oss-sec: by date

358 messages starting Jan 01 24 and ending Mar 31 24

Monday, 01 January

Re: CVE-2023-51766: Exim: SMTP smuggling halfdog
Re: CVE-2023-51766: Exim: SMTP smuggling Demi Marie Obenour
Re: CVE-2023-51766: Exim: SMTP smuggling Jeffrey Walton

Wednesday, 03 January

CVE-2023-51784: Apache InLong: Remote Code Execution vulnerability in Apache InLong Manager Charles Zhang
CVE-2023-51785: Apache InLong: Arbitrary File Read Vulnerability in Apache InLong Manager Charles Zhang
CVE-2023-47804: Apache OpenOffice: Macro URL arbitrary script execution Arrigo Marchiori
CVE-2023-1183: Apache OpenOffice: Arbitrary file write in Apache OpenOffice Base Arrigo Marchiori
CVE-2022-43680: Apache OpenOffice: "Use after free" fixed in libexpat Arrigo Marchiori
CVE-2012-5639: Apache OpenOffice: Loading internal / external resources without warning Arrigo Marchiori
Re: CVE-2012-5639: Apache OpenOffice: Loading internal / external resources without warning Timo Warns

Thursday, 04 January

Re: hplip: security issues in `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c Matthias Gerstner

Friday, 05 January

Re: Security vulnerability in Debian's cpio 2.13 Mark Esler
CVE-2023-51441: Apache Axis 1.x (EOL) may allow SSRF when untrusted input is passed to the service admin HTTP API Arnout Engelen

Sunday, 07 January

Re: TTY pushback vulnerabilities / TIOCSTI Jakub Wilk

Monday, 08 January

Re: TTY pushback vulnerabilities / TIOCSTI Eddie Chapman

Tuesday, 09 January

OpenSSL Security Advisory Tomas Mraz

Wednesday, 10 January

CVE-2023-49619: Apache Answer: Repeated submissions using scripts resulted in an abnormal number of collections for questions. Enxin Xie
CVE-2024-22368: Spreadsheet::ParseXLSX for Perl is vulnerable to DoS via out-of-memory bugs Stig Palmquist

Thursday, 11 January

CVE-2023-6040: Linux Kernel netfilter out-of-bounds access Cengiz Can

Friday, 12 January

CVE-2023-46749: Apache Shiro before 1.130 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting Brian Demers
CVE-2023-50290: Apache Solr: Host environment variables are published via the Metrics API Houston Putman

Monday, 15 January

CVE-2023-46226: Apache IoTDB: Remote Code Execution (RCE) risk via the UDF Haonan Hou
OpenSSL Security Advisory Tomas Mraz
CVE-2023-4001: a password bypass vulnerability in the downstream GRUB boot manager Maxim Suhanov

Tuesday, 16 January

CVE-2023-6395 Mock: Privilege escalation for users that can access mock configuration Marco Benatto
CVE-2023-45229 and others: Multiple vulnerabilities in EDK II UEFI stack (PixieFAIL) Valtteri Vuorikoski
Mock, Snap, LXC expose(d) chroot, container trees with unsafe permissions and contents to host users, pose risk to host Solar Designer
Re: Mock, Snap, LXC expose(d) chroot, container trees with unsafe permissions and contents to host users, pose risk to host Willy Tarreau
Re: TTY pushback vulnerabilities / TIOCSTI Jakub Wilk

Thursday, 18 January

Fwd: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.11 and Xwayland prior to 23.2.4 Jose Exposito Quintana
GNU coreutils v9.4; v9.3; v9.2 split heap buffer overflow vulnerability Valentin Metz
pam: pam_namespace misses O_DIRECTORY flag in `protect_dir()` (CVE-2024-22365) Matthias Gerstner
CVE-2024-23525: Spreadsheet::ParseXLSX for Perl is vulnerable to XXE attacks Stig Palmquist

Friday, 19 January

Re: GNU coreutils v9.4; v9.3; v9.2 split heap buffer overflow vulnerability Valentin Metz
CVE-2024-21733: Apache Tomcat: Leaking of unrelated request bodies in default error page Mark Thomas
GnuTLS 3.8.3 released, fixes CVE-2024-0553 & CVE-2024-0567 Alan Coopersmith

