Mageia 2021-0466: weechat security update
A crafted WebSocket frame could result in a crash in the weechat Relay plugin. References: - https://bugs.mageia.org/show_bug.cgi?id=29513 - https://www.debian.org/lts/security/2021/dla-2770
A crafted WebSocket frame could result in a crash in the weechat Relay plugin. References: - https://bugs.mageia.org/show_bug.cgi?id=29513 - https://www.debian.org/lts/security/2021/dla-2770
Unsafe use of strncpy. (rhbz#1932066) References: - https://bugs.mageia.org/show_bug.cgi?id=29493 - https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./thread/7WQQBJ424DJMGRN6HI2OEMSSZ5XBG5ZH/
fail2ban is a daemon to ban hosts that cause multiple authentication errors. In versions 0.9.7 and prior, 0.10.0 through 0.10.6, and 0.11.0 through 0.11.2, there is a vulnerability that leads to possible remote code execution in the mailing action mail-whois. Command `mail` from mailutils package used in mail actions like `mail-whois` can execute command if
Multiple security fixes for nodejs. See references for details References: - https://bugs.mageia.org/show_bug.cgi?id=29365 - https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field (CVE-2019-20790). OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication
The updated packages fix a security vulnerabilities: While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The
This kernel-linus update is based on upstream 5.10.70 and fixes atleast the following security issues: Use-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid
This kernel update is based on upstream 5.10.70 and fixes atleast the following security issues: Use-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid
The updated sqlite packages fix a security vulnerability: Use after free in sqlite in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page (CVE-2021-30569).
Denial of service when identifying crafted invalid RFCs Security fix for CVE-2021-3737: python client can enter an infinite loop on a 100 Continue response from the server References:
It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA. (CVE-2020-25658) References:
Double free in ICU in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-30535) References:
Updated libspf2 packages fix buffer overflow. References: - https://bugs.mageia.org/show_bug.cgi?id=29396 - https://www.openwall.com/lists/oss-security/2021/08/11/6
Missing input validation on hostnames returned by DNS servers. (CVE-2021-3672) References: - https://bugs.mageia.org/show_bug.cgi?id=29350
In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. (CVE-2021-32786)
An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). (CVE-2014-10402)
The chromium-browser-stable package has been updated to 94.0.4606.61 version that fixes multiples security vulnerabilities. From 90.0.4430.72 (released on April 14, 2021) to 94.0.4606.61 version, see upstream advisories.
The updated packages fix a security vulnerability: The GD Graphics Library (aka LibGD) through 2.3.2 has an out-of-bounds read because of the lack of certain gdGetBuf and gdPutBuf return value checks (CVE-2021-40812).
Updated python-pillow packages fix security vulnerability: The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function (CVE-2021-23437).
Updated webkit2 packages fix security vulnerabilities: The webkit2 package has been updated to version 2.32.4, fixing various bugs and the following security issue: