JSON5 could allow unintended access to network services or have other unspecified impact.

==========================================================================
Ubuntu Security Notice USN-6758-1
April 30, 2024

node-json5 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

JSON5 could allow unintended access to network services or have other
unspecified impact.

Software Description:
- node-json5: JSON for the ES5 era

Details:

It was discovered that the JSON5 parse method incorrectly handled the
parsing of keys named __proto__. An attacker could possibly use this issue
to pollute the prototype of the returned object, setting arbitrary or
unexpected keys, and cause a denial of service, allow unintended access to
network services or have other unspecified impact, depending on the
application's use of the module.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS
  node-json5                      2.2.0+dfsg-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  node-json5                      0.5.1-3ubuntu0.1

Ubuntu 18.04 LTS
  node-json5                      0.5.1-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

After a standard system update you may need to restart any services that
use the library to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6758-1
  CVE-2022-46175

Package Information:
  https://launchpad.net/ubuntu/+source/node-json5/0.5.1-3ubuntu0.1

Ubuntu Security Notice USN-6758-1 covers a prototype pollution vulnerability (CVE-2022-46175) in the JSON5 library affecting Ubuntu 18.04 LTS, 20.04 LTS and 22.04 LTS. Users should apply the listed package updates and restart services that load the module. The distribution package only covers the system copy of the module; applications that ship their own json5 inside node_modules must be updated separately.

JSON5, node-json5, Ubuntu Security Update.

Severity: Important. LinuxSecurity.com Team
An update that fixes 7 vulnerabilities is now available.

SUSE Security Update: Security update for apache2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:2101-1
Rating:             important
References:         #1200338 #1200340 #1200341 #1200345 #1200348 #1200350
                    #1200352
Cross-References:   CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404
                    CVE-2022-30522 CVE-2022-30556 CVE-2022-31813

CVSS scores:
  CVE-2022-26377 (SUSE): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
  CVE-2022-28614 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  CVE-2022-28615 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2022-29404 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2022-30522 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2022-30522 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2022-30556 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  CVE-2022-31813 (SUSE): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products:
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server for SAP Applications 12-SP5
  SUSE Linux Enterprise Software Development Kit 12-SP5
______________________________________________________________________________

An update that fixes 7 vulnerabilities is now available.

Description:

This update for apache2 fixes the following issues:

- CVE-2022-26377: Fixed possible request smuggling in mod_proxy_ajp (bsc#1200338)
- CVE-2022-28614: Fixed read beyond bounds via ap_rwrite() (bsc#1200340)
- CVE-2022-28615: Fixed read beyond bounds in ap_strcmp_match() (bsc#1200341)
- CVE-2022-29404: Fixed denial of service in mod_lua r:parsebody (bsc#1200345)
- CVE-2022-30556: Fixed information disclosure in mod_lua with websockets (bsc#1200350)
- CVE-2022-30522: Fixed mod_sed denial of service (bsc#1200352)
- CVE-2022-31813: Fixed mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism (bsc#1200348)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 12-SP5:
    zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-2101=1

- SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-2101=1

Package List:

- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
    apache2-debuginfo-2.4.51-35.19.1
    apache2-debugsource-2.4.51-35.19.1
    apache2-devel-2.4.51-35.19.1

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
    apache2-2.4.51-35.19.1
    apache2-debuginfo-2.4.51-35.19.1
    apache2-debugsource-2.4.51-35.19.1
    apache2-example-pages-2.4.51-35.19.1
    apache2-prefork-2.4.51-35.19.1
    apache2-prefork-debuginfo-2.4.51-35.19.1
    apache2-utils-2.4.51-35.19.1
    apache2-utils-debuginfo-2.4.51-35.19.1
    apache2-worker-2.4.51-35.19.1
    apache2-worker-debuginfo-2.4.51-35.19.1

- SUSE Linux Enterprise Server 12-SP5 (noarch):
    apache2-doc-2.4.51-35.19.1

References:
  https://www.suse.com/security/cve/CVE-2022-26377.html
  https://www.suse.com/security/cve/CVE-2022-28614.html
  https://www.suse.com/security/cve/CVE-2022-28615.html
  https://www.suse.com/security/cve/CVE-2022-29404.html
  https://www.suse.com/security/cve/CVE-2022-30522.html
  https://www.suse.com/security/cve/CVE-2022-30556.html
  https://www.suse.com/security/cve/CVE-2022-31813.html
  https://bugzilla.suse.com/1200338
  https://bugzilla.suse.com/1200340
  https://bugzilla.suse.com/1200341
  https://bugzilla.suse.com/1200345
  https://bugzilla.suse.com/1200348
  https://bugzilla.suse.com/1200350
  https://bugzilla.suse.com/1200352

SUSE security update SUSE-SU-2022:2101-1 for apache2 addresses 7 vulnerabilities in SUSE Linux Enterprise 12 SP5 products, including AJP request smuggling, out-of-bounds reads, information disclosure in mod_lua, and denial-of-service issues in mod_lua and mod_sed. The fixed package version is 2.4.51-35.19.1; a running httpd must be restarted after the update for the new binaries to take effect.

SUSE Security Update, apache2 Patches, Denial of Service Issues.

Severity: Important. LinuxSecurity.com Team
Multiple vulnerabilities have been found in urllib3, the worst of which could result in a Denial of Service condition.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory                   GLSA 202107-36
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                        https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: urllib3: Multiple vulnerabilities
     Date: July 15, 2021
     Bugs: #776421, #799413
       ID: 202107-36

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in urllib3, the worst of which
could result in a Denial of Service condition.

Background
==========

The urllib3 library is an HTTP library with thread-safe connection pooling,
file post, and more.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-python/urllib3         < 1.26.5                    >= 1.26.5

Description
===========

Multiple vulnerabilities have been discovered in urllib3. Please review the
CVE identifiers referenced below for details.

Impact
======

An attacker could cause a possible Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All urllib3 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-python/urllib3-1.26.5"

References
==========

[ 1 ] CVE-2021-28363
      https://nvd.nist.gov/vuln/detail/CVE-2021-28363
[ 2 ] CVE-2021-33503
      https://nvd.nist.gov/vuln/detail/CVE-2021-33503

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202107-36

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
Several security issues were fixed in unzip.

=========================================================================
Ubuntu Security Notice USN-4672-1
December 16, 2020

unzip vulnerabilities
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 ESM
- Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in unzip.

Software Description:
- unzip: De-archiver for .zip files

Details:

Rene Freingruber discovered that unzip incorrectly handled certain specially
crafted password protected ZIP archives. If a user or automated system using
unzip were tricked into opening a specially crafted zip file, an attacker
could exploit this to cause a crash, resulting in a denial of service.
(CVE-2018-1000035)

Antonio Carista discovered that unzip incorrectly handled certain specially
crafted ZIP archives. If a user or automated system using unzip were tricked
into opening a specially crafted zip file, an attacker could exploit this to
cause a crash, resulting in a denial of service. This issue only affected
Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. (CVE-2018-18384)

It was discovered that unzip incorrectly handled certain specially crafted
ZIP archives. If a user or automated system using unzip were tricked into
opening a specially crafted zip file, an attacker could exploit this to
cause resource consumption, resulting in a denial of service.
(CVE-2019-13232)

Martin Carpenter discovered that unzip incorrectly handled certain specially
crafted ZIP archives. If a user or automated system using unzip were tricked
into opening a specially crafted zip file, an attacker could exploit this to
cause a crash, resulting in a denial of service. This issue only affected
Ubuntu 12.04 ESM, Ubuntu 14.04 ESM and Ubuntu 16.04 LTS. (CVE-2014-9913)

Alexis Vanden Eijnde discovered that unzip incorrectly handled certain
specially crafted ZIP archives. If a user or automated system using unzip
were tricked into opening a specially crafted zip file, an attacker could
exploit this to cause a crash, resulting in a denial of service. This issue
only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM and Ubuntu 16.04 LTS.
(CVE-2016-9844)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  unzip                           6.0-21ubuntu1.1

Ubuntu 16.04 LTS:
  unzip                           6.0-20ubuntu1.1

Ubuntu 14.04 ESM:
  unzip                           6.0-9ubuntu1.6

Ubuntu 12.04 ESM:
  unzip                           6.0-4ubuntu2.6

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-4672-1
  CVE-2014-9913, CVE-2016-9844, CVE-2018-1000035, CVE-2018-18384,
  CVE-2019-13232

Package Information:
  https://launchpad.net/ubuntu/+source/unzip/6.0-21ubuntu1.1
  https://launchpad.net/ubuntu/+source/unzip/6.0-20ubuntu1.1

Ubuntu Security Notice USN-4672-1 fixes five denial-of-service issues in unzip on Ubuntu 12.04 ESM through 18.04 LTS; update to the listed package versions. Automated pipelines that extract untrusted archives are the most exposed, since each of these issues is triggered simply by opening a crafted archive.

Ubuntu Unzip Security, Denial of Service Fix, Unzip Package Update.

Severity: Critical. LinuxSecurity.com Team
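A version check for the fixed package versions quoted in USN-4672-1 above and in USN-6758-1 earlier on this page, as an added example that is not Ubuntu's code. It re-implements dpkg's version ordering, including the epoch and the tilde rule under which 1ubuntu0.1~esm1 sorts before 1ubuntu0.1, so the comparison gives the same answer as `dpkg --compare-versions`; on a live system the installed version comes from `dpkg-query -W -f='${Version}' <package>`. The FIXED_VERSIONS table is copied from the two notices; the function names are this example's own.

```javascript
// Added example (not Ubuntu's code). Re-implements the dpkg version ordering
// (the algorithm of dpkg's lib/dpkg/version.c) so the "fixed in" versions from
// USN-4672-1 and USN-6758-1 can be checked against an installed version.
// On a real system the same answer comes from:
//   dpkg-query -W -f='${Version}' unzip          (installed version)
//   dpkg --compare-versions "$installed" ge "$fixed"

// Fixed versions as listed in the two notices, keyed by Ubuntu release.
const FIXED_VERSIONS = {
  'node-json5': {            // USN-6758-1
    '22.04': '2.2.0+dfsg-1ubuntu0.1~esm1',
    '20.04': '0.5.1-3ubuntu0.1',
    '18.04': '0.5.1-1ubuntu0.1~esm1',
  },
  unzip: {                   // USN-4672-1
    '18.04': '6.0-21ubuntu1.1',
    '16.04': '6.0-20ubuntu1.1',
    '14.04': '6.0-9ubuntu1.6',
    '12.04': '6.0-4ubuntu2.6',
  },
};

const isDigit = (c) => c >= '0' && c <= '9';
const isAlpha = (c) => (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');

// dpkg's character weight: '~' sorts before everything (even end of string),
// letters sort by code point, other punctuation sorts after letters.
function order(c) {
  if (c === '' || isDigit(c)) return 0;
  if (isAlpha(c)) return c.charCodeAt(0);
  if (c === '~') return -1;
  return c.charCodeAt(0) + 256;
}

// Compare one upstream-version or revision string the way dpkg does:
// alternate between non-digit runs (by order()) and digit runs (numerically).
function verrevcmp(a, b) {
  let i = 0, j = 0;
  const ca = () => (i < a.length ? a[i] : '');
  const cb = () => (j < b.length ? b[j] : '');
  while (ca() !== '' || cb() !== '') {
    let firstDiff = 0;
    while ((ca() !== '' && !isDigit(ca())) || (cb() !== '' && !isDigit(cb()))) {
      const diff = order(ca()) - order(cb());
      if (diff !== 0) return diff;
      i++; j++;
    }
    while (ca() === '0') i++;           // leading zeros are not significant
    while (cb() === '0') j++;
    while (isDigit(ca()) && isDigit(cb())) {
      if (firstDiff === 0) firstDiff = ca().charCodeAt(0) - cb().charCodeAt(0);
      i++; j++;
    }
    if (isDigit(ca())) return 1;        // longer digit run wins
    if (isDigit(cb())) return -1;
    if (firstDiff !== 0) return firstDiff;
  }
  return 0;
}

// Split "[epoch:]upstream[-revision]"; the revision is after the last '-'.
function splitVersion(v) {
  let epoch = 0, rest = v;
  const colon = rest.indexOf(':');
  if (colon !== -1) { epoch = parseInt(rest.slice(0, colon), 10); rest = rest.slice(colon + 1); }
  const dash = rest.lastIndexOf('-');
  return dash === -1
    ? { epoch, upstream: rest, revision: '' }
    : { epoch, upstream: rest.slice(0, dash), revision: rest.slice(dash + 1) };
}

// Returns <0, 0 or >0, like dpkg's dpkg_version_compare().
function compareVersions(a, b) {
  const va = splitVersion(a), vb = splitVersion(b);
  if (va.epoch !== vb.epoch) return va.epoch - vb.epoch;
  const up = verrevcmp(va.upstream, vb.upstream);
  return up !== 0 ? up : verrevcmp(va.revision, vb.revision);
}

// true when the installed version is at or above the notice's fixed version;
// null when the package/release pair is not covered by the table.
function isFixed(pkg, release, installed) {
  const fixed = FIXED_VERSIONS[pkg] && FIXED_VERSIONS[pkg][release];
  if (!fixed) return null;
  return compareVersions(installed, fixed) >= 0;
}

console.log(isFixed('unzip', '18.04', '6.0-21ubuntu1'),      // false: pre-fix
            isFixed('node-json5', '20.04', '0.5.1-3ubuntu0.1')); // true
```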
Updated dnsmasq packages fix a security issue: upstream dnsmasq runs as the nobody user, which could lead to a security issue if multiple services run as this same user.

MGASA-2018-0427 - Updated dnsmasq packages fix security issue

Publication date: 03 Nov 2018
URL: https://advisories.mageia.org/MGASA-2018-0427.html
Type: security
Affected Mageia releases: 6

Updated dnsmasq packages fix a security issue

Upstream dnsmasq runs as the nobody user, which could lead to a security
issue if multiple services run as this same user. This update makes
dnsmasq run as its own user: dnsmasq.

References:
- https://bugs.mageia.org/show_bug.cgi?id=22694
- https://lists.fedoraproject.org/archives/list/

After the update, `ps -o user= -C dnsmasq` should report dnsmasq rather than nobody; if it still shows nobody, the running process predates the update and needs a restart.
An update is now available for Red Hat OpenStack Platform 10.0 (Newton). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenStack Platform director security update
Advisory ID:       RHSA-2018:1593-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:1593
Issue date:        2018-05-17
CVE Names:         CVE-2017-12155 CVE-2018-1000115
====================================================================

1. Summary:

An update is now available for Red Hat OpenStack Platform 10.0 (Newton).

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 10.0 - noarch

3. Description:

Red Hat OpenStack Platform director provides the facilities for deploying
and monitoring a private or public infrastructure-as-a-service (IaaS) cloud
based on Red Hat OpenStack Platform.

Security Fix(es):

* A resource-permission flaw was found in the python-tripleo and
openstack-tripleo-heat-templates packages where ceph.client.openstack.keyring
is created as world-readable. A local attacker with access to the key could
read or modify data on Ceph cluster pools for OpenStack as though the
attacker were the OpenStack service, thus potentially reading or modifying
data in an OpenStack Block Storage volume. To exploit this flaw, the
attacker must have local access to an overcloud node. However, by default,
access to overcloud nodes is restricted and accessible only from the
management undercloud server on an internal network. (CVE-2017-12155)

This issue was discovered by Katuya Kawakami (NEC).

* It was discovered that the memcached connections using UDP transport
protocol can be abused for efficient traffic amplification distributed
denial of service (DDoS) attacks. A remote attacker could send a malicious
UDP request using a spoofed source IP address of a target system to
memcached, causing it to send a significantly larger response to the
target. (CVE-2018-1000115)

This advisory also addresses the following issues:

* This release adds support for deploying Dell EMC VMAX Block Storage
backend using the Red Hat OpenStack Platform director. (BZ#1503896)

* Using composable roles for deploying Dell SC and PS Block Storage backend
caused errors. The backends could only be deployed using
'cinder::config::cinder_config' hiera data. With this update, the
composable role support for deploying the Dell SC and PS Block Storage
backends is updated. As a result, they can now be deployed using composable
roles. (BZ#1552980)

* Previously, the iptables rules were managed by the Red Hat OpenStack
Platform director and the OpenStack Networking service, which resulted in
the rules created by the OpenStack Networking service persisting on disk.
As a result, rules that should not be loaded after an iptables restart or a
system reboot would be loaded, causing traffic issues. With this update,
the Red Hat OpenStack Platform director has been updated to exclude the
OpenStack Networking rules from '/etc/sysconfig/iptables' when the director
saves the firewall rules. As a result, an iptables restart or a system
reboot should work without causing traffic problems.

Note: It might be necessary to perform a rolling restart of the controller
nodes to ensure that any orphaned managed neutron rules are no longer
reloaded. (BZ#1541528)

* OS::TripleO::SwiftStorage::Ports* resources have been renamed to
OS::TripleO::ObjectStorage::Port* to ensure standalone Object Storage nodes
using the 'ObjectStorage' roles can be deployed correctly. Operators need
to modify their custom templates that previously used
OS::TripleO::SwiftStorage::Ports* settings. (BZ#1544802)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1414549 - Establish and set sensible defaults for ceilometer data retention period
1489360 - CVE-2017-12155 openstack-tripleo-heat-templates: Ceph client keyring is world-readable when deployed by director
1503896 - [RFE] - Dell-EMC VMAX storage integration with Director
1514532 - Ceilometer event dispatcher misses `gnocchi'
1514842 - Keystone Admin API on external Network down after upgrading to OSP10z6
1517302 - openstack-nova-migration is potentially missing after a minor update
1533602 - Backport: Fix the dellemc vmax to use the correct hiera name
1534540 - [Back-Port request to OSP10] aodh-base.yaml uses hard coded regionOne
1538753 - (OSP10 backport) Deployment templates for unsupported components causing some confusion
1541528 - Changing firewall rules with Director saves copy of all rules into /etc/sysconfig/iptables as part of a stack update with `openstack overcloud deploy`
1543883 - [UPGRADE] Upgrade from 9-> 10 failed: update_os_net_config: command not found
1544211 - iptables is dropping rules on package update
1544802 - Deployment fails with ERROR: Failed to validate: Failed to validate: resources[0]: The Resource Type (OS::TripleO::SwiftStorage::Ports::ManagementPort) could not be found.",
1545666 - validation-scripts/all-nodes.sh wait time verification
1547091 - rhel-registration broken with: Failed to validate: resources.NodeExtraConfig: "conditions" is not a valid keyword inside a resource definition'
1547957 - Undercloud / Overcloud Heat stack fails on: YAQL list index out of range (includes upgrades cases)
1551182 - CVE-2018-1000115 memcached: UDP server support allows spoofed traffic amplification DoS
1552980 - Errors with heat templates used to deploy Dell EMC SC and PS Cinder backends
1559093 - ceilometer event-list empty with event_dispatchers=gnocchi
1568596 - Rebase openstack-tripleo-heat-templates to f452e67
1568601 - Rebase puppet-tripleo to a2b2df9
1571840 - Attempting to use iptables with ipv6 address/prefix
1576577 - Attempting to Deploy RHOSP-10 with NetApp Driver Causes Failure in Overcloud Deploy

6. Package List:

Red Hat OpenStack Platform 10.0:

Source:
openstack-tripleo-heat-templates-5.3.10-1.el7ost.src.rpm
puppet-tripleo-5.6.8-6.el7ost.src.rpm

noarch:
openstack-tripleo-heat-templates-5.3.10-1.el7ost.noarch.rpm
puppet-tripleo-5.6.8-6.el7ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2017-12155
https://access.redhat.com/security/cve/CVE-2018-1000115
https://access.redhat.com/security/updates/classification#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBWv2ilNzjgjWX9erEAQhsow//VyQR5IsSkQofZLB0+kqpYTsblr8rSKFa 9Eayc1LTO8xUtwyvTRkT96tgI2pmTxfPva3KZM4gm0GsyQfAAfSmtxRBkQGt4MDl tkR7bFjlxtdZZz6n4tOleHqYLPmZSGmn6ROCE9cLH13lmrGzCeCclWCCnQdbf4Mc HE1Qg0Y2pA7jp/S2M4J76LqGc944pnH5IX7MDzLR++IuI8tHS5cltMjY6eI3nJoM IFqvUo9VIQh3XMYI9NFgNLLJso2s4li4CfqhsYgzGP0h1gNMFnfsQ528l+oMlkhJ C4iy0JSSTwnJEHTGObgLOFJupVWxu7Wvq7nYe2qGIbZNudhE6XESGLtRjbvup9H3 aj5KtESmTGMUn7Mzsn5KLL5RVLuHkzaAm5i3LjcIyd9bkOiVKHCSmuFhDGfhb5a0 EJFBIDtoegWoRalUnYITwiHCq1eb+86311pc4sV+LO3kM9jXa0U3iA7WafVAzTdd lH4tZyYl1NbUahm2kKxBOYBF7Qmz8Y26sHrN+B9wRxtDTRYVCrKXFpKS4qzX45n+ MNfI+by0Lybflhy7H7g63pxpKgBpMjVT2kVzMPLX9ToizQ7R8G91FRacoW0MsrOO BTzbF//U/TwWo/ImbuRRMlOOZX01l/bvUKvqRXeju0IqMgPbaKiX/xrbqfoZY+FI N8eFl5BeXk4=
=jJ2L
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
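Detection logic for the memcached UDP amplification pattern described under CVE-2018-1000115 in the advisory above, as an added example that is not part of the Red Hat advisory. The flow records are constructed for the example (RFC 5737 test addresses; the field names and thresholds are this example's own), and 11211 is memcached's default port. A second function checks the OPTIONS line of /etc/sysconfig/memcached, where `-U 0` switches the UDP listener off.

```javascript
// Added example (not Red Hat's code). Runs amplification detection for the
// memcached UDP reflection pattern (CVE-2018-1000115) over constructed flow
// records, and checks whether a memcached OPTIONS line disables UDP.

const MEMCACHED_PORT = 11211; // memcached's default port

// Constructed sample, as a flow collector might summarise UDP flows: three
// tiny "requests" from 203.0.113.10 that each draw a huge reply, one normal
// internal client, and an unrelated DNS flow. Values are made up.
const SAMPLE_FLOWS = [
  { src: '203.0.113.10', dst: '198.51.100.5', proto: 'udp', dport: 11211, bytesIn: 15, bytesOut: 750000 },
  { src: '203.0.113.10', dst: '198.51.100.5', proto: 'udp', dport: 11211, bytesIn: 15, bytesOut: 748000 },
  { src: '203.0.113.10', dst: '198.51.100.5', proto: 'udp', dport: 11211, bytesIn: 15, bytesOut: 751000 },
  { src: '10.0.0.25',    dst: '198.51.100.5', proto: 'udp', dport: 11211, bytesIn: 40, bytesOut: 120 },
  { src: '203.0.113.10', dst: '198.51.100.5', proto: 'udp', dport: 53,    bytesIn: 60, bytesOut: 200 },
];

// Aggregate per (requester, memcached host) and flag requesters whose replies
// dwarf their requests. With spoofed packets the requester address is the
// victim, so the alert names it as the reflection target, not as an attacker.
function detectAmplification(flows, { minRatio = 50, minFlows = 2 } = {}) {
  const buckets = new Map();
  for (const f of flows) {
    if (f.proto !== 'udp' || f.dport !== MEMCACHED_PORT) continue;
    const key = `${f.src}->${f.dst}`;
    const b = buckets.get(key) || { src: f.src, dst: f.dst, flows: 0, bytesIn: 0, bytesOut: 0 };
    b.flows += 1;
    b.bytesIn += f.bytesIn;
    b.bytesOut += f.bytesOut;
    buckets.set(key, b);
  }
  const alerts = [];
  for (const b of buckets.values()) {
    const ratio = b.bytesIn > 0 ? b.bytesOut / b.bytesIn : Infinity;
    if (b.flows >= minFlows && ratio >= minRatio) {
      alerts.push({
        reflectionTarget: b.src,
        memcachedHost: b.dst,
        flows: b.flows,
        amplification: Math.round(ratio),
      });
    }
  }
  return alerts;
}

// Remediation check for an OPTIONS line such as the one in
// /etc/sysconfig/memcached: memcached's -U sets the UDP port, and 0 turns the
// UDP listener off. A missing -U is reported as not confirmed off, because
// memcached releases before 1.5.6 listen on UDP by default.
function udpListenerDisabled(optionsLine) {
  const m = optionsLine.match(/(?:^|[\s"'])-U\s*(\d+)/);
  return m !== null && m[1] === '0';
}

console.log(detectAmplification(SAMPLE_FLOWS));
console.log(udpListenerDisabled('OPTIONS="-U 0 -l 127.0.0.1"'));
```

In a reflection attack the source address seen by the memcached host is the spoofed victim; the real attacker does not appear in the reflector's own flow data at all, which is why the alert is phrased around the target. Binding memcached to an internal address (the `-l` option) is the usual companion change to disabling UDP, since the TCP listener still leaks cached data to anyone who can reach it.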
Multiple security issues have been found in Iceweasel, Debian's version of the Mozilla Firefox web browser: Multiple memory safety errors, buffer overflows, use-after-frees and other implementation errors may lead to the execution of arbitrary code, denial of service, address bar .

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3510-1
Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail client: Multiple memory safety errors, use-after-frees and other implementation errors may lead to the execution of arbitrary code, the bypass of security restrictions or .

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3212-1