
Open Source Security Mailing List
Discussion of security flaws, concepts, and practices in the Open Source community
Latest Posts
Re: [pfx] Postfix stable release 3.11.2 and legacy releases 3.10.9, 3.9.10, 3.8.16
Solar Designer (May 04)
Yes, I think your judgement fits what many of us would like to see on
this list. Thank you!
As to this specific issue, I guess Wietse called it a bug and not a
vulnerability deliberately. I trust his judgement on this, but I don't
mind downstreams being cautious. Per my reading, exposure is limited to
other trusted components and impact is not directly security relevant
(if only a child process crashes and will be respawned).
Alexander
CVE-2026-43870: Apache Thrift: Node.js web_server.js multi-vulnerability
Jens Geyer (May 04)
Severity: important
Affected versions:
- Apache Thrift before 0.23.0
Description:
Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper
Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption
vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to...
CVE-2026-43869: Apache Thrift: TSSLTransportFactory.java hostname verification
Jens Geyer (May 04)
Severity: important
Affected versions:
- Apache Thrift before 0.23.0
Description:
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
References:
https://thrift.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-43869
CVE-2026-43868: Apache Thrift: Rust implementation vulnerable to CVE-2020-13949 pattern
Jens Geyer (May 04)
Severity: important
Affected versions:
- Apache Thrift before 0.23.0
Description:
Memory Allocation with Excessive Size Value vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
References:
https://thrift.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-43868
Re: systemd-journald in systemd 259 does not escape characters in emerg messages that are wall'd to other user's terminals
Aaron Rainbolt (May 04)
Someone (not sure who) did the kind service of getting a CVE assigned
for this: https://www.cve.org/CVERecord?id=CVE-2026-40228 To whoever
that was, thank you :)
Nix/Lix: local privilege escalation in daemon process
Martin Weinelt (May 04)
Nix is a package manager and build system for Unix-like systems. Lix is
a community-maintained fork of Nix. Both provide a daemon used in
multi-user installations to perform privileged build and store operations.
The Nix and Lix projects are issuing a coordinated security advisory for
vulnerabilities in their daemon implementations.
A buffer overflow in the daemon may allow a local attacker with access
to the daemon interface to achieve...
Local privilege escalation in Lix and Nix
Thomas GERBET (May 04)
## Summary
Nix and Lix daemon implementations are affected by buffer overflow
vulnerabilities that allow a local attacker to gain arbitrary
code execution as the daemon user (root in multi-user installations).
The vulnerabilities are identified as:
- Nix: GHSA-vh5x-56v6-4368, CVE ID pending attribution.
- Lix: CVE ID pending attribution.
This is a coordinated disclosure between the Nix and Lix projects.
Guix is *NOT* affected by this...
Re: Precise disclosure contents for copyfail (Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation)
Emily Shepherd (May 04)
I would - respectfully - disagree. To clarify, I am aware that that is
the process as defined currently, but I am not sure that is the best
that process could be. You asked in a previous message what could have
been done better, so assuming that was meant sincerely, I'll provide
some thoughts.
The first hurdle a reporter must jump through is figuring out who to
actually report to - the process as defined [1] suggests it should be
the...
Re: Fwd: [pfx] Postfix stable release 3.11.2 and legacy releases 3.10.9, 3.9.10, 3.8.16
Salvatore Bonaccorso (May 04)
Hi,
[...]
This one got https://www.cve.org/CVERecord?id=CVE-2026-43964 assigned.
Regards,
Salvatore
Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Solar Designer (May 04)
Let's please wind down this sub-thread. I think it is immaterial to the
original discussion whether alternative ciphers are an option in a given
case. In some cases they will be, in others not.
Alexander
Re: CVE-2026-31431: CopyFail: linux local privilege scalation
Demi Marie Obenour (May 04)
Can you use ChaCha20-Poly1305 or Adiantum instead of AES? That should
be significantly faster on the CPU
Re: Precise disclosure contents for copyfail (Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation)
Greg KH (May 04)
I honestly do not remember, that was months and hundreds, if not
thousands, of reports ago.
The job of the kernel security team is to triage a bug report, drag in
the relevant maintainer/developer, get the issue fixed and merged into
Linus's tree as soon as possible. Once it lands in Linus's tree, our
role is over.
We do not do "announcements" of anything to anyone, so even if this was
a "look how bad you can abuse the...
Re: [pfx] Postfix stable release 3.11.2 and legacy releases 3.10.9, 3.9.10, 3.8.16
Sam James (May 04)
Sam James <sam () gentoo org> writes:
I am interested in feedback on whether using my own judgement is
acceptable for bringing these to oss-security, where I believe they may
be of interest (releases with fixes that appear security-related, as the
volume is increasing with the current wave of new tooling (*)),
or whether there are some guidelines I should apply.
Thanks in advance.
(*) I of course only plan to bring such things where I plan...
Fwd: [pfx] Postfix stable release 3.11.2 and legacy releases 3.10.9, 3.9.10, 3.8.16
Sam James (May 04)
The most significant one here seems to be the first entry under "Fixed
in Postfix 3.8, 3.9, 3.10:".
-------------------- Start of forwarded message --------------------
To: Postfix announce <postfix-announce () postfix org>
Date: Sun, 3 May 2026 19:43:27 -0400 (EDT)
CC: Postfix users <postfix-users () postfix org>
Subject: [pfx] Postfix stable release 3.11.2 and legacy releases 3.10.9, 3.9.10, 3.8.16
From: Wietse Venema via...
Re: Precise disclosure contents for copyfail (Re: [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation)
Emily Shepherd (May 04)
Was the PoC of the exploit / some description of its severity not
made available by the reporter to the security team / maintainer when
they reported it?