Mageia 2021-0178: python-jinja2 security update
ReDOS vulnerability where urlize could have been called with untrusted user data (CVE-2020-28493). References: - https://bugs.mageia.org/show_bug.cgi?id=28461
ReDOS vulnerability where urlize could have been called with untrusted user data (CVE-2020-28493). References: - https://bugs.mageia.org/show_bug.cgi?id=28461
A denial of service vulnerability was discovered in mongodb whereby a user authorized to perform database queries may issue specially crafted queries, which violate an invariant in the query subsystem's support for geoNear (CVE-2020-7923).
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service
This kernel-linus update is based on upstream 5.10.27 and fixes atleast the following security issues: The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values.
This kernel update is based on upstream 5.10.27 and fixes atleast the following security issues: The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values.
Updated ant packages fix security vulnerability: As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file
Updated ruby-em-http-request packages fix security vulnerability: A flaw was found in rubygem-em-http-request. The eventmachine library does not verify the hostname in a TLS server certificate which can allow an attacker to perform a man-in-the-middle attack. The highest threat from this
Updated python-bottle packages fix security vulnerability: python-bottle before 0.12.19 is vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload (CVE-2020-7608). References: - https://bugs.mageia.org/show_bug.cgi?id=27975