Explore top 10 tips to secure your open-source projects now. Read More
×
The following vulnerability has been discovered in the gorilla/csrf package for Go: Prior to 1.7.3, gorilla/csrf did not validate the Origin header against an allowlist. It executed its validation of the Referer header for . - -------------------------------------------------------------------------- Debian LTS Advisory DLA-4151-1
Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform SQL injection, create open redirects, bypass authorization access, or perform Cross-Site Request Forgery (CSRF) or Cross-Site Scripting (XSS) attacks. . - ------------------------------------------------------------------------- Debian Security Advisory DSA-5279-1
WordPress 5.8.4 Security Release. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2022-4b3079c1be 2022-03-18 19:12:07.465573 --------------------------------------------------------------------------------Name : wordpress Product : Fedora 34 Version : 5.8.4 Release : 1.fc34 URL : https://wordpress.org/ Summary : Blog tool and publishing platform Description : Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. Important information in /usr/share/doc/wordpress/README.fedora --------------------------------------------------------------------------------Update Information: WordPress 5.8.4 Security Release --------------------------------------------------------------------------------ChangeLog: * Fri Mar 11 2022 Remi Collet - 5.8.4-1 - WordPress 5.8.4 Security Release --------------------------------------------------------------------------------References: [ 1 ] Bug #2063661 - CVE-2022-25600 Wordpress: Cross-Site Request Forgery (CSRF) vulnerability in WP Google Map plugin https://bugzilla.redhat.com/show_bug.cgi?id=2063661 [ 2 ] Bug #2063667 - CVE-2022-25601 wordpress: Reflected Cross-Site Scripting (XSS) in Contact Form X WordPress plugin https://bugzilla.redhat.com/show_bug.cgi?id=2063667 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2022-4b3079c1be' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be foundat https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Red Hat OpenShift Container Platform release 4.9.19 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9.. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.9.19 security update Advisory ID: RHSA-2022:0339-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2022:0339 Issue date: 2022-02-10 CVE Names: CVE-2022-20612 CVE-2022-20617 ==================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.9.19 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 4.9 - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.19. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2022:0340 Security Fix(es): * jenkins-2-plugins/docker-commons: does not sanitize the name of an image or a tag which could result in an OS command execution (CVE-2022-20617) * jenkins: no POST request is required for the endpoint handlingmanual build requests which could result in CSRF (CVE-2022-20612) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.redhat.com/en/documentation/openshift_container_platform/4.9/html/release_notes/ocp-4-9-release-notes Details on how to access this content are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.9/html/updating_clusters/updating-cluster-cli 