
Stay Secure with the Latest Linux Advisories


Explore Latest Linux Security advisories

We found 10 articles for you...
89

Fedora 41 Update: Varnish Security Fix VSV00015 Low Risk

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-4453f596a8
2025-04-05 01:25:14.172279+00:00
--------------------------------------------------------------------------------

Name        : varnish
Product     : Fedora 41
Version     : 7.5.0
Release     : 3.fc41
URL         : cache.org//
Summary     : High-performance HTTP accelerator
Description :
This is Varnish Cache, a high-performance HTTP accelerator. Varnish Cache stores web pages in memory so web servers don't have to create the same web page over and over again. Varnish Cache serves pages much faster than any application server; giving the website a significant speed up. Documentation wiki and additional information about Varnish Cache is available on: cache.org//

--------------------------------------------------------------------------------
Update Information:

Security: This update includes fix for VSV00015 aka CVE-2025-30346. Upstream considers this a low risk problem. For details, refer to cache.org/security/VSV00015.html
--------------------------------------------------------------------------------
ChangeLog:

* Tue Mar 25 2025 Ingvar Hagelund - 7.5.0-3
- Security: Added patch for VSV00015 aka CVE-2025-30346
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-4453f596a8' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------

The latest Fedora 41 update resolves a minor security concern in Varnish, as outlined in security advisory VSV00015.

Fedora Security Update, Varnish Cache, HTTP Accelerator, Update Advisory, Low Risk Security

Severity: Low

LinuxSecurity.com Team

Apr 05, 2025 Low Fedora
100

SUSE: 2024:148-1 Low Risk: tar extension attributes fix

SUSE Container Update Advisory: suse/sle15
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:148-1
Container Tags        : bci/bci-base:15.5 , bci/bci-base:15.5.36.5.71 , suse/sle15:15.5 , suse/sle15:15.5.36.5.71
Container Release     : 36.5.71
Severity              : low
Type                  : security
References            : 1217969 CVE-2023-39804
-----------------------------------------------------------------

The container suse/sle15 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:70-1
Released:    Tue Jan 9 18:29:39 2024
Summary:     Security update for tar
Type:        security
Severity:    low
References:  1217969,CVE-2023-39804

This update for tar fixes the following issues:

- CVE-2023-39804: Fixed extension attributes in PAX archives incorrect handling (bsc#1217969).

The following package changes have been done:

- tar-1.34-150000.3.34.1 updated

SUSE Container Update Notice for suse/sle15 provides essential upgrades and corrections, improving security within container environments.

SUSE Container, Security Update, Tar Fixes, Container Advisory

Severity: Low

LinuxSecurity.com Team

Jan 10, 2024 Low SuSE
98

Red Hat JBoss Web Server: RHSA-2022:0527-01 Low Risk Security Update

====================================================================
Red Hat Security Advisory

Synopsis:     Low: Red Hat JBoss Web Server 3.1 Service Pack 14 security update
Advisory ID:  RHSA-2022:0527-01
Product:      Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0527
Issue date:   2022-02-14
CVE Names:    CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307
====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1 for Red Hat Enterprise Linux 7 and Microsoft Windows.

Red Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 14 serves as a replacement for Red Hat JBoss Web Server 3.1 Service Pack 12. This release includes bug fixes, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [jws-3] (CVE-2022-23302)
* log4j-eap6: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [jws-3] (CVE-2022-23305)
* log4j-eap6: log4j: Unsafe deserialization flaw in Chainsaw log viewer [jws-3] (CVE-2022-23307)
* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [jws-3.1] (CVE-2021-4104)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

The References section of this erratum contains a download link for the update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

2031667 - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer

5. References:

https://access.redhat.com/security/cve/CVE-2021-4104
https://access.redhat.com/security/cve/CVE-2022-23302
https://access.redhat.com/security/cve/CVE-2022-23305
https://access.redhat.com/security/cve/CVE-2022-23307
https://access.redhat.com/security/updates/classification#low

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2022 Red Hat, Inc.

Red Hat JBoss Web Server security advisory highlights low-impact risks and suggests essential updates for protection.

Red Hat JBoss, Security Update, Web Server Advisory, Linux Security

Severity: Low

LinuxSecurity.com Team

Feb 14, 2022 Low Red Hat
98

Advisory RHSA-2021:0489-01 for Low Risk OpenSSL Issue in JBoss 3.1

====================================================================
Red Hat Security Advisory

Synopsis:     Low: Red Hat JBoss Web Server 3.1 Service Pack 11 security update
Advisory ID:  RHSA-2021:0489-01
Product:      Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0489
Issue date:   2021-02-11
CVE Names:    CVE-2020-1971
====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 7.

Red Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 3.1 for RHEL 7 - x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 11 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

* openssl: EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1903409 - CVE-2020-1971 openssl: EDIPARTYNAME NULL pointer de-reference

6. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

JWS-1938 - Update to the latest JBCS version - Drop RHEL6

7. Package List:

Red Hat JBoss Web Server 3.1 for RHEL 7:

Source:
tomcat-native-1.2.23-23.redhat_23.ep7.el7.src.rpm

x86_64:
tomcat-native-1.2.23-23.redhat_23.ep7.el7.x86_64.rpm
tomcat-native-debuginfo-1.2.23-23.redhat_23.ep7.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key

8. References:

https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/updates/classification#low

9. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2021 Red Hat, Inc.

Red Hat JBoss Web Server 3.1 Service Pack 11 has issued a security patch that rectifies a minor vulnerability in OpenSSL.

Red Hat JBoss Web, Security Advisory, OpenSSL Issue, Server Update

Severity: Low

LinuxSecurity.com Team

Feb 11, 2021 Low Red Hat
98

Update RHSA-2020-4436-01 for gnome-software and fwupd on RHEL 8

====================================================================
Red Hat Security Advisory

Synopsis:     Low: gnome-software and fwupd security, bug fix, and enhancement update
Advisory ID:  RHSA-2020:4436-01
Product:      Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:4436
Issue date:   2020-11-03
CVE Names:    CVE-2020-10759
====================================================================

1. Summary:

An update for appstream-data, fwupd, gnome-software, and libxmlb is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The gnome-software packages contain an application that makes it easy to add, remove, and update software in the GNOME desktop.

The appstream-data package provides the distribution specific AppStream metadata required for the GNOME and KDE software centers.

The fwupd packages provide a service that allows session software to update device firmware.

The following packages have been upgraded to a later upstream version: gnome-software (3.36.1), fwupd (1.4.2).

Security Fix(es):

* fwupd: Possible bypass in signature verification (CVE-2020-10759)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1797932 - Rebase gnome-software to 3.36
1815502 - gnome-software support for auth webflow in flatpak remotes
1839774 - missing section for gnome-shell extensions
1844316 - CVE-2020-10759 fwupd: Possible bypass in signature verification
1844488 - request for appstream-data refresh in 8.3
1845714 - Show Details not working for e.g. Firefox installed from rpm

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
appstream-data-8-20200724.el8.src.rpm
gnome-software-3.36.1-4.el8.src.rpm

aarch64:
gnome-software-3.36.1-4.el8.aarch64.rpm
gnome-software-debuginfo-3.36.1-4.el8.aarch64.rpm
gnome-software-debugsource-3.36.1-4.el8.aarch64.rpm

noarch:
appstream-data-8-20200724.el8.noarch.rpm

ppc64le:
gnome-software-3.36.1-4.el8.ppc64le.rpm
gnome-software-debuginfo-3.36.1-4.el8.ppc64le.rpm
gnome-software-debugsource-3.36.1-4.el8.ppc64le.rpm

s390x:
gnome-software-3.36.1-4.el8.s390x.rpm
gnome-software-debuginfo-3.36.1-4.el8.s390x.rpm
gnome-software-debugsource-3.36.1-4.el8.s390x.rpm

x86_64:
gnome-software-3.36.1-4.el8.x86_64.rpm
gnome-software-debuginfo-3.36.1-4.el8.x86_64.rpm
gnome-software-debugsource-3.36.1-4.el8.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 8):

Source:
fwupd-1.4.2-4.el8.src.rpm
libxmlb-0.1.15-1.el8.src.rpm

aarch64:
fwupd-1.4.2-4.el8.aarch64.rpm
fwupd-debuginfo-1.4.2-4.el8.aarch64.rpm
fwupd-debugsource-1.4.2-4.el8.aarch64.rpm
libxmlb-0.1.15-1.el8.aarch64.rpm
libxmlb-debuginfo-0.1.15-1.el8.aarch64.rpm
libxmlb-debugsource-0.1.15-1.el8.aarch64.rpm
libxmlb-tests-debuginfo-0.1.15-1.el8.aarch64.rpm

ppc64le:
fwupd-1.4.2-4.el8.ppc64le.rpm
fwupd-debuginfo-1.4.2-4.el8.ppc64le.rpm
fwupd-debugsource-1.4.2-4.el8.ppc64le.rpm
libxmlb-0.1.15-1.el8.ppc64le.rpm
libxmlb-debuginfo-0.1.15-1.el8.ppc64le.rpm
libxmlb-debugsource-0.1.15-1.el8.ppc64le.rpm
libxmlb-tests-debuginfo-0.1.15-1.el8.ppc64le.rpm

s390x:
fwupd-1.4.2-4.el8.s390x.rpm
fwupd-debuginfo-1.4.2-4.el8.s390x.rpm
fwupd-debugsource-1.4.2-4.el8.s390x.rpm
libxmlb-0.1.15-1.el8.s390x.rpm
libxmlb-debuginfo-0.1.15-1.el8.s390x.rpm
libxmlb-debugsource-0.1.15-1.el8.s390x.rpm
libxmlb-tests-debuginfo-0.1.15-1.el8.s390x.rpm

x86_64:
fwupd-1.4.2-4.el8.x86_64.rpm
fwupd-debuginfo-1.4.2-4.el8.x86_64.rpm
fwupd-debugsource-1.4.2-4.el8.x86_64.rpm
libxmlb-0.1.15-1.el8.i686.rpm
libxmlb-0.1.15-1.el8.x86_64.rpm
libxmlb-debuginfo-0.1.15-1.el8.i686.rpm
libxmlb-debuginfo-0.1.15-1.el8.x86_64.rpm
libxmlb-debugsource-0.1.15-1.el8.i686.rpm
libxmlb-debugsource-0.1.15-1.el8.x86_64.rpm
libxmlb-tests-debuginfo-0.1.15-1.el8.i686.rpm
libxmlb-tests-debuginfo-0.1.15-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-10759
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

