--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-6dab59bd47
2024-04-25 01:19:12.574803
--------------------------------------------------------------------------------

Name        : curl
Product     : Fedora 39
Version     : 8.2.1
Release     : 5.fc39
URL         : https://curl.se/
Summary     : A utility for getting files from remote servers (FTP, HTTP, and others)
Description :
curl is a command line tool for transferring data with URL syntax, supporting
FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP
uploading, HTTP form based upload, proxies, cookies, user+password
authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer
resume, proxy tunneling and a busload of other useful tricks.
--------------------------------------------------------------------------------
Update Information:

fix Usage of disabled protocol (CVE-2024-2004)
fix HTTP/2 push headers memory-leak (CVE-2024-2398)
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 3 2024 Jan Macku - 8.2.1-5
- fix Usage of disabled protocol (CVE-2024-2004)
- fix HTTP/2 push headers memory-leak (CVE-2024-2398)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2270498 - CVE-2024-2398 curl: HTTP/2 push headers memory-leak
        https://bugzilla.redhat.com/show_bug.cgi?id=2270498
  [ 2 ] Bug #2270500 - CVE-2024-2004 curl: Usage of disabled protocol
        https://bugzilla.redhat.com/show_bug.cgi?id=2270500
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-6dab59bd47' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
MGASA-2024-0099 - Updated curl packages fix security vulnerabilities

Publication date: 29 Mar 2024
URL: https://advisories.mageia.org/MGASA-2024-0099.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466

CVE-2024-2004: Usage of disabled protocol
If all protocols are disabled at run-time with none being added, curl/libcurl
would still allow communication with the default set of allowed protocols,
including some that are unencrypted.

CVE-2024-2398: HTTP/2 push headers memory-leak
A memory leak could occur when an application enabled HTTP/2 server push and
the server sent a large number of headers.

References:
- https://bugs.mageia.org/show_bug.cgi?id=33020
- https://curl.se/docs/CVE-2024-2004.html
- https://curl.se/docs/CVE-2024-2398.html
- https://www.cve.org/CVERecord?id=CVE-2024-2004
- https://www.cve.org/CVERecord?id=CVE-2024-2379
- https://www.cve.org/CVERecord?id=CVE-2024-2398
- https://www.cve.org/CVERecord?id=CVE-2024-2466

SRPMS:
- 9/core/curl-7.88.1-4.3.mga9
==========================================================================
Ubuntu Security Notice USN-6718-1
March 27, 2024

curl vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in curl.

Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Dan Fandrich discovered that curl would incorrectly use the default set of
protocols when a parameter option disabled all protocols without adding any,
contrary to expectations. This issue only affected Ubuntu 23.10.
(CVE-2024-2004)

It was discovered that curl incorrectly handled memory when limiting the
amount of headers when HTTP/2 server push is allowed. A remote attacker could
possibly use this issue to cause curl to consume resources, leading to a
denial of service. (CVE-2024-2398)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
  curl                            8.2.1-1ubuntu3.3
  libcurl3-gnutls                 8.2.1-1ubuntu3.3
  libcurl3-nss                    8.2.1-1ubuntu3.3
  libcurl4                        8.2.1-1ubuntu3.3

Ubuntu 22.04 LTS:
  curl                            7.81.0-1ubuntu1.16
  libcurl3-gnutls                 7.81.0-1ubuntu1.16
  libcurl3-nss                    7.81.0-1ubuntu1.16
  libcurl4                        7.81.0-1ubuntu1.16

Ubuntu 20.04 LTS:
  curl                            7.68.0-1ubuntu2.22
  libcurl3-gnutls                 7.68.0-1ubuntu2.22
  libcurl3-nss                    7.68.0-1ubuntu2.22
  libcurl4                        7.68.0-1ubuntu2.22

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6718-1
  CVE-2024-2004, CVE-2024-2398

Package Information:
  https://launchpad.net/ubuntu/+source/curl/8.2.1-1ubuntu3.3
  https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.22
openSUSE Security Update: Security update for python-django-grappelli
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2023:0384-1
Rating:             moderate
References:         #1216481
Cross-References:   CVE-2021-46898
CVSS scores:
                    CVE-2021-46898 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products:
                    openSUSE Backports SLE-15-SP4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for python-django-grappelli fixes the following issues:

Update to 2.14.4:

- CVE-2021-46898: Fixed views/switch.py vulnerable to protocol-relative URL
  attacks (boo#1216481)
- Fixed: Redirect with switch user.
- Improved: Remove extra filtering in AutocompleteLookup.
- Improved: Added import statement with URLs for quickstart docs.
- Improved: Added additional blocks with inlines to allow override.
- Fixed: Compatibility with Django 3.1.
- Fixed: Docs about adding Grappelli documentation URLS.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP4:
  zypper in -t patch openSUSE-2023-384=1

Package List:

- openSUSE Backports SLE-15-SP4 (noarch):
  python3-django-grappelli-2.14.4-bp154.2.3.1

References:

https://www.suse.com/security/cve/CVE-2021-46898.html
https://bugzilla.suse.com/1216481
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-203eff67e0
2023-04-22 01:11:17.771502
--------------------------------------------------------------------------------

Name        : wireshark
Product     : Fedora 36
Version     : 3.6.13
Release     : 1.fc36
URL         : https://www.wireshark.org/
Summary     : Network traffic analyzer
Description :
Wireshark allows you to examine protocol data stored in files or as it is
captured from wired or wireless (WiFi or Bluetooth) networks, USB devices,
and many other sources. It supports dozens of protocol capture file formats
and understands more than a thousand protocols.

