Several security issues were fixed in the Linux kernel.

==========================================================================
Ubuntu Security Notice USN-6704-4
March 28, 2024

linux-intel-iotg, linux-intel-iotg-5.15 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-intel-iotg: Linux kernel for Intel IoT platforms
- linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms

Details:

It was discovered that the NVIDIA Tegra XUSB pad controller driver in the Linux kernel did not properly handle return values in certain error conditions. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-23000)

Quentin Minster discovered that the KSMBD implementation in the Linux kernel did not properly handle session setup requests. A remote attacker could possibly use this to cause a denial of service (memory exhaustion). (CVE-2023-32247)

Lonial Con discovered that the netfilter subsystem in the Linux kernel did not properly handle element deactivation in certain cases, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2024-1085)

Notselwyn discovered that the netfilter subsystem in the Linux kernel did not properly handle verdict parameters in certain cases, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2024-1086)

It was discovered that a race condition existed in the SCSI Emulex LightPulse Fibre Channel driver in the Linux kernel when unregistering FCF and re-scanning an HBA FCF table, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2024-24855)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS:
  linux-image-5.15.0-1051-intel-iotg 5.15.0-1051.57
  linux-image-intel-iotg 5.15.0.1051.51

Ubuntu 20.04 LTS:
  linux-image-5.15.0-1051-intel-iotg 5.15.0-1051.57~20.04.1
  linux-image-intel 5.15.0.1051.57~20.04.41
  linux-image-intel-iotg 5.15.0.1051.57~20.04.41

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References:
  https://ubuntu.com/security/notices/USN-6704-4
  https://ubuntu.com/security/notices/USN-6704-1
  CVE-2023-23000, CVE-2023-32247, CVE-2024-1085, CVE-2024-1086, CVE-2024-24855

Package Information:
  https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1051.57

Attention Ubuntu 20.04 and 22.04 users: Several vulnerabilities have been found in the Linux kernel. Update your system promptly to protect against threats.

Linux Kernel Security, Ubuntu Update, Denial of Service Risks.

LinuxSecurity.com Team
Several security issues were fixed in ConnMan.

=========================================================================
Ubuntu Security Notice USN-6236-1
July 19, 2023

connman vulnerabilities
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in ConnMan.

Software Description:
- connman: Intel Connection Manager daemon

Details:

It was discovered that ConnMan could be made to write out of bounds. A remote attacker could possibly use this issue to cause ConnMan to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-26675, CVE-2021-33833)

It was discovered that ConnMan could be made to leak sensitive information via the gdhcp component. A remote attacker could possibly use this issue to obtain information for further exploitation. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-26676)

It was discovered that ConnMan could be made to read out of bounds. A remote attacker could possibly use this issue to cause ConnMan to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-23096, CVE-2022-23097)

It was discovered that ConnMan could be made to run into an infinite loop. A remote attacker could possibly use this issue to cause ConnMan to consume resources and to stop operating, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-23098)

It was discovered that ConnMan could be made to write out of bounds via the gweb component. A remote attacker could possibly use this issue to cause ConnMan to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-32292)

It was discovered that ConnMan did not properly manage memory under certain circumstances. A remote attacker could possibly use this issue to cause ConnMan to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-32293)

It was discovered that ConnMan could be made to write out of bounds via the gdhcp component. A remote attacker could possibly use this issue to cause ConnMan to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2023-28488)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 23.04:
  connman 1.41-2ubuntu0.23.04.1

Ubuntu 22.04 LTS:
  connman 1.36-2.3ubuntu0.1

Ubuntu 20.04 LTS:
  connman 1.36-2ubuntu0.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  connman 1.35-6ubuntu0.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  connman 1.21-1.2+deb8u1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6236-1
  CVE-2021-26675, CVE-2021-26676, CVE-2021-33833, CVE-2022-23096, CVE-2022-23097, CVE-2022-23098, CVE-2022-32292, CVE-2022-32293, CVE-2023-28488

Package Information:
  https://launchpad.net/ubuntu/+source/connman/1.41-2ubuntu0.23.04.1
  https://launchpad.net/ubuntu/+source/connman/1.36-2.3ubuntu0.1
  https://launchpad.net/ubuntu/+source/connman/1.36-2ubuntu0.1

Ubuntu's ConnMan has resolved multiple vulnerabilities affecting numerous LTS releases. It's recommended to perform updates to ensure system security.

ConnMan Updates, Ubuntu Security Fixes, Network Management Issues, Remote Exploits.

Severity: Critical.

LinuxSecurity.com Team
Varnish Cache could be made to restart if it received specially crafted input.

=========================================================================
Ubuntu Security Notice USN-5474-2
August 23, 2022

varnish regression
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Varnish Cache could be made to restart if it received specially crafted input.

Software Description:
- varnish: state of the art, high-performance web accelerator

Details:

USN-5474-1 fixed vulnerabilities in Varnish Cache. Unfortunately the fix for CVE-2020-11653 was incomplete. This update fixes the problem.

Original advisory details:

It was discovered that Varnish Cache could have an assertion failure when a TLS termination proxy uses PROXY version 2. A remote attacker could possibly use this issue to restart the daemon and cause a performance loss. (CVE-2020-11653)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS:
  libvarnishapi2 6.2.1-2ubuntu0.2
  varnish 6.2.1-2ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5474-1
  CVE-2020-11653

Package Information:
  https://launchpad.net/ubuntu/+source/varnish/6.2.1-2ubuntu0.2

Ubuntu Security Notice USN-5474-3 addresses a restart problem with Varnish Cache due to manipulated input impacting Ubuntu 22.04 LTS.

Varnish Cache, Ubuntu Update, Software Security Issue, System Performance, Remote Attacks.

Severity: Important.

LinuxSecurity.com Team
The package opera before version 82.0.4227.23-1 is vulnerable to multiple issues including arbitrary code execution, access restriction bypass, content spoofing, information disclosure, same-origin policy bypass, sandbox escape and denial of service.

Arch Linux Security Advisory ASA-202112-2
=========================================

Severity: High
Date    : 2021-12-03
CVE-ID  : CVE-2021-38005 CVE-2021-38006 CVE-2021-38007 CVE-2021-38008
          CVE-2021-38009 CVE-2021-38010 CVE-2021-38011 CVE-2021-38012
          CVE-2021-38013 CVE-2021-38014 CVE-2021-38015 CVE-2021-38016
          CVE-2021-38017 CVE-2021-38018 CVE-2021-38019 CVE-2021-38020
          CVE-2021-38021 CVE-2021-38022
Package : opera
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2563

Summary
=======

The package opera before version 82.0.4227.23-1 is vulnerable to multiple issues including arbitrary code execution, access restriction bypass, content spoofing, information disclosure, same-origin policy bypass, sandbox escape and denial of service.

Resolution
==========

Upgrade to 82.0.4227.23-1.

# pacman -Syu "opera>=82.0.4227.23-1"

The problems have been fixed upstream in version 82.0.4227.23.

Workaround
==========

None.

Description
===========

- CVE-2021-38005 (arbitrary code execution)

A use after free security issue has been found in the loader component of the Chromium browser engine before version 96.0.4664.45.

- CVE-2021-38006 (arbitrary code execution)

A use after free security issue has been found in the storage foundation component of the Chromium browser engine before version 96.0.4664.45.

- CVE-2021-38007 (arbitrary code execution)

A type confusion security issue has been found in the V8 component of the Chromium browser engine before version 96.0.4664.45.

- CVE-2021-38008 (arbitrary code execution)

A use after free security issue has been found in the media component of the Chromium browser engine before version 96.0.4664.45.

- CVE-2021-38009 (arbitrary code execution)

An inappropriate implementation security issue has been found in the cache component of the Chromium browser engine before version 96.0.4664.45.

- CVE-2021-38010 (arbitrary code execution)

An inappropriate implementation security issue has been found in the service workers component of the Chromium browser engine before version 96.0.4664.45.

- CVE-2021-38011 (arbitrary code execution)

A use after free security issue has been found in the storage foundation component of the Chromium browser engine before version 96.0.4664.45.

