oss-security mailing list

Follow @Openwall on Twitter for new release announcements and other news

oss-security mailing list

	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2026	141	103	190	311	164
2025	92	75	93	105	94	100	69	75	107	112	106	140
2024	80	100	178	197	72	47	128	107	58	52	87	44
2023	69	62	100	107	99	78	87	60	122	198	86	101
2022	116	50	47	79	83	58	77	86	76	70	95	108
2021	92	91	98	90	88	59	61	82	49	76	60	47
2020	52	47	38	82	70	67	76	64	71	85	90	66
2019	102	48	49	86	51	103	107	80	71	75	67	70
2018	122	81	84	81	71	104	71	135	78	120	75	84
2017	252	278	171	171	209	278	225	157	214	162	196	93
2016	258	207	271	183	267	193	214	184	287	294	257	241
2015	377	336	355	319	277	243	266	197	195	206	205	208
2014	214	252	249	211	183	317	273	201	413	485	382	318
2013	217	323	246	258	200	201	260	265	163	203	182	199
2012	333	189	294	216	234	128	150	207	234	192	191	161
2011	153	169	318	354	159	224	258	164	137	203	241	146
2010	72	96	123	118	115	142	119	144	203	84	187	139
2009	89	81	75	114	96	59	84	99	102	122	108	74
2008		104	103	143	136	112	150	125	127	123	128	107

Recent messages:

2026/05/10 #8: CVE-2026-8177: XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing… (Stig Palmquist <stig@...g.io>)
2026/05/10 #7: CVE-2026-45191: Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask … (Stig Palmquist <stig@...g.io>)
2026/05/10 #6: CVE-2026-45190: Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which m… (Stig Palmquist <stig@...g.io>)
2026/05/10 #5: CVE-2026-45180: Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids (Robert Rothenberg <rrwo@...nsec.org>)
2026/05/10 #4: CVE-2026-45179: Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses (Robert Rothenberg <rrwo@...nsec.org>)
2026/05/10 #3: CVE-2026-41018: Apache Airflow Providers Elasticsearch: Elasticsearch task-log handlers leak credentials embedded in the hos… (Shahar Epstein <shahar@...che.org>)
2026/05/10 #2: CVE-2026-43826: Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL (Shahar Epstein <shahar@...che.org>)
2026/05/10 #1: Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 (Solar Designer <solar@...nwall.com>)
2026/05/09 #8: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 (Sebastian Pipping <sebastian@...ping.org>)
2026/05/09 #7: CVE-2026-25199: Apache CloudStack: Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access ("Piotr P. Karwasz" <pkarwasz@...che.org>)
2026/05/09 #6: CVE-2026-25077: Apache CloudStack: Unauthenticated Command Injection in Direct Download Templates ("Piotr P. Karwasz" <pkarwasz@...che.org>)
2026/05/09 #5: CVE-2025-69233: Apache CloudStack: Domain/account resources limits not honored ("Piotr P. Karwasz" <pkarwasz@...che.org>)
2026/05/09 #4: CVE-2025-66467: Apache CloudStack: MinIO policy remains intact on bucket deletion ("Piotr P. Karwasz" <pkarwasz@...che.org>)
2026/05/09 #3: CVE-2025-66172: Apache CloudStack: Any user can attach a volume in their VMs from backups they should not have access t… ("Piotr P. Karwasz" <pkarwasz@...che.org…)
2026/05/09 #2: CVE-2025-66171: Apache CloudStack: Any user can create a new VM from backups they should not have access to ("Piotr P. Karwasz" <pkarwasz@...che.org>)
2026/05/09 #1: CVE-2025-66170: Apache CloudStack: Any user can list backups that they should not have access to ("Piotr P. Karwasz" <pkarwasz@...che.org>)
2026/05/08 #20: Go 1.26.3 and Go 1.25.10 are released with 11 security fixes (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/05/08 #19: Re: Re: Dirty Frag: Universal Linux LPE ("Emily Shepherd" <emily@...coat.dev>)
2026/05/08 #18: Re: Re: Dirty Frag: Universal Linux LPE (Greg Dahlman <dahlman@...il.com>)
2026/05/08 #17: CVE-2026-6659: Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts (Robert Rothenberg <rrwo@...nsec.org>)
2026/05/08 #16: BioPython 1.87 fixes CVE-2025-68463 (XXE, SSRF) (Sebastian Pipping <sebastian@...ping.org>)
2026/05/08 #15: Re: Re: Dirty Frag: Universal Linux LPE (Kalin KOZHUHAROV <kalin@...nrope.net>)
2026/05/08 #14: Re: CVE request: io_uring zcrx freelist OOB write (Jens Axboe <axboe@...nel.dk>)
2026/05/08 #13: Re: Copy Fail 2 / Dirty Frag — n-day from public commit, not embargo break (Sam James <sam@...too.org>)
2026/05/08 #12: CVE-2013-10075: Apache::Session versions through 1.94 for Perl re-creates deleted sessions (Robert Rothenberg <rrwo@...nsec.org>)
2026/05/08 #11: Re: Dirty Frag: Universal Linux LPE ("Bernhard R. Link" <brl+oss@...l.brlink.eu>)
2026/05/08 #10: Re: CVE request: io_uring zcrx freelist OOB write (Mohamed salem Eddah <medsalemeddah@...il.com>)
2026/05/08 #9: Re: XSS in Postorius (Mailman 3) 1.3.13 and earlier (Sebastian Pipping <sebastian@...ping.org>)
2026/05/08 #8: Re: Dirty Frag: Universal Linux LPE (Greg KH <greg@...ah.com>)
2026/05/08 #7: Re: Dirty Frag: Universal Linux LPE (Greg KH <greg@...ah.com>)
2026/05/08 #6: Re: Dirty Frag: Universal Linux LPE (Daniel Tang <danielzgtg.opensource@...il.com>)
2026/05/08 #5: Re: XSS in Postorius (Mailman 3) 1.3.13 and earlier (Demi Marie Obenour <demiobenour@...il.com>)
2026/05/08 #4: Re: CVE request: io_uring zcrx freelist OOB write (Solar Designer <solar@...nwall.com>)
2026/05/08 #3: Re: CVE request: io_uring zcrx freelist OOB write (Jens Axboe <axboe@...nel.dk>)
2026/05/08 #2: Re: CVE request: io_uring zcrx freelist OOB write (Pavel Begunkov <asml.silence@...il.com>)
2026/05/08 #1: Re: CVE request: io_uring zcrx freelist OOB write (Benjamin Hays <ben@...hays.org>)
2026/05/07 #12: Copy Fail 2 / Dirty Frag — n-day from public commit, not embargo break (SiCk <sick@...licted.sh>)
2026/05/07 #11: Re: CVE request: io_uring zcrx freelist OOB write (Jens Axboe <axboe@...nel.dk>)
2026/05/07 #10: Re: Dirty Frag: Universal Linux LPE (Sandipan Roy <saroy@...hat.com>)
2026/05/07 #9: [vim-security] Heap Buffer Overflow in spell file loading affects Vim < 9.2.0450 (Christian Brabandt <cb@...bit.org>)
2026/05/07 #8: Dirty Frag: Universal Linux LPE (Hyunwoo Kim <imv4bel@...il.com>)
2026/05/07 #7: Re: CVE request: io_uring zcrx freelist OOB write (Mohamed salem Eddah <medsalemeddah@...il.com>)
2026/05/07 #6: [OSSA-2026-011] OpenStack Cyborg: Multiple access control vulnerabilities in Cyborg accelerator management (CVE-2026-40… (Goutham Pacha Ravi <gouthampravi@...il.…)
2026/05/07 #5: Re: CVE request: io_uring zcrx freelist OOB write (Solar Designer <solar@...nwall.com>)
2026/05/07 #4: Re: Linux kernel: KTLS + sockmap "Reverse Order" Use-After-Free / Data Corruption (Sam James <sam@...too.org>)
2026/05/07 #3: XSS in Postorius (Mailman 3) 1.3.13 and earlier (Alyssa Ross <hi@...ssa.is>)
2026/05/07 #2: Re: Precise disclosure contents for copyfail (Re: CVE-2026-31431: CopyFail: linux local privilege scalation) (Greg KH <greg@...ah.com>)
2026/05/07 #1: Linux kernel: KTLS + sockmap "Reverse Order" Use-After-Free / Data Corruption (Solar Designer <solar@...nwall.com>)
2026/05/06 #8: Vulnerability fixes in Tor 0.4.9.7 (Sam James <sam@...too.org>)
2026/05/06 #7: CVE-2026-40562: Gazelle versions through 0.49 for Perl allows HTTP Request Smuggling via Improper Header Precedence (Robert Rothenberg <rrwo@...nsec.org>)
2026/05/06 #6: CVE-2026-5081: Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure (Robert Rothenberg <rrwo@...nsec.org>)
2026/05/06 #5: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (Eric Biggers <ebiggers@...nel.org>)
2026/05/06 #4: CVE-2026-43975: Apache Wicket: Possible malicious path traversal in FolderUploadsFileManager (Pedro Henrique Oliveira dos Santos <pedro@...che.org>)
2026/05/06 #3: CVE-2026-43646: Apache Wicket: crafted URLs can bypass PackageResourceGuard (Pedro Henrique Oliveira dos Santos <pedro@...che.org>)
2026/05/06 #2: CVE-2026-42509: Apache Wicket: crafted strings can break out of the JavaScript sequence (Pedro Henrique Oliveira dos Santos <pedro@...che.org>)
2026/05/06 #1: CVE-2026-40010: Apache Wicket: possible session fixation using AuthenticatedWebSession (Pedro Henrique Oliveira dos Santos <pedro@...che.org>)
2026/05/05 #13: Security audit of Paramiko completed, fixes coming in 5.0 release (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/05/05 #12: Re: CVE-2026-29169: Apache HTTP Server: mod_dav_lock indirect lock crash (Solar Designer <solar@...nwall.com>)
2026/05/05 #11: vm2: sandbox escape in NodeVM with nesting:true (CVE-2026-44007) (Akshat Sinha <akshat.snh@...il.com>)
2026/05/05 #10: [OSSA-2026-010] Ironic: Credential Forwarding to Arbitrary Endpoints via iDrac Configuration Molds Feature (CVE-2026-42997) (Jay Faulkner <jay@....cc>)
2026/05/05 #9: CVE-2026-28780: Apache HTTP Server: buffer overflow in mod_proxy_ajp via ajp_msg_check_header() (Eric Covener <covener@...che.org>)
2026/05/05 #8: Django CVE-2026-5766, CVE-2026-35192, and CVE-2026-6907 (Sarah Boyce <sarahboyce@...ngoproject.com>)
2026/05/05 #7: [OSSA-2026-009] Horizon: Unauthenticated session flood via login redirect storage (CVE-2026-43002) (Goutham Pacha Ravi <gouthampravi@...il.com>)
2026/05/05 #6: CVE-2026-29168: Apache HTTP Server: mod_md unrestricted OCSP response (Eric Covener <covener@...che.org>)
2026/05/05 #5: Re: [pfx] Postfix stable release 3.11.2 and legacy releases 3.10.9, 3.9.10, 3.8.16 (Solar Designer <solar@...nwall.com>)
2026/05/05 #4: CVE-2026-43870: Apache Thrift: Node.js web_server.js multi-vulnerability (Jens Geyer <jensg@...che.org>)
2026/05/05 #3: CVE-2026-43869: Apache Thrift: TSSLTransportFactory.java hostname verification (Jens Geyer <jensg@...che.org>)
