
Stay Secure with the Latest Linux Advisories



Explore Latest Linux Security advisories


Red Hat Enterprise Linux 7.6 RHSA-2021:4771 Moderate RPM Signature Bypass

An update for rpm is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support, Red Hat Enterprise Linux 7.6 Telco Extended Update Support, and Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rpm security update
Advisory ID:       RHSA-2021:4771-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4771
Issue date:        2021-11-23
CVE Names:         CVE-2021-20271
====================================================================

1. Summary:

An update for rpm is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support, Red Hat Enterprise Linux 7.6 Telco Extended Update Support, and Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.6) - x86_64
Red Hat Enterprise Linux Server E4S (v. 7.6) - ppc64le, x86_64
Red Hat Enterprise Linux Server Optional AUS (v. 7.6) - noarch, x86_64
Red Hat Enterprise Linux Server Optional E4S (v. 7.6) - noarch, ppc64le, x86_64
Red Hat Enterprise Linux Server Optional TUS (v. 7.6) - noarch, x86_64
Red Hat Enterprise Linux Server TUS (v. 7.6) - x86_64

3. Description:

The RPM Package Manager (RPM) is a command-line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages.

Security Fix(es):

* rpm: Signature checks bypass via corrupted rpm package (CVE-2021-20271)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running applications linked against the RPM library must be restarted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1934125 - CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.6):

Source:
rpm-4.11.3-35.el7_6.2.src.rpm

x86_64:
rpm-4.11.3-35.el7_6.2.x86_64.rpm
rpm-build-4.11.3-35.el7_6.2.x86_64.rpm
rpm-build-libs-4.11.3-35.el7_6.2.i686.rpm
rpm-build-libs-4.11.3-35.el7_6.2.x86_64.rpm
rpm-debuginfo-4.11.3-35.el7_6.2.i686.rpm
rpm-debuginfo-4.11.3-35.el7_6.2.x86_64.rpm
rpm-devel-4.11.3-35.el7_6.2.i686.rpm
rpm-devel-4.11.3-35.el7_6.2.x86_64.rpm
rpm-libs-4.11.3-35.el7_6.2.i686.rpm
rpm-libs-4.11.3-35.el7_6.2.x86_64.rpm
rpm-python-4.11.3-35.el7_6.2.x86_64.rpm
rpm-sign-4.11.3-35.el7_6.2.x86_64.rpm

Red Hat Enterprise Linux Server E4S (v. 7.6):

Source:
rpm-4.11.3-35.el7_6.2.src.rpm

ppc64le:
rpm-4.11.3-35.el7_6.2.ppc64le.rpm
rpm-build-4.11.3-35.el7_6.2.ppc64le.rpm
rpm-build-libs-4.11.3-35.el7_6.2.ppc64le.rpm
rpm-debuginfo-4.11.3-35.el7_6.2.ppc64le.rpm
rpm-devel-4.11.3-35.el7_6.2.ppc64le.rpm
rpm-libs-4.11.3-35.el7_6.2.ppc64le.rpm
rpm-python-4.11.3-35.el7_6.2.ppc64le.rpm
rpm-sign-4.11.3-35.el7_6.2.ppc64le.rpm

x86_64:
rpm-4.11.3-35.el7_6.2.x86_64.rpm
rpm-build-4.11.3-35.el7_6.2.x86_64.rpm
rpm-build-libs-4.11.3-35.el7_6.2.i686.rpm
rpm-build-libs-4.11.3-35.el7_6.2.x86_64.rpm
rpm-debuginfo-4.11.3-35.el7_6.2.i686.rpm
rpm-debuginfo-4.11.3-35.el7_6.2.x86_64.rpm
rpm-devel-4.11.3-35.el7_6.2.i686.rpm
rpm-devel-4.11.3-35.el7_6.2.x86_64.rpm
rpm-libs-4.11.3-35.el7_6.2.i686.rpm
rpm-libs-4.11.3-35.el7_6.2.x86_64.rpm
rpm-python-4.11.3-35.el7_6.2.x86_64.rpm
rpm-sign-4.11.3-35.el7_6.2.x86_64.rpm

Red Hat Enterprise Linux Server TUS (v. 7.6):

Source:
rpm-4.11.3-35.el7_6.2.src.rpm

x86_64:
rpm-4.11.3-35.el7_6.2.x86_64.rpm
rpm-build-4.11.3-35.el7_6.2.x86_64.rpm
rpm-build-libs-4.11.3-35.el7_6.2.i686.rpm
rpm-build-libs-4.11.3-35.el7_6.2.x86_64.rpm
rpm-debuginfo-4.11.3-35.el7_6.2.i686.rpm
rpm-debuginfo-4.11.3-35.el7_6.2.x86_64.rpm
rpm-devel-4.11.3-35.el7_6.2.i686.rpm
rpm-devel-4.11.3-35.el7_6.2.x86_64.rpm
rpm-libs-4.11.3-35.el7_6.2.i686.rpm
rpm-libs-4.11.3-35.el7_6.2.x86_64.rpm
rpm-python-4.11.3-35.el7_6.2.x86_64.rpm
rpm-sign-4.11.3-35.el7_6.2.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.6):

noarch:
rpm-apidocs-4.11.3-35.el7_6.2.noarch.rpm
rpm-cron-4.11.3-35.el7_6.2.noarch.rpm

x86_64:
rpm-debuginfo-4.11.3-35.el7_6.2.x86_64.rpm
rpm-plugin-systemd-inhibit-4.11.3-35.el7_6.2.x86_64.rpm

Red Hat Enterprise Linux Server Optional E4S (v. 7.6):

noarch:
rpm-apidocs-4.11.3-35.el7_6.2.noarch.rpm
rpm-cron-4.11.3-35.el7_6.2.noarch.rpm

ppc64le:
rpm-debuginfo-4.11.3-35.el7_6.2.ppc64le.rpm
rpm-plugin-systemd-inhibit-4.11.3-35.el7_6.2.ppc64le.rpm

x86_64:
rpm-debuginfo-4.11.3-35.el7_6.2.x86_64.rpm
rpm-plugin-systemd-inhibit-4.11.3-35.el7_6.2.x86_64.rpm

Red Hat Enterprise Linux Server Optional TUS (v. 7.6):

noarch:
rpm-apidocs-4.11.3-35.el7_6.2.noarch.rpm
rpm-cron-4.11.3-35.el7_6.2.noarch.rpm

x86_64:
rpm-debuginfo-4.11.3-35.el7_6.2.x86_64.rpm
rpm-plugin-systemd-inhibit-4.11.3-35.el7_6.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2021-20271
https://access.redhat.com/security/updates/classification#moderate

8. Contact:

The Red Hat security contact is [address not shown on this page]. More contact details at https://access.redhat.com/security/team/contact

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYZz9kdzjgjWX9erEAQjBVhAAhVWwglN0b8rmDy8bmCMUBc82Pa+DK/PX
oQkc0cu+V8YT2V7bMqymnMac/8PI/Mg4nNkP7m2KQtNEyxPSsYSc8B0uNpQyyuE2
LKmZrm7QsJC9KFBPobzGnPMp1xkSaUVBy7KDG8+kchDOmCQ3pEnjkOaHv4B6gNN1
/L/gN5VpkbyrkWz/T5J3nsdZ6DmYRTe/2ewuZwzpZMukZXS9V6UbmnCKRQ7ORrLT
Z21vINHYbVar9oKTdCVCjlIShLTkZuo0HlDU9GhT6tWkZF2lwDnw+1Q3pxnrYCbF
Ea0Ner/O8aXLj9eFjczCZ2Qm8X7E2FJCcbGYY6dB8ylcPuZFHL4ZHBpTpUHCrKJM
lL/4VSqs/KY6vJBmQsbeUSTtDSkjmfzI+SxGN9W4DVI1mRKRaqrvhkjt+3E766zL
BbI+dssVyM2xnCFhkzX8r918bqLmKTFn6vVgSFZNWy2eMdT03wCd68N8RIndb1UN
4/Er2lkg4s7Zp1nf7oiK5HLlFt/mfZEEJ+k8S1crSziIySfgvtESnkuI1mPx56O1
jv9aQ4H+nu1AmcwHxdwVVa6izpeWGFSU9nC5HeGXlsz3VeEDwAUoPrOWra3B9zfB
z3ZfH5ZaBBwLgQj52R6hBy55uFepyr0lUAwsv+gcvpYm9z4MSQ19SefqJBewmlf0
spvlSgwYHRg=
=I2gA
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list

Nov 23, 2021 | Red Hat | LinuxSecurity.com Team

SUSE: 2020:0495-1 Moderate: ovmf Memory Leak and Signature Issues

An update that solves four vulnerabilities and has one errata is now available.

   SUSE Security Update: Security update for ovmf
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:0495-1
Rating:             moderate
References:         #1077330 #1094291 #1163927 #1163959 #1163969
Cross-References:   CVE-2018-0739 CVE-2019-14559 CVE-2019-14563 CVE-2019-14575
Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
______________________________________________________________________________

An update that solves four vulnerabilities and has one errata is now available.

Description:

This update for ovmf fixes the following issues:

Security issues fixed:

- CVE-2018-0739: Update openssl to 1.0.2o to limit ASN.1 constructed types recursive definition depth (bsc#1094291).
- CVE-2019-14563: Fixed a memory corruption caused by insufficient numeric truncation (bsc#1163959).
- CVE-2019-14559: Fixed a remotely exploitable memory leak in the ARP handling code (bsc#1163927).
- CVE-2019-14575: Fixed an insufficient signature check in the DxeImageVerificationHandler (bsc#1163969).

Bug fixes:

- Only use SLES-UEFI-CA-Certificate-2048.crt for the SUSE flavor to provide the better compatibility. (bsc#1077330)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud 7:
    zypper in -t patch SUSE-OpenStack-Cloud-7-2020-495=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
    zypper in -t patch SUSE-SLE-SAP-12-SP2-2020-495=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2020-495=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2020-495=1

Package List:

- SUSE OpenStack Cloud 7 (x86_64):
    ovmf-2015+git1462940744.321151f-19.10.3
    ovmf-tools-2015+git1462940744.321151f-19.10.3
- SUSE OpenStack Cloud 7 (noarch):
    qemu-ovmf-x86_64-2015+git1462940744.321151f-19.10.3
- SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):
    ovmf-2015+git1462940744.321151f-19.10.3
    ovmf-tools-2015+git1462940744.321151f-19.10.3
- SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
    qemu-ovmf-x86_64-2015+git1462940744.321151f-19.10.3
- SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64):
    ovmf-2015+git1462940744.321151f-19.10.3
    ovmf-tools-2015+git1462940744.321151f-19.10.3
- SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
    qemu-ovmf-x86_64-2015+git1462940744.321151f-19.10.3
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
    ovmf-2015+git1462940744.321151f-19.10.3
    ovmf-tools-2015+git1462940744.321151f-19.10.3
- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
    qemu-ovmf-x86_64-2015+git1462940744.321151f-19.10.3

References:

https://www.suse.com/security/cve/CVE-2018-0739.html
https://www.suse.com/security/cve/CVE-2019-14559.html
https://www.suse.com/security/cve/CVE-2019-14563.html
https://www.suse.com/security/cve/CVE-2019-14575.html
https://bugzilla.suse.com/1077330
https://bugzilla.suse.com/1094291
https://bugzilla.suse.com/1163927
https://bugzilla.suse.com/1163959
https://bugzilla.suse.com/1163969

_______________________________________________
sle-security-updates mailing list
http://lists.suse.com/mailman/listinfo/sle-security-updates

Feb 26, 2020 | SUSE | LinuxSecurity.com Team

SUSE: 2019:3024-1 Moderate: python-ecdsa Signature Check Issues

An update that fixes two vulnerabilities is now available.

