Mageia 2021-0591: eclipse security update
Authenticate active help requests to the local help web server (CVE-2020-27225) References: - https://bugs.mageia.org/show_bug.cgi?id=29048
Authenticate active help requests to the local help web server (CVE-2020-27225) References: - https://bugs.mageia.org/show_bug.cgi?id=29048
CryptSym: fix AES output IV (CVE-2021-3505). Fixed a context save and suspend/resume problem when public keys are loaded. Reset too large size indicators in TPM2B to avoid access beyond buffer (CVE-2021-3623)
This kernel-linus update is based on upstream 5.15.11 and fixes atleast the following security issues: Potentially malicious XEN PV backends can cause guest DoS due to unhardened frontends in the guests, even though this ought to have been prevented by
This kernel update is based on upstream 5.15.11 and fixes atleast the following security issues: Potentially malicious XEN PV backends can cause guest DoS due to unhardened frontends in the guests, even though this ought to have been prevented by
net/http: limit growth of header canonicalization cache (CVE-2021-44716) syscall: don't close fd 0 on ForkExec error (CVE-2021-44717) References: - https://bugs.mageia.org/show_bug.cgi?id=29807
Fixes out of bounds read issue in *larrv functions (CVE-2021-4048) References: - https://bugs.mageia.org/show_bug.cgi?id=29788 - https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./thread/DROZM4M2QRKSD6FBO4BHSV2QMIRJQPHT/
Multiple security issues affecting ldb, samba and sssd. See references for details. References: - https://bugs.mageia.org/show_bug.cgi?id=29641
OpenPGP signature status doesn't consider additional message content. (CVE-2021-4126) Matrix chat library libolm bundled with Thunderbird vulnerable to a buffer overflow. (CVE-2021-44538)
Processing maliciously crafted web content may lead to unexpectedly unenforced Content Security Policy. (CVE-2021-30887) Processing maliciously crafted web content may lead to universal cross site scripting. (CVE-2021-30890)
Heap out-of-bound read vulnerability in rr_frm_str_internal function Heap out-of-bound read vulnerability in ldns_nsec3_salt_data function Fixed time memory compare for Openssl 0.9.8 References:
Out of bounds in php_pcre_replace_impl (CVE-2017-9118) Multiple bugs fixed. See referenced changelog for details. References: - https://bugs.mageia.org/show_bug.cgi?id=29775
Multiple security issues found in ezXML, bundled in netcdf References: - https://bugs.mageia.org/show_bug.cgi?id=29241 - https://www.debian.org/lts/security/2021/dla-2705
Bundler sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. (CVE-2020-36327)
Malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. References: - https://bugs.mageia.org/show_bug.cgi?id=28380
Updated apache packages fix security vulnerabilities: A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request
Updated apache-mod_security packages fix security vulnerability: ModSecurity mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately
This kernel-linus update is based on upstream 5.15.10 and fixes atleast the following security issues: A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call
This kernel update is based on upstream 5.15.10 and fixes atleast the following security issues: A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call
Updated x11-server packages fix security vulnerabilities: The handler for the CompositeGlyphs request of the Render extension does not properly validate the request length leading to out of bounds memory write (CVE-2021-4008).
Updated log4j packages fix security vulnerability: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial