oss-security mailing list

Follow @Openwall on Twitter for new release announcements and other news

oss-security mailing list

	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2024	80	100	178	197	72	47	128	107	58	52	59
2023	69	62	100	107	99	78	87	60	122	198	86	101
2022	116	50	47	79	83	58	77	86	76	70	95	108
2021	92	91	98	90	88	59	61	82	49	76	60	47
2020	52	47	38	82	70	67	76	64	71	85	90	66
2019	102	48	49	86	51	103	107	80	71	75	67	70
2018	122	81	84	81	71	104	71	135	78	120	75	84
2017	252	278	171	171	209	278	225	157	214	162	196	93
2016	258	207	271	183	267	193	214	184	287	294	257	241
2015	377	336	355	319	277	243	266	197	195	206	205	208
2014	214	252	249	211	183	317	273	201	413	485	382	318
2013	217	323	246	258	200	201	260	265	163	203	182	199
2012	333	189	294	216	234	128	150	207	234	192	191	161
2011	153	169	318	354	159	224	258	164	137	203	241	146
2010	72	96	123	118	115	142	119	144	203	84	187	139
2009	89	81	75	114	96	59	84	99	102	122	108	74
2008		104	103	143	136	112	150	125	127	123	128	107

Recent messages:

2024/11/20 #2: CVE-2024-52067: Apache NiFi: Potential Insertion of Sensitive Parameter Values in Debug Log (David Handermann <exceptionfactory@...che.org>)
2024/11/20 #1: [kubernetes] CVE-2024-10220: Arbitrary command execution through gitRepo volume (Craig Ingram <cjingram@...gle.com>)
2024/11/19 #1: Local Privilege Escalations in needrestart (Qualys Security Advisory <qsa@...lys.com>)
2024/11/18 #6: Fwd: wget-1.25.0 released [fixes CVE-2024-10524] (Alan Coopersmith <alan.coopersmith@...cle.com>)
2024/11/18 #5: CVE-2024-31141: Apache Kafka Clients: Privilege escalation to filesystem read-access via automatic ConfigProvider (Greg Harris <gharris@...che.org>)
2024/11/18 #4: CVE-2024-52318: Apache Tomcat: Incorrect JSP tag recycling leads to XSS (Mark Thomas <markt@...che.org>)
2024/11/18 #3: CVE-2024-52317: Apache Tomcat: Request/response mix-up with HTTP/2 (Mark Thomas <markt@...che.org>)
2024/11/18 #2: CVE-2024-52316: Apache Tomcat: Authentication bypass when using Jakarta Authentication API (Mark Thomas <markt@...che.org>)
2024/11/18 #1: Re: shell wildcard expansion (un)safety (Sean Whitton <spwhitton@...hitton.name>)
2024/11/17 #1: Re: PostgreSQL: 4 CVEs fixed in 17.1, 16.5, 15.9, 14.14, 13.17, 12.21 (Solar Designer <solar@...nwall.com>)
2024/11/16 #7: PostgreSQL: 4 CVEs fixed in 17.1, 16.5, 15.9, 14.14, 13.17, 12.21 (Solar Designer <solar@...nwall.com>)
2024/11/16 #6: CVE-2024-41151: Apache HertzBeat: RCE by notice template injection vulnerability (Chao Gong <gongchao@...che.org>)
2024/11/16 #5: CVE-2024-45791: Apache HertzBeat: Exposure sensitive token via http GET method with query string (Chao Gong <gongchao@...che.org>)
2024/11/16 #4: CVE-2024-45505: Apache HertzBeat (incubating): Exists Native Deser RCE and file writing vulnerabilities (Chao Gong <gongchao@...che.org>)
2024/11/16 #3: CVE-2024-47208: Apache OFBiz: URLs allowing remote use of Groovy expressions, leading to RCE (Jacques Le Roux <jleroux@...che.org>)
2024/11/16 #2: CVE-2024-48962: Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF lea… (Jacques Le Roux <jleroux@...che.org>)
2024/11/16 #1: Re: shell wildcard expansion (un)safety (Steffen Nurpmeso <steffen@...oden.eu>)
2024/11/15 #1: CVE-2024-45784: Apache Airflow: Sensitive configuration values are not masked in the logs by default (Ephraim Anierobi <ephraimanierobi@...che.org>)
2024/11/13 #2: Multiple vulnerabilities in Jenkins plugins (Daniel Beck <ml@...kweb.net>)
2024/11/13 #1: [ANNOUNCE] Apache Traffic Server is vulnerable to specific user inputs (Masakazu Kitajo <maskit@...che.org>)
2024/11/12 #11: CVE-2024-52533: Buffer overflow in socks proxy code in glib < 2.82.1 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2024/11/12 #10: Re: Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables (Demi Marie Obenour <demi@...isiblethingslab.com>)
2024/11/12 #9: Re: shell wildcard expansion (un)safety (Ali Polatel <alip@...sys.org>)
2024/11/12 #8: Re: 4 recent security bugs in GNOME's libsoup (Alan Coopersmith <alan.coopersmith@...cle.com>)
2024/11/12 #7: Re: Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables (Andrew Cooper <andrew.cooper3@...rix.com>)
2024/11/12 #6: RE: CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets (Joel GUITTET <jguittet.opensource@...ekio.com>)
2024/11/12 #5: Re: CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets (Clemens Lang <cllang@...hat.com>)
2024/11/12 #4: Re: CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets (Solar Designer <solar@...nwall.com>)
2024/11/12 #3: CVE-2024-50386: Apache CloudStack: Directly downloaded templates can be used to abuse KVM-based infrastructure (Daniel Augusto Veronezi Salvador <gutoveronezi…)
2024/11/12 #2: Xen Security Advisory 463 v2 (CVE-2024-45818) - Deadlock in x86 HVM standard VGA handling (Xen.org security team <security@....org>)
2024/11/12 #1: Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables (Xen.org security team <security@....org>)
2024/11/10 #4: Re: shell wildcard expansion (un)safety (Fay Stegerman <flx@...usk.net>)
2024/11/10 #3: Re: shell wildcard expansion (un)safety (Jeroen Roovers <jer@...all.nl>)
2024/11/10 #2: Re: shell wildcard expansion (un)safety (lists@...atla.org.uk)
2024/11/10 #1: Re: shell wildcard expansion (un)safety (Eli Schwartz <eschwartz@...too.org>)
2024/11/09 #2: 4 recent security bugs in GNOME's libsoup (Alan Coopersmith <alan.coopersmith@...cle.com>)
2024/11/09 #1: Re: shell wildcard expansion (un)safety (Dominik Czarnota <dominik.b.czarnota@...il.com>)
2024/11/08 #5: CVE-2024-50378: Apache Airflow: Secrets not masked in UI when sensitive variables are set via Airflow cli (Ephraim Anierobi <ephraimanierobi@...che.org>)
2024/11/08 #4: Re: shell wildcard expansion (un)safety (Georgi Guninski <gguninski@...il.com>)
2024/11/08 #3: Re: CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777 (Solar Designer <solar@...nwall.com>)
2024/11/08 #2: Re: shell wildcard expansion (un)safety (Steffen Nurpmeso <steffen@...oden.eu>)
2024/11/08 #1: Re: shell wildcard expansion (un)safety (Solar Designer <solar@...nwall.com>)
2024/11/07 #7: Re: shell wildcard expansion (un)safety (Mats Wichmann <mats@...hmann.us>)
2024/11/07 #6: Re: shell wildcard expansion (un)safety (Steffen Nurpmeso <steffen@...oden.eu>)
2024/11/07 #5: Re: shell wildcard expansion (un)safety (Steffen Nurpmeso <steffen@...oden.eu>)
2024/11/07 #4: Re: shell wildcard expansion (un)safety (Max Nikulin <manikulin@...il.com>)
2024/11/07 #3: Re: shell wildcard expansion (un)safety (Jakub Wilk <jwilk@...lk.net>)
2024/11/07 #2: Re: shell wildcard expansion (un)safety (Solar Designer <solar@...nwall.com>)
2024/11/07 #1: Re: shell wildcard expansion (un)safety (Steffen Nurpmeso <steffen@...oden.eu>)
2024/11/06 #6: Re: shell wildcard expansion (un)safety (Fay Stegerman <flx@...usk.net>)
2024/11/06 #5: CVE-2024-51504: Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server (Andor Molnar <andor@...che.org>)
2024/11/06 #4: Re: shell wildcard expansion (un)safety (Eli Schwartz <eschwartz@...too.org>)
2024/11/06 #3: Re: shell wildcard expansion (un)safety ("David A. Wheeler" <dwheeler@...eeler.com>)
2024/11/06 #2: [SECURITY ADVISTORY] curl: CVE-2024-9681 HSTS subdomain overwrites parent cache entry (Daniel Stenberg <daniel@...x.se>)
2024/11/06 #1: shell wildcard expansion (un)safety (Solar Designer <solar@...nwall.com>)
2024/11/03 #1: CVE-2024-23590: Apache Kylin: Session fixation in web interface (Li Yang <liyang@...che.org>)
2024/11/01 #3: Re: mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) ("Dr. Thomas Orgis" <thomas.orgis@...-hamburg.de>)
2024/11/01 #2: Re: mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) ("Dr. Thomas Orgis" <thomas.orgis@...-hamburg.de>)
2024/11/01 #1: Re: mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) (Alexander Patrakov <patrakov@...il.com>)
2024/10/31 #4: Re: mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) (Marco Benatto <mbenatto@...hat.com>)
2024/10/31 #3: Re: qBittorrent RCE, Browser Hijacking vulnerabilities (Eli Schwartz <eschwartz@...too.org>)
2024/10/31 #2: CVE-2024-43383: Apache Lucene.Net.Replicator: Remote Code Execution in Lucene.Net.Replicator (Paul Irwin <paulirwin@...che.org>)
2024/10/31 #1: WebKitGTK and WPE WebKit Security Advisory WSA-2024-0006 (Adrian Perez de Castro <aperez@...lia.com>)
2024/10/30 #4: qBittorrent RCE, Browser Hijacking vulnerabilities (Sec Guy <0xsee4@...il.com>)
2024/10/30 #3: Re: mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) (Marco Benatto <mbenatto@...hat.com>)
2024/10/30 #2: mpg123 buffer overflow in versions before 1.32.8 (Frankenstein's Monster) ("Dr. Thomas Orgis" <thomas.orgis@...-hamburg.de>)
2024/10/30 #1: Re: CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets (Jacob Bachmeyer <jcb62281@...il.com>)
2024/10/29 #2: CVE-2024-9632: X.Org X server and Xwayland: Heap-based buffer overflow privilege escalation in _XkbSetCompatMap (Jose Exposito Quintana <jexposit@...hat.com>)
2024/10/29 #1: CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets (Joel GUITTET <jguittet.opensource@...ekio.com>)
2024/10/28 #1: CVE-2024-45477: Apache NiFi: Improper Neutralization of Input in Parameter Description (David Handermann <exceptionfactory@...che.org>)
2024/10/25 #1: CVE-2024-9050: NetworkManager-libreswan IPSec VPN plugin local code execution (Lubomir Rintel <lrintel@...hat.com>)
2024/10/24 #2: CVE-2024-45031: Apache Syncope: Stored XSS in Console and Enduser (Francesco Chicchiriccò <ilgrosso@...che.org>)
2024/10/24 #1: Re: CVE-2024-9143: OpenSSL: Low-level invalid GF(2^m) parameters lead to OOB memory access ("Dr. Christopher Kunz" <info@...istopher-kunz.de>)
2024/10/23 #1: Re: CVE-2024-9143: OpenSSL: Low-level invalid GF(2^m) parameters lead to OOB memory access ("Dr. Christopher Kunz" <info@...istopher-kunz.de>)
2024/10/18 #2: Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so (Solar Designer <solar@...nwall.com>)
2024/10/18 #1: Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so (Steffen Nurpmeso <steffen@...oden.eu>)
2024/10/17 #1: Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so (Matthias Gerstner <mgerstner@...e.de>)
2024/10/16 #1: CVE-2024-9143: OpenSSL: Low-level invalid GF(2^m) parameters lead to OOB memory access (Tomas Mraz <tomas@...nssl.org>)
2024/10/15 #9: CVE-2024-45217: Apache Solr: ConfigSets created during a backup restore command are trusted implicitly (Houston Putman <houston@...che.org>)
2024/10/15 #8: CVE-2024-45216: Apache Solr: Authentication bypass possible using a fake URL Path ending (Houston Putman <houston@...che.org>)
2024/10/15 #7: Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so (Solar Designer <solar@...nwall.com>)
2024/10/15 #6: Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so (Demi Marie Obenour <demi@...isiblethingslab.com>)
2024/10/15 #5: CVE-2024-45693: Apache CloudStack: Request origin validation bypass makes account takeover possible (Daniel Augusto Veronezi Salvador <gutoveronezi@...che.org…)
2024/10/15 #4: CVE-2024-45462: Apache CloudStack: Incomplete session invalidation on web interface logout (Daniel Augusto Veronezi Salvador <gutoveronezi@...che.org>)
2024/10/15 #3: CVE-2024-45461: Apache CloudStack Quota plugin: Access checks not enforced in Quota (Daniel Augusto Veronezi Salvador <gutoveronezi@...che.org>)
2024/10/15 #2: CVE-2024-45219: Apache CloudStack: Uploaded and registered templates and volumes can be used to abuse KVM-based infrast… (Daniel Augusto Veronezi Salvador <gutov…)
2024/10/15 #1: Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so (Matthias Gerstner <mgerstner@...e.de>)
2024/10/14 #2: CVE-2023-50780: Apache ActiveMQ Artemis: Authenticated users could perform RCE via Jolokia MBeans (Justin Bertram <jbertram@...che.org>)
2024/10/14 #1: [kubernetes] CVE-2024-9486 and CVE-2024-9594: VM images built with Kubernetes Image Builder use default credentials (Joel Smith <joelsmith@...hat.com>)
2024/10/12 #1: CVE-2024-46911: Apache Roller: Weakness in CSRF protection allows privilege escalation ("David M. Johnson" <snoopdave@...che.org>)
2024/10/10 #1: libarchive 3.7.5 released with security fixes (Alan Coopersmith <alan.coopersmith@...cle.com>)
2024/10/09 #1: CVE-2024-28168: Apache XML Graphics FOP: XML External Entity (XXE) Processing (Simon Steiner <ssteiner@...che.org>)
2024/10/08 #4: Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so (Solar Designer <solar@...nwall.com>)
2024/10/08 #3: CVE-2024-45720: Apache Subversion: Command line argument injection on Windows platforms (Stefan Sperling <stsp@...che.org>)
2024/10/08 #2: Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so (Simon Josefsson <simon@...efsson.org>)
2024/10/08 #1: Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so (Solar Designer <solar@...nwall.com>)
2024/10/06 #1: [vim-security] use-after-free when closing buffers in Vim < 9.1.0764 (Christian Brabandt <cb@...bit.org>)
2024/10/05 #2: OSSA-2024-004 / CVE-2024-47211: OpenStack Ironic <26.1.1 fails to verify checksums of supplied image_source URLs when configured to c… (Jay Faulkner <jay@....cc>)
2024/10/05 #1: Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so (Simon Josefsson <simon@...efsson.org>)
2024/10/04 #5: CVE-2024-8508 in Unbound DNS server prior to 1.21.1 (Alan Coopersmith <alan.coopersmith@...cle.com>)

30627 messages

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.