oss-security mailing list

Follow @Openwall on Twitter for new release announcements and other news

oss-security mailing list

	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2025	92	75	93	105	94	100	69	75	107	112	106	73
2024	80	100	178	197	72	47	128	107	58	52	87	44
2023	69	62	100	107	99	78	87	60	122	198	86	101
2022	116	50	47	79	83	58	77	86	76	70	95	108
2021	92	91	98	90	88	59	61	82	49	76	60	47
2020	52	47	38	82	70	67	76	64	71	85	90	66
2019	102	48	49	86	51	103	107	80	71	75	67	70
2018	122	81	84	81	71	104	71	135	78	120	75	84
2017	252	278	171	171	209	278	225	157	214	162	196	93
2016	258	207	271	183	267	193	214	184	287	294	257	241
2015	377	336	355	319	277	243	266	197	195	206	205	208
2014	214	252	249	211	183	317	273	201	413	485	382	318
2013	217	323	246	258	200	201	260	265	163	203	182	199
2012	333	189	294	216	234	128	150	207	234	192	191	161
2011	153	169	318	354	159	224	258	164	137	203	241	146
2010	72	96	123	118	115	142	119	144	203	84	187	139
2009	89	81	75	114	96	59	84	99	102	122	108	74
2008		104	103	143	136	112	150	125	127	123	128	107

Recent messages:

2025/12/20 #2: A couple of security issues? ("Artem S. Tashkinov" <aros@....com>)
2025/12/20 #1: Re: A couple of security issues? (Greg KH <greg@...ah.com>)
2025/12/19 #1: Avahi simple protocol server accepts unlimited connections [CVE-2025-59529] (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/12/18 #3: Release: CVE-2025-67896: EXIM-Security-2025-12-09.1: Exim 4.99.1 released (Heiko Schlittermann <hs@...marc.schlittermann.de>)
2025/12/18 #2: CVE-2025-66524: Apache NiFi: Deserialization of Untrusted Data in GetAsanaObject Processor (David Handermann <exceptionfactory@...che.org>)
2025/12/18 #1: CVE-2025-68161: Apache Log4j Core: Missing TLS hostname verification in Socket appender (Piotr Karwasz <pkarwasz@...che.org>)
2025/12/17 #3: [kubernetes] CVE-2025-14269: Credential caching in Headlamp with Helm enabled (Craig Ingram <cjingram@...gle.com>)
2025/12/17 #2: WebKitGTK and WPE WebKit Security Advisory WSA-2025-0010 (Adrian Perez de Castro <aperez@...lia.com>)
2025/12/17 #1: Re: [CVE-2025-14282] dropbear: privilege escalation via unix domain socket forwardings (Jacob Bachmeyer <jcb62281@...il.com>)
2025/12/16 #4: [CVE-2025-14282] dropbear: privilege escalation via unix domain socket forwardings (turistu@...il.com)
2025/12/16 #3: CVE-2025-67895: Apache Airflow Providers Edge3: Edge3 Worker RPC RCE on Airflow 2 (Jarek Potiuk <potiuk@...che.org>)
2025/12/16 #2: Dropbear 2025.89 fixes privilege escalation, CVE-2025-14282 (Matt Johnston <matt@....asn.au>)
2025/12/16 #1: XXE vulnerabilities in electronic invoicing software (Kivitendo, peppol-py, ZUV) (Hanno Böck <hanno@...eck.de>)
2025/12/15 #1: uriparser 1.0.0 fixes CVE-2025-67899 (DoS, CWE-674) (Sebastian Pipping <sebastian@...ping.org>)
2025/12/14 #2: additional React vulnerabilities (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779) (Jan Schaumann <jschauma@...meister.org>)
2025/12/14 #1: Re: Update: CVE-2025-67896: EXIM-Security-2025-12-09.1: Exim 4.99: Remote heap corruption (Heiko Schlittermann <hs@...marc.schlittermann.de>)
2025/12/12 #5: Re: CVE-2025-54947: Apache StreamPark: Use hard-coded key vulnerability (Solar Designer <solar@...nwall.com>)
2025/12/12 #4: CVE-2025-54981: Apache StreamPark: Weak Encryption Algorithm in StreamPark (Huajie Wang <benjobs@...che.org>)
2025/12/12 #3: CVE-2025-54947: Apache StreamPark: Use hard-coded key vulnerability (Huajie Wang <benjobs@...che.org>)
2025/12/12 #2: CVE-2025-65995: Apache Airflow: Disclosure of secrets to UI via kwargs (Ephraim Anierobi <ephraimanierobi@...che.org>)
2025/12/12 #1: CVE-2025-66388: Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI (Ephraim Anierobi <ephraimanierobi@...che.org>)
2025/12/11 #7: CVE-2025-58137: Apache Fineract: IDOR via self-service API (Adam Monsen <meonkeys@...che.org>)
2025/12/11 #6: CVE-2025-58130: Apache Fineract: Server Key not masked (Adam Monsen <meonkeys@...che.org>)
2025/12/11 #5: CVE-2025-23408: Apache Fineract: weak password policy (Adam Monsen <meonkeys@...che.org>)
2025/12/11 #4: Re: CVE-2025-8110 in Gogs self-hosted git service (Martin Weinelt <martin@...uxlounge.net>)
2025/12/11 #3: Re: CVE-2025-8110 in Gogs self-hosted git service (Jakub Wilk <jwilk@...lk.net>)
2025/12/11 #2: Update: EXIM-Security-2025-12-09.1: Exim 4.99: Remote heap corruption (Heiko Schlittermann <hs@...marc.schlittermann.de>)
2025/12/11 #1: Re: LibreOffice puts searched text into the PRIMARY selection (Linux, X11) (Vincent Lefevre <vincent@...c17.net>)
2025/12/10 #7: CVE-2025-8110 in Gogs self-hosted git service (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/12/10 #6: smb4k: Major Vulnerabilities in KAuth Helper (CVE-2025-66002, CVE-2025-66003) (Matthias Gerstner <mgerstner@...e.de>)
2025/12/10 #5: Re: LibreOffice puts searched text into the PRIMARY selection (Linux, X11) (Marco Moock <mm@...fdsl.de>)
2025/12/10 #4: Multiple vulnerabilities in Jenkins and Jenkins plugins (Kevin Guerroudj <kguerroudj@...udbees.com>)
2025/12/10 #3: LibreOffice puts searched text into the PRIMARY selection (Linux, X11) (Vincent Lefevre <vincent@...c17.net>)
2025/12/10 #2: CVE-2025-66675: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - version ranges … (Lukasz Lenart <lukaszlenart@...che.org>)
