oss-sec: by date
220 messages starting Apr 02 22 and ending Jun 30 22
Saturday, 02 April
Re: [PATCH AUTOSEL 5.15 13/16] vdpa: clean up get_config_size ret value handling Dan Carpenter
CVE-2022-1204: Linux kernel: UAF caused by binding operation when ax25 device is detaching 周多明
CVE-2022-1198 kernel: use-after-free in drivers/net/hamradio/6pack.c 周多明
CVE-2022-1205 kernel: Null pointer dereference and use-after-free in net/ax25/ax25_timer.c 周多明
CVE-2022-1199 kernel: Null pointer dereference and use-after-free in ax25_release() 周多明
Tuesday, 05 April
Xen Security Advisory 397 v2 (CVE-2022-26356) - Racy interactions between dirty vram tracking and paging log dirty hypercalls Xen . org security team
Xen Security Advisory 399 v2 (CVE-2022-26357) - race in VT-d domain ID cleanup Xen . org security team
Xen Security Advisory 400 v2 (CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361) - IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues Xen . org security team
CVE-2022-23974: Apache Pinot: Pinot segment push endpoint has a vulnerability in unprotected environments Subbu Subramaniam
Wednesday, 06 April
CVE-2022-28356: Linux kernel: refcount leak in llc_ui_bind and llc_ui_autobind Gianluca Gabrielli
CVE-2022-26850: Apache NiFi: Insufficiently protected credentials Nathan Gough
Thursday, 07 April
Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push kangel
Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push Solar Designer
Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push Paolo Bonzini
Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push Solar Designer
Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push Qiuhao Li
Re: Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push Qiuhao Li
CVE-2022-26612: Apache Hadoop: Arbitrary file write in FileUtil#unpackEntries on Windows Gautham Banasandra
zgrep, xzgrep: arbitrary-file-write vulnerability Jim Meyering
Announce: OpenSSH 9.0 released Damien Miller
Friday, 08 April
Re: zgrep, xzgrep: arbitrary-file-write vulnerability Jakub Wilk
Re: zgrep, xzgrep: arbitrary-file-write vulnerability Levente Polyak
CVE-2022-1158: Linux Kernel v5.2+: x86/kvm: cmpxchg_gpte can write to pfns outside the userspace region Qiuhao Li
Re: zgrep, xzgrep: arbitrary-file-write vulnerability Axel Beckert
WebKitGTK and WPE WebKit Security Advisory WSA-2022-0004 Carlos Alberto Lopez Perez
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0004 John Helmert III
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0004 John Helmert III
Monday, 11 April
Django: CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()`` Mariusz Felisiak
Django: CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL Mariusz Felisiak
CVE-2022-28893: Linux kernel: Use after free in SUNRPC subsystem Felix Fu
Re: CVE-2022-28893: Linux kernel: Use after free in SUNRPC subsystem Greg KH
Re: CVE-2022-28893: Linux kernel: Use after free in SUNRPC subsystem Mike O'Connor
Tuesday, 12 April
[SECURITY][ANNOUNCE] Apache Subversion 1.10.8 released markphip () gmail com
[SECURITY][ANNOUNCE] Apache Subversion 1.14.2 released markphip () gmail com
Linux kernel: A concurrency use-after-free between drm_setmaster_ioctl and drm_mode_getresources Minh Yuan
Re: Linux kernel: A concurrency use-after-free between drm_setmaster_ioctl and drm_mode_getresources Greg KH
Multiple vulnerabilities in Jenkins plugins Daniel Beck
CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE. Yasser Zamani
git v2.35.2 and friends for CVE-2022-24765 Junio C Hamano
Re: Linux kernel: A concurrency use-after-free between drm_setmaster_ioctl and drm_mode_getresources Salvatore Bonaccorso
Wednesday, 13 April
CVE-2022-0617: udf:A null-ptr-deref bug be triggered when write to an ICB inode butt3rflyh4ck
CVE-2022-27479: Apache Superset: SQL injection vulnerability in chart data API Ville Brofeldt
Thursday, 14 April
Multiple vulnerabilities in swhkd hotkey helper for Wayland Matthias Gerstner
Re: Browser-mediated attacks on WebDriver servers Gabriel Corona
mutt 2.2.3 released - fixes CVE-2022-1328 Alan Coopersmith
Saturday, 16 April
Re: Browser-mediated attacks on WebDriver servers Gabriel Corona
Tuesday, 19 April
CVE-2022-29266: Apache APISIX: apisix/jwt-auth may leak secrets in error response Zeping Bai
CVE-2022-1215 libinput format string vulnerability Peter Hutterer
Wednesday, 20 April
tpm2-abrmd: possibly surprising security model for local users could result in a local DoS against TPM configuration and data Matthias Gerstner
Thursday, 21 April
CVE-2022-1419: Linux kernel: A concurrency use-after-free in vgem_gem_dumb_create Minh Yuan
Re: CVE-2022-1419: Linux kernel: A concurrency use-after-free in vgem_gem_dumb_create Greg KH
Friday, 22 April
Re: CVE-2022-1419: Linux kernel: A concurrency use-after-free in vgem_gem_dumb_create Marcus Meissner
Re: CVE-2022-1419: Linux kernel: A concurrency use-after-free in vgem_gem_dumb_create Greg KH
Linux: UaF due to concurrency issue in io_uring timeouts David Bouman
Re: Linux: UaF due to concurrency issue in io_uring timeouts Salvatore Bonaccorso
[kubernetes] CVE-2021-25745: Ingress-nginx `path` can be pointed to service account token file CJ Cullen
[kubernetes] CVE-2021-25746: Ingress-nginx directive injection via annotations CJ Cullen
CVE-2022-29464 :: WSO2 Unrestricted arbitrary file upload, and remote code to execution vulnerability. Myers, Christopher
Tuesday, 26 April
CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging Jan Lehnardt
CVE-2022-23942: Apache Doris(incubating) hardcoded cryptography initialization 陈明雨
[morningman () 163 com: [oss-security] CVE-2022-23942: Apache Doris(incubating) hardcoded cryptography initialization] Seth Arnold
[SECURITY ADVISORY] curl OAUTH2 bearer bypass in connection re-use Daniel Stenberg
[SECURITY ADVISORY] curl credential leak on redirect Daniel Stenberg
[SECURITY ADVISORY] curl bad local IPv6 connection reuse Daniel Stenberg
[SECURITY ADVISORY] curl auth/cookie leak on redirect Daniel Stenberg
Wednesday, 27 April
CVE-2022-27239: cifs-utils mount.cifs buffer overflow in ip parameter Marcus Meissner
Thursday, 28 April
Linux kernel: A concurrency use-after-free in floppy's raw_cmd Minh Yuan
CVE-2022-21449 and version reporting Seaman, Chad
Re: CVE-2022-21449 and version reporting Brian Behlendorf
Re: CVE-2022-21449 and version reporting Jeremy Stanley
Re: CVE-2022-21449 and version reporting Seth Arnold
Re: CVE-2022-21449 and version reporting Sven Schwedas
Re: CVE-2022-21449 and version reporting Seaman, Chad
Friday, 29 April
Re: CVE-2022-21449 and version reporting Iron-Bound
CVE-2022-29265: Apache NiFi: Improper Restriction of XML External Entity References in Multiple Components David Handermann
Saturday, 30 April
Re: CVE-2022-21449 and version reporting Christian Fischer
Re: CVE-2022-21449 and version reporting John Helmert III
Re: CVE-2022-21449 and version reporting Jeremy Stanley
Re: CVE-2022-21449 and version reporting David A. Wheeler
Re: CVE-2022-21449 and version reporting Christian Fischer
Sunday, 01 May
Re: CVE-2022-21449 and version reporting John Helmert III
Monday, 02 May
Re: CVE-2022-21449 and version reporting Christian Fischer
Wednesday, 04 May
CVE-2022-28890: Apache Jena: Processing external DTDs Andy Seaborne
DPDK CVE-2021-3839 Release Notice Jiang, Cheng1
DPDK CVE-2022-0669 Release Notice Jiang, Cheng1
Thursday, 05 May
CVE-2022-24903: rsyslog < 8.2204.1 heap buffer overrun Rainer Gerhards
Monday, 09 May
Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging Archange
Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging Jan Lehnardt
Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging Archange
Re: CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging Jan Lehnardt
Tuesday, 10 May
Linux kernel: A concurrency use-after-free in bad_flp_intr for latest kernel version Minh Yuan
Re: Linux kernel: A concurrency use-after-free in bad_flp_intr for latest kernel version Minh Yuan
[SECURITY ADVISORY] curl: removes wrong file on error Daniel Stenberg
[SECURITY ADVISORY] curl: cookie for trailing dot TLD Daniel Stenberg
[SECURITY ADVISORY] curl: percent-encoded path separator in URL host Daniel Stenberg
[SECURITY ADVISORY] curl: CERTINFO never-ending busy-loop Daniel Stenberg
[SECURITY ADVISORY] curl: TLS and SSH connection too eager reuse Daniel Stenberg
[SECURITY ADVISORY] curl: HSTS bypass via trailing dot Daniel Stenberg
Wednesday, 11 May
CVE-2022-29162: runc < 1.1.2 incorrect handling of inheritable capabilities in default configuration Aleksa Sarai
Sunday, 15 May
linux-distros list policy and Linux kernel Solar Designer
Re: linux-distros list policy and Linux kernel Igor Seletskiy
Re: linux-distros list policy and Linux kernel Anthony Liguori
Monday, 16 May
Re: linux-distros list policy and Linux kernel Jason A. Donenfeld
Re: linux-distros list policy and Linux kernel Thadeu Lima de Souza Cascardo
CVE-2022-30126: Apache Tika Regular Expression Denial of Service in Standards Extractor Tim Allison
CVE-2022-25169: Apache Tika BPGParser Memory Usage DoS Tim Allison
Re: linux-distros list policy and Linux kernel Greg KH
Re: linux-distros list policy and Linux kernel Greg KH
Re: linux-distros list policy and Linux kernel Seth Arnold
Re: linux-distros list policy and Linux kernel Greg KH
Tuesday, 17 May
CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service Zhang Yonglun
Re: linux-distros list policy and Linux kernel Jason A. Donenfeld
Re: linux-distros list policy and Linux kernel Greg KH
Re: linux-distros list policy and Linux kernel Thadeu Lima de Souza Cascardo
Re: linux-distros list policy and Linux kernel Jeremy Stanley
Multiple vulnerabilities in Jenkins plugins Daniel Beck
CVE-2022-30688: needrestart 0.8+ local privilege escalation Thomas Liske
Wednesday, 18 May
ISC has disclosed a vulnerability in BIND (CVE-2022-1183) ISC Security Officer
CVE-2022-29581: Linux kernel cls_u32 UAF Kyle Zeng
Thursday, 19 May
Re: linux-distros list policy and Linux kernel Dan Carpenter
Re: linux-distros list policy and Linux kernel Alan Coopersmith
Friday, 20 May
Re: linux-distros list policy and Linux kernel Vegard Nossum
CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation Norbert Slusarek
Saturday, 21 May
Re: CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation Solar Designer
Sunday, 22 May
Re: linux-distros list policy and Linux kernel Solar Designer
Re: linux-distros list policy and Linux kernel Solar Designer
Re: linux-distros list policy and Linux kernel Sam James
Re: linux-distros list policy and Linux kernel Sam James
Re: linux-distros list policy and Linux kernel Greg KH
Monday, 23 May
Re: linux-distros list policy and Linux kernel eduardo vela
CVE-2022-29599: Apache Maven: Commandline class shell injection vulnerabilities Slawomir Jaranowski
Tuesday, 24 May
Re: linux-distros list policy and Linux kernel Solar Designer
Re: linux-distros list policy and Linux kernel Solar Designer
Re: linux-distros list policy and Linux kernel Vegard Nossum
CVE-2022-1786: Linux Kernel invalid-free in io_uring Kyle Zeng
Re: CVE-2022-1786: Linux Kernel invalid-free in io_uring Solar Designer
Re: linux-distros list policy and Linux kernel Greg KH
CVE-2022-21499: trivial lockdown break John Haxby
Re: CVE-2022-1786: Linux Kernel invalid-free in io_uring Kyle Zeng
Re: linux-distros list policy and Linux kernel Mickaël Salaün
Re: CVE-2022-21499: trivial lockdown break John Haxby
Re: CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation Norbert Slusarek
Re: CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation Solar Designer
Wednesday, 25 May
multiple vulnerabilities in radare2 Dimitrios Glynos
CVE-2022-1789: Linux Kernel: x86/kvm: NULL pointer dereference in kvm_mmu_invpcid_gva kangel
Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file Kamil Dudka
Re: Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file Marc Deslauriers
Re: Re: CVE-2022-1348 logrotate: potential DoS from unprivileged users via the state file Kamil Dudka
Thursday, 26 May
OPEN SOURCE NTFS-3G SECURITY ADVISORY NTFS3G-SA-2022-0001 Jussi Hietanen
OPEN SOURCE NTFS-3G SECURITY ADVISORY NTFS3G-SA-2022-0002 Jussi Hietanen
Re: CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation Norbert Slusarek
Re: CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation Jeremy Stanley
Re: CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation Solar Designer
Re: CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation Philip Pettersson
Friday, 27 May
Re: CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation Mike O'Connor
CVE-2022-1462: Linux kernel: A race condition vulnerability in drivers/tty/tty_buffers.c 一只狗
Saturday, 28 May
Re: CVE-2022-1786: Linux Kernel invalid-free in io_uring Kyle Zeng
Re: CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation Solar Designer
Monday, 30 May
WebKitGTK and WPE WebKit Security Advisory WSA-2022-0005 Carlos Alberto Lopez Perez
Tuesday, 31 May
Linux Kernel use-after-free write in netfilter EDG EDG
CVE-2022-30973: Apache Tika: Missing fix for CVE-2022-30126 in 1.28.2 Tim Allison
CVE-2022-1852: Linux Kernel: x86/kvm: NULL pointer dereference in x86_emulate_insn kangel
Wednesday, 01 June
Re: Linux Kernel eBPF Improper Input Validation Vulnerability Solar Designer
Re: CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability Solar Designer
Thursday, 02 June
CVE-2022-1972: out-of-bound write in Linux netfilter subsystem leads to local privilege escalation 张子明(明程)
Re: Linux Kernel use-after-free write in netfilter Salvatore Bonaccorso
Saturday, 04 June
Re: Linux Kernel use-after-free write in netfilter Solar Designer
Re: CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability Solar Designer
Re: Linux Kernel eBPF Improper Input Validation Vulnerability Solar Designer
Re: Linux Kernel: Exploitable vulnerability in io_uring Solar Designer
Sunday, 05 June
CVE-2022-1974: Linux kernel: use-after-free caused by improper check device_is_registered() in nfc netlink related functions duoming
CVE-2022-1975: Linux kernel: sleep in atomic context bug when nfc firmware download timeout duoming
Linux kernel: UAF, null-ptr-deref and double-free vulnerabilities in nfcmrvl module duoming
Re: Linux kernel: UAF, null-ptr-deref and double-free vulnerabilities in nfcmrvl module Salvatore Bonaccorso
Tuesday, 07 June
CVE-2022-31030: containerd CRI plugin: Host memory exhaustion through ExecSync Samuel Karp
Re: CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability tr3e wang
Re: Linux Kernel eBPF Improper Input Validation Vulnerability tr3e wang
UNPAR-2022-0 Multiple Vulnerabilities in ntfs-3g NTFS Mount Tool Roman Fiedler
[SECURITY PATCH 00/30] Multiple GRUB2 vulnerabilities - 2022/06/07 round John Haxby
CVE-2022-1973: Linux Kernel: fs/ntfs3: invalid free in log_replay Gerald Lee
Wednesday, 08 June
CVE-2022-26377: Apache HTTP Server: mod_proxy_ajp: Possible request smuggling Stefan Eissing
CVE-2022-28330: Apache HTTP Server: read beyond bounds in mod_isapi Stefan Eissing
CVE-2022-28614: Apache HTTP Server: read beyond bounds via ap_rwrite() Stefan Eissing
CVE-2022-29404: Apache HTTP Server: Denial of service in mod_lua r:parsebody Stefan Eissing
CVE-2022-30522: Apache HTTP Server: mod_sed denial of service Stefan Eissing
CVE-2022-30556: Apache HTTP Server: Information Disclosure in mod_lua with websockets Stefan Eissing
CVE-2022-31813: Apache HTTP Server: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism Stefan Eissing
CVE-2022-28615: Apache HTTP Server: Read beyond bounds in ap_strcmp_match() Stefan Eissing
firejail: local root exploit reachable via --join logic (CVE-2022-31214) Matthias Gerstner
Thursday, 09 June
Re: Linux kernel: UAF, null-ptr-deref and double-free vulnerabilities in nfcmrvl module duoming
Re: firejail: local root exploit reachable via --join logic (CVE-2022-31214) Alex Murray
Xen Security Advisory 401 v2 (CVE-2022-26362) - x86 pv: Race condition in typeref acquisition Xen . org security team
Xen Security Advisory 402 v4 (CVE-2022-26363,CVE-2022-26364) - x86 pv: Insufficient care with non-coherent mappings Xen . org security team
Friday, 10 June
[kubernetes] CVE-2021-25748: Ingress-nginx `path` sanitization can be bypassed with newline character CJ Cullen
Tuesday, 14 June
CVE-2022-25167 - Apache Flume JMSSource does not protect from malicious JNDI urls Ralph Goers
CVE-2022-1976: Linux Kernel: A use-after-free in __lock_acquire Gerald Lee
CVE-2022-32981: Linux kernel for powerpc 32-bit, buffer overflow in ptrace PEEKUSER/POKEUSER Michael Ellerman
Xen Security Advisory 404 v1 (CVE-2022-21123,CVE-2022-21124,CVE-2022-21166) - x86: MMIO Stale Data vulnerabilities Xen . org security team
Wednesday, 15 June
CVE-2022-33140: Apache NiFi, Apache NiFi Registry: Improper Neutralization of Command Elements in Shell User Group Provider David Handermann
CVE-2021-33036: Apache Hadoop Privilege escalation vulnerability Akira Ajisaka
Thursday, 16 June
Xen Security Advisory 404 v2 (CVE-2022-21123,CVE-2022-21125,CVE-2022-21166) - x86: MMIO Stale Data vulnerabilities Xen . org security team
Sunday, 19 June
Linux kernel: CVE-2022-1516: NULL pointer dereference in Linux kernel`s X.25 network protocol duoming
Monday, 20 June
Re: Linux Kernel use-after-free write in netfilter Moritz Mühlenhoff
Tuesday, 21 June
Multiple vulnerabilities affecting Uyuni / SUSE Manager Paolo Perego
Request for comment: kmod signing by AlmaLinux OS Foundation Igor Seletskiy
Wednesday, 22 June
CVE-2022-2153: Linux Kernel: x86/kvm: NULL pointer dereference in kvm_irq_delivery_to_apic_fast kangel
CVE-2022-32549: Apache Sling: log injection in Sling logging Robert Munteanu
Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck
Thursday, 23 June
CVE-2022-34305: Apache Tomcat: XSS in examples web application Mark Thomas
Sunday, 26 June
[SECURITY ADVISORY] curl: CVE-2022-32205: Set-Cookie denial of service Daniel Stenberg
[SECURITY ADVISORY] curl: CVE-2022-32206: HTTP compression denial of service Daniel Stenberg
[SECURITY ADVISORY] curl: CVE-2022-32207: Unpreserved file permissions Daniel Stenberg
[SECURITY ADVISORY] curl: FTP-KRB bad message verification Daniel Stenberg
Monday, 27 June
CVE-2022-33879: Apache Tika: Incomplete fix and new regex DoS in StandardsExtractingContentHandler Tim Allison
Tuesday, 28 June
Fwd: Node.js security updates for all active release lines, July 2022 Matteo Collina
CVE-2022-32532: Apache Shiro: Authentication Bypass Vulnerability Brian Demers
Wednesday, 29 June
GnuPG signature spoofing via status line injection Demi Marie Obenour
Thursday, 30 June
Re: CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation Solar Designer
Multiple vulnerabilities in Jenkins plugins Daniel Beck
Re: CVE-2022-1729: race condition in Linux perf subsystem leads to local privilege escalation Norbert Slusarek