Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 527
Alerts This Week
Warning Icon 1 527

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found 1 articles for you...
100

SUSE: 2024:1079-2 Important: Netty, Netty-Tcnative Out Of Memory Fix

* bsc#1222045 Cross-References: * CVE-2024-29025 . # Security update for netty, netty-tcnative Announcement ID: SUSE-SU-2024:1079-2 Rating: important References: * bsc#1222045 Cross-References: * CVE-2024-29025 CVSS scores: * CVE-2024-29025 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: * Development Tools Module 15-SP6 * openSUSE Leap 15.6 * SUSE Linux Enterprise Desktop 15 SP6 * SUSE Linux Enterprise Real Time 15 SP6 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 * SUSE Package Hub 15 15-SP6 An update that solves one vulnerability can now be installed. ## Description: This update for netty, netty-tcnative fixes the following issues: * CVE-2024-29025: Fixed out of memory due to large number of form fields (bsc#1222045). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2024-1079=1 * Development Tools Module 15-SP6 zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2024-1079=1 * SUSE Package Hub 15 15-SP6 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-1079=1 ## Package List: * openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64) * netty-4.1.108-150200.4.23.1 * netty-tcnative-2.0.65-150200.3.19.1 * openSUSE Leap 15.6 (noarch) * netty-poms-4.1.108-150200.4.23.1 * netty-javadoc-4.1.108-150200.4.23.1 * netty-tcnative-javadoc-2.0.65-150200.3.19.1 * Development Tools Module 15-SP6 (aarch64 ppc64le s390x x86_64) * netty-tcnative-2.0.65-150200.3.19.1 * SUSE Package Hub 15 15-SP6 (aarch64 ppc64le s390x x86_64) * netty-4.1.108-150200.4.23.1 * SUSE Package Hub 15 15-SP6 (noarch) * netty-poms-4.1.108-150200.4.23.1 * netty-javadoc-4.1.108-150200.4.23.1 ## References: * https://www.suse.com/security/cve/CVE-2024-29025.html * https://bugzilla.suse.com/show_bug.cgi?id=1222045 . Important patch for netty and netty-tcnative resolves memory overflow problems on SUSE platforms. Implement these updates immediately!. SUSE Security Update, Netty Advisory, Netty-Tcnative Patch, SUSE Important Update. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Aug 19, 2024 Important SuSE
100

SUSE: 2024:2313-1 Critical Update: Netty3 Memory Leak Resolution

* bsc#1222045 Cross-References: * CVE-2024-29025 . # Security update for netty3 Announcement ID: SUSE-SU-2024:2313-1 Rating: important References: * bsc#1222045 Cross-References: * CVE-2024-29025 CVSS scores: * CVE-2024-29025 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: * Development Tools Module 15-SP5 * Development Tools Module 15-SP6 * openSUSE Leap 15.5 * openSUSE Leap 15.6 * SUSE Enterprise Storage 7.1 * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise Desktop 15 SP6 * SUSE Linux Enterprise High Performance Computing 15 SP2 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 * SUSE Linux Enterprise High Performance Computing 15 SP3 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Real Time 15 SP6 * SUSE Linux Enterprise Server 15 SP2 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 * SUSE Linux Enterprise Server 15 SP3 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 An update that solves one vulnerability can now be installed. ## Description: This update for netty3 fixes the following issues: * CVE-2024-29025: FixedHttpPostRequestDecoder can out of memory due to large number of form fields (bsc#1222045). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2024-2313=1 * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2024-2313=1 * Development Tools Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-2313=1 * Development Tools Module 15-SP6 zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP6-2024-2313=1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-2313=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-2313=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-2313=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-2313=1 * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-2313=1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-2313=1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-2313=1 * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-2313=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-2313=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-2313=1 * SUSE Linux Enterprise Server for SAPApplications 15 SP4 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-2313=1 * SUSE Enterprise Storage 7.1 zypper in -t patch SUSE-Storage-7.1-2024-2313=1 ## Package List: * openSUSE Leap 15.5 (noarch) * netty3-3.10.6-150200.3.10.1 * netty3-javadoc-3.10.6-150200.3.10.1 * openSUSE Leap 15.6 (noarch) * netty3-3.10.6-150200.3.10.1 * netty3-javadoc-3.10.6-150200.3.10.1 * Development Tools Module 15-SP5 (noarch) * netty3-3.10.6-150200.3.10.1 * Development Tools Module 15-SP6 (noarch) * netty3-3.10.6-150200.3.10.1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch) * netty3-3.10.6-150200.3.10.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch) * netty3-3.10.6-150200.3.10.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch) * netty3-3.10.6-150200.3.10.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch) * netty3-3.10.6-150200.3.10.1 * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (noarch) * netty3-3.10.6-150200.3.10.1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch) * netty3-3.10.6-150200.3.10.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch) * netty3-3.10.6-150200.3.10.1 * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (noarch) * netty3-3.10.6-150200.3.10.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch) * netty3-3.10.6-150200.3.10.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch) * netty3-3.10.6-150200.3.10.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch) * netty3-3.10.6-150200.3.10.1 * SUSE Enterprise Storage 7.1 (noarch) * netty3-3.10.6-150200.3.10.1 ## References: * https://www.suse.com/security/cve/CVE-2024-29025.html * https://bugzilla.suse.com/show_bug.cgi?id=1222045 . Dive into the SUSE Netty3 enhancement and critical vulnerability patch related to CVE-2024-29025. It's essential to maintain thesecurity of your system!. SUSE Netty3 Update, Security Advisory, CVE-2024-29025, Software Patch, OpenSUSE Security. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jul 08, 2024 Important SuSE
98

