Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

oss-security mailing list - 2025/05

Messages by day:

May 2 (2 messages)

• CVE-2025-46762: Apache Parquet Java: Potential malicious code execution from trusted packages in the parquet-avro module when readi… (Gang Wu <gangwu@...che.org>)
• CVE-2025-47153: out-of-bounds access in some 32-bit builds of Node.js (Alan Coopersmith <alan.coopersmith@...cle.com>)

• CVE-2025-27533: Apache ActiveMQ: Unchecked buffer length can cause excessive memory allocation ("Christopher L. Shannon" <cshannon@...che.org>)
• Go 1.24.3 fixes CVE-2025-22873: os: Root permits access to parent directory (Alan Coopersmith <alan.coopersmith@...cle.com>)
• Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0 (Alan Coopersmith <alan.coopersmith@...cle.com>)

• CVE-2025-32873: Django: Denial-of-service possibility in strip_tags() (Natalia Bidart <nataliabidart@...ngoproject.com>)

• OSSA-2025-001 / CVE-2025-44021: OpenStack Ironic fails to restrict paths used for file:// image URLs (Jay Faulkner <jay@....cc>)
• Re: 3 new CVE's in old branch of GNU mailman (Jeremy Reeder <jeremy.reeder@...pros.com>)
• Fwd: Node.js security updates for all active release lines, May 2025 (Rafael Gonzaga <work@...aelgss.dev>)
• Re: Fwd: Node.js security updates for all active release lines, May 2025 (Solar Designer <solar@...nwall.com>)

• CVE-2025-1948 & CVE-2024-13009: DoS and infoleak in Jetty (Valtteri Vuorikoski <vuori@...com.org>)
• CVE-2025-46392: Apache Commons Configuration: StackOverflowError loading untrusted configuration (Arnout Engelen <engelen@...che.org>)
• CVE-2025-4207: PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails vali… (Alan Coopersmith <alan.coopersmith@...c…)
• Dropbear SSH 2025.88 fixes CVE-2025-47203 (Alan Coopersmith <alan.coopersmith@...cle.com>)

• screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) (Matthias Gerstner <mgerstner@...e.de>)
• CVE-2025-22247 - Insecure file handling vulnerability in open-vm-tools (VMware PSIRT <vmware.psirt@...adcom.com>)
• CVE-2025-27696: Apache Superset: Improper authorization leading to resource ownership takeover (Daniel Gaspar <dpgaspar@...che.org>)
• Xen Security Advisory 469 v1 - x86: Indirect Target Selection (Xen.org security team <security@....org>)
• Xen Security Advisory 469 v2 (CVE-2024-28956) - x86: Indirect Target Selection (Xen.org security team <security@....org>)
• Re: Dropbear SSH 2025.88 fixes CVE-2025-47203 (Albert Veli <albert.veli@...il.com>)

• Re: Dropbear SSH 2025.88 fixes CVE-2025-47203 (Matt Johnston <matt@....asn.au>)
• Re: CVE-2025-22247 - Insecure file handling vulnerability in open-vm-tools (Solar Designer <solar@...nwall.com>)
• Re: Dropbear SSH 2025.88 fixes CVE-2025-47203 (Albert Veli <albert.veli@...il.com>)
• CVE-2025-47436: Apache ORC: Potential Heap Buffer Overflow during C++ LZO Decompression (Dongjoon Hyun <dongjoon@...che.org>)
• VSV00016: Varnish Cache 6.0, 7.6, 7.7 - Request Smuggling Attack (Asad Ahmed <asadsa@...nish-software.com>)
• Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) ("Dr. Thomas Orgis" <thomas.orgis@...-hamburg.de>)
• Xen Security Notice 3 (CVE-2024-45332) Intel Branch Privilege Injection (Andrew Cooper <andrew.cooper3@...rix.com>)
• Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) ("Dr. Thomas Orgis" <thomas.orgis@...-hamburg.de>)
• Re: VSV00016: Varnish Cache 6.0, 7.6, 7.7 - Request Smuggling Attack (Marco Benatto <mbenatto@...hat.com>)
• Re: Dropbear SSH 2025.88 fixes CVE-2025-47203 (Dave Hart <davehart@...il.com>)
• EU Vulnerability Database (Graeme Fowler <graeme@...emef.net>)
• Re: EU Vulnerability Database (Stuart Henderson <stu@...cehopper.org>)
• Re: EU Vulnerability Database (Stuart Henderson <stu@...cehopper.org>)
• Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) (Simon McVittie <smcv@...ian.org>)
• Re: EU Vulnerability Database (Rolf Reintjes <rolf.reintjes@....de>)
• Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) (Mark Esler <mark.esler@...inguard.dev>)

• Re: EU Vulnerability Database (Solar Designer <solar@...nwall.com>)
• CVE-2024-24780: Apache IoTDB: Remote Code Execution with untrusted URI of User-defined function (Haonan Hou <haonan@...che.org>)
• CVE-2025-26795: Apache IoTDB JDBC driver: Exposure of Sensitive Information in IoTDB JDBC driver (Haonan Hou <haonan@...che.org>)
• CVE-2025-26864: Apache IoTDB: Exposure of Sensitive Information in IoTDB OpenID Authentication (Haonan Hou <haonan@...che.org>)
• Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) (Matthias Gerstner <mgerstner@...e.de>)
• Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) (Matthias Gerstner <mgerstner@...e.de>)
• Re: EU Vulnerability Database ("gmane.io" <wwd.smartmachine.stp@...teo.org>)
• Multiple vulnerabilities in Jenkins plugins (Kevin Guerroudj <kguerroudj@...udbees.com>)
• Fwd: Node.js security updates for all active release lines, May 2025 (Rafael Gonzaga <work@...aelgss.dev>)
• Re: Fwd: Node.js security updates for all active release lines, May 2025 (Solar Designer <solar@...nwall.com>)

• Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) (Stuart Henderson <stu@...cehopper.org>)
• Re: VSV00016: Varnish Cache 6.0, 7.6, 7.7 - Request Smuggling Attack (Asad Ahmed <asadsa@...nish-software.com>)
• WebKitGTK and WPE WebKit Security Advisory WSA-2025-0004 (Adrian Perez de Castro <aperez@...lia.com>)
• Re: Fwd: Node.js security updates for all active release lines, May 2025 (Yogesh Mittal <ymittal@...hat.com>)

• Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) (Matthias Gerstner <mgerstner@...e.de>)
• Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) (Jan Schaumann <jschauma@...meister.org>)
• Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) (Eli Schwartz <eschwartz@...too.org>)
• CPython CVE-2025-4516: Use-after-free crash using bytes.decode("unicode_escape", error="ignore|replace") (Alan Coopersmith <alan.coopersmith@...cle.com>)
• Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) (Taylor R Campbell <riastradh@...BSD.org>)
• Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) (Eli Schwartz <eschwartz@...too.org>)
• The GNU C Library security advisories update for 2025-05-16 (Carlos O'Donell <carlos@...hat.com>)

• Re: describing affected systems (was: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setui… (Jacob Bachmeyer <jcb62281@...il.com>)
• Re: The GNU C Library security advisories update for 2025-05-16 (Solar Designer <solar@...nwall.com>)
• RE: The GNU C Library security advisories update for 2025-05-16 ("Caveney, Seamus G" <sgcaveney@...ttleschools.org>)
• Re: describing affected systems (was: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and s… (Jan Schaumann <jschauma@...meister.org>)
• Re: describing affected systems (was: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and se… (Taylor R Campbell <riastradh@...BSD.org…)

• Re: describing affected systems (Eli Schwartz <eschwartz@...too.org>)

• Re: CPython CVE-2025-4516: Use-after-free crash using bytes.decode("unicode_escape", error="ignore|replace") (Hanno Böck <hanno@...eck.de>)
• Landlock news #5 (Mickaël Salaün <mic@...ikod.net>)

• Re: screen: Multiple Security Issues in Screen (mostly affecting release 5.0.0 and setuid-root installations) (Matthias Gerstner <mgerstner@...e.de>)
• CVE-2025-3908: OpenVPN 3 Linux v24.1 released (David Sommerseth <dazo@...ephia.org>)

• CVE-2025-40775: BIND 9: DNS message with invalid TSIG causes an assertion failure (Nicki Křížek <nicki@....org>)

• CVE-2025-4575: OpenSSL: The x509 application adds trusted use instead of rejected use (Tomas Mraz <tomas@...nssl.org>)
• Perl 5.40 dir dup bug with threading: security consequences (Vincent Lefevre <vincent@...c17.net>)

• Re: Perl 5.40 dir dup bug with threading: security consequences (Stig Palmquist <stig@...g.io>)
• CVE-2025-48708: ghostscript can embed plaintext password in encrypted PDFs (Alan Coopersmith <alan.coopersmith@...cle.com>)

• CVE-2025-35003: Apache NuttX RTOS: NuttX Bluetooth Stack HCI and UART DoS/RCE Vulnerabilities. (Tomasz Cedro <cederom@...che.org>)

• Xen Security Advisory 468 v3 (CVE-2025-27462,CVE-2025-27463,CVE-2025-27464) - WinPVDrivers: Excessive permissions on us… (Xen.org security team <security@....org…)
• CVE-2025-5278: Heap Buffer Overflow in GNU Coreutils sort (Alan Coopersmith <alan.coopersmith@...cle.com>)

• CVE-2025-27526: Apache InLong: JDBC Vulnerability For URLEncode and backspace bypass (Charles Zhang <dockerzhang@...che.org>)
• CVE-2025-27522: Apache InLong: JDBC Vulnerability during verification processing (Charles Zhang <dockerzhang@...che.org>)
• CVE-2025-27528: Apache InLong: JDBC Vulnerability for Invisible Character Bypass Leading to Arbitrary File Read (Charles Zhang <dockerzhang@...che.org>)
• [SECURITY ADVISORY] curl: QUIC certificate check skip with wolfSSL (Daniel Stenberg <daniel@...x.se>)
• [SECURITY ADVISORY] curl: No QUIC certificate pinning with wolfSSL (Daniel Stenberg <daniel@...x.se>)
• CVE-2025-48734: Apache Commons BeanUtils: PropertyUtilsBean does not suppresses an enum's declaredClass property by def… ("Gary D. Gregory" <ggregory@...che.org>)
• ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) (Andrei Pavel <andrei@....org>)
• Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) (Matthias Gerstner <mgerstner@...e.de>)
• RE: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) (Jounee Kim <Jokim@...com>)
• how to unsubscribe (Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)) (Solar Designer <solar@...nwall.com>)
• Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) (Jakub Wilk <jwilk@...lk.net>)

• Re: CVE-2025-5278: Heap Buffer Overflow in GNU Coreutils sort (Simon McVittie <smcv@...ian.org>)
• Re: CVE-2025-5278: Heap Buffer Overflow in GNU Coreutils sort (Alan Coopersmith <alan.coopersmith@...cle.com>)
• Local information disclosure in apport and systemd-coredump (Qualys Security Advisory <qsa@...lys.com>)
• CVE-2025-46701: Apache Tomcat: Security constraint bypass for CGI scripts (Mark Thomas <markt@...che.org>)

• Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) (Matthias Gerstner <mgerstner@...e.de>)
• Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) (Matthias Gerstner <mgerstner@...e.de>)
• CVE-2025-48912: Apache Superset: Improper authorization bypass on row level security via SQL Injection (Daniel Gaspar <dpgaspar@...che.org>)
• CVE-2025-40909: Perl threads have a working directory race condition where file operations may target unintended paths (Stig Palmquist <stig@...g.io>)

94 messages

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.