oss-sec: by date

212 messages starting Jan 03 22 and ending Mar 31 22

Monday, 03 January

CVE-2021-34797: Apache Geode project log file redaction of sensitive information vulnerability Kirk Lund
CVE-2021-38542: Apache James vulnerable to STARTTLS command injection (IMAP and POP3) Benoit Tellier
CVE-2021-40110: Apache James IMAP vulnerable to a ReDoS Benoit Tellier
CVE-2021-40111: Apache James IMAP parsing Denial Of Service Benoit Tellier
CVE-2021-40525: Apache James: Sieve file storage vulnerable to path traversal attacks Benoit Tellier

Tuesday, 04 January

Django security releases issued: 4.0.1, 3.2.11, and 2.2.26 (Multiple CVEs) Carlton Gibson
Fwd: Node.js security updates for all active release lines, January 2022 Bryan English

Wednesday, 05 January

CVE-2021-36737: Apache Portals: XSS in V3 Demo Portlet Neil Griffin
CVE-2021-36738: XSS vulnerability in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet Neil Griffin
CVE-2021-36739: Apache Portals: XSS vulnerability in the MVCBean JSP portlet maven archetype Neil Griffin

Thursday, 06 January

CVE-2021-45456: Apache Kylin: Command injection Xiaoxiang Yu
CVE-2021-45457: Apache Kylin: Overly broad CORS configuration Xiaoxiang Yu
CVE-2021-45458: Apache Kylin: Hardcoded credentials Xiaoxiang Yu
CVE-2021-31522: Apache Kylin unsafe class loading Xiaoxiang Yu
CVE-2021-36774: Apache Kylin: Mysql JDBC Connector Deserialize RCE Xiaoxiang Yu
CVE-2021-27738: Apache Kylin: Improper Access Control to Streaming Coordinator & SSRF Xiaoxiang Yu
CVE-2021-43045: Apache Avro: Possible DOS vulnerabilities in C# Avro SDK Ryan Skraba

Monday, 10 January

CVE-2021-4155 kernel: xfs: raw block device data leak in ioctl(XFS_IOC_ALLOCSP) Rohit Keshri
CVE-2021-3997: Uncontrolled recursion in systemd's systemd-tmpfiles Qualys Security Advisory

Tuesday, 11 January

Re: CVE-2021-3997: Uncontrolled recursion in systemd's systemd-tmpfiles Sam James
Re: CVE-2021-3997: Uncontrolled recursion in systemd's systemd-tmpfiles Sam James
Fwd: Node.js security updates for all active release lines, January 2022 Bryan English
CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability tr3e wang
CVE-2021-3979 ceph: Ceph volume does not honour osd_dmcrypt_key_size Ana McTaggart
[SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections Mike Jumper
[SECURITY] CVE-2021-43999: Apache Guacamole: Improper validation of SAML responses Mike Jumper

Wednesday, 12 January

Re: CVE-2021-3979 ceph: Ceph volume does not honour osd_dmcrypt_key_size Jeffrey Walton
Re: CVE-2021-3979 ceph: Ceph volume does not honour osd_dmcrypt_key_size John Helmert III
Re: CVE-2021-3979 ceph: Ceph volume does not honour osd_dmcrypt_key_size Sven Kieske
CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS Ana Oprea
Re: CVE-2021-3979 ceph: Ceph volume does not honour osd_dmcrypt_key_size Ana McTaggart
Multiple vulnerabilities in Jenkins and Jenkins plugins Wadeck Follonier
Re: CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS John Helmert III

Thursday, 13 January

Linux Kernel eBPF Improper Input Validation Vulnerability tr3e wang
CVE-2021-4122: cryptsetup 2.x: decryption through LUKS2 reencryption crash recovery Milan Broz
Prosody XMPP server advisory 2022-01-13 (Remote Unauthenticated Denial of Service) (CVE request) Jonas Schäfer
Re: Prosody XMPP server advisory 2022-01-13 (Remote Unauthenticated Denial of Service) (CVE request) Jonas Schäfer
Re: Prosody XMPP server advisory 2022-01-13 (Remote Unauthenticated Denial of Service) (CVE-2022-0217) Jonas Schäfer

Friday, 14 January

Re: Linux Kernel eBPF Improper Input Validation Vulnerability tr3e wang
Null pointer deref in unzip 6.0 Nils Bars

