Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found 2 articles for you...
197
security advisorybuffer overflowdebianDebian 11: Serious Buffer Overflow Flaw Detected in osslsigncode DLA-4426-1
A Buffer Overflow vulnerability has been found in osslsigncode, a OpenSSL based Authenticode signing tool for PE/MSI/Java CAB files, which possibly allows an malicious attacker to execute arbitrary code when signing a crafted file. For Debian 11 bullseye, this problem has been fixed in version. Debian LTS Advisory DLA-4426-1
Dec 30, 2025
•Important
Debian LTS
98
security advisorymoderateupdateModerate Security Update RHSA-2020-4025-01 for qt5-qtbase in RHEL 7
An update for qt5-qtbase is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: qt5-qtbase security update Advisory ID: RHSA-2020:4025-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:4025 Issue date: 2020-09-29 CVE Names: CVE-2020-0569 CVE-2020-0570 ==================================================================== 1. Summary: An update for qt5-qtbase is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt. Security Fix(es): * qt: files placed by attacker can influence the working directory and lead to malicious code execution (CVE-2020-0569) * qt: files placed by attacker can influence the workingdirectory and lead to malicious code execution (CVE-2020-0570) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1800600 - CVE-2020-0569 qt: files placed by attacker can influence the working directory and lead to malicious code execution 1800604 - CVE-2020-0570 qt: files placed by attacker can influence the working directory and lead to malicious code execution 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: qt5-qtbase-5.9.7-4.el7.src.rpm noarch: qt5-qtbase-common-5.9.7-4.el7.noarch.rpm x86_64: qt5-qtbase-5.9.7-4.el7.i686.rpm qt5-qtbase-5.9.7-4.el7.x86_64.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.i686.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.x86_64.rpm qt5-qtbase-gui-5.9.7-4.el7.i686.rpm qt5-qtbase-gui-5.9.7-4.el7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): noarch: qt5-rpm-macros-5.9.7-4.el7.noarch.rpm x86_64: qt5-qtbase-debuginfo-5.9.7-4.el7.i686.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.x86_64.rpm qt5-qtbase-devel-5.9.7-4.el7.i686.rpm qt5-qtbase-devel-5.9.7-4.el7.x86_64.rpm qt5-qtbase-doc-5.9.7-4.el7.x86_64.rpm qt5-qtbase-examples-5.9.7-4.el7.x86_64.rpm qt5-qtbase-mysql-5.9.7-4.el7.i686.rpm qt5-qtbase-mysql-5.9.7-4.el7.x86_64.rpm qt5-qtbase-odbc-5.9.7-4.el7.i686.rpm qt5-qtbase-odbc-5.9.7-4.el7.x86_64.rpm qt5-qtbase-postgresql-5.9.7-4.el7.i686.rpm qt5-qtbase-postgresql-5.9.7-4.el7.x86_64.rpm qt5-qtbase-static-5.9.7-4.el7.i686.rpm qt5-qtbase-static-5.9.7-4.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v.7): Source: qt5-qtbase-5.9.7-4.el7.src.rpm noarch: qt5-qtbase-common-5.9.7-4.el7.noarch.rpm qt5-rpm-macros-5.9.7-4.el7.noarch.rpm x86_64: qt5-qtbase-5.9.7-4.el7.i686.rpm qt5-qtbase-5.9.7-4.el7.x86_64.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.i686.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.x86_64.rpm qt5-qtbase-devel-5.9.7-4.el7.i686.rpm qt5-qtbase-devel-5.9.7-4.el7.x86_64.rpm qt5-qtbase-doc-5.9.7-4.el7.x86_64.rpm qt5-qtbase-examples-5.9.7-4.el7.x86_64.rpm qt5-qtbase-gui-5.9.7-4.el7.i686.rpm qt5-qtbase-gui-5.9.7-4.el7.x86_64.rpm qt5-qtbase-mysql-5.9.7-4.el7.i686.rpm qt5-qtbase-mysql-5.9.7-4.el7.x86_64.rpm qt5-qtbase-odbc-5.9.7-4.el7.i686.rpm qt5-qtbase-odbc-5.9.7-4.el7.x86_64.rpm qt5-qtbase-postgresql-5.9.7-4.el7.i686.rpm qt5-qtbase-postgresql-5.9.7-4.el7.x86_64.rpm qt5-qtbase-static-5.9.7-4.el7.i686.rpm qt5-qtbase-static-5.9.7-4.el7.x86_64.rpm Red Hat Enterprise Linux Server (v.7): Source: qt5-qtbase-5.9.7-4.el7.src.rpm noarch: qt5-qtbase-common-5.9.7-4.el7.noarch.rpm qt5-rpm-macros-5.9.7-4.el7.noarch.rpm ppc64: qt5-qtbase-5.9.7-4.el7.ppc.rpm qt5-qtbase-5.9.7-4.el7.ppc64.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.ppc.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.ppc64.rpm qt5-qtbase-devel-5.9.7-4.el7.ppc.rpm qt5-qtbase-devel-5.9.7-4.el7.ppc64.rpm qt5-qtbase-gui-5.9.7-4.el7.ppc.rpm qt5-qtbase-gui-5.9.7-4.el7.ppc64.rpm qt5-qtbase-mysql-5.9.7-4.el7.ppc.rpm qt5-qtbase-mysql-5.9.7-4.el7.ppc64.rpm qt5-qtbase-odbc-5.9.7-4.el7.ppc.rpm qt5-qtbase-odbc-5.9.7-4.el7.ppc64.rpm qt5-qtbase-postgresql-5.9.7-4.el7.ppc.rpm qt5-qtbase-postgresql-5.9.7-4.el7.ppc64.rpm ppc64le: qt5-qtbase-5.9.7-4.el7.ppc64le.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.ppc64le.rpm qt5-qtbase-devel-5.9.7-4.el7.ppc64le.rpm qt5-qtbase-gui-5.9.7-4.el7.ppc64le.rpm qt5-qtbase-mysql-5.9.7-4.el7.ppc64le.rpm qt5-qtbase-odbc-5.9.7-4.el7.ppc64le.rpm qt5-qtbase-postgresql-5.9.7-4.el7.ppc64le.rpm s390x: qt5-qtbase-5.9.7-4.el7.s390.rpm qt5-qtbase-5.9.7-4.el7.s390x.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.s390.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.s390x.rpm qt5-qtbase-devel-5.9.7-4.el7.s390.rpm qt5-qtbase-devel-5.9.7-4.el7.s390x.rpm qt5-qtbase-gui-5.9.7-4.el7.s390.rpm qt5-qtbase-gui-5.9.7-4.el7.s390x.rpm qt5-qtbase-mysql-5.9.7-4.el7.s390.rpm qt5-qtbase-mysql-5.9.7-4.el7.s390x.rpm qt5-qtbase-odbc-5.9.7-4.el7.s390.rpm qt5-qtbase-odbc-5.9.7-4.el7.s390x.rpm qt5-qtbase-postgresql-5.9.7-4.el7.s390.rpm qt5-qtbase-postgresql-5.9.7-4.el7.s390x.rpm x86_64: qt5-qtbase-5.9.7-4.el7.i686.rpm qt5-qtbase-5.9.7-4.el7.x86_64.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.i686.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.x86_64.rpm qt5-qtbase-devel-5.9.7-4.el7.i686.rpm qt5-qtbase-devel-5.9.7-4.el7.x86_64.rpm qt5-qtbase-gui-5.9.7-4.el7.i686.rpm qt5-qtbase-gui-5.9.7-4.el7.x86_64.rpm qt5-qtbase-mysql-5.9.7-4.el7.i686.rpm qt5-qtbase-mysql-5.9.7-4.el7.x86_64.rpm qt5-qtbase-odbc-5.9.7-4.el7.i686.rpm qt5-qtbase-odbc-5.9.7-4.el7.x86_64.rpm qt5-qtbase-postgresql-5.9.7-4.el7.i686.rpm qt5-qtbase-postgresql-5.9.7-4.el7.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: qt5-qtbase-debuginfo-5.9.7-4.el7.ppc.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.ppc64.rpm qt5-qtbase-doc-5.9.7-4.el7.ppc64.rpm qt5-qtbase-examples-5.9.7-4.el7.ppc64.rpm qt5-qtbase-static-5.9.7-4.el7.ppc.rpm qt5-qtbase-static-5.9.7-4.el7.ppc64.rpm ppc64le: qt5-qtbase-debuginfo-5.9.7-4.el7.ppc64le.rpm qt5-qtbase-doc-5.9.7-4.el7.ppc64le.rpm qt5-qtbase-examples-5.9.7-4.el7.ppc64le.rpm qt5-qtbase-static-5.9.7-4.el7.ppc64le.rpm s390x: qt5-qtbase-debuginfo-5.9.7-4.el7.s390.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.s390x.rpm qt5-qtbase-doc-5.9.7-4.el7.s390x.rpm qt5-qtbase-examples-5.9.7-4.el7.s390x.rpm qt5-qtbase-static-5.9.7-4.el7.s390.rpm qt5-qtbase-static-5.9.7-4.el7.s390x.rpm x86_64: qt5-qtbase-debuginfo-5.9.7-4.el7.i686.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.x86_64.rpm qt5-qtbase-doc-5.9.7-4.el7.x86_64.rpm qt5-qtbase-examples-5.9.7-4.el7.x86_64.rpm qt5-qtbase-static-5.9.7-4.el7.i686.rpm qt5-qtbase-static-5.9.7-4.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: qt5-qtbase-5.9.7-4.el7.src.rpm noarch: qt5-qtbase-common-5.9.7-4.el7.noarch.rpm qt5-rpm-macros-5.9.7-4.el7.noarch.rpm x86_64: qt5-qtbase-5.9.7-4.el7.i686.rpm qt5-qtbase-5.9.7-4.el7.x86_64.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.i686.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.x86_64.rpm qt5-qtbase-devel-5.9.7-4.el7.i686.rpm qt5-qtbase-devel-5.9.7-4.el7.x86_64.rpm qt5-qtbase-gui-5.9.7-4.el7.i686.rpm qt5-qtbase-gui-5.9.7-4.el7.x86_64.rpm qt5-qtbase-mysql-5.9.7-4.el7.i686.rpm qt5-qtbase-mysql-5.9.7-4.el7.x86_64.rpm qt5-qtbase-odbc-5.9.7-4.el7.i686.rpm qt5-qtbase-odbc-5.9.7-4.el7.x86_64.rpm qt5-qtbase-postgresql-5.9.7-4.el7.i686.rpm qt5-qtbase-postgresql-5.9.7-4.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v.7): x86_64: qt5-qtbase-debuginfo-5.9.7-4.el7.i686.rpm qt5-qtbase-debuginfo-5.9.7-4.el7.x86_64.rpm qt5-qtbase-doc-5.9.7-4.el7.x86_64.rpm qt5-qtbase-examples-5.9.7-4.el7.x86_64.rpm qt5-qtbase-static-5.9.7-4.el7.i686.rpm qt5-qtbase-static-5.9.7-4.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-0569 https://access.redhat.com/security/cve/CVE-2020-0570 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX3OimdzjgjWX9erEAQgcAg/9HrYEzEm1xtXfVsSR7Ya6tPOu1zK9VtFw XvSopMHtyGDWPbN4PogOkcQ7fVIyUPHjEW3X78FuifYVpRAuZ8FZaTuDHgC7/HwA vUDqjtw8xSqZCNOyTKHwRnw5RmdllncUmkaYWm4BDLf8B6tcdL+CufpIvs+Oedt7 NGDWTvq7wHE/EhBuBd8Gr98TfUS5+9/BeQTQCc+swAeyfNdeGztcwLuZ12NCOuV/ URx9Ny9GbPnddGN3kyPV1d8Tc8RXDZNgkZrvTqQeKWKUD9VE1Gfxtph/2HOR6cjN dXydUrBdcil+1F1fKp2vYMmEm3NDeXAKCtI2E2h5iBXZ8ThJ2j6C6jGaQBiIDzxH PZT0LHaBPrQtNMbwzU8GP0Nbg96EBeKqtbIWPKTsFJuz+QNCOPj7nxewsRnPUCAJ 6XikZI966HXtpoqD9nVQY0EyUmjfqktG+bgMYpyV7rAWd/dbuqqPpPltn2kBwfBb +HlyZVa+Q3qocV0nUYJtLmbK25G6BoACJ3xA6Qvz30hWZwsu9JUdxjaYOy9gnC17 UnxS3J3+PfFLMv2xoBjwnJlbuUsJJRAKB/0YPwro6WMIj88dz7r4jUGa3+GdCI/2 wxd8rKV5jLn8+2ffGDpOQ+MrbNuV48s0RNLz/zi3DIPF0x5xzlIEdaOISaHEfMOD DFXQ3loC/vk=hKRk -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Sep 29, 2020
Red Hat
203
security advisorysoftware updatemalicious code executionMageia 7: 2020-0080 Critical: Qtbase5 Malicious Code Threat
Updated qtbase5 packages fix security vulnerabilities: QPluginLoader in Qt versions 5.0.0 through 5.13.2 would search for certain plugins first on the current working directory of the application, which allows an attacker that can place files in the file system and influence . MGASA-2020-0080 - Updated qtbase5 packages fix security vulnerabilities Publication date: 09 Feb 2020 URL: https://advisories.mageia.org/MGASA-2020-0080.html Type: security Affected Mageia releases: 7 CVE: CVE-2020-0569, CVE-2020-0570 Updated qtbase5 packages fix security vulnerabilities: QPluginLoader in Qt versions 5.0.0 through 5.13.2 would search for certain plugins first on the current working directory of the application, which allows an attacker that can place files in the file system and influence the working directory of Qt-based applications to load and execute malicious code (CVE-2020-0569). QLibrary in Qt versions 5.12.0 through 5.14.0, on certain x86 machines, would search for certain libraries and plugins relative to current working directory of the application, which allows an attacker that can place files in the file system and influence the working directory of Qt-based applications to load and execute malicious code (CVE-2020-0570). Also, a file conflict that caused issues when upgrading from Mageia 6 has been fixed (mga#25418) References: - https://bugs.mageia.org/show_bug.cgi?id=26153 - https://bugs.mageia.org/show_bug.cgi?id=25418 - https://www.openwall.com/lists/oss-security/2020/01/30/1 - https://www.cve.org/CVERecord?id=CVE-2020-0569 - https://www.cve.org/CVERecord?id=CVE-2020-0570 SRPMS: - 7/core/qtbase5-5.12.6-2.mga7 . New qtbase5 versions fix significant security flaws in Mageia. Urgency of prompt updates cannot be overstated. Keep your system secure!. qtbase5 security, Mageia update, code execution risk, application vulnerabilities. . Severity: Critical. LinuxSecurity.com Team
Feb 09, 2020
•Critical
Mageia
172
security advisorydenial of serviceUbuntuUbuntu 19.04 LTS: USN-3991-1 Moderate: Firefox Denial Of Service
Firefox could be made to crash or run programs as your login if it opened a malicious website.. =========================================================================Ubuntu Security Notice USN-3991-1 May 21, 2019 firefox vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 19.04 - Ubuntu 18.10 - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Firefox could be made to crash or run programs as your login if it opened a malicious website. Software Description: - firefox: Mozilla Open Source web browser Details: Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the browser UI, trick the user in to launching local executable binaries, obtain sensitive information, conduct cross-site scripting (XSS) attacks, or execute arbitrary code. (CVE-2019-11691, CVE-2019-11692, CVE-2019-11693, CVE-2019-11695, CVE-2019-11696, CVE-2019-11699, CVE-2019-11701, CVE-2019-7317, CVE-2019-9800, CVE-2019-9814, CVE-2019-9817, CVE-2019-9819, CVE-2019-9820, CVE-2019-9821) It was discovered that pressing certain key combinations could bypass addon installation prompt delays. If a user opened a specially crafted website, an attacker could potentially exploit this to trick them in to installing a malicious extension. (CVE-2019-11697) It was discovered that history data could be exposed via drag and drop of hyperlinks to and from bookmarks. If a user were tricked in to dragging a specially crafted hyperlink to the bookmark toolbar or sidebar, and subsequently back in to the web content area, an attacker could potentially exploit this to obtain sensitive information. (CVE-2019-11698) A type confusion bug was discovered with object groups and UnboxedObjects. If a user were tricked in to opening a specially crafted websiteafter enabling the UnboxedObjects feature, an attacker could potentially exploit this to bypass security checks. (CVE-2019-9816) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 19.04: firefox 67.0+build2-0ubuntu0.19.04.1 Ubuntu 18.10: firefox 67.0+build2-0ubuntu0.18.10.1 Ubuntu 18.04 LTS: firefox 67.0+build2-0ubuntu0.18.04.1 Ubuntu 16.04 LTS: firefox 67.0+build2-0ubuntu0.16.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-3991-1 CVE-2019-11691, CVE-2019-11692, CVE-2019-11693, CVE-2019-11695, CVE-2019-11696, CVE-2019-11697, CVE-2019-11698, CVE-2019-11699, CVE-2019-11701, CVE-2019-7317, CVE-2019-9800, CVE-2019-9814, CVE-2019-9816, CVE-2019-9817, CVE-2019-9819, CVE-2019-9820, CVE-2019-9821 Package Information: https://launchpad.net/ubuntu/+source/firefox/67.0+build2-0ubuntu0.19.04.1 https://launchpad.net/ubuntu/+source/firefox/67.0+build2-0ubuntu0.18.10.1 https://launchpad.net/ubuntu/+source/firefox/67.0+build2-0ubuntu0.18.04.1 https://launchpad.net/ubuntu/+source/firefox/67.0+build2-0ubuntu0.16.04.1 . Numerous security flaws present in Firefox on Ubuntu may result in system crashes or allow rogue applications to run through harmful websites.. Mozilla Firefox Vulnerabilities, Ubuntu Security Notice, Firefox Updates. . Severity: Important. LinuxSecurity.com Team
May 21, 2019
•Important
Ubuntu
202
security advisorymemory overwriteimportant updateopenSUSE Leap 42.3: 2018:4287-1 Important Netatalk Arbitrary Code Risk
An update that fixes one vulnerability is now available.. openSUSE Security Update: Security update for netatalk ______________________________________________________________________________ Announcement ID: openSUSE-SU-2018:4287-1 Rating: important References: #1119540 Cross-References: CVE-2018-1160 Affected Products: openSUSE Leap 42.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for netatalk fixes the following issues: Security issue fixed: - CVE-2018-1160 Fixed a missing bounds check in the handling of the DSI OPEN SESSION request, which allowed an unauthenticated to overwrite memory with data of their choice leading for arbitrary code execution with root privileges. (bsc#1119540) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 42.3: zypper in -t patch openSUSE-2018-1614=1 Package List: - openSUSE Leap 42.3 (i586 x86_64): libatalk16-3.1.7-8.3.1 libatalk16-debuginfo-3.1.7-8.3.1 netatalk-3.1.7-8.3.1 netatalk-debuginfo-3.1.7-8.3.1 netatalk-debugsource-3.1.7-8.3.1 netatalk-devel-3.1.7-8.3.1 References: https://www.suse.com/security/cve/CVE-2018-1160.html https://bugzilla.suse.com/1119540 -- . A significant patch for samba addresses a severe vulnerability that permits unauthorized command execution on Fedora 31.. openSUSE Security, Netatalk Patch, Arbitrary Code Execution. . Severity: Important. LinuxSecurity.com Team
Dec 28, 2018
•Important
OpenSUSE
200
security advisoryimportant advisorymalicious code executionScientific Linux: SLSA-2014:1870-1 Important: libXfont Security Flaws
Important: libXfont security update. Date: Tue, 18 Nov 2014 20:43:56 +0000 Reply-To: scientific-linux-users@ Sender: Security Errata for Scientific Linux From: Pat Riehecky Subject: Security ERRATA Important: libXfont on SL6.x, SL7.x i386/srpm/x86_64 MIME-Version: 1.0 Synopsis: Important: libXfont security update Advisory ID: SLSA-2014:1870-1 Issue Date: 2014-11-18 CVE Numbers: CVE-2014-0211 CVE-2014-0210 CVE-2014-0209 -- A use-after-free flaw was found in the way libXfont processed certain font files when attempting to add a new directory to the font path. A malicious, local user could exploit this issue to