Updated rabbitmq-server packages fix security vulnerabilities: RabbitMQ all versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in AMQP 1.0 client connection endpoint. A malicious user can exploit the vulnerability by
Updated python-pillow packages fix security vulnerabilities: An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la (CVE-2021-25287).
objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::dup_top (called from acommon::StringMap::add and acommon::Config::lookup_list) (CVE-2019-25051). References:
Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8 (CVE-2021-36740).
Update python3 to 3.8.11 to fix several security issues. Fixes in 3.8.10 are also included. Bundled pip and setuptools were updated in 3.8.11 so python-pip needs to be updated to 21.1.3 and python-setuptools to 56.2.0 at the same time.
This update provides the upstream 6.1.24 maintenance release that fixes atleast the following security vulnerabilities: An easily exploitable vulnerability in the Oracle VM VirtualBox (component: Core) prior to 6.1.24 allows high privileged attacker with logon to the
Wrong content via metalink not discarded (CVE-2021-22922). Metalink download sends credentials (CVE-2021-22923). Bad connection reuse due to flawed path name checks (CVE-2021-22924).
This update backports some significant security fixes relating to session security from the upstream 9.19 release. See upstream references for more informations.
Quassel through 0.13.1, when --require-ssl is enabled, launches without SSL or TLS support if a usable X.509 certificate is not found on the local system (CVE-2021-34825). Also, the default IRC server has been changed from Freenode to Libera Chat, as
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request (CVE-2021-33813). References: - https://bugs.mageia.org/show_bug.cgi?id=29187
filezilla embeds a PuTTY client that was vulnerable: PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client) (CVE-2020-14002).
An Out of Bounds flaw was found fig2dev version 3.2.8a. A flawed bounds check in read_objects() could allow an attacker to provide a crafted malicious input causing the application to either crash or in some cases cause memory corruption. The highest threat from this vulnerability is to integrity as well as system availability (CVE-2021-3561).
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions (CVE-2021-31811). In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3
It was discovered that the perl Net-CIDR-Lite module did not correctly handle IP addresses with IP octets containing leading zeros. Leading zeros were ignored, while the underlying system can treat such octets as octal numbers and interpret them differently. For example, IP address of 010.0.0.1 was considered by Net CIDR-Lite to be the same address as 10.0.0.1, while system may consider it to be
The Net::Netmask module before 2.0000 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses (CVE-2021-29424).
In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an
An integer overflow bug in Redis version 6.0 or newer could be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result with remote code execution (CVE-2021-29477). An integer overflow bug in Redis 6.2 before 6.2.3 could be exploited to corrupt
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require('y18n')(); y18n.setLocale('__proto__'); y18n.updateLocale({polluted: true}); console.log(polluted); // true (CVE-2020-7774).
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository (CVE-2021-3572). The bundled python-urllib3 was also vulnerable to: