oss-security mailing list

Follow @Openwall on Twitter for new release announcements and other news

oss-security mailing list

	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2025	79
2024	80	100	178	197	72	47	128	107	58	52	87	44
2023	69	62	100	107	99	78	87	60	122	198	86	101
2022	116	50	47	79	83	58	77	86	76	70	95	108
2021	92	91	98	90	88	59	61	82	49	76	60	47
2020	52	47	38	82	70	67	76	64	71	85	90	66
2019	102	48	49	86	51	103	107	80	71	75	67	70
2018	122	81	84	81	71	104	71	135	78	120	75	84
2017	252	278	171	171	209	278	225	157	214	162	196	93
2016	258	207	271	183	267	193	214	184	287	294	257	241
2015	377	336	355	319	277	243	266	197	195	206	205	208
2014	214	252	249	211	183	317	273	201	413	485	382	318
2013	217	323	246	258	200	201	260	265	163	203	182	199
2012	333	189	294	216	234	128	150	207	234	192	191	161
2011	153	169	318	354	159	224	258	164	137	203	241	146
2010	72	96	123	118	115	142	119	144	203	84	187	139
2009	89	81	75	114	96	59	84	99	102	122	108	74
2008		104	103	143	136	112	150	125	127	123	128	107

Recent messages:

