oss-sec: by thread
358 messages, starting Jan 01 24 and ending Mar 31 24
- Re: CVE-2023-51766: Exim: SMTP smuggling halfdog (Jan 01)
- Re: CVE-2023-51766: Exim: SMTP smuggling Demi Marie Obenour (Jan 01)
- Re: CVE-2023-51766: Exim: SMTP smuggling Jeffrey Walton (Jan 01)
- Re: CVE-2023-51766: Exim: SMTP smuggling Demi Marie Obenour (Jan 01)
- CVE-2023-51784: Apache InLong: Remote Code Execution vulnerability in Apache InLong Manager Charles Zhang (Jan 03)
- CVE-2023-51785: Apache InLong: Arbitrary File Read Vulnerability in Apache InLong Manager Charles Zhang (Jan 03)
- CVE-2023-47804: Apache OpenOffice: Macro URL arbitrary script execution Arrigo Marchiori (Jan 03)
- CVE-2023-1183: Apache OpenOffice: Arbitrary file write in Apache OpenOffice Base Arrigo Marchiori (Jan 03)
- CVE-2022-43680: Apache OpenOffice: "Use after free" fixed in libexpat Arrigo Marchiori (Jan 03)
- CVE-2012-5639: Apache OpenOffice: Loading internal / external resources without warning Arrigo Marchiori (Jan 03)
- Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Matthias Gerstner (Jan 04)
- Re: Security vulnerability in Debian's cpio 2.13 Mark Esler (Jan 05)
- CVE-2023-51441: Apache Axis 1.x (EOL) may allow SSRF when untrusted input is passed to the service admin HTTP API Arnout Engelen (Jan 05)
- Re: TTY pushback vulnerabilities / TIOCSTI Jakub Wilk (Jan 07)
- Re: TTY pushback vulnerabilities / TIOCSTI Eddie Chapman (Jan 08)
- Re: TTY pushback vulnerabilities / TIOCSTI Jakub Wilk (Jan 16)
- OpenSSL Security Advisory Tomas Mraz (Jan 09)
- <Possible follow-ups>
- OpenSSL Security Advisory Tomas Mraz (Jan 15)
- OpenSSL Security Advisory Matt Caswell (Jan 25)
- Re: OpenSSL Security Advisory sjw (Jan 25)
- CVE-2023-49619: Apache Answer: Repeated submissions using scripts resulted in an abnormal number of collections for questions. Enxin Xie (Jan 10)
- CVE-2024-22368: Spreadsheet::ParseXLSX for Perl is vulnerable to DoS via out-of-memory bugs Stig Palmquist (Jan 10)
- CVE-2023-6040: Linux Kernel netfilter out-of-bounds access Cengiz Can (Jan 11)
- CVE-2023-46749: Apache Shiro before 1.130 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting Brian Demers (Jan 12)
- CVE-2023-50290: Apache Solr: Host environment variables are published via the Metrics API Houston Putman (Jan 12)
- CVE-2023-46226: Apache IoTDB: Remote Code Execution (RCE) risk via the UDF Haonan Hou (Jan 15)
- CVE-2023-4001: a password bypass vulnerability in the downstream GRUB boot manager Maxim Suhanov (Jan 15)
- CVE-2023-6395 Mock: Privilege escalation for users that can access mock configuration Marco Benatto (Jan 16)
- CVE-2023-45229 and others: Multiple vulnerabilities in EDK II UEFI stack (PixieFAIL) Valtteri Vuorikoski (Jan 16)
- Mock, Snap, LXC expose(d) chroot, container trees with unsafe permissions and contents to host users, pose risk to host Solar Designer (Jan 16)
- Fwd: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.11 and Xwayland prior to 23.2.4 Jose Exposito Quintana (Jan 18)
- GNU coreutils v9.4; v9.3; v9.2 split heap buffer overflow vulnerability Valentin Metz (Jan 18)
- Re: GNU coreutils v9.4; v9.3; v9.2 split heap buffer overflow vulnerability Valentin Metz (Jan 19)
- pam: pam_namespace misses O_DIRECTORY flag in `protect_dir()` (CVE-2024-22365) Matthias Gerstner (Jan 18)
- CVE-2024-23525: Spreadsheet::ParseXLSX for Perl is vulnerable to XXE attacks Stig Palmquist (Jan 18)
- CVE-2024-21733: Apache Tomcat: Leaking of unrelated request bodies in default error page Mark Thomas (Jan 19)
- GnuTLS 3.8.3 released, fixes CVE-2024-0553 & CVE-2024-0567 Alan Coopersmith (Jan 19)
- Pillow 10.2.0 released, fixes CVE-2023-50447 Alan Coopersmith (Jan 20)
- Postfix updated SMTP smuggling countermeasure Solar Designer (Jan 22)
- Re: Postfix updated SMTP smuggling countermeasure Wietse Venema (Jan 23)
- Re: Re: Postfix updated SMTP smuggling countermeasure Alexander Burke (Jan 23)
- Re: Postfix updated SMTP smuggling countermeasure Wietse Venema (Jan 23)
- Xen Security Advisory 448 v2 (CVE-2023-46838) - Linux: netback processing of zero-length transmit fragment Xen.org security team (Jan 22)
- Re: announcing sponsorship; distros list statistics for 2023 Solar Designer (Jan 22)
- darkhttpd: timing attack and local leak of HTTP basic auth credentials Matthias Gerstner (Jan 23)
- Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Hanno Böck (Jan 23)
- Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Johannes Segitz (Jan 24)
- Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials nightmare . yeah27 (Jan 24)
- Re: Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Anton Luka Šijanec (Jan 24)
- systemd and other system services (in)compatibility with Linux procfs hidepid (was: darkhttpd: timing attack and local leak of HTTP basic auth credentials) Solar Designer (Feb 02)
- Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Johannes Segitz (Jan 24)
- Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Matthias Gerstner (Jan 25)
- Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Hanno Böck (Jan 23)
- CVE-2023-49657: Apache Superset: Stored XSS in Dashboard Title and Chart Title Daniel Gaspar (Jan 23)
- Re: CVE-2023-49657: Apache Superset: Stored XSS in Dashboard Title and Chart Title Christian Fischer (Jan 23)
- CVE-2023-51702: Apache Airflow CNCF Kubernetes provider, Apache Airflow: Kubernetes configuration file saved without encryption in the Metadata and logged as plain text in the Triggerer service Ephraim Anierobi (Jan 24)
- CVE-2023-50943: Apache Airflow: Potential pickle deserialization vulnerability in XComs Ephraim Anierobi (Jan 24)
- CVE-2023-50944: Apache Airflow: Bypass permission verification to read code of other dags Ephraim Anierobi (Jan 24)
- Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck (Jan 24)
- Re: Fwd: X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17 Alan Coopersmith (Jan 24)
- Re: CVE-2023-45853: overflows in MiniZip in zlib through 1.3 Alan Coopersmith (Jan 24)
- shim 15.8 released with 6 CVE fixes Alan Coopersmith (Jan 26)
- Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Alan Coopersmith (Jan 26)
- Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Matthew Fernandez (Jan 26)
- Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Christian Brabandt (Jan 28)
- Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Amos Jeffries (Feb 01)
- Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Matthew Fernandez (Feb 01)
- Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Christian Brabandt (Feb 01)
- Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Matthew Fernandez (Jan 26)
- CVE-2023-29055: Apache Kylin: Insufficiently protected credentials in config file Li Yang (Jan 29)
- Xen Security Advisory 449 v2 (CVE-2023-46839) - pci: phantom functions assigned to incorrect contexts Xen.org security team (Jan 30)
- Xen Security Advisory 450 v2 (CVE-2023-46840) - VT-d: Failure to quarantine devices in !HVM builds Xen.org security team (Jan 30)
- FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Armin Kuster (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Demi Marie Obenour (Jan 31)
- Re: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Roxana Bradescu (Feb 02)
- Re: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Demi Marie Obenour (Feb 02)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Thadeu Lima de Souza Cascardo (Jan 31)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Armin Kuster (Feb 02)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH (Jan 30)
- Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer (Jan 30)
- CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog() Qualys Security Advisory (Jan 30)
- Re: CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog() Siddhesh Poyarekar (Jan 30)
- Out-of-bounds read & write in the glibc's qsort() Qualys Security Advisory (Jan 30)
- Re: Out-of-bounds read & write in the glibc's qsort() Solar Designer (Feb 04)
