oss-sec: by author

356 messages starting Nov 20 23 and ending Nov 24 23


Alan Coopersmith

GNUTLS-SA-2023-10-23, CVE-2023-5981: timing sidechannel in RSA-PSK key exchange Alan Coopersmith (Nov 20)
Security fixes in Go 1.21.5 and Go 1.20.12 releases Alan Coopersmith (Dec 05)
Re: linux-distros membership application of openEuler Alan Coopersmith (Oct 16)
Fwd: X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17 Alan Coopersmith (Oct 03)
Session File Relative Path Traversal in sudo-rs Alan Coopersmith (Nov 02)
Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Alan Coopersmith (Oct 18)
Re: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack) Alan Coopersmith (Dec 19)
Re: Re: New SMTP smuggling attack Alan Coopersmith (Dec 29)
New CVEs and security fix releases for perl Alan Coopersmith (Nov 30)
Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Alan Coopersmith (Oct 20)
CVEs assigned for reachable assertions in avahi Alan Coopersmith (Oct 06)
CVE-2023-45853: overflows in MiniZip in zlib through 1.3 Alan Coopersmith (Oct 20)
Re: Fwd: X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17 Alan Coopersmith (Oct 03)
CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Alan Coopersmith (Oct 10)
GIMP 2.10.36 fixed multiple image format parser vulnerabilities Alan Coopersmith (Nov 20)
CVE-2023-49284: fish command substitution output can trigger shell expansion Alan Coopersmith (Dec 08)
Samba 4.19.1, 4.18.8 and 4.17.12 Security Releases are available for Download Alan Coopersmith (Oct 13)
SLAM: Spectre based on Linear Address Masking Alan Coopersmith (Dec 05)
Fwd: Samba 4.19.3 Available for Download - addresses CVE-2018-14628 Alan Coopersmith (Nov 28)
Python Cryptography advisory: CVE-2023-49083 NULL-dereference when loading PKCS7 certificates Alan Coopersmith (Nov 29)
jq 1.7.1 fixes CVE-2023-50246 & CVE-2023-50268 Alan Coopersmith (Dec 15)
CVE-2023-45322: Use-after-free in libxml2 through 2.11.5 Alan Coopersmith (Oct 06)

Albumen Kevin

CVE-2023-46279: Apache Dubbo: Bypass deny serialize list check in Apache Dubbo Albumen Kevin (Dec 15)
CVE-2023-29234: Bypass serialize checks in Apache Dubbo Albumen Kevin (Dec 15)

Alexander E. Patrakov

Re: Re: New SMTP smuggling attack Alexander E. Patrakov (Dec 22)
Re: linux-distros membership application of openEuler Alexander E. Patrakov (Dec 24)

Alex Murray

Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Alex Murray (Nov 30)

Alon Zahavi

CVE-2023-5178: Linux NVMe-oF/TCP Driver - UAF in `nvmet_tcp_free_crypto` Alon Zahavi (Oct 15)

Amos Jeffries

Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days. Amos Jeffries (Oct 13)

Andor Molnar

CVE-2023-44981: Apache ZooKeeper: Authorization bypass in SASL Quorum Peer Authentication Andor Molnar (Oct 11)

Andrew Cooper

Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Andrew Cooper (Oct 03)
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Andrew Cooper (Oct 03)

Antonio Gomez Iglesias

Re: CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) Antonio Gomez Iglesias (Nov 14)
CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) Antonio Gomez Iglesias (Nov 14)

Arnout Engelen

CVE-2023-49735: Apache Tiles: Unvalidated input may lead to path traversal and XXE Arnout Engelen (Nov 30)

Aron Xu

Re: linux-distros membership application of openEuler Aron Xu (Oct 16)
linux-distros membership application of openEuler Aron Xu (Oct 15)
Re: linux-distros membership application of openEuler Aron Xu (Oct 16)

Arrigo Marchiori

CVE-2023-1183: Apache OpenOffice: Arbitrary file write in Apache OpenOffice Base Arrigo Marchiori (Dec 28)
CVE-2023-47804: Apache OpenOffice: Macro URL arbitrary script execution Arrigo Marchiori (Dec 28)
CVE-2022-43680: Apache OpenOffice: "Use after free" fixed in libexpat Arrigo Marchiori (Dec 28)
CVE-2012-5639: Apache OpenOffice: Loading internal / external resources without warning Arrigo Marchiori (Dec 28)

Bjoern Franke

Re: Re: New SMTP smuggling attack Bjoern Franke (Dec 22)

Bob Friesenhahn

Re: sandboxing of upstream programs by distros Bob Friesenhahn (Oct 22)
Re: sandboxing of upstream programs by distros Bob Friesenhahn (Oct 22)

Brian Demers

CVE-2023-46750: Apache Shiro: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Shiro. Brian Demers (Dec 13)

Byron Ruth

NATS: 2023-02: nkeys: xkeys Seal encryption used fixed key for all encryption Byron Ruth (Oct 31)

Carlos Alberto Lopez Perez

WebKitGTK and WPE WebKit Security Advisory WSA-2023-0011 Carlos Alberto Lopez Perez (Dec 05)
WebKitGTK and WPE WebKit Security Advisory WSA-2023-0012 Carlos Alberto Lopez Perez (Dec 17)
WebKitGTK and WPE WebKit Security Advisory WSA-2023-0010 Carlos Alberto Lopez Perez (Nov 15)

Cédric Damioli

CVE-2022-45135: Apache Cocoon: SQL injection in DatabaseCookieAuthenticatorAction Cédric Damioli (Nov 30)
CVE-2023-49733: Apache Cocoon's StreamGenerator is vulnerable to XXE injection Cédric Damioli (Nov 30)

Charles Zhang

CVE-2023-46227: Apache inlong has an Arbitrary File Read Vulnerability Charles Zhang (Oct 18)
CVE-2023-43666: Apache InLong: General user Unauthorized access User Management Charles Zhang (Oct 15)
CVE-2023-43667: Apache InLong: Log Injection in Global functions Charles Zhang (Oct 15)
CVE-2023-43668: Apache InLong: Jdbc Connection Security Bypass in InLong Charles Zhang (Oct 15)

Christian Brabandt

[vim-security] use-after-free in ex_substitute in Vim < v9.0.2121 Christian Brabandt (Nov 22)
[vim-security] several minor security issues in Vim v9.0.2106-v9.0.2112 Christian Brabandt (Nov 16)
[vim-security] integer overflow in :history command in Vim < 9.0.2068 Christian Brabandt (Oct 26)

Christopher L. Shannon

CVE-2023-46604: Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack Christopher L. Shannon (Oct 27)

CJ Cullen

[kubernetes] CVE-2022-4886: Ingress-nginx `path` sanitization can be bypassed with `log_format` directive CJ Cullen (Oct 25)
[kubernetes] CVE-2023-5044: Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation CJ Cullen (Oct 25)
[kubernetes] CVE-2023-5043: Ingress nginx annotation injection causes arbitrary command execution CJ Cullen (Oct 25)

Claus Assmann

Re: New SMTP smuggling attack Claus Assmann (Dec 21)
Re: Re: New SMTP smuggling attack Claus Assmann (Dec 30)
Re: New SMTP smuggling attack Claus Assmann (Dec 26)

Colm O hEigeartaigh

CVE-2023-44483: Apache Santuario: Private Key disclosure in debug-log output Colm O hEigeartaigh (Oct 20)

Cory McIntire

Re: Exim4 MTA CVEs assigned from ZDI Cory McIntire (Oct 05)

Craig Ingram

[kubernetes] CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes Craig Ingram (Nov 14)

!CVE Team

Re: !CVE: A new platform to track security issues not acknowledged by vendors !CVE Team (Nov 10)
Re: !CVE: A new platform to track security issues not acknowledged by vendors !CVE Team (Nov 10)

Damien Miller

Announce: OpenSSH 9.6 released Damien Miller (Dec 18)

Daniel Beck

Vulnerability in Jenkins Daniel Beck (Oct 18)
Multiple vulnerabilities in Jenkins plugins Daniel Beck (Nov 29)
Multiple vulnerabilities in Jenkins plugins Daniel Beck (Oct 25)
Multiple vulnerabilities in Jenkins plugins Daniel Beck (Dec 13)

Daniel Gaspar

CVE-2023-42505: Apache Superset: Sensitive information disclosure on db connection details Daniel Gaspar (Nov 28)
CVE-2023-49736: Apache Superset: SQL Injection on where_in JINJA macro Daniel Gaspar (Dec 19)
CVE-2023-42502: Apache Superset: Open Redirect Vulnerability Daniel Gaspar (Nov 28)
CVE-2023-42501: Apache Superset: Unnecessary read permissions within the Gamma role Daniel Gaspar (Nov 27)
CVE-2023-43701: Apache Superset: Stored XSS on API endpoint Daniel Gaspar (Nov 27)
CVE-2023-40610: Apache Superset: Privilege escalation with default examples database Daniel Gaspar (Nov 27)
CVE-2023-46104: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb Daniel Gaspar (Dec 19)
CVE-2023-49734: Apache Superset: Privilege Escalation Vulnerability Daniel Gaspar (Dec 19)
CVE-2023-42504: Apache Superset: Lack of rate limiting allows for possible denial of service Daniel Gaspar (Nov 28)

Daniel Kiper

Re: CVE-2023-4692, CVE-2023-4693: grub2: OOB write, read via specially crafted NTFS filesystem Daniel Kiper (Oct 04)

Daniel Stenberg

[SECURITY ADVISORY] curl: CVE-2023-38545: SOCKS5 heap buffer overflow Daniel Stenberg (Oct 10)
[SECURITY ADVISORY] curl: cookie mixed case PSL bypass Daniel Stenberg (Dec 05)
[SECURITY ADVISORY] curl: HSTS long file name clears contents Daniel Stenberg (Dec 05)
[SECURITY ADVISORY] curl: CVE-2023-38546 Daniel Stenberg (Oct 10)

Daniel Weber

Meltdown-US / Meltdown 3a Remaining Leakage Daniel Weber (Oct 06)

Darya Malyavkina

Re: AlmaLinux Distros List Application Darya Malyavkina (Dec 13)

David A. Wheeler

European Union Cyber Resilience Act (CRA) David A. Wheeler (Oct 05)

David Handermann

CVE-2023-49145: Apache NiFi: Improper Neutralization of Input in Advanced User Interface for Jolt David Handermann (Nov 27)

David Leadbeater

Re: with firefox on X11, any page can pastejack you anytime David Leadbeater (Oct 20)
Re: with firefox on X11, any page can pastejack you anytime David Leadbeater (Oct 20)

Deepak Dixit

CVE-2023-51467: Apache OFBiz: Pre-authentication Remote Code Execution (RCE) vulnerability Deepak Dixit (Dec 26)

Demi Marie Obenour

Re: sandboxing of upstream programs by distros Demi Marie Obenour (Oct 14)
Re: linux-distros membership application of openEuler Demi Marie Obenour (Oct 16)
Re: CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) Demi Marie Obenour (Nov 14)
Re: sandboxing of upstream programs by distros Demi Marie Obenour (Oct 22)
Re: Rust programs in distributions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) Demi Marie Obenour (Oct 01)
Re: linux-distros membership application of openEuler Demi Marie Obenour (Dec 28)
Re: linux-distros membership application of openEuler Demi Marie Obenour (Oct 16)
Re: CVE-2023-20867: open-vm-tools: Authentication Bypass vulnerability in the vgauth module Demi Marie Obenour (Oct 16)
Re: linux-distros membership application of openEuler Demi Marie Obenour (Oct 16)
Re: sandboxing of upstream programs by distros Demi Marie Obenour (Oct 22)
Re: linux-distros membership application of openEuler Demi Marie Obenour (Oct 16)

Dirk-Willem van Gulik

Re: European Union Cyber Resilience Act (CRA) Dirk-Willem van Gulik (Oct 09)

Dominique Martinet

Re: CVE-2023-6817: Linux kernel: use-after-free in nf_tables Dominique Martinet (Dec 22)

Donald Buczek

Re: with firefox on X11, any page can pastejack you anytime Donald Buczek (Oct 20)

Elad Kalif

CVE-2023-46215: Apache Airflow Celery provider, Apache Airflow: Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend Elad Kalif (Oct 28)

Ephraim Anierobi

CVE-2023-50783: Apache Airflow: Improper access control vulnerability on the "varimport" endpoint Ephraim Anierobi (Dec 21)
CVE-2023-47037: Apache Airflow missing fix for CVE-2023-40611 in 2.7.1 (DAG run broken access) Ephraim Anierobi (Nov 12)
CVE-2023-42780: Apache Airflow: Improper access control vulnerability in the "List dag warnings" feature Ephraim Anierobi (Oct 13)
CVE-2023-42663: Apache Airflow: Bypass permission verification to view task instances of other dags Ephraim Anierobi (Oct 13)
CVE-2023-42781: Apache Airflow: Permission verification bypass allows viewing dagruns of other dags Ephraim Anierobi (Nov 12)
CVE-2023-49920: Apache Airflow: Missing CSRF protection on DAG/trigger Ephraim Anierobi (Dec 21)
CVE-2023-42792: Apache Airflow: Improper access control to DAG resources Ephraim Anierobi (Oct 13)
CVE-2023-48291: Apache Airflow: Improper access control to DAG resources Ephraim Anierobi (Dec 21)
CVE-2023-47265: Apache Airflow: DAG Params allow to embed unchecked Javascript Ephraim Anierobi (Dec 21)
CVE-2023-45348: Apache Airflow: Configuration information leakage vulnerability Ephraim Anierobi (Oct 13)

Erik Auerswald

Re: Re: New SMTP smuggling attack Erik Auerswald (Dec 22)
There is a curl "severity HIGH security problem" pre-announcement on GitHub Erik Auerswald (Oct 05)
Re: Re: New SMTP smuggling attack Erik Auerswald (Dec 22)
Re: Haskell programs in distributions (was: Rust programs in distributions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx)) Erik Auerswald (Oct 01)

Fabian Bäumer

CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack) Fabian Bäumer (Dec 18)

