# Security update for python-aiohttp

Announcement ID: SUSE-SU-2024:0034-1
Rating: moderate
References:
* bsc#1217684
Cross-References:
* CVE-2023-49081
CVSS scores:
* CVE-2023-49081 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2023-49081 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:
* openSUSE Leap 15.5
* Public Cloud Module 15-SP1
* Public Cloud Module 15-SP2
* Public Cloud Module 15-SP3
* Public Cloud Module 15-SP4
* Public Cloud Module 15-SP5
* SUSE Linux Enterprise High Performance Computing 15 SP1
* SUSE Linux Enterprise High Performance Computing 15 SP2
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Server 15 SP1
* SUSE Linux Enterprise Server 15 SP2
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Manager Proxy 4.0
* SUSE Manager Proxy 4.1
* SUSE Manager Proxy 4.2
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.0
* SUSE Manager Retail Branch Server 4.1
* SUSE Manager Retail Branch Server 4.2
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.0
* SUSE Manager Server 4.1
* SUSE Manager Server 4.2
* SUSE Manager Server 4.3

An update that solves one vulnerability can now be installed.

## Description:

This update for python-aiohttp fixes the following issues:

* CVE-2023-49081: fixed an HTTP header injection in the aiohttp client via a crafted HTTP version string, which could be used to add headers to, or smuggle an additional request into, an outgoing request (bsc#1217684).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

* openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2024-34=1
* Public Cloud Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2024-34=1
* Public Cloud Module 15-SP2
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2024-34=1
* Public Cloud Module 15-SP3
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP3-2024-34=1
* Public Cloud Module 15-SP4
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2024-34=1
* Public Cloud Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP5-2024-34=1

## Package List:

* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  * python-aiohttp-doc-3.6.0-150100.3.15.1
  * python-aiohttp-debugsource-3.6.0-150100.3.15.1
  * python3-aiohttp-debuginfo-3.6.0-150100.3.15.1
  * python3-aiohttp-3.6.0-150100.3.15.1
* Public Cloud Module 15-SP1 (aarch64 ppc64le s390x x86_64)
  * python-aiohttp-doc-3.6.0-150100.3.15.1
  * python-aiohttp-debugsource-3.6.0-150100.3.15.1
  * python3-aiohttp-debuginfo-3.6.0-150100.3.15.1
  * python3-aiohttp-3.6.0-150100.3.15.1
* Public Cloud Module 15-SP2 (aarch64 ppc64le s390x x86_64)
  * python-aiohttp-doc-3.6.0-150100.3.15.1
  * python-aiohttp-debugsource-3.6.0-150100.3.15.1
  * python3-aiohttp-debuginfo-3.6.0-150100.3.15.1
  * python3-aiohttp-3.6.0-150100.3.15.1
* Public Cloud Module 15-SP3 (aarch64 ppc64le s390x x86_64)
  * python-aiohttp-debugsource-3.6.0-150100.3.15.1
  * python3-aiohttp-debuginfo-3.6.0-150100.3.15.1
  * python3-aiohttp-3.6.0-150100.3.15.1
* Public Cloud Module 15-SP4 (aarch64 ppc64le s390x x86_64)
  * python-aiohttp-debugsource-3.6.0-150100.3.15.1
  * python3-aiohttp-debuginfo-3.6.0-150100.3.15.1
  * python3-aiohttp-3.6.0-150100.3.15.1
* Public Cloud Module 15-SP5 (aarch64 ppc64le s390x x86_64)
  * python-aiohttp-debugsource-3.6.0-150100.3.15.1
  * python3-aiohttp-debuginfo-3.6.0-150100.3.15.1
  * python3-aiohttp-3.6.0-150100.3.15.1

## References:

* https://www.suse.com/security/cve/CVE-2023-49081.html
* https://bugzilla.suse.com/show_bug.cgi?id=1217684

A vulnerability related to HTTP header manipulation in python-aiohttp has been resolved for both openSUSE and SUSE Linux Enterprise.
python aiohttp security, SUSE update, security advisory, openSUSE patch, HTTP injection.
Severity: Moderate.
LinuxSecurity.com Team
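The description above says only that a crafted HTTP version string allowed header injection. The following Python example, added here and not taken from aiohttp or from the SUSE fix, shows the mechanism in miniature: a request head that interpolates the caller-supplied version verbatim lets a value such as `1.1\r\nX-Injected: yes` become a separate header field on the wire, while a check against the HTTP-version grammar (one digit, a dot, one digit) rejects it before serialization. The function names, the `MALICIOUS_VERSION` sample and the header parser are this editor's own illustration.

```python
import re
from typing import Dict, List, Tuple

# HTTP-version token after "HTTP/": DIGIT "." DIGIT (RFC 9112, section 2.3).
_VERSION_RE = re.compile(r"[0-9]\.[0-9]")

# Constructed attacker-controlled value: a valid-looking version followed by
# CR LF and a header line. Anything that lands after the CR LF is parsed by
# the server as a new header field.
MALICIOUS_VERSION = "1.1\r\nX-Injected: yes"


def build_request_head_unchecked(method: str, path: str, version: str,
                                 headers: Dict[str, str]) -> bytes:
    """Weak pattern: the version string is pasted into the request line as-is,
    so CR/LF inside it terminates the request line early."""
    lines = [f"{method} {path} HTTP/{version}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def validate_http_version(version: str) -> str:
    """Accept only the two-digit grammar. fullmatch() anchors both ends, so a
    trailing CR/LF fails; do not replace this with int()-based parsing, since
    Python's int() silently tolerates surrounding whitespace such as "\r\n"."""
    if not _VERSION_RE.fullmatch(version):
        raise ValueError(f"invalid HTTP version: {version!r}")
    return version


def build_request_head_checked(method: str, path: str, version: str,
                               headers: Dict[str, str]) -> bytes:
    """Hardened builder: same serialization, but the version is validated first."""
    return build_request_head_unchecked(method, path,
                                        validate_http_version(version), headers)


def parse_request_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Server-side view of the bytes: request line plus (name, value) header
    fields. This is how an injected line ends up as a real header."""
    head, _, _ = raw.decode("ascii").partition("\r\n\r\n")
    lines = head.split("\r\n")
    fields = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return lines[0], fields


def demo() -> Dict[str, object]:
    """Run the unchecked and checked builders on the malicious version."""
    headers = {"Host": "example.test"}
    request_line, fields = parse_request_head(
        build_request_head_unchecked("GET", "/", MALICIOUS_VERSION, headers))
    try:
        build_request_head_checked("GET", "/", MALICIOUS_VERSION, headers)
        rejected = False
    except ValueError:
        rejected = True
    return {"request_line": request_line, "injected": ("X-Injected", "yes") in fields,
            "rejected_by_check": rejected}


if __name__ == "__main__":
    print(demo())
```

The check belongs at the boundary where the value enters the client (constructor or setter), not at serialization time, so every code path that builds a request line sees an already-validated token.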
An update that fixes two vulnerabilities is now available.

SUSE Security Update: Security update for curl
______________________________________________________________________________

Announcement ID: SUSE-SU-2022:3772-1
Rating: important
References: #1202593 #1204383
Cross-References: CVE-2022-32221 CVE-2022-35252
CVSS scores:
CVE-2022-32221 (SUSE): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVE-2022-35252 (NVD): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2022-35252 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products:
SUSE Linux Enterprise Server 12-SP4-LTSS
SUSE Linux Enterprise Server for SAP 12-SP4
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud Crowbar 9
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for curl fixes the following issues:

- CVE-2022-35252: Fixed a potential injection of control characters into cookies; cookies carrying control bytes were accepted and sent back to servers (bsc#1202593).
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-3772=1
- SUSE OpenStack Cloud 9:
  zypper in -t patch SUSE-OpenStack-Cloud-9-2022-3772=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-3772=1
- SUSE Linux Enterprise Server 12-SP4-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-3772=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
  curl-7.60.0-4.43.1
  curl-debuginfo-7.60.0-4.43.1
  curl-debugsource-7.60.0-4.43.1
  libcurl4-32bit-7.60.0-4.43.1
  libcurl4-7.60.0-4.43.1
  libcurl4-debuginfo-32bit-7.60.0-4.43.1
  libcurl4-debuginfo-7.60.0-4.43.1
- SUSE OpenStack Cloud 9 (x86_64):
  curl-7.60.0-4.43.1
  curl-debuginfo-7.60.0-4.43.1
  curl-debugsource-7.60.0-4.43.1
  libcurl4-32bit-7.60.0-4.43.1
  libcurl4-7.60.0-4.43.1
  libcurl4-debuginfo-32bit-7.60.0-4.43.1
  libcurl4-debuginfo-7.60.0-4.43.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
  curl-7.60.0-4.43.1
  curl-debuginfo-7.60.0-4.43.1
  curl-debugsource-7.60.0-4.43.1
  libcurl4-7.60.0-4.43.1
  libcurl4-debuginfo-7.60.0-4.43.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):
  libcurl4-32bit-7.60.0-4.43.1
  libcurl4-debuginfo-32bit-7.60.0-4.43.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
  curl-7.60.0-4.43.1
  curl-debuginfo-7.60.0-4.43.1
  curl-debugsource-7.60.0-4.43.1
  libcurl4-7.60.0-4.43.1
  libcurl4-debuginfo-7.60.0-4.43.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):
  libcurl4-32bit-7.60.0-4.43.1
  libcurl4-debuginfo-32bit-7.60.0-4.43.1

References:

https://www.suse.com/security/cve/CVE-2022-32221.html
https://www.suse.com/security/cve/CVE-2022-35252.html
https://bugzilla.suse.com/1202593
https://bugzilla.suse.com/1204383

SUSE has released a curl update for SUSE Linux Enterprise Server 12 SP4 and SUSE OpenStack Cloud 9 that stops control characters from being injected into cookies and fixes the POST-after-PUT state confusion.
SUSE Update, curl Fixes, OpenStack Security, Enterprise Security, Software Patch.
Severity: Important.
LinuxSecurity.com Team
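The curl entry for CVE-2022-35252 is a one-liner, so here is the check it describes, as an added Python example that is not curl's code: a small cookie jar that parses Set-Cookie lines, refuses any cookie whose name or value contains a C0 control byte or DEL (the bytes RFC 6265's cookie-octet grammar excludes), and builds the outgoing Cookie header only from accepted cookies. The `CookieJar` class, the `SAMPLE_SET_COOKIES` response lines and the `demo()` helper are constructed for this illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# C0 controls (0x00-0x1F) and DEL (0x7F): never legal inside a cookie name
# or value. A server that receives one of these back may answer 400, which
# is the denial-of-service the curl advisory is about.
_CTL_RE = re.compile(r"[\x00-\x1f\x7f]")

# Constructed Set-Cookie header values, as an untrusted server might send them.
SAMPLE_SET_COOKIES = [
    "sid=abc123; Path=/; HttpOnly",
    "theme=dark",
    "evil=x\x01y; Path=/",   # control byte 0x01 inside the value
    "tab\tname=1",           # control byte (TAB) inside the name
]


def parse_set_cookie(header_value: str) -> Optional[Tuple[str, str]]:
    """Return (name, value) for a Set-Cookie value, or None if it is malformed
    or carries control characters. Attributes after the first ';' (Path,
    Expires, ...) are dropped here; only the name=value pair is sent back."""
    pair, _, _ = header_value.partition(";")
    name, sep, value = pair.partition("=")
    name, value = name.strip(), value.strip()
    if not sep or not name:
        return None
    if _CTL_RE.search(name) or _CTL_RE.search(value):
        return None
    return name, value


class CookieJar:
    """Minimal jar: accepted cookies keyed by name, rejected lines kept for audit."""

    def __init__(self) -> None:
        self._cookies: Dict[str, str] = {}
        self.rejected: List[str] = []

    def ingest(self, set_cookie_headers: List[str]) -> None:
        for raw in set_cookie_headers:
            parsed = parse_set_cookie(raw)
            if parsed is None:
                self.rejected.append(raw)
                continue
            name, value = parsed
            self._cookies[name] = value

    def cookie_header(self) -> str:
        """Value of the Cookie request header built from accepted cookies only."""
        return "; ".join(f"{k}={v}" for k, v in self._cookies.items())


def demo() -> Tuple[str, List[str]]:
    """Feed the sample response through the jar; return (Cookie header, rejects)."""
    jar = CookieJar()
    jar.ingest(SAMPLE_SET_COOKIES)
    return jar.cookie_header(), jar.rejected


if __name__ == "__main__":
    header, rejected = demo()
    print("Cookie:", header)
    print("rejected:", [r.encode("unicode_escape").decode() for r in rejected])
```

Rejecting at ingest time rather than at send time keeps the bad cookie out of persistent storage, so a later session cannot replay it either.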
An update that solves one vulnerability and has 20 fixes is now available.

SUSE Security Update: Security update for SUSE Manager Server 4.1
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:3621-1
Rating: moderate
References: #1185951 #1187998 #1188315 #1189609 #1189643 #1189818 #1190151 #1190166 #1190265 #1190276 #1190512 #1190665 #1190751 #1191144 #1191222 #1191274 #1191444 #1191495 #1191538 #1191643 #1191898
Cross-References: CVE-2021-21996
CVSS scores:
CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Affected Products:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1
______________________________________________________________________________

An update that solves one vulnerability and has 20 fixes is now available.

Description:

This update fixes the following issues:

grafana-formula:
- Version 0.4.2
  * Add SSH blackbox status check panel to clients dashboard
  * Migrate deprecated panels in clients dashboard

prometheus-formula:
- Version 0.3.4
  * Fix opening Prometheus ports on proxy
- Version 0.3.3
  * Add Prometheus targets configuration for minions SSH probing
  * Add blackbox exporter
  * Open Prometheus ports (bsc#1191144)

py26-compat-salt:
- Exclude the full path of a download URL to prevent injection of malicious code (bsc#1190265, CVE-2021-21996)

py26-compat-tornado:
- No relevant changes for users

py27-compat-salt:
- Fix the regression of docker_container state module
- Support querying for JSON data in external sql pillar
- Exclude the full path of a download URL to prevent injection of malicious code (bsc#1190265, CVE-2021-21996)
- Fix wrong relative paths resolution with Jinja renderer when importing subdirectories

spacecmd:
- Version 4.1.15-1
  * configchannel_updatefile handles directory properly (bsc#1190512)

spacewalk-backend:
- Version 4.1.29-1
  * Avoid GPG error messages in reposync caused by rpm not understanding signatures (bsc#1191538)
  * handle download of metadata filenames with checksums (bsc#1188315)
  * Sanitize cached filename for custom SSL certs used by reposync (bsc#1190751)

spacewalk-certs-tools:
- Version 4.1.19-1
  * add GPG keys using apt-key on debian machines (bsc#1187998)
  * set key format to PEM when generating key for traditional clients push ssh (bsc#1189643)

spacewalk-java:
- Version 4.1.41-1
  * Move pickedup actions to history as soon as they are pickedup (bsc#1191444)
  * On salt-ssh minions, enforce package list refresh after state apply
  * Fix internal server error on DuplicateSystemsCompare (bsc#1191643)
  * mgr-sync refresh logs when a vendor channel is expired and shows how to remove it (bsc#1191222)
  * Remove NullPointerException in rhn_web_ui.log when building an image (bsc#1185951)
  * Add checksums to repository metadata filenames (bsc#1188315)
  * Fix ISE in product migration if base product is missing (bsc#1190151)
  * use TLSv1.3 if it is a supported protocol
  * Adapt auto errata update to respect maintenance windows
  * Adapt auto errata update to skip during CLM build (bsc#1189609)
  * Update kernel live patch version on minion startup (bsc#1190276)

spacewalk-reports:
- Version 4.1.4-1
  * Improve performance of inventory report (bsc#1191495)

spacewalk-web:
- Version 4.1.30-1
  * Update Web UI version to 4.1.12

subscription-matcher:
- Version 0.27
  * update subscription rules for new SKUs (bsc#1189818)

susemanager:
- Version 4.1.31-1
  * Add the gnupg package for ubuntu which is then needed by apt-key (bsc#1187998)
  * Add python-mako, python-gnupg and gnupg1 to the Debian 9 bootstrap repository so bootstrapping without any enabled repositories is possible (bsc#1191898)

susemanager-doc-indexes:
- Add SLS state for keeping clients updated in Client Configuration Guide
- Fixed unpublished patches note in the server update chapter of the Upgrade Guide
- Added DNS resolution for minions to the troubleshooting section in the Client Configuration Guide
- Documented low disk space warnings in the managing disk space chapter of the Administration Guide
- In the ports section of the Installation Guide, mention tftpsync explicitly for port 443 (bsc#1190665)
- In server upgrade procedure of the Upgrade Guide, add zypper ref step to refresh repositories reliably
- Update effective_cache_size section of the Salt Guide (bsc#1191274)
- Documented new filter in the content lifecycle management chapter of the Administration Guide
- Added aarch64 support for clients in the Installation Guide and Client Configuration Guide
- Documented AWS Permissions for Virtual Host Manager in VHM and Amazon Web Services chapter of the Client Configuration Guide
- Removed an outdated patches note in the server update chapter of the
- Fixed mgr-cfg-* issues in appendix of the Reference Guide. Run the commands on the client (bsc#1190166)
- Removed Portus and CaaSP references from the image management chapter

susemanager-docs_en:
- Add SLS state for keeping clients updated in Client Configuration Guide
- Fixed unpublished patches note in the server update chapter of the Upgrade Guide
- Added DNS resolution for minions to the troubleshooting section in the Client Configuration Guide
- Documented low disk space warnings in the managing disk space chapter of the Administration Guide
- In the ports section of the Installation Guide, mention tftpsync explicitly for port 443 (bsc#1190665)
- In server upgrade procedure of the Upgrade Guide, add zypper ref step to refresh repositories reliably
- Update effective_cache_size section of the Salt Guide (bsc#1191274)
- Documented new filter in the content lifecycle management chapter of the Administration Guide
- Added aarch64 support for clients in the Installation Guide and Client Configuration Guide
- Documented AWS Permissions for Virtual Host Manager in VHM and Amazon Web Services chapter of the Client Configuration Guide
- Removed an outdated patches note in the server update chapter of the
- Fixed mgr-cfg-* issues in appendix of the Reference Guide. Run the commands on the client (bsc#1190166)
- Removed Portus and CaaSP references from the image management chapter

susemanager-sls:
- Version 4.1.31-1
  * Fix mgrcompat state module to work with Salt 3003 and 3004
  * Update kernel live patch version on minion startup (bsc#1190276)

How to apply this update:

1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: `spacewalk-service stop`
3. Apply the patch using either zypper patch or YaST Online Update.
4. Start the Spacewalk service: `spacewalk-service start`

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.1:
  zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.1-2021-3621=1

Package List:

- SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (ppc64le s390x x86_64):
  py26-compat-tornado-4.2.1-3.3.2
  py26-compat-tornado-debuginfo-4.2.1-3.3.2
  py26-compat-tornado-debugsource-4.2.1-3.3.2
  susemanager-4.1.31-3.39.2
  susemanager-tools-4.1.31-3.39.2
- SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (noarch):
  grafana-formula-0.4.2-3.12.2
  prometheus-formula-0.3.4-3.12.2
  py26-compat-salt-2016.11.10-17.2
  py27-compat-salt-3000.3-6.15.2
  python3-spacewalk-certs-tools-4.1.19-3.22.2
  spacecmd-4.1.15-4.30.2
  spacewalk-backend-4.1.29-4.44.2
  spacewalk-backend-app-4.1.29-4.44.2
  spacewalk-backend-applet-4.1.29-4.44.2
  spacewalk-backend-config-files-4.1.29-4.44.2
  spacewalk-backend-config-files-common-4.1.29-4.44.2
  spacewalk-backend-config-files-tool-4.1.29-4.44.2
  spacewalk-backend-iss-4.1.29-4.44.2
  spacewalk-backend-iss-export-4.1.29-4.44.2
  spacewalk-backend-package-push-server-4.1.29-4.44.2
  spacewalk-backend-server-4.1.29-4.44.2
  spacewalk-backend-sql-4.1.29-4.44.2
  spacewalk-backend-sql-postgresql-4.1.29-4.44.2
  spacewalk-backend-tools-4.1.29-4.44.2
  spacewalk-backend-xml-export-libs-4.1.29-4.44.2
  spacewalk-backend-xmlrpc-4.1.29-4.44.2
  spacewalk-base-4.1.30-3.36.1
  spacewalk-base-minimal-4.1.30-3.36.1
  spacewalk-base-minimal-config-4.1.30-3.36.1
  spacewalk-certs-tools-4.1.19-3.22.2
  spacewalk-html-4.1.30-3.36.1
  spacewalk-java-4.1.41-3.58.2
  spacewalk-java-config-4.1.41-3.58.2
  spacewalk-java-lib-4.1.41-3.58.2
  spacewalk-java-postgresql-4.1.41-3.58.2
  spacewalk-reports-4.1.4-3.6.2
  spacewalk-taskomatic-4.1.41-3.58.2
  subscription-matcher-0.27-3.12.2
  susemanager-doc-indexes-4.1-11.46.2
  susemanager-docs_en-4.1-11.46.2
  susemanager-docs_en-pdf-4.1-11.46.2
  susemanager-sls-4.1.31-3.51.2
  susemanager-web-libs-4.1.30-3.36.1
  uyuni-config-modules-4.1.31-3.51.2

References:

https://www.suse.com/security/cve/CVE-2021-21996.html
https://bugzilla.suse.com/1185951
https://bugzilla.suse.com/1187998
https://bugzilla.suse.com/1188315
https://bugzilla.suse.com/1189609
https://bugzilla.suse.com/1189643
https://bugzilla.suse.com/1189818
https://bugzilla.suse.com/1190151
https://bugzilla.suse.com/1190166
https://bugzilla.suse.com/1190265
https://bugzilla.suse.com/1190276
https://bugzilla.suse.com/1190512
https://bugzilla.suse.com/1190665
https://bugzilla.suse.com/1190751
https://bugzilla.suse.com/1191144
https://bugzilla.suse.com/1191222
https://bugzilla.suse.com/1191274
https://bugzilla.suse.com/1191444
https://bugzilla.suse.com/1191495
https://bugzilla.suse.com/1191538
https://bugzilla.suse.com/1191643
https://bugzilla.suse.com/1191898

An update has been released for SUSE Manager Server 4.1 that resolves one security vulnerability (CVE-2021-21996 in the bundled Salt packages) together with a series of bug fixes.
SUSE Manager Server, patch update, security fixes, software vulnerabilities, Linux updates.
LinuxSecurity.com Team
An update that solves one vulnerability, contains one feature and has three fixes is now available.

SUSE Security Update: Security update for SUSE Manager Client Tools
______________________________________________________________________________

Announcement ID: SUSE-SU-2021:14832-1
Rating: moderate
References: #1181223 #1188977 #1190265 #1190512 ECO-3319
Cross-References: CVE-2021-21996
CVSS scores:
CVE-2021-21996 (SUSE): 4.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Affected Products:
SUSE Manager Ubuntu 18.04-CLIENT-TOOLS
______________________________________________________________________________

An update that solves one vulnerability, contains one feature and has three fixes is now available.

Description:

This update fixes the following issues:

salt:
- Support querying for JSON data in external sql pillar
- Exclude the full path of a download URL to prevent injection of malicious code (bsc#1190265, CVE-2021-21996)
- Fix wrong relative paths resolution with Jinja renderer when importing subdirectories

scap-security-guide:
- Updated to 0.1.57 release (jsc#ECO-3319)
  - CIS profile for RHEL 7 is updated
  - initial CIS profiles for Ubuntu 20.04
  - Major improvement of RHEL 9 content
  - new release process implemented using Github actions

spacecmd:
- Version 4.2.13-1
  * Update translation strings
  * configchannel_updatefile handles directory properly (bsc#1190512)
  * Add schedule_archivecompleted to mass archive actions (bsc#1181223)
  * Remove whoami from the list of unauthenticated commands (bsc#1188977)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

- SUSE Manager Ubuntu 18.04-CLIENT-TOOLS:
  zypper in -t patch suse-ubu184ct-client-tools-202110-14832=1

Package List:

- SUSE Manager Ubuntu 18.04-CLIENT-TOOLS (all):
  salt-common-3002.2+ds-1+98.1
  salt-minion-3002.2+ds-1+98.1
  scap-security-guide-ubuntu-0.1.57-8.1
  spacecmd-4.2.13-35.1

References:

https://www.suse.com/security/cve/CVE-2021-21996.html
https://bugzilla.suse.com/1181223
https://bugzilla.suse.com/1188977
https://bugzilla.suse.com/1190265
https://bugzilla.suse.com/1190512

This SUSE Manager Client Tools update for Ubuntu 18.04 fixes one vulnerability in salt (CVE-2021-21996), brings in the scap-security-guide 0.1.57 release, and includes three spacecmd bug fixes.
SUSE Manager, Security Update, Client Tools, Software Patch.
Severity: Moderate.
LinuxSecurity.com Team
An update that solves 21 vulnerabilities and has two fixes is now available.

SUSE Security Update: Security update for ruby-bundled-gems-rpmhelper, ruby2.5
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:1804-1
Rating: important
References: #1082007 #1082008 #1082009 #1082010 #1082011 #1082014 #1082058 #1087433 #1087434 #1087436 #1087437 #1087440 #1087441 #1112530 #1112532 #1130028 #1130611 #1130617 #1130620 #1130622 #1130623 #1130627 #1133790
Cross-References: CVE-2017-17742 CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079 CVE-2018-16395 CVE-2018-16396 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325
Affected Products:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15
SUSE Linux Enterprise Module for Basesystem 15-SP1
SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

An update that solves 21 vulnerabilities and has two fixes is now available.

Description:

This update for ruby2.5 and ruby-bundled-gems-rpmhelper fixes the following issues:

Changes in ruby2.5:

Update to 2.5.5 and 2.5.4:
https://www.ruby-lang.org/en/news/2019/03/15/ruby-2-5-5-released/
https://www.ruby-lang.org/en/news/2019/03/13/ruby-2-5-4-released/

Security issues fixed:
- CVE-2019-8320: Delete directory using symlink when decompressing tar (bsc#1130627)
- CVE-2019-8321: Escape sequence injection vulnerability in verbose (bsc#1130623)
- CVE-2019-8322: Escape sequence injection vulnerability in gem owner (bsc#1130622)
- CVE-2019-8323: Escape sequence injection vulnerability in API response handling (bsc#1130620)
- CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution (bsc#1130617)
- CVE-2019-8325: Escape sequence injection vulnerability in errors (bsc#1130611)

Ruby 2.5 was updated to 2.5.3:
This release includes some bug fixes and some security fixes.

Security issues fixed:
- CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives (bsc#1112532)
- CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly (bsc#1112530)

Ruby 2.5 was updated to 2.5.1:
This release includes some bug fixes and some security fixes.

Security issues fixed:
- CVE-2017-17742: HTTP response splitting in WEBrick (bsc#1087434)
- CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir (bsc#1087441)
- CVE-2018-8777: DoS by large request in WEBrick (bsc#1087436)
- CVE-2018-8778: Buffer under-read in String#unpack (bsc#1087433)
- CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket (bsc#1087440)
- CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir (bsc#1087437)
- Multiple vulnerabilities in RubyGems were fixed:
  - CVE-2018-1000079: Fixed path traversal issue during gem installation allows to write to arbitrary filesystem locations (bsc#1082058)
  - CVE-2018-1000075: Fixed infinite loop vulnerability due to negative size in tar header causes Denial of Service (bsc#1082014)
  - CVE-2018-1000078: Fixed XSS vulnerability in homepage attribute when displayed via gem server (bsc#1082011)
  - CVE-2018-1000077: Fixed that missing URL validation on spechome attribute allows malicious gem to set an invalid homepage URL (bsc#1082010)
  - CVE-2018-1000076: Fixed improper verification of signatures in tarball allows to install mis-signed gem (bsc#1082009)
  - CVE-2018-1000074: Fixed unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML (bsc#1082008)
  - CVE-2018-1000073: Fixed path traversal when writing to a symlinked basedir outside of the root (bsc#1082007)

Other changes:
- Fixed Net::POPMail methods modify frozen literal when using default arg
- ruby: change over of the Japanese Era to the new emperor May 1st 2019 (bsc#1133790)
- build with PIE support (bsc#1130028)

Changes in ruby-bundled-gems-rpmhelper:
- Add a new helper for bundled ruby gems.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-1804=1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
  zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-1804=1
- SUSE Linux Enterprise Module for Basesystem 15-SP1:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-1804=1
- SUSE Linux Enterprise Module for Basesystem 15:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-1804=1

Package List:

- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (aarch64 ppc64le s390x x86_64):
  ruby2.5-debuginfo-2.5.5-4.3.1
  ruby2.5-debugsource-2.5.5-4.3.1
  ruby2.5-doc-2.5.5-4.3.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (noarch):
  ruby2.5-doc-ri-2.5.5-4.3.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):
  ruby2.5-debuginfo-2.5.5-4.3.1
  ruby2.5-debugsource-2.5.5-4.3.1
  ruby2.5-doc-2.5.5-4.3.1
- SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):
  ruby2.5-doc-ri-2.5.5-4.3.1
- SUSE Linux Enterprise Module for Basesystem 15-SP1 (aarch64 ppc64le s390x x86_64):
  libruby2_5-2_5-2.5.5-4.3.1
  libruby2_5-2_5-debuginfo-2.5.5-4.3.1
  ruby2.5-2.5.5-4.3.1
  ruby2.5-debuginfo-2.5.5-4.3.1
  ruby2.5-debugsource-2.5.5-4.3.1
  ruby2.5-devel-2.5.5-4.3.1
  ruby2.5-devel-extra-2.5.5-4.3.1
  ruby2.5-stdlib-2.5.5-4.3.1
  ruby2.5-stdlib-debuginfo-2.5.5-4.3.1
- SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
  libruby2_5-2_5-2.5.5-4.3.1
  libruby2_5-2_5-debuginfo-2.5.5-4.3.1
  ruby2.5-2.5.5-4.3.1
  ruby2.5-debuginfo-2.5.5-4.3.1
  ruby2.5-debugsource-2.5.5-4.3.1
  ruby2.5-devel-2.5.5-4.3.1
  ruby2.5-devel-extra-2.5.5-4.3.1
  ruby2.5-stdlib-2.5.5-4.3.1
  ruby2.5-stdlib-debuginfo-2.5.5-4.3.1

References:

https://www.suse.com/security/cve/CVE-2017-17742.html
https://www.suse.com/security/cve/CVE-2018-1000073.html
https://www.suse.com/security/cve/CVE-2018-1000074.html
https://www.suse.com/security/cve/CVE-2018-1000075.html
https://www.suse.com/security/cve/CVE-2018-1000076.html
https://www.suse.com/security/cve/CVE-2018-1000077.html
https://www.suse.com/security/cve/CVE-2018-1000078.html
https://www.suse.com/security/cve/CVE-2018-1000079.html
https://www.suse.com/security/cve/CVE-2018-16395.html
https://www.suse.com/security/cve/CVE-2018-16396.html
https://www.suse.com/security/cve/CVE-2018-6914.html
https://www.suse.com/security/cve/CVE-2018-8777.html
https://www.suse.com/security/cve/CVE-2018-8778.html
https://www.suse.com/security/cve/CVE-2018-8779.html
https://www.suse.com/security/cve/CVE-2018-8780.html
https://www.suse.com/security/cve/CVE-2019-8320.html
https://www.suse.com/security/cve/CVE-2019-8321.html
https://www.suse.com/security/cve/CVE-2019-8322.html
https://www.suse.com/security/cve/CVE-2019-8323.html
https://www.suse.com/security/cve/CVE-2019-8324.html
https://www.suse.com/security/cve/CVE-2019-8325.html
https://bugzilla.suse.com/1082007
https://bugzilla.suse.com/1082008
https://bugzilla.suse.com/1082009
https://bugzilla.suse.com/1082010
https://bugzilla.suse.com/1082011
https://bugzilla.suse.com/1082014
https://bugzilla.suse.com/1082058
https://bugzilla.suse.com/1087433
https://bugzilla.suse.com/1087434
https://bugzilla.suse.com/1087436
https://bugzilla.suse.com/1087437
https://bugzilla.suse.com/1087440
https://bugzilla.suse.com/1087441
https://bugzilla.suse.com/1112530
https://bugzilla.suse.com/1112532
https://bugzilla.suse.com/1130028
https://bugzilla.suse.com/1130611
https://bugzilla.suse.com/1130617
https://bugzilla.suse.com/1130620
https://bugzilla.suse.com/1130622
https://bugzilla.suse.com/1130623
https://bugzilla.suse.com/1130627
https://bugzilla.suse.com/1133790
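Four of the RubyGems fixes above (CVE-2019-8321, -8322, -8323 and -8325) are the same bug class: text from an untrusted source (gem metadata, an API response, an error message) is written to the terminal with embedded escape sequences intact, so a malicious gem can clear the screen, retitle the window or hide output behind colour changes. The following Python example, added here and not RubyGems' fix, shows the sanitizer a CLI tool needs before echoing such data: it strips CSI and OSC sequences and every other C0 control byte except TAB, LF and CR. The `SAMPLE_GEMS` metadata and the `safe_listing()` helper are constructed for this illustration.

```python
import re
from typing import Dict, List

# Terminal escape sequences that must not reach the terminal from untrusted text:
#   CSI  ESC [ params intermediates final   e.g. ESC[31m (colour), ESC[2J (clear)
#   OSC  ESC ] ... BEL  or  ESC ] ... ESC \  e.g. window title, OSC 8 hyperlinks
#   Fe   ESC + one byte in 0x40-0x5F         any other two-byte escape
_ESCAPE_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[\x40-\x5f]"
)
# Remaining C0 controls and DEL, keeping TAB (0x09), LF (0x0A) and CR (0x0D).
_CTL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def contains_escape(text: str) -> bool:
    """True if the text carries anything a terminal would interpret."""
    return bool(_ESCAPE_RE.search(text) or _CTL_RE.search(text))


def sanitize_for_terminal(text: str) -> str:
    """Remove escape sequences first (so their bytes are not split into
    harmless-looking fragments), then any stray control bytes."""
    return _CTL_RE.sub("", _ESCAPE_RE.sub("", text))


# Constructed gem metadata as an untrusted index might return it. The second
# entry clears the screen and moves the cursor home via its name, and retitles
# the window and recolours text via its summary.
SAMPLE_GEMS: List[Dict[str, str]] = [
    {"name": "good-gem", "version": "2.1.0", "summary": "A well-behaved gem"},
    {"name": "evil-gem\x1b[2J\x1b[H", "version": "1.0.0",
     "summary": "Harmless\x1b]0;pwned\x07 \x1b[31mREALLY\x1b[0m"},
]


def safe_listing(gems: List[Dict[str, str]]) -> List[str]:
    """One display line per gem, with every untrusted field sanitized."""
    return [
        f"{sanitize_for_terminal(g['name'])} ({sanitize_for_terminal(g['version'])}): "
        f"{sanitize_for_terminal(g['summary'])}"
        for g in gems
    ]


if __name__ == "__main__":
    for line in safe_listing(SAMPLE_GEMS):
        print(line)
```

Stripping is the right default for log and listing output; where the tool wants to show the user that something was removed, `contains_escape()` can drive a warning instead of silently dropping the bytes.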
Update to 6.6. Version 6.5 addresses CVE-2018-10773, CVE-2018-10774 and CVE-2018-10775 and fixes injection of Fedora LDFLAGS.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-67914db5d9
2018-08-01 17:40:25.253069
--------------------------------------------------------------------------------

Name        : bibutils
Product     : Fedora 28
Version     : 6.6
Release     : 1.fc28
URL         :
Summary     : Bibliography conversion tools
Description :
The bibutils package converts between various bibliography formats using a common MODS-format XML intermediate.

--------------------------------------------------------------------------------
Update Information:

Update to 6.6.
----
Version 6.5
- address CVE-2018-10773, CVE-2018-10774, CVE-2018-10775
- fix injection of Fedora LDFLAGS

--------------------------------------------------------------------------------
ChangeLog:

* Mon Jul 23 2018 Vasiliy N. Glazov 6.6-1
- Update to 6.6
- Drop patch
- Clean spec
* Thu Jul 12 2018 Fedora Release Engineering - 6.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Jun 29 2018 Jens Petersen - 6.5-1
- update to version 6.5
- build with LDFLAGS (#1541039)
* Wed Jun 6 2018 Jens Petersen - 6.3-1
- update to 6.3 which addresses CVE-2018-10773 CVE-2018-10774 CVE-2018-10775 (#1577259)

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1577280 - CVE-2018-10775 bibutils: NULL pointer dereference in _fields_add function in fields.c in libbibcore.a
        https://bugzilla.redhat.com/show_bug.cgi?id=1577280
  [ 2 ] Bug #1577268 - CVE-2018-10774 bibutils: Out-of-bounds Read in isiin_keyword function in isiin.c in libbibutils.a
        https://bugzilla.redhat.com/show_bug.cgi?id=1577268
  [ 3 ] Bug #1577258 - CVE-2018-10773 bibutils: NULL pointer dereference in addsn function in serialno.c in libbibcore.a
        https://bugzilla.redhat.com/show_bug.cgi?id=1577258

--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-67914db5d9'
at the command line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------