oss-security  

Messages by Thread

• [oss-security] CVE-2026-8647: Crypt::ScryptKDF versions through 0.010 for Perl uses insecure random number source when no CSPRNG module is available Robert Rothenberg
• [oss-security] CVE-2026-46740: Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections Robert Rothenberg
• [oss-security] CVE-2026-40564: Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator Gyula Fora
• [oss-security] qSnapper: Various Security Issues in Privileged D-Bus Service (CVE-2026-41045 through CVE-2026-41048) Matthias Gerstner
• [oss-security] CVE-2026-9538: Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header Stig Palmquist
• [oss-security] CVE-2026-42497: Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory Stig Palmquist
• [oss-security] CVE-2026-42496: Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory Stig Palmquist
• [oss-security] CVE-2026-8376: Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds Timothy Legge
• [oss-security] CVE-2026-48589: Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow Lenny Primak
• [oss-security] CVE-2026-44598: Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials) Lenny Primak
• [oss-security] CVE-2026-43828: Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default Lenny Primak
• [oss-security] CVE-2026-43827: Apache Shiro: Session fixation: new session is not created after login by default Lenny Primak
• [oss-security] CVE-2026-42797: Apache Syncope: JexlContextBuilder Information Disclosure Francesco Chicchiriccò
• [oss-security] CVE-2026-42782: Apache Syncope: Post-auth RCE via Groovy static Francesco Chicchiriccò
• [oss-security] PuTTY 0.84 released with 3 minor security fixes Alan Coopersmith
• [oss-security] CVE-2026-46745: Apache Airflow FAB provider: [ Security Report ] LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token (ZDRES-223) Jens Scheffler
• [oss-security] CVE-2026-45361: Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default) Jens Scheffler
• [oss-security] root-project/root: Heap buffer overflow in TKey::Streamer / TBasket::ReadBasketBuffers Manopakorn Kooharueangrong
  • Re: [oss-security] root-project/root: Heap buffer overflow in TKey::Streamer / TBasket::ReadBasketBuffers Solar Designer
  • Re: [oss-security] root-project/root: Heap buffer overflow in TKey::Streamer / TBasket::ReadBasketBuffers Matt Christie
• [oss-security] Anthropic's coordinated vulnerability disclosure dashboard Alan Coopersmith
• [oss-security] CVE-2026-45249: Apache ECharts: XSS in Lines series tooltip rendering Zhongxiang Wang
• [oss-security] CVE-2026-9277: shell-quote before 1.8.4 command injection in quote() Akshat Sinha
• [oss-security] HPLIP: Potential Escalation of Privilege and Arbitrary Code Execution Alan Coopersmith
• [oss-security] [vim-security] Multiple Memory Safety Issues in Vim Spell File Parser affects Vim < 9.2.0513 Christian Brabandt
• [oss-security] illumos: 18118 SCTP frees wrong-size, and need to keep private options Dan McDonald
• [oss-security] CVE-2026-44930: Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository Colm O hEigeartaigh
• [oss-security] CVE-2026-44618: Apache CXF: XXE vulnerability in WS-Transfer functionality Colm O hEigeartaigh
• [oss-security] CVE-2026-44417: Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE) Colm O hEigeartaigh
• [oss-security] Vulnerabilities in golang.org/x/crypto Alan Coopersmith
• [oss-security] CVE-2026-5091: Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks Robert Rothenberg
• [oss-security] CVE-2026-46473: Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand Robert Rothenberg
• [oss-security] CVE-2026-47243: Kata Containers runtime-rs 3.30: virtiofsd symlink escape Aurelien Bombo
• [oss-security] CVE-2026-48207: Apache Fory: PyFory ReduceSerializer Incomplete Policy Enforcement Chaokun Yang
• [oss-security] Host ambiguous requests through NGINX $host and Debian's proxy_params gabriel . corona
  • Re: [oss-security] Host ambiguous requests through NGINX **$http_host** and Debian's proxy_params Gabriel Corona
  • Re: [oss-security] Host ambiguous requests through NGINX $host and Debian's proxy_params Gabriel Corona
• [oss-security] CVE-2026-45760: Apache Camel K: Camel K Cross-Namespace Build Deputy Attack Pasquale Congiusti
• [oss-security] CVE-2026-45250: FreeBSD setcred(2) stack overflow -> local privilege escalation (FatGid) Przemyslaw Frasunek
  • Re: [oss-security] CVE-2026-45250: FreeBSD setcred(2) stack overflow -> local privilege escalation (FatGid) Steffen Nurpmeso
  • Re: [oss-security] CVE-2026-45250: FreeBSD setcred(2) stack overflow -> local privilege escalation (FatGid) Przemyslaw Frasunek
• [oss-security] CVE-2026-47372: Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts Robert Rothenberg
• [oss-security] CVE-2026-47373: Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks Robert Rothenberg
• [oss-security] CVE-2026-4802 [cockpit] Arbitrary code execution in the logs page via a specially crafted link Jelle van der Waa
• [oss-security] PowerDNS Security Advisory 2026-06: Multiple Issues Miod Vallat
• [oss-security] ISC has disclosed six vulnerabilities in BIND 9 (CVE-2026-3039, CVE-2026-3592, CVE-2026-3593, CVE-2026-5946, CVE-2026-5947, CVE-2026-5950) Michał Kępień
• [oss-security] rsync 3.4.3 released: six CVEs (CVE-2026-29518, CVE-2026-43617, CVE-2026-43618, CVE-2026-43619, CVE-2026-43620, CVE-2026-45232) Andrew Tridgell
• [oss-security] Unbound: 1.25.1 addresses multiple CVE items Yorgos Thessalonikefs
• [oss-security] QEMU CXL Memory Corruption Vulnerability ("QEMUtiny") Brett Sheffield
• [oss-security] PCManFM-Qt allows arbitrary files to be opened via the org.freedesktop.FileManager1.ShowFolders method Aaron Rainbolt
  • Re: [oss-security] PCManFM-Qt allows arbitrary files to be opened via the org.freedesktop.FileManager1.ShowFolders method Simon McVittie
  • Re: [oss-security] PCManFM-Qt allows arbitrary files to be opened via the org.freedesktop.FileManager1.ShowFolders method gabriel . corona
  • Re: [oss-security] PCManFM-Qt allows arbitrary files to be opened via the org.freedesktop.FileManager1.ShowFolders method gabriel . corona
  • [oss-security] Re: PCManFM-Qt allows arbitrary files to be opened via the org.freedesktop.FileManager1.ShowFolders method Aaron Rainbolt
• [oss-security] CVE-2026-5090: Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected Robert Rothenberg
• [oss-security] [OSSA-2026-013] Ironic: Denial of Service via specially crafted deployment requests (CVE-2026-44919) Jay Faulkner
• [oss-security] CVE-2026-42526: Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends Vincent Beck
• [oss-security] CVE-2026-27173: Apache Airflow CNCF Kubernetes provider: JWT Token Exposure in KubernetesExecutor Command-Line Arguments Vincent Beck
• [oss-security] Evince/Atril/Xreader command injection CVE-2026-46529 Michael Catanzaro
  • [oss-security] Re: Evince/Atril/Xreader command injection CVE-2026-46529 Michael Catanzaro
  • [oss-security] Re: Evince/Atril/Xreader command injection CVE-2026-46529 Wolfgang
• [oss-security] Memcached 1.6.42 is a "major security focused release" with CVE's TBD Alan Coopersmith
  • Re: [oss-security] Memcached 1.6.42 is a "major security focused release" with CVE's TBD Alan Coopersmith
• [oss-security] CVE-2026-46586: Apache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy Code Execution Jacopo Cappellato
