Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 524
Alerts This Week
Warning Icon 1 524

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found 170 articles for you...
89

Fedora 42 Coturn 4.11.0 Advisory for Fixes on Memory Leak Format-String

Coturn 4.11.0 Fix prometheus response memory leak introduced in 4.10.0 Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC Fix format-string injection in Redis DB driver Abort on malformed allowed/denied-peer-ip at startup. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-dfa8ea5809 2026-05-18 01:23:32.591546+00:00 -------------------------------------------------------------------------------- Name : coturn Product : Fedora 42 Version : 4.11.0 Release : 1.fc42 URL : https://github.com/coturn/coturn/ Summary : TURN/STUN & ICE Server Description : The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying TURN extension - RFC 6156 - IPv6 extension for TURN - Experimental DTLS support as client protocol. STUN specs: - RFC 3489 - "classic" STUN - RFC 5389 - base "new" STUN specs - RFC 5769 - test vectors for STUN protocol testing - RFC 5780 - NAT behavior discovery support The implementation fully supports the following client-to-TURN-server protocols: - UDP (per RFC 5766) - TCP (per RFC 5766 and RFC 6062) - TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2 - DTLS (experimental non-standard feature) Supported relay protocols: - UDP (per RFC 5766) - TCP (per RFC 6062) Supported user databases (for user repository, with passwords or keys, if authentication is required): - SQLite - MySQL - PostgreSQL - Redis Redis can also be used for status and statistics storage and notification. Supported TURN authentication mechanisms: - long-term - TURN REST API (a modification of the long-term mechanism, for time-limited secret-based authentication, for WebRTC applications) The load balancing can be implemented withthe following tools (either one or a combination of them): - network load-balancer server - DNS-based load balancing - built-in ALTERNATE-SERVER mechanism. -------------------------------------------------------------------------------- Update Information: Coturn 4.11.0 Fix prometheus response memory leak introduced in 4.10.0 Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC Fix format-string injection in Redis DB driver Abort on malformed allowed/denied-peer-ip at startup Pin session origin only after MESSAGE-INTEGRITY validates Fix build failure: define _GNU_SOURCE for recvmmsg() on Linux Drop udp_relay_servers_number config and clean up dead UDP id-space Add Unity-based unit test scaffolding Delete log line per relay thread on start Out of bound HTTP detection in parser Extend STUN client fuzz builder coverage Extend fuzzing coverage and enable local fuzzing in a container Cover all public stun_buffer.c wrappers in FuzzStunClient HTTP parsing fixes Unblock fuzz coverage for is_http and rare STUN attributes Seed address-mapping table in fuzz initializer Add deterministic challenge-response builder to FuzzStun Add fuzz coverage for integrity helpers Hoist turn_server_get_engine() out of per-packet hot path Inline addr_cpy() in the header Trim two redundant checks from per-packet relay hot path Inline get_ioa_addr_len() in the header Cache hot lookups in TURN data-path handlers Load generator mode in turnutils_uclient Filc harness and pointer typedefs -------------------------------------------------------------------------------- ChangeLog: * Sat May 9 2026 Robert Scheck - 4.11.0-1 - Upgrade to 4.11.0 (#2466643) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2466643 - coturn-4.11.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2466643 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program.Use su -c 'dnf upgrade --advisory FEDORA-2026-dfa8ea5809' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it. Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new . Updated Coturn 4.11.0 addresses key issues like memory leak, HMAC flaws, and Redis DB driver injection.. Fedora coturn HMAC memory leak format-string. . Severity: Important. LinuxSecurity.com Team

Calendar%202 May 18, 2026 Important Fedora
89

Fedora 44 Coturn Memory Leak Fix and Format-String Advisory 2026-3b3139882c

Coturn 4.11.0 Fix prometheus response memory leak introduced in 4.10.0 Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC Fix format-string injection in Redis DB driver Abort on malformed allowed/denied-peer-ip at startup. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-3b3139882c 2026-05-18 00:40:49.529034+00:00 -------------------------------------------------------------------------------- Name : coturn Product : Fedora 44 Version : 4.11.0 Release : 1.fc44 URL : https://github.com/coturn/coturn/ Summary : TURN/STUN & ICE Server Description : The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying TURN extension - RFC 6156 - IPv6 extension for TURN - Experimental DTLS support as client protocol. STUN specs: - RFC 3489 - "classic" STUN - RFC 5389 - base "new" STUN specs - RFC 5769 - test vectors for STUN protocol testing - RFC 5780 - NAT behavior discovery support The implementation fully supports the following client-to-TURN-server protocols: - UDP (per RFC 5766) - TCP (per RFC 5766 and RFC 6062) - TLS (per RFC 5766 and RFC 6062); TLS1.0/TLS1.1/TLS1.2 - DTLS (experimental non-standard feature) Supported relay protocols: - UDP (per RFC 5766) - TCP (per RFC 6062) Supported user databases (for user repository, with passwords or keys, if authentication is required): - SQLite - MySQL - PostgreSQL - Redis Redis can also be used for status and statistics storage and notification. Supported TURN authentication mechanisms: - long-term - TURN REST API (a modification of the long-term mechanism, for time-limited secret-based authentication, for WebRTC applications) The load balancing can be implemented withthe following tools (either one or a combination of them): - network load-balancer server - DNS-based load balancing - built-in ALTERNATE-SERVER mechanism. -------------------------------------------------------------------------------- Update Information: Coturn 4.11.0 Fix prometheus response memory leak introduced in 4.10.0 Use constant-time compare for STUN MESSAGE-INTEGRITY HMAC Fix format-string injection in Redis DB driver Abort on malformed allowed/denied-peer-ip at startup Pin session origin only after MESSAGE-INTEGRITY validates Fix build failure: define _GNU_SOURCE for recvmmsg() on Linux Drop udp_relay_servers_number config and clean up dead UDP id-space Add Unity-based unit test scaffolding Delete log line per relay thread on start Out of bound HTTP detection in parser Extend STUN client fuzz builder coverage Extend fuzzing coverage and enable local fuzzing in a container Cover all public stun_buffer.c wrappers in FuzzStunClient HTTP parsing fixes Unblock fuzz coverage for is_http and rare STUN attributes Seed address-mapping table in fuzz initializer Add deterministic challenge-response builder to FuzzStun Add fuzz coverage for integrity helpers Hoist turn_server_get_engine() out of per-packet hot path Inline addr_cpy() in the header Trim two redundant checks from per-packet relay hot path Inline get_ioa_addr_len() in the header Cache hot lookups in TURN data-path handlers Load generator mode in turnutils_uclient Filc harness and pointer typedefs -------------------------------------------------------------------------------- ChangeLog: * Sat May 9 2026 Robert Scheck - 4.11.0-1 - Upgrade to 4.11.0 (#2466643) -------------------------------------------------------------------------------- References: [ 1 ] Bug #2466643 - coturn-4.11.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2466643 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program.Use su -c 'dnf upgrade --advisory FEDORA-2026-3b3139882c' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it. Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new . Fix for Coturn 4.11.0 includes addressing memory leak and security improvements for Redis handling.. Coturn Update, Fedora Security, Redis Injection, VoIP NAT Traversal, TURN Server Fixes. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 May 18, 2026 Critical Fedora
89

Fedora 44 Nano Important Format String DoS Fix FEDORA-2026-3111ffa11a

fix CVE-2026-6842 and CVE-29026-6843 Resolves: CVE-2026-6842 Resolves: CVE-2026-6843 Resolves: rhbz#2455127 Resolves: rhbz#2455314. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-3111ffa11a 2026-05-03 00:48:41.051402+00:00 -------------------------------------------------------------------------------- Name : nano Product : Fedora 44 Version : 8.7.1 Release : 2.fc44 URL : https://www.nano-editor.org Summary : A small text editor Description : GNU nano is a small and friendly text editor. -------------------------------------------------------------------------------- Update Information: fix CVE-2026-6842 and CVE-29026-6843 Resolves: CVE-2026-6842 Resolves: CVE-2026-6843 Resolves: rhbz#2455127 Resolves: rhbz#2455314 -------------------------------------------------------------------------------- ChangeLog: * Thu Apr 30 2026 Luk\u0161 Zaoral - 8.7.1-2 - fix CVE-2026-6842 and CVE-29026-6843 -------------------------------------------------------------------------------- References: [ 1 ] Bug #2455127 - [Security] Format String Vulnerability in nano's statusline() via errormessage Buffer https://bugzilla.redhat.com/show_bug.cgi?id=2455127 [ 2 ] Bug #2460502 - CVE-2026-6842 nano: nano: Local attacker can inject malicious .desktop launcher due to insecure directory permissions [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2460502 [ 3 ] Bug #2460503 - CVE-2026-6843 nano: nano: Format string vulnerability leads to Denial of Service [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2460503 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-3111ffa11a' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages aresigned with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- . Update for Fedora 44 addressing CVE-2026-6842 and CVE-2026-6843 vulnerabilities in nano editor available now.. Fedora Update, CVE-2026-6842, CVE-2026-6843, Nano Editor Security, Format String Vulnerability. . Severity: Important. LinuxSecurity.com Team

Calendar%202 May 03, 2026 Important Fedora
89

Fedora 43 rubygem-json Critical Format String Injection CVE-2026-33210

This new updates backports a fix for a format string injection vulnerability in JSON.parse, which is now assigned as CVE-2026-33210. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-8c07fcde49 2026-03-27 01:16:52.247657+00:00 -------------------------------------------------------------------------------- Name : rubygem-json Product : Fedora 43 Version : 2.13.2 Release : 2.fc43 URL : https://github.com/ruby/json Summary : A JSON implementation in Ruby Description : This is a implementation of the JSON specification according to RFC 4627 in Ruby. You can think of it as a low fat alternative to XML, if you want to store data to disk or transmit it over a network rather than use a verbose markup language. -------------------------------------------------------------------------------- Update Information: This new updates backports a fix for a format string injection vulnerability in JSON.parse, which is now assigned as CVE-2026-33210 -------------------------------------------------------------------------------- ChangeLog: * Fri Mar 20 2026 Mamoru TASAKA - 2.13.2-2 - Backport upstream fix for format string injection vulnerability in JSON.parse (CVE-2026-33210) -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-8c07fcde49' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it. Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new . Fedora 43 rubygem-json update fixes critical format string injection risk assigned CVE-2026-33210 for safety.. security update, json parsing, format string injection, ruby implementation, fedora project. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Mar 27, 2026 Critical Fedora
87

Debian 2.2 Security Advisory: PHP 3 Format String Remote Exploit

In versions of the PHP 3 packages before version 3.0.17, several formatstring bugs could allow properly crafted requests to execute code as theuser running PHP scripts on the web server, particularly if error loggingwas enabled. . - ---------------------------------------------------------------------------- Debian Security Advisory This email address is being protected from spambots. You need JavaScript enabled to view it. Debian -- Security Information Daniel Jacobowitz October 14, 2000 - ---------------------------------------------------------------------------- Package: php3 Vulnerability: possible remote exploit Debian-specific: no Vulnerable: yes [Updated version: corrected URLs] In versions of the PHP 3 packages before version 3.0.17, several format string bugs could allow properly crafted requests to execute code as the user running PHP scripts on the web server, particularly if error logging was enabled. This problem is fixed in versions 3.0.17-0potato2 and 3.0.17-0potato3 for Debian 2.2 (potato) and in version 3.0.17-1 for Debian Unstable (woody). This is a bug fix release and we recommend all users of php3 upgrade to it. Debian GNU/Linux 2.1 alias slink - -------------------------------- Slink contains php3 version 3.0.5, which is believed to be affected by this problem. No security updates for slink are available at this time; Slink users who have php3 installed are highly recommended to either upgrade to potato or recompile the potato php3 packages from source (see the URLs below). Debian GNU/Linux 2.2 (stable) alias potato - ------------------------------------------ Fixes are currently available for the Alpha, ARM, Intel ia32, Motorola 680x0, PowerPC and Sun SPARC architectures, and will be included in 2.2r1. Source archives: MD5 checksum: 34000f57a678a5613c9ad925c75015c9 MD5 checksum: 5ccde22fa1eb7b5a1211bdf0733ee5fc MD5 checksum: 82cadd5b244f95f95c0d5b00a9d36419 Architecture indendentarchives: MD5 checksum: 786f3d4889251bcd927475a83cab737d Alpha architecture: MD5 checksum: 0c6d6c84970f7298ba8b3ca267b6d436 MD5 checksum: 63ed819bcde8919a1b04bd668b536bb1 MD5 checksum: 91a7b73e5c53d533cf1b3f9e91477829 MD5 checksum: 69974d87a8ab40de1d80090b56e9e734 MD5 checksum: 7c4fed2056667347d3a8d8fcfde11d18 MD5 checksum: 866f79ff9a5e07c2d1dc625f6b039062 MD5 checksum: f205dc1d6c3d66465223ec2cb915d378 MD5 checksum: 4fabcea51de8ad87072b3892eac3db44 MD5 checksum: 98e60f2ce67b5ac45bbefffee55f4320 MD5 checksum: 6c356cef858b022706d536bdd2a3bda5 MD5 checksum: f00b99a9fbef8eef95b286b0fd07921c MD5 checksum: c28f15858f631739a04b585d88537c35 MD5 checksum: f683f8c1095be5fd6004218e006d95ae MD5 checksum: 2bea51c4216a7509df35ae93852fe12f MD5 checksum: cc46953ee5cf0919a20b03174146042f MD5 checksum: 08902d8dd7c6da8d551df423479774f3 MD5 checksum: 50c5fddca3b974040d727571155d810b MD5 checksum: 95ac10b17e9d253516b6c6566070ed8b MD5 checksum: ac553c47449d417a2151badda621b0b8 MD5 checksum: b0cfeaa821d26b1b5c3e0e02a9c97234 MD5 checksum: cfcff9174113b296a1c527d4d03ff36f ARM architecture: MD5 checksum: dedef18cb5af7321602fdd84e6919a82 MD5 checksum: 2e14ffe7d55808964d3b8745ee6f7a68 MD5 checksum: 6bed9079916e0838549f0cbefac3b364 MD5 checksum: dcd4141709649316490b6c11074b9892 MD5 checksum: 1f74328177093f92f6b690438314e854 MD5 checksum: 96ca00029282d292261a83c792f70634 MD5 checksum: 4aeab7f32a5d76cb4122c99c11e6fd74 MD5 checksum: b1de42a0a93bbd56b8d3bf618738ac97 MD5 checksum: 7cef4e5a8df31213e7d4326ca3e4bc78 MD5 checksum:ae70e50b6a97aa87d102887cc90a039d MD5 checksum: 5b8c0c2f755d9573325bbf93ade047a5 MD5 checksum: 78c58318841395fb2a4830c3fde2ea35 MD5 checksum: ad2d62ae660deb8eb3814725c266f882 MD5 checksum: ab226b1c21bb1bb3e9d2532a307b0a33 MD5 checksum: 28dea447bffa0cc2b1d9526a34b04243 MD5 checksum: 6905809e038ed460e007e305e9d6f27d MD5 checksum: e8931d67b40f57b45d4816efa090869d MD5 checksum: c4492365d13b377f8591d1501e4fffbc MD5 checksum: 794307c984982c144628c165d7fafbdc MD5 checksum: b14b2aef4d507988133e0936b520f827 MD5 checksum: f08677b2a016498de9ac2ae035fcee02 Intel ia32 architecture: MD5 checksum: abb5c61dcb930484d448809f37ceee89 MD5 checksum: eaf1a7ce1191479fab1991a0f7628f35 MD5 checksum: 78a497ee35f72a0a5335dffbb278b51b MD5 checksum: 74ff9c4fdfd1ddff35d229b40389526f MD5 checksum: ce136a323408024afeefd44d71bfa07f MD5 checksum: 18ce8da1e51051009548bcf15e9f22c1 MD5 checksum: 06eaf7f5e580db16bfe6e49ba3f7178e MD5 checksum: d783e965c9975a1418cbf24f2c018cf6 MD5 checksum: b872b9749ee4a7f5e41d2561968185ec MD5 checksum: 9519673f1a4f3cd9e6072aed47571706 MD5 checksum: f697b67a799e4f8a0a52dafad453952e MD5 checksum: 623b94d44c924f2caeaf38dc4c241c47 MD5 checksum: 6427a5b1cec363442b85378dca2068c2 MD5 checksum: 27409fdf4877b7fe148d699fc0e0c513 MD5 checksum: 25da562776c6723d9e6ce9e1d596da55 MD5 checksum: 3f6608677722ecde60038738a5230f15 MD5 checksum: 57b7591a9e024f8bf8deac95ee266ca7 MD5 checksum: a9f0c424781738f0486d0b83f96b9501 MD5 checksum: 388459a9353a97e46eb791dfcf5db4c3 MD5 checksum: 1528dffc6b361dd3636f74cb674a352f MD5 checksum:26ead1ce5f3d9cb28411b1f91853fca5 Motorola 680x0 architecture: MD5 checksum: f738bf60fabff9ff79f08c9e26c78f29 MD5 checksum: 2ada0cf7129796cc9225c8853a1d073d MD5 checksum: b61f66b80f10cd4d6761e76d837457ba MD5 checksum: 265120fac62de3c4702c1ff13407128a MD5 checksum: 015a0b89dccac3bcfbb8250e560e5499 MD5 checksum: a84a25672d154b84ced76d1bb329927b MD5 checksum: 977268a5705ea6e20f74c111d16af478 MD5 checksum: 65021da88ed93caf16f0b45ac8bea916 MD5 checksum: 6ff5aaed2f6a503e61c07a3116beaacd MD5 checksum: d3a2a47c6299ca0d324e9674ec97bb10 MD5 checksum: 578c0d9324b64954f35fd4bd37e29d8a MD5 checksum: df41c6d37b070970338bedbca5fc85df MD5 checksum: 7f2b537a990d333a306ded9da5b4d5c6 MD5 checksum: fd8adf192deb2991f742ad3aa4680b1c MD5 checksum: 409477b06261ff072fdd2dbc0ff897db MD5 checksum: 4244ee22e56cbacfaf98cb0d0be7bdf4 MD5 checksum: 47aefa07233b90a252c91890e45c7d8c MD5 checksum: 0d42a6c597dfd29c2f2e23574333fce4 MD5 checksum: de4e186fcc2ce5506b448ca2114b7f3b MD5 checksum: 47f3196abd592474d92234317743cf15 MD5 checksum: 904fdf57b6f69521f01114506c2bbb72 PowerPC architecture: MD5 checksum: 82f82afc3dc07386e6de6e48d36e2602 MD5 checksum: e3b3ba148a4c7bd216d6d53b6359597c MD5 checksum: ba49214a443a0d1f7aba7355a36cd61e MD5 checksum: 9cab2a6fc9b39ddc7620054643934138 MD5 checksum: d89ca687aa43d812f1034eac57237018 MD5 checksum: c457fb8f71419d0bc6e8320984440ef7 MD5 checksum: 0e5f92ae3cffbc36a8fb36bccbf665f0 MD5 checksum: 096ed7d71dd9a47a18ecbf797e9f76df MD5 checksum: 6d8b207895e140f93b1c21d811a2b914 MD5 checksum:ad45ca5aa800eefb413f3cfeaa4ff539 MD5 checksum: 5ad19d86615ea06ed366bbbd594f4420 MD5 checksum: d8ee51d95b9349b108e27576f3ccde2f MD5 checksum: 9106297857457937832582877c08878b MD5 checksum: 30cea605882bde7ab106d8c341703151 MD5 checksum: f85e9b168874e56917a57ab7b2b44e2e MD5 checksum: 498d82447752aaf0eb3953a995514a7c MD5 checksum: 82a4f1df0a762bdca352643c9253d229 MD5 checksum: 6049f7a8d74a6e3c8d3c2c25e7254ebd MD5 checksum: 1dc286aaa3b9f439d24527be4813ad1c MD5 checksum: a13081289f79a4516c76c8bc4a4badc2 MD5 checksum: b5582aadc3b2469201dd4c51543ee811 Sun Sparc architecture: MD5 checksum: b4ef31bb148e4d8ce6e1fec71e8f432a MD5 checksum: 0e1e649e00838f6f79a45340a2eed64d MD5 checksum: f867fdf0d1f0af24c0b3037d53a11984 MD5 checksum: 1f15607b7791274be01797aa752d59e3 MD5 checksum: e14379467b151693ff20101ab985e030 MD5 checksum: eecfdb9d5d52ff4e7f23d3f7ea2f8db4 MD5 checksum: 3497a5f7a1689da6a77c8568c1d357df MD5 checksum: 6669bee0a5a5729080de9f5b5ba27fe2 MD5 checksum: 3e5a0eed3823ebc6031ff060bc460d94 MD5 checksum: e58049ebc9751b3236a4cb0d4d84ccb8 MD5 checksum: 93df51885ea61b78fc989e4e8060895a MD5 checksum: b5d831eb746ccb75ceadc624a4b569e8 MD5 checksum: 4fe1d6f4a2ed9720663a1aa8f9c99bd3 MD5 checksum: 503fbbe53e202746e02a7b3c02412478 MD5 checksum: 364beab8ec14487043a7003afb128fb1 MD5 checksum: 80c525ea0b007ff11b9170d0ad554473 MD5 checksum: baaa21f47f76ebb42a512d9679192dab MD5 checksum: 455fa856df0719d0c3364ddbdf0a039d MD5 checksum: 80880cffaeded7bb5639bbe85f482cb8 MD5 checksum: 4c96a471e9b77e94f27022d555555f71 MD5 checksum:19fc0fe684dc8eb120475a47d9eabf24 Debian GNU/Linux Unstable alias woody - ------------------------------------- This version of Debian is not yet released. Fixes are currently available for Alpha and Intel ia32 in the Debian archives. The stable packages listed above are also installable on current unstable systems. - ---------------------------------------------------------------------------- . Code execution may be triggered by user inputs in vulnerable PHP versions before 3.0.17, impacting web applications.. Debian PHP exploits, PHP vulnerabilities, code execution threats. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Apr 06, 2024 Important Debian
91

Gentoo GLSA-202310-14 High: Libinput Format String Exploit

A vulnerability has been discovered in libinput where an attacker may run malicous code by exploiting a format string vulnerability.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202310-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: libinput: format string vulnerability when using xf86-input-libinput Date: October 26, 2023 Bugs: #839729 ID: 202310-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been discovered in libinput where an attacker may run malicous code by exploiting a format string vulnerability. Background ========== A library to handle input devices in Wayland and, via xf86-input- libinput, in X.org. Affected packages ================= Package Vulnerable Unaffected ----------------- ------------ ------------ dev-libs/libinput < 1.20.1 > = 1.20.1 Description =========== An attacker may be able to run malicious code by exploiting a format string vulnerability. Please review the CVE identifier referenced below for details. Impact ====== When a device is detected by libinput, libinput logs several messages through log handlers set up by the callers. These log handlers usually eventually result in a printf call. Logging happens with the privileges of the caller, in the case of Xorg this may be root. The device name ends up as part of the format string and a kernel device with printf-style format string placeholders in the device name can enable an attacker to run malicious code. An exploit is possible through any device where the attacker controls the device name, e.g. /dev/uinput or Bluetooth devices. Workaround ========== There is no known workaround at this time. Resolution ========== All libinputusers should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =dev-libs/libinput-1.20.1" References ========== [ 1 ] CVE-2022-1215 https://nvd.nist.gov/vuln/detail/CVE-2022-1215 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202310-14 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to This email address is being protected from spambots. You need JavaScript enabled to view it. or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2023 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5/ . Uncover a critical security vulnerability related to format strings within libinput which impacts the Gentoo Linux distribution, potentially facilitating the execution of harmful code.. Libinput Vulnerability, Gentoo Advisory, Format String Issue, Malicious Code, Input Device Exploit. . LinuxSecurity.com Team

Calendar%202 Oct 26, 2023 Gentoo
217

Oracle Linux 9 ELSA-2022-5257 Moderate: Libinput Format Fix

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: . Oracle Linux Security Advisory ELSA-2022-5257 https://linux.oracle.com/errata/ELSA-2022-5257.html The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: x86_64: libinput-1.19.3-2.el9_0.i686.rpm libinput-1.19.3-2.el9_0.x86_64.rpm libinput-utils-1.19.3-2.el9_0.x86_64.rpm libinput-devel-1.19.3-2.el9_0.i686.rpm libinput-devel-1.19.3-2.el9_0.x86_64.rpm aarch64: libinput-1.19.3-2.el9_0.aarch64.rpm libinput-utils-1.19.3-2.el9_0.aarch64.rpm libinput-devel-1.19.3-2.el9_0.aarch64.rpm SRPMS: https://oss.oracle.com:443/ol9/SRPMS-updates/libinput-1.19.3-2.el9_0.src.rpm Related CVEs: CVE-2022-1215 Description of changes: [1.19.3-2] - CVE-2022-1215: fix a format string vulnerability (#2076816) _______________________________________________ El-errata mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. https://oss.oracle.com/mailman/listinfo/el-errata . Oracle Linux 9 has rolled out a moderate update for libinput to fix a format string vulnerability. Discover the full story here!. Oracle Linux Update, Libinput Fix, Security Advisory, Format String Issue. . LinuxSecurity.com Team

Calendar%202 Jul 01, 2022 Oracle
217

Oracle Linux 8 ELSA-2022-5331 Moderate: Libinput Format Flaw

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network: . Oracle Linux Security Advisory ELSA-2022-5331 https://linux.oracle.com/errata/ELSA-2022-5331.html The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network: x86_64: libinput-1.16.3-3.el8_6.i686.rpm libinput-1.16.3-3.el8_6.x86_64.rpm libinput-utils-1.16.3-3.el8_6.x86_64.rpm libinput-devel-1.16.3-3.el8_6.i686.rpm libinput-devel-1.16.3-3.el8_6.x86_64.rpm aarch64: libinput-1.16.3-3.el8_6.aarch64.rpm libinput-utils-1.16.3-3.el8_6.aarch64.rpm libinput-devel-1.16.3-3.el8_6.aarch64.rpm SRPMS: https://oss.oracle.com:443/ol8/SRPMS-updates/libinput-1.16.3-3.el8_6.src.rpm Related CVEs: CVE-2022-1215 Description of changes: [1.16.3-3] - Fix a format string vulnerability in the device name logging (#2076815) CVE-2022-1215 _______________________________________________ El-errata mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. https://oss.oracle.com/mailman/listinfo/el-errata . Oracle Linux Security Announcement ELSA-2022-5331 outlines important patches for libinput related to a format string vulnerability. Learn more.. Oracle Linux Updates, Libinput Security Advisory, Security Patch Oracle, Format String Issue. . LinuxSecurity.com Team

Calendar%202 Jul 01, 2022 Oracle
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200