It has many powerful features including a rich display filter language and
the ability to reassemble multiple protocol packets in order to, for example,
view a complete TCP stream, save the contents of a file which was transferred
over HTTP or CIFS, or play back an RTP audio stream.
--------------------------------------------------------------------------------
Update Information:

New version 3.6.13. Fix for CVE-2023-1992, CVE-2023-1993 and CVE-2023-1994.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Apr 13 2023 Michal Ruprich - 1:3.6.13-1
- New version 3.6.13
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2186326 - CVE-2023-1994 wireshark: GQUIC dissector crash [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2186326
  [ 2 ] Bug #2186328 - CVE-2023-1993 wireshark: LISP dissector large loop [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2186328
  [ 3 ] Bug #2186330 - CVE-2023-1992 wireshark: RPCoRDMA dissector crash [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2186330
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-203eff67e0' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
=========================================================================
Ubuntu Security Notice USN-5491-1
June 22, 2022

squid, squid3 vulnerability
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Squid could be made to crash if it received specially crafted network
traffic.

Software Description:
- squid: Web proxy cache server
- squid3: Web proxy cache server

Details:

Joshua Rogers discovered that Squid incorrectly handled the Gopher protocol.
A remote attacker could possibly use this issue to cause Squid to crash,
resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  squid                           5.2-1ubuntu4.1

Ubuntu 21.10:
  squid                           4.13-10ubuntu5.1

Ubuntu 20.04 LTS:
  squid                           4.10-1ubuntu1.6

Ubuntu 18.04 LTS:
  squid                           3.5.27-1ubuntu1.13

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5491-1
  CVE-2021-46784

Package Information:
  https://launchpad.net/ubuntu/+source/squid/5.2-1ubuntu4.1
  https://launchpad.net/ubuntu/+source/squid/4.13-10ubuntu5.1
  https://launchpad.net/ubuntu/+source/squid/4.10-1ubuntu1.6
  https://launchpad.net/ubuntu/+source/squid3/3.5.27-1ubuntu1.13
MGASA-2021-0532 - Updated bluez packages fix security vulnerability

Publication date: 02 Dec 2021
URL: https://advisories.mageia.org/MGASA-2021-0532.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-41229, CVE-2021-43400

BlueZ is a Bluetooth protocol stack for Linux. In affected versions a
vulnerability exists in sdp_cstate_alloc_buf which allocates memory which will
always be hung in the singly linked list of cstates and will not be freed. This
will cause a memory leak over time. The data can be a very large object, which
can be caused by an attacker continuously sending sdp packets and this may
cause the service of the target device to crash. (CVE-2021-41229)

An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can
occur when a client disconnects during D-Bus processing of a WriteValue call.
(CVE-2021-43400)

References:
- https://bugs.mageia.org/show_bug.cgi?id=29694
- https://ubuntu.com/security/notices/USN-5155-1
- https://www.cve.org/CVERecord?id=CVE-2021-41229
- https://www.cve.org/CVERecord?id=CVE-2021-43400

SRPMS:
- 8/core/bluez-5.55-3.3.mga8
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-fc96a3a749
2021-10-02 01:09:40.654419
--------------------------------------------------------------------------------

Name        : curl
Product     : Fedora 33
Version     : 7.71.1
Release     : 11.fc33
URL         : https://curl.se/
Summary     : A utility for getting files from remote servers (FTP, HTTP, and others)
Description :
curl is a command line tool for transferring data with URL syntax, supporting
FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP
uploading, HTTP form based upload, proxies, cookies, user+password
authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer
resume, proxy tunneling and a busload of other useful tricks.
--------------------------------------------------------------------------------
Update Information:

- CVE-2021-22947 - STARTTLS protocol injection via MITM
- CVE-2021-22946 - protocol downgrade required TLS bypassed
- CVE-2021-22945 - use-after-free and double-free in MQTT sending
--------------------------------------------------------------------------------
ChangeLog:

* Fri Sep 17 2021 Kamil Dudka - 7.71.1-11
- fix STARTTLS protocol injection via MITM (CVE-2021-22947)
- fix protocol downgrade required TLS bypass (CVE-2021-22946)
- fix use-after-free and double-free in MQTT sending (CVE-2021-22945)
* Wed Jul 21 2021 Kamil Dudka - 7.71.1-10
- fix TELNET stack contents disclosure again (CVE-2021-22925)
- fix TELNET stack contents disclosure (CVE-2021-22898)
- fix bad connection reuse due to flawed path name checks (CVE-2021-22924)
- disable metalink support to fix the following vulnerabilities
    CVE-2021-22923 - metalink download sends credentials
    CVE-2021-22922 - wrong content via metalink not discarded
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2004362 - CVE-2021-22945 curl: use-after-free and double-free in MQTT sending [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2004362
  [ 2 ] Bug #2004363 - CVE-2021-22947 curl: STARTTLS protocol injection via MITM [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2004363
  [ 3 ] Bug #2004927 - CVE-2021-22946 curl: protocol downgrade required TLS bypassed [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2004927
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-fc96a3a749' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------