oss-security mailing list

Follow @Openwall on Twitter for new release announcements and other news

oss-security mailing list

	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2026	141	103	190	113
2025	92	75	93	105	94	100	69	75	107	112	106	140
2024	80	100	178	197	72	47	128	107	58	52	87	44
2023	69	62	100	107	99	78	87	60	122	198	86	101
2022	116	50	47	79	83	58	77	86	76	70	95	108
2021	92	91	98	90	88	59	61	82	49	76	60	47
2020	52	47	38	82	70	67	76	64	71	85	90	66
2019	102	48	49	86	51	103	107	80	71	75	67	70
2018	122	81	84	81	71	104	71	135	78	120	75	84
2017	252	278	171	171	209	278	225	157	214	162	196	93
2016	258	207	271	183	267	193	214	184	287	294	257	241
2015	377	336	355	319	277	243	266	197	195	206	205	208
2014	214	252	249	211	183	317	273	201	413	485	382	318
2013	217	323	246	258	200	201	260	265	163	203	182	199
2012	333	189	294	216	234	128	150	207	234	192	191	161
2011	153	169	318	354	159	224	258	164	137	203	241	146
2010	72	96	123	118	115	142	119	144	203	84	187	139
2009	89	81	75	114	96	59	84	99	102	122	108	74
2008		104	103	143	136	112	150	125	127	123	128	107

Recent messages:

2026/04/12 #3: Re: GNU tar: listing/extraction desynchronization allows hidden file injection (Collin Funk <collin.funk1@...il.com>)
2026/04/12 #2: Re: GNU tar: listing/extraction desynchronization allows hidden file injection (Solar Designer <solar@...nwall.com>)
2026/04/12 #1: Re: GNU tar: listing/extraction desynchronization allows hidden file injection (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/11 #11: Re: GNU tar: listing/extraction desynchronization allows hidden file injection (Collin Funk <collin.funk1@...il.com>)
2026/04/11 #10: GNU tar: listing/extraction desynchronization allows hidden file injection (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/11 #9: Avahi: Reachable assertion in transport_flags_from_domain (CVE-2026-34933) (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/11 #8: LibRaw 0.22.1 Release with security fixes (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/11 #7: Re: CVE-2026-35537+more: Roundcube arbitrary write + ID/XSS/etc. prior to 1.6.14 (Valtteri Vuorikoski <vuori@...com.org>)
2026/04/11 #6: CVE-2026-35537+more: Roundcube arbitrary write + ID/XSS/etc. prior to 1.6.14 (Valtteri Vuorikoski <vuori@...com.org>)
2026/04/11 #5: CPython [CVE-2026-3446] Base64 decoding stops at first padded quad by default (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/11 #4: CPython [CVE-2026-1502] HTTP client proxy tunnel headers not validated for CR/LF (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/11 #3: [kubernetes] CVE-2026-3865: CSI Driver for SMB path traversal via subDir may delete unintended directories on the SMB s… (Vinayak Goyal <vinayakankugoyal@...il.c…)
2026/04/11 #2: CVE-2026-40199: Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypas… (Stig Palmquist <stig@...g.io>)
2026/04/11 #1: CVE-2026-40198: Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass (Stig Palmquist <stig@...g.io>)
2026/04/10 #15: xdg-dbus-proxy CVE-2026-34080: Eavesdrop filter bypass allows message interception (Simon McVittie <smcv@...ian.org>)
2026/04/10 #14: xdg-desktop-portal GHSA-rqr9-jwwf-wxgj: Trashing of arbitrary host files (Simon McVittie <smcv@...ian.org>)
2026/04/10 #13: CVE-2026-40200: musl libc: stack corruption in qsort with sufficiently large inputs (Rich Felker <dalias@...c.org>)
2026/04/10 #12: CVE-2026-40023: Apache Log4cxx, Apache Log4cxx (Conan), Apache Log4cxx (Brew): Silent log event loss in XMLLayout due to un… (Piotr Karwasz <pkarwasz@...che.org>)
2026/04/10 #11: CVE-2026-40021: Apache Log4net: Silent log event loss in XmlLayout and XmlLayoutSchemaLog4J due to unescaped XML 1.0 forbid… (Piotr Karwasz <pkarwasz@...che.org>)
2026/04/10 #10: CVE-2026-34481: Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTempla… (Piotr Karwasz <pkarwasz@...che.org>)
2026/04/10 #9: CVE-2026-34480: Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters (Piotr Karwasz <pkarwasz@...che.org>)
2026/04/10 #8: CVE-2026-34479: Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidd… (Piotr Karwasz <pkarwasz@...che.org>)
2026/04/10 #7: CVE-2026-34478: Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility (Piotr Karwasz <pkarwasz@...che.org>)
2026/04/10 #6: CVE-2026-34477: Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verifi… (Piotr Karwasz <pkarwasz@...che.org>)
2026/04/10 #5: CVE-2026-4631 [cockpit] Unauthenticated remote code execution due to SSH command-line argument injection (Jelle van der Waa <jelle@...aa.nl>)
2026/04/10 #4: Re: systemd-journald in systemd 259 does not escape characters in emerg messages that are wall'd to other user's terminals (Vincent Lefevre <vincent@...c17.net>)
2026/04/10 #3: Re: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes (Solar Designer <solar@...nwall.com>)
2026/04/10 #2: Re: X41 Advisory X41-2026-001: Guardrail Sandbox Escape in LiteLLM (Solar Designer <solar@...nwall.com>)
2026/04/10 #1: Re: systemd-journald in systemd 259 does not escape characters in emerg messages that are wall'd to other user's terminal… (Aaron Rainbolt <arraybolt3@...il.com>)
2026/04/09 #30: [OSSA-2026-006] OpenStack Skyline: DOM-based XSS in Skyline Console via unsanitized instance console log rendering (CVE… (Goutham Pacha Ravi <gouthampravi@...il.…)
2026/04/09 #29: CVE-2026-34500: Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (Mark Thomas <markt@...che.org>)
2026/04/09 #28: CVE-2026-34487: Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token (Mark Thomas <markt@...che.org>)
2026/04/09 #27: CVE-2026-34486: Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor (Mark Thomas <markt@...che.org>)
2026/04/09 #26: CVE-2026-34483: Apache Tomcat: Incomplete escaping of JSON access logs (Mark Thomas <markt@...che.org>)
2026/04/09 #25: CVE-2026-32990: Apache Tomcat: Fix for CVE-2025-66614 is incomplete (Mark Thomas <markt@...che.org>)
2026/04/09 #24: CVE-2026-29146: Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default (Mark Thomas <markt@...che.org>)
2026/04/09 #23: CVE-2026-29145: Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled (Mark Thomas <markt@...che.org>)
2026/04/09 #22: CVE-2026-29129: Apache Tomcat: TLS cipher order is not preserved (Mark Thomas <markt@...che.org>)
2026/04/09 #21: CVE-2026-25854: Apache Tomcat: Occasionally open redirect (Mark Thomas <markt@...che.org>)
2026/04/09 #20: CVE-2026-24880: Apache Tomcat: Request smuggling via invalid chunk extension (Mark Thomas <markt@...che.org>)
2026/04/09 #19: Re: [libc musl] - Algorithmic complexity DoS in iconv GB18030 decoder (Jens Jarl Nestén Hansen-Nord <jens@...ten.eu>)
2026/04/09 #18: CVE-2026-40046: Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT: Missing fix for CVE-2025-66168: MQTT contro… ("Christopher L. Shannon" <cshannon@...c…)
2026/04/09 #17: CVE-2026-39304: Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incorrect handlin… ("Christopher L. Shannon" <cshannon@...c…)
2026/04/09 #16: CVE-2025-57735: Apache Airflow: Airflow Logout Not Invalidating JWT (Rahul Vats <rahulvats@...che.org>)
2026/04/09 #15: Re: libcap-2.77 (since libcap-2.04) has TOCTOU privilege escalation issue (Tianyu Chen <sweetyfish@...pin.org>)
2026/04/09 #14: Re: libcap-2.77 (since libcap-2.04) has TOCTOU privilege escalation issue ("Andrew G. Morgan" <morgan@...nel.org>)
2026/04/09 #13: Re: systemd-journald in systemd 259 does not escape characters in emerg messages that are wall'd to other user's termin… (Salvatore Bonaccorso <carnil@...ian.org…)
2026/04/09 #12: CVE-2026-34020: Apache OpenMeetings: Login Credentials Passed via GET Query Parameters (Maxim Solodovnik <solomax@...che.org>)
2026/04/09 #11: CVE-2026-33266: Apache OpenMeetings: Hardcoded Remember-Me Cookie Encryption Key and Salt (Maxim Solodovnik <solomax@...che.org>)
2026/04/09 #10: CVE-2026-33005: Apache OpenMeetings: Insufficient checks in FileWebService (Maxim Solodovnik <solomax@...che.org>)
2026/04/09 #9: CVE-2026-34538: Apache Airflow: Authorization bypass in DagRun wait endpoint (XCom exposure) (Rahul Vats <rahulvats@...che.org>)
2026/04/09 #8: Re: 4 security fixes in Flatpak, including critical CVE-2026-34078: Complete sandbox escape leading to host file access and co… (Simon McVittie <smcv@...ian.org>)
2026/04/09 #7: Re: libcap-2.77 (since libcap-2.04) has TOCTOU privilege escalation issue (Solar Designer <solar@...nwall.com>)
2026/04/09 #6: Re: libcap-2.77 (since libcap-2.04) has TOCTOU privilege escalation issue ("Andrew G. Morgan" <morgan@...nel.org>)
2026/04/09 #5: Re: libcap-2.77 (since libcap-2.04) has TOCTOU privilege escalation issue (Solar Designer <solar@...nwall.com>)
2026/04/09 #4: lftp 4.9.3 does not filter non-printable characters in the output to the terminal (Vincent Lefevre <vincent@...c17.net>)
2026/04/09 #3: 4 security fixes in Flatpak, including critical CVE-2026-34078: Complete sandbox escape leading to host file access and code… (Solar Designer <solar@...nwall.com>)
2026/04/09 #2: libpng 1.6.57: Use-after-free vulnerability fixed: CVE-2026-34757 (Cosmin Truta <ctruta@...il.com>)
2026/04/09 #1: X41 Advisory X41-2026-001: Guardrail Sandbox Escape in LiteLLM (Markus Vervier <markus.vervier@...-dsec.de>)
2026/04/08 #14: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/08 #13: Re: Re: Heads-up: Upcoming Samba security releases (2026-04-09) (Douglas Bagnall <dbagnall@...ba.org>)
2026/04/08 #12: PyCA cryptography 46.0.7 released, fixes CVE-2026-39892 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/08 #11: Re: Fwd: [siren] Severity: High – Potential Malicious Campaign Underway Targeting Open Source Developers via Slack (Stuart D Gathman <stuart@...hman.org>)
2026/04/08 #10: Re: systemd-journald in systemd 259 does not escape characters in emerg messages that are wall'd to other user's termina… (Aaron Rainbolt <arraybolt3@...eup.net>)
2026/04/08 #9: Re: libcap-2.77 (since libcap-2.04) has TOCTOU privilege escalation issue ("Andrew G. Morgan" <morgan@...nel.org>)
2026/04/08 #8: Re: [EXTERN] Re: Multiple CVEs disclosed in CUPS ("Schwedas, Sven" <Sven.Schwedas@...z.at>)
2026/04/08 #7: CVE-2026-5083: Ado::Sessions versions through 0.935 for Perl generates insecure session ids (Robert Rothenberg <rrwo@...nsec.org>)
2026/04/08 #6: CVE-2026-5082: Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id (Robert Rothenberg <rrwo@...nsec.org>)
2026/04/08 #5: Re: Axios Supply-Chain Attack [v1.14.1] [0.30.4] --> plain-crypto-js [4.2.0][4.2.1] (Solar Designer <solar@...nwall.com>)
2026/04/08 #4: Fwd: [siren] Severity: High – Potential Malicious Campaign Underway Targeting Open Source Developers via Slack (Solar Designer <solar@...nwall.com>)
2026/04/08 #3: Re: Multiple CVEs disclosed in CUPS (Peter Gutmann <pgut001@...auckland.ac.nz>)
2026/04/08 #2: Multiple CVEs disclosed in CUPS (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/04/08 #1: systemd-journald in systemd 259 does not escape characters in emerg messages that are wall'd to other user's terminals (Aaron Rainbolt <arraybolt3@...eup.net>)
2026/04/07 #14: Re: libcap-2.77 (since libcap-2.04) has TOCTOU privilege escalation issue (Christian Göttsche <cgoettsche@...tendoof.de>)
2026/04/07 #13: [vim-security] Netbeans command injection in Vim < v9.2.0316 (Christian Brabandt <cb@...bit.org>)
2026/04/07 #12: [OSSA-2026-005] Keystone: Restricted application credentials can create EC2 credentials (CVE-2026-33551) (Jeremy Stanley <fungi@...goth.org>)
2026/04/07 #11: OpenSSL Security Advisory (Tomas Mraz <tomas@...nssl.foundation>)
2026/04/07 #10: Django CVE-2026-3902, CVE-2026-4277, CVE-2026-4292, CVE-2026-33033, and CVE-2026-33034 (Jacob Walls <jwalls@...ngoproject.com>)
2026/04/07 #9: CASSANDRA-21202: CVE-2026-32588: Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing (Michael Semb Wever <mck@...che.org>)
2026/04/07 #8: CVE-2026-27315: Apache Cassandra: cqlsh history sensitive information leak (Michael Semb Wever <mck@...che.org>)
2026/04/07 #7: CVE-2026-27314: Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass (Michael Semb Wever <mck@...che.org>)
2026/04/07 #6: CVE-2026-35554: Apache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race Condition (Manikumar <manikumar@...che.org>)
2026/04/07 #5: Re: Heads-up: Upcoming Samba security releases (2026-04-09) (Douglas Bagnall <dbagnall@...ba.org>)
2026/04/07 #4: libcap-2.77 (since libcap-2.04) has TOCTOU privilege escalation issue ("Andrew G. Morgan" <morgan@...nel.org>)
2026/04/07 #3: Re: Announce: OpenSSH 10.3 released (Demi Marie Obenour <demiobenour@...il.com>)
2026/04/07 #2: Re: Announce: OpenSSH 10.3 released (Damien Miller <djm@...drot.org>)
2026/04/07 #1: Re: Announce: OpenSSH 10.3 released (Demi Marie Obenour <demiobenour@...il.com>)
2026/04/06 #4: CVE-2026-33227: Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ Web: Improper Limitati… ("Christopher L. Shannon" <cshannon@...c…)
2026/04/06 #3: CVE-2026-34197: Apache ActiveMQ Broker, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans ("Christopher L. Shannon" <cshannon@...che.o…)
2026/04/06 #2: Re: Announce: OpenSSH 10.3 released (Damien Miller <djm@...drot.org>)
2026/04/06 #1: Heads-up: Upcoming Samba security releases (2026-04-09) (Douglas Bagnall <dbagnall@...ba.org>)
2026/04/03 #7: Re: Announce: OpenSSH 10.3 released (Demi Marie Obenour <demiobenour@...il.com>)
2026/04/03 #6: Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 (Salvatore Bonaccorso <carnil@...ian.org>)
2026/04/03 #5: Re: Re: Multiple vulnerabilities in AppArmor (Salvatore Bonaccorso <carnil@...ian.org>)
2026/04/03 #4: Re: Announce: OpenSSH 10.3 released (Salvatore Bonaccorso <carnil@...ian.org>)
2026/04/03 #3: Re: Announce: OpenSSH 10.3 released (Agostino Sarubbo <ago@...too.org>)
2026/04/03 #2: Re: [libc musl] - Algorithmic complexity DoS in iconv GB18030 decoder (Rich Felker <dalias@...c.org>)
2026/04/03 #1: Re: [libc musl] - Algorithmic complexity DoS in iconv GB18030 decoder (Rich Felker <dalias@...c.org>)
2026/04/02 #10: [libc musl] - Algorithmic complexity DoS in iconv GB18030 decoder (Jens Jarl Nestén Hansen-Nord <jens@...ten.eu>)
2026/04/02 #9: Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 (Solar Designer <solar@...nwall.com>)

32414 messages

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.