oss-sec: by author

358 messages starting Feb 05 24 and ending Feb 14 24

Adhemerval Zanella Netto

Re: Out-of-bounds read & write in the glibc's qsort() Adhemerval Zanella Netto (Feb 05)

Adrian Perez de Castro

WebKitGTK and WPE WebKit Security Advisory WSA-2024-0001 Adrian Perez de Castro (Feb 05)
WebKitGTK and WPE WebKit Security Advisory WSA-2024-0002 Adrian Perez de Castro (Mar 25)

Alan Coopersmith

shim 15.8 released with 6 CVE fixes Alan Coopersmith (Jan 26)
Pillow 10.2.0 released, fixes CVE-2023-50447 Alan Coopersmith (Jan 20)
Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Alan Coopersmith (Feb 13)
GnuTLS 3.8.3 released, fixes CVE-2024-0553 & CVE-2024-0567 Alan Coopersmith (Jan 19)
libuv 1.48.0 released, fixes CVE-2024-24806 Alan Coopersmith (Feb 08)
Security fixes in Python 3.10.14, 3.9.19, and 3.8.19 (CVE-2023-6597 & CVE-2024-0450) Alan Coopersmith (Mar 20)
GnuTLS 3.8.4 released, fixes CVE-2024-28834 & CVE-2024-28835 Alan Coopersmith (Mar 22)
Vulnerabilities in FontTools & FontForge Alan Coopersmith (Mar 08)
Re: [External] : [oss-security] Fwd: GNU emacs 29.3 released to fix security issues Alan Coopersmith (Mar 24)
Re: Fwd: X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17 Alan Coopersmith (Jan 24)
5 CVEs fixed in Go 1.22.1 and Go 1.21.8, 1 CVE fixed in google.golang.org/protobuf Alan Coopersmith (Mar 08)
CVEs issued by the Linux kernel CNA Alan Coopersmith (Feb 20)
Fwd: GNU emacs 29.3 released to fix security issues Alan Coopersmith (Mar 24)
Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Alan Coopersmith (Feb 16)
Re: CVE-2023-45853: overflows in MiniZip in zlib through 1.3 Alan Coopersmith (Jan 24)
Public Review Period for CVE rules Alan Coopersmith (Mar 12)
GNU emacs 29.3 released to fix security issues Alan Coopersmith (Mar 24)
Expat 2.6.2 released, includes security fixes Alan Coopersmith (Mar 15)
Re: help wanted - bring more issues in here Alan Coopersmith (Mar 07)
Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Alan Coopersmith (Jan 26)

Aleksa Sarai

runc: CVE-2024-21626: high severity container breakout attack Aleksa Sarai (Jan 31)
Re: Re: runc: CVE-2024-21626: high severity container breakout attack Aleksa Sarai (Feb 02)

Alexander Burke

Re: Re: Postfix updated SMTP smuggling countermeasure Alexander Burke (Jan 23)

Alexander E. Patrakov

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alexander E. Patrakov (Mar 29)
Re: Out-of-bounds read & write in the glibc's qsort() Alexander E. Patrakov (Feb 05)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alexander E. Patrakov (Mar 30)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alexander E. Patrakov (Mar 30)
Re: CVE-2024-28085: Escape sequence injection in util-linux wall Alexander E. Patrakov (Mar 28)
Re: 5 Linux kernel ksmbd vulnerabilities Alexander E. Patrakov (Mar 18)
Re: Out-of-bounds read & write in the glibc's qsort() Alexander E. Patrakov (Feb 05)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alexander E. Patrakov (Mar 29)
Re: Out-of-bounds read & write in the glibc's qsort() Alexander E. Patrakov (Feb 05)

Alex Gaynor

Re: Python standard library defaults to insecure TLS for mail protocols Alex Gaynor (Feb 01)
Re: GnuTLS 3.8.4 released, fixes CVE-2024-28834 & CVE-2024-28835 Alex Gaynor (Mar 22)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alex Gaynor (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alex Gaynor (Mar 29)

Ali Raza Mumtaz

CVE-2024-22857: Heap Based Buffer overflow in zlog library Ali Raza Mumtaz (Feb 28)
Re: CVE-2024-22857: Heap Based Buffer overflow in zlog library Ali Raza Mumtaz (Feb 29)

Amos Jeffries

Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Amos Jeffries (Feb 01)

Andor Molnar

CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling Andor Molnar (Mar 14)

Andrea Cosentino

CVE-2024-23114: Apache Camel: Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository Andrea Cosentino (Feb 19)
CVE-2024-22369: Apache Camel: Camel-SQL: Unsafe Deserialization from JDBCAggregationRepository Andrea Cosentino (Feb 19)

Andres Freund

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 30)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 30)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 30)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 30)
backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund (Mar 29)

Anthony Liguori

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Anthony Liguori (Mar 29)

Anton Luka Šijanec

Re: Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Anton Luka Šijanec (Jan 24)

Armin Kuster

FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Armin Kuster (Jan 30)
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Armin Kuster (Feb 02)
Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Armin Kuster (Mar 12)

Arnout Engelen

CVE-2024-23539: Apache Fineract: Under certain system configurations, the sqlSearch parameter for specific endpoints was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries. Arnout Engelen (Mar 29)
CVE-2024-23538: Apache Fineract: Under certain system configurations, the sqlSearch parameter was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries. Arnout Engelen (Mar 29)
CVE-2024-27139: Apache Archiva: incorrect authentication potentially leading to account takeover Arnout Engelen (Mar 01)
CVE-2024-27905: Apache Aurora: padding oracle can allow construction of an authentication cookie Arnout Engelen (Feb 27)
CVE-2024-27138: Apache Archiva: disabling user registration is not effective Arnout Engelen (Mar 01)
CVE-2024-27140: Apache Archiva: reflected XSS Arnout Engelen (Mar 01)
CVE-2024-23537: Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role. Arnout Engelen (Mar 29)
CVE-2024-23807: Apache Xerces C++: Use-after-free on external DTD scan Arnout Engelen (Feb 16)
CVE-2023-51441: Apache Axis 1.x (EOL) may allow SSRF when untrusted input is passed to the service admin HTTP API Arnout Engelen (Jan 05)

Arrigo Marchiori

CVE-2023-47804: Apache OpenOffice: Macro URL arbitrary script execution Arrigo Marchiori (Jan 03)
CVE-2023-1183: Apache OpenOffice: Arbitrary file write in Apache OpenOffice Base Arrigo Marchiori (Jan 03)
CVE-2012-5639: Apache OpenOffice: Loading internal / external resources without warning Arrigo Marchiori (Jan 03)
CVE-2022-43680: Apache OpenOffice: "Use after free" fixed in libexpat Arrigo Marchiori (Jan 03)

Axel Beckert

Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Axel Beckert (Mar 30)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Axel Beckert (Mar 30)

Benoit Tellier

CVE-2023-51747: SMTP smuggling in Apache James Benoit Tellier (Feb 27)
CVE-2023-51518: Apache James server: Privilege escalation via JMX pre-authentication deserialisation Benoit Tellier (Feb 26)
CVE-2024-21742: Apache James Mime4J: Mime4J DOM header injection Benoit Tellier (Feb 27)

Bernd Zeimetz

Re: help wanted - bring more issues in here Bernd Zeimetz (Mar 09)

bismy

CVE-2023-44313: Apache ServiceComb Service-Center: attacker can perform SSRF through the frontend API bismy (Jan 31)
CVE-2023-44312: Apache ServiceComb Service-Center: attacker can query all environment variables of the service-center server bismy (Jan 31)

Bjoern Franke

Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Bjoern Franke (Mar 30)

Bo Anderson

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Bo Anderson (Mar 30)

Brad House

c-ares CVE-2024-25629 Brad House (Feb 23)

Brahma Reddy Battula

CVE-2023-50378: Apache Ambari: Various XSS problems Brahma Reddy Battula (Mar 01)
CVE-2023-50379: Apache Ambari: authenticated users could perform command injection to perform RCE Brahma Reddy Battula (Feb 26)
CVE-2023-50380: Apache Ambari: authenticated users could perform XXE to read arbitrary files on the server Brahma Reddy Battula (Feb 27)

Brian Demers

CVE-2023-46749: Apache Shiro before 1.130 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting Brian Demers (Jan 12)

Carlos O'Donell

The GNU C Library has been authorized by the CVE Program as a CVE Numbering Authority (CNA) Carlos O'Donell (Feb 07)

Carsten Ziegeler

CVE-2024-23673: Apache Sling Servlets Resolver: Malicious code execution via path traversal Carsten Ziegeler (Feb 06)

Cengiz Can

CVE-2023-6040: Linux Kernel netfilter out-of-bounds access Cengiz Can (Jan 11)

Charles Zhang

CVE-2023-51785: Apache InLong: Arbitrary File Read Vulnerability in Apache InLong Manager Charles Zhang (Jan 03)
CVE-2024-26580: Apache InLong: Logged-in user could exploit an arbitrary file read vulnerability Charles Zhang (Mar 06)
CVE-2023-51784: Apache InLong: Remote Code Execution vulnerability in Apache InLong Manager Charles Zhang (Jan 03)

Christian Brabandt

Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Christian Brabandt (Jan 28)
Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Christian Brabandt (Feb 01)

Christian Fischer

Re: CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request Christian Fischer (Mar 13)
Re: CVE-2023-49657: Apache Superset: Stored XSS in Dashboard Title and Chart Title Christian Fischer (Jan 23)

Christoph Anton Mitterer

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Christoph Anton Mitterer (Mar 30)

Collin Funk

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Collin Funk (Mar 30)

Colm O hEigeartaigh

CVE-2024-28752: Apache CXF SSRF Vulnerability using the Aegis databinding Colm O hEigeartaigh (Mar 14)

daniel

5 Linux kernel ksmbd vulnerabilities daniel (Mar 18)
CVE-2023-51786: Lustre: incorrect access control resulting in potential data compromise or privilege escalation daniel (Mar 12)

Daniel Beck

Vulnerability in Jenkins Daniel Beck (Mar 20)
Multiple vulnerabilities in Jenkins plugins Daniel Beck (Mar 06)
Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck (Jan 24)

Daniel Gaspar

CVE-2024-24772: Apache Superset: Improper Neutralisation of custom SQL on embedded context Daniel Gaspar (Feb 28)
CVE-2024-23952: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb (version range fix for CVE-2023-46104) Daniel Gaspar (Feb 14)
CVE-2024-26016: Apache Superset: Improper authorization validation on dashboards and charts import Daniel Gaspar (Feb 28)
CVE-2024-27315: Apache Superset: Improper error handling on alerts Daniel Gaspar (Feb 28)
CVE-2023-49657: Apache Superset: Stored XSS in Dashboard Title and Chart Title Daniel Gaspar (Jan 23)
CVE-2024-24779: Apache Superset: Improper data authorization when creating a new dataset Daniel Gaspar (Feb 28)
CVE-2024-24773: Apache Superset: Improper validation of SQL statements allows for unauthorized access to data Daniel Gaspar (Feb 28)

Daniel Kahn Gillmor

Re: Re: Python standard library defaults to insecure TLS for mail protocols Daniel Kahn Gillmor (Feb 02)

Daniel Stenberg

[SECURITY ADVISORY] curl: CVE-2024-2379: QUIC certificate check bypass with wolfSSL Daniel Stenberg (Mar 27)
[SECURITY ADVISORY] curl: CVE-2024-2466: TLS certificate check bypass with mbedTLS Daniel Stenberg (Mar 27)
[SECURITY ADVISORY] curl: CVE-2024-2004: Usage of disabled protocol Daniel Stenberg (Mar 26)
[SECURITY ADVISORY] curl: CVE-2024-0853 : OCSP verification bypass with TLS session reuse Daniel Stenberg (Jan 30)
[SECURITY ADVISORY] curl: CVE-2024-2398: HTTP/2 push headers memory-leak Daniel Stenberg (Mar 27)

David W. Hodgins

Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday David W. Hodgins (Mar 12)

Demi Marie Obenour

Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Demi Marie Obenour (Mar 12)
Re: CVE-2023-51766: Exim: SMTP smuggling Demi Marie Obenour (Jan 01)
Re: CVE-2024-28085: Escape sequence injection in util-linux wall Demi Marie Obenour (Mar 27)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Demi Marie Obenour (Mar 29)
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Demi Marie Obenour (Jan 31)
Re: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Demi Marie Obenour (Feb 02)

Dominique Martinet

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Dominique Martinet (Mar 31)

Dumitru Ceara

[ADVISORY] CVE-2024-2182: Open Virtual Network: Insufficient validation of incoming BFD packets. Dumitru Ceara (Mar 12)

Eddie Chapman

Re: TTY pushback vulnerabilities / TIOCSTI Eddie Chapman (Jan 08)

eduardo vela

Re: CVEs issued by the Linux kernel CNA eduardo vela (Feb 24)

