oss-sec: by thread
176 messages
starting Oct 01 19 and ending Dec 30 19
- PDFex: Security weakness in PDF encryption Jens Müller (Oct 01)
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Oct 01)
- <Possible follow-ups>
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Oct 16)
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Nov 21)
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Dec 17)
- Multiple vulnerabilities in Online store system v1.0 Stored XSS and unauthenticated product deletions. Akamai (Oct 02)
- Minerva: ECDSA key recovery from bit-length leakage Ján Jančár (Oct 02)
- Re: CVE-2019-14835: QEMU-KVM Guest to Host Kernel Escape Vulnerability: vhost/vhost_net kernel buffer overflow Tina Li (Oct 03)
- CVE-2018-11768: Apache Hadoop HDFS FSImage Corruption Akira Ajisaka (Oct 04)
- Multiple vulnerabilities in Centreon-Web and Centreon-VM Guillaume Quéré (Oct 08)
- Re: Multiple vulnerabilities in Centreon-Web and Centreon-VM Guillaume Quéré (Oct 08)
- [OSSA-2019-005] Octavia Amphora-Agent not requiring Client-Certificate (CVE-2019-17134) Daniel 'f0o' Preussker (Oct 08)
- CVE-2019-16760: Cargo prior to Rust 1.26.0 may download the wrong dependency Pietro Albini (Oct 08)
- Announce: OpenSSH 8.1 released Damien Miller (Oct 08)
- CVE-2019-17365: Nix per-user profile directory hijack Michael Orlitzky (Oct 09)
- Re: CVE-2019-17365: Nix per-user profile directory hijack Graham Christensen (Oct 09)
- Re: CVE-2019-17365: Nix per-user profile directory hijack Michael Orlitzky (Oct 10)
- CVE-2019-18192: Insecure permissions on Guix profile directory Ludovic Courtès (Oct 17)
- Re: CVE-2019-17365: Nix per-user profile directory hijack Graham Christensen (Oct 09)
- Koji CVE-2019-17109: koji hub allows arbitrary upload destinations Patrick Uiterwijk (Oct 09)
- Statistics for distros lists updated for 2019Q3 Kristian Fiskerstrand (Oct 13)
- Re: Statistics for distros lists updated for 2019Q3 Kristian Fiskerstrand (Oct 15)
- Sudo: CVE-2019-14287 Todd C. Miller (Oct 14)
- Re: Sudo: CVE-2019-14287 Todd C. Miller (Oct 15)
- Fwd: [CVE-2016-4977] Apache Fineract remote code execution vulnerabilities fixed in v1.3.0 Vishwas Babu (Oct 16)
- [SBA-ADV-20190913-01] CVE-2019-16522: WordPress Plugin - EU Cookie Law (GDPR) <= 3.0.6 and possibly upwards - Stored XSS SBA Research Advisory (Oct 16)
- [SBA-ADV-20190913-02] CVE-2019-16521: WordPress Plugin - Broken Link Checker <= 1.11.8 - Reflected XSS SBA Research Advisory (Oct 16)
- [SBA-ADV-20190913-03] CVE-2019-16523: WordPress Plugin - Events Manager <= 5.9.5 - Stored XSS SBA Research Advisory (Oct 16)
- [SBA-ADV-20190913-04] CVE-2019-16520: WordPress Plugin - All in One SEO Pack <= 3.2.6 - Stored XSS SBA Research Advisory (Oct 16)
- BIND9 CVE-2019-6475 and CVE-2019-6476 ISC Security Officer (Oct 16)
- CVE-2019-0205: Apache Thrift: potential DoS when processing untrusted Thrift payload Jens Geyer (Oct 17)
- CVE-2019-0210: Apache Thrift: out-of-bounds read vulnerability Jens Geyer (Oct 17)
- [CVE-2019-15587] Loofah XSS Vulnerability Mike Dalessio (Oct 22)
- Re: [CVE-2019-15587] Loofah XSS Vulnerability Mike Dalessio (Oct 22)
- Xen Security Advisory 303 v4 (CVE-2019-18422) - ARM: Interrupts are unconditionally unmasked in exception handlers Xen . org security team (Oct 31)
- Xen Security Advisory 302 v5 (CVE-2019-18424) - passed through PCI devices may corrupt host memory after deassignment Xen . org security team (Oct 31)
- Xen Security Advisory 296 v4 (CVE-2019-18420) - VCPUOP_initialise DoS Xen . org security team (Oct 31)
- Xen Security Advisory 298 v3 (CVE-2019-18425) - missing descriptor table limit checking in x86 PV emulation Xen . org security team (Oct 31)
- Xen Security Advisory 299 v4 (CVE-2019-18421) - Issues with restartable PV type change operations Xen . org security team (Oct 31)
- Re: Python-3.5.8.tar.xz does NOT contain the fix for bpo-38243 Peter van Dijk (Oct 31)
- Xen Security Advisory 301 v3 (CVE-2019-18423) - add-to-physmap can be abused to DoS Arm hosts Xen . org security team (Oct 31)
