Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

oss-security mailing list

• 2021/12/07 #1: Django: CVE-2021-44420: Potential bypass of an upstream access control based on URL paths (Mariusz Felisiak <felisiak.mariusz@...il.com>)
• 2021/12/06 #3: CVE-2021-43410: Apache Airavata Django Portal: airavata-django-portal allows CRLF log injection because of the lack of … (Marcus Christie <machristie@...che.org>)
• 2021/12/06 #2: tmate-ssh-server: Local Privilege Escalation Issues and DoS issues (CVE-2021-44512, CVE-2021-44513) (Matthias Gerstner <mgerstner@...e.de>)
• 2021/12/06 #1: CVE-2021-43784: integer overflow in runc's netlink bytemsg allows malicious configuration to discreetly modify container confi… (Aleksa Sarai <cyphar@...har.com>)
• 2021/12/03 #2: CVE-2021-44143: heap overflow in isync/mbsync (Oswald Buddenhagen <oswald.buddenhagen@....de>)
• 2021/12/03 #1: CVE-2021-3657: multiple buffer overflows in isync/mbsync (Oswald Buddenhagen <oswald.buddenhagen@....de>)
• 2021/12/01 #7: Re: IMA gadgets (Travis Finkenauer <tmfink@...iper.net>)
• 2021/12/01 #6: Re: CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS DER-encoded signatures (Kai Engert <kaie@...x.de>)
• 2021/12/01 #5: Re: CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS DER-encoded signatures (Alan Coopersmith <alan.coopersmith@...cle.com>)
• 2021/12/01 #4: CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS DER-encoded signatures (Dennis Jackson <djackson@...illa.com>)
• 2021/12/01 #3: Re: IMA gadgets (Jens Timmerman <jens@...et.be>)
• 2021/12/01 #2: Re: IMA gadgets (Johannes Segitz <jsegitz@...e.de>)
• 2021/12/01 #1: Re: IMA gadgets (Grant Taylor <gtaylor@...tconsulting.net>)
• 2021/11/30 #1: IMA gadgets (Florian Weimer <fweimer@...hat.com>)
• 2021/11/25 #1: CVE-2021-4002: Linux kernel: Missing TLB flush on hugetlbfs (Nadav Amit <namit@...are.com>)
• 2021/11/23 #7: Xen Security Advisory 388 v3 (CVE-2021-28704,CVE-2021-28707,CVE-2021-28708) - PoD operations on misaligned GFNs (Xen.org security team <security@....org>)
• 2021/11/23 #6: Xen Security Advisory 387 v2 (CVE-2021-28703) - grant table v2 status pages may remain accessible after de-allocation (… (Xen.org security team <security@....org…)
• 2021/11/23 #5: Xen Security Advisory 389 v3 (CVE-2021-28705,CVE-2021-28709) - issues with partially successful P2M updates on x86 (Xen.org security team <security@....org>)
• 2021/11/23 #4: Xen Security Advisory 385 v2 (CVE-2021-28706) - guests may exceed their designated memory limit (Xen.org security team <security@....org>)
• 2021/11/23 #3: [CVE-2021-44140] Apache JSPWiki Arbitrary file deletion on logout (Juan Pablo Santos Rodríguez <juanpablo.santos@...il.com>)
• 2021/11/23 #2: [CVE-2021-40369] Apache JSPWiki Cross-site scripting vulnerability on Denounce plugin (Juan Pablo Santos Rodríguez <juanpablo@...che.org>)
• 2021/11/23 #1: Re: CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable (Zhiyuan Ju <juzhiyuan@...che.org>)
• 2021/11/22 #2: Re: CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable (Marcin Niemiec <niemiec.marcin@...il.com>)
• 2021/11/22 #1: CVE-2021-43557: Apache APISIX: Path traversal in request_uri variable (Zexuan Luo <spacewander@...che.org>)
