The updated php-pear packages fix a security vulnerability in component Archive_tar, a symlink out-of-path write vulnerability. Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links. (CVE-2020-36193).
Multiples vulnerabilities have been discovered in dnsmasq up to version 2.82: - subtle errors in dnsmasq's protections against cache-poisoning attacks (CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686) - buffer overflow in dnsmasq's DNSSEC code (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687)
This kernel-linus update is based on upstream 5.10.11 and fixes atleast the following security issue: SCSI “EXTENDED COPY” (XCOPY) requests sent to a Linux SCSI target (LIO) allow an attacker to read or write anywhere on any LIO backstore configured
Vulnerability in the Data Store component of Oracle Berkeley DB. Easily exploitable vulnerability allows low privileged attacker having Local Logon privilege with logon to the infrastructure where Data Store executes to compromise Data Store. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Data
A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug (CVE-2021-3156).
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest() (CVE-2020-26137). References:
It was discovered that pip did not properly sanitize the filename during pip install. A remote attacker could possible use this issue to read and write arbitrary files on the host filesystem as root, resulting in a directory traversal attack (CVE-2019-20916).
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling (CVE-2020-10719). References: