oss-security mailing list - 2014/11

Follow @Openwall on Twitter for new release announcements and other news

[<prev month] [next month>] [year] [list]

oss-security mailing list - 2014/11

Mon	Tue	Wed	Thu	Fri	Sat	Sun
					¹ 3	² 5
³ 19	⁴ 10	⁵ 16	⁶ 12	⁷ 28	⁸	⁹ 1
¹⁰ 3	¹¹ 6	¹² 11	¹³ 10	¹⁴ 9	¹⁵ 11	¹⁶ 6
¹⁷ 23	¹⁸ 14	¹⁹ 23	²⁰ 46	²¹ 16	²² 11	²³ 9
²⁴ 5	²⁵ 17	²⁶ 28	²⁷ 20	²⁸ 12	²⁹ 6	³⁰ 2

Messages by day:

November 1 (3 messages)

tnftp 20141031 released to resolve CVE-2014-8517. (Luke Mewburn <lukem@...BSD.org>)
Re: Some weird Apache redirection exploit? (Dave Horsfall <dave@...sfall.org>)
Re: SQL injection vulnerability in MantisBT SOAP API [CVE-2014-8554] (Damien Regad <dregad@...tisbt.org>)

November 2 (5 messages)

CVE-2014-7207 assignment: Debian-specific Linux 3.2 backport issue (Florian Weimer <fw@...eb.enyo.de>)
unzip -t crasher (Jakub Wilk <jwilk@...lk.net>)
Re: unzip -t crasher (Dave Horsfall <dave@...sfall.org>)
Re: Re: strings / libbfd crasher (Alexander Cherepanov <cherepan@...me.ru>)
Re: Re: strings / libbfd crasher (Hanno Böck <hanno@...eck.de>)

November 3 (19 messages)

Re: Re: strings / libbfd crasher (Michal Zalewski <lcamtuf@...edump.cx>)
Re: Re: strings / libbfd crasher (Jann Horn <jann@...jh.net>)
Re: unzip -t crasher (Murray McAllister <mmcallis@...hat.com>)
Re: unzip -t crasher (mancha <mancha1@...o.com>)
unzip -l crasher (Martin Carpenter <mcarpenter@...e.fr>)
Re: unzip -l crasher (Martin Carpenter <mcarpenter@...e.fr>)
Re: unzip -l crasher (Felix Eckhofer <felix@...but.de>)
Re: unzip -l crasher (Hanno Böck <hanno@...eck.de>)
Re: unzip -l crasher (Dave Horsfall <dave@...sfall.org>)
Re: unzip -t crasher (mancha <mancha1@...o.com>)
more unzip issues (Hanno Böck <hanno@...eck.de>)
Re: more unzip issues (Alexander Cherepanov <cherepan@...me.ru>)
Re: unzip -l crasher (Martin Carpenter <mcarpenter@...e.fr>)
Re: unzip -l crasher (Dave Horsfall <dave@...sfall.org>)
Re: unzip -t crasher (mancha <mancha1@...o.com>)
RE: strings /libbfd crash (Joshua Rogers <oss@...ernot.info>)
Re: RE: strings /libbfd crash (Hanno Böck <hanno@...eck.de>)
Re: RE: strings /libbfd crash (mancha <mancha1@...o.com>)
Re: Re: strings / libbfd crasher (mancha <mancha1@...o.com>)

November 4 (10 messages)

Re: Re: strings / libbfd crasher (Michal Zalewski <lcamtuf@...edump.cx>)
CVE-2014-8566 and CVE-2014-8567: mod_auth_mellon issues affecting users of 0.8.0 (Murray McAllister <mmcallis@...hat.com>)
Re: Re: strings / libbfd crasher (mancha <mancha1@...o.com>)
Re: list policy (Re: Truly scary SSL 3.0 vuln to be revealed soon:) (Solar Designer <solar@...nwall.com>)
ping on CVE request: mod_wsgi group privilege dropping [was Re: Security release for mod_wsgi (version 3.5)] (Kurt Seifried <kseifried@...hat.com>)
CVE Request: polarssl (Marcus Meissner <meissner@...e.de>)
Re: strings / libbfd crasher (cve-assign@...re.org)
Re: CVE request: mod_wsgi group privilege dropping [was Re: Security release for mod_wsgi (version 3.5)] (cve-assign@...re.org)
Privilege Escalation via KDE Clock KCM polkit helper (David Edmundson <davidedmundson@....org>)
CVE Request: binutils -- directory traversal (Alexander Cherepanov <cherepan@...me.ru>)

November 5 (16 messages)

