OSS Sec Archive by Thread 2018/04-Apr

• Date Index

• [oss-security] [CVE-2018-1295]: Possible Execution of Arbitrary Code Within Deserialization Endpoints of Apache Ignite, Denis Magda
• [oss-security] Announce: OpenSSH 7.7 released, Damien Miller
• [oss-security] CVE-2018-1002150: koji: Dist Repo call missing authorization check allowing filesystem manipulation, Patrick Uiterwijk
• [oss-security] Linux Kernel Defence Map, Alexander Popov
  • [oss-security] Re: Linux Kernel Defence Map, Kees Cook - Wed Apr 04 22:17:11 GMT 2018
    • Re: [oss-security] Re: Linux Kernel Defence Map, Kurt Seifried - Wed Apr 04 23:55:07 GMT 2018
      • Re: [oss-security] Re: Linux Kernel Defence Map, Alexander Popov - Mon Apr 30 22:17:36 GMT 2018
    • [oss-security] Re: Linux Kernel Defence Map, Alexander Popov - Thu Apr 05 12:32:59 GMT 2018
      • [oss-security] Re: Linux Kernel Defence Map, Kees Cook - Thu Apr 05 19:20:24 GMT 2018
      • [oss-security] Re: Linux Kernel Defence Map, Alexander Popov - Thu Apr 05 23:38:50 GMT 2018
      • [oss-security] Re: Linux Kernel Defence Map, Kees Cook - Thu Apr 05 23:55:49 GMT 2018
      • [oss-security] Re: Linux Kernel Defence Map, Alexander Popov - Fri Apr 06 18:01:02 GMT 2018
• [oss-security] WebKitGTK+ Security Advisory WSA-2018-0003, Michael Catanzaro
  • [oss-security] Re: [webkit-security] WebKitGTK+ Security Advisory WSA-2018-0003, Michael Catanzaro - Wed Apr 04 19:22:53 GMT 2018
• [oss-security] [SECURITY] CVE-2018-1315 'COPY FROM FTP' statement in HPL/SQL can write to arbitrary location if the FTP server is compromised, Daniel Dai
• [oss-security] [SECURITY] CVE-2018-1282 JDBC driver is susceptible to SQL injection attack if the input parameters are not properly cleaned, Daniel Dai
• [oss-security] [SECURITY] CVE-2018-1284: Hive UDF series UDFXPathXXXX allow users to pass carefully crafted XML to access arbitrary files, Daniel Dai
• Re: [oss-security] Multiple vulnerabilities in Jenkins plugins, Daniel Beck
  • <Possible follow-ups>
  • [oss-security] Multiple vulnerabilities in Jenkins plugins, Daniel Beck - Mon Apr 16 11:25:08 GMT 2018
• [oss-security] Privsec vuln in beep / Code execution in GNU patch, Hanno Böck
  • Re: [oss-security] Privsec vuln in beep / Code execution in GNU patch, Sebastian Krahmer - Fri Apr 06 08:35:33 GMT 2018
  • Re: [oss-security] Privsec vuln in beep / Code execution in GNU patch, Jakub Wilk - Fri Apr 06 09:51:40 GMT 2018
• [oss-security] beep infoleak, Hanno Böck
  • Re: [oss-security] beep infoleak, Kash Pande - Mon Apr 09 03:29:33 GMT 2018
• [oss-security] CVE-2018-2767: MySQL & MariaDB: Return of the BACKRONYM vulnerability (public disclosure), Pali Rohár
• [oss-security] [SECURITY] CVE-2018-1308: XXE attack through Apache Solr's DIH's dataConfig request parameter, Uwe Schindler
• [oss-security] pcs: disclosure of CVE-2018-1079 and CVE-2018-1086, Cedric Buissart
• [oss-security] Re: Terminal Control Chars, Ian Zimmerman
  • Re: [oss-security] Re: Terminal Control Chars, Not Real - Mon Apr 09 18:35:21 GMT 2018
    • Re: [oss-security] Re: Terminal Control Chars, Jakub Wilk - Tue Apr 10 10:24:03 GMT 2018
• Re: [oss-security] Terminal Control Chars, Gordo Lowrey
  • Re: [oss-security] Terminal Control Chars, Christian Brabandt - Tue Apr 10 11:02:27 GMT 2018
  • Re: [oss-security] Terminal Control Chars, Jakub Wilk - Thu Apr 12 17:13:27 GMT 2018
    • [oss-security] Re: Terminal Control Chars, Ian Zimmerman - Thu Apr 12 18:07:20 GMT 2018
      • Re: [oss-security] Re: Terminal Control Chars, Russ Allbery - Thu Apr 12 19:01:06 GMT 2018
      • Re: [oss-security] Re: Terminal Control Chars, David A. Wheeler - Thu Apr 12 21:18:45 GMT 2018
      • Re: [oss-security] Re: Terminal Control Chars, Russ Allbery - Thu Apr 12 22:31:19 GMT 2018
      • Re: [oss-security] Re: Terminal Control Chars, Simon McVittie - Thu Apr 12 22:54:41 GMT 2018
      • Re: [oss-security] Re: Terminal Control Chars, David A. Wheeler - Fri Apr 13 00:07:56 GMT 2018
      • Re: [oss-security] Re: Terminal Control Chars, Jakub Wilk - Mon Apr 16 08:15:00 GMT 2018
    • Re: [oss-security] Terminal Control Chars, Jakub Wilk - Fri Apr 13 07:43:10 GMT 2018
  • <Possible follow-ups>
  • Re: [oss-security] Terminal Control Chars, Jakub Wilk - Tue Apr 10 15:20:52 GMT 2018
• [oss-security] CVE-2017-13220 / Android A-63527053: Linux kernel: Possible out-of-bound access in Bluetooth subsystem, Vladis Dronov