Saturday, 15 January

Re: 3 new CVE's in vim Alan Coopersmith
Fuzzy CVE's in GNU inetutils Alan Coopersmith

Sunday, 16 January

Re: Fuzzy CVE's in GNU inetutils Salvatore Bonaccorso
wpa_supplicant/hostapd: SAE/EAP-pwd side-channel attack update 2 Jouni Malinen
Re: Fuzzy CVE's in GNU inetutils Alan Coopersmith
Re: CVE-2021-4095: kernel: KVM: NULL pointer dereference in kvm_dirty_ring_get() in virt/kvm/dirty_ring.c butt3rflyh4ck

Monday, 17 January

CVE-2021-42357: DOM based XSS Vulnerability in Apache Knox Larry McCay
Expat 2.4.3 released, includes 8 security fixes Alan Coopersmith

Tuesday, 18 January

Re: CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability tr3e wang
Re: Linux Kernel eBPF Improper Input Validation Vulnerability tr3e wang
CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x Ralph Goers
CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1 Ralph Goers
CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution. Ralph Goers
Re: Prosody XMPP server advisory 2022-01-13 (Remote Unauthenticated Denial of Service) (CVE request) Jonas Schäfer
Linux kernel: Heap buffer overflow in fs_context.c since version 5.1 Will
Re: Linux kernel: Heap buffer overflow in fs_context.c since version 5.1 John Haxby

Wednesday, 19 January

CVE-2021-45230: Apache Airflow: Creating DagRuns didn't respect Dag-level permissions in the Webserver Kaxil Naik

Thursday, 20 January

Race condition in the Rust standard library (CVE-2022-21658) Pietro Albini
CVE-2022-22733: Apache ShardingSphere ElasticJob-UI: Access-Token in ElasticJob UI causes password disclosure Haoran Meng
CVE-2021-45417 - aide (>= 0.13 <= 0.17.3): heap-based buffer overflow vulnerability in base64 functions Hannes von Haugwitz
Re: Prosody XMPP server advisory 2022-01-13 (Remote Unauthenticated Denial of Service) (CVE-2022-0217) Kim Alvefur

Friday, 21 January

usbview polkit policy local root exploit (CVE-2022-23220) Matthias Gerstner
WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 Carlos Alberto Lopez Perez

Saturday, 22 January

Re: usbview polkit policy local root exploit (CVE-2022-23220) Greg KH

Sunday, 23 January

Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 John Helmert III

Monday, 24 January

Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 Leo Famulari
CVE-2021-3996 and CVE-2021-3995 in util-linux's libmount Qualys Security Advisory
CVE-2022-23437: Infinite loop within Apache XercesJ xml parser Mukul Gandhi
CVE-2021-3998 and CVE-2021-3999 in glibc's realpath() and getcwd() Qualys Security Advisory
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 John Helmert III

Tuesday, 25 January

Multiple vulnerabilities in connman's dnsproxy component Matthias Gerstner
Xen Security Advisory 393 v2 (CVE-2022-23033) - arm: guest_physmap_remove_page not removing the p2m mappings Xen . org security team
Xen Security Advisory 394 v3 (CVE-2022-23034) - A PV guest could DoS Xen while unmapping a grant Xen . org security team
Xen Security Advisory 395 v2 (CVE-2022-23035) - Insufficient cleanup of passed-through device IRQs Xen . org security team
CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control Zhang Yonglun
CVE-2022-23945: Apache ShenYu missing authentication allows gateway registration Zhang Yonglun
CVE-2022-23223: Password leakage in Apache ShenYu Zhang Yonglun
CVE-2021-45029: Groovy Code Injection & SpEL Injection in Apache ShenYu 2.4.1 Zhang Yonglun
[SECURITY] New security advisory for CVE-2021-41766 released for Apache Karaf Jean-Baptiste Onofré
[SECURITY] New security advisory for CVE-2022-22932 Jean-Baptiste Onofré
pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Qualys Security Advisory
Linux kernel: Security sensitive bug in the i915 kernel driver (CVE-2022-0330) Tvrtko Ursulin
Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Sam James
CVE-2022-0185: Linux kernel slab out-of-bounds write: exploit and writeup Alejandro Guerrero
Re: CVE-2022-23944: Apache ShenYu 2.4.1 Improper access control Alan Coopersmith
Bad signal handling in shell scripts leading to insecure use of /tmp Jakub Wilk

