Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -3 articles for you...
91
security advisorygentoonormalGentoo: GLSA 202502-04 moderate: npm remote code execution vulnerability
A vulnerability has been discovered in pip, which could lead to arbitrary configuration options being injected.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202501-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: pip: arbitrary configuration injection Date: January 17, 2025 Bugs: #918427 ID: 202501-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been discovered in pip, which could lead to arbitrary configuration options being injected. Background ========== pip is a tool for installing and managing Python packages. Affected packages ================= Package Vulnerable Unaffected -------------- ------------ ------------ dev-python/pip < 23.3 > = 23.3 Description =========== Multiple vulnerabilities have been discovered in pip. Please review the CVE identifiers referenced below for details. Impact ====== When installing a package from a Mercurial VCS URL (ie "pip install hg+..."), the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. Workaround ========== There is no known workaround at this time. Resolution ========== All pip users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =dev-python/pip-23.3" References ========== [ 1 ] CVE-2023-5752 https://nvd.nist.gov/vuln/detail/CVE-2023-5752 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202501-03 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
Jan 17, 2025
Gentoo
87
security advisorycode executiondebianDebian Bookworm: DSA-5769-1 Critical: Git File Management Issues
Multiple issues were found in Git, a fast, scalable, distributed revision control system, which may result in file overwrites outside the repository, arbitrary configuration injection or arbitrary code execution. . - ------------------------------------------------------------------------- Debian Security Advisory DSA-5769-1
Sep 13, 2024
•Critical
Debian
200
security advisoryfile overwriteimportantSciLinux SL7: SLSA-2023-3263-1 Important Git Update and Threats
git: by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (CVE-2023-25652) * git: arbitrary configuration injection when renaming or deleting a section from a configuration file (CVE-2023-29007) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and oth [More...]. Synopsis: Important: git security update Advisory ID: SLSA-2023:3263-1 Issue Date: 2023-05-24 CVE Numbers: CVE-2023-25652 CVE-2023-29007 -- Security Fix(es): * git: by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (CVE-2023-25652) * git: arbitrary configuration injection when renaming or deleting a section from a configuration file (CVE-2023-29007) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE -- SL7 x86_64 git-1.8.3.1-25.el7_9.x86_64.rpm git-daemon-1.8.3.1-25.el7_9.x86_64.rpm git-debuginfo-1.8.3.1-25.el7_9.x86_64.rpm git-gnome-keyring-1.8.3.1-25.el7_9.x86_64.rpm git-svn-1.8.3.1-25.el7_9.x86_64.rpm noarch emacs-git-1.8.3.1-25.el7_9.noarch.rpm emacs-git-el-1.8.3.1-25.el7_9.noarch.rpm git-all-1.8.3.1-25.el7_9.noarch.rpm git-bzr-1.8.3.1-25.el7_9.noarch.rpm git-cvs-1.8.3.1-25.el7_9.noarch.rpm git-email-1.8.3.1-25.el7_9.noarch.rpm git-gui-1.8.3.1-25.el7_9.noarch.rpm git-hg-1.8.3.1-25.el7_9.noarch.rpm git-instaweb-1.8.3.1-25.el7_9.noarch.rpm git-p4-1.8.3.1-25.el7_9.noarch.rpm gitk-1.8.3.1-25.el7_9.noarch.rpm gitweb-1.8.3.1-25.el7_9.noarch.rpm perl-Git-1.8.3.1-25.el7_9.noarch.rpm perl-Git-SVN-1.8.3.1-25.el7_9.noarch.rpm - Scientific Linux Development Team . A vital patch for Git resolves severe vulnerabilities that could facilitate unrestricted configuration insertion and risk unwanted filereplacements.. Git Security, Arbitrary Configuration Injection, SL7 Updates. . Severity: Important. LinuxSecurity.com Team
May 24, 2023
•Important
Scientific Linux
98
security advisorysecurity fiximportantRed Hat Enterprise Linux 9.0 RHSA-2023-3248-01 Important: Git Security Fix
An update for git is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: git security update Advisory ID: RHSA-2023:3248-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2023:3248 Issue date: 2023-05-22 CVE Names: CVE-2023-25652 CVE-2023-25815 CVE-2023-29007 ==================================================================== 1. Summary: An update for git is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Security Fix(es): * git: by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (CVE-2023-25652) * git: arbitrary configuration injection when renaming or deletinga section from a configuration file (CVE-2023-29007) * git: malicious placement of crafted messages when git was compiled with runtime prefix (CVE-2023-25815) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2188333 - CVE-2023-25652 git: by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents 2188337 - CVE-2023-25815 git: malicious placement of crafted messages when git was compiled with runtime prefix 2188338 - CVE-2023-29007 git: arbitrary configuration injection when renaming or deleting a section from a configuration file 6. Package List: Red Hat Enterprise Linux AppStream EUS(v.9.0): Source: git-2.31.1-5.el9_0.src.rpm aarch64: git-2.31.1-5.el9_0.aarch64.rpm git-core-2.31.1-5.el9_0.aarch64.rpm git-core-debuginfo-2.31.1-5.el9_0.aarch64.rpm git-credential-libsecret-2.31.1-5.el9_0.aarch64.rpm git-credential-libsecret-debuginfo-2.31.1-5.el9_0.aarch64.rpm git-daemon-2.31.1-5.el9_0.aarch64.rpm git-daemon-debuginfo-2.31.1-5.el9_0.aarch64.rpm git-debuginfo-2.31.1-5.el9_0.aarch64.rpm git-debugsource-2.31.1-5.el9_0.aarch64.rpm git-subtree-2.31.1-5.el9_0.aarch64.rpm noarch: git-all-2.31.1-5.el9_0.noarch.rpm git-core-doc-2.31.1-5.el9_0.noarch.rpm git-email-2.31.1-5.el9_0.noarch.rpm git-gui-2.31.1-5.el9_0.noarch.rpm git-instaweb-2.31.1-5.el9_0.noarch.rpm git-svn-2.31.1-5.el9_0.noarch.rpm gitk-2.31.1-5.el9_0.noarch.rpm gitweb-2.31.1-5.el9_0.noarch.rpm perl-Git-2.31.1-5.el9_0.noarch.rpm perl-Git-SVN-2.31.1-5.el9_0.noarch.rpm ppc64le: git-2.31.1-5.el9_0.ppc64le.rpm git-core-2.31.1-5.el9_0.ppc64le.rpm git-core-debuginfo-2.31.1-5.el9_0.ppc64le.rpm git-credential-libsecret-2.31.1-5.el9_0.ppc64le.rpm git-credential-libsecret-debuginfo-2.31.1-5.el9_0.ppc64le.rpm git-daemon-2.31.1-5.el9_0.ppc64le.rpm git-daemon-debuginfo-2.31.1-5.el9_0.ppc64le.rpm git-debuginfo-2.31.1-5.el9_0.ppc64le.rpm git-debugsource-2.31.1-5.el9_0.ppc64le.rpm git-subtree-2.31.1-5.el9_0.ppc64le.rpm s390x: git-2.31.1-5.el9_0.s390x.rpm git-core-2.31.1-5.el9_0.s390x.rpm git-core-debuginfo-2.31.1-5.el9_0.s390x.rpm git-credential-libsecret-2.31.1-5.el9_0.s390x.rpm git-credential-libsecret-debuginfo-2.31.1-5.el9_0.s390x.rpm git-daemon-2.31.1-5.el9_0.s390x.rpm git-daemon-debuginfo-2.31.1-5.el9_0.s390x.rpm git-debuginfo-2.31.1-5.el9_0.s390x.rpm git-debugsource-2.31.1-5.el9_0.s390x.rpm git-subtree-2.31.1-5.el9_0.s390x.rpm x86_64: git-2.31.1-5.el9_0.x86_64.rpm git-core-2.31.1-5.el9_0.x86_64.rpm git-core-debuginfo-2.31.1-5.el9_0.x86_64.rpm git-credential-libsecret-2.31.1-5.el9_0.x86_64.rpm git-credential-libsecret-debuginfo-2.31.1-5.el9_0.x86_64.rpm git-daemon-2.31.1-5.el9_0.x86_64.rpm git-daemon-debuginfo-2.31.1-5.el9_0.x86_64.rpm git-debuginfo-2.31.1-5.el9_0.x86_64.rpm git-debugsource-2.31.1-5.el9_0.x86_64.rpm git-subtree-2.31.1-5.el9_0.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key 7. References: https://access.redhat.com/security/cve/CVE-2023-25652 https://access.redhat.com/security/cve/CVE-2023-25815 https://access.redhat.com/security/cve/CVE-2023-29007 https://access.redhat.com/security/updates/classification#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZGskgdzjgjWX9erEAQj5DA//e9/tITQA5CIJBEKojXtF/rGbRLbt3ns9 fez8K07pUEBnzVr0JF91Rem+NBqblyWtLIxGHrgG49Jgq5oyl3CWQwHVoet+kg9m Op4rA3Wll1B3OyHak7FsXNveLK8IU39qiKWo6DeWyj5fTeJCjb0Bi7lziSBAOsIY i8vQHa9kx4WdgTIwXj+b8nEr718UAVgO8N/d82sqS9dL4R1y0gTkDZDGNFs69edw p0d9YEbWBc4Ucj/Mp3NIK8O3mz+NLrtKdvcwk8s/3s6xtVR2FckpIq4zDpvlZhMT OIj5G04ig/UshzMWrmGEnqucKyH9MvTuKJ3Le/rQDCAwYYyDYMRdzmFOr39lIvxD mm6gc+JzJLl2RLOSqDkp+wmeA9Yvw6hcltysqLAsDPYxmiwveOEguAnZUJh6oOXl WYWZha84aUzFqdP24kuZ4gK+BHetMIL5uXfxHDILhaxuzWibC/VcN3o7dOxEp2lw Gk/tO7I35FznCeZibQA85doGDoBMR+OUdm3kHEXO4BMn6TV5nC8MUrbcpipv5spN nqxpkDWSRlrUln5l8mWbw9hWKIqFnkG/+zVUumgJygVJq8l7KtaDty7NLKn8J01r Wa8AnPc5idUTinlTmzFzvNFEtzC32gA6wDMWjNUTTWmBJAUboDlas6cRRfjFfiGL QSX2fDzbwrQ=jpwm -----END PGP SIGNATURE----- -- RHSA-announce mailing list
May 22, 2023
•Important
Red Hat
89
security advisoryupdatesoftware updateFedora 33: 2021-abc123xyz Moderate: Skopeo Path Manipulation Issue
bump podman to v3.0.1, Security fix for CVE-2021-20206 ---- Resolves: #1919391, #1926796 - Security fix for CVE-2021-20206 ---- Autobuilt v1.19.3 ---- Autobuilt v1.19.2 ---- Autobuilt v1.19.1 ---- Autobuilt v1.19.0 ---- harden cgo based golang binaries ---- Autobuilt v0.9.1. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2021-fb466fb623 2021-02-26 01:07:35.018897 --------------------------------------------------------------------------------Name : skopeo Product : Fedora 33 Version : 1.2.2 Release : 1.fc33 URL : https://github.com/containers/skopeo Summary : Inspect container images and repositories on registries Description : Command line utility to inspect images and repositories directly on Docker registries without the need to pull them --------------------------------------------------------------------------------Update Information: bump podman to v3.0.1, Security fix for CVE-2021-20206 ---- Resolves: #1919391, #1926796 - Security fix for CVE-2021-20206 ---- Autobuilt v1.19.3 ---- Autobuilt v1.19.2 ---- Autobuilt v1.19.1 ---- Autobuilt v1.19.0 ----harden cgo based golang binaries ---- Autobuilt v0.9.1 --------------------------------------------------------------------------------ChangeLog: * Fri Feb 19 2021 Lokesh Mandvekar - 1:1.2.2-1 - bump to v1.2.2 * Fri Feb 12 2021 Lokesh Mandvekar - 1:1.2.1-2 - adjust buildtags for centos and bump release * Thu Feb 11 2021 Lokesh Mandvekar - 1:1.2.1-1 - bump to v1.2.1 - depend on standalone containers-common * Tue Dec 15 2020 Lokesh Mandvekar - 1:1.2.0-15 - handle fcf-protection for fedora and centos8 * Tue Dec 15 2020 Lokesh Mandvekar - 1:1.2.0-14 - no fcf-protection for centos7 --------------------------------------------------------------------------------References: [ 1 ] Bug #1919391 - CVE-2021-20206 containernetworking-cni: Arbitrary path injection via type field in CNI configuration https://bugzilla.redhat.com/show_bug.cgi?id=1919391 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2021-fb466fb623' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Feb 25, 2021
