Messages by Thread
-
[oss-security] CVE-2023-49582: Apache Portable Runtime (APR): Unexpected lax shared memory permissions
Eric Covener
-
[oss-security] [vim-security] heap-buffer-overflow in ins_typebuf() in Vim < 9.1.0697
Christian Brabandt
-
[oss-security] [vim-security] heap-buffer-overflow in do_search() in Vim < 9.1.0689
Christian Brabandt
-
[oss-security] gh:facebook/rocksdb v9.5.2 - SupplyChainAttackPoC for Meta BB
Andreas Stieger
-
[oss-security] CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names
Alan Coopersmith
-
[oss-security] CVE-2024-41937: Apache Airflow: Stored XSS Vulnerability on provider link
Ephraim Anierobi
-
[oss-security] CVE-2023-49198: Apache SeaTunnel Web: Arbitrary file read vulnerability
Jun Gao
-
[oss-security] CVE-2024-22281: Apache Helix Front (UI): Helix front hard-coded secret in the express-session
Junkai Xue
-
[oss-security] CVE-2024-43202: Apache DolphinScheduler: Remote Code Execution Vulnerability
ShunFeng Cai
-
[oss-security] Landlock Houdini fix: CVE-2024-42318
Mickaël Salaün
-
[oss-security] WebKitGTK and WPE WebKit Security Advisory WSA-2024-0004
Adrian Perez de Castro
-
[oss-security] AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024)
David A. Wheeler
-
[oss-security] Unbound 1.21.0 released with multiple security fixes
Alan Coopersmith
-
[oss-security] [kubernetes] CVE-2024-7646: Ingress-nginx Annotation Validation Bypass
Craig Ingram
-
[oss-security] Heads-up: there are two versions of Intel microcode update IPU 2024.3
Samuel Verschelde
-
[oss-security] [vim-security] use-after-free in alist_add() in Vim < v9.1.0678
Christian Brabandt
-
[oss-security] Dovecot CVE-2024-23185: Very large headers can cause resource exhaustion when parsing message
Aki Tuomi
-
[oss-security] Dovecot CVE-2024-23184: Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive
Aki Tuomi
-
[oss-security] flatpak CVE-2024-42472: Access to files outside sandbox for apps using persistent= (--persist)
Simon McVittie
-
[oss-security] CVE-2024-7347: nginx: ngx_http_mp4_module: Worker process crash by using a specially crafted mp4 file
Solar Designer
-
[oss-security] Xen Security Advisory 461 v2 (CVE-2024-31146) - PCI device pass-through with shared resources
Xen . org security team
-
[oss-security] Xen Security Advisory 460 v2 (CVE-2024-31145) - error handling in x86 IOMMU identity mapping
Xen . org security team
-
[oss-security] CVE-2024-41909: Apache MINA SSHD: integrity check bypass
Arnout Engelen
-
[oss-security] CVE-2024-42008 and more: XSS vulnerabilities in Roundcube webmail
Valtteri Vuorikoski
-
[oss-security] CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL
Solar Designer
-
[oss-security] CVE-2024-30188: Apache DolphinScheduler: Resource File Read And Write Vulnerability
ShunFeng Cai
-
[oss-security] CVE-2024-29831: Apache DolphinScheduler: RCE by arbitrary js execution
ShunFeng Cai
-
[oss-security] CVE-2024-41888: Apache Answer: The link for resetting user password is not Single-Use
Enxin Xie
-
[oss-security] CVE-2024-41890: Apache Answer: The link to reset the user's password will remain valid after sending a new link
Enxin Xie
-
[oss-security] KL-001-2024-006: Open WebUI Arbitrary File Upload + Path Traversal
KoreLogic Disclosures
-
[oss-security] KL-001-2024-005: Open WebUI Stored Cross-Site Scripting
KoreLogic Disclosures
-
[oss-security] Multiple vulnerabilities in Jenkins
Daniel Beck
-
[oss-security] CVE-2024-42222: Apache CloudStack: Unauthorised Network List Access
Rohit Yadav
-
[oss-security] CVE-2024-42062: Apache CloudStack: User Key Exposure to Domain Admins
Rohit Yadav
-
[oss-security] Tracking down a lost CVE request (MITRE)
Michael Orlitzky
-
[oss-security] Django CVE-2024-41989, CVE-2024-41990, CVE-2024-41991, and CVE-2024-42005
Sarah Boyce
-
[oss-security] feedback requested regarding deprecation of TLS 1.0/1.1
Neil Horman
-
[oss-security] CVE-2024-36448: Apache IoTDB Workbench: SSRF Vulnerability (EOL)
Haonan Hou
-
[oss-security] CVE-2024-42447: Apache Airflow Providers FAB: FAB provider 1.2.1 and 1.2.0 did not let user to logout for Airflow
Jarek Potiuk
-
[oss-security] CVE-2024-38856: Apache OFBiz: Unauthenticated endpoint could allow execution of screen rendering code
Jacques Le Roux
-
[oss-security] CVE-2024-36268: Apache InLong TubeMQ Client: Remote Code Execution vulnerability
Charles Zhang
-
[oss-security] CVE-2024-27182: Apache Linkis Basic management services: Engine material management Arbitrary file deletion vulnerability
Heping Wang
-
[oss-security] CVE-2024-27181: Apache Linkis Basic management services: Privilege Escalation Attack vulnerability
Heping Wang
-
[oss-security] Neat VNC Security Vulnerability
Andri Yngvason
-
[oss-security] CPython CVE-2024-6923: Email header injection due to unquoted newlines
Alan Coopersmith
-
[oss-security] [vim-security] double-free in dialog_changed() in Vim < v9.1.0648
Christian Brabandt
-
[oss-security] [vim-security] use-after-free in tagstack_clear_entry() in Vim < v9.1.0647
Christian Brabandt
-
[oss-security] [SECURITY ADVISORY] curl: CVE-2024-7264 ASN.1 date parser overread
Daniel Stenberg
-
[oss-security] CVE-2023-48396: Apache SeaTunnel Web: Authentication bypass
Jun Gao
-
[oss-security] Fwd: [Security-announce] [CVE-2024-3219] Pure-Python fallback of socket.socketpair() doesn’t authenticate peer connection
Alan Coopersmith
-
[oss-security] GStreamer Security Advisory 2024-0003: Orc compiler stack-based buffer overflow
Alan Coopersmith
-
[oss-security] CVE-2024-25090: Apache Roller: Insufficient input validation for some user profile and bookmark fields when Roller in untested-users mode
David M. Johnson
-
[oss-security] [ANNOUNCE] Apache Traffic Server is vulnerable to request smuggling and DoS
Masakazu Kitajo
-
[oss-security] inux kernel: virtio-net host dos
John Haxby
-
[oss-security] CVE-2023-48362: Apache Drill: XXE Vulnerability in XML Format Reader
James Turton
-
[oss-security] [SECURITY ADVISORY] curl: CVE-2024-6874: macidn punycode buffer overread
Daniel Stenberg
-
[oss-security] [SECURITY ADVISORY] curl: CVE-2024-6197: freeing stack buffer in utf8asn1str
Daniel Stenberg
-
[oss-security] CVE-2024-39676: Apache Pinot: Unauthorized endpoint exposed sensitive information
Yupeng Fu
-
[oss-security] CVE-2024-41178: Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files
Andrew Lamb
-
[oss-security] [OSSA-2024-002] OpenStack Nova: Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors (CVE-2024-40767)
Jeremy Stanley
-
[oss-security] ISC has disclosed four vulnerabilities in BIND 9 (CVE-2024-0760, CVE-2024-1737, CVE-2024-1975, CVE-2024-4076)
Aram Sargsyan
-
[oss-security] GNU C Library version 2.40 released with 5 CVE fixes
Alan Coopersmith
-
[oss-security] CVE-2024-29070: Apache StreamPark: session not invalidated after logout
Huajie Wang
-
[oss-security] CVE-2024-38503: Apache Syncope: HTML tags can be injected into Console or Enduser text fields
Francesco Chicchiriccò
-
[oss-security] CVE-2024-34457: Apache StreamPark IDOR Vulnerability
Huajie Wang
-
[oss-security] CVE-2024-23321: Apache RocketMQ: Unauthorized Exposure of Sensitive Data
Rongtong Jin
-
[oss-security] CVE-2024-41107: Apache CloudStack: SAML Signature Exclusion
Rohit Yadav
-
[oss-security] [ANNOUNCE] Apache CloudStack CVE-2024-41107: SAML Signature Exclusion
Abhishek Kumar
-
[oss-security] CVE-2024-41172: Unrestricted memory consumption in CXF HTTP clients
Colm O hEigeartaigh
-
[oss-security] CVE-2024-32007: Apache CXF Denial of Service vulnerability in JOSE
Colm O hEigeartaigh
-
[oss-security] CVE-2024-29736: Apache CXF: SSRF vulnerability via WADL stylesheet parameter
Colm O hEigeartaigh
-
[oss-security] CVE-2024-29178: Apache StreamPark: FreeMarker SSTI RCE Vulnerability
Huajie Wang
-
[oss-security] CVE-2024-40898: Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows
Eric Covener
-
[oss-security] CVE-2024-40725: Apache HTTP Server: source code disclosure with handlers configured via AddType
Eric Covener
-
[oss-security] Python Infrastructure Admin Token Leaked Through Docker Hub
Andrii Polkovnychenko [EXT]
-
[oss-security] CVE-2024-29120: Apache StreamPark: Information leakage vulnerability
Huajie Wang
-
[oss-security] [kubernetes] CVE-2024-5321: Incorrect permissions on Windows containers logs
Craig Ingram
-
[oss-security] CVE-2024-29737: Apache StreamPark (incubating): maven build params could trigger remote command execution
Huajie Wang
-
[oss-security] CVE-2023-52291: Apache StreamPark (incubating): Unchecked maven build params could trigger remote command execution
Huajie Wang
-
[oss-security] CVE-2024-31979: Apache StreamPipes: Possibility of SSRF in pipeline element installation process