2025/12/10 #1: EXIM-Security-2025-12-09.1: Exim 4.99: Remote heap corruption (Heiko Schlittermann <hs@...marc.schlittermann.de>)
2025/12/09 #1: CVE-2025-26866: Apache HugeGraph-Server: RAFT and deserialization vulnerability (VGalaxies <vgalaxies@...che.org>)
2025/12/08 #3: Re: CVE-2025-62408: c-ares 1.32.3-1.34.5 use after free() (Demi Marie Obenour <demiobenour@...il.com>)
2025/12/08 #2: CVE-2025-62408: c-ares 1.32.3-1.34.5 use after free() (Brad House <brad@...d-house.com>)
2025/12/08 #1: PowerDNS Security Announcement 2025-07 and 2025-08 regarding PowerDNS Recursor (Otto Moerbeek <otto.moerbeek@...erdns.com>)
2025/12/05 #5: CPython vulnerable to CVE-2025-13836, CVE-2025-13837, & CVE-2025-12084 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/12/05 #4: CVE-2025-66418 & CVE-2025-66471 fixed in urllib3 2.6.0 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/12/05 #3: Go 1.25.5 and Go 1.24.11 are released - fix CVE-2025-61729 & CVE-2025-61727 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/12/05 #2: CVE-2025-66566 fixed in lz4-java 1.10.1 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/12/05 #1: Island: Sandboxing tool powered by Landlock (Mickaël Salaün <mic@...ikod.net>)
2025/12/04 #10: React2Shell (CVE-2025-55182/CVE-2025-66478) (Jeffrey Walton <noloader@...il.com>)
2025/12/04 #9: Re: [webkit-gtk] WebKitGTK and WPE WebKit Security Advisory WSA-2025-0009 (Adrian Perez de Castro <aperez@...lia.com>)
2025/12/04 #8: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo (Eric Covener <covener@...che.org>)
2025/12/04 #7: CVE-2025-65082: Apache HTTP Server: CGI environment variable override (Eric Covener <covener@...che.org>)
2025/12/04 #6: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF (Eric Covener <covener@...che.org>)
2025/12/04 #5: CVE-2025-58098: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=... (Eric Covener <covener@...che.org>)
2025/12/04 #4: CVE-2025-55753: Apache HTTP Server: mod_md (ACME), unintended retry intervals (Eric Covener <covener@...che.org>)
2025/12/04 #3: WebKitGTK and WPE WebKit Security Advisory WSA-2025-0009 (Adrian Perez de Castro <aperez@...lia.com>)
2025/12/04 #2: CVE-2025-66516: Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scop… (Tim Allison <tallison@...che.org>)
2025/12/04 #1: CVE-2025-53960: Apache StreamPark: Use the user’s password as the secret key Vulnerability (Huajie Wang <benjobs@...che.org>)
2025/12/03 #8: Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 (Greg Roelofs <roelofs@...ix.com>)
2025/12/03 #7: Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 (Cosmin Truta <ctruta@...il.com>)
2025/12/03 #6: Re: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/12/03 #5: libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 (Cosmin Truta <ctruta@...il.com>)
2025/12/03 #4: CVE-2025-55182: RCE in React Server Components (Jan Schaumann <jschauma@...meister.org>)
2025/12/03 #3: Re: 5 CVE's fixed in Fluent Bit (Christian Fischer <christian.fischer@...enbone.net>)
2025/12/03 #2: Re: Questionable CVE's reported against dnsmasq (Christian Fischer <christian.fischer@...enbone.net>)
2025/12/03 #1: FW: X.Org Security Advisory: multiple security issues in xkbcomp (Peter Hutterer <peter.hutterer@...-t.net>)
2025/12/02 #5: [vim-security] A Windows uncontrolled search path vulnerability affects Vim < 9.1.1947 (Christian Brabandt <cb@...bit.org>)
2025/12/02 #4: Re: 5 CVE's fixed in Fluent Bit (Christian Brabandt <cb@...bit.org>)
2025/12/02 #3: Django CVE-2025-13372 and CVE-2025-64460 (Natalia Bidart <nataliabidart@...ngoproject.com>)
2025/12/02 #2: Re: 5 CVE's fixed in Fluent Bit (Christian Fischer <christian.fischer@...enbone.net>)
2025/12/02 #1: expat looking for help with another unfixed non-public denial-of-service vulnerability [CVE-2025-66382] (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/12/01 #6: Re: 5 CVE's fixed in Fluent Bit (Christian Brabandt <cb@...bit.org>)
2025/12/01 #5: CVE-2025-12183 in lz4-java, fixed in new fork (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/12/01 #4: [kubernetes] CVE-2025-13281: Portworx Half-Blind SSRF in kube-controller-manager (Nathan Herz <nathan.herz97@...il.com>)
