Mageia 2021-0401: dino security update
Updated dino packages fix security vulnerability: Dino before 0.1.2 and 0.2.x before 0.2.1 allows Directory Traversal (only for creation of new files) via URI-encoded path separators (CVE-2021-33896).
Updated dino packages fix security vulnerability: Dino before 0.1.2 and 0.2.x before 0.2.1 allows Directory Traversal (only for creation of new files) via URI-encoded path separators (CVE-2021-33896).
Updated webkit2 packages fix security vulnerabilities: A use-after-free vulnerability exists in the way certain events are processed for ImageLoader objects of Webkit WebKitGTK 2.30.4. A specially crafted web page can lead to a potential information leak and further
Updated libvirt packages fix security vulnerability: insecure sVirt label generation (CVE-2021-3631). References:
This kernel-linus update is based on upstream 5.10.56 and fixes atleast the following security issues: In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store
This kernel update is based on upstream 5.10.56 and fixes atleast the following security issues: In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store
Updated exiv2 packages fix security vulnerability: A heap-based buffer overflow vulnerability in jp2image.cpp of Exiv2 0.27.3 allows attackers to cause a denial of service (DOS) via crafted metadata (CVE-2021-31291).
Updated bluez packages fix security vulnerability: Adapter incorrectly restores Discoverable state after powered down (CVE-2021-3658).
Updated nodejs packages fix security vulnerability: Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior (CVE-2021-22930)
Updated php-pear packages fix security vulnerability: In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive (CVE-2021-32610).
Updated libsndfile packages fix security vulnerability: A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted WAV file (CVE-2021-3246).
Updated fetchmail packages fix security vulnerability: report_vbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf va_list argument, which might allow mail servers to cause a denial of service or possibly have unspecified other
Updated rabbitmq-server packages fix security vulnerabilities: RabbitMQ all versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in AMQP 1.0 client connection endpoint. A malicious user can exploit the vulnerability by
Updated python-pillow packages fix security vulnerabilities: An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2ku_graya_la (CVE-2021-25287).
objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::dup_top (called from acommon::StringMap::add and acommon::Config::lookup_list) (CVE-2019-25051). References:
Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8 (CVE-2021-36740).
Update python3 to 3.8.11 to fix several security issues. Fixes in 3.8.10 are also included. Bundled pip and setuptools were updated in 3.8.11 so python-pip needs to be updated to 21.1.3 and python-setuptools to 56.2.0 at the same time.
This update provides the upstream 6.1.24 maintenance release that fixes atleast the following security vulnerabilities: An easily exploitable vulnerability in the Oracle VM VirtualBox (component: Core) prior to 6.1.24 allows high privileged attacker with logon to the
Wrong content via metalink not discarded (CVE-2021-22922). Metalink download sends credentials (CVE-2021-22923). Bad connection reuse due to flawed path name checks (CVE-2021-22924).
This update backports some significant security fixes relating to session security from the upstream 9.19 release. See upstream references for more informations.
Quassel through 0.13.1, when --require-ssl is enabled, launches without SSL or TLS support if a usable X.509 certificate is not found on the local system (CVE-2021-34825). Also, the default IRC server has been changed from Freenode to Libera Chat, as