Explore top 10 tips to secure your open-source projects now. Read More
×
A flaw with the authentication cache management was discovered in the Dovecot email server, which could result in users being logged in as the wrong user in certain configurations. For the stable distribution (trixie), this problem has been fixed in version 1:2.4.1+dfsg1-6+deb13u1.. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6019-1
Several security issues were fixed in the Linux kernel.. ========================================================================== Ubuntu Security Notice USN-6739-1 April 19, 2024 linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS (Available with Ubuntu Pro) - Ubuntu 14.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services (AWS) systems - linux-kvm: Linux kernel for cloud environments - linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty Details: It was discovered that a race condition existed in the instruction emulator of the Linux kernel on Arm 64-bit systems. A local attacker could use this to cause a denial of service (system crash). (CVE-2022-20422) Wei Chen discovered that a race condition existed in the TIPC protocol implementation in the Linux kernel, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-1382) Jose Oliveira and Rodrigo Branco discovered that the Spectre Variant 2 mitigations with prctl syscall were insufficient in some situations. A local attacker could possibly use this to expose sensitive information. (CVE-2023-1998) Daniele Antonioli discovered that the Secure Simple Pairing and Secure Connections pairing in the Bluetooth protocol could allow an unauthenticated user to complete authentication without pairing credentials. A physically proximate attacker placed between two Bluetooth devices could use this to subsequently impersonate one of the paired devices. (CVE-2023-24023) shanzhulig discovered that the DRM subsystem in the Linux kernel contained a race condition when performing certain operation whilehandling driver unload, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-51043) It was discovered that a race condition existed in the Bluetooth subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-51779) It was discovered that the device mapper driver in the Linux kernel did not properly validate target size during certain memory allocations. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-52429, CVE-2024-23851) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Architecture specifics; - ACPI drivers; - I2C subsystem; - Media drivers; - JFS file system; - IPv4 Networking; - Open vSwitch; (CVE-2021-46966, CVE-2021-46936, CVE-2023-52451, CVE-2019-25162, CVE-2023-52445, CVE-2023-52600, CVE-2021-46990, CVE-2021-46955, CVE-2023-52603) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS (Available with Ubuntu Pro): linux-image-4.4.0-1131-kvm 4.4.0-1131.141 linux-image-4.4.0-1168-aws 4.4.0-1168.183 linux-image-4.4.0-253-generic 4.4.0-253.287 linux-image-4.4.0-253-lowlatency 4.4.0-253.287 linux-image-aws 4.4.0.1168.172 linux-image-generic 4.4.0.253.259 linux-image-generic-lts-xenial 4.4.0.253.259 linux-image-kvm 4.4.0.1131.128 linux-image-lowlatency 4.4.0.253.259 linux-image-lowlatency-lts-xenial 4.4.0.253.259 linux-image-virtual 4.4.0.253.259 linux-image-virtual-lts-xenial 4.4.0.253.259 Ubuntu 14.04 LTS (Available with Ubuntu Pro): linux-image-4.4.0-1130-aws 4.4.0-1130.136 linux-image-4.4.0-253-generic 4.4.0-253.287~14.04.1 linux-image-4.4.0-253-lowlatency 4.4.0-253.287~14.04.1 linux-image-aws 4.4.0.1130.127 linux-image-generic-lts-xenial 4.4.0.253.287~14.04.1 linux-image-lowlatency-lts-xenial 4.4.0.253.287~14.04.1 linux-image-virtual-lts-xenial 4.4.0.253.287~14.04.1 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-6739-1 CVE-2019-25162, CVE-2021-46936, CVE-2021-46955, CVE-2021-46966, CVE-2021-46990, CVE-2022-20422, CVE-2023-1382, CVE-2023-1998, CVE-2023-24023, CVE-2023-51043, CVE-2023-51779, CVE-2023-52429, CVE-2023-52445, CVE-2023-52451, CVE-2023-52600, CVE-2023-52603, CVE-2024-23851 . The Ubuntu Linux kernel contains significant vulnerabilities that necessitate prompt updates, as they pose risks of denial-of-service (DoS) attacks and potential data exposure.. Ubuntu Kernel Flaw, Linux Security Update, Kernel Mitigation, System Vulnerabilities. . Severity: Critical. LinuxSecurity.com Team