Dominik Riemer
-
[oss-security] CVE-2024-31411: Apache StreamPipes: Potential remote code execution (RCE) via file upload
Dominik Riemer
-
[oss-security] CVE-2024-30471: Apache StreamPipes: Potential creation of multiple identical accounts
Dominik Riemer
-
[oss-security] Landlock news #4
Mickaël Salaün
-
[oss-security] CVE-2024-39877: Apache Airflow: DAG Author Code Execution possibility in airflow-scheduler
Ephraim Anierobi
-
[oss-security] CVE-2024-39863: Apache Airflow: Potential XSS Vulnerability
Ephraim Anierobi
-
[oss-security] CVE-2024-39887: Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions
Daniel Gaspar
-
[oss-security] Xen Security Advisory 459 v2 (CVE-2024-31144) - Xapi: Metadata injection attack against backup/restore functionality
Xen . org security team
-
[oss-security] Xen Security Advisory 458 v2 (CVE-2024-31143) - double unlock in x86 guest IRQ handling
Xen . org security team
-
[oss-security] CVE-2023-52290: Apache StreamPark (incubating): Unchecked SQL query fields trigger SQL injection vulnerability
Huajie Wang
-
[oss-security] CVE-2023-46801: Apache Linkis DataSource: Remote code execution vulnerability in apache Linkis 1.4.0
Heping Wang
-
[oss-security] CVE-2023-49566: Apache Linkis DataSource: JDBC Datasource Module with DB2 has JNDI Injection vulnerability
Heping Wang
-
[oss-security] CVE-2023-41916: Apache Linkis DataSource: DatasourceManager module has a JDBC parameter judgment logic vulnerability that allows for arbitrary file reading
Heping Wang
-
[oss-security] CVE-2024-36522: Apache Wicket: Remote code execution via XSLT injection
Martin Tzvetanov Grigorov
-
[oss-security] backtrace_symbols() misuse by Ceph and its supposedly-safe use
Alexander Patrakov
-
[oss-security] linux-distros application for CentOS Project's Hyperscale SIG
Michel Lind
-
[oss-security] CVE-2024-3596: RADIUS/UDP vulnerable to improved MD5 collision attack
Alan Coopersmith
-
[oss-security] Django CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, and CVE-2024-39614
Natalia Bidart
-
[oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Will Dormann
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Florian Weimer
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Will Dormann
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
David A. Wheeler
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Florian Weimer
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Simon McVittie
-
[oss-security] Re: ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Will Dormann
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Yves-Alexis Perez
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Will Dormann
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Yves-Alexis Perez
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Yves-Alexis Perez
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Steffen Nurpmeso
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
David A. Wheeler
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Steffen Nurpmeso
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Jacob Bachmeyer
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Steffen Nurpmeso
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Demi Marie Obenour
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Steffen Nurpmeso
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Jacob Bachmeyer
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Steffen Nurpmeso
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Yves-Alexis Perez
-
Re: [oss-security] ASLRn't is still alive and well on x86 kernels, despite CVE-2024-26621 patch
Will Dormann
-
[oss-security] CVE-2024-37389: Apache NiFi: Improper Neutralization of Input in Parameter Context Description
David Handermann
-
[oss-security] [ANNOUNCE] Apache CloudStack LTS Security Releases 4.18.2.1 and 4.19.0.2
Abhishek Kumar
-
[oss-security] CVE-2023-52168, CVE-2023-52169: buffer overflow, over-read vulnerabilities in the 7-Zip archiver
Maxim Suhanov
-
[oss-security] CVE-2024-39844: ZNC modtcl RCE
Martin Weinelt
-
[oss-security] CVE-2024-39884: Apache HTTP Server: source code disclosure with handlers configured via AddType
Eric Covener
-
[oss-security] [OSSA-2024-001] OpenStack Cinder, Glance, Nova: Arbitrary file access through custom QCOW2 external data (CVE-2024-32498)
Jeremy Stanley