Fabian Keil

Re: There is a curl "severity HIGH security problem" pre-announcement on GitHub Fabian Keil (Oct 05)
Re: Exim4 MTA CVEs assigned from ZDI Fabian Keil (Oct 04)
Re: European Union Cyber Resilience Act (CRA) Fabian Keil (Oct 08)

Florian Weimer

Re: budgie-extras: multiple predictable /tmp path issues in various applications Florian Weimer (Dec 17)

Grant Taylor

Re: with firefox on X11, any page can pastejack you anytime Grant Taylor (Oct 18)
Re: with firefox on X11, any page can pastejack you anytime Grant Taylor (Oct 18)

Greg KH

Re: linux-distros membership application of openEuler Greg KH (Oct 16)
Re: linux-distros membership application of openEuler Greg KH (Oct 16)
Re: "Linux Kernel security demystified" Greg KH (Oct 02)
Re: linux-distros membership application of openEuler Greg KH (Oct 16)
Re: "Linux Kernel security demystified" Greg KH (Oct 02)
Re: linux-distros membership application of openEuler Greg KH (Dec 28)
Re: linux-distros membership application of openEuler Greg KH (Oct 16)

Hanno Böck

Re: New SMTP smuggling attack Hanno Böck (Dec 22)

Haonan Hou

CVE-2023-51656: Apache IoTDB: Unsafe deserialize map in Sync Tool Haonan Hou (Dec 21)

Harry Sintonen

Re: Re: New SMTP smuggling attack Harry Sintonen (Dec 22)

Heiko Schlittermann

Re: linux-distros membership application of openEuler Heiko Schlittermann (Oct 16)
Re: Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann (Oct 02)
Re: Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann (Oct 05)
Re: Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann (Oct 01)
New Exim security release 4.96.2 (was: Exim4 MTA CVEs assigned from ZDI) Heiko Schlittermann (Oct 15)
Re: Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann (Oct 02)
Re: Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann (Oct 01)

Huajie Wang

CVE-2023-49898: Apache StreamPark (incubating): Authenticated system users could trigger remote command execution Huajie Wang (Dec 15)
CVE-2023-30867: Apache StreamPark (incubating): Authenticated system users could trigger SQL injection vulnerability Huajie Wang (Dec 15)

HW42

Re: CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) HW42 (Nov 14)

Igor Seletskiy

Re: linux-distros membership application of openEuler Igor Seletskiy (Dec 23)
Re: linux-distros membership application of openEuler Igor Seletskiy (Oct 16)

Ingo Brückl

xarchiver: Path traversal with crafted cpio archives Ingo Brückl (Dec 27)
xarchiver: Path traversal with crafted cpio archives Ingo Brückl (Dec 29)
Security vulnerability in Debian's cpio 2.13 Ingo Brückl (Dec 21)

Jacques Le Roux

CVE-2023-49070: Pre-auth RCE in Apache Ofbiz 18.12.09 due to XML-RPC still present Jacques Le Roux (Dec 04)

Jakub Jelen

CVE-2023-40660: Potential PIN bypass with empty PIN in OpenSC before 0.24.0 Jakub Jelen (Dec 13)
CVE-2023-40661: Dynamic analyzers reports in pkcs15-init in OpenSC before 0.24.0 Jakub Jelen (Dec 13)

Jan Engelhardt

Re: "Linux Kernel security demystified" Jan Engelhardt (Oct 01)
Re: with firefox on X11, any page can pastejack you anytime Jan Engelhardt (Oct 18)

Jarek Potiuk

CVE-2023-46288: Apache Airflow: Sensitive parameters exposed in API when "non-sensitive-only" configuration is set Jarek Potiuk (Oct 23)

Jean-Baptiste Onofré

CVE-2022-41678: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE Jean-Baptiste Onofré (Nov 28)

Jean Luc Picard

Re: "Linux Kernel security demystified" Jean Luc Picard (Oct 06)
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Jean Luc Picard (Oct 03)
Re: European Union Cyber Resilience Act (CRA) Jean Luc Picard (Oct 08)
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Jean Luc Picard (Oct 04)

Jeffrey Walton

Re: with firefox on X11, any page can pastejack you anytime Jeffrey Walton (Oct 19)

Jeremy Stanley

Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Jeremy Stanley (Oct 03)
Re: with firefox on X11, any page can pastejack you anytime Jeremy Stanley (Oct 19)
Re: linux-distros list membership application - CIQ Rocky Linux Security Team Jeremy Stanley (Oct 14)

Jiajie Zhong

CVE-2023-49299: Apache DolphinScheduler: Arbitrary js execute as root for authenticated users Jiajie Zhong (Dec 29)
CVE-2023-49620: Apache DolphinScheduler: Authenticated users could delete UDFs in resource center they were not authorized Jiajie Zhong (Nov 30)

John Helmert III

Re: CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools John Helmert III (Nov 26)
Re: CVE-2023-49068: Apache DolphinScheduler: Information Leakage Vulnerability John Helmert III (Nov 25)

Jonathan Wright

Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Jonathan Wright (Oct 13)
Re: AlmaLinux Distros List Application Jonathan Wright (Dec 19)
AlmaLinux Distros List Application Jonathan Wright (Dec 12)

Joshua Rogers

Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days. Joshua Rogers (Oct 21)
Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days. Joshua Rogers (Oct 13)
Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days. Joshua Rogers (Oct 11)

Julien Nioche

CVE-2023-43123: Apache Storm: Local Information Disclosure Vulnerability in Storm-core on Unix-Like systems due temporary files Julien Nioche (Nov 23)

kai

Re: Re: New SMTP smuggling attack kai (Dec 25)

Kapetanakis Giannis

Re: CVE-2023-5631: XSS vulnerability in Roundcube webmail Kapetanakis Giannis (Nov 01)

Katherine Mcmillan

Re: European Union Cyber Resilience Act (CRA) Katherine Mcmillan (Oct 05)

Ken Moffat

Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx Ken Moffat (Oct 01)

Kevin Backhouse

CVE-2023-43641: out-of-bounds array access in libcue 2.2.1 Kevin Backhouse (Oct 09)

Kyle Zeng

[CVE-2023-42754] null pointer dereference in Linux kernel ipv4 stack Kyle Zeng (Oct 02)
Re: [CVE-2023-42754] null pointer dereference in Linux kernel ipv4 stack Kyle Zeng (Oct 02)

Loganaden Velvindron

Re: "Linux Kernel security demystified" Loganaden Velvindron (Oct 02)

Lukasz Lenart

CVE-2023-41835: Apache Struts: excessive disk usage Lukasz Lenart (Dec 09)
CVE-2023-50164: Apache Struts: File upload component had a directory traversal vulnerability Lukasz Lenart (Dec 07)

Marco Ivaldi

HNS-2023-04 - HN Security Advisory - Buffer overflow vulnerabilities with long path names in TinyDir Marco Ivaldi (Dec 04)

Marcus Meissner

New SMTP smuggling attack Marcus Meissner (Dec 21)
Re: linux-distros membership application of openEuler Marcus Meissner (Oct 16)
Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 22)
Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 30)
Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 24)
Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 22)
Re: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack) Marcus Meissner (Dec 20)

Mariusz Felisiak

Django: CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows Mariusz Felisiak (Nov 01)

Mark Thomas

CVE-2023-42795: Apache Tomcat: Failure during request clean-up leads to sensitive data leaking to subsequent requests Mark Thomas (Oct 10)
CVE-2023-46589: Apache Tomcat: HTTP request smuggling via malformed trailer headers Mark Thomas (Nov 28)
CVE-2023-45648: Apache Tomcat: Trailer header parsing too lenient Mark Thomas (Oct 10)
CVE-2023-42794: Apache Tomcat: FileUpload: DoS due to accumulation of temporary files on Windows Mark Thomas (Oct 10)

Martin Hecht

Re: with firefox on X11, any page can pastejack you anytime Martin Hecht (Oct 24)
Re: linux-distros list membership application - CIQ Rocky Linux Security Team Martin Hecht (Oct 13)

Matt Caswell

Re: upcoming release of OpenSSL 3.1.4 and 3.0.12 Matt Caswell (Oct 18)

Matthew Fernandez

sandboxing of upstream programs by distros Matthew Fernandez (Oct 14)
Re: sandboxing of upstream programs by distros Matthew Fernandez (Oct 14)
Re: sandboxing of upstream programs by distros Matthew Fernandez (Oct 22)

Matthias Gerstner

Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Matthias Gerstner (Nov 30)
budgie-extras: multiple predictable /tmp path issues in various applications Matthias Gerstner (Dec 14)
Cadence: Fixed /tmp path issues; no longer maintained by upstream (CVE-2023-43782, CVE-2023-43783) Matthias Gerstner (Oct 05)
Re: CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools Matthias Gerstner (Oct 27)
Security issues in passim local caching server Matthias Gerstner (Oct 27)
Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Matthias Gerstner (Nov 20)
Re: XDG_RUNTIME_DIR "misuse" as $TMPDIR (was: Re: [oss-security] budgie-extras: multiple predictable /tmp path issues in various applications) Matthias Gerstner (Dec 15)
hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Matthias Gerstner (Nov 17)
Re: CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools Matthias Gerstner (Nov 27)

Michael Jumper

[SECURITY] CVE-2023-43826: Apache Guacamole: Integer overflow in handling of VNC image buffers Michael Jumper (Dec 19)

Michael Marshall

CVE-2023-37544: Apache Pulsar WebSocket Proxy: Improper Authentication for WebSocket Proxy Endpoint Allows DoS Michael Marshall (Dec 19)

Michael Orlitzky

Re: with firefox on X11, any page can pastejack you anytime Michael Orlitzky (Oct 18)
Re: with firefox on X11, any page can pastejack you anytime Michael Orlitzky (Oct 18)
Re: Rust programs in distributions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) Michael Orlitzky (Oct 02)
Re: with firefox on X11, any page can pastejack you anytime Michael Orlitzky (Oct 18)

Michael Schwarz

Re: Meltdown-US / Meltdown 3a Remaining Leakage Michael Schwarz (Oct 08)

Mickaël Salaün

Re: sandboxing of upstream programs by distros Mickaël Salaün (Oct 22)

midawson

Fwd: Node.js security updates for all active release lines, October 2023 midawson (Oct 12)

Mike O'Connor

Re: !CVE: A new platform to track security issues not acknowledged by vendors Mike O'Connor (Nov 10)
Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Mike O'Connor (Nov 19)

Mingyu Chen

CVE-2023-41314: Apache Doris: Missing API authentication allowed DoS Mingyu Chen (Dec 16)

Moritz Muehlenhoff

Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Moritz Muehlenhoff (Oct 10)

Morten Linderud

Re: linux-distros list membership application - CIQ Rocky Linux Security Team Morten Linderud (Oct 17)

Natalia Bidart

Django: CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator Natalia Bidart (Oct 04)

Neal Gompa

Re: linux-distros list membership application - CIQ Rocky Linux Security Team Neal Gompa (Oct 13)
Re: linux-distros list membership application - CIQ Rocky Linux Security Team Neal Gompa (Oct 14)

Nick Vatamaniuc

CVE-2023-45725: Apache CouchDB, IBM Cloudant: Privilege Escalation Using _design Documents Nick Vatamaniuc (Dec 12)

Nicolas Malin

CVE-2023-50968: Apache OFBiz: Arbitrary file properties reading and SSRF attack Nicolas Malin (Dec 26)

niekt0

Re: with firefox on X11, any page can pastejack you anytime niekt0 (Oct 19)

nightmare . yeah27

Re: with firefox on X11, any page can pastejack you anytime nightmare . yeah27 (Oct 20)

OpenSSL

OpenSSL Security Advisory OpenSSL (Oct 24)

Peter Hutterer

FW: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.9 and Xwayland prior to 23.2.2 Peter Hutterer (Oct 25)
FW: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.10 and Xwayland prior to 23.2.3 Peter Hutterer (Dec 13)

Peter Korsgaard

Buildroot: Talos download hash verification vulnerabilities Peter Korsgaard (Dec 10)

Phil Pennock

NATS: 2023-01: Adding accounts for just the system account adds auth bypass Phil Pennock (Oct 13)
Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass Phil Pennock (Oct 30)
Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass Phil Pennock (Oct 29)

public1020

How can I join the linux-distros mailing list and become a representative? public1020 (Oct 07)

Qualys Security Advisory

CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so Qualys Security Advisory (Oct 03)

Richard N. Hillegas

CVE-2022-46337: Apache Derby: LDAP injection vulnerability in authenticator Richard N. Hillegas (Nov 19)

Rodrigo Freire

Re: Re: New SMTP smuggling attack Rodrigo Freire (Dec 22)
Re: CVE-2023-4806, CVE-2023-5156: glibc: potential use-after-free in getaddrinfo() Rodrigo Freire (Oct 03)

Roxana Bradescu

Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Roxana Bradescu (Nov 18)

Salvatore Bonaccorso

Re: Exim4 MTA CVEs assigned from ZDI Salvatore Bonaccorso (Oct 04)
Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass Salvatore Bonaccorso (Oct 28)
Re: Exim4 MTA CVEs assigned from ZDI Salvatore Bonaccorso (Oct 05)

Sam Bull

Re: with firefox on X11, any page can pastejack you anytime Sam Bull (Oct 19)
Re: with firefox on X11, any page can pastejack you anytime Sam Bull (Oct 19)

Sandro Gauci

[ES2023-02] FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation Sandro Gauci (Dec 23)
[ES2023-03] RTPEngine susceptible to Denial of Service via DTLS Hello packets during call initiation Sandro Gauci (Dec 15)
[ES2023-01] Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation Sandro Gauci (Dec 15)

Shawn Webb

Re: There is a curl "severity HIGH security problem" pre-announcement on GitHub Shawn Webb (Oct 05)

Siddhesh Poyarekar

Re: CVE-2023-4806, CVE-2023-5156: glibc: potential use-after-free in getaddrinfo() Siddhesh Poyarekar (Oct 03)
Re: CVE-2023-4806, CVE-2023-5156: glibc: potential use-after-free in getaddrinfo() Siddhesh Poyarekar (Oct 03)

Solar Designer

Re: linux-distros membership application of openEuler Solar Designer (Dec 25)
Wuffs (was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) Solar Designer (Oct 03)
"Linux Kernel security demystified" Solar Designer (Oct 01)
Re: CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) Solar Designer (Nov 14)
Re: linux-distros list membership application - CIQ Rocky Linux Security Team Solar Designer (Oct 14)
Re: [CVE-2023-42754] null pointer dereference in Linux kernel ipv4 stack Solar Designer (Oct 02)
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer (Oct 03)
Re: Fwd: [pfx-ann] Postfix stable release 3.8.4 Solar Designer (Dec 22)
Re: linux-distros membership application of openEuler Solar Designer (Dec 25)
Re: CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so Solar Designer (Oct 03)
Re: Meltdown-US / Meltdown 3a Remaining Leakage Solar Designer (Oct 06)
Re: linux-distros list membership application - CIQ Rocky Linux Security Team Solar Designer (Oct 14)
Re: administrative tasks (was: illumos (or at least danmcd) membership in the distros list) Solar Designer (Oct 03)
Re: AlmaLinux Distros List Application Solar Designer (Dec 17)
Re: CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so Solar Designer (Oct 04)
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer (Oct 04)
linux-distros list membership application - CIQ Rocky Linux Security Team Solar Designer (Oct 01)
Re: with firefox on X11, any page can pastejack you anytime Solar Designer (Oct 20)
Re: linux-distros list membership application - CIQ Rocky Linux Security Team Solar Designer (Oct 11)
Re: upcoming release of OpenSSL 3.1.4 and 3.0.12 Solar Designer (Oct 18)
CVE-2023-51766: Exim: SMTP smuggling Solar Designer (Dec 29)
Re: European Union Cyber Resilience Act (CRA) Solar Designer (Oct 08)
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer (Oct 03)
Bluez, Intel wireless devices: Bluetooth Low Energy stuck in unresponsive state after repeated out of order transmission of packets Solar Designer (Nov 02)
upcoming release of OpenSSL 3.1.4 and 3.0.12 Solar Designer (Oct 17)
Re: distros list archive Solar Designer (Oct 15)
Re: Exim4 MTA CVEs assigned from ZDI Solar Designer (Oct 05)
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer (Oct 03)
CVE-2023-20867: open-vm-tools: Authentication Bypass vulnerability in the vgauth module Solar Designer (Oct 15)
inetutils ftpd, rcp, rlogin, rsh, rshd, uucpd: Avoid potential privilege escalations by checking set*id() return values Solar Designer (Dec 30)
CVE-2023-4806, CVE-2023-5156: glibc: potential use-after-free in getaddrinfo() Solar Designer (Oct 03)
Re: "Linux Kernel security demystified" Solar Designer (Oct 06)
Re: inetutils ftpd, rcp, rlogin, rsh, rshd, uucpd: Avoid potential privilege escalations by checking set*id() return values Solar Designer (Dec 30)
CVE-2023-4692, CVE-2023-4693: grub2: OOB write, read via specially crafted NTFS filesystem Solar Designer (Oct 04)
Re: CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) Solar Designer (Nov 14)
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer (Oct 04)
Re: linux-distros membership application of openEuler Solar Designer (Dec 23)
Re: sandboxing of upstream programs by distros Solar Designer (Oct 21)
Fwd: [pfx-ann] Postfix stable release 3.8.4 Solar Designer (Dec 22)
Re: AlmaLinux Distros List Application Solar Designer (Dec 21)
Re: How can I join the linux-distros mailing list and become a representative? Solar Designer (Oct 09)
CVE-2023-51385, CVE-2023-6004: OpenSSH, libssh: Security weakness in ProxyCommand handling Solar Designer (Dec 26)
Re: linux-distros list membership application - CIQ Rocky Linux Security Team Solar Designer (Oct 17)

Stefan Eissing

CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0 Stefan Eissing (Oct 19)
CVE-2023-31122: Apache HTTP Server: mod_macro buffer over-read Stefan Eissing (Oct 19)
CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST Stefan Eissing (Oct 19)

Steffen Nurpmeso

Re: Re: with firefox on X11, any page can pastejack you anytime Steffen Nurpmeso (Oct 20)
Re: linux-distros membership application of openEuler Steffen Nurpmeso (Oct 16)
Re: with firefox on X11, any page can pastejack you anytime Steffen Nurpmeso (Oct 19)
XDG_RUNTIME_DIR "misuse" as $TMPDIR (was: Re: [oss-security] budgie-extras: multiple predictable /tmp path issues in various applications) Steffen Nurpmeso (Dec 15)
Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Steffen Nurpmeso (Oct 13)
Re: linux-distros membership application of openEuler Steffen Nurpmeso (Dec 25)
Re: XDG_RUNTIME_DIR "misuse" as $TMPDIR (was: Re: [oss-security] budgie-extras: multiple predictable /tmp path issues in various applications) Steffen Nurpmeso (Dec 15)