5. Bugs fixed (https://bugzilla.redhat.com/): 2044460 - CVE-2022-20612 jenkins: no POST request is required for the endpoint handling manual build requests which could result in CSRF 2044502 - CVE-2022-20617 jenkins-2-plugins/docker-commons: does not sanitize the name of an image or a tag which could result in an OS command execution 6. Package List: Red Hat OpenShift Container Platform 4.9: Source: openshift-4.9.0-202201261537.p0.g2cb6068.assembly.stream.el7.src.rpm x86_64: openshift-hyperkube-4.9.0-202201261537.p0.g2cb6068.assembly.stream.el7.x86_64.rpm Red Hat OpenShift Container Platform 4.9: Source: jenkins-2-plugins-4.9.1643389956-1.el8.src.rpm jenkins-2.319.2.1643391771-1.el8.src.rpm openshift-4.9.0-202201261537.p0.g2cb6068.assembly.stream.el8.src.rpm aarch64: openshift-hyperkube-4.9.0-202201261537.p0.g2cb6068.assembly.stream.el8.aarch64.rpm noarch: jenkins-2-plugins-4.9.1643389956-1.el8.noarch.rpm jenkins-2.319.2.1643391771-1.el8.noarch.rpm ppc64le: openshift-hyperkube-4.9.0-202201261537.p0.g2cb6068.assembly.stream.el8.ppc64le.rpm s390x: openshift-hyperkube-4.9.0-202201261537.p0.g2cb6068.assembly.stream.el8.s390x.rpm x86_64: openshift-hyperkube-4.9.0-202201261537.p0.g2cb6068.assembly.stream.el8.x86_64.rpm These packagesare GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-20612 https://access.redhat.com/security/cve/CVE-2022-20617 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYgTmQdzjgjWX9erEAQiYaA/9HRNrJL9+EkbBoe+4xaR6pzK1cPf0AMRY J5NwsSCQ3ZtCNevXy+lT4FxQN1h8sxiq13rGLQBGSuiH484teWrC0hIgFAmOhKK1 KYZ60AwDLcD6M+7dYjSTRa92MsPTnEj6JeL7Yu8zpVKDZFjBTu49aL7PLhA53/ax Claf8jBaoEjhMuswUIeZk/okE1YbuDGsB5/NeScluZIBaZLfE+nl56IDHZUZkeHV tVUycwoll46oYoZwRtyiFDD1/yRxZDmyd4KGh7pEJ2mJmyTK0UBEf8bs2lClZLLE 4MxIMWQh6HM1hawkRu3ALb7v2t8SbJ9c8pTvRQ7T92qRmT03rY5HKyGNLwGsC76l 1NJ8lS8tZEM7/YlOHAXPLmQbvWj2gN2sMBLYbHG9/A9eIFT3DItb/xwr2mzgYKF5 62kguGfx/d/DilnBEkJHFpDttkL5hWmnbkZQAtQ5vQ0PICKlegYpyU6totXV4EWc KUzbldVpvRVMD6qpJA8Jc5S6Fg8W5ZM7Jre80bQmM8jxSwFkO5Ye0c51gexVTx5w 4s0pcwFE0IL4+MwOaesWnBkU0Q6VFPOTPrrN+ggUMxINLPMF34y6fVriOX9XX+NR iTHWmAya/hHmg5iWARLipBNrnVDZIWzh/vbKUEW6h6g89MxXeIAPZ7xEw7oq75Ic zekSqOfHlCc=2eoh -----END PGP SIGNATURE----- -- RHSA-announce mailing list
An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: mailman:2.1 security update Advisory ID: RHSA-2021:4837-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:4837 Issue date: 2021-11-24 CVE Names: CVE-2021-42096 CVE-2021-42097 ==================================================================== 1. Summary: An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64 3. Description: Mailman is a program used to help manage e-mail discussion lists. Security Fix(es): * mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097) * mailman: CSRF token derived from admin password allows offline brute-force attack (CVE-2021-42096) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2020568 - CVE-2021-42097 mailman: CSRF tokenbypass allows to perform CSRF attacks and account takeover 2020575 - CVE-2021-42096 mailman: CSRF token derived from admin password allows offline brute-force attack 6. Package List: Red Hat Enterprise Linux AppStream EUS (v. 8.2): Source: mailman-2.1.29-4.module+el8.2.0+13241+705a6aa4.3.src.rpm aarch64: mailman-2.1.29-4.module+el8.2.0+13241+705a6aa4.3.aarch64.rpm mailman-debuginfo-2.1.29-4.module+el8.2.0+13241+705a6aa4.3.aarch64.rpm mailman-debugsource-2.1.29-4.module+el8.2.0+13241+705a6aa4.3.aarch64.rpm ppc64le: mailman-2.1.29-4.module+el8.2.0+13241+705a6aa4.3.ppc64le.rpm mailman-debuginfo-2.1.29-4.module+el8.2.0+13241+705a6aa4.3.ppc64le.rpm mailman-debugsource-2.1.29-4.module+el8.2.0+13241+705a6aa4.3.ppc64le.rpm s390x: mailman-2.1.29-4.module+el8.2.0+13241+705a6aa4.3.s390x.rpm mailman-debuginfo-2.1.29-4.module+el8.2.0+13241+705a6aa4.3.s390x.rpm mailman-debugsource-2.1.29-4.module+el8.2.0+13241+705a6aa4.3.s390x.rpm x86_64: mailman-2.1.29-4.module+el8.2.0+13241+705a6aa4.3.x86_64.rpm mailman-debuginfo-2.1.29-4.module+el8.2.0+13241+705a6aa4.3.x86_64.rpm mailman-debugsource-2.1.29-4.module+el8.2.0+13241+705a6aa4.3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key 7. References: https://access.redhat.com/security/cve/CVE-2021-42096 https://access.redhat.com/security/cve/CVE-2021-42097 https://access.redhat.com/security/updates/classification#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIVAwUBYZ5PG9zjgjWX9erEAQiaWw/7BMfKu7e2FOZBC68J3F7k5ro49W3eFQj2 u4RtpPPgay+/fmdOXvfxlx/KV7La1vPui5wOLgvYOg2SJ3+sy78yaPjcHOpvrFan iHFBuqRFfHXJr5ZfAx/KrpVEugwqFX6cD7UAdF+gqdpiY4TS0w+c79dpmpYZ4Tps aWy2F3toXLhcIcdggUg6+v2F04yNuGlTGWlordzgrFuAcDpDCfjw+HLlvglzgxJO xFD69MGC8KDNAnQBeuTyhXPuYXlR/f5HtC083of+aS3OLyVLP1xWGTNcsWoblYSm XdYkkbNZM4R16Z7yQuR5DvhJA354eJMuZ1lMXHyjwrB1Eoxxu78Kf5Q0yNXqIn/n GRIoLXCpVnjsLKA5ytyhkY6K+ugIYZvnvrYhEGSpF1Vb/r+TCSkTqA4V3HkADUkO bhcwLm5SUEk+MAEmGoxUEEPTDrn9bv8+yfvvRCCNF0HIeNZ0CwlDIDbvMjDV4JA+ FwINkqjKWiddDONx3gBVn1w9BbhjAFcb7FNrklvgyiZ+WpnVc9qpC2BkJz40M/QY ECFOCB5z1ZZWMJ7TwXtTiYoJ+3IdPBOL8P7+e71GFL/POcd2J6L5qJqCzxUZA2zO kZuyc7AW5Rni55zV5dQNuF3pr6gW8HZv2Qi6siC0n+/h+/NbJ259hdLCzi86X6ms yGo32COQF3k=BJpx -----END PGP SIGNATURE----- -- RHSA-announce mailing list
An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: mailman:2.1 security update Advisory ID: RHSA-2021:4838-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:4838 Issue date: 2021-11-24 CVE Names: CVE-2021-42096 CVE-2021-42097 ==================================================================== 1. Summary: An update for the mailman:2.1 module is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64 3. Description: Mailman is a program used to help manage e-mail discussion lists. Security Fix(es): * mailman: CSRF token bypass allows to perform CSRF attacks and account takeover (CVE-2021-42097) * mailman: CSRF token derived from admin password allows offline brute-force attack (CVE-2021-42096) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2020568 - CVE-2021-42097 mailman: CSRF tokenbypass allows to perform CSRF attacks and account takeover 2020575 - CVE-2021-42096 mailman: CSRF token derived from admin password allows offline brute-force attack 6. Package List: Red Hat Enterprise Linux AppStream EUS (v. 8.1): Source: mailman-2.1.29-4.module+el8.1.0+13242+45286865.1.src.rpm aarch64: mailman-2.1.29-4.module+el8.1.0+13242+45286865.1.aarch64.rpm mailman-debuginfo-2.1.29-4.module+el8.1.0+13242+45286865.1.aarch64.rpm mailman-debugsource-2.1.29-4.module+el8.1.0+13242+45286865.1.aarch64.rpm ppc64le: mailman-2.1.29-4.module+el8.1.0+13242+45286865.1.ppc64le.rpm mailman-debuginfo-2.1.29-4.module+el8.1.0+13242+45286865.1.ppc64le.rpm mailman-debugsource-2.1.29-4.module+el8.1.0+13242+45286865.1.ppc64le.rpm s390x: mailman-2.1.29-4.module+el8.1.0+13242+45286865.1.s390x.rpm mailman-debuginfo-2.1.29-4.module+el8.1.0+13242+45286865.1.s390x.rpm mailman-debugsource-2.1.29-4.module+el8.1.0+13242+45286865.1.s390x.rpm x86_64: mailman-2.1.29-4.module+el8.1.0+13242+45286865.1.x86_64.rpm mailman-debuginfo-2.1.29-4.module+el8.1.0+13242+45286865.1.x86_64.rpm mailman-debugsource-2.1.29-4.module+el8.1.0+13242+45286865.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key 7. References: https://access.redhat.com/security/cve/CVE-2021-42096 https://access.redhat.com/security/cve/CVE-2021-42097 https://access.redhat.com/security/updates/classification#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIVAwUBYZ5PF9zjgjWX9erEAQjSgA/9H3ZmrqWVl8jnlbhLgCdNIea3ov1xUsf2 GCorL3sypteQr0jmZ8LmlIV/hmcs3u9gz4rr6V6Za55smf8bRS6zjZ2o4OlQguII RwBgEqsps1SJwQpk0OY9YVnbqqr6c/CboS600HvYCuCnBqgUZxA8CLCf7XyG89n0 4i6EOcfX+k13i+FWDPBFtxY7dpct43F+p44RiSg/B0O4YaZxIpbBMfnXg0WXywR5 WgGqaH7UsC3dnPdn7HdWGmLADQ5uGWa0i/2Mj8boIa/1QPxY8JUdfKfA1eS8+KBt Jf0FG+TYsyKGbU8QuQ6AjFSqojbN1KNZUj0VP+OKZjkwnfHx1HKAa2/EgMzsaNsK Q4yavT4PZa7HcY62Y+wM5KaFWGxsDfALHo+/YoQsRc9ZEYf54ZLzR/aMg/0AFYoi VGCCSi7zWzX4ygeGcqgH/GePWhmIEXGg78Wfv/mgjv/Vyc1Mjki5QBf4vcC8xVKk HNJCaVlDwHfEs55m5am3JyKeFjPh9xAkpp/PGELXNeoqnPzFH0aAQdqwThQ3tWe0 LTkohkmrjpdWlgrNI70/fe0vkQu1cHOvIiSjNO8NVKKWKWj8SiRctn0yKDihMlt2 eEyAuG9gfEhllCGRhDyz9CT31tw4pRMCf+dCI5crODHWWelRE+Pb2SorKJim9lOL pBEUJqr7qww=jDC7 -----END PGP SIGNATURE----- -- RHSA-announce mailing list
- Update to 1.2.12 Release notes: . --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2020-8560db8779 2020-06-05 02:28:39.634538 --------------------------------------------------------------------------------Name : cacti-spine Product : Fedora 32 Version : 1.2.12 Release : 1.fc32 URL : Summary : Threaded poller for Cacti written in C Description : Spine is a supplemental poller for Cacti that makes use of pthreads to achieve excellent performance. --------------------------------------------------------------------------------Update Information: - Update to 1.2.12 Release notes: --------------------------------------------------------------------------------ChangeLog: * Wed May 27 2020 Morten Stevens - 1.2.12-1 - Update to 1.2.12 --------------------------------------------------------------------------------References: [ 1 ] Bug #1830785 - cacti-1.2.12 is available https://bugzilla.redhat.com/show_bug.cgi?id=1830785 [ 2 ] Bug #1840312 - CVE-2020-13231 cacti: CSRF at admin email [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1840312 [ 3 ] Bug #1840317 - CVE-2020-13230 cacti: improper access control on disabling a user [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1840317 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-8560db8779' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list--
Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Side Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create files on the server, disclose private information, create open . - ------------------------------------------------------------------------- Debian Security Advisory DSA-4677-1
Get the latest Linux and open source security news straight to your inbox.