Messages by Date
- 2026/04/30 | Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation | Solar Designer
- 2026/04/30 | Re: [oss-security] 10+ CVEs in GStreamer | Solar Designer
- 2026/04/30 | [oss-security] Exim 4.99.2 fixes 4 CVEs | Solar Designer
- 2026/04/30 | Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation | Alan Coopersmith
- 2026/04/30 | [oss-security] CVE-2026-5080: Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely | Robert Rothenberg
- 2026/04/30 | Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation | Roman Medina-Heigl Hernandez
- 2026/04/30 | Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation | Greg KH
- 2026/04/30 | Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation | Sam James
- 2026/04/30 | Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation | Eric Biggers
- 2026/04/30 | Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation | cyber security
- 2026/04/30 | Re: [oss-security] Coordinated Disclosure in the LLM Age | Greg KH
- 2026/04/30 | Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation | Greg KH
- 2026/04/30 | Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation | Salvatore Bonaccorso
- 2026/04/29 | Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation | Sam James
- 2026/04/29 | Re: [oss-security] lcms2 <= 2.18 CubeSize() integer overflow: stock Ubuntu 24.04 Poppler / evince-thumbnailer / OpenJDK crashers (different triggers), no CVE | Sam James
- 2026/04/29 | [oss-security] Re: lcms2 <= 2.18 CubeSize() integer overflow: stock Ubuntu 24.04 Poppler / evince-thumbnailer / OpenJDK crashers (different triggers), no CVE | Abhinav Agarwal
- 2026/04/29 | [oss-security] [CVE-2026-37555] libsndfile IMA-ADPCM integer overflow (incomplete fix for CVE-2022-33065) | Feng Ning
- 2026/04/29 | Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation | Solar Designer
- 2026/04/29 | Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation | Aaron Rainbolt
- 2026/04/29 | [oss-security] inetutils-2.8 released with 2 CVE fixes | Alan Coopersmith
- 2026/04/29 | [oss-security] gnutls 3.8.13 released with 12 CVE fixes and more | Alan Coopersmith
- 2026/04/29 | Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation | Zube
- 2026/04/29 | [oss-security] OSSA-2026-008: OpenStack Ironic: Command Injection in Ironic IPMI Console Implementations (CVE-2026-42510) - errata 1 | Goutham Pacha Ravi
- 2026/04/29 | [oss-security] CVE-2026-7381: Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting | Robert Rothenberg
- 2026/04/29 | Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation | Sam James
- 2026/04/29 | Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation | Eddie Chapman
- 2026/04/29 | Re: [oss-security] Coordinated Disclosure in the LLM Age | Brian May
- 2026/04/29 | [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation | Jan Schaumann
- 2026/04/29 | Re: [oss-security] Coordinated Disclosure in the LLM Age | Clemens Lang
- 2026/04/29 | Re: [oss-security] Coordinated Disclosure in the LLM Age | Renaud Allard
- 2026/04/29 | Re: [oss-security] Coordinated Disclosure in the LLM Age | Willy Tarreau
- 2026/04/29 | Re: [oss-security] Coordinated Disclosure in the LLM Age | Jeremy Stanley
- 2026/04/29 | [oss-security] Xen Security Advisory 489 v2 (CVE-2026-23559,CVE-2026-23560,CVE-2026-23561,CVE-2026-23562,CVE-2026-42486) - Multiple RBAC issues in XAPI | Xen . org security team
- 2026/04/29 | [oss-security] CVE-2026-7111: Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption | Stig Palmquist
- 2026/04/29 | Re: [oss-security] Coordinated Disclosure in the LLM Age | Lucas Holt
- 2026/04/29 | [oss-security] Multiple vulnerabilities in Jenkins plugins | Daniel Beck
- 2026/04/28 | [oss-security] [ADVISORY] curl: CVE-2026-7168: cross-proxy Digest auth state leak | Daniel Stenberg
- 2026/04/28 | [oss-security] [ADVISORY] curl: CVE-2026-6276: stale custom cookie host causes cookie leak | Daniel Stenberg
- 2026/04/28 | [oss-security] [ADVISORY] curl: CVE-2026-7009: OCSP stapling bypass with Apple SecTrust | Daniel Stenberg
- 2026/04/28 | [oss-security] [ADVISORY] curl: CVE-2026-6253: proxy credentials leak over redirect-to proxy | Daniel Stenberg
- 2026/04/28 | [oss-security] [ADVISORY] curl: CVE-2026-6429: netrc credential leak with reused proxy connection | Daniel Stenberg
- 2026/04/28 | [oss-security] [ADVISORY] curl: CVE-2026-5773: wrong reuse of SMB connection | Daniel Stenberg
- 2026/04/28 | [oss-security] [ADVISORY] curl: CVE-2026-5545: wrong reuse of HTTP Negotiate connection | Daniel Stenberg
- 2026/04/28 | [oss-security] [ADVISORY] curl: CVE-2026-4873: connection reuse ignores TLS requirement | Daniel Stenberg
- 2026/04/28 | Re: [oss-security] Coordinated Disclosure in the LLM Age | Peter Gutmann
- 2026/04/28 | Re: [oss-security] [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 | Jacob Bachmeyer
- 2026/04/28 | Re: [oss-security] Coordinated Disclosure in the LLM Age | Jacob Bachmeyer
- 2026/04/28 | Re: [oss-security] [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 | Solar Designer
- 2026/04/28 | Re: [oss-security] [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 | Ellenor Bjornsdottir
- 2026/04/28 | [oss-security] CVE-2026-40560: Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence | Timothy Legge
- 2026/04/28 | Re: [oss-security] [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 | Alan Coopersmith
- 2026/04/28 | [oss-security] Re: [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 | Dmitry Butskoy
- 2026/04/28 | [oss-security] Re: [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 | Dmitry Butskoy
- 2026/04/28 | Re: [oss-security] Coordinated Disclosure in the LLM Age | Greg Dahlman
- 2026/04/28 | [oss-security] Xen Security Advisory 489 v1 (CVE-2026-23559,CVE-2026-23560,CVE-2026-23561,CVE-2026-23562,CVE-2026-42486) - Multiple RBAC issues in XAPI | Xen . org security team
- 2026/04/28 | [oss-security] CVE-2026-41873: Pony Mail: Admin account takeover via request smuggling | Arnout Engelen
- 2026/04/28 | [oss-security] The GNU C Library security advisories update for 2026-04-28 | Carlos O'Donell
- 2026/04/28 | [oss-security] Coordinated Disclosure in the LLM Age | Jeremy Stanley
- 2026/04/28 | [oss-security] Xen Security Advisory 487 v2 (CVE-2026-31787) - Linux kernel double free in Xen privcmd driver | Xen . org security team
- 2026/04/28 | [oss-security] Xen Security Advisory 486 v2 (CVE-2026-23558) - grant table v2 race in status page mapping | Xen . org security team
- 2026/04/28 | [oss-security] Xen Security Advisory 485 v2 (CVE-2026-31786) - Linux kernel out of bounds read via Xen-related sysfs file | Xen . org security team
- 2026/04/28 | [oss-security] Xen Security Advisory 484 v2 (CVE-2026-23557) - Xenstored DoS via XS_RESET_WATCHES command | Xen . org security team
- 2026/04/28 | [oss-security] Xen Security Advisory 483 v2 (CVE-2026-23556) - oxenstored keeps quota related use counts across domain destruction | Xen . org security team
- 2026/04/27 | [oss-security][CVE-2026-3087] shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs | Alan Coopersmith
