oss-sec: by author

199 messages starting Mar 13 19 and ending Jan 24 19

Aaron Patterson

[CVE-2019-5418] File Content Disclosure in Action View Aaron Patterson (Mar 13)
[CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View Aaron Patterson (Mar 22)
[CVE-2019-5420] Possible Remote Code Execution Exploit in Rails Development Mode Aaron Patterson (Mar 13)
[CVE-2019-5419] Denial of Service Vulnerability in Action View Aaron Patterson (Mar 13)

Ailin Nemui

Irssi 1.1.2: CVE-2019-5882 Ailin Nemui (Jan 10)

Akira Ajisaka

CVE-2018-1296: Apache Hadoop HDFS Permissive listXAttr Authorization Akira Ajisaka (Jan 23)
CVE-2018-11767: Apache Hadoop KMS ACL regression Akira Ajisaka (Mar 11)

Aki Tuomi

CVE-2019-3814: Suitable client certificate can be used to login as other user Aki Tuomi (Feb 05)
CVE-2019-7524: Buffer overflow when reading extension header from dovecot index files Aki Tuomi (Mar 28)

Alan Coopersmith

Fwd: [ANNOUNCE] libXdmcp 1.1.3 [fix for CVE-2017-2625] Alan Coopersmith (Mar 16)

Aleksa Sarai

Re: CVE-2019-5736: runc container breakout (all versions) Aleksa Sarai (Feb 12)
Re: CVE-2019-5736: runc container breakout (all versions) Aleksa Sarai (Feb 12)
Re: CVE-2019-5736: runc container breakout exploit code Aleksa Sarai (Feb 13)
Re: CVE-2019-5736: runc container breakout exploit code Aleksa Sarai (Feb 13)
CVE-2019-5736: runc container breakout exploit code Aleksa Sarai (Feb 13)
CVE-2019-5736: runc container breakout (all versions) Aleksa Sarai (Feb 11)
Re: CVE-2019-5736: runc container breakout (all versions) Aleksa Sarai (Feb 13)
Re: CVE-2019-5736: runc container breakout (all versions) Aleksa Sarai (Feb 13)

Alexander E. Patrakov

Two more LXC breakouts (both privileged), apparmor issue? Alexander E. Patrakov (Feb 12)

Alexander Potapenko

Re: Heap based buffer overflow in wolfSSL Alexander Potapenko (Jan 16)

Alex Gaynor

Notes on fuzzing ImageMagick and GraphicsMagick Alex Gaynor (Feb 05)

Alex R

CVE-2018-11793: Mesos components might crash when parsing deeply nested JSON structures. Alex R (Mar 04)
CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible. Alex R (Mar 23)

Alex Rudyy

[SECURITY] CVE-2019-0200: Apache Qpid Broker-J Denial of Service due to malformed AMQP 0-8 to 0-10 commands Alex Rudyy (Mar 01)

Ali Saidi

Stack/Heap Clashing on Linux >=4.13 when loader directly invoked Ali Saidi (Mar 13)

Amos Jeffries

Re: wget / chromium: URL metadata and potential password leaks via extended filesystem attributes Amos Jeffries (Jan 02)

Ash Berlin-Taylor

RCE, CSRF and Information leak vulnerabilities against Airflow <= 1.8.2 (CVE-2017-15720, CVE-2017-17835, CVE-2017-17836) Ash Berlin-Taylor (Jan 08)
CVE-2018-20245: Apache Airflow LDAP auth backend did not validate SSL certificate for <= 1.10.0 Ash Berlin-Taylor (Jan 08)

Ben Hutchings

Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Ben Hutchings (Feb 07)

Bryan Call

[CVE-2018-11783] Apache Traffic Server vulnerability with sslheader plugin Bryan Call (Feb 13)

Carlton Gibson

CVE-2019-6975 -- Django fixed memory exhaustion in utils.numberformat.format(). Carlton Gibson (Feb 11)

Cedric Buissart

ghostscript: 2 -dSAFER bypass: CVE-2019-3835 & CVE-2019-3838 Cedric Buissart (Mar 21)

Chris Coulson

CVE-2019-6454: systemd (PID1) crash with specially crafted D-Bus message Chris Coulson (Feb 18)

Craig Young

Re: Apache web server use after free bugs (unfixed) Craig Young (Jan 21)

Daniel Beck

Multiple vulnerabilities in Jenkins plugins Daniel Beck (Feb 19)
Re: Sandbox bypass in multiple Jenkins plugins Daniel Beck (Jan 23)
Re: Multiple vulnerabilities in Jenkins Daniel Beck (Jan 23)
Multiple vulnerabilities in Jenkins Daniel Beck (Jan 16)
Multiple vulnerabilities in Jenkins plugins Daniel Beck (Mar 06)
Re: Multiple vulnerabilities in Jenkins Daniel Beck (Jan 23)
Multiple vulnerabilities in Jenkins plugins Daniel Beck (Mar 25)
Re: Multiple vulnerabilities in Jenkins plugins Daniel Beck (Mar 28)
Sandbox bypass in multiple Jenkins plugins Daniel Beck (Jan 08)
Re: Multiple vulnerabilities in Jenkins plugins Daniel Beck (Feb 06)
Multiple vulnerabilities in Jenkins plugins Daniel Beck (Jan 28)
Re: Multiple vulnerabilities in Jenkins plugins Daniel Beck (Feb 23)
Re: Multiple vulnerabilities in Jenkins plugins Daniel Beck (Mar 25)

Daniel Ruggeri

CVE-2018-17199: mod_session_cookie does not respect expiry time Daniel Ruggeri (Jan 22)
CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies Daniel Ruggeri (Jan 22)
CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1 Daniel Ruggeri (Jan 22)

Daniel Stenberg

[SECURITY ADVISORY] curl: NTLM type-2 out-of-bounds buffer read Daniel Stenberg (Feb 05)
[SECURITY ADVISORIES] libssh2 Daniel Stenberg (Mar 18)
[SECURITY ADVISORY] curl: NTLMv2 type-3 header stack buffer overflow Daniel Stenberg (Feb 05)
[SECURITY ADVISORY] curl: SMTP end-of-response out-of-bounds read Daniel Stenberg (Feb 05)

Dave

[CVE-2018-17198] Server-side Request Forgery (SSRF) and File Enumeration vulnerability in Apache Roller Dave (Jan 11)

David A. Wheeler

Railroader: static analysis tool for Ruby on Rails (OSS fork of Brakeman) David A. Wheeler (Feb 13)

Dejan Bosanac

[ANNOUNCE] CVE-2019-0222 - Apache ActiveMQ: Corrupt MQTT frame can cause broker shutdown Dejan Bosanac (Mar 27)

Dhiraj Mishra

aria2 leaks passwords for HTTP based authentication Dhiraj Mishra (Jan 02)
Heap based buffer overflow in wolfSSL Dhiraj Mishra (Jan 16)
Memory leak in libiec61850 protocol Dhiraj Mishra (Jan 11)
GattLib 0.2 has a stack-based buffer - CVE-2019-6498 Dhiraj Mishra (Jan 21)
Memory leak in libiec61850 Dhiraj Mishra (Jan 11)
NULL pointer dereference in lib60870 protocol Dhiraj Mishra (Jan 11)
SEGV in libIEC61850 protocol Dhiraj Mishra (Jan 11)

EJ Campbell

Re: CVE-2019-5736: runc container breakout exploit code EJ Campbell (Feb 13)
Re: CVE-2019-5736: runc container breakout exploit code EJ Campbell (Feb 13)

Entropy Moe

Re: KASAN stack out of bound bug Entropy Moe (Jan 08)
KASAN stack out of bound bug Entropy Moe (Jan 08)
Re: Linux Kernel 4.20(21) deadlock vulnerability. Entropy Moe (Jan 08)
Re: KASAN stack out of bound bug Entropy Moe (Jan 08)
Re: Linux Kernel 4.20(21) deadlock vulnerability. Entropy Moe (Jan 08)
Linux Kernel 4.20(21) deadlock vulnerability. Entropy Moe (Jan 08)
Re: KASAN stack out of bound bug Entropy Moe (Jan 08)

Eric Dumazet

Re: Linux Kernel 4.20(21) deadlock vulnerability. Eric Dumazet (Jan 08)
Re: KASAN stack out of bound bug Eric Dumazet (Jan 08)

Erik Winkels

PowerDNS Security Advisory 2019-03 Erik Winkels (Mar 18)

Florian Weimer

Re: Apache web server use after free bugs (unfixed) Florian Weimer (Jan 21)
Re: CVE-2019-5736: runc container breakout (all versions) Florian Weimer (Feb 12)

Greg KH

Re: Linux Kernel 4.20(21) deadlock vulnerability. Greg KH (Jan 08)
Re: KASAN stack out of bound bug Greg KH (Jan 08)
Re: Linux Kernel 4.20(21) deadlock vulnerability. Greg KH (Jan 08)

halfdog

Re: Asserts considered harmful (or GMP spills its sensitive information) halfdog (Jan 01)
Re: Re: Asserts considered harmful (or GMP spills its sensitive information) halfdog (Jan 01)
Re: Re: Asserts considered harmful (or GMP spills its sensitive information) halfdog (Jan 02)

Hanno Böck

Open Redirect in Tiny Tiny RSS (tt-rss) Hanno Böck (Mar 03)
Re: Notes on fuzzing ImageMagick and GraphicsMagick Hanno Böck (Feb 06)
Apache web server use after free bugs (unfixed) Hanno Böck (Jan 21)
Re: Squirrelmail XSS Fixes Hanno Böck (Mar 01)
wget / chromium: URL metadata and potential password leaks via extended filesystem attributes Hanno Böck (Jan 01)
Re: wget / chromium: URL metadata and potential password leaks via extended filesystem attributes Hanno Böck (Jan 03)
Squirrelmail XSS Fixes Hanno Böck (Mar 01)

Harry Sintonen

SCP client multiple vulnerabilities Harry Sintonen (Jan 14)

Henri Salo

CVE-2019-9573 / CVE-2019-9574: WordPress plugin hrm missing server side authorization checks Henri Salo (Mar 17)
Re: [CVE-2018-20242] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki Henri Salo (Jan 31)

Imran Rashid

CVE-2018-11760: Apache Spark local privilege escalation vulnerability Imran Rashid (Jan 29)

Jakub Wilk

Re: Disabling ptrace Jakub Wilk (Jan 02)

James E. King III

Re: [SECURITY] CVE-2018-1320 Apache Thrift SASL negotiation vulnerability (update) James E. King III (Mar 13)
[SECURITY] CVE-2018-1320 Announcement James E. King III (Jan 07)
[SECURITY] CVE-2018-11798 Announcement James E. King III (Jan 07)

Jann Horn

Linux kernel: three KVM bugs (CVE-2019-6974, CVE-2019-7221, CVE-2019-7222) Jann Horn (Feb 18)
Linux kernel: OOB R/W in SNMP NAT module (CVE-2019-9162); virtual address 0 mappable (CVE-2019-9213) Jann Horn (Mar 06)
Linux kernel: BPF spectre v1 mitigation bypass (CVE-2019-7308, fixed in 4.19.19 and 4.20.6) Jann Horn (Feb 02)

Jean-Baptiste Onofré

[SECURITY] New security advisory for CVE-2018-11788 released for Apache Karaf Jean-Baptiste Onofré (Jan 06)
[SECURITY] New security advisory for CVE-2019-0191 released for Apache Karaf Jean-Baptiste Onofré (Mar 07)

Jeffrey Walton

Re: Asserts considered harmful (or GMP spills its sensitive information) Jeffrey Walton (Jan 01)
Re: Asserts considered harmful (or GMP spills its sensitive information) Jeffrey Walton (Jan 06)
Re: Asserts considered harmful (or GMP spills its sensitive information) Jeffrey Walton (Jan 01)
Re: Asserts considered harmful (or GMP spills its sensitive information) Jeffrey Walton (Jan 03)
Re: Asserts considered harmful (or GMP spills its sensitive information) Jeffrey Walton (Jan 03)
Re: Re: Asserts considered harmful (or GMP spills its sensitive information) Jeffrey Walton (Jan 02)

