Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

Latest Posts

Re: Announce: OpenSSH 10.3 released Demi Marie Obenour (Apr 03)
Is it safe (from a shell injection perspective) to pass inputs that are
sanitized for character set, but otherwise untrusted? For instance,
is it sufficient to limit usernames to ^[A-Za-z][A-Za-z0-9_-]{0,31}$
and domain names to valid host names [1]?

Can one assume that in situations where entries come from an
untrusted source (such as AuthorizedKeysCommand), OpenSSH _does_
do such checking?

[1]: No more than 254 bytes (plus optional trailing...

Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 Salvatore Bonaccorso (Apr 03)
Hi,

According to https://www.cve.org/CVERecord?id=CVE-2026-34714 the
assigner is MITRE CNA itself.

Regards,
Salvatore

Re: Re: Multiple vulnerabilities in AppArmor Salvatore Bonaccorso (Apr 03)
Hi,

[...]

[...]

To close the circle here: sudo has its own CVE for the issue addressed
above; it is CVE-2026-35535.

https://www.cve.org/CVERecord?id=CVE-2026-35535

Regards,
Salvatore

Re: Announce: OpenSSH 10.3 released Salvatore Bonaccorso (Apr 03)
Hi Agostino,

I think since yesterday there were CVEs actually assigned by MITRE;
they should be:

https://www.cve.org/CVERecord?id=CVE-2026-35414
https://www.cve.org/CVERecord?id=CVE-2026-35385
https://www.cve.org/CVERecord?id=CVE-2026-35386
https://www.cve.org/CVERecord?id=CVE-2026-35387
https://www.cve.org/CVERecord?id=CVE-2026-35388

Regards,
Salvatore

Re: Announce: OpenSSH 10.3 released Agostino Sarubbo (Apr 03)
Hello Damien,

thank you for bringing this to oss-security so that everyone is aware of it.

Regarding the security changes, we do not see any CVE assigned. Could you please clarify
your perspective on this? Are these changes considered simply hardening improvements,
or do they have a security impact that would warrant a CVE?

Thank you.
Agostino

Re: [libc musl] - Algorithmic complexity DoS in iconv GB18030 decoder Rich Felker (Apr 02)
The attached patch has now been tested to work. Compared to the
previous version above, it corrects one value in the table, an
erroneous += 0x10000 above, and missing logic for characters U+10000
and up.

Rich

From: Rich Felker <dalias () aerifal cx>
Date: Mon, 30 Mar 2026 16:00:50 -0400
Subject: [PATCH] fix pathological slowness & incorrect mappings in iconv
gb18030 decoder

in order to implement the "UTF" aspect of gb18030...

Re: [libc musl] - Algorithmic complexity DoS in iconv GB18030 decoder Rich Felker (Apr 02)
The above patch was a proposal for testing. It should mitigate the
extreme slowness for characters encoded in GB18030's UTF, but it does
not work correctly and has not been confirmed not to have other
problems. I will follow up with a correct patch.

Rich

[libc musl] - Algorithmic complexity DoS in iconv GB18030 decoder Jens Jarl Nestén Hansen-Nord (Apr 02)
==========================================
libc musl Security Advisory: April 2, 2026
==========================================
Description:
The GB18030 4-byte decoder in musl libc's iconv() implementation contains a gap-skipping loop that performs a full
linear scan of the gb18030126 lookup table (23,940 entries) on each iteration of an outer loop whose iteration count is
input-dependent. For 4-byte sequences whose linear index falls...

Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 Solar Designer (Apr 02)
That's bad news. We really need to disable modelines by default. I see
the discussion in https://github.com/vim/vim/pull/19875 but I think
that's advanced users, it's not representative of the Vim userbase.
Someone who makes very basic use of Vim does not even know modelines
exist and would not comment in that PR, but those basic users are the
majority. The advanced users who know and need modelines can re-enable
them -...

Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 Christian Brabandt (Apr 02)
It seems the community prefers a whitelist approach, however. So this is
probably what it will be soon.

Thanks,
Christian

Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 David A. Wheeler (Apr 02)
Yes, nomodeline, sorry for the error. You *can* say ":set" but it's
conventional to omit the colon prefix.

I did find this gem in vim ":help modeline":

If vim just has a weird display, instead of executing programs, I guess
it's arguable that this isn't "insecure by default". But this at least teeters close to it.
When people use a text editor, they're not trying to think
through trust boundary...

[ANNOUNCE] ATS is vulnerable to HTTP requests with body Masakazu Kitajo (Apr 02)
Description:
ATS is vulnerable to HTTP requests with body.

CVE:
CVE-2025-58136 - A simple legitimate POST request causes a crash
CVE-2025-65114 - Malformed chunked message body allows request smuggling

Reported By:
Masakazu Kitajo (CVE-2025-58136)
Katsutoshi Ikenoya (CVE-2025-65114)

Vendor:
The Apache Software Foundation

Version Affected:
ATS 9.0.0 to 9.2.12
ATS 10.0.0 to 10.1.1

Mitigation:
9.x users should upgrade to 9.1.13 or later...

Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 Tianyu Chen (Apr 02)
Isn't it CVE-2026-34714? I saw it noted on
https://github.com/vim/vim/security/advisories/GHSA-2gmj-rpqf-pxvh.

Best regards,
Tianyu Chen @ deepin

Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272 Christian Brabandt (Apr 02)
Tianyu Chen wrote on Thursday, 02 April 2026:

Yes, but GitHub did not assign it. Someone else did, and GH barely
notified me of this already existing CVE.

Thanks,
Christian

Announce: OpenSSH 10.3 released Damien Miller (Apr 02)
OpenSSH 10.3 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More...
