This kernel update is based on upstream 5.10.33 and fixes atleast the following security issues: A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a
Updated nvidia-current packages fix security vulnerabilities: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko) where improper access control may lead to denial of service, information disclosure, or data corruption (CVE-2021-1076).
Updated nvidia390 packages fix security vulnerabilities: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko) where improper access control may lead to denial of service, information disclosure, or data corruption (CVE-2021-1076).
This update fixes two security vulnerabilities which could result in heap corruption or over-read with crafted .BMP files (CVE-2020-14409, CVE-2020-14410). References:
QSslSocket incorrectly calls SSL_shutdown() in OpenSSL mid-handshake causing denial of service in TLS applications (CVE-2020-13962) This update provides additionals fixes: - Check that the sizes are even representable when checking if clipping is
More internal network hosts could have been probed by a malicious webpage: Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine (CVE-2021-23961).
More internal network hosts could have been probed by a malicious webpage: Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine (CVE-2021-23961).
This update provides the upstream 6.1.20 maintenance release that fixes atleast the following security vulnerabilities: A difficult to exploit vulnerability in the Oracle VM VirtualBox (component: Core) prior to 6.1.20 allows high privileged attacker with
An issue was discovered in rcp in MIT krb5-appl through 1.0.3. Due to the rcp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the rcp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious rcp server (or
A remote information leak vulnerability and a remote buffer overflow vulnerability were discovered in ConnMan, which could result in denial of service or the execution of arbitrary code (CVE-2021-26675, CVE-2021-26676). References:
The updated packages fix a security vulnerability: A vulnerability in the email parsing module in Clam AntiVirus (ClamAV) Software version 0.103.1 and all prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition
There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality (CVE-2021-3426).
This kernel update is based on upstream 5.10.30 and fixes atleast the following security issues: nfc: fix refcount leak in llcp_sock_bind() (CVE-2020-25670)
This kernel-linus update is based on upstream 5.10.30 and fixes atleast the following security issues: nfc: fix refcount leak in llcp_sock_bind() (CVE-2020-25670)
Insufficient checks on the lengths of the XInput extension ChangeFeedbackControl request can lead to out of bounds memory accesses in the X server. These issues can lead to privilege escalation for authorized clients
An attacker may use Thunderbird's OpenPGP key refresh mechanism to poison an existing key (CVE-2021-23991). A crafted OpenPGP key with an invalid user ID could be used to confuse the user (MOZ-2021-23992).
The updated packages fix security vulnerabilities and a crash when a device does some cast traffic in the local network. (See upstream release notes). References: - https://bugs.mageia.org/show_bug.cgi?id=28702
GStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files (SA-2021-0002). GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files (SA-2021-0003).
libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. (CVE-2021-22876)