oss-security  

Messages by Date

• 2026/06/03 [oss-security] [OSSA-2026-020] OpenStack Mistral: Mistral policy enforcement bypass allows unauthorized public resource creation and arbitrary code execution (CVE-2026-41283) Goutham Pacha Ravi
• 2026/06/03 [oss-security] [OSSA-2026-019] Ironic: File Extraction from conductor via pxe_template (CVE-2026-44917) Jay Faulkner
• 2026/06/03 [oss-security] [OSSA-2026-018] Ironic: File overwrite on Ironic conductor via path traversal in ISO handling (CVE-2026-48681) Jay Faulkner
• 2026/06/03 [oss-security] [OSSA-2026-017] Ironic: Script injection during node boot via linux command line override (CVE-2026-46447) Jay Faulkner
• 2026/06/03 [oss-security] Django CVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193, and CVE-2026-48587 Natalia Bidart
• 2026/06/03 Re: [oss-security] Linux kernel TLS ULP use-after-free in tls_sk_proto_close() Oleg Sevostyanov
• 2026/06/03 Re: [oss-security] Fwd: FreeIPMI 1.6.18 Released with security fixes Salvatore Bonaccorso
• 2026/06/02 Re: [oss-security] Linux kernel TLS ULP use-after-free in tls_sk_proto_close() Jacob Bachmeyer
• 2026/06/02 [oss-security] CVE-2026-9516: Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws Paul Johnson
• 2026/06/02 [oss-security] CVE-2026-9334: Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled Paul Johnson
• 2026/06/02 [oss-security] HTTP/2 Bomb affects Apache httpd, nginx, envoy, & pingora Alan Coopersmith
• 2026/06/02 [oss-security] Fwd: Go 1.26.4 and Go 1.25.11 are released Alan Coopersmith
• 2026/06/02 [oss-security] Fwd: FreeIPMI 1.6.18 Released with security fixes Alan Coopersmith
• 2026/06/02 Re: [oss-security] BIRD/BIRD2: stack buffer overflow in BGP AS_PATH mask matching, CVE pending Dan Yefihmov
• 2026/06/02 [oss-security] Linux kernel TLS ULP use-after-free in tls_sk_proto_close() Oleg Sevostyanov
• 2026/06/02 Re: [oss-security] BIRD/BIRD2: stack buffer overflow in BGP AS_PATH mask matching, CVE pending Stuart Henderson
• 2026/06/02 Re: [oss-security] BIRD/BIRD2: stack buffer overflow in BGP AS_PATH mask matching, CVE pending Dan Yefihmov
• 2026/06/02 Re: [oss-security] BIRD/BIRD2: stack buffer overflow in BGP AS_PATH mask matching, CVE pending Stuart Henderson
• 2026/06/02 Re: [oss-security] BIRD/BIRD2: stack buffer overflow in BGP AS_PATH mask matching, CVE pending Bakabaka_9
• 2026/06/02 [oss-security] [OSSA-2026-016] OpenStack Neutron: Errata 1 - Tagging policy bypass allows project readers to mutate tags (CVE-2026-49299) Goutham Pacha Ravi
• 2026/06/02 [oss-security] [OSSA-2026-014] OpenStack Swift: Errata 1 - Proxy-server denial of service via truncated s3api chunked upload, (CVE-2026-49017) Goutham Pacha Ravi
• 2026/06/02 [oss-security] CVE-2026-41115: Apache Kafka: Improper Authorization in CONSUMER_GROUP_DESCRIBE API Luke Chen
• 2026/06/02 Re: [oss-security] BIRD/BIRD2: stack buffer overflow in BGP AS_PATH mask matching, CVE pending Dan Yefihmov
• 2026/06/02 Re: [oss-security] BIRD/BIRD2: stack buffer overflow in BGP AS_PATH mask matching, CVE pending Stuart Henderson
• 2026/06/01 [oss-security] BIRD/BIRD2: stack buffer overflow in BGP AS_PATH mask matching, CVE pending Bakabaka_9
• 2026/06/01 [oss-security] FW: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland Peter Hutterer
• 2026/06/01 [oss-security] CVE-2025-60495: NULL Pointer Dereference in GPAC/MP4Box via gf_media_get_color_info on crafted MP4 with inconsistent sample entry Alexander A. Shvedov
