Explore Latest Linux Security advisories


Fedora 41: FEDORA-2025-18cb3f852d critical: OpenSSH Match Directive Issue

Fix regression of Match directive processing.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-18cb3f852d
2025-02-20 02:26:22.548385+00:00
--------------------------------------------------------------------------------

Name        : openssh
Product     : Fedora 41
Version     : 9.9p1
Release     : 3.fc41
URL         : https://www.openssh.org/portable.html
Summary     : An open source implementation of SSH protocol version 2
Description :
SSH (Secure SHell) is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's version of the last free version of SSH, bringing it up to date in terms of security and features.

This package includes the core files necessary for both the OpenSSH client and server. To make this package useful, you should also install openssh-clients, openssh-server, or both.
--------------------------------------------------------------------------------
Update Information:

Fix regression of Match directive processing
--------------------------------------------------------------------------------
ChangeLog:

* Tue Feb 18 2025 Dmitry Belyavskiy - 9.9p1-3
- Fix regression of Match directive processing
- Fix missing error codes set and invalid error code checks in OpenSSH. It prevents memory exhaustion attack and a MITM attack when VerifyHostKeyDNS is on (CVE-2025-26465, CVE-2025-26466).
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-18cb3f852d'
at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

Recent updates on the OpenSSH security advisory for Fedora 41 address Match directive vulnerabilities, enhancing security and mitigating risks from misconfigurations.

Severity: Critical. LinuxSecurity.com Team

Feb 20, 2025 | Critical | Fedora

Ubuntu 18.04 & 16.04: USN-6857-1 Critical: Squid DoS Issues

Several security issues were fixed in Squid.

==========================================================================
Ubuntu Security Notice USN-6857-1
June 27, 2024

squid3 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Squid.

Software Description:
- squid3: Web proxy cache server

Details:

Joshua Rogers discovered that Squid incorrectly handled requests with the urn: scheme. A remote attacker could possibly use this issue to cause Squid to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2021-28651)

It was discovered that Squid incorrectly handled SSPI and SMB authentication. A remote attacker could use this issue to cause Squid to crash, resulting in a denial of service, or possibly obtain sensitive information. This issue only affected Ubuntu 16.04 LTS. (CVE-2022-41318)

Joshua Rogers discovered that Squid incorrectly handled HTTP message processing. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. (CVE-2023-49285)

Joshua Rogers discovered that Squid incorrectly handled Helper process management. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. (CVE-2023-49286)

Joshua Rogers discovered that Squid incorrectly handled HTTP request parsing. A remote attacker could possibly use this issue to cause Squid to crash, resulting in a denial of service. (CVE-2023-50269, CVE-2024-25617)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
  squid    3.5.27-1ubuntu1.14+esm2   Available with Ubuntu Pro
  squid3   3.5.27-1ubuntu1.14+esm2   Available with Ubuntu Pro

Ubuntu 16.04 LTS
  squid    3.5.12-1ubuntu7.16+esm3   Available with Ubuntu Pro
  squid3   3.5.12-1ubuntu7.16+esm3   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6857-1
  CVE-2021-28651, CVE-2022-41318, CVE-2023-49285, CVE-2023-49286, CVE-2023-50269, CVE-2024-25617

Several security updates for Squid in Ubuntu have been released, mitigating risks of denial of service and potential remote intrusions.

Severity: Critical. LinuxSecurity.com Team

Jun 27, 2024 | Critical | Ubuntu

SUSE: 2024:1149-1 Moderate: Postfix SMTP Attack Prevention

# Security update for postfix

Announcement ID: SUSE-SU-2024:1149-1
Rating: moderate
References:
  * bsc#1218304
  * bsc#1218314
Cross-References:
  * CVE-2023-51764
CVSS scores:
  * CVE-2023-51764 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  * CVE-2023-51764 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:
  * SUSE Linux Enterprise High Performance Computing 12 SP5
  * SUSE Linux Enterprise Server 12 SP5
  * SUSE Linux Enterprise Server for SAP Applications 12 SP5
  * SUSE Linux Enterprise Software Development Kit 12 SP5

An update that solves one vulnerability and has one security fix can now be installed.

