oss-sec: by thread
182 messages starting Oct 03 21 and ending Dec 28 21
- Supply Chain Security and Tar Samanta Navarro (Oct 03)
- CVE-2021-28116 / ZDI-CAN-11610 / SQUID-2020:12 Out-Of-Bounds memory access in WCCPv2 Amos Jeffries (Oct 03)
- Re: 3 new CVE's in vim Alan Coopersmith (Oct 04)
- Re: 3 new CVE's in vim Alex Gaynor (Oct 04)
- Re: 3 new CVE's in vim Alan Coopersmith (Oct 04)
- Re: 3 new CVE's in vim Alex Gaynor (Oct 04)
- Moby (Docker Engine) CVE-2021-41089 Karp, Samuel (Oct 04)
- CVE-2021-41524: Apache HTTP Server: null pointer dereference in h2 fuzzing Stefan Eissing (Oct 05)
- CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 Stefan Eissing (Oct 05)
- RE: CVE-2021-41773: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 Tim Wadhwa-Brown (twadhwab) (Oct 07)
- Fwd: Node.js security updates for all active release lines, October 2021 Matteo Collina (Oct 05)
- CVE-2021-39226 Grafana snapshot authentication bypass Richard Hartmann (Oct 05)
- Xen Security Advisory 386 v1 (CVE-2021-28702) - PCI devices with RMRRs not deassigned correctly Xen . org security team (Oct 05)
- Multiple vulnerabilities in Jenkins and Jenkins plugins Wadeck Follonier (Oct 06)
- <Possible follow-ups>
- Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck (Nov 04)
- Xen Security Advisory 386 v2 (CVE-2021-28702) - PCI devices with RMRRs not deassigned correctly Xen . org security team (Oct 07)
- CVE-2021-33035: Apache OpenOffice: Buffer overflow from a crafted DBF file Dave Fisher (Oct 07)
- CVE-2021-40439: Apache OpenOffice: Billion Laughs Dave Fisher (Oct 07)
- CVE-2021-28129: DEB packaging for Apache OpenOffice 4.1.8 installed with a non-root userid and groupid Dave Fisher (Oct 07)
- CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Stefan Eissing (Oct 07)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Roman Medina-Heigl Hernandez (Oct 07)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Yann Ylavic (Oct 08)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Solar Designer (Oct 08)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Yann Ylavic (Oct 08)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Solar Designer (Oct 08)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Yann Ylavic (Oct 08)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Roman Medina-Heigl Hernandez (Oct 09)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Yann Ylavic (Oct 11)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Roman Medina-Heigl Hernandez (Oct 15)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Yann Ylavic (Oct 15)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Yann Ylavic (Oct 08)
- Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) Roman Medina-Heigl Hernandez (Oct 07)
- CVE-2021-41830: Apache OpenOffice: Double Certificate Attack Dave Fisher (Oct 11)
- CVE-2021-41831: Apache OpenOffice: Timestamp Manipulation with Signature Wrapping Dave Fisher (Oct 11)
- CVE-2021-41832: Apache OpenOffice: Content Manipulation with Certificate Validation Attack Dave Fisher (Oct 11)
- CVE-2021-42009: Apache Traffic Control Arbitrary Email Content Insertion in /deliveryservices/request Eric Friedrich (Oct 12)
- CVE-2021-38295 Apache CouchDB <= 3.1.1 privilege escalation Jan Lehnardt (Oct 12)
- CVE-2021-42340: Apache Tomcat: DoS via memory leak with WebSocket connections Mark Thomas (Oct 14)
- CVE-2021-42257: check_smart.pl: unprivileged user can alter hard drive settings Wolfgang Frisch (Oct 14)
- CVE-2021-3847: OverlayFS - Potential Privilege Escalation using overlays copy_up Alon Zahavi (Oct 14)
- Re: CVE-2021-3847: OverlayFS - Potential Privilege Escalation using overlays copy_up halfdog (Oct 18)
- Re: CVE-2021-3847: OverlayFS - Potential Privilege Escalation using overlays copy_up Miklos Szeredi (Oct 19)
- Re: CVE-2021-3847: OverlayFS - Potential Privilege Escalation using overlays copy_up Thadeu Lima de Souza Cascardo (Oct 19)
- Re: CVE-2021-3847: OverlayFS - Potential Privilege Escalation using overlays copy_up Miklos Szeredi (Oct 20)
- Re: CVE-2021-3847: OverlayFS - Potential Privilege Escalation using overlays copy_up Thadeu Lima de Souza Cascardo (Oct 19)
- CVE-2021-32609: Apache Superset: XSS vulnerability on Explore page Daniel Gaspar (Oct 15)
- CVE-2021-41971: Apache Superset: Possible SQL Injection when template processing is enabled Daniel Gaspar (Oct 15)
- Linux kernel: isdn: cpai: array-index-out-of-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c butt3rflyh4ck (Oct 19)
- Core-dump handing issues with suid binaries Itai Greenhut (Oct 20)
- CVE-2021-38294: Apache Storm: Shell Command Injection Vulnerability in Nimbus Thrift Server Derek Dagit (Oct 21)
- CVE-2021-40865: Apache Storm: Unsafe Pre-Authentication Deserialization In Workers Derek Dagit (Oct 21)
- [kubernetes] CVE-2021-25742: Ingress-nginx custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces CJ Cullen (Oct 21)
- Mailman 2.1.35 security release Alan Coopersmith (Oct 21)
- Linux kernel: powerpc: KVM guest can trigger host crash on Power8 Michael Ellerman (Oct 25)
- Re: Linux kernel: powerpc: KVM guest can trigger host crash on Power8 John Paul Adrian Glaubitz (Oct 26)
- Re: Linux kernel: powerpc: KVM guest can trigger host crash on Power8 John Paul Adrian Glaubitz (Oct 28)
- Re: Linux kernel: powerpc: KVM guest can trigger host crash on Power8 John Paul Adrian Glaubitz (Oct 28)
- Re: Linux kernel: powerpc: KVM guest can trigger host crash on Power8 John Paul Adrian Glaubitz (Oct 28)
- Re: Linux kernel: powerpc: KVM guest can trigger host crash on Power8 Salvatore Bonaccorso (Oct 27)
- Re: Linux kernel: powerpc: KVM guest can trigger host crash on Power8 John Paul Adrian Glaubitz (Oct 26)
- [ES2021-05] FreeSWITCH vulnerable to SIP digest leak for configured gateways Sandro Gauci (Oct 25)
- [ES2021-08] FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default Sandro Gauci (Oct 25)
- [ES2021-06] FreeSWITCH susceptible to Denial of Service via SIP flooding Sandro Gauci (Oct 25)
- [ES2021-09] FreeSWITCH susceptible to Denial of Service via invalid SRTP packets Sandro Gauci (Oct 25)
- [ES2021-07] FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing Sandro Gauci (Oct 25)
- CVE-2021-3760: Linux kernel: Use-After-Free vulnerability of ndev->rf_conn_info object Lin Horse (Oct 26)
- Re: CVE-2021-3760: Linux kernel: Use-After-Free vulnerability of ndev->rf_conn_info object Solar Designer (Oct 26)
- Re: CVE-2021-3760: Linux kernel: Use-After-Free vulnerability of ndev->rf_conn_info object Lin Horse (Oct 26)
- Re: CVE-2021-3760: Linux kernel: Use-After-Free vulnerability of ndev->rf_conn_info object Solar Designer (Oct 26)
- Re: CVE-2021-3760: Linux kernel: Use-After-Free vulnerability of ndev->rf_conn_info object Thadeu Lima de Souza Cascardo (Oct 26)
- RE: CVE-2021-3760: Linux kernel: Use-After-Free vulnerability of ndev->rf_conn_info object Anthony Liguori (Oct 26)
- Re: CVE-2021-3760: Linux kernel: Use-After-Free vulnerability of ndev->rf_conn_info object Roxana Bradescu (Oct 28)
- Re: CVE-2021-3760: Linux kernel: Use-After-Free vulnerability of ndev->rf_conn_info object Lin Horse (Oct 26)
- Re: CVE-2021-3760: Linux kernel: Use-After-Free vulnerability of ndev->rf_conn_info object Solar Designer (Oct 26)
- CVE-2021-21703: PHP-FPM 5.3.7 <= 8.0.12 Local Root Charles Fol (Oct 26)
- WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 Carlos Alberto Lopez Perez (Oct 26)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 Salvatore Bonaccorso (Oct 26)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 Francis Perron (Oct 27)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 Alberto Garcia (Oct 27)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 Samuel Groß (Oct 27)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 Salvatore Bonaccorso (Oct 27)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 Salvatore Bonaccorso (Oct 31)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 Francis Perron (Oct 27)
- Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 Salvatore Bonaccorso (Oct 26)
- spacewalk-admin: CVE-2021-40348: arbitrary local code execution by 'tomcat' user via rhn-config-satellite.pl Paolo Perego (Oct 28)
- CVE website transition from cve.mitre.org to cve.org Alan Coopersmith (Oct 29)
- CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code Pietro Albini (Oct 31)
- Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code Jakub Wilk (Nov 01)
- Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code Dave Horsfall (Nov 01)
- [ANNOUNCE] Apache MINA 2.0.22 & 2.1.5 released Emmanuel Lecharny (Nov 01)
- CVE-2021-27644: Apache DolphinScheduler: DolphinScheduler mysql jdbc connector parameters deserialize remote code execution Calvin Kirs (Nov 01)
- Trojan Source Attacks Nicholas Boucher (Nov 01)
- Re: Trojan Source Attacks Jan Engelhardt (Nov 01)
- Re: Trojan Source Attacks Perry E. Metzger (Nov 01)
- Re: Trojan Source Attacks Jan Engelhardt (Nov 01)
- Re: Trojan Source Attacks Siddhesh Poyarekar (Nov 01)
- Re: Trojan Source Attacks Stuart D Gathman (Nov 02)
- Re: Trojan Source Attacks Seth Arnold (Nov 02)
- Re: Trojan Source Attacks Santiago Torres (Nov 01)
- Re: Trojan Source Attacks Perry E. Metzger (Nov 01)
- Re: Trojan Source Attacks David A. Wheeler (Nov 02)
- Re: Trojan Source Attacks Josh Bressers (Nov 02)
- Re: Trojan Source Attacks David A. Wheeler (Nov 02)
- Re: Trojan Source Attacks Michael Orlitzky (Nov 02)
- Re: Trojan Source Attacks Josh Bressers (Nov 02)
- Re: Trojan Source Attacks Stuart D Gathman (Nov 02)
- Re: Trojan Source Attacks Georgi Guninski (Nov 04)
- Re: Trojan Source Attacks Leonid Isaev (ifax) (Nov 04)
- Re: Trojan Source Attacks Jan Engelhardt (Nov 01)
- CVE-2021-41973: Apache MINA HTTP listener DOS Emmanuel Lecharny (Nov 01)
- Barrier "software KVM switch" multiple remote security issues Matthias Gerstner (Nov 02)
- Apache Traffic Server is vulnerable to various smuggle, DOS, and validation attacks Bryan Call (Nov 02)
- CVE-2021-41174 Grafana XSS vulnerability Daniel Lee (Nov 03)
- [CVE-2021-43523] Incorrect handling of special characters in domain names in uclibc and uclibc-ng Philipp Jeitner (SIT) (Nov 09)
- Trovent Security Advisory 2105-02 / CVE-2021-33618: Stored cross-site scripting in Dolibarr ERP & CRM Stefan Pietsch (Nov 10)
- Trovent Security Advisory 2106-01 / CVE-2021-33816: Authenticated remote code execution in Dolibarr ERP & CRM Stefan Pietsch (Nov 10)
- Fwd: Samba 4.15.2, 4.14.10, 4.13.14 Security Releases are available for Download Solar Designer (Nov 10)
- CVE-2021-26558: Apache ShardingSphere-UI: Deserialization of Untrusted Data Juan Pan (Nov 11)
- CVE-2021-41972: Apache Superset: Credentials leak Daniel Gaspar (Nov 11)
- CVE-2021-43350: Apache Traffic Control: LDAP filter injection vulnerability in Traffic Ops Zach Hoffman (Nov 11)
- <Possible follow-ups>
- Re: CVE-2021-43350: Apache Traffic Control: LDAP filter injection vulnerability in Traffic Ops Zach Hoffman (Nov 11)
- Re: CVE-2021-43350: Apache Traffic Control: LDAP filter injection vulnerability in Traffic Ops Zach Hoffman (Nov 17)
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Nov 12)
