Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

Latest Posts

Re: vte 0.76.3 released with fix for CVE-2024-37535 Solar Designer (Jun 09)
The above command is missing its backslash. This triggers a crash:

printf '\e[4;65535;65535t'

and so does this:

printf '\e[8;65535;65535t'

The latter is a different escape sequence that accepts the sizes in
different units. I hope the fix covers both, but I neither reviewed nor
tested it - I hope someone does and posts in here.

Alexander

vte 0.76.3 released with fix for CVE-2024-37535 Alan Coopersmith (Jun 09)
https://www.cve.org/CVERecord?id=CVE-2024-37535 states:

https://gitlab.gnome.org/GNOME/vte/-/issues/2786 explains further:

PHP security releases 8.3.8, 8.2.20, and 8.1.29 Alan Coopersmith (Jun 06)
In https://fosstodon.org/@php/112570710411472992 it is written:

The Changelog link includes further details:

- Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection
in PHP-CGI). (CVE-2024-4577)

- Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var
FILTER_VALIDATE_URL). (CVE-2024-5458)

- Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585)

- The openssl_private_decrypt function...

[SBA-ADV-20240202-02] CVE-2024-5658: CraftCMS Plugin - Two-Factor Authentication through 3.3.3 - TOTP Token Stays Valid After Use SBA Research Security Advisory (Jun 06)
# CraftCMS Plugin - Two-Factor Authentication - TOTP Token Stays Valid After Use #

Link:
https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-02_CraftCMS_Plugin_Two-Factor_Authentication_TOTP_Valid_After_Use

## Vulnerability Overview ##

The CraftCMS plugin Two-Factor Authentication through 3.3.3 allows reuse of
TOTP tokens multiple times within the validity period.

* **Identifier** : SBA-ADV-20240202-02
*...

[SBA-ADV-20240202-01] CVE-2024-5657: CraftCMS Plugin - Two-Factor Authentication 3.3.1 to 3.3.3 - Password Hash Disclosure SBA Research Security Advisory (Jun 06)
# CraftCMS Plugin - Two-Factor Authentication - Password Hash Disclosure #

Link:
https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-01_CraftCMS_Plugin_Two-Factor_Authentication_Password_Hash_Disclosure

## Vulnerability Overview ##

The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and
3.3.3 discloses the password hash of the currently authenticated user after
submitting a valid TOTP.

*...

Re: libarchive 3.7.4 released with 2 security fixes Tavis Ormandy (Jun 05)
The e8 thing is kinda interesting, but I think the ZDI description
didn't give enough background.

Here is my attempt:

- A long time ago, WinRAR included a bytecode interpreting VM
called RarVM. In theory, users could preprocess the data they're
compressing to make it more compressible, and then embed "filters"
in the archive. Those filters were little bytecode programs that
reverse the...

libarchive 3.7.4 released with 2 security fixes Alan Coopersmith (Jun 04)
https://github.com/libarchive/libarchive/releases/tag/v3.7.4 announces
the release on April 26 of libarchive 3.7.4 with 2 security fixes:

- rar: Fix OOB in rar e8 filter (#2135) (CVE-2024-26256)
https://github.com/libarchive/libarchive/pull/2135 doesn't give details, but
a detailed writeup from Trend Micro / ZDI has been posted at:...

Go 1.22.4 and Go 1.21.11 released with 2 security fixes (CVE-2024-24789, CVE-2024-24790) Alan Coopersmith (Jun 04)
https://groups.google.com/g/golang-announce/c/XbxouI9gY7k announces:

CVE-2024-36104: Apache OFBiz: Path traversal leading to a RCE Jacques Le Roux (Jun 03)
Severity: important

Affected versions:

- Apache OFBiz before 18.12.14

Description:

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This
issue affects Apache OFBiz: before 18.12.14.

Users are recommended to upgrade to version 18.12.14, which fixes the issue.

Credit:

godspeed (AAA@ZJU) (finder)

References:

https://ofbiz.apache.org/download.html...

nginx HTTP/3 security issues/fixes Solar Designer (May 30)
Hi,

This was on the nginx-announce list yesterday:

https://mailman.nginx.org/pipermail/nginx-announce/2024/GMY32CSHFH6VFTN76HJNX7WNEX4RLHF6.html

---
[nginx-announce] nginx security advisory (CVE-2024-31079, CVE-2024-32760, CVE-2024-34161, CVE-2024-35200)
Sergey Kandaurov pluknet at nginx.com
Wed May 29 15:12:07 UTC 2024

Hello!

Four security issues were identified in the nginx HTTP/3 implementation, which
might allow an attacker that uses a...

Security vulnerability in fprintd Yaron Shahrabani (May 30)
Hi everyone, I'm writing to this mailing list since I've already
shared the details with Benjamin Berg and Marco Trevisan privately,
and we have yet to conclude about this vulnerability.
This information was also disclosed to the fprintd mailing list:
https://lists.freedesktop.org/archives/fprint/2024-May/001231.html

My sudo is configured to approve access with pam_fprintd; this is the
config file:

#%PAM-1.0

auth...

Re: List linux CVEs for a given stable release? Greg Kroah-Hartman (May 30)
Very true, I do not claim to be a "robust" bash programmer at all :)

True.

Yeah, but the json files have their own issues, more below...

Great. Only you know your use cases, which is why we do not offer up
any "grading" of kernel CVEs as Linux is used in so many different ways.

The mbox files do get updated along with the json, but please, let's not
parse mbox files, that was a bad example I gave here, sorry.

That...

Re: List linux CVEs for a given stable release? Dominique Martinet (May 30)
Greg Kroah-Hartman wrote on Wed, May 29, 2024 at 09:23:50PM +0200:

(pedantic: `if cve=$(cve_search "$id"); then` is a bit simpler/failproof)

That's roughly what I had done earlier this week (handpicking the
commits that could impact our users), but this doesn't address my second
point as it won't catch any new CVE introduced before that tree that
wasn't fixed.
(also probably a bit more efficient to go by version...

Re: List linux CVEs for a given stable release? Greg Kroah-Hartman (May 29)
True, we don't have that yet, but with the scripts in there, it should
be easy to knock this up (hint, pass the id to scripts/cve_search) if
you need it.

The issue is, CVEs are assigned usually long _AFTER_ the stable release
has happened. So if you want to do this type of report for the latest
stable release, it will look like there are no CVEs. But if you wait a
few weeks, suddenly that old release will have many CVEs assigned to
them....

List linux CVEs for a given stable release? Dominique Martinet (May 29)
Hi Greg,

(Cc-ing oss-security because I think more people there might be
interested than people subscribed to cve () kernel org and I didn't want to
cross-post to multiple lists)

Up until last month someone had been managing a linuxkernelcves[1][2]
site, but it's somehow gone without a trace (DNS emptied, no message I
could see announcing it anywhere)

[1] https://www.linuxkernelcves.com
[2]...