## Description:

This update for postfix fixes the following issues:

* CVE-2023-51764: Prevent SMTP smuggling attack. (bsc#1218304)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Software Development Kit 12 SP5
  zypper in -t patch SUSE-SLE-SDK-12-SP5-2024-1149=1
* SUSE Linux Enterprise High Performance Computing 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-1149=1
* SUSE Linux Enterprise Server 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-1149=1
* SUSE Linux Enterprise Server for SAP Applications 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-1149=1

## Package List:

* SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64)
  * postfix-debuginfo-3.2.10-3.30.1
  * postfix-debugsource-3.2.10-3.30.1
  * postfix-devel-3.2.10-3.30.1
* SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
  * postfix-debuginfo-3.2.10-3.30.1
  * postfix-mysql-3.2.10-3.30.1
  * postfix-3.2.10-3.30.1
  * postfix-mysql-debuginfo-3.2.10-3.30.1
  * postfix-debugsource-3.2.10-3.30.1
* SUSE Linux Enterprise High Performance Computing 12 SP5 (noarch)
  * postfix-doc-3.2.10-3.30.1
* SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
  * postfix-debuginfo-3.2.10-3.30.1
  * postfix-mysql-3.2.10-3.30.1
  * postfix-3.2.10-3.30.1
  * postfix-mysql-debuginfo-3.2.10-3.30.1
  * postfix-debugsource-3.2.10-3.30.1
* SUSE Linux Enterprise Server 12 SP5 (noarch)
  * postfix-doc-3.2.10-3.30.1
* SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
  * postfix-debuginfo-3.2.10-3.30.1
  * postfix-mysql-3.2.10-3.30.1
  * postfix-3.2.10-3.30.1
  * postfix-mysql-debuginfo-3.2.10-3.30.1
  * postfix-debugsource-3.2.10-3.30.1
* SUSE Linux Enterprise Server for SAP Applications 12 SP5 (noarch)
  * postfix-doc-3.2.10-3.30.1

## References:

* https://www.suse.com/security/cve/CVE-2023-51764.html
* https://bugzilla.suse.com/show_bug.cgi?id=1218304
* https://bugzilla.suse.com/show_bug.cgi?id=1218314

Critical security patch released for Postfix to enhance SMTP attack defenses.

LinuxSecurity.com Team

Apr 08, 2024 | SuSE

openSUSE 15.5 Advisory: Important Salt Security Fix - SUSE-SU-2024:0510-1

# Security update for salt

Announcement ID: SUSE-SU-2024:0510-1
Rating: important
References:
  * bsc#1193948
  * bsc#1211649
  * bsc#1215963
  * bsc#1216284
  * bsc#1219430
  * bsc#1219431
  * jsc#MSQA-719
Cross-References:
  * CVE-2024-22231
  * CVE-2024-22232
CVSS scores:
  * CVE-2024-22231 ( SUSE ): 5.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
  * CVE-2024-22232 ( SUSE ): 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected Products:
  * Basesystem Module 15-SP5
  * openSUSE Leap 15.5
  * Server Applications Module 15-SP5
  * SUSE Linux Enterprise Desktop 15 SP5
  * SUSE Linux Enterprise High Performance Computing 15 SP5
  * SUSE Linux Enterprise Micro 5.5
  * SUSE Linux Enterprise Real Time 15 SP5
  * SUSE Linux Enterprise Server 15 SP5
  * SUSE Linux Enterprise Server for SAP Applications 15 SP5
  * Transactional Server Module 15-SP5

An update that solves two vulnerabilities, contains one feature and has four security fixes can now be installed.

## Description:

This update for salt fixes the following issues:

Security issues fixed:

* CVE-2024-22231: Prevent directory traversal when creating syndic cache directory on the master (bsc#1219430)
* CVE-2024-22232: Prevent directory traversal attacks in the master's serve_file method (bsc#1219431)

Bugs fixed:

* Ensure that pillar refresh loads beacons from pillar without restart
* Fix the aptpkg.py unit test failure
* Prefer unittest.mock to python-mock in test suite
* Enable "KeepAlive" probes for Salt SSH executions (bsc#1211649)
* Revert changes to set Salt configured user early in the stack (bsc#1216284)
* Align behavior of some modules when using salt-call via symlink (bsc#1215963)
* Fix gitfs "__env__" and improve cache cleaning (bsc#1193948)
* Remove python-boto dependency for the python3-salt-testsuite package for Tumbleweed