- [CVE-2019-10084] privilege escalation by authenticated Apache Impala users Tim Armstrong (Nov 04)
- Re: Membership application for linux-distros - VMware Srivatsa S. Bhat (Nov 04)
- Re: Membership application for linux-distros - VMware Solar Designer (Nov 05)
- Re: Membership application for linux-distros - VMware Srivatsa S. Bhat (Nov 06)
- Re: Membership application for linux-distros - VMware Solar Designer (Nov 06)
- Re: Membership application for linux-distros - VMware Srivatsa S. Bhat (Nov 06)
- <Possible follow-ups>
- Re: Membership application for linux-distros - VMware Srivatsa S. Bhat (Nov 04)
- Re: Membership application for linux-distros - VMware Solar Designer (Nov 05)
- Re: [ Linux kernel ] Exploitable bugs in drivers/media/platform/vivid Salvatore Bonaccorso (Nov 04)
- [CVE-2019-12406] Apache CXF does not restrict the number of message attachments Colm O hEigeartaigh (Nov 05)
- [CVE-2019-12419] Apache CXF OpenId Connect token service does not properly validate the clientId Colm O hEigeartaigh (Nov 05)
- Re: Contributing Back Solar Designer (Nov 05)
- Re: Contributing Back Seth Arnold (Nov 05)
- Re: Contributing Back Solar Designer (Nov 06)
- Re: Contributing Back Anthony Liguori (Nov 06)
- Re: Contributing Back Seth Arnold (Nov 05)
- Re: Security fixes from Android 10 release which are relevant outside the Android ecosystem? Kees Cook (Nov 07)
- Re: independent volunteers on distros list Solar Designer (Nov 07)
- [CVE-2019-12408][CVE-2019-12410] Uninitialized Memory Vulnerabilities fixed in Apache Arrow 0.15.1 Micah Kornfield (Nov 07)
- Controversy and exploitability of gcc issue 30475 |assert(int+100 > int)| Georgi Guninski (Nov 08)
- Re: Controversy and exploitability of gcc issue 30475 |assert(int+100 > int)| John Haxby (Nov 08)
- Re: Controversy and exploitability of gcc issue 30475 |assert(int+100 > int)| John Haxby (Nov 08)
- Re: Controversy and exploitability of gcc issue 30475 |assert(int+100 > int)| Russ Allbery (Nov 08)
- Re: Controversy and exploitability of gcc issue 30475 |assert(int+100 > int)| Florian Weimer (Nov 08)
- Re: Controversy and exploitability of gcc issue 30475 |assert(int+100 > int)| John Haxby (Nov 08)
- CVE-2019-18397 - Stack buffer overflow in GNU FriBidi >= 1.0.0 Alex Murray (Nov 08)
- WebKitGTK and WPE WebKit Security Advisory WSA-2019-0006 Carlos Alberto Lopez Perez (Nov 08)
- CVE-2019-2201: libjpeg-turbo: code execution Wolfgang Frisch (Nov 11)
- Re: CVE-2019-2201: libjpeg-turbo: code execution pgajdos (Nov 12)
- DPDK security advisory: CVE-2019-14818 Ferruh Yigit (Nov 12)
- Xen Security Advisory 304 v1 (CVE-2018-12207) - x86: Machine Check Error on Page Size Change DoS Xen . org security team (Nov 12)
- Xen Security Advisory 305 v1 (CVE-2019-11135) - TSX Asynchronous Abort speculative side channel Xen . org security team (Nov 12)
- Security release of kubernetes-csi sidecars - CVE-2019-11255 Tim Allclair (Nov 14)
- CVE-2019-14869 ghostscript: -dSAFER escape in .charkeys Cedric Buissart (Nov 15)
- [CVE-2019-10070] Apache Atlas Stored XSS Vulnerability Madhan Neethiraj (Nov 17)
- Nokogiri security update v1.10.5 Mike Dalessio (Nov 17)
- [CVE-2019-12422] Apache Shiro weak cookie vulnerability Brian Demers (Nov 18)
- CVE-2019-18934 Unbound: Vulnerability in IPSEC module Ralph Dolmans (Nov 19)
- Mitigating malicious packages in gnu/linux Georgi Guninski (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Morten Linderud (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Stuart D. Gathman (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Tim Kuijsten (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Ludovic Courtès (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Morten Linderud (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Pavel Heimlich (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Jakub Wilk (Nov 19)
