Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

Latest Posts

PHP security releases 8.3.8, 8.2.20, and 8.1.29 Alan Coopersmith (Jun 06)
In https://fosstodon.org/@php/112570710411472992 it is written:

The Changelog link includes further details:

- Fixed bug GHSA-3qgc-jrrr-25jv (Bypass of CVE-2012-1823, Argument Injection
in PHP-CGI). (CVE-2024-4577)

- Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var
FILTER_VALIDATE_URL). (CVE-2024-5458)

- Fixed bug GHSA-9fcc-425m-g385 (Bypass of CVE-2024-1874). (CVE-2024-5585)

- The openssl_private_decrypt function...

[SBA-ADV-20240202-02] CVE-2024-5658: CraftCMS Plugin - Two-Factor Authentication through 3.3.3 - TOTP Token Stays Valid After Use SBA Research Security Advisory (Jun 06)
# CraftCMS Plugin - Two-Factor Authentication - TOTP Token Stays Valid After Use #

Link:
https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-02_CraftCMS_Plugin_Two-Factor_Authentication_TOTP_Valid_After_Use

## Vulnerability Overview ##

The CraftCMS plugin Two-Factor Authentication through 3.3.3 allows reuse of
TOTP tokens multiple times within the validity period.

* **Identifier** : SBA-ADV-20240202-02
*...
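
The advisory's point is that a TOTP code stays mathematically valid for its whole time step, so a verifier must also remember that it has been consumed. The following is an added illustration in Python, not code from the Two-Factor Authentication plugin or from SBA Research: an RFC 6238 verifier in two forms, a stateless one that accepts the same code as often as it is presented within the step, and a hardened one that records the highest time step already used and refuses anything at or below it. The secret, the timestamps and the in-memory `last_step` store are constructed for the demo; a real deployment persists `last_step` per user with an atomic compare-and-set.

```python
"""TOTP verification with one-time-use enforcement (added example)."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6
WINDOW = 1  # also accept the previous and next step, to absorb clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP for the time step that contains `now` (Unix seconds)."""
    return hotp(secret, now // STEP_SECONDS)


class ReplayableVerifier:
    """Stateless check: a correct code inside the window is accepted every time."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, now: int) -> bool:
        step = now // STEP_SECONDS
        return any(hmac.compare_digest(hotp(self.secret, step + d), code)
                   for d in range(-WINDOW, WINDOW + 1))


class OneTimeVerifier:
    """Hardened check: remembers the highest time step already consumed.

    A code is accepted only if its step is newer than the last consumed one,
    so neither the same code nor a code from an earlier step can be replayed.
    `last_step` is kept in memory here (demo assumption); store it per user.
    """

    def __init__(self, secret: bytes, last_step: int = -1):
        self.secret = secret
        self.last_step = last_step

    def verify(self, code: str, now: int) -> bool:
        step = now // STEP_SECONDS
        for d in range(-WINDOW, WINDOW + 1):
            candidate = step + d
            if candidate <= self.last_step:
                continue  # already used, or older than a step that was used
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate  # consume before reporting success
                return True
        return False


def demo() -> tuple:
    """Constructed secret and timestamp; returns the four verdicts described below."""
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")  # constructed, not a real enrolment
    now = 1_717_632_000  # constructed: 2024-06-06 00:00:00 UTC
    code = totp(secret, now)
    weak, strong = ReplayableVerifier(secret), OneTimeVerifier(secret)
    return (
        weak.verify(code, now),        # accepted
        weak.verify(code, now + 5),    # accepted again: replay inside the same step
        strong.verify(code, now),      # accepted: first use
        strong.verify(code, now + 5),  # rejected: the step has been consumed
    )


if __name__ == "__main__":
    print(demo())
```

The second verifier also rejects a genuine code from the previous step once a newer one has been consumed, which is the trade-off RFC 6238 section 5.2 asks for; the drift window only widens which steps may be accepted, never which may be reused.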

[SBA-ADV-20240202-01] CVE-2024-5657: CraftCMS Plugin - Two-Factor Authentication 3.3.1 to 3.3.3 - Password Hash Disclosure SBA Research Security Advisory (Jun 06)
# CraftCMS Plugin - Two-Factor Authentication - Password Hash Disclosure #

Link:
https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-01_CraftCMS_Plugin_Two-Factor_Authentication_Password_Hash_Disclosure

## Vulnerability Overview ##

The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and
3.3.3 discloses the password hash of the currently authenticated user after
submitting a valid TOTP.

*...

Re: libarchive 3.7.4 released with 2 security fixes Tavis Ormandy (Jun 05)
The e8 thing is kinda interesting, but I think the ZDI description
didn't give enough background.

Here is my attempt:

- A long time ago, WinRAR included a bytecode interpreting VM
called RarVM. In theory, users could preprocess the data they're
compressing to make it more compressible, and then embed "filters"
in the archive. Those filters were little bytecode programs that
reverse the...
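
For readers who have not met these filters before, here is an added illustration in Python of what an "e8" filter does in principle; it is not libarchive's or WinRAR's code and makes two simplifying assumptions: every 0xE8 byte is treated as an x86 CALL and rewritten (real filters only rewrite operands whose target lands inside the block), and the block's load address is the `base` argument. The compressor turns each CALL's 4-byte displacement, which is relative to the next instruction, into an absolute target, so that calls to the same function from different places become byte-identical and compress better; the decompressor reverses it. Both sides only touch an E8 that has a complete 4-byte operand before the end of the block, which is the boundary a decoder fed attacker-controlled archive data has to respect.

```python
"""E8 (x86 CALL) preprocessing filter, relative -> absolute and back (added example)."""

MASK = 0xFFFFFFFF


def _e8_transform(block: bytes, base: int, encode: bool) -> bytes:
    out = bytearray(block)
    i = 0
    # An E8 closer than 4 bytes to the end has no complete operand: leave it alone
    # rather than read past the block.
    while i + 5 <= len(out):
        if out[i] == 0xE8:
            next_ip = (base + i + 5) & MASK
            operand = int.from_bytes(out[i + 1:i + 5], "little")
            if encode:
                operand = (operand + next_ip) & MASK   # relative -> absolute
            else:
                operand = (operand - next_ip) & MASK   # absolute -> relative
            out[i + 1:i + 5] = operand.to_bytes(4, "little")
            i += 5  # both directions skip the operand, so they stay in lock-step
        else:
            i += 1
    return bytes(out)


def e8_encode(block: bytes, base: int = 0) -> bytes:
    """Compressor side: rewrite CALL displacements as absolute targets."""
    return _e8_transform(block, base, encode=True)


def e8_decode(block: bytes, base: int = 0) -> bytes:
    """Decompressor side: restore the original relative displacements."""
    return _e8_transform(block, base, encode=False)


def e8_operands(block: bytes) -> list:
    """The 4-byte operand following each complete E8 opcode, for inspection."""
    found, i = [], 0
    while i + 5 <= len(block):
        if block[i] == 0xE8:
            found.append(bytes(block[i + 1:i + 5]))
            i += 5
        else:
            i += 1
    return found


def build_sample() -> bytes:
    """Constructed x86 fragment: a NOP sled with two CALLs to the same target, 0x40."""
    code = bytearray(b"\x90" * 0x50)
    for call_at in (0x10, 0x2A):
        rel = (0x40 - (call_at + 5)) & MASK
        code[call_at] = 0xE8
        code[call_at + 1:call_at + 5] = rel.to_bytes(4, "little")
    return bytes(code)


if __name__ == "__main__":
    sample = build_sample()
    encoded = e8_encode(sample)
    print("raw operands:    ", [op.hex() for op in e8_operands(sample)])
    print("encoded operands:", [op.hex() for op in e8_operands(encoded)])
    print("round trip ok:   ", e8_decode(encoded) == sample)
```

On the constructed sample the two raw operands differ (2b000000 and 11000000) while both encoded operands are 40000000, which is the whole point of the transform; the `i + 5 <= len(out)` guard is the only thing standing between the decoder and a read beyond the block when the last bytes happen to be 0xE8.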

libarchive 3.7.4 released with 2 security fixes Alan Coopersmith (Jun 04)
https://github.com/libarchive/libarchive/releases/tag/v3.7.4 announces
the release on April 26 of libarchive 3.7.4 with 2 security fixes:

- rar: Fix OOB in rar e8 filter (#2135) (CVE-2024-26256)
https://github.com/libarchive/libarchive/pull/2135 doesn't give details, but
a detailed writeup from Trend Micro / ZDI has been posted at:...

Go 1.22.4 and Go 1.21.11 released with 2 security fixes (CVE-2024-24789, CVE-2024-24790) Alan Coopersmith (Jun 04)
https://groups.google.com/g/golang-announce/c/XbxouI9gY7k announces:

CVE-2024-36104: Apache OFBiz: Path traversal leading to a RCE Jacques Le Roux (Jun 03)
Severity: important

Affected versions:

- Apache OFBiz before 18.12.14

Description:

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This
issue affects Apache OFBiz: before 18.12.14.

Users are recommended to upgrade to version 18.12.14, which fixes the issue.

Credit:

godspeed (AAA@ZJU) (finder)

References:

https://ofbiz.apache.org/download.html...

nginx HTTP/3 security issues/fixes Solar Designer (May 30)
Hi,

This was on the nginx-announce list yesterday:

https://mailman.nginx.org/pipermail/nginx-announce/2024/GMY32CSHFH6VFTN76HJNX7WNEX4RLHF6.html

---
[nginx-announce] nginx security advisory (CVE-2024-31079, CVE-2024-32760, CVE-2024-34161, CVE-2024-35200)
Sergey Kandaurov pluknet at nginx.com
Wed May 29 15:12:07 UTC 2024

Hello!

Four security issues were identified in the nginx HTTP/3 implementation, which
might allow an attacker that uses a...


Security vulnerability in fprintd Yaron Shahrabani (May 30)
Hi everyone, I'm writing to this mailing list since I've already
shared the details with Benjamin Berg and Marco Trevisan privately,
and we have yet to conclude about this vulnerability.
This information was also disclosed to the fprintd mailing list:
https://lists.freedesktop.org/archives/fprint/2024-May/001231.html

My sudo is configured to approve access with pam_fprintd; this is the
config file:

#%PAM-1.0

auth...

Re: List linux CVEs for a given stable release? Greg Kroah-Hartman (May 30)
Very true, I do not claim to be a "robust" bash programmer at all :)

True.

Yeah, but the json files have their own issues, more below...

Great. Only you know your use cases, which is why we do not offer up
any "grading" of kernel CVEs as Linux is used in so many different ways.

The mbox files do get updated along with the json, but please, let's not
parse mbox files, that was a bad example I gave here, sorry.

That...
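
The thread's question, which published kernel CVEs affect a given stable release, can also be answered from the JSON records rather than by running scripts/cve_search over every commit. The following is an added example in Python, not a script from the kernel CVE team's vulns repository, and it assumes the record layout shown in `SAMPLE_RECORD`: a trimmed, constructed copy of the shape the kernel CNA publishes, with `affected[]` entries whose `versions[]` carry version ranges, plus one entry with commit ids (which is skipped here, because that is the question cve_search answers). Version strings are taken to be dotted integers; a release counts as affected when the entry's `defaultStatus` is "affected" and no "unaffected" range covers it.

```python
"""Which CVE JSON records mark a given stable release as affected? (added example)"""
import json

# Constructed record with a placeholder id; only the fields this code reads.
SAMPLE_RECORD = json.loads("""
{
  "cveMetadata": {"cveId": "CVE-0000-00000"},
  "containers": {"cna": {"affected": [
    {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected",
     "versions": [
       {"version": "0000000000000000000000000000000000000000",
        "lessThan": "ffffffffffffffffffffffffffffffffffffffff",
        "status": "affected", "versionType": "git"}
     ]},
    {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected",
     "versions": [
       {"version": "6.8", "status": "affected"},
       {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "custom"},
       {"version": "6.8.5", "lessThanOrEqual": "6.8.*", "status": "unaffected", "versionType": "custom"},
       {"version": "6.9", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}
     ]}
  ]}}
}
""")


def parse_version(text: str) -> tuple:
    """'6.8.5' -> (6, 8, 5); tuples compare the way kernel versions sort."""
    return tuple(int(part) for part in text.split("."))


def _matches(entry: dict, ver: tuple) -> bool:
    """Does `ver` fall inside one versions[] entry?"""
    low = parse_version(entry["version"])
    if "lessThan" in entry:
        high = entry["lessThan"]
        return ver >= low and (high == "*" or ver < parse_version(high))
    if "lessThanOrEqual" in entry:
        high = entry["lessThanOrEqual"]
        if high == "*":
            return ver >= low
        if high.endswith(".*"):  # "6.8.*": the rest of that stable series
            series = parse_version(high[:-2])
            return ver >= low and ver[:len(series)] == series
        return low <= ver <= parse_version(high)
    return ver == low  # bare version: exact match


def affected_for_release(record: dict, release: str) -> bool:
    """True if any version-numbered affected[] entry leaves `release` affected."""
    ver = parse_version(release)
    for product in record["containers"]["cna"]["affected"]:
        versions = product.get("versions", [])
        if any(v.get("versionType") == "git" for v in versions):
            continue  # commit-id ranges: that is what cve_search answers
        status = product.get("defaultStatus", "unknown")
        for entry in versions:
            if _matches(entry, ver):
                status = entry["status"]  # the most specific range is listed last
        if status == "affected":
            return True
    return False


def list_cves(records, release: str) -> list:
    """Sorted CVE ids from parsed records that affect `release`."""
    return sorted(r["cveMetadata"]["cveId"] for r in records
                  if affected_for_release(r, release))


if __name__ == "__main__":
    for rel in ("6.7.12", "6.8", "6.8.4", "6.8.5", "6.9.2"):
        print(rel, affected_for_release(SAMPLE_RECORD, rel))
```

To use it on a checkout, load every `*.json` under the published directory with `json.load` and pass the list to `list_cves`. Greg's caveat applies unchanged: ids are assigned weeks after a stable release ships, so a run the day after a release says little and must be repeated later; and a release that is affected here may still carry a backport that the record does not yet list, which is the kind of "issues" with the JSON files he refers to.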

Re: List linux CVEs for a given stable release? Dominique Martinet (May 30)
Greg Kroah-Hartman wrote on Wed, May 29, 2024 at 09:23:50PM +0200:

(pedantic: `if cve=$(cve_search "$id"); then` is a bit simpler/failproof)

That's roughly what I had done earlier this week (handpicking the
commits that could impact our users), but this doesn't address my second
point as it won't catch any new CVE introduced before that tree that
wasn't fixed.
(also probably a bit more efficient to go by version...

Re: List linux CVEs for a given stable release? Greg Kroah-Hartman (May 29)
True, we don't have that yet, but with the scripts in there, it should
be easy to knock this up (hint, pass the id to scripts/cve_search) if
you need it.

The issue is, CVEs are assigned usually long _AFTER_ the stable release
has happened. So if you want to do this type of report for the latest
stable release, it will look like there are no CVEs. But if you wait a
few weeks, suddenly that old release will have many CVEs assigned to
it....

List linux CVEs for a given stable release? Dominique Martinet (May 29)
Hi Greg,

(Cc-ing oss-security because I think more people there might be
interested than people subscribed to cve () kernel org and I didn't want to
cross-post to multiple lists)

Up until last month someone had been managing a linuxkernelcves[1][2]
site, but it's somehow gone without a trace (DNS emptied, no message I
could see announcing it anywhere)

[1] https://www.linuxkernelcves.com
[2]...

Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Charles Fol (May 27)
Here's what I sent the glibc's security team a few weeks back; I fixed
some typos:

# PHP's heap in 2 sentences

PHP's heap is page-based; each page contains chunks of some specific
size, such as 8, 0x10, 0x18, etc.

Chunks do not have any header or footer, they are raw data. Therefore,
an overflow from some chunk on the heap directly lands on the next chunk.
Now, for each chunk size, a singly-linked list stores chunks that...

Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Florian Weimer (May 27)
* Erik Auerswald:

Oh, right:

| Obviously, base64-encoding is not the only thing you can do. Many
| filters are available.
| […]
|
| » convert.iconv.X.Y, which converts charset from X to Y
|
| Let's take a look at the last filter: convert.iconv.X.Y. Say that I need
| to convert my file from UTF8 to UTF16. I can use:
|
| php://filter/convert.iconv.UTF-8.UTF-16/resource=/etc/passwd

Unfortunately, that exposes all installed iconv...

More Lists

Dozens of other network security lists are archived at SecLists.Org.