[oss-security] PHP security releases 8.1.28, 8.2.18, & 8.3.6

2024-04-12 Thread Alan Coopersmith
https://news-web.php.net/php.announce/424 (dated April 11) states: The PHP development team announces the immediate availability of PHP 8.3.6. This is a security release that addresses CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, and CVE-2024-2757. All PHP 8.3 users are encouraged to upgrade to

[oss-security] Re: Fwd: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5

2024-04-12 Thread Alan Coopersmith
Forwarded Message Subject: Re: X.Org Security Advisory: Issues in X.Org X server prior to 21.1.12 and Xwayland prior to 23.2.5 Date: Fri, 12 Apr 2024 10:41:28 -0700 From: Alan Coopersmith To: xorg-annou...@lists.x.org CC: x...@lists.x.org The fix we provided for CVE-2024-3108

Re: [oss-security] Re: backdoor in upstream xz/liblzma leading to ssh server compromise

2024-04-12 Thread Jakub Wilk
* Jonathan Schleifer , 2024-03-30 17:17: I replaced the sed in here: sed "r\n" $gl_am_configmake | eval $gl_path_map | $gl_localedir_prefix -d 2>/dev/null With a simple cat, as I could not make sed work. This worries me as it means there is probably some other transformation that I'm missi

Re: [oss-security] Analysis on who is Jia Tan, and who he could work for, reading xz.git

2024-04-12 Thread Alejandro Colomar
Hi Jacob, Thanks to your script, I've found a mistake in my analysis of the timestamps. The commit dates in +0200 recently seem to be because Jia Tan rebased some commits from Lasse, and used --committer-date-is-author-date. commit 3007e74ef250f0ce95d97ffbdf2282284f93764d Author:

[oss-security] CVE-2024-31391: Apache Solr Operator: Solr-Operator liveness and readiness probes may leak basic auth credentials

2024-04-12 Thread Jason Gerlowski
Severity: moderate Affected versions: - Apache Solr Operator 0.3.0 through 0.8.0 Description: Insertion of Sensitive Information into Log File vulnerability in the Apache Solr Operator. This issue affects all versions of the Apache Solr Operator from 0.3.0 through 0.8.0. When asked to boots

Re: [oss-security] less(1) with LESSOPEN mishandles \n in paths

2024-04-12 Thread Sam James
Jakub Wilk writes: > less(1) does not correctly escape newlines in pathnames when > constructing command line of the input preprocessor. If a user ran > less(1) on files with untrusted names, this could result in execution > of arbitrary code. > > The input preprocessor is enabled by the LESSOPEN

[oss-security] less(1) with LESSOPEN mishandles \n in paths

2024-04-12 Thread Jakub Wilk
less(1) does not correctly escape newlines in pathnames when constructing command line of the input preprocessor. If a user ran less(1) on files with untrusted names, this could result in execution of arbitrary code. The input preprocessor is enabled by the LESSOPEN environment variable. But i

Re: [oss-security] Analysis on who is Jia Tan, and who he could work for, reading xz.git

2024-04-12 Thread Jacob Bachmeyer
Alejandro Colomar wrote: [...] On Wed, Apr 10, 2024 at 10:26:13PM -0500, Jacob Bachmeyer wrote: [...] First, a factual correction: The hypothesis that "Jia Tan" was actually in UTC+03 seems to have been backwards, since the peak activity overlaps only partially with office hours in U