Saturday, 20 January

Pillow 10.2.0 released, fixes CVE-2023-50447 Alan Coopersmith

Monday, 22 January

Postfix updated SMTP smuggling countermeasure Solar Designer
Xen Security Advisory 448 v2 (CVE-2023-46838) - Linux: netback processing of zero-length transmit fragment Xen . org security team
Re: announcing sponsorship; distros list statistics for 2023 Solar Designer

Tuesday, 23 January

darkhttpd: timing attack and local leak of HTTP basic auth credentials Matthias Gerstner
CVE-2023-49657: Apache Superset: Stored XSS in Dashboard Title and Chart Title Daniel Gaspar
Re: Postfix updated SMTP smuggling countermeasure Wietse Venema
Re: CVE-2023-49657: Apache Superset: Stored XSS in Dashboard Title and Chart Title Christian Fischer
Re: Re: Postfix updated SMTP smuggling countermeasure Alexander Burke
Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Hanno Böck

Wednesday, 24 January

Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Johannes Segitz
CVE-2023-51702: Apache Airflow CNCF Kubernetes provider, Apache Airflow: Kubernetes configuration file saved without encryption in the Metadata and logged as plain text in the Triggerer service Ephraim Anierobi
CVE-2023-50943: Apache Airflow: Potential pickle deserialization vulnerability in XComs Ephraim Anierobi
CVE-2023-50944: Apache Airflow: Bypass permission verification to read code of other dags Ephraim Anierobi
Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck
Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials nightmare . yeah27
Re: Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Anton Luka Šijanec
Re: Fwd: X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17 Alan Coopersmith
Re: CVE-2023-45853: overflows in MiniZip in zlib through 1.3 Alan Coopersmith

Thursday, 25 January

Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials Matthias Gerstner
OpenSSL Security Advisory Matt Caswell
Re: OpenSSL Security Advisory sjw

Friday, 26 January

shim 15.8 released with 6 CVE fixes Alan Coopersmith
Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Alan Coopersmith
Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Matthew Fernandez

Sunday, 28 January

Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Christian Brabandt

Monday, 29 January

CVE-2023-29055: Apache Kylin: Insufficiently protected credentials in config file Li Yang

Tuesday, 30 January

Xen Security Advisory 449 v2 (CVE-2023-46839) - pci: phantom functions assigned to incorrect contexts Xen . org security team
Xen Security Advisory 450 v2 (CVE-2023-46840) - VT-d: Failure to quarantine devices in !HVM builds Xen . org security team
FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Armin Kuster
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH
CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog() Qualys Security Advisory
Out-of-bounds read & write in the glibc's qsort() Qualys Security Advisory
Re: CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog() Siddhesh Poyarekar
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Solar Designer
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Greg KH
[SECURITY ADVISORY] curl: CVE-2024-0853 : OCSP verification bypass with TLS session reuse Daniel Stenberg

Wednesday, 31 January

Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Demi Marie Obenour
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Thadeu Lima de Souza Cascardo
CVE-2023-44313: Apache ServiceComb Service-Center: attacker can perform SSRF through the frontend API bismy
CVE-2023-44312: Apache ServiceComb Service-Center: attacker can query all environment variables of the service-center server bismy
runc: CVE-2024-21626: high severity container breakout attack Aleksa Sarai
Re: TTY handling when executing code in different lower-privileged context (su, virt containers) Jakub Wilk
Re: runc: CVE-2024-21626: high severity container breakout attack Solar Designer

Thursday, 01 February

Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Matthew Fernandez
Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Christian Brabandt
Python standard library defaults to insecure TLS for mail protocols Hanno Böck
Re: Numerous unconfirmed FOSS CVEs disclosed on FD mailing list Amos Jeffries
Re: Python standard library defaults to insecure TLS for mail protocols nightmare . yeah27
Re: Re: Python standard library defaults to insecure TLS for mail protocols Hanno Böck
Re: Python standard library defaults to insecure TLS for mail protocols Alex Gaynor
Re: Python standard library defaults to insecure TLS for mail protocols Jeremy Stanley

Friday, 02 February

Re: Python standard library defaults to insecure TLS for mail protocols Steffen Nurpmeso
Re: Python standard library defaults to insecure TLS for mail protocols Stuart D Gathman
Re: Re: runc: CVE-2024-21626: high severity container breakout attack Aleksa Sarai
CVE-2024-23832: Mastodon: Remote user impersonation and takeover Valtteri Vuorikoski
Re: Python standard library defaults to insecure TLS for mail protocols Kurt H Maier
Re: FWD: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Armin Kuster
systemd and other system services (in)compatibility with Linux procfs hidepid (was: darkhttpd: timing attack and local leak of HTTP basic auth credentials) Solar Designer
Re: Python standard library defaults to insecure TLS for mail protocols nightmare . yeah27
Re: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Roxana Bradescu
Re: Kernel vulnerabilities CVE-2021-33630 & CVE-2021-33631 Demi Marie Obenour
Re: Python standard library defaults to insecure TLS for mail protocols Steffen Nurpmeso
Re: Re: Python standard library defaults to insecure TLS for mail protocols Daniel Kahn Gillmor

Sunday, 04 February

Re: Out-of-bounds read & write in the glibc's qsort() Solar Designer

Monday, 05 February

Re: Out-of-bounds read & write in the glibc's qsort() Alexander E. Patrakov
Re: Out-of-bounds read & write in the glibc's qsort() Alexander E. Patrakov
Re: Out-of-bounds read & write in the glibc's qsort() Alexander E. Patrakov
Re: systemd and other system services (in)compatibility with Linux procfs hidepid (was: darkhttpd: timing attack and local leak of HTTP basic auth credentials) Matthias Gerstner
Re: Out-of-bounds read & write in the glibc's qsort() Qualys Security Advisory
Re: Out-of-bounds read & write in the glibc's qsort() Solar Designer
Re: Out-of-bounds read & write in the glibc's qsort() Adhemerval Zanella Netto
WebKitGTK and WPE WebKit Security Advisory WSA-2024-0001 Adrian Perez de Castro

Tuesday, 06 February

CVE-2024-23673: Apache Sling Servlets Resolver: Malicious code execution via path traversal Carsten Ziegeler
Django CVE-2024-24680: Potential denial-of-service in intcomma template filter Natalia Bidart
CVE-2024-1048: grub2-set-bootflag may be abused to fill up /boot, bypass RLIMIT_NPROC Solar Designer

Wednesday, 07 February

CVE-2023-51437: Apache Pulsar: Timing attack in SASL token signature verification Michael Marshall
CVE-2023-39196: Apache Ozone: Missing mutual TLS authentication in one of the service internal Ozone Storage Container Manager endpoints István Fajth
The GNU C Library has been authorized by the CVE Program as a CVE Numbering Authority (CNA) Carlos O'Donell

Thursday, 08 February

CVE-2024-23452: Apache bRPC: HTTP request smuggling vulnerability Wang Weibing
libuv 1.48.0 released, fixes CVE-2024-24806 Alan Coopersmith
[ADVISORY] CVE-2023-3966: Open vSwitch: Invalid memory access in Geneve with HW offload. Ilya Maximets
[ADVISORY] CVE-2023-5366: Open vSwitch: OpenFlow match on Neighbor Discovery Target may be ignored Ilya Maximets

Friday, 09 February

CVE-2023-50386: Apache Solr: Backup/Restore APIs allow for deployment of executables in malicious ConfigSets Houston Putman
CVE-2023-50298: Apache Solr: Solr can expose ZooKeeper credentials via Streaming Expressions Houston Putman
CVE-2023-50292: Apache Solr: Solr Schema Designer blindly "trusts" all configsets, possibly leading to RCE by unauthenticated users Houston Putman
CVE-2023-50291: Apache Solr: System Property redaction logic inconsistency can lead to leaked passwords Houston Putman

Sunday, 11 February

Re: libuv 1.48.0 released, fixes CVE-2024-24806 Salvatore Bonaccorso

Tuesday, 13 February

ISC has disclosed six vulnerabilities in BIND 9 (CVE-2023-4408, CVE-2023-5517, CVE-2023-5679, CVE-2023-6516, CVE-2023-50387, CVE-2023-50868) Michał Kępień
Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Yorgos Thessalonikefs
Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Alan Coopersmith
Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Solar Designer
Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Solar Designer

Wednesday, 14 February

PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor Otto Moerbeek
CVE-2024-23952: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb (version range fix for CVE-2023-46104) Daniel Gaspar
Re: CVE-2024-23952: Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb (version range fix for CVE-2023-46104) Solar Designer
Secure Boot bypass in EDK2 based Virtual Machine firmware Mate Kukri
Re: Secure Boot bypass in EDK2 based Virtual Machine firmware Yves-Alexis Perez
Re: Secure Boot bypass in EDK2 based Virtual Machine firmware Yves-Alexis Perez
Re: Secure Boot bypass in EDK2 based Virtual Machine firmware Mate Kukri
Re: Secure Boot bypass in EDK2 based Virtual Machine firmware Mate Kukri

Friday, 16 February

CVE-2024-23807: Apache Xerces C++: Use-after-free on external DTD scan Arnout Engelen
Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Alan Coopersmith
Re: Unbound: disclosure of CVE-2023-50387 and CVE-2023-50868 DNSSEC validation vulnerabilities Solar Designer

Monday, 19 February

CVE-2024-25710: Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file Gary D. Gregory
CVE-2024-26308: Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file Gary D. Gregory
CVE-2024-22369: Apache Camel: Camel-SQL: Unsafe Deserialization from JDBCAggregationRepository Andrea Cosentino
CVE-2024-23114: Apache Camel: Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository Andrea Cosentino

Tuesday, 20 February

CVE-2023-49250: Apache DolphinScheduler: Insecure TLS TrustManager used in HttpUtil Jiajie Zhong
CVE-2023-51770: Apache DolphinScheduler: Arbitrary File Read Vulnerability Jiajie Zhong
CVE-2023-50270: Apache DolphinScheduler: Session do not expire after password change Jiajie Zhong
CVE-2023-49109: Remote Code Execution in Apache Dolphinscheduler Jiajie Zhong
CVE-2024-25141: Apache Airflow Mongo Provider: Certificate validation isn't respected even if SSL is enabled for apache-airflow-providers-mongo Elad Kalif
CVEs issued by the Linux kernel CNA Alan Coopersmith

Wednesday, 21 February

Re: CVEs issued by the Linux kernel CNA Marcus Meissner

Thursday, 22 February

CVE-2024-22393: Apache Answer: Pixel Flood Attack by uploading the large pixel file Enxin Xie
CVE-2024-23349: Apache Answer: XSS vulnerability when submitting summary Enxin Xie
CVE-2024-26578: Apache Answer: Repeated submission at registration created duplicate users with the same name Enxin Xie
Re: CVEs issued by the Linux kernel CNA Solar Designer
Re: CVEs issued by the Linux kernel CNA Greg KH

Friday, 23 February

c-ares CVE-2024-25629 Brad House
CVE-2024-23320: Apache DolphinScheduler: Arbitrary js execution as root for authenticated users Jiajie Zhong
CVE-2024-22371: Apache Camel issue on ExchangeCreatedEvent Otavio Rodolfo Piske

Saturday, 24 February

Re: CVEs issued by the Linux kernel CNA eduardo vela

Monday, 26 February

CVE-2023-51518: Apache James server: Privilege escalation via JMX pre-authentication deserialisation Benoit Tellier
CVE-2023-50379: Apache Ambari: authenticated users could perform command injection to perform RCE Brahma Reddy Battula

Tuesday, 27 February

Xen Security Advisory 451 v2 (CVE-2023-46841) - x86: shadow stack vs exceptions from emulation stubs Xen . org security team
CVE-2024-27905: Apache Aurora: padding oracle can allow construction an authentication cookie Arnout Engelen
CVE-2023-51747: SMTP smuggling in Apache James Benoit Tellier
CVE-2024-21742: Apache James Mime4J: Mime4J DOM header injection Benoit Tellier
CVE-2023-50380: Apache Ambari: authenticated users could perform XXE to read arbitrary files on the server Brahma Reddy Battula

