oss-sec: by thread
276 messages, starting Apr 01 24 and ending Jun 09 24
- From xz to ibus: more questionable tarballs Jan Engelhardt (Apr 01)
- Re: From xz to ibus: more questionable tarballs HW42 (Apr 01)
- finding similar compromises (was Re: From xz to ibus: more questionable tarballs) Tavis Ormandy (Apr 02)
- Re: finding similar compromises (was Re: From xz to ibus: more questionable tarballs) Tavis Ormandy (Apr 02)
- Re: finding similar compromises (was Re: From xz to ibus: ... Hank Leininger (Apr 02)
- Re: Re: finding similar compromises (was Re: From xz to ibus: more questionable tarballs) Ángel (Apr 08)
- finding similar compromises (was Re: From xz to ibus: more questionable tarballs) Tavis Ormandy (Apr 02)
- Re: From xz to ibus: more questionable tarballs Takao Fujiwara (Apr 01)
- Re: From xz to ibus: more questionable tarballs HW42 (Apr 01)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jakub Wilk (Apr 01)
- <Possible follow-ups>
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jakub Wilk (Apr 12)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Apr 16)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jacob Bachmeyer (Apr 17)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron (Apr 17)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Matt Johnston (Apr 17)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jacob Bachmeyer (Apr 19)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jacob Bachmeyer (Apr 17)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jakub Wilk (Apr 17)
- CVE-2024-29834: Apache Pulsar: Improper Authorization For Namespace and Topic Management Endpoints Lari Hotari (Apr 02)
- Fwd: Node.js security update for all active release lines Rafael Gonzaga (Apr 02)
- <Possible follow-ups>
- Fwd: Node.js security update for all active release lines midawson (Apr 03)
- Re: Fwd: Node.js security update for all active release lines Solar Designer (Apr 03)
- Re: Fwd: Node.js security update for all active release lines Michael Dawson (Apr 03)
- Re: Fwd: Node.js security update for all active release lines Solar Designer (Apr 03)
- Re: Fwd: Node.js security update for all active release lines Michael Dawson (Apr 03)
- Re: Fwd: Node.js security update for all active release lines Solar Designer (Apr 03)
- CVE-2024-1597: PostgreSQL pgjdbc: SQL injection in non-default configuration daniel (Apr 02)
- escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise) Matthew Fernandez (Apr 02)
- Detecting code injections in packages through debug infos Adrien Nader (Apr 03)
- xz backdoor prevention using hosts.deny? Nick Sal (Apr 03)
- Re: xz backdoor prevention using hosts.deny? Stuart D Gathman (Apr 03)
- Re: xz backdoor prevention using hosts.deny? Stephen John Smoogen (Apr 03)
- Re: xz backdoor prevention using hosts.deny? Pierre-Elliott Bécue (Apr 03)
- Re: xz backdoor prevention using hosts.deny? Ángel (Apr 08)
- Re: xz backdoor prevention using hosts.deny? Jacob Bachmeyer (Apr 09)
- Re: xz backdoor prevention using hosts.deny? Andres Freund (Apr 09)
- Re: xz backdoor prevention using hosts.deny? Christoph Anton Mitterer (Apr 09)
- Re: xz backdoor prevention using hosts.deny? Jacob Bachmeyer (Apr 10)
- Re: xz backdoor prevention using hosts.deny? Jacob Bachmeyer (Apr 09)
- Looking for developers who know how to use Seccomp for a paid study Maysara Alhindi (Apr 03)
- Re: Looking for developers who know how to use Seccomp for a paid study Solar Designer (Apr 03)
- dnf5daemon-server: Incomplete fix of CVE-2024-1929 (CVE-2024-2746) Matthias Gerstner (Apr 03)
- Fwd: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5 Alan Coopersmith (Apr 03)
- Re: Fwd: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5 Alan Coopersmith (Apr 12)
- CERT/CC VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks Alan Coopersmith (Apr 03)
- Envoy security releases [1.29.3, 1.28.2, 1.27.4, 1.26.8] are now available Jan Schaumann (Apr 05)
- Go 1.22.2 and 1.21.9 (CVE-2023-45288 HTTP/2 CONTINUATION issue) Jan Schaumann (Apr 05)
- Just a reminder to never run ldd or strings on untrusted binaries Markus Klyver (Apr 04)
- Re: Just a reminder to never run ldd or strings on untrusted binaries Matthew Fernandez (Apr 04)
- opusfile by Xiph.Org Foundation, DoS vulnerability (SIGFPE) Alex Sarum (Apr 04)
- CVE-2023-38709: Apache HTTP Server: HTTP response splitting Eric Covener (Apr 04)
- CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames Eric Covener (Apr 04)
- CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple modules Eric Covener (Apr 04)
- YSA-2024-01: YubiKey Manager Privilege Escalation Matthew Fernandez (Apr 04)
- Fwd: Node.js security update for all active release lines, April 9 2024 Rafael Gonzaga (Apr 04)
- <Possible follow-ups>
- Fwd: Node.js security update for all active release lines, April 9 2024 Rafael Gonzaga (Apr 10)
- minor problem on detect_sh.bin Lam Bruce (Apr 05)
- CVE-2024-24746: Apache NimBLE: Denial of service in NimBLE Bluetooth stack Szymon Janc (Apr 05)
- HTTP::Body before 1.23 for Perl is still vulnerable to CVE-2013-4407 Stig Palmquist (Apr 07)
- Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Eli Zaretskii (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Ihor Radchenko (Apr 08)
- Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Ihor Radchenko (Apr 10)
- Re: Re: Is CVE-2024-30203 bogus? (Emacs) Salvatore Bonaccorso (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 11)
- Re: Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 11)
- Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 11)
- Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 10)
- Re: Is CVE-2024-30203 bogus? (Emacs) Eli Zaretskii (Apr 08)
- OpenSSL Security Advisory Tomas Mraz (Apr 08)
- <Possible follow-ups>
- OpenSSL Security Advisory Tomas Mraz (May 16)
- PoC for fdroidserver AllowedAPKSigningKeys certificate pinning bypass Fay Stegerman (Apr 08)
- Re: PoC for fdroidserver AllowedAPKSigningKeys certificate pinning bypass Jeffrey Walton (Apr 21)
- Xen Security Advisory 454 v2 (CVE-2023-46842) - x86 HVM hypercalls may trigger Xen bug check Xen.org security team (Apr 09)
- CVE-2024-31860: Apache Zeppelin: Path traversal vulnerability Jongyoul Lee (Apr 09)
- CVE-2021-28656: Apache Zeppelin: CSRF vulnerability in the Credentials page Jongyoul Lee (Apr 09)
- CVE-2022-47894: Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE Jongyoul Lee (Apr 09)
- CVE-2024-31862: Apache Zeppelin: Denial of service with invalid notebook name Jongyoul Lee (Apr 09)
- CVE-2024-31863: Apache Zeppelin: Replacing other users notebook, bypassing any permissions Jongyoul Lee (Apr 09)
- CVE-2024-31864: Apache Zeppelin: Remote code execution by adding malicious JDBC connection string Jongyoul Lee (Apr 09)
- CVE-2024-31865: Apache Zeppelin: Cron arbitrary user impersonation with improper privileges Jongyoul Lee (Apr 09)
- CVE-2024-31866: Apache Zeppelin: Interpreter download command does not escape malicious code injection Jongyoul Lee (Apr 09)
- CVE-2024-31868: Apache Zeppelin: XSS vulnerability in the helium module Jongyoul Lee (Apr 09)
- CVE-2024-31867: Apache Zeppelin: LDAP search filter query Injection Vulnerability Jongyoul Lee (Apr 09)
- CWE-121, CWE-122: libfreeimage 3.40-3.18/19+ buffer overflow Michael Knap (Apr 09)
- <Possible follow-ups>
- Re: CWE-121, CWE-122: libfreeimage 3.40-3.18/19+ buffer overflow Tianyu Chen (Apr 11)
- Re: Re: CWE-121, CWE-122: libfreeimage 3.40-3.18/19+ buffer overflow Michael Knap (Apr 11)
- Re: Re: CWE-121, CWE-122: libfreeimage 3.40-3.18/19+ buffer overflow Michael Knap (Apr 11)
- Re: Re: CWE-121, CWE-122: libfreeimage 3.40-3.18/19+ buffer overflow Michael Knap (Apr 11)
- Xen Security Advisory 455 v4 (CVE-2024-31142) - x86: Incorrect logic for BTC/SRSO mitigations Xen.org security team (Apr 09)
- Xen Security Advisory 456 v2 (CVE-2024-2201) - x86: Native Branch History Injection Xen.org security team (Apr 09)
- CVE-2024-24576: Rust 1.77.1 and earlier did not properly escape arguments of batch files on Windows Pietro Albini (Apr 09)
- CVE-2024-31309: Apache Traffic Server: HTTP/2 CONTINUATION frames can be utilized for DoS attack Bryan Call (Apr 10)
- CVE-2024-31861: Apache Zeppelin: Code injection by Shell interpreter Jongyoul Lee (Apr 10)
- Analysis on who is Jia Tan, and who he could work for, reading xz.git Alejandro Colomar (Apr 10)
- Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Alejandro Colomar (Apr 10)
- Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Joey Hess (Apr 10)
- Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Alejandro Colomar (Apr 10)
- Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Vegard Nossum (Apr 10)
- Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Alejandro Colomar (Apr 10)
- Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Solar Designer (Apr 10)
- Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Jacob Bachmeyer (Apr 11)
- Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Alejandro Colomar (Apr 11)
- Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Jacob Bachmeyer (Apr 12)
- Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Alejandro Colomar (Apr 12)
- Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Jacob Bachmeyer (Apr 13)
- Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Jacob Bachmeyer (Apr 11)
- Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Chris Down (Apr 10)
- CERT VU#123335: Multiple Programming Languages Fail to Escape Arguments Properly in Microsoft Windows Alan Coopersmith (Apr 10)
- New Linux LPE via GSMIOC_SETCONF_DLCI? Dr. Christopher Kunz (Apr 10)
- Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Solar Designer (Apr 10)
- Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Solar Designer (Apr 16)
- Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Greg KH (Apr 16)
- Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Dr. Christopher Kunz (Apr 17)
- Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Solar Designer (Apr 16)
- Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Donald Buczek (Apr 11)
- Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Dr. Christopher Kunz (Apr 11)
- Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Solar Designer (Apr 11)
- Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Dr. Christopher Kunz (Apr 11)
- Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Kyle Zeng (Apr 11)
- Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Kyle Zeng (Apr 11)
- Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Solar Designer (Apr 11)
- Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Solar Designer (Apr 10)
- CVE-2024-1086: Linux: nf_tables: use-after-free vulnerability in the nft_verdict_init() function Solar Designer (Apr 10)
- Re: CVE-2024-1086: Linux: nf_tables: use-after-free vulnerability in the nft_verdict_init() function Jonathan Wright (Apr 10)
- [PATCH] package/skeleton-init-sysv: Set sticky bit on /dev/shm Ben Hutchings (Apr 11)
- Buildroot: incorrect permissions on /dev/shm Ben Hutchings (Apr 11)
- Re: Buildroot: incorrect permissions on /dev/shm Ben Hutchings (May 06)
- Re: [Buildroot] Buildroot: incorrect permissions on /dev/shm Yann E. MORIN (May 06)
- Re: Buildroot: incorrect permissions on /dev/shm Peter Korsgaard (May 07)
- Re: Buildroot: incorrect permissions on /dev/shm Ben Hutchings (May 06)
- Re: [Buildroot] [PATCH] package/skeleton-init-sysv: Set sticky bit on /dev/shm Yann E. MORIN (Apr 11)
- Re: [PATCH] package/skeleton-init-sysv: Set sticky bit on /dev/shm Peter Korsgaard (May 06)
- Buildroot: incorrect permissions on /dev/shm Ben Hutchings (Apr 11)
- CVE-2024-27309: Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode Colin McCabe (Apr 11)
- less(1) with LESSOPEN mishandles \n in paths Jakub Wilk (Apr 12)
- Re: less(1) with LESSOPEN mishandles \n in paths Sam James (Apr 12)
- Re: less(1) with LESSOPEN mishandles \n in paths Jakub Wilk (Apr 15)
- <Possible follow-ups>
- Re: less(1) with LESSOPEN mishandles \n in paths Tobias Powalowski (Apr 13)
- CVE-2024-31391: Apache Solr Operator: Solr-Operator liveness and readiness probes may leak basic auth credentials Jason Gerlowski (Apr 12)
- PHP security releases 8.1.28, 8.2.18, & 8.3.6 Alan Coopersmith (Apr 12)
- Linux: Disabling network namespaces Solar Designer (Apr 14)
- Re: Linux: Disabling network namespaces Demi Marie Obenour (Apr 15)
- Re: Linux: Disabling network namespaces Solar Designer (Apr 15)
- Re: Linux: Disabling network namespaces Simon McVittie (Apr 15)
- Re: Linux: Disabling network namespaces Jordan Glover (Apr 16)
- Re: Linux: Disabling network namespaces Mickaël Salaün (May 17)
- Re: Linux: Disabling network namespaces Solar Designer (Apr 15)
- Re: Linux: Disabling network namespaces Simon McVittie (Apr 15)
- Re: Linux: Disabling network namespaces Georgia Garcia (Apr 17)
- Re: Linux: Disabling network namespaces Solar Designer (Apr 19)
- Re: Linux: Disabling network namespaces Simon McVittie (Apr 19)
- Re: Linux: Disabling network namespaces Solar Designer (Apr 20)
- Re: Linux: Disabling network namespaces Jordan Glover (Apr 20)
- Re: Linux: Disabling network namespaces Simon McVittie (Apr 21)
- Re: Linux: Disabling network namespaces Priedhorsky, Reid (Apr 22)
- Re: Linux: Disabling network namespaces Solar Designer (Apr 21)
- Re: Linux: Disabling network namespaces Jordan Glover (Apr 22)
- Re: Linux: Disabling network namespaces Demi Marie Obenour (Apr 23)
- Re: Linux: Disabling network namespaces Simon McVittie (Apr 23)
- Re: Linux: Disabling network namespaces John Johansen (Apr 29)
- Re: Linux: Disabling network namespaces Simon McVittie (Apr 21)
- Re: Linux: Disabling network namespaces Solar Designer (Apr 21)
- Re: Linux: Disabling network namespaces nightmare.yeah27 (Apr 19)
- Re: Re: Linux: Disabling network namespaces John Johansen (Apr 29)
- Re: Linux: Disabling network namespaces Solar Designer (Apr 19)
- <Possible follow-ups>
- Re: Linux: Disabling network namespaces Philippe Cerfon (Apr 16)
- Re: Linux: Disabling network namespaces Demi Marie Obenour (Apr 16)
- Re: Linux: Disabling network namespaces Demi Marie Obenour (Apr 15)
- CVE-2024-31497: Secret Key Recovery of NIST P-521 Private Keys Through Biased ECDSA Nonces in PuTTY Client Fabian Bäumer (Apr 15)
- [kubernetes] CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin Rita Zhang (Apr 16)
