Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

Latest Posts

CVE-2023-35701: Apache Hive: Arbitrary command execution via JDBC driver Stamatis Zampetakis (May 03)
Severity: moderate

Affected versions:

- Apache Hive 4.0.0-alpha-1 before 4.0.0

Description:

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Hive.

The vulnerability affects the Hive JDBC driver component and it can potentially lead to arbitrary code execution on the
machine/endpoint on which the JDBC driver (client) is running. The malicious user must have sufficient permissions to
specify/edit JDBC...

Re: escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise) Steffen Nurpmeso (May 03)
Steffen Nurpmeso wrote in
<20240502223912.08A3RYp4@steffen%sdaoden.eu>:
|Sam James wrote in
| <87o79nlwxl.fsf () gentoo org>:
||Solar Designer <solar () openwall com> writes:
||> On Wed, Apr 03, 2024 at 11:03:17AM +1100, Matthew Fernandez wrote:
||>> On 4/1/24 08:30, Solar Designer wrote:
||>>>On Sat, Mar 30, 2024 at 04:37:48PM -0000, Tavis Ormandy wrote:
...
||>> Is the currently accepted wisdom...

Re: escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise) Steffen Nurpmeso (May 03)
Sam James wrote in
<87o79nlwxl.fsf () gentoo org>:
|Solar Designer <solar () openwall com> writes:
|> On Wed, Apr 03, 2024 at 11:03:17AM +1100, Matthew Fernandez wrote:
|>> On 4/1/24 08:30, Solar Designer wrote:
|>>>On Sat, Mar 30, 2024 at 04:37:48PM -0000, Tavis Ormandy wrote:
|>>>>It was also pointed out they submitted an odd PR to libarchive:
|>>>>
|>>>>...

Re: escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise) Sam James (May 02)
Solar Designer <solar () openwall com> writes:

Lasse has put up an initial implementation for xz:
https://github.com/tukaani-project/xz/pull/118.

Comments are welcome. It was a TODO from a long time ago ;)

We're not sure how much is overkill (or underkill) for this, especially
given it gets harder when Unicode is involved.

thanks,
sam
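
Sam James's message above points at xz's work on escaping terminal control characters and at the Unicode cases that make it harder. The following is an added example written for this page, not the xz project's implementation and not the code in the pull request. It uses an escaping convention of our own (backslash escapes, with a literal backslash itself escaped so the printed form is unambiguous) and Unicode general categories to catch what a plain "byte < 0x20" test misses: C1 controls arriving as two-byte UTF-8 (0xC2 0x9B is an 8-bit CSI), bytes that are not valid UTF-8 at all, and format characters such as the right-to-left override. The sample names are constructed.

```python
"""Escape a byte-string filename before printing it to a terminal.

Added example, not xz's code. Convention assumed here: controls, undecodable
bytes and other non-printing code points become a backslash-x or backslash-u
escape, and a literal backslash is doubled, so the output is unambiguous.
"""
import unicodedata

# Unicode general categories that should never reach a terminal raw:
# Cc control (C0 and C1), Cf format (bidi overrides, zero-width chars),
# Cs surrogates (used below for undecodable bytes), Co private use,
# Cn unassigned, Zl/Zp line and paragraph separators.
_UNSAFE_CATEGORIES = {"Cc", "Cf", "Cs", "Co", "Cn", "Zl", "Zp"}


def _escape_char(ch: str) -> str:
    cp = ord(ch)
    if 0xDC80 <= cp <= 0xDCFF:
        # surrogateescape placeholder: emit the original raw byte value
        return "\\x%02x" % (cp - 0xDC00)
    if ch == "\\":
        return "\\\\"
    if cp < 0x100:
        # C0 controls, DEL and C1 controls (e.g. 0x9B, the 8-bit CSI)
        return "\\x%02x" % cp
    return "\\u%04x" % cp


def escape_for_terminal(name: bytes) -> str:
    """Return a printable str; every escaped form starts with a backslash."""
    text = name.decode("utf-8", "surrogateescape")
    out = []
    for ch in text:
        if ch == "\\" or unicodedata.category(ch) in _UNSAFE_CATEGORIES:
            out.append(_escape_char(ch))
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample names: ANSI colour sequence, 8-bit CSI in UTF-8, an
# invalid byte, right-to-left override, a backslash, and a plain UTF-8 name.
SAMPLES = [
    b"evil\x1b[31mname",
    b"a\xc2\x9bXb",
    b"a\xffb",
    "report\u202etxt.exe".encode(),
    b"a\\b",
    "caf\u00e9.tar.xz".encode(),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(escape_for_terminal(raw))
```

Tab is escaped along with the other C0 bytes; a tool that wants to keep tabs readable can whitelist 0x09 the way SP is already kept, but everything at or above U+0080 should still go through the category check, since the dangerous cases there (C1 controls, bidi overrides) are not "control characters" in the byte-range sense.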

Re: New SMTP smuggling attack Solar Designer (May 02)
Steffen,

This reads like an excuse to post lots of thoughts that are off-topic
for this thread. I understand that sometimes discussions wander off the
original topic, but in this case the second half of your message is
totally irrelevant. I approved this one message anyway out of respect
for the time you spent writing it, but please be aware that I am
unlikely to do that next time you do something like this. I also ask
others to please...

Re: New SMTP smuggling attack Steffen Nurpmeso (May 02)
Please let me elaborate a little more on this, not to be
misunderstood and also..

Steffen Nurpmeso wrote in
<20240430224823.uA8Nr1Cp@steffen%sdaoden.eu>:
|Mark Esler wrote in
| <ZjBHOEHylGAaIo57@moon>:
||To mitigate future end-of-data sequence attacks, like SMTP Smuggling, MTAs
||should comply with RFC 5321 section 4.1.1.4 [0] to strip control
||characters other than <SP>, <HT>, <CR>, and <LF> in the...

CVE-2024-30251: DoS in aiohttp Sam Bull (May 02)
Aiohttp is an HTTP client and server-side web framework in Python. This issue only affects
users of the server-side web framework. We've not seen any evidence of this being
exploited in the wild yet, and fixes were already included in the 3.9.4 and 3.9.5
releases.

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5m98-qgg9-wh84

### Summary
An attacker can send a specially crafted POST (multipart/form-data) request. When the...

Multiple vulnerabilities in Jenkins plugins Daniel Beck (May 02)
Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Git server Plugin 117.veb_68868fa_027
* Script Security Plugin 1336.vf33a_a_9863911

Additionally, we announce unresolved security issues in the following
plugins:

* Subversion Partial Release Manager Plugin
* Telegram Bot Plugin

Summaries...

CVE-2024-32638: Apache APISIX: Forward-Auth Request Smuggling YuanSheng Wang (May 02)
Severity: low

Affected versions:

- Apache APISIX 3.8.0, 3.9.0

Description:

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
vulnerability in Apache APISIX when using `forward-auth` plugin.

This issue affects Apache APISIX 3.8.0 and 3.9.0.

Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which
fixes the issue.

Credit:

Discovered and reported by Brandon Arp and Bruno Green of Topsort....

Re: Re: CVEs issued by the Linux kernel CNA Greg KH (May 02)
And, if anyone wants to play along at home, they can get the same
information directly from our git repo at:
https://git.kernel.org/pub/scm/linux/security/vulns.git/
by cloning it locally and then running:

$ ./scripts/summary
Year Reserved Assigned Rejected Total
2019: 47 2 1 50
2020: 37 13 0...

Re: CVEs issued by the Linux kernel CNA Alan Coopersmith (May 01)
Quantifying this a bit more now - Greg K-H provided some stats so far in:
https://social.kernel.org/notice/AhSCMVs4RofbnTftGS

which says:

CVE-2024-32114: Apache ActiveMQ: Jolokia and REST API were not secured with default configuration Jean-Baptiste Onofré (May 01)
Severity: low

Affected versions:

- Apache ActiveMQ 6.0.0 through 6.1.1

Description:

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API
and the Message REST API are located).
It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with
the broker (using Jolokia JMX REST API) and/or produce/consume messages or...
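
A check for the default configuration the advisory above describes, added here and not part of the ActiveMQ project: it sends one anonymous GET to the Jolokia endpoint under the API web context and reports whether the broker answered a JMX request without credentials. The 8161 default port, the /api/jolokia/version path and the shape of Jolokia's JSON reply are assumptions about the deployment, not facts taken from the advisory; the sample responses in the comments are constructed.

```python
"""Unauthenticated probe of an ActiveMQ broker's /api web context.

Added check, not ActiveMQ project code. Assumptions: the embedded web server
listens on http://host:8161 and Jolokia answers GET /api/jolokia/version with
a JSON document carrying "status" and "value".
"""
import json
import sys
import urllib.error
import urllib.request

JOLOKIA_VERSION_PATH = "/api/jolokia/version"   # assumed Jolokia endpoint path


def classify(status: int, body: bytes) -> str:
    """Map one HTTP response to 'exposed', 'protected' or 'unknown'."""
    if status in (401, 403):
        return "protected"          # the context demands credentials
    if status != 200:
        return "unknown"
    try:
        doc = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        return "unknown"            # 200 but not Jolokia JSON (e.g. a login page)
    if isinstance(doc, dict) and doc.get("status") == 200 and "value" in doc:
        return "exposed"            # Jolokia served a JMX answer with no auth
    return "unknown"


def probe(base_url: str, timeout: float = 5.0) -> str:
    """Send a single anonymous GET and classify the answer."""
    req = urllib.request.Request(base_url.rstrip("/") + JOLOKIA_VERSION_PATH,
                                 headers={"User-Agent": "activemq-api-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())


if __name__ == "__main__":
    # constructed default; pass the broker's web console URL as argv[1]
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8161"
    print("%s: %s" % (target, probe(target)))
```

Run it only against brokers you are authorized to test. "exposed" means the Jolokia JMX layer in the API context answered an anonymous request, which is the condition the advisory describes; "unknown" is not a clean bill of health, only a response this probe does not recognise.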

Re: New SMTP smuggling attack Steffen Nurpmeso (Apr 30)
Mark Esler wrote in
<ZjBHOEHylGAaIo57@moon>:
|To mitigate future end-of-data sequence attacks, like SMTP Smuggling, MTAs
|should comply with RFC 5321 section 4.1.1.4 [0] to strip control
|characters other than <SP>, <HT>, <CR>, and <LF> in the DATA section of
|SMTP messages.

Given that RFC 733 is from 1977 and RFC 822 is from 1982 I feel
this entire thread is exaggerating.

The smuggling problem solely was...

Re: New SMTP smuggling attack Erik Auerswald (Apr 30)
Hi Mark,

This is an interesting interpretation of RFC 5321, but I do not think
it follows the contents of said RFC.

Well, my reading of the RFC does not forbid this sequence. RFC 5321
clearly does not require transforming this sequence into another sequence.

RFC 5321 section 4.1.1.4 (DATA (DATA)) states:

"The mail data may contain any of the 128 ASCII character codes"

RFC 5321 section 4.5.2 (Transparency) states:...

Re: New SMTP smuggling attack nightmare . yeah27 (Apr 30)
[...]

I don't see that stripping specifically is implied.

What is the benefit of stripping versus the much more natural option
of rejecting such messages?

One possible consequence of passing messages along in an altered form
is that various signatures may break.
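
The SMTP smuggling thread above turns on three things: Mark Esler's proposal that MTAs strip control characters other than SP, HT, CR and LF from DATA, the alternative raised in the last message of rejecting such messages instead, and the observation that altering a message can break signatures. The following is an added example written for this page, not any MTA's code. It implements both policies on the sending side, the RFC 5321 section 4.5.2 dot-transparency step, a receiver that ends DATA only at <CRLF>.<CRLF> beside one that also accepts bare-LF and bare-CR variants, and a body hash as a stand-in for what a signature such as DKIM covers. The sample message is constructed.

```python
"""SMTP DATA hygiene around the end-of-data sequence.

Added example, not an MTA's code. Shows rejecting versus stripping bare CR/LF
and stray controls before DATA, dot transparency, strict versus lenient
end-of-data detection, and why rewriting the body changes what a signature
would cover.
"""
import hashlib
import re

_KEEP_CTRL = {0x09, 0x0A, 0x0D}  # HT, LF, CR stay; SP (0x20) is not a control
_BARE_CR_OR_LF = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def find_bare_line_endings(body: bytes) -> list:
    """Offsets of a CR not followed by LF, or an LF not preceded by CR."""
    return [m.start() for m in _BARE_CR_OR_LF.finditer(body)]


def find_stray_controls(body: bytes) -> list:
    """Offsets of C0 controls and DEL other than HT, LF and CR."""
    return [i for i, b in enumerate(body)
            if (b < 0x20 or b == 0x7F) and b not in _KEEP_CTRL]


def normalize_body(body: bytes) -> bytes:
    """Canonicalise every line ending to CRLF and drop stray controls."""
    body = body.replace(b"\r\n", b"\n").replace(b"\r", b"\n").replace(b"\n", b"\r\n")
    return bytes(b for b in body
                 if not ((b < 0x20 or b == 0x7F) and b not in _KEEP_CTRL))


def dot_stuff(body: bytes) -> bytes:
    """RFC 5321 4.5.2: prefix one '.' to every line that starts with '.'."""
    return b"\r\n".join(b"." + line if line.startswith(b".") else line
                        for line in body.split(b"\r\n"))


def dot_unstuff(message: bytes) -> bytes:
    """Receiver side: drop the leading '.' from lines that start with one."""
    return b"\r\n".join(line[1:] if line.startswith(b".") else line
                        for line in message.split(b"\r\n"))


def prepare_data_payload(body: bytes, policy: str = "reject") -> bytes:
    """Bytes a client MTA sends after DATA, under the 'reject' or 'strip' policy."""
    bare, stray = find_bare_line_endings(body), find_stray_controls(body)
    if policy == "reject":
        if bare or stray:
            raise ValueError("bare CR/LF or control character at offsets %r"
                             % (bare + stray))
    elif policy == "strip":
        body = normalize_body(body)   # changes the bytes: see body_hash below
    else:
        raise ValueError("unknown policy %r" % policy)
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return dot_stuff(body) + b".\r\n"


STRICT_TERMINATORS = (b"\r\n.\r\n",)
LAX_TERMINATORS = (b"\r\n.\r\n", b"\n.\r\n", b"\r.\r\n")  # a lenient receiver


def split_end_of_data(stream: bytes, terminators=STRICT_TERMINATORS):
    """Return (message, rest) at the earliest terminator, or (None, stream)."""
    padded = b"\r\n" + stream  # the reply to DATA ended with CRLF
    best = None
    for term in terminators:
        i = padded.find(term)
        if i >= 0 and (best is None or i < best[0]):
            best = (i, term)
    if best is None:
        return None, stream
    i, term = best
    # every terminator ends in ".\r\n"; the bytes before that belong to the message
    return padded[2:i + len(term) - 3], padded[i + len(term):]


def body_hash(body: bytes) -> str:
    """Stand-in for a signature's body hash (the part of DKIM a rewrite breaks)."""
    return hashlib.sha256(body).hexdigest()


# Constructed sample: a bare LF before "." lets a lenient receiver end the
# message early and read the remainder as new SMTP commands.
SMUGGLE_BODY = (b"Subject: hello\r\n\r\nlegit body\n.\r\n"
                b"MAIL FROM:<attacker@example.com>\r\n"
                b"RCPT TO:<victim@example.com>\r\nDATA\r\nsmuggled\r\n")

if __name__ == "__main__":
    raw = SMUGGLE_BODY + b".\r\n"  # relayed as-is by a sender that checks nothing
    print("lenient receiver, leftover bytes:", split_end_of_data(raw, LAX_TERMINATORS)[1])
    print("strict receiver, leftover bytes:", split_end_of_data(raw)[1])
    print("strip policy changes the body hash:",
          body_hash(SMUGGLE_BODY) != body_hash(normalize_body(SMUGGLE_BODY)))
```

With the reject policy the sender refuses the message at offset 28 (the bare LF) and nothing is smuggled; with the strip policy the lone "." ends up on its own CRLF line, gets dot-stuffed to "..", and even the lenient receiver reads the whole message as one. The price of strip is visible in the last line of output: the normalised body no longer hashes to the same value as what the author signed, which is the point raised in the message above about signatures breaking.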

More Lists

Dozens of other network security lists are archived at SecLists.Org.