Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found 11 articles for you...
197
security advisorymoderatedebianDebian 10 Buster DLA-3487-1 Moderate: Fusiondirectory XSS And Session Flaw
A potential Cross Site Scripting (XSS) vulnerablity (CVE-2022-36180) and session handling vulnerability (CVE-2022-36179 )have been found in fusiondirectory, a Web Based LDAP Administration Program. . -------------------------------------------------------------------------Debian LTS Advisory DLA-3487-1
Jul 08, 2023
Debian LTS
203
security advisorycritical threatsecurity flawMageia 8: MGASA-2021-0441 Critical: Libssh Session ID Issue
A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically, . MGASA-2021-0441 - Updated libssh packages fix security vulnerability Publication date: 23 Sep 2021 URL: https://advisories.mageia.org/MGASA-2021-0441.html Type: security Affected Mageia releases: 8 CVE: CVE-2021-3634 A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as an input to new secret_hash. Historically, both of these buffers had shared length variable, which worked as long as these buffers were same. But the key re-exchange operation can also change the key exchange method, which can be based on hash of different size, eventually creating "secret_hash" of different size than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used again during second key re-exchange. (CVE-2021-3634) References: - https://bugs.mageia.org/show_bug.cgi?id=29419 - https://www.libssh.org/security/advisories/CVE-2021-3634.txt - - https://ubuntu.com/security/notices/USN-5053-1 - https://lists.debian.org/debian-security-announce/2021/msg00150.html - https://www.cve.org/CVERecord?id=CVE-2021-3634 SRPMS: - 8/core/libssh-0.9.6-1.mga8 . Mageia 2021-0441 resolves vulnerabilities in libssh impacting earlier releases. Update now accessible along with comprehensive advisory details.. libssh Security Advisory,Mageia 8 Security Update,Session ID Issue,Security Flaw Fix. . Severity: Critical. LinuxSecurity.com Team
Sep 23, 2021
•Critical
Mageia
202
security advisorymoderate severitysession issueopenSUSE: 2021:0934-1 Moderate: tpm2.0-tools Session Fix
An update that fixes one vulnerability is now available. . openSUSE Security Update: Security update for tpm2.0-tools ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:0934-1 Rating: moderate References: #1186490 Cross-References: CVE-2021-3565 CVSS scores: CVE-2021-3565 (NVD) : 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-3565 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for tpm2.0-tools fixes the following issues: - CVE-2021-3565: Fixed issue when no encrypted session with the TPM is used (bsc#1186490). This update was imported from the SUSE:SLE-15-SP2:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-934=1 Package List: - openSUSE Leap 15.2 (x86_64): tpm2.0-tools-4.1-lp152.2.3.1 tpm2.0-tools-debuginfo-4.1-lp152.2.3.1 tpm2.0-tools-debugsource-4.1-lp152.2.3.1 References: https://www.suse.com/security/cve/CVE-2021-3565.html https://bugzilla.suse.com/1186490 . A security patch for tpm2.0-tools addressing CVE-2021-3565 has been released on openSUSE. Check the official repository for installation instructions and download links to the updates. openSUSE updates, tpm2.0-tools, security fixes. . LinuxSecurity.com Team
Jun 27, 2021
OpenSUSE
100
security advisorymoderatecurlSUSE MicroOS: 2021:1006-1 Moderate: Curl Session Vulnerabilities
An update that fixes two vulnerabilities is now available. . SUSE Security Update: Security update for curl ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:1006-1 Rating: moderate References: #1183933 #1183934 Cross-References: CVE-2021-22876 CVE-2021-22890 CVSS scores: CVE-2021-22876 (SUSE): 6.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N CVE-2021-22890 (SUSE): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N Affected Products: SUSE MicroOS 5.0 SUSE Linux Enterprise Module for Basesystem 15-SP2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for curl fixes the following issues: - CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934) - CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE MicroOS 5.0: zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1006=1 - SUSE Linux Enterprise Module for Basesystem 15-SP2: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1006=1 Package List: - SUSE MicroOS 5.0 (aarch64 x86_64): curl-7.66.0-4.14.1 curl-debuginfo-7.66.0-4.14.1 curl-debugsource-7.66.0-4.14.1 libcurl4-7.66.0-4.14.1 libcurl4-debuginfo-7.66.0-4.14.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2 (aarch64 ppc64le s390x x86_64): curl-7.66.0-4.14.1 curl-debuginfo-7.66.0-4.14.1 curl-debugsource-7.66.0-4.14.1 libcurl-devel-7.66.0-4.14.1 libcurl4-7.66.0-4.14.1 libcurl4-debuginfo-7.66.0-4.14.1 - SUSE Linux Enterprise Module for Basesystem 15-SP2(x86_64): libcurl4-32bit-7.66.0-4.14.1 libcurl4-32bit-debuginfo-7.66.0-4.14.1 References: https://www.suse.com/security/cve/CVE-2021-22876.html https://www.suse.com/security/cve/CVE-2021-22890.html https://bugzilla.suse.com/1183933 https://bugzilla.suse.com/1183934 . Keep up to date with this notification covering two curl vulnerabilities in SUSE MicroOS aimed at improving security measures and system efficiency.. SUSE MicroOS Curl Update, Curl Security Fix, Linux Patch Management. . LinuxSecurity.com Team
Apr 01, 2021
SuSE
89
security advisoryFedoramemory corruptionFedora 31 Advisory: Critical Bugs Fixed in PHP 7.3.15 Release
**PHP version 7.3.15** (20 Feb 2020) **Core:** * Fixed bug php#71876 (Memory corruption htmlspecialchars(): charset `*' not supported). (Nikita) * Fixed bug #php#79146 (cscript can fail to run on some systems). (clarodeus) * Fixed bug php#78323 (Code 0 is returned on invalid options). (Ivan Mikheykin) * Fixed bug php#76047 (Use-after-free when accessing already destructed backtrace. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2020-32f9a2b308 2020-02-27 17:26:04.898486 --------------------------------------------------------------------------------Name : php Product : Fedora 31 Version : 7.3.15 Release : 1.fc31 URL : https://www.php.net/ Summary : PHP scripting language for creating dynamic web sites Description : PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The php package contains the module (often referred to as mod_php) which adds support for the PHP language to Apache HTTP Server. --------------------------------------------------------------------------------Update Information: **PHP version 7.3.15** (20 Feb 2020) **Core:** * Fixed bug php#71876 (Memory corruption htmlspecialchars(): charset `*' not supported). (Nikita) * Fixed bug #php#79146 (cscript can fail to run on some systems). (clarodeus) * Fixed bug php#78323 (Code 0 is returned on invalid options). (Ivan Mikheykin) * Fixed bug php#76047 (Use-after-free when accessing already destructed backtrace arguments). (Nikita) **CURL:** * Fixed bug php#79078 (Hypothetical use-after-free in curl_multi_add_handle()). (cmb) **Intl:** * Fixed bug php#79212 (NumberFormatter::format()may detect wrong type). (cmb) **Libxml:** * Fixed bug php#79191 (Error in SoapClient ctor disables DOMDocument::save()). (Nikita, cmb) **MBString:** * Fixed bug php#79154 (mb_convert_encoding() can modify $from_encoding). (cmb) **MySQLnd:** * Fixed bug php#79084 (mysqlnd may fetch wrong column indexes with MYSQLI_BOTH). (cmb) **OpenSSL:** * Fixed bug php#79145 (openssl memory leak). (cmb, Nikita) **Phar:** * Fixed bug php#79082 (Files added to tar with Phar::buildFromIterator have all-access permissions). (**CVE-2020-7063**) (stas) * Fixed bug php#79171 (heap-buffer-overflow in phar_extract_file). (**CVE-2020-7061**) (cmb) * Fixed bug php#76584 (PharFileInfo::decompress not working). (cmb) **Reflection:** * Fixed bug php#79115 (ReflectionClass::isCloneable call reflected class __destruct). (Nikita) **Session:** * Fixed bug php#79221 (Null Pointer Dereference in PHP Session Upload Progress). (**CVE-2020-7062**) (stas) **SPL:** * Fixed bug php#79151 (heap use after free caused by spl_dllist_it_helper_move_forward). (Nikita) **Standard:** * Fixed bug php#78902 (Memory leak when using stream_filter_append). (liudaixiao) **Testing:** * Fixed bug php#78090 (bug45161.phpt takes forever to finish). (cmb) **XSL:** * Fixed bug php#70078 (XSL callbacks with nodes as parameter leak memory). (cmb) --------------------------------------------------------------------------------ChangeLog: * Tue Feb 18 2020 Remi Collet - 7.3.15-1 - Update to 7.3.15 - https://www.php.net/releases/7_3_15.php * Tue Jan 21 2020 Remi Collet - 7.3.14-1 - Update to 7.3.14 - https://www.php.net/releases/7_3_14.php * Tue Jan 7 2020 Remi Collet - 7.3.14~RC1-1 - update to 7.3.14RC1 * Tue Dec 17 2019 Remi Collet - 7.3.13-1 - Update to 7.3.13 - https://www.php.net/releases/7_3_13.php * Tue Dec 3 2019 Remi Collet - 7.3.13~RC1-1 - update to 7.3.13RC1 * Tue Nov 19 2019 Remi Collet - 7.3.12-1 - Update to 7.3.12 - https://www.php.net/releases/7_3_12.php * Wed Nov 6 2019 Remi Collet -7.3.12~RC1-1 - update to 7.3.12RC1 * Tue Oct 22 2019 Remi Collet - 7.3.11-1 - Update to 7.3.11 - https://www.php.net/releases/7_3_11.php --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-32f9a2b308' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Feb 27, 2020
•Critical
Fedora
197
security advisorydebiansession issueDebian Jessie DLA-2038-2 x2goclient Critical Session Issue Fix
A change introduced in libssh 0.6.3-4+deb8u4 (which got released as DLA 2038-1) has broken x2goclient's way of scp'ing session setup files from client to server, resulting in an error message shown in a GUI error dialog box during session startup (and session resuming). . Package : x2goclient Version : 4.0.3.1-4+deb8u1 Debian Bug : 947129 A change introduced in libssh 0.6.3-4+deb8u4 (which got released as DLA 2038-1) has broken x2goclient's way of scp'ing session setup files from client to server, resulting in an error message shown in a GUI error dialog box during session startup (and session resuming). For Debian 8 "Jessie", this problem has been fixed in x2goclient version 4.0.3.1-4+deb8u1. We recommend that you upgrade your x2goclient packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail:
Dec 22, 2019
•Critical
Debian LTS
100
security advisoryaccess controlimportantSUSE: 2019:0889-1 Important: Apache2 Access Control Issues
An update that fixes three vulnerabilities is now available. . SUSE Security Update: Security update for apache2 ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:0889-1 Rating: important References: #1122839 #1131239 #1131241 Cross-References: CVE-2018-17199 CVE-2019-0217 CVE-2019-0220 Affected Products: SUSE Linux Enterprise Server 12-LTSS ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for apache2 fixes the following issues: Security issues fixed: - CVE-2018-17199: A bug in Apache's "mod_session_cookie" lead to an issue where the module did not respect a cookie's expiry time. [bsc#1122839] * CVE-2019-0220: The Apache HTTP server did not use a consistent strategy for URL normalization throughout all of its components. In particular, consecutive slashes were not always collapsed. Attackers could potentially abuse these inconsistencies to by-pass access control mechanisms and thus gain unauthorized access to protected parts of the service. [bsc#1131241] * CVE-2019-0217: A race condition in Apache's "mod_auth_digest" when running in a threaded server could have allowed users with valid credentials to authenticate using another username, bypassing configured access control restrictions. [bsc#1131239] Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2019-889=1 Package List: - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): apache2-2.4.10-14.36.1 apache2-debuginfo-2.4.10-14.36.1 apache2-debugsource-2.4.10-14.36.1 apache2-example-pages-2.4.10-14.36.1 apache2-prefork-2.4.10-14.36.1 apache2-prefork-debuginfo-2.4.10-14.36.1 apache2-utils-2.4.10-14.36.1 apache2-utils-debuginfo-2.4.10-14.36.1 apache2-worker-2.4.10-14.36.1 apache2-worker-debuginfo-2.4.10-14.36.1 - SUSE Linux Enterprise Server 12-LTSS (noarch): apache2-doc-2.4.10-14.36.1 References: https://www.suse.com/security/cve/CVE-2018-17199.html https://www.suse.com/security/cve/CVE-2019-0217.html https://www.suse.com/security/cve/CVE-2019-0220.html https://bugzilla.suse.com/1122839 https://bugzilla.suse.com/1131239 https://bugzilla.suse.com/1131241 _______________________________________________ sle-security-updates mailing list
Apr 05, 2019
•Important
SuSE
98
security advisoryred hatimportantRed Hat 7: RHSA-2016:2809-01 Important: Ipsilon DoS Session Issue
An update for ipsilon is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ==================================================================== Red Hat Security Advisory Synopsis: Important: ipsilon security update Advisory ID: RHSA-2016:2809-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2016:2809.html Issue date: 2016-11-21 CVE Names: CVE-2016-8638 ==================================================================== 1. Summary: An update for ipsilon is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server (v. 7) - noarch 3. Description: The ipsilon packages provide the Ipsilon identity provider service for federated single sign-on (SSO). Ipsilon links authentication providers and applications or utilities to allow for SSO. It includes a server and utilities to configure Apache-based service providers. Security Fix(es): * A vulnerability was found in ipsilon in the SAML2 provider's handling of sessions. An attacker able to hit the logout URL could determine what service providers other users are logged in to and terminate their sessions. (CVE-2016-8638) This issue was discovered by Patrick Uiterwijk (Red Hat) and Howard Johnson. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed(https://bugzilla.redhat.com/): 1392829 - CVE-2016-8638 ipsilon: DoS via logging out all open SAML2 sessions 6. Package List: Red Hat Enterprise Linux Server (v. 7): Source: ipsilon-1.0.0-13.el7_3.src.rpm noarch: ipsilon-1.0.0-13.el7_3.noarch.rpm ipsilon-authform-1.0.0-13.el7_3.noarch.rpm ipsilon-authgssapi-1.0.0-13.el7_3.noarch.rpm ipsilon-authldap-1.0.0-13.el7_3.noarch.rpm ipsilon-base-1.0.0-13.el7_3.noarch.rpm ipsilon-client-1.0.0-13.el7_3.noarch.rpm ipsilon-filesystem-1.0.0-13.el7_3.noarch.rpm ipsilon-infosssd-1.0.0-13.el7_3.noarch.rpm ipsilon-persona-1.0.0-13.el7_3.noarch.rpm ipsilon-saml2-1.0.0-13.el7_3.noarch.rpm ipsilon-saml2-base-1.0.0-13.el7_3.noarch.rpm ipsilon-tools-ipa-1.0.0-13.el7_3.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-8638 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFYMumXXlSAg2UNWIIRAiLWAJ9KI2+OnMI5+a9ufCpKAV4/aoBztgCgoFNK YaJ728CWgwA3R5mGP6taDLk=xOPm -----END PGP SIGNATURE----- -- Enterprise-watch-list mailing list
Nov 21, 2016
•Important
Red Hat
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!