Several vulnerabilities were discovered in libextractor which may lead to denial of service or the execution of arbitrary code if a specially crafted file is opened (CVE-2018-14346, CVE-2018-14347, CVE-2018-16430). References:
okular version 18.08 and earlier contains a Directory Traversal vulnerability in function "unpackDocumentArchive(...)" in "core/document.cpp" that can result in Arbitrary file creation on the user workstation. This attack appear to be exploitable via he victim must open a specially crafted Okular archive (CVE-2018-1000801).
- Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c (CVE-2018-14883) - heap-buffer-overflow (READ of size 48) while reading exif data (CVE-2018-14851) - XSS due to the header Transfer-Encoding: chunked
Dropbear is prone to a user enumeration vulnerability (CVE-2018-15599). An external user without credentials can determine whether a given username exists on a server. References:
Little CMS (aka Little Color Management System) 2.9 has an integer overflow in the AllocateDataSet function in cmscgats.c, leading to a heap-based buffer overflow in the SetData function via a crafted file in the second argument to cmsIT8LoadFromFile. (CVE-2018-16435)
Updated soundtouch package fixes security vulnerabilities: - Reachable assertion in FIRFilter.cpp causing denial of service (CVE-2018-14045). - Reachable assertion in RateTransposer::setChannels() causing denial of service (CVE-2018-14044).
The mpg123 project has fixed several bugs in the player, including an invalid read. We upgrade to the latest version which cumulates all those fixes. References:
Updated mailman package fixes security vulnerability: It was discovered that mailman prior to 2.1.29 mishandled URLs in Utils.py:GetPathPieces() which allowed attackers to display arbitrary text on trusted sites (CVE-2018-13796).
The webkit2 package has been updated to version 2.20.5, fixing several security issues and other bugs. References: - https://bugs.mageia.org/show_bug.cgi?id=23408
It was discovered that the Apache XML Security for C++ library performed insufficient validation of KeyInfo hints, which could result in denial of service via NULL pointer dereferences when processing malformed XML data. References:
The cgrulesengd daemon (cgred) in libcgroup through version 0.41 creates log files (/var/log/cgred) with world readable and writable permissions (0o666) due to a reset of the file mode creation mask (umask(0)) in the daemon/cgrulesengd.c:cgre_start_daemon() function (CVE-2018-14348).
unixODBC before version 2.3.5 is vulnerable to a buffer overflow in the DriverManager/__info.c:unicode_to_ansi_copy() method. An attacker could exploit this to cause a denial of service or other unspecified impact (CVE-2018-7409).
Updated bouncycastle packages fix security vulnerabilities: Ensure full validation of ASN.1 encoding of signature on verification. It was possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may have
Updated ghostscript packages fix several security vulnerabilities including: In Artifex Ghostscript 9.23 before 2018-08-23, attackers are able to supply malicious PostScript files to bypass .tempfile restrictions and write files
Updated libx11 packages fix security vulnerabilities: An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later
This kernel-linus update is based on the upstream 4.14.69 and adds additional fixes for the L1TF and Spectre security issues. It also fixes atleast the following security issues: Other fixes in this update:
This kernel-tmb update is based on the upstream 4.14.69 and adds additional fixes for the L1TF and Spectre security issues. It also fixes atleast the following security issues: Memory leak in the irda_bind function in net/irda/af_irda.c and later in
This kernel update is based on the upstream 4.14.69 and adds additional fixes for the L1TF and Spectre security issues. It also fixes atleast the following security issues: Memory leak in the irda_bind function in net/irda/af_irda.c and later in
Updated ntp packages fix security vulnerability: Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6
Updated flash-player-plugin packages fix security vulnerability: Successful exploitation of the currently un-disclosed vulerability could lead to information disclosure (CVE-2018-15967).
Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.
Cloud Security Cryptography Desktop Security Firewall Government Hacks/Cracks IoT Security Network Security Organizations/Events Privacy Security Projects Security Trends Security Vulnerabilities Server Security Vendors/Products
Debian Debian LTS Fedora Gentoo Mageia Oracle openSUSE RockyLinux Slackware SuSE Ubuntu
Harden My Filesystem Learn Tips and Tricks Secure My E-mail Secure My Firewall Secure My Network Secure My Webserver Strengthen My Privacy
Best Secure Linux Distros for Enhanced Privacy & Security The Truth About Linux Malware & How to Protect Your System Is Linux A More Secure Option Than Windows For Businesses? How Secure Is Linux? Top Tips for Securing Your Linux System
Advertise Contribute Your Article Legal Notice RSS Feeds Contact Us Terms of Service Privacy Policy
Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.