Wednesday, 26 January

CVE-2021-45029: Apache ShenYu (incubating) Groovy Code Injection and SpEL Injection Zhang Yonglun
CVE-2022-23944: Apache ShenYu (incubating) Improper access control Zhang Yonglun
CVE-2022-23945: Apache ShenYu (incubating) missing authentication allows gateway registration Zhang Yonglun
CVE-2022-23223: Apache ShenYu (incubating) Password leakage Zhang Yonglun
Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Roman Medina-Heigl Hernandez
Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Henri Salo
Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Matthias Schmidt
Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Dominik Czarnota
Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Erik Auerswald

Thursday, 27 January

Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Chris Boot
Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Kai Lüke
Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Bastian Blank
CVE-2022-22942: Linux kernel: wrong file descriptor handling in the vmwgfx driver Mathias Krause
Linux kernel: erroneous error handling after fd_install() Mathias Krause
Re: CVE-2022-22942: Linux kernel: wrong file descriptor handling in the vmwgfx driver Mathias Krause

Friday, 28 January

keylime: Multiple Security Issues (including remote code execution in the Agent component) Matthias Gerstner

Saturday, 29 January

Linux kernel: use-after-free of user namespace on shm and mqueue destruction Mathias Krause
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 Leo Famulari
Re: Linux kernel: use-after-free of user namespace on shm and mqueue destruction Salvatore Bonaccorso

Sunday, 30 January

xterm buffer overflow via crafted sixel nick black
Re: xterm buffer overflow via crafted sixel Tavis Ormandy
General authentication bypass in Atheme IRC services with InspIRCd 3 Ed Kellett
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 Sam James
Re: xterm buffer overflow via crafted sixel Salvatore Bonaccorso

Monday, 31 January

Plone: cache poisoning in image_view_fullscreen Maurits van Rees
Re: Re: xterm buffer overflow via crafted sixel Jakub Wilk
CVE-2021-41571: Apache Pulsar: Pulsar Admin API allows access to data from other tenants using getMessageById API Enrico Olivelli
[SBA-ADV-20220127-01] CVE-2022-24129: Shibboleth Identity Provider OIDC OP Plugin 3.0.3 or below Server-Side Request Forgery SBA - Advisory
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 Carlos Alberto Lopez Perez
Samba 4.15.5, 4.14.12, 4.13.17 Security Releases John Helmert III

Tuesday, 01 February

Django: CVE-2022-22818: Possible XSS via {% debug %} template tag Mariusz Felisiak
Django: CVE-2022-23833: Denial-of-service possibility in file uploads Mariusz Felisiak
CVE-2021-44451: Apache Superset: API sensitive information leak Daniel Gaspar

Thursday, 03 February

Re: CVE-2022-22942: Linux kernel: wrong file descriptor handling in the vmwgfx driver Mathias Krause
CVE-2021-36152: Apache Gobblin: Insecure TrustManager used in LDAP connections Abhishek Tiwari
CVE-2021-36151: Apache Gobblin: Local Credentials Disclosure Vulnerability Abhishek Tiwari
ARTEMIS-3593: CVE-2022-23913: Apache ActiveMQ Artemis DoS Justin Bertram

Friday, 04 February

CVE-2022-0492: Linux kernel cgroups v1 missing capabilities check when setting release_agent Tabitha Sable
CVE-2022-23206: Apache Traffic Control: Server-Side Request Forgery in Traffic Ops endpoint POST /user/login/oauth Zach Hoffman

Monday, 07 February

CVE-2022-22931: Path traversal in Apache James Benoit Tellier
[CVE-2022-24450] nats-server unconstrained account assumption by authenticated clients Phil Pennock
Browser-mediated attacks on WebDriver servers Gabriel Corona

Wednesday, 09 February

Vulnerability in Jenkins Daniel Beck
WebKitGTK and WPE WebKit Security Advisory WSA-2022-0002 Carlos Alberto Lopez Perez

Thursday, 10 February

CVE-2022-0435: Remote Stack Overflow in Linux Kernel TIPC Module since 4.8 (net/tipc) Samuel Page

