oss-sec: by author
131 messages, starting Mar 19 20 and ending Jan 14 20
Aaron Patterson
[CVE-2020-5267] Possible XSS vulnerability in ActionView Aaron Patterson (Mar 19)
Aki Tuomi
CVE-2020-7046: Dovecot: Truncated UTF-8 can be used to DoS submission-login and lmtp processes Aki Tuomi (Feb 12)
CVE-2020-7957: Dovecot: Specially crafted mail can crash snippet generation Aki Tuomi (Feb 12)
Alexander E. Patrakov
Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Alexander E. Patrakov (Feb 24)
Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Alexander E. Patrakov (Feb 29)
Al Viro
Re: Linux kernel: user-triggerable read-after-free crash or 1-bit infoleak oracle in open(2) Al Viro (Feb 02)
Amadeusz Sławiński
Re: GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Amadeusz Sławiński (Feb 06)
Re: GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Amadeusz Sławiński (Feb 25)
Andy LoPresto
CVE-2020-1942: Apache NiFi 0.0.1 to 1.11.0 information disclosure in logs Andy LoPresto (Feb 10)
Angela Schreiber
CVE-2020-1940: Apache Jackrabbit Oak sensitive information disclosure vulnerability Angela Schreiber (Jan 28)
Anthony Baker
[CVE-2019-10091] Apache Geode SSL endpoint verification vulnerability Anthony Baker (Mar 14)
Ash Berlin-Taylor
[CVE-2019-12398] Apache Airflow Stored XSS vulnerability in classic UI Ash Berlin-Taylor (Jan 14)
Benjamin Gilbert
CoreOS leaving distros/linux-distros on May 26, handing off responsibilities Benjamin Gilbert (Mar 03)
Boris Ostrovsky
CVE-2020-2732: Nested VMX vulnerability Boris Ostrovsky (Feb 25)
Brad Spengler
Re: Potential regression and/or incomplete fix for CVE-2017-12762 Brad Spengler (Feb 11)
Brian Demers
[CVE-2020-1957] Apache Shiro 1.5.2 released Brian Demers (Mar 23)
Carlos Alberto Lopez Perez
WebKitGTK and WPE WebKit Security Advisory WSA-2020-0001 Carlos Alberto Lopez Perez (Jan 23)
WebKitGTK and WPE WebKit Security Advisory WSA-2020-0002 Carlos Alberto Lopez Perez (Feb 14)
Carlton Gibson
Django 3.0.3, 2.2.10 and 1.11.28: CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)`` Carlton Gibson (Feb 03)
Catalin Marinas
Linux kernel: arm64/KVM debug registers vulnerability Catalin Marinas (Jan 30)
Cedric Buissart
Re: Re: GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Cedric Buissart (Feb 24)
Re: Re: GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Cedric Buissart (Feb 24)
cert.cc
RE: [CVE-2019-17570] xmlrpc-common untrusted deserialization cert.cc (Jan 24)
[CVE-2019-17570] xmlrpc-common untrusted deserialization cert.cc (Jan 16)
Colm O hEigeartaigh
[CVE-2019-17573] Apache CXF Reflected XSS in the services listing page Colm O hEigeartaigh (Jan 16)
[CVE-2019-12423] Apache CXF OpenId Connect JWK Keys service returns private/secret credentials if configured with a jwk keystore Colm O hEigeartaigh (Jan 16)
Damien Miller
Announce: OpenSSH 8.2 released Damien Miller (Feb 13)
Daniel Beck
Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck (Jan 29)
Multiple vulnerabilities in Jenkins plugins Daniel Beck (Feb 12)
Multiple vulnerabilities in Jenkins plugins Daniel Beck (Jan 15)
Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck (Mar 25)
daniel gaspar
[CVE-2020-1932] Apache Incubator Superset user data leak vulnerability daniel gaspar (Jan 27)
Daniel Klco
CVE-2020-1949: Apache Sling CMS Reflected XSS Vulnerability Daniel Klco (Mar 25)
Daniel Stenberg
[SECURITY ADVISORY] curl: SMB access smuggling via FILE URL on Windows (CVE-2019-15601) Daniel Stenberg (Jan 07)
Dhiraj Mishra
Stealing Videos from VLC-iOS (IDOR) Dhiraj Mishra (Mar 26)
Dimitrios Glynos
multiple NULL pointer dereference vulnerabilities in newlib Dimitrios Glynos (Jan 31)
Florian Weimer
CVE-2020-9391: Ignoring the top byte of addresses in brk causes heap corruption (AArch64) Florian Weimer (Feb 25)
Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Florian Weimer (Mar 01)
Francis Perron
Re: CVE for program distributing vulnerable components ? Francis Perron (Feb 14)
George Ni
[CVE-2020-1937] Apache Kylin SQL injection vulnerability George Ni (Feb 22)
Hanno Böck
Serendipity XSS via update notification (minor, exploitable by s9y developers) Hanno Böck (Mar 23)
Wordpress themegrill-demo-importer: database reset/auth bypass, incomplete fix due to CSRF Hanno Böck (Feb 19)
mailman 2.x: XSS via file attachments in list archives Hanno Böck (Feb 24)
Hardik Vyas
CVE-2020-1700 ceph: connection leak in the RGW Beast front-end permits a DoS against the RGW server Hardik Vyas (Jan 31)
Ibrahim el-sayed
Potential regression and/or incomplete fix for CVE-2017-12762 Ibrahim el-sayed (Feb 11)
Re: Potential regression and/or incomplete fix for CVE-2017-12762 Ibrahim el-sayed (Feb 14)
Igor Seletskiy
Re: CoreOS leaving distros/linux-distros on May 26, handing off responsibilities Igor Seletskiy (Mar 04)
ISC Security Officer
BIND Operational Notification: An error in handling TCP client quota limits can exhaust TCP connections in BIND 9.16.0 ISC Security Officer (Mar 05)
Ismaël Mejía
[CVE-2020-1929] Apache Beam MongoDB IO connector disables certificate trust verification Ismaël Mejía (Jan 15)
Jacopo Cappellato
[CVE-2020-1943] Apache OFBiz XSS Vulnerability Jacopo Cappellato (Mar 06)
[SECURITY] CVE-2019-12426 information disclosure vulnerability in Apache OFBiz Jacopo Cappellato (Feb 06)
Janushkevich, Dmitry
U-Boot verified boot improper signature verification Janushkevich, Dmitry (Mar 18)
Jeffrey Walton
Some AMD cpus with RDRAND fail to produce random numbers after suspend/resume Jeffrey Walton (Jan 16)
Jeremy Stanley
[OSSA-2020-001] Nova can leak consoleauth token into log files (CVE-2015-9543) Jeremy Stanley (Feb 19)
Jim Popovitch
Re: mailman 2.x: XSS via file attachments in list archives Jim Popovitch (Feb 24)
John Haxby
Re: CoreOS leaving distros/linux-distros on May 26, handing off responsibilities John Haxby (Mar 04)
Re: Some AMD cpus with RDRAND fail to produce random numbers after suspend/resume John Haxby (Jan 17)
CVE-2019-3016: information leak within a KVM guest John Haxby (Jan 30)
Jonathan Brossard
Hostapd fails at seeding PRNGS, leading to insufficient entropy (CVE-2016-10743 and CVE-2019-10064) Jonathan Brossard (Feb 27)
Jorge Lucangeli Obes
Re: linux-distros membership adjustment/vouching Jorge Lucangeli Obes (Jan 14)
Jouni Malinen
Re: Hostapd fails at seeding PRNGS, leading to insufficient entropy (CVE-2016-10743 and CVE-2019-10064) Jouni Malinen (Feb 27)
Kees Cook
linux-distros membership adjustment/vouching Kees Cook (Jan 10)
Kevin A. McGrail
[CVE-2020-1931] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands with warnings. Kevin A. McGrail (Jan 30)
[CVE-2020-1930] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands Kevin A. McGrail (Jan 30)
Larry W. Cashdollar
Re: CVE-2019-18901: mariadb: possible symlink attack for the mysql user in the SUSE specific mysql-systemd-helper script Larry W. Cashdollar (Feb 05)
Marc Deslauriers
Re: Bluez <5.53 DoS/privilege escalation Marc Deslauriers (Mar 13)
Marco Ivaldi
CVE-2020-2656, CVE-2020-2696 - Multiple vulnerabilities in Oracle Solaris Marco Ivaldi (Jan 20)
Mariusz Felisiak
Django: CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle Mariusz Felisiak (Mar 04)
Matthew Garrett
Bluez <5.53 DoS/privilege escalation Matthew Garrett (Mar 13)
Matthias Bläsing
[CVE-2019-17560] "Apache NetBeans" autoupdate cert validation Matthias Bläsing (Mar 30)
[CVE-2019-17561] "Apache NetBeans" autoupdate system does not fully validate code signatures. Matthias Bläsing (Mar 30)
Matthias Gerstner
CVE-2019-18901: mariadb: possible symlink attack for the mysql user in the SUSE specific mysql-systemd-helper script Matthias Gerstner (Feb 05)
CVE-2020-7221: mariadb: possible local mysql to root user exploit in mysql_install_db script setting permissions of /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool Matthias Gerstner (Feb 04)
Re: CVE-2019-18932: sarg: insecure usage of /tmp/sarg allows privilege escalation / DoS attack vector Matthias Gerstner (Jan 27)
Re: CVE-2020-7040: storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock Matthias Gerstner (Jan 22)
CVE-2019-18899: apt-cacher-ng: openSUSE packaging for apt-cacher-ng runs the daemon as root instead of as an unprivileged user Matthias Gerstner (Jan 20)
Re: CVE-2020-7040: storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock Matthias Gerstner (Jan 22)
CVE-2020-5202: apt-cacher-ng: a local unprivileged user can impersonate the apt-cacher-ng daemon, possible credentials leak Matthias Gerstner (Jan 20)
CVE-2020-7040: storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock Matthias Gerstner (Jan 20)
Re: CVE-2020-7221: mariadb: possible local mysql to root user exploit in mysql_install_db script setting permissions of /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool Matthias Gerstner (Feb 04)
CVE-2020-10174: timeshift: arbitrary local code execution due to unsafe usage of temporary directory in /tmp/timeshift Matthias Gerstner (Mar 06)
Re: CVE-2019-18901: mariadb: possible symlink attack for the mysql user in the SUSE specific mysql-systemd-helper script Matthias Gerstner (Feb 06)
CVE-2019-18932: sarg: insecure usage of /tmp/sarg allows privilege escalation / DoS attack vector Matthias Gerstner (Jan 20)
Maurits van Rees
Re: Plone security hotfix 20200121 Maurits van Rees (Jan 24)
Plone security hotfix 20200121 Maurits van Rees (Jan 21)
mibo
[SECURITY] CVE-2020-1925: Possible SSRF in AsyncResponseWrapperImpl mibo (Jan 08)
Michael Orlitzky
CVE-2019-20384: Portage insecure temporary location Michael Orlitzky (Jan 21)
Nathan Gough
[CVE-2020-1933] Apache NiFi Information Disclosure Nathan Gough (Jan 27)
[CVE-2020-1933] Apache NiFi XSS Attack Nathan Gough (Jan 27)
Nick Boyce
Re: CVE-2020-7040: storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock Nick Boyce (Jan 21)
Re: CVE-2020-7040: storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock Nick Boyce (Jan 23)
Oliver Heger
[CVE-2020-1953] Uncontrolled class instantiation when loading YAML files in Apache Commons Configuration Oliver Heger (Mar 13)
Peter Kjellström
Re: Some AMD cpus with RDRAND fail to produce random numbers after suspend/resume Peter Kjellström (Jan 20)
P J P
CVE-2020-7211 QEMU: Slirp: potential directory traversal using relative paths via tftp server on Windows host P J P (Jan 16)
CVE-2019-20382 QEMU: vnc: memory leakage upon disconnect P J P (Mar 05)
CVE-2020-8608 QEMU: Slirp: potential OOB access due to unsafe snprintf() usages P J P (Feb 06)
CVE-2020-1711 QEMU: block: iscsi: OOB heap access via an unexpected response of iSCSI Server P J P (Jan 23)
CVE-2020-7039 QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() P J P (Jan 16)
Re: CVE-2020-2732: Nested VMX vulnerability P J P (Feb 25)
Qualys Security Advisory
Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Qualys Security Advisory (Feb 26)
LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Qualys Security Advisory (Feb 24)
Local information disclosure in OpenSMTPD (CVE-2020-8793) Qualys Security Advisory (Feb 24)
LPE and RCE in OpenSMTPD (CVE-2020-7247) Qualys Security Advisory (Jan 28)
Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Qualys Security Advisory (Feb 25)
Randall Hauch
CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint Randall Hauch (Jan 13)
Riccardo Schirone
CVE-2020-1712 systemd: use-after-free when asynchronous polkit queries are performed Riccardo Schirone (Feb 05)
Russ Allbery
Re: pam-krb5 security advisory (4.9 and earlier) Russ Allbery (Mar 30)
pam-krb5 security advisory (4.9 and earlier) Russ Allbery (Mar 30)
Re: pam-krb5 security advisory (4.9 and earlier) Russ Allbery (Mar 30)
Salvatore Bonaccorso
Re: GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Salvatore Bonaccorso (Feb 25)
security minded
CVE for program distributing vulnerable components ? security minded (Feb 14)
Simon McVittie
Re: CVE for program distributing vulnerable components ? Simon McVittie (Feb 14)
Solar Designer
Linux kernel: user-triggerable read-after-free crash or 1-bit infoleak oracle in open(2) Solar Designer (Jan 28)
Re: Linux kernel: user-triggerable read-after-free crash or 1-bit infoleak oracle in open(2) Solar Designer (Jan 28)
Re: Linux kernel: user-triggerable read-after-free crash or 1-bit infoleak oracle in open(2) Solar Designer (Feb 02)
Re: CVE-2020-7221: mariadb: possible local mysql to root user exploit in mysql_install_db script setting permissions of /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool Solar Designer (Feb 04)
GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Solar Designer (Feb 06)
Re: linux-distros membership adjustment/vouching Solar Designer (Jan 12)
Steve Beattie
CVE-2020-8835: Linux kernel bpf incorrect verifier vulnerability Steve Beattie (Mar 30)
Sven Schwedas
Re: Some AMD cpus with RDRAND fail to produce random numbers after suspend/resume Sven Schwedas (Jan 17)
Thiago Macieira
New Qt vulnerabilities Thiago Macieira (Jan 30)
Tim Allclair
CVE-2020-8551, CVE-2020-8552: Kubernetes: Denial of service Tim Allclair (Mar 23)
Tim Allison
[CVE-2020-1950] Excessive memory usage (DoS) vulnerability in Apache Tika's PSDParser Tim Allison (Mar 18)
[CVE-2020-1951] Infinite Loop (DoS) vulnerability in Apache Tika's PSDParser Tim Allison (Mar 18)
Todd C. Miller
Re: CVE-2019-18634: buffer overflow in sudo when pwfeedback is enabled Todd C. Miller (Feb 05)
CVE-2019-18634: buffer overflow in sudo when pwfeedback is enabled Todd C. Miller (Jan 30)
Re: CVE-2019-18634: buffer overflow in sudo when pwfeedback is enabled Todd C. Miller (Jan 31)
Vladimir Dubrovin
Re: Insecure implementation of OpenResty ngx.req.set_uri + memory content leak in nginx. Vladimir Dubrovin (Mar 18)
Insecure implementation of OpenResty ngx.req.set_uri + memory content leak in nginx. Vladimir Dubrovin (Mar 18)
William Bowling
Re: CVE-2019-18634: buffer overflow in sudo when pwfeedback is enabled William Bowling (Feb 05)
Xen . org security team
Xen Security Advisory 312 v1 - arm: a CPU may speculate past the ERET instruction Xen . org security team (Jan 14)