oss-sec: by date
219 messages
starting Apr 01 20 and
ending Jun 30 20
Date index |
Thread index |
Author index
Wednesday, 01 April
Re: pam-krb5 security advisory (4.9 and earlier) Jason Bishop
CVE-2020-1954: Apache CXF JMX Integration is vulnerable to a MITM attack Colm O hEigeartaigh
CVE-2019-11254: Kubernetes: denial of service vulnerability from malicious YAML payloads CJ Cullen
CVE-2020-1927: mod_rewrite configurations vulnerable to open redirect Daniel Ruggeri
CVE-2020-1934: mod_proxy_ftp use of uninitialized value Daniel Ruggeri
[CVE-2020-1958]: Apache Druid LDAP injection vulnerability Jonathan Wei
Deficient engineering processes Jeffrey Walton
Re: Deficient engineering processes Michael Orlitzky
Re: Deficient engineering processes Russ Allbery
Re: Deficient engineering processes Seth Arnold
Thursday, 02 April
Re: Deficient engineering processes Ulisses Albuquerque
Re: Deficient engineering processes Reed Black
Friday, 03 April
Re: CVE-2020-1927: mod_rewrite configurations vulnerable to open redirect Alan Coopersmith
Saturday, 04 April
Re: CVE-2020-1927: mod_rewrite configurations vulnerable to open redirect Daniel Ruggeri
Monday, 06 April
CVE-2020-11102 QEMU: tulip: OOB access in tulip_copy_tx_buffers P J P
CVE-2020-8834: Linux kernel Power8 conflicting use of HSTATE_HOST_R1 vulnerability Steve Beattie
Tuesday, 07 April
CVE-2020-1760 ceph: header-splitting in RGW GetObject has a possible XSS Hardik Vyas
CVE-2020-1759 ceph: secure mode of msgr2 breaks both confidentiality and integrity aspects for long-lived sessions Hardik Vyas
Multiple vulnerabilities in Jenkins plugins Daniel Beck
Wednesday, 08 April
Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Brian May
Thursday, 09 April
libssh - CVE-2020-1730 Huzaifa Sidhpurwala
Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Stuart D Gathman
Tuesday, 14 April
Xen Security Advisory 313 v3 (CVE-2020-11740,CVE-2020-11741) - multiple xenoprof issues Xen . org security team
Xen Security Advisory 314 v3 (CVE-2020-11739) - Missing memory barriers in read-write unlock paths Xen . org security team
Xen Security Advisory 316 v3 (CVE-2020-11743) - Bad error path in GNTTABOP_map_grant Xen . org security team
Xen Security Advisory 318 v3 (CVE-2020-11742) - Bad continuation handling in GNTTABOP_copy Xen . org security team
Wednesday, 15 April
CVE-2020-11669: Linux kernel 4.10 to 5.1: powerpc: guest can cause DoS on POWER9 KVM hosts Andrew Donnellan
Re: CVE-2020-11669: Linux kernel 4.10 to 5.1: powerpc: guest can cause DoS on POWER9 KVM hosts Michal Suchánek
CVE-2020-2771, CVE-2020-2851, CVE-2020-2944 - Multiple vulnerabilities in Oracle Solaris Marco Ivaldi
CVE-2020-10942 Kernel: vhost-net: stack overflow in get_raw_socket while checking sk_family field P J P
CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server Solar Designer
Re: CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server Taylor Blau
CVE-2020-1964: Apache Heron (incubating) information disclosure vulnerability Josh Fischer
Re: CVE-2020-11669: Linux kernel 4.10 to 5.1: powerpc: guest can cause DoS on POWER9 KVM hosts Paul Mackerras
Thursday, 16 April
WebKitGTK and WPE WebKit Security Advisory WSA-2020-0004 Carlos Alberto Lopez Perez
Multiple vulnerabilities in Jenkins plugins Daniel Beck
Friday, 17 April
CVE-2020-10708 kernel: race condition in kernel/audit.c may allow low privilege users trigger kernel panic 陈伟宸(田各)
Re: CVE-2020-10708 kernel: race condition in kernel/audit.c may allow low privilege users trigger kernel panic Greg KH
回复:[oss-security] CVE-2020-10708 kernel: race condition in kernel/audit.c may allow low privilege users trigger kernel panic 陈伟宸(田各)
Re: CVE-2020-10708 kernel: race condition in kernel/audit.c may allow low privilege users trigger kernel panic Steve Grubb
Sunday, 19 April
re2c: heap overflow in Scanner::fill (scanner.cc) Agostino Sarubbo
Re: re2c: heap overflow in Scanner::fill (scanner.cc) Henri Salo
Monday, 20 April
CVE-2020-11008: Git: Malicious URLs can still cause Git to send a stored credential to the wrong server Taylor Blau
Tuesday, 21 April
Re: re2c: heap overflow in Scanner::fill (scanner.cc) Henri Salo
CVE-2020-10690 kernel: use-after-free in cdev_put() when a PTP device is removed while it's chardev is open Rohit Keshri
Pacman package manager - taking untrusted input jellicent () protonmail com
Re: Pacman package manager - taking untrusted input Santiago Torres
Re: Pacman package manager - taking untrusted input Amin Vakil
Re: Pacman package manager - taking untrusted input jellicent () protonmail com
Re: Pacman package manager - taking untrusted input Simon McVittie
Re: Pacman package manager - taking untrusted input Jelle van der Waa
Re: Pacman package manager - taking untrusted input Morten Linderud
Wednesday, 22 April
Re: Pacman package manager - taking untrusted input Eli Schwartz
[CVE-2020-1967] OpenSSL 1.1.1d+ Segmentation fault in SSL_check_chain Mark J Cox
Thursday, 23 April
[ADVISORY] SQUID-2019:12 Multiple issues in ESI Response processing Amos Jeffries
[ADVISORY] SQUID-2020:4 Multiple issues in HTTP Digest authentication Amos Jeffries
spoofing of local email sender via a homoglyph attack PromiseLabs Pentest Research
Exuberant Ctags and x2vpn format string vulnerabilities Jasper Lievisse Adriaanse
Re: spoofing of local email sender via a homoglyph attack Solar Designer
Re: spoofing of local email sender via a homoglyph attack PromiseLabs Pentest Research
Re: mailman 2.x: XSS via file attachments in list archives Stefan Cornelius
Re: spoofing of local email sender via a homoglyph attack Solar Designer
Re: spoofing of local email sender via a homoglyph attack Claus Assmann
Re: spoofing of local email sender via a homoglyph attack PromiseLabs Pentest Research
Re: spoofing of local email sender via a homoglyph attack Stuart D. Gathman
Re: spoofing of local email sender via a homoglyph attack Wietse Venema
Re: spoofing of local email sender via a homoglyph attack Solar Designer
Re: spoofing of local email sender via a homoglyph attack Jeremy Stanley
Re: spoofing of local email sender via a homoglyph attack John Haxby
Friday, 24 April
[CVE-2020-9489] Denial of Service (DOS) Vulnerabilities in Some of Apache Tika's Parsers Tim Allison
CVE-2020-11869 qemu: integer overflow in ati_2d_blt() in hw/display/ati-2d.c could lead to DoS Mauro Matteo Cascella
Re: mailman 2.x: XSS via file attachments in list archives Salvatore Bonaccorso
Saturday, 25 April
[CVE-2020-9488] Improper validation of certificate with host mismatch in Apache Log4j SMTP appender Matt Sicker
Monday, 27 April
[CVE-2020-1952] Apache IoTDB (incubating) Remote Code execution vulnerability Dawei Liu
re2c: infinite loop Agostino Sarubbo
WebKitGTK and WPE WebKit Security Advisory WSA-2020-0005 Carlos Alberto Lopez Perez
[CVE-2020-9482] Apache NiFi Registry user log out issue Nathan Gough
Thursday, 30 April
Check your pre/post install scripts in rpm/deb/... packages for security issues Johannes Segitz
[CVE-2019-12425] Apache OFBiz Host Header Injection Jacques Le Roux
Re: Check your pre/post install scripts in rpm/deb/... packages for security issues Michael Orlitzky
[CVE-2019-0235 ] Apache OFBiz multiple CSRF vulnerabilities Jacques Le Roux
Linux kernel SELinux/netlink missing access check Paul Moore
Saturday, 02 May
[CVE-2019-17557] Enduser UI XSS Francesco Chicchiriccò
[CVE-2020-1959] Apache Syncope: Multiple Remote Code Execution Vulnerabilities Francesco Chicchiriccò
[CVE-2020-1961] Apache Syncope: Server-Side Template Injection on mail templates Francesco Chicchiriccò
Sunday, 03 May
CVE-2020-10717 QEMU: virtiofsd: guest may open maximum file descriptor to cause DoS P J P
Monday, 04 May
[CVE-2020-12114] Linux kernel denial of service by corrupting mountpoint reference counter Piotr Krysiuk
Tuesday, 05 May
Re: CoreOS leaving distros/linux-distros on May 26, handing off responsibilities Solar Designer
CVE-2020-10732 kernel: uninitialized kernel data leak in userspace coredumps Wade Mealing
Wednesday, 06 May
Re: CoreOS leaving distros/linux-distros on May 26, handing off responsibilities Igor Seletskiy
Multiple vulnerabilities in Jenkins plugins Daniel Beck
[OSSA-2020-003] Keystone: Keystone does not check signature TTL of the EC2 credential auth method (CVE PENDING) Gage Hugo
[OSSA-2020-004] Keystone: Keystone credential endpoints allow owner modification and are not protected from a scoped context (CVE PENDING) Gage Hugo
[OSSA-2020-005] Keystone: OAuth1 request token authorize silently ignores roles parameter (CVE PENDING) Gage Hugo
Thursday, 07 May
Re: [OSSA-2020-003] Keystone: Keystone does not check signature TTL of the EC2 credential auth method (CVE PENDING) Gage Hugo
Re: [OSSA-2020-004] Keystone: Keystone credential endpoints allow owner modification and are not protected from a scoped context (CVE PENDING) Gage Hugo
Re: [OSSA-2020-005] Keystone: OAuth1 request token authorize silently ignores roles parameter (CVE PENDING) Gage Hugo
Re: CoreOS leaving distros/linux-distros on May 26, handing off responsibilities Benjamin Gilbert
Friday, 08 May
Linux kernel: two buffer overflow in the marvell wifi driver qing xu
Incentives for pre-release reporting Florian Weimer
Re: Incentives for pre-release reporting Henri Salo
Sunday, 10 May
[CVE-2018-1285] XXE vulnerability in Apache log4net Matt Sicker
Monday, 11 May
oddjob: mkhomedir: CVE-2020-10737: race condition when copying skeleton tree Matthias Gerstner
[CVE-2020-1939] Apache NuttX optional/example ftpd program NULL pointer bug Brennan Ashton
Tuesday, 12 May
CVE-2020-10711 Kernel: NetLabel: null pointer dereference while receiving CIPSO packet with null category P J P
Re: CVE-2020-10711 Kernel: NetLabel: null pointer dereference while receiving CIPSO packet with null category P J P
Wednesday, 13 May
[CVE-2020-1945] Apache Ant insecure temporary file vulnerability Stefan Bodewig
[CVE-2020-1960] Apache Flink JMX information disclosure vulnerability Chesnay Schepler
[CVE-2020-1941] XSS in ActiveMQ WebConsole Jean-Baptiste Onofre
Thursday, 14 May
Hypermail XSS via attachment Hanno Böck
XSS in BigBlueButton < 2.2.6 Hanno Böck
Re: re2c: infinite loop Agostino Sarubbo
[SECURITY][CVE-2019-17572] Apache RocketMQ directory traversal vulnerability ShannonDing
CVE-2019-17562 buffer overflow in baremetal plugin. Daan Hoogland
[SECURITY] New security advisory CVE-2020-11971 released for Apache Camel Andrea Cosentino
[SECURITY] New security advisory CVE-2020-11972 released for Apache Camel Andrea Cosentino
[SECURITY] New security advisory CVE-2020-11973 released for Apache Camel Andrea Cosentino
Re: [SECURITY] New security advisory CVE-2020-11972 released for Apache Camel Andrea Cosentino
Python Beaker - Deserialization of Untrasted Data which can lead to Arbitrary code execution Matheus Bratfisch
Re: [test case][kunit] CVE-2020-10711 Kernel netLabel P J P
Friday, 15 May
[test case][kunit] CVE-2020-10711 Kernel netLabel Singh, Balbir
Re: [test case][kunit] CVE-2020-10711 Kernel netLabel Singh, Balbir
Monday, 18 May
Multiple vulnerabilities in Dovecot IMAP server Aki Tuomi
DPDK security advisory for multiple vhost related issues Ferruh Yigit
Tuesday, 19 May
CVE-2020-10736 ceph: authorization bypass in monitor and manager daemons Hardik Vyas
[CVE-2020-12667] Knot Resolver 5.1.1 NXNSAttack mitigation Petr Špaček
PowerDNS Recursor 4.3.1, 4.2.2. and 4.1.16 released fixing multiple vulnerabilities Otto Moerbeek
Two vulnerabilities disclosed in BIND (CVE-2020-8616 and CVE-2020-8617) ISC Security Officer
Unbound - CVE-2020-12662, CVE-2020-12663 Ralph Dolmans
CVE-2020-12888 Kernel: vfio: access to disabled MMIO space of some devices may lead to DoS scenario P J P
[CVE-2020-1955] Apache CouchDB Remote Privilege Escalation Jan Lehnardt
Remote Code Execution in qmail (CVE-2005-1513) Qualys Security Advisory
qmail: short/int vs. gid_t Qualys Security Advisory
[CVE-2020-1956] Apache Kylin command injection vulnerability George Ni
Wednesday, 20 May
Re: Remote Code Execution in qmail (CVE-2005-1513) Georgi Guninski
Multiple Security Issues in the TrouSerS tpm1.2 tscd Daemon Matthias Gerstner
CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence Mark Thomas
Re: Remote Code Execution in qmail (CVE-2005-1513) Qualys Security Advisory
Thursday, 21 May
Short notes on qmail security guarantee Georgi Guninski
Friday, 22 May
Re: Short notes on qmail security guarantee Solar Designer
Re: Short notes on qmail security guarantee Michal Zalewski
Re: Short notes on qmail security guarantee Georgi Guninski
Re: Short notes on qmail security guarantee Arrigo Triulzi
Re: Short notes on qmail security guarantee Perry E. Metzger
Re: Short notes on qmail security guarantee Jeffrey Walton
Tuesday, 26 May
Announce: OpenSSH 8.3 released Damien Miller
Wednesday, 27 May
CVE-2020-13253 QEMU: sd: OOB access could crash the guest resulting in DoS P J P
CVE-2020-10751 - Linux kernel: SELinux netlink permission check bypass Ondrej Mosnacek
Re: CoreOS leaving distros/linux-distros on May 26, handing off responsibilities Benjamin Gilbert
Re: CoreOS leaving distros/linux-distros on May 26, handing off responsibilities Vincent Batts
CVE-2020-13361 QEMU: es1370: OOB access due to incorrect frame count leads to DoS P J P
CVE-2020-13362 QEMU: megasas: OOB read access due to invalid index leads to DoS P J P
Monday, 01 June
Exploitability of the integer overflows in djbdns 1.05? Georgi Guninski
Re: Exploitability of the integer overflows in djbdns 1.05? Solar Designer
CVE-2020-13659 QEMU: exec: address_space_map returns NULL without setting length to zero may lead to DoS P J P
CVE-2020-8555: Kubernetes: Half-Blind SSRF in kube-controller-manager Tim Allclair
Kubernetes: IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements Joel Smith
CVE-2020-13754 QEMU: msix: OOB access during mmio operations may lead to DoS P J P
Tuesday, 02 June
Re: Exploitability of the integer overflows in djbdns 1.05? Georgi Guninski
Wednesday, 03 June
Django security releases issued: 3.0.7, and 2.2.13 for CVE-2020-13254 & CVE-2020-13596. Carlton Gibson
[CVE-2020-1963] Apache Ignite access to file system disclosure vulnerability Юрий
Multiple vulnerabilities in Jenkins plugins Daniel Beck
Grafana 6.7.4 and 7.0.2 released with fix for CVE-2020-13379 Richard Hartmann
Re: Exploitability of the integer overflows in djbdns 1.05? Georgi Guninski
CVE-2020-13765 QEMU: loader: OOB access while loading registered ROM may lead to code execution P J P
CVE-2020-13791 QEMU: ati-vga: OOB access while reading PCI configuration may lead to DoS P J P
CVE-2020-13800 QEMU: ati-vga: infinite recursion in ati_mm_read/write calls may lead to DoS P J P
Thursday, 04 June
CVE-2020-12049: dbus: denial of service via file descriptor leak Simon McVittie
CVE-2020-10757 Linux kernel: mremap hugepage mmaped DAX nvdimm may cause corrupted page table Fan Yang
linux-pam: pam_setquota.so vulnerability facilitated through fusermount setuid-root program Matthias Gerstner
xawtv: CVE-2020-13696: v4l-conf setuid-root program allows file existence tests and open(..., O_RDRW) on arbitrary files Matthias Gerstner
Friday, 05 June
[SECURITY][ANNOUNCEMENT] Fix for CVE-2020-11975 in Apache Unomi 1.5.1 Serge Huber
Monday, 08 June
CVE-2020-13881: pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if configured with debug parameter Gollub, Daniel
hostapd: UPnP SUBSCRIBE misbehavior in hostapd WPS AP Jouni Malinen
CVE-2020-10761 QEMU: nbd: reachable assertion failure innbd_negotiate_send_rep_verr via remote client P J P
Tuesday, 09 June
Re: Grafana 6.7.4 and 7.0.2 released with fix for CVE-2020-13379 Richard Hartmann
Xen Security Advisory 320 v1 (CVE-2020-0543) - Special Register Buffer speculative side channel Xen . org security team
Wednesday, 10 June
kernel: Multiple SSBD related flaws CVE-2020-10766 , CVE-2020-10767, CVE-2020-10768 Wade Mealing
Re: kernel: Multiple SSBD related flaws CVE-2020-10766 , CVE-2020-10767, CVE-2020-10768 Greg KH
Re: kernel: Multiple SSBD related flaws CVE-2020-10766 , CVE-2020-10767, CVE-2020-10768 Wade Mealing
Re: kernel: Multiple SSBD related flaws CVE-2020-10766 , CVE-2020-10767, CVE-2020-10768 Greg KH
Re: kernel: Multiple SSBD related flaws CVE-2020-10766 , CVE-2020-10767, CVE-2020-10768 Monsieur Francis Perron
Thursday, 11 June
Xen Security Advisory 320 v2 (CVE-2020-0543) - Special Register Buffer speculative side channel Xen . org security team
adns (dns resolver library) multiple vulns Ian Jackson
Friday, 12 June
icinga2: CVE-2020-14004: prepare-dirs script allows for symlink attack in the icinga user context Matthias Gerstner
[CVE-2020-11980] A remote client could create MBeans from arbitrary URLs Jean-Baptiste Onofre
Re: icinga2: CVE-2020-14004: prepare-dirs script allows for symlink attack in the icinga user context Michael Orlitzky
Saturday, 13 June
lockdown bypass on ubuntu 18.04's 4.15 kernel for loading unsigned modules Jason A. Donenfeld
Monday, 15 June
[CVE-2020-9483] Apache SkyWalking SQL injection vulnerability Sheng Wu
[CVE-2019-17566] Apache XML Graphics Batik SSRF vulnerability Simon Steiner
lockdown bypass on mainline kernel for loading unsigned modules Jason A. Donenfeld
CVE-2020-11969 Apache TomEE - useJMX attribute on ActiveMQ resource adapter URI causes authenticated JMX port to be open Jonathan Gallimore
Re: lockdown bypass on mainline kernel for loading unsigned modules John Haxby
Re: lockdown bypass on mainline kernel for loading unsigned modules Jann Horn
Re: lockdown bypass on mainline kernel for loading unsigned modules Jason A. Donenfeld
Re: CVE-2020-13754 QEMU: msix: OOB access during mmio operations may lead to DoS P J P
Re: lockdown bypass on ubuntu 18.04's 4.15 kernel for loading unsigned modules Jason A. Donenfeld
Re: lockdown bypass on mainline kernel for loading unsigned modules Jason A. Donenfeld
Re: Re: lockdown bypass on ubuntu 18.04's 4.15 kernel for loading unsigned modules Reed Loden
Tuesday, 16 June
Re: Remote Code Execution in qmail (CVE-2005-1513) Qualys Security Advisory
Wednesday, 17 June
ISC announces two medium-severity vulnerabilities, CVE-2020-8618 and CVE-2020-8619 Michael McNally
CVE-2020-10781 kernel: zram sysfs resource consumption Wade Mealing
Friday, 19 June
[SECURITY] CVE-2020-9495: Apache Archiva login service is vulnerable to LDAP injection Martin
Saturday, 20 June
Squirrelmail: Use of unserialize() on user data Hanno Böck
Monday, 22 June
[CVE-2020-11989] Apache Shiro authentication bypass vulnerability Brian Demers
CVE-2020-9480: Apache Spark RCE vulnerability in auth-enabled standalone master Sean Owen
Tuesday, 23 June
CVE-2020-10769 kernel: Buffer over-read in crypto_authenc_extractkeys() when a payload longer than 4 bytes is not aligned. Rohit Keshri
Re: CVE-2020-10769 kernel: Buffer over-read in crypto_authenc_extractkeys() when a payload longer than 4 bytes is not aligned. Eric Biggers
[SECURITY ADVISORY] curl: Partial password leak over DNS on HTTP redirect Daniel Stenberg
[SECURITY ADVISORY] curl: overwrite local file with -J Daniel Stenberg
Thursday, 25 June
Requesting a CVE id for Trojitá, an e-mail client: Improper Certificate Validation Jan Kundrát
Re: Requesting a CVE id for Trojitá, an e-mail client: Improper Certificate Validation Agostino Sarubbo
Re: Requesting a CVE id for Trojitá, an e-mail client: Improper Certificate Validation Johannes Segitz
[cve-request () mitre org: Re: [scr916814] net-snmp - Perhaps only unreleased development versions; fix appears to be in v5.8.1.pre1] Seth Arnold
CVE-2020-10753 ceph: radosgw: HTTP header injection via CORS ExposeHeader tag Przemyslaw Roguski
CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service Mark Thomas
Tuesday, 30 June
default behavior in unzip more dangerous then -^ Dennis Goodlett
libvncserver: old websocket decoding patch Stefan Cornelius
Re: libvncserver: old websocket decoding patch Stefan Cornelius