Friday, 11 February

CVE-2022-24289: Apache Cayenne: Deserialization of untrusted data in the Hessian Component of Apache Cayenne 4.1 with older Java versions Aristedes Maniatis
Linux kernel: Fix for KVM on s390, insufficient checks for ioctl Christian Borntraeger
CVE-2022-24112: Apache APISIX: apisix/batch-requests plugin allows overwriting the X-REAL-IP header Zexuan Luo
CVE-2021-44521: Apache Cassandra: Remote code execution for scripted UDFs Marcus Eriksson
[CVE-2022-23633] Possible exposure of information vulnerability in Action Pack Aaron Patterson
CVE-2021-44879: kernel:NULL pointer dereference in fs/f2fs/gc.c:move_data_page Wenqing Liu

Sunday, 13 February

Linux kernel: potential net namespace bug in IPv6 flow label management Liu, Congyu
Re: Linux kernel: potential net namespace bug in IPv6 flow label management Willem de Bruijn
Re: Linux kernel: potential net namespace bug in IPv6 flow label management Willem de Bruijn

Tuesday, 15 February

CVE-2022-21698: HTTP method DOS; Prometheus client_golang <1.11.1 affected; Other web servers might be affected too Bartek Plotka
Multiple vulnerabilities in Jenkins plugins Wadeck Follonier

Thursday, 17 February

WebKitGTK and WPE WebKit Security Advisory WSA-2022-0003 Carlos Alberto Lopez Perez
CVE-2021-44731: Race condition in snap-confine's setup_private_mount() Qualys Security Advisory

Friday, 18 February

CVE-2021-4115: polkit: file descriptor leak allows an unprivileged user to cause a crash. Devon Thompson
CVE-2021-4120: Insufficient validation of snap content interface and layout paths Alex Murray
Multiple vulnerabilities affecting cobbler Paolo Perego
Re: CVE-2021-3997: Uncontrolled recursion in systemd's systemd-tmpfiles Solar Designer
Re: CVE-2021-4115: polkit: file descriptor leak allows an unprivileged user to cause a crash. Alan Coopersmith
Re: CVE-2021-4115: polkit: file descriptor leak allows an unprivileged user to cause a crash. Alan Coopersmith

Saturday, 19 February

Expat 2.4.5 released, includes 5 security fixes Alan Coopersmith

Monday, 21 February

CVE-2022-25375 : Linux RNDIS USB Gadget memory extraction via packet filter Szymon Heidrich
Linux kernel: heap out of bounds write in nf_dup_netdev.c since 5.4 Nick Gregory
Re: Linux kernel: heap out of bounds write in nf_dup_netdev.c since 5.4 Salvatore Bonaccorso

Wednesday, 23 February

Re: CVE-2021-44731: Race condition in snap-confine's setup_private_mount() Wire Snark
Re: CVE-2021-44731: Race condition in snap-confine's setup_private_mount() Simon McVittie
Announce: OpenSSH 8.9 released Damien Miller
Fwd: Cyrus-SASL 2.1.28 released [fixes CVE-2022-24407 & CVE-2019-19906] Alan Coopersmith

Thursday, 24 February

fscrypt: Multiple File System Related Security Issues (CVE-2022-25326, CVE-2022-25327, CVE-2022-25328) Matthias Gerstner
CVE-2021-45229: Apache Airflow: Reflected XSS via Origin Query Argument in URL Jedidiah Cunningham
CVE-2022-24288: Apache Airflow: RCE in example DAGs Jedidiah Cunningham
Re: fscrypt: Multiple File System Related Security Issues (CVE-2022-25326, CVE-2022-25327, CVE-2022-25328) Eric Biggers

Friday, 25 February

[CVE-2022-24947] Apache JSPWiki CSRF Account Takeover Juan Pablo Santos Rodríguez
[CVE-2022-24948] Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen Juan Pablo Santos Rodríguez
CVE-2022-24986: KCron: Insecure temporary file handling Carlos López

Wednesday, 02 March

CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes Karp, Samuel

Thursday, 03 March

DNS rebinding on ReadyMedia/minidlna v1.3.0 and below Gabriel Corona

Friday, 04 March

CVE-2022-26336: poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception PJ Fanning
CVE-2022-25312: An XML external entity (XXE) injection vulnerability exists in the Apache Any23 RDFa XSLTStylesheet extractor lewis john mcgibbney

Sunday, 06 March

Re: DNS rebinding on ReadyMedia/minidlna v1.3.0 and below Gabriel Corona

Monday, 07 March

CVE-2022-0847: Linux kernel: overwriting read-only files Max Kellermann

Tuesday, 08 March

Xen Security Advisory 398 v1 - Multiple speculative security issues Xen . org security team