Wednesday, 28 February

Performance Co-Pilot (pcp): Unsafe use of Directories in /var/lib/pcp and /var/log/pcp breaks pcp Service User Isolation (CVE-2023-6917) Matthias Gerstner
CVE-2024-22857: Heap Based Buffer overflow in zlog library Ali Raza Mumtaz
CVE-2024-27315: Apache Superset: Improper error handling on alerts Daniel Gaspar
CVE-2024-24773: Apache Superset: Improper validation of SQL statements allows for unauthorized access to data Daniel Gaspar
CVE-2024-24772: Apache Superset: Improper Neutralisation of custom SQL on embedded context Daniel Gaspar
CVE-2024-24779: Apache Superset: Improper data authorization when creating a new dataset Daniel Gaspar
CVE-2024-26016: Apache Superset: Improper authorization validation on dashboards and charts import Daniel Gaspar
Re: CVE-2024-22857: Heap Based Buffer overflow in zlog library Solar Designer
CVE-2024-23946: Apache OFBiz: Path traversal or file inclusion Jacques Le Roux
CVE-2024-25065: Apache OFBiz: Path traversal allowing authentication bypass. Jacques Le Roux

Thursday, 29 February

CVE-2024-27906: Apache Airflow: Dag Code and Import Error Permissions Ignored Ephraim Anierobi
Re: CVE-2024-22857: Heap Based Buffer overflow in zlog library Ali Raza Mumtaz

Friday, 01 March

CVE-2024-26280: Apache Airflow: Overly broad default permissions for Viewer/Ops (audit logs) Ephraim Anierobi
CVE-2024-27140: Apache Archiva: reflected XSS Arnout Engelen
CVE-2024-27139: Apache Archiva: incorrect authentication potentially leading to account takeover Arnout Engelen
CVE-2024-27138: Apache Archiva: disabling user registration is not effective Arnout Engelen
CVE-2023-50378: Apache Ambari: Various XSS problems Brahma Reddy Battula

Monday, 04 March

Django: CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words() Mariusz Felisiak
dnf5daemon-server: Local root Exploit and Local Denial-of-Service in dnf5 D-Bus Components (CVE-2024-1929, CVE-2024-1930) Matthias Gerstner

Tuesday, 05 March

HNS-2024-05 - HN Security Advisory - Multiple vulnerabilities in RT-Thread RTOS Marco Ivaldi

Wednesday, 06 March

CVE-2024-26580: Apache InLong: Logged-in user could exploit an arbitrary file read vulnerability Charles Zhang
CVE-2023-50740: Apache Linkis DataSource: DataSource module Oracle SQL Database Password Logged Heping Wang
Multiple vulnerabilities in Jenkins plugins Daniel Beck

Thursday, 07 March

help wanted - bring more issues in here Solar Designer
Re: help wanted - bring more issues in here Katherine Mcmillan
OSSN-0093: Unresolved Vulnerability in OpenStack Murano Jeremy Stanley
Re: help wanted - bring more issues in here Alan Coopersmith

Friday, 08 March

Vulnerabilties in FontTools & FontForge Alan Coopersmith
Re: help wanted - bring more issues in here Solar Designer
5 CVEs fixed in Go 1.22.1 and Go 1.21.8, 1 CVE fixed in google.golang.org/protobuf Alan Coopersmith
Re: Vulnerabilties in FontTools & FontForge Hanno Böck

Saturday, 09 March

Re: help wanted - bring more issues in here nightmare . yeah27
Re: help wanted - bring more issues in here Solar Designer
Re: help wanted - bring more issues in here Miguel Suarez
Re: help wanted - bring more issues in here Solar Designer
Re: help wanted - bring more issues in here Bernd Zeimetz

Sunday, 10 March

CVE-2023-41313: Apache Doris: Timing Attack weakness Mingyu Chen

Monday, 11 March

NodeJS v{18.x,20.x,21.x} February Security Updates suarezmiguelc
Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Valtteri Vuorikoski

Tuesday, 12 March

Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Demi Marie Obenour
CVE-2023-51786: Lustre: incorrect access control resulting in potential data compromise or privilege escalation daniel
Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Armin Kuster
Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday David W. Hodgins
[ADVISORY] CVE-2024-2182: Open Virtual Network: Insufficient validation of incoming BFD packets. Dumitru Ceara
Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Valtteri Vuorikoski
Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Valtteri Vuorikoski
CVE-2022-34321: Apache Pulsar: Improper Authentication for Pulsar Proxy Statistics Endpoint Lari Hotari
CVE-2024-27135: Apache Pulsar: Improper Input Validation in Pulsar Function Worker allows Remote Code Execution Lari Hotari
CVE-2024-27317: Apache Pulsar: Pulsar Functions Worker's Archive Extraction Vulnerability Allows Unauthorized File Modification Lari Hotari
CVE-2024-27894: Apache Pulsar: Pulsar Functions Worker Allows Unauthorized File Access and Unauthorized HTTP/HTTPS Proxying Lari Hotari
CVE-2024-28098: Apache Pulsar: Improper Authorization For Topic-Level Policy Management Lari Hotari
Xen Security Advisory 452 v1 (CVE-2023-28746) - x86: Register File Data Sampling Xen . org security team
Xen Security Advisory 453 v1 (CVE-2024-2193) - GhostRace: Speculative Race Conditions Xen . org security team
Public Review Period for CVE rules Alan Coopersmith
Re: Certificate policy: OCSP becomes optional and CRLs mandatory for public CAs on Friday Steffen Nurpmeso

Wednesday, 13 March

Re: CVEs issued by the Linux kernel CNA Vegard Nossum
Re: CVE-2021-31618: Apache httpd: NULL pointer dereference on specially crafted HTTP/2 request Christian Fischer
CVE-2024-24549: Apache Tomcat: HTTP/2 header handling DoS Mark Thomas
CVE-2024-23672: Apache Tomcat: WebSocket DoS with incomplete closing handshake Mark Thomas
CVE-2024-28746: Apache Airflow: Ignored Airflow Permissions Ephraim Anierobi

Thursday, 14 March

OSSN-0093: [OpenStack Murano] Unsafe Environment Handling in MuranoPL Jeremy Stanley
CVE-2024-23944: Apache ZooKeeper: Information disclosure in persistent watcher handling Andor Molnar
CVE-2024-28752: Apache CXF SSRF Vulnerability using the Aegis databinding Colm O hEigeartaigh

Friday, 15 March

Expat 2.6.2 released, includes security fixes Alan Coopersmith

Monday, 18 March

CVE-2024-24683: Apache Hop Engine: ID isn't escaped when generating HTML Hans Van Akelyen
5 Linux kernel ksmbd vulnerabilities daniel
Re: 5 Linux kernel ksmbd vulnerabilities Alexander E. Patrakov

Tuesday, 19 March

CVE-2024-27439: Apache Wicket: Possible bypass of CSRF protection Emond Papegaaij

Wednesday, 20 March

Re: 5 Linux kernel ksmbd vulnerabilities Hauke Mehrtens
Vulnerability in Jenkins Daniel Beck
CVE-2024-29133: Apache Commons Configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree Gary D. Gregory
CVE-2024-29131: Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator() Gary D. Gregory
Security fixes in Python 3.10.14, 3.9.19, and 3.8.19 (CVE-2023-6597 & CVE-2024-0450) Alan Coopersmith

Thursday, 21 March

CVE-2024-27438: Apache Doris: Downloading arbitrary remote jar files resulting in remote command execution Mingyu Chen
CVE-2024-26307: Apache Doris: Possible race condition Mingyu Chen

Friday, 22 March

GnuTLS 3.8.4 released, fixes CVE-2024-28834 & CVE-2024-28835 Alan Coopersmith
Re: GnuTLS 3.8.4 released, fixes CVE-2024-28834 & CVE-2024-28835 Alex Gaynor

Saturday, 23 March

Firefox 124.0.1 fixes two critical JavaScript engine vulnerabilities Solar Designer