- Re: Out-of-bounds read & write in the glibc's qsort() Alexander E. Patrakov (Feb 05)
- Re: Out-of-bounds read & write in the glibc's qsort() Alexander E. Patrakov (Feb 05)
- Re: Out-of-bounds read & write in the glibc's qsort() Alexander E. Patrakov (Feb 05)
- Re: Out-of-bounds read & write in the glibc's qsort() Qualys Security Advisory (Feb 05)
- Re: Out-of-bounds read & write in the glibc's qsort() Solar Designer (Feb 05)
- Re: Out-of-bounds read & write in the glibc's qsort() Adhemerval Zanella Netto (Feb 05)
- Re: Out-of-bounds read & write in the glibc's qsort() Alexander E. Patrakov (Feb 05)
- Re: Out-of-bounds read & write in the glibc's qsort() Solar Designer (Feb 04)
- [SECURITY ADVISORY] curl: CVE-2024-0853 : OCSP verification bypass with TLS session reuse Daniel Stenberg (Jan 30)
- CVE-2023-44313: Apache ServiceComb Service-Center: attacker can perform SSRF through the frontend API bismy (Jan 31)
- CVE-2023-44312: Apache ServiceComb Service-Center: attacker can query all environment variables of the service-center server bismy (Jan 31)
- runc: CVE-2024-21626: high severity container breakout attack Aleksa Sarai (Jan 31)
- Re: runc: CVE-2024-21626: high severity container breakout attack Solar Designer (Jan 31)
- Re: Re: runc: CVE-2024-21626: high severity container breakout attack Aleksa Sarai (Feb 02)
- Re: runc: CVE-2024-21626: high severity container breakout attack Solar Designer (Jan 31)
- Re: TTY handling when executing code in different lower-privileged context (su, virt containers) Jakub Wilk (Jan 31)
- Python standard library defaults to insecure TLS for mail protocols Hanno Böck (Feb 01)
- Re: Python standard library defaults to insecure TLS for mail protocols nightmare . yeah27 (Feb 01)
- Re: Re: Python standard library defaults to insecure TLS for mail protocols Hanno Böck (Feb 01)
- Re: Python standard library defaults to insecure TLS for mail protocols Steffen Nurpmeso (Feb 02)
- Re: Python standard library defaults to insecure TLS for mail protocols Kurt H Maier (Feb 02)
- Re: Python standard library defaults to insecure TLS for mail protocols Steffen Nurpmeso (Feb 02)
- Re: Python standard library defaults to insecure TLS for mail protocols nightmare . yeah27 (Feb 02)
- Re: Re: Python standard library defaults to insecure TLS for mail protocols Daniel Kahn Gillmor (Feb 02)
- Re: Re: Python standard library defaults to insecure TLS for mail protocols Hanno Böck (Feb 01)
- Re: Python standard library defaults to insecure TLS for mail protocols Alex Gaynor (Feb 01)
- Re: Python standard library defaults to insecure TLS for mail protocols Jeremy Stanley (Feb 01)
- Re: Python standard library defaults to insecure TLS for mail protocols Stuart D Gathman (Feb 02)
- Re: Python standard library defaults to insecure TLS for mail protocols nightmare . yeah27 (Feb 01)
- CVE-2024-23832: Mastodon: Remote user impersonation and takeover Valtteri Vuorikoski (Feb 02)
- WebKitGTK and WPE WebKit Security Advisory WSA-2024-0001 Adrian Perez de Castro (Feb 05)
- CVE-2024-23673: Apache Sling Servlets Resolver: Malicious code execution via path traversal Carsten Ziegeler (Feb 06)
- Django CVE-2024-24680: Potential denial-of-service in intcomma template filter Natalia Bidart (Feb 06)
- CVE-2024-1048: grub2-set-bootflag may be abused to fill up /boot, bypass RLIMIT_NPROC Solar Designer (Feb 06)
- CVE-2023-51437: Apache Pulsar: Timing attack in SASL token signature verification Michael Marshall (Feb 07)
- CVE-2023-39196: Apache Ozone: Missing mutual TLS authentication in one of the service internal Ozone Storage Container Manager endpoints István Fajth (Feb 07)
- The GNU C Library has been authorized by the CVE Program as a CVE Numbering Authority (CNA) Carlos O'Donell (Feb 07)
- CVE-2024-23452: Apache bRPC: HTTP request smuggling vulnerability Wang Weibing (Feb 08)
- libuv 1.48.0 released, fixes CVE-2024-24806 Alan Coopersmith (Feb 08)
- Re: libuv 1.48.0 released, fixes CVE-2024-24806 Salvatore Bonaccorso (Feb 11)
- [ADVISORY] CVE-2023-3966: Open vSwitch: Invalid memory access in Geneve with HW offload. Ilya Maximets (Feb 08)
- [ADVISORY] CVE-2023-5366: Open vSwitch: OpenFlow match on Neighbor Discovery Target may be ignored Ilya Maximets (Feb 08)
- CVE-2023-50386: Apache Solr: Backup/Restore APIs allow for deployment of executables in malicious ConfigSets Houston Putman (Feb 09)
- CVE-2023-50298: Apache Solr: Solr can expose ZooKeeper credentials via Streaming Expressions Houston Putman (Feb 09)
- CVE-2023-50292: Apache Solr: Solr Schema Designer blindly "trusts" all configsets, possibly leading to RCE by unauthenticated users Houston Putman (Feb 09)
- CVE-2023-50291: Apache Solr: System Property redaction logic inconsistency can lead to leaked passwords Houston Putman (Feb 09)
- ISC has disclosed six vulnerabilities in BIND 9 (CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50387, CVE-2023-50868) Michał Kępień (Feb 13)
- Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Yorgos Thessalonikefs (Feb 13)
- Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Alan Coopersmith (Feb 13)
- Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Solar Designer (Feb 13)
- Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Solar Designer (Feb 13)
- Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Alan Coopersmith (Feb 16)
- Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Solar Designer (Feb 16)
- Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Solar Designer (Feb 13)
- Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Alan Coopersmith (Feb 13)
- PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor Otto Moerbeek (Feb 14)
- CVE-2024-23952: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb (version range fix for CVE-2023-46104) Daniel Gaspar (Feb 14)
- Secure Boot bypass in EDK2 based Virtual Machine firmware Mate Kukri (Feb 14)
- Re: Secure Boot bypass in EDK2 based Virtual Machine firmware Yves-Alexis Perez (Feb 14)
- Re: Secure Boot bypass in EDK2 based Virtual Machine firmware Mate Kukri (Feb 14)
- Re: Secure Boot bypass in EDK2 based Virtual Machine firmware Yves-Alexis Perez (Feb 14)
- Re: Secure Boot bypass in EDK2 based Virtual Machine firmware Mate Kukri (Feb 14)
- Re: Secure Boot bypass in EDK2 based Virtual Machine firmware Mate Kukri (Feb 14)
- Re: Secure Boot bypass in EDK2 based Virtual Machine firmware Yves-Alexis Perez (Feb 14)
- CVE-2024-23807: Apache Xerces C++: Use-after-free on external DTD scan Arnout Engelen (Feb 16)
- CVE-2024-25710: Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file Gary D. Gregory (Feb 19)
- CVE-2024-26308: Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file Gary D. Gregory (Feb 19)
- CVE-2024-22369: Apache Camel: Camel-SQL: Unsafe Deserialization from JDBCAggregationRepository Andrea Cosentino (Feb 19)
- CVE-2024-23114: Apache Camel: Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository Andrea Cosentino (Feb 19)
- CVE-2023-49250: Apache DolphinScheduler: Insecure TLS TrustManager used in HttpUtil Jiajie Zhong (Feb 20)
- CVE-2023-51770: Apache DolphinScheduler: Arbitrary File Read Vulnerability Jiajie Zhong (Feb 20)
- CVE-2023-50270: Apache DolphinScheduler: Session do not expire after password change Jiajie Zhong (Feb 20)
- CVE-2023-49109: Remote Code Execution in Apache Dolphinscheduler Jiajie Zhong (Feb 20)
- CVE-2024-25141: Apache Airflow Mongo Provider: Certificate validation isn't respected even if SSL is enabled for apache-airflow-providers-mongo Elad Kalif (Feb 20)
- CVEs issued by the Linux kernel CNA Alan Coopersmith (Feb 20)
- Re: CVEs issued by the Linux kernel CNA Marcus Meissner (Feb 21)
- Re: CVEs issued by the Linux kernel CNA Solar Designer (Feb 22)
- Re: CVEs issued by the Linux kernel CNA Greg KH (Feb 22)
- Re: CVEs issued by the Linux kernel CNA eduardo vela (Feb 24)
- Re: CVEs issued by the Linux kernel CNA Greg KH (Feb 22)
- Re: CVEs issued by the Linux kernel CNA Vegard Nossum (Mar 13)
- CVE-2024-22393: Apache Answer: Pixel Flood Attack by uploading the large pixel file Enxin Xie (Feb 22)
- CVE-2024-23349: Apache Answer: XSS vulnerability when submitting summary Enxin Xie (Feb 22)
- CVE-2024-26578: Apache Answer: Repeated submission at registration created duplicate users with the same name Enxin Xie (Feb 22)
- c-ares CVE-2024-25629 Brad House (Feb 23)
- CVE-2024-23320: Apache DolphinScheduler: Arbitrary js execution as root for authenticated users Jiajie Zhong (Feb 23)
- CVE-2024-22371: Apache Camel issue on ExchangeCreatedEvent Otavio Rodolfo Piske (Feb 23)
- CVE-2023-51518: Apache James server: Privilege escalation via JMX pre-authentication deserialisation Benoit Tellier (Feb 26)
- CVE-2023-50379: Apache Ambari: authenticated users could perform command injection to perform RCE Brahma Reddy Battula (Feb 26)
- Xen Security Advisory 451 v2 (CVE-2023-46841) - x86: shadow stack vs exceptions from emulation stubs Xen.org security team (Feb 27)
- CVE-2024-27905: Apache Aurora: padding oracle can allow construction an authentication cookie Arnout Engelen (Feb 27)
- CVE-2023-51747: SMTP smuggling in Apache James Benoit Tellier (Feb 27)
- CVE-2024-21742: Apache James Mime4J: Mime4J DOM header injection Benoit Tellier (Feb 27)
- CVE-2023-50380: Apache Ambari: authenticated users could perform XXE to read arbitrary files on the server Brahma Reddy Battula (Feb 27)
- Performance Co-Pilot (pcp): Unsafe use of Directories in /var/lib/pcp and /var/log/pcp breaks pcp Service User Isolation (CVE-2023-6917) Matthias Gerstner (Feb 28)
- CVE-2024-22857: Heap Based Buffer overflow in zlog library Ali Raza Mumtaz (Feb 28)
- Re: CVE-2024-22857: Heap Based Buffer overflow in zlog library Solar Designer (Feb 28)
- Re: CVE-2024-22857: Heap Based Buffer overflow in zlog library Ali Raza Mumtaz (Feb 29)
- Re: CVE-2024-22857: Heap Based Buffer overflow in zlog library Solar Designer (Feb 28)
- CVE-2024-27315: Apache Superset: Improper error handling on alerts Daniel Gaspar (Feb 28)
- CVE-2024-24773: Apache Superset: Improper validation of SQL statements allows for unauthorized access to data Daniel Gaspar (Feb 28)
- CVE-2024-24772: Apache Superset: Improper Neutralisation of custom SQL on embedded context Daniel Gaspar (Feb 28)
- CVE-2024-24779: Apache Superset: Improper data authorization when creating a new dataset Daniel Gaspar (Feb 28)
- CVE-2024-26016: Apache Superset: Improper authorization validation on dashboards and charts import Daniel Gaspar (Feb 28)
- CVE-2024-23946: Apache OFBiz: Path traversal or file inclusion Jacques Le Roux (Feb 28)
- CVE-2024-25065: Apache OFBiz: Path traversal allowing authentication bypass. Jacques Le Roux (Feb 28)
- CVE-2024-27906: Apache Airflow: Dag Code and Import Error Permissions Ignored Ephraim Anierobi (Feb 29)
- CVE-2024-26280: Apache Airflow: Overly broad default permissions for Viewer/Ops (audit logs) Ephraim Anierobi (Mar 01)
- CVE-2024-27140: Apache Archiva: reflected XSS Arnout Engelen (Mar 01)
- CVE-2024-27139: Apache Archiva: incorrect authentication potentially leading to account takeover Arnout Engelen (Mar 01)
- CVE-2024-27138: Apache Archiva: disabling user registration is not effective Arnout Engelen (Mar 01)
- CVE-2023-50378: Apache Ambari: Various XSS problems Brahma Reddy Battula (Mar 01)
- Django: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words() Mariusz Felisiak (Mar 04)
- dnf5daemon-server: Local root Exploit and Local Denial-of-Service in dnf5 D-Bus Components (CVE-2024-1929, CVE-2024-1930) Matthias Gerstner (Mar 04)
- HNS-2024-05 - HN Security Advisory - Multiple vulnerabilities in RT-Thread RTOS Marco Ivaldi (Mar 05)
- CVE-2024-26580: Apache InLong: Logged-in user could exploit an arbitrary file read vulnerability Charles Zhang (Mar 06)
- CVE-2023-50740: Apache Linkis DataSource: DataSource module Oracle SQL Database Password Logged Heping Wang (Mar 06)