potentially execute arbitrary code with the privileges of the X.Org server. (CVE-2014-0209) Multiple out-of-bounds write flaws were found in the way libXfont parsed replies received from an X.org font server. A malicious X.org server could cause an X client to crash or, possibly, execute arbitrary code with the privileges of the X.Org server. (CVE-2014-0210, CVE-2014-0211) All running X.Org server instances must be restarted for the update to take effect. -- SL6 x86_64 libXfont-devel-1.4.5-4.el6_6.x86_64.rpm libXfont-devel-1.4.5-4.el6_6.i686.rpm libXfont-1.4.5-4.el6_6.i686.rpm libXfont-1.4.5-4.el6_6.x86_64.rpm libXfont-debuginfo-1.4.5-4.el6_6.x86_64.rpm libXfont-debuginfo-1.4.5-4.el6_6.i686.rpm srpm libXfont-1.4.5-4.el6_6.src.rpm i386 libXfont-devel-1.4.5-4.el6_6.i686.rpm libXfont-1.4.5-4.el6_6.i686.rpm libXfont-debuginfo-1.4.5-4.el6_6.i686.rpm noarch libXfont-debuginfo-1.4.5-4.el6_6.i686.rpm libXfont-debuginfo-1.4.5-4.el6_6.x86_64.rpm SL7 x86_64 libXfont-devel-1.4.7-2.el7_0.i686.rpm libXfont-1.4.7-2.el7_0.x86_64.rpm libXfont-devel-1.4.7-2.el7_0.x86_64.rpm libXfont-1.4.7-2.el7_0.i686.rpm libXfont-debuginfo-1.4.7-2.el7_0.i686.rpm libXfont-debuginfo-1.4.7-2.el7_0.x86_64.rpm srpm libXfont-1.4.7-2.el7_0.src.rpm noarch libXfont-debuginfo-1.4.7-2.el7_0.i686.rpm libXfont-debuginfo-1.4.7-2.el7_0.x86_64.rpm - Scientific Linux Development Team . Crucial notificationregarding vulnerabilities in libXfont for users of Scientific Linux, highlighting critical exploit threats along with recommended patches.. libXfont Update, Security Fixes, Scientific Linux, Code Execution, Security Advisory. . Severity: Important. LinuxSecurity.com Team
Nov 18, 2014
•Important
Scientific Linux
200
security advisorymemory corruptionimportantSciLinux: SLSA-2014:0407-1 Important: java-1.7.0-openjdk Memory Corruption
Important: java-1.7.0-openjdk security update. Date: Wed, 16 Apr 2014 15:34:19 +0000 Reply-To: scientific-linux-users@ Sender: Security Errata for Scientific Linux From: Pat Riehecky Subject: Security ERRATA Important: java-1.7.0-openjdk on SL5.x i386/x86_64 MIME-Version: 1.0 Synopsis: Important: java-1.7.0-openjdk security update Advisory ID: SLSA-2014:0407-1 Issue Date: 2014-04-16 CVE Numbers: CVE-2014-1876 CVE-2014-2398 CVE-2014-0453 CVE-2014-0429 CVE-2014-0457 CVE-2014-0456 CVE-2014-2421 CVE-2014-2397 CVE-2014-0455 CVE-2014-0461 CVE-2014-2412 CVE-2014-0451 CVE-2014-0458 CVE-2014-2414 CVE-2014-2423 CVE-2014-0452 CVE-2014-2402 CVE-2014-0446 CVE-2014-0454 CVE-2014-2427 CVE-2014-0460 CVE-2014-2403 CVE-2014-0459 CVE-2014-2413 -- An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429) Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421) Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0455, CVE-2014-0461) Multiple improper permission check issues were discovered in the AWT, JAX- WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402, CVE-2014-0446,CVE-2014-2413, CVE-2014-0454, CVE-2014-2427, CVE-2014-0459) Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460) It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403) It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453) It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398) An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876) All running instances of OpenJDK Java must be restarted for the update to take effect. -- SL5 x86_64 java-1.7.0-openjdk-1.7.0.55-2.4.7.1.el5_10.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.55-2.4.7.1.el5_10.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.55-2.4.7.1.el5_10.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.55-2.4.7.1.el5_10.x86_64.rpm java-1.7.0-openjdk-javadoc-1.7.0.55-2.4.7.1.el5_10.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.55-2.4.7.1.el5_10.x86_64.rpm i386 java-1.7.0-openjdk-1.7.0.55-2.4.7.1.el5_10.i386.rpm java-1.7.0-openjdk-debuginfo-1.7.0.55-2.4.7.1.el5_10.i386.rpm java-1.7.0-openjdk-demo-1.7.0.55-2.4.7.1.el5_10.i386.rpm java-1.7.0-openjdk-devel-1.7.0.55-2.4.7.1.el5_10.i386.rpm java-1.7.0-openjdk-javadoc-1.7.0.55-2.4.7.1.el5_10.i386.rpm java-1.7.0-openjdk-src-1.7.0.55-2.4.7.1.el5_10.i386.rpm - Scientific Linux Development Team . A critical enhancement for java-1.7.0-openjdk in SL5.x is now available to mitigate possible security vulnerabilities and thwart unauthorized code execution.. Important Update, Java Security, SL5 Advisory, Memory Corruption, Java Threats. . Severity: Important. LinuxSecurity.com Team
Apr 16, 2014
•Important
Scientific Linux
172
security advisorymemory corruptionUbuntuUbuntu 12.04 LTS: USN-1608-1 Moderate: Firefox Memory Corruption
Several security issues were fixed in Firefox.. =========================================================================Ubuntu Security Notice USN-1608-1 October 11, 2012 firefox vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.04 LTS - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.04 LTS Summary: Several security issues were fixed in Firefox. Software Description: - firefox: Mozilla Open Source web browser Details: It was discovered that the browser engine used in Firefox contained a memory corruption flaw. If a user were tricked into opening a specially crafted web page, a remote attacker could cause Firefox to crash or potentially execute arbitrary code as the user invoking the program. (CVE-2012-4191) It was discovered that Firefox allowed improper access to the Location object. An attacker could exploit this to obtain sensitive information. (CVE-2012-4192) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.04 LTS: firefox 16.0.1+build1-0ubuntu0.12.04.1 Ubuntu 11.10: firefox 16.0.1+build1-0ubuntu0.11.10.1 Ubuntu 11.04: firefox 16.0.1+build1-0ubuntu0.11.04.1 Ubuntu 10.04 LTS: firefox 16.0.1+build1-0ubuntu0.10.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-1608-1 CVE-2012-4191, CVE-2012-4192, https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1065285 Package Information: https://launchpad.net/ubuntu/+source/firefox/16.0.1+build1-0ubuntu0.12.04.1 https://launchpad.net/ubuntu/+source/firefox/16.0.1+build1-0ubuntu0.11.10.1 https://launchpad.net/ubuntu/+source/firefox/16.0.1+build1-0ubuntu0.11.04.1 https://launchpad.net/ubuntu/+source/firefox/16.0.1+build1-0ubuntu0.10.04.1 . Ubuntu Security Notice USN-1608-1 warns of critical Firefox vulnerabilities as of October 11, 2012, urging users to update for protection against exploits.. Firefox Issues, Ubuntu Security, Memory Corruption Bug. . Severity: Important. LinuxSecurity.com Team
Oct 11, 2012
•Important
Ubuntu
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!