Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

List Archives

Latest Posts

Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Sebastian Pipping (Apr 09)
Hello Bernhard,

I understand your take (and I believe Red Hat does just that: not
include it with packaging [1]).

I would like to note that gif2rgb is currently shipped with e.g. Ubuntu
[2] and so just dropping that tool will break something somewhere.

On a side note ImageMagick (7.1.1.38) seems to ignore logical screen
size (section "18. Logical Screen Descriptor" of the spec [3]) in GIF
files:

# file max_size.gif...

Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Bernhard Rosenkränzer (Apr 09)
Except for https://sourceforge.net/p/giflib/bugs/179/, all the issues seem to be in gif2rgb, which is, according to the
giflib maintainer, "old and crappy code", and TBH, other than as a no-dependency test tool for giflib, it is fairly
useless (just use ImageMagick or a similar tool to do the gif to rgb conversion).
Simply removing the gif2rgb tool is probably an acceptable solution.

ttyl
bero

Re: Announce: OpenSSH 10.0 released Damien Miller (Apr 09)
Regarding the Portable OpenSSH 10.0 release:

Due to an error in the release process, the recent Portable OpenSSH
release identifies itself as 10.0p2 rather than the intended 10.0p1.

We do not intend to make a new release to fix this mistake. This
portable OpenSSH release will henceforth be known as 10.0p2 and no
release numbered 10.0p1 will be made.

Sorry for the confusion,
Damien Miller

Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Sebastian Pipping (Apr 09)
A quick note that there is more to giflib than just CVE-2025-31344:

Duplication of CVEs, officially fixed versus de-facto still vulnerable
in more than one case, another CVE also upcoming (not mine)…
I created a quick summary of what I know at…

https://github.com/openwrt/packages/issues/26277

…if you're interested.

Best, Sebastian

xmlrpc-c bundles a (very old and) vulnerable copy of libexpat Sebastian Pipping (Apr 09)
Hello oss-security!

Red Hat and OpenWrt [1] and Gentoo [2] are already aware, but maybe this
matter is of interest to more of you:

It has come to my attention through [0] that xmlrpc-c bundles a (very
old and) vulnerable copy of libexpat. I reached out to upstream and
they made a few minor related changes:

- The configure script started to default to libxml2 rather than
libexpat at [3].

- Also there is a new readme now [4] that warns that...

CVE-2025-27391: Apache ActiveMQ Artemis: Passwords leaking from broker properties in the debug log Domenico Francesco Bruscino (Apr 09)
Affected versions:

- Apache ActiveMQ Artemis 1.5.1 before 2.40.0

Description:

Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. All the values of the broker
properties are logged when the org.apache.activemq.artemis.core.config.impl.ConfigurationImpl logger has the debug
level enabled.

This issue affects Apache ActiveMQ Artemis: from 1.5.1 before 2.40.0. It can be mitigated by restricting log...

CVE-2025-30677: Apache Pulsar IO Kafka Connector, Apache Pulsar IO Kafka Connect Adaptor: Sensitive information logged in Pulsar's Apache Kafka Connectors Lari Hotari (Apr 09)
Affected versions:

- Apache Pulsar IO Kafka Connector 2.3.0 before 3.0.11
- Apache Pulsar IO Kafka Connector 3.1.0 before 3.3.6
- Apache Pulsar IO Kafka Connector 4.0.0 before 4.0.4
- Apache Pulsar IO Kafka Connect Adaptor 2.3.0 before 3.0.11
- Apache Pulsar IO Kafka Connect Adaptor 3.1.0 before 3.3.6
- Apache Pulsar IO Kafka Connect Adaptor 4.0.0 before 4.0.4

Description:

Apache Pulsar contains multiple connectors for integrating with Apache...

Announce: OpenSSH 10.0 released Damien Miller (Apr 09)
OpenSSH 10.0 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More...

CVE-2025-30215: nats-server: Missing access controls for JS API Phil Pennock (Apr 08)
Missing access controls for JS API in multi-tenancy

NATS-advisory-ID: 2025-01
Aliases: CVE-2025-30215, GHSA-fhg8-qxh5-7q3w
Date: 2025-04-08
Fixed-In: nats-server 2.11.1, 2.10.27

Background:

NATS.io is a high performance open source pub-sub distributed communication
technology, built for the cloud, on-premise, IoT, and edge computing.

The NATS account system provides for multi-tenancy and isolation.
JetStream provides for persistent storage of...

Re: Xen Security Notice 2 (CVE-2024-35347) AMD CPU Microcode Signature Verification Vulnerability Andrew Cooper (Apr 08)
Oops, my mistake.  (This is what happens when the sources of information
try to block things like copy/paste, and I'm in a rush.)

However, happy patch Tuesday.

Zen5 CPUs have been breached too, and
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html
has been quietly updated to reflect this.

~Andrew

CVE-2025-31498: c-ares use-after-free Brad House (Apr 08)
CVE-2025-31498

Impact

Use after free() in read_answers() when process_answer() may re-enqueue
a query either due to a DNS Cookie Failure or when the upstream server
does not properly support EDNS, or possibly on TCP queries if the remote
closed the connection immediately after a response. If there was an
issue trying to put that new transaction on the wire, it would close the
connection handle, but read_answers() was still...

CVE-2025-31672: Apache POI: parsing OOXML based files (xlsx, docx, etc.), poi-ooxml could read unexpected data if underlying zip has duplicate zip entry names PJ Fanning (Apr 08)
Severity: moderate

Affected versions:

- Apache POI before 5.4.0

Description:

Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx,
docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries
with duplicate names (including the path) in the zip. In this case, products reading the affected file could read
different data...

Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. 李亚杰 (Apr 08)
Hi Hanno,

We have noticed your report on this issue. But because the code snippet of the same issue exists in multiple code
branches, I think this issue is not fixed completely.

For the current CVE-2025-31344, Bernhard has submitted a patch:
https://github.com/OpenMandrivaAssociation/giflib/blob/master/giflib-5.2.2-cve-2025-31344.patch. I think this patch
works for the one we reported.

Best Regards,
Yajie Li

Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Bernhard Rosenkränzer (Apr 07)
Thanks for the disclosure. Since there doesn't seem to be a proposed patch yet, here's mine:
https://github.com/OpenMandrivaAssociation/giflib/blob/master/giflib-5.2.2-cve-2025-31344.patch

ttyl
bero

Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability. Hanno Böck (Apr 07)
I... think I reported this in 2016 already:
https://sourceforge.net/p/giflib/bugs/79/

The bug was closed without a fix, yet with giflib's author claiming
multiple times that it was fixed.