- CVE-2021-38012 (arbitrary code execution)

A type confusion security issue has been found in the V8 component of the Chromium browser engine before version 96.0.4664.45.

- CVE-2021-38013 (arbitrary code execution)

A heap buffer overflow security issue has been found in the fingerprint recognition component of the Chromium browser engine before version 96.0.4664.45.

- CVE-2021-38014 (arbitrary code execution)

An out of bounds write security issue has been found in the Swiftshader component of the Chromium browser engine before version 96.0.4664.45.

- CVE-2021-38015 (arbitrary code execution)

An inappropriate implementation security issue has been found in the input component of the Chromium browser engine before version 96.0.4664.45.

- CVE-2021-38016 (access restriction bypass)

An insufficient policy enforcement security issue has been found in the background fetch component of the Chromium browser engine before version 96.0.4664.45.

- CVE-2021-38017 (sandbox escape)

An insufficient policy enforcement security issue has been found in the iframe sandbox component of the Chromium browser engine before version 96.0.4664.45.

- CVE-2021-38018 (content spoofing)

An inappropriate implementation security issue has been found in the navigation component of the Chromium browser engine before version 96.0.4664.45.

- CVE-2021-38019 (same-origin policy bypass)

An insufficient policy enforcement security issue has been found in the CORS component of the Chromium browser engine before version 96.0.4664.45.

- CVE-2021-38020 (information disclosure)

An insufficient policy enforcement security issue has been found in the contacts picker component of the Chromium browser engine before version 96.0.4664.45.

- CVE-2021-38021 (information disclosure)

An inappropriate implementation security issue has been found in the referrer component of the Chromium browser engine before version 96.0.4664.45.

- CVE-2021-38022 (denial of service)

An inappropriate implementation security issue has been found in the WebAuthentication component of the Chromium browser engine before version 96.0.4664.45.

Impact
======

A remote attacker could execute arbitrary code, spoof content, bypass security restrictions or crash the browser through crafted web content.

References
==========

https://blogs.opera.com/desktop/changelog-for-81/
https://blogs.opera.com/desktop/changelog-for-82/
https://chromereleases.googleblog.com/2021/11/stable-channel-update-for-desktop.html
https://security.archlinux.org/CVE-2021-38005
https://security.archlinux.org/CVE-2021-38006
https://security.archlinux.org/CVE-2021-38007
https://security.archlinux.org/CVE-2021-38008
https://security.archlinux.org/CVE-2021-38009
https://security.archlinux.org/CVE-2021-38010
https://security.archlinux.org/CVE-2021-38011
https://security.archlinux.org/CVE-2021-38012
https://security.archlinux.org/CVE-2021-38013
https://security.archlinux.org/CVE-2021-38014
https://security.archlinux.org/CVE-2021-38015
https://security.archlinux.org/CVE-2021-38016
https://security.archlinux.org/CVE-2021-38017
https://security.archlinux.org/CVE-2021-38018
https://security.archlinux.org/CVE-2021-38019
https://security.archlinux.org/CVE-2021-38020
https://security.archlinux.org/CVE-2021-38021
https://security.archlinux.org/CVE-2021-38022

Various vulnerabilities in Opera versions prior to 82.0.4227.23-1 can potentially lead to exposure to remote exploitation and various security risks. Prompt update is advised.

Opera Security Threats, Arch Linux Issues, Browser Vulnerabilities.

LinuxSecurity.com Team
Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create files on the server, disclose private information, create open .

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4677-1
An update that fixes four vulnerabilities is now available.

SUSE Security Update: Security update for php7
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:1176-1
Rating:             important
References:         #1091355 #1091362 #1091363 #1091367
Cross-References:   CVE-2018-10545 CVE-2018-10546 CVE-2018-10547 CVE-2018-10548
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP3
                    SUSE Linux Enterprise Module for Web Scripting 12
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for php7 fixes the following issues:

Security issues fixed:

- CVE-2018-10545: Fix access controls in FPM child processes (bsc#1091367).
- CVE-2018-10547: Fix Reflected XSS on the PHAR 403 and 404 error pages (bsc#1091362).
- CVE-2018-10546: Fix an infinite loop in ext/iconv/iconv.c (bsc#1091363).
- CVE-2018-10548: Fix remote denial of service in ext/ldap/ldap.c (bsc#1091355).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-817=1 - SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2018-817=1 Package List: - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): php7-debuginfo-7.0.7-50.38.2 php7-debugsource-7.0.7-50.38.2 php7-devel-7.0.7-50.38.2 - SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): apache2-mod_php7-7.0.7-50.38.2 apache2-mod_php7-debuginfo-7.0.7-50.38.2 php7-7.0.7-50.38.2 php7-bcmath-7.0.7-50.38.2 php7-bcmath-debuginfo-7.0.7-50.38.2 php7-bz2-7.0.7-50.38.2 php7-bz2-debuginfo-7.0.7-50.38.2 php7-calendar-7.0.7-50.38.2 php7-calendar-debuginfo-7.0.7-50.38.2 php7-ctype-7.0.7-50.38.2 php7-ctype-debuginfo-7.0.7-50.38.2 php7-curl-7.0.7-50.38.2 php7-curl-debuginfo-7.0.7-50.38.2 php7-dba-7.0.7-50.38.2 php7-dba-debuginfo-7.0.7-50.38.2 php7-debuginfo-7.0.7-50.38.2 php7-debugsource-7.0.7-50.38.2 php7-dom-7.0.7-50.38.2 php7-dom-debuginfo-7.0.7-50.38.2 php7-enchant-7.0.7-50.38.2 php7-enchant-debuginfo-7.0.7-50.38.2 php7-exif-7.0.7-50.38.2 php7-exif-debuginfo-7.0.7-50.38.2 php7-fastcgi-7.0.7-50.38.2 php7-fastcgi-debuginfo-7.0.7-50.38.2 php7-fileinfo-7.0.7-50.38.2 php7-fileinfo-debuginfo-7.0.7-50.38.2 php7-fpm-7.0.7-50.38.2 php7-fpm-debuginfo-7.0.7-50.38.2 php7-ftp-7.0.7-50.38.2 php7-ftp-debuginfo-7.0.7-50.38.2 php7-gd-7.0.7-50.38.2 php7-gd-debuginfo-7.0.7-50.38.2 php7-gettext-7.0.7-50.38.2 php7-gettext-debuginfo-7.0.7-50.38.2 php7-gmp-7.0.7-50.38.2 php7-gmp-debuginfo-7.0.7-50.38.2 php7-iconv-7.0.7-50.38.2 php7-iconv-debuginfo-7.0.7-50.38.2 php7-imap-7.0.7-50.38.2 php7-imap-debuginfo-7.0.7-50.38.2 php7-intl-7.0.7-50.38.2 php7-intl-debuginfo-7.0.7-50.38.2 php7-json-7.0.7-50.38.2 php7-json-debuginfo-7.0.7-50.38.2 php7-ldap-7.0.7-50.38.2 php7-ldap-debuginfo-7.0.7-50.38.2 php7-mbstring-7.0.7-50.38.2 
php7-mbstring-debuginfo-7.0.7-50.38.2 php7-mcrypt-7.0.7-50.38.2 php7-mcrypt-debuginfo-7.0.7-50.38.2 php7-mysql-7.0.7-50.38.2 php7-mysql-debuginfo-7.0.7-50.38.2 php7-odbc-7.0.7-50.38.2 php7-odbc-debuginfo-7.0.7-50.38.2 php7-opcache-7.0.7-50.38.2 php7-opcache-debuginfo-7.0.7-50.38.2 php7-openssl-7.0.7-50.38.2 php7-openssl-debuginfo-7.0.7-50.38.2 php7-pcntl-7.0.7-50.38.2 php7-pcntl-debuginfo-7.0.7-50.38.2 php7-pdo-7.0.7-50.38.2 php7-pdo-debuginfo-7.0.7-50.38.2 php7-pgsql-7.0.7-50.38.2 php7-pgsql-debuginfo-7.0.7-50.38.2 php7-phar-7.0.7-50.38.2 php7-phar-debuginfo-7.0.7-50.38.2 php7-posix-7.0.7-50.38.2 php7-posix-debuginfo-7.0.7-50.38.2 php7-pspell-7.0.7-50.38.2 php7-pspell-debuginfo-7.0.7-50.38.2 php7-shmop-7.0.7-50.38.2 php7-shmop-debuginfo-7.0.7-50.38.2 php7-snmp-7.0.7-50.38.2 php7-snmp-debuginfo-7.0.7-50.38.2 php7-soap-7.0.7-50.38.2 php7-soap-debuginfo-7.0.7-50.38.2 php7-sockets-7.0.7-50.38.2 php7-sockets-debuginfo-7.0.7-50.38.2 php7-sqlite-7.0.7-50.38.2 php7-sqlite-debuginfo-7.0.7-50.38.2 php7-sysvmsg-7.0.7-50.38.2 php7-sysvmsg-debuginfo-7.0.7-50.38.2 php7-sysvsem-7.0.7-50.38.2 php7-sysvsem-debuginfo-7.0.7-50.38.2 php7-sysvshm-7.0.7-50.38.2 php7-sysvshm-debuginfo-7.0.7-50.38.2 php7-tokenizer-7.0.7-50.38.2 php7-tokenizer-debuginfo-7.0.7-50.38.2 php7-wddx-7.0.7-50.38.2 php7-wddx-debuginfo-7.0.7-50.38.2 php7-xmlreader-7.0.7-50.38.2 php7-xmlreader-debuginfo-7.0.7-50.38.2 php7-xmlrpc-7.0.7-50.38.2 php7-xmlrpc-debuginfo-7.0.7-50.38.2 php7-xmlwriter-7.0.7-50.38.2 php7-xmlwriter-debuginfo-7.0.7-50.38.2 php7-xsl-7.0.7-50.38.2 php7-xsl-debuginfo-7.0.7-50.38.2 php7-zip-7.0.7-50.38.2 php7-zip-debuginfo-7.0.7-50.38.2 php7-zlib-7.0.7-50.38.2 php7-zlib-debuginfo-7.0.7-50.38.2 - SUSE Linux Enterprise Module for Web Scripting 12 (noarch): php7-pear-7.0.7-50.38.2 php7-pear-Archive_Tar-7.0.7-50.38.2 References: https://www.suse.com/security/cve/CVE-2018-10545.html https://www.suse.com/security/cve/CVE-2018-10546.html https://www.suse.com/security/cve/CVE-2018-10547.html 
https://www.suse.com/security/cve/CVE-2018-10548.html
https://bugzilla.suse.com/1091355
https://bugzilla.suse.com/1091362
https://bugzilla.suse.com/1091363
https://bugzilla.suse.com/1091367

The latest SUSE security patch for php7 rectifies multiple vulnerabilities and improves safeguards against external threats. Discover further details here.

php7 Security Update, SUSE Advisory, Web Scripting Security, Access Control Issues, Remote Access Vulnerabilities.

Severity: Important.

LinuxSecurity.com Team
Improper input validation in Varnish allows remote attackers to conduct HTTP smuggling attacks, and possibly trigger a buffer overflow.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201607-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Varnish: Multiple vulnerabilities
     Date: July 20, 2016
     Bugs: #542886
       ID: 201607-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Improper input validation in Varnish allows remote attackers to conduct HTTP smuggling attacks, and possibly trigger a buffer overflow.

Background
==========

Varnish is a web application accelerator.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-servers/varnish         < 3.0.7                      >= 3.0.7

Description
===========

Varnish fails to properly validate input from HTTP headers, and does not deny requests with multiple Content-Length headers.

Impact
======

Remote attackers could conduct an HTTP response splitting attack, which may further enable them to conduct Cross-Site Scripting (XSS), Cache Poisoning, Defacement, and Page Hijacking.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Varnish users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/varnish-3.0.7"

References
==========

[ 1 ] CVE-2015-8852
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8852

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

 https://security.gentoo.org/glsa/201607-10

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
Several vulnerabilities were discovered in cgit, a fast web frontend for git repositories written in C. A remote attacker can take advantage of these flaws to perform cross-site scripting, header injection or denial of service attacks.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3545-1