> From: Solar Designer
> Sent: Friday, May 16, 2025 10:59 PM
> To: Carlos O'Donell
> Cc: oss-security@lists.openwall.com
> Subject: Re: [oss-security] The GNU C Library security advisories update for
> 2025-05-16
>
> [...]
>
> Notably, Go produces static binaries, and I guess would include glibc
On Fri, May 16, 2025 at 03:41:11PM -0400, Carlos O'Donell wrote:
> The following security advisories have been published:
>
> GLIBC-SA-2025-0002:
> ===
> elf: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH
> (CVE-2025-4802)
>
> A statically linked setuid binar
On 5/16/25 13:07, Eli Schwartz wrote:
On 5/16/25 12:31 PM, Taylor R Campbell wrote:
[...]
(a) the same pkgsrc packages are available on, e.g., NetBSD 9.x (which
is not EOL); and
(b) pkgsrc is used on platforms other than NetBSD, including macOS,
SmartOS, and various Linux distribution
The following security advisories have been published:
GLIBC-SA-2025-0002:
===
elf: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH
(CVE-2025-4802)
A statically linked setuid binary that calls dlopen (including internal
dlopen calls after setlocale or calls to
On 5/16/25 12:31 PM, Taylor R Campbell wrote:
> It is not nonsensical, and it is not the inconsequential pedantry you
> are suggesting. Please consider avoiding sarcastic disparagement when
> publicly discussing the factual matters of security reports.
>
> The report says that `NetBSD 10.1' is af
> Date: Fri, 16 May 2025 11:34:29 -0400
> From: Eli Schwartz
>
> On 5/16/25 11:01 AM, Jan Schaumann wrote:
> > I think it's useful to clarify here that NetBSD does
> > _not_ ship with GNU screen(1) at all. NetBSD's
> > third-party package manager pkgsrc[1] includes
> > screen(1), allowing users
Forwarded Message
Subject: [Security-announce][CVE-2025-4516] Use-after-free crash using
bytes.decode("unicode_escape", error="ignore|replace")
Date: Thu, 15 May 2025 09:33:30 -0400
From: Seth Larson
Reply-To: security-...@python.org
To: security-annou...@py
On 5/16/25 11:01 AM, Jan Schaumann wrote:
> Matthias Gerstner wrote:
>> we were surprised to find a local root exploit in
>> the Screen 5.0.0 major version update affecting distributions that ship
>> it as setuid-root (Arch Linux and NetBSD).
>
> I think it's useful to clarify here that NetBSD do
Matthias Gerstner wrote:
> we were surprised to find a local root exploit in
> the Screen 5.0.0 major version update affecting distributions that ship
> it as setuid-root (Arch Linux and NetBSD).
I think it's useful to clarify here that NetBSD does
_not_ ship with GNU screen(1) at all. NetBSD's
Hi,
On Thu, May 15, 2025 at 04:09:51PM +0100, Stuart Henderson wrote:
> On 2025/05/14 13:26, Matthias Gerstner wrote:
> > Indeed, this is the bugfix release announced by upstream here:
> >
> > https://lists.gnu.org/archive/html/screen-users/2025-05/msg5.html
>
> There are two different versi