Re: Re: strings / libbfd crasher (Alexander Cherepanov <cherepan@...me.ru>)
CVE Request for requests-kerberos (Ian Cordasco <graffatcolmingov@...il.com>)
Re: CVE Request for requests-kerberos (Kurt Seifried <kseifried@...hat.com>)
Re: CVE Request for requests-kerberos (Ian Cordasco <graffatcolmingov@...il.com>)
Re: Re: strings / libbfd crasher (Michal Zalewski <lcamtuf@...edump.cx>)
Re: Re: strings / libbfd crasher (Alexander Cherepanov <cherepan@...me.ru>)
Re: Re: strings / libbfd crasher (Alexander Cherepanov <cherepan@...me.ru>)
is MD5 finally dead? (Kurt Seifried <kseifried@...hat.com>)
Re: is MD5 finally dead? (Michael Samuel <mik@...net.net>)
Re: is MD5 finally dead? (Alex Gaynor <alex.gaynor@...il.com>)
Re: is MD5 finally dead? (Michael Samuel <mik@...net.net>)
Re: is MD5 finally dead? (Solar Designer <solar@...nwall.com>)
Re: is MD5 finally dead? (coderman <coderman@...il.com>)
CVE request: PHP xmlrpc date_from_ISO8601() buffer overflow (in php < 5.2.7) (Tomas Hoger <thoger@...hat.com>)
CVE-2014-7828 FreeIPA 4.0/4.1 does not require password when OTP used ("Vincent Danen" <vdanen@...hat.com>)
Re: Re: strings / libbfd crasher (mancha <mancha1@...o.com>)

November 6 (12 messages)

XCloner Wordpress/Joomla! backup Plugin v3.1.1 (Wordpress) v3.5.1 (Joomla!) Vulnerabilities ("Larry W. Cashdollar" <larry0@...com>)
CVE-Request: dpkg handling of 'control' and warnings format string vulnerability (Joshua Rogers <oss@...ernot.info>)
Re: CVE request: PHP xmlrpc date_from_ISO8601() buffer overflow (in php < 5.2.7) (cve-assign@...re.org)
Re: CVE Request: polarssl (cve-assign@...re.org)
CVE Request: Qt Creator fails to verify SSH host key ("Jason A. Donenfeld" <Jason@...c4.com>)
Re: Bug#742140: libpam-oath: PAM module does not check whether strdup allocations succeeded (Andreas Barth <aba@...us.org>)
CVE Request: Linux kernel mac80211 plain text leak (Marcus Meissner <meissner@...e.de>)
CVE request for Apache Traffic Server (Javier Nieto <jnietotn@...il.com>)
Stack smashing in libjpeg-turbo (Bastien ROUCARIES <roucaries.bastien@...il.com>)
Re: Stack smashing in libjpeg-turbo (Michal Zalewski <lcamtuf@...edump.cx>)
Exploitable issues in Linux perf/ftrace subsystems (Robert Święcki <robert@...ecki.net>)
Re: CVE Request: Qt Creator fails to verify SSH host key (Michael Samuel <mik@...net.net>)

November 7 (28 messages)

Re: CVE Request for requests-kerberos (cve-assign@...re.org)
Re: CVE-Request: dpkg handling of 'control' and warnings format string vulnerability (cve-assign@...re.org)
Re: Privilege Escalation via KDE Clock KCM polkit helper (cve-assign@...re.org)
Re: Re: CVE-Request: dpkg handling of 'control' and warnings format string vulnerability (Seth Arnold <seth.arnold@...onical.com>)
Re: CVE Request: Qt Creator fails to verify SSH host key ("Jason A. Donenfeld" <Jason@...c4.com>)
Re: CVE Request: Qt Creator fails to verify SSH host key ("Jason A. Donenfeld" <Jason@...c4.com>)
Re: Re: CVE-Request: dpkg handling of 'control' and warnings format string vulnerability (Joshua Rogers <oss@...ernot.info>)
Re: Stack smashing in libjpeg-turbo (Michal Zalewski <lcamtuf@...edump.cx>)
Re: Re: Bug#742140: libpam-oath: PAM module does not check whether strdup allocations succeeded (Russ Allbery <eagle@...ie.org>)
Fuzzing objdump (PR 17512) and readelf (PR 17531) (Alexander Cherepanov <cherepan@...me.ru>)
Re: Fuzzing objdump (PR 17512) and readelf (PR 17531) (Yury Gribov <y.gribov@...sung.com>)
Re: Re: Fuzzing objdump (PR 17512) and readelf (PR 17531) (Hanno Böck <hanno@...eck.de>)
Re: Re: Fuzzing objdump (PR 17512) and readelf (PR 17531) (Yury Gribov <y.gribov@...sung.com>)
Re: Re: Fuzzing objdump (PR 17512) and readelf (PR 17531) (Alexander Cherepanov <cherepan@...me.ru>)
Re: Re: Fuzzing objdump (PR 17512) and readelf (PR 17531) (Alexander Cherepanov <cherepan@...me.ru>)
Re: Re: CVE-Request: dpkg handling of 'control' and warnings format string vulnerability (Sven Kieske <s.kieske@...twald.de>)
Re: Re: CVE-Request: dpkg handling of 'control' and warnings format string vulnerability (Joshua Rogers <oss@...ernot.info>)
Re: Re: Fuzzing objdump (PR 17512) and readelf (PR 17531) (Robert Święcki <robert@...ecki.net>)
Re: Re: Fuzzing objdump (PR 17512) and readelf (PR 17531) (Michal Zalewski <lcamtuf@...edump.cx>)
Asking for CVE for imagemagick (Bastien ROUCARIES <roucaries.bastien@...il.com>)
Re: Asking for CVE for imagemagick (Bastien ROUCARIES <roucaries.bastien@...il.com>)
random number generators - rand(), random(), etc (jb <jb.1234abcd@...il.com>)
Re: random number generators - rand(), random(), etc (Michal Zalewski <lcamtuf@...edump.cx>)
Re: random number generators - rand(), random(), etc (Eric Blake <eblake@...hat.com>)
Re: random number generators - rand(), random(), etc (jb <jb.1234abcd@...il.com>)
Re: Re: random number generators - rand(), random(), etc (Eric Blake <eblake@...hat.com>)
CVE-2014-7146: MantisBT XmlImportExport plugin PHP Code Injection Vulnerability (Damien Regad <dregad@...tisbt.org>)
CVE-2014-8598: MantisBT XML Import/Export plugin unrestricted access (Damien Regad <dregad@...tisbt.org>)

November 9 (1 message)

Re: CVE Request: Linux kernel mac80211 plain text leak (cve-assign@...re.org)

November 10 (3 messages)

CVE Request: Multiple Vulnerabilities - XSS/Remote Code Injection in MODX (Karthik Rangarajan <rangarajan.karthik@...il.com>)
CVE-2014-7824: D-Bus denial of service via incomplete fix for CVE-2014-3636 (Simon McVittie <simon.mcvittie@...labora.co.uk>)
Re: CVE Request: Qt Creator fails to verify SSH host key (cve-assign@...re.org)

November 11 (6 messages)

Re: CVE Request: Qt Creator fails to verify SSH host key ("Jason A. Donenfeld" <Jason@...c4.com>)
Re: cve request: libbfd? (Vasyl Kaigorodov <vkaigoro@...hat.com>)
Re: Re: Fuzzing objdump (PR 17512) and readelf (PR 17531) (Nicholas Clifton <nickc@...hat.com>)
CVE request: Joomla component com_sexycontactform and WordPress plugin sexy-contact-form unrestricted file upload (Henri Salo <henri@...v.fi>)
Re: CVE request: Joomla component com_sexycontactform and WordPress plugin sexy-contact-form unrestricted file upload (Henri Salo <henri@...v.fi>)
CVE Request - dns-sync node module (Steve Kemp <steve@...ve.org.uk>)

November 12 (11 messages)

Re: Re: strings / libbfd crasher (Alexander Cherepanov <cherepan@...me.ru>)
Re: Re: strings / libbfd crasher (Michal Zalewski <lcamtuf@...edump.cx>)
Re: Re: strings / libbfd crasher (Michal Zalewski <lcamtuf@...edump.cx>)
Re: Asking for CVE for imagemagick (cve-assign@...re.org)
CVE-request: systemd-resolved DNS cache poisoning (Sebastian Krahmer <krahmer@...e.de>)
Re: CVE-request: systemd-resolved DNS cache poisoning (Florian Weimer <fweimer@...hat.com>)
Re: CVE-request: systemd-resolved DNS cache poisoning (Sebastian Krahmer <krahmer@...e.de>)
Re: CVE-request: systemd-resolved DNS cache poisoning (cve-assign@...re.org)
Additional authority files (Florian Weimer <fw@...eb.enyo.de>)
RE: [security-vendor] Additional authority files ("Radzykewycz, T (Radzy)" <radzy@...driver.com>)
Re: CVE Request: Multiple Vulnerabilities - XSS/Remote Code Injection in MODX (Karthik Rangarajan <rangarajan.karthik@...il.com>)

November 13 (10 messages)

Re: CVE Request: binutils -- directory traversal (cve-assign@...re.org)
Re: strings / libbfd crasher (cve-assign@...re.org)
Re: CVE request: Joomla component com_sexycontactform and WordPress plugin sexy-contact-form unrestricted file upload (cve-assign@...re.org)
Re: Re: CVE-request: systemd-resolved DNS cache poisoning (Florian Weimer <fweimer@...hat.com>)
CVE-2014-7843 Linux kernel: aarch64: copying from /dev/zero causes local DoS (Petr Matousek <pmatouse@...hat.com>)
CVE-2014-7841 Linux kernel: net: sctp: NULL pointer dereference in af->from_addr_param on malformed packet (Petr Matousek <pmatouse@...hat.com>)
CVE-2014-7842 Linux kernel: kvm: reporting emulation failures to userspace (Petr Matousek <pmatouse@...hat.com>)
Linux kernel: SCTP issues (Petr Matousek <pmatouse@...hat.com>)
Re: Re: CVE-request: systemd-resolved DNS cache poisoning (Daniel Kahn Gillmor <dkg@...thhorseman.net>)
Re: Re: CVE-request: systemd-resolved DNS cache poisoning (Jeremy Stanley <fungi@...goth.org>)

November 14 (9 messages)

Re: Re: CVE-request: systemd-resolved DNS cache poisoning (Sebastian Krahmer <krahmer@...e.de>)
Re: CVE-2014-8598: MantisBT XML Import/Export plugin unrestricted access (Hanno Böck <hanno@...eck.de>)
CVE Request: Linux kernel: ttusb-dec: overflow by descriptor (Marcus Meissner <meissner@...e.de>)
Re: CVE-2014-8598: MantisBT XML Import/Export plugin unrestricted access (Damien Regad <dregad@...tisbt.org>)
old CVE assignments for JQuery 1.10.0 ("Vincent Danen" <vdanen@...hat.com>)
Re: Re: CVE-request: systemd-resolved DNS cache poisoning (Greg KH <greg@...ah.com>)
Re: CVE Request: Linux kernel: ttusb-dec: overflow by descriptor (cve-assign@...re.org)
Re: old CVE assignments for JQuery 1.10.0 (cve-assign@...re.org)
CVE Request: XSS vulnerability in MantisBT 1.2.13 (Damien Regad <dregad@...tisbt.org>)

November 15 (11 messages)

RE: CVE Request: XSS vulnerability in MantisBT 1.2.13 ("P Richards" <paul@...tisforge.org>)
Re: CVE Request: XSS vulnerability in MantisBT 1.2.13 (Damien Regad <dregad@...tisbt.org>)
Re: Re: CVE Request: XSS vulnerability in MantisBT 1.2.13 (Paul Richards <paul@...tisforge.org>)
Re: CVE Request: XSS vulnerability in MantisBT 1.2.13 (Damien Regad <dregad@...tisbt.org>)
Re: CVE-Request: dpkg handling of 'control' and warnings format string vulnerability (Joshua Roers <honey@...ernot.info>)
CVE Request: information disclosure in MantisBT attachments (Damien Regad <dregad@...tisbt.org>)
Re: Re: strings / libbfd crasher (Alexander Cherepanov <cherepan@...me.ru>)
Re: Re: strings / libbfd crasher (Michal Zalewski <lcamtuf@...edump.cx>)
Re: Linux kernel: SCTP issues (Sven Kieske <svenkieske@...il.com>)
Re: Re: strings / libbfd crasher (Alexander Cherepanov <cherepan@...me.ru>)
CVE Request: "Reflected Cross-Site Scripting (XSS) in Flash Version of Flowplayer" (Soroush Dalili <sd.bugreport@...il.com>)

November 16 (6 messages)

Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Hanno Böck <hanno@...eck.de>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Robert Święcki <robert@...ecki.net>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Michal Zalewski <lcamtuf@...edump.cx>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Joshua Rogers <oss@...ernot.info>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Robert Święcki <robert@...ecki.net>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Robert Święcki <robert@...ecki.net>)

November 17 (23 messages)

Re: Re: Fuzzing objdump (PR 17512) and readelf (PR 17531) (Alexander Cherepanov <cherepan@...me.ru>)
Re: Re: Fuzzing objdump (PR 17512) and readelf (PR 17531) (Robert Święcki <robert@...ecki.net>)
Location of OS security audit reports ("M.T. Roebuck" <marvint.roebuck@...ox.lv>)
Re: Location of OS security audit reports (Joshua Rogers <oss@...ernot.info>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Robert Watson <robertcwatson1@...il.com>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Hanno Böck <hanno@...eck.de>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Raphael Geissert <geissert@...ian.org>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Hanno Böck <hanno@...eck.de>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Jakub Wilk <jwilk@...lk.net>)
Re: Location of OS security audit reports (Nguyen Cong <cong.nguyenthe@...hiba-tsdv.com>)
Moodle security issues are now public (Marina Glancy <marina@...dle.com>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Robert Święcki <robert@...ecki.net>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Michal Zalewski <lcamtuf@...edump.cx>)
[CVE-2014-7829] Arbitrary file existence disclosure in Action Pack (Aaron Patterson <tenderlove@...y-lang.org>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Hanno Böck <hanno@...eck.de>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Alexander Cherepanov <cherepan@...me.ru>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Raphael Geissert <geissert@...ian.org>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Jakub Wilk <jwilk@...lk.net>)
Linux user namespaces can bypass group-based restrictions (Andy Lutomirski <luto@...capital.net>)
Re: Re: CVE-request: systemd-resolved DNS cache poisoning (Florian Weimer <fweimer@...hat.com>)
Requesting a CVE for pip - Local DoS with predictable temp directory names (Donald Stufft <donald@...fft.io>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Daniel Kahn Gillmor <dkg@...thhorseman.n…)
Wordpress WP-DB-Backup v2.2.4 Plugin Remote Database Backup Download Vulnerability ("Larry W. Cashdollar" <larry0@...com>)

November 18 (14 messages)

Re: Wordpress WP-DB-Backup v2.2.4 Plugin Remote Database Backup Download Vulnerability (Joshua Rogers <oss@...ernot.info>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Robert Watson <robertcwatson1@...il.com>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Robert Watson <robertcwatson1@...il.com>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Michal Zalewski <lcamtuf@...edump.cx>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Raphael Geissert <geissert@...ian.org>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Hanno Böck <hanno@...eck.de>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Źmicier Januszkiewicz <gauri@....by>)
Xen Security Advisory 110 (CVE-2014-8595) - Missing privilege level checks in x86 emulation of far branches (Xen.org security team <security@....org>)
Xen Security Advisory 109 (CVE-2014-8594) - Insufficient restrictions on certain MMU update hypercalls (Xen.org security team <security@....org>)
RE: [security-vendor] Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf,… ("Radzykewycz, T (Radzy)" <radzy@...driv…)
Re: Wordpress WP-DB-Backup v2.2.4 Plugin Remote Database Backup Download Vulnerability (Larry Cashdollar <larry0@...com>)
Re: RE: [security-vendor] Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pi… (Seth Arnold <seth.arnold@...onical.com>)
Re: RE: [security-vendor] Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file… (Hanno Böck <hanno@...eck.de>)
Re: RE: [security-vendor] Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pi… (Seth Arnold <seth.arnold@...onical.com>)

November 19 (23 messages)

CVE request: lsyncd command injection (Murray McAllister <mmcallis@...hat.com>)
Fwd: [Clamav-devel] ClamAV(R) blog: ClamAV 0.98.5 has been released! (Steven Morgan <smorgan@...rcefire.com>)
CVE Request: LibreOffice -- several issues (Alexander Cherepanov <cherepan@...me.ru>)
Re: RE: [security-vendor] Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pi… (Alexander Cherepanov <cherepan@...me.ru…)
Re: Fwd: [Clamav-devel] ClamAV(R) blog: ClamAV 0.98.5 has been released! (Kurt Seifried <kseifried@...hat.com>)
Re: RE: [security-vendor] Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbu… (Kurt Seifried <kseifried@...hat.com>)
Re: RE: [security-vendor] Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixb… (Michal Zalewski <lcamtuf@...edump.cx>)
CVE request for check_diskio nagios/icinga plugin (Pierre Schweitzer <pierre@...ctos.org>)
Re: RE: [security-vendor] Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pix… (Gynvael Coldwind <gynvael@...dwind.pl>)
Re: CVE Request: information disclosure in MantisBT attachments (Damien Regad <dregad@...tisbt.org>)
Re: CVE Request: XSS vulnerability in MantisBT 1.2.13 (Damien Regad <dregad@...tisbt.org>)
Re: Location of OS security audit reports ("M.T. Roebuck" <marvint.roebuck@...ox.lv>)
Re: Location of OS security audit reports ("M.T. Roebuck" <marvint.roebuck@...ox.lv>)
Re: Re: Location of OS security audit reports (Tracy Reed <treed@...raviolet.org>)
Re: Location of OS security audit reports (Tracy Reed <treed@...raviolet.org>)
Re: RE: [security-vendor] Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, … (Joshua Rogers <oss@...ernot.info>)
Re: Requesting a CVE for pip - Local DoS with predictable temp directory names (Donald Stufft <donald@...fft.io>)
Re: CVE Request: LibreOffice -- several issues (timo.warns@...il.com)
[OSSA 2014-039] Neutron DoS through invalid DNS configuration (CVE-2014-7821) (Tristan Cacqueray <tristan.cacqueray@...vance.com>)
Re: CVE Request: XSS vulnerability in MantisBT 1.2.13 (cve-assign@...re.org)
Re: CVE Request: XSS vulnerability in MantisBT 1.2.13 (cve-assign@...re.org)
Re: CVE Request: information disclosure in MantisBT attachments (cve-assign@...re.org)
CVE request: icecast: possible leak of on-connect scripts (Murray McAllister <mmcallis@...hat.com>)

November 20 (46 messages)

Re: Linux user namespaces can bypass group-based restrictions (Andy Lutomirski <luto@...capital.net>)
Re: Re: Location of OS security audit reports (Nguyen Cong <cong.nguyenthe@...hiba-tsdv.com>)
Pending CVE assignments for SA-CORE-2014-006? (Salvatore Bonaccorso <carnil@...ian.org>)
Re: Linux user namespaces can bypass group-based restrictions - Linux kernel (cve-assign@...re.org)
Re: CVE request: lsyncd command injection (cve-assign@...re.org)
Re: Requesting a CVE for pip - Local DoS with predictable temp directory names (cve-assign@...re.org)
Re: CVE request for check_diskio nagios/icinga plugin (cve-assign@...re.org)
Re: Re: Linux user namespaces can bypass group-based restrictions (Vitor Ventura <ventura.vitor@...il.com>)
Re: RE: [security-vendor] Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf,… (Sven Kieske <s.kieske@...twald.de>)
Re: Location of OS security audit reports (Sven Kieske <s.kieske@...twald.de>)
Re: Re: Location of OS security audit reports (Niklas Kielblock <niklas@...derschwe.in>)
Re: Re: Linux user namespaces can bypass group-based restrictions (Simon McVittie <smcv@...ian.org>)
Re: Re: Location of OS security audit reports (Mark Kipyegon <mkipyegon@...look.com>)
Re: Re: Location of OS security audit reports (Solar Designer <solar@...nwall.com>)
Re: Location of OS security audit reports (Alexander Cherepanov <cherepan@...me.ru>)
Fuzzing project brainstorming (Hanno Böck <hanno@...eck.de>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Alexander Cherepanov <cherepan@...me.ru>)
Re: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less (Hanno Böck <hanno@...eck.de>)
Re: Pending CVE assignments for SA-CORE-2014-006? (Gunnar Wolf <gwolf@...lf.org>)
CVE request: heap buffer overflow in PCRE (Vasyl Kaigorodov <vkaigoro@...hat.com>)
Re: Pending CVE assignments for SA-CORE-2014-006? (cve-assign@...re.org)
Re: CVE request: icecast: possible leak of on-connect scripts (cve-assign@...re.org)
Re: Fuzzing project brainstorming (Kurt Seifried <kseifried@...hat.com>)
[AMENDED] [CVE-2014-7829] Arbitrary file existence disclosure in Action Pack (Aaron Patterson <tenderlove@...y-lang.org>)
Re: Fuzzing project brainstorming (Hanno Böck <hanno@...eck.de>)
Re: Fuzzing project brainstorming (Sven Kieske <s.kieske@...twald.de>)
Xen Security Advisory 113 - Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling (Xen.org security team <security@....org>)
Re: Fuzzing project brainstorming (Amos Jeffries <squid3@...enet.co.nz>)
Re: Fuzzing project brainstorming ("M.T. Roebuck" <marvint.roebuck@...ox.lv>)
Re: Fuzzing project brainstorming (Gynvael Coldwind <gynvael@...dwind.pl>)
Re: Location of OS security audit reports ("M.T. Roebuck" <marvint.roebuck@...ox.lv>)
Re: Location of OS security audit reports ("M.T. Roebuck" <marvint.roebuck@...ox.lv>)
Re: Re: Location of OS security audit reports (Joshua Rogers <oss@...ernot.info>)
Re: Location of OS security audit reports ("M.T. Roebuck" <marvint.roebuck@...ox.lv>)
Re: Location of OS security audit reports ("M.T. Roebuck" <marvint.roebuck@...ox.lv>)
CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified (Francisco Alonso <falonsoe@...hat.com>)
Re: [security] Pending CVE assignments for SA-CORE-2014-006? (Peter Wolanin <pwolanin@...il.com>)
Re: Fuzzing project brainstorming (Michal Zalewski <lcamtuf@...edump.cx>)
Re: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified (mancha <mancha1@...o.com>)
Re: Fuzzing project brainstorming (Hanno Böck <hanno@...eck.de>)
Re: Re: Fuzzing project brainstorming (Hanno Böck <hanno@...eck.de>)
Re: Re: Fuzzing project brainstorming (Daniel Kahn Gillmor <dkg@...thhorseman.net>)
WordPress 4.0.1 Security Release (Henri Salo <henri@...v.fi>)
Fwd: [langsec-discuss] 2nd LangSec workshop at IEEE S&P CFP and website (Sven Kieske <svenkieske@...il.com>)
Re: Fuzzing project brainstorming (Michal Zalewski <lcamtuf@...edump.cx>)
RE: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified ("Mehaffey, John" <John_Mehaffey@...tor.com>)

November 21 (16 messages)

Re: [security] Pending CVE assignments for SA-CORE-2014-006? (cve-assign@...re.org)
Re: WordPress 4.0.1 Security Release (Kurt Seifried <kseifried@...hat.com>)
Re: WordPress 4.0.1 Security Release (Andrew Nacin <nacin@...dpress.org>)
Re: Fuzzing project brainstorming (Alexander Cherepanov <cherepan@...me.ru>)
Re: CVE request: heap buffer overflow in PCRE (Murray McAllister <mmcallis@...hat.com>)
Re: CVE request: heap buffer overflow in PCRE (cve-assign@...re.org)
Re: Xen Security Advisory 113 - Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling (cve-assign@...re.org)
Re: Fuzzing project brainstorming (Gynvael Coldwind <gynvael@...dwind.pl>)
Re: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified (Vasyl Kaigorodov <vkaigoro@...hat.com>)
Re: CVE-2014-7817 glibc: command execution in wordexp() with WRDE_NOCMD specified (Marcus Meissner <meissner@...e.de>)
Re: Re: CVE request: lsyncd command injection (Michael Samuel <mik@...net.net>)
CVE request: heap buffer overflow in ClamAV (Damien Millescamps <Damien.Millescamps@...ida.fr>)
Xen Security Advisory 113 (CVE-2014-9030) - Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling (Xen.org security team <security@....org>)
Re: cve request: libbfd? (Vasyl Kaigorodov <vkaigoro@...hat.com>)
Re: cve request: libbfd? (Alexander Cherepanov <cherepan@...me.ru>)
Re: Fuzzing project brainstorming ("M.T. Roebuck" <marvint.roebuck@...ox.lv>)

November 22 (11 messages)

Re: CVE request: heap buffer overflow in ClamAV (cve-assign@...re.org)
Off-by-one question (Joshua Roers <honey@...ernot.info>)
Re: Off-by-one question (Simon McVittie <smcv@...ian.org>)
Re: CVE Request: XSS vulnerability in MantisBT 1.2.13 (Damien Regad <dregad@...tisbt.org>)
Running Java across a privilege boundry (Tim Brown <tmb@...35.com>)
Re: Off-by-one question (Stuart Gathman <stuart@...hman.org>)
Re: Running Java across a privilege boundry (Russ Allbery <eagle@...ie.org>)
Re: Running Java across a privilege boundry (Marc Chadwick <marc@...dwick.net>)
Re: Running Java across a privilege boundry (Russ Allbery <eagle@...ie.org>)
Re: Stack smashing in libjpeg-turbo (Bastien ROUCARIES <roucaries.bastien@...il.com>)
Re: Running Java across a privilege boundry (Tim Brown <tmb@...35.com>)

November 23 (9 messages)

Re: Off-by-one question (Joshua Rogers <oss@...ernot.info>)
so, can we do something about lesspipe? (+ a cpio bug to back up the argument) (Michal Zalewski <lcamtuf@...edump.cx>)
Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) (Hanno Böck <hanno@...eck.de>)
Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) (Bernhard Hermann <bernhard.hermann@...il.com>)
Re: Running Java across a privilege boundry (Solar Designer <solar@...nwall.com>)
Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) (Alexander Cherepanov <cherepan@...me.ru>)
The Fuzzing Project (Hanno Böck <hanno@...eck.de>)
Re: The Fuzzing Project (Joshua Rogers <oss@...ernot.info>)
Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) (Lionel Debroux <lionel_debroux@...oo.fr>)

November 24 (5 messages)

CVE Request: Linux kernel LDT handling bugs (Andy Lutomirski <luto@...capital.net>)
Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument) (Michael Samuel <mik@...net.net>)
Re: The Fuzzing Project (Sven Kieske <s.kieske@...twald.de>)
CVE request: firefox: integer overflow (Vasyl Kaigorodov <vkaigoro@...hat.com>)
Docker 1.3.2 - Security Advisory [24 Nov 2014] (Eric Windisch <eric.windisch@...ker.com>)

November 25 (17 messages)

parse_datetime() bug in coreutils (Seth Arnold <seth.arnold@...onical.com>)
CVE request: cpio heap-based buffer overflow [was Re: so, can we do something about lesspipe? (+ a cpio bug to back up… (Murray McAllister <mmcallis@...hat.com>)
CVE Request: Graphviz format string vuln (Joshua Rogers <oss@...ernot.info>)
AW: parse_datetime() bug in coreutils (Fiedler Roman <Roman.Fiedler@....ac.at>)
[oCERT 2014-008] libFLAC multiple issues (Daniele Bianco <danbia@...rt.org>)
CVE request: missing checks for small-sized files in hivex (Martin Prpic <mprpic@...hat.com>)
CVE Request: buffer overflow in ksba_oid_to_str in Libksba (Salvatore Bonaccorso <carnil@...ian.org>)
CVE REJECT CVE-2014-3605 (Kurt Seifried <kseifried@...hat.com>)
CVE request: teeworlds: security issues fixed in 0.6.3 release (Salvatore Bonaccorso <carnil@...ian.org>)
Re: WordPress 4.0.1 Security Release (Andrew Nacin <nacin@...dpress.org>)
Re: WordPress 4.0.1 Security Release (Andrew Nacin <nacin@...dpress.org>)
Re: WordPress 4.0.1 Security Release (cve-assign@...re.org)
Re: Re: CVE request: icecast: possible leak of on-connect scripts (jmm@...ian.org)
CVE Request: MantisBT SQL injection in view_all_set.php (Damien Regad <dregad@...tisbt.org>)
Re: Re: CVE request: lsyncd command injection (Ángel González <angel@...its.net>)
OpenBSD patch issue also affects GNU patch (Hanno Böck <hanno@...eck.de>)
Re: OpenBSD patch issue also affects GNU patch (Alan Coopersmith <alan.coopersmith@...cle.com>)

November 26 (28 messages)

Re: CVE Request: buffer overflow in ksba_oid_to_str in Libksba (Hanno Böck <hanno@...eck.de>)
Re: Running Java across a privilege boundry (Solar Designer <solar@...nwall.com>)
Re: CVE Request: buffer overflow in ksba_oid_to_str in Libksba (cve-assign@...re.org)
Re: CVE request: icecast: possible leak of on-connect scripts (cve-assign@...re.org)
Re: CVE Request: Linux kernel LDT handling bugs (cve-assign@...re.org)
Re: CVE Request: MantisBT SQL injection in view_all_set.php (cve-assign@...re.org)
Re: CVE Request: LibreOffice -- several issues (cve-assign@...re.org)
Re: Stack smashing in libjpeg-turbo (cve-assign@...re.org)
Re: OpenBSD patch issue also affects GNU patch (Tobias Stoeckmann <tobias@...eckmann.org>)
O_CREAT|O_DIRECTORY on nonexisting file expected behaviour? (Fiedler Roman <Roman.Fiedler@....ac.at>)
Re: Re: CVE request: lsyncd command injection (Sven Schwedas <sven.schwedas@....at>)
Re: O_CREAT|O_DIRECTORY on nonexisting file expected behaviour? (Eric Blake <eblake@...hat.com>)
blkid command injection (Sebastian Krahmer <krahmer@...e.de>)
AW: O_CREAT|O_DIRECTORY on nonexisting file expected behaviour? (Fiedler Roman <Roman.Fiedler@....ac.at>)
Re: Re: CVE Request: LibreOffice -- several issues (Alexander Cherepanov <cherepan@...me.ru>)
Re: CVE Request: LibreOffice -- several issues (Alexander Cherepanov <cherepan@...me.ru>)
Re: AW: O_CREAT|O_DIRECTORY on nonexisting file expected behaviour? (Daniel Kahn Gillmor <dkg@...thhorseman.net>)
Re: [Officesecurity] Re: CVE Request: LibreOffice -- several issues (Caolán McNamara <caolanm@...hat.com>)
CVE Request: CAPTCHA bypass in MantisBT (Damien Regad <dregad@...tisbt.org>)
Re: CVE request: cpio heap-based buffer overflow [was Re: so, can we do something about lesspipe? (+ a cpio bug to back up the argument)] (cve-assign@...re.org)
Re: blkid command injection (cve-assign@...re.org)
Apple goto fail - lessons that should be learned ("David A. Wheeler" <dwheeler@...eeler.com>)
Re: CVE request: firefox: integer overflow (Daniel Veditz <dveditz@...illa.com>)
Re: O_CREAT|O_DIRECTORY on nonexisting file expected behaviour? (Matthew Daley <mattd@...fuzz.com>)
AW: O_CREAT|O_DIRECTORY on nonexisting file expected behaviour? (Fiedler Roman <Roman.Fiedler@....ac.at>)
Re: Apple goto fail - lessons that should be learned (Hanno Böck <hanno@...eck.de>)
Re: Apple goto fail - lessons that should be learned ("David A. Wheeler" <dwheeler@...eeler.com>)
CVE request: Canto Feed URL Parsing Command Line Injection (Henri Salo <henri@...v.fi>)

