[oss-security] sslh: Remote Denial-of-Service Vulnerabilities (CVE-2025-46807, CVE-2025-46806)

2025-06-13 Thread Matthias Gerstner
tschle/sslh/blob/v2.2.1/common.c#L516 [21]: https://github.com/yrutschle/sslh/commit/ad1f5d68e96eec389668d1139cb281b1f3f13725 [22]: https://en.wikipedia.org/wiki/Fork_bomb [23]: https://bugzilla.suse.com/show_bug.cgi?id=1224800 Best Regards Matthias -- Matthias Gerstner Security Engineer https://www

Re: [oss-security] ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)

2025-05-30 Thread Matthias Gerstner
Hi, On Fri, May 30, 2025 at 10:11:51AM +0200, Matthias Gerstner wrote: > > Default ACLs to the rescue! > > > > $ chmod a+x ~ > > $ mkdir -m 777 ~/.Private > > $ setfacl -d -m u:$LOGNAME:rwx ~/.Private/ > > $ curl -s -H "Content-Type: application/

Re: [oss-security] ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)

2025-05-30 Thread Matthias Gerstner
Hi, On Wed, May 28, 2025 at 08:23:25PM +0200, Jakub Wilk wrote: > * Matthias Gerstner , 2025-05-28 19:21: > >By leveraging issue 3.2), the Kea services can be instructed to create > >`_kea` owned files in the attacker's `$HOME/.Private`. The content of > >the created f

Re: [oss-security] ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)

2025-05-28 Thread Matthias Gerstner
/src/lib/http/basic_auth_config.cc?ref_type=tags#L365 [7]: https://github.com/gcc-mirror/gcc/blob/97a36b466ba1420210294f0a1dd7002054ba3b7e/libstdc%2B%2B-v3/libsupc%2B%2B/hash_bytes.cc#L74 [8]: https://github.com/gcc-mirror/gcc/blob/97a36b466ba1420210294f0a1dd7002054ba3b7e/libstdc%2B%2B-v3/include/bits/fun

Re: [oss-security] screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations)

2025-05-20 Thread Matthias Gerstner
Hello, On Fri, May 16, 2025 at 11:01:53AM -0400, Jan Schaumann wrote: > Matthias Gerstner wrote: > > we were surprised to find a local root exploit in > > the Screen 5.0.0 major version update affecting distributions that ship > > it as setuid-root (Arch Linux and NetBS

Re: [oss-security] screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations)

2025-05-16 Thread Matthias Gerstner
Hi, On Thu, May 15, 2025 at 04:09:51PM +0100, Stuart Henderson wrote: > On 2025/05/14 13:26, Matthias Gerstner wrote: > > Indeed, this is the bugfix release announced by upstream here: > > > > https://lists.gnu.org/archive/html/screen-users/2025-05/msg5.html > &

Re: [oss-security] screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations)

2025-05-14 Thread Matthias Gerstner
Hello Thomas, On Tue, May 13, 2025 at 06:21:06PM +0200, Dr. Thomas Orgis wrote: > Are you sure the safe default wins? I also read configure.ac as such, > at a first glance … but running plain configure results in > > $ grep PTYMODE config.h > * define PTYMODE if you do not like the default of 06

Re: [oss-security] screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations)

2025-05-14 Thread Matthias Gerstner
v5&id=2bdebfc9837cfd3cea0645030e626b08bb6bc2d0 Best Regards Matthias

[oss-security] screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations)

2025-05-12 Thread Matthias Gerstner
n.h?h=v.5.0.0#n148 [26]: https://lists.gnu.org/archive/html/screen-users/2024-12/msg0.html [27]: https://en.opensuse.org/openSUSE:Security_disclosure_policy [28]: https://oss-security.openwall.org/wiki/mailing-lists/distros [29]: https://bugzilla.suse.com/show_bug.cgi?id=1227243#c8 [30]: https://savanna

[oss-security] Below: World Writable Directory in /var/log/below Allows Local Privilege Escalation (CVE-2025-27591)

2025-03-12 Thread Matthias Gerstner
cda145e1a83 [14]: https://bugzilla.suse.com/show_bug.cgi?id=1236109 [15]: https://bugbounty.meta.com [16]: https://oss-security.openwall.org/wiki/mailing-lists/distros Best Regards Matthias

[oss-security] pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531)

2025-02-06 Thread Matthias Gerstner
25/01/22/2 [31]: https://sourceforge.net/p/opensc/mailman/message/58838740/ [32]: https://github.com/linux-pam/linux-pam [33]: https://oss-security.openwall.org/wiki/mailing-lists/distros Best Regards Matthias

[oss-security] dde-api-proxy: Authentication Bypass in Deepin D-Bus Proxy Service (CVE-2025-23222)

2025-01-24 Thread Matthias Gerstner
0c86fa2cbaaa7c130088fda8315c01 [8]: https://github.com/linuxdeepin/dde-api-proxy/releases/tag/1.0.19 [9]: https://www.openwall.com/lists/oss-security/2014/03/24/2 [10]: https://www.deepin.org/index/en/docs/wiki/en/About_Deepin/Contact-the-deepin-Officials Best Regards Matthias