Jeremy Stanley

[OSSA-2019-001] Unsupported dport option prevents applying security groups in OpenStack Neutron (CVE-2019-9735) Jeremy Stanley (Mar 18)

Josh Elser

[CVE-2019-0212] Apache HBase REST Server incorrect user authorization Josh Elser (Mar 27)

Juan Pablo Santos Rodríguez

Re: [CVE-2018-20242] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki Juan Pablo Santos Rodríguez (Feb 01)
[CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure Juan Pablo Santos Rodríguez (Mar 26)
[CVE-2019-0224] Apache JSPWiki Cross-site scripting vulnerability Juan Pablo Santos Rodríguez (Mar 26)
[CVE-2018-20242] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki Juan Pablo Santos Rodríguez (Jan 31)

Kristian Fiskerstrand

Statistics for distros lists updated for 2018Q4 Kristian Fiskerstrand (Jan 14)

Loganaden Velvindron

Re: CVE-2019-5736: runc container breakout (all versions) Loganaden Velvindron (Feb 13)

Marco Bodrato

Re: Asserts considered harmful (or GMP spills its sensitive information) Marco Bodrato (Jan 03)

Marcus Meissner

New pagecache based sidechannel attack published Marcus Meissner (Jan 06)
Kernel local root in SCTP / CVE-2019-8956 Marcus Meissner (Feb 21)
Re: New pagecache based sidechannel attack published Marcus Meissner (Jan 07)

Mark Steward

Re: Open Redirect in Tiny Tiny RSS (tt-rss) Mark Steward (Mar 03)

Mathias Payer

Transient execution attacks leveraging port contention Mathias Payer (Mar 06)

Matthew Fernandez

Re: Asserts considered harmful (or GMP spills its sensitive information) Matthew Fernandez (Jan 01)

Michael Catanzaro

WebKitGTK+ and WPE WebKit Security Advisory WSA-2019-0001 Michael Catanzaro (Feb 09)

Michael Ellerman

Re: Re: Linux Kernel 4.20(21) deadlock vulnerability. Michael Ellerman (Jan 09)
Re: Linux kernel: Bluetooth: two remote infoleaks (CVE-2019-3459, CVE-2019-3460) Michael Ellerman (Jan 14)

Michael McNally

Multiple BIND CVEs disclosed (CVE-2018-5744, CVE-2018-5745, CVE-2019-6465) Michael McNally (Feb 21)

Mike Jumper

Re: CVE-2018-1340: Apache Guacamole: Secure flag missing from session cookie Mike Jumper (Feb 02)
CVE-2018-1340: Apache Guacamole: Secure flag missing from session cookie Mike Jumper (Jan 23)

Neng Lu

[CVE-2018-11789] Apache Incubator Heron file access vulnerability Neng Lu (Mar 07)

Niels Möller

Re: Asserts considered harmful (or GMP spills its sensitive information) Niels Möller (Jan 01)
Disabling ptrace (was Re: [oss-security] Asserts considered harmful (or GMP spills its sensitive information)) Niels Möller (Jan 01)
Re: Asserts considered harmful (or GMP spills its sensitive information) Niels Möller (Jan 06)
Re: Asserts considered harmful (or GMP spills its sensitive information) Niels Möller (Jan 01)
Re: Disabling ptrace Niels Möller (Jan 02)

Patrick Uiterwijk

CVE-2018-1002161 - Koji - SQL injection in multiple remote calls Patrick Uiterwijk (Feb 21)

Paul Harvey

CVE-2018-16886 etcd: Improper Authentication in auth/store.go:AuthInfoFromTLS() via gRPC-gateway Paul Harvey (Jan 14)

Paul Moore

libseccomp: incorrect generation of syscall argument filters Paul Moore (Mar 15)

