oss-security

Messages by Thread

[oss-security] Go 1.23.1 and Go 1.22.7 released with 3 security fixes Alan Coopersmith
[oss-security] [OSSA-2024-003] OpenStack Ironic: Unvalidated image data passed to qemu-img (CVE-2024-44082) Brian Rosmaita
[oss-security] CVE-2024-43402: Rust before 1.81.0 didn't fully fix argument escaping for batch files Pietro Albini
[oss-security] Re: CVE-2024-45310: runc can be tricked into creating empty files/directories on host Aleksa Sarai
[oss-security] Webmin UDP/10000 discovery service Loop DoS (COK-2024-05-05) Sergei G
[oss-security] CVE-2024-45507: Apache OFBiz: Prevent use of URLs in files when loading them from Java or Groovy, leading to a RCE Jacques Le Roux
[oss-security] CVE-2024-45195: Apache OFBiz: Confused controller-view authorization logic (forced browsing) Jacques Le Roux
[oss-security] CPython: [CVE-2024-6232] Regular-expression DoS when parsing TarFile headers Alan Coopersmith
[oss-security] CVE-2024-6119: OpenSSL: Possible denial of service in X.509 name checks Tomas Mraz
[oss-security] Django CVE-2024-45230 and CVE-2024-45231 Natalia Bidart
[oss-security] CVE-2024-45310: runc can be tricked into creating empty files/directories on host Aleksa Sarai
- Re: [oss-security] CVE-2024-45310: runc can be tricked into creating empty files/directories on host Mike O'Connor
[oss-security] Linux kernel: memory leak in arch/powerpc/platforms/powernv/opal-irqchip.c: opal_event_init() 2639161967
- Re: [oss-security] Linux kernel: memory leak in arch/powerpc/platforms/powernv/opal-irqchip.c: opal_event_init() Solar Designer
- Re: [oss-security] Linux kernel: memory leak in arch/powerpc/platforms/powernv/opal-irqchip.c: opal_event_init() Michael Ellerman
[oss-security] [vim-security] heap-buffer-overflow in Vim > 9.1.0038 && < 9.1.0707 Christian Brabandt
[oss-security] CVE-2023-49582: Apache Portable Runtime (APR): Unexpected lax shared memory permissions Eric Covener
[oss-security] [vim-security] heap-buffer-overflow in ins_typebuf() in Vim < 9.1.0697 Christian Brabandt
[oss-security] [vim-security] heap-buffer-overflow in do_search() in Vim < 9.1.0689 Christian Brabandt
[oss-security] gh:facebook/rocksdb v9.5.2 - SupplyChainAttackPoC for Meta BB Andreas Stieger
[oss-security] CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Alan Coopersmith
- Re: [oss-security] CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman
- Re: [oss-security] CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman
- Re: [oss-security] CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman
[oss-security] CVE-2024-41937: Apache Airflow: Stored XSS Vulnerability on provider link Ephraim Anierobi
[oss-security] CVE-2023-49198: Apache SeaTunnel Web: Arbitrary file read vulnerability Jun Gao
[oss-security] CVE-2024-22281: Apache Helix Front (UI): Helix front hard-coded secret in the express-session Junkai Xue
[oss-security] CVE-2024-43202: Apache DolphinScheduler: Remote Code Execution Vulnerability ShunFeng Cai
[oss-security] Landlock Houdini fix: CVE-2024-42318 Mickaël Salaün
[oss-security] WebKitGTK and WPE WebKit Security Advisory WSA-2024-0004 Adrian Perez de Castro
[oss-security] AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024) David A. Wheeler
- Re: [oss-security] AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024) Alfredo Ortega
- Re: [oss-security] AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024) David A. Wheeler
[oss-security] Unbound 1.21.0 released with multiple security fixes Alan Coopersmith
[oss-security] [kubernetes] CVE-2024-7646: Ingress-nginx Annotation Validation Bypass Craig Ingram
[oss-security] Heads-up: there are two versions of Intel microcode update IPU 2024.3 Samuel Verschelde
[oss-security] [vim-security] use-after-free in alist_add() in Vim < v9.1.0678 Christian Brabandt
[oss-security] Dovecot CVE-2024-23185: Very large headers can cause resource exhaustion when parsing message Aki Tuomi
[oss-security] Dovecot CVE-2024-23184: Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive Aki Tuomi
[oss-security] flatpak CVE-2024-42472: Access to files outside sandbox for apps using persistent= (--persist) Simon McVittie
[oss-security] CVE-2024-7347: nginx: ngx_http_mp4_module: Worker process crash by using a specially crafted mp4 file Solar Designer
[oss-security] Xen Security Advisory 461 v2 (CVE-2024-31146) - PCI device pass-through with shared resources Xen . org security team
[oss-security] Xen Security Advisory 460 v2 (CVE-2024-31145) - error handling in x86 IOMMU identity mapping Xen . org security team
[oss-security] CVE-2024-41909: Apache MINA SSHD: integrity check bypass Arnout Engelen
[oss-security] CVE-2024-42008 and more: XSS vulnerabilities in Roundcube webmail Valtteri Vuorikoski
[oss-security] CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL Solar Designer
[oss-security] CVE-2024-30188: Apache DolphinScheduler: Resource File Read And Write Vulnerability ShunFeng Cai
[oss-security] CVE-2024-29831: Apache DolphinScheduler: RCE by arbitrary js execution ShunFeng Cai
[oss-security] CVE-2024-41888: Apache Answer: The link for resetting user password is not Single-Use Enxin Xie
[oss-security] CVE-2024-41890: Apache Answer: The link to reset the user's password will remain valid after sending a new link Enxin Xie
[oss-security] KL-001-2024-006: Open WebUI Arbitrary File Upload + Path Traversal KoreLogic Disclosures
[oss-security] KL-001-2024-005: Open WebUI Stored Cross-Site Scripting KoreLogic Disclosures
[oss-security] Multiple vulnerabilities in Jenkins Daniel Beck
- [oss-security] Multiple vulnerabilities in Jenkins Kevin Guerroudj
- [oss-security] Multiple vulnerabilities in Jenkins Daniel Beck
[oss-security] CVE-2024-42222: Apache CloudStack: Unauthorised Network List Access Rohit Yadav
[oss-security] CVE-2024-42062: Apache CloudStack: User Key Exposure to Domain Admins Rohit Yadav
[oss-security] Tracking down a lost CVE request (MITRE) Michael Orlitzky
- Re: [oss-security] Tracking down a lost CVE request (MITRE) Mark Esler
- Re: [oss-security] Tracking down a lost CVE request (MITRE) Michael Orlitzky
[oss-security] Django CVE-2024-41989, CVE-2024-41990, CVE-2024-41991, and CVE-2024-42005 Sarah Boyce
[oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Neil Horman
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Marco Moock
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Stuart Henderson
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Marco Moock
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Bob Friesenhahn
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jeffrey Walton
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Neil Horman
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Demi Marie Obenour
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Chad Sheridan
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jeffrey Walton
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Dan Kegel
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Demi Marie Obenour
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 niekt0
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Solar Designer
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Pat Gunn
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Clemens Lang
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 steffen
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Peter Gutmann
- Re: [oss-security] collision confounders (was: feedback requested regarding deprecation of TLS 1.0/1.1) Jacob Bachmeyer
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Demi Marie Obenour
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Clemens Lang
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jens Timmerman
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Marco Moock
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Clemens Lang
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Demi Marie Obenour
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Alex Gaynor
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Neil Horman
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jan Engelhardt
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Duncan Grisby
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Mike O'Connor
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Pat Gunn
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Hanno Böck
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Peter Gutmann
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jeffrey Walton
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Peter Gutmann
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
[oss-security] CVE-2024-36448: Apache IoTDB Workbench: SSRF Vulnerability (EOL) Haonan Hou
[oss-security] CVE-2024-42447: Apache Airflow Providers FAB: FAB provider 1.2.1 and 1.2.0 did not let user to logout for Airflow Jarek Potiuk
[oss-security] CVE-2024-38856: Apache OFBiz: Unauthenticated endpoint could allow execution of screen rendering code Jacques Le Roux
[oss-security] CVE-2024-36268: Apache InLong TubeMQ Client: Remote Code Execution vulnerability Charles Zhang
[oss-security] CVE-2024-27182: Apache Linkis Basic management services: Engine material management Arbitrary file deletion vulnerability Heping Wang
[oss-security] CVE-2024-27181: Apache Linkis Basic management services: Privilege Escalation Attack vulnerability Heping Wang
[oss-security] Neat VNC Security Vulnerability Andri Yngvason
- Re: [oss-security] Neat VNC Security Vulnerability Solar Designer
- RE: [oss-security] Neat VNC Security Vulnerability Dane Bouchie
- Re: [oss-security] Neat VNC Security Vulnerability Solar Designer
- Re: [oss-security] Neat VNC Security Vulnerability Andri Yngvason
- RE: [oss-security] Neat VNC Security Vulnerability Dane Bouchie
- Re: [oss-security] Neat VNC Security Vulnerability Salvatore Bonaccorso
[oss-security] CPython CVE-2024-6923: Email header injection due to unquoted newlines Alan Coopersmith
- Re: [oss-security] CPython CVE-2024-6923: Email header injection due to unquoted newlines Hanno Böck
[oss-security] [vim-security] double-free in dialog_changed() in Vim < v9.1.0648 Christian Brabandt
[oss-security] [vim-security] use-after-free in tagstack_clear_entry() in Vim < v9.1.0647 Christian Brabandt
[oss-security] [SECURITY ADVISORY] curl: CVE-2024-7264 ASN.1 date parser overread Daniel Stenberg
[oss-security] CVE-2023-48396: Apache SeaTunnel Web: Authentication bypass Jun Gao
[oss-security] Fwd: [Security-announce] [CVE-2024-3219] Pure-Python fallback of socket.socketpair() doesn’t authenticate peer connection Alan Coopersmith
[oss-security] GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Alan Coopersmith
- Re: [oss-security] GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Solar Designer
- Re: [oss-security] GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Alan Coopersmith
- Re: [oss-security] GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Solar Designer
- Re: [oss-security] GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Florian Weimer
[oss-security] CVE-2024-25090: Apache Roller: Insufficient input validation for some user profile and bookmark fields when Roller in untested-users mode David M. Johnson
[oss-security] [ANNOUNCE] Apache Traffic Server is vulnerable to request smuggling and DoS Masakazu Kitajo
[oss-security] inux kernel: virtio-net host dos John Haxby
- Re: [oss-security] linux kernel: virtio-net host dos Salvatore Bonaccorso
[oss-security] CVE-2023-48362: Apache Drill: XXE Vulnerability in XML Format Reader James Turton
[oss-security] [SECURITY ADVISORY] curl: CVE-2024-6874: macidn punycode buffer overread Daniel Stenberg
[oss-security] [SECURITY ADVISORY] curl: CVE-2024-6197: freeing stack buffer in utf8asn1str Daniel Stenberg
- Re: [oss-security] [SECURITY ADVISORY] curl: CVE-2024-6197: freeing stack buffer in utf8asn1str Demi Marie Obenour
[oss-security] CVE-2024-39676: Apache Pinot: Unauthorized endpoint exposed sensitive information Yupeng Fu
[oss-security] CVE-2024-41178: Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files Andrew Lamb
[oss-security] [OSSA-2024-002] OpenStack Nova: Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors (CVE-2024-40767) Jeremy Stanley
[oss-security] ISC has disclosed four vulnerabilities in BIND 9 (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076) Aram Sargsyan
- Re: [oss-security] ISC has disclosed four vulnerabilities in BIND 9 (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076) Valtteri Vuorikoski
[oss-security] GNU C Library version 2.40 released with 5 CVE fixes Alan Coopersmith
[oss-security] CVE-2024-29070: Apache StreamPark: session not invalidated after logout Huajie Wang
[oss-security] CVE-2024-38503: Apache Syncope: HTML tags can be injected into Console or Enduser text fields Francesco Chicchiriccò
[oss-security] CVE-2024-34457: Apache StreamPark IDOR Vulnerability Huajie Wang
[oss-security] CVE-2024-23321: Apache RocketMQ: Unauthorized Exposure of Sensitive Data Rongtong Jin
[oss-security] CVE-2024-41107: Apache CloudStack: SAML Signature Exclusion Rohit Yadav
[oss-security] [ANNOUNCE] Apache CloudStack CVE-2024-41107: SAML Signature Exclusion Abhishek Kumar
[oss-security] CVE-2024-41172: Unrestricted memory consumption in CXF HTTP clients Colm O hEigeartaigh
[oss-security] CVE-2024-32007: Apache CXF Denial of Service vulnerability in JOSE Colm O hEigeartaigh
[oss-security] CVE-2024-29736: Apache CXF: SSRF vulnerability via WADL stylesheet parameter Colm O hEigeartaigh
[oss-security] CVE-2024-29178: Apache StreamPark: FreeMarker SSTI RCE Vulnerability Huajie Wang
[oss-security] CVE-2024-40898: Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows Eric Covener
[oss-security] CVE-2024-40725: Apache HTTP Server: source code disclosure with handlers configured via AddType Eric Covener
[oss-security] Python Infrastructure Admin Token Leaked Through Docker Hub Andrii Polkovnychenko [EXT]
[oss-security] CVE-2024-29120: Apache StreamPark: Information leakage vulnerability Huajie Wang
[oss-security] [kubernetes] CVE-2024-5321: Incorrect permissions on Windows containers logs Craig Ingram
[oss-security] CVE-2024-29737: Apache StreamPark (incubating): maven build params could trigger remote command execution Huajie Wang
[oss-security] CVE-2023-52291: Apache StreamPark (incubating): Unchecked maven build params could trigger remote command execution Huajie Wang
[oss-security] CVE-2024-31979: Apache StreamPipes: Possibility of SSRF in pipeline element installation process Dominik Riemer
[oss-security] CVE-2024-31411: Apache StreamPipes: Potential remote code execution (RCE) via file upload Dominik Riemer
[oss-security] CVE-2024-30471: Apache StreamPipes: Potential creation of multiple identical accounts Dominik Riemer
[oss-security] Landlock news #4 Mickaël Salaün
[oss-security] CVE-2024-39877: Apache Airflow: DAG Author Code Execution possibility in airflow-scheduler Ephraim Anierobi
[oss-security] CVE-2024-39863: Apache Airflow: Potential XSS Vulnerability Ephraim Anierobi
[oss-security] CVE-2024-39887: Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions Daniel Gaspar
[oss-security] Xen Security Advisory 459 v2 (CVE-2024-31144) - Xapi: Metadata injection attack against backup/restore functionality Xen . org security team
[oss-security] Xen Security Advisory 458 v2 (CVE-2024-31143) - double unlock in x86 guest IRQ handling Xen . org security team
[oss-security] CVE-2023-52290: Apache StreamPark (incubating): Unchecked SQL query fields trigger SQL injection vulnerability Huajie Wang
[oss-security] CVE-2023-46801: Apache Linkis DataSource: Remote code execution vulnerability in apache Linkis 1.4.0 Heping Wang
[oss-security] CVE-2023-49566: Apache Linkis DataSource: JDBC Datasource Module with DB2 has JNDI Injection vulnerability Heping Wang
[oss-security] CVE-2023-41916: Apache Linkis DataSource: DatasourceManager module has a JDBC parameter judgment logic vulnerability that allows for arbitrary file reading Heping Wang
[oss-security] CVE-2024-36522: Apache Wicket: Remote code execution via XSLT injection Martin Tzvetanov Grigorov
[oss-security] backtrace_symbols() misuse by Ceph and its supposedly-safe use Alexander Patrakov
- Re: [oss-security] backtrace_symbols() misuse by Ceph and its supposedly-safe use Jacob Bachmeyer
- Re: [oss-security] backtrace_symbols() misuse by Ceph and its supposedly-safe use Simon McVittie
[oss-security] linux-distros application for CentOS Project's Hyperscale SIG Michel Lind
- Re: [oss-security] linux-distros application for CentOS Project's Hyperscale SIG Demi Marie Obenour
- Re: [oss-security] linux-distros application for CentOS Project's Hyperscale SIG Mark Esler
- Re: [oss-security] linux-distros application for CentOS Project's Hyperscale SIG Michel Lind
- Re: [oss-security] linux-distros application for CentOS Project's Hyperscale SIG Jonathan Wright
- Re: [oss-security] linux-distros application for CentOS Project's Hyperscale SIG Solar Designer
- Re: [oss-security] linux-distros application for CentOS Project's Hyperscale SIG Michel Lind
- Re: [oss-security] linux-distros application for CentOS Project's Hyperscale SIG Neil Hanlon
[oss-security] CVE-2024-3596: RADIUS/UDP vulnerable to improved MD5 collision attack Alan Coopersmith
[oss-security] Django CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, and CVE-2024-39614 Natalia Bidart
[oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Will Dormann
- Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Florian Weimer
- Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Will Dormann
- Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch David A. Wheeler
- Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Florian Weimer
- Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Simon McVittie
- [oss-security] Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Will Dormann
- Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Yves-Alexis Perez
- Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Will Dormann
- Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Yves-Alexis Perez