Date: Tue, 11 Aug 2015 10:23:59 -0600
From: Kurt Seifried <>
To: oss-security <>
Subject: Terminal escape sequences - the new XSS for admins?

So we've had a bunch of this stuff over the years:

And now more recently:

And we have at least one more coming down the pipeline that's pretty

Also I'm thinking of all those docker apps that log to STDOUT.

So the basic TL;DR: please don't use really ancient terminal programs that
are vulnerable to this stuff. It appears in testing that most (all?) of the
Red Hat stuff is ok, but I can't speak for other vendors.

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact:
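
An added example, not part of the original post: a filter that rewrites terminal control characters in untrusted log output into visible text, so a terminal never interprets them. The function names, the script name in the comment, and the sample lines are constructed for illustration.

```python
import re
import sys

# C0 controls except TAB and LF, plus DEL and the C1 range (U+0080-U+009F).
# ESC (0x1b) starts 7-bit sequences; U+009B is the 8-bit CSI form.
# CR is included because it lets later text overwrite what was displayed.
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def _visible(match):
    """Render one control character as inert printable text."""
    cp = ord(match.group())
    if cp < 0x20:
        return "^" + chr(cp + 0x40)      # caret notation: ESC -> ^[, BEL -> ^G
    if cp == 0x7F:
        return "^?"
    return "\\x%02x" % cp                # C1 controls, e.g. \x9b


def has_control(line: str) -> bool:
    """True if the line carries anything a terminal could act on."""
    return _CONTROL.search(line) is not None


def neutralize(line: str) -> str:
    """Return the line with every control character made visible."""
    return _CONTROL.sub(_visible, line)


def neutralize_bytes(raw: bytes) -> str:
    """Same, for raw log bytes. Invalid UTF-8 (including a bare 0x9b byte)
    becomes a literal \\xNN escape instead of reaching the terminal."""
    return neutralize(raw.decode("utf-8", errors="backslashreplace"))


# Constructed sample log lines (not taken from any real system).
SAMPLES = [
    b"GET /index.html 200\n",
    b"GET /\x1b[31mred\x1b[0m 404\n",            # SGR colour change
    b"user-agent: \x1b]0;new title\x07 curl\n",  # OSC window-title change
    b"path=/a\x9b2J\n",                          # bare 8-bit CSI byte
]

if __name__ == "__main__":
    # Hypothetical usage: docker logs CONTAINER 2>&1 | python3 logfilter.py
    source = sys.stdin.buffer if not sys.stdin.isatty() else SAMPLES
    for raw in source:
        sys.stdout.write(neutralize_bytes(raw))
```
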