- Make your own backdoor: CFLAGS code injection, Makefile injection, pkg-config Vegard Nossum (Apr 17)
- Re: Make your own backdoor: CFLAGS code injection, Makefile injection, pkg-config Jacob Bachmeyer (Apr 18)
- Terrapin vulnerability in Jenkins CLI client Daniel Beck (Apr 17)
- The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Adhemerval Zanella Netto (Apr 17)
- Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Solar Designer (Apr 18)
- Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Charles Fol (May 27)
- Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Florian Weimer (May 27)
- Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Erik Auerswald (May 27)
- Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Florian Weimer (May 27)
- Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Solar Designer (May 27)
- Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Charles Fol (May 27)
- Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Charles Fol (May 27)
- Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Florian Weimer (Apr 24)
- Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Solar Designer (Apr 18)
- CVE-2024-31869: Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used Ephraim Anierobi (Apr 17)
- libreswan: IKEv1 default AH/ESP responder can crash and restart David Morel (Apr 18)
- flatpak CVE-2024-32462 : Sandbox escape via RequestBackground portal and CWE-88 Simon McVittie (Apr 18)
- CVE-2024-29217: Apache Answer: XSS vulnerability when changing personal website Enxin Xie (Apr 19)
- CVE-2024-29733: Apache Airflow FTP Provider: FTP_TLS instance with unverified SSL context Elad Kalif (Apr 19)
- [Update] PoC for fdroidserver AllowedAPKSigningKeys certificate pinning bypass Fay Stegerman (Apr 20)
- Wordpress Responsive theme: arbitrary HTML content injection (CVE-2024-2848) Hanno Böck (Apr 22)
- CVE-2024-27347: Apache HugeGraph-Hubble: SSRF in Hubble connection page Imba Jin (Apr 22)
- CVE-2024-27348: Apache HugeGraph-Server: Command execution in gremlin Imba Jin (Apr 22)
- CVE-2024-27349: Apache HugeGraph-Server: Bypass whitelist in Auth mode Imba Jin (Apr 22)
- 83 bogus CVEs assigned to Robot Operating System (ROS) Mark Esler (Apr 23)
- Re: 83 bogus CVEs assigned to Robot Operating System (ROS) Yash Patel (Apr 23)
- Re: 83 bogus CVEs assigned to Robot Operating System (ROS) Mark Esler (Apr 23)
- Re: 83 bogus CVEs assigned to Robot Operating System (ROS) Yash Patel (Apr 23)
- Re: 83 bogus CVEs assigned to Robot Operating System (ROS) Mark Esler (Apr 23)
- Re: 83 bogus CVEs assigned to Robot Operating System (ROS) Yash Patel (Apr 23)
- PowerDNS Recursor Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor Peter van Dijk (Apr 24)
- CVE-2024-0582 - Linux kernel use-after-free vulnerability in io_uring, writeup and exploit strategy Oriol Castejón (Apr 24)
- Security Issues and Abandonment of PHP ECC library (mdanter/ecc, phpecc/phpecc) Paragon Initiative Enterprises Security Team (Apr 24)
- libksieve (used by kmail/kontact) sent password as username Jonas Schäfer (Apr 25)
- Re: libksieve (used by kmail/kontact) sent password as username Salvatore Bonaccorso (Apr 30)
- Update on the distro-backdoor-scanner effort Hank Leininger (Apr 26)
- Re: Update on the distro-backdoor-scanner effort Simon McVittie (Apr 26)
- Re: Update on the distro-backdoor-scanner effort Sam James (Apr 26)
- Re: Update on the distro-backdoor-scanner effort Jacob Bachmeyer (Apr 27)
- Re: Update on the distro-backdoor-scanner effort Morten Linderud (Apr 27)
- <Possible follow-ups>
- Re: Update on the distro-backdoor-scanner effort Hank Leininger (Apr 28)
- Re: Update on the distro-backdoor-scanner effort Jacob Bachmeyer (Apr 29)
- Re: Update on the distro-backdoor-scanner effort Vegard Nossum (Apr 29)
- Re: Update on the distro-backdoor-scanner effort Gabriel Ravier (Apr 29)
- Re: Update on the distro-backdoor-scanner effort Jacob Bachmeyer (Apr 30)
- Re: Update on the distro-backdoor-scanner effort Hank Leininger (Apr 28)
- Re: Update on the distro-backdoor-scanner effort Simon McVittie (Apr 26)
- Suspicious hook-loading mechanism in hyprland Sam James (Apr 28)
- Telegram Web app XSS / Session Hijacking 1-click Pedro Batista (Apr 28)
- Re: Telegram Web app XSS / Session Hijacking 1-click Pedro Batista (Apr 30)
- CVE-2024-27322: Deserialization vulnerability in R before 4.4.0 Alan Coopersmith (Apr 29)
- Re: New SMTP smuggling attack Mark Esler (Apr 30)
- Re: New SMTP smuggling attack nightmare.yeah27 (Apr 30)
- Re: New SMTP smuggling attack Erik Auerswald (Apr 30)
- Re: New SMTP smuggling attack Steffen Nurpmeso (Apr 30)
- Re: New SMTP smuggling attack Steffen Nurpmeso (May 02)
- Re: New SMTP smuggling attack Solar Designer (May 02)
- Re: New SMTP smuggling attack Mark Esler (May 09)
- Re: New SMTP smuggling attack Erik Auerswald (May 09)
- Re: New SMTP smuggling attack Steffen Nurpmeso (May 02)
- CVE-2024-32114: Apache ActiveMQ: Jolokia and REST API were not secured with default configuration Jean-Baptiste Onofré (May 01)
- Re: CVEs issued by the Linux kernel CNA Alan Coopersmith (May 01)
- Re: Re: CVEs issued by the Linux kernel CNA Greg KH (May 02)
- CVE-2024-32638: Apache APISIX: Forward-Auth Request Smuggling YuanSheng Wang (May 02)
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (May 02)
- <Possible follow-ups>
- Multiple vulnerabilities in Jenkins plugins Kevin Guerroudj (May 24)
- CVE-2024-30251: DoS in aiohttp Sam Bull (May 02)
- CVE-2023-35701: Apache Hive: Arbitrary command execution via JDBC driver Stamatis Zampetakis (May 03)
- Fwd: uriparser 0.9.8 released, includes security fixes Sebastian Pipping (May 06)
- Re: Fwd: uriparser 0.9.8 released, includes security fixes Solar Designer (May 06)
- The GNU C Library security advisories update for 2024-05-06 Carlos O'Donell (May 06)
- CVE-2023-49606, CVE-2023-40533: memory safety vulnerabilities in tinyproxy <=1.11.1 Valtteri Vuorikoski (May 07)
- CVE-2024-28148: Apache Superset: Incorrect datasource authorization on explore REST API Daniel Gaspar (May 07)
- HNS-2024-07 - HN Security Advisory - Multiple vulnerabilities in RIOT OS Marco Ivaldi (May 07)
- GLib (2.26.0+): GDBus signal subscriptions for well-known names are vulnerable to unicast spoofing Philip Withnall (May 07)
- CVE-2024-26925: Linux: nf_tables: locking issue in the nf_tables_abort() function HexRabbit Chen (May 07)
- Re: CVE-2024-26925: Linux: nf_tables: locking issue in the nf_tables_abort() function Salvatore Bonaccorso (May 08)
- Xen Security Advisory 456 v3 (CVE-2024-2201) - x86: Native Branch History Injection Xen.org security team (May 07)
- Xen Security Advisory 457 v1 - Linux/xen-netback: Memory leak due to missing cleanup function Xen.org security team (May 07)
- Xen Security Advisory 457 v2 - Linux/xen-netfront: Memory leak due to missing cleanup function Xen.org security team (May 08)
- [security] Go 1.22.3 and Go 1.21.10 are released Alan Coopersmith (May 08)
- Xen Security Advisory 457 v3 (CVE-2024-27393) - Linux/xen-netfront: Memory leak due to missing cleanup function Xen.org security team (May 08)
- CVE-2024-32113: Apache OFBiz: Path traversal leading to RCE Jacques Le Roux (May 09)
- CVE-2024-26579: Apache Inlong JDBC Vulnerability Charles Zhang (May 09)
- [kubernetes] CVE-2024-3744: azure-file-csi-driver discloses service account tokens in logs Rita Zhang (May 09)
- CVE-2024-34365: Apache Karaf Cave: Cave SSRF and arbitrary file access Arnout Engelen (May 09)
- [vim-security] buffer-overflow in xxd with colored output < v9.1.0404 Christian Brabandt (May 10)
- Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Corey Lopez (May 11)
- Re: Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Solar Designer (May 11)
- Re: Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Jacob Bachmeyer (May 13)
- Re: lsof "can't stat() fuse.${name} filesystem /run/user/1000/${dir}" Simon McVittie (May 11)
- Re: Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Jacob Bachmeyer (May 13)
- Re: Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Solar Designer (May 11)
- PowerDNS Security Advisory 2024-03: Transfer requests received over DoH can lead to a denial of service in DNSdist Remi Gacogne (May 13)
- CVE-2024-32077: Apache Airflow: XSS vulnerability in Task Instance Log/Log Details Ephraim Anierobi (May 14)
- git: 5 vulnerabilities fixed Johannes Schindelin (May 14)
- CVE-2024-21823: Intel DSA and Intel IAA advisory Alan Coopersmith (May 15)
- OpenSSL Security Advisory [corrected CVE id] Tomas Mraz (May 16)
- CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package Andrea Intilangelo (May 16)
- Article: State of Sandboxing in Linux Ali Polatel (May 20)
- Re: Article: State of Sandboxing in Linux Solar Designer (May 20)
- WebKitGTK and WPE WebKit Security Advisory WSA-2024-0003 Adrian Perez de Castro (May 21)
- asterisk security releases 18.23.1, 20.8.1, & 21.3.1 Alan Coopersmith (May 21)
- Intel CPU Hardware Features and Behaviors Related to Speculative Execution Alan Coopersmith (May 23)
- gnome-remote-desktop: D-Bus system service in GNOME release 46 local information leaks (CVE-2024-5148) Matthias Gerstner (May 24)
- path traversal in tar extract in intel cve-bin-tool houjingyi (May 26)
- List linux CVEs for a given stable release? Dominique Martinet (May 29)
- Re: List linux CVEs for a given stable release? Greg Kroah-Hartman (May 29)
- Re: List linux CVEs for a given stable release? Dominique Martinet (May 30)
- Re: List linux CVEs for a given stable release? Greg Kroah-Hartman (May 30)
- Re: List linux CVEs for a given stable release? Dominique Martinet (May 30)
- Re: List linux CVEs for a given stable release? Greg Kroah-Hartman (May 29)
- Security vulnerability in fprintd Yaron Shahrabani (May 30)
- nginx HTTP/3 security issues/fixes Solar Designer (May 30)
- CVE-2024-36104: Apache OFBiz: Path traversal leading to a RCE Jacques Le Roux (Jun 03)
- Go 1.22.4 and Go 1.21.11 released with 2 security fixes (CVE-2024-24789, CVE-2024-24790) Alan Coopersmith (Jun 04)
- libarchive 3.7.4 released with 2 security fixes Alan Coopersmith (Jun 04)
- Re: libarchive 3.7.4 released with 2 security fixes Tavis Ormandy (Jun 05)
- [SBA-ADV-20240202-01] CVE-2024-5657: CraftCMS Plugin - Two-Factor Authentication 3.3.1 to 3.3.3 - Password Hash Disclosure SBA Research Security Advisory (Jun 06)
- [SBA-ADV-20240202-02] CVE-2024-5658: CraftCMS Plugin - Two-Factor Authentication through 3.3.3 - TOTP Token Stays Valid After Use SBA Research Security Advisory (Jun 06)
- PHP security releases 8.3.8, 8.2.20, and 8.1.29 Alan Coopersmith (Jun 06)
- vte 0.76.3 released with fix for CVE-2024-37535 Alan Coopersmith (Jun 09)
- Re: vte 0.76.3 released with fix for CVE-2024-37535 Solar Designer (Jun 09)