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Mar 06)
- help wanted - bring more issues in here Solar Designer (Mar 07)
- Re: help wanted - bring more issues in here Katherine Mcmillan (Mar 07)
- Re: help wanted - bring more issues in here Alan Coopersmith (Mar 07)
- Re: help wanted - bring more issues in here Solar Designer (Mar 08)
- Re: help wanted - bring more issues in here nightmare . yeah27 (Mar 09)
- Re: help wanted - bring more issues in here Solar Designer (Mar 09)
- Re: help wanted - bring more issues in here Bernd Zeimetz (Mar 09)
- Re: help wanted - bring more issues in here Solar Designer (Mar 08)
- Re: help wanted - bring more issues in here Miguel Suarez (Mar 09)
- Re: help wanted - bring more issues in here Solar Designer (Mar 09)
- OSSN-0093: Unresolved Vulnerability in OpenStack Murano Jeremy Stanley (Mar 07)
- OSSN-0093: [OpenStack Murano] Unsafe Environment Handling in MuranoPL Jeremy Stanley (Mar 14)
- Vulnerabilities in FontTools & FontForge Alan Coopersmith (Mar 08)
- Re: Vulnerabilities in FontTools & FontForge Hanno Böck (Mar 08)
- 5 CVEs fixed in Go 1.22.1 and Go 1.21.8, 1 CVE fixed in google.golang.org/protobuf Alan Coopersmith (Mar 08)
- CVE-2023-41313: Apache Doris: Timing Attack weakness Mingyu Chen (Mar 10)
- NodeJS v{18.x,20.x,21.x} February Security Updates suarezmiguelc (Mar 11)
- Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Valtteri Vuorikoski (Mar 11)
- Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Demi Marie Obenour (Mar 12)
- Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday David W. Hodgins (Mar 12)
- Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Valtteri Vuorikoski (Mar 12)
- Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Steffen Nurpmeso (Mar 12)
- Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Armin Kuster (Mar 12)
- Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Valtteri Vuorikoski (Mar 12)
- Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Demi Marie Obenour (Mar 12)
- CVE-2023-51786: Lustre: incorrect access control resulting in potential data compromise or privilege escalation daniel (Mar 12)
- [ADVISORY] CVE-2024-2182: Open Virtual Network: Insufficient validation of incoming BFD packets. Dumitru Ceara (Mar 12)
- CVE-2022-34321: Apache Pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint Lari Hotari (Mar 12)
- CVE-2024-27135: Apache Pulsar: Improper Input Validation in Pulsar Function Worker allows Remote Code Execution Lari Hotari (Mar 12)
- CVE-2024-27317: Apache Pulsar: Pulsar Functions Worker's Archive Extraction Vulnerability Allows Unauthorized File Modification Lari Hotari (Mar 12)
- CVE-2024-27894: Apache Pulsar: Pulsar Functions Worker Allows Unauthorized File Access and Unauthorized HTTP/HTTPS Proxying Lari Hotari (Mar 12)
- CVE-2024-28098: Apache Pulsar: Improper Authorization For Topic-Level Policy Management Lari Hotari (Mar 12)
- Xen Security Advisory 452 v1 (CVE-2023-28746) - x86: Register File Data Sampling Xen.org security team (Mar 12)
- Xen Security Advisory 453 v1 (CVE-2024-2193) - GhostRace: Speculative Race Conditions Xen.org security team (Mar 12)
- Public Review Period for CVE rules Alan Coopersmith (Mar 12)
- Re: CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request Christian Fischer (Mar 13)
- CVE-2024-24549: Apache Tomcat: HTTP/2 header handling DoS Mark Thomas (Mar 13)
- CVE-2024-23672: Apache Tomcat: WebSocket DoS with incomplete closing handshake Mark Thomas (Mar 13)
- CVE-2024-28746: Apache Airflow: Ignored Airflow Permissions Ephraim Anierobi (Mar 13)
- CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling Andor Molnar (Mar 14)
- CVE-2024-28752: Apache CXF SSRF Vulnerability using the Aegis databinding Colm O hEigeartaigh (Mar 14)
- Expat 2.6.2 released, includes security fixes Alan Coopersmith (Mar 15)
- CVE-2024-24683: Apache Hop Engine: ID isn't escaped when generating HTML Hans Van Akelyen (Mar 18)
- 5 Linux kernel ksmbd vulnerabilities daniel (Mar 18)
- Re: 5 Linux kernel ksmbd vulnerabilities Alexander E. Patrakov (Mar 18)
- Re: 5 Linux kernel ksmbd vulnerabilities Hauke Mehrtens (Mar 20)
- Re: 5 Linux kernel ksmbd vulnerabilities Alexander E. Patrakov (Mar 18)
- CVE-2024-27439: Apache Wicket: Possible bypass of CSRF protection Emond Papegaaij (Mar 19)
- Vulnerability in Jenkins Daniel Beck (Mar 20)
- CVE-2024-29133: Apache Commons Configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree Gary D. Gregory (Mar 20)
- CVE-2024-29131: Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator() Gary D. Gregory (Mar 20)
- Security fixes in Python 3.10.14, 3.9.19, and 3.8.19 (CVE-2023-6597 & CVE-2024-0450) Alan Coopersmith (Mar 20)
- CVE-2024-27438: Apache Doris: Downloading arbitrary remote jar files resulting in remote command execution Mingyu Chen (Mar 21)
- CVE-2024-26307: Apache Doris: Possible race condition Mingyu Chen (Mar 21)
- GnuTLS 3.8.4 released, fixes CVE-2024-28834 & CVE-2024-28835 Alan Coopersmith (Mar 22)
- Re: GnuTLS 3.8.4 released, fixes CVE-2024-28834 & CVE-2024-28835 Alex Gaynor (Mar 22)
- Firefox 124.0.1 fixes two critical JavaScript engine vulnerabilities Solar Designer (Mar 23)
- GNU emacs 29.3 released to fix security issues Alan Coopersmith (Mar 24)
- Fwd: GNU emacs 29.3 released to fix security issues Alan Coopersmith (Mar 24)
- Re: [External] : [oss-security] Fwd: GNU emacs 29.3 released to fix security issues Alan Coopersmith (Mar 24)
- Re: GNU emacs 29.3 released to fix security issues Salvatore Bonaccorso (Mar 25)
- Re: GNU emacs 29.3 released to fix security issues Salvatore Bonaccorso (Mar 25)
- Fwd: GNU emacs 29.3 released to fix security issues Alan Coopersmith (Mar 24)
- WebKitGTK and WPE WebKit Security Advisory WSA-2024-0002 Adrian Perez de Castro (Mar 25)
- CVE-2024-29735: Apache Airflow: Potentially harmful permission changing by log task handler Jarek Potiuk (Mar 26)
- [SECURITY ADVISORY] curl: CVE-2024-2004: Usage of disabled protocol Daniel Stenberg (Mar 26)
- [SECURITY ADVISORY] curl: CVE-2024-2379: QUIC certificate check bypass with wolfSSL Daniel Stenberg (Mar 27)
- [SECURITY ADVISORY] curl: CVE-2024-2398: HTTP/2 push headers memory-leak Daniel Stenberg (Mar 27)
- [SECURITY ADVISORY] curl: CVE-2024-2466: TLS certificate check bypass with mbedTLS Daniel Stenberg (Mar 27)
- CVE-2024-28085: Escape sequence injection in util-linux wall Skyler Ferrante (RIT Student) (Mar 27)
- Re: CVE-2024-28085: Escape sequence injection in util-linux wall nightmare . yeah27 (Mar 27)
- Re: Re: CVE-2024-28085: Escape sequence injection in util-linux wall Jakub Wilk (Mar 28)
- Re: CVE-2024-28085: Escape sequence injection in util-linux wall Jakub Wilk (Mar 27)
- Re: CVE-2024-28085: Escape sequence injection in util-linux wall Demi Marie Obenour (Mar 27)
- Re: CVE-2024-28085: Escape sequence injection in util-linux wall Solar Designer (Mar 27)
- Re: CVE-2024-28085: Escape sequence injection in util-linux wall Karel Zak (Mar 28)
- Re: CVE-2024-28085: Escape sequence injection in util-linux wall Alexander E. Patrakov (Mar 28)
- Re: CVE-2024-28085: Escape sequence injection in util-linux wall Demi Marie Obenour (Mar 27)
- Re: CVE-2024-28085: Escape sequence injection in util-linux wall nightmare . yeah27 (Mar 27)
- CVE-2024-23537: Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role. Arnout Engelen (Mar 29)
- CVE-2024-23538: Apache Fineract: Under certain system configurations, the sqlSearch parameter was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries. Arnout Engelen (Mar 29)
- CVE-2024-23539: Apache Fineract: Under certain system configurations, the sqlSearch parameter for specific endpoints was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries. Arnout Engelen (Mar 29)
- backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alex Gaynor (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Anthony Liguori (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alex Gaynor (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jeffrey Walton (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Ivan Delalande (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Vegard Nossum (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Vegard Nossum (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 31)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Vegard Nossum (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alexander E. Patrakov (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alexander E. Patrakov (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise terraminator (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alexander E. Patrakov (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Matthias Weckbecker (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Demi Marie Obenour (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 31)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Michael Tokarev (Mar 31)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Matthias Weckbecker (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 29)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 29)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Liguori, Anthony (Mar 29)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers (Mar 29)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Russ Allbery (Mar 29)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 29)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marcin Wolcendorf (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Bo Anderson (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Bjoern Franke (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Pierre-Elliott Bécue (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jeffrey Walton (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Mats Wichmann (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jan Engelhardt (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Pat Gunn (Mar 30)
- SV: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Markus Klyver (Mar 31)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron (Mar 31)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Russ Allbery (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Mike O'Connor (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Florian Weimer (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise sjw (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alexander E. Patrakov (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Axel Beckert (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Salvatore Bonaccorso (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Axel Beckert (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Collin Funk (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jonathan Schleifer (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jonathan Schleifer (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Fay Stegerman (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Christoph Anton Mitterer (Mar 30)
- RE: backdoor in upstream xz/liblzma leading to ssh server compromise Thomas Ward (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alexander E. Patrakov (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Axel Beckert (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 31)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jeffrey Walton (Mar 31)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Fay Stegerman (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Axel Beckert (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 31)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Michael.Karcher (Mar 31)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Dominique Martinet (Mar 31)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 31)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Dominique Martinet (Mar 31)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alex Gaynor (Mar 29)