Stig Palmquist

CVE-2023-7101: Spreadsheet::ParseExcel for Perl is vulnerable to arbitrary code execution Stig Palmquist (Dec 29)

Stuart D Gathman

Re: Re: New SMTP smuggling attack Stuart D Gathman (Dec 22)

Stuart Henderson

Re: Re: New SMTP smuggling attack Stuart Henderson (Dec 22)

Tianyu Chen

Re: linux-distros membership application of openEuler Tianyu Chen (Oct 16)

Tol, Caner

Mayhem: Targeted Corruption of Register and Stack Variables Tol, Caner (Dec 21)

turistu

with firefox on X11, any page can pastejack you anytime turistu (Oct 17)
Re: with firefox on X11, any page can pastejack you anytime Turistu (Oct 26)
Re: with firefox on X11, any page can pastejack you anytime Turistu (Oct 20)
Re: with firefox on X11, any page can pastejack you anytime Turistu (Oct 19)
Re: with firefox on X11, any page can pastejack you anytime Turistu (Oct 20)

Valtteri Vuorikoski

CVE-2023-37580 (and others): XSS vulnerabilities in Zimbra Collaboration Suite Valtteri Vuorikoski (Nov 17)
CVE-2023-5631: XSS vulnerability in Roundcube webmail Valtteri Vuorikoski (Oct 31)
Re: Re: New SMTP smuggling attack Valtteri Vuorikoski (Dec 23)

Vegard Nossum

Re: linux-distros list membership application - CIQ Rocky Linux Security Team Vegard Nossum (Oct 12)

VMware Security Response Center

CVE-2023-34058 - SAML Token Signature Bypass in open-vm-tools VMware Security Response Center (Oct 27)
CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools VMware Security Response Center (Oct 27)

Wang Weibing

CVE-2023-45757: Apache bRPC: The builtin service rpcz page has an XSS attack vulnerability Wang Weibing (Oct 16)

Wenjun Ruan

CVE-2022-45875: Apache DolphinScheduler: Remote command execution Vulnerability in script alert plugin Wenjun Ruan (Nov 22)

Willy Tarreau

Re: "Linux Kernel security demistified" Willy Tarreau (Oct 04)

W. Wadepohl

Re: linux-distros membership application of openEuler W. Wadepohl (Oct 17)

Xen . org security team

Xen Security Advisory 445 v3 (CVE-2023-46835) - x86/AMD: mismatch in IOMMU quarantine page table levels Xen . org security team (Nov 14)
Xen Security Advisory 447 v2 (CVE-2023-46837) - arm32: The cache may not be properly cleaned/invalidated (take two) Xen . org security team (Dec 12)
Xen Security Advisory 444 v3 (CVE-2023-34327,CVE-2023-34328) - x86/AMD: Debug Mask handling Xen . org security team (Oct 10)
Xen Security Advisory 443 v3 (CVE-2023-34325) - Multiple vulnerabilities in libfsimage disk handling Xen . org security team (Oct 10)
Xen Security Advisory 441 v4 (CVE-2023-34324) - Possible deadlock in Linux kernel event handling Xen . org security team (Oct 10)
Xen Security Advisory 442 v2 (CVE-2023-34326) - x86/AMD: missing IOMMU TLB flushing Xen . org security team (Oct 10)
Xen Security Advisory 446 v2 (CVE-2023-46836) - x86: BTC/SRSO fixes not fully effective Xen . org security team (Nov 14)
Xen Security Advisory 440 v3 (CVE-2023-34323) - xenstored: A transaction conflict can crash C Xenstored Xen . org security team (Oct 10)

Xiang Chen

CVE-2023-37924: Apache Submarine: SQL injection from unauthorized login Xiang Chen (Nov 21)
CVE-2023-46302: Apache Submarine: Fix CVE-2022-1471 SnakeYaml unsafe deserialization Xiang Chen (Nov 19)

Xingyuan Mo

CVE-2023-6817: Linux kernel: use-after-free in nf_tables Xingyuan Mo (Dec 22)

zdi () trendmicro com

RE: Exim4 MTA CVEs assigned from ZDI zdi () trendmicro com (Oct 04)
RE: Exim4 MTA CVEs assigned from ZDI zdi () trendmicro com (Oct 05)

Zhang Yonglun

CVE-2023-25753: Server-Side Request Forgery in Apache ShenYu Zhang Yonglun (Oct 18)

Zhenxu Ke

CVE-2023-48796: Apache dolphinscheduler sensitive information disclosure Zhenxu Ke (Nov 24)

Zihao Xiang

CVE-2023-49068: Apache DolphinScheduler: Information Leakage Vulnerability Zihao Xiang (Nov 24)