• 2026/06/01 [oss-security] CVE-2025-60486: Use-After-Free in GPAC/MP4Box via dasher_process on crafted MPEG-2 TS file Alexander A. Shvedov
• 2026/06/01 [oss-security] CVE-2025-60485: NULL Pointer Dereference in GPAC/MP4Box via gf_isom_apple_set_tag_ex on crafted MP4 with corrupted esds box Alexander A. Shvedov
• 2026/06/01 [oss-security] CVE-2025-55664: Heap-based Buffer Overflow in GPAC/MP4Box via m2tsdmx_send_packet on crafted MPEG-2 TS file Alexander A. Shvedov
• 2026/06/01 [oss-security] CVE-2025-60483: NULL Pointer Dereference in GPAC/MP4Box via gf_ac4_pres_b_4_back_channels_present on crafted AC-4 stream Alexander A. Shvedov
• 2026/06/01 [oss-security] CVE-2025-60481: NULL Pointer Dereference in GPAC/MP4Box via gf_odf_ac4_cfg_dsi_v1 on crafted AC-4 stream Alexander A. Shvedov
• 2026/06/01 [oss-security] CVE-2026-46718: Apache Calcite: A user-controled model can load arbitrary classes, leading to code execution Julian Hyde
• 2026/06/01 [oss-security] Re: CIFSwitch: Linux kernel/cifs-utils local root via forged cifs.spnego upcall manizada
• 2026/06/01 [oss-security][CVE-2026-8643] pip can extract console_scripts and gui_scripts outside installation directory Alan Coopersmith
• 2026/06/01 [oss-security] CVE-2026-49328: Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF Shuxin Pan
• 2026/05/31 [oss-security] CVE-2026-45192: Apache Airflow: Incomplete Redaction of Sensitive Fields in Connection Extra API Response Rahul Vats
• 2026/05/31 [oss-security] CVE-2026-35563: Apache Directory LDAP API: LDAP client implementation does not verify if the server certificate matches the intended LDAP hostname Emmanuel Lécharny
• 2026/05/31 [oss-security] CVE-2026-8796: Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input Paul Johnson
• 2026/05/31 Re: [oss-security] CVE request experience Fabian Keil
• 2026/05/31 [oss-security] CVE-2026-49270: Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: Durable Subscription Disclosure via Crafted BrokerInfo (OpenWire) Christopher L. Shannon
• 2026/05/31 [oss-security] CVE-2026-49157: Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default Christopher L. Shannon
• 2026/05/31 [oss-security] CVE-2026-46605: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incomplete authorization during destination removal Christopher L. Shannon
• 2026/05/31 [oss-security] CVE-2026-45505: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Jolokia `addNetworkConnector` Discovery Wrapper Bypass Christopher L. Shannon
• 2026/05/31 [oss-security] CVE-2026-42588: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Remote Code Execution via Jolokia addNetworkConnector Christopher L. Shannon
• 2026/05/31 [oss-security] CVE-2026-42253: Apache ActiveMQ, Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties Christopher L. Shannon
• 2026/05/31 [oss-security] CVE-2026-49298: Apache Airflow: JWT Token Exposure in KubernetesExecutor Command-Line Arguments Rahul Vats
• 2026/05/31 [oss-security] CVE-2026-48726: Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path Rahul Vats
• 2026/05/31 [oss-security] CVE-2026-46764: Apache Airflow: Event Log detail endpoint bypasses DAG-scoped event log permission filter Rahul Vats
• 2026/05/31 [oss-security] CVE-2026-45426: Apache Airflow: Log server JWT authorization bypass via Python lstrip() character stripping allows cross-Dag log access Rahul Vats
• 2026/05/31 [oss-security] CVE-2026-45360: Apache Airflow: Arbitrary import in custom deadline-reference deserialization Rahul Vats
• 2026/05/31 [oss-security] CVE-2026-42359: Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator Rahul Vats
• 2026/05/31 [oss-security] CVE-2026-42358: Apache Airflow: Variable masker depth-limit bypass returns cleartext nested secrets Rahul Vats
• 2026/05/31 [oss-security] CVE-2026-42360: Apache Airflow: Rendered template truncation bypasses nested sensitive-key masking Rahul Vats
• 2026/05/31 [oss-security] CVE-2026-42252: Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern Rahul Vats
• 2026/05/31 [oss-security] CVE-2026-41084: Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation Rahul Vats
• 2026/05/31 [oss-security] CVE-2026-41017: Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy Rahul Vats
• 2026/05/31 [oss-security] CVE-2026-49267: Apache Airflow: No certificate validation on SMTP STARTTLS connections Rahul Vats
• 2026/05/31 [oss-security] CVE-2026-41014: Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints Rahul Vats
• 2026/05/31 [oss-security] CVE-2026-40963: Apache Airflow: DAG authorization bypass on /ui/structure/structure_data Rahul Vats
• 2026/05/31 [oss-security] CVE-2026-40961: Apache Airflow: Open Redirect Bypass Vulnerability Rahul Vats
• 2026/05/31 [oss-security] CVE-2026-40861: Apache Airflow: Arbitrary File Read via Log Symlink following in FileTaskHandler Rahul Vats
• 2026/05/30 [oss-security] CVE-2025-70103: Heap-based Buffer Overflow in libjxl/cjxl via jxl::extras::DecodeImagePNM on crafted PBM file Alexander A. Shvedov
• 2026/05/30 [oss-security] CVE-2026-8594: Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters Robert Rothenberg
• 2026/05/30 [oss-security] CVE-2026-49361: Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability Jark Wu
• 2026/05/30 [oss-security] [vim-security] Out-of-bounds Read in Terminal Screen Snapshot in Vim < 9.2.565 Christian Brabandt
• 2026/05/30 [oss-security] CVE-2026-47187, CVE-2026-48711: sshfs <= 3.7.5 symlink escape (local file read/write) and ssh argument injection (local command execution) Abhinav Agarwal
• 2026/05/30 [oss-security] CVE-2025-70116: NULL Pointer Dereference in GPAC/MP4Box via gf_media_map_esd on truncated MP4 input Alexander
• 2026/05/30 [oss-security] CVE-2026-48827: Apache MINA SSHD: Path traversal in org.apache.sshd:sshd-git Thomas Wolf
• 2026/05/29 [oss-security] CVE-2026-44825: Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users Jan Høydahl
• 2026/05/29 [oss-security] [vim-security] Arbitrary Code Execution via Python Omni-Completion in Vim < 9.2.561 Christian Brabandt
• 2026/05/29 [oss-security] [vim-security] Arbitrary Code Execution via Python Omni-Completion in Vim < 9.2.561 Christian Brabandt
• 2026/05/29 [oss-security] CVE-2026-48840: Exim 4.99.4: PROXY-protocol uninitialised-stack information disclosure Heiko Schlittermann
• 2026/05/29 [oss-security] CVE-2024-13745, EDK II: several issues with partition table measurements Maxim Suhanov
• 2026/05/28 Re: [oss-security] Linux: DMA-after-unmap race in ZCRX via netif_rxq_cleanup_unlease() ordering inversion (netkit + page_pool) Solar Designer
• 2026/05/28 [oss-security] CVE-2026-41565: CryptX versions before 0.088_001 for Perl have a stack buffer overflow in four AEAD decrypt_verify helpers Stig Palmquist
• 2026/05/28 [oss-security] CVE-2026-9658: Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths Robert Rothenberg
• 2026/05/28 [oss-security] [OSSA-2026-016] OpenStack Neutron: Tagging policy bypass allows project readers to mutate tags (CVE-2026-pending) Goutham Pacha Ravi
• 2026/05/28 [oss-security] [OSSA-2026-015] OpenStack Keystone: Multiple credential delegation and authorization bypass vulnerabilities (CVE-2026-42998, CVE-2026-42999, CVE-2026-43000, CVE-2026-43001, CVE-2026-44394) Goutham Pacha Ravi
• 2026/05/28 [oss-security] Open Babel 3.2.0: 24 CVEs fixed across file-format parsers Geoffrey Hutchison
• 2026/05/28 [oss-security] Two security advisories for Cargo from Rust Alan Coopersmith
• 2026/05/28 [oss-security] Various memory access violations in 7-Zip Alan Coopersmith
• 2026/05/28 [oss-security] CVE-2025-48977: Apache Ignite: Rest Http default Arbitrary file read vulnerability zstan
• 2026/05/28 [oss-security] CIFSwitch: Linux kernel/cifs-utils local root via forged cifs.spnego upcall manizada
• 2026/05/27 Re: [oss-security] Linux: DMA-after-unmap race in ZCRX via netif_rxq_cleanup_unlease() ordering inversion (netkit + page_pool) Jacob Bachmeyer
• 2026/05/27 [oss-security] [OSSA-2026-014] OpenStack Swift: Swift proxy-server denial of service via truncated s3api chunked upload (CVE-2026-49017) Goutham Pacha Ravi
• 2026/05/27 [oss-security] ARTEMIS-5996: CVE-2026-40914: Apache Artemis, Apache ActiveMQ Artemis: Address routing-type can be updated by STOMP protocol user without the createAddress permission Justin Bertram
• 2026/05/27 [oss-security] Multiple vulnerabilities in Jenkins plugins Daniel Beck
• 2026/05/26 [oss-security] Samba 4.24.3, 4.23.8 and 4.22.10 Security Releases are available for Download Douglas Bagnall
• 2026/05/26 [oss-security] CVE-2026-8450: HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file() Stig Palmquist
• 2026/05/26 [oss-security] CVE-2026-48962: IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob Stig Palmquist
• 2026/05/26 [oss-security] CVE-2026-48961: IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID Stig Palmquist
• 2026/05/26 [oss-security] CVE-2026-48959: IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward Stig Palmquist
• 2026/05/26 [oss-security] CVE-2025-15649: IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date Stig Palmquist
• 2026/05/26 [oss-security] CVE-2026-8647: Crypt::ScryptKDF versions through 0.010 for Perl uses insecure random number source when no CSPRNG module is available Robert Rothenberg
• 2026/05/26 [oss-security] CVE-2026-46740: Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections Robert Rothenberg
• 2026/05/26 [oss-security] CVE-2026-40564: Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator Gyula Fora
• 2026/05/26 [oss-security] qSnapper: Various Security Issues in Privileged D-Bus Service (CVE-2026-41045 through CVE-2026-41048) Matthias Gerstner
• 2026/05/25 [oss-security] CVE-2026-9538: Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header Stig Palmquist
• 2026/05/25 [oss-security] CVE-2026-42497: Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory Stig Palmquist
• 2026/05/25 [oss-security] CVE-2026-42496: Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory Stig Palmquist
• 2026/05/25 [oss-security] CVE-2026-8376: Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds Timothy Legge
• 2026/05/25 [oss-security] CVE-2026-48589: Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow Lenny Primak
• 2026/05/25 [oss-security] CVE-2026-44598: Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials) Lenny Primak
• 2026/05/25 [oss-security] CVE-2026-43828: Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default Lenny Primak
• 2026/05/25 [oss-security] CVE-2026-43827: Apache Shiro: Session fixation: new session is not created after login by default Lenny Primak
• 2026/05/25 [oss-security] CVE-2026-42797: Apache Syncope: JexlContextBuilder Information Disclosure Francesco Chicchiriccò
• 2026/05/25 [oss-security] CVE-2026-42782: Apache Syncope: Post-auth RCE via Groovy static Francesco Chicchiriccò
• 2026/05/24 Re: [oss-security] Coordinated Disclosure in the LLM Age ROI AI
• 2026/05/24 Re: [oss-security] Coordinated Disclosure in the LLM Age Jacob Bachmeyer
• 2026/05/24 [oss-security] Re: On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Aaron Rainbolt
• 2026/05/24 [oss-security] PuTTY 0.84 released with 3 minor security fixes Alan Coopersmith
• 2026/05/24 [oss-security] CVE-2026-46745: Apache Airflow FAB provider: [ Security Report ] LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token (ZDRES-223) Jens Scheffler
• 2026/05/24 [oss-security] CVE-2026-45361: Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default) Jens Scheffler
• 2026/05/24 Re: [oss-security] root-project/root: Heap buffer overflow in TKey::Streamer / TBasket::ReadBasketBuffers Matt Christie
• 2026/05/24 Re: [oss-security] Memcached 1.6.42 is a "major security focused release" with CVE's TBD Alan Coopersmith
• 2026/05/24 [oss-security] Re: PCManFM-Qt allows arbitrary files to be opened via the org.freedesktop.FileManager1.ShowFolders method Aaron Rainbolt
• 2026/05/24 Re: [oss-security] Coordinated Disclosure in the LLM Age Solar Designer
• 2026/05/24 Re: [oss-security] root-project/root: Heap buffer overflow in TKey::Streamer / TBasket::ReadBasketBuffers Solar Designer
• 2026/05/24 [oss-security] root-project/root: Heap buffer overflow in TKey::Streamer / TBasket::ReadBasketBuffers Manopakorn Kooharueangrong
• 2026/05/24 Re: [oss-security] Coordinated Disclosure in the LLM Age ROI AI
• 2026/05/24 Sv: [oss-security] Coordinated Disclosure in the LLM Age ROI AI
• 2026/05/23 [oss-security] Anthropic's coordinated vulnerability disclosure dashboard Alan Coopersmith
• 2026/05/22 [oss-security] CVE-2026-45249: Apache ECharts: XSS in Lines series tooltip rendering Zhongxiang Wang
• 2026/05/22 Re: [oss-security] Coordinated Disclosure in the LLM Age Jacob Bachmeyer
• 2026/05/22 [oss-security] CVE-2026-9277: shell-quote before 1.8.4 command injection in quote() Akshat Sinha
• 2026/05/22 [oss-security] HPLIP: Potential Escalation of Privilege and Arbitrary Code Execution Alan Coopersmith
• 2026/05/22 Re: [oss-security] Linux kernel: Dirty Frag variants — fix merged into netdev Demi Marie Obenour
• 2026/05/22 [oss-security] NGINX ngx_http_rewrite_module buffer overflow (CVE-2026-9256) Alan Coopersmith
• 2026/05/22 [oss-security] [vim-security] Multiple Memory Safety Issues in Vim Spell File Parser affects Vim < 9.2.0513 Christian Brabandt
• 2026/05/22 [oss-security] illumos: 18118 SCTP frees wrong-size, and need to keep private options Dan McDonald
• 2026/05/22 [oss-security] Re: Evince/Atril/Xreader command injection CVE-2026-46529 Wolfgang
• 2026/05/22 Sv: [oss-security] Coordinated Disclosure in the LLM Age Markus Klyver
• 2026/05/22 [oss-security] CVE-2026-44930: Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository Colm O hEigeartaigh
• 2026/05/22 [oss-security] CVE-2026-44618: Apache CXF: XXE vulnerability in WS-Transfer functionality Colm O hEigeartaigh
• 2026/05/22 [oss-security] CVE-2026-44417: Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE) Colm O hEigeartaigh
• 2026/05/22 [oss-security] Vulnerabilities in golang.org/x/crypto Alan Coopersmith
• 2026/05/21 Re: [oss-security] CVE-2026-45250: FreeBSD setcred(2) stack overflow -> local privilege escalation (FatGid) Przemyslaw Frasunek
