Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -2 articles for you...
89
security advisorydenial of servicefedoraFedora 35: 2022-3969b64d4b Critical Denial of Service Updates
Rebuild for CVE-2022-{24675,28327,29526} in golang and other go ecosystem CVEs --- This contains the result from the mass rebuild in F35 for all packages that require `golang` and provide binaries to mitigate the following CVEs: `golang` itself: - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar -. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2022-3969b64d4b 2022-07-17 00:57:11.020145 --------------------------------------------------------------------------------Name : golang-github-a8m-envsubst Product : Fedora 35 Version : 1.3.0 Release : 2.fc35 URL : https://github.com/a8m/envsubst Summary : Environment variables substitution for Go Description : Go package for substituting environment variables. --------------------------------------------------------------------------------Update Information: Rebuild for CVE-2022-{24675,28327,29526} in golang and other go ecosystem CVEs --- This contains the result from the mass rebuild in F35 for all packages that require `golang` and provide binaries to mitigate the following CVEs: `golang` itself: - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode -CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar -CVE-2022-29526 golang: syscall: faccessat checks wrong group (There are some Go CVEs that are a little bit older that will also be mitigated by the rebuild for packages that haven't been updated recently) CVEs in other golang libraries that affect a subset of Go packages: - CVE-2022-21698 golang-github-prometheus-client: prometheus/client_golang: Denial of service using InstrumentHandlerCounter - CVE-2022-1996 go-restful: Authorization Bypass Through User-Controlled Key ---- Initial import for golang-github-a8m-envsubst Resolves: rhbz#2074406 ---- Initial package Resolves: rhbz#2074438 ----Update tov3.14.0 (close rhbz#2105612) ---- Fix merge ---- Update to 1.22.1 - Close: rhbz#2077577 --------------------------------------------------------------------------------ChangeLog: * Sat Jul 9 2022 Maxwell G - 1.3.0-2 - Rebuild for CVE-2022-{24675,28327,29526} in golang * Wed Jun 29 2022 Julien Rische - 1.3.0-1 - Initial package - Resolves: rhbz#2074406 --------------------------------------------------------------------------------References: [ 1 ] Bug #2074406 - Review Request: golang-github-a8m-envsubst - Environment variables substitution for Go https://bugzilla.redhat.com/show_bug.cgi?id=2074406 [ 2 ] Bug #2074438 - Review Request: golang-github-goccy-yaml - YAML support for the Go language https://bugzilla.redhat.com/show_bug.cgi?id=2074438 [ 3 ] Bug #2077577 - powerline-go-1.22.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2077577 [ 4 ] Bug #2105612 - golang-github-task-3.14.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2105612 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2022-3969b64d4b' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Jul 16, 2022
•Critical
Fedora
89
security advisorycriticalsoftware updateFedora 32: 2020-76fcd0ba34 Critical: Podman Environment Variables Leak
autobuilt v2.1.0, Security fix for CVE-2020-14370. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2020-76fcd0ba34 2020-10-02 01:26:57.180439 --------------------------------------------------------------------------------Name : podman Product : Fedora 32 Version : 2.1.1 Release : 7.fc32 URL : https://podman.io/ Summary : Manage Pods, Containers and Container Images Description : podman (Pod Manager) is a fully featured container engine that is a simple daemonless tool. podman provides a Docker-CLI comparable command line that eases the transition from other container engines and allows the management of pods, containers and images. Simply put: alias docker=podman. Most podman commands can be run as a regular user, without requiring additional privileges. podman uses Buildah(1) internally to create container images. Both tools share image (not container) storage, hence each can use or manipulate images (but not containers) created by the other. Manage Pods, Containers and Container Images podman is a simple management tool for pods, containers and images --------------------------------------------------------------------------------Update Information: autobuilt v2.1.0, Security fix for CVE-2020-14370 --------------------------------------------------------------------------------ChangeLog: * Wed Sep 30 2020 Lokesh Mandvekar - 2:2.1.1-7 - fix crun gating test issue - bump release tag to preserve upgrade path * Wed Sep 30 2020 Lokesh Mandvekar - 2:2.1.1-6 - fedora Requires: crun-0.15-4 * Wed Sep 30 2020 Lokesh Mandvekar - 2:2.1.1-5 - fedora requires crun > = 0.15-3 * Sun Sep 27 2020 Lokesh Mandvekar - 2:2.1.1-4 - correct bad date in changelog * Sun Sep 27 2020 Lokesh Mandvekar - 2:2.1.1-3 - adjust deps for centos7 * Wed Sep 23 2020 Lokesh Mandvekar - 2:2.1.1-1 - bump to v2.1.1 * Wed Sep 23 2020 Lokesh Mandvekar - 2:2.1.0-2 - podman-plugins is a weak depfor podman * Tue Sep 22 2020 RH Container Bot - 2:2.1.0-1 - autobuilt v2.1.0 - Resolves: #1874268, #1881345 - CVE-2020-14370 * Fri Sep 18 2020 Lokesh Mandvekar - 2:2.1.0-0.5.rc2 - fix release tag * Thu Sep 17 2020 RH Container Bot - 2:2.1.0-0.4.rc1 - autobuilt v2.1.0-rc2 * Wed Sep 16 2020 Lokesh Mandvekar - 2:2.1.0-0.3.rc1 - plugins requires dnsmasq * Mon Sep 14 2020 Lokesh Mandvekar - 2:2.1.0-0.2.rc1 - use correct release tag * Mon Sep 14 2020 RH Container Bot - 2:2.1.0-0.1.rc1 - autobuilt v2.1.0-rc1 --------------------------------------------------------------------------------References: [ 1 ] Bug #1874268 - CVE-2020-14370 podman: environment variables leak between containers when started via Varlink or Docker-compatible REST API https://bugzilla.redhat.com/show_bug.cgi?id=1874268 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-76fcd0ba34' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Oct 01, 2020
•Critical
Fedora
200
security advisorycode injectionScientific LinuxScientific Linux SL6: SLSA-2020-0515-1 Important Ksh Code Injection Fix
ksh: certain environment variables interpreted as arithmetic expressions on startup, leading to code injection (CVE-2019-14868) SL6 x86_64 ksh-20120801-38.el6_10.x86_64.rpm ksh-debuginfo-20120801-38.el6_10.x86_64.rpm i386 ksh-20120801-38.el6_10.i686.rpm ksh-debuginfo-20120801-38.el6_10.i686.rpm - Scientific Linux Development Team. Synopsis: Important: ksh security update Advisory ID: SLSA-2020:0515-1 Issue Date: 2020-02-17 CVE Numbers: None -- Security Fix(es): * ksh: certain environment variables interpreted as arithmetic expressions on startup, leading to code injection (CVE-2019-14868) -- SL6 x86_64 ksh-20120801-38.el6_10.x86_64.rpm ksh-debuginfo-20120801-38.el6_10.x86_64.rpm i386 ksh-20120801-38.el6_10.i686.rpm ksh-debuginfo-20120801-38.el6_10.i686.rpm - Scientific Linux Development Team . Urgent ksh security patch released for Scientific Linux focusing on threat mitigation related to code execution vulnerabilities under defined scenarios.. ksh Security Update, Scientific Linux Advisory, Code Injection Issue, Environment Variable Misinterpretation. . Severity: Important. LinuxSecurity.com Team
Feb 17, 2020
•Important
Scientific Linux
89
security advisoryFedoracode injectionFedora 31: FEDORA-2020-d940aca772 Critical: Ksh Env Var Vulnerability
Do not evaluate arithmetic expressions from environment variables at startup. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2020-d940aca772 2020-02-16 01:29:39.329571 --------------------------------------------------------------------------------Name : ksh Product : Fedora 31 Version : 2020.0.0 Release : 2.fc31 URL : http://www.kornshell.com/ Summary : The Original ATT Korn Shell Description : KornShell is a shell programming language, which is upward compatible with "sh" (the Bourne Shell). --------------------------------------------------------------------------------Update Information: Do not evaluate arithmetic expressions from environment variables at startup --------------------------------------------------------------------------------ChangeLog: * Fri Feb 7 2020 Siteshwar Vashisht - 1:2020.0.0-2 - Do not evaluate arithmetic expressions from environment variables at startup Resolves: #1790549 * Fri Oct 11 2019 Siteshwar Vashisht - 1:2020.0.0-1 - Rebase to 2020.0.0 --------------------------------------------------------------------------------References: [ 1 ] Bug #1790549 - CVE-2019-14868 ksh: environment variables on startup are interpreted as arithmetic expression leading to code injection [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1790549 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-d940aca772' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be foundat https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Feb 15, 2020
•Critical
Fedora
98
security advisorysecurity updateimportantRedHat: RHSA-2020-0431-01 Important: ksh Code Injection Threat
An update for ksh is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: ksh security update Advisory ID: RHSA-2020:0431-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:0431 Issue date: 2020-02-05 CVE Names: CVE-2019-14868 ==================================================================== 1. Summary: An update for ksh is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream E4S (v. 8.0) - aarch64, ppc64le, s390x, x86_64 3. Description: KornShell (ksh) is a Unix shell developed by AT&T Bell Laboratories, which is backward-compatible with the Bourne shell (sh) and includes many features of the C shell. The most recent version is KSH-93. KornShell complies with the POSIX.2 standard (IEEE Std 1003.2-1992). Security Fix(es): * ksh: certain environment variables interpreted as arithmetic expressions on startup, leading to code injection (CVE-2019-14868) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, referto: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1757324 - CVE-2019-14868 ksh: certain environment variables interpreted as arithmetic expressions on startup, leading to code injection 6. Package List: Red Hat Enterprise Linux AppStream E4S (v. 8.0): Source: ksh-20120801-253.el8_0.src.rpm aarch64: ksh-20120801-253.el8_0.aarch64.rpm ksh-debuginfo-20120801-253.el8_0.aarch64.rpm ksh-debugsource-20120801-253.el8_0.aarch64.rpm ppc64le: ksh-20120801-253.el8_0.ppc64le.rpm ksh-debuginfo-20120801-253.el8_0.ppc64le.rpm ksh-debugsource-20120801-253.el8_0.ppc64le.rpm s390x: ksh-20120801-253.el8_0.s390x.rpm ksh-debuginfo-20120801-253.el8_0.s390x.rpm ksh-debugsource-20120801-253.el8_0.s390x.rpm x86_64: ksh-20120801-253.el8_0.x86_64.rpm ksh-debuginfo-20120801-253.el8_0.x86_64.rpm ksh-debugsource-20120801-253.el8_0.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-14868 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIVAwUBXjqxzNzjgjWX9erEAQhAixAAnRhvcG+S+LBLnKxe5VgSNXM7qJ8yBxm+ jXqPABRRiPTfnvzkGuhmbHOeWMfQ2uwjBwoiaI4oSAvt0+wYiquvkX+IqXrI1v53 LJ+0NBc/yqpFzm1al1H8Xxf2H0/pJna9YINbweEvhRZWJXrP4KeVQhSGqunlZn4O bs/HvoSKk/ai9od9bj3cWdpRX1xEnWLRmDdWGKTdw1Leu20gRRedSJ6POXAWrcye yinmbPwlfdm2VLN5E/7r2RKt86LATRil6v5wLbL2VilYikF/jy6GSHNbTXXdKLs3 fRh9grhUmyonJgZRjXhGSMCeNsNfEkJqdSsBlgwmIj5isUU4+2H3vr4ZtoUBOZA7 pdp3+x9EzZxTTBmmVU4jkmGGMCX6FyAnBnkUsaA5XovCJpIqATZVDJ6EWxpp6V7/ qXv8EJRunrQ3XrWvY7zW0e3XDQryNj91CraplFgkdsCVhX+TiSIMniZ3EphtFsH2 F4eWrf8WAflj8bUajoRpGYb/svoEwlKlYmUIoqnNcsNK+y2T+6yO6VeYbQOX29zQ mIYO8yNqa1PR+S77E/XpA3ufLIhS8TZ9swMkX5IZfyiHkCKNh5f7uAH0Dz/k0pip V7N0BgJnRqA7hkCWGTtUk89do8sNo1QgG0oggWQI9T09441zxWo5NizkEIWBudiK 9meBnBEE7Xc=T2ua -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Feb 05, 2020
•Important
Red Hat
172
security advisoryprivilege escalationUbuntuUbuntu 14.10 USN-2579-1: Critical Autofs Privilege Escalation
autofs could be made to run programs as an administrator if program maps were configured.. =========================================================================Ubuntu Security Notice USN-2579-1 April 27, 2015 autofs vulnerability ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.10 Summary: autofs could be made to run programs as an administrator if program maps were configured. Software Description: - autofs: kernel-based automounter for Linux Details: It was discovered that autofs incorrectly filtered environment variables when using program maps. When program maps were configured, a local user could use this issue to escalate privileges. This update changes the default behaviour by adding a prefix to environment variables. Sites using program maps will need to adapt to the new variable names, or revert to the previous names by using a new configuration option called FORCE_STANDARD_PROGRAM_MAP_ENV. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.10: autofs 5.0.8-1ubuntu1.1 After a standard system update you need to reboot your computer to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-2579-1 CVE-2014-8169 Package Information: https://launchpad.net/ubuntu/+source/autofs/5.0.8-1ubuntu1.1 . A vulnerability in autofs may lead to privilege escalation due to misconfigured program maps within the Ubuntu 14.10 environment.. Ubuntu Security Notice, Autofs Privilege Escalation, Environment Variable Security. . Severity: Critical. LinuxSecurity.com Team
Apr 27, 2015
•Critical
Ubuntu
200
security advisorymoderatesecurity updateScientific Linux: 2010-06-15 Moderate: Sudo Security Patch for SL5.x
Moderate: sudo security update. Date: Wed, 16 Jun 2010 11:27:35 -0500 Reply-To: Troy Dawson Sender: Security Errata for Scientific Linux From: Troy Dawson Subject: Security ERRATA Moderate: sudo on SL5.x i386/x86_64 Comments: To: "
Jun 16, 2010
•Important
Scientific Linux
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!