oss-sec: by thread

• RSS Feed
• About List
• All Lists

Previous period

Next period

289 messages starting Apr 01 25 and ending Jun 30 25
Date index | Thread index | Author index

• Linux kernel: CVE-2024-57882 fix did not prevent data stream corruption in the MPTCP protocol Arthur Mongodin (Apr 01)
  • Re: Linux kernel: CVE-2024-57882 fix did not prevent data stream corruption in the MPTCP protocol Solar Designer (Apr 01)
• CVE-2025-30177: Apache Camel: Camel-Undertow Message Header Injection via Improper Filtering Andrea Cosentino (Apr 01)
• CVE-2025-30676: Apache OFBiz: Stored XSS Vulnerability Jacques Le Roux (Apr 01)
• Re: CVE-2025-29868: Apache Answer: Using externally referenced images can leak user privacy. Jacob Bachmeyer (Apr 01)
  • Re: CVE-2025-29868: Apache Answer: Using externally referenced images can leak user privacy. LinkinStar (Apr 10)
• CVE-2025-27556: Django: Potential DoS in LoginView, LogoutView, and set_language() on Windows Natalia Bidart (Apr 02)
• Multiple vulnerabilities in Jenkins and Jenkins plugins Kevin Guerroudj (Apr 02)
• [ANNOUNCE] ATS is vulnerable to request smuggling via chunked messages Masakazu Kitajo (Apr 02)
• CVE-2025-2704 - OpenVPN 2.6.1 through 2.6.13 with possible DoS David Sommerseth (Apr 02)
• XZ Utils: Threaded decoder frees memory too early (CVE-2025-31115) Sam James (Apr 03)
  • Re: XZ Utils: Threaded decoder frees memory too early (CVE-2025-31115) Sam James (Apr 03)
    • Re: XZ Utils: Threaded decoder frees memory too early (CVE-2025-31115) Sam James (Apr 03)
• CVE-2025-3155 GNOME Yelp: Arbitrary file read by abusing ghelp scheme Alan Coopersmith (Apr 04)
• CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection Elad Kalif (Apr 04)
  • Re: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection Hanno Böck (Apr 06)
    • Re: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection Solar Designer (Apr 06)
    • Re: CVE-2025-30473: Apache Airflow Common SQL Provider: Remote Code Execution via Sql Injection Jeffrey Walton (Apr 06)
• pgAdmin 4 v9.2 fixes CVE-2025-2945 & CVE-2025-2946 Alan Coopersmith (Apr 04)
• CVE-2025-22871 : Go net/http: request smuggling through invalid chunked data Alan Coopersmith (Apr 04)
• PowerDNS Recursor Security Advisory 2025-01 regarding PowerDNS Recusor 5.2.0 Otto Moerbeek (Apr 07)
• WebKitGTK and WPE WebKit Security Advisory WSA-2025-0003 Adrian Perez de Castro (Apr 07)
• CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. 李亚杰 (Apr 07)
  • Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Mingcong Bai (Apr 07)
  • Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Hanno Böck (Apr 07)
    • Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. 李亚杰 (Apr 08)
  • Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Bernhard Rosenkränzer (Apr 07)
  • Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Sebastian Pipping (Apr 09)
    • Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Bernhard Rosenkränzer (Apr 09)
      • Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Sebastian Pipping (Apr 09)
• CVE-2025-31672: Apache POI: parsing OOXML based files (xlsx, docx, etc.), poi-ooxml could read unexpected data if underlying zip has duplicate zip entry names PJ Fanning (Apr 08)
• CVE-2025-31498: c-ares use-after-free Brad House (Apr 08)
• Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Apr 08)
• CVE-2025-30215: nats-server: Missing access controls for JS API Phil Pennock (Apr 08)
• Announce: OpenSSH 10.0 released Damien Miller (Apr 09)
  • <Possible follow-ups>
  • Re: Announce: OpenSSH 10.0 released Damien Miller (Apr 09)
• CVE-2025-30677: Apache Pulsar IO Kafka Connector, Apache Pulsar IO Kafka Connect Adaptor: Sensitive information logged in Pulsar's Apache Kafka Connectors Lari Hotari (Apr 09)
• CVE-2025-27391: Apache ActiveMQ Artemis: Passwords leaking from broker properties in the debug log Domenico Francesco Bruscino (Apr 09)
• xmlrpc-c bundles a (very old and) vulnerable copy of libexpat Sebastian Pipping (Apr 09)
• Vulnerabilities in Jenkins Docker images Daniel Beck (Apr 10)
• CVE-2024-50217: Linux kernel: btrfs: Use-after-free of block device file in __btrfs_free_extra_devids() akendo () akendo eu (Apr 10)
  • Re: CVE-2024-50217: Linux kernel: btrfs: Use-after-free of block device file in __btrfs_free_extra_devids() Greg KH (Apr 10)
  • Re: CVE-2024-50217: Linux kernel: btrfs: Use-after-free of block device file in __btrfs_free_extra_devids() Demi Marie Obenour (Apr 10)
• CVE-2025-24859: Apache Roller: Insufficient Session Expiration on Password Change David M. Johnson (Apr 11)
• CVE-2025-32896: Apache SeaTunnel: Unauthenticated insecure access Hailin Wang (Apr 12)
• Security audit of PHP Alan Coopersmith (Apr 12)
  • Re: Security audit of PHP Solar Designer (Apr 12)
• Re: CVE-2025-0395: Buffer overflow in the GNU C Library's assert() Solar Designer (Apr 12)
  • Re: CVE-2025-0395: Buffer overflow in the GNU C Library's assert() Qualys Security Advisory (Apr 24)
• CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes Stig Palmquist (Apr 13)
  • Re: CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes Solar Designer (Apr 13)
    • Re: CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes Stig Palmquist (Apr 13)
• CVE-2024-56736: Apache HertzBeat (incubating): Server-Side Request Forgery (SSRF) in Api Config Oss Chao Gong (Apr 16)
• CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH Fabian Bäumer (Apr 16)
  • Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH Solar Designer (Apr 17)
  • Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH Fabian Bäumer (Apr 18)
    • Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH Solar Designer (Apr 18)
      • Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH Fabian Bäumer (Apr 19)
• CVE program averts swift end Rolf Reintjes (Apr 16)
  • Re: CVE program averts swift end Marco Moock (Apr 16)
    • Re: CVE program averts swift end Jan Klopper (Apr 17)
  • Re: CVE program averts swift end Brian Behlendorf (Apr 16)
    • Re: CVE program averts swift end Alan Coopersmith (Apr 16)
      • Re: CVE program averts swift end Olle E. Johansson (Apr 17)
• Multiple vulnerabilities in libxml2 Nick Wellnhofer (Apr 17)
  • Re: Multiple vulnerabilities in libxml2 Solar Designer (Apr 17)
    • Re: Multiple vulnerabilities in libxml2 Nick Wellnhofer (Apr 17)
• CVE-2025-29953: Apache ActiveMQ NMS OpenWire Client: deserialization allowlist bypass Arnout Engelen (Apr 18)
• A bowlful of bugs in GNOME's libsoup Alan Coopersmith (Apr 18)
• libarchive 3.7.8 fixed CVE-2024-57970, CVE-2025-1632, & CVE-2025-25724 Alan Coopersmith (Apr 18)
• 3 new CVE's in old branch of GNU mailman Alan Coopersmith (Apr 21)
  • Re: 3 new CVE's in old branch of GNU mailman Valtteri Vuorikoski (Apr 21)
    • Re: 3 new CVE's in old branch of GNU mailman Thomas Ward (Apr 21)
      • Re: 3 new CVE's in old branch of GNU mailman Valtteri Vuorikoski (Apr 21)
      • Re: 3 new CVE's in old branch of GNU mailman Jim P. (Apr 21)
