Open Source Security Mailing List
Discussion of security flaws, concepts, and practices in the Open Source community
List Archives

| Year | Jan–Mar | Apr–Jun | Jul–Sep | Oct–Dec |
|------|---------|---------|---------|---------|
| 2025 | 262 | 51 | – | – |
| 2024 | 358 | 314 | 293 | 183 |
| 2023 | 220 | 284 | 269 | 356 |
| 2022 | 212 | 220 | 239 | 273 |
| 2021 | 281 | 236 | 193 | 182 |
| 2020 | 131 | 219 | 211 | 241 |
| 2019 | 199 | 237 | 257 | 176 |
| 2018 | 287 | 256 | 284 | 279 |
| 2017 | 701 | 658 | 596 | 437 |
| 2016 | 738 | 637 | 689 | 788 |
| 2015 | 1068 | 839 | 658 | 618 |
| 2014 | 714 | 711 | 886 | 1185 |
| 2013 | 777 | 648 | 688 | 583 |
| 2012 | 815 | 578 | 591 | 549 |
| 2011 | 640 | 738 | 550 | 591 |
| 2010 | 291 | 376 | 465 | 383 |
| 2009 | 250 | 264 | 272 | 304 |
| 2008 | 206 | 390 | 402 | 358 |
Latest Posts
Re: CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes
Stig Palmquist (Apr 13)
[..]
Hi Alexander,
Thank you for the feedback. We only considered release branches for the
affected versions.
To fix this, the CVE record has been updated to take into account
development versions and release candidates:
Versions: from 5.41.0 through 5.41.10
from 5.39.0 before 5.40.2-RC1
from 5.33.1 before 5.38.4-RC1
Best,
Re: CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes
Solar Designer (Apr 13)
Hi Stig,
Thank you for handling this disclosure so well!
Running this command on distro packages based on 5.32.1 (like in EL9)
does not segfault (produces no output), which is as expected for a
version that didn't yet have the bug (and assuming no bug backport).
As it was mentioned in the advance notification to distros, the issue
was introduced in:
https://github.com/Perl/perl5/commit/a311ee08b6781f83a7785f578a26bbc21a7ae457
which is...
CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes
Stig Palmquist (Apr 13)
========================================================================
CVE-2024-56406 CPAN Security Group
========================================================================
CVE ID: CVE-2024-56406
Distribution: perl
Versions: from 5.40.0 until 5.40.2
from 5.38.0 until 5.38.4
from 5.36.0 through 5.36.3
from 5.34.0 through 5.34.3...
Re: Security audit of PHP
Solar Designer (Apr 12)
Hi,
Thank you for bringing this in here, Alan!
The PHP Foundation's blog post gives a slightly different breakdown by
severity, with "3 High-severity" and "5 Medium-severity".
This mystery CVE is listed with a brief description in the PHP
Foundation's blog post above:
CVE-2024-8928: Memory-related vulnerability in PHP's filter handling,
leading to segmentation faults.
Alexander
Re: CVE-2025-0395: Buffer overflow in the GNU C Library's assert()
Solar Designer (Apr 12)
Hi,
I tried to come up with a better test case / regression test for this
bug / fix (a self-contained C program without randomness), but
unexpectedly ran into the bug manifesting itself differently, which may
be relevant to its exploitability. I'll quote a little bit more context
(than I usually do) since it's an old thread:
Here, "str" comes from a call to asprintf() just made by
__assert_fail_base() itself.
Eventually....
Security audit of PHP
Alan Coopersmith (Apr 12)
https://blog.quarkslab.com/security-audit-of-php-src.html announces the
completion of a security audit of PHP by Quarkslab, thanks to funding
provided by Sovereign Tech Fund to The Open Source Technology Improvement Fund.
The blog provides details and a link to the audit report for more.
The summary it provides of the findings is:
These correspond to the following security advisories from the PHP github repo:
CVE-2024-9026: [PHP-FPM] Logs from...
CVE-2025-32896: Apache SeaTunnel: Unauthenticated insecure access
Hailin Wang (Apr 12)
Severity: moderate
Affected versions:
- Apache SeaTunnel 2.3.1 through 2.3.10
Description:
# Summary
Unauthorized users can perform Arbitrary File Read and Deserialization
attacks by submitting a job using the RESTful api-v1.
# Details
Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit
a job.
An attacker can set extra params in the MySQL URL to perform Arbitrary File
Read and Deserialization attacks.
This issue affects Apache...
CVE-2025-24859: Apache Roller: Insufficient Session Expiration on Password Change
David M. Johnson (Apr 11)
Severity: important
Affected versions:
- Apache Roller 1.0.0 before 6.1.5
Description:
A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not
properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an
administrator, existing sessions remain active and usable. This allows continued access to the application through old...
Re: CVE-2024-50217: Linux kernel: btrfs: Use-after-free of block device file in __btrfs_free_extra_devids()
Demi Marie Obenour (Apr 10)
Linux kernel patch backporting is best effort, sadly.
Re: CVE-2024-50217: Linux kernel: btrfs: Use-after-free of block device file in __btrfs_free_extra_devids()
Greg KH (Apr 10)
That's usually because no one has taken the time to do so. Same for the
thousands of other "unfixed" CVEs in older stable kernel trees.
As an example, for the latest 5.4.y stable kernel release, I see that
there are currently 1110 unfixed CVEs as of right now.
Feel free to send backports to the stable () vger kernel org mailing list
if you wish to see specific commits applied to older stable kernel
releases.
thanks,
greg k-h
CVE-2024-50217: Linux kernel: btrfs: Use-after-free of block device file in __btrfs_free_extra_devids()
akendo () akendo eu (Apr 10)
Hey everyone,
Not too sure how or whom to ask about this, but I saw that there is CVE-2024-50217, which affects every kernel since 4.8.
However, it is only fixed in more recent versions of the Linux kernel like 6.11 or 6.12. Any reason this wasn't
backported to older kernel versions?
Best regards,
Akendo
Re: CVE-2025-29868: Apache Answer: Using externally referenced images can leak user privacy.
LinkinStar (Apr 10)
Hi Jacob,
First, we don't have the 1.4.3 and 1.4.4 versions. You can check out all of
our releases on GitHub. [1]
Second, this fix does not affect the same-origin policy. It means that
same-origin images will be displayed as usual, while different-origin images
will be restricted according to the administrator's settings.
Best regards,
LinkinStar
[1] https://github.com/apache/answer/releases
Vulnerabilities in Jenkins Docker images
Daniel Beck (Apr 10)
Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.
Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2025-04-10/
We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories
If you discover...
Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability.
Sebastian Pipping (Apr 09)
Hello Bernhard,
I understand your take (and I believe Red Hat does just that: not
include it with packaging [1]).
I would like to note that gif2rgb is currently shipped with e.g. Ubuntu
[2] and so just dropping that tool will break something somewhere.
On a side note ImageMagick (7.1.1.38) seems to ignore logical screen
size (section "18. Logical Screen Descriptor" of the spec [3]) in GIF
files:
# file max_size.gif...
Re: CVE-2025-31344: giflib: The giflib open-source component has a buffer overflow vulnerability.
Bernhard Rosenkränzer (Apr 09)
Except for https://sourceforge.net/p/giflib/bugs/179/, all the issues seem to be in gif2rgb, which is, according to the
giflib maintainer, "old and crappy code", and TBH, other than as a no-dependency test tool for giflib, it is fairly
useless (just use ImageMagick or a similar tool to do the gif to rgb conversion).
Simply removing the gif2rgb tool is probably an acceptable solution.
ttyl
bero