A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to make pip install a different revision of a repository than the one requested (CVE-2021-3572). The bundled python-urllib3 was also vulnerable to:
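As an added illustration of the flaw class behind CVE-2021-3572 (example code written for this page, not pip's own source): a parser of `git show-ref` output that relies on Python's Unicode-aware `str.splitlines()` and `str.split()` lets a ref name containing U+2028 (LINE SEPARATOR) and U+2003 (EM SPACE), both of which git accepts in ref names, inject an extra attacker-chosen ref line, so a request for tag `v1.0` resolves to the attacker's commit. The show-ref output, SHA values and the `resolve()` lookup order (remote branch before tag) are constructed for the example; the hardened parser splits only on the single `\n` and ASCII space that git actually emits and validates the SHA field.

```python
import re

# Constructed sample data (not real commits). The legitimate tag v1.0 points
# at GOOD_SHA; the attacker's branch points at EVIL_SHA.
GOOD_SHA = "a" * 40
EVIL_SHA = "b" * 40

# Constructed `git show-ref` output in git's sorted order. The attacker named
# their branch so that, after Unicode-aware splitting, a bogus
# "refs/remotes/origin/v1.0" line appears. U+2028 and U+2003 contain no ASCII
# control characters or spaces, so git-check-ref-format accepts the name.
SHOW_REF_OUTPUT = (
    f"{GOOD_SHA} refs/remotes/origin/main\n"
    f"{EVIL_SHA} refs/remotes/origin/x\u2028{EVIL_SHA}\u2003refs/remotes/origin/v1.0\n"
    f"{GOOD_SHA} refs/tags/v1.0\n"
)

HEX40 = re.compile(r"[0-9a-f]{40}")


def parse_show_ref_vulnerable(output: str) -> dict:
    """Flawed pattern: splitlines()/split() honour Unicode separators."""
    refs = {}
    for line in output.strip().splitlines():  # also splits on U+2028, U+2029, U+0085, \x1c-\x1e
        sha, ref = line.split()                # also splits on U+2003, U+00A0 and other Unicode spaces
        refs[ref] = sha
    return refs


def parse_show_ref_hardened(output: str) -> dict:
    """Hardened pattern: split only on the bytes git emits and validate the SHA."""
    refs = {}
    for line in output.strip().split("\n"):    # git terminates lines with "\n" only
        line = line.rstrip("\r")
        if not line:
            continue
        sha, sep, ref = line.partition(" ")    # exactly one ASCII space between sha and ref
        if not sep or not HEX40.fullmatch(sha) or not ref:
            raise ValueError(f"unexpected show-ref line: {line!r}")
        refs[ref] = sha
    return refs


def resolve(refs: dict, rev: str):
    """Resolve a user-supplied rev the way a VCS backend typically does
    (assumed order): a remote branch of that name wins over a tag of that name."""
    for candidate in (f"refs/remotes/origin/{rev}", f"refs/tags/{rev}"):
        if candidate in refs:
            return refs[candidate]
    return None


if __name__ == "__main__":
    vuln = resolve(parse_show_ref_vulnerable(SHOW_REF_OUTPUT), "v1.0")
    hard = resolve(parse_show_ref_hardened(SHOW_REF_OUTPUT), "v1.0")
    print("vulnerable parser installs attacker commit:", vuln == EVIL_SHA)
    print("hardened parser installs tagged commit:   ", hard == GOOD_SHA)
```

The hardened parser keeps the attacker's whole ref name, separators included, as a single dictionary key, so it can never collide with a ref the user asked for; the SHA check additionally rejects any line whose first field is not a 40-character hex string, which is the cheapest way to catch future variants of the same trick.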
In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to consume 100% of the CPU time on the target system (depending on the CPU type, or by running several such payloads in parallel), resulting in a denial of service solely by manipulating the processed input stream (CVE-2021-21341).
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method (CVE-2021-27918).
A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 2.0.0. A specially crafted 3MF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability (CVE-2021-21772).
This kernel-linus update is based on upstream 5.10.52 and fixes at least the following security issue: a race condition in net/can/bcm.c (the CAN broadcast manager) that can lead to local privilege escalation to root (CVE-2021-3609).
This kernel update is based on upstream 5.10.52 and fixes at least the following security issue: a race condition in net/can/bcm.c (the CAN broadcast manager) that can lead to local privilege escalation to root (CVE-2021-3609).
This systemd update provides the v246.15 maintenance release and fixes at least the following security issues: An exploitable denial-of-service vulnerability exists in systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running
Crash in DNP dissector in Wireshark 3.4.0 to 3.4.6 and 3.2.0 to 3.2.14 allows denial of service via packet injection or crafted capture file (CVE-2021-22235). References:
perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows remote attackers to cause an infinite loop via unexpected input (CVE-2013-7488). References: