oss-security  

Messages by Thread

• [oss-security] CVE-2025-54947: Apache StreamPark: Use hard-coded key vulnerability Huajie Wang
  • Re: [oss-security] CVE-2025-54947: Apache StreamPark: Use hard-coded key vulnerability Solar Designer
• [oss-security] CVE-2025-54981: Apache StreamPark: Weak Encryption Algorithm in StreamPark Huajie Wang
• [oss-security] CVE-2025-65995: Apache Airflow: Disclosure of secrets to UI via kwargs Ephraim Anierobi
• [oss-security] CVE-2025-66388: Apache Airflow: Secrets in rendered templates not redacted properly and exposed in the UI Ephraim Anierobi
• [oss-security] CVE-2025-58137: Apache Fineract: IDOR via self-service API Adam Monsen
• [oss-security] CVE-2025-58130: Apache Fineract: Server Key not masked Adam Monsen
• [oss-security] CVE-2025-23408: Apache Fineract: weak password policy Adam Monsen
• [oss-security] CVE-2025-8110 in Gogs self-hosted git service Alan Coopersmith
  • Re: [oss-security] CVE-2025-8110 in Gogs self-hosted git service Jakub Wilk
  • Re: [oss-security] CVE-2025-8110 in Gogs self-hosted git service Martin Weinelt
• [oss-security] smb4k: Major Vulnerabilities in KAuth Helper (CVE-2025-66002, CVE-2025-66003) Matthias Gerstner
• [oss-security] LibreOffice puts searched text into the PRIMARY selection (Linux, X11) Vincent Lefevre
  • Re: [oss-security] LibreOffice puts searched text into the PRIMARY selection (Linux, X11) Marco Moock
  • Re: [oss-security] LibreOffice puts searched text into the PRIMARY selection (Linux, X11) Vincent Lefevre
• [oss-security] CVE-2025-66675: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - version ranges fixed Lukasz Lenart
• [oss-security] EXIM-Security-2025-12-09.1: Exim 4.99: Remote heap corruption Heiko Schlittermann
  • [oss-security] Update: EXIM-Security-2025-12-09.1: Exim 4.99: Remote heap corruption Heiko Schlittermann
  • [oss-security] Re: Update: CVE-2025-67896: EXIM-Security-2025-12-09.1: Exim 4.99: Remote heap corruption Heiko Schlittermann
• [oss-security] CVE-2025-26866: Apache HugeGraph-Server: RAFT and deserialization vulnerability VGalaxies
• [oss-security] CVE-2025-62408: c-ares 1.32.3-1.34.5 use after free() Brad House
  • Re: [oss-security] CVE-2025-62408: c-ares 1.32.3-1.34.5 use after free() Demi Marie Obenour
• [oss-security] PowerDNS Security Announcement 2025-07 and 2025-08 regarding PowerDNS Recursor Otto Moerbeek
• [oss-security] CPython vulnerable to CVE-2025-13836, CVE-2025-13837, & CVE-2025-12084 Alan Coopersmith
• [oss-security] CVE-2025-66418 & CVE-2025-66471 fixed in urllib3 2.6.0 Alan Coopersmith
• [oss-security] Go 1.25.5 and Go 1.24.11 are released - fix CVE-2025-61729 & CVE-2025-61727 Alan Coopersmith
• [oss-security] Island: Sandboxing tool powered by Landlock Mickaël Salaün
• [oss-security] React2Shell (CVE-2025-55182/CVE-2025-66478) Jeffrey Walton
• [oss-security] CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo Eric Covener
• [oss-security] CVE-2025-65082: Apache HTTP Server: CGI environment variable override Eric Covener
• [oss-security] CVE-2025-59775: Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF Eric Covener
• [oss-security] CVE-2025-58098: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=... Eric Covener
• [oss-security] CVE-2025-55753: Apache HTTP Server: mod_md (ACME), unintended retry intervals Eric Covener
• [oss-security] WebKitGTK and WPE WebKit Security Advisory WSA-2025-0009 Adrian Perez de Castro
  • [oss-security] Re: [webkit-gtk] WebKitGTK and WPE WebKit Security Advisory WSA-2025-0009 Adrian Perez de Castro
• [oss-security] CVE-2025-66516: Apache Tika core, Apache Tika parsers, Apache Tika PDF parser module: Update to CVE-2025-54988 to expand scope of artifacts affected Tim Allison
• [oss-security] CVE-2025-53960: Apache StreamPark: Use the user’s password as the secret key Vulnerability Huajie Wang
• [oss-security] libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Cosmin Truta
  • Re: [oss-security] libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Alan Coopersmith
  • Re: [oss-security] libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Cosmin Truta
  • Re: [oss-security] libpng 1.6.52: Out-of-bounds vulnerability fixed: CVE-2025-66293 Greg Roelofs
• [oss-security] CVE-2025-55182: RCE in React Server Components Jan Schaumann
  • [oss-security] additional React vulnerabilities (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779) Jan Schaumann
• [oss-security] FW: X.Org Security Advisory: multiple security issues in xkbcomp Peter Hutterer
• [oss-security] [vim-security] A Windows uncontrolled search path vulnerability affects Vim < 9.1.1947 Christian Brabandt
• [oss-security] Django CVE-2025-13372 and CVE-2025-64460 Natalia Bidart
• [oss-security] expat looking for help with another unfixed non-public denial-of-service vulnerability [CVE-2025-66382] Alan Coopersmith
• [oss-security] CVE-2025-12183 in lz4-java, fixed in new fork Alan Coopersmith
  • [oss-security] CVE-2025-66566 fixed in lz4-java 1.10.1 Alan Coopersmith
• [oss-security] [kubernetes] CVE-2025-13281: Portworx Half-Blind SSRF in kube-controller-manager Nathan Herz
• [oss-security] WebKitGTK and WPE WebKit Security Advisory WSA-2025-0008 Adrian Perez de Castro
• [oss-security] CVE-2025-64775: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - S2-068 Lukasz Lenart
• [oss-security] CVE-2025-59789: Apache bRPC: Stack Exhaustion via Unbounded Recursion in JSON Parser Wang Weibing
• [oss-security] CVE-2025-59792: Apache Kvrocks: MONITOR command reveals plaintext credentials to non-admins Hulk Lin
• [oss-security] CVE-2025-59790: Apache Kvrocks: RESET command grants admin privileges Hulk Lin
• [oss-security] CVE-2023-48796: Apache DolphinScheduler: Sensitive information disclosure Lidong Dai
• [oss-security] CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues Zdenek Dohnal
• [oss-security] CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack Zdenek Dohnal
• [oss-security] CVE-2025-59454: Apache CloudStack: Lack of user permission validation leading to data leak for few APIs Harikrishna Patnala
• [oss-security] CVE-2025-59302: Apache CloudStack: Potential remote code execution on Javascript engine defined rules Harikrishna Patnala
• [oss-security] CVE-2025-54057: Apache SkyWalking: Stored XSS vulnerability Zhenxu Ke
• [oss-security] Unbound: 1.24.2 addresses CVE-2025-11411 (again) Yorgos Thessalonikefs
• [oss-security] CVE-2025-62728: Apache Hive: SQL injection vulnerability when processing delete column statistics requests via the HMS Thrift APIs Stamatis Zampetakis
• [oss-security] 5 CVE's fixed in Fluent Bit Alan Coopersmith
  • Re: [oss-security] 5 CVE's fixed in Fluent Bit Christian Brabandt
  • Re: [oss-security] 5 CVE's fixed in Fluent Bit Christian Fischer
  • Re: [oss-security] 5 CVE's fixed in Fluent Bit Christian Brabandt
  • Re: [oss-security] 5 CVE's fixed in Fluent Bit Christian Fischer
• [oss-security] CVE-2025-59390: Apache Druid: Kerberos authenticaton chooses a cryptographically unsecure secret if not configured explicitly. Karan Kumar
• [oss-security] CVE-2025-65998: Apache Syncope: Default AES key used for internal password encryption Francesco Chicchiriccò
• [oss-security] libpng 1.6.51: Four buffer overflow vulnerabilities fixed: CVE-2025-64505, CVE-2025-64506, CVE-2025-64720, CVE-2025-65018 Cosmin Truta
• [oss-security] gnutls 3.8.11 released with fix for CVE-2025-9820 Alan Coopersmith
• [oss-security] CVE-2025-64524 cups-filters: Heap Buffer Overflow in rastertopclx Filter Leading to Potential Arbitrary Code Execution Zdenek Dohnal
• [oss-security] CVE-2025-64408: Apache Causeway: Java deserialization vulnerability to authenticated attackers Dan Haywood
• [oss-security] [SECURITY PATCH 8/8] commands/usbtest: Ensure string length is sufficient in usb string processing Daniel Kiper
• [oss-security] [SECURITY PATCH 7/8] commands/usbtest: Use correct string length field Daniel Kiper
• [oss-security] [SECURITY PATCH 6/8] tests/lib/functional_test: Unregister commands on module unload Daniel Kiper
• [oss-security] [SECURITY PATCH 5/8] normal/main: Unregister commands on module unload Daniel Kiper
• [oss-security] [SECURITY PATCH 4/8] gettext/gettext: Unregister gettext command on module unload Daniel Kiper
• [oss-security] [SECURITY PATCH 3/8] net/net: Unregister net_set_vlan command on unload Daniel Kiper
• [oss-security] [SECURITY PATCH 2/8] kern/file: Call grub_dl_unref() after fs->fs_close() Daniel Kiper
• [oss-security] [SECURITY PATCH 1/8] commands/test: Fix error in recursion depth calculation Daniel Kiper
• [oss-security] [SECURITY PATCH 0/8] GRUB2 vulnerabilities - 2025/11/18 Daniel Kiper
• [oss-security] lightdm-kde-greeter: Privilege Escalation from lightdm Service User to root in KAuth Helper Service (CVE-2025-62876) Matthias Gerstner
• [oss-security] GitGuardian GGShield SSL/TLS Verification Bypass (No CVE) tanish saxena
• [oss-security] PostgreSQL releases fixes for CVE-2025-12817 & CVE-2025-12818 Alan Coopersmith
• [oss-security] CVE-2025-40300 / VMScape Bjoern Franke
  • Re: [oss-security] CVE-2025-40300 / VMScape Alan Coopersmith
  • Re: [oss-security] CVE-2025-40300 / VMScape Moritz Mühlenhoff
  • Re: [oss-security] CVE-2025-40300 / VMScape Solar Designer
  • Re: [oss-security] CVE-2025-40300 / VMScape Bjoern Franke
• [oss-security] CVE-2025-64503 libcupsfilters, cups-filters 1.x: out of bounds write in pdftoraster Zdenek Dohnal
• [oss-security] CVE-2025-57812 libcupsfilters, cups-filters 1.x: Multiple TIFF-related issues in libcupsfilters Zdenek Dohnal
• [oss-security] CVE-2025-64407: Apache OpenOffice: URL fetching can be used to exfiltrate arbitrary INI file values and environment variables Arrigo Marchiori
• [oss-security] CVE-2025-64406: Apache OpenOffice: Possible memory corruption during CSV import Arrigo Marchiori
• [oss-security] CVE-2025-64405: Apache OpenOffice: Remote documents loaded without prompt via DDE function Arrigo Marchiori
• [oss-security] CVE-2025-64404: Apache OpenOffice: Remote documents loaded without prompt via background and bullet images Arrigo Marchiori
• [oss-security] CVE-2025-64403: Apache OpenOffice: Remote documents loaded without prompt via "external data sources" in Calc Arrigo Marchiori
• [oss-security] CVE-2025-64402: Apache OpenOffice: Remote documents loaded without prompt via OLE objects Arrigo Marchiori
• [oss-security] CVE-2025-64401: Apache OpenOffice: Remote documents loaded without prompt via IFrame Arrigo Marchiori
• [oss-security] CVE-2024-47866 Ceph: RGW DoS via improper input validation. Sage [They / Them] McTaggart
• [oss-security] CVE-2025-61623: Apache OFBiz: Reflected Cross-site Scripting Jacques Le Roux
• [oss-security] CVE-2025-59118: Apache OFBiz: Critical Remote Command Execution via Unrestricted File Upload Jacques Le Roux
• [oss-security] Re: runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 Ali Polatel
• Re: [oss-security] runc container breakouts via procfs writes: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 [email protected]
• [oss-security] scx: Unauthenticated scx_loader D-Bus Service can lead to major Denial-of-Service Matthias Gerstner
• [oss-security] Django CVE-2025-64458 and CVE-2025-64459 Natalia Bidart
• [oss-security] [CVE-2025-62168] SQUID-2025:2 Information Disclosure in Error handling Amos Jeffries
• [oss-security] [CVE-2025-54574] SQUID-2025:1 Buffer Overflow in URN Handling Amos Jeffries
• [oss-security] [SECURITY ADVISORY] curl: missing SFTP host verification with wolfSSH Daniel Stenberg
• [oss-security] [CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Amos Jeffries
  • Re: [oss-security] [CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Solar Designer
  • Re: [oss-security] [CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi Amos Jeffries
• [oss-security] CVE-2025-58337: Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode for doris-mcp-server MCP Server Mingyu Chen
• [oss-security] Becoming a CVE Naming Authority for your project Rodrigo Freire
  • Re: [oss-security] Becoming a CVE Naming Authority for your project Greg KH
  • Re: [oss-security] Becoming a CVE Naming Authority for your project Olle E. Johansson
  • Re: [oss-security] Becoming a CVE Naming Authority for your project Pedro Sampaio
  • Re: [oss-security] Becoming a CVE Naming Authority for your project Peter Gutmann
  • Re: [oss-security] Becoming a CVE Naming Authority for your project Matthew Fernandez
  • Re: [oss-security] Becoming a CVE Naming Authority for your project Art Manion
  • Re: [oss-security] Becoming a CVE Naming Authority for your project Pedro Sampaio
  • Re: [oss-security] Becoming a CVE Naming Authority for your project Olle E. Johansson
  • Re: [oss-security] Becoming a CVE Naming Authority for your project Peter Gutmann
  • Re: [oss-security] Becoming a CVE Naming Authority for your project Yogesh Mittal
  • Re: [oss-security] Becoming a CVE Naming Authority for your project Pat Gunn
  • Re: [oss-security] Becoming a CVE Naming Authority for your project Jeremy Stanley
• [oss-security] [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley
  • Re: [oss-security] [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Demi Marie Obenour
  • Re: [oss-security] [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley
  • Re: [oss-security] [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Salvatore Bonaccorso
  • Re: [oss-security] [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley
  • [oss-security] [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE-2025-65073) Jeremy Stanley
• [oss-security] [SECURITY ADVISORY] wcurl path traversal with percent-encoded slashes Daniel Stenberg
• [oss-security] OpenSMTPD: Trivial Local Denial-of-Service via UNIX Domain Socket (CVE-2025-62875) Matthias Gerstner
• [oss-security] CVE-2025-62232: Apache APISIX: APISIX basic-auth logs plaintext credentials at info level Ashish Tiwari
• [oss-security] CVE-2025-62503: Apache Airflow: Privilege boundary bypass in bulk APIs (create action can upsert existing Pools/Connections/Variables) Kaxil Naik
• [oss-security] CVE-2025-62402: Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API Kaxil Naik
• [oss-security] CVE-2025-54941: Apache Airflow: Command injection in "example_dag_decorator" Kaxil Naik