• 2026/05/21 Re: [oss-security] Coordinated Disclosure in the LLM Age ROI AI
• 2026/05/21 Re: [oss-security] Coordinated Disclosure in the LLM Age Jeffrey Walton
• 2026/05/21 Re: [oss-security] Coordinated Disclosure in the LLM Age Jacob Bachmeyer
• 2026/05/21 Re: [oss-security] Re: Fixed: local root exploit in haveged, fixed in 1.9.21, CVE-2026-41054 Jeffrey Walton
• 2026/05/21 Re: [oss-security] Host ambiguous requests through NGINX $host and Debian's proxy_params Gabriel Corona
• 2026/05/21 Re: [oss-security] Host ambiguous requests through NGINX **$http_host** and Debian's proxy_params Gabriel Corona
• 2026/05/21 [oss-security] CVE-2026-5091: Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks Robert Rothenberg
• 2026/05/21 Re: [oss-security] CVE-2026-45250: FreeBSD setcred(2) stack overflow -> local privilege escalation (FatGid) Steffen Nurpmeso
• 2026/05/21 [oss-security] Re: Fixed: local root exploit in haveged, fixed in 1.9.21, CVE-2026-41054 nightmare . yeah27
• 2026/05/21 Re: [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Steffen Nurpmeso
• 2026/05/21 [oss-security] CVE-2026-46473: Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand Robert Rothenberg
• 2026/05/21 [oss-security] CVE-2026-47243: Kata Containers runtime-rs 3.30: virtiofsd symlink escape Aurelien Bombo
• 2026/05/21 Re: [oss-security] Linux kernel: Dirty Frag variants — fix merged into netdev Hyunwoo Kim
• 2026/05/21 Re: [oss-security] Linux kernel: Dirty Frag variants — fix merged into netdev Solar Designer
• 2026/05/21 [oss-security] Linux kernel: Dirty Frag variants — fix merged into netdev Hyunwoo Kim
• 2026/05/21 [oss-security] CVE-2026-48207: Apache Fory: PyFory ReduceSerializer Incomplete Policy Enforcement Chaokun Yang
• 2026/05/21 [oss-security] Host ambiguous requests through NGINX $host and Debian's proxy_params gabriel . corona
• 2026/05/21 [oss-security] CVE-2026-45760: Apache Camel K: Camel K Cross-Namespace Build Deputy Attack Pasquale Congiusti
• 2026/05/21 [oss-security] Re: Evince/Atril/Xreader command injection CVE-2026-46529 Michael Catanzaro
• 2026/05/21 Re: [oss-security] Coordinated Disclosure in the LLM Age ROI AI
• 2026/05/21 Re: [oss-security] Coordinated Disclosure in the LLM Age ROI AI
• 2026/05/21 Re: [oss-security] Coordinated Disclosure in the LLM Age Douglas Bagnall
• 2026/05/21 [oss-security] CVE-2026-45250: FreeBSD setcred(2) stack overflow -> local privilege escalation (FatGid) Przemyslaw Frasunek
• 2026/05/21 Re: [oss-security] PinTheft Linux LPE Marcus Meissner
• 2026/05/21 Re: [oss-security] Re: Logic bug in the Linux kernel's __ptrace_may_access() function Simon McVittie
• 2026/05/20 [oss-security] CVE-2026-47372: Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts Robert Rothenberg
• 2026/05/20 [oss-security] CVE-2026-47373: Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks Robert Rothenberg
• 2026/05/20 Re: [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Gabriel Corona
• 2026/05/20 [oss-security] CVE-2026-4802 [cockpit] Arbitrary code execution in the logs page via a specially crafted link Jelle van der Waa
• 2026/05/20 Re: [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Demi Marie Obenour
• 2026/05/20 Re: [oss-security] Coordinated Disclosure in the LLM Age Alan Coopersmith
• 2026/05/20 [oss-security] Re: Multiple vulnerabilities in AppArmor Qualys Security Advisory
• 2026/05/20 [oss-security] Re: Logic bug in the Linux kernel's __ptrace_may_access() function Qualys Security Advisory