The latest update for gnome-software and fwupd resolves minor vulnerabilities within Red Hat Enterprise Linux. Ensure that these fixes are implemented without delay.

gnome-software Update, fwupd Security, Low Severity Patch, RHEL Security, Bug Fix Advisory

Severity: Low

LinuxSecurity.com Team

Nov 03, 2020 Low Red Hat
89

Fedora 26: 2018-63de5f3f6b Low Risk: Mod_Http2 Memory Issue

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-63de5f3f6b
2018-04-27 22:57:28.389494
--------------------------------------------------------------------------------

Name        : mod_http2
Product     : Fedora 26
Version     : 1.10.18
Release     : 1.fc26
URL         : https://icing.github.io/mod_h2/
Summary     : module implementing HTTP/2 for Apache 2
Description :
The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers.

--------------------------------------------------------------------------------
Update Information:

This release includes the latest stable upstream release of mod_http2. The changes since the last update are:

* fixes a race condition where aborting streams triggers an unnecessary timeout.
* accurate reporting of h2 data input/output per request via mod_logio. Fixes an issue where output sizes were counted n-times on reused slave connections. See [issue #158](https://github.com/icing/mod_h2/issues/158).
* normalized connection prefix logging when trace2 is enabled for direct h2 connection detection.

----

This update includes the latest upstream release of mod_http2, version 1.10.16. This includes a security fix (CVE-2018-1302): When an HTTP/2 stream was destroyed after being handled, mod_http2 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 18 2018 Joe Orton - 1.10.18-1
- update to 1.10.18
* Thu Mar 29 2018 Joe Orton - 1.10.16-1
- update to 1.10.16 (CVE-2018-1302)
* Thu Feb 8 2018 Fedora Release Engineering - 1.10.13-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Tue Nov 7 2017 Joe Orton - 1.10.13-1
- update to 1.10.13
* Fri Oct 20 2017 Joe Orton - 1.10.12-1
- update to 1.10.12
* Thu Aug 3 2017 Fedora Release Engineering - 1.10.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Mon Jul 31 2017 Joe Orton - 1.10.10-1
- update to 1.10.10
* Wed Jul 26 2017 Fedora Release Engineering - 1.10.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Thu Jul 6 2017 Joe Orton - 1.10.7-1
- update to 1.10.7
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1561570 - CVE-2018-1302 mod_http2: httpd: Use-after-free on HTTP/2 stream shutdown [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1561570
[ 2 ] Bug #1560627 - CVE-2018-1302 httpd: Use-after-free on HTTP/2 stream shutdown [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1560627
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2018-63de5f3f6b' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------

Fedora's mod_http2 enhancement resolves buffer leaks and connection delays, boosting both safety and efficiency.

mod_http2 Update, Fedora Security, Stream Management, Apache HTTP2

Severity: Low

LinuxSecurity.com Team

Apr 27, 2018 Low Fedora
89

Fedora 27: FEDORA-2018-0a95bff197 Low Risk: Use-After-Free in Mod_Http2

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-0a95bff197
2018-04-05 23:56:01.161334
--------------------------------------------------------------------------------

Name        : mod_http2
Product     : Fedora 27
Version     : 1.10.16
Release     : 1.fc27
URL         : https://icing.github.io/mod_h2/
Summary     : module implementing HTTP/2 for Apache 2
Description :
The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers.

--------------------------------------------------------------------------------
Update Information:

This update includes the latest upstream release of mod_http2, version 1.10.16. This includes a security fix (CVE-2018-1302): When an HTTP/2 stream was destroyed after being handled, mod_http2 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1561570 - CVE-2018-1302 mod_http2: httpd: Use-after-free on HTTP/2 stream shutdown [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1561570
[ 2 ] Bug #1560627 - CVE-2018-1302 httpd: Use-after-free on HTTP/2 stream shutdown [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1560627
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade mod_http2' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at
--------------------------------------------------------------------------------

Fedora 27 has introduced a security patch for mod_http2, addressing a memory handling problem within HTTP/2 streams, categorized as having minimal risk.

mod_http2 Update, Fedora Security Announcement, Memory Safety Fix, HTTP/2 Vulnerability, Upstream Release

Severity: Low

LinuxSecurity.com Team

Apr 05, 2018 Low Fedora