[go: up one dir, main page]

oss-sec: by author

269 messages starting Sep 26 23 and ending Sep 29 23
Date index | Thread index | Author index


Alan Coopersmith

Re: administrative tasks (was: illumos (or at least danmcd) membership in the distros list) Alan Coopersmith (Sep 26)
CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx Alan Coopersmith (Sep 28)
CVE-2023-38633 in librsvg: Arbitrary file read when xinclude href has special characters Alan Coopersmith (Jul 27)
Re: CVE-2023-38633 in librsvg: Arbitrary file read when xinclude href has special characters Alan Coopersmith (Sep 06)
Re: Re: Re: [MAINTAINERS SUMMIT] Handling of embargoed security issues -- security@korg vs. linux-distros@ Alan Coopersmith (Aug 27)
3 buffer overflows in gstreamer's gst-plugins-bad before 1.22.6 Alan Coopersmith (Sep 29)
Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx Alan Coopersmith (Sep 30)
Re: illumos (or at least danmcd) membership in the distros list Alan Coopersmith (Sep 14)
Re: illumos (or at least danmcd) membership in the distros list Alan Coopersmith (Sep 25)

Alexander Bluhm

Re: CVE-2023-4809: FreeBSD pf bypass when using IPv6 Alexander Bluhm (Sep 08)

Alex Gaynor

Re: OpenSSL Security Advisory Alex Gaynor (Sep 08)
Re: Multiple Exim4 Zero Days Alex Gaynor (Sep 29)

alice

Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors alice (Jul 25)
Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors alice (Jul 25)

Andrea Cosentino

CVE-2023-34442: Apache Camel JIRA: Temporary file information disclosure in Camel-Jira Andrea Cosentino (Jul 07)

Andrew Cooper

Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Andrew Cooper (Sep 26)
Re: Xen Security Advisory 433 v3 (CVE-2023-20593) - x86/AMD: Zenbleed Andrew Cooper (Aug 16)
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Andrew Cooper (Sep 25)
Re: Xen Security Advisory 433 v3 (CVE-2023-20593) - x86/AMD: Zenbleed Andrew Cooper (Aug 08)
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Andrew Cooper (Sep 26)

Andy Seaborne

CVE-2023-32200: Apache Jena: Exposure of execution in script engine expressions. Andy Seaborne (Jul 11)

Arnout Engelen

CVE-2023-40743: Apache Axis 1.x (EOL) may allow RCE when untrusted input is passed to getService Arnout Engelen (Sep 05)
CVE-2023-34150: Apache Any23: Possible excessive allocation of resources reading input. Arnout Engelen (Jul 04)

Barnabás Pőcze

Re: manjaro pamac vulnerability Barnabás Pőcze (Jul 09)

Bob Friesenhahn

Re: illumos (or at least danmcd) membership in the distros list Bob Friesenhahn (Sep 14)

Brahma Reddy Battula

CVE-2022-45855: Apache Ambari: Allows authenticated metrics consumers to perform RCE Brahma Reddy Battula (Jul 10)
CVE-2022-42009: Apache Ambari: A malicious authenticated user can remotely execute arbitrary code in the context of the application. Brahma Reddy Battula (Jul 10)

Brandon Perry

Re: CVE-2022-42009: Apache Ambari: A malicious authenticated user can remotely execute arbitrary code in the context of the application. Brandon Perry (Jul 10)

Brian Demers

CVE-2023-34478: Apache Shiro before 1.12.0, or 2.0.0-alpha-3, may be susceptible to a path traversal attack when used together with APIs or other web frameworks that route requests based on non-normalized requests. Brian Demers (Jul 24)

Carlos Alberto Lopez Perez

WebKitGTK and WPE WebKit Security Advisory WSA-2023-0006 Carlos Alberto Lopez Perez (Jul 21)
WebKitGTK and WPE WebKit Security Advisory WSA-2023-0008 Carlos Alberto Lopez Perez (Sep 11)
WebKitGTK and WPE WebKit Security Advisory WSA-2023-0009 Carlos Alberto Lopez Perez (Sep 28)
WebKitGTK and WPE WebKit Security Advisory WSA-2023-0007 Carlos Alberto Lopez Perez (Aug 02)

Carsten Ziegeler

CVE-2023-38435: Apache Felix Healthcheck Webconsole Plugin: XSS in healthcheck webconsole plugin Carsten Ziegeler (Jul 25)

Casper Dik

RE: [External] : [oss-security] Possible AMD Zen2 CVE Casper Dik (Sep 19)

Charles Zhang

CVE-2023-34434: Apache InLong: JDBC URL bypassing by allowLoadLocalInfileInPath param Charles Zhang (Jul 25)
CVE-2023-35088: Apache InLong: SQL injection in audit endpoint Charles Zhang (Jul 25)
CVE-2023-34189: Apache InLong: General user can delete and update process Charles Zhang (Jul 25)

Christopher Schultz

CVE-2023-41081: Apache Tomcat Connectors: Unexpected use of first declared worker in mod_jk for unmapped request [CORRECTION] Christopher Schultz (Sep 28)

Damien Miller

Announce: OpenSSH 9.3p2 released Damien Miller (Jul 19)

Daniel Beck

Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck (Sep 20)
Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck (Jul 26)
Multiple vulnerabilities in Jenkins plugins Daniel Beck (Aug 16)
Multiple vulnerabilities in Jenkins plugins Daniel Beck (Sep 06)
Multiple vulnerabilities in Jenkins plugins Daniel Beck (Jul 12)

Daniel Gaspar

CVE-2023-37941: Apache Superset: Metadata db write access can lead to remote code execution Daniel Gaspar (Sep 06)
CVE-2023-39264: Apache Superset: Stack traces enabled by default Daniel Gaspar (Sep 06)
CVE-2023-36387: Apache Superset: Improper API permission for low privilege users Daniel Gaspar (Sep 06)
CVE-2023-39265: Apache Superset: Possible Unauthorized Registration of SQLite Database Connections Daniel Gaspar (Sep 06)
CVE-2023-27523: Apache Superset: Improper data permission validation on Jinja templated queries Daniel Gaspar (Sep 06)
CVE-2023-32672: Apache Superset: SQL parser edge case bypasses data access authorization Daniel Gaspar (Sep 06)
CVE-2023-27526: Apache Superset: Improper Authorization check on import charts Daniel Gaspar (Sep 06)
CVE-2023-36388: Apache Superset: Improper API permission for low privilege users allows for SSRF Daniel Gaspar (Sep 06)

Daniel Stenberg

CVE-2023-38039 curl: HTTP headers eat all memory Daniel Stenberg (Sep 12)
curl: fopen race condition: CVE-2023-32001 Daniel Stenberg (Jul 18)

Dan McDonald

Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 18)
illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 13)
Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 25)
Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 14)
Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 14)
Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 25)
Re: illumos (or at least danmcd) membership in the distros list Dan McDonald (Sep 14)

Dave

CVE-2023-37581: Apache Roller: XSS vulnerability for site with untrusted users Dave (Aug 05)

Dave Fisher

CVE-2023-31007: Apache Pulsar: Broker does not always disconnect client when authentication data expires Dave Fisher (Jul 11)
CVE-2023-30429: Apache Pulsar: Incorrect Authorization for Function Worker when using mTLS Authentication through Pulsar Proxy Dave Fisher (Jul 11)
CVE-2023-30428: Apache Pulsar Broker: Incorrect Authorization Validation for Rest Producer Dave Fisher (Jul 11)
CVE-2023-37579: Apache Pulsar Function Worker: Incorrect Authorization for Function Worker Can Leak Sink/Source Credentials Dave Fisher (Jul 11)

David Handermann

CVE-2023-40037: Apache NiFi: Incomplete Validation of JDBC and JNDI Connection URLs David Handermann (Aug 18)
CVE-2023-36542: Apache NiFi: Potential Code Injection with Properties Referencing Remote Resources David Handermann (Jul 29)

Demi Marie Obenour

Re: linux-distros list policy and Linux kernel, again Demi Marie Obenour (Aug 27)
Re: linux-distros list policy and Linux kernel, again Demi Marie Obenour (Aug 26)
Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Demi Marie Obenour (Jul 25)
Re: linux-distros list policy and Linux kernel, again Demi Marie Obenour (Aug 28)
Re: illumos (or at least danmcd) membership in the distros list Demi Marie Obenour (Sep 14)
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Demi Marie Obenour (Sep 27)
Re: Announce: OpenSSH 9.3p2 released Demi Marie Obenour (Jul 21)
Re: Rust programs in distrbutions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) Demi Marie Obenour (Sep 30)
Re: Xen Security Advisory 433 v3 (CVE-2023-20593) - x86/AMD: Zenbleed Demi Marie Obenour (Aug 08)
Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx Demi Marie Obenour (Sep 28)
Re: Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx Demi Marie Obenour (Sep 29)
Re: Announce: OpenSSH 9.3p2 released Demi Marie Obenour (Jul 20)
Re: Multiple vulnerabilities in Jenkins plugins Demi Marie Obenour (Aug 16)
Re: CVE-2023-4809: FreeBSD pf bypass when using IPv6 Demi Marie Obenour (Sep 08)

Dennis Dast

Podman: API service listening on TCP can be used from websites Dennis Dast (Aug 15)

Dominique Martinet

Rust programs in distrbutions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) Dominique Martinet (Sep 30)

Donald Buczek

Re: Re: [MAINTAINERS SUMMIT] Handling of embargoed security issues -- security@korg vs. linux-distros@ Donald Buczek (Aug 25)

Eddie Chapman

Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Eddie Chapman (Jul 25)

Eduardo' Vela" <Nava>

Re: linux-distros list policy and Linux kernel, again Eduardo' Vela" <Nava> (Aug 27)
Re: linux-distros list policy and Linux kernel, again Eduardo' Vela" <Nava> (Aug 27)

Elad Kalif

CVE-2023-37415: Apache Airflow Apache Hive Provider: Improper Input Validation in Hive Provider with proxy_user Elad Kalif (Jul 12)
CVE-2023-41267: Apache HDFS Provider error message suggested installation of incorrect pip package Elad Kalif (Sep 14)
CVE-2023-40195: Apache Airflow Spark Provider Deserialization Vulnerability RCE Elad Kalif (Aug 25)
CVE-2023-40272: Apache Airflow Spark Provider Arbitrary File Read via JDBC Elad Kalif (Aug 17)
CVE-2023-39553: Apache Airflow Drill Provider Arbitrary File Read Vulnerability Elad Kalif (Aug 11)
CVE-2023-27604: Apache Airflow Sqoop Provider: Airflow Sqoop Provider RCE Vulnerability Elad Kalif (Aug 25)
CVE-2023-35797: Apache Airflow Hive Provider Beeline RCE with Principal Elad Kalif (Jul 02)

Emilio Pozuelo Monfort

Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Emilio Pozuelo Monfort (Sep 28)

Enrico Bassetti

CVE-2023-4809: FreeBSD pf bypass when using IPv6 Enrico Bassetti (Sep 08)

Ephraim Anierobi

CVE-2023-22888: Apache Airflow: Scheduler remote DoS Ephraim Anierobi (Jul 11)
CVE-2023-39441: Apache Airflow SMTP Provider, Apache Airflow IMAP Provider, Apache Airflow: SMTP/IMAP client components allowed MITM due to missing Certificate Validation Ephraim Anierobi (Aug 23)
CVE-2023-40273: Session fixation in Apache Airflow web interface Ephraim Anierobi (Aug 23)
CVE-2023-40712: Apache Airflow: Secrets can be unmasked in the "Rendered Template" Ephraim Anierobi (Sep 12)
CVE-2023-35908: Apache Airflow: Access to DAGs without relevant permission Ephraim Anierobi (Jul 11)
CVE-2023-37379: Apache Airflow: Exposure of sensitive connection information, DOS and SSRF on "test connection" feature Ephraim Anierobi (Aug 23)
CVE-2022-46651: Apache Airflow: Security vulnerability on AirFlow Connections Ephraim Anierobi (Jul 11)
CVE-2023-40611: Apache Airflow Dag Runs Broken Access Control Vulnerability Ephraim Anierobi (Sep 12)
CVE-2023-36543: Apache Airflow: ReDoS via dags function Ephraim Anierobi (Jul 11)
CVE-2023-22887: Apache Airflow path traversal by authenticated user Ephraim Anierobi (Jul 11)

Gary D. Gregory

CVE-2023-42503: Apache Commons Compress: Denial of service via CPU consumption for malformed TAR file Gary D. Gregory (Sep 13)

Greg KH

Re: [CVE-2023-42755] Linux kernel wild pointer access <= v6.2 Greg KH (Sep 26)
Re: [CVE-2023-42755] Linux kernel wild pointer access <= v6.2 Greg KH (Sep 26)

Guillaume Nodet

CVE-2023-35887: Apache MINA SSHD: Information disclosure bugs with RootedFilesystem Guillaume Nodet (Jul 07)

Hanno Böck

Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Hanno Böck (Sep 21)

Heiko Schlittermann

Exim4 MTA CVEs assigned from ZDI Heiko Schlittermann (Sep 29)

Jan Schaumann

Re: RCE in acme.sh < 3.0.6 Jan Schaumann (Jul 13)
CVE-2023-36459: mastodon: XSS through oEmbed preview cards Jan Schaumann (Jul 06)
CVE-2023-36460: mastodon: Arbitrary file creation through media attachments Jan Schaumann (Jul 06)
CVE-2023-36461: mastodon: Denial of Service through slow HTTP responses Jan Schaumann (Jul 06)
CVE-2023-28853: mastodon: Blind LDAP injection in login Jan Schaumann (Jul 06)

Jarek Potiuk

CVE-2023-39508: Apache Airflow: Airflow "Run task" feature allows execution with unnecessary priviledges Jarek Potiuk (Aug 04)

Jean-Louis Monteiro

CVE-2023-33008: Apache Johnzon: Prevent inefficient internal conversion from BigDecimal at large scale Jean-Louis Monteiro (Jul 06)

Jean Luc Picard

Re: illumos (or at least danmcd) membership in the distros list Jean Luc Picard (Sep 14)

Jeffrey Walton

Re: OpenSSL Security Advisory Jeffrey Walton (Jul 19)
Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx Jeffrey Walton (Sep 29)
Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Jeffrey Walton (Jul 25)
Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Jeffrey Walton (Sep 28)

Jeremy Stanley

Re: linux-distros list policy and Linux kernel, again Jeremy Stanley (Aug 28)

Jonathan Gray

Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Jonathan Gray (Jul 25)

Julian Reschke

CVE-2023-37895: Apache Jackrabbit RMI access can lead to RCE Julian Reschke (Jul 25)

Junkai Xue

CVE-2023-38647: Apache Helix: Deserialization vulnerability in Helix workflow and REST Junkai Xue (Jul 25)

Katherine Mcmillan

Re: illumos (or at least danmcd) membership in the distros list Katherine Mcmillan (Sep 13)

Ken Moffat

Node.js security updates for August Ken Moffat (Aug 09)

Kyle Zeng

[CVE-2023-42756] Linux kernel race condition in netfilter Kyle Zeng (Sep 27)
Re: [CVE-2023-42755] Linux kernel wild pointer access <= v6.2 Kyle Zeng (Sep 26)
[CVE-2023-42752] integer overflow in Linux kernel leading to exploitable memory access Kyle Zeng (Sep 18)
[CVE-2023-42753] Array Indexing error in Linux kernel Kyle Zeng (Sep 22)
[CVE-2023-42755] Linux kernel wild pointer access <= v6.2 Kyle Zeng (Sep 25)

Levente Polyak

Replacement of Allan McRae on linux-distros for Arch Linux Levente Polyak (Sep 01)

Lin Ma

CVE-2023-3439: Linux MCTP use-after-free in mctp_sendmsg Lin Ma (Jul 02)
CVE-2023-3772: Linux kernel: xfrm_update_ae_params NULL pointer dereference Lin Ma (Aug 09)

Lucas Rolff

Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Lucas Rolff (Jul 25)

Marc Deslauriers

Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Marc Deslauriers (Sep 22)
Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Marc Deslauriers (Jul 24)

Marcus Meissner

Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Marcus Meissner (Jul 25)
Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Marcus Meissner (Jul 19)
Re: Announce: OpenSSH 9.3p2 released Marcus Meissner (Jul 21)

Mariusz Felisiak

Django: CVE-2023-41164: Potential denial of service vulnerability in django.utils.encoding.uri_to_iri() Mariusz Felisiak (Sep 04)
Django: CVE-2023-36053: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator Mariusz Felisiak (Jul 03)

Mark Thomas

[SECURITY] CVE-2023-41081 Apache Tomcat Connectors (mod_jk) Information Disclosure Mark Thomas (Sep 13)

Markus Gschwendt

Multiple Exim4 Zero Days Markus Gschwendt (Sep 29)

Martijn Visser

[CVE-2023-41834] Apache Flink Stateful Functions allowed HTTP header injection due to Improper Neutralization of CRLF Sequences Martijn Visser (Sep 19)

Marton Szasz

CVE-2023-41180: Apache NiFi MiNiFi C++: Incorrect Certificate Validation in InvokeHTTP for MiNiFi C++ Marton Szasz (Sep 02)

Mathias Krause

Re: Possible AMD Zen2 CVE Mathias Krause (Sep 19)

Matt Caswell

OpenSSL Security Advisory Matt Caswell (Jul 31)

Matthew Fernandez

Re: Announce: OpenSSH 9.3p2 released Matthew Fernandez (Jul 20)

Matthias Gerstner

openSUSE-welcome: local privilege escalation when choosing XFCE desktop layout (CVE-2023-32184) Matthias Gerstner (Aug 22)
croc: multiple issues in file sharing utility Matthias Gerstner (Sep 08)
Mozilla VPN: CVE-2023-4104: Privileged vpndaemon on Linux wrongly and incompletely implements Polkit authentication Matthias Gerstner (Aug 03)

Matthias Schmidt

Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Matthias Schmidt (Jul 25)

Maurits van Rees

Plone security advisory 2023/09/21 Maurits van Rees (Sep 22)

Michael Daum

Foswiki-2.1.8 has been released Michael Daum (Aug 07)

Michael Orlitzky

Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx Michael Orlitzky (Sep 29)
Re: Rust programs in distrbutions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) Michael Orlitzky (Sep 30)
Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx Michael Orlitzky (Sep 29)

Michał Kępień

ISC has disclosed two vulnerabilities in BIND 9 (CVE-2023-3341, CVE-2023-4236) Michał Kępień (Sep 20)

Miroslav Benes

Re: Re: [MAINTAINERS SUMMIT] Handling of embargoed security issues -- security@korg vs. linux-distros@ Miroslav Benes (Aug 29)

Moritz Bechler

Re: [CVE-2022-44730] Apache Batik information disclosure vulnerability Moritz Bechler (Aug 22)

Nbxiglk

Re: [CVE-2022-44729] Apache Batik information disclosure vulnerability Nbxiglk (Aug 22)

nightmare . yeah27

Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx nightmare . yeah27 (Sep 29)

Pietro Albini

CVE-2023-38497: Cargo does not respect umask when extracting packages Pietro Albini (Aug 03)

Qualys Security Advisory

CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent Qualys Security Advisory (Jul 19)
Re: Announce: OpenSSH 9.3p2 released Qualys Security Advisory (Jul 21)

Rafael Silva

Fwd: Node.js security updates for all active release lines, August 2023 Rafael Silva (Aug 10)
Fwd: Node.js security updates for all active release lines, August 2023 Rafael Silva (Aug 08)

Ramon de C Valle

Re: CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent Ramon de C Valle (Jul 20)

Rita Zhang

[kubernetes] CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation Rita Zhang (Aug 23)
[kubernetes] CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin Rita Zhang <rita.z.zhang () gmail com> Rita Zhang (Jul 06)
[kubernetes] CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation Rita Zhang (Aug 23)
[kubernetes] CVE-2023-3893: Insufficient input sanitization on kubernetes-csi-proxy leads to privilege escalation Rita Zhang (Aug 23)
[kubernetes] CVE-2023-2727: Bypassing policies imposed by the ImagePolicyWebhook admission plugin Rita Zhang (Jul 06)

Rodrigo Freire

Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Rodrigo Freire (Sep 22)

Rongtong Jin

CVE-2023-37582: Apache RocketMQ: Possible remote code execution when using the update configuration function Rongtong Jin (Jul 12)

Ruihan Li

StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability Ruihan Li (Jul 05)
Re: StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability Ruihan Li (Jul 28)

Ryan Skraba

CVE-2023-39410: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK Ryan Skraba (Sep 29)

Sage [They / Them] McTaggart

CVE-2023-43040 Ceph: Improperly verified POST keys. Sage [They / Them] McTaggart (Sep 26)

Salvatore Bonaccorso

Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Salvatore Bonaccorso (Sep 28)
Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Salvatore Bonaccorso (Sep 26)
Re: croc: multiple issues in file sharing utility Salvatore Bonaccorso (Sep 21)

Sandipan Roy

Re: OpenSSL Security Advisory Sandipan Roy (Jul 19)

Seth Arnold

Re: CVE-2023-3772: Linux kernel: xfrm_update_ae_params NULL pointer dereference Seth Arnold (Aug 10)
Re: linux-distros list policy and Linux kernel, again Seth Arnold (Aug 25)
Re: CVE-2023-40272: Apache Airflow Spark Provider Arbitrary File Read via JDBC Seth Arnold (Aug 17)

Sevan Janiyan

Re: Announce: OpenSSH 9.3p2 released Sevan Janiyan (Jul 20)
Re: Announce: OpenSSH 9.3p2 released Sevan Janiyan (Jul 21)

Shawn Webb

Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx Shawn Webb (Sep 29)

Simon Steiner

[CVE-2022-44729] Apache Batik information disclosure vulnerability Simon Steiner (Aug 22)
[CVE-2022-44730] Apache Batik information disclosure vulnerability Simon Steiner (Aug 22)

Solar Designer

Re: linux-distros list policy and Linux kernel, again Solar Designer (Sep 21)
Re: Replacement of Allan McRae on linux-distros for Arch Linux Solar Designer (Sep 01)
Re: CVE-2022-42009: Apache Ambari: A malicious authenticated user can remotely execute arbitrary code in the context of the application. Solar Designer (Jul 11)
Re: Fwd: Node.js security updates for all active release lines, August 2023 Solar Designer (Aug 08)
Re: illumos (or at least danmcd) membership in the distros list Solar Designer (Sep 22)
Re: Xen Security Advisory 433 v3 (CVE-2023-20593) - x86/AMD: Zenbleed Solar Designer (Aug 16)
Re: linux-distros list policy and Linux kernel, again Solar Designer (Aug 26)
Re: illumos (or at least danmcd) membership in the distros list Solar Designer (Sep 15)
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer (Sep 25)
Re: illumos (or at least danmcd) membership in the distros list Solar Designer (Sep 25)
Re: illumos (or at least danmcd) membership in the distros list Solar Designer (Sep 25)
Re: linux-distros list policy and Linux kernel, again Solar Designer (Aug 30)
Re: Exim4 MTA CVEs assigned from ZDI Solar Designer (Sep 29)
Re: linux-distros list policy and Linux kernel, again Solar Designer (Aug 28)
Re: CVE-2023-4504 cups, libppd: Postscript parsing heap-based buffer overflow Solar Designer (Sep 20)
Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Solar Designer (Jul 25)
CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Solar Designer (Sep 21)
Re: CVE-2023-20593: A use-after-free in AMD Zen2 Processors Solar Designer (Jul 25)
Re: illumos (or at least danmcd) membership in the distros list Solar Designer (Sep 22)
CVE-2023-4527: glibc: Stack read overflow in getaddrinfo in no-aaaa mode Solar Designer (Sep 25)
Re: linux-distros list policy and Linux kernel, again Solar Designer (Sep 08)
Re: StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability Solar Designer (Jul 07)
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer (Sep 25)
linux-distros list policy and Linux kernel, again Solar Designer (Aug 25)
Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Solar Designer (Sep 22)
Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Solar Designer (Sep 26)
Re: illumos (or at least danmcd) membership in the distros list Solar Designer (Sep 14)
Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Solar Designer (Sep 22)
Re: Xen Security Advisory 433 v3 (CVE-2023-20593) - x86/AMD: Zenbleed Solar Designer (Aug 08)
Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Solar Designer (Sep 26)
Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Solar Designer (Jul 14)

Srivani Reddy

Re: CVE-2023-37581: Apache Roller: XSS vulnerability for site with untrusted users Srivani Reddy (Aug 16)

Stefan Bodewig

CVE-2022-46751: Apache Ivy: XML External Entity vulnerability in Apache Ivy Stefan Bodewig (Aug 20)

Steffen Nurpmeso

Re: Rust programs in distrbutions (Was: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx) Steffen Nurpmeso (Sep 30)

Steve Thompson

Possible AMD Zen2 CVE Steve Thompson (Sep 18)

Stian Kristoffersen

Supply Chain Issues in PyPI Stian Kristoffersen (Sep 21)

Tamás Koczka

Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Tamás Koczka (Jul 19)

Tavis Ormandy

CVE-2023-20593: A use-after-free in AMD Zen2 Processors Tavis Ormandy (Jul 24)
manjaro pamac vulnerability Tavis Ormandy (Jul 07)
MOV{H,L}PS instructions can fail on Genoa (Zen 4) Tavis Ormandy (Sep 21)
mutt 2.2.12 security update Tavis Ormandy (Sep 09)

Thadeu Lima de Souza Cascardo

CVE-2023-31248 - Linux kernel nf_tables UAF when using nft_chain_lookup_byid Thadeu Lima de Souza Cascardo (Jul 05)
Re: mutt 2.2.12 security update Thadeu Lima de Souza Cascardo (Sep 26)
CVE-2023-35001 - Linux kernel nf_tables nft_byteorder_eval OOB read/write Thadeu Lima de Souza Cascardo (Jul 05)

Tomas Mraz

OpenSSL Security Advisory Tomas Mraz (Jul 15)
OpenSSL Security Advisory Tomas Mraz (Sep 08)
OpenSSL Security Advisory Tomas Mraz (Jul 19)

Travis Finkenauer

Re: CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx Travis Finkenauer (Sep 29)

Vincent Rabaud

Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Vincent Rabaud (Sep 22)
Re: CVE-2023-4863: libwebp: Heap buffer overflow in WebP Codec Vincent Rabaud (Sep 22)

VMware Security Response Center

[Security Advisory] open-vm-tools: SAML token signature bypass vulnerability (CVE-2023-20900) VMware Security Response Center (Aug 31)

Weijie Wu

CVE-2023-28754: ShardingSphere-Agent: Deserialization vulnerability in ShardingSphere Agent Weijie Wu (Jul 19)

Willy Tarreau

Re: linux-distros list policy and Linux kernel, again Willy Tarreau (Aug 27)
Re: linux-distros list policy and Linux kernel, again Willy Tarreau (Aug 28)
Re: linux-distros list policy and Linux kernel, again Willy Tarreau (Sep 04)

X41 D-Sec GmbH Advisories

Advisory X41-2023-001: Two Vulnerabilities in OPNsense X41 D-Sec GmbH Advisories (Sep 21)

Xen . org security team

Xen Security Advisory 433 v3 (CVE-2023-20593) - x86/AMD: Zenbleed Xen . org security team (Jul 31)
Xen Security Notice 1 v1 - winpvdrvbuild.xenproject.org potentially compromised Xen . org security team (Jul 14)
Xen Security Advisory 433 v1 - x86/AMD: Zenbleed Xen . org security team (Jul 24)
Xen Security Advisory 439 v2 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Xen . org security team (Sep 25)
Xen Security Advisory 432 v2 (CVE-2023-34319) - Linux: buffer overrun in netback due to unusual packet Xen . org security team (Aug 08)
Xen Security Advisory 438 v2 (CVE-2023-34322) - top-level shadow reference dropped too early for 64-bit PV guests Xen . org security team (Sep 20)
Xen Security Advisory 433 v2 (CVE-2023-20593) - x86/AMD: Zenbleed Xen . org security team (Jul 26)
Xen Security Advisory 437 v2 (CVE-2023-34321) - arm32: The cache may not be properly cleaned/invalidated Xen . org security team (Sep 05)
Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak Xen . org security team (Sep 25)
Xen Security Advisory 435 v1 (CVE-2022-40982) - x86/Intel: Gather Data Sampling Xen . org security team (Aug 08)
Xen Security Advisory 436 v1 (CVE-2023-34320) - arm: Guests can trigger a deadlock on Cortex-A77 Xen . org security team (Aug 01)
Xen Security Advisory 434 v1 (CVE-2023-20569) - x86/AMD: Speculative Return Stack Overflow Xen . org security team (Aug 08)

Xue Weiming

CVE-2023-26512: Apache EventMesh RabbitMQ-Connector plugin allows RCE through deserialization of untrusted data Xue Weiming (Jul 15)

Zdenek Dohnal

CVE-2023-4504 cups, libppd: Postscript parsing heap-based buffer overflow Zdenek Dohnal (Sep 20)

zdi () trendmicro com

RE: Exim4 MTA CVEs assigned from ZDI zdi () trendmicro com (Sep 29)