Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

oss-security mailing list - 2022/11

Messages by day:

November 1 (24 messages)

• Re: Is third party javascript on a login page considered dangerous? (Jan Engelhardt <jengelh@...i.de>)
• CVE-2022-31764: Apache ShardingSphere ElasticJob-UI allows RCE via event trace data source JDBC (Weijie Wu <wuweijie@...che.org>)
• Xen Security Advisory 412 v2 (CVE-2022-42327) - x86: unintended memory sharing between guests (Xen.org security team <security@....org>)
• Xen Security Advisory 414 v2 (CVE-2022-42309) - Xenstore: Guests can crash xenstored (Xen.org security team <security@....org>)
• Xen Security Advisory 415 v2 (CVE-2022-42310) - Xenstore: Guests can create orphaned Xenstore nodes (Xen.org security team <security@....org>)
• Xen Security Advisory 416 v2 (CVE-2022-42319) - Xenstore: Guests can cause Xenstore to not free temporary memory (Xen.org security team <security@....org>)
• Xen Security Advisory 417 v2 (CVE-2022-42320) - Xenstore: Guests can get access to Xenstore nodes of deleted domains (Xen.org security team <security@....org>)
• Xen Security Advisory 418 v2 (CVE-2022-42321) - Xenstore: Guests can crash xenstored via exhausting the stack (Xen.org security team <security@....org>)
• Xen Security Advisory 419 v2 (CVE-2022-42322,CVE-2022-42323) - Xenstore: Cooperating guests can create arbitrary number… (Xen.org security team <security@....org…)
• Xen Security Advisory 420 v2 (CVE-2022-42324) - Oxenstored 32->31 bit integer truncation issues (Xen.org security team <security@....org>)
• Xen Security Advisory 421 v2 (CVE-2022-42325,CVE-2022-42326) - Xenstore: Guests can create arbitrary number of nodes vi… (Xen.org security team <security@....org…)
• Re: Is third party javascript on a login page considered dangerous? (Solar Designer <solar@...nwall.com>)
• CVE-2022-34662: Apache DolphinScheduler prior to 3.0.0 allows path traversal (Jiajie Zhong <zhongjiajie@...che.org>)
• CVE-2022-31777: Apache Spark XSS vulnerability in log viewer UI Javascript ("Sean R. Owen" <srowen@...che.org>)
• OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE… (Solar Designer <solar@...nwall.com>)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Ove… (Demi Marie Obenour <demi@...isiblething…)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow … (Dave Horsfall <dave@...sfall.org>)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Over… (Pavan Maddamsetti <pavan.maddamsetti@gm…)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Ove… (Demi Marie Obenour <demi@...isiblething…)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overf… ("Erin Shepherd" <erin.shepherd@....eu>)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow… (Jeffrey Walton <noloader@...il.com>)
• CVE-2022-43982: Apache Airflow: Reflected XSS via Origin Query Argument in URL (Jedidiah Cunningham <jedcunningham@...che.org>)
• CVE-2022-43985: Apache Airflow: Open Redirect (Jedidiah Cunningham <jedcunningham@...che.org>)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786) (alex@...xburke.ca)

• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Ove… (Demi Marie Obenour <demi@...isiblething…)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow… (Alex Gaynor <alex.gaynor@...il.com>)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Ove… (Demi Marie Obenour <demi@...isiblething…)
• Fwd: Node.js security updates for all active release lines, November 2022 ("soyjuanarbol@...il.com" <soyjuanarbol@...il.com>)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-202… ("alice" <alice@...ya.dev>)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-202… ("alice" <alice@...ya.dev>)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (… (Tavis Ormandy <taviso@...il.com>)
• CVE-2022-43670: Apache Sling App CMS: XSS in Sling CMS Reference App Taxonomy Path (Daniel Klco <dklco@...che.org>)
• Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Over… (Alex Gaynor <alex.gaynor@...il.com>)
• Re: Fwd: Node.js security updates for all active release lines, November 2022 (Jan Schaumann <jschauma@...meister.org>)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE… (Hanno Böck <hanno@...eck.de>)
• Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer O… (Steffen Nurpmeso <steffen@...oden.eu>)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (… (Tavis Ormandy <taviso@...il.com>)
• Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Over… (Alex Gaynor <alex.gaynor@...il.com>)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE… (Kurt H Maier <khm@...ops.net>)

• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overfl… (Steffen Nurpmeso <steffen@...oden.eu>)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow… (John Helmert III <ajak@...too.org>)
• Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Ov… ("Neal H. Walfield" <neal@...field.org>)
• CVE-2022-32287: Apache UIMA prior to 3.3.1 has a path traversal vulnerability when extracting (PEAR) archives (Richard Eckart de Castilho <rec@...che.org>)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (… (Tavis Ormandy <taviso@...il.com>)
• Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow … (Kurt H Maier <khm@...ops.net>)
• Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overfl… (Nicola Tuveri <nic.tuv@...il.com>)
• CVE-2022-33684: Apache Pulsar: Disabled Certificate Validation for OAuth Client Credential Requests makes C++/Python Cl… (Michael Marshall <mmarshall@...che.org>)
• Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow … (Kurt H Maier <khm@...ops.net>)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-20… (Sam James <sam@...too.org>)
• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-20… (Sam James <sam@...too.org>)

• Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Ove… (Demi Marie Obenour <demi@...isiblething…)
• CVE-2022-37865: Apache Ivy allow create/overwrite any file on the system (Stefan Bodewig <bodewig@...che.org>)
• CVE-2022-37866: Apache Ivy: Ivy Path traversal (Stefan Bodewig <bodewig@...che.org>)
• WebKitGTK and WPE WebKit Security Advisory WSA-2022-0010 (Carlos Alberto Lopez Perez <clopez@...lia.com>)
• Multiple vulnerabilities affecting UYUNI/SUSE Manager (Paolo Perego <pperego@...e.de>)
• CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing ("Gary D. Gregory" <ggregory@...che.org>)
• Re: CVE-2022-37865: Apache Ivy allow create/overwrite any file on the system (Demi Marie Obenour <demi@...isiblethingslab.com>)
• Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing (John Helmert III <ajak@...too.org>)
• Fwd: Node.js security updates for all active release lines, November 2022 ("soyjuanarbol@...il.com" <soyjuanarbol@...il.com>)

• Fwd: [ANNOUNCE] pixman release 0.42.2 now available (Alan Coopersmith <alan.coopersmith@...cle.com>)

• Re: CVE-2022-2602 - Linux kernel io_uring UAF (John Smith <smitchj013@...look.com>)
• Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing (John Helmert III <ajak@...too.org>)

• Xen Security Advisory 422 v1 (CVE-2022-23824) - x86: Multiple speculative security issues (Xen.org security team <security@....org>)
• Re: CVE-2022-2602 - Linux kernel io_uring UAF (Adam Reynolds <adamajreynolds@...il.com>)

• CVE-2022-45063: xterm <375 code execution via font ops (David Leadbeater <dgl@....cx>)
• Xen Security Advisory 422 v2 (CVE-2022-23824) - x86: Multiple speculative security issues (Xen.org security team <security@....org>)
• [kubernetes] CVE-2022-3162: Unauthorized read of Custom Resources (Tim Allclair <timallclair@...il.com>)
• [kubernetes] CVE-2022-3294: Node address isn't always verified when proxying (Tim Allclair <timallclair@...il.com>)
• Re: CVE-2022-45063: xterm <375 code execution via font ops (Matthieu Herrb <matthieu@...rb.eu>)

• Re: Linux kernel: net: mctp: A Use-After-Free bug in mctp_sk_unhash in net/mctp/af_mctp.c (butt3rflyh4ck <butterflyhuangxx@...il.com>)
• CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example (Jarek Potiuk <potiuk@...che.org>)
• CVE-2022-27949: Apache Airflow: sensitive values in rendered template (Jarek Potiuk <potiuk@...che.org>)
• CVE-2022-45378: Apache SOAP allows unauthenticated users to potentially invoke arbitrary code (Arnout Engelen <engelen@...che.org>)
• CVE-2022-45136: JDBC Deserialisation in Apache Jena SDB (Rob Vesse <rvesse@...che.org>)

• CVE-2022-45402: Apache Airflow: Open redirect during login (Jedidiah Cunningham <jedcunningham@...che.org>)
• CVE-2022-40308: Apache Archiva prior to 2.2.9 may allow the anonymous user to read arbitrary files (Olivier Lamy <olamy@...che.org>)
• CVE-2022-40309: Apache Archiva prior to 2.2.9 allows an authenticated user to delete arbitrary directories (Olivier Lamy <olamy@...che.org>)
• Multiple vulnerabilities in Jenkins plugins (Daniel Beck <ml@...kweb.net>)

• CVE-2022-45047: Apache MINA SSHD: Java unsafe deserialization vulnerability (Thomas Wolf <twolf@...che.org>)

• Linux kernel: staging: rtl8712: A Use-after-Free/Double-Free bug in read_bbreg_hdl in drivers/staging/rtl8712/rtl8712_c… (Zheng Hacker <hackerzheng666@...il.com>)

• CVE-2022-45470: Apache Hama allows XSS and information disclosure (Arnout Engelen <engelen@...che.org>)
• Re: Linux kernel: staging: rtl8712: A Use-after-Free/Double-Free bug in read_bbreg_hdl in drivers/staging/rtl8712/rtl8… (Thadeu Lima de Souza Cascardo <cascardo…)
• Apache Solr is vulnerable to CVE-2022-39135 via /sql handler (David Smiley <dsmiley@...che.org>)
• CVE-2022-38649: Apache Airflow Pinot Provider, Apache Airflow: PinotAdminHook Command Injection (Jarek Potiuk <potiuk@...che.org>)
• CVE-2022-40189: Apache Airlfow Pig Provider RCE (Jarek Potiuk <potiuk@...che.org>)
• CVE-2022-40954: Apache Airflow Spark Provider, Apache Airflow: Airflow 2.3.4 spark provider RCE that bypass restrictions to re… (Jarek Potiuk <potiuk@...che.org>)
• CVE-2022-41131: Apache Airflow Hive Provider vulnerability (command injection via hive_cli connection) (Jarek Potiuk <potiuk@...che.org>)

• CVE-2022-45462: Apache DolphinScheduler prior to 2.0.5 have command execution vulnerability (Jiajie Zhong <zhongjiajie@...che.org>)

• CVE-2022-26885: Apache DolphinScheduler config file read by task risk (ShunFeng Cai <caishunfeng@...che.org>)

• CVE-2022-46146 in Prometheus' exporter toolkit: bypass basic authentication (Julien Pivotto <roidelapluie@...metheus.io>)
• Re: CVE-2022-46146 in Prometheus' exporter toolkit: bypass basic authentication (Solar Designer <solar@...nwall.com>)
• CVE-2022-44635: Apache Fineract allowed an authenticated user to perform remote code execution due to path traversal (Arnout Engelen <engelen@...che.org>)
• Re: CVE-2022-46146 in Prometheus' exporter toolkit: bypass basic authentication (Julien Pivotto <roidelapluie@...metheus.io>)

• Security sensitive bug in the i915 kernel driver (CVE-2022-4139) (Andrzej Hajda <andrzej.hajda@...el.com>)
• Race condition in snap-confine's must_mkdir_and_open_with_perms() (CVE-2022-3328) (Qualys Security Advisory <qsa@...lys.com>)

95 messages

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.