Gentoo Linux Security Advisory GLSA 201705-01
https://security.gentoo.org/

Severity: Normal
Title: libevent: Multiple vulnerabilities
Date: May 07, 2017
Bugs: #608042
ID: 201705-01

Synopsis
========
Multiple vulnerabilities have been found in libevent, the worst of which allows remote attackers to execute arbitrary code.

Background
==========
libevent is a library to execute a function when a specific event occurs on a file descriptor.

Affected packages
=================
Package            / Vulnerable / Unaffected
dev-libs/libevent    < 2.1.7_rc    >= 2.1.7_rc

Description
===========
Multiple vulnerabilities have been discovered in libevent. Please review the CVE identifiers referenced below for details.

Impact
======
A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All libevent users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libevent-2.1.7_rc"

References
==========
[ 1 ] CVE-2016-10195  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10195
[ 2 ] CVE-2016-10196  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10196
[ 3 ] CVE-2016-10197  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10197

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201705-01

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
Ubuntu Security Notice USN-3228-1
March 13, 2017

libevent vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:
Several security issues were fixed in libevent.

Software Description:
- libevent: Asynchronous event notification library

Details:
Guido Vranken discovered that libevent incorrectly handled memory when processing certain data. A remote attacker could possibly use this issue with an application that uses libevent to cause a denial of service, or possibly execute arbitrary code.

Update instructions:
The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.10:
  libevent-2.0-5  2.0.21-stable-2ubuntu0.16.10.1

Ubuntu 16.04 LTS:
  libevent-2.0-5  2.0.21-stable-2ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  libevent-2.0-5  2.0.21-stable-1ubuntu1.14.04.2

Ubuntu 12.04 LTS:
  libevent-2.0-5  2.0.16-stable-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-3228-1
CVE-2016-10195, CVE-2016-10196, CVE-2016-10197

Package Information:
https://launchpad.net/ubuntu/+source/libevent/2.0.21-stable-2ubuntu0.16.10.1
https://launchpad.net/ubuntu/+source/libevent/2.0.21-stable-2ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/libevent/2.0.21-stable-1ubuntu1.14.04.2
https://launchpad.net/ubuntu/+source/libevent/2.0.16-stable-1ubuntu0.2

Severity: Critical.
Debian Security Advisory DSA-3789-1

Several vulnerabilities were discovered in libevent, an asynchronous event notification library. They would lead to Denial Of Service via application crash, or remote code execution.
[slackware-security] libevent (SSA:2016-085-01)

New libevent packages are available for Slackware 14.1 and -current to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/libevent-2.0.22-i486-1_slack14.1.txz: Upgraded.
  Multiple integer overflows in the evbuffer API allow context-dependent attackers to cause a denial of service or possibly have other unspecified impact via "insanely large inputs" to the (1) evbuffer_add, (2) evbuffer_expand, or (3) bufferevent_write function, which triggers a heap-based buffer overflow or an infinite loop.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2014-6272
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab (https://osuosl.org/) for donating FTP and rsync hosting to the Slackware project! :-)

Also see the "Get Slack" section on http://www.slackware.com/ for additional mirror sites near you.

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/libevent-2.0.22-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/libevent-2.0.22-x86_64-1_slack14.1.txz

Updated package for Slackware -current:

Updated package for Slackware x86_64 -current:

MD5 signatures:
+-------------+

Slackware 14.1 package:
ab84c0702044de88f1b051ed3d3d1c40  libevent-2.0.22-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
bc5d1dff8d2f3758b0feddf00d2c6229  libevent-2.0.22-x86_64-1_slack14.1.txz

Slackware -current package:
b195a6e34b8ce7043da6cd57670db4a7  l/libevent-2.0.22-i586-1.txz

Slackware x86_64 -current package:
7a755ece3e378f244a3c327369e7f2ac  l/libevent-2.0.22-x86_64-1.txz

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg libevent-2.0.22-i486-1_slack14.1.txz

Severity: Critical.
Ubuntu Security Notice USN-2477-1
January 19, 2015

libevent vulnerability

A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:
libevent could be made to crash or run programs if it processed specially crafted data.

Software Description:
- libevent: Asynchronous event notification library

Details:
Andrew Bartlett discovered that libevent incorrectly handled large inputs to the evbuffer API. A remote attacker could possibly use this issue with an application that uses libevent to cause a denial of service, or possibly execute arbitrary code.

Update instructions:
The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.10:
  libevent-2.0-5  2.0.21-stable-1ubuntu1.14.10.1

Ubuntu 14.04 LTS:
  libevent-2.0-5  2.0.21-stable-1ubuntu1.14.04.1

Ubuntu 12.04 LTS:
  libevent-2.0-5  2.0.16-stable-1ubuntu0.1

Ubuntu 10.04 LTS:
  libevent-1.4-2  1.4.13-stable-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
CVE-2014-6272

Package Information:
https://launchpad.net/ubuntu/+source/libevent/2.0.21-stable-1ubuntu1.14.10.1
https://launchpad.net/ubuntu/+source/libevent/2.0.21-stable-1ubuntu1.14.04.1
https://launchpad.net/ubuntu/+source/libevent/2.0.16-stable-1ubuntu0.1
https://launchpad.net/ubuntu/+source/libevent/1.4.13-stable-1ubuntu0.1

Severity: Critical.
Arch Linux Security Advisory ASA-201501-4
=========================================
Severity: Medium
Date    : 2015-01-13
CVE-ID  : CVE-2014-6272
Package : libevent
Type    : heap overflow
Remote  : No
Link    : https://wiki.archlinux.org/title/CVE

Summary
=======
The package libevent before version 2.0.22-1 is vulnerable to a potential heap overflow.

Resolution
==========
Upgrade to 2.0.22-1.

# pacman -Syu "libevent>=2.0.22-1"

The problem has been fixed upstream in version 2.0.22.

Workaround
==========
The potential heap overflow can be prevented by not using evbuffer_add(), evbuffer_prepend(), evbuffer_expand(), evbuffer_reserve_space(), or evbuffer_read() in a way leading to the use of a buffer chunk larger than a single size_t.

Description
===========
A defect in the libevent evbuffer API could possibly leave some programs that use the evbuffer API open to potential heap overflows. A program using the evbuffer_add(), evbuffer_prepend(), evbuffer_expand(), evbuffer_reserve_space(), or evbuffer_read() functions may be vulnerable if an attacker is able to coax the linked program into trying to make a buffer larger than that which would fit into a single size_t.

Impact
======
An attacker may be able to execute arbitrary code in a program using a vulnerable version of libevent. Upstream has attempted to identify any programs using libevent in a vulnerable way and has not as of yet found any that do but, as a precaution, recommends upgrading.

References
==========
https://bugs.archlinux.org/task/43366
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6272
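The failure mode the Arch and Slackware advisories describe is length arithmetic that wraps a single size_t before a heap buffer is grown. As an added example, not libevent's own code, the minimal append routine below rejects any request whose total length or required capacity cannot be represented, before it touches the heap; struct toybuf, toybuf_add and the helpers are hypothetical names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Toy growable buffer; names are hypothetical, not libevent's. */
struct toybuf { unsigned char *data; size_t len, cap; };
/* Sum len + datlen into *need; return 0 if the sum would wrap size_t. */
static int checked_need(size_t len, size_t datlen, size_t *need)
{
    if (datlen > SIZE_MAX - len) return 0;
    *need = len + datlen;
    return 1;
}
/* Double cap until it covers need; return 0 if doubling would wrap. */
static size_t grow_cap(size_t cap, size_t need)
{
    if (cap == 0) cap = 64;
    while (cap < need) {
        if (cap > SIZE_MAX / 2) return 0;
        cap *= 2;
    }
    return cap;
}
/* Append datlen bytes; -1 (buffer untouched) on overflow or OOM, 0 on success. */
int toybuf_add(struct toybuf *b, const void *src, size_t datlen)
{
    size_t need, cap;
    if (!checked_need(b->len, datlen, &need)) return -1;
    if ((cap = grow_cap(b->cap, need)) == 0) return -1;
    if (cap != b->cap) {
        unsigned char *p = realloc(b->data, cap);
        if (!p) return -1;
        b->data = p; b->cap = cap;
    }
    memcpy(b->data + b->len, src, datlen);
    b->len = need;
    return 0;
}
/* Normal append succeeds; "insanely large" lengths are refused and leave the
 * buffer state unchanged. Returns 1 if every check holds. */
int demo_checks(void)
{
    struct toybuf b = { NULL, 0, 0 };
    int ok = toybuf_add(&b, "abc", 3) == 0 && b.len == 3;
    ok = ok && toybuf_add(&b, "", SIZE_MAX) == -1;      /* 3 + SIZE_MAX wraps */
    ok = ok && toybuf_add(&b, "", SIZE_MAX / 2) == -1;  /* no representable capacity */
    ok = ok && b.len == 3 && b.cap == 64;
    free(b.data);
    return ok;
}
```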
Debian Security Advisory DSA-3119-1

Andrew Bartlett of Catalyst reported a defect affecting certain applications using the Libevent evbuffer API. This defect leaves applications which pass insanely large inputs to evbuffers open to a possible heap overflow or infinite loop. In order to exploit this flaw,