oss-security mailing list

Follow @Openwall on Twitter for new release announcements and other news

oss-security mailing list

	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2026	141	57
2025	92	75	93	105	94	100	69	75	107	112	106	140
2024	80	100	178	197	72	47	128	107	58	52	87	44
2023	69	62	100	107	99	78	87	60	122	198	86	101
2022	116	50	47	79	83	58	77	86	76	70	95	108
2021	92	91	98	90	88	59	61	82	49	76	60	47
2020	52	47	38	82	70	67	76	64	71	85	90	66
2019	102	48	49	86	51	103	107	80	71	75	67	70
2018	122	81	84	81	71	104	71	135	78	120	75	84
2017	252	278	171	171	209	278	225	157	214	162	196	93
2016	258	207	271	183	267	193	214	184	287	294	257	241
2015	377	336	355	319	277	243	266	197	195	206	205	208
2014	214	252	249	211	183	317	273	201	413	485	382	318
2013	217	323	246	258	200	201	260	265	163	203	182	199
2012	333	189	294	216	234	128	150	207	234	192	191	161
2011	153	169	318	354	159	224	258	164	137	203	241	146
2010	72	96	123	118	115	142	119	144	203	84	187	139
2009	89	81	75	114	96	59	84	99	102	122	108	74
2008		104	103	143	136	112	150	125	127	123	128	107

Recent messages:

2026/02/20 #6: Re: OpenSC, ghostscript, cgif issues from the recent Anthropic disclosure (Eli Schwartz <eschwartz@...too.org>)
2026/02/20 #5: OpenSC, ghostscript, cgif issues from the recent Anthropic disclosure (Joe Malcolm <jmalcolm@...eus.com>)
2026/02/20 #4: Re: MIT/Heimdal Kerberos credentials cache type FILE risks (Russ Allbery <eagle@...ie.org>)
2026/02/20 #3: Re: MIT/Heimdal Kerberos credentials cache type FILE risks (Jacob Bachmeyer <jcb62281@...il.com>)
2026/02/20 #2: Re: MIT/Heimdal Kerberos credentials cache type FILE risks (Jacob Bachmeyer <jcb62281@...il.com>)
2026/02/20 #1: Re: MIT/Heimdal Kerberos credentials cache type FILE risks (Russ Allbery <eagle@...ie.org>)
2026/02/19 #7: Re: MIT/Heimdal Kerberos credentials cache type FILE risks (Russ Allbery <eagle@...ie.org>)
2026/02/19 #6: Re: MIT/Heimdal Kerberos credentials cache type FILE risks (Jacob Bachmeyer <jcb62281@...il.com>)
2026/02/19 #5: Re: Default IV & other issues in aes-js & pyaes modules, & strongMan VPN manager (Soatok Dreamseeker <soatok.dhole@...il.com>)
2026/02/19 #4: Default IV & other issues in aes-js & pyaes modules, & strongMan VPN manager (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/02/19 #3: Re: Systemd vsock sshd (Solar Designer <solar@...nwall.com>)
2026/02/19 #2: MIT/Heimdal Kerberos credentials cache type FILE risks (Solar Designer <solar@...nwall.com>)
2026/02/19 #1: Re: Re: zlib security audit by 7asecurity (Sevan Janiyan <venture37@...klan.co.uk>)
2026/02/18 #7: CVE-2026-23552: Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy (Andrea Cosentino <acosentino@...che.org>)
2026/02/18 #6: CVE-2026-25747: Apache Camel: Deserialization of Untrusted Data in Camel LevelDB (Andrea Cosentino <acosentino@...che.org>)
2026/02/18 #5: Re: Re: zlib security audit by 7asecurity (Sevan Janiyan <venture37@...klan.co.uk>)
2026/02/18 #4: Multiple vulnerabilities in Jenkins (Daniel Beck <ml@...kweb.net>)
2026/02/18 #3: Re: zlib security audit by 7asecurity (Steffen Nurpmeso <steffen@...oden.eu>)
2026/02/18 #2: Re: Re: zlib security audit by 7asecurity (Sevan Janiyan <venture37@...klan.co.uk>)
2026/02/18 #1: Re: Re: zlib security audit by 7asecurity (Jan Engelhardt <ej@...i.de>)
2026/02/17 #8: Re: zlib security audit by 7asecurity (Simon Josefsson <simon@...efsson.org>)
2026/02/17 #7: [OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) errata 1 (Jeremy Stanley <fungi@...goth.org>)
2026/02/17 #6: Re: CVE-2026-25506: MUNGE 0.5-0.5.17 buffer overflow allowing key leakage (Sam James <sam@...too.org>)
2026/02/17 #5: zlib security audit by 7asecurity (Sam James <sam@...too.org>)
2026/02/17 #4: CVE-2026-25087: Apache Arrow: Potential use-after-free when reading IPC file with pre-buffering (Antoine Pitrou <apitrou@...che.org>)
2026/02/17 #3: Re: [OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) (Jeremy Stanley <fungi@...goth.org>)
2026/02/17 #2: Re: [OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) (Salvatore Bonaccorso <carnil@...ian.org>)
2026/02/17 #1: [OSSA-2026-002] OpenStack Nova: calls qemu-img without format restrictions for resize (CVE-2026-24708) (Jeremy Stanley <fungi@...goth.org>)
2026/02/16 #1: CVE-2026-25903: Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates (David Handermann <exceptionfactory@...che.org>)
2026/02/13 #2: [vim-security] NetBeans specialKeys Stack Buffer Overflow with Vim <9.1.2148 (Christian Brabandt <cb@...bit.org>)
2026/02/13 #1: CVE-2025-40905: WWW::OAuth 1.000 and earlier for Perl uses insecure rand() function for cryptographic functions (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/02/12 #2: CVE-2025-33042: Apache Avro Java SDK: Code injection on Java generated code (Ryan Skraba <rskraba@...che.org>)
2026/02/12 #1: Pillow 12.1.1 released with fix for CVE-2026-25990 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/02/10 #4: PyCA cryptography 46.0.5 released with fix for CVE-2026-26007 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/02/10 #3: CVE-2026-25506: MUNGE 0.5-0.5.17 buffer overflow allowing key leakage (Chris Dunlap <chris.m.dunlap@...il.com>)
2026/02/10 #2: PowerDNS Security Advisory 2026-01: Crafted zones can lead to increased resource usage in Recursor (Otto Moerbeek <otto.moerbeek@...erdns.com>)
2026/02/10 #1: Re: FreeRDP fixes 12 CVEs in 3.22.0 release (Solar Designer <solar@...nwall.com>)
2026/02/09 #8: FreeRDP fixes 12 CVEs in 3.22.0 release (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/02/09 #7: libpng 1.6.55: Heap buffer overflow vulnerability fixed: CVE-2026-25646 (Cosmin Truta <ctruta@...il.com>)
2026/02/09 #6: gnutls 3.8.12 fixes CVE-2026-1584 & CVE-2025-14831 (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/02/09 #5: CVE-2026-23906: Apache Druid: Authentication Bypass via LDAP Anonymous Bind (Karan Kumar <karan@...che.org>)
2026/02/09 #4: CVE-2026-24343: Apache HertzBeat: Uncontrolled Resource Consumption via Crafted XPath Expressions (Qingran Zhao <zhaoqingran@...che.org>)
2026/02/09 #3: CVE-2026-24098: Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors (Ephraim Anierobi <ephraimanierobi@...che.org>)
2026/02/09 #2: CVE-2026-22922: Apache Airflow: Airflow externalLogUrl Permission Bypass (Ephraim Anierobi <ephraimanierobi@...che.org>)
2026/02/09 #1: Re: On patch vs commit messages (Florian Weimer <fweimer@...hat.com>)
2026/02/08 #2: CVE-2026-23901: Apache Shiro: Brute force attack possible to determine valid user names (Lenny Primak <lprimak@...che.org>)
2026/02/08 #1: CVE-2026-23903: Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems (Lenny Primak <lprimak@...che.org>)
2026/02/07 #2: Go 1.25.7 and Go 1.24.13 are released with 2 CVE fixes (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/02/07 #1: On patch vs commit messages (Sam James <sam@...too.org>)
2026/02/05 #2: [vim-security] buffer overflow in helpfile option handling affects Vim <9.1.2132 (Christian Brabandt <cb_home@....de>)