  • Re: 3 new CVE's in old branch of GNU mailman Mats Wichmann (Apr 21)
    • Re: 3 new CVE's in old branch of GNU mailman Russ Allbery (Apr 21)
  • <Possible follow-ups>
  • Re: 3 new CVE's in old branch of GNU mailman Jeremy Reeder (May 08)
• CVE-2025-26413: Apache Kvrocks: The server was crashed by the negative offset Hulk Lin (Apr 22)
• vulnerabilities in busybox tar and cpio tools Ian Norton (Apr 23)
  • Re: vulnerabilities in busybox tar and cpio tools Ricardo Branco (Apr 23)
    • Re: vulnerabilities in busybox tar and cpio tools Salvatore Bonaccorso (Apr 23)
      • Re: vulnerabilities in busybox tar and cpio tools Albert Veli (Apr 24)
      • Re: [EXTERNAL] Re: [oss-security] vulnerabilities in busybox tar and cpio tools Ian Norton (Apr 24)
      • Re: vulnerabilities in busybox tar and cpio tools Demi Marie Obenour (Apr 24)
      • Re: vulnerabilities in busybox tar and cpio tools Solar Designer (Apr 24)
      • Re: vulnerabilities in busybox tar and cpio tools Demi Marie Obenour (Apr 25)
  • Re: vulnerabilities in busybox tar and cpio tools Jakub Wilk (Apr 23)
    • Re: [EXTERNAL] Re: [oss-security] vulnerabilities in busybox tar and cpio tools Ian Norton (Apr 24)
  • Re: vulnerabilities in busybox tar and cpio tools Salvatore Bonaccorso (Apr 23)
• CVE-2025-23016: Integer & buffer overflow in fastcgi < 2.4.5 Alan Coopersmith (Apr 23)
• CVE-2025-3512: Qt Base QTextMarkdownImporter Front Matter Buffer Overflow 田世林 (Apr 24)
  • Re: CVE-2025-3512: Qt Base QTextMarkdownImporter Front Matter Buffer Overflow Solar Designer (Apr 24)
    • Re: CVE-2025-3512: Qt Base QTextMarkdownImporter Front Matter Buffer Overflow Jakub Wilk (Apr 24)
      • Re: CVE-2025-3512: Qt Base QTextMarkdownImporter Front Matter Buffer Overflow Solar Designer (Apr 24)
      • Re: CVE-2025-3512: Qt Base QTextMarkdownImporter Front Matter Buffer Overflow Jacob Bachmeyer (Apr 25)
• CVE-2024-56430: openfhe: OpenFHE through 1.2.3 has a NULL pointer dereference bug xiaolin (Apr 25)
• CVE-2024-56431: libtheora: incorrect bitwise shift in huffdec.c xiaolin (Apr 25)
  • Re: CVE-2024-56431: libtheora: incorrect bitwise shift in huffdec.c Solar Designer (Apr 25)
• Re: Trailing dot in Cygwin filenames [was: failed to clone iptables,ipset,nftables] Jan Engelhardt (Apr 25)
  • Re: Re: Trailing dot in Cygwin filenames [was: failed to clone iptables,ipset,nftables] Werner Koch (Apr 28)
• CVE-2025-31650: Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame Mark Thomas (Apr 28)
• CVE-2025-31651: Apache Tomcat: Bypass of rules in Rewrite Valve Mark Thomas (Apr 28)
• PowerDNS Security Advisory 2025-02: Denial of service via crafted DoH exchange Remi Gacogne (Apr 29)
• CVE-2025-46762: Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when reading an Avro schema from a Parquet file metadata Gang Wu (May 02)
• CVE-2025-47153: out-of-bounds access in some 32-bit builds of Node.js Alan Coopersmith (May 02)
• CVE-2025-27533: Apache ActiveMQ: Unchecked buffer length can cause excessive memory allocation Christopher L. Shannon (May 06)
• Go 1.24.3 fixes CVE-2025-22873: os: Root permits access to parent directory Alan Coopersmith (May 06)
• Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 Alan Coopersmith (May 06)
• CVE-2025-32873: Django: Denial-of-service possibility in strip_tags() Natalia Bidart (May 07)
• OSSA-2025-001 / CVE-2025-44021: OpenStack Ironic fails to restrict paths used for file:// image URLs Jay Faulkner (May 08)
• Fwd: Node.js security updates for all active release lines, May 2025 Rafael Gonzaga (May 08)
  • Re: Fwd: Node.js security updates for all active release lines, May 2025 Solar Designer (May 08)
  • <Possible follow-ups>
  • Fwd: Node.js security updates for all active release lines, May 2025 Rafael Gonzaga (May 14)
    • Re: Fwd: Node.js security updates for all active release lines, May 2025 Solar Designer (May 14)
    • Re: Fwd: Node.js security updates for all active release lines, May 2025 Yogesh Mittal (May 15)
• CVE-2025-1948 & CVE-2024-13009: DoS and infoleak in Jetty Valtteri Vuorikoski (May 09)
• CVE-2025-46392: Apache Commons Configuration: StackOverflowError loading untrusted configuration Arnout Engelen (May 09)
• CVE-2025-4207: PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation Alan Coopersmith (May 09)
• Dropbear SSH 2025.88 fixes CVE-2025-47203 Alan Coopersmith (May 09)
  • Re: Dropbear SSH 2025.88 fixes CVE-2025-47203 Albert Veli (May 12)
    • Re: Dropbear SSH 2025.88 fixes CVE-2025-47203 Matt Johnston (May 12)
      • Re: Dropbear SSH 2025.88 fixes CVE-2025-47203 Albert Veli (May 13)
      • Re: Dropbear SSH 2025.88 fixes CVE-2025-47203 Dave Hart (May 13)
• screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) Matthias Gerstner (May 12)
  • Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) Dr. Thomas Orgis (May 13)
    • Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) Dr. Thomas Orgis (May 13)
      • Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) Simon McVittie (May 13)
    • Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) Matthias Gerstner (May 14)
  • Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) Mark Esler (May 13)
    • Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) Matthias Gerstner (May 14)
      • Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) Stuart Henderson (May 15)
      • Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) Matthias Gerstner (May 16)
  • Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) Jan Schaumann (May 16)
    • Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) Eli Schwartz (May 16)
      • Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) Taylor R Campbell (May 16)
      • Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) Eli Schwartz (May 16)
      • Re: describing affected systems (was: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations)) Jacob Bachmeyer (May 16)
      • Re: describing affected systems (was: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations)) Jan Schaumann (May 17)
      • Re: describing affected systems (was: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations)) Taylor R Campbell (May 17)
      • Re: describing affected systems Eli Schwartz (May 18)
• CVE-2025-22247 - Insecure file handling vulnerability in open-vm-tools VMware PSIRT (May 12)
  • Re: CVE-2025-22247 - Insecure file handling vulnerability in open-vm-tools Solar Designer (May 12)
• CVE-2025-27696: Apache Superset: Improper authorization leading to resource ownership takeover Daniel Gaspar (May 12)
• Xen Security Advisory 469 v1 - x86: Indirect Target Selection Xen . org security team (May 12)
• Xen Security Advisory 469 v2 (CVE-2024-28956) - x86: Indirect Target Selection Xen . org security team (May 12)
• CVE-2025-47436: Apache ORC: Potential Heap Buffer Overflow during C++ LZO Decompression Dongjoon Hyun (May 13)
• VSV00016: Varnish Cache 6.0, 7.6, 7.7 - Request Smuggling Attack Asad Ahmed (May 13)
  • Re: VSV00016: Varnish Cache 6.0, 7.6, 7.7 - Request Smuggling Attack Marco Benatto (May 13)
  • Re: VSV00016: Varnish Cache 6.0, 7.6, 7.7 - Request Smuggling Attack Asad Ahmed (May 15)
• Xen Security Notice 3 (CVE-2024-45332) Intel Branch Privilege Injection Andrew Cooper (May 13)
• EU Vulnerability Database Graeme Fowler (May 13)
  • Re: EU Vulnerability Database Stuart Henderson (May 13)
    • Re: EU Vulnerability Database Stuart Henderson (May 13)
    • Re: EU Vulnerability Database Rolf Reintjes (May 13)
      • Re: EU Vulnerability Database gmane.io (May 14)
  • Re: EU Vulnerability Database Solar Designer (May 13)
• CVE-2024-24780: Apache IoTDB: Remote Code Execution with untrusted URI of User-defined function Haonan Hou (May 13)
• CVE-2025-26795: Apache IoTDB JDBC driver: Exposure of Sensitive Information in IoTDB JDBC driver Haonan Hou (May 13)
• CVE-2025-26864: Apache IoTDB: Exposure of Sensitive Information in IoTDB OpenID Authentication Haonan Hou (May 13)
• Multiple vulnerabilities in Jenkins plugins Kevin Guerroudj (May 14)
• WebKitGTK and WPE WebKit Security Advisory WSA-2025-0004 Adrian Perez de Castro (May 15)
• CPython CVE-2025-4516: Use-after-free crash using bytes.decode("unicode_escape", error="ignore|replace") Alan Coopersmith (May 16)
  • Re: CPython CVE-2025-4516: Use-after-free crash using bytes.decode("unicode_escape", error="ignore|replace") Hanno Böck (May 19)
• The GNU C Library security advisories update for 2025-05-16 Carlos O'Donell (May 16)
  • Re: The GNU C Library security advisories update for 2025-05-16 Solar Designer (May 16)
    • RE: The GNU C Library security advisories update for 2025-05-16 Caveney, Seamus G (May 16)
• Landlock news #5 Mickaël Salaün (May 19)
• Xen Security Advisory 468 v3 (CVE-2025-27462,CVE-2025-27463,CVE-2025-27464) - WinPVDrivers: Excessive permissions on user-exposed devices Xen . org security team (May 27)
• CVE-2025-5278: Heap Buffer Overflow in GNU Coreutils sort Alan Coopersmith (May 27)
  • Re: CVE-2025-5278: Heap Buffer Overflow in GNU Coreutils sort Simon McVittie (May 29)
    • Re: CVE-2025-5278: Heap Buffer Overflow in GNU Coreutils sort Alan Coopersmith (May 29)
• CVE-2025-27526: Apache InLong: JDBC Vulnerability For URLEncode and backspace bypass Charles Zhang (May 27)
• CVE-2025-27522: Apache InLong: JDBC Vulnerability during verification processing Charles Zhang (May 27)
• CVE-2025-27528: Apache InLong: JDBC Vulnerability for Invisible Character Bypass Leading to Arbitrary File Read Charles Zhang (May 27)
• [SECURITY ADVISORY] curl: QUIC certificate check skip with wolfSSL Daniel Stenberg (May 27)
• [SECURITY ADVISORY] curl: No QUIC certificate pinning with wolfSSL Daniel Stenberg (May 27)
• CVE-2025-48734: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by default Gary D. Gregory (May 28)
• ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) Andrei Pavel (May 28)
  • Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) Matthias Gerstner (May 28)
    • Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) Jakub Wilk (May 28)
      • Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) Matthias Gerstner (May 30)
      • Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) Matthias Gerstner (May 30)
  • RE: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) Jounee Kim (May 28)
    • how to unsubscribe (Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)) Solar Designer (May 28)
• Local information disclosure in apport and systemd-coredump Qualys Security Advisory (May 29)
  • Re: Local information disclosure in apport and systemd-coredump Jelle van der Waa (Jun 02)
  • Re: Local information disclosure in apport and systemd-coredump Solar Designer (Jun 02)
    • Re: Local information disclosure in apport and systemd-coredump Vegard Nossum (Jun 03)
      • Re: Local information disclosure in apport and systemd-coredump Solar Designer (Jun 04)
      • Re: Local information disclosure in apport and systemd-coredump Solar Designer (Jun 05)
      • Re: Local information disclosure in apport and systemd-coredump Vegard Nossum (Jun 06)
    • Re: Local information disclosure in apport and systemd-coredump Marco Benatto (Jun 03)
      • Re: Local information disclosure in apport and systemd-coredump Solar Designer (Jun 04)
    • Re: Local information disclosure in apport and systemd-coredump David Fernandez Gonzalez (Jun 04)
      • Re: Local information disclosure in apport and systemd-coredump Solar Designer (Jun 04)
  • Re: Local information disclosure in apport and systemd-coredump Solar Designer (Jun 05)
    • Re: Local information disclosure in apport and systemd-coredump Zbigniew Jędrzejewski-Szmek (Jun 10)
      • Re: Local information disclosure in apport and systemd-coredump Solar Designer (Jun 14)
• CVE-2025-46701: Apache Tomcat: Security constraint bypass for CGI scripts Mark Thomas (May 29)
• CVE-2025-48912: Apache Superset: Improper authorization bypass on row level security via SQL Injection Daniel Gaspar (May 30)
• CVE-2025-40909: Perl threads have a working directory race condition where file operations may target unintended paths Stig Palmquist (May 30)
  • Re: CVE-2025-40909: Perl threads have a working directory race condition where file operations may target unintended paths Florian Weimer (Jun 02)
    • Re: CVE-2025-40909: Perl threads have a working directory race condition where file operations may target unintended paths Leon Timmermans (Jun 02)
      • Re: CVE-2025-40909: Perl threads have a working directory race condition where file operations may target unintended paths Florian Weimer (Jun 02)
      • Re: Re: CVE-2025-40909: Perl threads have a working directory race condition where file operations may target unintended paths Vincent Lefevre (Jun 02)
      • Re: Re: CVE-2025-40909: Perl threads have a working directory race condition where file operations may target unintended paths Vincent Lefevre (Jun 02)
• Roundcube webmail: Post-Auth RCE via PHP Object Deserialization reported by firs0v Hanno Böck (Jun 01)
  • Re: Roundcube webmail: Post-Auth RCE via PHP Object Deserialization reported by firs0v Anton Luka Šijanec (Jun 02)
• Linux kernel: HFS+ filesystem implementation issues, exposure in distros Solar Designer (Jun 02)
  • Re: Linux kernel: HFS+ filesystem implementation issues, exposure in distros Demi Marie Obenour (Jun 02)
    • Re: Linux kernel: HFS+ filesystem implementation issues, exposure in distros Solar Designer (Jun 05)
      • Re: Linux kernel: HFS+ filesystem implementation issues, exposure in distros Attila Szasz (Jun 06)
      • Re: Linux kernel: HFS+ filesystem implementation issues, exposure in distros Simon McVittie (Jun 07)
      • Re: Linux kernel: HFS+ filesystem implementation issues, exposure in distros Marc Deslauriers (Jun 11)
      • Re: Linux kernel: HFS+ filesystem implementation issues, exposure in distros Simon McVittie (Jun 11)
      • Re: Linux kernel: HFS+ filesystem implementation issues, exposure in distros Marc Deslauriers (Jun 11)
      • Re: Linux kernel: HFS+ filesystem implementation issues, exposure in distros Demi Marie Obenour (Jun 11)
