2020 Jun 29
0
can we help with libvorbis release for CVE fixes?
Hi Ralph and libvorbis developers,
I thought the vorbis gitlab project was the main development site (https://gitlab.xiph.org/xiph/vorbis) because that's what the NVD CVE tracker points to for the two CVEs I mentioned. But I just realized there's also a vorbis github project (https://github.com/xiph/vorbis). Both appear to have recent activity.
Is the gitlab project the correct one
2017 Dec 19
1
Fwd: httpd24 Package Question
Alexander,
These are the only two CVEs from 2016 that I found contained in the RPM
that you referenced.
- add security fix for CVE-2016-5387
- mod_ssl: add security fix for CVE-2016-4979
--
Tyler Waldo
Information Security Associate
Threat and Vulnerability Management
Mobile: (650) 410-0776
On Tue, Dec 19, 2017 at 10:39 AM, Alexander Dalloz <ad+lists at uni-x.org>
wrote:
> Am
2017 Mar 07
0
SECURITY: Various security issues in icoutils 'wrestool', used by libguestfs
Sorry for missing the importance of these earlier. These
vulnerabilities were first disclosed this January.
There are seven vulnerabilities reported in the icoutils package, in
the 'wrestool' program.
Unfortunately because libguestfs downloads untrusted guest content and
processes it with 'wrestool -x' on the host, libguestfs is vulnerable
to these. This could lead to host
2020 Jul 04
0
can we help with libvorbis release for CVE fixes?
Ok,
I wasn't able to track down the original steps to reproduce this
issue, but we believe CVE-2018-10393 is a duplicate of CVE-2017-14160,
both fixed by commit 018ca26dece6.
Because of the confusion, I added additional bounds checks to
the bark_noise_hybridmp function, which make it clear to local analysis
that no for bugs in this class are possible. This change is in
commit a9eb99a5bd6f.
2020 Jun 30
2
can we help with libvorbis release for CVE fixes?
Yes, the gitlab instance is the correct upstream development
repository. We maintain a mirror at github for the convenience of
developers there.
Cheers,
Ralph
On Mon, 2020-06-29 at 21:27 +0000, Ellen Johnson wrote:
> Hi Ralph and libvorbis developers,
> I thought the vorbis gitlab project was the main development site (
> https://gitlab.xiph.org/xiph/vorbis) because that's what
2016 Oct 14
0
Bug 6870 resurfaced in Samba 4.2.10
Hi,
Did you check if ifconfig still shows ipv6 addresses (even ::1)?
Can you check that.
I have several with ipv6 on and several only ipv4.
As of 4.1.17+ I didn't see this happening here. Now on 4.4.5
I think you have forgotten something.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rebecca Gellman
> via samba
2020 Jun 12
4
can we help with libvorbis release for CVE fixes?
Hi Ralph,
Thank you for your reply!
For context -- we consider reported CVEs as bugs even if it's in a third-party library we use (such as libvorbis). We first determine if the CVE is something that would impact our customer workflows. In this case because of our use of libvorbis for audio I/O, it does impact our customers so we need to resolve the CVE as soon as possible.
In the
2020 Jul 07
2
new 1.3.7 and fix for CVE-2018-10392 (issue 2335)?
Hi Ralph,
Again, thanks so much for doing all this! Plus thanks to all the folks who contributed to the new release!
Quick clarifying question -- Isn't CVE-2018-10392 (looks like it’s fixed in https://gitlab.xiph.org/xiph/vorbis/-/issues/2335) also included in new version 1.3.7? If so can you please add it to release notes?
(I asked the same question in
2013 Feb 13
0
Announce: Puppet Dashboard 1.2.22 Available [ security release ]
This release of Puppet Dashboard addresses CVE-2013-0277 and
CVE-2013-0269. These are vulnerabilities that affect Ruby on Rails,
specifically around YAML serialization and JSON handling. They expose
vulnerable systems to SQL Injection, Denial of Service Attacks, and
arbitrary YAML deserialization.
Additionally, CVE-2013-0276 and CVE-2013-0263 affect vendored
components of Puppet Dashboard, but by
2017 Dec 19
0
Fwd: httpd24 Package Question
On 19.12.2017 at 18:44, Tyler Waldo wrote:
> Hello everybody
>
> I am looking to push out httpd24-httpd-2.4.25-9.el7 to my organization, but
> I do not see it as being available on the mirror.centos.org site. I see a
> git commit for this package in April and was wondering how long it takes an
> rpm to become available once the commit has been completed.
2020 Jun 10
0
can we help with libvorbis release for CVE fixes?
Hi Ellen,
Thanks for your kind offer to help the release along. We have indeed
been having trouble finding resources for that.
You can certainly help by testing the git master branch with your
software and reporting any issues you find. Otherwise, triaging
outstanding bug reports and patches is always helpful, although that's
not essential for a security-based release.
I'll try to find
2017 Dec 19
2
Fwd: httpd24 Package Question
Hello everybody
I am looking to push out httpd24-httpd-2.4.25-9.el7 to my organization, but
I do not see it as being available on the mirror.centos.org site. I see a
git commit for this package in April and was wondering how long it takes an
rpm to become available once the commit has been completed.
Also, I don't see the following CVEs addressed in any httpd24 changelogs
and wanted to know
2016 Oct 17
0
Bug 6870 resurfaced in Samba 4.2.10
On Mon, Oct 17, 2016 at 05:13:08PM +0100, Rebecca Gellman via samba wrote:
>
>
> Hi,
>
> So I did some digging into the source code, and I think I've found the
> issue. Around line 120 of source3/libads/cldap.c:
>
> for (i=0; i<num_servers; i++) {
> NTSTATUS status;
>
> status = cldap_socket_init(state->cldap,
> NULL, /* local_addr */
2005 May 02
1
Re: Long Shorewall Startup Times Revisited
Gregory Pleau wrote:
>>
>> The problem that you had with LDAP causing long Shorewall startup has
>> resurfaced. In your mail to me, you mentioned that you had found that
>> the issue was a permissions problem but gave no details.
>>
>> Would you be so kind as to give me the details so I can pass them on to
>> the current sufferer? I notice that you are
2014 Dec 11
4
Two new CVEs against FLAC
On 11-12-14 at 10:05, Miroslav Lichvar wrote:
> but I'd rather see the real seeking bug fixed instead
I think I might have a fix, but it touches quite a bit of code,
so it'll take some time.
I think the problem is that because bogus headers might pop up
in the stream of which the CRC checks out, the whole frame is
decoded to validate that a frame is correct. The bogus header
2019 Nov 19
2
[RFC] LLVM Security Group and Process
On Mon, Nov 18, 2019 at 6:00 PM JF Bastien via llvm-dev <
llvm-dev at lists.llvm.org> wrote:
>
>
> On Nov 18, 2019, at 2:42 PM, David Blaikie via llvm-dev <
> llvm-dev at lists.llvm.org> wrote:
>
>
>
> On Mon, Nov 18, 2019 at 2:31 PM Robinson, Paul via llvm-dev <
> llvm-dev at lists.llvm.org> wrote:
>
>> One problem with defining away
2015 Sep 02
2
yum list-sec CVE
Hi,
Is the command
#yum list-sec cves
still compatible with Centos7?
Or are there alternatives to list all CVE applicable to a CentOS without
the Satellite?
Thanks
2007 Nov 29
4
Rollbacks, Sqlite3 bug. Has this been reintroduced ?
Hey,
I just updated from the edge and it looks like this _issue_ has resurfaced.
Yesterday things were working (stories and specs).
No code base changes, only rspec and rspec_on_rails
After updating today I now need to set <config.txn...fixtures> to false in
the spec_helper.rb
to get the specs running, the stories are fine. Looks like the fixture
loading is trying to start a txn.
I
2006 Oct 20
1
user can't logon to specific computer: creds_server_check failed
A few computers -- two or three -- are very spotty about letting
people log on. It seems -- and this could be off-base -- that they'll
let anyone log on once, but will require a reboot before you can log
on again. Sometimes, logging on works fine, though. There really
appears to be little rhyme or reason to what happens.
In the Samba logs, I'm getting:
[2006/10/20 08:08:14, 0]
2018 Jan 04
3
CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754
Hello,
will there be updates for these CVEs for CentOS 6?
Thanks,
Walter