
Explore Latest Linux Security advisories


Mageia 9: 2024-0317 moderate: Python memory race, email header injection

MGASA-2024-0317 - Updated python3 packages fix security vulnerabilities
Publication date: 27 Sep 2024
URL: https://advisories.mageia.org/MGASA-2024-0317.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-0397, CVE-2024-4032, CVE-2024-6923, CVE-2024-8088, CVE-2024-6232, CVE-2024-7592, CVE-2015-2104, CVE-2023-27043

A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. (CVE-2024-0397)

The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. (CVE-2024-4032)

The email module didn’t properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized. (CVE-2024-6923)

When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc.) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected. (CVE-2024-8088)

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. (CVE-2024-6232)

When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value. (CVE-2024-7592)

Urlparse insufficient validation leads to open redirect. (CVE-2015-2104)

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC 2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python. (CVE-2023-27043)

References:
- https://bugs.mageia.org/show_bug.cgi?id=33436
- https://www.openwall.com/lists/oss-security/2024/06/17/2
- https://www.openwall.com/lists/oss-security/2024/06/17/3
- https://www.openwall.com/lists/oss-security/2024/08/01/3
- https://www.openwall.com/lists/oss-security/2024/08/22/1
- https://www.openwall.com/lists/oss-security/2024/09/03/5
- https://www.openwall.com/lists/oss-security/2024/09/07/3
- https://www.cve.org/CVERecord?id=CVE-2024-0397
- https://www.cve.org/CVERecord?id=CVE-2024-4032
- https://www.cve.org/CVERecord?id=CVE-2024-6923
- https://www.cve.org/CVERecord?id=CVE-2024-8088
- https://www.cve.org/CVERecord?id=CVE-2024-6232
- https://www.cve.org/CVERecord?id=CVE-2024-7592
- https://www.cve.org/CVERecord?id=CVE-2015-2104
- https://www.cve.org/CVERecord?id=CVE-2023-27043

SRPMS:
- 9/core/python3-3.10.11-1.3.mga9

The updated python3 packages for Mageia 9 fix the memory race in SSLContext certificate loading, the email header injection and address-parsing flaws, and the zipfile, tarfile and cookie-parsing denial-of-service issues listed above. Release date: 27 September 2024.
Tags: Python Security, Mageia Advisory, TLS Handshake Issues, Memory Race Condition, Email Serialization
LinuxSecurity.com Team

Sep 27, 2024 | Mageia
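Two application-side checks for the email-module issues in this advisory: CVE-2024-6923 (header injection through unquoted newlines) and CVE-2023-27043 (the wrong addr-spec chosen when a domain allow-list is enforced). This is an added example, not code from Mageia or CPython. The sender address, the allow-listed domain company.example.com (the advisory's own illustration) and the probe strings are constructed. The hardened address check deliberately does not rely on email.utils.parseaddr(), whose result for crafted input depends on the interpreter version:

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr


class HeaderInjectionError(ValueError):
    """Raised when a header value would start a new header line."""


def set_header_safely(msg: EmailMessage, name: str, value: str) -> None:
    """Reject header values containing CR or LF before they reach the message.

    This is the CVE-2024-6923 pattern: on an unpatched interpreter a value such
    as 'Welcome\\r\\nBcc: eve@evil.example' is serialized verbatim and the
    embedded line becomes a second header. Checking at the application boundary
    does not depend on the interpreter's email module being fixed.
    """
    if "\r" in value or "\n" in value:
        raise HeaderInjectionError(f"CR/LF in header {name!r}: {value!r}")
    msg[name] = value


def build_message(to: str, subject: str, body: str = "Hello") -> str:
    """Assemble a message with the guarded setter and return it serialized."""
    msg = EmailMessage()
    set_header_safely(msg, "From", "noreply@company.example.com")  # hypothetical sender
    set_header_safely(msg, "To", to)
    set_header_safely(msg, "Subject", subject)
    msg.set_content(body)
    return msg.as_string()


# One bare addr-spec: printable local part, exactly one '@', a dotted domain.
# Display names, angle brackets, comments and whitespace are all rejected.
_ADDR_SPEC = re.compile(
    r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
)


def allowed_via_parseaddr(submitted: str, allowed_domain: str) -> bool:
    """The weak pattern CVE-2023-27043 bypasses: trust whichever addr-spec
    parseaddr() extracts. For crafted input containing a special character the
    extracted address differs between interpreter versions, so this must not
    gate access. Kept here only for contrast."""
    _, addr = parseaddr(submitted)
    return addr.rpartition("@")[2].lower() == allowed_domain.lower()


def allowed_strict(submitted: str, allowed_domain: str) -> bool:
    """Hardened allow-list check: the whole submitted string must itself be a
    single bare addr-spec, and its domain must equal the allow-listed domain."""
    if not _ADDR_SPEC.fullmatch(submitted):
        return False
    domain = submitted.rpartition("@")[2]
    return domain.lower() == allowed_domain.lower()


if __name__ == "__main__":
    print(build_message("alice@company.example.com", "Welcome"))
    probes = [  # constructed inputs
        "alice@company.example.com",
        "eve@evil.example<alice@company.example.com>",
        "alice@company.example.com\r\nBcc: eve@evil.example",
    ]
    for p in probes:
        print(f"{p!r}: strict={allowed_strict(p, 'company.example.com')}")
```

The guarded setter raises before a CR or LF ever reaches the message, so it protects an unpatched interpreter as well; allowed_strict() accepts only a bare addr-spec whose domain matches the allow-list, which removes the parser's choice of addr-spec from the decision entirely.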

Ubuntu 24.04 LTS Security Advisory USN-6939-1: Exim MIME Bypass

==========================================================================
Ubuntu Security Notice USN-6939-1
July 31, 2024

exim4 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:
Exim could be made to bypass a MIME filename extension-blocking protection mechanism if it received specially crafted input.

Software Description:
- exim4: Exim is a mail transport agent

Details:
Phillip Szelat discovered that Exim misparses multiline MIME header filenames. A remote attacker could use this issue to bypass a MIME filename extension-blocking protection mechanism and possibly deliver executable attachments to the mailboxes of end users.

Update instructions:
The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04 LTS
  exim4        4.97-4ubuntu4.1
  exim4-base   4.97-4ubuntu4.1
  eximon4      4.97-4ubuntu4.1

Ubuntu 22.04 LTS
  exim4        4.95-4ubuntu2.6
  exim4-base   4.95-4ubuntu2.6
  eximon4      4.95-4ubuntu2.6

Ubuntu 20.04 LTS
  exim4        4.93-13ubuntu1.12
  exim4-base   4.93-13ubuntu1.12
  eximon4      4.93-13ubuntu1.12

Ubuntu 18.04 LTS
  exim4        4.90.1-1ubuntu1.10+esm5   Available with Ubuntu Pro
  exim4-base   4.90.1-1ubuntu1.10+esm5   Available with Ubuntu Pro
  eximon4      4.90.1-1ubuntu1.10+esm5   Available with Ubuntu Pro

Ubuntu 16.04 LTS
  exim4        4.86.2-2ubuntu2.6+esm8    Available with Ubuntu Pro
  exim4-base   4.86.2-2ubuntu2.6+esm8    Available with Ubuntu Pro
  eximon4      4.86.2-2ubuntu2.6+esm8    Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6939-1
CVE-2024-39929

Package Information:
https://launchpad.net/ubuntu/+source/exim4/4.97-4ubuntu4.1
https://launchpad.net/ubuntu/+source/exim4/4.95-4ubuntu2.6
https://launchpad.net/ubuntu/+source/exim4/4.93-13ubuntu1.12

The update for Exim on Ubuntu fixes a flaw that let crafted multiline MIME header filenames slip past filename extension blocking.
Tags: Exim Security, Ubuntu Updates, Email Security, MIME Bypass, Linux Advisory
Severity: Critical
LinuxSecurity.com Team

Jul 31, 2024 | Critical | Ubuntu
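The notice above describes an attachment filter defeated by a filename that spans more than one physical header line. The following added example (not Exim's code; the three MIME parts and the extension block-list are constructed here) shows the class of failure: a line-oriented check that reads filename= from the Content-Disposition line alone misses a folded header and an RFC 2231 parameter continuation, while a check that unfolds the header and reassembles the parameters first sees the same name in all three cases:

```python
import email
import re
from pathlib import PurePosixPath
from typing import Optional

# Example block-list; a local policy choice, not Exim's configuration.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs"}

# Constructed MIME part headers. All three carry the same attachment name.
SINGLE_LINE = (
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.exe"\r\n'
    b"\r\n"
    b"MZ...\r\n"
)
# Same header folded: the parameter sits on a continuation line.
FOLDED = (
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment;\r\n"
    b'  filename="invoice.exe"\r\n'
    b"\r\n"
    b"MZ...\r\n"
)
# RFC 2231 parameter continuations: the name is split across filename*0 and filename*1.
CONTINUED = (
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment;\r\n"
    b'  filename*0="invoice.";\r\n'
    b'  filename*1="exe"\r\n'
    b"\r\n"
    b"MZ...\r\n"
)
BENIGN = (
    b"Content-Type: application/pdf\r\n"
    b'Content-Disposition: attachment; filename="report.pdf"\r\n'
    b"\r\n"
    b"%PDF-1.4\r\n"
)


def naive_filename(raw: bytes) -> Optional[str]:
    """Line-oriented extraction: reads filename= from the physical
    Content-Disposition line only and ignores continuation lines. A folded
    or continued header yields no name, so a block-list built on this lets
    the attachment through."""
    for line in raw.split(b"\r\n"):
        if line.lower().startswith(b"content-disposition:"):
            m = re.search(rb'filename="([^"]*)"', line)
            return m.group(1).decode("ascii", "replace") if m else None
    return None


def parsed_filename(raw: bytes) -> Optional[str]:
    """Unfold the header and reassemble RFC 2231 continuations before
    reading the name, by handing the part to the stdlib MIME parser."""
    return email.message_from_bytes(raw).get_filename()


def is_blocked(filename: Optional[str]) -> bool:
    """Extension check on the recovered name, case-insensitive."""
    if not filename:
        return False
    return PurePosixPath(filename.strip()).suffix.lower() in BLOCKED_EXTENSIONS


def naive_blocks(raw: bytes) -> bool:
    return is_blocked(naive_filename(raw))


def hardened_blocks(raw: bytes) -> bool:
    return is_blocked(parsed_filename(raw))


if __name__ == "__main__":
    for label, raw in [("single-line", SINGLE_LINE), ("folded", FOLDED),
                       ("rfc2231", CONTINUED), ("benign", BENIGN)]:
        print(f"{label:12} naive={naive_blocks(raw)!s:5} hardened={hardened_blocks(raw)}")
```

The practical rule the comparison illustrates: any policy keyed on a MIME parameter must run on the fully decoded parameter value, after header unfolding and RFC 2231 reassembly, never on a regular expression over the raw header bytes.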

Ubuntu 20.04 LTS USN-6356-1 Critical: OpenDMARC Input Issues

==========================================================================
Ubuntu Security Notice USN-6356-1
September 11, 2023

opendmarc vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:
Several security issues were fixed in OpenDMARC.

Software Description:
- opendmarc: Open Source implementation of the DMARC specification

Details:
Jianjun Chen, Vern Paxson and Jian Jiang discovered that OpenDMARC incorrectly handled certain inputs. If a user or an automated system were tricked into receiving crafted inputs, an attacker could possibly use this to falsify the domain of an e-mail's origin. (CVE-2020-12272)

Patrik Lantz discovered that OpenDMARC incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2020-12460)

Update instructions:
The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS:
  libopendmarc2   1.3.2-7ubuntu0.1
  opendmarc       1.3.2-7ubuntu0.1

Ubuntu 18.04 LTS:
  libopendmarc2   1.3.2-3ubuntu0.2
  opendmarc       1.3.2-3ubuntu0.2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  libopendmarc2   1.3.1+dfsg-3ubuntu0.1~esm1
  opendmarc       1.3.1+dfsg-3ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6356-1
CVE-2020-12272, CVE-2020-12460

Package Information:
https://launchpad.net/ubuntu/+source/opendmarc/1.3.2-7ubuntu0.1
https://launchpad.net/ubuntu/+source/opendmarc/1.3.2-3ubuntu0.2

Two OpenDMARC vulnerabilities are fixed for Ubuntu 20.04 LTS, 18.04 LTS and 16.04 LTS (with Ubuntu Pro): an origin-domain spoofing issue and a denial of service. Updating is strongly advised.
Tags: OpenDMARC Issues, Ubuntu Security Notice, Update Recommendations
Severity: Critical
LinuxSecurity.com Team

Sep 11, 2023 | Critical | Ubuntu

Debian 9: DLA-2930-1 Critical: Thunderbird Out-Of-Bounds Issue

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2930-1                https://www.debian.org/lts/security/
Emilio Pozuelo Monfort                        March 01, 2022
                                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : thunderbird
Version        : 1:91.6.1-1~deb9u1
CVE ID         : CVE-2022-0566

An out-of-bounds write was discovered in Thunderbird, which could be triggered via a malformed email message.

For Debian 9 stretch, this problem has been fixed in version 1:91.6.1-1~deb9u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/thunderbird

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS

Debian LTS advisory DLA-2930-1 fixes an out-of-bounds write in Thunderbird (CVE-2022-0566) reachable through a malformed email message; users of Debian 9 stretch should update.
Tags: Debian LTS, Thunderbird Security, Email Vulnerability
Severity: Critical
LinuxSecurity.com Team

Mar 01, 2022 | Critical | Debian LTS

Mageia 7: Advisory 2021-0078 Moderate: Email MIME Memory Exhaustion DoS

MGASA-2021-0078 - Updated perl-Email-MIME and perl-Email-MIME-ContentType packages fix security vulnerability
Publication date: 10 Feb 2021
URL: https://advisories.mageia.org/MGASA-2021-0078.html
Type: security
Affected Mageia releases: 7

Messages with too many tiny nested MIME parts can lead to memory exhaustion on split(), resulting in denial of service (rhbz#1835353). This update limits the number of nested MIME parts to 10 (by default), to avoid a possible memory exhaustion issue with lots of tiny MIME parts.

References:
- https://bugs.mageia.org/show_bug.cgi?id=26757
- https://lists.fedoraproject.org/archives/list/.../thread/VJFUIVJOQGZOYF4Q4RXPBJTBBZD5LXVK/
- https://lists.fedoraproject.org/archives/list/.../thread/3PWODHVD5ZKQBY2OYBTFPBETUOOJA33D/

SRPMS:
- 7/core/perl-Email-MIME-1.949.0-3.1.mga7
- 7/core/perl-Email-MIME-ContentType-1.24.0-3.1.mga7

This moderate-severity update fixes a memory exhaustion denial of service in Mageia 7's perl-Email-MIME packages by capping the number of nested MIME parts (10 by default).
Tags: Mageia, Email MIME, Perl Packages, Security Update, Denial of Service
LinuxSecurity.com Team

Feb 10, 2021 | Mageia
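The defence the advisory describes is a hard cap on MIME nesting. The added example below is a Python illustration of that cap, not the Perl Email::MIME fix: it builds a constructed message with a chosen number of multipart/mixed wrappers, then walks the tree with an explicit stack and refuses to descend past the limit. The limit of 10 is taken from the advisory's default; note that the stdlib parser has already read the whole tree by the time the walk runs, so in an MTA the same limit belongs inside the parser, as Email::MIME applies it:

```python
import email
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# The advisory's default cap for Email::MIME, adopted here as the local limit.
MAX_NESTING = 10


class MimeTooDeep(ValueError):
    """Raised when a message nests multipart containers beyond the limit."""


def nested_message(depth: int) -> bytes:
    """Constructed test input: `depth` multipart/mixed wrappers around one text part."""
    part = MIMEText("leaf")
    for _ in range(depth):
        wrapper = MIMEMultipart("mixed")
        wrapper.attach(part)
        part = wrapper
    part["Subject"] = "nested"
    return part.as_bytes()


def count_parts(raw: bytes, max_depth: int = MAX_NESTING) -> int:
    """Walk the MIME tree iteratively and refuse to go deeper than max_depth.

    An explicit stack rather than recursion means a hostile depth cannot
    exhaust the call stack before the limit check fires. The top-level
    entity is depth 0, so a message with max_depth wrappers is accepted
    and one with max_depth + 1 is rejected.
    """
    msg = email.message_from_bytes(raw)
    total = 0
    stack = [(msg, 0)]  # (part, depth)
    while stack:
        part, depth = stack.pop()
        if depth > max_depth:
            raise MimeTooDeep(f"MIME nesting depth {depth} exceeds limit {max_depth}")
        total += 1
        if part.is_multipart():
            for sub in part.get_payload():
                stack.append((sub, depth + 1))
    return total


if __name__ == "__main__":
    for depth in (3, MAX_NESTING, MAX_NESTING + 1):
        try:
            print(f"depth {depth}: {count_parts(nested_message(depth))} parts")
        except MimeTooDeep as exc:
            print(f"depth {depth}: rejected ({exc})")
```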

Scientific Linux 7: SLSA-2020-0576-1 Important: Thunderbird Security Fixes

Synopsis: Important: thunderbird security update
Advisory ID: SLSA-2020:0576-1
Issue Date: 2020-02-24
CVE Numbers: CVE-2020-6792, CVE-2020-6793, CVE-2020-6794, CVE-2020-6795, CVE-2020-6798, CVE-2020-6800
--
Security Fix(es):
Mozilla: Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5 (CVE-2020-6800)
Mozilla: Out-of-bounds read when processing certain email messages (CVE-2020-6793)
Mozilla: Setting a master password post-Thunderbird 52 does not delete unencrypted previously stored passwords (CVE-2020-6794)
Mozilla: Crash processing S/MIME messages with multiple signatures (CVE-2020-6795)
Mozilla: Incorrect parsing of template tag could result in JavaScript injection (CVE-2020-6798)
Mozilla: Message ID calculation was based on uninitialized data (CVE-2020-6792)
--
SL7
  x86_64
    thunderbird-68.5.0-1.el7_7.x86_64.rpm
    thunderbird-debuginfo-68.5.0-1.el7_7.x86_64.rpm

- Scientific Linux Development Team

This Thunderbird update for Scientific Linux 7 fixes the memory safety bugs listed above together with an out-of-bounds read, a master-password handling flaw, an S/MIME crash, a JavaScript injection through template-tag parsing and a Message-ID derived from uninitialized data.
Tags: Thunderbird Security, Mozilla Updates, Email Safety Issues
Severity: Important
LinuxSecurity.com Team

Feb 25, 2020 | Important | Scientific Linux

Debian: DSA-2233-1 Critical: Postfix Vulnerabilities

-------------------------------------------------------------------------
Debian Security Advisory DSA-2233-1                http://www.debian.org/security/
Florian Weimer                                     May 10, 2011
                                                   http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : postfix
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2009-2939 CVE-2011-0411 CVE-2011-1720

Several vulnerabilities were discovered in Postfix, a mail transfer agent. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2009-2939
  The postinst script grants the postfix user write access to /var/spool/postfix/pid, which might allow local users to conduct symlink attacks that overwrite arbitrary files.

CVE-2011-0411
  The STARTTLS implementation does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place.

CVE-2011-1720
  A heap-based read-only buffer overflow allows malicious clients to crash the smtpd server process using a crafted SASL authentication request.

For the oldstable distribution (lenny), these problems have been fixed in version 2.5.5-1.1+lenny1.

For the stable distribution (squeeze), these problems have been fixed in version 2.7.1-1+squeeze1.

For the unstable distribution (sid), these problems have been fixed in version 2.8.0-1.

We recommend that you upgrade your postfix packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Debian DSA-2233-1 fixes three Postfix vulnerabilities: a local symlink attack through the pid directory, plaintext command injection across STARTTLS, and an smtpd crash triggered by a crafted SASL request. Updating the mail transfer agent is advised.
Tags: Postfix Update, Remote Attacks, Debian Security Advisory, Mail Transfer Agent
Severity: Critical
LinuxSecurity.com Team

May 10, 2011 | Critical | Debian
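CVE-2011-0411 above is the STARTTLS plaintext-injection flaw: bytes a server has already read from the socket in cleartext are executed after the TLS handshake as if the client had sent them encrypted. The added model below is not Postfix's code and performs no real TLS; it reproduces only the buffering decision. With discard_pending=False the leftover cleartext survives the switch (the flaw); with discard_pending=True the input buffer is emptied when TLS starts (the fix, equivalent to rejecting STARTTLS while bytes are pending). The traffic, including the attacker's appended commands, is constructed:

```python
from typing import List, Tuple

Event = Tuple[str, str]  # (command line, "clear" or "tls")


class SmtpStartTlsModel:
    """Minimal model of a server's command loop around STARTTLS."""

    def __init__(self, discard_pending: bool) -> None:
        self.discard_pending = discard_pending
        self.tls = False
        self.buf = b""
        self.log: List[Event] = []

    def feed(self, data: bytes) -> None:
        """One recv() worth of bytes. Before STARTTLS completes they are
        cleartext; afterwards the caller passes already-decrypted data."""
        self.buf += data
        while b"\r\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\r\n")
            # Record which channel the server *believes* the command arrived on.
            self.log.append((line.decode("ascii", "replace"), "tls" if self.tls else "clear"))
            if line.strip().upper() == b"STARTTLS":
                # A real server sends 220 and runs the handshake here.
                self.tls = True
                if self.discard_pending:
                    # Anything read before the handshake was never protected
                    # by it; the fixed server throws it away.
                    self.buf = b""
                # The vulnerable server keeps looping over the old buffer and
                # attributes its cleartext contents to the TLS session.


def run(segments: List[bytes], discard_pending: bool) -> List[Event]:
    """Replay the constructed segments through the model and return its log."""
    session = SmtpStartTlsModel(discard_pending)
    for segment in segments:
        session.feed(segment)
    return session.log


# Constructed traffic. The client sends STARTTLS; an attacker in the middle
# appends cleartext commands to the same TCP segment. After the handshake the
# genuine client sends its own (now encrypted) MAIL FROM.
CLIENT_EHLO = b"EHLO client.example\r\n"
TAMPERED_STARTTLS = b"STARTTLS\r\nRSET\r\nMAIL FROM:<attacker@evil.example>\r\n"
CLIENT_AFTER_TLS = b"MAIL FROM:<alice@client.example>\r\n"
SESSION = [CLIENT_EHLO, TAMPERED_STARTTLS, CLIENT_AFTER_TLS]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"discard_pending={mode}")
        for cmd, channel in run(SESSION, mode):
            print(f"  [{channel:5}] {cmd}")
```

In the vulnerable run the attacker's RSET and MAIL FROM appear in the log as TLS-channel commands even though they were sent in the clear; in the fixed run only the genuine post-handshake MAIL FROM does. The same check applies to any protocol that upgrades a connection in place (SMTP, IMAP, POP3, FTP with AUTH TLS): read nothing ahead of the upgrade command, or discard whatever was read.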