Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 524
Alerts This Week
Warning Icon 1 524

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found 24 articles for you...
197

Debian: Critical DoS Vulnerability in libcommons-fileupload-java DLA-4245-1

Two security vulnerabilities have been found in libcommons-fileupload-java, a Java library that adds robust, high-performance, file upload capability to your servlets and web applications. . ------------------------------------------------------------------------- Debian LTS Advisory DLA-4245-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/lts/security/ Markus Koschany July 22, 2025 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : libcommons-fileupload-java Version : 1.4-1+deb11u1 CVE ID : CVE-2023-24998 CVE-2025-48976 Debian Bug : 1031733 1108120 Two security vulnerabilities have been found in libcommons-fileupload-java, a Java library that adds robust, high-performance, file upload capability to your servlets and web applications. CVE-2023-24998: Apache Commons FileUpload does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. CVE-2025-48976: Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. For Debian 11 bullseye, these problems have been fixed in version 1.4-1+deb11u1. We recommend that you upgrade your libcommons-fileupload-java packages. For the detailed security status of libcommons-fileupload-java please refer to its security tracker page at: https://security-tracker.debian.org/tracker/source-package/libcommons-fileupload-java Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS .Two significant security flaws identified in libcommons-fileupload-java necessitate urgent action and patching for Debian users.. Debian security, libcommons-fileupload-java update, DoS vulnerabilities, Java library security. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Jul 22, 2025 Critical Debian LTS
100