• [oss-security] ISC has disclosed one vulnerability in Kea (CVE-2025-11232) Wlodek Wencel
• [oss-security] CVE-2025-30189: Dovecot IMAP Server: Using auth caching causes the first lookup to be cached for all lookups Camelia Lavender
• [oss-security] CVE-2025-61795: Apache Tomcat: Delayed cleaning of multi-part upload temporary files may lead to DoS Mark Thomas
• [oss-security] CVE-2025-55754: Apache Tomcat: console manipulation via escape sequences in log messages Mark Thomas
• [oss-security] CVE-2025-55752: Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled Mark Thomas
• [oss-security] Questionable CVE's reported against dnsmasq Alan Coopersmith
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Jeremy Stanley
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Andrew Latham
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Sebastian Pipping
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Stuart Henderson
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Sebastian Pipping
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Matthew Fernandez
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Eli Schwartz
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Stuart Henderson
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Salvatore Bonaccorso
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Petr Menšík
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Sebastian Pipping
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Jeffrey Walton
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Moritz Mühlenhoff
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Collin Funk
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Michael Orlitzky
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Hank Leininger
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Solar Designer
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Douglas Bagnall
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Art Manion
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Solar Designer
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Art Manion
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Russ Allbery
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Collin Funk
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Solar Designer
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Jeremy Stanley
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Demi Marie Obenour
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Russ Allbery
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Peter Gutmann
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Russ Allbery
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Demi Marie Obenour
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Peter Gutmann
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Alexander Patrakov
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Jacob Bachmeyer
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Peter Gutmann
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Jeffrey Walton
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Peter Gutmann
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Olle E. Johansson
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Art Manion
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Olle E. Johansson
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Art Manion
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Olle E. Johansson
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Pedro Sampaio
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Olle E. Johansson
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Demi Marie Obenour
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Demi Marie Obenour
  • Re: [oss-security] Questionable CVE's reported against dnsmasq nightmare . yeah27
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Simon McVittie
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Alan Coopersmith
  • Re: [oss-security] Questionable CVE's reported against dnsmasq Christian Fischer
• [oss-security] OOB read / segfault and endless loop in courier mail server 1.5.0 Hanno Böck
• [oss-security] Xen Security Advisory 476 v1 (CVE-2025-58149) - Incorrect removal of permissions on PCI device unplug Xen . org security team
• [oss-security] PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor Otto Moerbeek
• [oss-security] ISC has disclosed three vulnerabilities in BIND 9 (CVE-2025-8677, CVE-2025-40778, CVE-2025-40780) Michał Kępień
• [oss-security] Xen Security Advisory 475 v2 (CVE-2025-58147,CVE-2025-58148) - x86: Incorrect input sanitisation in Viridian hypercalls Xen . org security team
• [oss-security] CVE-2025-57738: Apache Syncope: Remote Code Execution by delegated administrators Francesco Chicchiriccò

• Earlier messages