Red Hat: RHSA-2023-5441-01 Moderate: Security Update for Camel

Red Hat Integration Camel for Spring Boot 4.0.0 release and security update is now available. Red Hat Product Security has rated this update as having an impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat Integration Camel for Spring Boot 4.0.0 release and security update Advisory ID: RHSA-2023:5441-01 Product: Red Hat Integration Advisory URL: https://access.redhat.com/errata/RHSA-2023:5441 Issue date: 2023-10-04 CVE Names: CVE-2022-44729 CVE-2022-44730 CVE-2022-46751 CVE-2023-26048 CVE-2023-26049 CVE-2023-33008 CVE-2023-34462 CVE-2023-40167 ===================================================================== 1. Summary: Red Hat Integration Camel for Spring Boot 4.0.0 release and security update is now available. Red Hat Product Security has rated this update as having an impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Integration Camel for Spring Boot 4.0.0 is now available. The purpose of this text-only errata is to inform you about the security issues fixed. * batik: Server-Side Request Forgery vulnerability (CVE-2022-44729) * batik: Server-Side Request Forgery vulnerability (CVE-2022-44730) * apache-ivy: XML External Entity vulnerability (CVE-2022-46751) * jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048) * jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049) * apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale (CVE-2023-33008) * netty: io.netty:netty-handler:SniHandler 16MB allocation (CVE-2023-34462) * jetty-http: jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 2216888 - CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM 2221135 - CVE-2023-33008 apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale 2233112 - CVE-2022-46751 apache-ivy: XML External Entity vulnerability 2233889 - CVE-2022-44729 batik: Server-Side Request Forgery vulnerability 2233899 - CVE-2022-44730 batik: Server-Side Request Forgery vulnerability 2236340 - CVE-2023-26048 jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() 2236341 - CVE-2023-26049 jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies 2239634 - CVE-2023-40167 jetty: Improper validation of HTTP/1 content-length 5. References: https://access.redhat.com/security/cve/CVE-2022-44729 https://access.redhat.com/security/cve/CVE-2022-44730 https://access.redhat.com/security/cve/CVE-2022-46751 https://access.redhat.com/security/cve/CVE-2023-26048 https://access.redhat.com/security/cve/CVE-2023-26049 https://access.redhat.com/security/cve/CVE-2023-33008 https://access.redhat.com/security/cve/CVE-2023-34462 https://access.redhat.com/security/cve/CVE-2023-40167 https://access.redhat.com/security/updates/classification#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q4 6. Contact: The Red Hatsecurity contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJlHYSlAAoJENzjgjWX9erEY5sP/2dMIE7R17o8VqlZdqqId2PD m7WiE/9WiEgtKr7540nykn3dMB8wt5IrAan7UhCQ60S2Q+xtlXKRsTxKWxmOtp/F cyOUufeXQsnl0hF68sBrTKgUKYzmOnsUSQXOnF8Hq9jgRPcDhq288F3T60cJZk3o mkibHlqe+1Gbr7rzeDtmdCiqDhlWSoTRgy9Q1xGVubica8sXhelc430Fm11pLms1 CzY6VXxD6t1WRnJ7k//pPVguqGsZytLBPlLclsFXa9CG4fNaN/m2jCncLEuaOZxN K5Ap6IGTqUow2dzY4N4k0v6V24srZtSFt+dFknwrjSaUeEl0p8H6wl11UJrW3DL5 1IizSST8NXrd783a1pqNTKD5iwgJ/94jpm673kzDxDZCoueFbc1ER/YOtQg5bCAd nzdormAVtnOBIzwVUi4l0l5bk0BMtfD0E8xHZeN502DJfAABZH27D3r7LnOgyXkj MjoMmMRtAl4xKeH3GlM1fyIYu3jHSsrId9ykTEZwvlegtFIKSTUF0/Znz7pSfO/w eMIvqinTX/rZ6Wjy4ENntMFvpFDkTastJLrsKmeSm+/mV44l9v76m/Oylsro/ui2 b9IuKcyJW2WGEosT++VUpgMrdJ8BWhBfirGpa1rh4fRQDh4NlB7VjiXwccHbEH2A lVwPfcWEn2MqKPtlx/vU =0Oie -----END PGP SIGNATURE----- -- RHSA-announce mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. . Apache Camel for Spring Boot 4.0.0 security patch resolves several vulnerabilities classified as Moderate.. Red Hat Integration,Spring Boot Release,Security Update,Integration Security Fix. . LinuxSecurity.com Team

Calendar%202 Oct 04, 2023 Red Hat
100

SUSE Linux Enterprise 15-SP4: 2022:2619-1 Moderate: gimp Memory Issue

An update that fixes one vulnerability is now available. . SUSE Security Update: Security update for gimp ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:2619-1 Rating: moderate References: #1199653 Cross-References: CVE-2022-30067 CVSS scores: CVE-2022-30067 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2022-30067 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Affected Products: SUSE Linux Enterprise Desktop 15-SP4 SUSE Linux Enterprise High Performance Computing 15-SP4 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 SUSE Linux Enterprise Server 15-SP4 SUSE Linux Enterprise Server for SAP Applications 15-SP4 SUSE Linux Enterprise Workstation Extension 15-SP4 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3 openSUSE Leap 15.4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for gimp fixes the following issues: - CVE_2022-30067: Fixed an out of memory when reading. (bsc#1199653) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.4: zypper in -t patch openSUSE-SLE-15.4-2022-2619=1 - SUSE Linux Enterprise Workstation Extension 15-SP4: zypper in -t patch SUSE-SLE-Product-WE-15-SP4-2022-2619=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-2619=1 Package List: - openSUSE Leap15.4 (aarch64 ppc64le s390x x86_64): gimp-2.10.30-150400.3.3.1 gimp-debuginfo-2.10.30-150400.3.3.1 gimp-debugsource-2.10.30-150400.3.3.1 gimp-devel-2.10.30-150400.3.3.1 gimp-devel-debuginfo-2.10.30-150400.3.3.1 gimp-plugin-aa-2.10.30-150400.3.3.1 gimp-plugin-aa-debuginfo-2.10.30-150400.3.3.1 libgimp-2_0-0-2.10.30-150400.3.3.1 libgimp-2_0-0-debuginfo-2.10.30-150400.3.3.1 libgimpui-2_0-0-2.10.30-150400.3.3.1 libgimpui-2_0-0-debuginfo-2.10.30-150400.3.3.1 - openSUSE Leap 15.4 (x86_64): libgimp-2_0-0-32bit-2.10.30-150400.3.3.1 libgimp-2_0-0-32bit-debuginfo-2.10.30-150400.3.3.1 libgimpui-2_0-0-32bit-2.10.30-150400.3.3.1 libgimpui-2_0-0-32bit-debuginfo-2.10.30-150400.3.3.1 - openSUSE Leap 15.4 (noarch): gimp-lang-2.10.30-150400.3.3.1 - SUSE Linux Enterprise Workstation Extension 15-SP4 (x86_64): gimp-2.10.30-150400.3.3.1 gimp-debuginfo-2.10.30-150400.3.3.1 gimp-debugsource-2.10.30-150400.3.3.1 gimp-devel-2.10.30-150400.3.3.1 gimp-devel-debuginfo-2.10.30-150400.3.3.1 libgimp-2_0-0-2.10.30-150400.3.3.1 libgimp-2_0-0-debuginfo-2.10.30-150400.3.3.1 libgimpui-2_0-0-2.10.30-150400.3.3.1 libgimpui-2_0-0-debuginfo-2.10.30-150400.3.3.1 - SUSE Linux Enterprise Workstation Extension 15-SP4 (noarch): gimp-lang-2.10.30-150400.3.3.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (aarch64 ppc64le s390x): gimp-debuginfo-2.10.30-150400.3.3.1 gimp-debugsource-2.10.30-150400.3.3.1 libgimp-2_0-0-2.10.30-150400.3.3.1 libgimp-2_0-0-debuginfo-2.10.30-150400.3.3.1 libgimpui-2_0-0-2.10.30-150400.3.3.1 libgimpui-2_0-0-debuginfo-2.10.30-150400.3.3.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (aarch64): gimp-2.10.30-150400.3.3.1 gimp-devel-2.10.30-150400.3.3.1 gimp-devel-debuginfo-2.10.30-150400.3.3.1 gimp-plugin-aa-2.10.30-150400.3.3.1 gimp-plugin-aa-debuginfo-2.10.30-150400.3.3.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (noarch): gimp-lang-2.10.30-150400.3.3.1 References: https://www.suse.com/security/cve/CVE-2022-30067.html https://bugzilla.suse.com/1199653 . A recent GIMP release rectifies a significant security concern in the SUSE operating system. Detailed setup guidelines are provided.. gimp Fix, SUSE Security Update, Software Patching. . LinuxSecurity.com Team

Calendar%202 Aug 01, 2022 SuSE
202

openSUSE Leap 15.2: 2021:0670-1 Important Integer Overflow Issue

An update that fixes 5 vulnerabilities is now available. . openSUSE Security Update: Security update for openexr ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:0670-1 Rating: important References: #1184353 #1184354 #1184355 #1185216 #1185217 Cross-References: CVE-2021-20296 CVE-2021-23215 CVE-2021-26260 CVE-2021-3477 CVE-2021-3479 CVSS scores: CVE-2021-20296 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-20296 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-23215 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-26260 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-3477 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-3477 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-3479 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2021-3479 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for openexr fixes the following issues: - CVE-2021-23215: Fixed an integer-overflow in Imf_2_5:DwaCompressor:initializeBuffers (bsc#1185216). - CVE-2021-26260: Fixed an Integer-overflow in Imf_2_5:DwaCompressor:initializeBuffers (bsc#1185217). - CVE-2021-20296: Fixed a Null Pointer dereference in Imf_2_5:hufUncompress (bsc#1184355). - CVE-2021-3477: Fixed a Heap-buffer-overflow in Imf_2_5::DeepTiledInputFile::readPixelSampleCounts (bsc#1184353). - CVE-2021-3479: Fixed an Out-of-memory caused by allocation of a very large buffer (bsc#1184354). Thisupdate was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-670=1 Package List: - openSUSE Leap 15.2 (i586 x86_64): libIlmImf-2_2-23-2.2.1-lp152.7.14.1 libIlmImf-2_2-23-debuginfo-2.2.1-lp152.7.14.1 libIlmImfUtil-2_2-23-2.2.1-lp152.7.14.1 libIlmImfUtil-2_2-23-debuginfo-2.2.1-lp152.7.14.1 openexr-2.2.1-lp152.7.14.1 openexr-debuginfo-2.2.1-lp152.7.14.1 openexr-debugsource-2.2.1-lp152.7.14.1 openexr-devel-2.2.1-lp152.7.14.1 openexr-doc-2.2.1-lp152.7.14.1 - openSUSE Leap 15.2 (x86_64): libIlmImf-2_2-23-32bit-2.2.1-lp152.7.14.1 libIlmImf-2_2-23-32bit-debuginfo-2.2.1-lp152.7.14.1 libIlmImfUtil-2_2-23-32bit-2.2.1-lp152.7.14.1 libIlmImfUtil-2_2-23-32bit-debuginfo-2.2.1-lp152.7.14.1 References: https://www.suse.com/security/cve/CVE-2021-20296.html https://www.suse.com/security/cve/CVE-2021-23215.html https://www.suse.com/security/cve/CVE-2021-26260.html https://www.suse.com/security/cve/CVE-2021-3477.html https://www.suse.com/security/cve/CVE-2021-3479.html https://bugzilla.suse.com/1184353 https://bugzilla.suse.com/1184354 https://bugzilla.suse.com/1184355 https://bugzilla.suse.com/1185216 https://bugzilla.suse.com/1185217 . A critical Fedora patch fixes 7 vulnerabilities in gimp, improving overall security resilience.. openSUSE Security Update, OpenEXR Patches, Integer Overflow Fix. . Severity: Important. LinuxSecurity.com Team

Calendar%202 May 05, 2021 Important OpenSUSE
197

Debian 9 Stretch DLA-2583-1 Critical: ActiveMQ Threats and Updates

Multiple security issues were discovered in activemq, a message broker built around Java Message Service. CVE-2017-15709 . - ------------------------------------------------------------------------- Debian LTS Advisory DLA-2583-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/lts/security/ Abhijith PA March 05, 2021 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : activemq Version : 5.14.3-3+deb9u2 CVE ID : CVE-2017-15709 CVE-2018-11775 CVE-2019-0222 CVE-2021-26117 Debian Bug : 890352 908950 982590 Multiple security issues were discovered in activemq, a message broker built around Java Message Service. CVE-2017-15709 When using the OpenWire protocol in activemq, it was found that certain system details (such as the OS and kernel version) are exposed as plain text. CVE-2018-11775 TLS hostname verification when using the Apache ActiveMQ Client was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default. CVE-2019-0222 Unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive CVE-2021-26117 The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. The anonymous context is used to verify a valid users password in error, resulting in no check on the password. For Debian 9 stretch, these problems have been fixed in version 5.14.3-3+deb9u2. We recommend that you upgrade your activemq packages. For the detailed security status of activemq please refer to its security tracker page at: https://security-tracker.debian.org/tracker/source-package/activemq Further information about Debian LTS security advisories, how to apply these updates to your system and frequentlyasked questions can be found at: https://wiki.debian.org/LTS . Enhance your ActiveMQ installations to resolve various security vulnerabilities highlighted in the recent Debian LTS notice DLA-2583-1.. ActiveMQ Security Update, Debian LTS Advisory, Critical Security Threats. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Mar 05, 2021 Critical Debian LTS
172

Ubuntu 20.04 LTS: USN-4596-1 Moderate: Tomcat Denial of Service

Several security issues were fixed in Tomcat.. =========================================================================Ubuntu Security Notice USN-4596-1 October 21, 2020 tomcat9 vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Tomcat. Software Description: - tomcat9: Apache Tomcat 9 - Servlet and JSP engine Details: It was discovered that Tomcat did not properly manage HTTP/2 streams. An attacker could possibly use this to cause Tomcat to consume resources, resulting in a denial of service. (CVE-2020-11996) It was discovered that Tomcat did not properly release the HTTP/1.1 processor after the upgrade to HTTP/2. An attacker could possibly use this to generate an OutOfMemoryException, resulting in a denial of service. (CVE-2020-13934) It was discovered that Tomcat did not properly validate the payload length in a WebSocket frame. An attacker could possibly use this to trigger an infinite loop, resulting in a denial of service. (CVE-2020-13935) It was discovered that Tomcat did not properly deserialize untrusted data. An attacker could possibly use this issue to execute arbitrary code. (CVE-2020-9484) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: libtomcat9-embed-java 9.0.31-1ubuntu0.1 libtomcat9-java 9.0.31-1ubuntu0.1 tomcat9 9.0.31-1ubuntu0.1 tomcat9-common 9.0.31-1ubuntu0.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-4596-1 CVE-2020-11996, CVE-2020-13934, CVE-2020-13935, CVE-2020-9484 Package Information: https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.1 . Several security flaws in Tomcat highlighted inUbuntu security advisory USN-4596-1, affecting operational stability.. Ubuntu Tomcat Vulnerabilities, Apache Tomcat Security, Ubuntu Security Notice. . LinuxSecurity.com Team