Peter Korsgaard

Re: CVE-2019-3813: spice: Off-by-one error in array access in spice/server/memslot.c Peter Korsgaard (Jan 28)

Peter Kovacs

CVE-2018-11790: Apache OpenOffice: Arithmetic overflow and wrap around during string length calculation Peter Kovacs (Jan 16)

Philippe Mouawad

[SECURITY] CVE-2019-0187: Apache JMeter Missing client auth for RMI connection when distributed test is used Philippe Mouawad (Mar 02)

P J P

CVE-2019-6501 QEMU: scsi-generic: possible OOB access while handling inquiry request P J P (Jan 23)
CVE-2019-6778 QEMU: slirp: heap buffer overflow in tcp_emu() P J P (Jan 24)
CVE-2019-9824 QEMU: Slirp: information leakage in tcp_emu() due to uninitialized stack variables P J P (Mar 18)
CVE-2018-20815 QEMU: device_tree: heap buffer overflow while loading device tree blob P J P (Mar 27)
CVE-2019-8934 QEMU: ppc64: sPAPR emulator leaks the host hardware identity P J P (Feb 21)

Purushottam Choudhary

Fastbin double free issue in MP4v2 2.0.0 Purushottam Choudhary (Jan 09)

Qualys Security Advisory

System Down: A systemd-journald exploit Qualys Security Advisory (Jan 09)

Randy Barlow

CVE-2019-7628: Pagure version 5.2 leaks API keys by e-mail Randy Barlow (Feb 08)

Remi Gacogne

PowerDNS Security Advisories 2011-01 and 2019-02 Remi Gacogne (Jan 21)

Riccardo Schirone

Re: [SECURITY ADVISORIES] libssh2 Riccardo Schirone (Mar 19)

Salvatore Bonaccorso

Re: CVE-2018-1340: Apache Guacamole: Secure flag missing from session cookie Salvatore Bonaccorso (Feb 02)
Re: CVE-2018-1340: Apache Guacamole: Secure flag missing from session cookie Salvatore Bonaccorso (Feb 01)

Scott Gayou

CVE-2019-3813: spice: Off-by-one error in array access in spice/server/memslot.c Scott Gayou (Jan 28)

Simon McVittie

Re: CVE-2019-6454: systemd (PID1) crash with specially crafted D-Bus message Simon McVittie (Feb 19)
Re: Re: Asserts considered harmful (or GMP spills its sensitive information) Simon McVittie (Jan 01)
ikiwiki: CVE-2019-9187: Server-side request forgery Simon McVittie (Feb 28)

Solar Designer

Linux kernel: Bluetooth: two remote infoleaks (CVE-2019-3459, CVE-2019-3460) Solar Designer (Jan 11)
Re: CVE-2019-5736: runc container breakout (all versions) Solar Designer (Feb 12)
Re: Linux kernel: OOB R/W in SNMP NAT module (CVE-2019-9162); virtual address 0 mappable (CVE-2019-9213) Solar Designer (Mar 10)

Steve Grubb

Re: CVE-2019-5736: runc container breakout (all versions) Steve Grubb (Feb 12)

Sysdream Labs

[CVE-2018-14013] Reflected Cross-Site Scripting (XSS) vulnerabilities in Zimbra Collaboration Sysdream Labs (Jan 30)

Tavis Ormandy

MatrixSSL stack buffer overflow Tavis Ormandy (Feb 14)
ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators Tavis Ormandy (Jan 23)

Thomas Jarosch

Re: Re: ghostscript: 1Policy operator gives access to .forceput CVE-2018-18284 Thomas Jarosch (Jan 22)

Tim Graham

Django security releases issued: 2.1.5, 2.0.10, and 1.11.18 Tim Graham (Jan 04)

Timothy Michaud

Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Timothy Michaud (Feb 07)
Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Timothy Michaud (Jan 23)