2025/01/26 #2: CVE-2024-52012: Apache Solr: Configset upload on Windows allows arbitrary path write-access (Jason Gerlowski <gerlowskija@...che.org>)
2025/01/26 #1: CVE-2025-24814: Apache Solr: Core-creation with "trusted" configset can use arbitrary untrusted files (Jason Gerlowski <gerlowskija@...che.org>)
2025/01/25 #6: Re: Oracle January 2025 Critical Patch Update (Sam James <sam@...too.org>)
2025/01/25 #5: Re: Re: [External] : Fwd: Oracle January 2025 Critical Patch Update ("Douglas R. Reno" <renodr@...uxfromscratch.org>)
2025/01/25 #4: Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 (Pete Allor <pallor@...hat.com>)
2025/01/25 #3: Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 (Greg KH <greg@...ah.com>)
2025/01/25 #2: Re: Re: [External] : Fwd: Oracle January 2025 Critical Patch Update (Solar Designer <solar@...nwall.com>)
2025/01/25 #1: Re: issue with stuck Mitre CVE requests (Mark Esler <mark.esler@...onical.com>)
2025/01/24 #6: 7-Zip Mark-of-the-Web Bypass Vulnerability on Windows platforms (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/01/24 #5: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/01/24 #4: Re: [External] : Fwd: Oracle January 2025 Critical Patch Update (Bruce Lowenthal <bruce.lowenthal@...cle.com>)
2025/01/24 #3: dde-api-proxy: Authentication Bypass in Deepin D-Bus Proxy Service (CVE-2025-23222) (Matthias Gerstner <mgerstner@...e.de>)
2025/01/24 #2: Re: Re: [External] : Fwd: Oracle January 2025 Critical Patch Update ("Douglas R. Reno" <renodr@...uxfromscratch.org>)
2025/01/24 #1: Re: Oracle January 2025 Critical Patch Update (Solar Designer <solar@...nwall.com>)
2025/01/23 #8: Re: [External] : Fwd: Oracle January 2025 Critical Patch Update (Solar Designer <solar@...nwall.com>)
2025/01/23 #7: Re: issue with stuck Mitre CVE requests (Pete Allor <pallor@...hat.com>)
2025/01/23 #6: Re: Oracle January 2025 Critical Patch Update (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/01/23 #5: Re: [External] : Fwd: Oracle January 2025 Critical Patch Update (Bruce Lowenthal <bruce.lowenthal@...cle.com>)
2025/01/23 #4: Re: Oracle January 2025 Critical Patch Update (John Haxby <john.haxby@...cle.com>)
2025/01/23 #3: Re: issue with stuck Mitre CVE requests (Matthias Gerstner <mgerstner@...e.de>)
2025/01/23 #2: Re: CVE-2025-0395: Buffer overflow in the GNU C Library's assert() (Qualys Security Advisory <qsa@...lys.com>)
2025/01/23 #1: Oracle January 2025 Critical Patch Update (Solar Designer <solar@...nwall.com>)
2025/01/22 #12: CVE-2024-53299: Apache Wicket: An attacker can intentionally trigger a memory leak (Pedro Henrique Oliveira dos Santos <pedro@...che.org>)
2025/01/22 #11: Re: Open Virtual Network egress access control list bypass. (Mark Michelson <mmichels@...hat.com>)
2025/01/22 #10: Multiple vulnerabilities in Jenkins plugins (Kevin Guerroudj <kguerroudj@...udbees.com>)
2025/01/22 #9: Re: AMD Microcode Signature Verification Vulnerability (Tavis Ormandy <taviso@...il.com>)
2025/01/22 #8: Re: issue with stuck Mitre CVE requests (Pedro Sampaio <psampaio@...hat.com>)
2025/01/22 #7: Re: issue with stuck Mitre CVE requests (Johannes Segitz <jsegitz@...e.de>)
2025/01/22 #6: Re: AMD Microcode Signature Verification Vulnerability (Demi Marie Obenour <demi@...isiblethingslab.com>)
2025/01/22 #5: Open Virtual Network egress access control list bypass. (Mark Michelson <mmichels@...hat.com>)
2025/01/22 #4: CVE-2025-0395: Buffer overflow in the GNU C Library's assert() (Qualys Security Advisory <qsa@...lys.com>)
2025/01/22 #3: Re: issue with stuck Mitre CVE requests (Greg KH <greg@...ah.com>)
2025/01/22 #2: issue with stuck Mitre CVE requests (Matthias Gerstner <mgerstner@...e.de>)
2025/01/22 #1: AMD Microcode Signature Verification Vulnerability (Tavis Ormandy <taviso@...il.com>)
2025/01/21 #10: CERT/CC VU#199397 - Insecure Implementation of Tunneling Protocols (GRE/IPIP/4in6/6in4) (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/01/21 #9: CVE-2024-51941: Apache Ambari: Remote Code Injection in Ambari Metrics and AMS Alerts (Viraj Jasani <vjasani@...che.org>)
2025/01/21 #8: CVE-2025-23196: Apache Ambari: Code Injection Vulnerability in Ambari Alert Definition (Viraj Jasani <vjasani@...che.org>)
2025/01/21 #7: CVE-2025-23195: Apache Ambari: XML External Entity (XXE) Vulnerability in Ambari/Oozie (Viraj Jasani <vjasani@...che.org>)
2025/01/21 #6: Fwd: Node.js security updates for all active release lines, January 2025 (Rafael Gonzaga <work@...aelgss.dev>)
2025/01/21 #5: Node.js security updates: CVE-2025-23083, CVE-2025-23084, CVE-2025-23085 (Jan Schaumann <jschauma@...meister.org>)
2025/01/21 #4: CVE-2024-45479: Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost (Velmurugan Periasamy <vel@...che.org>)
2025/01/21 #3: CVE-2024-45478: Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input (Velmurugan Periasamy <vel@...che.org>)
2025/01/21 #2: Re: Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 (Christian Brabandt <cb@...bit.org>)
2025/01/21 #1: Re: Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 (Eli Schwartz <eschwartz@...too.org>)
2025/01/20 #4: Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 (Christian Brabandt <cb@...bit.org>)
2025/01/20 #3: CVE-2025-23184: Apache CXF: Denial of Service vulnerability with temporary files (Colm O hEigeartaigh <coheigea@...che.org>)
2025/01/20 #2: CVE-2024-13176: OpenSSL: Timing side-channel in ECDSA signature computation (Tomas Mraz <tomas@...nssl.org>)
2025/01/20 #1: fdroidserver AllowedAPKSigningKeys certificate pinning fundamentally unreliable (Fay Stegerman <flx@...usk.net>)
2025/01/18 #2: Re: git: 2 vulnerabilities fixed (Salvatore Bonaccorso <carnil@...ian.org>)
2025/01/18 #1: WriteFreely exposes database credentials though insecure file permissions (Fay Stegerman <flx@...usk.net>)
2025/01/17 #1: Go 1.23.5 and Go 1.22.11 are released with 2 security fixes (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/01/16 #5: Re: Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) (Russ Allbery <eagle@...ie.org>)
2025/01/16 #4: Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) (Steffen Nurpmeso <steffen@...oden.eu>)
2025/01/16 #3: Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) (Matthias Gerstner <mgerstner@...e.de>)
2025/01/16 #2: Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) (Jacob Bachmeyer <jcb62281@...il.com>)
2025/01/16 #1: [kubernetes] CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API ("Vellore Rajakumar, Sri Saran Balaji" <srajakum@...zon.com>)
2025/01/15 #2: Session (a fork of the Signal private messaging app) is sus (Soatok Dreamseeker <soatok.dhole@...il.com>)
2025/01/15 #1: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) (Matthias Gerstner <mgerstner@...e.de>)
2025/01/14 #7: Re: RSYNC: 6 vulnerabilities (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/01/14 #6: Re: RSYNC: 6 vulnerabilities (Jan Schaumann <jschauma@...meister.org>)
2025/01/14 #5: Fwd: Node.js security updates for all active release lines, January 2025 (Rafael Gonzaga <work@...aelgss.dev>)
2025/01/14 #4: git: 2 vulnerabilities fixed (Johannes Schindelin <Johannes.Schindelin@....de>)
2025/01/14 #3: RSYNC: 6 vulnerabilities (Nick Tait <ntait@...hat.com>)
2025/01/14 #2: CVE-2024-56374: Django: Potential denial-of-service vulnerability in IPv6 validation (Natalia Bidart <nataliabidart@...ngoproject.com>)
2025/01/14 #1: CVE-2024-45627: Apache Linkis Metadata Query Service JDBC: JDBC Datasource Module with Mysql has file read vulnerability (Heping Wang <peacewong@...che.org>)
2025/01/13 #1: CVE-2025-22828: Apache CloudStack: Unauthorised access to annotations (Nux <nux@...che.org>)
2025/01/11 #1: [vim-security] heap-buffer-overflow in Vim < 9.1.1003 (Christian Brabandt <cb@...bit.org>)
2025/01/08 #3: "/bin/sh: The Biggest Unix Security Loophole" paper from 1984 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/01/08 #2: CVE-2024-45033: Apache Airflow Fab Provider: Application does not invalidate session after password change via Airflow cli (Elad Kalif <eladkal@...che.org>)
2025/01/08 #1: CVE-2024-54676: Apache OpenMeetings: Deserialisation of untrusted data in cluster mode (Maxim Solodovnik <solomax@...che.org>)
2025/01/07 #1: Re: Linux: general protection fault in __vmx_vcpu_run with nested virtualization (Solar Designer <solar@...nwall.com>)
2025/01/06 #3: Re: Linux: general protection fault in __vmx_vcpu_run with nested virtualization (Demi Marie Obenour <demi@...isiblethingslab.com>)
2025/01/06 #2: Re: Linux: general protection fault in __vmx_vcpu_run with nested virtualization (Greg KH <greg@...ah.com>)
2025/01/06 #1: Linux: general protection fault in __vmx_vcpu_run with nested virtualization (Linfeng Sun <slf@....edu.cn>)
2025/01/05 #2: Re: Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks (Solar Designer <solar@...nwall.com>)
2025/01/05 #1: Re: Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks (Jürgen Groß <jgross@...e.com>)
2025/01/03 #3: Re: GStreamer 1.24.10 stable security bug-fix release (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/01/03 #2: iTerm2 < 3.5.11 logs input/ouput to /tmp/framer.txt on remote host (Jan Schaumann <jschauma@...meister.org>)
2025/01/03 #1: Another fdroidserver AllowedAPKSigningKeys certificate pinning bypass (Fay Stegerman <flx@...usk.net>)
2024/12/28 #1: CVE-2024-56512: Apache NiFi: Missing Complete Authorization for Parameter and Service References (David Handermann <exceptionfactory@...che.org>)
2024/12/26 #2: Re: CVE-2024-40896 Analysis: libxml2 XXE due to type confusion (Solar Designer <solar@...nwall.com>)
2024/12/26 #1: Re: CVE-2024-40896 Analysis: libxml2 XXE due to type confusion (Demi Marie Obenour <demi@...isiblethingslab.com>)
2024/12/25 #3: Re: CVE-2024-40896 Analysis: libxml2 XXE due to type confusion (Solar Designer <solar@...nwall.com>)
2024/12/25 #2: CVE-2024-40896 Analysis: libxml2 XXE due to type confusion (Yair Mizrahi <yairm@...og.com>)
2024/12/25 #1: CVE-2024-52046: Apache MINA: MINA applications using unbounded deserialization may allow RCE (Emmanuel Lécharny <elecharny@...che.org>)
2024/12/24 #2: CVE-2024-43441: Apache HugeGraph-Server: Fixed JWT Token(Secret) (Imba Jin <jin@...che.org>)
2024/12/24 #1: Re: Re: Out-of-bounds read & write in the glibc's qsort() (Yuri Gribov <tetra2005@...il.com>)
2024/12/23 #6: Re: Re: Out-of-bounds read & write in the glibc's qsort() (Yuri Gribov <tetra2005@...il.com>)
2024/12/23 #5: Re: Re: Out-of-bounds read & write in the glibc's qsort() (Florian Weimer <fweimer@...hat.com>)
2024/12/23 #4: Re: Re: Out-of-bounds read & write in the glibc's qsort() (Florian Weimer <fweimer@...hat.com>)
2024/12/23 #3: CVE-2024-45387: Apache Traffic Control: SQL Injection in Traffic Ops endpoint PUT deliveryservice_request_comments (Eric Friedrich <friede@...che.org>)
2024/12/23 #2: CVE-2024-23945: Apache Hive and Spark: CookieSigner exposes the correct signature when message verification fails (Stamatis Zampetakis <zabetak@...che.org>)
2024/12/23 #1: Re: Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks (David Woodhouse <dwmw2@...radead.org>)
2024/12/22 #1: WebKitGTK and WPE WebKit Security Advisory WSA-2024-0008 (Adrian Perez de Castro <aperez@...lia.com>)
2024/12/21 #3: Re: Re: Out-of-bounds read & write in the glibc's qsort() (Jan Engelhardt <ej@...i.de>)
2024/12/21 #2: Re: Out-of-bounds read & write in the glibc's qsort() (Yuri Gribov <tetra2005@...il.com>)
2024/12/21 #1: Fwd: Operational Notification: BIND 9.20 defect in QPzone implementation (Solar Designer <solar@...nwall.com>)
2024/12/20 #1: CVE-2024-56337: Apache Tomcat: RCE due to TOCTOU issue in JSP compilation - CVE-2024-50379 mitigation was incomplete (Mark Thomas <markt@...che.org>)
2024/12/19 #1: SSSD: Weaknesses in Privilege Separation due to Issues in Privileged Helper Programs (Matthias Gerstner <mgerstner@...e.de>)
2024/12/18 #3: CVE-2024-56128: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption (Manikumar <manikumar@...che.org>)

30778 messages

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.