Message-Id: <43B86407-F2E4-4081-BB14-1B2D26248767@uraeus.com>
Date: Fri, 20 Feb 2026 08:17:15 -0500
From: Joe Malcolm <jmalcolm@...eus.com>
To: oss-security@...ts.openwall.com
Cc: Joe Malcolm <jmalcolm@...eus.com>
Subject: OpenSC, ghostscript, cgif issues from the recent Anthropic disclosure

Many will have seen the recent post from Anthropic (1) and associated reporting that says they found 500+ vulnerabilities and lists 3 of them.

These three issues don’t appear to have CVEs and two don’t appear in releases. I don’t know if that indicates the maintainers don't agree with the significance of these findings, but I wonder if the other 498+ vulnerabilities also lack CVEs.

1. For OpenSC, the commit appears to be:

https://github.com/OpenSC/OpenSC/commit/9ab1daf21029dd18f8828d684ee6151d9238edab

There are no disclosed security issues more recent than 2024 at https://github.com/OpenSC/OpenSC/security and the last release was OpenSC 0.26.1.

2. For cgif, the fix is

https://github.com/dloebl/cgif/commit/07052febd3a252d30e6f0de67b2ea4f6b9aacddd

and it appears in v0.5.1.

4. For ghostscript, the commit appears to be

https://github.com/ArtifexSoftware/ghostpdl/commit/4e392a82d1b1780cab85804728317f36a9c4f7f7

which references a nonpublic bug 709080 <https://bugs.ghostscript.com/show_bug.cgi?id=709080>. The last release is 10.06.0 (2025-09-09) so there is no release with this fix.

Anthropic’s post: https://red.anthropic.com/2026/zero-days/

Joe