- 2026/04/27 | [oss-security] CVE-2026-41602: Apache Thrift: Go TFramedTransport uint32 overflow | Jens Geyer
- 2026/04/27 | [oss-security] CVE-2025-48431: Apache Thrift glibc language bindings: Specially crafted input can crash a c_glib Thrift server with invalid pointer error. | Jens Geyer
- 2026/04/27 | [oss-security] CVE-2026-41603: Apache Thrift: Java TSSLTransportFactory hostname verification | Jens Geyer
- 2026/04/27 | [oss-security] CVE-2026-41604: Apache Thrift: Swift Range crash in skip() | Jens Geyer
- 2026/04/27 | [oss-security] CVE-2026-41605: Apache Thrift: Swift Compact Protocol integer overflow | Jens Geyer
- 2026/04/27 | [oss-security] CVE-2026-41606: Apache Thrift: c_glib dispatch stack overflow | Jens Geyer
- 2026/04/27 | [oss-security] CVE-2026-41607: Apache Thrift: C++ JSON OOB read | Jens Geyer
- 2026/04/27 | [oss-security] CVE-2026-41636: Apache Thrift: Node.js skip() recursion | Jens Geyer
- 2026/04/27 | [oss-security] CVE-2026-40355, CVE-2026-40356: MIT krb5 1.18+ Unauthenticated Network read overrun and null pointer dereference | Cem Onat Karagun
- 2026/04/27 | [oss-security][CVE-2026-6357] pip self-update functionality can import newly installed modules after wheel installation | Alan Coopersmith
- 2026/04/27 | [oss-security] [OSSA-2026-008] Ironic: Command Injection in IPMI Console Implementations (CVE pending) | Jay Faulkner
- 2026/04/27 | [oss-security] CVE-2026-41409: Apache MINA: CWE-502 Deserialization of Untrusted Data | Emmanuel Lécharny
- 2026/04/27 | [oss-security] CVE-2026-7040: Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have heap overflow when processing some malformed UTF-8 characters | Robert Rothenberg
- 2026/04/27 | [oss-security] ZDRES-059: CVE-2026-41635: Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE | Emmanuel Lécharny
- 2026/04/27 | [oss-security] uriparser 1.0.1 fixes CVE-2026-42371 (integer overflow) | Sebastian Pipping
- 2026/04/27 | [oss-security] plasma-login-manager: Weaknesses in plasmaloginauthhelper (CVE-2026-25710) | Matthias Gerstner
- 2026/04/26 | [oss-security] CVE-2026-40860: Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp | Andrea Cosentino
- 2026/04/26 | [oss-security] CVE-2026-40858: Apache Camel: Camel-Infinispan: Unsafe Deserialization in Remote Aggregation Repository | Andrea Cosentino
- 2026/04/26 | [oss-security] CVE-2026-40473: Apache Camel: Camel-Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP | Andrea Cosentino
- 2026/04/26 | [oss-security] CVE-2026-40453: Apache Camel: Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) allows case-variant header injection | Andrea Cosentino
- 2026/04/26 | [oss-security] CVE-2026-40048: Apache Camel: Camel-PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager | Andrea Cosentino
- 2026/04/26 | [oss-security] CVE-2026-40022: Apache Camel: Camel-Platform-HTTP-Main: Authentication Bypass on Non-Root Context Paths in camel main runtime | Andrea Cosentino
- 2026/04/26 | [oss-security] CVE-2026-33454: Apache Camel: Inbound Header Filter Missing in MailHeaderFilterStrategy Allows Remote Code Execution via MIME Header Injection (CVE-2025-30177 Variant) | Andrea Cosentino
- 2026/04/26 | [oss-security] CVE-2026-33453: Apache Camel: CoAP URI Query Parameter to Exchange Header Injection in camel-coap Allows Single-Packet Pre-Auth Remote Code Execution | Andrea Cosentino
- 2026/04/26 | [oss-security] CVE-2026-27172: Apache Camel: Unsafe Java deserialization in camel-consul ConsulRegistry allows arbitrary code execution via malicious values read from the Consul KV store | Andrea Cosentino
- 2026/04/26 | [oss-security] libexpat 2.8.0 fixes CVE-2026-41080 (insufficient entropy) | Sebastian Pipping
- 2026/04/25 | [oss-security] CVE-2026-41081: Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure | Richard Zowalla
- 2026/04/25 | [oss-security] CVE-2026-40557: Apache Storm Prometheus Reporter: Disabling TLS verification for Prometheus Reporter also disables it for all other connections | Richard Zowalla
- 2026/04/25 | [oss-security] bubblewrap CVE-2026-41163: Privilege escalation if setuid root, via ptrace | Simon McVittie
- 2026/04/24 | [oss-security] rust-openssl-v0.10.78 fixes 5 CVEs | Alan Coopersmith
- 2026/04/24 | [oss-security] CVE-2026-40690: Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users | Rahul Vats
- 2026/04/24 | [oss-security] CVE-2026-38743: Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities | Rahul Vats
- 2026/04/23 | [oss-security] CVE-2025-62233: Apache DolphinScheduler: Deserialization of untrusted data in RPC | Wenjun Ruan
- 2026/04/23 | [oss-security] CVE-2026-23902: Apache DolphinScheduler: Users are able to use tenants that are not defined on the platform during workflow execution. | Wenjun Ruan
- 2026/04/23 | [oss-security] CVE-2026-41044: Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All: Authenticated user can perform RCE via DestinationView MBean exposed by Jolokia | Christopher L. Shannon
- 2026/04/23 | [oss-security] CVE-2026-41043: Apache ActiveMQ, Apache ActiveMQ Web: ActiveMQ Web Console - XSS vulnerability when browsing queues | Christopher L. Shannon
- 2026/04/23 | [oss-security] CVE-2026-40466: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Possible bypass of CVE-2026-34197 via HTTP discovery second-stage URI | Christopher L. Shannon
- 2026/04/23 | [oss-security] PowerDNS Authoritative Server 4.9.14 and 5.0.4 released | Miod Vallat
- 2026/04/23 | [oss-security] CVE-2026-41564: CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking | Stig Palmquist
- 2026/04/23 | [oss-security] PowerDNS Security Advisory 2026-03 for PowerDNS Recursor: Multiple issues | Otto Moerbeek
- 2026/04/22 | [oss-security] [vim-security] OS Command Injection in netrw affects Vim < 9.2.0383 | Christian Brabandt
- 2026/04/22 | Re: [oss-security] CVE-2017-20230: Storable versions before 3.05 for Perl has a stack overflow | Steffen Nurpmeso
- 2026/04/22 | [oss-security] CVE-2026-41651: TOCTOU vulnerability in PackageKit <= 1.3.4 leads to local root exploit | Matthias Klumpp
- 2026/04/22 | [oss-security] [SECURITY] CVE-2026-40542: Apache HttpClient 5.6 SCRAM-SHA-256 mutual authentication bypass | Arturo Bernal
- 2026/04/21 | Re: [oss-security] Go 1.26.2 and Go 1.25.9 are released with 10 security fixes | Demi Marie Obenour
- 2026/04/21 | Re: [oss-security] UAF in rsync 3.4.1 and below | Sam James
- 2026/04/21 | Re: [oss-security] CVE-2017-20230: Storable versions before 3.05 for Perl has a stack overflow | Sam James
- 2026/04/21 | Re: [oss-security] CVE-2017-20230: Storable versions before 3.05 for Perl has a stack overflow | Sam James
- 2026/04/21 | [oss-security] CVE-2025-15638: Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt | Robert Rothenberg
- 2026/04/21 | [oss-security] CVE-2017-20230: Storable versions before 3.05 for Perl has a stack overflow | Robert Rothenberg
- 2026/04/21 | [oss-security] CVE-2026-40706: ntfs-3g 2022.10.3: Heap buffer overflow | Rostislav
- 2026/04/21 | [oss-security] Fwd: X.Org Security Advisory: CVE-2026-4367: libXpm Out-of-bounds read in xpmNextWord() | Olivier Fourdan
- 2026/04/21 | Re: [oss-security] Go 1.26.2 and Go 1.25.9 are released with 10 security fixes | Michael Orlitzky
- 2026/04/21 | [oss-security] Libgcrypt security releases 1.12.2, 1.11.3, 1.10.x | Valtteri Vuorikoski
- 2026/04/20 | [oss-security] The GNU C Library security advisories update for 2026-04-20 | Carlos O'Donell
- 2026/04/20 | [oss-security] Fwd: [CVE-2026-3219] pip doesn't reject concatenated ZIP and tar archives | Alan Coopersmith
- 2026/04/20 | Re: [oss-security] Go 1.26.2 and Go 1.25.9 are released with 10 security fixes | Demi Marie Obenour
- 2026/04/20 | Re: [oss-security] Go 1.26.2 and Go 1.25.9 are released with 10 security fixes | Morten Linderud
- 2026/04/20 | [oss-security] [ADVISORY] CVE-2026-5367: Heap over-read in OVN DHCPv6 Client ID processing | Ales Musil
- 2026/04/20 | [oss-security] Re: [ADVISORY] CVE-2026-5367: Heap over-read in OVN DHCPv6 Client ID processing | Ales Musil
- 2026/04/20 | [oss-security] Re: [ADVISORY] CVE-2026-5265: Heap Over-Read in ICMP Error Response Generation | Ales Musil
- 2026/04/20 | [oss-security] [ADVISORY] CVE-2026-5265: Heap Over-Read in ICMP Error Response Generation | Ales Musil
- 2026/04/20 | Re: [oss-security] Go 1.26.2 and Go 1.25.9 are released with 10 security fixes | Dimitri Ledkov
- 2026/04/19 | Re: [oss-security] Go 1.26.2 and Go 1.25.9 are released with 10 security fixes | Matthias Ferdinand
- 2026/04/19 | Re: [oss-security] CVE-2025-27363: FontForge affected by FreeType heap-buffer-overflow; upstream maintainer declines under Community-guidelines #D1 | Sam James
- 2026/04/19 | Re: [oss-security] [CVE REQUEST] terminal-controller-mcp: trivially bypassable command blocklist enables unrestricted RCE (CVSS 10.0) | Alan Coopersmith
- 2026/04/19 | [oss-security] [CVE REQUEST] terminal-controller-mcp: trivially bypassable command blocklist enables unrestricted RCE (CVSS 10.0) | Pico 🧬
- 2026/04/18 | [oss-security] CVE-2026-41113: RCE in sagredo fork of qmail | Alan Coopersmith
- 2026/04/18 | Re: [oss-security] [CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability | Solar Designer
- 2026/04/18 | [oss-security] Re: [CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability | cyber security
- 2026/04/18 | [oss-security] Re: [CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability | cyber security
- 2026/04/18 | [oss-security] Re: lcms2 <= 2.18 CubeSize() integer overflow: stock Ubuntu 24.04 Poppler / evince-thumbnailer / OpenJDK crashers (different triggers), no CVE | Abhinav Agarwal
- 2026/04/17 | Re: [oss-security] Go 1.26.2 and Go 1.25.9 are released with 10 security fixes | Sam James
- 2026/04/17 | [oss-security] lcms2 <= 2.18 CubeSize() integer overflow: stock Ubuntu 24.04 Poppler / evince-thumbnailer / OpenJDK crashers (different triggers), no CVE | Abhinav Agarwal
- 2026/04/17 | Re: [oss-security] Go 1.26.2 and Go 1.25.9 are released with 10 security fixes | Eli Schwartz
- 2026/04/17 | [oss-security] CVE-2026-40948: Apache Airflow Keycloak Provider: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager | Jarek Potiuk
- 2026/04/17 | [oss-security] Xen Security Advisory 488 v1 - x86: Floating Point Divider State Sampling | Xen . org security team
- 2026/04/17 | [oss-security] ngtcp2: qlog_parameters_set_transport_params_stack_overflow [CVE-2026-40170] | Alan Coopersmith
- 2026/04/17 | [oss-security] cups: 8 various moderate vulnerabilities | Zdenek Dohnal
- 2026/04/17 | Re: [oss-security] Go 1.26.2 and Go 1.25.9 are released with 10 security fixes | Matthias Ferdinand
- 2026/04/17 | [oss-security] CVE-2026-25917: Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5) | Rahul Vats
- 2026/04/17 | [oss-security] CVE-2026-32228: Apache Airflow: Users with asset materialization permisssions could trigger Dags they had no access to | Rahul Vats
- 2026/04/17 | [oss-security] CVE-2026-30898: Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf | Rahul Vats
- 2026/04/17 | [oss-security] CVE-2026-32690: Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1 | Rahul Vats
- 2026/04/17 | [oss-security] CVE-2026-30912: Apache Airflow: Exposing stack trace in case of constraint error | Rahul Vats
- 2026/04/17 | [oss-security] CVE-2025-66335: Apache Doris MCP Server: MCP SQL inject | Mingyu Chen
- 2026/04/17 | [oss-security] CVE-2026-33558: Apache Kafka, Apache Kafka Clients: Information Exposure Through Network Client Log Output | Luke Chen
- 2026/04/17 | [oss-security] CVE-2026-33557: Apache Kafka: Missing JWT token validation in OAUTHBEARER authentication | Luke Chen
- 2026/04/16 | Re: [oss-security] Apache Kvrocks affected by CVE-2024-31449 and CVE-2025-49844 (Redis Lua); fixed but no formal advisory | yangjincheng1998
- 2026/04/16 | [oss-security] Re: [CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability | cyber security
- 2026/04/16 | Re: [oss-security] Apache Kvrocks affected by CVE-2024-31449 and CVE-2025-49844 (Redis Lua); fixed but no formal advisory | Solar Designer
- 2026/04/16 | Re: [oss-security] Apache Kvrocks affected by CVE-2024-31449 and CVE-2025-49844 (Redis Lua); fixed but no formal advisory | yangjincheng1998
- 2026/04/16 | Re: [oss-security] UAF in rsync 3.4.1 and below | Salvatore Bonaccorso
- 2026/04/16 | Re: [oss-security] Apache Kvrocks affected by CVE-2024-31449 and CVE-2025-49844 (Redis Lua); fixed but no formal advisory | Alan Coopersmith
- 2026/04/16 | [oss-security] CVE-2026-31987: Apache Airflow: JWT token appearing in logs | Rahul Vats
- 2026/04/16 | [oss-security] Apache Kvrocks affected by CVE-2024-31449 and CVE-2025-49844 (Redis Lua); fixed but no formal advisory | yangjincheng1998
- 2026/04/16 | [oss-security] CVE-2025-27363: FontForge affected by FreeType heap-buffer-overflow; upstream maintainer declines under Community-guidelines #D1 | yangjincheng1998
- 2026/04/16 | Re: [oss-security] UAF in rsync 3.4.1 and below | Alan Coopersmith
- 2026/04/16 | [oss-security] cosmic-greeter: Unsafe File System Operations in User Home Directories (CVE-2026-25704) | Matthias Gerstner
- 2026/04/15 | [oss-security] UAF in rsync 3.4.1 and below | Przemyslaw Frasunek
- 2026/04/15 | Re: [oss-security] 7 vulnerabilities disclosed & patched in jq | Collin Funk
- 2026/04/15 | Re: [oss-security] Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland | Alan Coopersmith
- 2026/04/15 | [oss-security] 7 vulnerabilities disclosed & patched in jq | Alan Coopersmith
- 2026/04/15 | [oss-security] [vim-security] Command injection via backtick expansion in tag filenames in Vim < v9.2.0357 | Christian Brabandt
- 2026/04/15 | [oss-security][CVE-2026-5713] CPython: Out-of-bounds read/write during remote debugging when connecting to malicious target | Alan Coopersmith
- 2026/04/15 | [oss-security] Re: CVE-2026-5088: Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts | Jacques Deguest
- 2026/04/15 | [oss-security] CVE-2026-5088: Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts | Robert Rothenberg
- 2026/04/15 | [oss-security] CVE-2026-25219: Apache Airlfow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access | Jarek Potiuk
- 2026/04/14 | [oss-security] CVE-2026-30778: Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. | Kai Wan
- 2026/04/14 | [oss-security] CVE-2025-54550: Apache Airflow: RCE by race condition in example_xcom dag | Jarek Potiuk
- 2026/04/14 | [oss-security] [OSSA-2026-007] OpenStack Keystone: LDAP identity backend does not convert enabled attribute to boolean (CVE PENDING) | Goutham Pacha Ravi
- 2026/04/14 | [oss-security] Fwd: X.Org Security Advisory: multiple security issues X.Org X server and Xwayland | Olivier Fourdan
- 2026/04/14 | [oss-security] [disclosure] Multiple unpatched CVEs in libav (unmaintained FFmpeg fork, last update 2019) | yangjincheng1998
- 2026/04/13 | [oss-security] wolfSSL 5.9.1 CVE and non-CVE fixes | Solar Designer
- 2026/04/13 | [oss-security] wolfSSL ML-DSA: same-process heap reuse exposes private signing material, enabling signature forgery | Abhinav Agarwal
- 2026/04/13 | [oss-security] CVE-2026-33929: Apache PDFBox Examples: Path Traversal in PDFBox ExtractEmbeddedFiles Example Code | Tilman Hausherr
- 2026/04/13 | [oss-security] CVE-2026-31908: Apache APISIX: forward auth plugin allows header injection | Abhishek Choudhary
- 2026/04/13 | [oss-security] CVE-2026-31924: Apache APISIX: Plugin tencent-cloud-cls log export uses plaintext HTTP | Abhishek Choudhary
- 2026/04/13 | [oss-security] CVE-2026-31923: Apache APISIX: Openid-connect `tls_verify` field is disabled by default | Abhishek Choudhary
- 2026/04/13 | [oss-security] CVE-2026-5086: Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks | Robert Rothenberg
- 2026/04/13 | [oss-security][CVE-2026-4786] CPython: Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open() | Alan Coopersmith
- 2026/04/13 | [oss-security][CVE-2026-6100] CPython: Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure | Alan Coopersmith
- 2026/04/13 | Re: [oss-security] Security Audit of Hex, the Erlang package manager | Alan Coopersmith
- 2026/04/13 | [oss-security] CVE-2026-39816: Apache NiFi: Missing Execute Code Required Permission on TinkerpopClientService | David Handermann
- 2026/04/13 | [oss-security] CVE-2026-33858: Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API | Rahul Vats
- 2026/04/13 | [oss-security] CVE-2025-66236: Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI | Rahul Vats
- 2026/04/13 | [oss-security] CVE-2026-34884: Apache SkyWalking MCP: SSRF via set_skywalking_url Tool and GraphQL Expression Injection in MCP Server | Qiuxia Fan
- 2026/04/13 | [oss-security] CVE-2026-34476: Apache SkyWalking MCP: Server-Side Request Forgery via SW-URL Header in MCP Server | Qiuxia Fan
- 2026/04/13 | [oss-security] CVE-2025-54057: Apache SkyWalking: Stored XSS vulnerability | Zhenxu Ke
- 2026/04/13 | [oss-security] CVE-2026-5085: Solstice::Session versions through 1440 for Perl generates session ids insecurely | Robert Rothenberg
- 2026/04/12 | Re: [oss-security] Security Audit of Hex, the Erlang package manager | Alexander Patrakov
- 2026/04/12 | [oss-security] CVE-2026-35565: Apache Storm UI: Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Storm UI | Richard Zowalla
- 2026/04/12 | [oss-security] CVE-2026-35337: Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling | Richard Zowalla
- 2026/04/12 | Re: [oss-security] GNU tar: listing/extraction desynchronization allows hidden file injection | Paul Eggert
- 2026/04/12 | [oss-security] Security Audit of Hex, the Erlang package manager | Alan Coopersmith
- 2026/04/11 | Re: [oss-security] GNU tar: listing/extraction desynchronization allows hidden file injection | Collin Funk