oss-sec: by thread
356 messages starting Oct 01 23 and ending Dec 30 23
- Re: Rust programs in distrbutions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) Demi Marie Obenour (Oct 01)
- Re: Rust programs in distrbutions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) Michael Orlitzky (Oct 02)
- Re: Haskell programs in distributions (was: Rust programs in distrbutions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx)) Erik Auerswald (Oct 01)
- linux-distros list membership application - CIQ Rocky Linux Security Team Solar Designer (Oct 01)
- Re: linux-distros list membership application - CIQ Rocky Linux Security Team Solar Designer (Oct 11)
- Re: linux-distros list membership application - CIQ Rocky Linux Security Team Vegard Nossum (Oct 12)
- Re: linux-distros list membership application - CIQ Rocky Linux Security Team Neal Gompa (Oct 13)
- Re: linux-distros list membership application - CIQ Rocky Linux Security Team Martin Hecht (Oct 13)
- Re: linux-distros list membership application - CIQ Rocky Linux Security Team Neal Gompa (Oct 14)
- Re: linux-distros list membership application - CIQ Rocky Linux Security Team Jeremy Stanley (Oct 14)
- Re: linux-distros list membership application - CIQ Rocky Linux Security Team Solar Designer (Oct 14)
- Re: linux-distros list membership application - CIQ Rocky Linux Security Team Morten Linderud (Oct 17)
- Re: linux-distros list membership application - CIQ Rocky Linux Security Team Solar Designer (Oct 17)
- Re: linux-distros list membership application - CIQ Rocky Linux Security Team Solar Designer (Oct 14)
- Re: linux-distros list membership application - CIQ Rocky Linux Security Team Solar Designer (Oct 11)
- Re: Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann (Oct 01)
- Re: Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann (Oct 01)
- Re: Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann (Oct 02)
- Re: Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann (Oct 02)
- New Exim security release 4.96.2 (was: Exim4 MTA CVEs assigned from ZDI) Heiko Schlittermann (Oct 15)
- Re: Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann (Oct 02)
- <Possible follow-ups>
- Re: Exim4 MTA CVEs assigned from ZDI Salvatore Bonaccorso (Oct 04)
- RE: Exim4 MTA CVEs assigned from ZDI zdi () trendmicro com (Oct 04)
- Re: Exim4 MTA CVEs assigned from ZDI Fabian Keil (Oct 04)
- Re: Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann (Oct 05)
- Re: Exim4 MTA CVEs assigned from ZDI Solar Designer (Oct 05)
- RE: Exim4 MTA CVEs assigned from ZDI zdi () trendmicro com (Oct 05)
- Re: Exim4 MTA CVEs assigned from ZDI Salvatore Bonaccorso (Oct 05)
- Re: Exim4 MTA CVEs assigned from ZDI Cory McIntire (Oct 05)
- RE: Exim4 MTA CVEs assigned from ZDI zdi () trendmicro com (Oct 04)
- Re: Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann (Oct 01)
- Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx Ken Moffat (Oct 01)
- "Linux Kernel security demistified" Solar Designer (Oct 01)
- Re: "Linux Kernel security demistified" Jan Engelhardt (Oct 01)
- Re: "Linux Kernel security demistified" Greg KH (Oct 02)
- Re: "Linux Kernel security demistified" Loganaden Velvindron (Oct 02)
- Re: "Linux Kernel security demistified" Greg KH (Oct 02)
- Re: "Linux Kernel security demistified" Loganaden Velvindron (Oct 02)
- Re: "Linux Kernel security demistified" Willy Tarreau (Oct 04)
- Re: "Linux Kernel security demistified" Jean Luc Picard (Oct 06)
- Re: "Linux Kernel security demistified" Solar Designer (Oct 06)
- [CVE-2023-42754] null pointer dereference in Linux kernel ipv4 stack Kyle Zeng (Oct 02)
- Re: [CVE-2023-42754] null pointer dereference in Linux kernel ipv4 stack Solar Designer (Oct 02)
- Re: [CVE-2023-42754] null pointer dereference in Linux kernel ipv4 stack Kyle Zeng (Oct 02)
- Re: [CVE-2023-42754] null pointer dereference in Linux kernel ipv4 stack Solar Designer (Oct 02)
- Fwd: X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17 Alan Coopersmith (Oct 03)
- Re: Fwd: X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17 Alan Coopersmith (Oct 03)
- CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so Qualys Security Advisory (Oct 03)
- Re: CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so Solar Designer (Oct 03)
- Re: CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so Solar Designer (Oct 04)
- CVE-2023-4806, CVE-2023-5156: glibc: potential use-after-free in getaddrinfo() Solar Designer (Oct 03)
- Re: CVE-2023-4806, CVE-2023-5156: glibc: potential use-after-free in getaddrinfo() Rodrigo Freire (Oct 03)
- Re: CVE-2023-4806, CVE-2023-5156: glibc: potential use-after-free in getaddrinfo() Siddhesh Poyarekar (Oct 03)
- Re: CVE-2023-4806, CVE-2023-5156: glibc: potential use-after-free in getaddrinfo() Siddhesh Poyarekar (Oct 03)
- Re: CVE-2023-4806, CVE-2023-5156: glibc: potential use-after-free in getaddrinfo() Rodrigo Freire (Oct 03)
- Re: administrative tasks (was: illumos (or at least danmcd) membership in the distros list) Solar Designer (Oct 03)
- Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer (Oct 03)
- Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Andrew Cooper (Oct 03)
- Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Jeremy Stanley (Oct 03)
- Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Jean Luc Picard (Oct 03)
- Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer (Oct 03)
- Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Jean Luc Picard (Oct 04)
- Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer (Oct 04)
- Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Jeremy Stanley (Oct 03)
- <Possible follow-ups>
- Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer (Oct 03)
- Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Andrew Cooper (Oct 03)
- Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer (Oct 04)
- Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Andrew Cooper (Oct 03)
- Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Andrew Cooper (Oct 03)
- Wuffs (was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) Solar Designer (Oct 03)
- CVE-2023-4692, CVE-2023-4693: grub2: OOB write, read via specially crafted NTFS filesystem Solar Designer (Oct 04)
- Django: CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator Natalia Bidart (Oct 04)
- Cadence: Fixed /tmp path issues; no longer maintained by upstream (CVE-2023-43782, CVE-2023-43783) Matthias Gerstner (Oct 05)
- There is a curl "severity HIGH security problem" pre-announcement on GitHub Erik Auerswald (Oct 05)
- Re: There is a curl "severity HIGH security problem" pre-announcement on GitHub Shawn Webb (Oct 05)
- Re: There is a curl "severity HIGH security problem" pre-announcement on GitHub Fabian Keil (Oct 05)
- Re: There is a curl "severity HIGH security problem" pre-announcement on GitHub Shawn Webb (Oct 05)
- European Union Cyber Resilience Act (CRA) David A. Wheeler (Oct 05)
- Re: European Union Cyber Resilience Act (CRA) Katherine Mcmillan (Oct 05)
- Re: European Union Cyber Resilience Act (CRA) Fabian Keil (Oct 08)
- Re: European Union Cyber Resilience Act (CRA) Jean Luc Picard (Oct 08)
- Re: European Union Cyber Resilience Act (CRA) Solar Designer (Oct 08)
- Re: European Union Cyber Resilience Act (CRA) Dirk-Willem van Gulik (Oct 09)
- Re: European Union Cyber Resilience Act (CRA) Jean Luc Picard (Oct 08)
- Meltdown-US / Meltdown 3a Remaining Leakage Daniel Weber (Oct 06)
- Re: Meltdown-US / Meltdown 3a Remaining Leakage Solar Designer (Oct 06)
- Re: Meltdown-US / Meltdown 3a Remaining Leakage Michael Schwarz (Oct 08)
- Re: Meltdown-US / Meltdown 3a Remaining Leakage Solar Designer (Oct 06)
- CVEs assigned for reachable assertions in avahi Alan Coopersmith (Oct 06)
- CVE-2023-45322: Use-after-free in libxml2 through 2.11.5 Alan Coopersmith (Oct 06)
- How can I join the linux-distros mailing list and become a representative? public1020 (Oct 07)
- Re: How can I join the linux-distros mailing list and become a representative? Solar Designer (Oct 09)
- CVE-2023-43641: out-of-bounds array access in libcue 2.2.1 Kevin Backhouse (Oct 09)
- Xen Security Advisory 440 v3 (CVE-2023-34323) - xenstored: A transaction conflict can crash C Xenstored Xen . org security team (Oct 10)
- Xen Security Advisory 441 v4 (CVE-2023-34324) - Possible deadlock in Linux kernel event handling Xen . org security team (Oct 10)
- Xen Security Advisory 442 v2 (CVE-2023-34326) - x86/AMD: missing IOMMU TLB flushing Xen . org security team (Oct 10)
- Xen Security Advisory 444 v3 (CVE-2023-34327,CVE-2023-34328) - x86/AMD: Debug Mask handling Xen . org security team (Oct 10)
- Xen Security Advisory 443 v3 (CVE-2023-34325) - Multiple vulnerabilities in libfsimage disk handling Xen . org security team (Oct 10)
- CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Alan Coopersmith (Oct 10)
- Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Moritz Muehlenhoff (Oct 10)
- Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Jonathan Wright (Oct 13)
- Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Steffen Nurpmeso (Oct 13)
- Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Jonathan Wright (Oct 13)
- Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Alan Coopersmith (Oct 18)
- Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Alan Coopersmith (Oct 20)
- Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Moritz Muehlenhoff (Oct 10)
- CVE-2023-42794: Apache Tomcat: FileUpload: DoS due to accumulation of temporary files on Windows Mark Thomas (Oct 10)
- CVE-2023-42795: Apache Tomcat: Failure during request clean-up leads to sensitive data leaking to subsequent requests Mark Thomas (Oct 10)
- CVE-2023-45648: Apache Tomcat: Trailer header parsing too lenient Mark Thomas (Oct 10)
- [SECURITY ADVISORY] curl: CVE-2023-38545: SOCKS5 heap buffer overflow Daniel Stenberg (Oct 10)
- [SECURITY ADVISORY] curl: CVE-2023-38546 Daniel Stenberg (Oct 10)
- Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days. Joshua Rogers (Oct 11)
- Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days. Amos Jeffries (Oct 13)
- Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days. Joshua Rogers (Oct 13)
- Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days. Joshua Rogers (Oct 21)
- Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days. Joshua Rogers (Oct 13)
- Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days. Amos Jeffries (Oct 13)
- CVE-2023-44981: Apache ZooKeeper: Authorization bypass in SASL Quorum Peer Authentication Andor Molnar (Oct 11)
- Fwd: Node.js security updates for all active release lines, October 2023 midawson (Oct 12)
- NATS: 2023-01: Adding accounts for just the system account adds auth bypass Phil Pennock (Oct 13)
- Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass Salvatore Bonaccorso (Oct 28)
- Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass Phil Pennock (Oct 29)
- Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass Phil Pennock (Oct 30)
- Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass Phil Pennock (Oct 29)
- Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass Salvatore Bonaccorso (Oct 28)
- CVE-2023-42780: Apache Airflow: Improper access control vulnerability in the "List dag warnings" feature Ephraim Anierobi (Oct 13)
- CVE-2023-45348: Apache Airflow: Configuration information leakage vulnerability Ephraim Anierobi (Oct 13)
- CVE-2023-42792: Apache Airflow: Improper access control to DAG resources Ephraim Anierobi (Oct 13)
- CVE-2023-42663: Apache Airflow: Bypass permission verification to view task instances of other dags Ephraim Anierobi (Oct 13)
- Samba 4.19.1, 4.18.8 and 4.17.12 Security Releases are available for Download Alan Coopersmith (Oct 13)
- sandboxing,of upstream programs by distros Matthew Fernandez (Oct 14)
- Re: sandboxing,of upstream programs by distros Demi Marie Obenour (Oct 14)
- Re: sandboxing,of upstream programs by distros Matthew Fernandez (Oct 14)
- Re: sandboxing,of upstream programs by distros Solar Designer (Oct 21)
- Re: sandboxing,of upstream programs by distros Demi Marie Obenour (Oct 22)
- Re: sandboxing,of upstream programs by distros Bob Friesenhahn (Oct 22)
- Re: sandboxing,of upstream programs by distros Demi Marie Obenour (Oct 22)
- Re: sandboxing,of upstream programs by distros Bob Friesenhahn (Oct 22)
- Re: sandboxing,of upstream programs by distros Mickaël Salaün (Oct 22)
- Re: sandboxing,of upstream programs by distros Matthew Fernandez (Oct 22)
- Re: sandboxing,of upstream programs by distros Demi Marie Obenour (Oct 22)
- Re: sandboxing,of upstream programs by distros Demi Marie Obenour (Oct 14)
- CVE-2023-5178: Linux NVMe-oF/TCP Driver - UAF in `nvmet_tcp_free_crypto` Alon Zahavi (Oct 15)
- Re: distros list archive Solar Designer (Oct 15)
- linux-distros membership application of openEuler Aron Xu (Oct 15)
- Re: linux-distros membership application of openEuler Marcus Meissner (Oct 16)
- Re: linux-distros membership application of openEuler Greg KH (Oct 16)
- Re: linux-distros membership application of openEuler Demi Marie Obenour (Oct 16)
- Re: linux-distros membership application of openEuler Greg KH (Oct 16)
- Re: linux-distros membership application of openEuler Demi Marie Obenour (Oct 16)
- Re: linux-distros membership application of openEuler Alan Coopersmith (Oct 16)
- Re: linux-distros membership application of openEuler Demi Marie Obenour (Oct 16)
- Re: linux-distros membership application of openEuler Aron Xu (Oct 16)
- Re: linux-distros membership application of openEuler Greg KH (Oct 16)
- Re: linux-distros membership application of openEuler Aron Xu (Oct 16)
- Re: linux-distros membership application of openEuler Demi Marie Obenour (Oct 16)
- Re: linux-distros membership application of openEuler Tianyu Chen (Oct 16)
- Re: linux-distros membership application of openEuler Igor Seletskiy (Oct 16)
- Re: linux-distros membership application of openEuler Solar Designer (Dec 23)
- Re: linux-distros membership application of openEuler Igor Seletskiy (Dec 23)
- Re: linux-distros membership application of openEuler Alexander E. Patrakov (Dec 24)
- Re: linux-distros membership application of openEuler Solar Designer (Dec 25)
- Re: linux-distros membership application of openEuler Steffen Nurpmeso (Dec 25)
- Re: linux-distros membership application of openEuler Solar Designer (Dec 25)
- Re: linux-distros membership application of openEuler Greg KH (Dec 28)
- Re: linux-distros membership application of openEuler Demi Marie Obenour (Dec 28)
- Re: linux-distros membership application of openEuler Heiko Schlittermann (Oct 16)
- Re: linux-distros membership application of openEuler Greg KH (Oct 16)
- Re: linux-distros membership application of openEuler Steffen Nurpmeso (Oct 16)
- Re: linux-distros membership application of openEuler W. Wadepohl (Oct 17)
- Re: linux-distros membership application of openEuler Greg KH (Oct 16)
- Re: linux-distros membership application of openEuler Marcus Meissner (Oct 16)
- CVE-2023-20867: open-vm-tools: Authentication Bypass vulnerability in the vgauth module Solar Designer (Oct 15)
- Re: CVE-2023-20867: open-vm-tools: Authentication Bypass vulnerability in the vgauth module Demi Marie Obenour (Oct 16)
- CVE-2023-43666: Apache InLong: General user Unauthorized access User Management Charles Zhang (Oct 15)
- CVE-2023-43667: Apache InLong: Log Injection in Global functions Charles Zhang (Oct 15)
- CVE-2023-43668: Apache InLong: Jdbc Connection Security Bypass in InLong Charles Zhang (Oct 15)
- CVE-2023-45757: Apache bRPC: The builtin service rpcz page has an XSS attack vulnerability Wang Weibing (Oct 16)
- with firefox on X11, any page can pastejack you anytime turistu (Oct 17)
- Re: with firefox on X11, any page can pastejack you anytime Michael Orlitzky (Oct 18)
- Re: with firefox on X11, any page can pastejack you anytime Grant Taylor (Oct 18)
- Re: with firefox on X11, any page can pastejack you anytime Michael Orlitzky (Oct 18)
- Re: with firefox on X11, any page can pastejack you anytime Grant Taylor (Oct 18)
- Re: with firefox on X11, any page can pastejack you anytime Michael Orlitzky (Oct 18)
- Re: with firefox on X11, any page can pastejack you anytime Jan Engelhardt (Oct 18)
- Re: with firefox on X11, any page can pastejack you anytime Sam Bull (Oct 19)
- Re: with firefox on X11, any page can pastejack you anytime Steffen Nurpmeso (Oct 19)
- Re: with firefox on X11, any page can pastejack you anytime Sam Bull (Oct 19)
- Re: with firefox on X11, any page can pastejack you anytime Jeremy Stanley (Oct 19)
- Re: with firefox on X11, any page can pastejack you anytime Turistu (Oct 19)
- Re: with firefox on X11, any page can pastejack you anytime David Leadbeater (Oct 20)
- Re: with firefox on X11, any page can pastejack you anytime David Leadbeater (Oct 20)
- Re: with firefox on X11, any page can pastejack you anytime nightmare . yeah27 (Oct 20)
- Re: Re: with firefox on X11, any page can pastejack you anytime Steffen Nurpmeso (Oct 20)
- Re: with firefox on X11, any page can pastejack you anytime niekt0 (Oct 19)
- Re: with firefox on X11, any page can pastejack you anytime Jeffrey Walton (Oct 19)
- Re: with firefox on X11, any page can pastejack you anytime Donald Buczek (Oct 20)
- Re: with firefox on X11, any page can pastejack you anytime Michael Orlitzky (Oct 18)
- Re: with firefox on X11, any page can pastejack you anytime Turistu (Oct 20)
- Re: with firefox on X11, any page can pastejack you anytime Solar Designer (Oct 20)
- Re: with firefox on X11, any page can pastejack you anytime Turistu (Oct 20)
- Re: with firefox on X11, any page can pastejack you anytime Martin Hecht (Oct 24)
- Re: with firefox on X11, any page can pastejack you anytime Solar Designer (Oct 20)
- Re: with firefox on X11, any page can pastejack you anytime Turistu (Oct 26)
- upcoming release of OpenSSL 3.1.4 and 3.0.12 Solar Designer (Oct 17)
- Re: upcoming release of OpenSSL 3.1.4 and 3.0.12 Matt Caswell (Oct 18)
- Re: upcoming release of OpenSSL 3.1.4 and 3.0.12 Solar Designer (Oct 18)
- Re: upcoming release of OpenSSL 3.1.4 and 3.0.12 Matt Caswell (Oct 18)
- Vulnerability in Jenkins Daniel Beck (Oct 18)
- CVE-2023-46227: Apache inlong has an Arbitrary File Read Vulnerability Charles Zhang (Oct 18)
- CVE-2023-25753: Server-Side Request Forgery in Apache ShenYu Zhang Yonglun (Oct 18)
- CVE-2023-31122: Apache HTTP Server: mod_macro buffer over-read Stefan Eissing (Oct 19)
- CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0 Stefan Eissing (Oct 19)
- CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST Stefan Eissing (Oct 19)
- CVE-2023-44483: Apache Santuario: Private Key disclosure in debug-log output Colm O hEigeartaigh (Oct 20)
- CVE-2023-45853: overflows in MiniZip in zlib through 1.3 Alan Coopersmith (Oct 20)
- CVE-2023-46288: Apache Airflow: Sensitive parameters exposed in API when "non-sensitive-only" configuration is set Jarek Potiuk (Oct 23)
- OpenSSL Security Advisory OpenSSL (Oct 24)
- FW: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.9 and Xwayland prior to 23.2.2 Peter Hutterer (Oct 25)
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Oct 25)
- <Possible follow-ups>
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Nov 29)
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Dec 13)
- [kubernetes] CVE-2023-5044: Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation CJ Cullen (Oct 25)
- [kubernetes] CVE-2023-5043: Ingress nginx annotation injection causes arbitrary command execution CJ Cullen (Oct 25)
- [kubernetes] CVE-2022-4886: Ingress-nginx `path` sanitization can be bypassed with `log_format` directive CJ Cullen (Oct 25)
- [vim-security] integer overflow in :history command in Vim < 9.0.2068 Christian Brabandt (Oct 26)
- CVE-2023-34058 - SAML Token Signature Bypass in open-vm-tools VMware Security Response Center (Oct 27)
- CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools VMware Security Response Center (Oct 27)
- Re: CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools Matthias Gerstner (Oct 27)
- Re: CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools John Helmert III (Nov 26)
- Re: CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools Matthias Gerstner (Nov 27)
- Re: CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools John Helmert III (Nov 26)
- Re: CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools Matthias Gerstner (Oct 27)
- Security issues in passim local caching server Matthias Gerstner (Oct 27)
- CVE-2023-46604: Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack Christopher L. Shannon (Oct 27)
- CVE-2023-46215: Apache Airflow Celery provider, Apache Airflow: Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend Elad Kalif (Oct 28)
- NATS: 2023-02: nkeys: xkeys Seal encryption used fixed key for all encryption Byron Ruth (Oct 31)
- CVE-2023-5631: XSS vulnerability in Roundcube webmail Valtteri Vuorikoski (Oct 31)
- Re: CVE-2023-5631: XSS vulnerability in Roundcube webmail Kapetanakis Giannis (Nov 01)
- Django: CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows Mariusz Felisiak (Nov 01)
- Session File Relative Path Traversal in sudo-rs Alan Coopersmith (Nov 02)
- Bluez, Intel wireless devices: Bluetooth Low Energy stuck in unresponsive state after repeated out of order transmission of packets Solar Designer (Nov 02)
- Re: !CVE: A new platform to track security issues not acknowledged by vendors Mike O'Connor (Nov 10)
- Re: !CVE: A new platform to track security issues not acknowledged by vendors !CVE Team (Nov 10)
- <Possible follow-ups>
- Re: !CVE: A new platform to track security issues not acknowledged by vendors !CVE Team (Nov 10)
- CVE-2023-47037: Apache Airflow missing fix for CVE-2023-40611 in 2.7.1 (DAG run broken access) Ephraim Anierobi (Nov 12)
- CVE-2023-42781: Apache Airflow: Permission verification bypass allows viewing dagruns of other dags Ephraim Anierobi (Nov 12)
- Xen Security Advisory 445 v3 (CVE-2023-46835) - x86/AMD: mismatch in IOMMU quarantine page table levels Xen . org security team (Nov 14)
- Xen Security Advisory 446 v2 (CVE-2023-46836) - x86: BTC/SRSO fixes not fully effective Xen . org security team (Nov 14)
- [kubernetes] CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes Craig Ingram (Nov 14)
- CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) Antonio Gomez Iglesias (Nov 14)
- Re: CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) Demi Marie Obenour (Nov 14)
- Re: CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) Solar Designer (Nov 14)
- Re: CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) Solar Designer (Nov 14)
- Re: CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) HW42 (Nov 14)
- Re: CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) Antonio Gomez Iglesias (Nov 14)
- Re: CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) HW42 (Nov 14)
- Re: CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) Demi Marie Obenour (Nov 14)
- WebKitGTK and WPE WebKit Security Advisory WSA-2023-0010 Carlos Alberto Lopez Perez (Nov 15)
- [vim-security] several minor security issues in Vim v9.0.2106-v9.0.2112 Christian Brabandt (Nov 16)
- hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Matthias Gerstner (Nov 17)
- Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Roxana Bradescu (Nov 18)
- Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Mike O'Connor (Nov 19)
- Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Matthias Gerstner (Nov 20)
- Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Alex Murray (Nov 30)
- Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Matthias Gerstner (Nov 30)
- Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Mike O'Connor (Nov 19)
- Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Roxana Bradescu (Nov 18)
- CVE-2023-37580 (and others): XSS vulnerabilities in Zimbra Collaboration Suite Valtteri Vuorikoski (Nov 17)
- CVE-2023-46302: Apache Submarine: Fix CVE-2022-1471 SnakeYaml unsafe deserialization Xiang Chen (Nov 19)
- CVE-2022-46337: Apache Derby: LDAP injection vulnerability in authenticator Richard N. Hillegas (Nov 19)
- GNUTLS-SA-2023-10-23, CVE-2023-5981: timing sidechannel in RSA-PSK key exchange Alan Coopersmith (Nov 20)
- GIMP 2.10.36 fixed multiple image format parser vulnerabilities Alan Coopersmith (Nov 20)
- CVE-2023-37924: Apache Submarine: SQL injection from unauthorized login Xiang Chen (Nov 21)
- CVE-2022-45875: Apache DolphinScheduler: Remote command execution Vulnerability in script alert plugin Wenjun Ruan (Nov 22)
- [vim-security] use-after-free in ex_substitute in Vim < v9.0.2121 Christian Brabandt (Nov 22)
- CVE-2023-43123: Apache Storm: Local Information Disclosure Vulnerability in Storm-core on Unix-Like systems due temporary files Julien Nioche (Nov 23)
- CVE-2023-48796: Apache dolphinscheduler sensitive information disclosure Zhenxu Ke (Nov 24)
- CVE-2023-49068: Apache DolphinScheduler: Information Leakage Vulnerability Zihao Xiang (Nov 24)
- Re: CVE-2023-49068: Apache DolphinScheduler: Information Leakage Vulnerability John Helmert III (Nov 25)
- CVE-2023-40610: Apache Superset: Privilege escalation with default examples database Daniel Gaspar (Nov 27)
- CVE-2023-42501: Apache Superset: Unnecessary read permissions within the Gamma role Daniel Gaspar (Nov 27)
- CVE-2023-43701: Apache Superset: Stored XSS on API endpoint Daniel Gaspar (Nov 27)
- CVE-2023-49145: Apache NiFi: Improper Neutralization of Input in Advanced User Interface for Jolt David Handermann (Nov 27)
- CVE-2022-41678: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE Jean-Baptiste Onofré (Nov 28)
- CVE-2023-46589: Apache Tomcat: HTTP request smuggling via malformed trailer headers Mark Thomas (Nov 28)
- CVE-2023-42502: Apache Superset: Open Redirect Vulnerability Daniel Gaspar (Nov 28)
- Fwd: Samba 4.19.3 Available for Download - addresses CVE-2018-14628 Alan Coopersmith (Nov 28)
- CVE-2023-42505: Apache Superset: Sensitive information disclosure on db connection details Daniel Gaspar (Nov 28)
- CVE-2023-42504: Apache Superset: Lack of rate limiting allows for possible denial of service Daniel Gaspar (Nov 28)
- Python Cryptography advisory: CVE-2023-49083 NULL-dereference when loading PKCS7 certificates Alan Coopersmith (Nov 29)
- CVE-2022-45135: Apache Cocoon: SQL injection in DatabaseCookieAuthenticatorAction Cédric Damioli (Nov 30)
- CVE-2023-49620: Apache DolphinScheduler: Authenticated users could delete UDFs in resouece center they were not authorized Jiajie Zhong (Nov 30)
- CVE-2023-49733: Apache Cocoon's StreamGenerator is vulnerable to XXE injection Cédric Damioli (Nov 30)
- CVE-2023-49735: Apache Tiles: Unvalidated input may lead to path traversal and XXE Arnout Engelen (Nov 30)
- New CVEs and security fix releases for perl Alan Coopersmith (Nov 30)
- HNS-2023-04 - HN Security Advisory - Buffer overflow vulnerabilities with long path names in TinyDir Marco Ivaldi (Dec 04)
- CVE-2023-49070: Pre-auth RCE in Apache Ofbiz 18.12.09 due to XML-RPC still present Jacques Le Roux (Dec 04)
- WebKitGTK and WPE WebKit Security Advisory WSA-2023-0011 Carlos Alberto Lopez Perez (Dec 05)
- Security fixes in Go 1.21.5 and Go 1.20.12 releases Alan Coopersmith (Dec 05)
- SLAM: Spectre based on Linear Address Masking Alan Coopersmith (Dec 05)
- [SECURITY ADVISORY] curl: cookie mixed case PSL bypass Daniel Stenberg (Dec 05)
- [SECURITY ADVISORY] curl: HSTS long file name clears contents Daniel Stenberg (Dec 05)
- CVE-2023-50164: Apache Struts: File upload component had a directory traversal vulnerability Lukasz Lenart (Dec 07)
- CVE-2023-49284: fish command substitution output can trigger shell expansion Alan Coopersmith (Dec 08)
- CVE-2023-41835: Apache Struts: excessive disk usage Lukasz Lenart (Dec 09)
- Buildroot: Talos download hash verification vulnerabilities Peter Korsgaard (Dec 10)
- Xen Security Advisory 447 v2 (CVE-2023-46837) - arm32: The cache may not be properly cleaned/invalidated (take two) Xen . org security team (Dec 12)
- CVE-2023-45725: Apache CouchDB, IBM Cloudant: Privilege Escalation Using _design Documents Nick Vatamaniuc (Dec 12)
- AlmaLinux Distros List Application Jonathan Wright (Dec 12)
- Re: AlmaLinux Distros List Application Darya Malyavkina (Dec 13)
- Re: AlmaLinux Distros List Application Solar Designer (Dec 17)
- Re: AlmaLinux Distros List Application Jonathan Wright (Dec 19)
- Re: AlmaLinux Distros List Application Solar Designer (Dec 21)
- Re: AlmaLinux Distros List Application Jonathan Wright (Dec 19)
- FW: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.10 and Xwayland prior to 23.2.3 Peter Hutterer (Dec 13)
- CVE-2023-40660: Potential PIN bypass with empty PIN in OpenSC before 0.24.0 Jakub Jelen (Dec 13)
- CVE-2023-40661: Dynamic analyzers reports in pkcs15-init in OpenSC before 0.24.0 Jakub Jelen (Dec 13)
- CVE-2023-46750: Apache Shiro: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Shiro. Brian Demers (Dec 13)
- budgie-extras: multiple predictable /tmp path issues in various applications Matthias Gerstner (Dec 14)
- XDG_RUNTIME_DIR "misuse" as $TMPDIR (was: Re: [oss-security] budgie-extras: multiple predictable /tmp path issues in various applications) Steffen Nurpmeso (Dec 15)
- Re: budgie-extras: multiple predictable /tmp path issues in various applications Florian Weimer (Dec 17)
- CVE-2023-29234: Bypass serialize checks in Apache Dubbo Albumen Kevin (Dec 15)
- CVE-2023-46279: Apache Dubbo: Bypass deny serialize list check in Apache Dubbo Albumen Kevin (Dec 15)
- CVE-2023-30867: Apache StreamPark (incubating): Authenticated system users could trigger SQL injection vulnerability Huajie Wang (Dec 15)
- CVE-2023-49898: Apache StreamPark (incubating): Authenticated system users could trigger remote command execution Huajie Wang (Dec 15)
- [ES2023-01] Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation Sandro Gauci (Dec 15)
- [ES2023-03] RTPEngine susceptible to Denial of Service via DTLS Hello packets during call initiation Sandro Gauci (Dec 15)
- jq 1.7.1 fixes CVE-2023-50246 & CVE-2023-50268 Alan Coopersmith (Dec 15)
- CVE-2023-41314: Apache Doris: Missing API authentication allowed DoS Mingyu Chen (Dec 16)
- WebKitGTK and WPE WebKit Security Advisory WSA-2023-0012 Carlos Alberto Lopez Perez (Dec 17)
- Announce: OpenSSH 9.6 released Damien Miller (Dec 18)
- CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack) Fabian Bäumer (Dec 18)
- Re: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack) Alan Coopersmith (Dec 19)
- Re: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack) Marcus Meissner (Dec 20)
- Re: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack) Alan Coopersmith (Dec 19)
- CVE-2023-46104: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb Daniel Gaspar (Dec 19)
- CVE-2023-49736: Apache Superset: SQL Injection on where_in JINJA macro Daniel Gaspar (Dec 19)
- CVE-2023-49734: Apache Superset: Privilege Escalation Vulnerability Daniel Gaspar (Dec 19)
- [SECURITY] CVE-2023-43826: Apache Guacamole: Integer overflow in handling of VNC image buffers Michael Jumper (Dec 19)
- CVE-2023-37544: Apache Pulsar WebSocket Proxy: Improper Authentication for WebSocket Proxy Endpoint Allows DoS Michael Marshall (Dec 19)
- CVE-2023-48291: Apache Airflow: Improper access control to DAG resources Ephraim Anierobi (Dec 21)
- CVE-2023-47265: Apache Airflow: DAG Params allow to embed unchecked Javascript Ephraim Anierobi (Dec 21)
- CVE-2023-49920: Apache Airflow: Missing CSRF protection on DAG/trigger Ephraim Anierobi (Dec 21)
- CVE-2023-50783: Apache Airflow: Improper access control vulnerability on the "varimport" endpoint Ephraim Anierobi (Dec 21)
- CVE-2023-51656: Apache IoTDB: Unsafe deserialize map in Sync Tool Haonan Hou (Dec 21)
- New SMTP smuggling attack Marcus Meissner (Dec 21)
- Re: New SMTP smuggling attack Claus Assmann (Dec 21)
- Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 22)
- Re: Re: New SMTP smuggling attack Stuart Henderson (Dec 22)
- Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 22)
- Re: Re: New SMTP smuggling attack Erik Auerswald (Dec 22)
- Re: Re: New SMTP smuggling attack Rodrigo Freire (Dec 22)
- Re: Re: New SMTP smuggling attack Alexander E. Patrakov (Dec 22)
- Re: Re: New SMTP smuggling attack Erik Auerswald (Dec 22)
- Re: Re: New SMTP smuggling attack Stuart D Gathman (Dec 22)
- Re: Re: New SMTP smuggling attack Harry Sintonen (Dec 22)
- Re: Re: New SMTP smuggling attack Bjoern Franke (Dec 22)
- Re: Re: New SMTP smuggling attack Valtteri Vuorikoski (Dec 23)
- Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 24)
- Re: Re: New SMTP smuggling attack kai (Dec 25)
- Re: New SMTP smuggling attack Claus Assmann (Dec 26)
- Re: Re: New SMTP smuggling attack Alan Coopersmith (Dec 29)
- Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 30)
- Re: Re: New SMTP smuggling attack Claus Assmann (Dec 30)
- Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 22)
- Re: New SMTP smuggling attack Hanno Böck (Dec 22)
- Re: New SMTP smuggling attack Claus Assmann (Dec 21)
- Security vulnerability in Debian's cpio 2.13 Ingo Brückl (Dec 21)
- Mayhem: Targeted Corruption of Register and Stack Variables Tol, Caner (Dec 21)
- CVE-2023-6817: Linux kernel: use-after-free in nf_tables Xingyuan Mo (Dec 22)
- Re: CVE-2023-6817: Linux kernel: use-after-free in nf_tables Dominique Martinet (Dec 22)
- Fwd: [pfx-ann] Postfix stable release 3.8.4 Solar Designer (Dec 22)
- Re: Fwd: [pfx-ann] Postfix stable release 3.8.4 Solar Designer (Dec 22)
- [ES2023-02] FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation Sandro Gauci (Dec 23)
- CVE-2023-50968: Apache OFBiz: Arbitrary file properties reading and SSRF attack Nicolas Malin (Dec 26)
- CVE-2023-51467: Apache OFBiz: Pre-authentication Remote Code Execution (RCE) vulnerability Deepak Dixit (Dec 26)
- CVE-2023-51385, CVE-2023-6004: OpenSSH, libssh: Security weakness in ProxyCommand handling Solar Designer (Dec 26)
- xarchiver: Path traversal with crafted cpio archives Ingo Brückl (Dec 27)
- xarchiver: Path traversal with crafted cpio archives Ingo Brückl (Dec 29)
- CVE-2023-47804: Apache OpenOffice: Macro URL arbitrary script execution Arrigo Marchiori (Dec 28)
- CVE-2023-1183: Apache OpenOffice: Arbitrary file write in Apache OpenOffice Base Arrigo Marchiori (Dec 28)
- CVE-2022-43680: Apache OpenOffice: "Use after free" fixed in libexpat Arrigo Marchiori (Dec 28)
- CVE-2012-5639: Apache OpenOffice: Loading internal / external resources without warning Arrigo Marchiori (Dec 28)
- CVE-2023-49299: Apache DolphinScheduler: Arbitrary js execute as root for authenticated users Jiajie Zhong (Dec 29)
- CVE-2023-51766: Exim: SMTP smuggling Solar Designer (Dec 29)
- CVE-2023-7101: Spreadsheet::ParseExcel for Perl is vulnerable to arbitrary code execution Stig Palmquist (Dec 29)
- inetutils ftpd, rcp, rlogin, rsh, rshd, uucpd: Avoid potential privilege escalations by checking set*id() return values Solar Designer (Dec 30)