Re: [oss-security] issue with stuck Mitre CVE requests

2025-01-23 Thread Matthias Gerstner
>Type of comment: Issue > > "Request type: Other" items are read every day. Additionally Mitre expressed that they are working on improvements to prevent such situations in the future. Best Regards Matthias

[oss-security] issue with stuck Mitre CVE requests

2025-01-22 Thread Matthias Gerstner
Matthias [1]: https://cveform.mitre.org/ [2]: https://www.openwall.com/lists/oss-security/2024/08/06/3

[oss-security] Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013)

2025-01-16 Thread Matthias Gerstner
Hi Jacob, On Wed, Jan 15, 2025 at 11:58:00PM -0600, Jacob Bachmeyer wrote: > On 1/15/25 06:03, Matthias Gerstner wrote: > > There exist utility modules that don't > > actually authenticate but perform helper functions or enforce policy. An > > example is the pam_failloc

[oss-security] pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013)

2025-01-15 Thread Matthias Gerstner
ww.yubico.com/support/security-advisories/ysa-2025-01/ Best Regards Matthias

[oss-security] SSSD: Weaknesses in Privilege Separation due to Issues in Privileged Helper Programs

2024-12-19 Thread Matthias Gerstner
che.c#L247 [5]: https://github.com/SSSD/sssd/releases/tag/2.10.1 [6]: https://github.com/samba-team/samba/blob/master/lib/ldb/common/ldb.c#L94 [7]: https://github.com/SSSD/sssd/commit/0562646cc261 [8]: https://github.com/SSSD/sssd/pull/7764 [9]: https://github.com/SSSD/sssd/blob/2.10.0/src/provid

[oss-security] stalld: unpatched fixed temporary file use and other issues

2024-11-29 Thread Matthias Gerstner
rottlectl.sh#L13 [6]: https://gitlab.com/rt-linux-tools/stalld/-/blob/v1.19.6/src/utils.c?ref_type=tags#L54 [7]: https://gitlab.com/rt-linux-tools/stalld/-/blob/v1.19.6/src/utils.c?ref_type=tags#L355 [7]: https://gitlab.com/rt-linux-tools/stalld/-/blob/v1.19.6/src/stalld.h?ref_type=ta

Re: [oss-security] tuned: local root exploit in D-Bus method instance_create and other issues in tuned >= 2.23 (CVE-2024-52336, CVE-2024-52337)

2024-11-29 Thread Matthias Gerstner
valent of SO_PEERCRED on various non-Linux OSs.) thanks for the hint! Relying on D-Bus and kernel features is surely the cleanest way to implement this. Cheers Matthias

[oss-security] tuned: local root exploit in D-Bus method instance_create and other issues in tuned >= 2.23 (CVE-2024-52336, CVE-2024-52337)

2024-11-28 Thread Matthias Gerstner
/redhat-performance/tuned/commit/cddcd2336944a56e313324c699dd739fe8f1f85d [6]: https://github.com/redhat-performance/tuned/releases/tag/v2.24.1 [7]: https://github.com/redhat-performance/tuned/commit/90c24eea037c7a5e9414c93f8fb3e549ed4a7b06 Regards Matthias

[oss-security] authentik: remote timing attack in MetricsView HTTP Basic Auth (CVE-2024-52307)

2024-11-27 Thread Matthias Gerstner
4]: https://github.com/goauthentik/authentik/blob/fd1d252d44a010fad558bed2d315577a9d8d1f2b/authentik/root/monitoring.py#L27 [5]: https://github.com/goauthentik/authentik/security/advisories/GHSA-2xrw-5f2x-m56j [6]: https://documentation.suse.com/smart/security/html/systemd-securing/index.html

Re: [oss-security] CVE-2024-47191: Local root exploit in the PAM module pam_oath.so

2024-10-17 Thread Matthias Gerstner
When only supporting the simple scenario of the usersfile being located directly beneath the to-be-authenticated user's home directory, then a lot of things become simpler, as it has been done in the upstream approach in a couple of aspects. Best Regards Matthias From 345ae06e0f698bdb1e9b4529e5

Re: [oss-security] CVE-2024-47191: Local root exploit in the PAM module pam_oath.so

2024-10-15 Thread Matthias Gerstner
Hi, thanks for bringing up the potential problems with the patch we (SUSE) suggested. The missing drop of the ancillary group list has indeed been overlooked and will result in a lack of protection, since the "unprivileged" process will likely still be a member of the root group. I will adjust th

[oss-security] Performance Co-Pilot (PCP): pmcd network daemon security issues and review results (CVE-2024-45769), (CVE-2024-45770)

2024-09-20 Thread Matthias Gerstner
Hello list, please find below a report about recently fixed security issues in PCP. You can also find a rendered HTML version of this report on our blog [13]. Best Regards Matthias 1) Introduction === Earlier this year we already reported a local symlink attack in Performance Co-

[oss-security] gnome-remote-desktop: D-Bus system service in GNOME release 46 local information leaks (CVE-2024-5148)

2024-05-24 Thread Matthias Gerstner
e-remote-desktop-system-dbus.html [4]: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/commit/9fbaae1aaa0b821e4a859f22bad17979225af058 [5]: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/commit/663ad63172e0bfc8bd50a475ede753583bc3c99a [6]: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/180 Best