
Open Source Security Mailing List
Discussion of security flaws, concepts, and practices in the Open Source community
List Archives (posts per quarter)
Year   Jan–Mar  Apr–Jun  Jul–Sep  Oct–Dec
2026       431      412        –        –
2025       262      289      251      361
2024       358      314      293      183
2023       220      284      269      356
2022       212      220      239      273
2021       281      236      193      182
2020       131      219      211      241
2019       199      237      257      176
2018       287      256      284      279
2017       701      658      596      437
2016       738      637      689      788
2015      1068      839      658      618
2014       714      711      886     1185
2013       777      648      688      583
2012       815      578      591      549
2011       640      738      550      591
2010       291      376      465      383
2009       250      264      272      304
2008       206      390      402      358
Latest Posts
[OSSA-2026-010] Ironic: Credential Forwarding to Arbitrary Endpoints via iDrac Configuration Molds Feature (CVE-2026-42997)
Jay Faulkner (May 05)
==========================================================================================================
OSSA-2026-010: Credential Forwarding to Arbitrary Endpoints via Ironic's
idrac Configuration molds Feature
==========================================================================================================
:Date: May 05, 2026
:CVE: CVE-2026-42997
Affects
~~~~~~~
- Ironic: >=17.0.0 <26.1.6, >=27.0.0 <29.0.5,...
CVE-2026-28780: Apache HTTP Server: buffer overflow in mod_proxy_ajp via ajp_msg_check_header()
Eric Covener (May 05)
Severity: low
Affected versions:
- Apache HTTP Server through 2.4.66
Description:
Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server.
If mod_proxy_ajp connects to a malicious AJP server, this AJP server can send a malicious AJP message back to
mod_proxy_ajp and cause it to write 4 attacker-controlled bytes after the end of a heap-based buffer.
This issue affects Apache HTTP Server: through 2.4.66.
Users are...
Django CVE-2026-5766, CVE-2026-35192, and CVE-2026-6907
Sarah Boyce (May 05)
* Announce:
https://www.djangoproject.com/weblog/2026/may/05/security-releases/
* CVE JSON Record for CVE-2026-5766:
https://www.cve.org/CVERecord?id=CVE-2026-5766
* CVE JSON Record for CVE-2026-35192:
https://www.cve.org/CVERecord?id=CVE-2026-35192
* CVE JSON Record for CVE-2026-6907:
https://www.cve.org/CVERecord?id=CVE-2026-6907
In accordance with [our security release policy](
https://docs.djangoproject.com/en/dev/internals/security/),...
[OSSA-2026-009] Horizon: Unauthenticated session flood via login redirect storage (CVE-2026-43002)
Goutham Pacha Ravi (May 05)
=========================================================================
OSSA-2026-009: Unauthenticated session flood via login redirect storage
=========================================================================
:Date: April 27, 2026
:CVE: CVE-2026-43002
Affects
~~~~~~~
- Horizon: >=25.6.0 <25.7.3
Description
~~~~~~~~~~~
Erichen (Institute of Computing Technology, Chinese Academy of
Sciences) reported a denial of service...
CVE-2026-29168: Apache HTTP Server: mod_md unrestricted OCSP response
Eric Covener (May 05)
Severity: low
Affected versions:
- Apache HTTP Server 2.4.30 through 2.4.66
Description:
Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response
data.
This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Credit:
Pavel Kohout, Aisle Research, Aisle.com (finder)
References:...
Re: [pfx] Postfix stable release 3.11.2 and legacy releases 3.10.9, 3.9.10, 3.8.16
Solar Designer (May 04)
Yes, I think your judgement fits what many of us would like to see on
this list. Thank you!
As to this specific issue, I guess Wietse called it a bug and not a
vulnerability deliberately. I trust his judgement on this, but I don't
mind downstreams being cautious. Per my reading, exposure is limited to
other trusted components and impact is not directly security relevant
(if only a child process crashes and will be respawned).
Alexander
CVE-2026-43870: Apache Thrift: Node.js web_server.js multi-vulnerability
Jens Geyer (May 04)
Severity: important
Affected versions:
- Apache Thrift before 0.23.0
Description:
Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper
Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption
vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to...
CVE-2026-43869: Apache Thrift: TSSLTransportFactory.java hostname verification
Jens Geyer (May 04)
Severity: important
Affected versions:
- Apache Thrift before 0.23.0
Description:
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
References:
https://thrift.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-43869
CVE-2026-43868: Apache Thrift: Rust implementation vulnerable to CVE-2020-13949 pattern
Jens Geyer (May 04)
Severity: important
Affected versions:
- Apache Thrift before 0.23.0
Description:
Memory Allocation with Excessive Size Value vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
References:
https://thrift.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-43868
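The mod_proxy_ajp post above (a peer-supplied message causing a write past the end of a heap buffer) and the Thrift Rust post (a peer-supplied size value driving an excessive allocation) are two outcomes of the same mistake: trusting a length field from the wire before checking it against what the receiver can actually hold. The following is an added illustration, not code from httpd, Thrift or either advisory, of checking such a field up front. The header layout (the two-byte "AB" magic that marks a container-to-server AJP13 message, followed by a big-endian 16-bit payload length) follows the AJP13 protocol description; the AJP_MAX_PAYLOAD cap, the fixed receive buffer and the result codes are assumptions for the example and say nothing about where httpd's own check was missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AJP_HEADER_LEN  4
#define AJP_MAX_PAYLOAD 8192   /* assumed cap for the illustration */

enum ajp_hdr_result {
    AJP_HDR_OK = 0,
    AJP_HDR_SHORT,      /* fewer than AJP_HEADER_LEN bytes available */
    AJP_HDR_BAD_MAGIC,  /* not a container->server message ("AB") */
    AJP_HDR_TOO_LARGE,  /* declared length exceeds the cap or the buffer */
};

/* Validate a container->server AJP13 header.  The declared payload length
 * is compared against the protocol cap AND the room the caller has for the
 * payload (payload_cap) before any byte of payload is touched, so a peer
 * cannot make the receiver write past its buffer or allocate on demand. */
enum ajp_hdr_result ajp_check_header(const uint8_t *buf, size_t avail,
                                     size_t payload_cap, uint16_t *payload_len)
{
    if (avail < AJP_HEADER_LEN)
        return AJP_HDR_SHORT;
    if (buf[0] != 'A' || buf[1] != 'B')
        return AJP_HDR_BAD_MAGIC;
    uint16_t len = (uint16_t)((buf[2] << 8) | buf[3]);
    if (len > AJP_MAX_PAYLOAD || len > payload_cap)
        return AJP_HDR_TOO_LARGE;
    *payload_len = len;
    return AJP_HDR_OK;
}

/* Copy one message payload into a fixed-size buffer.  Returns the number of
 * payload bytes copied, or 0 if the header was rejected or the wire data is
 * shorter than the header claims. */
size_t ajp_read_message(const uint8_t *wire, size_t wire_len,
                        uint8_t *out, size_t out_cap)
{
    uint16_t len;
    if (ajp_check_header(wire, wire_len, out_cap, &len) != AJP_HDR_OK)
        return 0;
    if (wire_len - AJP_HEADER_LEN < len)   /* truncated on the wire */
        return 0;
    memcpy(out, wire + AJP_HEADER_LEN, len);
    return len;
}

int main(void)
{
    /* Constructed sample messages: one well-formed, one claiming 65535 bytes. */
    const uint8_t good[] = {'A', 'B', 0x00, 0x03, 'a', 'b', 'c'};
    const uint8_t huge[] = {'A', 'B', 0xff, 0xff};
    uint8_t out[16];
    uint16_t len;

    printf("good: copied %zu bytes\n", ajp_read_message(good, sizeof good, out, sizeof out));
    printf("huge: header result %d (expected %d)\n",
           ajp_check_header(huge, sizeof huge, sizeof out, &len), AJP_HDR_TOO_LARGE);
    return 0;
}
```

The check against payload_cap is the part that maps to the overflow; the check against AJP_MAX_PAYLOAD is the part that maps to the allocation pattern, where the correct move is to reject the message before calling the allocator rather than to trust the declared size.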
Re: systemd-journald in systemd 259 does not escape characters in emerg messages that are wall'd to other user's terminals
Aaron Rainbolt (May 04)
Someone (not sure who) did the kind service of getting a CVE assigned
for this: https://www.cve.org/CVERecord?id=CVE-2026-40228 To whoever
that was, thank you :)
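The systemd-journald thread above concerns messages written to other users' terminals without escaping, so a sender can embed terminal control sequences. The following is an added illustration, not systemd's code and not a description of its fix, of the conservative approach: before writing attacker-influenced text to a tty, render every byte that is not printable ASCII (or a newline) as a visible \xNN escape, so ESC sequences and C1 controls are shown rather than interpreted. Escaping bytes above 0x7f also mangles legitimate UTF-8; that is a deliberate trade-off assumed here for a broadcast channel like wall, and a real implementation might decode UTF-8 first.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Render an untrusted message for display on a terminal.  Printable ASCII
 * and '\n' pass through; every other byte (C0 controls including ESC, DEL,
 * and anything >= 0x80) becomes "\xNN".  Output is always NUL-terminated
 * and never exceeds out_cap; conversion stops when the next unit would not
 * fit.  Returns the number of bytes written before the NUL. */
size_t escape_for_terminal(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '\n' || (c >= 0x20 && c < 0x7f)) {
            if (o + 1 >= out_cap)     /* need room for the byte plus NUL */
                break;
            out[o++] = (char)c;
        } else {
            if (o + 4 >= out_cap)     /* need room for "\xNN" plus NUL */
                break;
            o += (size_t)snprintf(out + o, out_cap - o, "\\x%02x", c);
        }
    }
    out[o] = '\0';                    /* caller guarantees out_cap >= 1 */
    return o;
}

int main(void)
{
    /* Constructed sample: a clear-screen sequence smuggled in front of text. */
    const char msg[] = "\x1b[2Jhello\n";
    char shown[64];
    escape_for_terminal(msg, sizeof msg - 1, shown, sizeof shown);
    fputs(shown, stdout);             /* prints: \x1b[2Jhello */
    return 0;
}
```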
Nix/Lix: local privilege escalation in daemon process
Martin Weinelt (May 04)
Nix is a package manager and build system for Unix-like systems. Lix is
a community-maintained fork of Nix. Both provide a daemon used in
multi-user installations to perform privileged build and store operations.
The Nix and Lix projects are issuing a coordinated security advisory for
vulnerabilities in their daemon implementations.
A buffer overflow in the daemon may allow a local attacker with access
to the daemon interface to achieve...
Local privilege escalation in Lix and Nix
Thomas GERBET (May 04)
## Summary
Nix and Lix daemon implementations are affected by buffer overflow
vulnerabilities that allow a local attacker to gain arbitrary
code execution as the daemon user (root in multi-user installations).
The vulnerabilities are identified as:
- Nix: GHSA-vh5x-56v6-4368, CVE ID pending attribution.
- Lix: CVE ID pending attribution.
This is a coordinated disclosure between the Nix and Lix projects.
Guix is *NOT* affected by this...
Re: Precise disclosure contents for copyfail (Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation)
Emily Shepherd (May 04)
I would - respectfully - disagree. To clarify, I am aware that that is
the process as defined currently, but I am not sure that is the best
that process could be. You asked in a previous message what could have
been done better, so assuming that was meant sincerely, I'll provide
some thoughts.
The first hurdle a reporter must jump through is figuring out who to
actually report to - the process as defined [1] suggests it should be
the...
Re: Fwd: [pfx] Postfix stable release 3.11.2 and legacy releases 3.10.9, 3.9.10, 3.8.16
Salvatore Bonaccorso (May 04)
Hi,
[...]
This one got https://www.cve.org/CVERecord?id=CVE-2026-43964 assigned.
Regards,
Salvatore
Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Solar Designer (May 04)
Let's please wind down this sub-thread. I think it is immaterial to the
original discussion whether alternative ciphers are an option in a given
case. In some cases they will be, in others not.
Alexander
More Lists
Dozens of other network security lists are archived at SecLists.Org.