• [oss-security] CVE-2026-45434: Apache OFBiz: Authentication Bypass via Password-Change Logic Flaw Leading to RCE Jacopo Cappellato
• [oss-security] CVE-2026-45187: Apache OFBiz: Improper Authorization in Scheduled Job Creation Allows Low-Privileged Users to Submit System Jobs Jacopo Cappellato
• [oss-security] CVE-2026-41919: Apache OFBiz: Authentication Bypass due to Improper Neutralization of LDAP Special Elements in DN Construction Jacopo Cappellato
• [oss-security] CVE-2026-35086: Apache OFBiz: Authenticated Remote Code Execution via Unsafe Template Expansion in email services Jacopo Cappellato
• [oss-security] CVE-2026-31986: Apache OFBiz: Unauthenticated RCE via Default JWT Signing Key and Widget Template Injection Jacopo Cappellato
• [oss-security] CVE-2026-31910: Apache OFBiz: Improper Input Validation in UI Factory Classes Leads to SSRF and Blind File Access Jacopo Cappellato
• [oss-security] CVE-2026-31909: Apache OFBiz: Unauthenticated Shipment Label Image Disclosure Jacopo Cappellato
• [oss-security] CVE-2026-31906: Apache OFBiz: Reflected XSS via Improper HTML Attribute Escaping in Layered-Modal Dialog Parameters Jacopo Cappellato
• [oss-security] CVE-2026-31388: Apache OFBiz: Cross-Tenant Data Exposure via Program Export Feature Jacopo Cappellato
• [oss-security] CVE-2026-31387: Apache OFBiz: Cookie Manipulation Allows Authenticated JWT Forgery and Account Impersonation Jacopo Cappellato
• [oss-security] CVE-2026-31380: Apache OFBiz: FreeMarker SSTI via Duplicate Parameter Sanitization Bypass Jacopo Cappellato
• [oss-security] CVE-2026-31379: Apache OFBiz: Path Traversal and File Upload Validation Bypass Leading to Arbitrary File Write, Stored XSS and RCE in Catalog Manager Jacopo Cappellato
• [oss-security] CVE-2026-31378: Apache OFBiz: JSON Attribute Override and URL Allowlist Bypass Leads to Remote Code Execution Jacopo Cappellato
• [oss-security] CVE-2026-29226: Apache OFBiz: Low-Privilege SSRF in Content Component Jacopo Cappellato
• [oss-security] CVE-2026-29220: Apache OFBiz: Low-Privilege LFI in Content Component Jacopo Cappellato
• [oss-security] CVE-2026-29207: Apache OFBiz: Low-Privilege SSTI Leading to RCE in the Content Component Jacopo Cappellato
• [oss-security] CVE-2026-47323: Apache Camel: Camel-CXF Message Header Injection via Missing Inbound Filtering Andrea Cosentino
• [oss-security] [SBA-ADV-20260128-05] CVE-2026-42547: DFIR-IRIS before 2.4.28 Alerts Can be Falsely Attributed to Customers SBA Research Security Advisory
• [oss-security] [SBA-ADV-20260128-03] CVE-2026-42543: DFIR-IRIS before 2.4.28 Cross-Site Request Forgery (CSRF) SBA Research Security Advisory
• [oss-security] [SBA-ADV-20260128-01] CVE-2026-42540: DFIR-IRIS before 2.4.28 Mass Assignment SBA Research Security Advisory
• [oss-security] [SBA-ADV-20260126-04] CVE-2026-42539: DFIR-IRIS before 2.4.28 Excessive Data Exposure SBA Research Security Advisory
• [oss-security] [SBA-ADV-20260126-03] CVE-2026-42538: DFIR-IRIS before 2.4.28 Insecure File Upload SBA Research Security Advisory
• [oss-security] [SBA-ADV-20260126-02] CVE-2026-42329: DFIR-IRIS before 2.4.28 Open Redirect SBA Research Security Advisory
• [oss-security] PinTheft Linux LPE Sam James
  • Re: [oss-security] PinTheft Linux LPE Sam James
  • Re: [oss-security] PinTheft Linux LPE Sam James
  • Re: [oss-security] PinTheft Linux LPE Jelle van der Waa
  • Re: [oss-security] PinTheft Linux LPE Marcus Meissner
• [oss-security] Fixed: local root exploit in haveged, fixed in 1.9.21, CVE-2026-41054 Marcus Meissner
  • Re: [oss-security] Fixed: local root exploit in haveged, fixed in 1.9.21, CVE-2026-41054 Hanno Böck
  • Re: [oss-security] Fixed: local root exploit in haveged, fixed in 1.9.21, CVE-2026-41054 Steffen Nurpmeso
  • [oss-security] Re: Fixed: local root exploit in haveged, fixed in 1.9.21, CVE-2026-41054 nightmare . yeah27
  • Re: [oss-security] Re: Fixed: local root exploit in haveged, fixed in 1.9.21, CVE-2026-41054 Jeffrey Walton
  • [oss-security] CVE-2026-41054: haveged — privilege escalation via command socket Jiri Hladky
• [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Aaron Rainbolt
  • Re: [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Simon McVittie
  • Re: [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Aaron Rainbolt
  • Re: [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Aaron Rainbolt
  • Re: [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Simon McVittie
  • Re: [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Demi Marie Obenour
  • Re: [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Gabriel Corona
  • Re: [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Steffen Nurpmeso
  • Re: [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) gabriel . corona
  • Re: [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Gabriel Corona
  • [oss-security] Re: On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Aaron Rainbolt
• Re: [oss-security] CVE request experience Fabian Keil
• [oss-security] CVE-2026-8788: Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections Robert Rothenberg
• [oss-security] CVE-2026-8721: Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs Timothy Legge
• [oss-security] CVE-2026-8507: Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl have out of bound (OOB) write flaws Timothy Legge
• [oss-security] [vim-security] Vimscript Code Injection in cucumber filetype plugin via crafted step-definition regex affects Vim < 9.2.0496 Christian Brabandt
• [oss-security] [vim-security] Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name affects Vim < 9.2.495 Christian Brabandt
• [oss-security] CVE-2026-46720: Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections Robert Rothenberg
• [oss-security] CVE-2026-46719: Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections Robert Rothenberg
• [oss-security] Recent Kernel exploits, attack surface reduction, example IPSEC Hanno Böck
  • Re: [oss-security] Recent Kernel exploits, attack surface reduction, example IPSEC Valtteri Vuorikoski
  • Re: [oss-security] Recent Kernel exploits, attack surface reduction, example IPSEC Agostino Sarubbo
  • Re: [oss-security] Recent Kernel exploits, attack surface reduction, example IPSEC Bernhard R. Link
  • Re: [oss-security] Recent Kernel exploits, attack surface reduction, example IPSEC Donald Buczek
  • Re: [oss-security] Recent Kernel exploits, attack surface reduction, example IPSEC Lionel Debroux
  • Re: [oss-security] Recent Kernel exploits, attack surface reduction, example IPSEC Jeffrey Walton
• [oss-security] CVE-2026-8704: Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified Timothy Legge
• [oss-security] CVE-2026-8700: Crypt::DSA versions before 1.20 for Perl generate seeds using rand Timothy Legge
• [oss-security] Poppy: XPC Observability & Fault Injection Stuart Thomas
  • Re: [oss-security] Poppy: XPC Observability & Fault Injection Solar Designer
• [oss-security] PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 Released with security fixes Alan Coopersmith
• [oss-security] netatalk 4.4.3 fixes 20 CVEs, leaves 18 for later Alan Coopersmith
• [oss-security] libpng-apng: Chunk-smuggling vulnerability in push-mode APNG parser: CVE-2026-40930 Cosmin Truta
• [oss-security] CVE-2026-35194: Apache Flink: Remote code execution via SQL injection in code generation Martijn Visser
• [oss-security] Security Advisory: Multiple Vulnerabilities in llama.cpp GGUF Format Parsers 135266653
• [oss-security] CVE-2026-46474: Trog::TOTP versions before 1.006 for Perl generate secrets using rand Robert Rothenberg
• [oss-security] CVE-2026-8669: Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files Timothy Legge
• [oss-security] CVE-2026-8503: Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids Robert Rothenberg
• [oss-security] CVE-2026-8454: Imager::File::GIF versions through 1.002 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files Timothy Legge
• [oss-security] Logic bug in the Linux kernel's __ptrace_may_access() function Qualys Security Advisory
  • Re: [oss-security] Logic bug in the Linux kernel's __ptrace_may_access() function Sam James
  • Re: [oss-security] Logic bug in the Linux kernel's __ptrace_may_access() function Salvatore Bonaccorso
  • Re: [oss-security] Logic bug in the Linux kernel's __ptrace_may_access() function Salvatore Bonaccorso
  • Re: [oss-security] Logic bug in the Linux kernel's __ptrace_may_access() function Sam James
  • Re: [oss-security] Logic bug in the Linux kernel's __ptrace_may_access() function Qualys Security Advisory
  • Re: [oss-security] Logic bug in the Linux kernel's __ptrace_may_access() function David Gonzalez
  • [oss-security] Re: Logic bug in the Linux kernel's __ptrace_may_access() function Qualys Security Advisory
  • [oss-security] Re: Logic bug in the Linux kernel's __ptrace_may_access() function Qualys Security Advisory
  • [oss-security] Re: Logic bug in the Linux kernel's __ptrace_may_access() function Qualys Security Advisory
  • Re: [oss-security] Re: Logic bug in the Linux kernel's __ptrace_may_access() function Simon McVittie
• [oss-security] CVE-2026-8612: WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution Stig Palmquist
• [oss-security] [vim-security] Vimscript Code Injection in netrw NetrwMarkFile() via crafted filename affects Vim < 9.2.480 Christian Brabandt
• [oss-security] [vim-security] Command Injection in tar.vim affects Vim < 9.2.479 Christian Brabandt
• [oss-security] CVE-2026-45205: Apache Commons Configuration: StackOverflowError for YAML input with cycles Gary D. Gregory
• [oss-security][CVE-2026-8328] CPython: FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address Alan Coopersmith
• [oss-security] CVE-2026-8500: Web::Passwd versions through 0.03 for Perl is vulnerable to RCE Robert Rothenberg
• [oss-security] NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945 Alan Coopersmith
  • [oss-security] NGINX ngx_http_rewrite_module buffer overflow (CVE-2026-9256) Alan Coopersmith
• [oss-security] CVE-2026-8463: Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input Stig Palmquist
• [oss-security] Linux kernel LPE ("fragnesia", copyfail 3.0) Sam James
  • Re: [oss-security] Linux kernel LPE ("fragnesia", copyfail 3.0) Greg KH
  • Re: [oss-security] Linux kernel LPE ("fragnesia", copyfail 3.0) Solar Designer
  • Re: [oss-security] Linux kernel LPE ("fragnesia", copyfail 3.0) Jan Schaumann
  • Re: [oss-security] Linux kernel LPE ("fragnesia", copyfail 3.0) Salvatore Bonaccorso
  • [oss-security] Linux kernel: Dirty Frag variants — fix merged into netdev Hyunwoo Kim
  • Re: [oss-security] Linux kernel: Dirty Frag variants — fix merged into netdev Solar Designer
  • Re: [oss-security] Linux kernel: Dirty Frag variants — fix merged into netdev Hyunwoo Kim
  • Re: [oss-security] Linux kernel: Dirty Frag variants — fix merged into netdev Demi Marie Obenour
• [oss-security] CVE-2026-41326: Kata Containers: CopyFile Policy Subversion via Symlinks Solar Designer
• [oss-security] CVE-2026-5958: GNU sed: TOCTOU race in sed -i --follow-symlinks Solar Designer
• [oss-security] Fwd: [siren] [Security Advisory] Severity: CRITICAL - Malicious Compromise of OpenSearch Pre-Release npm Packages Alan Coopersmith
• [oss-security] CVE-2026-5089: YAML::Syck versions before 1.38 for Perl has an out-of-bounds read Robert Rothenberg
• [oss-security] Xen Security Advisory 490 v1 (CVE-2025-54518) - x86: CPU Opcode Cache corruption Xen . org security team
• [oss-security] CVE-2026-42498: Apache Tomcat: WebSocket authentication header exposure Mark Thomas
• [oss-security] CVE-2026-41293: Apache Tomcat: HTTP/2 request headers not validated Mark Thomas
• [oss-security] CVE-2026-41284: Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling Mark Thomas
• [oss-security] CVE-2026-43515: Apache Tomcat: Security constraints not correctly applied Mark Thomas
• [oss-security] CVE-2026-43514: Apache Tomcat: AJP secret compared in non-constant time Mark Thomas
• [oss-security] CVE-2026-43513: Apache Tomcat: LockOutRealm treats user names as case-sensitive Mark Thomas
• [oss-security] CVE-2026-43512: Apache Tomcat: Digest authenticator will authenticate any unknown user Mark Thomas
• [oss-security] CVE-2026-8368: LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects Stig Palmquist
• [oss-security] Dovecot Security Advisory OXDC-2026-0002 Aki Tuomi
• [oss-security] [EXIM-Security-2026-05-01.1] Security Release 4.99.3 Heiko Schlittermann
  • [oss-security] Re: [EXIM-Security-2026-05-01.1] Security Release 4.99.3 Heiko Schlittermann
  • Re: [oss-security] [EXIM-Security-2026-05-01.1] Security Release 4.99.3 Sam James
• [oss-security] Public security analysis and LLM-assisted variant discovery Tim Shephard
• [oss-security] CVE-2026-7010: HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values Stig Palmquist
• [oss-security] libexpat 2.8.1 fixes CVE-2026-45186 (denial of service) Sebastian Pipping
• [oss-security] CVE-2026-6146: Amazon::Credentials versions through 1.2.0 for Perl uses rand to generate encryption keys Robert Rothenberg
• [oss-security] CVE-2022-4988: Alien::FreeImage versions through 1.001 for Perl contains several vulnerable libraries Robert Rothenberg
• [oss-security] OpenSSL ARM64 SM2 scalar multiplication timing side-channel (no CVE) Abhinav Agarwal
• [oss-security] dnsmasq vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation Alan Coopersmith
  • Re: [oss-security] dnsmasq vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation Alan Coopersmith
  • Re: [oss-security] dnsmasq vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation Sam James
• [oss-security] CVE Request: Fail-open authentication in hathor-wallet-headless <= 0.38.0 (vendor declined to fix) Emiliano Solazzi G.
• [oss-security][CVE-2026-7210] Cpython: The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection Alan Coopersmith
  • Re: [oss-security][CVE-2026-7210] Cpython: The expat and elementtree parsers use insufficient entropy for XML hash-flooding protection Sebastian Pipping
• [oss-security] [OSSA-2026-012] Ironic: Remote Code Execution when Anaconda driver enabled (CVE-2026-44916) Jay Faulkner
• [oss-security] CVE-2026-5084: WebDyne::Session versions through 2.075 for Perl generates the session id insecurely Stig Palmquist
• [oss-security] malcontent: Disk Space Exhaustion via Globally Accessible D-Bus API (CVE-2026-44931) Matthias Gerstner
• [oss-security] CVE-2026-45191: Net::CIDR::Lite versions before 0.24 for Perl does not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass Stig Palmquist
• [oss-security] CVE-2026-8177: XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences Stig Palmquist

• Earlier messages