
Open Source Security Mailing List
Discussion of security flaws, concepts, and practices in the Open Source community
List Archives (messages per quarter)

| Year | Jan–Mar | Apr–Jun | Jul–Sep | Oct–Dec |
|------|---------|---------|---------|---------|
| 2026 | 405 | – | – | – |
| 2025 | 262 | 289 | 251 | 361 |
| 2024 | 358 | 314 | 293 | 183 |
| 2023 | 220 | 284 | 269 | 356 |
| 2022 | 212 | 220 | 239 | 273 |
| 2021 | 281 | 236 | 193 | 182 |
| 2020 | 131 | 219 | 211 | 241 |
| 2019 | 199 | 237 | 257 | 176 |
| 2018 | 287 | 256 | 284 | 279 |
| 2017 | 701 | 658 | 596 | 437 |
| 2016 | 738 | 637 | 689 | 788 |
| 2015 | 1068 | 839 | 658 | 618 |
| 2014 | 714 | 711 | 886 | 1185 |
| 2013 | 777 | 648 | 688 | 583 |
| 2012 | 815 | 578 | 591 | 549 |
| 2011 | 640 | 738 | 550 | 591 |
| 2010 | 291 | 376 | 465 | 383 |
| 2009 | 250 | 264 | 272 | 304 |
| 2008 | 206 | 390 | 402 | 358 |
Latest Posts
Re: Multiple vulnerabilities in AppArmor
John Johansen (Mar 28)
It is possible to exploit from a user namespace under the correct
circumstances. Specifically
A privileged process must do the setup, such that it creates a policy
namespace (requires administrative privileges) and ties the "root"
process of the user namespace to the policy namespace. The "root"
user of the user namespace, then has privilege to load policy to the
policy namespace tied to the container. The root user of...
CVE-2026-3256: HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids
Robert Rothenberg (Mar 28)
========================================================================
CVE-2026-3256 CPAN Security Group
========================================================================
CVE ID: CVE-2026-3256
Distribution: http-session
Versions: through 0.53
MetaCPAN: https://metacpan.org/dist/http-session
VCS Repo: ...
CVE-2025-15604: Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions
Robert Rothenberg (Mar 28)
========================================================================
CVE-2025-15604 CPAN Security Group
========================================================================
CVE ID: CVE-2025-15604
Distribution: Amon2
Versions: before 6.17
MetaCPAN: https://metacpan.org/dist/Amon2
VCS Repo: https://github.com/tokuhirom/Amon...
Re: Multiple vulnerabilities in AppArmor
Greg KH (Mar 28)
Looks like this one should be rejected, but I will defer to John as to
what he wishes to have done here, as he is the maintainer of this part
of the kernel.
thanks,
greg k-h
Re: [ADVISORY] SQUID-2026:1 Denial of Service in ICP Request handling (CVE-2026-33526)
Solar Designer (Mar 27)
Hi Amos,
Thank you for bringing these 3 issues/advisories to oss-security.
Since use-after-free bugs commonly allow for impact not limited to DoS,
but often also code execution and/or information leak, it would help if
you provide justification why you claim this is just a DoS - or add
wording that it may be more than just a DoS. Ditto for SQUID-2026:2
(CVE-2026-32748).
Thanks,
Alexander
WebKitGTK and WPE WebKit Security Advisory WSA-2026-0002
Adrian Perez de Castro (Mar 27)
------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory WSA-2026-0002
------------------------------------------------------------------------
Date reported : March 28, 2026
Advisory ID : WSA-2026-0002
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2026-0002.html
WPE WebKit Advisory URL :...
Re: Re: Multiple vulnerabilities in AppArmor
kf503bla (Mar 27)
it won't work on a read-only container
Re: Multiple vulnerabilities in AppArmor
Qualys Security Advisory (Mar 27)
Hi Greg, John, all,
Thank you very much for your reply! Adding John Johansen then
(AppArmor's maintainer), since he will have the authoritative answer.
The problem is that containers can be allowed to manage their own
AppArmor profiles (via AppArmor namespaces), in which case an attacker
inside such a container can directly write to AppArmor's .load, .replace
and .remove files and trigger all these vulnerabilities, even without...
CVE-2026-1961: Foreman: Remote Code Execution via command injection in WebSocket proxy
Ondrej Gajdusek (Mar 27)
Hi,
A security vulnerability has been fixed in Foreman, an open-source
infrastructure lifecycle management tool.
CVE-2026-1961: Remote Code Execution via command injection in WebSocket
proxy
A command injection vulnerability was discovered in Foreman's WebSocket
proxy implementation. The vulnerability occurs when constructing shell
commands using unsanitized hostname values from compute resource providers
(such as VMware vSphere, Libvirt,...
Dovecot Security Advisory OXDC-2026-0001
Aki Tuomi (Mar 27)
Dear subscribers,
we're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those
vulnerabilities. This advisory is also published at
https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html
---
Internal reference: DOV-7830
Type: CWE-1250 (Improper Preservation of Consistency Between Independent Representations of Shared State)
Component: core...
Re: Multiple vulnerabilities in AppArmor
Greg KH (Mar 27)
We were told that these all required elevated privileges to hit, and so
were not classified as individual vulnerabilities. If the Apparmor
maintainer tells us that these really all should be assigned a CVE, we
will be glad to do so, but until then, we're just going to stick with
the ones that we have assigned already.
thanks,
greg k-h
TigerVNC 1.16.2 security release
Alan Coopersmith (Mar 26)
I don't see a CVE id listed, but the fix appears to be pretty simple:
shminfo->shmid = shmget(IPC_PRIVATE,
xim->bytes_per_line * xim->height,
- IPC_CREAT|0777);
+ IPC_CREAT|0600);
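Review bot: the mode argument is the right place to fix this, since the low nine bits passed to shmget() become the segment's access permissions, and 0777 let any local user attach to the image buffer; 0600 limits attach to the owning uid (and root). The hunk does not show the rest of the segment's lifecycle, so it is worth confirming in the surrounding code that the segment is also marked for removal (shmctl IPC_RMID) once attached, so a stale segment does not linger if the process exits unexpectedly.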
https://github.com/TigerVNC/tigervnc/commit/0b5cab169d847789efa54459a87659d3fd484393
-------- Forwarded Message --------
Subject: [tigervnc-announce] TigerVNC 1.16.1
Date:...
CVE-2026-4851: remote-to-local code execution in GRID::Machine
piedcrow (Mar 26)
Affects: GRID::Machine
Versions: 0.127 verified, likely all released versions affected.
URL: https://cpan.org/authors/id/C/CA/CASIANO/GRID-Machine-0.127.tar.gz
Description:
GRID::Machine is a module for the Perl programming language that
implements Remote Procedure Calls (RPC) over SSH.
The module has a security flaw that allows an untrusted remote to
execute arbitrary code on the client.
The subroutine read_operation() in...
Re: Multiple vulnerabilities in AppArmor
Qualys Security Advisory (Mar 26)
Hi Linux kernel CVE assignment team, all,
We saw that last week you assigned two CVEs to two of the nine AppArmor
vulnerabilities that were fixed and released on March 12, thank you very
much for these:
------------------------------------------------------------------------
https://lore.kernel.org/linux-cve-announce/2026031846-CVE-2026-23268-6be3@gregkh/T/#u
------------------------------------------------------------------------...
Re: Xen Security Advisory 482 v2 - Linux privcmd driver can circumvent kernel lockdown
Juergen Gross (Mar 26)
Hi Greg,
Thanks for the notice.
Such things happen as nobody is perfect.
Stay tuned for future CVE requests. :-)
Juergen
More Lists
Dozens of other network security lists are archived at SecLists.Org.
