@Openwall oss-security mailing list thread summaries, currently maintained by @solardiz. Originally setup and maintained as an automated feed by @eugeneteo.

Joined August 2009
Perl CPAN CVE-2026-8722: Net::Async::Statsd::Client through 0.005 allows metric injections openwall.com/lists/oss-secur…
CVE-2026-8829: HTML::Entities before 3.84 reads freed heap memory in _decode_entities openwall.com/lists/oss-secur…

Perl CPAN CVE-2026-9698: DBI before 1.648 saved errors in a limited-sized buffer (can trigger a buffer overflow) openwall.com/lists/oss-secur…
CVE-2009-10007: Catalyst::Plugin::Authentication before 0.10_027 is susceptible to session fixation attacks openwall.com/lists/oss-secur…

Perl CPAN Metrics-Any-Adapter-Statsd CVE-2026-50637, CVE-2026-50638, CVE-2026-50639: Statsd, DogStatsd, SignalFx before 0.04 do not protect against metric injections openwall.com/lists/oss-secur… & openwall.com/lists/oss-secur… & openwall.com/lists/oss-secur…

17 CVEs in Apache Airflow openwall.com/lists/oss-secur… and openwall.com/lists/oss-secur… including a few with "Severity: important" or "Severity: high"

CVE-2026-49818: Apache Airflow Samba provider: Path traversal in GCSToSambaOperator via GCS object names openwall.com/lists/oss-secur…

7 CVEs in Apache Answer openwall.com/lists/oss-secur… & openwall.com/lists/oss-secur… One "Severity: critical", several "important". "AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed"

Proposal: Add separate oss-security-vulnerability-reports mailing list (for AI vulnpocalypse) openwall.com/lists/oss-secur… "leave *this* oss-security mailing list for general discussions" "If we don't do this, I think the human participants will need to unsubscribe from this list"

CVE-2026-3276: CPython: Potential DoS via quadratic complexity in unicodedata.normalize() openwall.com/lists/oss-secur…
CVE-2026-7774: CPython: tarfile.data_filter path traversal bypass allows writing outside the extraction directory openwall.com/lists/oss-secur…

CVE-2026-9669: CPython: bz2.BZ2Decompressor reuse after error can cause a stack buffer overflow openwall.com/lists/oss-secur… "HIGH severity"

13 CVEs in Apache HTTP Server openwall.com/lists/oss-secur… fixed in 2.4.68, up to "Severity: moderate"

CVE-2020-37248: OfflineIMAP: STARTTLS stripping openwall.com/lists/oss-secur… OfflineIMAP before 8.0.3 trusts the server with its STARTTLS capability prior to authentication, which allows STRIPTLS MITM attacks taking over the connection and extracting account credentials in cleartext

rsync 3.4.3 fixes 6 CVEs openwall.com/lists/oss-secur… 3 CVEs require a non-default daemon configuration to reach, 2 are reachable from a normal pull or a normal authenticated daemon connection, 1 is reachable only when RSYNC_PROXY is set. CVSS scores up to 8.1.

rsync 3.4.4 has regression fixes for the rsync 3.4.3 security release openwall.com/lists/oss-secur… but fixes no new security issues. There will be a 3.5.0 release soon with a lot more security updates. Created an rsync-security mailing list.

April 2026 was the busiest month for oss-security in 11 years. 311 messages posted. We surpassed the XZ backdoor spike of March-April 2024. We last had 300 in April 2015 when we still had CVE assignment via the list. Now we're back without that incentive. openwall.com/lists/oss-secur…

May 2026 was the second busiest month for oss-security so far. 455 messages, which is close to the peak of 485 in October 2014 after Shellshock.
CVE-2026-47430: Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews openwall.com/lists/oss-secur… Severity: important

FreeType: 4 issues disclosed by Project Zero openwall.com/lists/oss-secur… Heap Buffer Overflows and Out-of-Bounds Reads via various TrueType Instructions, Variation Handling, and Sub-byte Bitmaps

Vim: Arbitrary Code Execution via Python Omni-Completion in Vim < 9.2.597 openwall.com/lists/oss-secur… convince a user to open or edit a hostile Python buffer and trigger Python omni-completion (CTRL-X CTRL-O, or a plugin that invokes the completion function)

libinput: libinput-device-group unescaped phys output can inject udev properties openwall.com/lists/oss-secur… Malicious uinput or uhid device that sets a phys sysattr containing \n [...] could cause arbitrary execution as root (e.g. by setting the REMOVE_CMD property). Duplicate CVEs.

CVE-2026-50076: Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass openwall.com/lists/oss-secur… Severity: important