Tomas Fernandez Lobbe

CVE-2017-3164: Apache Solr: SSRF issue Tomas Fernandez Lobbe (Feb 12)
CVE-2019-0192 Deserialization of untrusted data via jmx.serviceUrl in Apache Solr Tomas Fernandez Lobbe (Mar 07)

Torbjörn Granlund

Re: Asserts considered harmful (or GMP spills its sensitive information) Torbjörn Granlund (Jan 01)
Re: Asserts considered harmful (or GMP spills its sensitive information) Torbjörn Granlund (Jan 03)

Troy Curtis

[CVE-2018-11803] Apache Subversion Denial of Service Vulnerability Troy Curtis (Jan 23)

Vincent Lefevre

Re: Asserts considered harmful (or GMP spills its sensitive information) Vincent Lefevre (Jan 01)

Vladis Dronov

CVE-2018-16880 Linux kernel: oob-write in drivers/vhost/net.c:get_rx_bufs() Vladis Dronov (Jan 25)

Vlad Tsyrklevich

Unfixed FreeBSD uninitialized memory disclosures Vlad Tsyrklevich (Jan 21)

Wade Mealing

CVE-2019-3812 - qemu - Out-of-bounds read in hw/i2c/i2c-ddc.c allows for memory disclosure Wade Mealing (Feb 17)

X41 D-Sec GmbH Advisories

X41 D-Sec GmbH Security Advisory X41-2018-009: ReDoS Vulnerability in UA-Parser X41 D-Sec GmbH Advisories (Jan 10)

Xen . org security team

Xen Security Advisory 282 v2 (CVE-2018-19967) - guest use of HLE constructs may lock up host Xen . org security team (Jan 08)
Xen Security Advisory 289 v2 - Spectre V1 gadgets exploitable with L1TF Xen . org security team (Jan 21)
Xen Security Advisory 291 v2 - x86/PV: page type reference counting issue with failed IOMMU update Xen . org security team (Mar 05)
Xen Security Advisory 294 v2 - x86 shadow: Insufficient TLB flushing when using PCID Xen . org security team (Mar 05)
Xen Security Advisory 279 v3 (CVE-2018-19965) - x86: DoS from attempting to use INVPCID with a non-canonical addresses Xen . org security team (Jan 08)
Xen Security Advisory 287 v2 - x86: steal_page violates page_struct access discipline Xen . org security team (Mar 05)
Xen Security Advisory 284 v2 - grant table transfer issues on large hosts Xen . org security team (Mar 05)
Xen Security Advisory 292 v2 - x86: insufficient TLB flushing when using PCID Xen . org security team (Mar 05)
Xen Security Advisory 276 v3 (CVE-2018-19963) - resource accounting issues in x86 IOREQ server handling Xen . org security team (Jan 08)
Xen Security Advisory 275 v3 (CVE-2018-19961,CVE-2018-19962) - insufficient TLB flushing / improper large page mappings with AMD IOMMUs Xen . org security team (Jan 08)
Xen Security Advisory 288 v2 - x86: Inconsistent PV IOMMU discipline Xen . org security team (Mar 05)
Xen Security Advisory 280 v3 (CVE-2018-19966) - Fix for XSA-240 conflicts with shadow paging Xen . org security team (Jan 08)
Xen Security Advisory 290 v2 - missing preemption in x86 PV page table unvalidation Xen . org security team (Mar 05)
Xen Security Advisory 285 v2 - race with pass-through device hotplug Xen . org security team (Mar 05)
Xen Security Advisory 277 v3 (CVE-2018-19964) - x86: incorrect error handling for guest p2m page removals Xen . org security team (Jan 08)
Xen Security Advisory 289 v3 - Cache-load gadgets exploitable with L1TF Xen . org security team (Jan 21)
Xen Security Advisory 293 v3 - x86: PV kernel context switch corruption Xen . org security team (Mar 05)
Xen Security Advisory 283 v2 - Withdrawn Xen Security Advisory number Xen . org security team (Feb 22)

Yves-Alexis Perez

Re: Linux Kernel: Missing access_ok() checks in IOCTL function (gpu/drm/i915 Driver) Yves-Alexis Perez (Jan 24)