Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

oss-security mailing list - 2024/04

Messages by day:

April 1 (4 messages)

• From xz to ibus: more questionable tarballs (Jan Engelhardt <jengelh@...i.de>)
• Re: backdoor in upstream xz/liblzma leading to ssh server compromise (Jakub Wilk <jwilk@...lk.net>)
• Re: From xz to ibus: more questionable tarballs (HW42 <hw42@...umj.de>)
• Re: From xz to ibus: more questionable tarballs (Takao Fujiwara <takao.fujiwara1@...il.com>)

• finding similar compromises (was Re: From xz to ibus: more questionable tarballs) (Tavis Ormandy <taviso@...il.com>)
• CVE-2024-29834: Apache Pulsar: Improper Authorization For Namespace and Topic Management Endpoints (Lari Hotari <lhotari@...che.org>)
• Fwd: Node.js security update for all active release lines (Rafael Gonzaga <work@...aelgss.dev>)
• Re: finding similar compromises (was Re: From xz to ibus: more questionable tarballs) (Tavis Ormandy <taviso@...il.com>)
• Re: finding similar compromises (was Re: From xz to ibus: ... (Hank Leininger <hlein@...elogic.com>)
• CVE-2024-1597: PostgreSQL pgjdbc: SQL injection in non-default configuration (daniel <sd@....eu>)

• escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise) (Matthew Fernandez <matthew.fernandez@...il.com…)
• Detecting code injections in packages through debug infos (Adrien Nader <adrien@...k.org>)
• xz backdoor prevention using hosts.deny? (Nick Sal <specialroumpa@...ton.me>)
• Looking for developers who know how to use Seccomp for a paid study (Maysara Alhindi <maysara.alhindi@...stol.ac.uk>)
• dnf5daemon-server: Incomplete fix of CVE-2024-1929 (CVE-2024-2746) (Matthias Gerstner <mgerstner@...e.de>)
• Re: xz backdoor prevention using hosts.deny? (Stuart D Gathman <stuart@...hman.org>)
• Re: xz backdoor prevention using hosts.deny? (Stephen John Smoogen <smooge@...il.com>)
• Re: xz backdoor prevention using hosts.deny? (Pierre-Elliott Bécue <peb@...ian.org>)
• Fwd: Node.js security update for all active release lines (midawson <midawson@...hat.com>)
• Re: Fwd: Node.js security update for all active release lines (Solar Designer <solar@...nwall.com>)
• Re: Looking for developers who know how to use Seccomp for a paid study (Solar Designer <solar@...nwall.com>)
• Re: Fwd: Node.js security update for all active release lines (Michael Dawson <midawson@...hat.com>)
• Fwd: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5 (Alan Coopersmith <alan.coopersmith@...cle.com>)
• Re: Fwd: Node.js security update for all active release lines (Solar Designer <solar@...nwall.com>)
• Re: Fwd: Node.js security update for all active release lines (Michael Dawson <midawson@...hat.com>)
• CERT/CC VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks (Alan Coopersmith <alan.coopersmith@...cle.com>)
• Re: escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise) (Solar Designer <solar@...nwall.com>)

• Just a reminder to never run ldd or strings on untrusted binaries (Markus Klyver <markusklyver@...mail.com>)
• opusfile by Xiph.Org Foundation, DoS vulnerability (SIGFPE) (Alex Sarum <rum.274.4@...il.com>)
• CVE-2023-38709: Apache HTTP Server: HTTP response splitting (Eric Covener <covener@...che.org>)
• CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames (Eric Covener <covener@...che.org>)
• CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple modules (Eric Covener <covener@...che.org>)
• Re: Just a reminder to never run ldd or strings on untrusted binaries (Matthew Fernandez <matthew.fernandez@...il.com>)
• YSA-2024-01: YubiKey Manager Privilege Escalation (Matthew Fernandez <matthew.fernandez@...il.com>)
• Fwd: Node.js security update for all active relesae lines, April 9 2024 (Rafael Gonzaga <work@...aelgss.dev>)