   SUSE Security Update: Security update for python-ecdsa
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:3024-1
Rating:             moderate
References:         #1153165 #1154217
Cross-References:   CVE-2019-14853 CVE-2019-14859
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE OpenStack Cloud 7
                    SUSE Manager Server 3.2
                    SUSE Linux Enterprise Module for Public Cloud 12
                    SUSE CaaS Platform 3.0
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for python-ecdsa to version 0.13.3 fixes the following issues:

Security issues fixed:

- CVE-2019-14853: Fixed unexpected exceptions during signature decoding (bsc#1153165).
- CVE-2019-14859: Fixed a signature malleability caused by insufficient checks of DER encoding (bsc#1154217).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2019-3024=1
- SUSE OpenStack Cloud Crowbar 8:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-3024=1
- SUSE OpenStack Cloud 9:
    zypper in -t patch SUSE-OpenStack-Cloud-9-2019-3024=1
- SUSE OpenStack Cloud 8:
    zypper in -t patch SUSE-OpenStack-Cloud-8-2019-3024=1
- SUSE OpenStack Cloud 7:
    zypper in -t patch SUSE-OpenStack-Cloud-7-2019-3024=1
- SUSE Manager Server 3.2:
    zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2019-3024=1
- SUSE Linux Enterprise Module for Public Cloud 12:
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2019-3024=1
- SUSE CaaS Platform 3.0:
    To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
- HPE Helion Openstack 8:
    zypper in -t patch HPE-Helion-OpenStack-8-2019-3024=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (noarch):
    python-ecdsa-0.13.3-5.10.1
- SUSE OpenStack Cloud Crowbar 8 (noarch):
    python-ecdsa-0.13.3-5.10.1
- SUSE OpenStack Cloud 9 (noarch):
    python-ecdsa-0.13.3-5.10.1
- SUSE OpenStack Cloud 8 (noarch):
    python-ecdsa-0.13.3-5.10.1
- SUSE OpenStack Cloud 7 (noarch):
    python-ecdsa-0.13.3-5.10.1
- SUSE Manager Server 3.2 (noarch):
    python-ecdsa-0.13.3-5.10.1
- SUSE Linux Enterprise Module for Public Cloud 12 (noarch):
    python-ecdsa-0.13.3-5.10.1
    python3-ecdsa-0.13.3-5.10.1
- SUSE CaaS Platform 3.0 (noarch):
    python-ecdsa-0.13.3-5.10.1
- HPE Helion Openstack 8 (noarch):
    python-ecdsa-0.13.3-5.10.1

References:

https://www.suse.com/security/cve/CVE-2019-14853.html
https://www.suse.com/security/cve/CVE-2019-14859.html
https://bugzilla.suse.com/1153165
https://bugzilla.suse.com/1154217

_______________________________________________
sle-security-updates mailing list
http://lists.suse.com/mailman/listinfo/sle-security-updates

Nov 21, 2019 | SUSE | LinuxSecurity.com Team

SUSE: 2018:2716-2 Important: Libzypp and Zypper Security Fix

An update that solves two vulnerabilities and has 12 fixes is now available.

   SUSE Security Update: Security update for libzypp, zypper
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2716-2
Rating:             important
References:         #1036304 #1045735 #1049825 #1070851 #1076192 #1079334 #1088705 #1091624 #1092413 #1096803 #1099847 #1100028 #1101349 #1102429
Cross-References:   CVE-2017-9269 CVE-2018-7685
Affected Products:
                    SUSE Linux Enterprise Server 12-SP2-BCL
______________________________________________________________________________

An update that solves two vulnerabilities and has 12 fixes is now available.

Description:

This update for libzypp, zypper provides the following fixes:

Update libzypp to version 16.17.20

Security issues fixed:

- PackageProvider: Validate delta rpms before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)
- PackageProvider: Validate downloaded rpm package signatures before caching (bsc#1091624, bsc#1088705, CVE-2018-7685)

Other bugs fixed:

- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- RepoManager: Explicitly request repo2solv to generate application pseudo packages.
- libzypp-devel should not require cmake (bsc#1101349)
- HardLocksFile: Prevent against empty commit without Target having been loaded (bsc#1096803)
- Avoid zombie tar processes (bsc#1076192)

Update to zypper to version 1.13.45

Security issue fixed:

- Improve signature check callback messages (bsc#1045735, CVE-2017-9269)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735, CVE-2017-9269)

Other bugs fixed:

- XML attribute `packages-to-change` added (bsc#1102429)
- man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
- Prevent nested calls to exit() if aborted by a signal (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope (bsc#1092413)
- Fix: zypper bash completion expands non-existing options (bsc#1049825)
- do not recommend cron (bsc#1079334)
- Improve signature check callback messages (bsc#1045735)
- add/modify repo: Add options to tune the GPG check settings (bsc#1045735)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP2-BCL:
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2018-1905=1

Package List:

- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
    libzypp-16.17.20-27.52.1
    libzypp-debuginfo-16.17.20-27.52.1
    libzypp-debugsource-16.17.20-27.52.1
    zypper-1.13.45-18.33.1
    zypper-debuginfo-1.13.45-18.33.1
    zypper-debugsource-1.13.45-18.33.1
- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
    zypper-log-1.13.45-18.33.1

References:

https://www.suse.com/security/cve/CVE-2017-9269.html
https://www.suse.com/security/cve/CVE-2018-7685.html
https://bugzilla.suse.com/1036304
https://bugzilla.suse.com/1045735
https://bugzilla.suse.com/1049825
https://bugzilla.suse.com/1070851
https://bugzilla.suse.com/1076192
https://bugzilla.suse.com/1079334
https://bugzilla.suse.com/1088705
https://bugzilla.suse.com/1091624
https://bugzilla.suse.com/1092413
https://bugzilla.suse.com/1096803
https://bugzilla.suse.com/1099847
https://bugzilla.suse.com/1100028
https://bugzilla.suse.com/1101349
https://bugzilla.suse.com/1102429

_______________________________________________
sle-security-updates mailing list
http://lists.suse.com/mailman/listinfo/sle-security-updates

Oct 18, 2018 | Important | SUSE | LinuxSecurity.com Team

SUSE: 2019:3589-1 Critical Updates for Libzypp and Zypper Vulnerabilities

An update that solves two vulnerabilities and has 26 fixes is now available.

   SUSE Security Update: Security update for libzypp, zypper
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2690-1
Rating:             important
References:         #1036304 #1041178 #1043166 #1045735 #1058515 #1066215 #1070770 #1070851 #1082318 #1084525 #1088037 #1088705 #1091624 #1092413 #1093103 #1096217 #1096617 #1096803 #1099847 #1100028 #1100095 #1100427 #1101349 #1102019 #1102429 #408814 #428822 #907538
Cross-References:   CVE-2017-9269 CVE-2018-7685
Affected Products:
                    SUSE Linux Enterprise Module for Development Tools 15
                    SUSE Linux Enterprise Module for Basesystem 15
______________________________________________________________________________

An update that solves two vulnerabilities and has 26 fixes is now available.

Description:

This update for libzypp, zypper, libsolv provides the following fixes:

Security fixes in libzypp:

- CVE-2018-7685: PackageProvider: Validate RPMs before caching (bsc#1091624, bsc#1088705)
- CVE-2017-9269: Be sure bad packages do not stay in the cache (bsc#1045735)

Changes in libzypp:

- Update to version 17.6.4
- Automatically fetch repository signing key from gpgkey url (bsc#1088037)
- lsof: use '-K i' if lsof supports it (bsc#1099847, bsc#1036304)
- Check for not imported keys after multi key import from rpmdb (bsc#1096217)
- Flags: make it std=c++14 ready
- Ignore /var, /tmp and /proc in zypper ps. (bsc#1096617)
- Show GPGME version in log
- Adapt to changes in libgpgme11-11.1.0 breaking the signature verification (bsc#1100427)
- RepoInfo::provideKey: add report telling where we look for missing keys.
- Support listing gpgkey URLs in repo files (bsc#1088037)
- Add new report to request user approval for importing a package key
- Handle http error 502 Bad Gateway in curl backend (bsc#1070851)
- Add filesize check for downloads with known size (bsc#408814)
- Removed superfluous space in translation (bsc#1102019)
- Prevent the system from sleeping during a commit
- RepoManager: Explicitly request repo2solv to generate application pseudo packages.
- libzypp-devel should not require cmake (bsc#1101349)
- Avoid zombies from ExternalProgram
- Update ApiConfig
- HardLocksFile: Prevent against empty commit without Target having been loaded (bsc#1096803)
- lsof: use '-K i' if lsof supports it (bsc#1099847)
- Add filesize check for downloads with known size (bsc#408814)
- Fix detection of metalink downloads and prevent aborting if a metalink file is larger than the expected data file.
- Require libsolv-devel >= 0.6.35 during build (fixing bsc#1100095)
- Make use of %license macro (bsc#1082318)

Security fix in zypper:

- CVE-2017-9269: Improve signature check callback messages (bsc#1045735)

Changes in zypper:

- Always set error status if any nr of unknown repositories are passed to lr and ref (bsc#1093103)
- Notify user about unsupported rpm V3 keys in an old rpm database (bsc#1096217)
- Detect read only filesystem on system modifying operations (fixes #199)
- Use %license (bsc#1082318)
- Handle repo aliases containing multiple ':' in the PackageArgs parser (bsc#1041178)
- Fix broken display of detailed query results.
- Fix broken search for items with a dash. (bsc#907538, bsc#1043166, bsc#1070770)
- Disable repository operations when searching installed packages. (bsc#1084525)
- Prevent nested calls to exit() if aborted by a signal. (bsc#1092413)
- ansi.h: Prevent ESC sequence strings from going out of scope. (bsc#1092413)
- Fix some translation errors.
- Support listing gpgkey URLs in repo files (bsc#1088037)
- Check for root privileges in zypper verify and si (bsc#1058515)
- XML attribute `packages-to-change` added (bsc#1102429)
- Add expert (allow-*) options to all installer commands (bsc#428822)
- Sort search results by multiple columns (bsc#1066215)
- man: Strengthen that `--config FILE' affects zypper.conf, not zypp.conf (bsc#1100028)
- Set error status if repositories passed to lr and ref are not known (bsc#1093103)
- Do not override table style in search
- Fix out of bound read in MbsIterator
- Add --supplements switch to search and info
- Add setter functions for zypp cache related config values to ZConfig

Changes in libsolv:

- convert repo2solv.sh script into a binary tool
- Make use of %license macro (bsc#1082318)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for Development Tools 15:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-2018-1883=1
- SUSE Linux Enterprise Module for Basesystem 15:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-2018-1883=1

Package List:

- SUSE Linux Enterprise Module for Development Tools 15 (aarch64 ppc64le s390x x86_64):
    libsolv-debuginfo-0.6.35-3.5.2
    libsolv-debugsource-0.6.35-3.5.2
    perl-solv-0.6.35-3.5.2
    perl-solv-debuginfo-0.6.35-3.5.2
    python3-solv-0.6.35-3.5.2
    python3-solv-debuginfo-0.6.35-3.5.2
    ruby-solv-0.6.35-3.5.2
    ruby-solv-debuginfo-0.6.35-3.5.2
- SUSE Linux Enterprise Module for Basesystem 15 (aarch64 ppc64le s390x x86_64):
    libsolv-debuginfo-0.6.35-3.5.2
    libsolv-debugsource-0.6.35-3.5.2
    libsolv-devel-0.6.35-3.5.2
    libsolv-devel-debuginfo-0.6.35-3.5.2
    libsolv-tools-0.6.35-3.5.2
    libsolv-tools-debuginfo-0.6.35-3.5.2
    libzypp-17.6.4-3.10.1
    libzypp-debuginfo-17.6.4-3.10.1
    libzypp-debugsource-17.6.4-3.10.1
    libzypp-devel-17.6.4-3.10.1
    python-solv-0.6.35-3.5.2
    python-solv-debuginfo-0.6.35-3.5.2
    zypper-1.14.10-3.7.1
    zypper-debuginfo-1.14.10-3.7.1
    zypper-debugsource-1.14.10-3.7.1
- SUSE Linux Enterprise Module for Basesystem 15 (noarch):
    zypper-log-1.14.10-3.7.1

References:

https://www.suse.com/security/cve/CVE-2017-9269.html
https://www.suse.com/security/cve/CVE-2018-7685.html
https://bugzilla.suse.com/1036304
https://bugzilla.suse.com/1041178
https://bugzilla.suse.com/1043166
https://bugzilla.suse.com/1045735
https://bugzilla.suse.com/1058515
https://bugzilla.suse.com/1066215
https://bugzilla.suse.com/1070770
https://bugzilla.suse.com/1070851
https://bugzilla.suse.com/1082318
https://bugzilla.suse.com/1084525
https://bugzilla.suse.com/1088037
https://bugzilla.suse.com/1088705
https://bugzilla.suse.com/1091624
https://bugzilla.suse.com/1092413
https://bugzilla.suse.com/1093103
https://bugzilla.suse.com/1096217
https://bugzilla.suse.com/1096617
https://bugzilla.suse.com/1096803
https://bugzilla.suse.com/1099847
https://bugzilla.suse.com/1100028
https://bugzilla.suse.com/1100095
https://bugzilla.suse.com/1100427
https://bugzilla.suse.com/1101349
https://bugzilla.suse.com/1102019
https://bugzilla.suse.com/1102429
https://bugzilla.suse.com/408814
https://bugzilla.suse.com/428822
https://bugzilla.suse.com/907538

_______________________________________________
sle-security-updates mailing list
http://lists.suse.com/mailman/listinfo/sle-security-updates

Sep 11, 2018 | Important | SUSE | LinuxSecurity.com Team

Fedora 24 Advisory: 2017-a73bc7ac5d Critical Validation Fix in Fedmsg

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2017-a73bc7ac5d
2017-01-27 18:29:56.052283
--------------------------------------------------------------------------------

Name        : fedmsg
Product     : Fedora 24
Version     : 0.18.2
Release     : 1.fc24
URL         : https://github.com/fedora-infra/fedmsg
Summary     : Tools for Fedora Infrastructure real-time messaging
Description :
Python API used around Fedora Infrastructure to send and receive messages with zeromq. Includes some CLI tools.
--------------------------------------------------------------------------------
Update Information:

Fix validation logic in the base consumer

The base consumer is intended to only derive its validation switch from the on-disk configuration if the child class doesn't override the validate_signatures switch. There was a bug here where the default value provided in the base class made it appear as if *all* child consumers had turned *off* validation, which is incorrect. This fix turns on signature validation by default while preserving the ability of child consumers to override the on-disk configuration in special cases.

- Fixes: CVE-2017-1000001
- Reviewed-by: Patrick Uiterwijk
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade fedmsg'
at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list

Jan 27, 2017 | Critical | Fedora | LinuxSecurity.com Team

Ubuntu 14.10: USN-2566-1 Critical: Dpkg Signature Bypass Exploit

dpkg could be tricked into bypassing source package signature checks.

==========================================================================
Ubuntu Security Notice USN-2566-1
April 09, 2015

dpkg vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

dpkg could be tricked into bypassing source package signature checks.

Software Description:
- dpkg: Debian package management system

Details:

Jann Horn discovered that dpkg incorrectly validated signatures when extracting local source packages. If a user or an automated system were tricked into unpacking a specially crafted source package, a remote attacker could bypass signature verification checks.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.10:
  libdpkg-perl                    1.17.13ubuntu1.1

Ubuntu 14.04 LTS:
  libdpkg-perl                    1.17.5ubuntu5.4

Ubuntu 12.04 LTS:
  libdpkg-perl                    1.16.1.2ubuntu7.6

Ubuntu 10.04 LTS:
  dpkg-dev                        1.15.5.6ubuntu4.10

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-2566-1
  CVE-2015-0840

Package Information:
  https://launchpad.net/ubuntu/+source/dpkg/1.17.13ubuntu1.1
  https://launchpad.net/ubuntu/+source/dpkg/1.17.5ubuntu5.4
  https://launchpad.net/ubuntu/+source/dpkg/1.16.1.2ubuntu7.6
  https://launchpad.net/ubuntu/+source/dpkg/1.15.5.6ubuntu4.10

Apr 09, 2015 | Critical | Ubuntu | LinuxSecurity.com Team

Ubuntu 12.10 USN-1694-1 Moderate: Bypass of rpm Signature Verification

RPM could incorrectly validate package signatures.

==========================================================================
Ubuntu Security Notice USN-1694-1
January 17, 2013

rpm vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

RPM could incorrectly validate package signatures.

Software Description:
- rpm: package manager for RPM

Details:

It was discovered that RPM incorrectly handled signature checking. An attacker could create a specially-crafted rpm with an invalid signature which could pass the signature validation check.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.10:
  rpm                             4.10.0-4ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-1694-1
  CVE-2012-6088

Package Information:
  https://launchpad.net/ubuntu/+source/rpm/4.10.0-4ubuntu0.1

Jan 17, 2013 | Ubuntu | LinuxSecurity.com Team
