Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

Latest Posts

Announce: OpenSSH 10.2 released Damien Miller (Oct 10)
OpenSSH 10.2 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More...

CVE-2025-62228: Apache Flink CDC, Apache Flink CDC, Apache Flink CDC, Apache Flink CDC, Apache Flink CDC: SQL injection via maliciously crafted identifiers Leonard Xu (Oct 09)
Severity:

Affected versions:

- Apache Flink CDC (org.apache.flink:flink-connector-mysql-cdc) 3.0.0 through 3.4.0
- Apache Flink CDC (org.apache.flink:flink-connector-sqlserver-cdc) 3.0.0 through 3.4.0
- Apache Flink CDC (org.apache.flink:flink-connector-db2-cdc) 3.0.0 through 3.4.0
- Apache Flink CDC (org.apache.flink:flink-connector-oracle-cdc) 3.0.0 through 3.4.0
- Apache Flink CDC (org.apache.flink:flink-cdc-pipeline-connector-oceanbase)...

Fwd: Heads-up: Upcoming Samba security releases Douglas Bagnall (Oct 08)
The Samba team (which includes me) has announced there will be a
security release next Wednesday. This is our standard procedure, though
this time we have added an estimate of how many people might be affected
by each bug.

Douglas

-------- Forwarded Message --------
Subject: Heads-up: Upcoming Samba security releases
Date: Thu, 9 Oct 2025 17:38:13 +1300
From: Douglas Bagnall via samba-technical <samba-technical () lists samba org>...

several vulnerabilities fixed in Go 1.25.2 and Go 1.24.8 Jan Schaumann (Oct 07)
Forwarding from
https://groups.google.com/g/golang-nuts/c/Gxn25BP4MXk/m/3KrM-XBOBAAJ
because I don't think I've seen it here on this list
yet.

----- Forwarded message from announce () golang org -----

----- End forwarded message -----

redis: CVE-2025-49844: Lua Use-After-Free may lead to remote code execution Jan Schaumann (Oct 07)
I haven't seen it here on this list yet, so
forwarding:

There's an RCE vulnerability in Redis with a CVSS
Score of 9.9 (although advertised as 10.0):

https://nvd.nist.gov/vuln/detail/CVE-2025-49844
https://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Impact

An authenticated user may use a specially crafted Lua
script to manipulate the garbage collector, trigger a...

Re: Announce: OpenSSH 10.1 released David Leadbeater (Oct 07)
[...]

There was a minor error in the above, it should say %r (remote
username), not %u (local username).

It has also now been assigned CVE-2025-61984.

I thought it was worth expanding on this issue, it is essentially a
follow up from CVE-2023-51385, where if a user clones a git repo or
otherwise performs another action that passes an attacker controlled
string to SSH, it could be passed through to the user configured
ProxyCommand. i.e. it...

Resource consumption weakness in Postgres-using applications & frameworks Peter Bex (Oct 06)
Hello all,

In "Paged Out!" magazine, issue #7, I posted an article[1] about a
potential resource consumption weakness (aka potential DoS) in
applications using Postgres. This issue allows an attacker to
force a sequential scan under certain conditions, regardless of any
index.

The issue itself was originally found by Jeremy Evans in 2022[2] using
integer literals in SQL statements. It had a broader impact than he
originally thought...

Announce: OpenSSH 10.1 released Damien Miller (Oct 06)
OpenSSH 10.1 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More...

Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros nightmare . yeah27 (Oct 05)
Yes, thank you. This in fact improved my understanding of the
situation a lot. I hope it also did so for others.

Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 04)
I don't understand this, sorry. Right now, we _do_ triage all bugfixes
that are added to the Linux kernel and classify them if they meet the
requirement of a "vulnerability" as required by cve.org or not. Any
that do, we assign a CVE to. Any that do not, we do not. There are 3
of us doing this work, in our public git repo, plus we have 2 "guest"
reviewers also helping out at times, so everyone can see what is...

Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros nightmare . yeah27 (Oct 04)
I can guess Attila's meaning as an outsider. It seems strange to me
that as one so deeply engaged in these issues you (Greg) cannot do
that.

The meaning is: it *would* be unsustainable *if* you actually started
triaging. You don't triage now, because "a bug is a bug".

Re: fetchmail-SA-2025-01: SMTP AUTH denial of service now called CVE-2025-61962. Matthias Andree (Oct 04)
fetchmail-SA-2025-01: SMTP AUTH denial of service

Topics: fetchmail SMTP client can crash when authenticating

Author: Matthias Andree
Version: 1.1
Announced: 2025-10-03
Type: failure to validate network input in certain configurations
Impact: fetchmail tries to read from address 1 and can crash
Severity: moderate

URL: https://www.fetchmail.info/fetchmail-SA-2025-01.txt
Project URL:...

Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Oct 03)
What do you mean by this? I never stated it was unsustainable, in fact
it's just fine from our side. What is the problem you are wanting
others to help in solving with here exactly?

We never turn down help, so sure, work away. But I'm very unclear as to
exactly what you are going to be wanting to work on.

Decision about what exactly?

What specific criticisms are you having here? What ones does
Canonical have? I talk to...

Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz (Oct 03)
Greg,

I truly appreciate your answer. When I last spoke about this at a
private infosec conference, I made it clear to the audience that I
deeply respect your work. In my view, developing Linux continues to be
one of the most admirable and noble endeavors in technology.

That said, let me try to be constructive.

I know the workload is immense, but from my perspective as a security
researcher, here’s what I propose:

* I can reach...

fetchmail-SA-2025-01: SMTP AUTH denial of service Alan Coopersmith (Oct 03)
fetchmail-SA-2025-01: SMTP AUTH denial of service

Topics: fetchmail SMTP client can crash when authenticating

Author: Matthias Andree
Version: 1.0
Announced: 2025-10-03
Type: failure to validate network input in certain configurations
Impact: fetchmail tries to read from address 1 and can crash
Severity: moderate

URL: https://www.fetchmail.info/fetchmail-SA-2025-01.txt
Project URL:...
