The updated golang packages fix a security vulnerability: Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort (CVE-2021-36221).
The updated exiv2 packages fix security vulnerabilities: An assertion failure is triggered when Exiv2 is used to modify the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim
A stack buffer overflow in libspf2 versions below 1.2.11 when processing certain SPF macros can lead to denial of service and potentially code execution via maliciously crafted SPF explanation messages (CVE-2021-20314).
Updated libass packages fix a security vulnerability: libass 0.15.x before 0.15.1 has a heap-based buffer overflow in decode_chars (called from decode_font and process_text) because the wrong integer data type is used for subtraction (CVE-2020-36430).
runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on a race condition (CVE-2021-30465).
It was discovered that GPSd incorrectly handled certain leap second events which would result in the time jumping back 1024 weeks on 2021-10-31. This update provides upstream version 3.23 that has this and several
This kernel-linus update is based on upstream 5.10.60 and fixes at least the following security issues: A missing validation of the "int_ctl" VMCB field allows a malicious L1 guest to enable AVIC support (Advanced Virtual Interrupt Controller)
This kernel update is based on upstream 5.10.60 and fixes at least the following security issues: Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a
Updated sylpheed and claws-mail packages fix a security vulnerability: The textview_uri_security_check() function in textview.c in Claws Mail before 3.18.0, and Sylpheed through 3.7.0, does not have sufficient link checks before accepting a click (CVE-2021-37746).
Updated thunderbird packages fix security vulnerabilities: Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash (CVE-2021-29980).
Updated qtwebengine5 packages fix security vulnerabilities: The qtwebengine5 package has been updated to version 5.15.5, fixing several security issues in the bundled chromium code.
Updated spice packages fix a security vulnerability: A flaw was found in spice in versions before 0.14.92. A DoS tool might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection
The recent fix for CVE-2021-33574 released in MGASA-2021-0308 introduced a NULL pointer dereference that will result in a segmentation fault. This update adds the missing NULL pointer check to resolve this issue.
Updated firefox packages fix security vulnerabilities: Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash (CVE-2021-29980).
Updated mariadb packages fix security vulnerabilities: A security issue has been found in the InnoDB component of MariaDB before version 10.6.4. A difficult to exploit vulnerability allows a high privileged attacker with network access via multiple protocols to
Updated dino packages fix a security vulnerability: Dino before 0.1.2 and 0.2.x before 0.2.1 allows Directory Traversal (only for creation of new files) via URI-encoded path separators (CVE-2021-33896).
Updated webkit2 packages fix security vulnerabilities: A use-after-free vulnerability exists in the way certain events are processed for ImageLoader objects of Webkit WebKitGTK 2.30.4. A specially crafted web page can lead to a potential information leak and further
This kernel-linus update is based on upstream 5.10.56 and fixes at least the following security issues: In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store
This kernel update is based on upstream 5.10.56 and fixes at least the following security issues: In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store