The SingleDocParser::HandleNode function in yaml-cpp (aka LibYaml-C++) 0.5.1 allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted YAML file. (CVE-2017-5950)
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p). (CVE-2018-0734)
In libpng until version 1.6.35, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an integer overflow and resultant divide-by-zero while processing a crafted PNG file, leading to a denial of service. (CVE-2018-13785)
Some easily exploitable vulnerabilities allowing high privileged attacker with network access via multiple protocols to compromise MySQL Server have been fixed. References:
A critical vulnerability in Adobe Flash Player 31.0.0.148 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user. (CVE-2018-15981) References:
In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file. A remote attacker can leverage this for a DoS attack. (CVE-2018-16646) An issue was discovered in Poppler 0.71.0. There is a reachable abort in
The ghostscript 9.26 update is focusing on security issues, including solving several (well publicised) real and potential exploits. For other fixes in this release, see the referenced News.
This is a service release to update the stable version 1.3 of Roundcube Webmail. It contains fixes to several bugs backported from the master branch including a security fix for a reported XSS vulnerability (in handling invalid style tag content) plus updates to ensure compatibility with PHP 7.3 and recent versions of Courier-IMAP, Dovecot and MySQL 8
An issue was discovered in GNU gettext 0.19.8. There is a double free in default_add_message in read-catalog.c, related to an invalid free in po_gram_parse in po-gram-gen.y, as demonstrated by lt-msgfmt. (CVE-2018-18751)
Assertion failure in BPMDetect class in BPMDetect.cpp (CVE-2018-17096). Out-of-bounds heap write in WavOutFile::write() (CVE-2018-17097). Heap corruption in WavFileBase class in WavFile.cpp (CVE-2018-17098). References:
It was discovered that mishandled search requests in servers/slapd/search.c:do_search() in 389-ds-base allows for denial of service (CVE-2018-14648). References:
mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example,
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption (CVE-2018-16843). nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the
Luis Merino, Markus Vervier and Eric Sesterhenn discovered that missing input sanitising in the Hylafax fax software could potentially result in the execution of arbitrary code via a malformed fax message (CVE-2018-17141).
Due to incorrect input handling, Squid is vulnerable to a Cross-Site Scripting vulnerability when generating HTTPS response messages about TLS errors (CVE-2018-19131). Due to a memory leak in SNMP query rejection code, Squid is vulnerable
Hanno B?ck discovered that libmspack incorrectly handled certain CHM files. An attacker could possibly use this issue to cause a denial of service (CVE-2018-14679, CVE-2018-14680). Jakub Wilk discovered that libmspack incorrectly handled certain KWAJ
This update fixes various security vulnerabilities affecting the SDL2_image library, listed below. The fixes are provided in SDL2_image 2.0.4, which depends on SDL2 2.0.8 or later. As such, the SDL2 and SDL2_mixer libraries are also updated to their current stable releases, providing various bug fixes and features.
The ProcessGpsInfo function may have allowed a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because of inconsistency between float and double in a sprintf format string during TAG_GPS_ALT handling (CVE-2018-16554).
A flaw was found in gdal up to version 2.3.0. A Heap-buffer-overflow in GTiffOddBitsBand::IReadBlock. A flaw was found in gdal. A Heap-buffer-overflow in NITFRasterBand::Unpack.
Updated php-pear-CAS packages fix security vulnerabilities: An XSS vulnerabilities has been fixed for proxy mode. References: - https://bugs.mageia.org/show_bug.cgi?id=23833
Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.
Cloud Security Cryptography Desktop Security Firewall Government Hacks/Cracks IoT Security Network Security Organizations/Events Privacy Security Projects Security Trends Security Vulnerabilities Server Security Vendors/Products
Debian Debian LTS Fedora Gentoo Mageia Oracle openSUSE RockyLinux Slackware SuSE Ubuntu
Harden My Filesystem Learn Tips and Tricks Secure My E-mail Secure My Firewall Secure My Network Secure My Webserver Strengthen My Privacy
Best Secure Linux Distros for Enhanced Privacy & Security The Truth About Linux Malware & How to Protect Your System Is Linux A More Secure Option Than Windows For Businesses? How Secure Is Linux? Top Tips for Securing Your Linux System
Advertise Contribute Your Article Legal Notice RSS Feeds Contact Us Terms of Service Privacy Policy
Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.
