Explore Latest Linux Security advisories

SUSE: 2022:3093-1 Important: python-Flask-Security-Too CSRF Issue

An update that fixes one vulnerability is now available.

SUSE Security Update: Security update for python-Flask-Security-Too
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:3093-1
Rating:             important
References:         #1181058
Cross-References:   CVE-2021-21241
CVSS scores:
    CVE-2021-21241 (NVD) : 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
    CVE-2021-21241 (SUSE): 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Affected Products:
    SUSE Enterprise Storage 7
    SUSE Linux Enterprise Desktop 15-SP3
    SUSE Linux Enterprise Desktop 15-SP4
    SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
    SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
    SUSE Linux Enterprise High Performance Computing 15-SP3
    SUSE Linux Enterprise High Performance Computing 15-SP4
    SUSE Linux Enterprise Module for Basesystem 15-SP3
    SUSE Linux Enterprise Module for Basesystem 15-SP4
    SUSE Linux Enterprise Server 15-SP2-BCL
    SUSE Linux Enterprise Server 15-SP2-LTSS
    SUSE Linux Enterprise Server 15-SP3
    SUSE Linux Enterprise Server 15-SP4
    SUSE Linux Enterprise Server for SAP 15-SP2
    SUSE Linux Enterprise Server for SAP Applications 15-SP3
    SUSE Linux Enterprise Server for SAP Applications 15-SP4
    SUSE Linux Enterprise Storage 7.1
    SUSE Manager Proxy 4.1
    SUSE Manager Proxy 4.2
    SUSE Manager Proxy 4.3
    SUSE Manager Retail Branch Server 4.1
    SUSE Manager Retail Branch Server 4.2
    SUSE Manager Retail Branch Server 4.3
    SUSE Manager Server 4.1
    SUSE Manager Server 4.2
    SUSE Manager Server 4.3
    openSUSE Leap 15.3
    openSUSE Leap 15.4
______________________________________________________________________________

Description:

    This update for python-Flask-Security-Too fixes the following issues:

    - CVE-2021-21241: Fixed an issue where GET requests lacking CSRF protection to certain endpoints could return the user's authentication token (bsc#1181058).

Patch Instructions:

    To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

    Alternatively you can run the command listed for your product:

    - openSUSE Leap 15.4:
        zypper in -t patch openSUSE-SLE-15.4-2022-3093=1
    - openSUSE Leap 15.3:
        zypper in -t patch openSUSE-SLE-15.3-2022-3093=1
    - SUSE Manager Server 4.1:
        zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-3093=1
    - SUSE Manager Retail Branch Server 4.1:
        zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-3093=1
    - SUSE Manager Proxy 4.1:
        zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-3093=1
    - SUSE Linux Enterprise Server for SAP 15-SP2:
        zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-3093=1
    - SUSE Linux Enterprise Server 15-SP2-LTSS:
        zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-3093=1
    - SUSE Linux Enterprise Server 15-SP2-BCL:
        zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-3093=1
    - SUSE Linux Enterprise Module for Basesystem 15-SP4:
        zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-3093=1
    - SUSE Linux Enterprise Module for Basesystem 15-SP3:
        zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-3093=1
    - SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
        zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-3093=1
    - SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
        zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-3093=1
    - SUSE Enterprise Storage 7:
        zypper in -t patch SUSE-Storage-7-2022-3093=1

Package List:

    - openSUSE Leap 15.4 (noarch):
        python3-Flask-Security-Too-3.4.2-150200.3.3.1
    - openSUSE Leap 15.3 (noarch):
        python3-Flask-Security-Too-3.4.2-150200.3.3.1
    - SUSE Manager Server 4.1 (noarch):
        python3-Flask-Security-Too-3.4.2-150200.3.3.1
    - SUSE Manager Retail Branch Server 4.1 (noarch):
        python3-Flask-Security-Too-3.4.2-150200.3.3.1
    - SUSE Manager Proxy 4.1 (noarch):
        python3-Flask-Security-Too-3.4.2-150200.3.3.1
    - SUSE Linux Enterprise Server for SAP 15-SP2 (noarch):
        python3-Flask-Security-Too-3.4.2-150200.3.3.1
    - SUSE Linux Enterprise Server 15-SP2-LTSS (noarch):
        python3-Flask-Security-Too-3.4.2-150200.3.3.1
    - SUSE Linux Enterprise Server 15-SP2-BCL (noarch):
        python3-Flask-Security-Too-3.4.2-150200.3.3.1
    - SUSE Linux Enterprise Module for Basesystem 15-SP4 (noarch):
        python3-Flask-Security-Too-3.4.2-150200.3.3.1
    - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):
        python3-Flask-Security-Too-3.4.2-150200.3.3.1
    - SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (noarch):
        python3-Flask-Security-Too-3.4.2-150200.3.3.1
    - SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (noarch):
        python3-Flask-Security-Too-3.4.2-150200.3.3.1
    - SUSE Enterprise Storage 7 (noarch):
        python3-Flask-Security-Too-3.4.2-150200.3.3.1

References:

    https://www.suse.com/security/cve/CVE-2021-21241.html
    https://bugzilla.suse.com/1181058

This SUSE security patch for python-Flask-Security-Too resolves CVE-2021-21241, rated Important, across the products listed above. Note that the fixed package keeps the upstream version number 3.4.2 (the fix is backported in release 150200.3.3.1), so a check against the upstream version range alone will misreport it as vulnerable.

Severity: Important. LinuxSecurity.com Team

Sep 06, 2022 | Important | SUSE

Arch Linux: 202105-2 High: python-flask-security-too Cross-Site Request Forgery

The package python-flask-security-too before version 4.0.1-1 is vulnerable to cross-site request forgery.

Arch Linux Security Advisory ASA-202105-2
=========================================

Severity: High
Date    : 2021-05-19
CVE-ID  : CVE-2021-21241
Package : python-flask-security-too
Type    : cross-site request forgery
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1434

Summary
=======

The package python-flask-security-too before version 4.0.1-1 is vulnerable to cross-site request forgery.

Resolution
==========

Upgrade to 4.0.1-1.

# pacman -Syu "python-flask-security-too>=4.0.1-1"

The problem has been fixed upstream in version 4.0.1.

Workaround
==========

If you aren't using authentication tokens, you can set SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token unusable.

Description
===========

In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's authentication token in response to a GET request. Since GET requests aren't protected with a CSRF token, this could lead to a malicious 3rd party site acquiring the authentication token. Version 3.4.5 and version 4.0.0 are patched. As a workaround, if you aren't using authentication tokens, you can set SECURITY_TOKEN_MAX_AGE to "0" (seconds) which should make the token unusable.

Impact
======

A remote attacker could obtain a user's authentication token from a cross-site request.

References
==========

https://bugs.archlinux.org/task/70041
https://security.archlinux.org/CVE-2021-21241

LinuxSecurity.com Team

May 20, 2021 | High | Arch Linux
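The two advisories above leave a responder with two practical questions: is a given install inside the CVE-2021-21241 range, and does the SECURITY_TOKEN_MAX_AGE=0 workaround really make a leaked token unusable? The script below is an added example that answers both; it is not code from Flask-Security-Too, SUSE or Arch. The version range comes from ASA-202105-2 (>= 3.3.0 and < 3.4.5 upstream). The token format is a simplified stand-in: it assumes only that the real tokens are timestamped and signed, and the claims layout, the HMAC construction and the secret are this example's own.

```python
# Added example for SUSE-SU-2022:3093-1 and ASA-202105-2 (CVE-2021-21241).
# Not code from Flask-Security-Too, SUSE or Arch Linux.
import base64
import hashlib
import hmac
import json
import re

# Upstream affected range per ASA-202105-2: >= 3.3.0 and < 3.4.5 (3.4.5 and 4.0.0 are patched).
AFFECTED_MIN = (3, 3, 0)
AFFECTED_BELOW = (3, 4, 5)


def upstream_version(pkg_version: str) -> tuple:
    """'3.4.2' or '3.4.2-150200.3.3.1' -> (3, 4, 2); a distro release suffix is dropped."""
    core = pkg_version.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def upstream_affected(pkg_version: str) -> bool:
    """True when the upstream version number alone falls in the vulnerable range.
    Caveat: distros backport fixes, so SUSE's python3-Flask-Security-Too
    3.4.2-150200.3.3.1 reports True here although it is patched. For distro
    packages compare the full version-release against the advisory instead
    (release_at_least below)."""
    return AFFECTED_MIN <= upstream_version(pkg_version) < AFFECTED_BELOW


def _segments(s: str) -> list:
    # Split '3.4.2-150200.3.3.1' into numeric and alphabetic runs, rpmvercmp-style (simplified).
    return [int(x) if x.isdigit() else x for x in re.findall(r"\d+|[A-Za-z]+", s)]


def release_at_least(installed: str, fixed: str) -> bool:
    """Segment-wise compare of full 'version-release' strings, e.g. the installed SUSE
    package against 3.4.2-150200.3.3.1, or an Arch package against 4.0.1-1."""
    a, b = _segments(installed), _segments(fixed)
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return isinstance(x, int)  # rpmvercmp: a numeric segment sorts after an alphabetic one
        return x > y
    return len(a) >= len(b)


def issue_token(uid: int, issued_at: int, secret: bytes) -> str:
    """Issue a timestamped, HMAC-signed token: base64(claims) '.' hex(HMAC-SHA256).
    Constructed format for this example, not the library's real token layout."""
    body = base64.urlsafe_b64encode(json.dumps({"uid": uid, "iat": issued_at}).encode()).decode()
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, secret: bytes, max_age: int, now: int) -> tuple:
    """Return (accepted, reason). Rejects bad signatures and tokens older than max_age
    seconds. With max_age=0 (the advisory's workaround) any token presented a second
    or more after issue is refused, so one captured from the unprotected GET response
    cannot be replayed."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    age = now - claims["iat"]
    if age > max_age:
        return False, f"expired: age {age}s exceeds max_age {max_age}s"
    return True, "ok"


if __name__ == "__main__":
    for v in ("3.4.2", "3.4.2-150200.3.3.1", "3.4.5", "4.0.1-1"):
        print(f"{v:24} in upstream affected range: {upstream_affected(v)}")
    print("SUSE 3.4.2-150200.3.3.1 at or above fixed release:",
          release_at_least("3.4.2-150200.3.3.1", "3.4.2-150200.3.3.1"))
    secret = b"constructed-demo-secret"
    tok = issue_token(uid=7, issued_at=1_000_000, secret=secret)
    print("max_age=3600, one second later:", verify_token(tok, secret, 3600, 1_000_001))
    print("max_age=0,    one second later:", verify_token(tok, secret, 0, 1_000_001))
```

The release comparison is deliberately simplistic (no epoch, no tilde or caret handling); on a real host prefer `rpm --eval` or `pacman -Q` output fed to the package manager's own comparator. The token check shows why the workaround is only a workaround: it invalidates every token, including legitimate ones, so it is acceptable only where token authentication is not in use, which is exactly the condition the Arch advisory attaches to it.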

Red Hat: RHSA-2014:1050-01 Important: openstack-ceilometer security and bug fix update

Updated OpenStack Telemetry packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. Red Hat Product Security has rated this update as having Important security impact.

====================================================================
Red Hat Security Advisory

Synopsis:          Important: openstack-ceilometer security and bug fix update
Advisory ID:       RHSA-2014:1050-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2014:1050.html
Issue date:        2014-08-13
CVE Names:         CVE-2014-4615
====================================================================

1. Summary:

Updated OpenStack Telemetry packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux OpenStack Platform 4.0.

Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux OpenStack Platform 4.0 - noarch

3. Description:

OpenStack Telemetry (ceilometer) collects customer usage data for metering purposes. Telemetry implements bus listener, push, and polling agents for data collection; this data is stored in a database and presented via the REST API. In addition, Telemetry's extensible design means it can be optionally extended to gather customized data sets.

It was found that authentication tokens were not properly sanitized from the message queue by the notifier middleware. An attacker with read access to the message queue could possibly use this flaw to intercept an authentication token and gain elevated privileges. Note that all services using the notifier middleware configured after the auth_token middleware pipeline were affected. (CVE-2014-4615)

This update also fixes the following bug:

* An incompatibility issue was found with the recent update of the python-qpid package. This caused several OpenStack services, including OpenStack Telemetry, to malfunction. By updating the RPC code, this issue is now resolved. (BZ#1116462)

All OpenStack Telemetry users are advised to upgrade to these updated packages, which correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1112945 - CVE-2014-4615 pycadf: token leak to message queue
1116462 - RHOSP 4 is incompatible with python-qpid >= 0.18-11

6. Package List:

Red Hat Enterprise Linux OpenStack Platform 4.0:

Source:
openstack-ceilometer-2013.2.3-2.el6ost.src.rpm

noarch:
openstack-ceilometer-alarm-2013.2.3-2.el6ost.noarch.rpm
openstack-ceilometer-api-2013.2.3-2.el6ost.noarch.rpm
openstack-ceilometer-central-2013.2.3-2.el6ost.noarch.rpm
openstack-ceilometer-collector-2013.2.3-2.el6ost.noarch.rpm
openstack-ceilometer-common-2013.2.3-2.el6ost.noarch.rpm
openstack-ceilometer-compute-2013.2.3-2.el6ost.noarch.rpm
python-ceilometer-2013.2.3-2.el6ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://access.redhat.com/security/cve/CVE-2014-4615
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

This OpenStack Telemetry update addresses an Important-rated token disclosure (CVE-2014-4615) and resolves a python-qpid compatibility bug in Red Hat Enterprise Linux OpenStack Platform 4.0. Because the leak happens wherever the notifier middleware sits after auth_token in a service's paste pipeline, the same check applies to every OpenStack API service on the host, not only ceilometer.

Severity: Important. LinuxSecurity.com Team

Aug 12, 2014 | Important | Red Hat
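The advisory above names the three things an operator needs for a credential-on-the-bus bug of this kind: which services are exposed (notifier middleware configured after auth_token in the paste pipeline), what should be stripped before a notification is published, and whether anything already on the queue carries a token. The script below is an added example covering all three; it is not Red Hat's, ceilometer's or pycadf's code. The filter names `authtoken` and `audit`, the token-bearing key list, the pipeline line and the sample notification are all constructed for this example and should be adjusted to the real api-paste.ini and message schema of a deployment.

```python
# Added example for RHSA-2014:1050-01 (CVE-2014-4615). Not Red Hat, ceilometer or pycadf code.
import json

# Filter names as they might appear in an api-paste.ini pipeline (constructed names).
AUTH_FILTER = "authtoken"
NOTIFIER_FILTER = "audit"

# Keys that carry a Keystone token in a request context or header map (assumed list,
# matched case-insensitively; any other key containing 'token' is treated as sensitive too).
TOKEN_KEYS = {"x-auth-token", "x-subject-token", "x-storage-token", "auth_token", "token"}


def notifier_after_auth(pipeline: str, auth: str = AUTH_FILTER, notifier: str = NOTIFIER_FILTER) -> bool:
    """True when the notifier filter runs after auth_token in a paste pipeline string,
    i.e. it sees a request context that already holds the validated token."""
    parts = pipeline.split()
    if auth not in parts or notifier not in parts:
        return False
    return parts.index(notifier) > parts.index(auth)


def is_token_key(key: str) -> bool:
    k = key.lower()
    return k in TOKEN_KEYS or "token" in k


def scrub(obj):
    """Return a copy of a notification with every token-bearing field replaced by '***'.
    Nested dicts and lists are walked; the input object is not modified."""
    if isinstance(obj, dict):
        return {k: ("***" if is_token_key(k) else scrub(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    return obj


def find_leaks(msg, path: str = ""):
    """Yield (json_path, value) for token-bearing fields that still hold a real value."""
    if isinstance(msg, dict):
        for k, v in msg.items():
            p = f"{path}.{k}" if path else k
            if is_token_key(k) and isinstance(v, str) and v not in ("", "***"):
                yield p, v
            else:
                yield from find_leaks(v, p)
    elif isinstance(msg, list):
        for i, v in enumerate(msg):
            yield from find_leaks(v, f"{path}[{i}]")


def leaked_paths(msg) -> list:
    """Paths of leaked token fields in a queued message (empty once scrubbed)."""
    return [p for p, _ in find_leaks(msg)]


# Constructed pipeline line and audit notification; the token value is a dummy string.
PIPELINE = "request_id authtoken audit api-server"
SAMPLE_MESSAGE = {
    "event_type": "http.request",
    "payload": {
        "initiator": {"id": "user-1", "name": "alice"},
        "request": {
            "method": "GET",
            "path": "/v2/meters",
            "headers": {
                "X-Auth-Token": "DUMMY0123456789abcdefDUMMY0123456789abcdef",
                "X-Project-Id": "proj-42",
            },
        },
    },
}


if __name__ == "__main__":
    print("notifier runs after auth_token:", notifier_after_auth(PIPELINE))
    print("leaks before scrub:", leaked_paths(SAMPLE_MESSAGE))
    clean = scrub(SAMPLE_MESSAGE)
    print("leaks after scrub: ", leaked_paths(clean))
    print(json.dumps(clean["payload"]["request"]["headers"]))
```

`scrub` belongs at the point where the notification is built, before it is handed to the RPC publisher; `find_leaks` is the audit pass to run over messages drained from the queue (or from broker logs) after deploying the fix, to decide whether tokens that were already published must be revoked. The pipeline check is the cheap first triage step: any service whose pipeline places the notifier after auth_token was in scope per the advisory.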