Calendar%202 Oct 21, 2020 Ubuntu
89

Fedora 30: FEDORA-2019-7bb07c3b02 Moderate: PHP RCE and Bug Fixes

**PHP version 7.3.11** (24 Oct 2019) **Core:** * Fixed bug php#78535 (auto_detect_line_endings value not parsed as bool). (bugreportuser) * Fixed bug php#78620 (Out of memory error). (cmb, Nikita) **Exif :** * Fixed bug php#78442 ('Illegal component' on exif_read_data since PHP7) (Kalle) **FPM:** * Fixed bug php#78599 (env_path_info underflow in fpm_main.c can lead to RCE).. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2019-7bb07c3b02 2019-11-03 00:10:34.337843 --------------------------------------------------------------------------------Name : php Product : Fedora 30 Version : 7.3.11 Release : 1.fc30 URL : https://www.php.net/ Summary : PHP scripting language for creating dynamic web sites Description : PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server. --------------------------------------------------------------------------------Update Information: **PHP version 7.3.11** (24 Oct 2019) **Core:** * Fixed bug php#78535 (auto_detect_line_endings value not parsed as bool). (bugreportuser) * Fixed bug php#78620 (Out of memory error). (cmb, Nikita) **Exif :** * Fixed bug php#78442 ('Illegal component' on exif_read_data since PHP7) (Kalle) **FPM:** * Fixed bug php#78599 (env_path_info underflow in fpm_main.c can lead to RCE). (**CVE-2019-11043**) (Jakub Zelenka) * Fixed bug php#78413 (request_terminate_timeout does not take effect after fastcgi_finish_request). (Sergei Turchanov) **MBString:** * Fixed bugphp#78579 (mb_decode_numericentity: args number inconsistency). (cmb) * Fixed bug php#78609 (mb_check_encoding() no longer supports stringable objects). (cmb) **MySQLi:** * Fixed bug php#76809 (SSL settings aren't respected when persistent connections are used). (fabiomsouto) **Mysqlnd:** * Fixed bug php#78525 (Memory leak in pdo when reusing native prepared statements). (Nikita) **PCRE:** * Fixed bug php#78272 (calling preg_match() before pcntl_fork() will freeze child process). (Nikita) **PDO_MySQL:** * Fixed bug php#78623 (Regression caused by "SP call yields additional empty result set"). (cmb) **Session:** * Fixed bug php#78624 (session_gc return value for user defined session handlers). (bshaffer) **Standard:** * Fixed bug php#76342 (file_get_contents waits twice specified timeout). (Thomas Calvet) * Fixed bug php#78612 (strtr leaks memory when integer keys are used and the subject string shorter). (Nikita) * Fixed bug php#76859 (stream_get_line skips data if used with data-generating filter). (kkopachev) **Zip:** * Fixed bug php#78641 (addGlob can modify given remove_path value). (cmb) --------------------------------------------------------------------------------ChangeLog: * Tue Oct 22 2019 Remi Collet - 7.3.11-1 - Update to 7.3.11 - https://www.php.net/releases/7_3_11.php * Tue Sep 24 2019 Remi Collet - 7.3.10-1 - Update to 7.3.10 - https://www.php.net/releases/7_3_10.php * Wed Aug 28 2019 Remi Collet - 7.3.9-1 - Update to 7.3.9 - https://www.php.net/releases/7_3_9.php * Tue Jul 30 2019 Remi Collet - 7.3.8-1 - Update to 7.3.8 - https://www.php.net/releases/7_3_8.php * Wed Jul 3 2019 Remi Collet - 7.3.7-2 - Update to 7.3.7 - https://www.php.net/releases/7_3_7.php * Tue May 28 2019 Remi Collet - 7.3.6-1 - Update to 7.3.6 - https://www.php.net/releases/7_3_6.php * Wed May 1 2019 Remi Collet - 7.3.5-1 - Update to 7.3.5 -https://www.php.net/releases/7_3_5.php --------------------------------------------------------------------------------References: [ 1 ] Bug #1766378 - CVE-2019-11043 php: underflow in env_path_info in fpm_main.c https://bugzilla.redhat.com/show_bug.cgi?id=1766378 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2019-7bb07c3b02' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./ . The latest security patch for Fedora 30 addresses critical vulnerabilities in PHP, particularly Remote Code Execution (RCE) risks. Explore the main fixes that have been applied. Fedora PHP Update, Core Fixes, PHP Security Update. . LinuxSecurity.com Team

Calendar%202 Nov 02, 2019 Fedora
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200