November 27 (20 messages)

Please reject CVE-2014-8585 (Henri Salo <henri@...v.fi>)
CVE Request: LibreOffice -- several issues (Alexander Cherepanov <cherepan@...me.ru>)
Re: Re: CVE Request: buffer overflow in ksba_oid_to_str in Libksba (Hanno Böck <hanno@...eck.de>)
CVE-2014-7816 Undertow (on Windows): Information disclosure via directory traversal (Arun Babu Neelicattu <abn@...hat.com>)
CVE request: mutt: heap-based buffer overflow in mutt_substrdup() (Murray McAllister <mmcallis@...hat.com>)
Re: CVE request: Canto Feed URL Parsing Command Line Injection (cve-assign@...re.org)
Re: CVE request: mutt: heap-based buffer overflow in mutt_substrdup() (Murray McAllister <mmcallis@...hat.com>)
Re: CVE Request: CAPTCHA bypass in MantisBT (cve-assign@...re.org)
Re: CVE request: mutt: heap-based buffer overflow in mutt_substrdup() (cve-assign@...re.org)
Re: CVE Request: buffer overflow in ksba_oid_to_str in Libksba (cve-assign@...re.org)
CVE Request: Multiple vulnerabilities in Centreon <= 2.5.3 (Damien Cauquil <d.cauquil@...dream.com>)
Re: CVE Request: Multiple vulnerabilities in Centreon <= 2.5.3 (Henri Salo <henri@...v.fi>)
Xen Security Advisory 111 (CVE-2014-8866) - Excessive checking in compatibility mode hypercall argument translation (Xen.org security team <security@....org>)
Xen Security Advisory 112 (CVE-2014-8867) - Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor (Xen.org security team <security@....org…)
Re: CVE Request: Multiple vulnerabilities in Centreon <= 2.5.3 (Damien Cauquil <d.cauquil@...dream.com>)
Re: [Officesecurity] CVE Request: LibreOffice -- several issues (Rene Engelhard <rene@...ian.org>)
Re: blkid command injection (Murray McAllister <mmcallis@...hat.com>)
Bug#771125: Info received (CVE request: mutt: heap-based buffer overflow in mutt_substrdup()) (owner@...s.debian.org (Debian Bug Tracking System))
Re: Bug#771125: CVE request: mutt: heap-based buffer overflow in mutt_substrdup() (Antonio Radici <antonio@...e.org>)
CC'ing external lists/bugs (Re: Bug#771125: Info received (CVE request: mutt: heap-based buffer overflow in mutt_substrdup()… (Solar Designer <solar@...nwall.com>)

November 28 (12 messages)

libyaml / YAML-LibYAML DoS (Jonathan Gray <jsg@....id.au>)
CVE Request: Multiple vulnerabilities in Centreon <= 2.5.3 (Damien Cauquil <d.cauquil@...dream.com>)
Re: libyaml / YAML-LibYAML DoS (John Haxby <john.haxby@...cle.com>)
Re: The Fuzzing Project (Joshua Rogers <oss@...ernot.info>)
CVE Request: "LuaAuthzProvider" in Apache HTTP Server mixes up arguments (Eric Covener <covener@...il.com>)
Re: libyaml / YAML-LibYAML DoS (Ingy dot Net <ingy@...y.net>)
Re: libyaml / YAML-LibYAML DoS (Ian Cordasco <graffatcolmingov@...il.com>)
Re: libyaml / YAML-LibYAML DoS (cve-assign@...re.org)
Re: CVE Request: "LuaAuthzProvider" in Apache HTTP Server mixes up arguments (cve-assign@...re.org)
Re: libyaml / YAML-LibYAML DoS (Ingy dot Net <ingy@...y.net>)
Re: CVE Request: "LuaAuthzProvider" in Apache HTTP Server mixes up arguments (Eric Covener <covener@...il.com>)
Re: libyaml / YAML-LibYAML DoS (Ingy dot Net <ingy@...y.net>)

November 29 (6 messages)

Re: Re: libyaml / YAML-LibYAML DoS (Dāvis Mosāns <davispuh@...il.com>)
Re: CVE Request: "LuaAuthzProvider" in Apache HTTP Server mixes up arguments (cve-assign@...re.org)
Re: Re: libyaml / YAML-LibYAML DoS (Jonathan Gray <jsg@....id.au>)
Re: CC'ing external lists/bugs (Jakub Wilk <jwilk@...ian.org>)
CVE Request: DB credentials disclosure in MantisBT's unattended upgrade script (Damien Regad <dregad@...tisbt.org>)
CVE request: PHP Object Injection in MantisBT filter API (Damien Regad <dregad@...tisbt.org>)

November 30 (2 messages)

Re: CVE Request: Graphviz format string vuln (Joshua Rogers <honey@...ernot.info>)
CVE request: OpenVAS Manager SQL injection (OVSA20141128) (Murray McAllister <mmcallis@...hat.com>)

382 messages

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.