      • Re: Linux kernel: HFS+ filesystem implementation issues, exposure in distros Demi Marie Obenour (Jun 11)
  • Re: Linux kernel: HFS+ filesystem implementation issues, exposure in distros Attila Szasz (Jun 03)
    • Re: Re: Linux kernel: HFS+ filesystem implementation issues, exposure in distros Greg KH (Jun 04)
    • Re: Linux kernel: HFS+ filesystem implementation issues, exposure in distros Solar Designer (Jun 05)
      • Re: Re: Linux kernel: HFS+ filesystem implementation issues, exposure in distros Eli Schwartz (Jun 05)
      • Re: Re: Linux kernel: HFS+ filesystem implementation issues, exposure in distros Jacob Bachmeyer (Jun 06)
• CVE-2025-46548: Apache Pekko Management, Apache Pekko Management, Apache Pekko Management: management API basic authentication is not effective Arnout Engelen (Jun 03)
• Samba 4.21.6 fixes CVE-2025-0620 in SMB session re-authentication Alan Coopersmith (Jun 03)
• CVE-2024-47081: Netrc credential leak in PSF requests library Alan Coopersmith (Jun 03)
  • Re: CVE-2024-47081: Netrc credential leak in PSF requests library Dave Walker (Jun 03)
  • Re: CVE-2024-47081: Netrc credential leak in PSF requests library Demi Marie Obenour (Jun 03)
  • Re: CVE-2024-47081: Netrc credential leak in PSF requests library Jakub Wilk (Jun 04)
• [SECURITY AVISORY] curl: CVE-2025-5399: WebSocket endless loop Daniel Stenberg (Jun 03)
• CVE-2025-48432: Django: Potential log injection via unescaped request path Natalia Bidart (Jun 04)
• CVE-2011-10007: File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted file name Timothy Legge (Jun 05)
  • Re: CVE-2011-10007: File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted file name Sam James (Jun 05)
    • Re: CVE-2011-10007: File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted file name Timothy Legge (Jun 05)
• Go 1.24.4 and Go 1.23.10 fix CVE-2025-4673, CVE-2025-0913, CVE-2025-22874 Alan Coopersmith (Jun 05)
• Vulnerability in Jenkins Gatling Plugin Daniel Beck (Jun 06)
• Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Attila Szasz (Jun 06)
  • Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Greg KH (Jun 07)
    • Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Sasha Levin (Jun 07)
      • Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Bastian Blank (Jun 07)
      • Re: Re: Re: Linux kernel: HFS+ filesystem implementation, issues, exposure in distros Sasha Levin (Jun 07)
• CVE-2025-27817: Apache Kafka Client: Arbitrary file read and SSRF vulnerability Luke Chen (Jun 09)
• CVE-2025-27818: Apache Kafka: Possible RCE attack via SASL JAAS LdapLoginModule configuration Luke Chen (Jun 09)
• CVE-2025-27819: Apache Kafka: Possible RCE/Denial of service attack via SASL JAAS JndiLoginModule configuration Luke Chen (Jun 09)
• Django CVE-2025-48432 (follow-up patch releases) Sarah Boyce (Jun 10)
  • Re: Django CVE-2025-48432 (follow-up patch releases) Sarah Boyce (Jun 10)
  • Re: Django CVE-2025-48432 (follow-up patch releases) Sebastian Pipping (Jun 10)
• CVE-2025-49091: Konsole: Code execution from web browser using URL schemes handled by KDE's KTelnetService and Konsole < 25.04.2 Dennis Dast (Jun 10)
• sslh: Remote Denial-of-Service Vulnerabilities (CVE-2025-46807, CVE-2025-46806) Matthias Gerstner (Jun 13)
• CVE-2025-47868: Apache NuttX RTOS: tools/bdf-converter.: tools/bdf-converter: Fix loop termination condition. Tomasz Cedro (Jun 14)
• CVE-2025-47869: Apache NuttX RTOS: examples/xmlrpc: Fix calls buffers size. Tomasz Cedro (Jun 14)
