
oss-sec: by thread
293 messages, starting Jul 01 24 and ending Sep 28 24
- Announce: OpenSSH 9.8 released Damien Miller (Jul 01)
- Re: Announce: OpenSSH 9.8 released Dominique Martinet (Jul 02)
- Re: Announce: OpenSSH 9.8 released Christian Fischer (Jul 03)
- Re: Announce: OpenSSH 9.8 released Solar Designer (Jul 28)
- Re: Announce: OpenSSH 9.8 released Dominique Martinet (Jul 02)
- Re: Announce: OpenSSH 9.8 released (fwd) Damien Miller (Jul 01)
- CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Qualys Security Advisory (Jul 01)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems jvoisin (Jul 01)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Mathias Krause (Jul 01)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Jacob Bachmeyer (Jul 02)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Jeffrey Walton (Jul 03)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Jacob Bachmeyer (Jul 04)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Solar Designer (Jul 03)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Qualys Security Advisory (Jul 03)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Jeffrey Walton (Jul 03)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Qualys Security Advisory (Jul 03)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Solar Designer (Jul 28)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Yves-Alexis Perez (Jul 03)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Qualys Security Advisory (Jul 03)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Solar Designer (Jul 08)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Damien Miller (Jul 09)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Solar Designer (Jul 09)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Nick Tait (Jul 10)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Pete Allor (Jul 10)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Alan Coopersmith (Jul 10)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems Damien Miller (Jul 09)
- Re: CVE-2024-6387: RCE in OpenSSH's server, on glibc-based Linux systems jvoisin (Jul 01)
- CVE-2024-36387: Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2 Eric Covener (Jul 01)
- CVE-2024-38472: Apache HTTP Server on Windows UNC SSRF Eric Covener (Jul 01)
- CVE-2024-38473: Apache HTTP Server proxy encoding problem Eric Covener (Jul 01)
- CVE-2024-38474: Apache HTTP Server weakness with encoded question marks in backreferences Eric Covener (Jul 01)
- CVE-2024-38475: Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path. Eric Covener (Jul 01)
- CVE-2024-38476: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect Eric Covener (Jul 01)
- CVE-2024-38477: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request Eric Covener (Jul 01)
- CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy handler substitution Eric Covener (Jul 01)
- [OSSA-2024-001] OpenStack Cinder, Glance, Nova: Arbitrary file access through custom QCOW2 external data (CVE-2024-32498) Jeremy Stanley (Jul 02)
- Re: Ghostscript 10.03.1 (2024-05-02) fixed 5 CVEs including CVE-2024-33871 arbitrary code execution Thomas Rinsma (Jul 03)
- CVE-2024-39884: Apache HTTP Server: source code disclosure with handlers configured via AddType Eric Covener (Jul 03)
- CVE-2024-39844: ZNC modtcl RCE Martin Weinelt (Jul 03)
- CVE-2023-52168, CVE-2023-52169: buffer overflow, over-read vulnerabilities in the 7-Zip archiver Maxim Suhanov (Jul 03)
- [ANNOUNCE] Apache CloudStack LTS Security Releases 4.18.2.1 and 4.19.0.2 Abhishek Kumar (Jul 05)
- CVE-2024-37389: Apache NiFi: Improper Neutralization of Input in Parameter Context Description David Handermann (Jul 07)
- ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Will Dormann (Jul 08)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Florian Weimer (Jul 08)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Will Dormann (Jul 08)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch David A. Wheeler (Jul 08)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Florian Weimer (Jul 08)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Simon McVittie (Jul 08)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Will Dormann (Jul 08)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Yves-Alexis Perez (Jul 10)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Will Dormann (Jul 10)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Yves-Alexis Perez (Jul 11)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Yves-Alexis Perez (Jul 11)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Steffen Nurpmeso (Jul 10)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch David A. Wheeler (Jul 11)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Steffen Nurpmeso (Jul 12)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Jacob Bachmeyer (Jul 13)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Steffen Nurpmeso (Jul 13)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Demi Marie Obenour (Jul 14)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Steffen Nurpmeso (Jul 15)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Jacob Bachmeyer (Jul 14)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Steffen Nurpmeso (Jul 15)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Will Dormann (Jul 10)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Yves-Alexis Perez (Jul 29)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Will Dormann (Jul 30)
- Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch Florian Weimer (Jul 08)
- Django CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, and CVE-2024-39614 Natalia Bidart (Jul 09)
- CVE-2024-3596: RADIUS/UDP vulnerable to improved MD5 collision attack Alan Coopersmith (Jul 09)
- linux-distros application for CentOS Project's Hyperscale SIG Michel Lind (Jul 10)
- Re: linux-distros application for CentOS Project's Hyperscale SIG Demi Marie Obenour (Jul 10)
- Re: linux-distros application for CentOS Project's Hyperscale SIG Mark Esler (Jul 10)
- Re: linux-distros application for CentOS Project's Hyperscale SIG Michel Lind (Jul 11)
- Re: linux-distros application for CentOS Project's Hyperscale SIG Jonathan Wright (Jul 15)
- Re: linux-distros application for CentOS Project's Hyperscale SIG Solar Designer (Jul 23)
- Re: linux-distros application for CentOS Project's Hyperscale SIG Michel Lind (Jul 23)
- Re: linux-distros application for CentOS Project's Hyperscale SIG Mark Esler (Jul 10)
- Re: linux-distros application for CentOS Project's Hyperscale SIG Neil Hanlon (Jul 11)
- Re: linux-distros application for CentOS Project's Hyperscale SIG Demi Marie Obenour (Jul 10)
- Re: Fwd: Node.js security updates for all active release lines, July 2024 Solar Designer (Jul 11)
- Re: Fwd: Node.js security updates for all active release lines, July 2024 Yogesh Mittal (Jul 19)
- backtrace_symbols() misuse by Ceph and its supposedly-safe use Alexander Patrakov (Jul 12)
- Re: backtrace_symbols() misuse by Ceph and its supposedly-safe use Jacob Bachmeyer (Jul 13)
- Re: backtrace_symbols() misuse by Ceph and its supposedly-safe use Simon McVittie (Jul 13)
- CVE-2024-36522: Apache Wicket: Remote code execution via XSLT injection Martin Tzvetanov Grigorov (Jul 12)
- CVE-2023-41916: Apache Linkis DataSource: DatasourceManager module has a JDBC parameter judgment logic vulnerability that allows for arbitrary file reading Heping Wang (Jul 13)
- CVE-2023-49566: Apache Linkis DataSource: JDBC Datasource Module with DB2 has JNDI Injection vulnerability Heping Wang (Jul 13)
- CVE-2023-46801: Apache Linkis DataSource: Remote code execution vulnerability in apache Linkis 1.4.0 Heping Wang (Jul 13)
- CVE-2023-52290: Apache StreamPark (incubating): Unchecked SQL query fields trigger SQL injection vulnerability Huajie Wang (Jul 15)
- Xen Security Advisory 458 v2 (CVE-2024-31143) - double unlock in x86 guest IRQ handling Xen . org security team (Jul 16)
- Xen Security Advisory 459 v2 (CVE-2024-31144) - Xapi: Metadata injection attack against backup/restore functionality Xen . org security team (Jul 16)
- CVE-2024-39887: Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions Daniel Gaspar (Jul 16)
- CVE-2024-39863: Apache Airflow: Potential XSS Vulnerability Ephraim Anierobi (Jul 16)
- CVE-2024-39877: Apache Airflow: DAG Author Code Execution possibility in airflow-scheduler Ephraim Anierobi (Jul 16)
- Landlock news #4 Mickaël Salaün (Jul 16)
- CVE-2024-30471: Apache StreamPipes: Potential creation of multiple identical accounts Dominik Riemer (Jul 16)
- CVE-2024-31411: Apache StreamPipes: Potential remote code execution (RCE) via file upload Dominik Riemer (Jul 16)
- CVE-2024-31979: Apache StreamPipes: Possibility of SSRF in pipeline element installation process Dominik Riemer (Jul 16)
- CVE-2023-52291: Apache StreamPark (incubating): Unchecked maven build params could trigger remote command execution Huajie Wang (Jul 17)
- CVE-2024-29737: Apache StreamPark (incubating): maven build params could trigger remote command execution Huajie Wang (Jul 17)
- [kubernetes] CVE-2024-5321: Incorrect permissions on Windows containers logs Craig Ingram (Jul 17)
- CVE-2024-29120: Apache StreamPark: Information leakage vulnerability Huajie Wang (Jul 17)
- Python Infrastructure Admin Token Leaked Through Docker Hub Andrii Polkovnychenko [EXT] (Jul 17)
- CVE-2024-40725: Apache HTTP Server: source code disclosure with handlers configured via AddType Eric Covener (Jul 17)
- CVE-2024-40898: Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows Eric Covener (Jul 17)
- CVE-2024-29178: Apache StreamPark: FreeMarker SSTI RCE Vulnerability Huajie Wang (Jul 18)
- CVE-2024-29736: Apache CXF: SSRF vulnerability via WADL stylesheet parameter Colm O hEigeartaigh (Jul 18)
- CVE-2024-32007: Apache CXF Denial of Service vulnerability in JOSE Colm O hEigeartaigh (Jul 18)
- CVE-2024-41172: Unrestricted memory consumption in CXF HTTP clients Colm O hEigeartaigh (Jul 18)
- [ANNOUNCE] Apache CloudStack CVE-2024-41107: SAML Signature Exclusion Abhishek Kumar (Jul 19)
- CVE-2024-41107: Apache CloudStack: SAML Signature Exclusion Rohit Yadav (Jul 19)
- CVE-2024-23321: Apache RocketMQ: Unauthorized Exposure of Sensitive Data Rongtong Jin (Jul 22)
- CVE-2024-34457: Apache StreamPark IDOR Vulnerability Huajie Wang (Jul 22)
- CVE-2024-38503: Apache Syncope: HTML tags can be injected into Console or Enduser text fields Francesco Chicchiriccò (Jul 22)
- CVE-2024-29070: Apache StreamPark: session not invalidated after logout Huajie Wang (Jul 22)
- GNU C Library version 2.40 released with 5 CVE fixes Alan Coopersmith (Jul 22)
- ISC has disclosed four vulnerabilities in BIND 9 (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076) Aram Sargsyan (Jul 23)
- Re: ISC has disclosed four vulnerabilities in BIND 9 (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076) Valtteri Vuorikoski (Jul 31)
- [OSSA-2024-002] OpenStack Nova: Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors (CVE-2024-40767) Jeremy Stanley (Jul 23)
- CVE-2024-41178: Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files Andrew Lamb (Jul 23)
- CVE-2024-39676: Apache Pinot: Unauthorized endpoint exposed sensitive information Yupeng Fu (Jul 23)
- [SECURITY ADVISORY] curl: CVE-2024-6197: freeing stack buffer in utf8asn1str Daniel Stenberg (Jul 23)
- Re: [SECURITY ADVISORY] curl: CVE-2024-6197: freeing stack buffer in utf8asn1str Demi Marie Obenour (Jul 24)
- [SECURITY ADVISORY] curl: CVE-2024-6874: macidn punycode buffer overread Daniel Stenberg (Jul 23)
- CVE-2023-48362: Apache Drill: XXE Vulnerability in XML Format Reader James Turton (Jul 24)
- linux kernel: virtio-net host dos John Haxby (Jul 24)
- Re: linux kernel: virtio-net host dos Salvatore Bonaccorso (Jul 27)
- [ANNOUNCE] Apache Traffic Server is vulnerable to request smuggling and DoS Masakazu Kitajo (Jul 25)
- CVE-2024-25090: Apache Roller: Insufficient input validation for some user profile and bookmark fields when Roller in untested-users mode David M. Johnson (Jul 25)
- GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Alan Coopersmith (Jul 26)
- Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Solar Designer (Jul 26)
- Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Alan Coopersmith (Jul 26)
- Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Solar Designer (Jul 28)
- Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Florian Weimer (Jul 29)
- Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Alan Coopersmith (Jul 26)
- Re: GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow Solar Designer (Jul 26)
- Fwd: [Security-announce] [CVE-2024-3219] Pure-Python fallback of socket.socketpair() doesn’t authenticate peer connection Alan Coopersmith (Jul 29)
- CVE-2023-48396: Apache SeaTunnel Web: Authentication bypass Jun Gao (Jul 30)
- [SECURITY ADVISORY] curl: CVE-2024-7264 ASN.1 date parser overread Daniel Stenberg (Jul 31)
- [vim-security] use-after-free in tagstack_clear_entry() in Vim < v9.1.0647 Christian Brabandt (Aug 01)
- [vim-security] double-free in dialog_changed() in Vim < v9.1.0648 Christian Brabandt (Aug 01)
- CPython CVE-2024-6923: Email header injection due to unquoted newlines Alan Coopersmith (Aug 01)
- Re: CPython CVE-2024-6923: Email header injection due to unquoted newlines Hanno Böck (Aug 01)
- Neat VNC Security Vulnerability Andri Yngvason (Aug 01)
- Re: Neat VNC Security Vulnerability Solar Designer (Aug 02)
- RE: Neat VNC Security Vulnerability Dane Bouchie (Aug 02)
- Re: Neat VNC Security Vulnerability Solar Designer (Aug 02)
- Re: Neat VNC Security Vulnerability Andri Yngvason (Aug 02)
- RE: Neat VNC Security Vulnerability Dane Bouchie (Aug 02)
- <Possible follow-ups>
- RE: Neat VNC Security Vulnerability Dane Bouchie (Aug 02)
- Re: Neat VNC Security Vulnerability Salvatore Bonaccorso (Aug 03)
- Re: Neat VNC Security Vulnerability Solar Designer (Aug 02)
- CVE-2024-27181: Apache Linkis Basic management services: Privilege Escalation Attack vulnerability Heping Wang (Aug 02)
- CVE-2024-27182: Apache Linkis Basic management services: Engine material management Arbitrary file deletion vulnerability Heping Wang (Aug 02)
- CVE-2024-36268: Apache InLong TubeMQ Client: Remote Code Execution vulnerability Charles Zhang (Aug 02)
- CVE-2024-38856: Apache OFBiz: Unauthenticated endpoint could allow execution of screen rendering code Jacques Le Roux (Aug 04)
- CVE-2024-42447: Apache Airflow Providers FAB: FAB provider 1.2.1 and 1.2.0 did not let user to logout for Airflow Jarek Potiuk (Aug 04)
- CVE-2024-36448: Apache IoTDB Workbench: SSRF Vulnerability (EOL) Haonan Hou (Aug 05)
- feedback requested regarding deprecation of TLS 1.0/1.1 Neil Horman (Aug 06)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Marco Moock (Aug 06)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Stuart Henderson (Aug 06)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Marco Moock (Aug 06)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Bob Friesenhahn (Aug 07)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso (Aug 07)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jeffrey Walton (Aug 08)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso (Aug 08)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Neil Horman (Aug 06)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Demi Marie Obenour (Aug 06)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Chad Sheridan (Aug 07)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jeffrey Walton (Aug 07)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Dan Kegel (Aug 07)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Demi Marie Obenour (Aug 07)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 niekt0 (Aug 07)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Solar Designer (Aug 07)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Pat Gunn (Aug 07)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso (Aug 07)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Clemens Lang (Aug 08)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso (Aug 08)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 steffen (Aug 08)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Peter Gutmann (Aug 09)
- Re: collision confounders (was: feedback requested regarding deprecation of TLS 1.0/1.1) Jacob Bachmeyer (Aug 16)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Demi Marie Obenour (Aug 08)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Clemens Lang (Aug 08)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer (Aug 09)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jens Timmerman (Aug 09)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Marco Moock (Aug 07)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Stuart Henderson (Aug 06)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Clemens Lang (Aug 06)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Demi Marie Obenour (Aug 06)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Alex Gaynor (Aug 06)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Neil Horman (Aug 07)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jan Engelhardt (Aug 06)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Duncan Grisby (Aug 08)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Mike O'Connor (Aug 14)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Pat Gunn (Aug 14)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer (Aug 15)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Pat Gunn (Aug 14)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Hanno Böck (Aug 15)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Peter Gutmann (Aug 15)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer (Aug 16)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jeffrey Walton (Aug 16)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer (Aug 17)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Peter Gutmann (Aug 18)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer (Aug 19)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso (Aug 20)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer (Aug 20)
- Re: feedback requested regarding deprecation of TLS 1.0/1.1 Marco Moock (Aug 06)
- Django CVE-2024-41989, CVE-2024-41990, CVE-2024-41991, and CVE-2024-42005 Sarah Boyce (Aug 06)
- Tracking down a lost CVE request (MITRE) Michael Orlitzky (Aug 06)
- Re: Tracking down a lost CVE request (MITRE) Mark Esler (Aug 14)
- Re: Tracking down a lost CVE request (MITRE) Michael Orlitzky (Aug 14)
- Re: Tracking down a lost CVE request (MITRE) Mark Esler (Aug 14)
- CVE-2024-42062: Apache CloudStack: User Key Exposure to Domain Admins Rohit Yadav (Aug 06)
- CVE-2024-42222: Apache CloudStack: Unauthorised Network List Access Rohit Yadav (Aug 06)
- Multiple vulnerabilities in Jenkins Daniel Beck (Aug 07)
- KL-001-2024-005: Open WebUI Stored Cross-Site Scripting KoreLogic Disclosures (Aug 08)
- KL-001-2024-006: Open WebUI Arbitrary File Upload + Path Traversal KoreLogic Disclosures (Aug 08)
- CVE-2024-41890: Apache Answer: The link to reset the user's password will remain valid after sending a new link Enxin Xie (Aug 09)
- CVE-2024-41888: Apache Answer: The link for resetting user password is not Single-Use Enxin Xie (Aug 09)
- CVE-2024-29831: Apache DolphinScheduler: RCE by arbitrary js execution ShunFeng Cai (Aug 09)
- CVE-2024-30188: Apache DolphinScheduler: Resource File Read And Write Vulnerability ShunFeng Cai (Aug 09)
- CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL Solar Designer (Aug 11)
- CVE-2024-42008 and more: XSS vulnerabilities in Roundcube webmail Valtteri Vuorikoski (Aug 12)
- CVE-2024-41909: Apache MINA SSHD: integrity check bypass Arnout Engelen (Aug 12)
- Xen Security Advisory 460 v2 (CVE-2024-31145) - error handling in x86 IOMMU identity mapping Xen . org security team (Aug 14)
- Xen Security Advisory 461 v2 (CVE-2024-31146) - PCI device pass-through with shared resources Xen . org security team (Aug 14)
- CVE-2024-7347: nginx: ngx_http_mp4_module: Worker process crash by using a specially crafted mp4 file Solar Designer (Aug 14)
- flatpak CVE-2024-42472: Access to files outside sandbox for apps using persistent= (--persist) Simon McVittie (Aug 14)
- Dovecot CVE-2024-23184: Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive Aki Tuomi (Aug 15)
- Dovecot CVE-2024-23185: Very large headers can cause resource exhaustion when parsing message Aki Tuomi (Aug 15)
- [vim-security] use-after-free in alist_add() in Vim < v9.1.0678 Christian Brabandt (Aug 15)
- Heads-up: there are two versions of Intel microcode update IPU 2024.3 Samuel Verschelde (Aug 16)
- [kubernetes] CVE-2024-7646: Ingress-nginx Annotation Validation Bypass Craig Ingram (Aug 16)