Sunday, 24 March

GNU emacs 29.3 released to fix security issues Alan Coopersmith
Fwd: GNU emacs 29.3 released to fix security issues Alan Coopersmith
Re: [External] : [oss-security] Fwd: GNU emacs 29.3 released to fix security issues Alan Coopersmith

Monday, 25 March

Re: GNU emacs 29.3 released to fix security issues Salvatore Bonaccorso
Re: GNU emacs 29.3 released to fix security issues Salvatore Bonaccorso
WebKitGTK and WPE WebKit Security Advisory WSA-2024-0002 Adrian Perez de Castro

Tuesday, 26 March

CVE-2024-29735: Apache Airflow: Potentially harmful permission changing by log task handler Jarek Potiuk
[SECURITY ADVISORY] curl: CVE-2024-2004: Usage of disabled protocol Daniel Stenberg

Wednesday, 27 March

[SECURITY ADVISORY] curl: CVE-2024-2379: QUIC certificate check bypass with wolfSSL Daniel Stenberg
[SECURITY ADVISORY] curl: CVE-2024-2398: HTTP/2 push headers memory-leak Daniel Stenberg
[SECURITY ADVISORY] curl: CVE-2024-2466: TLS certificate check bypass with mbedTLS Daniel Stenberg
CVE-2024-28085: Escape sequence injection in util-linux wall Skyler Ferrante (RIT Student)
Re: CVE-2024-28085: Escape sequence injection in util-linux wall nightmare . yeah27
Re: CVE-2024-28085: Escape sequence injection in util-linux wall Jakub Wilk
Re: CVE-2024-28085: Escape sequence injection in util-linux wall Demi Marie Obenour
Re: CVE-2024-28085: Escape sequence injection in util-linux wall Solar Designer

Thursday, 28 March

Re: CVE-2024-28085: Escape sequence injection in util-linux wall Alexander E. Patrakov
Re: Re: CVE-2024-28085: Escape sequence injection in util-linux wall Jakub Wilk
Re: CVE-2024-28085: Escape sequence injection in util-linux wall Karel Zak

Friday, 29 March

CVE-2024-23537: Apache Fineract: Under certain circumstances, this vulnerability allowed users, without specific permissions, to escalate their privileges to any role. Arnout Engelen
CVE-2024-23538: Apache Fineract: Under certain system configurations, the sqlSearch parameter was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries. Arnout Engelen
CVE-2024-23539: Apache Fineract: Under certain system configurations, the sqlSearch parameter for specific endpoints was vulnerable to SQL injection attacks, potentially allowing attackers to manipulate database queries. Arnout Engelen
backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alex Gaynor
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jeffrey Walton
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alex Gaynor
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Anthony Liguori
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Ivan Delalande
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alexander E. Patrakov
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Matthias Weckbecker
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Vegard Nossum
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alexander E. Patrakov
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise sjw
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer
Re: backdoor in upstream xz/liblzma leading to ssh server compromise terraminator
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Demi Marie Obenour
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Liguori, Anthony
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Russ Allbery
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund

Saturday, 30 March

Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alexander E. Patrakov
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Florian Weimer
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy
Re: backdoor in upstream xz/liblzma leading to ssh server compromise sjw
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Vegard Nossum
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Matthias Weckbecker
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Mike O'Connor
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Collin Funk
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jonathan Schleifer
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Bjoern Franke
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Pierre-Elliott Bécue
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Bo Anderson
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marcin Wolcendorf
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jeffrey Walton
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Russ Allbery
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jonathan Schleifer
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating)
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Axel Beckert
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Christoph Anton Mitterer
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund
RE: backdoor in upstream xz/liblzma leading to ssh server compromise Thomas Ward
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Alexander E. Patrakov
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Salvatore Bonaccorso
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Mats Wichmann
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Fay Stegerman
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Axel Beckert
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Fay Stegerman
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Rein Fernhout (Levitating)
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Andres Freund
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jan Engelhardt
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Pat Gunn

Sunday, 31 March

SV: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Markus Klyver
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Michael.Karcher
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Dominique Martinet
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Michael Tokarev
Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jeffrey Walton