Explore Latest Linux Security advisories

Ubuntu 20.04 ESM: 5990-1 Critical: Musl DoS Risk Detected

==========================================================================
Ubuntu Security Notice USN-5990-1
March 31, 2023

musl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 ESM
- Ubuntu 18.04 ESM
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in musl.

Software Description:
- musl: standard C library

Details:

It was discovered that musl did not handle certain i386 math functions
properly. An attacker could use this vulnerability to cause a denial of
service (crash) or possibly execute arbitrary code. This issue only
affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 LTS.
(CVE-2019-14697)

It was discovered that musl did not handle wide-character conversion
properly. A remote attacker could use this vulnerability to cause
resource consumption (infinite loop), denial of service, or possibly
execute arbitrary code. This issue only affected Ubuntu 14.04 ESM,
Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2020-28928)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 ESM:
  musl       1.1.24-1ubuntu0.1~esm1
  musl-dev   1.1.24-1ubuntu0.1~esm1

Ubuntu 18.04 ESM:
  musl       1.1.19-1ubuntu0.1~esm1
  musl-dev   1.1.19-1ubuntu0.1~esm1

Ubuntu 16.04 ESM:
  musl       1.1.9-1ubuntu0.1~esm3
  musl-dev   1.1.9-1ubuntu0.1~esm3

Ubuntu 14.04 ESM:
  musl       0.9.15-1ubuntu0.1~esm2
  musl-dev   0.9.15-1ubuntu0.1~esm2

In general, a standard system update will make all the necessary changes.

References:
  CVE-2019-14697, CVE-2020-28928

Mar 31, 2023 | Critical | Ubuntu

Fedora 34: FEDORA-2021-0cf36f9134 Critical: musl Buffer Overflow

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-0cf36f9134
2021-06-08 01:06:15.794782
--------------------------------------------------------------------------------
Name        : musl
Product     : Fedora 34
Version     : 1.2.2
Release     : 1.fc34
URL         :
Summary     : Fully featured lightweight standard C library for Linux
Description :
musl is a C standard library to power a new generation of Linux-based
devices. It is lightweight, fast, simple, free, and strives to be correct
in the sense of standards conformance and safety.
--------------------------------------------------------------------------------
Update Information:

#### What's new for 1.2.2

The release adds the `_Fork` function from the upcoming edition of POSIX and
takes advantage of the interpretation dropping the async-signal-safety
requirement from `fork` to provide a consistent execution environment (not
restricted to calling only async-signal-safe functions) after a multithreaded
parent forks. This solves deadlocks which would otherwise be effectively
unfixable in some language runtimes that expose `fork` as part of their
contract with applications, as well as various library and application
software that could and should be fixed, but hasn't been. A number of related
issues in synchronization between `fork`, `abort`, async IO, `posix_spawn`,
`pthread_exit`, and other components have been fixed as part of this change.

The `realpath` function has been rewritten to do its own path traversal,
rather than depending on procfs magic symlink contents for `O_PATH` file
descriptors. This makes it work prior to mount of `/proc` and in container or
chroot environments where `/proc` contents may not accurately reflect the
pathname as visible to the calling process.

The C versions of the square root functions, used on archs without a native
FPU instruction for square root, have also been rewritten with significant
improvements to performance, especially on archs that lack FPU entirely. This
rewrite also fixes the lack of accurate `sqrtl` on archs with quad-precision
`long double`.

New functions added include the aforementioned `_Fork`, `reallocarray` from
OpenBSD, `gettid` along with `SIGEV_THREAD_ID` timer notification support, and
`tcgetwinsize`/`tcsetwinsize` from POSIX-future.

A buffer overflow (CVE-2020-28928) in `wcsnrtombs` has been fixed with the
function essentially rewritten. This function is not widely used and the bug
is not relevant to software that does not use it directly (it's not used by
other libc components), but it may be serious for software that does.

An assortment of lesser bugs have also been fixed.
--------------------------------------------------------------------------------
ChangeLog:

* Sun May 30 2021 Neal Gompa - 1.2.2-1
- Update to 1.2.2
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1900056 - CVE-2020-28928 musl: infinite loop in wcsnrtombs function [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1900056
  [ 2 ] Bug #1916568 - musl-1.2.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1916568
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-0cf36f9134' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

Jun 07, 2021 | Critical | Fedora

Fedora: 2021-4892dbbf76 Critical: Musl 1.2.2 Buffer Overflow Fix

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-4892dbbf76
2021-06-08 01:05:58.761448
--------------------------------------------------------------------------------
Name        : musl
Product     : Fedora 33
Version     : 1.2.2
Release     : 1.fc33
URL         :
Summary     : Fully featured lightweight standard C library for Linux
Description :
musl is a C standard library to power a new generation of Linux-based
devices. It is lightweight, fast, simple, free, and strives to be correct
in the sense of standards conformance and safety.
--------------------------------------------------------------------------------
Update Information:

#### What's new for 1.2.2

The release adds the `_Fork` function from the upcoming edition of POSIX and
takes advantage of the interpretation dropping the async-signal-safety
requirement from `fork` to provide a consistent execution environment (not
restricted to calling only async-signal-safe functions) after a multithreaded
parent forks. This solves deadlocks which would otherwise be effectively
unfixable in some language runtimes that expose `fork` as part of their
contract with applications, as well as various library and application
software that could and should be fixed, but hasn't been. A number of related
issues in synchronization between `fork`, `abort`, async IO, `posix_spawn`,
`pthread_exit`, and other components have been fixed as part of this change.

The `realpath` function has been rewritten to do its own path traversal,
rather than depending on procfs magic symlink contents for `O_PATH` file
descriptors. This makes it work prior to mount of `/proc` and in container or
chroot environments where `/proc` contents may not accurately reflect the
pathname as visible to the calling process.

The C versions of the square root functions, used on archs without a native
FPU instruction for square root, have also been rewritten with significant
improvements to performance, especially on archs that lack FPU entirely. This
rewrite also fixes the lack of accurate `sqrtl` on archs with quad-precision
`long double`.

New functions added include the aforementioned `_Fork`, `reallocarray` from
OpenBSD, `gettid` along with `SIGEV_THREAD_ID` timer notification support, and
`tcgetwinsize`/`tcsetwinsize` from POSIX-future.

A buffer overflow (CVE-2020-28928) in `wcsnrtombs` has been fixed with the
function essentially rewritten. This function is not widely used and the bug
is not relevant to software that does not use it directly (it's not used by
other libc components), but it may be serious for software that does.

An assortment of lesser bugs have also been fixed.
--------------------------------------------------------------------------------
ChangeLog:

* Sun May 30 2021 Neal Gompa - 1.2.2-1
- Update to 1.2.2
* Tue Jan 26 2021 Fedora Release Engineering - 1.2.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1900056 - CVE-2020-28928 musl: infinite loop in wcsnrtombs function [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1900056
  [ 2 ] Bug #1916568 - musl-1.2.2 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1916568
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-4892dbbf76' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------

Jun 07, 2021 | Critical | Fedora

Arch Linux: 202011-29 Medium: Musl Arbitrary Code Execution Risk

Arch Linux Security Advisory ASA-202011-29
==========================================

Severity: Medium
Date    : 2020-11-26
CVE-ID  : CVE-2020-28928
Package : musl
Type    : arbitrary code execution
Remote  : No
Link    : https://security.archlinux.org/AVG-1287

Summary
=======

The package musl before version 1.2.1-2 is vulnerable to arbitrary code
execution.

Resolution
==========

Upgrade to 1.2.1-2.

# pacman -Syu "musl>=1.2.1-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

The wcsnrtombs function in all musl libc versions up to 1.2.1 has been found
to have multiple bugs in the handling of the destination buffer size when
limiting the input character count, which can lead to an infinite loop with
no progress (no overflow) or to writing past the end of the destination
buffer.

Impact
======

An attacker might be able to execute arbitrary code via crafted input
content.

References
==========

https://bugs.archlinux.org/task/68685
https://www.openwall.com/lists/musl/2020/11/19/1
https://security.archlinux.org/CVE-2020-28928

Dec 05, 2020 | Medium | ArchLinux

Debian 9 Stretch DLA-2474-1 Moderate: Musl Infinite Loop Threat

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-2474-1
https://www.debian.org/lts/security/                       Utkarsh Gupta
December 01, 2020                             https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : musl
Version        : 1.1.16-3+deb9u1
CVE ID         : CVE-2020-28928
Debian Bug     : 975365

The wcsnrtombs function in all musl libc versions up through 1.2.1 has been
found to have multiple bugs in handling of destination buffer size when
limiting the input character count, which can lead to infinite loop with no
forward progress (no overflow) or writing past the end of the destination
buffers.

For Debian 9 stretch, this problem has been fixed in version
1.1.16-3+deb9u1.

We recommend that you upgrade your musl packages.

For the detailed security status of musl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/musl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Nov 30, 2020 | Debian LTS

Gentoo: GLSA-202003-13 Normal: musl Buffer Overflow Impact and Resolution

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202003-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: musl: Stack-based buffer overflow
      Date: March 14, 2020
      Bugs: #711276
        ID: 202003-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A stack-based buffer overflow in musl might allow an attacker to have an
application dependent impact.

Background
==========

musl is an implementation of the C standard library built on top of the
Linux system call API, including interfaces defined in the base language
standard, POSIX, and widely agreed-upon extensions.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  sys-libs/musl                < 1.1.24                  >= 1.1.24

Description
===========

A flaw in musl libc's arch-specific math assembly code for i386 was found
which can lead to x87 stack overflow in the execution of subsequent math
code.

Impact
======

Impact depends on how the application built against musl libc handles the
ABI-violating x87 state.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All musl users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-libs/musl-1.1.24"

References
==========

[ 1 ] CVE-2019-14697
      https://nvd.nist.gov/vuln/detail/CVE-2019-14697

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202003-13

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to the
Gentoo security team or, alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2020 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5/

Mar 14, 2020 | Gentoo

Gentoo: GLSA-201701-11 Normal: Musl Integer Overflow Risk

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201701-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: musl: Integer overflow
      Date: January 02, 2017
      Bugs: #597498
        ID: 201701-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An integer overflow in musl might allow an attacker to execute arbitrary
code.

Background
==========

musl is a "libc", an implementation of the standard library functionality
described in the ISO C and POSIX standards, plus common extensions,
intended for use on Linux-based systems.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  sys-libs/musl              < 1.1.15-r2               >= 1.1.15-r2

Description
===========

A vulnerability was discovered in musl's tre_tnfa_run_parallel function
buffer overflow logic, due to the incorrect use of integer types and
missing overflow checks.

Impact
======

An attacker, who controls the regular expression and/or string being
searched, could execute arbitrary code with the privileges of the
process.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All musl users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-libs/musl-1.1.15-r2"

References
==========

[ 1 ] CVE-2016-8859
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8859

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201701-11

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to the
Gentoo security team or, alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5/

Jan 02, 2017 | Gentoo