- Unbound 1.21.0 released with multiple security fixes Alan Coopersmith (Aug 16)
- AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024) David A. Wheeler (Aug 16)
- Re: AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024) Alfredo Ortega (Aug 17)
- Re: AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024) David A. Wheeler (Aug 19)
- Re: AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024) Alfredo Ortega (Aug 17)
- WebKitGTK and WPE WebKit Security Advisory WSA-2024-0004 Adrian Perez de Castro (Aug 16)
- Landlock Houdini fix: CVE-2024-42318 Mickaël Salaün (Aug 17)
- CVE-2024-43202: Apache DolphinScheduler: Remote Code Execution Vulnerability ShunFeng Cai (Aug 20)
- CVE-2024-22281: Apache Helix Front (UI): Helix front hard-coded secret in the express-session Junkai Xue (Aug 20)
- CVE-2023-49198: Apache SeaTunnel Web: Arbitrary file read vulnerability Jun Gao (Aug 21)
- CVE-2024-41937: Apache Airflow: Stored XSS Vulnerability on provider link Ephraim Anierobi (Aug 21)
- CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Alan Coopersmith (Aug 22)
- Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman (Aug 22)
- Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman (Aug 23)
- Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman (Aug 23)
- Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman (Aug 23)
- Re: CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman (Aug 22)
- gh:facebook/rocksdb v9.5.2 - SupplyChainAttackPoC for Meta BB Andreas Stieger (Aug 22)
- [vim-security] heap-buffer-overflow in do_search() in Vim < 9.1.0689 Christian Brabandt (Aug 22)
- [vim-security] heap-buffer-overflow in ins_typebuf() in Vim < 9.1.0697 Christian Brabandt (Aug 25)
- CVE-2023-49582: Apache Portable Runtime (APR): Unexpected lax shared memory permissions Eric Covener (Aug 26)
- [vim-security] heap-buffer-overflow in Vim > 9.1.0038 && < 9.1.0707 Christian Brabandt (Aug 31)
- Linux kernel: memory leak in arch/powerpc/platforms/powernv/opal-irqchip.c: opal_event_init() 2639161967 (Sep 02)
- Re: Linux kernel: memory leak in arch/powerpc/platforms/powernv/opal-irqchip.c: opal_event_init() Solar Designer (Sep 02)
- Re: Linux kernel: memory leak in arch/powerpc/platforms/powernv/opal-irqchip.c: opal_event_init() Michael Ellerman (Sep 06)
- Re: Linux kernel: memory leak in arch/powerpc/platforms/powernv/opal-irqchip.c: opal_event_init() Solar Designer (Sep 02)
- CVE-2024-45310: runc can be tricked into creating empty files/directories on host Aleksa Sarai (Sep 02)
- Re: CVE-2024-45310: runc can be tricked into creating empty files/directories on host Mike O'Connor (Sep 03)
- <Possible follow-ups>
- Re: CVE-2024-45310: runc can be tricked into creating empty files/directories on host Aleksa Sarai (Sep 04)
- Django CVE-2024-45230 and CVE-2024-45231 Natalia Bidart (Sep 03)
- CVE-2024-6119: OpenSSL: Possible denial of service in X.509 name checks Tomas Mraz (Sep 03)
- CPython: [CVE-2024-6232] Regular-expression DoS when parsing TarFile headers Alan Coopersmith (Sep 03)
- CVE-2024-45195: Apache OFBiz: Confused controller-view authorization logic (forced browsing) Jacques Le Roux (Sep 03)
- CVE-2024-45507: Apache OFBiz: Prevent use of URLs in files when loading them from Java or Groovy, leading to a RCE Jacques Le Roux (Sep 03)
- Webmin UDP/10000 discovery service Loop DoS (COK-2024-05-05) Sergei G (Sep 04)
- CVE-2024-43402: Rust before 1.81.0 didn't fully fix argument escaping for batch files Pietro Albini (Sep 04)
- [OSSA-2024-003] OpenStack Ironic: Unvalidated image data passed to qemu-img (CVE-2024-44082) Brian Rosmaita (Sep 04)
- Go 1.23.1 and Go 1.22.7 released with 3 security fixes Alan Coopersmith (Sep 05)
- CVE-2024-45498: Apache Airflow: Command Injection in an example DAG Ephraim Anierobi (Sep 06)
- CVE-2024-45034: Apache Airflow: Authenticated DAG authors could execute code on scheduler nodes Ephraim Anierobi (Sep 06)
- CVE-2024-7012, CVE-2024-7923: Authentication bypass in Foreman & Pulpcore Christian Hoffmann (Sep 06)
- libpcap 1.10.5 released with two security fixes Alan Coopersmith (Sep 06)
- CVE-2024-45751: CHAP authentication bypass in user-space Linux target framework (tgt) up to v1.0.92 David Gstir (Sep 07)
- Security fixes available in Python 3.13.0RC2, 3.12.6, 3.11.10, 3.10.15, 3.9.20, and 3.8.20 Alan Coopersmith (Sep 07)
- CVE-2024-6655 Library injection from CWD in GTK-2/GTK-3 Dimitrios Glynos (Sep 09)
- [SECURITY ADVISORY] curl: CVE-2024-8096: OCSP stapling bypass with GnuTLS Daniel Stenberg (Sep 10)
- CVE-2024-22399: Apache Seata: Remote Code Execution vulnerability via Hessian Deserialization in Apache Seata Server Min Ji (Sep 11)
- CVE-2024-45384: Apache Druid: Padding oracle in druid-pac4j extension that allows an attacker to manipulate a pac4j session cookie via Padding Oracle Attack Karan Kumar (Sep 17)
- CVE-2024-45537: Apache Druid: Users can provide MySQL JDBC properties not on allow list Karan Kumar (Sep 17)
- Performance Co-Pilot (PCP): pmcd network daemon security issues and review results (CVE-2024-45769), (CVE-2024-45770) Matthias Gerstner (Sep 20)
- CVE-2024-42323: Apache HertzBeat: RCE by snakeYaml deser load malicious xml Chao Gong (Sep 21)
- CVE-2024-46544: Apache Tomcat Connectors: mod_jk: local users can view and modify configuration Mark Thomas (Sep 23)
- CVE-2024-38286: Apache Tomcat: Denial of Service Mark Thomas (Sep 23)
- Xen Security Advisory 462 v2 (CVE-2024-45817) - x86: Deadlock in vlapic_error() Xen . org security team (Sep 24)
- CVE-2024-39928: Apache Linkis Spark EngineConn: Commons Lang's RandomStringUtils Random string security vulnerability Heping Wang (Sep 24)
- CVE-2024-42154: Linux kernel: tcp_metrics: validate source addr length Joel GUITTET (Sep 24)
- Re: CVE-2024-42154: Linux kernel: tcp_metrics: validate source addr length Solar Designer (Sep 24)
- Re: CVE-2024-42154: Linux kernel: tcp_metrics: validate source addr length Sandipan Roy (Sep 25)
- Re: CVE-2024-42154: Linux kernel: tcp_metrics: validate source addr length Solar Designer (Sep 24)
- CVE-2024-23454: Apache Hadoop: Temporary File Local Information Disclosure Shilun Fan (Sep 24)
- CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Enxin Xie (Sep 25)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Solar Designer (Sep 25)
- RE: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Goldberg, Adam (Sep 25)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Jeffrey Walton (Sep 25)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses LinkinStar (Sep 26)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Solar Designer (Sep 26)
- RE: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Goldberg, Adam (Sep 25)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Demi Marie Obenour (Sep 25)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Alexander Patrakov (Sep 27)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Fabian Bäumer (Sep 27)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Sam Bull (Sep 27)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Alexander Patrakov (Sep 27)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Fabian Bäumer (Sep 26)
- Re: CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Solar Designer (Sep 25)
- WebKitGTK and WPE WebKit Security Advisory WSA-2024-0005 Adrian Perez de Castro (Sep 25)
- CVE-2024-47197: Maven Archetype Plugin: Maven Archetype integration-test may package local settings into the published artifact, possibly containing credentials Slawomir Jaranowski (Sep 26)
- CUPS printing system vulnerabilities Solar Designer (Sep 26)
- Re: CUPS printing system vulnerabilities Alan Coopersmith (Sep 26)
- Re: CUPS printing system vulnerabilities Solar Designer (Sep 26)
- Re: CUPS printing system vulnerabilities Zdenek Dohnal (Sep 26)
- Re: CUPS printing system vulnerabilities Michael Sweet (Sep 26)
- Re: CUPS printing system vulnerabilities Mark Esler (Sep 26)
- Re: CUPS printing system vulnerabilities Solar Designer (Sep 26)
- Re: CUPS printing system vulnerabilities Will Dormann (Sep 27)
- Re: CUPS printing system vulnerabilities Alan Coopersmith (Sep 26)
- Re: List linux CVEs for a given stable release? Greg Kroah-Hartman (Sep 27)
- CVE-2024-45772: Apache Lucene Replicator: Deserialization of Untrusted Data Robert Muir (Sep 28)