• 2026/05/20 [oss-security] Re: Logic bug in the Linux kernel's __ptrace_may_access() function Qualys Security Advisory
• 2026/05/20 Re: [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) gabriel . corona
• 2026/05/20 [oss-security] PowerDNS Security Advisory 2026-06: Multiple Issues Miod Vallat
• 2026/05/20 [oss-security] ISC has disclosed six vulnerabilities in BIND 9 (CVE-2026-3039, CVE-2026-3592, CVE-2026-3593, CVE-2026-5946, CVE-2026-5947, CVE-2026-5950) Michał Kępień
• 2026/05/20 Re: [oss-security] PCManFM-Qt allows arbitrary files to be opened via the org.freedesktop.FileManager1.ShowFolders method gabriel . corona
• 2026/05/20 Re: [oss-security] PCManFM-Qt allows arbitrary files to be opened via the org.freedesktop.FileManager1.ShowFolders method gabriel . corona
• 2026/05/20 Re: [oss-security] PCManFM-Qt allows arbitrary files to be opened via the org.freedesktop.FileManager1.ShowFolders method Simon McVittie
• 2026/05/20 Re: [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Simon McVittie
• 2026/05/20 [oss-security] rsync 3.4.3 released: six CVEs (CVE-2026-29518, CVE-2026-43617, CVE-2026-43618, CVE-2026-43619, CVE-2026-43620, CVE-2026-45232) Andrew Tridgell
• 2026/05/20 [oss-security] Unbound: 1.25.1 addresses multiple CVE items Yorgos Thessalonikefs
• 2026/05/20 [oss-security] QEMU CXL Memory Corruption Vulnerability ("QEMUtiny") Brett Sheffield
• 2026/05/19 [oss-security] Heads-up: Upcoming Samba security releases (2026-05-26) Douglas Bagnall
• 2026/05/19 [oss-security] PCManFM-Qt allows arbitrary files to be opened via the org.freedesktop.FileManager1.ShowFolders method Aaron Rainbolt
• 2026/05/19 [oss-security] CVE-2026-41054: haveged — privilege escalation via command socket Jiri Hladky
• 2026/05/19 Re: [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Aaron Rainbolt
• 2026/05/19 Re: [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Aaron Rainbolt
• 2026/05/19 [oss-security] CVE-2026-5090: Template::Plugin::HTML versions through 3.102 for Perl allows HTML and JavaScript to be injected Robert Rothenberg
• 2026/05/19 [oss-security] [OSSA-2026-013] Ironic: Denial of Service via specially crafted deployment requests (CVE-2026-44919) Jay Faulkner
• 2026/05/19 Re: [oss-security] On the issue of MIME handlers that execute arbitrary code (e.g. Wine) Gabriel Corona
• 2026/05/19 Re: [oss-security] PinTheft Linux LPE Jelle van der Waa
• 2026/05/19 [oss-security] CVE-2026-42526: Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS Secrets Manager and SSM Parameter Store backends Vincent Beck
• 2026/05/19 [oss-security] CVE-2026-27173: Apache Airflow CNCF Kubernetes provider: JWT Token Exposure in KubernetesExecutor Command-Line Arguments Vincent Beck
• 2026/05/19 [oss-security] Evince/Atril/Xreader command injection CVE-2026-46529 Michael Catanzaro
• 2026/05/19 Re: [oss-security] PinTheft Linux LPE Sam James
• 2026/05/19 [oss-security] Memcached 1.6.42 is a "major security focused release" with CVE's TBD Alan Coopersmith
• 2026/05/19 Re: [oss-security] PinTheft Linux LPE Sam James
• 2026/05/19 [oss-security] CVE-2026-46586: Apache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy Code Execution Jacopo Cappellato
• 2026/05/19 [oss-security] CVE-2026-45434: Apache OFBiz: Authentication Bypass via Password-Change Logic Flaw Leading to RCE Jacopo Cappellato
• 2026/05/19 [oss-security] CVE-2026-45187: Apache OFBiz: Improper Authorization in Scheduled Job Creation Allows Low-Privileged Users to Submit System Jobs Jacopo Cappellato

• Earlier messages