Elad Kalif

CVE-2024-25141: Apache Airflow Mongo Provider: Certificate validation isn't respected even if SSL is enabled for apache-airflow-providers-mongo Elad Kalif (Feb 20)

Emond Papegaaij

CVE-2024-27439: Apache Wicket: Possible bypass of CSRF protection Emond Papegaaij (Mar 19)

Enxin Xie

CVE-2024-22393: Apache Answer: Pixel Flood Attack by uploading the large pixel file Enxin Xie (Feb 22)
CVE-2023-49619: Apache Answer: Repeated submissions using scripts resulted in an abnormal number of collections for questions. Enxin Xie (Jan 10)
CVE-2024-23349: Apache Answer: XSS vulnerability when submitting summary Enxin Xie (Feb 22)
CVE-2024-26578: Apache Answer: Repeated submission at registration created duplicate users with the same name Enxin Xie (Feb 22)

Ephraim Anierobi

CVE-2023-50943: Apache Airflow: Potential pickle deserialization vulnerability in XComs Ephraim Anierobi (Jan 24)
CVE-2024-26280: Apache Airflow: Overly broad default permissions for Viewer/Ops (audit logs) Ephraim Anierobi (Mar 01)
CVE-2023-50944: Apache Airflow: Bypass permission verification to read code of other dags Ephraim Anierobi (Jan 24)
CVE-2023-51702: Apache Airflow CNCF Kubernetes provider, Apache Airflow: Kubernetes configuration file saved without encryption in the Metadata and logged as plain text in the Triggerer service Ephraim Anierobi (Jan 24)
CVE-2024-27906: Apache Airflow: Dag Code and Import Error Permissions Ignored Ephraim Anierobi (Feb 29)
CVE-2024-28746: Apache Airflow: Ignored Airflow Permissions Ephraim Anierobi (Mar 13)

Fay Stegerman

Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Fay Stegerman (Mar 30)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Fay Stegerman (Mar 30)

Florian Weimer

Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Florian Weimer (Mar 30)

Gary D. Gregory

CVE-2024-25710: Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file Gary D. Gregory (Feb 19)
CVE-2024-29131: Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator() Gary D. Gregory (Mar 20)
CVE-2024-26308: Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file Gary D. Gregory (Feb 19)
CVE-2024-29133: Apache Commons Configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree Gary D. Gregory (Mar 20)

Greg KH

Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH (Jan 30)
Re: CVEs issued by the Linux kernel CNA Greg KH (Feb 22)
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH (Jan 30)

halfdog

Re: CVE-2023-51766: Exim: SMTP smuggling halfdog (Jan 01)

Hanno Böck

Re: Re: Python standard library defaults to insecure TLS for mail protocols Hanno Böck (Feb 01)
Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Hanno Böck (Jan 23)
Re: Vulnerabilities in FontTools & FontForge Hanno Böck (Mar 08)
Python standard library defaults to insecure TLS for mail protocols Hanno Böck (Feb 01)

Hans Van Akelyen

CVE-2024-24683: Apache Hop Engine: ID isn't escaped when generating HTML Hans Van Akelyen (Mar 18)

Haonan Hou

CVE-2023-46226: Apache IoTDB: Remote Code Execution (RCE) risk via the UDF Haonan Hou (Jan 15)

Hauke Mehrtens

Re: 5 Linux kernel ksmbd vulnerabilities Hauke Mehrtens (Mar 20)

Heping Wang

CVE-2023-50740: Apache Linkis DataSource: DataSource module Oracle SQL Database Password Logged Heping Wang (Mar 06)

Houston Putman

CVE-2023-50291: Apache Solr: System Property redaction logic inconsistency can lead to leaked passwords Houston Putman (Feb 09)
CVE-2023-50292: Apache Solr: Solr Schema Designer blindly "trusts" all configsets, possibly leading to RCE by unauthenticated users Houston Putman (Feb 09)
CVE-2023-50298: Apache Solr: Solr can expose ZooKeeper credentials via Streaming Expressions Houston Putman (Feb 09)
CVE-2023-50386: Apache Solr: Backup/Restore APIs allow for deployment of executables in malicious ConfigSets Houston Putman (Feb 09)
CVE-2023-50290: Apache Solr: Host environment variables are published via the Metrics API Houston Putman (Jan 12)

