Openafs packages have been updated to 1.9.1 for various bugfixes and to add a fix for a security vulnerability: there exist in the wild AFS3 clients that improperly construct access control lists, which are then stored to directories via RXAFS_StoreACL
This kernel-linus update is based on upstream 5.10.78 and fixes at least the following security issues: A use-after-free vulnerability in the NFC stack can lead to a threat to confidentiality, integrity, and system availability (CVE-2021-3760).
This kernel update is based on upstream 5.10.78 and fixes at least the following security issues: A use-after-free vulnerability in the NFC stack can lead to a threat to confidentiality, integrity, and system availability (CVE-2021-3760).
Updated thunderbird packages fix security vulnerabilities: The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame (CVE-2021-38503).
The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame (CVE-2021-38503). When interacting with an HTML input element's file picker dialog with
In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. (CVE-2021-39360) References:
libESMTP through 1.0.6 mishandles domain copying into a fixed-size buffer in ntlm_build_type_2 in ntlm/ntlmstruct.c, as demonstrated by a stack-based buffer over-read. (CVE-2019-19977) References:
Shell command injection in sssctl. (CVE-2021-3621) References: - https://bugs.mageia.org/show_bug.cgi?id=29383 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/X2K4GIBR2A63ZTPDUJSVOGDICCK4XC4V/
Updated php packages fix security vulnerability: In PHP versions 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access
Updated docker packages fix security vulnerabilities: A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host's filesystem,
Updated squid packages fix security vulnerability: Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution
The webkit2 package has been updated to version 2.34.1, fixing several security issues and other bugs. See release notes for details. References: - https://bugs.mageia.org/show_bug.cgi?id=29596
An issue was discovered in cairo 1.16.0. There is an infinite loop in the function _arc_error_normalized in the file cairo-arc.c, related to _arc_max_angle_for_tolerance_normalized. (CVE-2019-6462) References:
A flaw was found in libcaca. A heap buffer overflow in export.c in function export_tga might lead to memory corruption and other potential consequences. (CVE-2021-30498) A flaw was found in libcaca. A buffer overflow of export.c in function
FFmpeg 4.2 is affected by a divide-by-zero issue via libavcodec/aacpsy.c, which allows a remote malicious user to cause a denial of service. (CVE-2020-20446) FFmpeg 4.2 is affected by a null pointer dereference passed as argument to
cloud-init has the ability to generate and set a randomized password for system users. This functionality is enabled at runtime by passing cloud-config data such as `chpasswd: list: | user1:RANDOM`. When instructing cloud-init to set a random password for a new user
It was discovered that Qt incorrectly handled certain XBM image files. If a user or automated system were tricked into opening a specially crafted XBM file, a remote attacker could cause Qt to crash, resulting in a denial of service. (CVE-2020-17507)
It was discovered that openCryptoki incorrectly handled certain EC keys. An attacker could possibly use this issue to mount an invalid-curve attack. References: - https://bugs.mageia.org/show_bug.cgi?id=29328
Client-side TLS now verifies that the server hostname matches its certificate (fixed in fossil 2.14.2). A data exfiltration bug in the server (fixed in fossil 2.14.1).
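The libzapojit entry above (TLS certificate verification never enabled) and the fossil entry (certificate checked, but not that the hostname matches it) are the two halves of the same client-side TLS mistake. The following Python is an added example, not code from either project or from the advisories: it builds a client context with both checks on next to the verification-off misconfiguration, and shows a stand-alone RFC 6125-style hostname check against the dNSName entries of a peer certificate. The certificate dictionary is constructed here to mimic what ssl.SSLSocket.getpeercert() returns; no network connection is made.

```python
import ipaddress
import ssl
from typing import Iterable


def secure_client_context() -> ssl.SSLContext:
    """What a TLS client should use: CA chain verification and hostname check on."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True          # the check fossil 2.14.2 added
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The libzapojit-style misconfiguration: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE    # no chain validation at all: trivial MITM
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the context validates the chain and the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def hostname_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """RFC 6125-style match of hostname against dNSName SAN entries.

    Rules applied: case-insensitive label comparison; a wildcard is accepted
    only as the entire leftmost label, only matches one label, and is refused
    for patterns with fewer than three labels (so '*.com' never matches).
    An IP-literal hostname never matches a dNSName entry.
    """
    try:
        ipaddress.ip_address(hostname)
        return False  # IP literals must match an iPAddress SAN, not a dNSName
    except ValueError:
        pass
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        if pat[0] == "*":
            if len(pat) < 3 or any("*" in label for label in pat[1:]):
                continue  # refuse over-broad or malformed wildcards
            if host[0] and pat[1:] == host[1:]:
                return True
        elif "*" not in name and pat == host:
            return True
    return False


def dns_names_from_peercert(cert: dict) -> list:
    """Pull the dNSName entries out of a getpeercert()-style dictionary."""
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def verify_peer_hostname(hostname: str, cert: dict) -> bool:
    """The post-handshake check a client must do before trusting the peer."""
    return hostname_matches(hostname, dns_names_from_peercert(cert))


# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

if __name__ == "__main__":
    for host in ("www.example.com", "deep.www.example.com", "evil.com"):
        print(host, verify_peer_hostname(host, SAMPLE_PEERCERT))
```

The check is deliberately stricter than a bare string compare: a certificate for `*.example.com` must not cover `deep.www.example.com`, and a certificate for `*.com` must not cover anything. In real code, keep `check_hostname` on and let the library do this; the hand-written matcher is here to make visible what "verifies that the server hostname matches its certificate" actually means.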
This kernel-linus update is based on upstream 5.10.75 and fixes at least the following security issues: A memory leak in the ccp_run_aes_gcm_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel allows malicious users to cause a