- Grafana 8.2.4 released with security fixes Vardan Torosyan (Nov 15)
- CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication Liang Liu (Nov 16)
- CVE-2021-42250: Apache Superset: Possible log injection Daniel Gaspar (Nov 17)
- CVE-2021-36372: Apache Ozone: Original block tokens are persisted and can be retrieved Siddharth Wagle (Nov 19)
- CVE-2021-39231: Apache Ozone: Missing authentication/authorization on internal RPC endpoints Siddharth Wagle (Nov 19)
- CVE-2021-39232: Apache Ozone: Missing admin check for SCM related admin commands Siddharth Wagle (Nov 19)
- CVE-2021-39233: Apache Ozone: Container-related datanode operations can be called without authorization Siddharth Wagle (Nov 19)
- CVE-2021-39234: Apache Ozone: Raw block data can be read bypassing ACL/authorization Siddharth Wagle (Nov 19)
- CVE-2021-39235: Apache Ozone: Access mode of block tokens are not enforced Siddharth Wagle (Nov 19)
- CVE-2021-39236: Apache Ozone: Owners of the S3 tokens are not validated Siddharth Wagle (Nov 19)
- CVE-2021-41532: Apache Ozone: Unauthenticated access to Ozone Recon HTTP endpoints Siddharth Wagle (Nov 19)
- Xen Security Advisory 390 v1 (CVE-2021-28710) - certain VT-d IOMMUs may not work in shared page table mode Xen . org security team (Nov 19)
- CVE-2021-41190 OCI distribution and image spec: "content-type" confusion Vincent Batts (Nov 19)
- CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable Zexuan Luo (Nov 22)
- Re: CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable Marcin Niemiec (Nov 22)
- Re: CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable Zhiyuan Ju (Nov 23)
- [CVE-2021-40369] Apache JSPWiki Cross-site scripting vulnerability on Denounce plugin Juan Pablo Santos Rodríguez (Nov 23)
- [CVE-2021-44140] Apache JSPWiki Arbitrary file deletion on logout Juan Pablo Santos Rodríguez (Nov 23)
- Xen Security Advisory 385 v2 (CVE-2021-28706) - guests may exceed their designated memory limit Xen . org security team (Nov 23)
- Xen Security Advisory 389 v3 (CVE-2021-28705,CVE-2021-28709) - issues with partially successful P2M updates on x86 Xen . org security team (Nov 23)
- Xen Security Advisory 387 v2 (CVE-2021-28703) - grant table v2 status pages may remain accessible after de-allocation (take two) Xen . org security team (Nov 23)
- Xen Security Advisory 388 v3 (CVE-2021-28704,CVE-2021-28707,CVE-2021-28708) - PoD operations on misaligned GFNs Xen . org security team (Nov 23)
- CVE-2021-4002: Linux kernel: Missing TLB flush on hugetlbfs Nadav Amit (Nov 25)
- IMA gadgets Florian Weimer (Nov 30)
- Re: IMA gadgets Grant Taylor (Dec 01)
- Re: IMA gadgets Jens Timmerman (Dec 01)
- Re: IMA gadgets Johannes Segitz (Dec 01)
- Re: IMA gadgets Travis Finkenauer (Dec 01)
- Re: IMA gadgets Grant Taylor (Dec 01)
- CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS DER-encoded signatures Dennis Jackson (Dec 01)
- Re: CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS DER-encoded signatures Alan Coopersmith (Dec 01)
- Message not available
- Message not available
- Re: CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS DER-encoded signatures Kai Engert (Dec 01)
- Message not available
- Re: CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS DER-encoded signatures Alan Coopersmith (Dec 01)
- Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints Moritz Bechler (Dec 10)
- Re: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints Moritz Bechler (Dec 10)
- Re: CVE-2021-4104: Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2 Moritz Bechler (Dec 13)
- Re: Fwd: X.Org Security Advisory: December 14, 2021 Alan Coopersmith (Dec 14)
- Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack Jeffrey Walton (Dec 15)