The updated packages fix security vulnerabilities: Authentication bypass vulnerability in the vgauth module. (CVE-2023-20867) SAML token signature bypass. (CVE-2023-34058) File descriptor hijack vulnerability in the vmware-user-suid-wrapper. . MGASA-2024-0058 - Updated open-vm-tools packages fix security vulnerabilities Publication date: 14 Mar 2024 URL: https://advisories.mageia.org/MGASA-2024-0058.html Type: security Affected Mageia releases: 9 CVE: CVE-2023-34058, CVE-2023-34059 The updated packages fix security vulnerabilities: Authentication bypass vulnerability in the vgauth module. (CVE-2023-20867) SAML token signature bypass. (CVE-2023-34058) File descriptor hijack vulnerability in the vmware-user-suid-wrapper. (CVE-2023-34059) References: - https://bugs.mageia.org/show_bug.cgi?id=32454 - https://access.redhat.com/errata/RHSA-2023:3948 - https://www.openwall.com/lists/oss-security/2023/10/27/1 - https://www.openwall.com/lists/oss-security/2023/10/27/2 - https://github.com/vmware/open-vm-tools/releases/tag/stable-12.3.5 - https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23678 - https://www.cve.org/CVERecord?id=CVE-2023-34058 - https://www.cve.org/CVERecord?id=CVE-2023-34059 SRPMS: - 9/core/open-vm-tools-12.3.5-2.mga9 . The latest version of Mageia's open-vm-tools packages fixes severe security vulnerabilities that could leave users open to threats.. open-vm-tools security fix,Mageia packages update,authentication flaws,security vulnerabilities. . Severity: Critical. LinuxSecurity.com Team
An update that fixes two vulnerabilities is now available. . SUSE Security Update: Security update for freerdp ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:2352-1 Rating: critical References: #1198919 #1198921 Cross-References: CVE-2022-24882 CVE-2022-24883 CVSS scores: CVE-2022-24882 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2022-24882 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2022-24883 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2022-24883 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Desktop 12-SP5 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server for SAP Applications 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Workstation Extension 12-SP5 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for freerdp fixes the following issues: - CVE-2022-24882: Fixed incorrect check parameters in NTLM (bsc#1198919). - CVE-2022-24883: Fixed authentication against invalid SAM files (bsc#1198921). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2022-2352=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-2352=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): freerdp-2.1.2-12.23.1 freerdp-debuginfo-2.1.2-12.23.1 freerdp-debugsource-2.1.2-12.23.1 freerdp-proxy-2.1.2-12.23.1 freerdp-server-2.1.2-12.23.1 libfreerdp2-2.1.2-12.23.1 libfreerdp2-debuginfo-2.1.2-12.23.1 libwinpr2-2.1.2-12.23.1 libwinpr2-debuginfo-2.1.2-12.23.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): freerdp-debuginfo-2.1.2-12.23.1 freerdp-debugsource-2.1.2-12.23.1 freerdp-devel-2.1.2-12.23.1 libfreerdp2-2.1.2-12.23.1 libfreerdp2-debuginfo-2.1.2-12.23.1 libwinpr2-2.1.2-12.23.1 libwinpr2-debuginfo-2.1.2-12.23.1 winpr2-devel-2.1.2-12.23.1 References: https://www.suse.com/security/cve/CVE-2022-24882.html https://www.suse.com/security/cve/CVE-2022-24883.html https://bugzilla.suse.com/1198919 https://bugzilla.suse.com/1198921 . This enhancement resolves two key problems in freerdp impacting various SUSE editions and rectifies login mechanisms.. SUSE Linux Security Update, freerdp Fixes, Critical SUSE Advisory, Software Patch Instructions. . Severity: Critical. LinuxSecurity.com Team
A flaw was identified in how phpMyAdmin processes two factor authentication; a user could potentially manipulate their account to bypass two factor authentication in subsequent authentication sessions (PMASA-2022-1). . MGASA-2022-0036 - Updated phpmyadmin packages fix security vulnerability Publication date: 25 Jan 2022 URL: https://advisories.mageia.org/MGASA-2022-0036.html Type: security Affected Mageia releases: 8 CVE: CVE-2022-23807, CVE-2022-23808 A flaw was identified in how phpMyAdmin processes two factor authentication; a user could potentially manipulate their account to bypass two factor authentication in subsequent authentication sessions (PMASA-2022-1). A series of weaknesses was identified allowing a malicious user to submit malicious information to present an XSS or HTML injection attack in the graphical setup page (PMASA-2022-2). In some scenarios, potentially sensitive information such as a the database name can be part of the URL. This can now be optionally encrypted. During a failed log on attempt, the error message reveals the target database server's hostname or IP address. This can reveal some information about the network infrastructure to an attacker. Fixed some situations where a user is logged out when working with more than one server Fixed a problem with assigning privileges to a user using the multiselect list when the database name has an underscore Enable cookie parameter "SameSite" when the PHP version is 7.3 or newer. References: - https://bugs.mageia.org/show_bug.cgi?id=29931 - https://www.phpmyadmin.net/news/2022/1/22/phpmyadmin-498-512-and-520-rc1-are-released/ - https://www.cve.org/CVERecord?id=CVE-2022-23807 - https://www.cve.org/CVERecord?id=CVE-2022-23808 SRPMS: - 8/core/phpmyadmin-5.1.2-1.mga8 . phpMyAdmin releases enhancements that rectify significant vulnerabilities in access controls and the leakage of confidential information.. phpMyAdmin Update,Mageia Security Advisory,Authentication Flaw,XSS Vulnerability,Network Security. . Severity: Critical.LinuxSecurity.com Team
Several security issues were fixed in Ceph.. =========================================================================Ubuntu Security Notice USN-5128-1 November 01, 2021 ceph vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 21.04 - Ubuntu 18.04 LTS Summary: Several security issues were fixed in Ceph. Software Description: - ceph: distributed storage and file system Details: Goutham Pacha Ravi, Jahson Babel, and John Garbutt discovered that user credentials in Ceph could be manipulated in certain environments. An attacker could use this to gain unintended access to resources. This issue only affected Ubuntu 18.04 LTS. (CVE-2020-27781) It was discovered that Ceph contained an authentication flaw, leading to key reuse. An attacker could use this to cause a denial of service or possibly impersonate another user. This issue only affected Ubuntu 21.04. (CVE-2021-20288) Sergey Bobrov discovered that the Ceph dashboard was susceptible to a cross-site scripting attack. An attacker could use this to expose sensitive information or gain unintended access. This issue only affected Ubuntu 21.04. (CVE-2021-3509) Sergey Bobrov discovered that Ceph's RadosGW (Ceph Object Gateway) allowed the injection of HTTP headers in responses to CORS requests. An attacker could use this to violate system integrity. (CVE-2021-3524) It was discovered that Ceph's RadosGW (Ceph Object Gateway) did not properly handle GET requests for swift URLs in some situations, leading to an application crash. An attacker could use this to cause a denial of service. (CVE-2021-3531) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 21.04: ceph 16.2.6-0ubuntu0.21.04.2 ceph-base 16.2.6-0ubuntu0.21.04.2 ceph-common 16.2.6-0ubuntu0.21.04.2 Ubuntu 18.04 LTS: ceph 12.2.13-0ubuntu0.18.04.10 ceph-base 12.2.13-0ubuntu0.18.04.10 ceph-common 12.2.13-0ubuntu0.18.04.10 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5128-1 CVE-2020-27781, CVE-2021-20288, CVE-2021-3509, CVE-2021-3524, CVE-2021-3531 Package Information: https://launchpad.net/ubuntu/+source/ceph/16.2.6-0ubuntu0.21.04.2 https://launchpad.net/ubuntu/+source/ceph/12.2.13-0ubuntu0.18.04.10 . This notification outlines various vulnerabilities associated with Ceph on Ubuntu versions 18.04 and 21.04, providing instructions for necessary patches to reduce exposure to threats.. Ceph Security Advisory, Ubuntu 21.04, User Credentials Issue, Denial of Service. . Severity: Critical. LinuxSecurity.com Team
The container ses/7/ceph/ceph was updated. The following patches have been included in this update:. SUSE Container Update Advisory: ses/7/ceph/ceph ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:250-1 Container Tags : ses/7/ceph/ceph:15.2.13.79 , ses/7/ceph/ceph:15.2.13.79.4.232 , ses/7/ceph/ceph:latest , ses/7/ceph/ceph:sle15.2.octopus Container Release : 4.232 Severity : important Type : security References : 1029961 1106014 1153687 1161268 1172308 1174526 1178577 1178624 1178675 1179805 1180851 1181874 1182016 1182372 1182936 1183074 1183194 1183268 1183589 1183628 1184326 1184399 1184505 1184997 1184997 1185239 1185325 1185910 1186015 1186642 1186642 1186642 1186673 CVE-2020-29651 CVE-2021-20288 CVE-2021-3541 ----------------------------------------------------------------- The container ses/7/ceph/ceph was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1833-1 Released: Wed Jun 2 15:32:28 2021 Summary: Recommended update for zypper Type: recommended Severity: moderate References: 1153687,1180851,1181874,1182372,1182936,1183268,1183589,1183628,1184997,1185239 This update for zypper fixes the following issues: zypper was upgraded to 1.14.44: - man page: Recommend the needs-rebooting command to test whether a system reboot is suggested. - patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268) - Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687) - Protect against strict/relaxed user umask via sudo. (bsc#1183589) - xml summary: Add solvables repository alias. (bsc#1182372) libzypp was upgraded from version 17.25.8 to version 17.25.10 - Properly handle permission denied when providing optional files.(bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1846-1 Released: Fri Jun 4 08:46:37 2021 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1185910 This update for mozilla-nss fixes the following issue: - Provide some missing binaries from `mozilla-nss` not added in `SLE-Module-Basesystem_15-SP3`. (bsc#1185910) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1859-1 Released: Fri Jun 4 09:02:38 2021 Summary: Security update for python-py Type: security Severity: moderate References: 1179805,1184505,CVE-2020-29651 This update for python-py fixes the following issues: - CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1861-1 Released: Fri Jun 4 09:59:40 2021 Summary: Recommended update for gcc10 Type: recommended Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016 This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target.(bsc#1106014) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1879-1 Released: Tue Jun 8 09:16:09 2021 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1184326,1184399,1184997,1185325 This update for libzypp, zypper fixes the following issues: libzypp was updated to 17.26.0: - Work around download.o.o broken https redirects. - Allow trusted repos to add additional signing keys (bsc#1184326) Repositories signed with a trusted gpg key may import additional package signing keys. This is needed if different keys were used to sign the the packages shipped by the repository. - MediaCurl: Fix logging of redirects. - Use 15.3 resolver problem and solution texts on all distros. - $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the zypp lock (bsc#1184399) Helps boot time services like 'zypper purge-kernels' to wait for the zypp lock until other services using zypper have completed. - Fix purge-kernels is broken in Leap 15.3 (bsc#1185325) Leap 15.3 introduces a new kernel package called kernel-flavour-extra, which contain kmp's. Currently kmp's are detected by name '.*-kmp(-.*)?' but this does not work which those new packages. This patch fixes the problem by checking packages for kmod(*) and ksym(*) provides and only falls back to name checking if the package in question does not provide one of those. - Introduce zypp-runpurge, a tool to run purge-kernels on testcases. zypper was updated to 1.14.45: - Fix service detection with cgroupv2 (bsc#1184997) - Add hints to 'trust GPG key' prompt. - Add report when receiving new package signing keys from a trusted repo (bsc#1184326) - Added translation using Weblate (Kabyle) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1910-1 Released: Wed Jun 9 09:37:41 2021 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1186673 Thisupdate for openssh fixes the following issues: - Further attempts to mitigate instances of secrets lingering in memory after a session exits to meet key zeroization requirements. (bsc#1186673) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1917-1 Released: Wed Jun 9 14:48:05 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1186015,CVE-2021-3541 This update for libxml2 fixes the following issues: - CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1923-1 Released: Thu Jun 10 08:37:00 2021 Summary: Recommended update for nfs-utils Type: recommended Severity: important References: 1183194 This update for nfs-utils fixes the following issues: - Ensured thread safety when opening files over NFS to prevent a use-after-free issue (bsc#1183194) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1935-1 Released: Thu Jun 10 10:45:09 2021 Summary: Recommended update for gzip Type: recommended Severity: moderate References: 1186642 This update for gzip fixes the following issue: - gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1937-1 Released: Thu Jun 10 10:47:09 2021 Summary: Recommended update for nghttp2 Type: recommended Severity: moderate References: 1186642 This update for nghttp2 fixes the following issue: - The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1941-1 Released: Thu Jun 1010:49:52 2021 Summary: Recommended update for sysconfig Type: recommended Severity: moderate References: 1186642 This update for sysconfig fixes the following issue: - sysconfig had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1953-1 Released: Thu Jun 10 16:18:50 2021 Summary: Recommended update for gpg2 Type: recommended Severity: moderate References: 1161268,1172308 This update for gpg2 fixes the following issues: - Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 and bsc#1172308). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1971-1 Released: Tue Jun 15 06:57:16 2021 Summary: Security update for ceph and ceph-csi Type: security Severity: important References: 1174526,1183074,CVE-2021-20288 This update for ceph and ceph-csi fixes the following issues: ceph: - updated ceph to upstream version 15.2.13: * mgr/dashboard: allow getting fresh inventory data from the orchestrator (bsc#1174526) The whole upstream changelog can be found here: https://ceph.io/en/news/blog/2021/v15-2-13-octopus-released/ ceph-csi: - CVE-2021-20288: An authentication flaw was found in ceph in versions prior to 14.2.20. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associated with another user, as ceph does not force the reuse of old keys to generate new ones. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (bsc#1183074) . Recent security enhancement for SUSE Ceph container reinforces data integrity and operational continuity by addressing vulnerabilitiesrelated to authentication weaknesses.. SUSE Container, Ceph Update, Security Patch, Integrity Issues, Authentication Flaw. . Severity: Important. LinuxSecurity.com Team
The container ses/7/cephcsi/cephcsi was updated. The following patches have been included in this update:. SUSE Container Update Advisory: ses/7/cephcsi/cephcsi ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2021:248-1 Container Tags : ses/7/cephcsi/cephcsi:3.2.2 , ses/7/cephcsi/cephcsi:3.2.2.0.3.430 , ses/7/cephcsi/cephcsi:latest , ses/7/cephcsi/cephcsi:sle15.2.octopus , ses/7/cephcsi/cephcsi:v3.2.2 , ses/7/cephcsi/cephcsi:v3.2.2.0 Container Release : 3.430 Severity : important Type : security References : 1029961 1106014 1153687 1161268 1172308 1174526 1178577 1178624 1178675 1179805 1180851 1181874 1182016 1182372 1182936 1183074 1183194 1183268 1183589 1183628 1184326 1184399 1184505 1184997 1184997 1185239 1185325 1186015 1186642 1186642 1186673 CVE-2020-29651 CVE-2021-20288 CVE-2021-3541 ----------------------------------------------------------------- The container ses/7/cephcsi/cephcsi was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1833-1 Released: Wed Jun 2 15:32:28 2021 Summary: Recommended update for zypper Type: recommended Severity: moderate References: 1153687,1180851,1181874,1182372,1182936,1183268,1183589,1183628,1184997,1185239 This update for zypper fixes the following issues: zypper was upgraded to 1.14.44: - man page: Recommend the needs-rebooting command to test whether a system reboot is suggested. - patch: Let a patch's reboot-needed flag overrule included packages. (bsc#1183268) - Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687) - Protect against strict/relaxed user umask via sudo. (bsc#1183589) - xml summary: Add solvables repository alias. (bsc#1182372) libzypp was upgraded from version 17.25.8 to version17.25.10 - Properly handle permission denied when providing optional files. (bsc#1185239) - Fix service detection with `cgroupv2`. (bsc#1184997) - Add missing includes for GCC 11. (bsc#1181874) - Fix unsafe usage of static in media verifier. - `Solver`: Avoid segfault if no system is loaded. (bsc#1183628) - `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851) - Do no cleanup in custom cache dirs. (bsc#1182936) - `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1859-1 Released: Fri Jun 4 09:02:38 2021 Summary: Security update for python-py Type: security Severity: moderate References: 1179805,1184505,CVE-2020-29651 This update for python-py fixes the following issues: - CVE-2020-29651: Fixed regular expression denial of service in svnwc.py (bsc#1179805, bsc#1184505). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1861-1 Released: Fri Jun 4 09:59:40 2021 Summary: Recommended update for gcc10 Type: recommended Severity: moderate References: 1029961,1106014,1178577,1178624,1178675,1182016 This update for gcc10 fixes the following issues: - Disable nvptx offloading for aarch64 again since it doesn't work - Fixed a build failure issue. (bsc#1182016) - Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577) - Fix 32bit 'libgnat.so' link. (bsc#1178675) - prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961) - Build complete set of multilibs for arm-none target. (bsc#1106014) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1879-1 Released: Tue Jun 8 09:16:09 2021 Summary: Recommended update for libzypp, zypper Type: recommended Severity: important References: 1184326,1184399,1184997,1185325 This update for libzypp, zypper fixes the following issues: libzypp was updated to17.26.0: - Work around download.o.o broken https redirects. - Allow trusted repos to add additional signing keys (bsc#1184326) Repositories signed with a trusted gpg key may import additional package signing keys. This is needed if different keys were used to sign the the packages shipped by the repository. - MediaCurl: Fix logging of redirects. - Use 15.3 resolver problem and solution texts on all distros. - $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the zypp lock (bsc#1184399) Helps boot time services like 'zypper purge-kernels' to wait for the zypp lock until other services using zypper have completed. - Fix purge-kernels is broken in Leap 15.3 (bsc#1185325) Leap 15.3 introduces a new kernel package called kernel-flavour-extra, which contain kmp's. Currently kmp's are detected by name '.*-kmp(-.*)?' but this does not work which those new packages. This patch fixes the problem by checking packages for kmod(*) and ksym(*) provides and only falls back to name checking if the package in question does not provide one of those. - Introduce zypp-runpurge, a tool to run purge-kernels on testcases. zypper was updated to 1.14.45: - Fix service detection with cgroupv2 (bsc#1184997) - Add hints to 'trust GPG key' prompt. - Add report when receiving new package signing keys from a trusted repo (bsc#1184326) - Added translation using Weblate (Kabyle) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1910-1 Released: Wed Jun 9 09:37:41 2021 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1186673 This update for openssh fixes the following issues: - Further attempts to mitigate instances of secrets lingering in memory after a session exits to meet key zeroization requirements. (bsc#1186673) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1917-1 Released: Wed Jun 9 14:48:05 2021 Summary: Security update for libxml2 Type: security Severity: moderate References: 1186015,CVE-2021-3541 This update for libxml2 fixes the following issues: - CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1923-1 Released: Thu Jun 10 08:37:00 2021 Summary: Recommended update for nfs-utils Type: recommended Severity: important References: 1183194 This update for nfs-utils fixes the following issues: - Ensured thread safety when opening files over NFS to prevent a use-after-free issue (bsc#1183194) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1935-1 Released: Thu Jun 10 10:45:09 2021 Summary: Recommended update for gzip Type: recommended Severity: moderate References: 1186642 This update for gzip fixes the following issue: - gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1937-1 Released: Thu Jun 10 10:47:09 2021 Summary: Recommended update for nghttp2 Type: recommended Severity: moderate References: 1186642 This update for nghttp2 fixes the following issue: - The (lib)nghttp2 packages had a lower release number in SUSE Linux Enterprise 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2021:1953-1 Released: Thu Jun 10 16:18:50 2021 Summary: Recommended update for gpg2 Type: recommended Severity: moderate References: 1161268,1172308 This update for gpg2 fixes the following issues: - Fixed an issue where the gpg-agent's ssh-agent does not handle flags in signing requests properly (bsc#1161268 andbsc#1172308). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:1971-1 Released: Tue Jun 15 06:57:16 2021 Summary: Security update for ceph and ceph-csi Type: security Severity: important References: 1174526,1183074,CVE-2021-20288 This update for ceph and ceph-csi fixes the following issues: ceph: - updated ceph to upstream version 15.2.13: * mgr/dashboard: allow getting fresh inventory data from the orchestrator (bsc#1174526) The whole upstream changelog can be found here: https://ceph.io/en/news/blog/2021/v15-2-13-octopus-released/ ceph-csi: - CVE-2021-20288: An authentication flaw was found in ceph in versions prior to 14.2.20. When the monitor handles CEPHX_GET_AUTH_SESSION_KEY requests, it doesn't sanitize other_keys, allowing key reuse. An attacker who can request a global_id can exploit the ability of any user to request a global_id previously associated with another user, as ceph does not force the reuse of old keys to generate new ones. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability (bsc#1183074) . SUSE Container Patch Notice for ses/7/cephcsi highlights critical security enhancements and issues that have been resolved.. SUSE Update, Ceph CSI Security, Container Security. . Severity: Important. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.