Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

List Archives

Latest Posts

Re: escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise) Sam James (May 02)
Solar Designer <solar () openwall com> writes:

Lasse has put up an initial implementation for xz:
https://github.com/tukaani-project/xz/pull/118.

Comments are welcome. It was a TODO from a long time ago ;)

We're not sure how much is overkill (or underkill) for this, especially
given it gets harder when Unicode is involved.

thanks,
sam
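An added example, not code from the xz project or from PR #118: one way to make a filename safe to print, escaping the C0/C1 controls that drive a terminal and the Unicode format characters (bidi overrides, zero-width joiners) that the post notes make the problem harder. POSIX filenames are bytes, so undecodable bytes are carried through with surrogateescape and written back as `\xNN`; the category set and the escape forms are this example's own choices, not xz's.

```python
import unicodedata

# Unicode general categories whose members are invisible or alter layout or
# reading direction on a terminal: controls, format characters (bidi
# overrides, zero-width joiners), surrogates, private-use, unassigned, and
# the line/paragraph separators.  This set is an assumption of the example.
UNSAFE_CATEGORIES = {"Cc", "Cf", "Cs", "Co", "Cn", "Zl", "Zp"}


def escape_for_terminal(text: str) -> str:
    """Return text with anything that could drive the terminal made visible.

    C0 controls, DEL and C1 controls become \\xNN; other unsafe code points
    become \\uNNNN or \\UNNNNNNNN; backslash is doubled so the result is
    unambiguous.  Lone surrogates U+DC80..U+DCFF, as produced by decoding a
    filename with errors="surrogateescape", are written back as the raw byte.
    """
    out = []
    for ch in text:
        cp = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif 0xDC80 <= cp <= 0xDCFF:
            # undecodable byte smuggled through by surrogateescape
            out.append(f"\\x{cp - 0xDC00:02x}")
        elif cp < 0x20 or 0x7F <= cp <= 0x9F:
            out.append(f"\\x{cp:02x}")
        elif unicodedata.category(ch) in UNSAFE_CATEGORIES:
            out.append(f"\\u{cp:04x}" if cp <= 0xFFFF else f"\\U{cp:08x}")
        else:
            out.append(ch)
    return "".join(out)


def escape_filename(name: bytes) -> str:
    """POSIX filenames are bytes and need not be valid UTF-8; decode with
    surrogateescape so every byte survives, then escape for display."""
    return escape_for_terminal(name.decode("utf-8", "surrogateescape"))


if __name__ == "__main__":
    # Constructed sample names, not taken from any real archive.
    for name in (b"report.txt",
                 b"\x1b]0;pwned\x07.xz",          # OSC title-set sequence
                 b"evil\xe2\x80\xaetxt.exe",       # U+202E right-to-left override
                 b"caf\xc3\xa9\xff"):              # valid UTF-8 plus a stray byte
        print(escape_filename(name))
```

Escaping rather than dropping keeps the output reversible, so a user can still tell which file a message refers to; valid printable non-ASCII such as `é` passes through untouched.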

Re: New SMTP smuggling attack Solar Designer (May 02)
Steffen,

This reads like an excuse to post lots of thoughts that are off-topic
for this thread. I understand that sometimes discussions wander off the
original topic, but in this case the second half of your message is
totally irrelevant. I approved this one message anyway out of respect
for the time you spent writing it, but please be aware that I am
unlikely to do that next time you do something like this. I also ask
others to please...

Re: New SMTP smuggling attack Steffen Nurpmeso (May 02)
Please let me elaborate a little more on this, not to be
misunderstood and also..

Steffen Nurpmeso wrote in
<20240430224823.uA8Nr1Cp@steffen%sdaoden.eu>:
|Mark Esler wrote in
| <ZjBHOEHylGAaIo57@moon>:
||To mitigate future end-of-data sequence attacks, like SMTP Smuggling, MTAs
||should comply with RFC 5321 section 4.1.1.4 [0] to strip control
||characters other than <SP>, <HT>, <CR>, and <LF> in the...

CVE-2024-30251: DoS in aiohttp Sam Bull (May 02)
Aiohttp is an HTTP client and server-side web framework in Python. This issue only affects
users of the server-side web framework. We've not seen any evidence of this being
exploited in the wild yet, and fixes were already included in the 3.9.4 and 3.9.5
releases.

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5m98-qgg9-wh84

### Summary
An attacker can send a specially crafted POST (multipart/form-data) request. When the...

Multiple vulnerabilities in Jenkins plugins Daniel Beck (May 02)
Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Git server Plugin 117.veb_68868fa_027
* Script Security Plugin 1336.vf33a_a_9863911

Additionally, we announce unresolved security issues in the following
plugins:

* Subversion Partial Release Manager Plugin
* Telegram Bot Plugin

Summaries...

CVE-2024-32638: Apache APISIX: Forward-Auth Request Smuggling YuanSheng Wang (May 02)
Severity: low

Affected versions:

- Apache APISIX 3.8.0, 3.9.0

Description:

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
vulnerability in Apache APISIX when using `forward-auth` plugin.

This issue affects Apache APISIX: from 3.8.0, 3.9.0 .

Users are recommended to upgrade to version 3.8.1, 3.9.1 or higher, which
fixes the issue.

Credit:

Discovered and reported by Brandon Arp and Bruno Green of Topsort....

Re: Re: CVEs issued by the Linux kernel CNA Greg KH (May 02)
And, if anyone wants to play along at home, they can get the same
information directly from our git repo at:
https://git.kernel.org/pub/scm/linux/security/vulns.git/
by cloning it locally and then running:

$ ./scripts/summary
Year Reserved Assigned Rejected Total
2019: 47 2 1 50
2020: 37 13 0...

Re: CVEs issued by the Linux kernel CNA Alan Coopersmith (May 01)
Quantifying this a bit more now - Greg K-H provided some stats so far in:
https://social.kernel.org/notice/AhSCMVs4RofbnTftGS

which says:

CVE-2024-32114: Apache ActiveMQ: Jolokia and REST API were not secured with default configuration Jean-Baptiste Onofré (May 01)
Severity: low

Affected versions:

- Apache ActiveMQ 6.0.0 through 6.1.1

Description:

In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API
and the Message REST API are located).
It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with
the broker (using Jolokia JMX REST API) and/or produce/consume messages or...

Re: New SMTP smuggling attack Steffen Nurpmeso (Apr 30)
Mark Esler wrote in
<ZjBHOEHylGAaIo57@moon>:
|To mitigate future end-of-data sequence attacks, like SMTP Smuggling, MTAs
|should comply with RFC 5321 section 4.1.1.4 [0] to strip control
|characters other than <SP>, <HT>, <CR>, and <LF> in the DATA section of
|SMTP messages.

Given that RFC 733 is from 1977 and RFC 822 is from 1982 I feel
this entire thread is exaggerating.

The smuggling problem solely was...

Re: New SMTP smuggling attack Erik Auerswald (Apr 30)
Hi Mark,

This is an interesting interpretation of RFC 5321, but I do not think
it follows the contents of said RFC.

Well, my reading of the RFC does not forbid this sequence. RFC 5321
clearly does not require transforming this sequence into another sequence.

RFC 5321 section 4.1.1.4 (DATA (DATA)) states:

"The mail data may contain any of the 128 ASCII character codes"

RFC 5321 section 4.5.2 (Transparency) states:...

Re: New SMTP smuggling attack nightmare . yeah27 (Apr 30)
[...]

I don't see that stripping specifically is implied.

What is the benefit of stripping versus the much more natural option
of rejecting such messages?

One possible consequence of passing messages along in an altered form
is that various signatures may break.

Re: Telegram Web app XSS / Session Hijacking 1-click Pedro Batista (Apr 30)
CVE-2024-33905

Re: New SMTP smuggling attack Mark Esler (Apr 30)
To mitigate future end-of-data sequence attacks, like SMTP Smuggling, MTAs
should comply with RFC 5321 section 4.1.1.4 [0] to strip control
characters other than <SP>, <HT>, <CR>, and <LF> in the DATA section of
SMTP messages.

e.g., `\r\n\x00.\r\n` _SHOULD_ become `\r\n.\r\n` and then (as per RFC
5321 section 4.5.2 [1]) dot-stuff the _forbidden_ sequences.

As per RFC 2119 section 3 [2], the word *SHOULD* implies *MUST*...
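An added example serving the whole thread above, not code from any MTA discussed in it: a receiver that accepts only `<CRLF>.<CRLF>` as end-of-data, audits the body for bare CR/LF and the control characters RFC 5321 4.1.1.4 excludes, and offers both policies argued here, rejecting outright or accepting and then stripping plus dot-stuffing before relay as in the `\r\n\x00.\r\n` case. The reply codes, function names and the sample stream are this example's own constructions.

```python
import re

END_OF_DATA = b"\r\n.\r\n"
# Control characters other than SP, HT, CR and LF (RFC 5321 4.1.1.4).
FORBIDDEN_CTRL = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
BARE_LF = re.compile(rb"(?<!\r)\n")
BARE_CR = re.compile(rb"\r(?!\n)")


def split_at_end_of_data(stream: bytes):
    """Split what the client sent after the 354 reply at the only end-of-data
    sequence this receiver accepts, <CRLF>.<CRLF>.  The stream begins right
    after the CRLF of the DATA command, so a leading '.<CRLF>' is an empty body.
    Returns (body, remainder) or None if the terminator has not arrived."""
    if stream.startswith(b".\r\n"):
        return b"", stream[3:]
    i = stream.find(END_OF_DATA)
    if i < 0:
        return None
    return stream[: i + 2], stream[i + 5 :]


def audit_body(body: bytes) -> list:
    """Name the things a lenient peer might mistake for an end-of-data
    sequence or that RFC 5321 says should not be in the mail data."""
    findings = []
    if BARE_LF.search(body):
        findings.append("bare LF")
    if BARE_CR.search(body):
        findings.append("bare CR")
    if FORBIDDEN_CTRL.search(body):
        findings.append("forbidden control character")
    return findings


def unstuff(body: bytes) -> bytes:
    """Undo RFC 5321 4.5.2 transparency: one leading dot per line is removed."""
    lines = body.split(b"\r\n")
    return b"\r\n".join(l[1:] if l.startswith(b".") else l for l in lines)


def stuff(body: bytes) -> bytes:
    """Apply transparency before sending: prepend a dot to lines starting with one."""
    lines = body.split(b"\r\n")
    return b"\r\n".join(b"." + l if l.startswith(b".") else l for l in lines)


def receive_data(stream: bytes, policy: str = "reject"):
    """Receiver side.  Returns (reply, message, remainder); message is None
    when the transaction is refused.  policy 'reject' refuses anomalous
    bodies outright; 'strip' accepts them and leaves cleanup to relay time."""
    parts = split_at_end_of_data(stream)
    if parts is None:
        return None  # wait for more input
    body, remainder = parts
    findings = audit_body(body)
    if findings and policy == "reject":
        return "554 5.6.0 Message refused: " + ", ".join(findings), None, remainder
    return "250 2.0.0 Ok", unstuff(body), remainder


def sanitize_for_relay(message: bytes) -> bytes:
    """The 'strip' option: remove forbidden controls, canonicalise bare CR/LF
    to CRLF, then dot-stuff so a '.' line uncovered by the stripping cannot
    end DATA at the next hop."""
    message = FORBIDDEN_CTRL.sub(b"", message)
    message = BARE_LF.sub(b"\r\n", message)
    message = BARE_CR.sub(b"\r\n", message)
    return stuff(message)


# Constructed smuggling attempt: a bare-LF ".\n" that a lenient receiver would
# take as end-of-data, followed by a second envelope and message.
SMUGGLE = (
    b"From: alice@example.test\r\n\r\nhello\r\n"
    b"\n.\n"
    b"MAIL FROM:<attacker@example.test>\r\n"
    b"RCPT TO:<victim@example.test>\r\n"
    b"DATA\r\n"
    b"Subject: smuggled\r\n\r\nsecond message\r\n"
    b".\r\nQUIT\r\n"
)

if __name__ == "__main__":
    reply, message, rest = receive_data(SMUGGLE)
    print(reply)   # 554 5.6.0 Message refused: bare LF
    print(rest)    # b'QUIT\r\n' -- only the real terminator ended DATA
    print(sanitize_for_relay(b"x\r\n\x00.\r\nend\r\n"))  # b'x\r\n..\r\nend\r\n'
```

With the strict terminator the injected `MAIL FROM`/`RCPT TO`/`DATA` lines stay inside the first message's body instead of starting a second transaction; which of the two policies to apply is exactly the point under dispute in the thread, and the rejection path is the one that leaves signatures over the body intact.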

Re: Update on the distro-backdoor-scanner effort Jacob Bachmeyer (Apr 30)
Vegard Nossum wrote:

You are correct, but making this a little bit harder for an attacker is
still an improvement. Perhaps pkg-config variable values should be
required to be in quotes if they contain spaces?

The bigger issue is accepting an *-uninstalled.pc in a system directory,
which means that it actually *has* been installed. That logic error
allowed your backdoor to override the real libelf.pc without producing a
file conflict that...
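An added example, not part of the distro-backdoor-scanner effort or of the post above: a small audit of pkg-config `.pc` files that flags the two things Jacob raises, an `*-uninstalled.pc` sitting in a system directory (which pkg-config prefers over the installed file) and variable values containing unquoted whitespace, plus shell metacharacters and `-I`/`-L` paths into scratch or home directories. The directory list, the heuristics and the sample files are this example's own assumptions, not pkg-config's parsing rules.

```python
import os
import re
import sys

# Directories pkg-config searches by default on common Linux installs
# (assumed here; the authoritative list is `pkg-config --variable pc_path pkg-config`).
SYSTEM_PC_DIRS = [
    "/usr/lib/pkgconfig", "/usr/lib64/pkgconfig", "/usr/share/pkgconfig",
    "/usr/lib/x86_64-linux-gnu/pkgconfig", "/usr/local/lib/pkgconfig",
]

VARIABLE = re.compile(r"^([A-Za-z_][\w.]*)\s*=(.*)$")      # name=value
KEYWORD = re.compile(r"^([A-Za-z_][\w.]*)\s*:(.*)$")       # Name: value
FLAG_KEYWORDS = {"Cflags", "Cflags.private", "Libs", "Libs.private"}
SHELL_META = re.compile(r"`|\$\(|[;|&<>]")                 # ${var} is fine, $(cmd) is not
UNTRUSTED_DIR = re.compile(r"^-[IL](/tmp|/var/tmp|/dev/shm|/home|/root)(/|$)")


def audit_pc(path: str, text: str, in_system_dir: bool = True) -> list:
    """Return human-readable findings for one .pc file.  These are heuristics
    chosen for this example, not a parser that matches pkg-config exactly."""
    findings = []
    if in_system_dir and path.endswith("-uninstalled.pc"):
        findings.append(f"{path}: *-uninstalled.pc in a system directory; "
                        "pkg-config prefers it over the installed .pc")
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # '#' starts a comment
        if not line:
            continue
        if SHELL_META.search(line):
            findings.append(f"{path}:{n}: shell metacharacter in {line!r}")
        m = VARIABLE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            quoted = len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"
            if any(c.isspace() for c in value) and not quoted:
                findings.append(f"{path}:{n}: unquoted whitespace in variable {name}={value!r}")
            continue
        m = KEYWORD.match(line)
        if m and m.group(1) in FLAG_KEYWORDS:
            for tok in m.group(2).split():
                if UNTRUSTED_DIR.match(tok):
                    findings.append(f"{path}:{n}: {m.group(1)} points at an untrusted location {tok}")
    return findings


def scan_dirs(dirs=SYSTEM_PC_DIRS) -> list:
    """Audit every .pc file found directly in the given directories."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".pc"):
                path = os.path.join(d, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += audit_pc(path, fh.read())
    return findings


# Constructed sample files for demonstration; not real distro content.
SAMPLE_GOOD = """\
prefix=/usr
libdir=${prefix}/lib
Name: libelf
Description: ELF library
Version: 0.190
Libs: -L${libdir} -lelf
Cflags: -I${prefix}/include
"""

SAMPLE_BAD = """\
prefix=/usr
libdir=${prefix}/lib /tmp/evil
Name: libelf
Description: ELF library
Version: 0.190
Libs: -L${libdir} -L/tmp/.x -lelf
Cflags: -I${prefix}/include $(id)
"""

if __name__ == "__main__":
    for f in audit_pc("/usr/lib/pkgconfig/libelf-uninstalled.pc", SAMPLE_BAD):
        print(f)
    for f in scan_dirs(sys.argv[1:] or SYSTEM_PC_DIRS):
        print(f)
```

Run with no arguments it walks the default system directories; pass directories explicitly to check a staging tree. A clean build should produce no findings, so any output is worth a look.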

More Lists

Dozens of other network security lists are archived at SecLists.Org.