Explore top 10 tips to secure your open-source projects now. Read More
×giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function. (CVE-2023-48161) Array indexing integer overflow. (CVE-2024-21210) HTTP client improper handling of maxHeaderSize. (CVE-2024-21208) Unbounded allocation leads to out-of-memory error. (CVE-2024-21217) . MGASA-2024-0364 - Updated java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk & java-latest-openjdk packages fix security vulnerabilities Publication date: 13 Nov 2024 URL: https://advisories.mageia.org/MGASA-2024-0364.html Type: security Affected Mageia releases: 9 CVE: CVE-2023-48161, CVE-2024-21208, CVE-2024-21210, CVE-2024-21217, CVE-2024-21235 giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function. (CVE-2023-48161) Array indexing integer overflow. (CVE-2024-21210) HTTP client improper handling of maxHeaderSize. (CVE-2024-21208) Unbounded allocation leads to out-of-memory error. (CVE-2024-21217) Integer conversion error leads to incorrect range check. (CVE-2024-21235) References: - https://bugs.mageia.org/show_bug.cgi?id=33648 - https://access.redhat.com/errata/RHSA-2024:8117 - https://access.redhat.com/errata/RHSA-2024:8121 - https://access.redhat.com/errata/RHSA-2024:8124 - https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixJAVA - https://www.cve.org/CVERecord?id=CVE-2023-48161 - https://www.cve.org/CVERecord?id=CVE-2024-21208 - https://www.cve.org/CVERecord?id=CVE-2024-21210 - https://www.cve.org/CVERecord?id=CVE-2024-21217 - https://www.cve.org/CVERecord?id=CVE-2024-21235 SRPMS: - 9/core/java-17-openjdk-17.0.13.0.11-1.mga9 - 9/core/java-11-openjdk-11.0.25.0.9-1.mga9 - 9/core/java-1.8.0-openjdk-1.8.0.432.b06-1.mga9 - 9/core/java-latest-openjdk-23.0.1.0.11-2.rolling.1.mga9 . Recent patches for java-1.8.0-openjdk and related packages resolve vulnerabilities involving heap-buffer overflows and integer handling errors in Mageia.. Java Updates, Security Advisory, Mageia Releases, Buffer Overflow, Integer Overflow. . Severity: Critical. LinuxSecurity.com Team
Several security issues were fixed in ImageMagick.. ========================================================================== Ubuntu Security Notice USN-7053-1 October 03, 2024 imagemagick vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 LTS Summary: Several security issues were fixed in ImageMagick. Software Description: - imagemagick: Image manipulation programs and library Details: It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or potentially leak sensitive information. These vulnerabilities included heap and stack-based buffer overflows, memory leaks, and improper handling of uninitialized values. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 LTS imagemagick 8:6.7.7.10-6ubuntu3.13+esm10 Available with Ubuntu Pro libmagick++-dev 8:6.7.7.10-6ubuntu3.13+esm10 Available with Ubuntu Pro libmagick++5 8:6.7.7.10-6ubuntu3.13+esm10 Available with Ubuntu Pro libmagickcore-dev 8:6.7.7.10-6ubuntu3.13+esm10 Available with Ubuntu Pro libmagickcore5 8:6.7.7.10-6ubuntu3.13+esm10 Available with Ubuntu Pro libmagickcore5-extra 8:6.7.7.10-6ubuntu3.13+esm10 Available with Ubuntu Pro libmagickwand-dev 8:6.7.7.10-6ubuntu3.13+esm10 Available with Ubuntu Pro libmagickwand5 8:6.7.7.10-6ubuntu3.13+esm10 Available with Ubuntu Pro perlmagick 8:6.7.7.10-6ubuntu3.13+esm10 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7053-1 CVE-2019-13135, CVE-2019-13295, CVE-2019-13297, CVE-2019-13300, CVE-2019-13301, CVE-2019-13304, CVE-2019-13305, CVE-2019-13306, CVE-2019-13307, CVE-2019-13309, CVE-2019-13310, CVE-2019-13311, CVE-2019-13454, CVE-2019-15139, CVE-2019-15140, CVE-2019-15141, CVE-2019-16708, CVE-2019-16709, CVE-2019-16710, CVE-2019-16711, CVE-2019-16712, CVE-2019-16713, CVE-2019-19948, CVE-2019-19949, CVE-2019-7175 . Ubuntu 14.04 LTS has received vital security updates for ImageMagick. Address vulnerabilities to thwart possible exploitation and safeguard sensitive information.. ImageMagick updates, Ubuntu security, buffer overflow fixes, critical updates. . Severity: Critical. LinuxSecurity.com Team
It was discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. (CVE-2019-11471) Reza Mirzazade Farkhani discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash . MGASA-2024-0243 - Updated libheif packages fix security vulnerabilities Publication date: 28 Jun 2024 URL: https://advisories.mageia.org/MGASA-2024-0243.html Type: security Affected Mageia releases: 9 CVE: CVE-2023-49460, CVE-2023-49462, CVE-2023-49463, CVE-2023-49464 It was discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. (CVE-2019-11471) Reza Mirzazade Farkhani discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. (CVE-2020-23109) Eugene Lim discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. (CVE-2023-0996) Min Jang discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. (CVE-2023-29659) Yuchuan Meng discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. (CVE-2023-49460, CVE-2023-49462, CVE-2023-49463, CVE-2023-49464) References: - https://bugs.mageia.org/show_bug.cgi?id=33332 - https://ubuntu.com/security/notices/USN-6847-1 - https://www.cve.org/CVERecord?id=CVE-2023-49460 - https://www.cve.org/CVERecord?id=CVE-2023-49462 - https://www.cve.org/CVERecord?id=CVE-2023-49463 - https://www.cve.org/CVERecord?id=CVE-2023-49464 SRPMS: - 9/core/libheif-1.16.2-1.1.mga9 - 9/tainted/libheif-1.16.2-1.1.mga9.tainted . MGASA-2024-0244security notice outlines patch information for libheif that mitigates buffer overflow vulnerabilities as of July 5, 2024.. libheif Security, Mageia Update, Denial of Service, Security Advisory, Image Processing. . Severity: Critical. LinuxSecurity.com Team
GDK-PixBuf could be made do execute arbitrary code or crash if it received a specially crafted image.. =========================================================================Ubuntu Security Notice USN-5607-1 September 13, 2022 gdk-pixbuf vulnerability ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: GDK-PixBuf could be made do execute arbitrary code or crash if it received a specially crafted image. Software Description: - gdk-pixbuf: GDK Pixbuf library Details: It was discovered that GDK-PixBuf incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code or cause a crash. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: libgdk-pixbuf-2.0-0 2.42.8+dfsg-1ubuntu0.1 Ubuntu 20.04 LTS: libgdk-pixbuf2.0-0 2.40.0+dfsg-3ubuntu0.4 After a standard system update you need to restart your session to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5607-1 CVE-2021-44648 Package Information: https://launchpad.net/ubuntu/+source/gdk-pixbuf/2.42.8+dfsg-1ubuntu0.1 https://launchpad.net/ubuntu/+source/gdk-pixbuf/2.40.0+dfsg-3ubuntu0.4 . A security flaw in GDK-PixBuf affecting Ubuntu may permit the execution of unauthorized commands or cause system crashes when handling specially designed image files.. GDK Pixbuf, Ubuntu Security, Image Handling, Code Execution Risk. . Severity: Critical. LinuxSecurity.com Team
# New in release OpenJDK 17.0.2 (2022-01-18): Live versions of these release notes can be found at: * * https://builds.shipilev.net/backports-monitor/release-notes-17.0.2.txt ## Security fixes - JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside - JDK-8264934, CVE-2022-21248: Enhance cross VM. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2022-7d8b535724 2022-01-29 06:37:20.624368 --------------------------------------------------------------------------------Name : java-latest-openjdk Product : Fedora 35 Version : 17.0.2.0.8 Release : 2.rolling.fc35 URL : https://openjdk.org/ Summary : OpenJDK 17 Runtime Environment Description : The OpenJDK 17 runtime environment. --------------------------------------------------------------------------------Update Information: # New in release OpenJDK 17.0.2 (2022-01-18): Live versions of these release notes can be found at: * * https://builds.shipilev.net/backports-monitor/release-notes-17.0.2.txt ## Security fixes - JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization - JDK-8268488: More valuable DerValues - JDK-8268494: Better inlining of inlined interfaces - JDK-8268512: More content for ContentInfo -JDK-8268813, CVE-2022-21283: Better String matching - JDK-8269151: Better construction of EncryptedPrivateKeyInfo - JDK-8269944: Better HTTP transport redux - JDK-8270386, CVE-2022-21291: Better verification of scan methods -JDK-8270392, CVE-2022-21293: Improve String constructions - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps - JDK-8270492, CVE-2022-21282: Better resolution of URIs - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities - JDK-8270952, CVE-2022-21277:Improve TIFF file handling - JDK-8271962: Better TrueType font loading - JDK-8271968: Better canonical naming - JDK-8271987: Manifest improved manifest entries -JDK-8272014, CVE-2022-21305: Better array indexing - JDK-8272026, CVE-2022-21340: Verify Jar Verification - JDK-8272236, CVE-2022-21341: Improve serial forms for transport - JDK-8272272: Enhance jcmd communication -JDK-8272462: Enhance image handling - JDK-8273290: Enhance sound handling -JDK-8273756, CVE-2022-21360: Enhance BMP image support - JDK-8273838, CVE-2022-21365: Enhanced BMP processing - JDK-8274096, CVE-2022-21366: Improve decoding of image files ## Major Changes -[JDK-8277157](https://bugs.openjdk.org/browse/JDK-8277157): Vector should throw ClassNotFoundException for a missing class of an element -[JDK-8272535](https://bugs.openjdk.org/browse/JDK-8272535): Removed Google's GlobalSign Root Certificate -[JDK-8277533](https://bugs.openjdk.org/browse/JDK-8277533): ZGC: Fixed long Process Non-Strong References times -[JDK-8274857](https://bugs.openjdk.org/browse/JDK-8274857): Update Timezone Data to 2021c ## FIPS Changes - Fix FIPS issues in native code and with initialisation of java.security.Security --------------------------------------------------------------------------------ChangeLog: * Mon Jan 24 2022 Andrew Hughes - 1:17.0.2.0.8-2.rolling - Require tzdata 2021e as of JDK-8275766. * Wed Jan 12 2022 Andrew Hughes - 1:17.0.2.0.8-1.rolling - January 2022 security update to jdk 17.0.2+8 - Extend LTS check to exclude EPEL. - Rename libsvml.so to libjsvml.so following JDK-8276025 - Remove JDK-8276572 patch which is now upstream. - Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java - Fix FIPS issues in native code and with initialisation of java.security.Security * Wed Jan 12 2022 Severin Gehwolf - 1:17.0.2.0.8-1.rolling - Set LTS designator. --------------------------------------------------------------------------------References: [1 ] Bug #2042455 - Missing latest release OpenJDK 17.0.2 https://bugzilla.redhat.com/show_bug.cgi?id=2042455 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2022-7d8b535724' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Several security issues were fixed in Pillow.. =========================================================================Ubuntu Security Notice USN-5227-1 January 13, 2022 pillow vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 21.10 - Ubuntu 21.04 - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in Pillow. Software Description: - pillow: Python Imaging Library Details: It was discovered that Pillow incorrectly handled certain image files. If a user or automated system were tricked into opening a specially-crafted file, a remote attacker could cause Pillow to hang, resulting in a denial of service. (CVE-2021-23437) It was discovered that Pillow incorrectly handled certain image files. If a user or automated system were tricked into opening a specially-crafted file, a remote attacker could cause Pillow to crash, resulting in a denial of service. This issue ony affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 21.04. (CVE-2021-34552) It was discovered that Pillow incorrectly handled certain image files. If a user or automated system were tricked into opening a specially-crafted file, a remote attacker could cause Pillow to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2022-22815) It was discovered that Pillow incorrectly handled certain image files. If a user or automated system were tricked into opening a specially-crafted file, a remote attacker could cause Pillow to crash, resulting in a denial of service. (CVE-2022-22816) It was discovered that Pillow incorrectly handled certain image files. If a user or automated system were tricked into opening a specially-crafted file, a remote attacker could cause Pillow to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2022-22817) Update instructions: The problem can be corrected byupdating your system to the following package versions: Ubuntu 21.10: python3-pil 8.1.2+dfsg-0.3ubuntu0.1 Ubuntu 21.04: python3-pil 8.1.2-1ubuntu0.2 Ubuntu 20.04 LTS: python3-pil 7.0.0-4ubuntu0.5 Ubuntu 18.04 LTS: python-pil 5.1.0-1ubuntu0.7 python3-pil 5.1.0-1ubuntu0.7 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-5227-1 CVE-2021-23437, CVE-2021-34552, CVE-2022-22815, CVE-2022-22816, CVE-2022-22817 Package Information: https://launchpad.net/ubuntu/+source/pillow/8.1.2+dfsg-0.3ubuntu0.1 https://launchpad.net/ubuntu/+source/pillow/8.1.2-1ubuntu0.2 https://launchpad.net/ubuntu/+source/pillow/7.0.0-4ubuntu0.5 https://launchpad.net/ubuntu/+source/pillow/5.1.0-1ubuntu0.7 . Fixing security flaws in Pillow across multiple Ubuntu releases to mitigate denial of service and execution risks.. Pillow Security, Ubuntu Vulnerabilities, DoS Issues, Image Processing Security. . LinuxSecurity.com Team
Several security issues were fixed in OpenEXR.. =========================================================================Ubuntu Security Notice USN-4996-2 June 22, 2021 openexr vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 ESM Summary: Several security issues were fixed in OpenEXR. Software Description: - openexr: tools for the OpenEXR image format Details: USN-4996-1 fixed several vulnerabilities in OpenEXR. This update provides the corresponding update for Ubuntu 16.04 ESM. Original advisory details: It was discovered that OpenEXR incorrectly handled certain malformed EXR image files. If a user were tricked into opening a crafted EXR image file, a remote attacker could cause a denial of service, or possibly execute arbitrary code. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 ESM: libopenexr22 2.2.0-10ubuntu2.6+esm1 openexr 2.2.0-10ubuntu2.6+esm1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-4996-2 https://ubuntu.com/security/notices/USN-4996-1 CVE-2021-20296, CVE-2021-23215, CVE-2021-26260, CVE-2021-3598, CVE-2021-3605 . The Ubuntu 16.04 ESM update addresses vulnerabilities in OpenEXR image processing to mitigate possible security threats.. Ubuntu OpenEXR Security, OpenEXR Exploits, Security Update Ubuntu. . Severity: Critical. LinuxSecurity.com Team
Pillow could be made to crash or run programs as your login if it opened a specially crafted file.. =========================================================================Ubuntu Security Notice USN-4697-2 January 20, 2021 pillow vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 ESM Summary: Pillow could be made to crash or run programs as your login if it opened a specially crafted file. Software Description: - pillow: Python Imaging Library Details: USN-4697-1 fixed several vulnerabilities in Pillow. This update provides the corresponding update for Ubuntu 14.04 ESM. Original advisory details: It was discovered that Pillow incorrectly handled certain PCX image files. If a user or automated system were tricked into opening a specially-crafted PCX file, a remote attacker could possibly cause Pillow to crash, resulting in a denial of service. (CVE-2020-35653) It was discovered that Pillow incorrectly handled certain image files. If a user or automated system were tricked into opening a specially-crafted image file, a remote attacker could possibly cause Pillow to crash, resulting in a denial of service. (CVE-2020-10177) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 ESM: python-pil 2.3.0-1ubuntu3.4+esm2 python3-pil 2.3.0-1ubuntu3.4+esm2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-4697-2 https://ubuntu.com/security/notices/USN-4697-1 CVE-2020-10177, CVE-2020-35653 . Potential exploits in Pillow on Ubuntu 14.04 ESM may enable malicious users to disrupt services or run harmful commands. Take action now!. Pillow Vulnerabilities, Ubuntu ESM 14.04, Denial of Service Fix. . Severity: Important. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.