Dancer2 0.206000 addresses several potential security issues. There is a potential RCE with regards to Storable. Dancer2 adds session ID validation to the session engine so that session backends based on Storable can reject malformed session IDs that may lead to exploitation of the RCE. Parsing requests now uses HTTP::Entity::Parser which reduces the amount of code needed
The python-cryptography and python-cryptography-vectors packages have been updated to version 2.3.1 and fixes the following security issue: The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to
Updated lighttpd package fixes security vulnerabilities: Potential path traversal with specific configs or in some use cases in mod_alias.
Updated axis packages fix security vulnerability: Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services (CVE-2018-8032).
Updated dnsmasq packages fix a security issue Upstream dnsmasq run as nobody user which could lead to security issue if multiple services run as this same user.
Updated samba packages fix security vulnerabilities: A malicious server could return a directory entry that could corrupt libsmbclient memory (CVE-2018-10858).
The updated packages fix security vulnerabilities: An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image
Updated spamassassin package fixes security vulnerabilities: A reliance on "." in @INC in one configuration script (CVE-2016-1238). A denial of service vulnerability arises with certain unclosed tags in
Updated unzip packages fix security vulnerabilities Heap-based out-of-bounds write (CVE-2018-1000031). Heap/BSS-based buffer overflow (Bypass of CVE-2015-1315)
Updated curl packages fix security vulnerabilities: Peter Wu discovered that curl incorrectly handled certain SMTP buffers. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2018-0500).
A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission check for -modulepath and -logfile options when starting Xorg. X server allows unprivileged users with the ability to log in to the system via physical console to escalate their privileges and run arbitrary code under root privileges (CVE-2018-14665).
This kernel-linus update is based on the upstream 4.14.78 and adds additional fixes for the L1TF security issues. It also fixes atleast the following security issues: Linux kernel from versions 3.9 and up, is vulnerable to a denial of
This kernel update is based on the upstream 4.14.78 and fixes atleast the following security issues: An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy
Updated firefox packages fix security vulnerabilities: Mozilla: Memory safety bugs fixed in Firefox ESR 60.3 (CVE-2018-12389). Mozilla: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
This kernel-tmb update is based on the upstream 4.14.78 and adds additional fixes for the L1TF security issues. It also fixes atleast the following security issues: Linux kernel from versions 3.9 and up, is vulnerable to a denial of
It was found that the WEBP::GetLE32 function in XMPFiles/source/FormatSupport/WEBP_Support.hpp in Exempi 2.4.5 has a NULL pointer dereference (CVE-2018-12648). References:
lilypond does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks (CVE-2017-17523). References:
Remote denial of service (application crash) exploitable by miners via duplicate input (CVE-2018-17144). References: - https://bugs.mageia.org/show_bug.cgi?id=23681
Buffer overflow in dhclient possibly allowing code execution triggered by malicious server (CVE-2018-5732). Reference count overflow in dhcpd allows denial of service (CVE-2018-5733).
Flawed polkit authorization checks in blueman allowed any user with access to the D-Bus system bus to trigger certain network configuration logic in blueman without authentication (boo#1083066). References:
Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.
Cloud Security Cryptography Desktop Security Firewall Government Hacks/Cracks IoT Security Network Security Organizations/Events Privacy Security Projects Security Trends Security Vulnerabilities Server Security Vendors/Products
Debian Debian LTS Fedora Gentoo Mageia Oracle openSUSE RockyLinux Slackware SuSE Ubuntu
Harden My Filesystem Learn Tips and Tricks Secure My E-mail Secure My Firewall Secure My Network Secure My Webserver Strengthen My Privacy
Best Secure Linux Distros for Enhanced Privacy & Security The Truth About Linux Malware & How to Protect Your System Is Linux A More Secure Option Than Windows For Businesses? How Secure Is Linux? Top Tips for Securing Your Linux System
Advertise Contribute Your Article Legal Notice RSS Feeds Contact Us Terms of Service Privacy Policy
Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.