Ilya Maximets

[ADVISORY] CVE-2023-5366: Open vSwitch: OpenFlow match on Neighbor Discovery Target may be ignored Ilya Maximets (Feb 08)
[ADVISORY] CVE-2023-3966: Open vSwitch: Invalid memory access in Geneve with HW offload. Ilya Maximets (Feb 08)

István Fajth

CVE-2023-39196: Apache Ozone: Missing mutual TLS authentication in one of the service internal Ozone Storage Container Manager endpoints István Fajth (Feb 07)

Ivan Delalande

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Ivan Delalande (Mar 29)

Jacques Le Roux

CVE-2024-23946: Apache OFBiz: Path traversal or file inclusion Jacques Le Roux (Feb 28)
CVE-2024-25065: Apache OFBiz: Path traversal allowing authentication bypass. Jacques Le Roux (Feb 28)

Jakub Wilk

Re: TTY pushback vulnerabilities / TIOCSTI Jakub Wilk (Jan 16)
Re: CVE-2024-28085: Escape sequence injection in util-linux wall Jakub Wilk (Mar 27)
Re: TTY pushback vulnerabilities / TIOCSTI Jakub Wilk (Jan 07)
Re: TTY handling when executing code in different lower-privileged context (su, virt containers) Jakub Wilk (Jan 31)
Re: Re: CVE-2024-28085: Escape sequence injection in util-linux wall Jakub Wilk (Mar 28)

Jan Engelhardt

Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jan Engelhardt (Mar 30)

Jarek Potiuk

CVE-2024-29735: Apache Airflow: Potentially harmful permission changing by log task handler Jarek Potiuk (Mar 26)

Jeffrey Walton

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jeffrey Walton (Mar 29)
Re: CVE-2023-51766: Exim: SMTP smuggling Jeffrey Walton (Jan 01)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jeffrey Walton (Mar 30)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jeffrey Walton (Mar 31)

Jeremy Stanley

Re: Python standard library defaults to insecure TLS for mail protocols Jeremy Stanley (Feb 01)
OSSN-0093: Unresolved Vulnerability in OpenStack Murano Jeremy Stanley (Mar 07)
OSSN-0093: [OpenStack Murano] Unsafe Environment Handling in MuranoPL Jeremy Stanley (Mar 14)

Jiajie Zhong

CVE-2023-51770: Apache DolphinScheduler: Arbitrary File Read Vulnerability Jiajie Zhong (Feb 20)
CVE-2024-23320: Apache DolphinScheduler: Arbitrary js execution as root for authenticated users Jiajie Zhong (Feb 23)
CVE-2023-49250: Apache DolphinScheduler: Insecure TLS TrustManager used in HttpUtil Jiajie Zhong (Feb 20)
CVE-2023-49109: Remote Code Execution in Apache Dolphinscheduler Jiajie Zhong (Feb 20)
CVE-2023-50270: Apache DolphinScheduler: Sessions do not expire after password change Jiajie Zhong (Feb 20)

Johannes Segitz

Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Johannes Segitz (Jan 24)

Jonathan Schleifer

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jonathan Schleifer (Mar 30)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jonathan Schleifer (Mar 30)

Jose Exposito Quintana

Fwd: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.11 and Xwayland prior to 23.2.4 Jose Exposito Quintana (Jan 18)

Karel Zak

Re: CVE-2024-28085: Escape sequence injection in util-linux wall Karel Zak (Mar 28)

Katherine Mcmillan

Re: help wanted - bring more issues in here Katherine Mcmillan (Mar 07)

Kurt H Maier

Re: Python standard library defaults to insecure TLS for mail protocols Kurt H Maier (Feb 02)

Lari Hotari

CVE-2024-27317: Apache Pulsar: Pulsar Functions Worker's Archive Extraction Vulnerability Allows Unauthorized File Modification Lari Hotari (Mar 12)
CVE-2024-28098: Apache Pulsar: Improper Authorization For Topic-Level Policy Management Lari Hotari (Mar 12)
CVE-2024-27894: Apache Pulsar: Pulsar Functions Worker Allows Unauthorized File Access and Unauthorized HTTP/HTTPS Proxying Lari Hotari (Mar 12)
CVE-2022-34321: Apache Pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint Lari Hotari (Mar 12)
CVE-2024-27135: Apache Pulsar: Improper Input Validation in Pulsar Function Worker allows Remote Code Execution Lari Hotari (Mar 12)

Liguori, Anthony

Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Liguori, Anthony (Mar 29)

Li Yang

CVE-2023-29055: Apache Kylin: Insufficiently protected credentials in config file Li Yang (Jan 29)

Loganaden Velvindron

Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron (Mar 31)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron (Mar 30)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron (Mar 29)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron (Mar 30)

Marc Deslauriers

Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers (Mar 29)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers (Mar 30)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers (Mar 29)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers (Mar 30)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers (Mar 29)

Marcin Wolcendorf

Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marcin Wolcendorf (Mar 30)

Marco Benatto

CVE-2023-6395 Mock: Privilege escalation for users that can access mock configuration Marco Benatto (Jan 16)

Marco Ivaldi

HNS-2024-05 - HN Security Advisory - Multiple vulnerabilities in RT-Thread RTOS Marco Ivaldi (Mar 05)

Marcus Meissner

Re: CVEs issued by the Linux kernel CNA Marcus Meissner (Feb 21)

Mariusz Felisiak

Django: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words() Mariusz Felisiak (Mar 04)

Mark Esler

Re: Security vulnerability in Debian's cpio 2.13 Mark Esler (Jan 05)

Mark Thomas

CVE-2024-24549: Apache Tomcat: HTTP/2 header handling DoS Mark Thomas (Mar 13)
CVE-2024-21733: Apache Tomcat: Leaking of unrelated request bodies in default error page Mark Thomas (Jan 19)
CVE-2024-23672: Apache Tomcat: WebSocket DoS with incomplete closing handshake Mark Thomas (Mar 13)

Markus Klyver

SV: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Markus Klyver (Mar 31)

Mate Kukri

Re: Secure Boot bypass in EDK2 based Virtual Machine firmware Mate Kukri (Feb 14)
Re: Secure Boot bypass in EDK2 based Virtual Machine firmware Mate Kukri (Feb 14)
Secure Boot bypass in EDK2 based Virtual Machine firmware Mate Kukri (Feb 14)

Mats Wichmann

Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Mats Wichmann (Mar 30)

Matt Caswell

OpenSSL Security Advisory Matt Caswell (Jan 25)

Matthew Fernandez

Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Matthew Fernandez (Jan 26)
Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Matthew Fernandez (Feb 01)

Matthias Gerstner

Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Matthias Gerstner (Jan 04)
Re: systemd and other system services (in)compatibility with Linux procfs hidepid (was: darkhttpd: timing attack and local leak of HTTP basic auth credentials) Matthias Gerstner (Feb 05)
Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Matthias Gerstner (Jan 25)
darkhttpd: timing attack and local leak of HTTP basic auth credentials Matthias Gerstner (Jan 23)
dnf5daemon-server: Local root Exploit and Local Denial-of-Service in dnf5 D-Bus Components (CVE-2024-1929, CVE-2024-1930) Matthias Gerstner (Mar 04)
pam: pam_namespace misses O_DIRECTORY flag in `protect_dir()` (CVE-2024-22365) Matthias Gerstner (Jan 18)
Performance Co-Pilot (pcp): Unsafe use of Directories in /var/lib/pcp and /var/log/pcp breaks pcp Service User Isolation (CVE-2023-6917) Matthias Gerstner (Feb 28)

Matthias Weckbecker

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Matthias Weckbecker (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Matthias Weckbecker (Mar 30)

Maxim Suhanov

CVE-2023-4001: a password bypass vulnerability in the downstream GRUB boot manager Maxim Suhanov (Jan 15)

Michael.Karcher

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Michael.Karcher (Mar 31)

Michael Marshall

CVE-2023-51437: Apache Pulsar: Timing attack in SASL token signature verification Michael Marshall (Feb 07)

Michael Tokarev

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Michael Tokarev (Mar 31)

Michał Kępień

ISC has disclosed six vulnerabilities in BIND 9 (CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50387, CVE-2023-50868) Michał Kępień (Feb 13)

Miguel Suarez

Re: help wanted - bring more issues in here Miguel Suarez (Mar 09)

Mike O'Connor

Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Mike O'Connor (Mar 30)

Mingyu Chen

CVE-2023-41313: Apache Doris: Timing Attack weakness Mingyu Chen (Mar 10)
CVE-2024-27438: Apache Doris: Downloading arbitrary remote jar files resulting in remote command execution Mingyu Chen (Mar 21)
CVE-2024-26307: Apache Doris: Possible race condition Mingyu Chen (Mar 21)

Natalia Bidart

Django CVE-2024-24680: Potential denial-of-service in intcomma template filter Natalia Bidart (Feb 06)

nightmare . yeah27

Re: CVE-2024-28085: Escape sequence injection in util-linux wall nightmare . yeah27 (Mar 27)
Re: Python standard library defaults to insecure TLS for mail protocols nightmare . yeah27 (Feb 02)
Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials nightmare . yeah27 (Jan 24)
Re: Python standard library defaults to insecure TLS for mail protocols nightmare . yeah27 (Feb 01)
Re: help wanted - bring more issues in here nightmare . yeah27 (Mar 09)

Otavio Rodolfo Piske

CVE-2024-22371: Apache Camel issue on ExchangeCreatedEvent Otavio Rodolfo Piske (Feb 23)

Otto Moerbeek

PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor Otto Moerbeek (Feb 14)

Pat Gunn

Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Pat Gunn (Mar 30)

Pierre-Elliott Bécue

Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Pierre-Elliott Bécue (Mar 30)

Qualys Security Advisory

CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog() Qualys Security Advisory (Jan 30)
Out-of-bounds read & write in the glibc's qsort() Qualys Security Advisory (Jan 30)
Re: Out-of-bounds read & write in the glibc's qsort() Qualys Security Advisory (Feb 05)

Rein Fernhout (Levitating)

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 29)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 30)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 30)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 30)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating) (Mar 30)

Roxana Bradescu

Re: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Roxana Bradescu (Feb 02)

Russ Allbery

Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Russ Allbery (Mar 29)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Russ Allbery (Mar 30)

Salvatore Bonaccorso

Re: GNU emacs 29.3 released to fix security issues Salvatore Bonaccorso (Mar 25)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Salvatore Bonaccorso (Mar 30)
Re: GNU emacs 29.3 released to fix security issues Salvatore Bonaccorso (Mar 25)
Re: libuv 1.48.0 released, fixes CVE-2024-24806 Salvatore Bonaccorso (Feb 11)

Siddhesh Poyarekar

Re: CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog() Siddhesh Poyarekar (Jan 30)

sjw

Re: backdoor in upstream xz/liblzma leading to ssh server compromise sjw (Mar 29)
Re: OpenSSL Security Advisory sjw (Jan 25)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise sjw (Mar 30)

Skyler Ferrante (RIT Student)

CVE-2024-28085: Escape sequence injection in util-linux wall Skyler Ferrante (RIT Student) (Mar 27)

Solar Designer

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 31)
Mock, Snap, LXC expose(d) chroot, container trees with unsafe permissions and contents to host users, pose risk to host Solar Designer (Jan 16)
Re: help wanted - bring more issues in here Solar Designer (Mar 08)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 30)
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer (Jan 30)
Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Solar Designer (Feb 16)
Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Solar Designer (Feb 13)
Firefox 124.0.1 fixes two critical JavaScript engine vulnerabilities Solar Designer (Mar 23)
Postfix updated SMTP smuggling countermeasure Solar Designer (Jan 22)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 31)
Re: CVE-2024-23952: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb (version range fix for CVE-2023-46104) Solar Designer (Feb 14)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 30)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 31)
Re: announcing sponsorship; distros list statistics for 2023 Solar Designer (Jan 22)
Re: help wanted - bring more issues in here Solar Designer (Mar 09)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 29)
systemd and other system services (in)compatibility with Linux procfs hidepid (was: darkhttpd: timing attack and local leak of HTTP basic auth credentials) Solar Designer (Feb 02)
Re: CVE-2024-22857: Heap Based Buffer overflow in zlog library Solar Designer (Feb 28)
Re: runc: CVE-2024-21626: high severity container breakout attack Solar Designer (Jan 31)
Re: Out-of-bounds read & write in the glibc's qsort() Solar Designer (Feb 04)
Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Solar Designer (Feb 13)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 31)
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer (Jan 30)
Re: Out-of-bounds read & write in the glibc's qsort() Solar Designer (Feb 05)
Re: CVEs issued by the Linux kernel CNA Solar Designer (Feb 22)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 31)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 30)
CVE-2024-1048: grub2-set-bootflag may be abused to fill up /boot, bypass RLIMIT_NPROC Solar Designer (Feb 06)
help wanted - bring more issues in here Solar Designer (Mar 07)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 29)
Re: help wanted - bring more issues in here Solar Designer (Mar 09)
Re: CVE-2024-28085: Escape sequence injection in util-linux wall Solar Designer (Mar 27)

Steffen Nurpmeso

Re: Python standard library defaults to insecure TLS for mail protocols Steffen Nurpmeso (Feb 02)
Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Steffen Nurpmeso (Mar 12)
Re: Python standard library defaults to insecure TLS for mail protocols Steffen Nurpmeso (Feb 02)

Stig Palmquist

CVE-2024-22368: Spreadsheet::ParseXLSX for Perl is vulnerable to DoS via out-of-memory bugs Stig Palmquist (Jan 10)
CVE-2024-23525: Spreadsheet::ParseXLSX for Perl is vulnerable to XXE attacks Stig Palmquist (Jan 18)

Stuart D Gathman

Re: Python standard library defaults to insecure TLS for mail protocols Stuart D Gathman (Feb 02)

suarezmiguelc

NodeJS v{18.x,20.x,21.x} February Security Updates suarezmiguelc (Mar 11)

Tavis Ormandy

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 30)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 30)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 30)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 30)

terraminator

Re: backdoor in upstream xz/liblzma leading to ssh server compromise terraminator (Mar 29)

Thadeu Lima de Souza Cascardo

Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Thadeu Lima de Souza Cascardo (Jan 31)

Thomas Ward

RE: backdoor in upstream xz/liblzma leading to ssh server compromise Thomas Ward (Mar 30)

Timo Warns

Re: CVE-2012-5639: Apache OpenOffice: Loading internal / external resources without warning Timo Warns (Jan 03)

Tomas Mraz

OpenSSL Security Advisory Tomas Mraz (Jan 15)
OpenSSL Security Advisory Tomas Mraz (Jan 09)

Valentin Metz

Re: GNU coreutils v9.4; v9.3; v9.2 split heap buffer overflow vulnerability Valentin Metz (Jan 19)
GNU coreutils v9.4; v9.3; v9.2 split heap buffer overflow vulnerability Valentin Metz (Jan 18)

Valtteri Vuorikoski

Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Valtteri Vuorikoski (Mar 11)
Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Valtteri Vuorikoski (Mar 12)
CVE-2023-45229 and others: Multiple vulnerabilities in EDK II UEFI stack (PixieFAIL) Valtteri Vuorikoski (Jan 16)
CVE-2024-23832: Mastodon: Remote user impersonation and takeover Valtteri Vuorikoski (Feb 02)
Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Valtteri Vuorikoski (Mar 12)

Vegard Nossum

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Vegard Nossum (Mar 29)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Vegard Nossum (Mar 30)
Re: CVEs issued by the Linux kernel CNA Vegard Nossum (Mar 13)

Wang Weibing

CVE-2024-23452: Apache bRPC: HTTP request smuggling vulnerability Wang Weibing (Feb 08)

Wietse Venema

Re: Postfix updated SMTP smuggling countermeasure Wietse Venema (Jan 23)

Willy Tarreau

Re: Mock, Snap, LXC expose(d) chroot, container trees with unsafe permissions and contents to host users, pose risk to host Willy Tarreau (Jan 16)

Xen . org security team

Xen Security Advisory 453 v1 (CVE-2024-2193) - GhostRace: Speculative Race Conditions Xen . org security team (Mar 12)
Xen Security Advisory 452 v1 (CVE-2023-28746) - x86: Register File Data Sampling Xen . org security team (Mar 12)
Xen Security Advisory 449 v2 (CVE-2023-46839) - pci: phantom functions assigned to incorrect contexts Xen . org security team (Jan 30)
Xen Security Advisory 448 v2 (CVE-2023-46838) - Linux: netback processing of zero-length transmit fragment Xen . org security team (Jan 22)
Xen Security Advisory 450 v2 (CVE-2023-46840) - VT-d: Failure to quarantine devices in !HVM builds Xen . org security team (Jan 30)
Xen Security Advisory 451 v2 (CVE-2023-46841) - x86: shadow stack vs exceptions from emulation stubs Xen . org security team (Feb 27)

Yorgos Thessalonikefs

Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Yorgos Thessalonikefs (Feb 13)

Yves-Alexis Perez

Re: Secure Boot bypass in EDK2 based Virtual Machine firmware Yves-Alexis Perez (Feb 14)
Re: Secure Boot bypass in EDK2 based Virtual Machine firmware Yves-Alexis Perez (Feb 14)