oss-security mailing list

Follow @Openwall on Twitter for new release announcements and other news

oss-security mailing list

	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2026	141	103	190	45
2025	92	75	93	105	94	100	69	75	107	112	106	140
2024	80	100	178	197	72	47	128	107	58	52	87	44
2023	69	62	100	107	99	78	87	60	122	198	86	101
2022	116	50	47	79	83	58	77	86	76	70	95	108
2021	92	91	98	90	88	59	61	82	49	76	60	47
2020	52	47	38	82	70	67	76	64	71	85	90	66
2019	102	48	49	86	51	103	107	80	71	75	67	70
2018	122	81	84	81	71	104	71	135	78	120	75	84
2017	252	278	171	171	209	278	225	157	214	162	196	93
2016	258	207	271	183	267	193	214	184	287	294	257	241
2015	377	336	355	319	277	243	266	197	195	206	205	208
2014	214	252	249	211	183	317	273	201	413	485	382	318
2013	217	323	246	258	200	201	260	265	163	203	182	199
2012	333	189	294	216	234	128	150	207	234	192	191	161
2011	153	169	318	354	159	224	258	164	137	203	241	146
2010	72	96	123	118	115	142	119	144	203	84	187	139
2009	89	81	75	114	96	59	84	99	102	122	108	74
2008		104	103	143	136	112	150	125	127	123	128	107

Recent messages:

2026/04/08 #5: Re: Axios Supply-Chain Attack [v1.14.1] [0.30.4] --> plain-crypto-js [4.2.0][4.2.1] (Solar Designer <solar@...nwall.com>)
2026/04/08 #4: Fwd: [siren] Severity: High – Potential Malicious Campaign Underway Targeting Open Source Developers via Slack (Solar Designer <solar@...nwall.com>)
2026/04/08 #3: Re: Multiple CVEs disclosed in CUPS (Peter Gutmann <pgut001@...auckland.ac.nz>)
2026/04/08 #2: Multiple CVEs disclosed in CUPS (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/08 #1: systemd-journald in systemd 259 does not escape characters in emerg messages that are wall'd to other user's terminals (Aaron Rainbolt <arraybolt3@...eup.net>)
2026/04/07 #14: Re: libcap-2.77 (since libcap-2.04) has TOCTOU privilege escalation issue (Christian Göttsche <cgoettsche@...tendoof.de>)
2026/04/07 #13: [vim-security] Netbeans command injection in Vim < v9.2.0316 (Christian Brabandt <cb@...bit.org>)
2026/04/07 #12: [OSSA-2026-005] Keystone: Restricted application credentials can create EC2 credentials (CVE-2026-33551) (Jeremy Stanley <fungi@...goth.org>)
2026/04/07 #11: OpenSSL Security Advisory (Tomas Mraz <tomas@...nssl.foundation>)
2026/04/07 #10: Django CVE-2026-3902, CVE-2026-4277, CVE-2026-4292, CVE-2026-33033, and CVE-2026-33034 (Jacob Walls <jwalls@...ngoproject.com>)
2026/04/07 #9: CASSANDRA-21202: CVE-2026-32588: Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing (Michael Semb Wever <mck@...che.org>)
2026/04/07 #8: CVE-2026-27315: Apache Cassandra: cqlsh history sensitive information leak (Michael Semb Wever <mck@...che.org>)
2026/04/07 #7: CVE-2026-27314: Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass (Michael Semb Wever <mck@...che.org>)
2026/04/07 #6: CVE-2026-35554: Apache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race Condition (Manikumar <manikumar@...che.org>)
2026/04/07 #5: Re: Heads-up: Upcoming Samba security releases (2026-04-09) (Douglas Bagnall <dbagnall@...ba.org>)
2026/04/07 #4: libcap-2.77 (since libcap-2.04) has TOCTOU privilege escalation issue ("Andrew G. Morgan" <morgan@...nel.org>)
2026/04/07 #3: Re: Announce: OpenSSH 10.3 released (Demi Marie Obenour <demiobenour@...il.com>)
2026/04/07 #2: Re: Announce: OpenSSH 10.3 released (Damien Miller <djm@...drot.org>)
2026/04/07 #1: Re: Announce: OpenSSH 10.3 released (Demi Marie Obenour <demiobenour@...il.com>)
2026/04/06 #4: CVE-2026-33227: Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ Web: Improper Limitati… ("Christopher L. Shannon" <cshannon@...c…)
2026/04/06 #3: CVE-2026-34197: Apache ActiveMQ Broker, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans ("Christopher L. Shannon" <cshannon@...che.o…)
2026/04/06 #2: Re: Announce: OpenSSH 10.3 released (Damien Miller <djm@...drot.org>)
2026/04/06 #1: Heads-up: Upcoming Samba security releases (2026-04-09) (Douglas Bagnall <dbagnall@...ba.org>)
2026/04/03 #7: Re: Announce: OpenSSH 10.3 released (Demi Marie Obenour <demiobenour@...il.com>)
2026/04/03 #6: Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 (Salvatore Bonaccorso <carnil@...ian.org>)
2026/04/03 #5: Re: Re: Multiple vulnerabilities in AppArmor (Salvatore Bonaccorso <carnil@...ian.org>)
2026/04/03 #4: Re: Announce: OpenSSH 10.3 released (Salvatore Bonaccorso <carnil@...ian.org>)
2026/04/03 #3: Re: Announce: OpenSSH 10.3 released (Agostino Sarubbo <ago@...too.org>)
2026/04/03 #2: Re: [libc musl] - Algorithmic complexity DoS in iconv GB18030 decoder (Rich Felker <dalias@...c.org>)
2026/04/03 #1: Re: [libc musl] - Algorithmic complexity DoS in iconv GB18030 decoder (Rich Felker <dalias@...c.org>)
2026/04/02 #10: [libc musl] - Algorithmic complexity DoS in iconv GB18030 decoder (Jens Jarl Nestén Hansen-Nord <jens@...ten.eu>)
2026/04/02 #9: Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 (Solar Designer <solar@...nwall.com>)
2026/04/02 #8: Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 (Christian Brabandt <cb@...bit.org>)
2026/04/02 #7: Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 ("David A. Wheeler" <dwheeler@...eeler.com>)
2026/04/02 #6: [ANNOUNCE] ATS is vulnerable to HTTP requests with body (Masakazu Kitajo <maskit@...che.org>)
2026/04/02 #5: Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 (Tianyu Chen <sweetyfish@...pin.org>)
2026/04/02 #4: Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 (Christian Brabandt <cb@...bit.org>)
2026/04/02 #3: Announce: OpenSSH 10.3 released (Damien Miller <djm@....openbsd.org>)
2026/04/02 #2: Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 (Christian Brabandt <cb@...bit.org>)
2026/04/02 #1: FW: libinput Security Advisory: multiple security issues in libinput (Peter Hutterer <peter.hutterer@...-t.net>)
2026/04/01 #5: [CVE-2026-5271] Python install manager script aliases search path hijack (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/01 #4: [vim-security] Path traversal issue with zip.vim and special crafted zip archives in Vim < v9.2.0280 (Christian Brabandt <cb@...bit.org>)
2026/04/01 #3: Re: Multiple vulnerabilities in AppArmor (Greg KH <greg@...ah.com>)
2026/04/01 #2: Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 (Christian Brabandt <cb@...bit.org>)
2026/04/01 #1: Re: [vim-security] Vim modeline bypass via various options affects Vim < 9.2.0276 (Salvatore Bonaccorso <carnil@...ian.org>)
2026/03/31 #15: [ADVISORY] CVE-2026-34956: Open vSwitch: Invalid memory access in conntrack FTP alg. (Aaron Conole <aconole@...hat.com>)
2026/03/31 #14: [vim-security] Vim modeline bypass via various options affects Vim < 9.2.0276 (Christian Brabandt <cb@...bit.org>)
2026/03/31 #13: Fwd: XZ Utils 5.8.3 and a security fix (Sam James <sam@...too.org>)
2026/03/31 #12: Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 ("David A. Wheeler" <dwheeler@...eeler.com>)
2026/03/31 #11: Re: Multiple vulnerabilities in AppArmor (Greg KH <gregkh@...uxfoundation.org>)
2026/03/31 #10: Fwd: CVE-2026-5087: PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes ins… (Robert Rothenberg <rrwo@...nsec.org>)
2026/03/31 #9: CVE-2024-14030: Sereal::Decoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in… (Robert Rothenberg <rrwo@...nsec.org>)
2026/03/31 #8: CVE-2024-14031: Sereal::Encoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in… (Robert Rothenberg <rrwo@...nsec.org>)
2026/03/31 #7: CVE-2025-15618: Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key (Robert Rothenberg <rrwo@...nsec.org>)
2026/03/31 #6: Axios Supply-Chain Attack [v1.14.1] [0.30.4] --> plain-crypto-js [4.2.0][4.2.1] (Michael Straßberger <m.strassberger@...aways.de>)
2026/03/31 #5: Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 (Tianyu Chen <sweetyfish@...pin.org>)
2026/03/31 #4: Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 (Christian Brabandt <cb@...bit.org>)
2026/03/31 #3: PowerDNS Security Advisory 2026-02 for DNSdist: Multiple issues (Remi Gacogne <remi.gacogne@...erdns.com>)
2026/03/31 #2: Re: Multiple vulnerabilities in AppArmor (John Johansen <john.johansen@...onical.com>)
2026/03/31 #1: Re: KVM shadow EPT stale rmap use-after-free (Solar Designer <solar@...nwall.com>)
2026/03/30 #9: CVE-2026-32794: Apache Airflow Provider for Databricks: TLS Certificate Verification Disabled in Databricks Provider K8s T… (Jens Scheffler <jscheffl@...che.org>)
2026/03/30 #8: pyca/cryptography: CVE-2026-34073: X.509: bypass of name constraints on wildcard SANs with matching peer names (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/03/30 #7: The GNU C Library security advisory update for 2026-03-30 (Siddhesh Poyarekar <siddhesh.poyarekar@...il.com>)
2026/03/30 #6: Re: KVM shadow EPT stale rmap use-after-free (Demi Marie Obenour <demiobenour@...il.com>)
2026/03/30 #5: KVM shadow EPT stale rmap use-after-free (Sandipan Roy <saroy@...hat.com>)
2026/03/30 #4: Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 (Demi Marie Obenour <demiobenour@...il.com>)
2026/03/30 #3: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 (Christian Brabandt <cb@...bit.org>)
2026/03/30 #2: Re: CVE-2026-4176: Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 co… (Jacob Bachmeyer <jcb62281@...il.com>)
2026/03/30 #1: CVE-2026-4176: Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vul… (Stig Palmquist <stig@...g.io>)
2026/03/29 #2: [CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability (cyber security <cs7778503@...il.com>)
2026/03/29 #1: Re: Multiple vulnerabilities in AppArmor (Greg KH <gregkh@...uxfoundation.org>)
2026/03/28 #6: Re: Multiple vulnerabilities in AppArmor (John Johansen <john.johansen@...onical.com>)
2026/03/28 #5: CVE-2026-3256: HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids (Robert Rothenberg <rrwo@...nsec.org>)
2026/03/28 #4: CVE-2025-15604: Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions (Robert Rothenberg <rrwo@...nsec.org>)
2026/03/28 #3: Re: Multiple vulnerabilities in AppArmor (Greg KH <gregkh@...uxfoundation.org>)
2026/03/28 #2: Re: [ADVISORY] SQUID-2026:1 Denial of Service in ICP Request handling (CVE-2026-33526) (Solar Designer <solar@...nwall.com>)
2026/03/28 #1: WebKitGTK and WPE WebKit Security Advisory WSA-2026-0002 (Adrian Perez de Castro <aperez@...lia.com>)
2026/03/27 #5: Re: Re: Multiple vulnerabilities in AppArmor (kf503bla@...k.com)
2026/03/27 #4: Re: Multiple vulnerabilities in AppArmor (Qualys Security Advisory <qsa@...lys.com>)
2026/03/27 #3: CVE-2026-1961: Foreman: Remote Code Execution via command injection in WebSocket proxy (Ondrej Gajdusek <ogajduse@...hat.com>)
2026/03/27 #2: Dovecot Security Advisory OXDC-2026-0001 (Aki Tuomi <aki.tuomi@...ecot.fi>)
2026/03/27 #1: Re: Multiple vulnerabilities in AppArmor (Greg KH <gregkh@...uxfoundation.org>)
2026/03/26 #7: TigerVNC 1.16.2 security release (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/03/26 #6: CVE-2026-4851: remote-to-local code execution in GRID::Machine (piedcrow@...eup.net)
2026/03/26 #5: Re: Multiple vulnerabilities in AppArmor (Qualys Security Advisory <qsa@...lys.com>)
2026/03/26 #4: Re: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown (Juergen Gross <jgross@...e.com>)
2026/03/26 #3: 7 CVEs fixed in nginx (Solar Designer <solar@...nwall.com>)
2026/03/26 #2: CVE-2014-125112: Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution (Timothy Legge <timlegge@...nsec.org>)
2026/03/26 #1: libpng 1.6.56: Two high-severity vulnerabilities fixed: CVE-2026-33416, CVE-2026-33636 (Cosmin Truta <ctruta@...il.com>)
2026/03/25 #8: Re: CVE-2026-33150, CVE-2026-33179: libfuse io_uring memory safety vulnerabilities (use-after-free, NULL deref) (Abhinav Agarwal <abhinavagarwal1996@...il.com>)
2026/03/25 #7: ISC has disclosed four vulnerabilities in BIND 9 (CVE-2026-1519, CVE-2026-3104, CVE-2026-3119, CVE-2026-3591) (Nicki Křížek <nicki@....org>)
2026/03/25 #6: ISC has disclosed one vulnerability in Kea (CVE-2026-3608) (Peter Davies <peterd@....org>)
2026/03/25 #5: backdoor in litellm version 1.82.7 (Jan Schaumann <jschauma@...meister.org>)
2026/03/25 #4: [ADVISORY] SQUID-2026:3 Out of Bounds Read in ICP message handling (CVE-2026-33515) (Amos Jeffries <squid3@...enet.co.nz>)
2026/03/25 #3: [ADVISORY] SQUID-2026:2 Denial of Service in ICP Request handling (CVE-2026-32748) (Amos Jeffries <squid3@...enet.co.nz>)
2026/03/25 #2: [ADVISORY] SQUID-2026:1 Denial of Service in ICP Request handling (CVE-2026-33526) (Amos Jeffries <squid3@...enet.co.nz>)
2026/03/25 #1: NodeJS Security Releases fixes High, 5 Medium, 2 Low severity issues (Jan Schaumann <jschauma@...meister.org>)
2026/03/24 #6: litellm pypi packages compromised, infostealer added (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/03/24 #5: Re: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown (Andrew Cooper <andrew.cooper3@...rix.com>)
2026/03/24 #4: Re: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown (Greg KH <greg@...ah.com>)

32346 messages

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.