oss-security mailing list

Follow @Openwall on Twitter for new release announcements and other news

oss-security mailing list

	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2025	92	75	93	105	94	100	69	75
2024	80	100	178	197	72	47	128	107	58	52	87	44
2023	69	62	100	107	99	78	87	60	122	198	86	101
2022	116	50	47	79	83	58	77	86	76	70	95	108
2021	92	91	98	90	88	59	61	82	49	76	60	47
2020	52	47	38	82	70	67	76	64	71	85	90	66
2019	102	48	49	86	51	103	107	80	71	75	67	70
2018	122	81	84	81	71	104	71	135	78	120	75	84
2017	252	278	171	171	209	278	225	157	214	162	196	93
2016	258	207	271	183	267	193	214	184	287	294	257	241
2015	377	336	355	319	277	243	266	197	195	206	205	208
2014	214	252	249	211	183	317	273	201	413	485	382	318
2013	217	323	246	258	200	201	260	265	163	203	182	199
2012	333	189	294	216	234	128	150	207	234	192	191	161
2011	153	169	318	354	159	224	258	164	137	203	241	146
2010	72	96	123	118	115	142	119	144	203	84	187	139
2009	89	81	75	114	96	59	84	99	102	122	108	74
2008		104	103	143	136	112	150	125	127	123	128	107

Recent messages:

2025/08/28 #4: Re: CVE-2025-8067 - UDisks (Solar Designer <solar@...nwall.com>)
2025/08/28 #3: CVE-2025-58047: DoS in Volto (Plone CMS) ("Maurits van Rees (Plone)" <maurits@...ne.org>)
2025/08/28 #2: Xen Security Advisory 471 v2 (CVE-2024-36350,CVE-2024-36357) - x86: Transitive Scheduler Attacks (Xen.org security team <security@....org>)
2025/08/28 #1: CVE-2025-8067 - UDisks (Marco Benatto <mbenatto@...hat.com>)
2025/08/27 #1: ISC has disclosed one vulnerability in Kea (CVE-2025-40779) (Ben Scott <bscott@....org>)
2025/08/26 #2: Re: libssh2 Base64 Encoding Heap Overflow in Known Hosts SHA1 Hash Processing (Solar Designer <solar@...nwall.com>)
2025/08/26 #1: libssh2 Base64 Encoding Heap Overflow in Known Hosts SHA1 Hash Processing (Dhiraj Mishra <mishra.dhiraj95@...il.com>)
2025/08/22 #4: CVE-2025-43023 in HPLIP for Use of 1024-bit DSA Key (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/08/22 #3: CVE-2025-54813: Apache Log4cxx: Improper escaping with JSONLayout (Piotr Karwasz <pkarwasz@...che.org>)
2025/08/22 #2: CVE-2025-54812: Apache Log4cxx: Improper HTML escaping in HTMLLayout (Piotr Karwasz <pkarwasz@...che.org>)
2025/08/22 #1: CVE-2024-48988: Apache StreamPark: SQL injection vulnerability (Huajie Wang <benjobs@...che.org>)
2025/08/21 #1: Re: CVE-2025-54988: Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA (Hanno Böck <hanno@...eck.de>)
2025/08/20 #4: Re: HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames (Nick Tait <ntait@...hat.com>)
2025/08/20 #3: CVE-2025-54988: Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA (Tim Allison <tallison@...che.org>)
2025/08/20 #2: CVE-2025-54988: Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA (Tim Allison <tallison@...che.org>)
2025/08/20 #1: Security pre-notification policy for vLLM project (Huzaifa Sidhpurwala <huzaifas@...hat.com>)
2025/08/19 #6: Re: Question about (in)security of fdk-aac-free in linux distros (Demi Marie Obenour <demiobenour@...il.com>)
2025/08/19 #5: Re: Question about (in)security of fdk-aac-free in linux distros (Martin Storsjö <martin@...tin.st>)
2025/08/19 #4: Re: blocking weird file names (was: xterm terminal crash due to malicious character sequences in file name) (Ali Polatel <alip@...sys.org>)
2025/08/19 #3: Re: blocking weird file names (was: xterm terminal crash due to malicious character sequences in file name) (Simon McVittie <smcv@...ian.org>)
2025/08/19 #2: Re: blocking weird file names (was: xterm terminal crash due to malicious character sequences in file name) (Jacob Bachmeyer <jcb62281@...il.com>)
2025/08/19 #1: Re: RSYNC: 6 vulnerabilities (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/08/18 #4: CVE-2025-53192: Apache Commons OGNL: Expression Injection leading to RCE (Arnout Engelen <engelen@...che.org>)
2025/08/18 #3: Re: Local information disclosure in apport and systemd-coredump (Solar Designer <solar@...nwall.com>)
2025/08/18 #2: Re: xterm terminal crash due to malicious character sequences in file name ("David A. Wheeler" <dwheeler@...eeler.com>)
2025/08/18 #1: Re: xterm terminal crash due to malicious character sequences in file name (Vincent Lefevre <vincent@...c17.net>)
2025/08/17 #3: Re: xterm terminal crash due to malicious character sequences in file name (Erik Auerswald <auerswal@...x-ag.uni-kl.de>)
2025/08/17 #2: Re: xterm terminal crash due to malicious character sequences in file name (Solar Designer <solar@...nwall.com>)
2025/08/17 #1: Re: xterm terminal crash due to malicious character sequences in file name (Vincent Lefevre <vincent@...c17.net>)
2025/08/16 #2: Re: xterm terminal crash due to malicious character sequences in file name (Collin Funk <collin.funk1@...il.com>)
2025/08/16 #1: Re: HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/08/15 #2: Re: Question about (in)security of fdk-aac-free in linux distros (Jordan Glover <Golden_Miller83@...tonmail.ch>)
2025/08/15 #1: Re: Question about (in)security of fdk-aac-free in linux distros (Demi Marie Obenour <demiobenour@...il.com>)
2025/08/14 #8: CVE-2025-54409 - aide (>= 0.13 <= 0.19.1): null pointer dereference after reading incorrectly encoded xattr attributes … (Hannes von Haugwitz <hannes@...haugwitz…)
2025/08/14 #7: CVE-2025-54389 - aide (<= 0.19.1): improper output neutralization (potential AIDE detection bypass) (Hannes von Haugwitz <hannes@...haugwitz.com>)
2025/08/14 #6: CVE-2025-55675: Apache Superset: Incorrect datasource authorization on REST API (Daniel Gaspar <dpgaspar@...che.org>)
2025/08/14 #5: CVE-2025-55674: Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions (Daniel Gaspar <dpgaspar@...che.org>)
2025/08/14 #4: CVE-2025-55672: Apache Superset: Store XSS on charts metadata (Daniel Gaspar <dpgaspar@...che.org>)
2025/08/14 #3: CVE-2025-55673: Apache Superset: Metadata exposure in embedded charts (Daniel Gaspar <dpgaspar@...che.org>)
2025/08/14 #2: Re: Question about (in)security of fdk-aac-free in linux distros (Martin Storsjö <martin@...tin.st>)
2025/08/14 #1: Re: Question about (in)security of fdk-aac-free in linux distros (Sam James <sam@...too.org>)
2025/08/13 #9: Question about (in)security of fdk-aac-free in linux distros (Jordan Glover <Golden_Miller83@...tonmail.ch>)
2025/08/13 #8: Re: xterm terminal crash due to malicious character sequences in file name (Erik Auerswald <auerswal@...x-ag.uni-kl.de>)
2025/08/13 #7: Re: xterm terminal crash due to malicious character sequences in file name (Thomas Dickey <dickey@....com>)
2025/08/13 #6: HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/08/13 #5: CVE-2025-53859: nginx: ngx_mail_smtp_module buffer over-read potentially resulting in sensitive information leak (Solar Designer <solar@...nwall.com>)
2025/08/13 #4: xterm terminal crash due to malicious character sequences in file name (Vincent Lefevre <vincent@...c17.net>)
2025/08/13 #3: CVE-2025-55668: Apache Tomcat: session fixation via rewrite valve (Mark Thomas <markt@...che.org>)
2025/08/13 #2: CVE-2025-48989: Apache Tomcat: h2 DoS - Made You Reset (Mark Thomas <markt@...che.org>)
2025/08/13 #1: Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution (Jens-Wolfhard Schicke-Uffmann <drahflow@....de>)
2025/08/12 #2: CVE-2025-54472: Apache bRPC: Redis Parser Remote Denial of Service (Wang Weibing <wwbmmm@...che.org>)
2025/08/12 #1: CVE-2025-40920: Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl use insecurely generated nonce… (Robert Rothenberg <rrwo@...n.org>)
2025/08/11 #4: Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution (lunbun <lunbun021@...il.com>)
2025/08/11 #3: Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution (Vincent Lefevre <vincent@...c17.net>)
2025/08/11 #2: Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution (Jacob Bachmeyer <jcb62281@...il.com>)
2025/08/11 #1: Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution (lunbun <lunbun021@...il.com>)
2025/08/10 #5: Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution (Jacob Bachmeyer <jcb62281@...il.com>)
2025/08/10 #4: [vim-security] A double-free was found in Vim >v9.1.1231 and < 9.1.1406 (Christian Brabandt <cb@...bit.org>)
2025/08/10 #3: [vim-security] heap use-after-free was found in Vim < 9.1.1400 (Christian Brabandt <cb@...bit.org>)
2025/08/10 #2: Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution (lunbun <lunbun021@...il.com>)
2025/08/10 #1: Re: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution (Jacob Bachmeyer <jcb62281@...il.com>)
2025/08/09 #1: CVE-2025-55188: 7-Zip: Arbitrary file write on extraction, may lead to code execution (lunbun <lunbun021@...il.com>)
2025/08/08 #2: Re: StarDict sends the user's X11 selection to the network (Maytham Alsudany <maytham@...ian.org>)
2025/08/08 #1: Re: Five new CVEs published for Cyberark Conjur OSS (Solar Designer <solar@...nwall.com>)
2025/08/07 #2: CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE (Colm O hEigeartaigh <coheigea@...che.org>)
2025/08/07 #1: CVE-2025-53606: Apache Seata (incubating): Deserialization of untrusted Data in Apache Seata Server (Min Ji <jimin@...che.org>)
2025/08/06 #1: CVE-2025-47906 & CVE-2025-47907 fixed in Go 1.24.6 & 1.23.12 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/08/05 #1: CVE-2025-54466: Apache OFBiz: RCE Vulnerability in scrum plugin (Nicolas Malin <nmalin@...che.org>)
2025/08/04 #1: StarDict sends the user's X11 selection to the network (Vincent Lefevre <vincent@...c17.net>)
2025/08/03 #5: CVE-2024-51775: Apache Zeppelin: Command Injection via CSWSH (PJ Fanning <fanningpj@...che.org>)
2025/08/03 #4: CVE-2024-41177: Apache Zeppelin: XSS in the Helium module (PJ Fanning <fanningpj@...che.org>)
2025/08/03 #3: CVE-2024-52279: Apache Zeppelin: Arbitrary file read by adding malicious JDBC connection string (PJ Fanning <fanningpj@...che.org>)
2025/08/03 #2: Re: Linux kernel: eBPF vulnerabilities (Demi Marie Obenour <demiobenour@...il.com>)
2025/08/03 #1: Linux kernel: eBPF vulnerabilities (Solar Designer <solar@...nwall.com>)
2025/08/02 #1: WebKitGTK and WPE WebKit Security Advisory WSA-2025-0005 (Adrian Perez de Castro <aperez@...lia.com>)
2025/07/31 #1: Rtpengine: RTP Inject and RTP Bleed vulnerabilities despite proper configuration (CVSS v4.0 Score: 9.3 / Critical) ("Sandro Gauci" <sandro@...blesecurity.com>)
2025/07/30 #3: CVE-2025-24854: Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Image plugin (Juan Pablo Santos Rodríguez <juanpablo@...che.org>)
2025/07/30 #2: CVE-2025-24853: Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Header Link processing (Juan Pablo Santos Rodríguez <juanpablo@...che.org>)
2025/07/30 #1: CVE-2025-54656: Apache Struts Extras: Improper Output Neutralization for Logs (Arnout Engelen <engelen@...che.org>)
2025/07/29 #1: Re: Fwd:[CVE-2025-8194] Cpython Tarfile infinite loop during parsing with negative member offset (Seth Larson <seth@...hon.org>)
2025/07/28 #2: Re: Fwd:[CVE-2025-8194] Cpython Tarfile infinite loop during parsing with negative member offset (Mats Wichmann <mats@...hmann.us>)
2025/07/28 #1: Fwd:[CVE-2025-8194] Cpython Tarfile infinite loop during parsing with negative member offset (Alan Coopersmith <alan.coopersmith@...cle.com>)
2025/07/24 #2: CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64 (Eric Covener <covener@...che.org>)
2025/07/24 #1: Re: CVE-2025-30761：A vulnerability in JDK's Nashorn Allows for Arbitrary Code Execution ("liyajie" <liyajie@...neuler.sh>)
2025/07/23 #1: The GNU C Library security advisories update for 2025-07-23 (Adhemerval Zanella Netto <adhemerval.zanella@...aro.org>)
2025/07/22 #3: non-issues in dailyaidecheck script in Debian's packaging of AIDE (Solar Designer <solar@...nwall.com>)
2025/07/22 #2: Re: Fwd: Node.js security updates for all active release lines, July 2025 (Solar Designer <solar@...nwall.com>)
2025/07/22 #1: [kubernetes] CVE-2025-7342: VM images built with Kubernetes Image Builder Nutanix or OVA providers use default credentials … (Rita Zhang <rita.z.zhang@...il.com>)
2025/07/21 #3: Re: CVE-2025-30761：A vulnerability in JDK's Nashorn Allows for Arbitrary Code Execution (Moritz Bechler <mbechler@...terphace.org>)
2025/07/21 #2: CVE-2025-50151: Apache Jena: Configuration files uploaded by administrative users are not check properly (Andy Seaborne <andy@...che.org>)
2025/07/21 #1: CVE-2025-49656: Apache Jena: Administrative users can create files outside the server directory space via the admin UI (Andy Seaborne <andy@...che.org>)
2025/07/18 #3: Re: CVE-2025-53367: An exploitable OOB write in DjVuLibre (Kevin Backhouse <kevinbackhouse@...hub.com>)
2025/07/18 #2: CVE-2025-53817: Null pointer dereference in 7-Zip before 25.00 (Jaras <jarlob@...il.com>)
2025/07/18 #1: CVE-2025-53816: Memory corruption in 7-Zip before 25.00 (Jaras <jarlob@...il.com>)
2025/07/16 #7: Five new CVEs published for Cyberark Conjur OSS (Andy Tinkham <andy.tinkham@...erark.com>)
2025/07/16 #6: ISC has disclosed one vulnerability in BIND 9 (CVE-2025-40777) ("Everett B. Fulton" <ebf@....org>)
2025/07/16 #5: CVE-2025-40918: Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely (Robert Rothenberg <rrwo@...n.org>)
2025/07/16 #4: CVE-2025-40923: Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely (Robert Rothenberg <rrwo@...n.org>)
2025/07/16 #3: CVE-2025-23267：A vulnerability in NVIDIA Container Toolkit can lead to container escape. ("liyajie" <liyajie@...neuler.sh>)
2025/07/16 #2: Fwd: Node.js security updates for all active release lines, July 2025 (Rafael Gonzaga <work@...aelgss.dev>)

31402 messages

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.