Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH protocol used in FileZilla is prone to a prefix truncation attack, known as the "Terrapin attack". A remote attacker could use this issue to downgrade or disable some security features and obtain sensitive information.
Upstream version 6.6.14 with many bugfixes and at least the following security fixes: An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
The updated packages fix security vulnerabilities: A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to
The updated packages fix a security vulnerability: pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations. (CVE-2024-22365) References:
Postfix has been updated to fix smtp smuggling, an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than . References:
This update fixes two security vulnerabilities, CVE-2023-3012 and CVE-2023-3291, see the References below. References: - https://bugs.mageia.org/show_bug.cgi?id=32016
The updated packages fix security vulnerabilities: A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program
Out of bounds write in ANGLE. (CVE-2024-0741) Failure to update user input timestamp. (CVE-2024-0742) Crash when listing printers on Linux. (CVE-2024-0746)
The updated packages fix a security vulnerability: Write past buffer end via illegal user-defined Unicode property. (CVE-2023-47038) References:
The updated packages fix security vulnerabilities: Excessive time spent in DH check / generation with large Q parameter value. (CVE-2023-5678) POLY1305 MAC implementation corrupts vector registers on PowerPC. (CVE-2023-6129)
Updated zlib packages fix a security vulnerability: Directory traversal vulnerability in the do_extract_currentfile function in miniunz.c in miniunzip in minizip before 1.1-5 might allow remote attackers to write to arbitrary files via a crafted
This update fixes the following security issue: Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter This is a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
The chromium-browser-stable package has been updated to the 120.0.6099.224 release. 4 vulnerabilities are fixed; some of them are listed below: High CVE-2024-0517: Out of bounds write in V8. Reported by Toan (suto) Pham of Qrious Secure on 2024-01-06.
The updated packages fix security vulnerabilities: A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record. (CVE-2023-38469) A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function. (CVE-2023-38470)
The updated packages fix a security vulnerability: Prefix Truncation Attacks in SSH Specification (Terrapin Attack): erlang-ssh. (CVE-2023-48795) References:
The updated packages fix a security vulnerability: StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML through 2.6.2 has a reachable assertion (and application exit) via a crafted XML document with a '\0' located after whitespace. (CVE-2023-34194)
There were security issues in hplip's `hpps` program due to fixed /tmp path usage in prnt/hpps/hppsfilter.c This update fixes these issues. References:
The updated packages fix security vulnerabilities Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver. (CVE-2023-6856) Potential exposure of uninitialized data in EncryptingOutputStream. (CVE-2023-6865)
The chromium-browser-stable package has been updated to the 120.0.6099.216release. Together with 120.0.6099.199, 7 vulnerabilities are fixed; some of them are listed below: References:
The updated packages fix security vulnerabilities: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (CVE-2023-38408)
Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.
Cloud Security Cryptography Desktop Security Firewall Government Hacks/Cracks IoT Security Network Security Organizations/Events Privacy Security Projects Security Trends Security Vulnerabilities Server Security Vendors/Products
Debian Debian LTS Fedora Gentoo Mageia Oracle openSUSE RockyLinux Slackware SuSE Ubuntu
Harden My Filesystem Learn Tips and Tricks Secure My E-mail Secure My Firewall Secure My Network Secure My Webserver Strengthen My Privacy
Best Secure Linux Distros for Enhanced Privacy & Security The Truth About Linux Malware & How to Protect Your System Is Linux A More Secure Option Than Windows For Businesses? How Secure Is Linux? Top Tips for Securing Your Linux System
Advertise Contribute Your Article Legal Notice RSS Feeds Contact Us Terms of Service Privacy Policy
Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.
