oss-security mailing list

Follow @Openwall on Twitter for new release announcements and other news

oss-security mailing list

	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2026	141	103	153
2025	92	75	93	105	94	100	69	75	107	112	106	140
2024	80	100	178	197	72	47	128	107	58	52	87	44
2023	69	62	100	107	99	78	87	60	122	198	86	101
2022	116	50	47	79	83	58	77	86	76	70	95	108
2021	92	91	98	90	88	59	61	82	49	76	60	47
2020	52	47	38	82	70	67	76	64	71	85	90	66
2019	102	48	49	86	51	103	107	80	71	75	67	70
2018	122	81	84	81	71	104	71	135	78	120	75	84
2017	252	278	171	171	209	278	225	157	214	162	196	93
2016	258	207	271	183	267	193	214	184	287	294	257	241
2015	377	336	355	319	277	243	266	197	195	206	205	208
2014	214	252	249	211	183	317	273	201	413	485	382	318
2013	217	323	246	258	200	201	260	265	163	203	182	199
2012	333	189	294	216	234	128	150	207	234	192	191	161
2011	153	169	318	354	159	224	258	164	137	203	241	146
2010	72	96	123	118	115	142	119	144	203	84	187	139
2009	89	81	75	114	96	59	84	99	102	122	108	74
2008		104	103	143	136	112	150	125	127	123	128	107

Recent messages:

2026/03/26 #7: TigerVNC 1.16.2 security release (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/03/26 #6: CVE-2026-4851: remote-to-local code execution in GRID::Machine (piedcrow@...eup.net)
2026/03/26 #5: Re: Multiple vulnerabilities in AppArmor (Qualys Security Advisory <qsa@...lys.com>)
2026/03/26 #4: Re: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown (Juergen Gross <jgross@...e.com>)
2026/03/26 #3: 7 CVEs fixed in nginx (Solar Designer <solar@...nwall.com>)
2026/03/26 #2: CVE-2014-125112: Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution (Timothy Legge <timlegge@...nsec.org>)
2026/03/26 #1: libpng 1.6.56: Two high-severity vulnerabilities fixed: CVE-2026-33416, CVE-2026-33636 (Cosmin Truta <ctruta@...il.com>)
2026/03/25 #8: Re: CVE-2026-33150, CVE-2026-33179: libfuse io_uring memory safety vulnerabilities (use-after-free, NULL deref) (Abhinav Agarwal <abhinavagarwal1996@...il.com>)
2026/03/25 #7: ISC has disclosed four vulnerabilities in BIND 9 (CVE-2026-1519, CVE-2026-3104, CVE-2026-3119, CVE-2026-3591) (Nicki Křížek <nicki@....org>)
2026/03/25 #6: ISC has disclosed one vulnerability in Kea (CVE-2026-3608) (Peter Davies <peterd@....org>)
2026/03/25 #5: backdoor in litellm version 1.82.7 (Jan Schaumann <jschauma@...meister.org>)
2026/03/25 #4: [ADVISORY] SQUID-2026:3 Out of Bounds Read in ICP message handling (CVE-2026-33515) (Amos Jeffries <squid3@...enet.co.nz>)
2026/03/25 #3: [ADVISORY] SQUID-2026:2 Denial of Service in ICP Request handling (CVE-2026-32748) (Amos Jeffries <squid3@...enet.co.nz>)
2026/03/25 #2: [ADVISORY] SQUID-2026:1 Denial of Service in ICP Request handling (CVE-2026-33526) (Amos Jeffries <squid3@...enet.co.nz>)
2026/03/25 #1: NodeJS Security Releases fixes High, 5 Medium, 2 Low severity issues (Jan Schaumann <jschauma@...meister.org>)
2026/03/24 #6: litellm pypi packages compromised, infostealer added (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/03/24 #5: Re: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown (Andrew Cooper <andrew.cooper3@...rix.com>)
2026/03/24 #4: Re: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown (Greg KH <greg@...ah.com>)
2026/03/24 #3: Xen Security Advisory 482 v3 (CVE-2026-31788) - Linux privcmd driver can circumvent kernel lockdown (Xen.org security team <security@....org>)
2026/03/24 #2: Re: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown (Greg KH <greg@...ah.com>)
2026/03/24 #1: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown (Xen.org security team <security@....org>)
2026/03/23 #2: The GNU C Library security advisories update for 2026-03-23 (Carlos O'Donell <carlos@...hat.com>)
2026/03/23 #1: Re: Trivy github actions repo compromised, infostealer added (Jeremy Utiera <jeremyutiera@...il.com>)
2026/03/22 #3: Re: CVE-2006-10002: XML::Parser versions through 2.47 for Perl could overflow the pre-allocated buffer size cause a hea… (Salvatore Bonaccorso <carnil@...ian.org…)
2026/03/22 #2: Re: Buffer overflow in /bin/su from UNIX v4 (Peter Gutmann <pgut001@...auckland.ac.nz>)
2026/03/22 #1: Re: Buffer overflow in /bin/su from UNIX v4 (Steffen Nurpmeso <steffen@...oden.eu>)
2026/03/21 #7: Re: Buffer overflow in /bin/su from UNIX v4 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/03/21 #6: Re: Buffer overflow in /bin/su from UNIX v4 (Justin Swartz <justin.swartz@...ingedge.co.za>)
2026/03/21 #5: Re: Buffer overflow in /bin/su from UNIX v4 (Solar Designer <solar@...nwall.com>)
2026/03/21 #4: Re: Buffer overflow in /bin/su from UNIX v4 (kf503bla@...k.com)
2026/03/21 #3: Re: pyOpenSSL 26.0.0 released with two CVE fixes (Alex Gaynor <alex.gaynor@...il.com>)
2026/03/21 #2: CVE-2026-33150, CVE-2026-33179: libfuse io_uring memory safety vulnerabilities (use-after-free, NULL deref) (Abhinav Agarwal <abhinavagarwal1996@...il.com>)
2026/03/21 #1: Trivy github actions repo compromised, infostealer added (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/03/20 #6: Re: Buffer overflow in /bin/su from UNIX v4 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/03/20 #5: pyOpenSSL 26.0.0 released with two CVE fixes (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/03/20 #4: [CVE-2026-30922] Denial of Service in pyasn1 via Unbounded Recursion (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/03/20 #3: nghttp2 Denial of service: Assertion failure due to the missing state validation (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/03/20 #2: CVE-2026-32642: Apache Artemis, Apache ActiveMQ Artemis: Temporary address auto-created for OpenWire consumer without crea… (Justin Bertram <jbertram@...che.org>)
2026/03/20 #1: Fwd: [CPython][CVE-2026-4519] webbrowser.open() API allows leading dashes (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/03/19 #10: [vim-security]: Command injection via newline in glob() affects Vim < 9.2.0202 (Christian Brabandt <cb@...bit.org>)
2026/03/19 #9: [kubernetes] CVE-2026-4342: ingress-nginx comment-based nginx configuration injection (Tabitha Sable <tabitha.c.sable@...il.com>)
2026/03/19 #8: Re: Off-by-one heap buffer overflow in libuv (Ali Raza <elirazamumtaz@...il.com>)
2026/03/19 #7: Re: Off-by-one heap buffer overflow in libuv (Stuart Henderson <stu@...cehopper.org>)
2026/03/19 #6: Re: Off-by-one heap buffer overflow in libuv (Ali Raza <elirazamumtaz@...il.com>)
2026/03/19 #5: Re: Off-by-one heap buffer overflow in libuv (Ali Raza <elirazamumtaz@...il.com>)
2026/03/19 #4: Off-by-one heap buffer overflow in libuv (Ali Raza <elirazamumtaz@...il.com>)
2026/03/19 #3: [OSSA-2026-004] Glance: Server-Side Request Forgery (SSRF) vulnerabilities in OpenStack Glance image import functionali… (Brian Rosmaita <rosmaita.fossdev@...il.…)
2026/03/19 #2: CVE-2006-10003: XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack (Timothy Legge <timlegge@...nsec.org>)
2026/03/19 #1: CVE-2006-10002: XML::Parser versions through 2.47 for Perl could overflow the pre-allocated buffer size cause a heap corru… (Timothy Legge <timlegge@...nsec.org>)
2026/03/18 #12: CVE-2026-31973: samtools <= 1.23 NULL pointer dereference in cram-size (Robert Davies <rmd@...ger.ac.uk>)
2026/03/18 #11: CVE-2026-31972: samtools <= 1.21 Use-after-free in mpileup leading to an invalid read (Robert Davies <rmd@...ger.ac.uk>)
2026/03/18 #10: HTSlib <= 1.23 Multiple vulnerabilities in the CRAM file reader (Robert Davies <rmd@...ger.ac.uk>)
2026/03/18 #9: CVE-2026-31970: HTSlib <= 1.23 heap buffer overflow in the BGZF index file reader (Robert Davies <rmd@...ger.ac.uk>)
2026/03/18 #8: WebKitGTK and WPE WebKit Security Advisory WSA-2026-0001 (Adrian Perez de Castro <aperez@...lia.com>)
2026/03/18 #7: Re: OpenSSH GSSAPI keyex patch issue (Jeffrey Walton <noloader@...il.com>)
2026/03/18 #6: Multiple vulnerabilities in Jenkins and Jenkins plugins (Daniel Beck <ml@...kweb.net>)
2026/03/18 #5: Re: OpenSSH GSSAPI keyex patch issue (Dmitry Belyavskiy <dbelyavs@...hat.com>)
2026/03/18 #4: Re: OpenSSH GSSAPI keyex patch issue (Solar Designer <solar@...nwall.com>)
2026/03/18 #3: [SBA-ADV-20251205-01] LibreChat 0.8.1-rc2 RAG API Authentication Bypass (SBA Research Security Advisory <advisory@...-research.org>)
2026/03/18 #2: Re: OpenSSH GSSAPI keyex patch issue (Dmitry Belyavskiy <dbelyavs@...hat.com>)
2026/03/18 #1: Re: snap-confine + systemd-tmpfiles = root (CVE-2026-3888) (Michael Orlitzky <michael@...itzky.com>)
2026/03/17 #11: Re: libexpat 2.7.5 fixes three vulnerabilities (2x null deref, 1x infinite loop) (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/03/17 #10: libexpat 2.7.5 fixes three vulnerabilities (2x null deref, 1x infinite loop) (Sebastian Pipping <sebastian@...ping.org>)
2026/03/17 #9: Re: snap-confine + systemd-tmpfiles = root (CVE-2026-3888) (Michal Zalewski <lcamtuf@...edump.cx>)
2026/03/17 #8: snap-confine + systemd-tmpfiles = root (CVE-2026-3888) (Qualys Security Advisory <qsa@...lys.com>)
2026/03/17 #7: Xen Security Advisory 481 v2 (CVE-2026-23555) - Xenstored DoS by unprivileged domain (Xen.org security team <security@....org>)
2026/03/17 #6: Xen Security Advisory 480 v3 (CVE-2026-23554) - Use after free of paging structures in EPT (Xen.org security team <security@....org>)
2026/03/17 #5: CVE-2026-28563: Apache Airflow: DAG authorization bypass (Rahul Vats <rahulvats@...che.org>)
2026/03/17 #4: CVE-2026-26929: Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata (Rahul Vats <rahulvats@...che.org>)
2026/03/17 #3: CVE-2026-28779: Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted … (Rahul Vats <rahulvats@...che.org>)
2026/03/17 #2: CVE-2026-30911: Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization (Rahul Vats <rahulvats@...che.org>)
2026/03/17 #1: [kubernetes] CVE-2026-3864: CSI Driver for NFS path traversal via subDir may delete unintended directories on the NFS serve… (Rita Zhang <rita.z.zhang@...il.com>)
2026/03/16 #6: CVE-2026-4177: YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-s… (Timothy Legge <timlegge@...nsec.org>)
2026/03/16 #5: [CVE-2026-3644] CPython Incomplete control character validation in http.cookies (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/03/16 #4: [CVE-2026-4224] CPython Stack overflow parsing XML with deeply nested DTD content models (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/03/16 #3: Re: Foswiki 2.1.11 is released, fixes CVE-2026-2861 (Michael Daum <foswiki@...haeldaumconsulting.com>)
2026/03/16 #2: 10+ CVEs in GStreamer (Solar Designer <solar@...nwall.com>)
2026/03/16 #1: Re: Foswiki 2.1.11 is released, fixes CVE-2026-2861 (Solar Designer <solar@...nwall.com>)
2026/03/15 #1: Foswiki 2.1.11 is released, fixes CVE-2026-2861 (Michael Daum <foswiki@...haeldaumconsulting.com>)
2026/03/14 #4: Re: OpenSSH GSSAPI keyex patch issue (Dmitry Belyavskiy <dbelyavs@...hat.com>)
2026/03/14 #3: Re: OpenSSH GSSAPI keyex patch issue (Solar Designer <solar@...nwall.com>)
2026/03/14 #2: Re: Some telnet clients leak environment variables (Solar Designer <solar@...nwall.com>)
2026/03/14 #1: Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) (Collin Funk <collin.funk1@...il.com>)
2026/03/13 #4: CVE-2025-54920: Apache Spark: Spark History Server Code Execution Vulnerability (Holden Karau <holden@...che.org>)
2026/03/13 #3: OpenSSL Security Advisory (Tomas Mraz <tomas@...nssl.foundation>)
2026/03/13 #2: Re: Some telnet clients leak environment variables (Stuart Henderson <stu@...cehopper.org>)
2026/03/13 #1: Some telnet clients leak environment variables (Justin Swartz <justin.swartz@...ingedge.co.za>)
2026/03/12 #10: Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) (Solar Designer <solar@...nwall.com>)
2026/03/12 #9: Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) (Paul Eggert <eggert@...ucla.edu>)
2026/03/12 #8: Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) (Collin Funk <collin.funk1@...il.com>)
2026/03/12 #7: Re: Multiple vulnerabilities in AppArmor (Qualys Security Advisory <qsa@...lys.com>)
2026/03/12 #6: Multiple vulnerabilities in AppArmor (Qualys Security Advisory <qsa@...lys.com>)
2026/03/12 #5: Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) (Solar Designer <solar@...nwall.com>)
2026/03/12 #4: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) (Justin Swartz <justin.swartz@...ingedge.co.za>)
2026/03/12 #3: OpenSSH GSSAPI keyex patch issue (Marc Deslauriers <marc.deslauriers@...onical.com>)
2026/03/12 #2: CVE-2025-66249: Apache Livy: Unauthorized directory access (György Gál <ggal@...che.org>)
2026/03/12 #1: CVE-2025-60012: Apache Livy: Restrict file access (György Gál <ggal@...che.org>)
2026/03/11 #6: [vim-security] NFA regex engine NULL pointer dereference affects Vim < 9.2.0137 (Christian Brabandt <cb@...bit.org>)
2026/03/11 #5: The GNU C Library security advisory update for 2026-03-11 (Siddhesh Poyarekar <siddhesh.poyarekar@...il.com>)
2026/03/11 #4: [ADVISORY] curl: CVE-2026-3805: use after free in SMB connection reuse (Daniel Stenberg <daniel@...x.se>)

32264 messages

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.