oss-sec: by date
356 messages starting Oct 01 23 and ending Dec 30 23
Sunday, 01 October
Re: Rust programs in distributions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) Demi Marie Obenour
Re: Haskell programs in distributions (was: Rust programs in distributions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx)) Erik Auerswald
linux-distros list membership application - CIQ Rocky Linux Security Team Solar Designer
Re: Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann
Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx Ken Moffat
"Linux Kernel security demystified" Solar Designer
Re: Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann
Re: "Linux Kernel security demystified" Jan Engelhardt
Monday, 02 October
Re: "Linux Kernel security demystified" Greg KH
Re: Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann
Re: "Linux Kernel security demystified" Loganaden Velvindron
Re: "Linux Kernel security demystified" Greg KH
Re: Rust programs in distributions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) Michael Orlitzky
Re: Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann
[CVE-2023-42754] null pointer dereference in Linux kernel ipv4 stack Kyle Zeng
Re: [CVE-2023-42754] null pointer dereference in Linux kernel ipv4 stack Solar Designer
Re: [CVE-2023-42754] null pointer dereference in Linux kernel ipv4 stack Kyle Zeng
Tuesday, 03 October
Fwd: X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17 Alan Coopersmith
CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so Qualys Security Advisory
Re: CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so Solar Designer
CVE-2023-4806, CVE-2023-5156: glibc: potential use-after-free in getaddrinfo() Solar Designer
Re: CVE-2023-4806, CVE-2023-5156: glibc: potential use-after-free in getaddrinfo() Rodrigo Freire
Re: CVE-2023-4806, CVE-2023-5156: glibc: potential use-after-free in getaddrinfo() Siddhesh Poyarekar
Re: administrative tasks (was: illumos (or at least danmcd) membership in the distros list) Solar Designer
Re: CVE-2023-4806, CVE-2023-5156: glibc: potential use-after-free in getaddrinfo() Siddhesh Poyarekar
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer
Re: Fwd: X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17 Alan Coopersmith
Wuffs (was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) Solar Designer
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Andrew Cooper
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Jeremy Stanley
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Jean Luc Picard
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Andrew Cooper
Wednesday, 04 October
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Jean Luc Picard
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer
CVE-2023-4692, CVE-2023-4693: grub2: OOB write, read via specially crafted NTFS filesystem Solar Designer
Django: CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator Natalia Bidart
Re: Exim4 MTA CVEs assigned from ZDI Salvatore Bonaccorso
Re: CVE-2023-4692, CVE-2023-4693: grub2: OOB write, read via specially crafted NTFS filesystem Daniel Kiper
RE: Exim4 MTA CVEs assigned from ZDI zdi () trendmicro com
Re: CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so Solar Designer
Re: Exim4 MTA CVEs assigned from ZDI Fabian Keil
Re: "Linux Kernel security demystified" Willy Tarreau
Thursday, 05 October
Cadence: Fixed /tmp path issues; no longer maintained by upstream (CVE-2023-43782, CVE-2023-43783) Matthias Gerstner
Re: Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann
There is a curl "severity HIGH security problem" pre-announcement on GitHub Erik Auerswald
Re: There is a curl "severity HIGH security problem" pre-announcement on GitHub Shawn Webb
European Union Cyber Resilience Act (CRA) David A. Wheeler
Re: European Union Cyber Resilience Act (CRA) Katherine Mcmillan
Re: Exim4 MTA CVEs assigned from ZDI Solar Designer
Re: There is a curl "severity HIGH security problem" pre-announcement on GitHub Fabian Keil
RE: Exim4 MTA CVEs assigned from ZDI zdi () trendmicro com
Re: Exim4 MTA CVEs assigned from ZDI Salvatore Bonaccorso
Re: Exim4 MTA CVEs assigned from ZDI Cory McIntire
Friday, 06 October
Re: "Linux Kernel security demystified" Jean Luc Picard
Meltdown-US / Meltdown 3a Remaining Leakage Daniel Weber
Re: "Linux Kernel security demystified" Solar Designer
CVEs assigned for reachable assertions in avahi Alan Coopersmith
CVE-2023-45322: Use-after-free in libxml2 through 2.11.5 Alan Coopersmith
Re: Meltdown-US / Meltdown 3a Remaining Leakage Solar Designer
Saturday, 07 October
How can I join the linux-distros mailing list and become a representative? public1020
Sunday, 08 October
Re: European Union Cyber Resilience Act (CRA) Fabian Keil
Re: Meltdown-US / Meltdown 3a Remaining Leakage Michael Schwarz
Re: European Union Cyber Resilience Act (CRA) Jean Luc Picard
Re: European Union Cyber Resilience Act (CRA) Solar Designer
Monday, 09 October
Re: European Union Cyber Resilience Act (CRA) Dirk-Willem van Gulik
Re: How can I join the linux-distros mailing list and become a representative? Solar Designer
CVE-2023-43641: out-of-bounds array access in libcue 2.2.1 Kevin Backhouse
Tuesday, 10 October
Xen Security Advisory 440 v3 (CVE-2023-34323) - xenstored: A transaction conflict can crash C Xenstored Xen . org security team
Xen Security Advisory 441 v4 (CVE-2023-34324) - Possible deadlock in Linux kernel event handling Xen . org security team
Xen Security Advisory 442 v2 (CVE-2023-34326) - x86/AMD: missing IOMMU TLB flushing Xen . org security team
Xen Security Advisory 444 v3 (CVE-2023-34327,CVE-2023-34328) - x86/AMD: Debug Mask handling Xen . org security team
Xen Security Advisory 443 v3 (CVE-2023-34325) - Multiple vulnerabilities in libfsimage disk handling Xen . org security team
CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Alan Coopersmith
Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Moritz Muehlenhoff
CVE-2023-42794: Apache Tomcat: FileUpload: DoS due to accumulation of temporary files on Windows Mark Thomas
CVE-2023-42795: Apache Tomcat: Failure during request clean-up leads to sensitive data leaking to subsequent requests Mark Thomas
CVE-2023-45648: Apache Tomcat: Trailer header parsing too lenient Mark Thomas
[SECURITY ADVISORY] curl: CVE-2023-38545: SOCKS5 heap buffer overflow Daniel Stenberg
[SECURITY ADVISORY] curl: CVE-2023-38546 Daniel Stenberg
Wednesday, 11 October
Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days. Joshua Rogers
CVE-2023-44981: Apache ZooKeeper: Authorization bypass in SASL Quorum Peer Authentication Andor Molnar
Re: linux-distros list membership application - CIQ Rocky Linux Security Team Solar Designer
Thursday, 12 October
Fwd: Node.js security updates for all active release lines, October 2023 midawson
Re: linux-distros list membership application - CIQ Rocky Linux Security Team Vegard Nossum
Friday, 13 October
Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days. Amos Jeffries
NATS: 2023-01: Adding accounts for just the system account adds auth bypass Phil Pennock
Re: linux-distros list membership application - CIQ Rocky Linux Security Team Neal Gompa
Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Jonathan Wright
CVE-2023-42780: Apache Airflow: Improper access control vulnerability in the "List dag warnings" feature Ephraim Anierobi
CVE-2023-45348: Apache Airflow: Configuration information leakage vulnerability Ephraim Anierobi
CVE-2023-42792: Apache Airflow: Improper access control to DAG resources Ephraim Anierobi
CVE-2023-42663: Apache Airflow: Bypass permission verification to view task instances of other dags Ephraim Anierobi
Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Steffen Nurpmeso
Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days. Joshua Rogers
Re: linux-distros list membership application - CIQ Rocky Linux Security Team Martin Hecht
Samba 4.19.1, 4.18.8 and 4.17.12 Security Releases are available for Download Alan Coopersmith
Saturday, 14 October
sandboxing of upstream programs by distros Matthew Fernandez
Re: linux-distros list membership application - CIQ Rocky Linux Security Team Neal Gompa
Re: linux-distros list membership application - CIQ Rocky Linux Security Team Jeremy Stanley
Re: linux-distros list membership application - CIQ Rocky Linux Security Team Solar Designer
Re: linux-distros list membership application - CIQ Rocky Linux Security Team Solar Designer
Re: sandboxing of upstream programs by distros Demi Marie Obenour
Re: sandboxing of upstream programs by distros Matthew Fernandez
Sunday, 15 October
CVE-2023-5178: Linux NVMe-oF/TCP Driver - UAF in `nvmet_tcp_free_crypto` Alon Zahavi
New Exim security release 4.96.2 (was: Exim4 MTA CVEs assigned from ZDI) Heiko Schlittermann
Re: distros list archive Solar Designer
linux-distros membership application of openEuler Aron Xu
CVE-2023-20867: open-vm-tools: Authentication Bypass vulnerability in the vgauth module Solar Designer
CVE-2023-43666: Apache InLong: General user Unauthorized access User Management Charles Zhang
CVE-2023-43667: Apache InLong: Log Injection in Global functions Charles Zhang
CVE-2023-43668: Apache InLong: Jdbc Connection Security Bypass in InLong Charles Zhang
Monday, 16 October
Re: linux-distros membership application of openEuler Marcus Meissner
Re: linux-distros membership application of openEuler Greg KH
CVE-2023-45757: Apache bRPC: The builtin service rpcz page has an XSS attack vulnerability Wang Weibing
Re: linux-distros membership application of openEuler Heiko Schlittermann
Re: linux-distros membership application of openEuler Demi Marie Obenour
Re: CVE-2023-20867: open-vm-tools: Authentication Bypass vulnerability in the vgauth module Demi Marie Obenour
Re: linux-distros membership application of openEuler Greg KH
Re: linux-distros membership application of openEuler Greg KH
Re: linux-distros membership application of openEuler Demi Marie Obenour
Re: linux-distros membership application of openEuler Alan Coopersmith
Re: linux-distros membership application of openEuler Demi Marie Obenour
Re: linux-distros membership application of openEuler Aron Xu
Re: linux-distros membership application of openEuler Greg KH
Re: linux-distros membership application of openEuler Igor Seletskiy
Re: linux-distros membership application of openEuler Aron Xu
Re: linux-distros membership application of openEuler Demi Marie Obenour
Re: linux-distros membership application of openEuler Tianyu Chen
Re: linux-distros membership application of openEuler Steffen Nurpmeso
Tuesday, 17 October
with firefox on X11, any page can pastejack you anytime turistu
Re: linux-distros list membership application - CIQ Rocky Linux Security Team Morten Linderud
Re: linux-distros membership application of openEuler W. Wadepohl
Re: linux-distros list membership application - CIQ Rocky Linux Security Team Solar Designer
upcoming release of OpenSSL 3.1.4 and 3.0.12 Solar Designer
Wednesday, 18 October
Re: upcoming release of OpenSSL 3.1.4 and 3.0.12 Matt Caswell
Re: upcoming release of OpenSSL 3.1.4 and 3.0.12 Solar Designer
Re: with firefox on X11, any page can pastejack you anytime Michael Orlitzky
Vulnerability in Jenkins Daniel Beck
Re: with firefox on X11, any page can pastejack you anytime Grant Taylor
Re: with firefox on X11, any page can pastejack you anytime Michael Orlitzky
Re: with firefox on X11, any page can pastejack you anytime Grant Taylor
Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Alan Coopersmith
Re: with firefox on X11, any page can pastejack you anytime Michael Orlitzky
Re: with firefox on X11, any page can pastejack you anytime Jan Engelhardt
CVE-2023-46227: Apache inlong has an Arbitrary File Read Vulnerability Charles Zhang
CVE-2023-25753: Server-Side Request Forgery in Apache ShenYu Zhang Yonglun
Thursday, 19 October
CVE-2023-31122: Apache HTTP Server: mod_macro buffer over-read Stefan Eissing
CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0 Stefan Eissing
CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST Stefan Eissing
Re: with firefox on X11, any page can pastejack you anytime Sam Bull
Re: with firefox on X11, any page can pastejack you anytime Steffen Nurpmeso
Re: with firefox on X11, any page can pastejack you anytime Jeremy Stanley
Re: with firefox on X11, any page can pastejack you anytime Sam Bull
Re: with firefox on X11, any page can pastejack you anytime niekt0
Re: with firefox on X11, any page can pastejack you anytime Jeffrey Walton
Re: with firefox on X11, any page can pastejack you anytime Turistu
Friday, 20 October
Re: with firefox on X11, any page can pastejack you anytime Turistu
Re: with firefox on X11, any page can pastejack you anytime David Leadbeater
Re: with firefox on X11, any page can pastejack you anytime Donald Buczek
Re: with firefox on X11, any page can pastejack you anytime David Leadbeater
CVE-2023-44483: Apache Santuario: Private Key disclosure in debug-log output Colm O hEigeartaigh
Re: with firefox on X11, any page can pastejack you anytime Solar Designer
Re: with firefox on X11, any page can pastejack you anytime Turistu
Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations Alan Coopersmith
CVE-2023-45853: overflows in MiniZip in zlib through 1.3 Alan Coopersmith
Re: with firefox on X11, any page can pastejack you anytime nightmare . yeah27
Re: Re: with firefox on X11, any page can pastejack you anytime Steffen Nurpmeso
Saturday, 21 October
Re: Squid Caching Proxy Security Audit: 55 Vulnerabilities, 35 0days. Joshua Rogers
Re: sandboxing of upstream programs by distros Solar Designer
Sunday, 22 October
Re: sandboxing of upstream programs by distros Demi Marie Obenour
Re: sandboxing of upstream programs by distros Mickaël Salaün
Re: sandboxing of upstream programs by distros Bob Friesenhahn
Re: sandboxing of upstream programs by distros Demi Marie Obenour
Re: sandboxing of upstream programs by distros Bob Friesenhahn
Re: sandboxing of upstream programs by distros Matthew Fernandez
Monday, 23 October
CVE-2023-46288: Apache Airflow: Sensitive parameters exposed in API when "non-sensitive-only" configuration is set Jarek Potiuk
Tuesday, 24 October
OpenSSL Security Advisory OpenSSL
Re: with firefox on X11, any page can pastejack you anytime Martin Hecht
Wednesday, 25 October
FW: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.9 and Xwayland prior to 23.2.2 Peter Hutterer
Multiple vulnerabilities in Jenkins plugins Daniel Beck
[kubernetes] CVE-2023-5044: Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation CJ Cullen
[kubernetes] CVE-2023-5043: Ingress nginx annotation injection causes arbitrary command execution CJ Cullen
[kubernetes] CVE-2022-4886: Ingress-nginx `path` sanitization can be bypassed with `log_format` directive CJ Cullen
Thursday, 26 October
[vim-security] integer overflow in :history command in Vim < 9.0.2068 Christian Brabandt
Re: with firefox on X11, any page can pastejack you anytime Turistu
Friday, 27 October
CVE-2023-34058 - SAML Token Signature Bypass in open-vm-tools VMware Security Response Center
CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools VMware Security Response Center
Re: CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools Matthias Gerstner
Security issues in passim local caching server Matthias Gerstner
CVE-2023-46604: Apache ActiveMQ, Apache ActiveMQ Legacy OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack Christopher L. Shannon
Saturday, 28 October
CVE-2023-46215: Apache Airflow Celery provider, Apache Airflow: Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend Elad Kalif
Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass Salvatore Bonaccorso
Sunday, 29 October
Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass Phil Pennock
Monday, 30 October
Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass Phil Pennock
Tuesday, 31 October
NATS: 2023-02: nkeys: xkeys Seal encryption used fixed key for all encryption Byron Ruth
CVE-2023-5631: XSS vulnerability in Roundcube webmail Valtteri Vuorikoski
Wednesday, 01 November
Django: CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows Mariusz Felisiak
Re: CVE-2023-5631: XSS vulnerability in Roundcube webmail Kapetanakis Giannis
Thursday, 02 November
Session File Relative Path Traversal in sudo-rs Alan Coopersmith
Bluez, Intel wireless devices: Bluetooth Low Energy stuck in unresponsive state after repeated out of order transmission of packets Solar Designer
Friday, 10 November
Re: !CVE: A new platform to track security issues not acknowledged by vendors Mike O'Connor
Re: !CVE: A new platform to track security issues not acknowledged by vendors !CVE Team
Re: !CVE: A new platform to track security issues not acknowledged by vendors !CVE Team
Sunday, 12 November
CVE-2023-47037: Apache Airflow missing fix for CVE-2023-40611 in 2.7.1 (DAG run broken access) Ephraim Anierobi
CVE-2023-42781: Apache Airflow: Permission verification bypass allows viewing dagruns of other dags Ephraim Anierobi
Tuesday, 14 November
Xen Security Advisory 445 v3 (CVE-2023-46835) - x86/AMD: mismatch in IOMMU quarantine page table levels Xen . org security team
Xen Security Advisory 446 v2 (CVE-2023-46836) - x86: BTC/SRSO fixes not fully effective Xen . org security team
[kubernetes] CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes Craig Ingram
CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) Antonio Gomez Iglesias
Re: CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) Demi Marie Obenour
Re: CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) Solar Designer
Re: CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) HW42
Re: CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) Solar Designer
Re: CVE-2023-23583: Intel - Denial of Service - Privilege Escalation (Reptar) Antonio Gomez Iglesias
Wednesday, 15 November
WebKitGTK and WPE WebKit Security Advisory WSA-2023-0010 Carlos Alberto Lopez Perez
Thursday, 16 November
[vim-security] several minor security issues in Vim v9.0.2106-v9.0.2112 Christian Brabandt
Friday, 17 November
hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Matthias Gerstner
CVE-2023-37580 (and others): XSS vulnerabilities in Zimbra Collaboration Suite Valtteri Vuorikoski
Saturday, 18 November
Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Roxana Bradescu
Sunday, 19 November
CVE-2023-46302: Apache Submarine: Fix CVE-2022-1471 SnakeYaml unsafe deserialization Xiang Chen
Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Mike O'Connor
CVE-2022-46337: Apache Derby: LDAP injection vulnerability in authenticator Richard N. Hillegas
Monday, 20 November
Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Matthias Gerstner
GNUTLS-SA-2023-10-23, CVE-2023-5981: timing sidechannel in RSA-PSK key exchange Alan Coopersmith
GIMP 2.10.36 fixed multiple image format parser vulnerabilities Alan Coopersmith
Tuesday, 21 November
CVE-2023-37924: Apache Submarine: SQL injection from unauthorized login Xiang Chen
Wednesday, 22 November
CVE-2022-45875: Apache DolphinScheduler: Remote command execution Vulnerability in script alert plugin Wenjun Ruan
[vim-security] use-after-free in ex_substitute in Vim < v9.0.2121 Christian Brabandt
Thursday, 23 November
CVE-2023-43123: Apache Storm: Local Information Disclosure Vulnerability in Storm-core on Unix-Like systems due temporary files Julien Nioche
Friday, 24 November
CVE-2023-48796: Apache dolphinscheduler sensitive information disclosure Zhenxu Ke
CVE-2023-49068: Apache DolphinScheduler: Information Leakage Vulnerability Zihao Xiang
Saturday, 25 November
Re: CVE-2023-49068: Apache DolphinScheduler: Information Leakage Vulnerability John Helmert III
Sunday, 26 November
Re: CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools John Helmert III
Monday, 27 November
Re: CVE-2023-34059 - File Descriptor Hijack vulnerability in open-vm-tools Matthias Gerstner
CVE-2023-40610: Apache Superset: Privilege escalation with default examples database Daniel Gaspar
CVE-2023-42501: Apache Superset: Unnecessary read permissions within the Gamma role Daniel Gaspar
CVE-2023-43701: Apache Superset: Stored XSS on API endpoint Daniel Gaspar
CVE-2023-49145: Apache NiFi: Improper Neutralization of Input in Advanced User Interface for Jolt David Handermann
Tuesday, 28 November
CVE-2022-41678: Apache ActiveMQ: Deserialization vulnerability on Jolokia that allows authenticated users to perform RCE Jean-Baptiste Onofré
CVE-2023-46589: Apache Tomcat: HTTP request smuggling via malformed trailer headers Mark Thomas
CVE-2023-42502: Apache Superset: Open Redirect Vulnerability Daniel Gaspar
Fwd: Samba 4.19.3 Available for Download - addresses CVE-2018-14628 Alan Coopersmith
CVE-2023-42505: Apache Superset: Sensitive information disclosure on db connection details Daniel Gaspar
CVE-2023-42504: Apache Superset: Lack of rate limiting allows for possible denial of service Daniel Gaspar
Wednesday, 29 November
Multiple vulnerabilities in Jenkins plugins Daniel Beck
Python Cryptography advisory: CVE-2023-49083 NULL-dereference when loading PKCS7 certificates Alan Coopersmith
Thursday, 30 November
Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Matthias Gerstner
Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Alex Murray
CVE-2022-45135: Apache Cocoon: SQL injection in DatabaseCookieAuthenticatorAction Cédric Damioli
CVE-2023-49620: Apache DolphinScheduler: Authenticated users could delete UDFs in resource center they were not authorized Jiajie Zhong
CVE-2023-49733: Apache Cocoon's StreamGenerator is vulnerable to XXE injection Cédric Damioli
CVE-2023-49735: Apache Tiles: Unvalidated input may lead to path traversal and XXE Arnout Engelen
New CVEs and security fix releases for perl Alan Coopersmith
Monday, 04 December
HNS-2023-04 - HN Security Advisory - Buffer overflow vulnerabilities with long path names in TinyDir Marco Ivaldi
CVE-2023-49070: Pre-auth RCE in Apache Ofbiz 18.12.09 due to XML-RPC still present Jacques Le Roux
Tuesday, 05 December
WebKitGTK and WPE WebKit Security Advisory WSA-2023-0011 Carlos Alberto Lopez Perez
Security fixes in Go 1.21.5 and Go 1.20.12 releases Alan Coopersmith
SLAM: Spectre based on Linear Address Masking Alan Coopersmith
[SECURITY ADVISORY] curl: cookie mixed case PSL bypass Daniel Stenberg
[SECURITY ADVISORY] curl: HSTS long file name clears contents Daniel Stenberg
Thursday, 07 December
CVE-2023-50164: Apache Struts: File upload component had a directory traversal vulnerability Lukasz Lenart
Friday, 08 December
CVE-2023-49284: fish command substitution output can trigger shell expansion Alan Coopersmith
Saturday, 09 December
CVE-2023-41835: Apache Struts: excessive disk usage Lukasz Lenart
Sunday, 10 December
Buildroot: Talos download hash verification vulnerabilities Peter Korsgaard
Tuesday, 12 December
Xen Security Advisory 447 v2 (CVE-2023-46837) - arm32: The cache may not be properly cleaned/invalidated (take two) Xen . org security team
CVE-2023-45725: Apache CouchDB, IBM Cloudant: Privilege Escalation Using _design Documents Nick Vatamaniuc
AlmaLinux Distros List Application Jonathan Wright
Wednesday, 13 December
FW: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.10 and Xwayland prior to 23.2.3 Peter Hutterer
CVE-2023-40660: Potential PIN bypass with empty PIN in OpenSC before 0.24.0 Jakub Jelen
CVE-2023-40661: Dynamic analyzers reports in pkcs15-init in OpenSC before 0.24.0 Jakub Jelen
Multiple vulnerabilities in Jenkins plugins Daniel Beck
Re: AlmaLinux Distros List Application Darya Malyavkina
CVE-2023-46750: Apache Shiro: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Shiro. Brian Demers
Thursday, 14 December
budgie-extras: multiple predictable /tmp path issues in various applications Matthias Gerstner
Friday, 15 December
XDG_RUNTIME_DIR "misuse" as $TMPDIR (was: Re: [oss-security] budgie-extras: multiple predictable /tmp path issues in various applications) Steffen Nurpmeso
CVE-2023-29234: Bypass serialize checks in Apache Dubbo Albumen Kevin
CVE-2023-46279: Apache Dubbo: Bypass deny serialize list check in Apache Dubbo Albumen Kevin
CVE-2023-30867: Apache StreamPark (incubating): Authenticated system users could trigger SQL injection vulnerability Huajie Wang
CVE-2023-49898: Apache StreamPark (incubating): Authenticated system users could trigger remote command execution Huajie Wang
Re: XDG_RUNTIME_DIR "misuse" as $TMPDIR (was: Re: [oss-security] budgie-extras: multiple predictable /tmp path issues in various applications) Matthias Gerstner
[ES2023-01] Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation Sandro Gauci
[ES2023-03] RTPEngine susceptible to Denial of Service via DTLS Hello packets during call initiation Sandro Gauci
Re: XDG_RUNTIME_DIR "misuse" as $TMPDIR (was: Re: [oss-security] budgie-extras: multiple predictable /tmp path issues in various applications) Steffen Nurpmeso
jq 1.7.1 fixes CVE-2023-50246 & CVE-2023-50268 Alan Coopersmith
Saturday, 16 December
CVE-2023-41314: Apache Doris: Missing API authentication allowed DoS Mingyu Chen
Sunday, 17 December
Re: budgie-extras: multiple predictable /tmp path issues in various applications Florian Weimer
Re: AlmaLinux Distros List Application Solar Designer
WebKitGTK and WPE WebKit Security Advisory WSA-2023-0012 Carlos Alberto Lopez Perez
Monday, 18 December
Announce: OpenSSH 9.6 released Damien Miller
CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack) Fabian Bäumer
Tuesday, 19 December
CVE-2023-46104: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb Daniel Gaspar
CVE-2023-49736: Apache Superset: SQL Injection on where_in JINJA macro Daniel Gaspar
CVE-2023-49734: Apache Superset: Privilege Escalation Vulnerability Daniel Gaspar
[SECURITY] CVE-2023-43826: Apache Guacamole: Integer overflow in handling of VNC image buffers Michael Jumper
Re: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack) Alan Coopersmith
Re: AlmaLinux Distros List Application Jonathan Wright
CVE-2023-37544: Apache Pulsar WebSocket Proxy: Improper Authentication for WebSocket Proxy Endpoint Allows DoS Michael Marshall
Wednesday, 20 December
Re: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack) Marcus Meissner
Thursday, 21 December
CVE-2023-48291: Apache Airflow: Improper access control to DAG resources Ephraim Anierobi
CVE-2023-47265: Apache Airflow: DAG Params allow to embed unchecked Javascript Ephraim Anierobi
CVE-2023-49920: Apache Airflow: Missing CSRF protection on DAG/trigger Ephraim Anierobi
