Please submit a pull request if you have corrections or know about any other unfixed security bugs.

• rmt filename support makes tar vulnerable to "phishing" attacks

• CSS mix-blend-mode is bad for your browsing history (demo)

• Multi-line pastes from an untrusted source (e.g. browser) can automatically execute something you did not intend to copy

• When running sudo -u non-root-user as root, TIOCSTI allows the command in sudo -u non-root-user command to execute anything as root. Can be fixed with Defaults use_pty in sudoers. More notes.

• sudo credential caching (generally enabled by default; disabled with Defaults timestamp_timeout=0) allows any process in a TTY to do a passwordless sudo within the timeout period, not just commands that you've prefixed with sudo in the shell.

• Unlike VMware Workstation, VirtualBox clipboard sharing gives guests continuous access to the host clipboard, instead of just when the VM is focused.

• Unlike VMware Workstation, virt-manager/spice-gtk clipboard sharing gives guests continuous access to the host clipboard, instead of just when the VM is focused. This clipboard sharing feature is unconditionally enabled without warning. A compromised guest with no need for clipboard access can install spice-vdagent and start continuously sniffing the host clipboard.

• Any program connected to the server can sniff another program's keystrokes. Solved in Wayland.

• node climbs up to look for node_modules in directories that can be written to by other users

• You can crash a distributed Erlang node by making ~1M connections with an invalid security cookie

• Check for null bytes in binaries / strings when opening files (to be fixed in OTP 21.0)

• Stored XSS vulnerability in mod_dir

• HTTP content injection in httpc:request

• Credentials materials are compared unsafely throughout Twisted, still open due to the difficulty of measuring whether the constant-time compare function actually fixes anything.

• twisted.web has no protection against HTTP response-splitting attacks

• twisted.web server has no way to limit size of request body

• WeeChat relays allows clients to execute code on the relay

• These packages exist in a state of permanent insecurity because they don't keep up with the ~6-week browser update cycle. (e.g. take any one of the many WebKit security bugs fixed after the last release of these packages, which could be a ~year old.)

• Windows Defender's malware emulator is unsandboxed and runs with SYSTEM privileges

• Various methods of automatically bypassing UAC (see "Unfixed methods in upcoming Windows 10 RS2 release")

• Debian stable
• Debian testing
• Debian unstable
• Ubuntu main archive
• Ubuntu universe archive
• Ubuntu partner archive
• Arch Linux

• CVE Tracker