Fedora
89
security advisorymoderateFedoraFedora 33 Advisory: CVE-2021-20206 Moderate Threat on Buildah
bump podman to v3.0.1, Security fix for CVE-2021-20206 ---- Resolves: #1919391, #1926796 - Security fix for CVE-2021-20206 ---- Autobuilt v1.19.3 ---- Autobuilt v1.19.2 ---- Autobuilt v1.19.1 ---- Autobuilt v1.19.0 ---- harden cgo based golang binaries ---- Autobuilt v0.9.1. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2021-fb466fb623 2021-02-26 01:07:35.018897 --------------------------------------------------------------------------------Name : buildah Product : Fedora 33 Version : 1.19.6 Release : 2.fc33 URL : https://buildah.io Summary : A command line tool used for creating OCI Images Description : The buildah package provides a command line tool which can be used to * create a working container from scratch or * create a working container from an image as a starting point * mount/umount a working container's root file system for manipulation * save container's root file system layer to create a new image * delete a working container or an image --------------------------------------------------------------------------------Update Information: bump podman to v3.0.1, Security fix for CVE-2021-20206 ---- Resolves: #1919391, #1926796 - Security fix for CVE-2021-20206 ---- Autobuilt v1.19.3 ---- Autobuilt v1.19.2 ---- Autobuilt v1.19.1 ---- Autobuilt v1.19.0 ----harden cgo based golang binaries ---- Autobuilt v0.9.1 --------------------------------------------------------------------------------ChangeLog: * Mon Feb 22 2021 Lokesh Mandvekar - 1.19.6-2 - bump timeout for buildah gating tests - Suggested by Ed Santiago * Fri Feb 19 2021 Dan Walsh - 1.19.6-1 - Fix gating test and bum to 1.19.6 * Fri Feb 12 2021 Lokesh Mandvekar - 1.19.4-3 - adjust buildtags for centos * Thu Feb 11 2021 Lokesh Mandvekar - 1.19.4-2 - bump for centos * Tue Feb 9 2021 Lokesh Mandvekar - 1.19.4-1 - Resolves: #1919391, #1926796 - Security fix for CVE-2021-20206 - bumpto v1.19.4 - adjust dependencies * Fri Jan 29 2021 RH Container Bot - 1.19.3-1 - autobuilt v1.19.3 * Fri Jan 15 2021 RH Container Bot - 1.19.2-1 - autobuilt v1.19.2 * Thu Jan 14 2021 RH Container Bot - 1.19.1-1 - autobuilt v1.19.1 * Sat Jan 9 2021 RH Container Bot - 1.19.0-1 - autobuilt v1.19.0 * Mon Dec 7 2020 Lokesh Mandvekar - 1.18.0-3 - bump release tag for centos OBS * Mon Dec 7 2020 Lokesh Mandvekar - 1.18.0-2 - harden cgo based go binaries - Reported-by: Wade Mealing --------------------------------------------------------------------------------References: [ 1 ] Bug #1919391 - CVE-2021-20206 containernetworking-cni: Arbitrary path injection via type field in CNI configuration https://bugzilla.redhat.com/show_bug.cgi?id=1919391 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2021-fb466fb623' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Feb 25, 2021
Fedora
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!