oss-security

Messages by Thread

[oss-security] CVE-2024-45219: Apache CloudStack: Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure Daniel Augusto Veronezi Salvador
[oss-security] CVE-2023-50780: Apache ActiveMQ Artemis: Authenticated users could perform RCE via Jolokia MBeans Justin Bertram
[oss-security] [kubernetes] CVE-2024-9486 and CVE-2024-9594: VM images built with Kubernetes Image Builder use default credentials Joel Smith
[oss-security] CVE-2024-46911: Apache Roller: Weakness in CSRF protection allows privilege escalation David M. Johnson
[oss-security] libarchive 3.7.5 released with security fixes Alan Coopersmith
[oss-security] CVE-2024-28168: Apache XML Graphics FOP: XML External Entity (XXE) Processing Simon Steiner
[oss-security] CVE-2024-45720: Apache Subversion: Command line argument injection on Windows platforms Stefan Sperling
[oss-security] [vim-security] use-after-free when closing buffers in Vim < 9.1.0764 Christian Brabandt
[oss-security] OSSA-2024-004 / CVE-2024-47211: OpenStack Ironic <26.1.1 fails to verify checksums of supplied image_source URLs when configured to convert images to raw for streaming Jay Faulkner
[oss-security] CVE-2024-8508 in Unbound DNS server prior to 1.21.1 Alan Coopersmith
[oss-security] CVE-2024-42415: Integer Overflow in GNOME libgsf Alan Coopersmith
- Re: [oss-security] CVE-2024-42415: Integer Overflow in GNOME libgsf Alan Coopersmith
[oss-security] CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Johannes Segitz
- [oss-security] Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Simon Josefsson
- Re: [oss-security] CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Solar Designer
- [oss-security] Re: CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Simon Josefsson
- Re: [oss-security] CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Solar Designer
- Re: [oss-security] CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Matthias Gerstner
- Re: [oss-security] CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Demi Marie Obenour
- Re: [oss-security] CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Solar Designer
- Re: [oss-security] CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Matthias Gerstner
- Re: [oss-security] CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Steffen Nurpmeso
- Re: [oss-security] CVE-2024-47191: Local root exploit in the PAM module pam_oath.so Solar Designer
[oss-security] cups-browsed vulnerable to DDoS amplification attack Larry Cashdollar
- Re: [oss-security] cups-browsed vulnerable to DDoS amplification attack Peter van Dijk
- Re: [oss-security] cups-browsed vulnerable to DDoS amplification attack Larry Cashdollar
- Re[2]: [oss-security] cups-browsed vulnerable to DDoS amplification attack larry0
[oss-security] PowerDNS Security Advisory 2024-04 Otto Moerbeek
[oss-security] CVE-2024-47554: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader Gary D. Gregory
[oss-security] CVE-2024-47561: Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK) Martin Tzvetanov Grigorov
[oss-security] Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck
- [oss-security] Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck
- [oss-security] Multiple vulnerabilities in Jenkins and Jenkins plugins Kevin Guerroudj
[oss-security] CVE-2024-45772: Apache Lucene Replicator: Deserialization of Untrusted Data Robert Muir
[oss-security] CUPS printing system vulnerabilities Solar Designer
- Re: [oss-security] CUPS printing system vulnerabilities Alan Coopersmith
- Re: [oss-security] CUPS printing system vulnerabilities Solar Designer
- Re: [oss-security] CUPS printing system vulnerabilities Zdenek Dohnal
- Re: [oss-security] CUPS printing system vulnerabilities Michael Sweet
- Re: [oss-security] CUPS printing system vulnerabilities Mark Esler
- Re: [oss-security] CUPS printing system vulnerabilities Will Dormann
[oss-security] CVE-2024-47197: Maven Archetype Plugin: Maven Archetype integration-test may package local settings into the published artifact, possibly containing credentials Slawomir Jaranowski
[oss-security] WebKitGTK and WPE WebKit Security Advisory WSA-2024-0005 Adrian Perez de Castro
[oss-security] CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Enxin Xie
- Re: [oss-security] CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Solar Designer
- RE: [oss-security] CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Goldberg, Adam
- Re: [oss-security] CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Jeffrey Walton
- Re: [oss-security] CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses LinkinStar
- Re: [oss-security] CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Solar Designer
- Re: [oss-security] CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Demi Marie Obenour
- Re: [oss-security] CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Alexander Patrakov
- Re: [oss-security] CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Fabian Bäumer
- Re: [oss-security] CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Sam Bull
- Re: [oss-security] CVE-2024-40761: Apache Answer: Avatar URL leaked user email addresses Fabian Bäumer
[oss-security] CVE-2024-23454: Apache Hadoop: Temporary File Local Information Disclosure Shilun Fan
[oss-security] CVE-2024-42154: Linux kernel: tcp_metrics: validate source addr length Joel GUITTET
- Re: [oss-security] CVE-2024-42154: Linux kernel: tcp_metrics: validate source addr length Solar Designer
- Re: [oss-security] CVE-2024-42154: Linux kernel: tcp_metrics: validate source addr length Sandipan Roy
[oss-security] CVE-2024-39928: Apache Linkis Spark EngineConn: Commons Lang's RandomStringUtils Random string security vulnerability Heping Wang
[oss-security] Xen Security Advisory 462 v2 (CVE-2024-45817) - x86: Deadlock in vlapic_error() Xen . org security team
[oss-security] CVE-2024-38286: Apache Tomcat: Denial of Service Mark Thomas
[oss-security] CVE-2024-46544: Apache Tomcat Connectors: mod_jk: local users can view and modify configuration Mark Thomas
[oss-security] CVE-2024-42323: Apache HertzBeat: RCE by snakeYaml deser load malicious xml Chao Gong
[oss-security] Performance Co-Pilot (PCP): pmcd network daemon security issues and review results (CVE-2024-45769), (CVE-2024-45770) Matthias Gerstner
[oss-security] CVE-2024-45537: Apache Druid: Users can provide MySQL JDBC properties not on allow list Karan Kumar
[oss-security] CVE-2024-45384: Apache Druid: Padding oracle in druid-pac4j extension that allows an attacker to manipulate a pac4j session cookie via Padding Oracle Attack Karan Kumar
[oss-security] CVE-2024-22399: Apache Seata: Remote Code Execution vulnerability via Hessian Deserialization in Apache Seata Server Min Ji
[oss-security] [SECURITY ADVISORY] curl: CVE-2024-8096: OCSP stapling bypass with GnuTLS Daniel Stenberg
[oss-security] CVE-2024-6655 Library injection from CWD in GTK-2/GTK-3 Dimitrios Glynos
[oss-security] Security fixes available in Python 3.13.0RC2, 3.12.6, 3.11.10, 3.10.15, 3.9.20, and 3.8.20 Alan Coopersmith
[oss-security] CVE-2024-45751: CHAP authentication bypass in user-space Linux target framework (tgt) up to v1.0.92 David Gstir
[oss-security] libpcap 1.10.5 released with two security fixes Alan Coopersmith
[oss-security] CVE-2024-7012, CVE-2024-7923: Authentication bypass in Foreman & Pulpcore Christian Hoffmann
[oss-security] CVE-2024-45034: Apache Airflow: Authenticated DAG authors could execute code on scheduler nodes Ephraim Anierobi
[oss-security] CVE-2024-45498: Apache Airflow: Command Injection in an example DAG Ephraim Anierobi
[oss-security] Go 1.23.1 and Go 1.22.7 released with 3 security fixes Alan Coopersmith
[oss-security] [OSSA-2024-003] OpenStack Ironic: Unvalidated image data passed to qemu-img (CVE-2024-44082) Brian Rosmaita
[oss-security] CVE-2024-43402: Rust before 1.81.0 didn't fully fix argument escaping for batch files Pietro Albini
[oss-security] Re: CVE-2024-45310: runc can be tricked into creating empty files/directories on host Aleksa Sarai
[oss-security] Webmin UDP/10000 discovery service Loop DoS (COK-2024-05-05) Sergei G
[oss-security] CVE-2024-45507: Apache OFBiz: Prevent use of URLs in files when loading them from Java or Groovy, leading to a RCE Jacques Le Roux
[oss-security] CVE-2024-45195: Apache OFBiz: Confused controller-view authorization logic (forced browsing) Jacques Le Roux
[oss-security] CPython: [CVE-2024-6232] Regular-expression DoS when parsing TarFile headers Alan Coopersmith
[oss-security] CVE-2024-6119: OpenSSL: Possible denial of service in X.509 name checks Tomas Mraz
[oss-security] Django CVE-2024-45230 and CVE-2024-45231 Natalia Bidart
[oss-security] CVE-2024-45310: runc can be tricked into creating empty files/directories on host Aleksa Sarai
- Re: [oss-security] CVE-2024-45310: runc can be tricked into creating empty files/directories on host Mike O'Connor
[oss-security] Linux kernel: memory leak in arch/powerpc/platforms/powernv/opal-irqchip.c: opal_event_init() 2639161967
- Re: [oss-security] Linux kernel: memory leak in arch/powerpc/platforms/powernv/opal-irqchip.c: opal_event_init() Solar Designer
- Re: [oss-security] Linux kernel: memory leak in arch/powerpc/platforms/powernv/opal-irqchip.c: opal_event_init() Michael Ellerman
[oss-security] [vim-security] heap-buffer-overflow in Vim > 9.1.0038 && < 9.1.0707 Christian Brabandt
[oss-security] CVE-2023-49582: Apache Portable Runtime (APR): Unexpected lax shared memory permissions Eric Covener
[oss-security] [vim-security] heap-buffer-overflow in ins_typebuf() in Vim < 9.1.0697 Christian Brabandt
[oss-security] [vim-security] heap-buffer-overflow in do_search() in Vim < 9.1.0689 Christian Brabandt
[oss-security] gh:facebook/rocksdb v9.5.2 - SupplyChainAttackPoC for Meta BB Andreas Stieger
[oss-security] CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Alan Coopersmith
- Re: [oss-security] CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman
- Re: [oss-security] CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman
- Re: [oss-security] CPython: CVE-2024-8088: Infinite loop when iterating over zip archive entry names Fay Stegerman
[oss-security] CVE-2024-41937: Apache Airflow: Stored XSS Vulnerability on provider link Ephraim Anierobi
[oss-security] CVE-2023-49198: Apache SeaTunnel Web: Arbitrary file read vulnerability Jun Gao
[oss-security] CVE-2024-22281: Apache Helix Front (UI): Helix front hard-coded secret in the express-session Junkai Xue
[oss-security] CVE-2024-43202: Apache DolphinScheduler: Remote Code Execution Vulnerability ShunFeng Cai
[oss-security] Landlock Houdini fix: CVE-2024-42318 Mickaël Salaün
[oss-security] WebKitGTK and WPE WebKit Security Advisory WSA-2024-0004 Adrian Perez de Castro
[oss-security] AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024) David A. Wheeler
- Re: [oss-security] AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024) Alfredo Ortega
- Re: [oss-security] AI Cyber Challenge (AIxCC) semi-final results from DEF CON 32 (2024) David A. Wheeler
[oss-security] Unbound 1.21.0 released with multiple security fixes Alan Coopersmith
[oss-security] [kubernetes] CVE-2024-7646: Ingress-nginx Annotation Validation Bypass Craig Ingram
[oss-security] Heads-up: there are two versions of Intel microcode update IPU 2024.3 Samuel Verschelde
[oss-security] [vim-security] use-after-free in alist_add() in Vim < v9.1.0678 Christian Brabandt
[oss-security] Dovecot CVE-2024-23185: Very large headers can cause resource exhaustion when parsing message Aki Tuomi
[oss-security] Dovecot CVE-2024-23184: Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive Aki Tuomi
[oss-security] flatpak CVE-2024-42472: Access to files outside sandbox for apps using persistent= (--persist) Simon McVittie
[oss-security] CVE-2024-7347: nginx: ngx_http_mp4_module: Worker process crash by using a specially crafted mp4 file Solar Designer
[oss-security] Xen Security Advisory 461 v2 (CVE-2024-31146) - PCI device pass-through with shared resources Xen . org security team
[oss-security] Xen Security Advisory 460 v2 (CVE-2024-31145) - error handling in x86 IOMMU identity mapping Xen . org security team
[oss-security] CVE-2024-41909: Apache MINA SSHD: integrity check bypass Arnout Engelen
[oss-security] CVE-2024-42008 and more: XSS vulnerabilities in Roundcube webmail Valtteri Vuorikoski
[oss-security] CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL Solar Designer
[oss-security] CVE-2024-30188: Apache DolphinScheduler: Resource File Read And Write Vulnerability ShunFeng Cai
[oss-security] CVE-2024-29831: Apache DolphinScheduler: RCE by arbitrary js execution ShunFeng Cai
[oss-security] CVE-2024-41888: Apache Answer: The link for resetting user password is not Single-Use Enxin Xie
[oss-security] CVE-2024-41890: Apache Answer: The link to reset the user's password will remain valid after sending a new link Enxin Xie
[oss-security] KL-001-2024-006: Open WebUI Arbitrary File Upload + Path Traversal KoreLogic Disclosures
[oss-security] KL-001-2024-005: Open WebUI Stored Cross-Site Scripting KoreLogic Disclosures
[oss-security] Multiple vulnerabilities in Jenkins Daniel Beck
- [oss-security] Multiple vulnerabilities in Jenkins Kevin Guerroudj
[oss-security] CVE-2024-42222: Apache CloudStack: Unauthorised Network List Access Rohit Yadav
[oss-security] CVE-2024-42062: Apache CloudStack: User Key Exposure to Domain Admins Rohit Yadav
[oss-security] Tracking down a lost CVE request (MITRE) Michael Orlitzky
- Re: [oss-security] Tracking down a lost CVE request (MITRE) Mark Esler
- Re: [oss-security] Tracking down a lost CVE request (MITRE) Michael Orlitzky
[oss-security] Django CVE-2024-41989, CVE-2024-41990, CVE-2024-41991, and CVE-2024-42005 Sarah Boyce
[oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Neil Horman
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Marco Moock
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Stuart Henderson
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Marco Moock
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Bob Friesenhahn
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jeffrey Walton
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Neil Horman
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Demi Marie Obenour
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Chad Sheridan
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jeffrey Walton
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Dan Kegel
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Demi Marie Obenour
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 niekt0
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Solar Designer
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Pat Gunn
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Clemens Lang
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 steffen
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Peter Gutmann
- Re: [oss-security] collision confounders (was: feedback requested regarding deprecation of TLS 1.0/1.1) Jacob Bachmeyer
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Demi Marie Obenour
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Clemens Lang
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jens Timmerman
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Marco Moock
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Clemens Lang
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Demi Marie Obenour
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Alex Gaynor
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Neil Horman
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jan Engelhardt
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Duncan Grisby
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Mike O'Connor
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Pat Gunn
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Hanno Böck
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Peter Gutmann
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jeffrey Walton
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Peter Gutmann
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Steffen Nurpmeso
- Re: [oss-security] feedback requested regarding deprecation of TLS 1.0/1.1 Jacob Bachmeyer
[oss-security] CVE-2024-36448: Apache IoTDB Workbench: SSRF Vulnerability (EOL) Haonan Hou
[oss-security] CVE-2024-42447: Apache Airflow Providers FAB: FAB provider 1.2.1 and 1.2.0 did not let user to logout for Airflow Jarek Potiuk
[oss-security] CVE-2024-38856: Apache OFBiz: Unauthenticated endpoint could allow execution of screen rendering code Jacques Le Roux
[oss-security] CVE-2024-36268: Apache InLong TubeMQ Client: Remote Code Execution vulnerability Charles Zhang
[oss-security] CVE-2024-27182: Apache Linkis Basic management services: Engine material management Arbitrary file deletion vulnerability Heping Wang
[oss-security] CVE-2024-27181: Apache Linkis Basic management services: Privilege Escalation Attack vulnerability Heping Wang
[oss-security] Neat VNC Security Vulnerability Andri Yngvason
- Re: [oss-security] Neat VNC Security Vulnerability Solar Designer
- RE: [oss-security] Neat VNC Security Vulnerability Dane Bouchie
- Re: [oss-security] Neat VNC Security Vulnerability Solar Designer
- Re: [oss-security] Neat VNC Security Vulnerability Andri Yngvason
- RE: [oss-security] Neat VNC Security Vulnerability Dane Bouchie
- Re: [oss-security] Neat VNC Security Vulnerability Salvatore Bonaccorso
[oss-security] CPython CVE-2024-6923: Email header injection due to unquoted newlines Alan Coopersmith
- Re: [oss-security] CPython CVE-2024-6923: Email header injection due to unquoted newlines Hanno Böck
[oss-security] [vim-security] double-free in dialog_changed() in Vim < v9.1.0648 Christian Brabandt
[oss-security] [vim-security] use-after-free in tagstack_clear_entry() in Vim < v9.1.0647 Christian Brabandt
[oss-security] [SECURITY ADVISORY] curl: CVE-2024-7264 ASN.1 date parser overread Daniel Stenberg
[oss-security] CVE-2023-48396: Apache SeaTunnel Web: Authentication bypass Jun Gao