oss-sec: by thread
193 messages
starting Jul 01 21 and
ending Sep 30 21
- CVE-2021-26920: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended Jihoon Son (Jul 01)
- Django: CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order_by() input Mariusz Felisiak (Jul 01)
- CVE-2021-33192: Apache Jena Fuseki: Display information UI XSS Andy Seaborne (Jul 04)
- Re: Blind in/on-path attacks against VPN-tunneled connections (CVE-2019-14899 follow-up) vpn-research (Jul 05)
- linuxptp: Fixes published for CVE-2021-3570 and CVE-2021-3571 Richard Cochran (Jul 06)
- xscreensaver 5.45 crash Mustafa Kuscu (Jul 06)
- CVE-2021-35039: Linux kernel loading unsigned kernel modules via init_module syscall Nayna (Jul 06)
- CVE-2021-30129: DoS/OOM leak vulnerability in Apache Mina SSHD Server Guillaume Nodet (Jul 12)
- [OSSA-2021-001] Neutron: Anti-spoofing bypass for Open vSwitch networks (CVE-2021-20267) Jeremy Stanley (Jul 12)
- CVE-2021-35515: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability Stefan Bodewig (Jul 13)
- CVE-2021-35516: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability Stefan Bodewig (Jul 13)
- CVE-2021-35517: Apache Commons Compress 1.1 to 1.20 denial of service vulnerability Stefan Bodewig (Jul 13)
- CVE-2021-36090: Apache Commons Compress 1.0 to 1.20 denial of service vulnerability Stefan Bodewig (Jul 13)
- CVE-2021-36373: Apache Ant TAR archive denial of service vulnerability Stefan Bodewig (Jul 13)
- CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulnerability Stefan Bodewig (Jul 13)
- [kubernetes] CVE-2021-25740: Endpoint & EndpointSlice permissions allow cross-Namespace forwarding CJ Cullen (Jul 14)
- Re: Polipo: denial-of-service using range John Helmert III (Jul 18)
- <Possible follow-ups>
- Re: Polipo: denial-of-service using range Jeffrey Walton (Jul 19)
- Re: Polipo: denial-of-service using range Alexandr Savca (chinarulezzz) (Jul 28)
- Re: Polipo: denial-of-service using range John Helmert III (Aug 01)
- Re: Polipo: denial-of-service using range Alexandr Savca (chinarulezzz) (Aug 03)
- Re: Polipo: denial-of-service using range John Helmert III (Aug 13)
- Re: Polipo: denial-of-service using range Alexandr Savca (chinarulezzz) (Jul 28)
- CVE-2021-32760: containerd archive package allows chmod of file outside of unpack target directory Karp, Samuel (Jul 19)
- CVE-2021-33909: size_t-to-int vulnerability in Linux's filesystem layer Qualys Security Advisory (Jul 20)
- Re: CVE-2021-33909: size_t-to-int vulnerability in Linux's filesystem layer Petr Matousek (Jul 20)
- <Possible follow-ups>
- Re: CVE-2021-33909: size_t-to-int vulnerability in Linux's filesystem layer Qualys Security Advisory (Jul 22)
- Re: CVE-2021-33909: size_t-to-int vulnerability in Linux's filesystem layer Qualys Security Advisory (Aug 25)
- CVE-2021-33910: Denial of service (stack exhaustion) in systemd (PID 1) Qualys Security Advisory (Jul 20)
- Re: CVE-2021-33910: Denial of service (stack exhaustion) in systemd (PID 1) Mauro Matteo Cascella (Jul 20)
- Pop!_OS Membership to linux-distros list Jeremy Soller (Jul 20)
- Re: Pop!_OS Membership to linux-distros list Solar Designer (Jul 27)
- Re: Pop!_OS Membership to linux-distros list Tyler Hicks (Jul 30)
- Re: Pop!_OS Membership to linux-distros list Jeremy Soller (Aug 04)
- Re: Pop!_OS Membership to linux-distros list Tyler Hicks (Aug 04)
- Re: Pop!_OS Membership to linux-distros list Solar Designer (Aug 17)
- Re: Pop!_OS Membership to linux-distros list Jeremy Soller (Sep 07)
- Re: Pop!_OS Membership to linux-distros list Solar Designer (Jul 27)
- [SECURITY ADVISORY] curl: Wrong content via metalink not discarded Daniel Stenberg (Jul 21)
- [SECURITY ADVISORY] curl: Metalink download sends credentials Daniel Stenberg (Jul 21)
- [SECURITY ADVISORY] curl: Bad connection reuse due to flawed path name checks Daniel Stenberg (Jul 21)
- [SECURITY ADVISORY] curl: TELNET stack contents disclosure again Daniel Stenberg (Jul 21)
- CVE-2021-3640: Linux kernel: UAF in sco_send_frame function Lin Horse (Jul 22)
- ipython3 may execute code from the current working directory Georgi Guninski (Jul 22)
- Re: ipython3 may execute code from the current working directory Jakub Wilk (Jul 22)
- Re: ipython3 may execute code from the current working directory Jakub Wilk (Jul 22)
- Re: ipython3 may execute code from the current working directory Jakub Wilk (Jul 23)
- Re: ipython3 may execute code from the current working directory Mats Wichmann (Jul 23)
- Re: ipython3 may execute code from the current working directory Jakub Wilk (Jul 24)
- Re: ipython3 may execute code from the current working directory Georgi Guninski (Jul 25)
- Re: ipython3 may execute code from the current working directory Jakub Wilk (Jul 22)
- CVE-2021-28131: Apache Impala: Impala logs contain secrets Zoltán Borók-Nagy (Jul 22)
- Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure) (CVE Request) Jonas Schäfer (Jul 22)
- Re: Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure) (CVE Request) Salvatore Bonaccorso (Jul 27)
- Re: Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure) (CVE Request) Jonas Schäfer (Jul 28)
- Re: Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure) (CVE-2021-37601) Jonas Schäfer (Jul 28)
- Re: Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure) (CVE Request) Salvatore Bonaccorso (Jul 27)
- WebKitGTK and WPE WebKit Security Advisory WSA-2021-0004 Carlos Alberto Lopez Perez (Jul 23)
- CVE-2021-33900: Apache Directory Studio: StartTLS and SASL confidentiality protection bypass Stefan Seelmann (Jul 24)
- Potential symlink attack in python3 __pycache__ Georgi Guninski (Jul 24)
- Re: Potential symlink attack in python3 __pycache__ Michael Orlitzky (Jul 24)
- Re: Potential symlink attack in python3 __pycache__ Georgi Guninski (Jul 26)
- Re: Potential symlink attack in python3 __pycache__ Santiago Torres (Jul 26)
- Re: Potential symlink attack in python3 __pycache__ Jakub Wilk (Jul 26)
- Re: Potential symlink attack in python3 __pycache__ Georgi Guninski (Jul 26)
- Re: Potential symlink attack in python3 __pycache__ Michael Orlitzky (Jul 24)
- CVE-2020-28020: Integer overflow in Exim that can lead to RCE: Some questions to the Qualys researchers who designed the exploit Jonas Dellinger (Jul 25)
- Re: CVE-2020-28020: Integer overflow in Exim that can lead to RCE: Some questions to the Qualys researchers who designed the exploit Qualys Security Advisory (Aug 02)
- Linux kernel: powerpc: KVM guest to host memory corruption Michael Ellerman (Jul 26)
- Re: Linux kernel: powerpc: KVM guest to host memory corruption Michael Ellerman (Jul 27)
- security advisory 2021-01 for PowerDNS Authoritative Server 4.5.0 Peter van Dijk (Jul 26)
- replay-sorcery: CVE-2021-36983: kms service in version 0.6.0 allows local root exploit and other local attack vectors Matthias Gerstner (Jul 27)
- ANNOUNCE: fetchmail <= 6.4.19 security announcement 2021-01 (CVE-2021-36386) - fetchmail 6.4.20 released. DoS or information disclosure in some configurations Matthias Andree (Jul 28)
- [SECURITY] CVE-2021-37578 Apache jUDDI Remote code execution Alex O'Ree (Jul 29)
- [OSSA-2021-002] Nova: Open Redirect in noVNC proxy (CVE-2021-3654) Jeremy Stanley (Jul 29)
- <Possible follow-ups>
- [OSSA-2021-002] Nova: Open Redirect in noVNC proxy (CVE-2021-3654) Jeremy Stanley (Sep 27)
- Node.js: Security updates for all active release lines, 30 July 2021 Daniel Bevenius (Jul 29)
- GPSD time will jump back 1024 weeks after week=2180 (23-October-2021) Bernd Zeimetz (Aug 01)
- [CVE-2021-34556,CVE-2021-35477] Linux kernel BPF protection against Speculative Store Bypass can be bypassed to disclose arbitrary kernel memory Piotr Krysiuk (Aug 01)
- Reminder: QtWebKit known vulnerabilities Alex Xu (Hello71) (Aug 04)
- Fwd: Node.js security updates for all active release lines, August 2021 Michael Dawson (Aug 05)
- Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Axel Beckert (Aug 06)
- Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Thorsten Glaser (Aug 07)
- Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Axel Beckert (Aug 07)
- SNI is a security vulnerability all by itself (was Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)) Thorsten Glaser (Aug 07)
- Re: Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Ariadne Conill (Aug 07)
- Re: [Lynx-dev] [oss-security] Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Thorsten Glaser (Aug 07)
- Re: Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Axel Beckert (Aug 07)
- Re: Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Ariadne Conill (Aug 07)
- Re: Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Axel Beckert (Aug 07)
- Re: Bug#991971: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Salvatore Bonaccorso (Aug 07)
- Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances) Thorsten Glaser (Aug 07)
- [SECURITY ADVISORY] c-ares: Missing input validation on hostnames returned by DNS servers Daniel Stenberg (Aug 09)
- STARTTLS vulnerabilities Hanno Böck (Aug 10)
- Re: STARTTLS vulnerabilities Guido Berhoerster (Aug 10)
- Re: STARTTLS vulnerabilities Hanno Böck (Aug 10)
- Re: STARTTLS vulnerabilities Eric Blake (Aug 11)
- Re: STARTTLS vulnerabilities Hanno Böck (Aug 11)
- Re: STARTTLS vulnerabilities Eric Blake (Aug 16)
- Re: STARTTLS vulnerabilities Eric Blake (Aug 18)
- Re: STARTTLS vulnerabilities Matthew Wild (Aug 11)
- Re: STARTTLS vulnerabilities Hanno Böck (Aug 11)
- Re: STARTTLS vulnerabilities Matthew Wild (Aug 11)
- Re: STARTTLS vulnerabilities Hanno Böck (Aug 10)
- Re: STARTTLS vulnerabilities Guido Berhoerster (Aug 10)
- CVE-2021-21501: Apache ServiceComb: ServiceComb ServiceCenter Directory Traversal Willem Jiang (Aug 10)
- [OSSA-2021-003] Keystone: Account name and UUID oracles in account locking (CVE-2021-38155) Jeremy Stanley (Aug 10)
- firebase/php-jwt Algorithm Confusion with Key IDs Paragon Initiative Enterprises Security Team (Aug 11)
- CVE-2021-20314: Remote stack buffer overflow in libspf2 Philipp Jeitner (SIT) (Aug 11)
- Re: CVE-2021-20314: Remote stack buffer overflow in libspf2 Sam James (Aug 12)
- [CVE-2021-37608] Arbitrary file upload vulnerability in OFBiz jleroux () apache org (Aug 11)
- CVE-2021-35936: Apache Airflow: No Authentication on Logging Server Kaxil Naik (Aug 14)
- kopano-core 11.0.2.43: Remote authenticated DoS with unhandled exception Jan Engelhardt (Aug 14)
- [CVE-2021-3653, CVE-2021-3656] SVM nested virtualization issues in KVM Mauro Matteo Cascella (Aug 16)
- Re: Linux kernel: nfc: null ptr dereference in llcp_sock_getname butt3rflyh4ck (Aug 17)
- Re: Linux kernel: nfc: null ptr dereference in llcp_sock_getname Salvatore Bonaccorso (Aug 17)
- Re: Linux kernel: nfc: null ptr dereference in llcp_sock_getname Mohammad Tausif Siddiqui (Aug 24)
- Re: Linux kernel: nfc: null ptr dereference in llcp_sock_getname Salvatore Bonaccorso (Aug 17)
- [OSSA-2021-004] Neutron: Linuxbridge ARP filter bypass on Netfilter platforms (CVE-2021-38598) Jeremy Stanley (Aug 17)
- CVE-2021-33580: Apache Roller: regex injection leading to DoS Dave (Aug 17)
- ISC has disclosed a vulnerability in BIND (CVE-2021-25218) Michael McNally (Aug 18)
- [CVE-2021-22942] Possible Open Redirect in Host Authorization Middleware Aaron Patterson (Aug 19)
- August BIND maintenance releases contain a defect affecting servers using the map zone file format (was: A vulnerability in BIND (CVE-2021-25218) will be announced 18 August 2021) Michael McNally (Aug 20)
- CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613 Joe Orton (Aug 23)
- CVE-2021-33191: Apache NiFi - MiNiFi C++: MiNiFi CPP arbitrary script execution is possible on the agent's host machine through the c2 protocol Arpad Boda (Aug 24)
- Oracle Solaris membership in the distros list Alan Coopersmith (Aug 24)
- Re: Oracle Solaris membership in the distros list Solar Designer (Sep 06)
- Re: Oracle Solaris membership in the distros list Alan Coopersmith (Sep 14)
- Re: Oracle Solaris membership in the distros list Solar Designer (Sep 17)
- Re: Oracle Solaris membership in the distros list Alan Coopersmith (Sep 14)
- Re: Oracle Solaris membership in the distros list Solar Designer (Sep 06)
- Possible memory leak on getspnam / getspnam_r Jean Diogo (Aug 25)
- Re: Possible memory leak on getspnam / getspnam_r Travis Finkenauer (Aug 25)
- Message not available
- Re: Possible memory leak on getspnam / getspnam_r Jean D'Elboux (Aug 26)
- Message not available
- Re: Possible memory leak on getspnam / getspnam_r Travis Finkenauer (Aug 25)
- Re: Possible memory leak on getspnam / getspnam_r Solar Designer (Sep 06)
- Re: Linux kernel: qrtr: another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c John Haxby (Aug 26)
- Re: Linux kernel: qrtr: another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c butt3rflyh4ck (Aug 26)
- Re: Linux kernel: qrtr: another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c butt3rflyh4ck (Aug 27)
- Re: Linux kernel: qrtr: another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c butt3rflyh4ck (Aug 27)
- <Possible follow-ups>
- Fwd: Node.js security updates for versions 12.x, and 14.x releases lines, August 31 2021 Daniel Bevenius (Aug 31)
- Re: Containers-optimized OS (COS) membership in the linux-distros list Solar Designer (Sep 17)
- Re: Containers-optimized OS (COS) membership in the linux-distros list Kees Cook (Sep 18)
- Re: Containers-optimized OS (COS) membership in the linux-distros list Oleksandr Tymoshenko (Sep 21)
- Re: Containers-optimized OS (COS) membership in the linux-distros list Solar Designer (Sep 21)