.org>)
- 2025/08/28 #4:
Re: CVE-2025-8067 - UDisks (Solar Designer <solar@...nwall.com>)
- 2025/08/28 #3:
CVE-2025-58047: DoS in Volto (Plone CMS) ("Maurits van Rees (Plone)" <maurits@...ne.org>)
- 2025/08/28 #2:
Xen Security Advisory 471 v2 (CVE-2024-36350,CVE-2024-36357) -
x86: Transitive Scheduler Attacks (Xen.org security team <security@....org>)
- 2025/08/28 #1:
CVE-2025-8067 - UDisks (Marco Benatto <mbenatto@...hat.com>)
- 2025/08/27 #1:
ISC has disclosed one vulnerability in Kea (CVE-2025-40779) (Ben Scott <bscott@....org>)
- 2025/08/26 #2:
Re: libssh2 Base64 Encoding Heap Overflow in Known Hosts SHA1 Hash Processing (Solar Designer <solar@...nwall.com>)
- 2025/08/26 #1:
libssh2 Base64 Encoding Heap Overflow in Known Hosts SHA1 Hash Processing (Dhiraj Mishra <mishra.dhiraj95@...il.com>)
- 2025/08/22 #4:
CVE-2025-43023 in HPLIP for Use of 1024-bit DSA Key (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2025/08/22 #3:
CVE-2025-54813: Apache Log4cxx: Improper escaping with JSONLayout (Piotr Karwasz <pkarwasz@...che.org>)
- 2025/08/22 #2:
CVE-2025-54812: Apache Log4cxx: Improper HTML escaping in
HTMLLayout (Piotr Karwasz <pkarwasz@...che.org>)
- 2025/08/22 #1:
CVE-2024-48988: Apache StreamPark: SQL injection vulnerability (Huajie Wang <benjobs@...che.org>)
- 2025/08/21 #1:
Re: CVE-2025-54988: Apache Tika PDF parser module:
XXE vulnerability in PDFParser's handling of XFA (Hanno Böck <hanno@...eck.de>)
- 2025/08/20 #4:
Re: HTTP/2 implementations are vulnerable to
"MadeYouReset" DoS attack through HTTP/2 control frames (Nick Tait <ntait@...hat.com>)
- 2025/08/20 #3:
CVE-2025-54988: Apache Tika PDF parser module: XXE vulnerability
in PDFParser's handling of XFA (Tim Allison <tallison@...che.org>)
- 2025/08/20 #2:
CVE-2025-54988: Apache Tika PDF parser module: XXE vulnerability in
PDFParser's handling of XFA (Tim Allison <tallison@...che.org>)
- 2025/08/20 #1:
Security pre-notification policy for vLLM project (Huzaifa Sidhpurwala <huzaifas@...hat.com>)
- 2025/08/19 #6:
Re: Question about (in)security of fdk-aac-free in
linux distros (Demi Marie Obenour <demiobenour@...il.com>)
- 2025/08/19 #5:
Re: Question about (in)security of fdk-aac-free in
linux distros (Martin Storsjö <martin@...tin.st>)
- 2025/08/19 #4:
Re: blocking weird file names (was: xterm terminal crash due to malicious character sequences in file name) (Ali Polatel <alip@...sys.org>)
- 2025/08/19 #3:
Re: blocking weird file names (was: xterm terminal
crash due to malicious character sequences in file name) (Simon McVittie <smcv@...ian.org>)
- 2025/08/19 #2:
Re: blocking weird file names (was: xterm terminal
crash due to malicious character sequences in file name) (Jacob Bachmeyer <jcb62281@...il.com>)
- 2025/08/19 #1:
Re: RSYNC: 6 vulnerabilities (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2025/08/18 #4:
CVE-2025-53192: Apache Commons OGNL: Expression Injection leading
to RCE (Arnout Engelen <engelen@...che.org>)
- 2025/08/18 #3:
Re: Local information disclosure in apport and systemd-coredump (Solar Designer <solar@...nwall.com>)
- 2025/08/18 #2:
Re: xterm terminal crash due to malicious character
sequences in file name ("David A. Wheeler" <dwheeler@...eeler.com>)
- 2025/08/18 #1:
Re: xterm terminal crash due to malicious character
sequences in file name (Vincent Lefevre <vincent@...c17.net>)
- 2025/08/17 #3:
Re: xterm terminal crash due to malicious character
sequences in file name (Erik Auerswald <auerswal@...x-ag.uni-kl.de>)
- 2025/08/17 #2:
Re: xterm terminal crash due to malicious character sequences in file name (Solar Designer <solar@...nwall.com>)
- 2025/08/17 #1:
Re: xterm terminal crash due to malicious character
sequences in file name (Vincent Lefevre <vincent@...c17.net>)
- 2025/08/16 #2:
Re: xterm terminal crash due to malicious character
sequences in file name (Collin Funk <collin.funk1@...il.com>)
- 2025/08/16 #1:
Re: HTTP/2 implementations are vulnerable to
"MadeYouReset" DoS attack through HTTP/2 control frames (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2025/08/15 #2:
Re: Question about (in)security of fdk-aac-free in linux distros (Jordan Glover <Golden_Miller83@...tonmail.ch>)
- 2025/08/15 #1:
Re: Question about (in)security of fdk-aac-free in
linux distros (Demi Marie Obenour <demiobenour@...il.com>)
- 2025/08/14 #8:
CVE-2025-54409 - aide (>= 0.13 <= 0.19.1): null pointer dereference
after reading incorrectly encoded xattr attributes … (Hannes von Haugwitz <hannes@...haugwitz…)
- 2025/08/14 #7:
CVE-2025-54389 - aide (<= 0.19.1): improper output neutralization
(potential AIDE detection bypass) (Hannes von Haugwitz <hannes@...haugwitz.com>)
- 2025/08/14 #6:
CVE-2025-55675: Apache Superset: Incorrect datasource
authorization on REST API (Daniel Gaspar <dpgaspar@...che.org>)
- 2025/08/14 #5:
CVE-2025-55674: Apache Superset: Improper SQL authorisation, parse
not checking for specific engine functions (Daniel Gaspar <dpgaspar@...che.org>)
- 2025/08/14 #4:
CVE-2025-55672: Apache Superset: Store XSS on charts metadata (Daniel Gaspar <dpgaspar@...che.org>)
- 2025/08/14 #3:
CVE-2025-55673: Apache Superset: Metadata exposure in embedded
charts (Daniel Gaspar <dpgaspar@...che.org>)
- 2025/08/14 #2:
Re: Question about (in)security of fdk-aac-free in
linux distros (Martin Storsjö <martin@...tin.st>)
- 2025/08/14 #1:
Re: Question about (in)security of fdk-aac-free in
linux distros (Sam James <sam@...too.org>)
- 2025/08/13 #9:
Question about (in)security of fdk-aac-free in linux distros (Jordan Glover <Golden_Miller83@...tonmail.ch>)
- 2025/08/13 #8:
Re: xterm terminal crash due to malicious character
sequences in file name (Erik Auerswald <auerswal@...x-ag.uni-kl.de>)
- 2025/08/13 #7:
Re: xterm terminal crash due to malicious character
sequences in file name (Thomas Dickey <dickey@....com>)
- 2025/08/13 #6:
HTTP/2 implementations are vulnerable to
"MadeYouReset" DoS attack through HTTP/2 control frames (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2025/08/13 #5:
CVE-2025-53859: nginx: ngx_mail_smtp_module buffer over-read potentially resulting in sensitive information leak (Solar Designer <solar@...nwall.com>)
- 2025/08/13 #4:
xterm terminal crash due to malicious character sequences in file
name (Vincent Lefevre <vincent@...c17.net>)
- 2025/08/13 #3:
CVE-2025-55668: Apache Tomcat: session fixation via rewrite valve (Mark Thomas <markt@...che.org>)
- 2025/08/13 #2:
CVE-2025-48989: Apache Tomcat: h2 DoS - Made You Reset (Mark Thomas <markt@...che.org>)
- 2025/08/13 #1:
Re: CVE-2025-55188: 7-Zip: Arbitrary file write on
extraction, may lead to code execution (Jens-Wolfhard Schicke-Uffmann <drahflow@....de>)
- 2025/08/12 #2:
CVE-2025-54472: Apache bRPC: Redis Parser Remote Denial of Service
(Wang Weibing <wwbmmm@...che.org>)
- 2025/08/12 #1:
CVE-2025-40920: Catalyst::Authentication::Credential::HTTP versions
1.018 and earlier for Perl use insecurely generated nonce… (Robert Rothenberg <rrwo@...n.org>)
- 2025/08/11 #4:
Re: CVE-2025-55188: 7-Zip: Arbitrary file write on
extraction, may lead to code execution (lunbun <lunbun021@...il.com>)
- 2025/08/11 #3:
Re: CVE-2025-55188: 7-Zip: Arbitrary file write on
extraction, may lead to code execution (Vincent Lefevre <vincent@...c17.net>)
- 2025/08/11 #2:
Re: CVE-2025-55188: 7-Zip: Arbitrary file write on
extraction, may lead to code execution (Jacob Bachmeyer <jcb62281@...il.com>)
- 2025/08/11 #1:
Re: CVE-2025-55188: 7-Zip: Arbitrary file write on
extraction, may lead to code execution (lunbun <lunbun021@...il.com>)
- 2025/08/10 #5:
Re: CVE-2025-55188: 7-Zip: Arbitrary file write on
extraction, may lead to code execution (Jacob Bachmeyer <jcb62281@...il.com>)
- 2025/08/10 #4:
[vim-security] A double-free was found in Vim >v9.1.1231 and <
9.1.1406 (Christian Brabandt <cb@...bit.org>)
- 2025/08/10 #3:
[vim-security] heap use-after-free was found in Vim < 9.1.1400 (Christian Brabandt <cb@...bit.org>)
- 2025/08/10 #2:
Re: CVE-2025-55188: 7-Zip: Arbitrary file write on
extraction, may lead to code execution (lunbun <lunbun021@...il.com>)
- 2025/08/10 #1:
Re: CVE-2025-55188: 7-Zip: Arbitrary file write on
extraction, may lead to code execution (Jacob Bachmeyer <jcb62281@...il.com>)
- 2025/08/09 #1:
CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead
to code execution (lunbun <lunbun021@...il.com>)
31440 messages
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