Thursday, 10 March

CVE-2022-26652: nats-server arbitrary file write Phil Pennock
Xen Security Advisory 396 v3 (CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042) - Linux PV device frontends vulnerable to attacks by backends Xen . org security team
Grant Opportunities to Protect Open Source Deepesh Chaudhari

Friday, 11 March

CVE-2022-26878: Memory leak in Linux VirtIO Bluetooth driver Sönke Huster

Sunday, 13 March

Memory leak in Linux HID-elo driver Dongliang Mu

Monday, 14 March

CVE-2022-23943: Apache HTTP Server: mod_sed: Read/write beyond bounds Stefan Eissing
CVE-2022-22721: Apache HTTP Server: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody Stefan Eissing
CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier Stefan Eissing
CVE-2022-22719: Apache HTTP Server: mod_lua Use of uninitialized value of in r:parsebody Stefan Eissing

Tuesday, 15 March

CVE-2022-26779: Apache Cloudstack insecure random number generation affects project email invitation Daan
Multiple vulnerabilities in Jenkins plugins Daniel Beck
CVE-2022-0742: Remote Denial of Service on Linux Kernel >=5.13 icmp6 sirdarckcat .

Wednesday, 16 March

Fwd: Node.js security updates for all active release lines, March 2022 Joe Sepi
Four vulnerabilities disclosed in BIND (CVE-2021-25220, CVE-2022-0396, CVE-2022-0635 and CVE-2022-0667) Everett B. Fulton

Thursday, 17 March

Linux Kernel 5.15-rc-ksmbd-part2 is affected by: Buffer Overflow. The impact is: use-after-free (local). 王明义
Re: Linux Kernel 5.15-rc-ksmbd-part2 is affected by: Buffer Overflow. The impact is: use-after-free (local). Filip Palian

Friday, 18 March

Fwd: Node.js security updates for all active release lines, March 2022 Joe Sepi
Xen Security Advisory 398 v2 - Multiple speculative security issues Xen . org security team

Wednesday, 23 March

Lack of TLS certification chain validation in ZAP Proxy Gabriel Corona
zlib memory corruption on deflate (i.e. compress) Tavis Ormandy

Thursday, 24 March

Re: zlib memory corruption on deflate (i.e. compress) Petr Štetiar
Re: Lack of TLS certification chain validation in ZAP Proxy Gabriel Corona

Friday, 25 March

Security Advisory 2022-01 for PowerDNS Authoritative Server 4.4.2, 4.5.3, 4.6.0 and PowerDNS Recursor 4.4.7, 4.5.7, 4.6.0 Otto Moerbeek
Re: zlib memory corruption on deflate (i.e. compress) John Helmert III

Saturday, 26 March

Re: zlib memory corruption on deflate (i.e. compress) Tavis Ormandy

Sunday, 27 March

Re: zlib memory corruption on deflate (i.e. compress) Eric Biggers
Re: zlib memory corruption on deflate (i.e. compress) Adler, Mark
Re: zlib memory corruption on deflate (i.e. compress) ariel . byd
Re: zlib memory corruption on deflate (i.e. compress) Eric Biggers

Monday, 28 March

Re: zlib memory corruption on deflate (i.e. compress) Eric Biggers
CVE-2022-25757: Apache APISIX: the body_schema check in request-validation plugin can be bypassed Zexuan Luo
Re: Re: zlib memory corruption on deflate (i.e. compress) Tavis Ormandy
Linux Kernel: Race Condition in snd_pcm_hw_free leading to use-after-free Hu Jiahui
Linux kernel: CVE-2022-1015,CVE-2022-1016 in nf_tables cause privilege escalation, information leak David Bouman

Tuesday, 29 March

Multiple vulnerabilities in Jenkins plugins Daniel Beck
Re: zlib memory corruption on deflate (i.e. compress) Alan Coopersmith

Wednesday, 30 March

SpringShell and recent OpenJDK updates Jeffrey Walton
Re: SpringShell and recent OpenJDK updates Seth Arnold
Re: SpringShell and recent OpenJDK updates Alan Coopersmith

Thursday, 31 March

Re: SpringShell and recent OpenJDK updates Kevin Decherf