oss-security mailing list

Follow @Openwall on Twitter for new release announcements and other news

oss-security mailing list

	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2026	116
2025	92	75	93	105	94	100	69	75	107	112	106	140
2024	80	100	178	197	72	47	128	107	58	52	87	44
2023	69	62	100	107	99	78	87	60	122	198	86	101
2022	116	50	47	79	83	58	77	86	76	70	95	108
2021	92	91	98	90	88	59	61	82	49	76	60	47
2020	52	47	38	82	70	67	76	64	71	85	90	66
2019	102	48	49	86	51	103	107	80	71	75	67	70
2018	122	81	84	81	71	104	71	135	78	120	75	84
2017	252	278	171	171	209	278	225	157	214	162	196	93
2016	258	207	271	183	267	193	214	184	287	294	257	241
2015	377	336	355	319	277	243	266	197	195	206	205	208
2014	214	252	249	211	183	317	273	201	413	485	382	318
2013	217	323	246	258	200	201	260	265	163	203	182	199
2012	333	189	294	216	234	128	150	207	234	192	191	161
2011	153	169	318	354	159	224	258	164	137	203	241	146
2010	72	96	123	118	115	142	119	144	203	84	187	139
2009	89	81	75	114	96	59	84	99	102	122	108	74
2008		104	103	143	136	112	150	125	127	123	128	107

Recent messages:

2026/01/24 #1: CVE-2026-24656: Apache Karaf: Decanter log-socket collector has deserialization vulnerability (Jean-Baptiste Onofré <jbonofre@...che.org>)
2026/01/23 #8: 8 CVEs in Cpython announced this week (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/01/23 #7: CVE-2025-27821: HDFS native client: Out of bounds write in URI parser of native HDFS client (Chris Nauroth <cnauroth@...che.org>)
2026/01/23 #6: Re: Vulnerability management and Open Source: FOSDEM BoF (Brian Behlendorf <brian@...lendorf.com>)
2026/01/23 #5: Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter (Stuart Henderson <stu@...cehopper.org>)
2026/01/23 #4: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/01/23 #3: Re: Vulnerability management and Open Source: FOSDEM BoF ("Olle E. Johansson" <oej@...ina.net>)
2026/01/23 #2: Re: Vulnerability management and Open Source: FOSDEM BoF (Peter Gutmann <pgut001@...auckland.ac.nz>)
2026/01/23 #1: Vulnerability management and Open Source: FOSDEM BoF ("Olle E. Johansson" <oej@...ina.net>)
2026/01/22 #2: Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd (Demi Marie Obenour <demiobenour@...il.com>)
2026/01/22 #1: Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd (Christian Fischer <christian.fischer@...enbone.net>)
2026/01/21 #6: CVE-2024-31884 Ceph: Incorrect usage of certificate checking via Pybind ("Sage [They / Them] McTaggart" <amctagga@...hat.com>)
2026/01/21 #5: Vulnerable tmpdir handling in pytest (Michael Orlitzky <michael@...itzky.com>)
2026/01/21 #4: Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality (Soatok Dreamseeker <soatok.dhole@...il.com>)
2026/01/21 #3: ISC has disclosed one vulnerability in BIND 9 (CVE-2025-13878) (Michał Kępień <michal@....org>)
2026/01/21 #2: Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd (Jakub Wilk <jwilk@...lk.net>)
2026/01/21 #1: Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality (Hanno Böck <hanno@...eck.de>)
2026/01/20 #8: Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd (Alexander Bochmann <ab@...ts.gxis.de>)
2026/01/20 #7: Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/01/20 #6: Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality (Moritz Mühlenhoff <jmm@...til.org>)
2026/01/20 #5: CVE-2026-22444: Apache Solr: Insufficient file-access checking in standalone core-creation requests (Jason Gerlowski <gerlowskija@...che.org>)
2026/01/20 #4: CVE-2026-22022: Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationP… (Jason Gerlowski <gerlowskija@...che.org…)
2026/01/20 #3: The GNU C Library security advisories update for 2026-01-20 (Carlos O'Donell <carlos@...hat.com>)
2026/01/20 #2: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd (Simon Josefsson <simon@...efsson.org>)
2026/01/20 #1: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality (mohammed gaming 222 <craftmohammed460@...il.com>)
2026/01/18 #2: Re: CVE-2025-8110 in Gogs self-hosted git service (Michael Orlitzky <michael@...itzky.com>)
2026/01/18 #1: Re: CVE-2025-8110 in Gogs self-hosted git service (Collin Funk <collin.funk1@...il.com>)
2026/01/17 #4: Re: CVE-2025-8110 in Gogs self-hosted git service (Chad Dougherty <crd477@...oud.com>)
2026/01/17 #3: Re: CVE-2025-68121: Regression and Incomplete Fix for Go TLS Session Resumption (Coia Prant <coiaprant@...il.com>)
2026/01/17 #2: CVE-2025-68121: Regression and Incomplete Fix for Go TLS Session Resumption (Coia Prant <coiaprant@...il.com>)
2026/01/17 #1: Re: Re: Best practices for signature verifcation (Jacob Bachmeyer <jcb62281@...il.com>)
2026/01/16 #9: [OSSA-2026-001] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-… (Jeremy Stanley <fungi@...goth.org>)
2026/01/16 #8: Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) (Jan Schaumann <jschauma@...meister.org>)
2026/01/16 #7: Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) (Michel Lind <michel@...hel-slm.name>)
2026/01/16 #6: The GNU C Library security advisories update for 2026-01-16 (part 2) (Carlos O'Donell <carlos@...hat.com>)
2026/01/16 #5: The GNU C Library security advisories update for 2026-01-16 (Siddhesh Poyarekar <siddhesh.poyarekar@...il.com>)
2026/01/16 #4: CVE-2025-60021: Apache bRPC: Remote command injection vulnerability in heap builtin service (Guangming Chen <guangmingchen@...che.org>)
2026/01/16 #3: Re: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE… (Jeremy Stanley <fungi@...goth.org>)
2026/01/16 #2: Re: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens … (Salvatore Bonaccorso <carnil@...ian.org…)
2026/01/16 #1: Re: Re: Best practices for signature verifcation (Peter Gutmann <pgut001@...auckland.ac.nz>)
2026/01/15 #7: Re: Fwd: [FD] zlib v1.3.1.2 Global Buffer Overflow in TGZfname() of zlib untgz Utility via Unbounded strcpy() on User-S… (Alan Coopersmith <alan.coopersmith@...c…)
2026/01/15 #6: CVE-2025-68675: Apache Airflow: proxy credentials for various providers might leak in task logs (Ephraim Anierobi <ephraimanierobi@...che.org>)
2026/01/15 #5: CVE-2025-68438: Apache Airflow: Secrets in rendered templates could contain parts of sensitive values when truncated (Ephraim Anierobi <ephraimanierobi@...che…)
2026/01/15 #4: Re: Go 1.25.6 and Go 1.24.12 are released with 6 CVE fixes (Steffen Nurpmeso <steffen@...oden.eu>)
2026/01/15 #3: Go 1.25.6 and Go 1.24.12 are released with 6 CVE fixes (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/01/15 #2: Re: The Curious Case of Stack Pivot Detection (Adam Zabrocki <pi3@....com.pl>)
2026/01/15 #1: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026… (Jeremy Stanley <fungi@...goth.org>)
2026/01/14 #3: Re: Null Pointer Dereference in HarfBuzz (Jacob Bachmeyer <jcb62281@...il.com>)
2026/01/14 #2: Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) (Jan Schaumann <jschauma@...meister.org>)
2026/01/14 #1: Re: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/01/13 #5: CVE-2025-66169: Apache Camel: Cypher injection vulnerability in Camel-Neo4j component (Andrea Cosentino <acosentino@...che.org>)
2026/01/13 #4: Re: Null Pointer Dereference in HarfBuzz (Vincent Lefevre <vincent@...c17.net>)
2026/01/13 #3: Re: Null Pointer Dereference in HarfBuzz (Jacob Bachmeyer <jcb62281@...il.com>)
2026/01/13 #2: NodeJS Security Releases (CVE-2025-55131, CVE-2025-55130, CVE-2025-59465, and others) (Jan Schaumann <jschauma@...meister.org>)
2026/01/13 #1: Re: Null Pointer Dereference in HarfBuzz (Jacob Bachmeyer <jcb62281@...il.com>)
2026/01/12 #7: libpng 1.6.54: two heap buffer over-read vulnerabilities fixed: CVE-2026-22695, CVE-2026-22801 (Cosmin Truta <ctruta@...il.com>)
2026/01/12 #6: Re: CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component (Loganaden Velvindron <loganaden@...il.com>)
2026/01/12 #5: Re: Null Pointer Dereference in HarfBuzz (Vincent Lefevre <vincent@...c17.net>)
2026/01/12 #4: Re: Null Pointer Dereference in HarfBuzz (Greg KH <greg@...ah.com>)
2026/01/12 #3: Re: Null Pointer Dereference in HarfBuzz (Jan Engelhardt <ej@...i.de>)
2026/01/12 #2: Re: CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component (Hanno Böck <hanno@...eck.de>)
2026/01/12 #1: Re: Null Pointer Dereference in HarfBuzz (Jacob Bachmeyer <jcb62281@...il.com>)
2026/01/11 #2: CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component (Lukasz Lenart <lukaszlenart@...che.org>)
2026/01/11 #1: Null Pointer Dereference in HarfBuzz (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/01/10 #1: The Curious Case of Stack Pivot Detection (Ali Polatel <alip@...sys.org>)
2026/01/09 #2: Net-SNMP snmptrapd vulnerability [CVE-2025-68615] (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/01/09 #1: InputPlumber: Lack of D-Bus Authorization and Input Verification allows UI Input Injection and Denial-of-Service (CVE-202… (Matthias Gerstner <mgerstner@...e.de>)
2026/01/08 #7: Re: Systemd vsock sshd (Greg Dahlman <dahlman@...il.com>)
2026/01/08 #6: Re: Systemd vsock sshd (Solar Designer <solar@...nwall.com>)
2026/01/08 #5: Fwd: libtasn1-4.21.0 released [stable] - fixes CVE-2025-13151 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/01/08 #4: CVE-2025-62235: Apache NimBLE: Incorrect handling of SMP Security Request could lead to undesirable pairing (Szymon Janc <janc@...che.org>)
2026/01/08 #3: CVE-2025-53477: Apache NimBLE: NULL Pointer Dereference in NimBLE host HCI layer (Szymon Janc <janc@...che.org>)
2026/01/08 #2: CVE-2025-53470: Apache NimBLE: Out-of-Bounds Write Vulnerability in NimBLE HCI H4 driver (Szymon Janc <janc@...che.org>)
2026/01/08 #1: CVE-2025-52435: Apache NimBLE: Invalid error handling in pause encryption procedure in NimBLE controller (Szymon Janc <janc@...che.org>)
2026/01/07 #9: Foomuuri: Lack of Client Authorization and Input Verification allow Control over Firewall Configuration (CVE-2025-67603, … (Matthias Gerstner <mgerstner@...e.de>)
2026/01/07 #8: TLP: Polkit Authentication Bypass in Profiles Daemon in Version 1.9.0 (CVE-2025-67859) (Matthias Gerstner <mgerstner@...e.de>)
2026/01/07 #7: [ADVISORY] curl CVE-2025-15224: libssh key passphrase bypass without agent set (Daniel Stenberg <daniel@...x.se>)
2026/01/07 #6: [ADVISORY] curl CVE-2025-15079: libssh global knownhost override (Daniel Stenberg <daniel@...x.se>)
2026/01/07 #5: [ADVISORY] curl CVE-2025-14819: OpenSSL partial chain store policy bypass (Daniel Stenberg <daniel@...x.se>)
2026/01/07 #4: [ADVISORY] curl CVE-2025-14524: bearer token leak on cross-protocol redirect (Daniel Stenberg <daniel@...x.se>)
2026/01/07 #3: [ADVISORY] curl CVE-2025-14017: broken TLS options for threaded LDAPS (Daniel Stenberg <daniel@...x.se>)
2026/01/07 #2: [ADVISORY] curl CVE-2025-13034: No QUIC certificate pinning with GnuTLS (Daniel Stenberg <daniel@...x.se>)
2026/01/07 #1: wget2-2.2.1 released with security fixes (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/01/06 #5: Fwd: [FD] zlib v1.3.1.2 Global Buffer Overflow in TGZfname() of zlib untgz Utility via Unbounded strcpy() on User-Suppl… (Alan Coopersmith <alan.coopersmith@...c…)
2026/01/06 #4: Re: [External] : Buffer overflow in /bin/su from UNIX v4 (Casper Dik <casper.dik@...cle.com>)
2026/01/06 #3: Re: Re: Best practices for signature verifcation (Taavi Eomäe <taavi@...e.ee>)
2026/01/06 #2: Re: Re: Best practices for signature verifcation (Peter Gutmann <pgut001@...auckland.ac.nz>)
2026/01/06 #1: Re: Buffer overflow in /bin/su from UNIX v4 (Peter Gutmann <pgut001@...auckland.ac.nz>)
2026/01/05 #14: Multiple vulnerabilities in aiohttp (Sam Bull <9m199i@...bull.org>)
2026/01/05 #13: Re: Re: Best practices for signature verifcation (Demi Marie Obenour <demiobenour@...il.com>)
2026/01/05 #12: Re: Best practices for signature verifcation (Demi Marie Obenour <demiobenour@...il.com>)
2026/01/05 #11: Re: CVE-2025-68280: Apache SIS: XML External Entity (XXE) vulnerability (Sebastian Pipping <sebastian@...ping.org>)
2026/01/05 #10: Buffer overflow in /bin/su from UNIX v4 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/01/05 #9: Re: Re: Best practices for signature verifcation (Morten Linderud <morten@...derud.pw>)
2026/01/05 #8: Re: Best practices for signature verifcation (Clemens Lang <cllang@...hat.com>)
2026/01/05 #7: CVE-2025-68280: Apache SIS: XML External Entity (XXE) vulnerability (Martin Desruisseaux <desruisseaux@...che.org>)
2026/01/05 #6: Re: Re: Best practices for signature verifcation (Jeffrey Walton <noloader@...il.com>)
2026/01/05 #5: Re: Re: Best practices for signature verifcation (Valtteri Vuorikoski <vuori@...com.org>)
2026/01/05 #4: GnuPG ticket T7900 (was: Many vulnerabilities in GnuPG) (Werner Koch <wk@...pg.org>)
2026/01/05 #3: Re: Many vulnerabilities in GnuPG (Stephan Verbücheln <stephan@...buecheln.ch>)

31983 messages

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.