• 2021/11/19 #10: CVE-2021-41190 OCI distribution and image spec: "content-type" confusion (Vincent Batts <vbatts@...hbangbash.com>)
• 2021/11/19 #9: Xen Security Advisory 390 v1 (CVE-2021-28710) - certain VT-d IOMMUs may not work in shared page table mode (Xen.org security team <security@....org>)
• 2021/11/19 #8: CVE-2021-41532: Apache Ozone: Unauthenticated access to Ozone Recon HTTP endpoints (Siddharth Wagle <swagle@...che.org>)
• 2021/11/19 #7: CVE-2021-39236: Apache Ozone: Owners of the S3 tokens are not validated (Siddharth Wagle <swagle@...che.org>)
• 2021/11/19 #6: CVE-2021-39235: Apache Ozone: Access mode of block tokens are not enforced (Siddharth Wagle <swagle@...che.org>)
• 2021/11/19 #5: CVE-2021-39234: Apache Ozone: Raw block data can be read bypassing ACL/authorization (Siddharth Wagle <swagle@...che.org>)
• 2021/11/19 #4: CVE-2021-39233: Apache Ozone: Container-related datanode operations can be called without authorization (Siddharth Wagle <swagle@...che.org>)
• 2021/11/19 #3: CVE-2021-39232: Apache Ozone: Missing admin check for SCM related admin commands (Siddharth Wagle <swagle@...che.org>)
• 2021/11/19 #2: CVE-2021-39231: Apache Ozone: Missing authentication/authorization on internal RPC endpoints (Siddharth Wagle <swagle@...che.org>)
• 2021/11/19 #1: CVE-2021-36372: Apache Ozone: Original block tokens are persisted and can be retrieved (Siddharth Wagle <swagle@...che.org>)
• 2021/11/17 #2: CVE-2021-42250: Apache Superset: Possible log injection (Daniel Gaspar <dpgaspar@...che.org>)
• 2021/11/17 #1: Re: CVE-2021-43350: Apache Traffic Control: LDAP filter injection vulnerability in Traffic Ops (Zach Hoffman <zrhoffman@...che.org>)
• 2021/11/16 #1: CVE-2021-37580: Apache ShenYu Admin bypass JWT authentication (Liang Liu <midnight2104@...che.org>)
• 2021/11/15 #1: Grafana 8.2.4 released with security fixes (Vardan Torosyan <vardan.torosyan@...fana.com>)
• 2021/11/12 #1: Multiple vulnerabilities in Jenkins plugins (Daniel Beck <ml@...kweb.net>)
• 2021/11/11 #4: Re: CVE-2021-43350: Apache Traffic Control: LDAP filter injection vulnerability in Traffic Ops (Zach Hoffman <zrhoffman@...che.org>)
• 2021/11/11 #3: CVE-2021-43350: Apache Traffic Control: LDAP filter injection vulnerability in Traffic Ops (Zach Hoffman <zrhoffman@...che.org>)
• 2021/11/11 #2: CVE-2021-41972: Apache Superset: Credentials leak (Daniel Gaspar <dpgaspar@...che.org>)
• 2021/11/11 #1: CVE-2021-26558: Apache ShardingSphere-UI: Deserialization of Untrusted Data (Juan Pan <panjuan@...che.org>)
• 2021/11/10 #3: Fwd: Samba 4.15.2, 4.14.10, 4.13.14 Security Releases are available for Download (Solar Designer <solar@...nwall.com>)
• 2021/11/10 #2: Trovent Security Advisory 2106-01 / CVE-2021-33816: Authenticated remote code execution in Dolibarr ERP & CRM (Stefan Pietsch <s.pietsch@...vent.io>)
• 2021/11/10 #1: Trovent Security Advisory 2105-02 / CVE-2021-33618: Stored cross-site scripting in Dolibarr ERP & CRM (Stefan Pietsch <s.pietsch@...vent.io>)
• 2021/11/09 #1: [CVE-2021-43523] Incorrect handling of special characters in domain names in uclibc and uclibc-ng ("Philipp Jeitner (SIT)" <philipp.jeitner@....fraunhofer.de>)
• 2021/11/05 #1: Re: Linux kernel: isdn: cpai: array-index-out-of-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c (butt3rflyh4ck <butterflyhuangxx@...il.com>)
• 2021/11/04 #3: Multiple vulnerabilities in Jenkins and Jenkins plugins (Daniel Beck <ml@...kweb.net>)
• 2021/11/04 #2: Re: Trojan Source Attacks ("Leonid Isaev (ifax)" <leonid.isaev@...x.com>)
• 2021/11/04 #1: Re: Trojan Source Attacks (Georgi Guninski <gguninski@...il.com>)
• 2021/11/03 #1: CVE-2021-41174 Grafana XSS vulnerability (Daniel Lee <daniel@...fana.com>)
• 2021/11/02 #12: Re: Trojan Source Attacks (Seth Arnold <seth.arnold@...onical.com>)
• 2021/11/02 #11: Apache Traffic Server is vulnerable to various smuggle, DOS, and validation attacks (Bryan Call <bcall@...che.org>)
• 2021/11/02 #10: Re: Trojan Source Attacks (Stuart D Gathman <stuart@...hman.org>)
• 2021/11/02 #9: Re: Trojan Source Attacks (Stuart D Gathman <stuart@...hman.org>)
• 2021/11/02 #8: Re: Trojan Source Attacks (Michael Orlitzky <michael@...itzky.com>)
• 2021/11/02 #7: Re: Trojan Source Attacks ("David A. Wheeler" <dwheeler@...eeler.com>)
• 2021/11/02 #6: Re: Trojan Source Attacks (Josh Bressers <josh@...ss.net>)
• 2021/11/02 #5: Re: Trojan Source Attacks ("David A. Wheeler" <dwheeler@...eeler.com>)
• 2021/11/02 #4: Barrier "software KVM switch" multiple remote security issues (Matthias Gerstner <mgerstner@...e.de>)
• 2021/11/02 #3: Re: Trojan Source Attacks (Siddhesh Poyarekar <siddhesh.poyarekar@...il.com>)
• 2021/11/02 #2: Re: Trojan Source Attacks (Jan Engelhardt <jengelh@...i.de>)
• 2021/11/02 #1: Re: Trojan Source Attacks (Santiago Torres <torresariass@...il.com>)
• 2021/11/01 #9: Re: Trojan Source Attacks ("Perry E. Metzger" <perry@...rmont.com>)
• 2021/11/01 #8: CVE-2021-41973: Apache MINA HTTP listener DOS (Emmanuel Lecharny <elecharny@...che.org>)
• 2021/11/01 #7: Re: Trojan Source Attacks (Jan Engelhardt <jengelh@...i.de>)
• 2021/11/01 #6: Trojan Source Attacks (Nicholas Boucher <nicholas.boucher@...cam.ac.uk>)
• 2021/11/01 #5: Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code (Dave Horsfall <dave@...sfall.org>)
• 2021/11/01 #4: Re: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code (Jakub Wilk <jwilk@...lk.net>)
• 2021/11/01 #3: CVE-2021-27644: Apache DolphinScheduler: DolphinScheduler mysql jdbc connector parameters deserialize remote code execution (Calvin Kirs <kirs@...che.org>)
• 2021/11/01 #2: [ANNOUNCE] Apache MINA 2.0.22 & 2.1.5 released (Emmanuel Lecharny <elecharny@...che.org>)
• 2021/11/01 #1: CVE-2021-42574: rustc 1.56.0 and bidirectional-override codepoints in source code (Pietro Albini <pietro@...troalbini.org>)
• 2021/10/31 #1: Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 (Salvatore Bonaccorso <carnil@...ian.org>)
• 2021/10/30 #1: CVE website transition from cve.mitre.org to cve.org (Alan Coopersmith <alan.coopersmith@...cle.com>)
• 2021/10/28 #6: Re: Linux kernel: powerpc: KVM guest can trigger host crash on Power8 (John Paul Adrian Glaubitz <glaubitz@...sik.fu-berlin.de>)
• 2021/10/28 #5: Re: Linux kernel: powerpc: KVM guest can trigger host crash on Power8 (John Paul Adrian Glaubitz <glaubitz@...sik.fu-berlin.de>)
• 2021/10/28 #4: spacewalk-admin: CVE-2021-40348: arbitrary local code execution by 'tomcat' user via rhn-config-satellite.pl (Paolo Perego <paolo.perego@...e.com>)
• 2021/10/28 #3: Re: CVE-2021-3760: Linux kernel: Use-After-Free vulnerability of ndev->rf_conn_info object (Roxana Bradescu <roxana.bradescu@...cle.com>)
• 2021/10/28 #2: Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 (Salvatore Bonaccorso <carnil@...ian.org>)
• 2021/10/28 #1: Re: Linux kernel: powerpc: KVM guest can trigger host crash on Power8 (Salvatore Bonaccorso <carnil@...ian.org>)
• 2021/10/27 #4: Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 (Samuel Groß <saelo@...gle.com>)
• 2021/10/27 #3: Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 (Alberto Garcia <berto@...lia.com>)
• 2021/10/27 #2: Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 (Francis Perron <francis.perron@...pify.com>)
• 2021/10/27 #1: Re: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 (Salvatore Bonaccorso <carnil@...ian.org>)
• 2021/10/26 #9: WebKitGTK and WPE WebKit Security Advisory WSA-2021-0006 (Carlos Alberto Lopez Perez <clopez@...lia.com>)
• 2021/10/26 #8: RE: CVE-2021-3760: Linux kernel: Use-After-Free vulnerability of ndev->rf_conn_info object (Anthony Liguori <aliguori@...zon.com>)
• 2021/10/26 #7: CVE-2021-21703: PHP-FPM 5.3.7 <= 8.0.12 Local Root (Charles Fol <c.fol@...fo.fr>)
• 2021/10/26 #6: Re: CVE-2021-3760: Linux kernel: Use-After-Free vulnerability of ndev->rf_conn_info object (Thadeu Lima de Souza Cascardo <cascardo@...onical.com>)
• 2021/10/26 #5: Re: CVE-2021-3760: Linux kernel: Use-After-Free vulnerability of ndev->rf_conn_info object (Solar Designer <solar@...nwall.com>)
• 2021/10/26 #4: Re: CVE-2021-3760: Linux kernel: Use-After-Free vulnerability of ndev->rf_conn_info object (Lin Horse <kylin.formalin@...il.com>)
• 2021/10/26 #3: Re: CVE-2021-3760: Linux kernel: Use-After-Free vulnerability of ndev->rf_conn_info object (Solar Designer <solar@...nwall.com>)
• 2021/10/26 #2: CVE-2021-3760: Linux kernel: Use-After-Free vulnerability of ndev->rf_conn_info object (Lin Horse <kylin.formalin@...il.com>)
• 2021/10/26 #1: Re: Linux kernel: powerpc: KVM guest can trigger host crash on Power8 (John Paul Adrian Glaubitz <glaubitz@...sik.fu-berlin.de>)
• 2021/10/25 #6: [ES2021-07] FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing ("Sandro Gauci" <sandro@...blesecurity.com>)
• 2021/10/25 #5: [ES2021-09] FreeSWITCH susceptible to Denial of Service via invalid SRTP packets ("Sandro Gauci" <sandro@...blesecurity.com>)
• 2021/10/25 #4: [ES2021-06] FreeSWITCH susceptible to Denial of Service via SIP flooding ("Sandro Gauci" <sandro@...blesecurity.com>)
• 2021/10/25 #3: [ES2021-08] FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default ("Sandro Gauci" <sandro@...blesecurity.com>)
• 2021/10/25 #2: [ES2021-05] FreeSWITCH vulnerable to SIP digest leak for configured gateways ("Sandro Gauci" <sandro@...blesecurity.com>)
• 2021/10/25 #1: Linux kernel: powerpc: KVM guest can trigger host crash on Power8 (Michael Ellerman <mpe@...erman.id.au>)

27401 messages

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.