- Re: Mitigating malicious packages in gnu/linux Solar Designer (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Russ Allbery (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Solar Designer (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Mark Hatle (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Aditya Sirish Arunkumar Yelgundhalli (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Bob Friesenhahn (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Jeremy Stanley (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Bob Friesenhahn (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Russ Allbery (Nov 20)
- Re: Mitigating malicious packages in gnu/linux Morten Linderud (Nov 19)
- [CVE-2019-10083] Apache NiFi process group information disclosure Nathan Gough (Nov 19)
- [CVE-2019-12421] Apache NiFi 'Log out' button did not completely log user out Nathan Gough (Nov 19)
- [CVE-2019-10080] Apache NiFi XXE information disclosure Nathan Gough (Nov 19)
- BIND9 CVE-2019-6477 ISC Security Officer (Nov 20)
- Linux kernel: three buffer overflows in the marvell wifi driver huangwen (Nov 22)
- Linux kernel: heap overflow in the marvell wifi driver qize wang (Nov 22)
- Re: Linux kernel: heap overflow in the marvell wifi driver Solar Designer (Nov 25)
- Lots of bugs in 32-bit x86 Linux entry code Andy Lutomirski (Nov 25)
- Re: Lots of bugs in 32-bit x86 Linux entry code Stuart D. Gathman (Nov 25)
- Re: Lots of bugs in 32-bit x86 Linux entry code Simon McVittie (Nov 25)
- grub2-set-bootflag utility causes grubenv corruption rendering the system un-bootable Huzaifa Sidhpurwala (Nov 25)
- Xen Security Advisory 306 v2 - Device quarantine for alternate pci assignment methods Xen . org security team (Nov 26)
- CVE-2019-18660: Linux kernel: powerpc: missing Spectre-RSB mitigation Michael Ellerman (Nov 27)
- CVE-2019-0219: Apache Cordova InAppBrowser Privilege Escalation (Android) Jesse (Nov 28)
- Multiple issues in lemonldap-ng Raphael Geissert (Nov 28)
- Django 2.2.8 and 2.1.15: CVE-2019-19118: Privilege escalation in the Django admin. Carlton Gibson (Dec 02)
- virtual consoles Tavis Ormandy (Dec 02)
- Re: virtual consoles Solar Designer (Dec 02)
- Re: virtual consoles Tavis Ormandy (Dec 02)
- Re: virtual consoles Leonid Isaev (Dec 02)
- Re: virtual consoles Leonid Isaev (Dec 02)
- Re: virtual consoles Georgi Guninski (Dec 03)
- Re: virtual consoles Simon McVittie (Dec 03)
- Re: virtual consoles Tavis Ormandy (Dec 03)
- Re: virtual consoles Solar Designer (Dec 02)
- Linux kernel: multiple vulnerabilities in the USB subsystem x3 Andrey Konovalov (Dec 03)
- CVE-2019-17554: Olingo: XML External Entity resolution attack mibo (Dec 04)
- CVE-2019-17555: Olingo: DoS via Retry-After header vulnerability mibo (Dec 04)
- CVE-2019-17556: Olingo: Deserialization vulnerability mibo (Dec 04)
- [CVE-2019-19331] Knot Resolver 4.3.0 security release Vladimír Čunát (Dec 04)
- Authentication vulnerabilities in OpenBSD Qualys Security Advisory (Dec 04)
- Re: Authentication vulnerabilities in OpenBSD Solar Designer (Dec 04)
- Re: Authentication vulnerabilities in OpenBSD Georgi Guninski (Dec 05)
- Re: Authentication vulnerabilities in OpenBSD Renaud Allard (Dec 05)
- Re: Authentication vulnerabilities in OpenBSD Arrigo Triulzi (Dec 05)
- [CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections. William J. Tolley (Dec 04)
- Re: [CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections. Noel Kuntze (Dec 05)
- Re: [CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections. Noel Kuntze (Dec 08)
- Re: [CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections. Noel Kuntze (Dec 05)
- Re: [CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections. Colm MacCárthaigh (Dec 05)
- <Possible follow-ups>
- Re: [CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections. ValdikSS (Dec 06)
- Xen Security Advisory 306 v3 (CVE-2019-19579) - Device quarantine for alternate pci assignment methods Xen . org security team (Dec 05)
- CVE-2019-5544 openslp 1.2.1, 2.0.0 heap overflow vulnerability VMware Security Response Center (Dec 05)