• [oss-security] CVE-2018-1097 Foreman: oVirt credentials exposed by host power API, Tomer Brisker
• [oss-security] Change to ASF httpd vulnerability XML format, Mark Cox
• [oss-security] Multiple vulnerabilities in Jenkins, Daniel Beck
• [oss-security] CVE-2018-1084 corosync: Integer overflow in exec/totemcrypto.c:authenticate_nss_2_3() function, Raphael Sanchez Prudencio
• [oss-security] Arbitrary file download vulnerability in Drupal module avatar_uploader v7.x-1.0-beta8, Larry W. Cashdollar
• [oss-security] Re: CVE-2018-1000168: nghttp2: Denial of service due to NULL pointer dereference., Tatsuhiro Tsujikawa
• [oss-security] Updated distros statistics, Kristian Fiskerstrand
  • Re: [oss-security] Updated distros statistics, Seth Arnold - Fri Apr 13 00:23:00 GMT 2018
• [oss-security] CVE-2018-0737 OpenSSL: RSA key generation follows several non constant time code paths, Billy Brumley
  • Re: [oss-security] CVE-2018-0737 OpenSSL: RSA key generation follows several non constant time code paths, Huzaifa Sidhpurwala - Tue Apr 17 04:21:56 GMT 2018
    • Re: [oss-security] CVE-2018-0737 OpenSSL: RSA key generation follows several non constant time code paths, Billy Brumley - Tue Apr 24 15:48:38 GMT 2018
      • Re: [oss-security] CVE-2018-0737 OpenSSL: RSA key generation follows several non constant time code paths, Huzaifa Sidhpurwala - Wed Apr 25 05:41:14 GMT 2018
  • [oss-security] Re: CVE-2018-0737 OpenSSL: RSA key generation follows several non constant time code paths, Billy Brumley - Fri Apr 20 06:07:45 GMT 2018
• [oss-security] CVE-2018-1088 glusterfs: Privilege escalation via gluster_shared_storage when snapshot scheduling is enabled, Siddharth Sharma
• [oss-security] CVE-2018-1172 Squid Proxy Cache Denial of Service vulnerability, Amos Jeffries
• [oss-security] [SECURITY] CVE-2018-1289: Apache Fineract SQL Injection Vulnerability by orderBy and sortOrder parameters, Ed Cable
• [oss-security] [SECURITY] CVE-2018-1290: Apache Fineract SQL Injection Vulnerability - Single quotation escape caused by two continuous SQL parameters, Ed Cable
• [oss-security] [SECURITY] CVE-2018-1291: Apache Fineract SQL Injection Vulnerability - Order by injection via Order Param, Ed Cable
• [oss-security] [SECURITY] CVE-2018-1292: Apache Fineract SQL Injection Vulnerability - Injection via reportName parameter, Ed Cable
• [oss-security] CVE-2018-10194 Ghostscript 9.18 stack-based buffer overflow, Vítor Silva
• [oss-security] Re: a number of CVEs for issues in the filesystem's code in the Linux kernel, Vladis Dronov
• [oss-security] [OSSA-2018-001] Raw underlying encrypted volume access (CVE-2017-18191), Tristan Cacqueray
• [oss-security] Authorization bypass in PHPLiteAdmin since 1.9.5, Karsten König
  • Re: [oss-security] Authorization bypass in PHPLiteAdmin since 1.9.5, Karsten König - Wed Apr 25 08:57:55 GMT 2018
• [oss-security] CVE-2018-1110: Knot Resolver <= 2.2.0 Improper Input Validation, Petr Špaček
• [oss-security] Multiple local root vulnerabilities involving PackageKit CVE-2018-1106, Matthias Gerstner
• [oss-security] ktexteditor / Kate local privilege escalation, Matthias Gerstner
  • Re: [oss-security] ktexteditor / Kate local privilege escalation (CVE-2018-10361), Matthias Gerstner - Wed Apr 25 08:57:01 GMT 2018
• [oss-security] CVE-2018-1000200 (Linux): Bad memory access on oom kill of large mlocked process, David Rientjes
• [oss-security] Xen Security Advisory 258 - Information leak via crafted user-supplied CDROM, Xen . org security team
• [oss-security] Xen Security Advisory 259 - x86: PV guest may crash Xen with XPTI, Xen . org security team
• [oss-security] [CVE-2018-1338] DoS (Infinite Loop) Vulnerability in Apache Tika’s BPGParser, Tim Allison
• [oss-security] [CVE-2018-1339] DoS (Infinite Loop) Vulnerability in Apache Tika’s ChmParser, Tim Allison
• [oss-security] [CVE-2018-1335] Command Injection Vulnerability in Apache Tika’s tika-server module, Tim Allison
• [oss-security] [ANNOUNCE] CVE-2017-15691: Apache UIMA XML external entity expansion (XXE) attack exposure, Marshall Schor
• [oss-security] CVE-XXX (quasselclient/quasselcore version 0.12.4): Heap Remote Code Execution and Null Pointer DDOS, nongiach nongiach
• [oss-security] Xen Security Advisory 258 (CVE-2018-10472) - Information leak via crafted user-supplied CDROM, Xen . org security team
• [oss-security] Xen Security Advisory 259 (CVE-2018-10471) - x86: PV guest may crash Xen with XPTI, Xen . org security team