CVE-2023-50783: Apache Airflow: Improper access control vulnerability on the "varimport" endpoint Ephraim Anierobi
CVE-2023-51656: Apache IoTDB: Unsafe deserialize map in Sync Tool Haonan Hou
New SMTP smuggling attack Marcus Meissner
Re: New SMTP smuggling attack Claus Assmann
Security vulnerability in Debian's cpio 2.13 Ingo Brückl
Mayhem: Targeted Corruption of Register and Stack Variables Tol, Caner
Re: AlmaLinux Distros List Application Solar Designer
Friday, 22 December
Re: Re: New SMTP smuggling attack Marcus Meissner
Re: Re: New SMTP smuggling attack Stuart Henderson
Re: New SMTP smuggling attack Hanno Böck
Re: Re: New SMTP smuggling attack Marcus Meissner
Re: Re: New SMTP smuggling attack Bjoern Franke
CVE-2023-6817: Linux kernel: use-after-free in nf_tables Xingyuan Mo
Re: Re: New SMTP smuggling attack Erik Auerswald
Re: Re: New SMTP smuggling attack Rodrigo Freire
Re: Re: New SMTP smuggling attack Alexander E. Patrakov
Fwd: [pfx-ann] Postfix stable release 3.8.4 Solar Designer
Re: Re: New SMTP smuggling attack Erik Auerswald
Re: Re: New SMTP smuggling attack Stuart D Gathman
Re: CVE-2023-6817: Linux kernel: use-after-free in nf_tables Dominique Martinet
Re: Fwd: [pfx-ann] Postfix stable release 3.8.4 Solar Designer
Re: Re: New SMTP smuggling attack Harry Sintonen
Saturday, 23 December
Re: Re: New SMTP smuggling attack Valtteri Vuorikoski
Re: linux-distros membership application of openEuler Solar Designer
[ES2023-02] FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation Sandro Gauci
Re: linux-distros membership application of openEuler Igor Seletskiy
Sunday, 24 December
Re: Re: New SMTP smuggling attack Marcus Meissner
Re: linux-distros membership application of openEuler Alexander E. Patrakov
Monday, 25 December
Re: Re: New SMTP smuggling attack kai
Re: linux-distros membership application of openEuler Solar Designer
Re: linux-distros membership application of openEuler Steffen Nurpmeso
Re: linux-distros membership application of openEuler Solar Designer
Tuesday, 26 December
CVE-2023-50968: Apache OFBiz: Arbitrary file properties reading and SSRF attack Nicolas Malin
CVE-2023-51467: Apache OFBiz: Pre-authentication Remote Code Execution (RCE) vulnerability Deepak Dixit
CVE-2023-51385, CVE-2023-6004: OpenSSH, libssh: Security weakness in ProxyCommand handling Solar Designer
Re: New SMTP smuggling attack Claus Assmann
Wednesday, 27 December
xarchiver: Path traversal with crafted cpio archives Ingo Brückl
Thursday, 28 December
Re: linux-distros membership application of openEuler Greg KH
Re: linux-distros membership application of openEuler Demi Marie Obenour
CVE-2023-47804: Apache OpenOffice: Macro URL arbitrary script execution Arrigo Marchiori
CVE-2023-1183: Apache OpenOffice: Arbitrary file write in Apache OpenOffice Base Arrigo Marchiori
CVE-2022-43680: Apache OpenOffice: "Use after free" fixed in libexpat Arrigo Marchiori
CVE-2012-5639: Apache OpenOffice: Loading internal / external resources without warning Arrigo Marchiori
Friday, 29 December
CVE-2023-49299: Apache DolphinScheduler: Arbitrary js execute as root for authenticated users Jiajie Zhong
CVE-2023-51766: Exim: SMTP smuggling Solar Designer
xarchiver: Path traversal with crafted cpio archives Ingo Brückl
CVE-2023-7101: Spreadsheet::ParseExcel for Perl is vulnerable to arbitrary code execution Stig Palmquist
Re: Re: New SMTP smuggling attack Alan Coopersmith
Saturday, 30 December
Re: Re: New SMTP smuggling attack Marcus Meissner
inetutils ftpd, rcp, rlogin, rsh, rshd, uucpd: Avoid potential privilege escalations by checking set*id() return values Solar Designer
Re: Re: New SMTP smuggling attack Claus Assmann
Re: inetutils ftpd, rcp, rlogin, rsh, rshd, uucpd: Avoid potential privilege escalations by checking set*id() return values Solar Designer