oss-sec: by date

• RSS Feed
• About List
• All Lists

Previous period

Next period

131 messages starting Jan 07 20 and ending Mar 30 20
Date index | Thread index | Author index

Tuesday, 07 January

[SECURITY ADVISORY] curl: SMB access smuggling via FILE URL on Windows (CVE-2019-15601) Daniel Stenberg

Wednesday, 08 January

[SECURITY] CVE-2020-1925: Possible SSRF in AsyncResponseWrapperImpl mibo

Friday, 10 January

linux-distros membership adjustment/vouching Kees Cook

Sunday, 12 January

Re: linux-distros membership adjustment/vouching Solar Designer

Monday, 13 January

CVE-2019-12399: Apache Kafka Connect REST API may expose plaintext secrets in tasks endpoint Randall Hauch

Tuesday, 14 January

[CVE-2019-12398] Apache Airflow Stored XSS vulnerability in classic UI Ash Berlin-Taylor
Xen Security Advisory 312 v1 - arm: a CPU may speculate past the ERET instruction Xen . org security team
Re: linux-distros membership adjustment/vouching Jorge Lucangeli Obes

Wednesday, 15 January

Multiple vulnerabilities in Jenkins plugins Daniel Beck
[CVE-2020-1929] Apache Beam MongoDB IO connector disables certificate trust verification Ismaël Mejía

Thursday, 16 January

[CVE-2019-17570] xmlrpc-common untrusted deserialization cert.cc
CVE-2020-7039 QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() P J P
[CVE-2019-12423] Apache CXF OpenId Connect JWK Keys service returns private/secret credentials if configured with a jwk keystore Colm O hEigeartaigh
[CVE-2019-17573] Apache CXF Reflected XSS in the services listing page Colm O hEigeartaigh
Some AMD cpus with RDRAND fail to produce random numbers after suspend/resume Jeffrey Walton
CVE-2020-7211 QEMU: Slirp: potential directory traversal using relative paths via tftp server on Windows host P J P

Friday, 17 January

Re: Some AMD cpus with RDRAND fail to produce random numbers after suspend/resume Sven Schwedas
Re: Some AMD cpus with RDRAND fail to produce random numbers after suspend/resume John Haxby

Monday, 20 January

Re: Some AMD cpus with RDRAND fail to produce random numbers after suspend/resume Peter Kjellström
CVE-2020-2656, CVE-2020-2696 - Multiple vulnerabilities in Oracle Solaris Marco Ivaldi
CVE-2020-7040: storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock Matthias Gerstner
CVE-2020-5202: apt-cacher-ng: a local unprivileged user can impersonate the apt-cacher-ng daemon, possible credentials leak Matthias Gerstner
CVE-2019-18899: apt-cacher-ng: openSUSE packaging for apt-cacher-ng runs the daemon as root instead of as an unprivileged user Matthias Gerstner
CVE-2019-18932: sarg: insecure usage of /tmp/sarg allows privilege escalation / DoS attack vector Matthias Gerstner

Tuesday, 21 January

CVE-2019-20384: Portage insecure temporary location Michael Orlitzky
Re: CVE-2020-7040: storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock Nick Boyce
Plone security hotfix 20200121 Maurits van Rees

Wednesday, 22 January

Re: CVE-2020-7040: storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock Matthias Gerstner
Re: CVE-2020-7040: storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock Matthias Gerstner

Thursday, 23 January

Re: CVE-2020-7040: storeBackup: denial of service and symlink attack vector via fixed lockfile path /tmp/storeBackup.lock Nick Boyce
WebKitGTK and WPE WebKit Security Advisory WSA-2020-0001 Carlos Alberto Lopez Perez
CVE-2020-1711 QEMU: block: iscsi: OOB heap access via an unexpected response of iSCSI Server P J P

Friday, 24 January

Re: Plone security hotfix 20200121 Maurits van Rees
RE: [CVE-2019-17570] xmlrpc-common untrusted deserialization cert.cc

Monday, 27 January

Re: CVE-2019-18932: sarg: insecure usage of /tmp/sarg allows privilege escalation / DoS attack vector Matthias Gerstner
[CVE-2020-1933] Apache NiFi Information Disclosure Nathan Gough
[CVE-2020-1933] Apache NiFi XSS Attack Nathan Gough
[CVE-2020-1932] Apache Incubator Superset user data leak vulnerability daniel gaspar

Tuesday, 28 January

CVE-2020-1940: Apache Jackrabbit Oak sensitive information disclosure vulnerability Angela Schreiber
Linux kernel: user-triggerable read-after-free crash or 1-bit infoleak oracle in open(2) Solar Designer
LPE and RCE in OpenSMTPD (CVE-2020-7247) Qualys Security Advisory
Re: Linux kernel: user-triggerable read-after-free crash or 1-bit infoleak oracle in open(2) Solar Designer

Wednesday, 29 January

Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck

Thursday, 30 January

New Qt vulnerabilities Thiago Macieira
[CVE-2020-1931] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands with warnings. Kevin A. McGrail
[CVE-2020-1930] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands Kevin A. McGrail
CVE-2019-3016: information leak within a KVM guest John Haxby
Linux kernel: arm64/KVM debug registers vulnerability Catalin Marinas
CVE-2019-18634: buffer overflow in sudo when pwfeedback is enabled Todd C. Miller

Friday, 31 January

Re: CVE-2019-18634: buffer overflow in sudo when pwfeedback is enabled Todd C. Miller
CVE-2020-1700 ceph: connection leak in the RGW Beast front-end permits a DoS against the RGW server Hardik Vyas
multiple NULL pointer dereference vulnerabilities in newlib Dimitrios Glynos

Sunday, 02 February

Re: Linux kernel: user-triggerable read-after-free crash or 1-bit infoleak oracle in open(2) Solar Designer
Re: Linux kernel: user-triggerable read-after-free crash or 1-bit infoleak oracle in open(2) Al Viro

Monday, 03 February

Django 3.0.3, 2.2.10 and 1.11.28: CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)`` Carlton Gibson

Tuesday, 04 February

CVE-2020-7221: mariadb: possible local mysql to root user exploit in mysql_install_db script setting permissions of /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool Matthias Gerstner
Re: CVE-2020-7221: mariadb: possible local mysql to root user exploit in mysql_install_db script setting permissions of /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool Solar Designer
Re: CVE-2020-7221: mariadb: possible local mysql to root user exploit in mysql_install_db script setting permissions of /usr/lib64/mysql/plugin/auth_pam_tool_dir/auth_pam_tool Matthias Gerstner

Wednesday, 05 February

CVE-2020-1712 systemd: use-after-free when asynchronous polkit queries are performed Riccardo Schirone
Re: CVE-2019-18634: buffer overflow in sudo when pwfeedback is enabled William Bowling
CVE-2019-18901: mariadb: possible symlink attack for the mysql user in the SUSE specific mysql-systemd-helper script Matthias Gerstner
Re: CVE-2019-18901: mariadb: possible symlink attack for the mysql user in the SUSE specific mysql-systemd-helper script Larry W. Cashdollar
Re: CVE-2019-18634: buffer overflow in sudo when pwfeedback is enabled Todd C. Miller

Thursday, 06 February

Re: CVE-2019-18901: mariadb: possible symlink attack for the mysql user in the SUSE specific mysql-systemd-helper script Matthias Gerstner
CVE-2020-8608 QEMU: Slirp: potential OOB access due to unsafe snprintf() usages P J P
GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Solar Designer
[SECURITY] CVE-2019-12426 information disclosure vulnerability in Apache OFBiz Jacopo Cappellato
Re: GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Amadeusz Sławiński

Monday, 10 February

CVE-2020-1942: Apache NiFi 0.0.1 to 1.11.0 information disclosure in logs Andy LoPresto

Tuesday, 11 February

Potential regression and/or incomplete fix for CVE-2017-12762 Ibrahim el-sayed
Re: Potential regression and/or incomplete fix for CVE-2017-12762 Brad Spengler

Wednesday, 12 February

CVE-2020-7046: Dovecot: Truncated UTF-8 can be used to DoS submission-login and lmtp processes Aki Tuomi
CVE-2020-7957: Dovecot: Specially crafted mail can crash snippet generation Aki Tuomi
Multiple vulnerabilities in Jenkins plugins Daniel Beck

Thursday, 13 February

Announce: OpenSSH 8.2 released Damien Miller

Friday, 14 February

CVE for program distributing vulnerable components ? security minded
Re: CVE for program distributing vulnerable components ? Simon McVittie
Re: Potential regression and/or incomplete fix for CVE-2017-12762 Ibrahim el-sayed
Re: CVE for program distributing vulnerable components ? Francis Perron
WebKitGTK and WPE WebKit Security Advisory WSA-2020-0002 Carlos Alberto Lopez Perez

Wednesday, 19 February

Wordpress themegrill-demo-importer: database reset/auth bypass, incomplete fix due to CSRF Hanno Böck
[OSSA-2020-001] Nova can leak consoleauth token into log files (CVE-2015-9543) Jeremy Stanley

Saturday, 22 February

[CVE-2020-1937] Apache Kylin SQL injection vulnerability George Ni

Monday, 24 February

Re: Re: GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Cedric Buissart
mailman 2.x: XSS via file attachments in list archives Hanno Böck
Re: mailman 2.x: XSS via file attachments in list archives Jim Popovitch
Local information disclosure in OpenSMTPD (CVE-2020-8793) Qualys Security Advisory
LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Qualys Security Advisory
Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Alexander E. Patrakov
Re: Re: GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Cedric Buissart

Tuesday, 25 February

Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Qualys Security Advisory
CVE-2020-2732: Nested VMX vulnerability Boris Ostrovsky
Re: CVE-2020-2732: Nested VMX vulnerability P J P
Re: GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Salvatore Bonaccorso
CVE-2020-9391: Ignoring the top byte of addresses in brk causes heap corruption (AArch64) Florian Weimer
Re: GNU screen "out of bounds access when setting w_xtermosc after OSC 49" Amadeusz Sławiński

Wednesday, 26 February

Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Qualys Security Advisory

Thursday, 27 February

Hostapd fails at seeding PRNGS, leading to insufficient entropy (CVE-2016-10743 and CVE-2019-10064) Jonathan Brossard
Re: Hostapd fails at seeding PRNGS, leading to insufficient entropy (CVE-2016-10743 and CVE-2019-10064) Jouni Malinen

Saturday, 29 February

Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Alexander E. Patrakov

Sunday, 01 March

Re: LPE and RCE in OpenSMTPD's default install (CVE-2020-8794) Florian Weimer

Tuesday, 03 March

CoreOS leaving distros/linux-distros on May 26, handing off responsibilities Benjamin Gilbert

Wednesday, 04 March

Django: CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle Mariusz Felisiak
Re: CoreOS leaving distros/linux-distros on May 26, handing off responsibilities Igor Seletskiy
Re: CoreOS leaving distros/linux-distros on May 26, handing off responsibilities John Haxby

Thursday, 05 March

CVE-2019-20382 QEMU: vnc: memory leakage upon disconnect P J P
BIND Operational Notification: An error in handling TCP client quota limits can exhaust TCP connections in BIND 9.16.0 ISC Security Officer

Friday, 06 March

[CVE-2020-1943] Apache OFBiz XSS Vulnerability Jacopo Cappellato
CVE-2020-10174: timeshift: arbitrary local code execution due to unsafe usage of temporary directory in /tmp/timeshift Matthias Gerstner

Friday, 13 March

Bluez <5.53 DoS/privilege escalation Matthew Garrett
Re: Bluez <5.53 DoS/privilege escalation Marc Deslauriers
[CVE-2020-1953] Uncontrolled class instantiation when loading YAML files in Apache Commons Configuration Oliver Heger

Saturday, 14 March

[CVE-2019-10091] Apache Geode SSL endpoint verification vulnerability Anthony Baker

Wednesday, 18 March

Insecure implementation of OpenResty ngx.req.set_uri + memory content leak in nginx. Vladimir Dubrovin
Re: Insecure implementation of OpenResty ngx.req.set_uri + memory content leak in nginx. Vladimir Dubrovin
[CVE-2020-1950] Excessive memory usage (DoS) vulnerability in Apache Tika's PSDParser Tim Allison
[CVE-2020-1951] Infinite Loop (DoS) vulnerability in Apache Tika's PSDParser Tim Allison
U-Boot verified boot improper signature verification Janushkevich, Dmitry

Thursday, 19 March

[CVE-2020-5267] Possible XSS vulnerability in ActionView Aaron Patterson

Monday, 23 March

Serendipity XSS via update notification (minor, exploitable by s9y developers) Hanno Böck
[CVE-2020-1957] Apache Shiro 1.5.2 released Brian Demers
CVE-2020-8551, CVE-2020-8552: Kubernetes: Denial of service Tim Allclair

Wednesday, 25 March

CVE-2020-1949: Apache Sling CMS Reflected XSS Vulnerability Daniel Klco
Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck

Thursday, 26 March

Stealing Videos from VLC-iOS (IDOR) Dhiraj Mishra

Monday, 30 March

[CVE-2019-17560] "Apache NetBeans" autoupdate cert validation Matthias Bläsing
[CVE-2019-17561] "Apache NetBeans" autoupdate system does not fully validate code signatures. Matthias Bläsing
CVE-2020-8835: Linux kernel bpf incorrect verifier vulnerability Steve Beattie
pam-krb5 security advisory (4.9 and earlier) Russ Allbery
Re: pam-krb5 security advisory (4.9 and earlier) Russ Allbery
Re: pam-krb5 security advisory (4.9 and earlier) Russ Allbery

Previous period

Next period