2026/02/05 #1: NGINX < 1.29.5, 1.28.2 MitM injection CVE-2026-1642 (Jan Schaumann <jschauma@...meister.org>)
2026/02/04 #1: CVE-2026-24735: Apache Answer: Revision API Improper Access Control leads to Information Disclosure (Enxin Xie <linkinstar@...che.org>)
2026/02/03 #2: Re: Systemd vsock sshd (Bastian Blank <bblank@...nkmo.de>)
2026/02/03 #1: Django CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, CVE-2026-1287, and CVE-2026-1312 (Jacob Walls <jwalls@...ngoproject.com>)
2026/02/02 #3: [kubernetes] Multiple issues in ingress-nginx (Tabitha Sable <tabitha.c.sable@...il.com>)
2026/02/02 #2: CVE-2026-23795: Apache Syncope: Console XXE on Keymaster parameters (Francesco Chicchiriccò <ilgrosso@...che.org>)
2026/02/02 #1: CVE-2026-23794: Apache Syncope: Reflected XSS on Enduser Login (Francesco Chicchiriccò <ilgrosso@...che.org>)
2026/01/31 #2: Security incident on plone GitHub org with force pushes (Maurits van Rees <maurits@...rees.org>)
2026/01/31 #1: libexpat 2.7.4 fixes CVE-2026-24515 and CVE-2026-25210 (Sebastian Pipping <sebastian@...ping.org>)
2026/01/30 #1: Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter (Jakub Wilk <jwilk@...lk.net>)
2026/01/29 #2: Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter (Sebastian Pipping <sebastian@...ping.org>)
2026/01/29 #1: Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter (Jakub Wilk <jwilk@...lk.net>)
2026/01/28 #5: Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/01/28 #4: Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd (Paul Ducklin <pducklin@...look.com>)
2026/01/28 #3: Re: OpenSSL Security Advisory (corrected - added CVE-2026-22795 and CVE-2026-22796) (Tomas Mraz <tomas@...nssl.org>)
2026/01/28 #2: Re: OpenSSL Security Advisory (corrected - added CVE-2026-22795 and CVE-2026-22796) (Demi Marie Obenour <demiobenour@...il.com>)
2026/01/28 #1: Re: Clarification: rbash escape via history built-ins (cyber security <cs7778503@...il.com>)
2026/01/27 #11: Re: GnuPG security release (Salvatore Bonaccorso <carnil@...ian.org>)
2026/01/27 #10: Re: GnuPG security release (Jan Schaumann <jschauma@...meister.org>)
2026/01/27 #9: Re: GnuPG security release (Pedro Sampaio <psampaio@...hat.com>)
2026/01/27 #8: GnuPG security release (Sam James <sam@...too.org>)
2026/01/27 #7: OpenSSL Security Advisory (corrected - added CVE-2026-22795 and CVE-2026-22796) (Tomas Mraz <tomas@...nssl.org>)
2026/01/27 #6: Clarification: rbash escape via history built-ins (cyber security <cs7778503@...il.com>)
2026/01/27 #5: OpenSSL Security Advisory (Tomas Mraz <tomas@...nssl.org>)
2026/01/27 #4: Agno's PythonTools: Path traversal leads to sensitive information disclosure and potential RCE (Ali Raza <aliraza@...erock.io>)
2026/01/27 #3: Xen Security Advisory 479 v2 (CVE-2026-23553) - x86: incomplete IBPB for vCPU isolation (Xen.org security team <security@....org>)
2026/01/27 #2: Xen Security Advisory 478 v2 (CVE-2025-58151) - varstored: TOCTOU issues with mapped guest memory (Xen.org security team <security@....org>)
2026/01/27 #1: Xen Security Advisory 477 v2 (CVE-2025-58150) - x86: buffer overrun with shadow paging + tracing (Xen.org security team <security@....org>)
2026/01/26 #1: CVE-2016-15057: Apache Continuum: Command injection leading to RCE (Arnout Engelen <engelen@...che.org>)
2026/01/25 #3: Re: Vulnerability management and Open Source: FOSDEM BoF ("Olle E. Johansson" <oej@...ina.net>)
2026/01/25 #2: Re: Vulnerability management and Open Source: FOSDEM BoF (Peter Gutmann <pgut001@...auckland.ac.nz>)
2026/01/25 #1: Re: Vulnerability management and Open Source: FOSDEM BoF (Solar Designer <solar@...nwall.com>)
2026/01/24 #1: CVE-2026-24656: Apache Karaf: Decanter log-socket collector has deserialization vulnerability (Jean-Baptiste Onofré <jbonofre@...che.org>)
2026/01/23 #8: 8 CVEs in Cpython announced this week (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/01/23 #7: CVE-2025-27821: HDFS native client: Out of bounds write in URI parser of native HDFS client (Chris Nauroth <cnauroth@...che.org>)
2026/01/23 #6: Re: Vulnerability management and Open Source: FOSDEM BoF (Brian Behlendorf <brian@...lendorf.com>)
2026/01/23 #5: Re: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter (Stuart Henderson <stu@...cehopper.org>)
2026/01/23 #4: CVE-2025-56005 Undocumented RCE in PLY via `picklefile` Parameter (Alan Coopersmith <alan.coopersmith@...cle.com>)
2026/01/23 #3: Re: Vulnerability management and Open Source: FOSDEM BoF ("Olle E. Johansson" <oej@...ina.net>)
2026/01/23 #2: Re: Vulnerability management and Open Source: FOSDEM BoF (Peter Gutmann <pgut001@...auckland.ac.nz>)
2026/01/23 #1: Vulnerability management and Open Source: FOSDEM BoF ("Olle E. Johansson" <oej@...ina.net>)
2026/01/22 #2: Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd (Demi Marie Obenour <demiobenour@...il.com>)
2026/01/22 #1: Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd (Christian Fischer <christian.fischer@...enbone.net>)
2026/01/21 #6: CVE-2024-31884 Ceph: Incorrect usage of certificate checking via Pybind ("Sage [They / Them] McTaggart" <amctagga@...hat.com>)
2026/01/21 #5: Vulnerable tmpdir handling in pytest (Michael Orlitzky <michael@...itzky.com>)
2026/01/21 #4: Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality (Soatok Dreamseeker <soatok.dhole@...il.com>)
2026/01/21 #3: ISC has disclosed one vulnerability in BIND 9 (CVE-2025-13878) (Michał Kępień <michal@....org>)
2026/01/21 #2: Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd (Jakub Wilk <jwilk@...lk.net>)
2026/01/21 #1: Re: WordPress Plugin "Under Construction & Maintenance Mode": Exposed debug functionality (Hanno Böck <hanno@...eck.de>)
2026/01/20 #8: Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd (Alexander Bochmann <ab@...ts.gxis.de>)

32065 messages

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.