Bundler sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. (CVE-2020-36327)
Malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. References: - https://bugs.mageia.org/show_bug.cgi?id=28380
Updated apache packages fix security vulnerabilities: A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request
Updated apache-mod_security packages fix security vulnerability: ModSecurity mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately
This kernel-linus update is based on upstream 5.15.10 and fixes atleast the following security issues: A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call
This kernel update is based on upstream 5.15.10 and fixes atleast the following security issues: A read-after-free memory flaw was found in the Linux kernel's garbage collection for Unix domain socket file handlers in the way users call
Updated x11-server packages fix security vulnerabilities: The handler for the CompositeGlyphs request of the Render extension does not properly validate the request length leading to out of bounds memory write (CVE-2021-4008).
Updated log4j packages fix security vulnerability: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial
Updated olm packages fix security vulnerability: The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is
Updated privoxy packages fix security vulnerabilities: A security issue has been found in Privoxy before version 3.0.33. get_url_spec_param() did not free memory of compiled pattern spec before bailing (CVE-2021-44540).
Updated watchdog packages fixes an issue with a memory leak when verbose mode is on. References: - https://bugs.mageia.org/show_bug.cgi?id=29576
Updated mediawiki packages fix security vulnerabilities: == Security fixes == * (T292763. CVE-2021-44854) REST API incorrectly publicly caches autocomplete search results from private wikis.
In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property (CVE-2021-44225).
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map
Updated chromium-browser-stable packages fix security vulnerabilities. The chromium-browser-stable package has been updated to 96.0.4664.110 version that fixes multiples security vulnerabilities. One of these CVEs is known to be actively exploited.
Updated vim packages fix security vulnerability: vim is vulnerable to Use After Free (CVE-2021-4069). References:
Updated botan2 packages fix security vulnerability: The ElGamal implementation in Botan through 2.18.1, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the
Updated hiredis packages fix security vulnerability: It was discovered that there was an integer-overflow vulnerability in hiredis, a C client library for communicating with Redis databases. This occurred within the handling and parsing of 'multi-bulk' replies
Updated openssh packages fix security vulnerability: sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for
Updated bind packages fix security vulnerability: Kishore Kumar Kothapalli discovered that the lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays
Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.
Cloud Security Cryptography Desktop Security Firewall Government Hacks/Cracks IoT Security Network Security Organizations/Events Privacy Security Projects Security Trends Security Vulnerabilities Server Security Vendors/Products
Debian Debian LTS Fedora Gentoo Mageia Oracle openSUSE RockyLinux Slackware SuSE Ubuntu
Harden My Filesystem Learn Tips and Tricks Secure My E-mail Secure My Firewall Secure My Network Secure My Webserver Strengthen My Privacy
Best Secure Linux Distros for Enhanced Privacy & Security The Truth About Linux Malware & How to Protect Your System Is Linux A More Secure Option Than Windows For Businesses? How Secure Is Linux? Top Tips for Securing Your Linux System
Advertise Contribute Your Article Legal Notice RSS Feeds Contact Us Terms of Service Privacy Policy
Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.