• CVE-2025-48988: Apache Tomcat: FileUpload large number of parts with headers DoS Mark Thomas (Jun 16)
• CVE-2025-49125: Apache Tomcat: Security constraint bypass for pre/post-resources Mark Thomas (Jun 16)
• CVE-2025-49124: Apache Tomcat: exe side-loading via icalcs.exe in Tomcat installer for Windows Mark Thomas (Jun 16)
• CVE-2025-48976: Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers Gary D. Gregory (Jun 16)
• CVE-2025-4748: Erlang/OTP 17.0–28.0.0 absolute-path traversal in zip:unzip/zip:extract Jonatan Männchen (Jun 16)
• 5 security issues disclosed in libxml2 Alan Coopersmith (Jun 16)
• pam: pam_namespace local privilege escalation (CVE-2025-6020) BAL-PETRE Olivier (Jun 17)
• [kubernetes] Race Condition in Go allows Volume Deletion in older Kubernetes versions Craig Ingram (Jun 17)
• Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland Olivier Fourdan (Jun 17)
  • <Possible follow-ups>
  • Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland Olivier Fourdan (Jun 18)
• CVE-2025-6019: LPE from allow_active to root in libblockdev via udisks Qualys Security Advisory (Jun 17)
  • Re: CVE-2025-6019: LPE from allow_active to root in libblockdev via udisks Simon McVittie (Jun 17)
  • Re: CVE-2025-6019: LPE from allow_active to root in libblockdev via udisks Jakub Wilk (Jun 17)
  • <Possible follow-ups>
  • Re: CVE-2025-6019: LPE from allow_active to root in libblockdev via udisks Qualys Security Advisory (Jun 17)
• [ANNOUNCE] Apache Traffic Server has an ACL issue, and also has a vulnerability in ESI processing Masakazu Kitajo (Jun 17)
• [kubernetes] CVE-2025-4563: Nodes can bypass dynamic resource allocation authorization checks Rita Zhang (Jun 18)
• Re: path traversal in tar extract in intel cve-bin-tool Jakub Wilk (Jun 20)
  • Re: path traversal in tar extract in intel cve-bin-tool lists (Jun 20)
• ClamAV 1.4.3 and 1.0.9 security patch versions published Alan Coopersmith (Jun 20)
• xdg-open bypassing SameSite=Strict grape mingijung (Jun 23)
  • Re: xdg-open bypassing SameSite=Strict Solar Designer (Jun 23)
    • Re: xdg-open bypassing SameSite=Strict grape mingijung (Jun 24)
  • Re: xdg-open bypassing SameSite=Strict Simon McVittie (Jun 24)
    • Re: xdg-open bypassing SameSite=Strict Anton Luka Šijanec (Jun 24)
  • Re: xdg-open bypassing SameSite=Strict Gabriel Corona (Jun 24)
    • Re: xdg-open bypassing SameSite=Strict Lucas Holt (Jun 24)
• CPython: Multiple CVEs (1 CRITICAL, 3 HIGH, 1 MODERATE) affecting the tarfile module Alan Coopersmith (Jun 23)
• CVE-2025-50213: Apache Airflow Providers Snowflake: Potential SQL injection in CopyFromExternalStageToSnowflakeOperator Elad Kalif (Jun 24)
• sox_ng fixes 20 CVEs in sox Martin Guy (Jun 24)
  • Re: sox_ng fixes 20 CVEs in sox Martin Guy (Jun 25)
• CVE-2025-52555 Ceph: CephFS Permission Escalation Vulnerability in Ceph Fuse mounted FS Sage [They / Them] McTaggart (Jun 26)
  • Re: CVE-2025-52555 Ceph: CephFS Permission Escalation Vulnerability in Ceph Fuse mounted FS Jacob Bachmeyer (Jun 26)
• libssh 0.11.2 security and bugfix release Alan Coopersmith (Jun 27)
• CVE-2025-32897: Apache Seata (incubating): Deserialization of untrusted Data in Apache Seata Server Min Ji (Jun 28)
• CVE-2024-39954: Apache EventMesh Runtime: SSRF Xue Weiming (Jun 29)
• CVE-2025-32462: sudo local privilege escalation via host option Todd C. Miller (Jun 30)
• CVE-2025-32463: sudo local privilege escalation via chroot option Todd C. Miller (Jun 30)

Previous period

Next period