• minor problem on detect_sh.bin (Lam Bruce <brucelam1982pi@...il.com>)
• CVE-2024-24746: Apache NimBLE: Denial of service in NimBLE Bluetooth stack (Szymon Janc <janc@...che.org>)
• Envoy security releases [1.29.3, 1.28.2, 1.27.4, 1.26.8] are now available (Jan Schaumann <jschauma@...meister.org>)
• Go 1.22.2 and 1.21.9 (CVE-2023-45288 HTTP/2 CONTINUATION issue) (Jan Schaumann <jschauma@...meister.org>)

• HTTP::Body before 1.23 for Perl is still vulnerable to CVE-2013-4407 (Stig Palmquist <stig@...g.io>)

• Re: xz backdoor prevention using hosts.deny? (Ángel <oss-security@....16bits.net>)
• Re: Re: finding similar compromises (was Re: From xz to ibus: more questionable tarballs) (Ángel <oss-security@....16bits.net>)
• Is CVE-2024-30203 bogus? (Emacs) (Sean Whitton <spwhitton@...hitton.name>)
• Re: Is CVE-2024-30203 bogus? (Emacs) (Eli Zaretskii <eliz@....org>)
• OpenSSL Security Advisory (Tomas Mraz <tomas@...nssl.org>)
• Re: Is CVE-2024-30203 bogus? (Emacs) (Max Nikulin <manikulin@...il.com>)
• Re: Is CVE-2024-30203 bogus? (Emacs) (Ihor Radchenko <yantar92@...teo.net>)
• PoC for fdroidserver AllowedAPKSigningKeys certificate pinning bypass (Fay Stegerman <flx@...usk.net>)

• Xen Security Advisory 454 v2 (CVE-2023-46842) - x86 HVM hypercalls may trigger Xen bug check (Xen.org security team <security@....org>)
• CVE-2024-31860: Apache Zeppelin: Path traversal vulnerability (Jongyoul Lee <jongyoul@...che.org>)
• CVE-2021-28656: Apache Zeppelin: CSRF vulnerability in the Credentials page (Jongyoul Lee <jongyoul@...che.org>)
• CVE-2022-47894: Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE (Jongyoul Lee <jongyoul@...che.org>)
• CVE-2024-31862: Apache Zeppelin: Denial of service with invalid notebook name (Jongyoul Lee <jongyoul@...che.org>)
• CVE-2024-31863: Apache Zeppelin: Replacing other users notebook, bypassing any permissions (Jongyoul Lee <jongyoul@...che.org>)
• Re: xz backdoor prevention using hosts.deny? (Jacob Bachmeyer <jcb62281@...il.com>)
• CVE-2024-31864: Apache Zeppelin: Remote code execution by adding malicious JDBC connection string (Jongyoul Lee <jongyoul@...che.org>)
• CVE-2024-31865: Apache Zeppelin: Cron arbitrary user impersonation with improper privileges (Jongyoul Lee <jongyoul@...che.org>)
• CVE-2024-31866: Apache Zeppelin: Interpreter download command does not escape malicious code injection (Jongyoul Lee <jongyoul@...che.org>)
• CVE-2024-31868: Apache Zeppelin: XSS vulnerability in the helium module (Jongyoul Lee <jongyoul@...che.org>)
• CVE-2024-31867: Apache Zeppelin: LDAP search filter query Injection Vulnerability (Jongyoul Lee <jongyoul@...che.org>)
• CWE-121, CWE-122: libfreeimage 3.40-3.18/19+ buffer overflow (Michael Knap <oss-sec@...ap.com>)
• Xen Security Advisory 455 v4 (CVE-2024-31142) - x86: Incorrect logic for BTC/SRSO mitigations (Xen.org security team <security@....org>)
• Xen Security Advisory 456 v2 (CVE-2024-2201) - x86: Native Branch History Injection (Xen.org security team <security@....org>)
• CVE-2024-24576: Rust 1.77.1 and earlier did not properly escape arguments of batch files on Windows ("Pietro Albini" <pietro@...troalbini.org>)
• Re: xz backdoor prevention using hosts.deny? (Andres Freund <andres@...razel.de>)

• Re: xz backdoor prevention using hosts.deny? (Christoph Anton Mitterer <calestyo@...entia.org>)
• Re: xz backdoor prevention using hosts.deny? (Jacob Bachmeyer <jcb62281@...il.com>)
• Re: Is CVE-2024-30203 bogus? (Emacs) (Sean Whitton <spwhitton@...hitton.name>)
• Re: Is CVE-2024-30203 bogus? (Emacs) (Ihor Radchenko <yantar92@...teo.net>)
• Re: Re: Is CVE-2024-30203 bogus? (Emacs) (Salvatore Bonaccorso <carnil@...ian.org>)
• Re: Is CVE-2024-30203 bogus? (Emacs) (Max Nikulin <manikulin@...il.com>)
• CVE-2024-31309: Apache Traffic Server: HTTP/2 CONTINUATION frames can be utilized for DoS attack (Bryan Call <bcall@...che.org>)
• CVE-2024-31861: Apache Zeppelin: Code injection by Shell interpreter (Jongyoul Lee <jongyoul@...che.org>)
• Analysis on who is Jia Tan, and who he could work for, reading xz.git (Alejandro Colomar <alx@...nel.org>)
• Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git (Alejandro Colomar <alx@...nel.org>)
• Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git (Joey Hess <id@...yh.name>)
• Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git (Solar Designer <solar@...nwall.com>)
• Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git (Chris Down <chris@...isdown.name>)
• Fwd: Node.js security update for all active relesae lines, April 9 2024 (Rafael Gonzaga <work@...aelgss.dev>)
• NodeJS Command injection via args parameter of child_process.spawn without shell option enabled on Windows (CVE-2024-27… (Jan Schaumann <jschauma@...meister.org>)
• CERT VU#123335: Multiple Programming Languages Fail to Escape Arguments Properly in Microsoft Windows (Alan Coopersmith <alan.coopersmith@...cle.com>)
• Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git (Alejandro Colomar <alx@...nel.org>)
• New Linux LPE via GSMIOC_SETCONF_DLCI? ("Dr. Christopher Kunz" <info@...istopher-kunz.de>)
• Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git (Vegard Nossum <vegard.nossum@...cle.com>)
• Re: CERT VU#123335: Multiple Programming Languages Fail to Escape Arguments Properly in Microsoft Windows (Steffen Nurpmeso <steffen@...oden.eu>)
• Re: New Linux LPE via GSMIOC_SETCONF_DLCI? (Solar Designer <solar@...nwall.com>)
• CVE-2024-1086: Linux: nf_tables: use-after-free vulnerability in the nft_verdict_init() function (Solar Designer <solar@...nwall.com>)
• Re: CVE-2024-1086: Linux: nf_tables: use-after-free vulnerability in the nft_verdict_init() function (Jonathan Wright <jonathan@...alinux.org>)

• Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git (Jacob Bachmeyer <jcb62281@...il.com>)
• Re: CWE-121, CWE-122: libfreeimage 3.40-3.18/19+ buffer overflow (Tianyu Chen <billchenchina2001@...il.com>)
• Re: Re: CWE-121, CWE-122: libfreeimage 3.40-3.18/19+ buffer overflow (Michael Knap <oss-sec@...ap.com>)
• Re: Is CVE-2024-30203 bogus? (Emacs) (Sean Whitton <spwhitton@...hitton.name>)
• Re: Re: Is CVE-2024-30203 bogus? (Emacs) (Sean Whitton <spwhitton@...hitton.name>)
• Re: Is CVE-2024-30203 bogus? (Emacs) (Max Nikulin <manikulin@...il.com>)
• Re: New Linux LPE via GSMIOC_SETCONF_DLCI? (Donald Buczek <buczek@...gen.mpg.de>)
• Re: New Linux LPE via GSMIOC_SETCONF_DLCI? ("Dr. Christopher Kunz" <info@...istopher-kunz.de>)
• Re: New Linux LPE via GSMIOC_SETCONF_DLCI? (Solar Designer <solar@...nwall.com>)
• Re: Re: CWE-121, CWE-122: libfreeimage 3.40-3.18/19+ buffer overflow (Michael Knap <oss-sec@...ap.com>)
• Re: New Linux LPE via GSMIOC_SETCONF_DLCI? ("Dr. Christopher Kunz" <info@...istopher-kunz.de>)
• [PATCH] package/skeleton-init-sysv: Set sticky bit on /dev/shm (Ben Hutchings <ben.hutchings@...d.be>)
• Buildroot: incorrect permissons on /dev/shm (Ben Hutchings <ben.hutchings@...ensium.com>)
• Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git (Alejandro Colomar <alx@...nel.org>)
• Re: [Buildroot] [PATCH] package/skeleton-init-sysv: Set sticky bit on /dev/shm ("Yann E. MORIN" <yann.morin.1998@...e.fr>)

• Re: New Linux LPE via GSMIOC_SETCONF_DLCI? (Kyle Zeng <zengyhkyle@...il.com>)
• Re: New Linux LPE via GSMIOC_SETCONF_DLCI? (Kyle Zeng <zengyhkyle@...il.com>)
• CVE-2024-27309: Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode (Colin McCabe <cmccabe@...che.org>)
• Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git (Jacob Bachmeyer <jcb62281@...il.com>)
• less(1) with LESSOPEN mishandles \n in paths (Jakub Wilk <jwilk@...lk.net>)
• Re: less(1) with LESSOPEN mishandles \n in paths (Sam James <sam@...too.org>)
• CVE-2024-31391: Apache Solr Operator: Solr-Operator liveness and readiness probes may leak basic auth credentials (Jason Gerlowski <gerlowskija@...che.org>)
• Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git (Alejandro Colomar <alx@...nel.org>)
• Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise (Jakub Wilk <jwilk@...lk.net>)
• Re: Fwd: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5 (Alan Coopersmith <alan.coopersmith@...cle.com>)
• PHP security releases 8.1.28, 8.2.18, & 8.3.6 (Alan Coopersmith <alan.coopersmith@...cle.com>)

• Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git (Jacob Bachmeyer <jcb62281@...il.com>)
• Re: less(1) with LESSOPEN mishandles \n in paths (Tobias Powalowski <tobias.powalowski@...glemail.com>)

• Linux: Disabling network namespaces (Solar Designer <solar@...nwall.com>)

• Re: less(1) with LESSOPEN mishandles \n in paths (Jakub Wilk <jwilk@...lk.net>)
• Re: Linux: Disabling network namespaces (Demi Marie Obenour <demi@...isiblethingslab.com>)
• Re: Linux: Disabling network namespaces (Solar Designer <solar@...nwall.com>)
• Re: Linux: Disabling network namespaces (Simon McVittie <smcv@...ian.org>)
• Re: Linux: Disabling network namespaces (Simon McVittie <smcv@...ian.org>)
• CVE-2024-31497: Secret Key Recovery of NIST P-521 Private Keys Through Biased ECDSA Nonces in PuTTY Client (Fabian Bäumer <fabian.baeumer@....de>)

• Re: Linux: Disabling network namespaces (Jordan Glover <Golden_Miller83@...tonmail.ch>)
• Re: New Linux LPE via GSMIOC_SETCONF_DLCI? (Solar Designer <solar@...nwall.com>)
• Re: Linux: Disabling network namespaces (Philippe Cerfon <philcerf@...il.com>)
• [kubernetes] CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin (Rita Zhang <rita.z.zhang@...il.com>)
• Re: backdoor in upstream xz/liblzma leading to ssh server compromise (Solar Designer <solar@...nwall.com>)
• Re: Linux: Disabling network namespaces (Demi Marie Obenour <demi@...isiblethingslab.com>)

• Re: New Linux LPE via GSMIOC_SETCONF_DLCI? (Greg KH <greg@...ah.com>)
• Re: New Linux LPE via GSMIOC_SETCONF_DLCI? ("Dr. Christopher Kunz" <info@...istopher-kunz.de>)
• Make your own backdoor: CFLAGS code injection, Makefile injection, pkg-config (Vegard Nossum <vegard.nossum@...cle.com>)
• Re: backdoor in upstream xz/liblzma leading to ssh server compromise (Jacob Bachmeyer <jcb62281@...il.com>)
• Re: Linux: Disabling network namespaces (Georgia Garcia <georgia.garcia@...onical.com>)
• Re: backdoor in upstream xz/liblzma leading to ssh server compromise (Jakub Wilk <jwilk@...lk.net>)
• Re: backdoor in upstream xz/liblzma leading to ssh server compromise (Loganaden Velvindron <loganaden@...il.com>)
• Terrapin vulnerability in Jenkins CLI client (Daniel Beck <ml@...kweb.net>)
• The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out… (Adhemerval Zanella Netto <zatrazz@...il…)
• CVE-2024-31869: Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used (Ephraim Anierobi <ephraimanierobi@...che…)

• Re: backdoor in upstream xz/liblzma leading to ssh server compromise (Matt Johnston <matt@....asn.au>)
• libreswan: IKEv1 default AH/ESP responder can crash and restart (David Morel <david.morel@...es.tech>)
• Re: Make your own backdoor: CFLAGS code injection, Makefile injection, pkg-config (Jacob Bachmeyer <jcb62281@...il.com>)
• Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-… (Solar Designer <solar@...nwall.com>)
• flatpak CVE-2024-32462 : Sandbox escape via RequestBackground portal and CWE-88 (Simon McVittie <smcv@...ian.org>)

• CVE-2024-29217: Apache Answer: XSS vulnerability when changing personal website (Enxin Xie <linkinstar@...che.org>)
• Re: backdoor in upstream xz/liblzma leading to ssh server compromise (Jacob Bachmeyer <jcb62281@...il.com>)
• CVE-2024-29733: Apache Airflow FTP Provider: FTP_TLS instance with unverified SSL context (Elad Kalif <eladkal@...che.org>)
• Re: Linux: Disabling network namespaces (Solar Designer <solar@...nwall.com>)
• Re: Linux: Disabling network namespaces (Simon McVittie <smcv@...ian.org>)
• Re: Linux: Disabling network namespaces (nightmare.yeah27@...ecat.org)

• Re: Linux: Disabling network namespaces (Solar Designer <solar@...nwall.com>)
• Re: Linux: Disabling network namespaces (Jordan Glover <Golden_Miller83@...tonmail.ch>)
• [Update] PoC for fdroidserver AllowedAPKSigningKeys certificate pinning bypass (Fay Stegerman <flx@...usk.net>)

• Re: Linux: Disabling network namespaces (Simon McVittie <smcv@...ian.org>)
• Re: Linux: Disabling network namespaces (Simon McVittie <smcv@...ian.org>)
• Re: PoC for fdroidserver AllowedAPKSigningKeys certificate pinning bypass (Jeffrey Walton <noloader@...il.com>)
• Re: Linux: Disabling network namespaces (Solar Designer <solar@...nwall.com>)
• Re: Linux: Disabling network namespaces (Solar Designer <solar@...nwall.com>)

• Wordpress Responsive theme: arbitrary HTML content injection (CVE-2024-2848) (Hanno Böck <hanno@...eck.de>)
• CVE-2024-27347: Apache HugeGraph-Hubble: SSRF in Hubble connection page (Imba Jin <jin@...che.org>)
• CVE-2024-27348: Apache HugeGraph-Server: Command execution in gremlin (Imba Jin <jin@...che.org>)
• CVE-2024-27349: Apache HugeGraph-Server: Bypass whitelist in Auth mode (Imba Jin <jin@...che.org>)
• Re: Linux: Disabling network namespaces (Jordan Glover <Golden_Miller83@...tonmail.ch>)
• Re: Linux: Disabling network namespaces ("Priedhorsky, Reid" <reidpr@...l.gov>)

• Re: Linux: Disabling network namespaces (Demi Marie Obenour <demi@...isiblethingslab.com>)
• 83 bogus CVEs assigned to Robot Operating System (ROS) (Mark Esler <mark.esler@...onical.com>)
• Re: 83 bogus CVEs assigned to Robot Operating System (ROS) (Yash Patel <yashpatelphd@...il.com>)
• Re: 83 bogus CVEs assigned to Robot Operating System (ROS) (Mark Esler <mark.esler@...onical.com>)
• Re: 83 bogus CVEs assigned to Robot Operating System (ROS) (Yash Patel <yashpatelphd@...il.com>)
• Re: Linux: Disabling network namespaces (Simon McVittie <smcv@...ian.org>)

• PowerDNS Recursor Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a den… (Peter van Dijk <peter.van.dijk@...erdns…)
• Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix ou… (Florian Weimer <fweimer@...hat.com>)
• CVE-2024-0582 - Linux kernel use-after-free vulnerability in io_uring, writeup and exploit strategy (Oriol Castejón <Oriol.Castejon@...dusintel.com>)
• Security Issues and Abandonment of PHP ECC library (mdanter/ecc, phpecc/phpecc) (Paragon Initiative Enterprises Security Team <security@...agonie.com>)

• libksieve (used by kmail/kontact) sent password as username (Jonas Schäfer <j.wielicki@...ecware.net>)

• Update on the distro-backdoor-scanner effort (Hank Leininger <hlein@...elogic.com>)
• Re: Update on the distro-backdoor-scanner effort (Simon McVittie <smcv@...ian.org>)
• Re: Update on the distro-backdoor-scanner effort (Sam James <sam@...too.org>)

• Re: Update on the distro-backdoor-scanner effort (Jacob Bachmeyer <jcb62281@...il.com>)
• Re: Update on the distro-backdoor-scanner effort (Morten Linderud <foxboron@...hlinux.org>)

• Re: Update on the distro-backdoor-scanner effort (Hank Leininger <hlein@...elogic.com>)
• Re: Update on the distro-backdoor-scanner effort (Hank Leininger <hlein@...elogic.com>)
• Suspicious hook-loading mechanism in hyprland (Sam James <sam@...too.org>)
• Telegram Web app XSS / Session Hijacking 1-click (Pedro Batista <pedbap.g@...il.com>)

• Re: Update on the distro-backdoor-scanner effort (Jacob Bachmeyer <jcb62281@...il.com>)
• Re: Update on the distro-backdoor-scanner effort (Vegard Nossum <vegard.nossum@...cle.com>)
• CVE-2024-27322: Deserialization vulnerability in R before 4.4.0 (Alan Coopersmith <alan.coopersmith@...cle.com>)
• Re: Linux: Disabling network namespaces (John Johansen <john.johansen@...onical.com>)
• Re: Re: Linux: Disabling network namespaces (John Johansen <john.johansen@...onical.com>)
• Re: Update on the distro-backdoor-scanner effort (Gabriel Ravier <gabravier@...il.com>)

• Re: libksieve (used by kmail/kontact) sent password as username (Salvatore Bonaccorso <carnil@...ian.org>)
• Re: Update on the distro-backdoor-scanner effort (Jacob Bachmeyer <jcb62281@...il.com>)
• Re: New SMTP smuggling attack (Mark Esler <mark.esler@...onical.com>)
• Re: Telegram Web app XSS / Session Hijacking 1-click (Pedro Batista <pedbap.g@...il.com>)
• Re: New SMTP smuggling attack (nightmare.yeah27@...ecat.org)
• Re: New SMTP smuggling attack (Erik Auerswald <auerswal@...x-ag.uni-kl.de>)
• Re: New SMTP smuggling attack (Steffen Nurpmeso <steffen@...oden.eu>)

197 messages

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.