- Re: CVE-2019-5544 openslp 1.2.1, 2.0.0 heap overflow vulnerability Riccardo Schirone (Dec 10)
- Re: CVE-2019-5544 openslp 1.2.1, 2.0.0 heap overflow vulnerability VMware Security Response Center (Dec 11)
- Re: CVE-2019-5544 openslp 1.2.1, 2.0.0 heap overflow vulnerability Riccardo Schirone (Dec 10)
- Shell wildcards considered dangerous? Georgi Guninski (Dec 09)
- Re: Shell wildcards considered dangerous? Noel Kuntze (Dec 09)
- Re: Shell wildcards considered dangerous? Leonid Isaev (Dec 09)
- Re: Shell wildcards considered dangerous? Noel Kuntze (Dec 09)
- Re: Shell wildcards considered dangerous? Leonid Isaev (Dec 09)
- Re: Shell wildcards considered dangerous? Noel Kuntze (Dec 09)
- Re: Shell wildcards considered dangerous? Leonid Isaev (Dec 09)
- Re: Shell wildcards considered dangerous? Leonid Isaev (Dec 09)
- Re: Shell wildcards considered dangerous? Heiko Schlittermann (Dec 09)
- Re: Shell wildcards considered dangerous? Noel Kuntze (Dec 09)
- CVE-2019-18960: Firecracker v0.18.0 and v0.19.0 vsock buffer overflow sandreim (Dec 10)
- CVE-2019-19338 Kernel: KVM: export MSR_IA32_TSX_CTRL to guest - incomplete fix for TAA (CVE-2019-11135) P J P (Dec 10)
- Xen Security Advisory 307 v3 (CVE-2019-19581,CVE-2019-19582) - find_next_bit() issues Xen . org security team (Dec 11)
- Xen Security Advisory 309 v3 (CVE-2019-19578) - Linear pagetable use / entry miscounts Xen . org security team (Dec 11)
- Xen Security Advisory 310 v3 (CVE-2019-19580) - Further issues with restartable PV type change operations Xen . org security team (Dec 11)
- Xen Security Advisory 311 v4 (CVE-2019-19577) - Bugs in dynamic height handling for AMD IOMMU pagetables Xen . org security team (Dec 11)
- Xen Security Advisory 308 v3 (CVE-2019-19583) - VMX: VMentry failure with debug exceptions and blocked states Xen . org security team (Dec 11)
- [OSSA-2019-006] Keystone: Credentials API allows listing and retrieving of all users credentials (CVE-2019-19687) Gage Hugo (Dec 11)
- Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726) Qualys Security Advisory (Dec 11)
- Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805 Kevin A. McGrail (Dec 12)
- Apache SpamAssassin v3.4.3 released with fix for CVE-2019-12420 Kevin A. McGrail (Dec 12)
- Multiple vulnerabilities fixed in Git Johannes Schindelin (Dec 13)
- CVE-2019-19722: Critical vulnerability in Dovecot Aki Tuomi (Dec 13)
- Re: CVE-2019-19722: Critical vulnerability in Dovecot Aki Tuomi (Dec 13)
- CVE-2019-19332 Kernel: kvm: OOB memory write via kvm_dev_ioctl_get_cpuid P J P (Dec 15)
- [CVE-2019-12414] Apache Incubator Superset meta data leak vulnerability daniel gaspar (Dec 16)
- [CVE-2019-12413] Apache Incubator Superset meta data leak vulnerability daniel gaspar (Dec 16)
- Django: CVE-2019-19844: Potential account hijack via password reset form Mariusz Felisiak (Dec 18)
- [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Aaron Patterson (Dec 18)
- Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Alexander E. Patrakov (Dec 18)
- Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Stuart D. Gathman (Dec 19)
- Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Alexander E. Patrakov (Dec 18)
- CVE requests: three vulnerabilities in ImageMagick GalyCannon (Dec 19)
- Re: CVE requests: three vulnerabilities in ImageMagick Mohammad Tausif Siddiqui (Dec 20)
- [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer Matt Sicker (Dec 19)
- VNC vulnerabilities. TigerVNC security update Pavel Cheremushkin (Dec 20)
- Arbitrary file upload vulnerability in upload-image-with-ajax v1.0 Larry W. Cashdollar (Dec 23)
- <Possible follow-ups>
- Re: Arbitrary file upload vulnerability in upload-image-with-ajax v1.0 Larry W. Cashdollar (Dec 23)
- CVE-2019-19947: Linux kernel can: kvaser_usb: kvaser_usb_leaf: some info-leaks vulnerabilities butt3rflyh4ck (Dec 23)
- OpenSC 0.20.0 released Frank Morgner (Dec 29)
- [CVE-2019-17558] Apache Solr RCE through VelocityResponseWriter Erik Hatcher (Dec 30)