oss-sec: by author
247 messages, starting Apr 17 24 and ending May 02 24
Adhemerval Zanella Netto
The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Adhemerval Zanella Netto (Apr 17)
Adrien Nader
Detecting code injections in packages through debug infos Adrien Nader (Apr 03)
Alan Coopersmith
CERT/CC VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks Alan Coopersmith (Apr 03)
CVE-2024-21823: Intel DSA and Intel IAA advisory Alan Coopersmith (May 15)
PHP security releases 8.1.28, 8.2.18, & 8.3.6 Alan Coopersmith (Apr 12)
Re: Fwd: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5 Alan Coopersmith (Apr 12)
CERT VU#123335: Multiple Programming Languages Fail to Escape Arguments Properly in Microsoft Windows Alan Coopersmith (Apr 10)
[security] Go 1.22.3 and Go 1.21.10 are released Alan Coopersmith (May 08)
Fwd: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5 Alan Coopersmith (Apr 03)
Re: CVEs issued by the Linux kernel CNA Alan Coopersmith (May 01)
CVE-2024-27322: Deserialization vulnerability in R before 4.4.0 Alan Coopersmith (Apr 29)
Alejandro Colomar
Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Alejandro Colomar (Apr 11)
Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Alejandro Colomar (Apr 10)
Analysis on who is Jia Tan, and who he could work for, reading xz.git Alejandro Colomar (Apr 10)
Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Alejandro Colomar (Apr 12)
Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Alejandro Colomar (Apr 10)
Alex Sarum
opusfile by Xiph.Org Foundation, DoS vulnerability (SIGFPE) Alex Sarum (Apr 04)
Andrea Intilangelo
CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package Andrea Intilangelo (May 16)
Andres Freund
Re: xz backdoor prevention using hosts.deny? Andres Freund (Apr 09)
Ángel
Re: xz backdoor prevention using hosts.deny? Ángel (Apr 08)
Re: Re: finding similar compromises (was Re: From xz to ibus: more questionable tarballs) Ángel (Apr 08)
Arnout Engelen
CVE-2024-34365: Apache Karaf Cave: Cave SSRF and arbitrary file access Arnout Engelen (May 09)
Ben Hutchings
Buildroot: incorrect permissons on /dev/shm Ben Hutchings (Apr 11)
Re: Buildroot: incorrect permissons on /dev/shm Ben Hutchings (May 06)
[PATCH] package/skeleton-init-sysv: Set sticky bit on /dev/shm Ben Hutchings (Apr 11)
Bryan Call
CVE-2024-31309: Apache Traffic Server: HTTP/2 CONTINUATION frames can be utilized for DoS attack Bryan Call (Apr 10)
Carlos O'Donell
The GNU C Library security advisories update for 2024-05-06 Carlos O'Donell (May 06)
Charles Zhang
CVE-2024-26579: Apache Inlong JDBC Vulnerability Charles Zhang (May 09)
Chris Down
Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Chris Down (Apr 10)
Christian Brabandt
[vim-security] buffer-overlow in xxd with colored output < v9.1.0404 Christian Brabandt (May 10)
Christoph Anton Mitterer
Re: xz backdoor prevention using hosts.deny? Christoph Anton Mitterer (Apr 09)
Colin McCabe
CVE-2024-27309: Apache Kafka: Potential incorrect access control during migration from ZK mode to KRaft mode Colin McCabe (Apr 11)
Corey Lopez
Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Corey Lopez (May 11)
daniel
CVE-2024-1597: PostgreSQL pgjdbc: SQL injection in non-default configuration daniel (Apr 02)
Daniel Beck
Terrapin vulnerability in Jenkins CLI client Daniel Beck (Apr 17)
Multiple vulnerabilities in Jenkins plugins Daniel Beck (May 02)
Daniel Gaspar
CVE-2024-28148: Apache Superset: Incorrect datasource authorization on explore REST API Daniel Gaspar (May 07)
David Morel
libreswan: IKEv1 default AH/ESP responder can crash and restart David Morel (Apr 18)
Demi Marie Obenour
Re: Linux: Disabling network namespaces Demi Marie Obenour (Apr 15)
Re: Linux: Disabling network namespaces Demi Marie Obenour (Apr 23)
Re: Linux: Disabling network namespaces Demi Marie Obenour (Apr 16)
Donald Buczek
Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Donald Buczek (Apr 11)
Dr. Christopher Kunz
Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Dr. Christopher Kunz (Apr 11)
New Linux LPE via GSMIOC_SETCONF_DLCI? Dr. Christopher Kunz (Apr 10)
Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Dr. Christopher Kunz (Apr 17)
Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Dr. Christopher Kunz (Apr 11)
Elad Kalif
CVE-2024-29733: Apache Airflow FTP Provider: FTP_TLS instance with unverified SSL context Elad Kalif (Apr 19)
Eli Zaretskii
Re: Is CVE-2024-30203 bogus? (Emacs) Eli Zaretskii (Apr 08)
Enxin Xie
CVE-2024-29217: Apache Answer: XSS vulnerability when changing personal website Enxin Xie (Apr 19)
Ephraim Anierobi
CVE-2024-31869: Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used Ephraim Anierobi (Apr 17)
CVE-2024-32077: Apache Airflow: XSS vulnerability in Task Instance Log/Log Details Ephraim Anierobi (May 14)
Eric Covener
CVE-2023-38709: Apache HTTP Server: HTTP response splitting Eric Covener (Apr 04)
CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames Eric Covener (Apr 04)
CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple modules Eric Covener (Apr 04)
Erik Auerswald
Re: New SMTP smuggling attack Erik Auerswald (May 09)
Re: New SMTP smuggling attack Erik Auerswald (Apr 30)
Fabian Bäumer
CVE-2024-31497: Secret Key Recovery of NIST P-521 Private Keys Through Biased ECDSA Nonces in PuTTY Client Fabian Bäumer (Apr 15)
Fay Stegerman
[Update] PoC for fdroidserver AllowedAPKSigningKeys certificate pinning bypass Fay Stegerman (Apr 20)
PoC for fdroidserver AllowedAPKSigningKeys certificate pinning bypass Fay Stegerman (Apr 08)
Florian Weimer
Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Florian Weimer (Apr 24)
Gabriel Ravier
Re: Update on the distro-backdoor-scanner effort Gabriel Ravier (Apr 29)
Georgia Garcia
Re: Linux: Disabling network namespaces Georgia Garcia (Apr 17)
Greg KH
Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Greg KH (Apr 16)
Re: Re: CVEs issued by the Linux kernel CNA Greg KH (May 02)
Hank Leininger
Re: finding similar compromises (was Re: From xz to ibus: ... Hank Leininger (Apr 02)
Re: Update on the distro-backdoor-scanner effort Hank Leininger (Apr 28)
Update on the distro-backdoor-scanner effort Hank Leininger (Apr 26)
Re: Update on the distro-backdoor-scanner effort Hank Leininger (Apr 28)
Hanno Böck
Wordpress Responsive theme: arbitrary HTML content injection (CVE-2024-2848) Hanno Böck (Apr 22)
HexRabbit Chen
CVE-2024-26925: Linux: nf_tables: locking issue in the nf_tables_abort() function HexRabbit Chen (May 07)
HW42
Re: From xz to ibus: more questionable tarballs HW42 (Apr 01)
Ihor Radchenko
Re: Is CVE-2024-30203 bogus? (Emacs) Ihor Radchenko (Apr 08)
Re: Is CVE-2024-30203 bogus? (Emacs) Ihor Radchenko (Apr 10)
Imba Jin
CVE-2024-27347: Apache HugeGraph-Hubble: SSRF in Hubble connection page Imba Jin (Apr 22)
CVE-2024-27349: Apache HugeGraph-Server: Bypass whitelist in Auth mode Imba Jin (Apr 22)
CVE-2024-27348: Apache HugeGraph-Server: Command execution in gremlin Imba Jin (Apr 22)
Jacob Bachmeyer
Re: Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Jacob Bachmeyer (May 13)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jacob Bachmeyer (Apr 19)
Re: Update on the distro-backdoor-scanner effort Jacob Bachmeyer (Apr 29)
Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Jacob Bachmeyer (Apr 12)
Re: Update on the distro-backdoor-scanner effort Jacob Bachmeyer (Apr 27)
Re: xz backdoor prevention using hosts.deny? Jacob Bachmeyer (Apr 10)
Re: xz backdoor prevention using hosts.deny? Jacob Bachmeyer (Apr 09)
Re: Update on the distro-backdoor-scanner effort Jacob Bachmeyer (Apr 30)
Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Jacob Bachmeyer (Apr 11)
Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Jacob Bachmeyer (Apr 13)
Re: Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Jacob Bachmeyer (May 13)
Re: Make your own backdoor: CFLAGS code injection, Makefile injection, pkg-config Jacob Bachmeyer (Apr 18)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jacob Bachmeyer (Apr 17)
Jacques Le Roux
CVE-2024-32113: Apache OFBiz: Path traversal leading to RCE Jacques Le Roux (May 09)
Jakub Wilk
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jakub Wilk (Apr 12)
Re: less(1) with LESSOPEN mishandles \n in paths Jakub Wilk (Apr 15)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jakub Wilk (Apr 01)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jakub Wilk (Apr 17)
less(1) with LESSOPEN mishandles \n in paths Jakub Wilk (Apr 12)
Jan Engelhardt
From xz to ibus: more questionable tarballs Jan Engelhardt (Apr 01)
Jan Schaumann
Go 1.22.2 and 1.21.9 (CVE-2023-45288 HTTP/2 CONTINUATION issue) Jan Schaumann (Apr 05)
NodeJS Command injection via args parameter of child_process.spawn without shell option enabled on Windows (CVE-2024-27980) Jan Schaumann (Apr 10)
Envoy security releases [1.29.3, 1.28.2, 1.27.4, 1.26.8] are now available Jan Schaumann (Apr 05)
Jason Gerlowski
CVE-2024-31391: Apache Solr Operator: Solr-Operator liveness and readiness probes may leak basic auth credentials Jason Gerlowski (Apr 12)
Jean-Baptiste Onofré
CVE-2024-32114: Apache ActiveMQ: Jolokia and REST API were not secured with default configuration Jean-Baptiste Onofré (May 01)
Jeffrey Walton
Re: PoC for fdroidserver AllowedAPKSigningKeys certificate pinning bypass Jeffrey Walton (Apr 21)
Joey Hess
Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Joey Hess (Apr 10)
Johannes Schindelin
git: 5 vulnerabilities fixed Johannes Schindelin (May 14)
John Johansen
Re: Re: Linux: Disabling network namespaces John Johansen (Apr 29)
Re: Linux: Disabling network namespaces John Johansen (Apr 29)
Jonas Schäfer
libksieve (used by kmail/kontact) sent password as username Jonas Schäfer (Apr 25)
Jonathan Wright
Re: CVE-2024-1086: Linux: nf_tables: use-after-free vulnerability in the nft_verdict_init() function Jonathan Wright (Apr 10)
Jongyoul Lee
CVE-2024-31865: Apache Zeppelin: Cron arbitrary user impersonation with improper privileges Jongyoul Lee (Apr 09)
CVE-2024-31860: Apache Zeppelin: Path traversal vulnerability Jongyoul Lee (Apr 09)
CVE-2022-47894: Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE Jongyoul Lee (Apr 09)
CVE-2024-31863: Apache Zeppelin: Replacing other users notebook, bypassing any permissions Jongyoul Lee (Apr 09)
CVE-2021-28656: Apache Zeppelin: CSRF vulnerability in the Credentials page Jongyoul Lee (Apr 09)
CVE-2024-31864: Apache Zeppelin: Remote code execution by adding malicious JDBC connection string Jongyoul Lee (Apr 09)
CVE-2024-31861: Apache Zeppelin: Code injection by Shell interpreter Jongyoul Lee (Apr 10)
CVE-2024-31866: Apache Zeppelin: Interpreter download command does not escape malicious code injection Jongyoul Lee (Apr 09)
CVE-2024-31867: Apache Zeppelin: LDAP search filter query Injection Vulnerability Jongyoul Lee (Apr 09)
CVE-2024-31862: Apache Zeppelin: Denial of service with invalid notebook name Jongyoul Lee (Apr 09)
CVE-2024-31868: Apache Zeppelin: XSS vulnerability in the helium module Jongyoul Lee (Apr 09)
Jordan Glover
Re: Linux: Disabling network namespaces Jordan Glover (Apr 16)
Re: Linux: Disabling network namespaces Jordan Glover (Apr 22)
Re: Linux: Disabling network namespaces Jordan Glover (Apr 20)
Kyle Zeng
Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Kyle Zeng (Apr 11)
Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Kyle Zeng (Apr 11)
Lam Bruce
minor problem on detect_sh.bin Lam Bruce (Apr 05)
Lari Hotari
CVE-2024-29834: Apache Pulsar: Improper Authorization For Namespace and Topic Management Endpoints Lari Hotari (Apr 02)
Loganaden Velvindron
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron (Apr 17)
Marco Ivaldi
HNS-2024-07 - HN Security Advisory - Multiple vulnerabilities in RIOT OS Marco Ivaldi (May 07)
Mark Esler
Re: New SMTP smuggling attack Mark Esler (May 09)
Re: 83 bogus CVEs assigned to Robot Operating System (ROS) Mark Esler (Apr 23)
Re: New SMTP smuggling attack Mark Esler (Apr 30)
83 bogus CVEs assigned to Robot Operating System (ROS) Mark Esler (Apr 23)
Markus Klyver
Just a reminder to never run ldd or strings on untrusted binaries Markus Klyver (Apr 04)
Matthew Fernandez
YSA-2024-01: YubiKey Manager Privilege Escalation Matthew Fernandez (Apr 04)
escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise) Matthew Fernandez (Apr 02)
Re: Just a reminder to never run ldd or strings on untrusted binaries Matthew Fernandez (Apr 04)
Matthias Gerstner
dnf5daemon-server: Incomplete fix of CVE-2024-1929 (CVE-2024-2746) Matthias Gerstner (Apr 03)
Matt Johnston
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Matt Johnston (Apr 17)
Max Nikulin
Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 11)
Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 10)
Re: Is CVE-2024-30203 bogus? (Emacs) Max Nikulin (Apr 08)
Maysara Alhindi
Looking for developers who know how to use Seccomp for a paid study Maysara Alhindi (Apr 03)
Michael Dawson
Re: Fwd: Node.js security update for all active release lines Michael Dawson (Apr 03)
Re: Fwd: Node.js security update for all active release lines Michael Dawson (Apr 03)
Michael Knap
Re: Re: CWE-121, CWE-122: libfreeimage 3.40-3.18/19+ buffer overflow Michael Knap (Apr 11)
CWE-121, CWE-122: libfreeimage 3.40-3.18/19+ buffer overflow Michael Knap (Apr 09)
Re: Re: CWE-121, CWE-122: libfreeimage 3.40-3.18/19+ buffer overflow Michael Knap (Apr 11)
Mickaël Salaün
Re: Linux: Disabling network namespaces Mickaël Salaün (May 17)
midawson
Fwd: Node.js security update for all active release lines midawson (Apr 03)
Morten Linderud
Re: Update on the distro-backdoor-scanner effort Morten Linderud (Apr 27)
Nick Sal
xz backdoor prevention using hosts.deny? Nick Sal (Apr 03)
nightmare . yeah27
Re: New SMTP smuggling attack nightmare . yeah27 (Apr 30)
Re: Linux: Disabling network namespaces nightmare . yeah27 (Apr 19)
Oriol Castejón
CVE-2024-0582 - Linux kernel use-after-free vulnerability in io_uring, writeup and exploit strategy Oriol Castejón (Apr 24)
Paragon Initiative Enterprises Security Team
Security Issues and Abandonment of PHP ECC library (mdanter/ecc, phpecc/phpecc) Paragon Initiative Enterprises Security Team (Apr 24)
Pedro Batista
Re: Telegram Web app XSS / Session Hijacking 1-click Pedro Batista (Apr 30)
Telegram Web app XSS / Session Hijacking 1-click Pedro Batista (Apr 28)
Peter Korsgaard
Re: Buildroot: incorrect permissons on /dev/shm Peter Korsgaard (May 07)
Re: [PATCH] package/skeleton-init-sysv: Set sticky bit on /dev/shm Peter Korsgaard (May 06)
Peter van Dijk
PowerDNS Recursor Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor Peter van Dijk (Apr 24)
Philippe Cerfon
Re: Linux: Disabling network namespaces Philippe Cerfon (Apr 16)
Philip Withnall
GLib (2.26.0+): GDBus signal subscriptions for well-known names are vulnerable to unicast spoofing Philip Withnall (May 07)
Pierre-Elliott Bécue
Re: xz backdoor prevention using hosts.deny? Pierre-Elliott Bécue (Apr 03)
Pietro Albini
CVE-2024-24576: Rust 1.77.1 and earlier did not properly escape arguments of batch files on Windows Pietro Albini (Apr 09)
Priedhorsky, Reid
Re: Linux: Disabling network namespaces Priedhorsky, Reid (Apr 22)
Rafael Gonzaga
Fwd: Node.js security update for all active relesae lines, April 9 2024 Rafael Gonzaga (Apr 04)
Fwd: Node.js security update for all active release lines Rafael Gonzaga (Apr 02)
Fwd: Node.js security update for all active relesae lines, April 9 2024 Rafael Gonzaga (Apr 10)
Remi Gacogne
PowerDNS Security Advisory 2024-03: Transfer requests received over DoH can lead to a denial of service in DNSdist Remi Gacogne (May 13)
Rita Zhang
[kubernetes] CVE-2024-3744: azure-file-csi-driver discloses service account tokens in logs Rita Zhang (May 09)
[kubernetes] CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin Rita Zhang (Apr 16)
Salvatore Bonaccorso
Re: libksieve (used by kmail/kontact) sent password as username Salvatore Bonaccorso (Apr 30)
Re: Re: Is CVE-2024-30203 bogus? (Emacs) Salvatore Bonaccorso (Apr 10)
Re: CVE-2024-26925: Linux: nf_tables: locking issue in the nf_tables_abort() function Salvatore Bonaccorso (May 08)
Sam Bull
CVE-2024-30251: DoS in aiohttp Sam Bull (May 02)
Sam James
Re: escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise) Sam James (May 02)
Re: Update on the distro-backdoor-scanner effort Sam James (Apr 26)
Suspicious hook-loading mechanism in hyprland Sam James (Apr 28)
Re: less(1) with LESSOPEN mishandles \n in paths Sam James (Apr 12)
Sean Whitton
Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 11)
Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 08)
Re: Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 11)
Re: Is CVE-2024-30203 bogus? (Emacs) Sean Whitton (Apr 10)
Sebastian Pipping
Fwd: uriparser 0.9.8 released, includes security fixes Sebastian Pipping (May 06)
Simon McVittie
Re: Linux: Disabling network namespaces Simon McVittie (Apr 21)
Re: Linux: Disabling network namespaces Simon McVittie (Apr 15)
Re: Linux: Disabling network namespaces Simon McVittie (Apr 21)
Re: lsof "can't stat() fuse.${name} filesystem /run/user/1000/${dir}" Simon McVittie (May 11)
Re: Linux: Disabling network namespaces Simon McVittie (Apr 23)
Re: Linux: Disabling network namespaces Simon McVittie (Apr 15)
Re: Linux: Disabling network namespaces Simon McVittie (Apr 19)
Re: Update on the distro-backdoor-scanner effort Simon McVittie (Apr 26)
flatpak CVE-2024-32462 : Sandbox escape via RequestBackground portal and CWE-88 Simon McVittie (Apr 18)
Solar Designer
Re: Linux: Disabling network namespaces Solar Designer (Apr 21)
Re: Looking for developers who know how to use Seccomp for a paid study Solar Designer (Apr 03)
Re: Linux: Disabling network namespaces Solar Designer (Apr 15)
Re: escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise) Solar Designer (Apr 03)
Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Solar Designer (Apr 18)
Re: New SMTP smuggling attack Solar Designer (May 02)
Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Solar Designer (Apr 11)
Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Solar Designer (Apr 10)
Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Solar Designer (Apr 10)
Re: New Linux LPE via GSMIOC_SETCONF_DLCI? Solar Designer (Apr 16)
Re: Fwd: Node.js security update for all active release lines Solar Designer (Apr 03)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Apr 16)
CVE-2024-1086: Linux: nf_tables: use-after-free vulnerability in the nft_verdict_init() function Solar Designer (Apr 10)
Re: Linux: Disabling network namespaces Solar Designer (Apr 20)
Re: Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Solar Designer (May 11)
Re: Fwd: Node.js security update for all active release lines Solar Designer (Apr 03)
Re: Fwd: uriparser 0.9.8 released, includes security fixes Solar Designer (May 06)
Linux: Disabling network namespaces Solar Designer (Apr 14)
Re: Linux: Disabling network namespaces Solar Designer (Apr 21)
Re: Linux: Disabling network namespaces Solar Designer (Apr 19)
Stamatis Zampetakis
CVE-2023-35701: Apache Hive: Arbitrary command execution via JDBC driver Stamatis Zampetakis (May 03)
Steffen Nurpmeso
Re: New SMTP smuggling attack Steffen Nurpmeso (Apr 30)
Re: New SMTP smuggling attack Steffen Nurpmeso (May 02)
Re: escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise) Steffen Nurpmeso (May 03)
Re: CERT VU#123335: Multiple Programming Languages Fail to Escape Arguments Properly in Microsoft Windows Steffen Nurpmeso (Apr 10)
Re: escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise) Steffen Nurpmeso (May 03)
Stephen John Smoogen
Re: xz backdoor prevention using hosts.deny? Stephen John Smoogen (Apr 03)
Stig Palmquist
HTTP::Body before 1.23 for Perl is still vulnerable to CVE-2013-4407 Stig Palmquist (Apr 07)
Stuart D Gathman
Re: xz backdoor prevention using hosts.deny? Stuart D Gathman (Apr 03)
Szymon Janc
CVE-2024-24746: Apache NimBLE: Denial of service in NimBLE Bluetooth stack Szymon Janc (Apr 05)
Takao Fujiwara
Re: From xz to ibus: more questionable tarballs Takao Fujiwara (Apr 01)
Tavis Ormandy
Re: finding similar compromises (was Re: From xz to ibus: more questionable tarballs) Tavis Ormandy (Apr 02)
finding similar compromises (was Re: From xz to ibus: more questionable tarballs) Tavis Ormandy (Apr 02)
Tianyu Chen
Re: CWE-121, CWE-122: libfreeimage 3.40-3.18/19+ buffer overflow Tianyu Chen (Apr 11)
Tobias Powalowski
Re: less(1) with LESSOPEN mishandles \n in paths Tobias Powalowski (Apr 13)
Tomas Mraz
OpenSSL Security Advisory Tomas Mraz (May 16)
OpenSSL Security Advisory [corrected CVE id] Tomas Mraz (May 16)
OpenSSL Security Advisory Tomas Mraz (Apr 08)
Valtteri Vuorikoski
CVE-2023-49606, CVE-2023-40533: memory safety vulnerabilities in tinyproxy <=1.11.1 Valtteri Vuorikoski (May 07)
Vegard Nossum
Re: Analysis on who is Jia Tan, and who he could work for, reading xz.git Vegard Nossum (Apr 10)
Re: Update on the distro-backdoor-scanner effort Vegard Nossum (Apr 29)
Make your own backdoor: CFLAGS code injection, Makefile injection, pkg-config Vegard Nossum (Apr 17)
Xen . org security team
Xen Security Advisory 457 v1 - Linux/xen-netback: Memory leak due to missing cleanup function Xen . org security team (May 07)
Xen Security Advisory 454 v2 (CVE-2023-46842) - x86 HVM hypercalls may trigger Xen bug check Xen . org security team (Apr 09)
Xen Security Advisory 456 v2 (CVE-2024-2201) - x86: Native Branch History Injection Xen . org security team (Apr 09)
Xen Security Advisory 455 v4 (CVE-2024-31142) - x86: Incorrect logic for BTC/SRSO mitigations Xen . org security team (Apr 09)
Xen Security Advisory 457 v3 (CVE-2024-27393) - Linux/xen-netfront: Memory leak due to missing cleanup function Xen . org security team (May 08)
Xen Security Advisory 456 v3 (CVE-2024-2201) - x86: Native Branch History Injection Xen . org security team (May 07)
Xen Security Advisory 457 v2 - Linux/xen-netfront: Memory leak due to missing cleanup function Xen . org security team (May 08)
Yann E. MORIN
Re: [Buildroot] Buildroot: incorrect permissons on /dev/shm Yann E. MORIN (May 06)
Re: [Buildroot] [PATCH] package/skeleton-init-sysv: Set sticky bit on /dev/shm Yann E. MORIN (Apr 11)
Yash Patel
Re: 83 bogus CVEs assigned to Robot Operating System (ROS) Yash Patel (Apr 23)
Re: 83 bogus CVEs assigned to Robot Operating System (ROS) Yash Patel (Apr 23)
YuanSheng Wang
CVE-2024-32638: Apache APISIX: Forward-Auth Request Smuggling YuanSheng Wang (May 02)