oss-security mailing list
Recent messages:
- 2024/12/23 #6:
Re: Re: Out-of-bounds read & write in the glibc's qsort() (Yuri Gribov <tetra2005@...il.com>)
- 2024/12/23 #5:
Re: Re: Out-of-bounds read & write in the glibc's qsort() (Florian Weimer <fweimer@...hat.com>)
- 2024/12/23 #4:
Re: Re: Out-of-bounds read & write in the glibc's qsort() (Florian Weimer <fweimer@...hat.com>)
- 2024/12/23 #3:
CVE-2024-45387: Apache Traffic Control: SQL Injection in Traffic Ops endpoint PUT deliveryservice_request_comments (Eric Friedrich <friede@...che.org>)
- 2024/12/23 #2:
CVE-2024-23945: Apache Hive and Spark: CookieSigner exposes the correct signature when message verification fails (Stamatis Zampetakis <zabetak@...che.org>)
- 2024/12/23 #1:
Re: Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks (David Woodhouse <dwmw2@...radead.org>)
- 2024/12/22 #1:
WebKitGTK and WPE WebKit Security Advisory WSA-2024-0008 (Adrian Perez de Castro <aperez@...lia.com>)
- 2024/12/21 #3:
Re: Re: Out-of-bounds read & write in the glibc's qsort() (Jan Engelhardt <ej@...i.de>)
- 2024/12/21 #2:
Re: Out-of-bounds read & write in the glibc's qsort() (Yuri Gribov <tetra2005@...il.com>)
- 2024/12/21 #1:
Fwd: Operational Notification: BIND 9.20 defect in QPzone implementation (Solar Designer <solar@...nwall.com>)
- 2024/12/20 #1:
CVE-2024-56337: Apache Tomcat: RCE due to TOCTOU issue in JSP compilation - CVE-2024-50379 mitigation was incomplete (Mark Thomas <markt@...che.org>)
- 2024/12/19 #1:
SSSD: Weaknesses in Privilege Separation due to Issues in Privileged Helper Programs (Matthias Gerstner <mgerstner@...e.de>)
- 2024/12/18 #3:
CVE-2024-56128: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption (Manikumar <manikumar@...che.org>)
- 2024/12/18 #2:
Re: CVE-2024-50379: Apache Tomcat: RCE due to TOCTOU issue in JSP compilation (Nick Boyce <nick.boyce@...il.com>)
- 2024/12/18 #1:
Re: CVE-2024-54677: Apache Tomcat: DoS in examples web application (Mark Thomas <markt@...che.org>)
- 2024/12/17 #6:
Re: CVE-2024-54677: Apache Tomcat: DoS in examples web application (Agostino Sarubbo <ago@...too.org>)
- 2024/12/17 #5:
CVE-2024-54677: Apache Tomcat: DoS in examples web application (Mark Thomas <markt@...che.org>)
- 2024/12/17 #4:
CVE-2024-50379: Apache Tomcat: RCE due to TOCTOU issue in JSP compilation (Mark Thomas <markt@...che.org>)
- 2024/12/17 #3:
CVE-2024-11614: DPDK Vhost Rx checksum vulnerability (Maxime Coquelin <maxime.coquelin@...hat.com>)
- 2024/12/17 #2:
Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks (Xen.org security team <security@....org>)
- 2024/12/17 #1:
Xen Security Advisory 465 v3 (CVE-2024-53240) - Backend can crash Linux netfront (Xen.org security team <security@....org>)
- 2024/12/13 #1:
GStreamer 1.24.10 stable security bug-fix release (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2024/12/12 #1:
CVE-2024-55633: Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access (Daniel Gaspar <dpgaspar@...che.org>)
- 2024/12/11 #2:
Vulnerability in golang.org/x/crypto [CVE-2024-45337: misuse of ServerConfig.PublicKeyCallback may cause authorization … (Jan Schaumann <jschauma@...meister.org>)
- 2024/12/11 #1:
[SECURITY ADVISORY] curl: CVE-2024-11053: netrc and redirect credential leak (Daniel Stenberg <daniel@...x.se>)
- 2024/12/09 #4:
CVE-2024-53949: Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled (Daniel Gaspar <dpgaspar@...che.org>)
- 2024/12/09 #3:
CVE-2024-53948: Apache Superset: Error verbosity exposes metadata in analytics databases (Daniel Gaspar <dpgaspar@...che.org>)
- 2024/12/09 #2:
CVE-2024-53947: Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions (Daniel Gaspar <dpgaspar@...che.org>)
- 2024/12/09 #1:
[SECURITY][ANNOUNCE] Apache Subversion 1.14.5 released (Daniel Sahlberg <dsahlberg@...che.org>)
- 2024/12/06 #1:
Fwd: [Security-announce][CVE-2024-12254] Unbounded memory buffering in SelectorSocketTransport.writelines() (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2024/12/04 #3:
Django CVE-2024-53907 and CVE-2024-53908 (Sarah Boyce <sarahboyce@...ngoproject.com>)
- 2024/12/04 #2:
CVE-2022-41137: Apache Hive: Deserialization of untrusted data when fetching partitions from the Metastore (Stamatis Zampetakis <zabetak@...che.org>)
- 2024/12/04 #1:
Re: Local Privilege Escalations in needrestart (Jakub Wilk <jwilk@...lk.net>)
- 2024/12/03 #1:
[OSSA-2024-005] Neutron: Authorization bypassed when setting tags on Neutron networks (CVE-2024-53916) (Jay Faulkner <jay@....cc>)
- 2024/12/02 #1:
CVE-2024-45106: Apache Ozone: Improper authentication when generating S3 secrets (Ethan Rose <erose@...che.org>)
- 2024/12/01 #1:
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() (tianshu qiu <jimuchutianshu97@...il.com>)
- 2024/11/30 #6:
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() (Jeroen Roovers <jer@...all.nl>)
- 2024/11/30 #5:
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() (tianshu qiu <jimuchutianshu97@...il.com>)
- 2024/11/30 #4:
Re: Local Privilege Escalations in needrestart (Salvatore Bonaccorso <carnil@...ian.org>)
- 2024/11/30 #3:
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() (Solar Designer <solar@...nwall.com>)
- 2024/11/30 #2:
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() (tianshu qiu <jimuchutianshu97@...il.com>)
- 2024/11/30 #1:
Re: Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() (Luiz Augusto von Dentz <luiz.dentz@...il.com>)
- 2024/11/29 #3:
stalld: unpatched fixed temporary file use and other issues (Matthias Gerstner <mgerstner@...e.de>)
- 2024/11/29 #2:
Re: tuned: local root exploit in D-Bus method instance_create and other issues in tuned >= 2.23 (CVE-2024-52336, CVE-202… (Matthias Gerstner <mgerstner@...e.de>)
- 2024/11/29 #1:
Linux: Race can lead to UAF in net/bluetooth/sco.c: sco_sock_connect() (Solar Designer <solar@...nwall.com>)
- 2024/11/28 #3:
CVE-2024-52338: Apache Arrow R package: Arbitrary code execution when loading a malicious data file (Dewey Dunnington <paleolimbot@...che.org>)
- 2024/11/28 #2:
Re: tuned: local root exploit in D-Bus method instance_create and other issues in tuned >= 2.23 (CVE-2024-52336, CVE-2024-523… (Simon McVittie <smcv@...ian.org>)
- 2024/11/28 #1:
tuned: local root exploit in D-Bus method instance_create and other issues in tuned >= 2.23 (CVE-2024-52336, CVE-2024-523… (Matthias Gerstner <mgerstner@...e.de>)
- 2024/11/27 #3:
Multiple vulnerabilities in Jenkins and Jenkins plugins (Daniel Beck <ml@...kweb.net>)
- 2024/11/27 #2:
WebKitGTK and WPE WebKit Security Advisory WSA-2024-0007 (Adrian Perez de Castro <aperez@...lia.com>)
- 2024/11/27 #1:
authentik: remote timing attack in MetricsView HTTP Basic Auth (CVE-2024-52307) (Matthias Gerstner <mgerstner@...e.de>)
- 2024/11/26 #6:
Re: Local Privilege Escalations in needrestart (Mark Esler <mark.esler@...onical.com>)
- 2024/11/26 #5:
CVE-2024-51569: Apache NimBLE: Lack of input sanitization leading to out-of-bound reads in Number of Completed Packets HCI event … (Szymon Janc <janc@...che.org>)
- 2024/11/26 #4:
CVE-2024-47250: Apache NimBLE: Lack of input validation in HCI advertising report could lead to potential out-of-bound access (Szymon Janc <janc@...che.org>)
- 2024/11/26 #3:
CVE-2024-47249: Apache NimBLE: Lack of input sanitization leading to out-of-bound reads in multiple advertisement handler (Szymon Janc <janc@...che.org>)
- 2024/11/26 #2:
CVE-2024-47248: Apache NimBLE: Buffer overflow in NimBLE MESH Bluetooth stack (Szymon Janc <janc@...che.org>)
- 2024/11/26 #1:
Re: Article: State of Sandboxing in Linux (Ali Polatel <alip@...sys.org>)
- 2024/11/25 #5:
Re: Article: State of Sandboxing in Linux (Evan Carroll <me@...ncarroll.com>)
- 2024/11/25 #4:
Re: Article: State of Sandboxing in Linux (Ali Polatel <alip@...sys.org>)
- 2024/11/25 #3:
Re: Article: State of Sandboxing in Linux (Ali Polatel <alip@...sys.org>)
- 2024/11/25 #2:
Re: Article: State of Sandboxing in Linux (Eli Schwartz <eschwartz@...too.org>)
- 2024/11/25 #1:
Re: Article: State of Sandboxing in Linux (Evan Carroll <me@...ncarroll.com>)
- 2024/11/24 #1:
Re: Article: State of Sandboxing in Linux (Mickaël Salaün <mic@...ikod.net>)
- 2024/11/22 #1:
CVE-2024-45719: Apache Answer: Predictable Authorization Token Using UUIDv1 (Enxin Xie <linkinstar@...che.org>)
- 2024/11/20 #2:
CVE-2024-52067: Apache NiFi: Potential Insertion of Sensitive Parameter Values in Debug Log (David Handermann <exceptionfactory@...che.org>)
- 2024/11/20 #1:
[kubernetes] CVE-2024-10220: Arbitrary command execution through gitRepo volume (Craig Ingram <cjingram@...gle.com>)
- 2024/11/19 #1:
Local Privilege Escalations in needrestart (Qualys Security Advisory <qsa@...lys.com>)
- 2024/11/18 #6:
Fwd: wget-1.25.0 released [fixes CVE-2024-10524] (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2024/11/18 #5:
CVE-2024-31141: Apache Kafka Clients: Privilege escalation to filesystem read-access via automatic ConfigProvider (Greg Harris <gharris@...che.org>)
- 2024/11/18 #4:
CVE-2024-52318: Apache Tomcat: Incorrect JSP tag recycling leads to XSS (Mark Thomas <markt@...che.org>)
- 2024/11/18 #3:
CVE-2024-52317: Apache Tomcat: Request/response mix-up with HTTP/2 (Mark Thomas <markt@...che.org>)
- 2024/11/18 #2:
CVE-2024-52316: Apache Tomcat: Authentication bypass when using Jakarta Authentication API (Mark Thomas <markt@...che.org>)
- 2024/11/18 #1:
Re: shell wildcard expansion (un)safety (Sean Whitton <spwhitton@...hitton.name>)
- 2024/11/17 #1:
Re: PostgreSQL: 4 CVEs fixed in 17.1, 16.5, 15.9, 14.14, 13.17, 12.21 (Solar Designer <solar@...nwall.com>)
- 2024/11/16 #7:
PostgreSQL: 4 CVEs fixed in 17.1, 16.5, 15.9, 14.14, 13.17, 12.21 (Solar Designer <solar@...nwall.com>)
- 2024/11/16 #6:
CVE-2024-41151: Apache HertzBeat: RCE by notice template injection vulnerability (Chao Gong <gongchao@...che.org>)
- 2024/11/16 #5:
CVE-2024-45791: Apache HertzBeat: Exposure sensitive token via http GET method with query string (Chao Gong <gongchao@...che.org>)
- 2024/11/16 #4:
CVE-2024-45505: Apache HertzBeat (incubating): Exists Native Deser RCE and file writing vulnerabilities (Chao Gong <gongchao@...che.org>)
- 2024/11/16 #3:
CVE-2024-47208: Apache OFBiz: URLs allowing remote use of Groovy expressions, leading to RCE (Jacques Le Roux <jleroux@...che.org>)
- 2024/11/16 #2:
CVE-2024-48962: Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF lea… (Jacques Le Roux <jleroux@...che.org>)
- 2024/11/16 #1:
Re: shell wildcard expansion (un)safety (Steffen Nurpmeso <steffen@...oden.eu>)
- 2024/11/15 #1:
CVE-2024-45784: Apache Airflow: Sensitive configuration values are not masked in the logs by default (Ephraim Anierobi <ephraimanierobi@...che.org>)
- 2024/11/13 #2:
Multiple vulnerabilities in Jenkins plugins (Daniel Beck <ml@...kweb.net>)
- 2024/11/13 #1:
[ANNOUNCE] Apache Traffic Server is vulnerable to specific user inputs (Masakazu Kitajo <maskit@...che.org>)
- 2024/11/12 #11:
CVE-2024-52533: Buffer overflow in socks proxy code in glib < 2.82.1 (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2024/11/12 #10:
Re: Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables (Demi Marie Obenour <demi@...isiblethingslab.com>)
- 2024/11/12 #9:
Re: shell wildcard expansion (un)safety (Ali Polatel <alip@...sys.org>)
- 2024/11/12 #8:
Re: 4 recent security bugs in GNOME's libsoup (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2024/11/12 #7:
Re: Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables (Andrew Cooper <andrew.cooper3@...rix.com>)
- 2024/11/12 #6:
RE: CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets (Joel GUITTET <jguittet.opensource@...ekio.com>)
- 2024/11/12 #5:
Re: CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets (Clemens Lang <cllang@...hat.com>)
- 2024/11/12 #4:
Re: CVE-2024-36905: Linux kernel: Divide-by-zero on shutdown of TCP_SYN_RECV sockets (Solar Designer <solar@...nwall.com>)
- 2024/11/12 #3:
CVE-2024-50386: Apache CloudStack: Directly downloaded templates can be used to abuse KVM-based infrastructure (Daniel Augusto Veronezi Salvador <gutoveronezi…)
- 2024/11/12 #2:
Xen Security Advisory 463 v2 (CVE-2024-45818) - Deadlock in x86 HVM standard VGA handling (Xen.org security team <security@....org>)
- 2024/11/12 #1:
Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables (Xen.org security team <security@....org>)
- 2024/11/10 #4:
Re: shell wildcard expansion (un)safety (Fay Stegerman <flx@...usk.net>)
- 2024/11/10 #3:
Re: shell wildcard expansion (un)safety (Jeroen Roovers <jer@...all.nl>)
- 2024/11/10 #2:
Re: shell wildcard expansion (un)safety (lists@...atla.org.uk)
- 2024/11/10 #1:
Re: shell wildcard expansion (un)safety (Eli Schwartz <eschwartz@...too.org>)
- 2024/11/09 #2:
4 recent security bugs in GNOME's libsoup (Alan Coopersmith <alan.coopersmith@...cle.com>)
30691 messages