UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps() (as well as ujson.dump() and ujson.encode()) has a reject_bytes=False option. When set, these functions may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into diffe...
concurrent-ruby is a set of modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can...
concurrent-ruby is a set of modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are use...
concurrent-ruby is a set of modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caused by the interaction between AtomicReference#update, which retries until compare_and_set(old_value,...
Oj: Integer Overflow in Oj.load 2GB String Handling
Oj: Use-After-Free in Oj::Parser SAJ Long Key Callback
Oj: Use-After-Free in Oj::Parser array_class/hash_class GC Marking
Oj: Negative-Size memcpy in Oj::Parser create_id Attribute Handling
CoreWCF: SPNEGO SecurityContextToken proof key wrapped without confidentiality
CoreWCF: XML Signature Wrapping in WS-Security endorsing/supporting signature verification allows replay of captured signed messages
CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation
CoreWCF: SAML SubjectConfirmation methods and holder-of-key proof keys are not enforced
CoreWCF: WS-Security Reference DigestMethod Algorithm-Suite Bypass
CoreWCF: SAML token replay protection is inoperative
CoreWCF: UnixDomainSocket Non-Reentrant POSIX Identity Resolution
CoreWCF: NetNamedPipe transport accepts attach to a pre-existing named pipe instance
CoreWCF: Unix Domain Socket PosixIdentity transport accepts connections that skip the security upgrade
CoreWCF: Kafka consume pump halts permanently on a Kafka tombstone (null-value record), causing persistent endpoint denial of service
CoreWCF: SamlSerializer skips SignatureValue verification when SAML signing token is not an X.509 certificate
CoreWCF: WS-Security signature substitution via document-wide Signature lookup