oss-security mailing list
Recent messages:
- 2025/02/11 #1:
Re: CVE-2025-23015: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsa… (Paulo Motta <paulo@...che.org>)
- 2025/02/10 #1:
FELIX-6751: CVE-2025-25247: Apache Felix Webconsole: XSS in services console (Carsten Ziegeler <cziegeler@...che.org>)
- 2025/02/09 #1:
WebKitGTK and WPE WebKit Security Advisory WSA-2025-0001 (Adrian Perez de Castro <aperez@...lia.com>)
- 2025/02/07 #4:
CVE-2025-25069: Apache Kvrocks: Cross-Protocol Scripting Vulnerability (Mingyang Liu <twice@...che.org>)
- 2025/02/07 #3:
Re: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) (Jacob Bachmeyer <jcb62281@...il.com>)
- 2025/02/07 #2:
Re: AMD Microcode Signature Verification Vulnerability (Jacob Bachmeyer <jcb62281@...il.com>)
- 2025/02/07 #1:
Re: AMD Microcode Signature Verification Vulnerability (trinity pointard <trinity.pointard@...il.com>)
- 2025/02/06 #7:
Re: pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) ("Douglas R. Reno" <renodr@...uxfromscratch.org>)
- 2025/02/06 #6:
Fwd: libtasn1-4.20.0 released [fixes CVE-2024-12133] (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2025/02/06 #5:
Linux: kernel BUG at fs/ocfs2/refcounttree.c:2678 ocfs2_refcount_cal_cow_clusters in 6.13.0 (Solar Designer <solar@...nwall.com>)
- 2025/02/06 #4:
Re: [SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow (Fay Stegerman <flx@...usk.net>)
- 2025/02/06 #3:
pam_pkcs11: Possible Authentication Bypass in Error Situations (CVE-2025-24531) (Matthias Gerstner <mgerstner@...e.de>)
- 2025/02/06 #2:
Re: [SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow (Daniel Stenberg <daniel@...x.se>)
- 2025/02/06 #1:
Re: AMD Microcode Signature Verification Vulnerability (Jacob Bachmeyer <jcb62281@...il.com>)
- 2025/02/05 #8:
CVE-2025-23419: nginx: Client certificate authentication bypass with TLSv1.3 and session resumption (Solar Designer <solar@...nwall.com>)
- 2025/02/05 #7:
CVE-2024-45626: Apache James: denial of service through JMAP HTML to text conversion (Benoit Tellier <btellier@...che.org>)
- 2025/02/05 #6:
CVE-2024-37358: Apache James: denial of service through the use of IMAP literals (Benoit Tellier <btellier@...che.org>)
- 2025/02/05 #5:
Re: [SECURITY ADVISORY] curl: CVE-2025-0665: eventfd double close (Demi Marie Obenour <demi@...isiblethingslab.com>)
- 2025/02/05 #4:
Curl SSH Insufficient Host Identity Verification (Harry Sintonen <sintonen@....fi>)
- 2025/02/05 #3:
[SECURITY ADVISORY] curl: CVE-2025-0725: gzip integer overflow (Daniel Stenberg <daniel@...x.se>)
- 2025/02/05 #2:
[SECURITY ADVISORY] curl: CVE-2025-0665: eventfd double close (Daniel Stenberg <daniel@...x.se>)
- 2025/02/05 #1:
[SECURITY ADVISORY] curl: CVE-2025-0167: netrc and default credential leak (Daniel Stenberg <daniel@...x.se>)
- 2025/02/04 #4:
KL-001-2025-002: Checkmk NagVis Remote Code Execution (KoreLogic Disclosures <disclosures@...elogic.com>)
- 2025/02/04 #3:
KL-001-2025-001: Checkmk NagVis Reflected Cross-site Scripting (KoreLogic Disclosures <disclosures@...elogic.com>)
- 2025/02/04 #2:
CVE-2024-48019: Apache Doris: allows admin users to read arbitrary files through the REST API (Mingyu Chen <morningman@...che.org>)
- 2025/02/04 #1:
Re: AMD Microcode Signature Verification Vulnerability (Solar Designer <solar@...nwall.com>)
- 2025/02/03 #3:
CVE-2025-24860: Apache Cassandra: CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to diff… (Paulo Motta <paulo@...che.org>)
- 2025/02/03 #2:
CVE-2025-23015: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe a… (Paulo Motta <paulo@...che.org>)
- 2025/02/03 #1:
CVE-2024-27137: Apache Cassandra: unrestricted deserialization of JMX authentication credentials (Paulo Motta <paulo@...che.org>)
- 2025/01/29 #2:
Re: Oracle January 2025 Critical Patch Update (John Haxby <john.haxby@...cle.com>)
- 2025/01/29 #1:
ISC has disclosed two vulnerabilities in BIND 9 (CVE-2024-11187, CVE-2024-12705) (Matthijs Mekking <matthijs@....org>)
- 2025/01/28 #4:
CVE-2024-29869: Apache Hive: Credentials file created with non restrictive permissions (Ayush Saxena <ayushsaxena@...che.org>)
- 2025/01/28 #3:
CVE-2024-23953: Apache Hive: Timing Attack Against Signature in LLAP util (Ayush Saxena <ayushsaxena@...che.org>)
- 2025/01/28 #2:
Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 (Pete Allor <pallor@...hat.com>)
- 2025/01/28 #1:
Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 (Florian Weimer <fweimer@...hat.com>)
- 2025/01/27 #6:
Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 (Pete Allor <pallor@...hat.com>)
- 2025/01/27 #5:
Re: issue with stuck Mitre CVE requests (Pete Allor <pallor@...hat.com>)
- 2025/01/27 #4:
Re: Re: [External] : Fwd: Oracle January 2025 Critical Patch Update (Bruce Lowenthal <bruce.lowenthal@...cle.com>)
- 2025/01/27 #3:
CVE-2025-24783: Apache Cocoon: continuations may not be private (Arnout Engelen <engelen@...che.org>)
- 2025/01/27 #2:
Re: issue with stuck Mitre CVE requests (Johannes Segitz <jsegitz@...e.de>)
- 2025/01/27 #1:
Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 (Florian Weimer <fweimer@...hat.com>)
- 2025/01/26 #3:
Re: dde-api-proxy: Authentication Bypass in Deepin D-Bus Proxy Service (CVE-2025-23222) ("U.Mutlu" <um4711@...luit.com>)
- 2025/01/26 #2:
CVE-2024-52012: Apache Solr: Configset upload on Windows allows arbitrary path write-access (Jason Gerlowski <gerlowskija@...che.org>)
- 2025/01/26 #1:
CVE-2025-24814: Apache Solr: Core-creation with "trusted" configset can use arbitrary untrusted files (Jason Gerlowski <gerlowskija@...che.org>)
- 2025/01/25 #6:
Re: Oracle January 2025 Critical Patch Update (Sam James <sam@...too.org>)
- 2025/01/25 #5:
Re: Re: [External] : Fwd: Oracle January 2025 Critical Patch Update ("Douglas R. Reno" <renodr@...uxfromscratch.org>)
- 2025/01/25 #4:
Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 (Pete Allor <pallor@...hat.com>)
- 2025/01/25 #3:
Re: Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 (Greg KH <greg@...ah.com>)
- 2025/01/25 #2:
Re: Re: [External] : Fwd: Oracle January 2025 Critical Patch Update (Solar Designer <solar@...nwall.com>)
- 2025/01/25 #1:
Re: issue with stuck Mitre CVE requests (Mark Esler <mark.esler@...onical.com>)
- 2025/01/24 #6:
7-Zip Mark-of-the-Web Bypass Vulnerability on Windows platforms (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2025/01/24 #5:
Node.js EOL CVEs: CVE-2025-23087, CVE-2025-23088, CVE-2025-23089 (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2025/01/24 #4:
Re: [External] : Fwd: Oracle January 2025 Critical Patch Update (Bruce Lowenthal <bruce.lowenthal@...cle.com>)
- 2025/01/24 #3:
dde-api-proxy: Authentication Bypass in Deepin D-Bus Proxy Service (CVE-2025-23222) (Matthias Gerstner <mgerstner@...e.de>)
- 2025/01/24 #2:
Re: Re: [External] : Fwd: Oracle January 2025 Critical Patch Update ("Douglas R. Reno" <renodr@...uxfromscratch.org>)
- 2025/01/24 #1:
Re: Oracle January 2025 Critical Patch Update (Solar Designer <solar@...nwall.com>)
- 2025/01/23 #8:
Re: [External] : Fwd: Oracle January 2025 Critical Patch Update (Solar Designer <solar@...nwall.com>)
- 2025/01/23 #7:
Re: issue with stuck Mitre CVE requests (Pete Allor <pallor@...hat.com>)
- 2025/01/23 #6:
Re: Oracle January 2025 Critical Patch Update (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2025/01/23 #5:
Re: [External] : Fwd: Oracle January 2025 Critical Patch Update (Bruce Lowenthal <bruce.lowenthal@...cle.com>)
- 2025/01/23 #4:
Re: Oracle January 2025 Critical Patch Update (John Haxby <john.haxby@...cle.com>)
- 2025/01/23 #3:
Re: issue with stuck Mitre CVE requests (Matthias Gerstner <mgerstner@...e.de>)
- 2025/01/23 #2:
Re: CVE-2025-0395: Buffer overflow in the GNU C Library's assert() (Qualys Security Advisory <qsa@...lys.com>)
- 2025/01/23 #1:
Oracle January 2025 Critical Patch Update (Solar Designer <solar@...nwall.com>)
- 2025/01/22 #12:
CVE-2024-53299: Apache Wicket: An attacker can intentionally trigger a memory leak (Pedro Henrique Oliveira dos Santos <pedro@...che.org>)
- 2025/01/22 #11:
Re: Open Virtual Network egress access control list bypass. (Mark Michelson <mmichels@...hat.com>)
- 2025/01/22 #10:
Multiple vulnerabilities in Jenkins plugins (Kevin Guerroudj <kguerroudj@...udbees.com>)
- 2025/01/22 #9:
Re: AMD Microcode Signature Verification Vulnerability (Tavis Ormandy <taviso@...il.com>)
- 2025/01/22 #8:
Re: issue with stuck Mitre CVE requests (Pedro Sampaio <psampaio@...hat.com>)
- 2025/01/22 #7:
Re: issue with stuck Mitre CVE requests (Johannes Segitz <jsegitz@...e.de>)
- 2025/01/22 #6:
Re: AMD Microcode Signature Verification Vulnerability (Demi Marie Obenour <demi@...isiblethingslab.com>)
- 2025/01/22 #5:
Open Virtual Network egress access control list bypass. (Mark Michelson <mmichels@...hat.com>)
- 2025/01/22 #4:
CVE-2025-0395: Buffer overflow in the GNU C Library's assert() (Qualys Security Advisory <qsa@...lys.com>)
- 2025/01/22 #3:
Re: issue with stuck Mitre CVE requests (Greg KH <greg@...ah.com>)
- 2025/01/22 #2:
issue with stuck Mitre CVE requests (Matthias Gerstner <mgerstner@...e.de>)
- 2025/01/22 #1:
AMD Microcode Signature Verification Vulnerability (Tavis Ormandy <taviso@...il.com>)
- 2025/01/21 #10:
CERT/CC VU#199397 - Insecure Implementation of Tunneling Protocols (GRE/IPIP/4in6/6in4) (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2025/01/21 #9:
CVE-2024-51941: Apache Ambari: Remote Code Injection in Ambari Metrics and AMS Alerts (Viraj Jasani <vjasani@...che.org>)
- 2025/01/21 #8:
CVE-2025-23196: Apache Ambari: Code Injection Vulnerability in Ambari Alert Definition (Viraj Jasani <vjasani@...che.org>)
- 2025/01/21 #7:
CVE-2025-23195: Apache Ambari: XML External Entity (XXE) Vulnerability in Ambari/Oozie (Viraj Jasani <vjasani@...che.org>)
- 2025/01/21 #6:
Fwd: Node.js security updates for all active release lines, January 2025 (Rafael Gonzaga <work@...aelgss.dev>)
- 2025/01/21 #5:
Node.js security updates: CVE-2025-23083, CVE-2025-23084, CVE-2025-23085 (Jan Schaumann <jschauma@...meister.org>)
- 2025/01/21 #4:
CVE-2024-45479: Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost (Velmurugan Periasamy <vel@...che.org>)
- 2025/01/21 #3:
CVE-2024-45478: Apache Ranger: Stored XSS in Edit Service page - Add logic to validate user input (Velmurugan Periasamy <vel@...che.org>)
- 2025/01/21 #2:
Re: Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 (Christian Brabandt <cb@...bit.org>)
- 2025/01/21 #1:
Re: Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 (Eli Schwartz <eschwartz@...too.org>)
- 2025/01/20 #4:
Subject: [vim-security] segmentation fault in win_line() in Vim < 9.1.1043 (Christian Brabandt <cb@...bit.org>)
- 2025/01/20 #3:
CVE-2025-23184: Apache CXF: Denial of Service vulnerability with temporary files (Colm O hEigeartaigh <coheigea@...che.org>)
- 2025/01/20 #2:
CVE-2024-13176: OpenSSL: Timing side-channel in ECDSA signature computation (Tomas Mraz <tomas@...nssl.org>)
- 2025/01/20 #1:
fdroidserver AllowedAPKSigningKeys certificate pinning fundamentally unreliable (Fay Stegerman <flx@...usk.net>)
- 2025/01/18 #2:
Re: git: 2 vulnerabilities fixed (Salvatore Bonaccorso <carnil@...ian.org>)
- 2025/01/18 #1:
WriteFreely exposes database credentials through insecure file permissions (Fay Stegerman <flx@...usk.net>)
- 2025/01/17 #1:
Go 1.23.5 and Go 1.22.11 are released with 2 security fixes (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2025/01/16 #5:
Re: Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) (Russ Allbery <eagle@...ie.org>)
- 2025/01/16 #4:
Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) (Steffen Nurpmeso <steffen@...oden.eu>)
- 2025/01/16 #3:
Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) (Matthias Gerstner <mgerstner@...e.de>)
- 2025/01/16 #2:
Re: pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) (Jacob Bachmeyer <jcb62281@...il.com>)
- 2025/01/16 #1:
[kubernetes] CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API ("Vellore Rajakumar, Sri Saran Balaji" <srajakum@...zon.com>)
- 2025/01/15 #2:
Session (a fork of the Signal private messaging app) is sus (Soatok Dreamseeker <soatok.dhole@...il.com>)
- 2025/01/15 #1:
pam-u2f: problematic PAM_IGNORE return values in pam_sm_authenticate() (CVE-2025-23013) (Matthias Gerstner <mgerstner@...e.de>)
30820 messages