## Special Instructions and Notes:

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* openSUSE Leap 15.5
  zypper in -t patch SUSE-2024-510=1 openSUSE-SLE-15.5-2024-510=1
* SUSE Linux Enterprise Micro 5.5
  zypper in -t patch SUSE-SLE-Micro-5.5-2024-510=1
* Basesystem Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-510=1
* Server Applications Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP5-2024-510=1
* Transactional Server Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Transactional-Server-15-SP5-2024-510=1

## Package List:

* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64 i586)
  * salt-ssh-3006.0-150500.4.29.1
  * salt-cloud-3006.0-150500.4.29.1
  * python3-salt-testsuite-3006.0-150500.4.29.1
  * salt-3006.0-150500.4.29.1
  * salt-doc-3006.0-150500.4.29.1
  * python3-salt-3006.0-150500.4.29.1
  * salt-proxy-3006.0-150500.4.29.1
  * salt-syndic-3006.0-150500.4.29.1
  * salt-master-3006.0-150500.4.29.1
  * salt-minion-3006.0-150500.4.29.1
  * salt-transactional-update-3006.0-150500.4.29.1
  * salt-api-3006.0-150500.4.29.1
  * salt-standalone-formulas-configuration-3006.0-150500.4.29.1
* openSUSE Leap 15.5 (noarch)
  * salt-bash-completion-3006.0-150500.4.29.1
  * salt-fish-completion-3006.0-150500.4.29.1
  * salt-zsh-completion-3006.0-150500.4.29.1
* SUSE Linux Enterprise Micro 5.5 (aarch64 s390x x86_64)
  * salt-minion-3006.0-150500.4.29.1
  * salt-3006.0-150500.4.29.1
  * python3-salt-3006.0-150500.4.29.1
  * salt-transactional-update-3006.0-150500.4.29.1
* Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
  * salt-minion-3006.0-150500.4.29.1
  * salt-3006.0-150500.4.29.1
  * salt-doc-3006.0-150500.4.29.1
  * python3-salt-3006.0-150500.4.29.1
* Basesystem Module 15-SP5 (noarch)
  * salt-bash-completion-3006.0-150500.4.29.1
  * salt-zsh-completion-3006.0-150500.4.29.1
* Server Applications Module 15-SP5 (aarch64 ppc64le s390x x86_64)
  * salt-ssh-3006.0-150500.4.29.1
  * salt-cloud-3006.0-150500.4.29.1
  * salt-proxy-3006.0-150500.4.29.1
  * salt-syndic-3006.0-150500.4.29.1
  * salt-master-3006.0-150500.4.29.1
  * salt-api-3006.0-150500.4.29.1
  * salt-standalone-formulas-configuration-3006.0-150500.4.29.1
* Server Applications Module 15-SP5 (noarch)
  * salt-fish-completion-3006.0-150500.4.29.1
* Transactional Server Module 15-SP5 (aarch64 ppc64le s390x x86_64)
  * salt-transactional-update-3006.0-150500.4.29.1

## References:

* https://www.suse.com/security/cve/CVE-2024-22231.html
* https://www.suse.com/security/cve/CVE-2024-22232.html
* https://bugzilla.suse.com/show_bug.cgi?id=1193948
* https://bugzilla.suse.com/show_bug.cgi?id=1211649
* https://bugzilla.suse.com/show_bug.cgi?id=1215963
* https://bugzilla.suse.com/show_bug.cgi?id=1216284
* https://bugzilla.suse.com/show_bug.cgi?id=1219430
* https://bugzilla.suse.com/show_bug.cgi?id=1219431

This essential patch addresses security flaws in Salt, enhancing system protection and reliability across SUSE versions.

Severity: Important. LinuxSecurity.com Team

Feb 15, 2024 | Important | OpenSUSE

Ubuntu 21.10 USN-5295-2 Moderate: Kernel Security Issues and Fixes

Several security issues were fixed in the Linux kernel.

=========================================================================
Ubuntu Security Notice USN-5295-2
February 22, 2022

linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-raspi vulnerabilities
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-kvm: Linux kernel for cloud environments
- linux-oracle: Linux kernel for Oracle Cloud systems
- linux-raspi: Linux kernel for Raspberry Pi systems

Details:

It was discovered that the Packet network protocol implementation in the Linux kernel contained a double-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-22600)

Jann Horn discovered a race condition in the Unix domain socket implementation in the Linux kernel that could result in a read-after-free. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2021-4083)

Kirill Tkhai discovered that the XFS file system implementation in the Linux kernel did not calculate size correctly when pre-allocating space in some situations. A local attacker could use this to expose sensitive information. (CVE-2021-4155)

Sushma Venkatesh Reddy discovered that the Intel i915 graphics driver in the Linux kernel did not perform a GPU TLB flush in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2022-0330)

It was discovered that the VMware Virtual GPU driver in the Linux kernel did not properly handle certain failure conditions, leading to a stale entry in the file descriptor table. A local attacker could use this to expose sensitive information or possibly gain administrative privileges. (CVE-2022-22942)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 21.10:
  linux-image-5.13.0-1013-kvm            5.13.0-1013.14
  linux-image-5.13.0-1015-gcp            5.13.0-1015.18
  linux-image-5.13.0-1017-raspi          5.13.0-1017.19
  linux-image-5.13.0-1017-raspi-nolpae   5.13.0-1017.19
  linux-image-5.13.0-1018-oracle         5.13.0-1018.22
  linux-image-5.13.0-30-generic          5.13.0-30.33
  linux-image-5.13.0-30-generic-64k      5.13.0-30.33
  linux-image-5.13.0-30-generic-lpae     5.13.0-30.33
  linux-image-5.13.0-30-lowlatency       5.13.0-30.33
  linux-image-aws                        5.13.0.1014.15
  linux-image-gcp                        5.13.0.1015.14
  linux-image-generic                    5.13.0.30.40
  linux-image-generic-64k                5.13.0.30.40
  linux-image-generic-lpae               5.13.0.30.40
  linux-image-gke                        5.13.0.1015.14
  linux-image-kvm                        5.13.0.1013.13
  linux-image-lowlatency                 5.13.0.30.40
  linux-image-oem-20.04                  5.13.0.30.40
  linux-image-oracle                     5.13.0.1018.18
  linux-image-raspi                      5.13.0.1017.22
  linux-image-raspi-nolpae               5.13.0.1017.22
  linux-image-virtual                    5.13.0.30.40

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References:
  https://ubuntu.com/security/notices/USN-5295-2
  https://ubuntu.com/security/notices/USN-5295-1
  CVE-2021-22600, CVE-2021-4083, CVE-2021-4155, CVE-2022-0330, CVE-2022-22942

Package Information:
  https://launchpad.net/ubuntu/+source/linux/5.13.0-30.33
  https://launchpad.net/ubuntu/+source/linux-aws/5.13.0-1014.15
  https://launchpad.net/ubuntu/+source/linux-gcp/5.13.0-1015.18
  https://launchpad.net/ubuntu/+source/linux-kvm/5.13.0-1013.14
  https://launchpad.net/ubuntu/+source/linux-oracle/5.13.0-1018.22
  https://launchpad.net/ubuntu/+source/linux-raspi/5.13.0-1017.19

Delve into essential updates regarding vulnerabilities within the Linux kernel for Ubuntu, highlighting numerous security concerns and user remediation steps.

LinuxSecurity.com Team

Feb 22, 2022 | Ubuntu

Mageia 8 MGASA-2021-0571 Critical: OLM Buffer Overflow Mitigation

MGASA-2021-0571 - Updated olm packages fix security vulnerability

Publication date: 19 Dec 2021
URL: https://advisories.mageia.org/MGASA-2021-0571.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-44538

Updated olm packages fix security vulnerability:

The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits (CVE-2021-44538).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29773
- https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk
- https://www.cve.org/CVERecord?id=CVE-2021-44538

SRPMS:
- 8/core/olm-3.2.1-1.1.mga8

The notification outlines a critical patch for olm components targeting a memory overflow security issue within Matrix libolm.

Severity: Critical. LinuxSecurity.com Team

Dec 19, 2021 | Critical | Mageia

SUSE OpenStack Cloud 9: 2021:4097-1 Critical: Storm-Kit Security Fix

An update that solves two vulnerabilities and has one errata is now available.

SUSE Security Update: Security update for storm-kit
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:4097-1
Rating:             critical
References:         #1193611 #1193641 #1193662
Cross-References:   CVE-2021-4104 CVE-2021-44228
CVSS scores:
  CVE-2021-4104 (SUSE): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-44228 (NVD) : 10 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  CVE-2021-44228 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  SUSE OpenStack Cloud Crowbar 9
  SUSE OpenStack Cloud 9
______________________________________________________________________________

An update that solves two vulnerabilities and has one errata is now available.

Description:

This update for storm-kit fixes the following issues:

- Remove JndiLookup from log4j 2.x jars during build to prevent "log4shell" code injection. (bsc#1193641, bsc#1193611, CVE-2021-44228)
- Remove JMSAppender from log4j 1.2.x jars during build to prevent attacks when JMS is enabled (bsc#1193641, bsc#1193662, CVE-2021-4104)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-4097=1
- SUSE OpenStack Cloud 9:
  zypper in -t patch SUSE-OpenStack-Cloud-9-2021-4097=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
  storm-1.2.3-3.5.1
  storm-nimbus-1.2.3-3.5.1
  storm-supervisor-1.2.3-3.5.1
- SUSE OpenStack Cloud 9 (noarch):
  venv-openstack-monasca-x86_64-2.7.1~dev10-3.25.1
- SUSE OpenStack Cloud 9 (x86_64):
  storm-1.2.3-3.5.1
  storm-nimbus-1.2.3-3.5.1
  storm-supervisor-1.2.3-3.5.1

References:

https://www.suse.com/security/cve/CVE-2021-4104.html
https://www.suse.com/security/cve/CVE-2021-44228.html
https://bugzilla.suse.com/1193611
https://bugzilla.suse.com/1193641
https://bugzilla.suse.com/1193662

Essential SUSE patch for storm-kit resolves critical flaws in OpenStack Cloud solutions.

Severity: Critical. LinuxSecurity.com Team

Dec 15, 2021 | Critical | SuSE

Fedora 33: FEDORA-2021-3ab4512c98 Critical HAProxy Security Fix

Security fix for CVE-2021-39240, CVE-2021-39241, CVE-2021-39242.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-3ab4512c98
2021-08-26 21:09:57.867706
--------------------------------------------------------------------------------

Name        : haproxy
Product     : Fedora 33
Version     : 2.2.16
Release     : 1.fc33
URL         : http://www.haproxy.org/
Summary     : HAProxy reverse proxy for high availability environments
Description :
HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. Indeed, it can:
- route HTTP requests depending on statically assigned cookies
- spread load among several servers while assuring server persistence through the use of HTTP cookies
- switch to backup servers in the event a main one fails
- accept connections to special ports dedicated to service monitoring
- stop accepting connections without breaking existing ones
- add, modify, and delete HTTP headers in both directions
- block requests matching particular patterns
- report detailed status to authenticated users from a URI intercepted from the application
--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2021-39240, CVE-2021-39241, CVE-2021-39242
--------------------------------------------------------------------------------
ChangeLog:

* Wed Aug 18 2021 Ryan O'Hara - 2.2.16-1
- Update to 2.2.16
- Fix domain parts in :scheme and :path fields (CVE-2021-39240, #1995105)
- Fix spaces in the :method field (CVE-2021-39241, #1995109)
- Fix mismatch between :authority and Host fields (CVE-2021-39242, #1995113)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1995105 - CVE-2021-39240 haproxy: does not ensure that the scheme and path portions of a URI have the expected characters [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1995105
[ 2 ] Bug #1995109 - CVE-2021-39241 haproxy: an HTTP method name may contain a space followed by the name of a protected resource [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1995109
[ 3 ] Bug #1995113 - CVE-2021-39242 haproxy: it can lead to a situation with an attacker-controlled HTTP Host header because a mismatch between Host and authority is mishandled [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1995113
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-3ab4512c98'
at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

The latest HAProxy release for Fedora 33 resolves various security vulnerabilities, enhancing the management of HTTP requests and bolstering defenses against potential attacks.

Severity: Critical. LinuxSecurity.com Team

Aug 26, 2021 | Critical | Fedora