SUSE: 2024:0472-1 Critical: Tomcat DoS and Security Fixes

* bsc#1216118 * bsc#1216119 * bsc#1216120 * bsc#1217402 * bsc#1217649 . # Security update for tomcat Announcement ID: SUSE-SU-2024:0472-1 Rating: important References: * bsc#1216118 * bsc#1216119 * bsc#1216120 * bsc#1217402 * bsc#1217649 * bsc#1217768 * bsc#1219208 Cross-References: * CVE-2023-42794 * CVE-2023-42795 * CVE-2023-45648 * CVE-2023-46589 * CVE-2024-22029 CVSS scores: * CVE-2023-42794 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2023-42794 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2023-42795 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2023-42795 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2023-45648 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2023-45648 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2023-46589 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2023-46589 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2024-22029 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: * openSUSE Leap 15.5 * SUSE Enterprise Storage 7.1 * SUSE Linux Enterprise High Performance Computing 15 SP2 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 * SUSE Linux Enterprise High Performance Computing 15 SP3 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 * SUSE Linux Enterprise Server 15 SP2 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 * SUSE Linux Enterprise Server 15 SP3 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 * SUSE Linux Enterprise Server 15 SP5 * SUSELinux Enterprise Server for SAP Applications 15 SP2 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Manager Server 4.3 * Web and Scripting Module 15-SP5 An update that solves five vulnerabilities and has two security fixes can now be installed. ## Description: This update for tomcat fixes the following issues: Updated to Tomcat 9.0.85: * CVE-2023-45648: Improve trailer header parsing (bsc#1216118). * CVE-2023-42794: FileUpload: remove tmp files to avoid DoS on Windows (bsc#1216120). * CVE-2023-42795: Improve handling of failures during recycle() methods (bsc#1216119). * CVE-2023-46589: Fixed HTTP request smuggling due to incorrect headers parsing (bsc#1217649) * CVE-2024-22029: Fixed escalation to root from tomcat user via %post script. (bsc#1219208) The following non-security issues were fixed: * Fixed the file permissions for server.xml (bsc#1217768, bsc#1217402). Find the full release notes at: https://tomcat.apache.org/tomcat-9.0-doc/changelog.html ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2024-472=1 * Web and Scripting Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP5-2024-472=1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-472=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-472=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-472=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 zypper in-t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-472=1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-472=1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-472=1 * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-472=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-472=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-472=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-472=1 * SUSE Manager Server 4.3 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-472=1 * SUSE Enterprise Storage 7.1 zypper in -t patch SUSE-Storage-7.1-2024-472=1 ## Package List: * openSUSE Leap 15.5 (noarch) * tomcat-javadoc-9.0.85-150200.57.1 * tomcat-lib-9.0.85-150200.57.1 * tomcat-el-3_0-api-9.0.85-150200.57.1 * tomcat-servlet-4_0-api-9.0.85-150200.57.1 * tomcat-webapps-9.0.85-150200.57.1 * tomcat-admin-webapps-9.0.85-150200.57.1 * tomcat-9.0.85-150200.57.1 * tomcat-embed-9.0.85-150200.57.1 * tomcat-jsp-2_3-api-9.0.85-150200.57.1 * tomcat-docs-webapp-9.0.85-150200.57.1 * tomcat-jsvc-9.0.85-150200.57.1 * Web and Scripting Module 15-SP5 (noarch) * tomcat-lib-9.0.85-150200.57.1 * tomcat-el-3_0-api-9.0.85-150200.57.1 * tomcat-servlet-4_0-api-9.0.85-150200.57.1 * tomcat-webapps-9.0.85-150200.57.1 * tomcat-admin-webapps-9.0.85-150200.57.1 * tomcat-9.0.85-150200.57.1 * tomcat-jsp-2_3-api-9.0.85-150200.57.1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch) * tomcat-lib-9.0.85-150200.57.1 * tomcat-el-3_0-api-9.0.85-150200.57.1 *tomcat-servlet-4_0-api-9.0.85-150200.57.1 * tomcat-webapps-9.0.85-150200.57.1 * tomcat-admin-webapps-9.0.85-150200.57.1 * tomcat-9.0.85-150200.57.1 * tomcat-jsp-2_3-api-9.0.85-150200.57.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch) * tomcat-lib-9.0.85-150200.57.1 * tomcat-el-3_0-api-9.0.85-150200.57.1 * tomcat-servlet-4_0-api-9.0.85-150200.57.1 * tomcat-webapps-9.0.85-150200.57.1 * tomcat-admin-webapps-9.0.85-150200.57.1 * tomcat-9.0.85-150200.57.1 * tomcat-jsp-2_3-api-9.0.85-150200.57.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch) * tomcat-lib-9.0.85-150200.57.1 * tomcat-el-3_0-api-9.0.85-150200.57.1 * tomcat-servlet-4_0-api-9.0.85-150200.57.1 * tomcat-webapps-9.0.85-150200.57.1 * tomcat-admin-webapps-9.0.85-150200.57.1 * tomcat-9.0.85-150200.57.1 * tomcat-jsp-2_3-api-9.0.85-150200.57.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch) * tomcat-lib-9.0.85-150200.57.1 * tomcat-el-3_0-api-9.0.85-150200.57.1 * tomcat-servlet-4_0-api-9.0.85-150200.57.1 * tomcat-webapps-9.0.85-150200.57.1 * tomcat-admin-webapps-9.0.85-150200.57.1 * tomcat-9.0.85-150200.57.1 * tomcat-jsp-2_3-api-9.0.85-150200.57.1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch) * tomcat-lib-9.0.85-150200.57.1 * tomcat-el-3_0-api-9.0.85-150200.57.1 * tomcat-servlet-4_0-api-9.0.85-150200.57.1 * tomcat-webapps-9.0.85-150200.57.1 * tomcat-admin-webapps-9.0.85-150200.57.1 * tomcat-9.0.85-150200.57.1 * tomcat-jsp-2_3-api-9.0.85-150200.57.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch) * tomcat-lib-9.0.85-150200.57.1 * tomcat-el-3_0-api-9.0.85-150200.57.1 * tomcat-servlet-4_0-api-9.0.85-150200.57.1 * tomcat-webapps-9.0.85-150200.57.1 * tomcat-admin-webapps-9.0.85-150200.57.1 * tomcat-9.0.85-150200.57.1 * tomcat-jsp-2_3-api-9.0.85-150200.57.1 * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4(noarch) * tomcat-lib-9.0.85-150200.57.1 * tomcat-el-3_0-api-9.0.85-150200.57.1 * tomcat-servlet-4_0-api-9.0.85-150200.57.1 * tomcat-webapps-9.0.85-150200.57.1 * tomcat-admin-webapps-9.0.85-150200.57.1 * tomcat-9.0.85-150200.57.1 * tomcat-jsp-2_3-api-9.0.85-150200.57.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch) * tomcat-lib-9.0.85-150200.57.1 * tomcat-el-3_0-api-9.0.85-150200.57.1 * tomcat-servlet-4_0-api-9.0.85-150200.57.1 * tomcat-webapps-9.0.85-150200.57.1 * tomcat-admin-webapps-9.0.85-150200.57.1 * tomcat-9.0.85-150200.57.1 * tomcat-jsp-2_3-api-9.0.85-150200.57.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch) * tomcat-lib-9.0.85-150200.57.1 * tomcat-el-3_0-api-9.0.85-150200.57.1 * tomcat-servlet-4_0-api-9.0.85-150200.57.1 * tomcat-webapps-9.0.85-150200.57.1 * tomcat-admin-webapps-9.0.85-150200.57.1 * tomcat-9.0.85-150200.57.1 * tomcat-jsp-2_3-api-9.0.85-150200.57.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch) * tomcat-lib-9.0.85-150200.57.1 * tomcat-el-3_0-api-9.0.85-150200.57.1 * tomcat-servlet-4_0-api-9.0.85-150200.57.1 * tomcat-webapps-9.0.85-150200.57.1 * tomcat-admin-webapps-9.0.85-150200.57.1 * tomcat-9.0.85-150200.57.1 * tomcat-jsp-2_3-api-9.0.85-150200.57.1 * SUSE Manager Server 4.3 (noarch) * tomcat-lib-9.0.85-150200.57.1 * tomcat-el-3_0-api-9.0.85-150200.57.1 * tomcat-servlet-4_0-api-9.0.85-150200.57.1 * tomcat-webapps-9.0.85-150200.57.1 * tomcat-admin-webapps-9.0.85-150200.57.1 * tomcat-9.0.85-150200.57.1 * tomcat-jsp-2_3-api-9.0.85-150200.57.1 * SUSE Enterprise Storage 7.1 (noarch) * tomcat-lib-9.0.85-150200.57.1 * tomcat-el-3_0-api-9.0.85-150200.57.1 * tomcat-servlet-4_0-api-9.0.85-150200.57.1 * tomcat-webapps-9.0.85-150200.57.1 * tomcat-admin-webapps-9.0.85-150200.57.1 * tomcat-9.0.85-150200.57.1 * tomcat-jsp-2_3-api-9.0.85-150200.57.1 ##References: * https://www.suse.com/security/cve/CVE-2023-42794.html * https://www.suse.com/security/cve/CVE-2023-42795.html * https://www.suse.com/security/cve/CVE-2023-45648.html * https://www.suse.com/security/cve/CVE-2023-46589.html * https://www.suse.com/security/cve/CVE-2024-22029.html * https://bugzilla.suse.com/show_bug.cgi?id=1216118 * https://bugzilla.suse.com/show_bug.cgi?id=1216119 * https://bugzilla.suse.com/show_bug.cgi?id=1216120 * https://bugzilla.suse.com/show_bug.cgi?id=1217402 * https://bugzilla.suse.com/show_bug.cgi?id=1217649 * https://bugzilla.suse.com/show_bug.cgi?id=1217768 * https://bugzilla.suse.com/show_bug.cgi?id=1219208 . Important Tomcat security patch for SUSE tackles various vulnerabilities. Apply updates promptly to reduce potential threats efficiently.. SUSE Linux Advisory, Tomcat Important Patch, DoS Fix, Server Security Maintenance. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Feb 14, 2024 Important SuSE
202

openSUSE: 2023:0075-1 Moderate: Prevent DoS In File Uploads

An update that fixes one vulnerability is now available. . openSUSE Security Update: Security update for python-Django ______________________________________________________________________________ Announcement ID: openSUSE-SU-2023:0075-1 Rating: moderate References: #1208082 Cross-References: CVE-2023-24580 CVSS scores: CVE-2023-24580 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-24580 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: openSUSE Backports SLE-15-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: python-Django was update to fix: - CVE-2023-24580: Prevent DOS in file uploads. (bsc#1208082) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP4: zypper in -t patch openSUSE-2023-75=1 Package List: - openSUSE Backports SLE-15-SP4 (noarch): python3-Django1-1.11.29-bp154.2.3.1 References: https://www.suse.com/security/cve/CVE-2023-24580.html https://bugzilla.suse.com/1208082 . Boost protection with the newest openSUSE patch for python-Django tackling severe file transmission vulnerabilities.. openSUSE Backports, python-Django update, security fixes, moderate threat. . LinuxSecurity.com Team

Calendar%202 Mar 14, 2023 OpenSUSE
203

Mageia 8 MGASA-2022-0257 Moderate: PgAdmin4 File Upload Threat

A malicious, but authorised and authenticated user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account under which pgAdmin is running has permission to write. (CVE-2022-0959) . MGASA-2022-0257 - Updated pgadmin4 packages fix security vulnerability Publication date: 13 Jul 2022 URL: https://advisories.mageia.org/MGASA-2022-0257.html Type: security Affected Mageia releases: 8 CVE: CVE-2022-0959 A malicious, but authorised and authenticated user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account under which pgAdmin is running has permission to write. (CVE-2022-0959) In addition, missing requires have been added, file and directory permissions have been corrected. Upstream update check disabled. References: - https://bugs.mageia.org/show_bug.cgi?id=30385 - - https://www.cve.org/CVERecord?id=CVE-2022-0959 SRPMS: - 8/core/pgadmin4-4.30-5.mga8 . Mageia advisory MGASA-2022-0258 highlights vulnerabilities in the GIMP software, issuing an important patch on July 15, 2022.. Mageia Security Update, pgAdmin4 Issue, CSRF Vulnerability. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jul 13, 2022 Important Mageia
100

SUSE: 2022:1541-1 Important: Pgadmin4 File Upload Severity Important

An update that fixes one vulnerability is now available. . SUSE Security Update: Security update for pgadmin4 ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:1541-1 Rating: important References: #1197143 Cross-References: CVE-2022-0959 CVSS scores: CVE-2022-0959 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2022-0959 (SUSE): 7.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N Affected Products: SUSE Linux Enterprise High Performance Computing 15-SP3 SUSE Linux Enterprise High Performance Computing 15-SP4 SUSE Linux Enterprise Module for Server Applications 15-SP3 SUSE Linux Enterprise Module for Server Applications 15-SP4 SUSE Linux Enterprise Server 15-SP3 SUSE Linux Enterprise Server 15-SP4 SUSE Linux Enterprise Server for SAP Applications 15-SP3 SUSE Linux Enterprise Server for SAP Applications 15-SP4 SUSE Manager Proxy 4.2 SUSE Manager Server 4.2 openSUSE Leap 15.3 openSUSE Leap 15.4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for pgadmin4 fixes the following issues: - CVE-2022-0959: Fixed an unrestricted file upload (bsc#1197143). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.4: zypper in -t patch openSUSE-SLE-15.4-2022-1541=1 - openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2022-1541=1 - SUSE Linux Enterprise Module for Server Applications 15-SP4: zypper in -t patchSUSE-SLE-Module-Server-Applications-15-SP4-2022-1541=1 - SUSE Linux Enterprise Module for Server Applications 15-SP3: zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP3-2022-1541=1 Package List: - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64): pgadmin4-4.30-150300.3.3.1 pgadmin4-debuginfo-4.30-150300.3.3.1 - openSUSE Leap 15.4 (noarch): pgadmin4-doc-4.30-150300.3.3.1 pgadmin4-web-4.30-150300.3.3.1 pgadmin4-web-uwsgi-4.30-150300.3.3.1 - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): pgadmin4-4.30-150300.3.3.1 pgadmin4-debuginfo-4.30-150300.3.3.1 - openSUSE Leap 15.3 (noarch): pgadmin4-doc-4.30-150300.3.3.1 pgadmin4-web-4.30-150300.3.3.1 pgadmin4-web-uwsgi-4.30-150300.3.3.1 - SUSE Linux Enterprise Module for Server Applications 15-SP4 (aarch64 ppc64le s390x x86_64): pgadmin4-4.30-150300.3.3.1 pgadmin4-debuginfo-4.30-150300.3.3.1 - SUSE Linux Enterprise Module for Server Applications 15-SP4 (noarch): pgadmin4-doc-4.30-150300.3.3.1 pgadmin4-web-4.30-150300.3.3.1 - SUSE Linux Enterprise Module for Server Applications 15-SP3 (aarch64 ppc64le s390x x86_64): pgadmin4-4.30-150300.3.3.1 pgadmin4-debuginfo-4.30-150300.3.3.1 - SUSE Linux Enterprise Module for Server Applications 15-SP3 (noarch): pgadmin4-doc-4.30-150300.3.3.1 pgadmin4-web-4.30-150300.3.3.1 References: https://www.suse.com/security/cve/CVE-2022-0959.html https://bugzilla.suse.com/1197143 . A critical patch has been released for pgadmin4, addressing a security vulnerability related to unrestricted file uploads that was discovered in the recent SUSE Security Update.. SUSE Security Update, pgadmin4 Patch, Software Update, Threat Fix, File Upload Issue. . Severity: Important. LinuxSecurity.com Team

Calendar%202 May 04, 2022 Important SuSE
202

openSUSE 15.2: 2021:1424-1 Moderate: Civetweb File Upload Security

An update that fixes one vulnerability is now available. . openSUSE Security Update: Security update for civetweb ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:1424-1 Rating: moderate References: #1191938 Cross-References: CVE-2020-27304 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for civetweb fixes the following issues: Version 1.15: * boo#1191938 / CVE-2020-27304: missing uploaded filepath validation in the default form-based file upload mechanism * New configuration for URL decoding * Sanitize filenames in handle form * Example ???embedded_c.c???: Do not overwrite files (possible security issue) * Remove obsolete examples * Remove ???experimental??? label for some features * Remove MG_LEGACY_INTERFACE that have been declared obsolete in 2017 or earlier * Modifications to build scripts, required due to changes in the test environment * Unix domain socket support fixed * Fixes for NO_SSL_DL * Fixes for some warnings / static code analysis Version 1.14: * Change SSL default setting to use TLS 1.2 as minimum (set config if you need an earlier version) * Add local_uri_raw field (not sanitized URI) to request_info * Additional API functions and a callback after closing connections * Allow mbedTLS as OpenSSL alternative (basic functionality) * Add OpenSSL 3.0 support (OpenSSL 3.0 Alpha 13) * Support UNIX/Linux domain sockets * Fuzz tests and ossfuzz integration * Compression for websockets * Restructure some source files * Improve documentation * Fix HTTP range requests * Add some functions for Lua scripts/LSP * Build system specific fixes (CMake, MinGW) * Update 3rd party components (Lua, lfs, sqlite) * Allow Lua backgroundscript to use timers, format and filter logs * Remove WinCE code * Update version number Version 1.13: * Add arguments for CGI interpreters * Support multiple CGi interpreters * Buffering HTTP response headers, including API functions mg_response_header_* in C and Lua * Additional C API functions * Fix some memory leaks * Extended use of atomic operations (e.g., for server stats) * Add fuzz tests * Set OpenSSL 1.1 API as default (from 1.0) * Add Lua 5.4 support and deprecate Lua 5.1 * Provide additional Lua API functions * Fix Lua websocket memory leak when closing the server * Remove obsolete "file in memory" implementation * Improvements and fixes in documentation * Fixes from static source code analysis * Additional unit tests * Various small bug fixes * Experimental support for some HTTP2 features (not ready for production) * Experimental support for websocket compression * Remove legacy interfaces declared obsolete since more than 3 years Version 1.12 * See https://github.com/civetweb/civetweb/releases/tag/v1.12 for detailed changelog Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-1424=1 Package List: - openSUSE Leap 15.2 (x86_64): civetweb-1.15-lp152.2.3.1 civetweb-debuginfo-1.15-lp152.2.3.1 civetweb-debugsource-1.15-lp152.2.3.1 civetweb-devel-1.15-lp152.2.3.1 libcivetweb-cpp1_15_0-1.15-lp152.2.3.1 libcivetweb-cpp1_15_0-debuginfo-1.15-lp152.2.3.1 libcivetweb1_15_0-1.15-lp152.2.3.1 libcivetweb1_15_0-debuginfo-1.15-lp152.2.3.1 References: https://www.suse.com/security/cve/CVE-2020-27304.html https://bugzilla.suse.com/1191938 . A patch has been released for civetweb addressing a significant vulnerability related to fileupload checks on openSUSE 15.2. Secure your system immediately!. Civetweb Update, OpenSUSE Patch, File Upload Security, Moderate Fix. . LinuxSecurity.com Team

Calendar%202 Oct 31, 2021 OpenSUSE
91

Gentoo: GLSA-202107-39 Low: Apache Commons FileUpload Denial of Service

Multiple vulnerabilities have been found in Apache Commons FileUpload, the worst of which could result in a Denial of Service condition.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202107-39 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low Title: Apache Commons FileUpload: Multiple vulnerabilities Date: July 17, 2021 Bugs: #739350 ID: 202107-39 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Multiple vulnerabilities have been found in Apache Commons FileUpload, the worst of which could result in a Denial of Service condition. Background ========= The Apache Commons FileUpload package makes it easy to add robust, high-performance, file upload capability to your servlets and web applications. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-java/commons-fileupload

Calendar%202 Jul 17, 2021 Low Gentoo
198

Arch Linux: ASA-202105-1 Critical: Redmine Security Flaws

The package redmine before version 4.2.1-1 is vulnerable to multiple issues including arbitrary filesystem access, access restriction bypass, cross-site scripting, arbitrary file upload and information disclosure. . Arch Linux Security Advisory ASA-202105-1 ======================================== Severity: Critical Date : 2021-05-19 CVE-ID : CVE-2021-29274 CVE-2021-30163 CVE-2021-30164 CVE-2021-31863 CVE-2021-31864 CVE-2021-31865 CVE-2021-31866 Package : redmine Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1743 Summary ====== The package redmine before version 4.2.1-1 is vulnerable to multiple issues including arbitrary filesystem access, access restriction bypass, cross-site scripting, arbitrary file upload and information disclosure. Resolution ========= Upgrade to 4.2.1-1. # pacman -Syu "redmine> =4.2.1-1" The problems have been fixed upstream in version 4.2.1. Workaround ========= None. Description ========== - CVE-2021-29274 (cross-site scripting) Redmine 4.1.x before 4.1.2 allows cross-site scripting (XSS) because an issues subject is mishandled in the auto complete tip. - CVE-2021-30163 (information disclosure) Redmine before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values. - CVE-2021-30164 (access restriction bypass) Redmine before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API. - CVE-2021-31863 (arbitrary filesystem access) Insufficient input validation in the Git repository integration of Redmine before 4.2.1 allows Redmine users to read arbitrary local files accessible by the application server process. - CVE-2021-31864 (access restriction bypass) Redmine before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler. - CVE-2021-31865 (arbitrary file upload) Redminebefore 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments. - CVE-2021-31866 (information disclosure) Redmine before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController. Impact ===== A remote attacker could disclose private information, perform actions without having the required permissions, or execute arbitrary JavaScript code by leveraging cross-site scripting. References ========= https://bugs.archlinux.org/task/70203 https://github.com/redmine/redmine/commit/bbfade972865e78e4d865af2cdb93e6cb57d5a45 https://github.com/redmine/redmine/commit/0d96c4ebdb1cceeb6cac8f940a11b5407a0a5211 https://github.com/redmine/redmine/commit/a7b9fa99966e8d59bd88548248ab11400ea48e5e https://github.com/redmine/redmine/commit/45461bfe51e9492d607f7204120f49ce3396a0cf https://github.com/redmine/redmine/commit/d03a718e6efca0493d8b42bd4ba356d736a77f49 https://github.com/redmine/redmine/commit/56979912c9bb041aac3fc5b88bf8275b743b0e28 https://github.com/redmine/redmine/commit/23e09ef64e26d6f63dcdcd624827440d9ad05f93 https://security.archlinux.org/CVE-2021-29274 https://security.archlinux.org/CVE-2021-30163 https://security.archlinux.org/CVE-2021-30164 https://security.archlinux.org/CVE-2021-31863 https://security.archlinux.org/CVE-2021-31864 https://security.archlinux.org/CVE-2021-31865 https://security.archlinux.org/CVE-2021-31866 . Debian Security Bulletin DSA-2021-02 discusses critical flaws found in mediawiki prior to version 1.35.0-1.. Redmine Security Issues, Arch Linux Advisory, Critical Redmine Threats. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 May 20, 2021 Critical ArchLinux
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200