2026/05/05 #2: CVE-2026-43868: Apache Thrift: Rust implementation vulnerable to CVE-2020-13949 pattern (Jens Geyer <jensg@...che.org>)
2026/05/05 #1: Re: systemd-journald in systemd 259 does not escape characters in emerg messages that are wall'd to other user's termina… (Aaron Rainbolt <arraybolt3@...eup.net>)
2026/05/04 #33: Local privilege escalation in Lix and Nix (Thomas GERBET <thomas@...bet.me>)
2026/05/04 #32: Nix/Lix: local privilege escalation in daemon process (Martin Weinelt <martin@...uxlounge.net>)
2026/05/04 #31: Re: Precise disclosure contents for copyfail (Re: CVE-2026-31431: CopyFail: linux local privilege scalation) ("Emily Shepherd" <emily@...coat.dev>)
2026/05/04 #30: Re: Fwd: [pfx] Postfix stable release 3.11.2 and legacy releases 3.10.9, 3.9.10, 3.8.16 (Salvatore Bonaccorso <carnil@...ian.org>)
2026/05/04 #29: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (Solar Designer <solar@...nwall.com>)
2026/05/04 #28: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (Demi Marie Obenour <demiobenour@...il.com>)
2026/05/04 #27: Re: Precise disclosure contents for copyfail (Re: CVE-2026-31431: CopyFail: linux local privilege scalation) (Greg KH <greg@...ah.com>)
2026/05/04 #26: Re: [pfx] Postfix stable release 3.11.2 and legacy releases 3.10.9, 3.9.10, 3.8.16 (Sam James <sam@...too.org>)
2026/05/04 #25: Fwd: [pfx] Postfix stable release 3.11.2 and legacy releases 3.10.9, 3.9.10, 3.8.16 (Sam James <sam@...too.org>)
2026/05/04 #24: Re: Precise disclosure contents for copyfail (Re: CVE-2026-31431: CopyFail: linux local privilege scalation) (Emily Shepherd <emily@...coat.dev>)
2026/05/04 #23: CVE-2026-33523: Apache HTTP Server: multiple modules: HTTP response splitting forwarding malicious status line (Eric Covener <covener@...che.org>)
2026/05/04 #22: CVE-2026-33007: Apache HTTP Server: mod_authn_socache crash (Eric Covener <covener@...che.org>)
2026/05/04 #21: CVE-2026-33006: Apache HTTP Server: mod_auth_digest timing attack (Eric Covener <covener@...che.org>)
2026/05/04 #20: CVE-2026-29169: Apache HTTP Server: mod_dav_lock indirect lock crash (Eric Covener <covener@...che.org>)
2026/05/04 #19: CVE-2026-23918: Apache HTTP Server: http2: double free and possible RCE on early reset (Eric Covener <covener@...che.org>)
2026/05/04 #18: CVE-2026-24072: Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr (Eric Covener <covener@...che.org>)
2026/05/04 #17: CVE-2026-34059: Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data() (Eric Covener <covener@...che.org>)
2026/05/04 #16: CVE-2026-34032: Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_s… (Eric Covener <covener@...che.org>)
2026/05/04 #15: CVE-2026-33857: Apache HTTP Server: Off-by-one OOB reads in AJP getter functions (Eric Covener <covener@...che.org>)
2026/05/04 #14: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (Richard Kettlewell <rjk@...raraq.uk>)
2026/05/04 #13: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (Milan Broz <gmazyland@...il.com>)
2026/05/04 #12: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (Eric Biggers <ebiggers@...nel.org>)
2026/05/04 #11: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (Demi Marie Obenour <demiobenour@...il.com>)
2026/05/04 #10: Re: CVE-2026-31431: CopyFail: linux local privilege scalation (Milan Broz <gmazyland@...il.com>)
2026/05/04 #9: Re: Precise disclosure contents for copyfail (Re: CVE-2026-31431: CopyFail: linux local privilege scalation) (Jeroen Roovers <jer@...all.nl>)
2026/05/04 #8: Re: Precise disclosure contents for copyfail (Re: CVE-2026-31431: CopyFail: linux local privilege scalation) (Greg Kroah-Hartman <gregkh@...uxfoundation.org>)
2026/05/04 #7: Re: CVE request: io_uring zcrx freelist OOB write (Pavel Begunkov <asml.silence@...il.com>)
2026/05/04 #6: Re: uutils coreutils CVEs (Eli Schwartz <eschwartz@...too.org>)
2026/05/04 #5: Re: uutils coreutils CVEs (cyber security <cs7778503@...il.com>)
2026/05/04 #4: Re: uutils coreutils CVEs (Jakub Wilk <jwilk@...lk.net>)
2026/05/04 #3: Fwd: mutt 2.3.2 released (Sam James <sam@...too.org>)

32776 messages

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.