2025/12/01 #3: WebKitGTK and WPE WebKit Security Advisory WSA-2025-0008 (Adrian Perez de Castro <aperez@...lia.com>)
2025/12/01 #2: CVE-2025-64775: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - S2-068 (Lukasz Lenart <lukaszlenart@...che.org>)
2025/12/01 #1: CVE-2025-59789: Apache bRPC: Stack Exhaustion via Unbounded Recursion in JSON Parser (Wang Weibing <wwbmmm@...che.org>)
2025/11/28 #3: CVE-2025-59792: Apache Kvrocks: MONITOR command reveals plaintext credentials to non-admins (Hulk Lin <hulk@...che.org>)
2025/11/28 #2: CVE-2025-59790: Apache Kvrocks: RESET command grants admin privileges (Hulk Lin <hulk@...che.org>)
2025/11/28 #1: CVE-2023-48796: Apache DolphinScheduler: Sensitive information disclosure (Lidong Dai <lidongdai@...che.org>)
2025/11/27 #5: CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues (Zdenek Dohnal <zdohnal@...hat.com>)
2025/11/27 #4: CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack (Zdenek Dohnal <zdohnal@...hat.com>)
2025/11/27 #3: CVE-2025-59454: Apache CloudStack: Lack of user permission validation leading to data leak for few APIs (Harikrishna Patnala <harikrishna@...che.org>)
2025/11/27 #2: CVE-2025-59302: Apache CloudStack: Potential remote code execution on Javascript engine defined rules (Harikrishna Patnala <harikrishna@...che.org>)
2025/11/27 #1: CVE-2025-54057: Apache SkyWalking: Stored XSS vulnerability (Zhenxu Ke <kezhenxu94@...che.org>)
2025/11/26 #4: Unbound: 1.24.2 addresses CVE-2025-11411 (again) (Yorgos Thessalonikefs <yorgos@...etlabs.nl>)
2025/11/26 #3: CVE-2025-62728: Apache Hive: SQL injection vulnerability when processing delete column statistics requests via the HMS … (Stamatis Zampetakis <zabetak@...che.org…)
2025/11/26 #2: 5 CVE's fixed in Fluent Bit (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/11/26 #1: CVE-2025-59390: Apache Druid: Kerberos authenticaton chooses a cryptographically unsecure secret if not configured explicitly. (Karan Kumar <karan@...che.org>)
2025/11/24 #1: CVE-2025-65998: Apache Syncope: Default AES key used for internal password encryption (Francesco Chicchiriccò <ilgrosso@...che.org>)
2025/11/22 #1: libpng 1.6.51: Four buffer overflow vulnerabilities fixed: CVE-2025-64505, CVE-2025-64506, CVE-2025-64720, CVE-2025-65018 (Cosmin Truta <ctruta@...il.com>)
2025/11/20 #2: gnutls 3.8.11 released with fix for CVE-2025-9820 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/11/20 #1: CVE-2025-64524 cups-filters: Heap Buffer Overflow in rastertopclx Filter Leading to Potential Arbitrary Code Execution (Zdenek Dohnal <zdohnal@...hat.com>)
2025/11/19 #1: CVE-2025-64408: Apache Causeway: Java deserialization vulnerability to authenticated attackers (Dan Haywood <danhaywood@...che.org>)
2025/11/18 #10: Re: SQLite - Integer Overflow in FTS5 Extension [CVE-2025-7709] ("John Hein" <josec-ml0@...mail.com>)
2025/11/18 #9: [SECURITY PATCH 8/8] commands/usbtest: Ensure string length is sufficient in usb string processing (Daniel Kiper <daniel.kiper@...cle.com>)
2025/11/18 #8: [SECURITY PATCH 7/8] commands/usbtest: Use correct string length field (Daniel Kiper <daniel.kiper@...cle.com>)
2025/11/18 #7: [SECURITY PATCH 6/8] tests/lib/functional_test: Unregister commands on module unload (Daniel Kiper <daniel.kiper@...cle.com>)
2025/11/18 #6: [SECURITY PATCH 5/8] normal/main: Unregister commands on module unload (Daniel Kiper <daniel.kiper@...cle.com>)
2025/11/18 #5: [SECURITY PATCH 4/8] gettext/gettext: Unregister gettext command on module unload (Daniel Kiper <daniel.kiper@...cle.com>)
2025/11/18 #4: [SECURITY PATCH 3/8] net/net: Unregister net_set_vlan command on unload (Daniel Kiper <daniel.kiper@...cle.com>)
2025/11/18 #3: [SECURITY PATCH 2/8] kern/file: Call grub_dl_unref() after fs->fs_close() (Daniel Kiper <daniel.kiper@...cle.com>)
2025/11/18 #2: [SECURITY PATCH 1/8] commands/test: Fix error in recursion depth calculation (Daniel Kiper <daniel.kiper@...cle.com>)
2025/11/18 #1: [SECURITY PATCH 0/8] GRUB2 vulnerabilities - 2025/11/18 (Daniel Kiper <daniel.kiper@...cle.com>)

31800 messages

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.