Alerts This Week
1 637

Stay Secure with the Latest Linux Advisories


Explore Latest Linux Security advisories


Mageia 9 Thunderbird Security Update MGASA-2026-0081 Addresses Spoofing

MGASA-2026-0081 - Updated thunderbird packages fix security vulnerabilities.

Publication date: 02 Apr 2026
URL: https://advisories.mageia.org/MGASA-2026-0081.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-59375, CVE-2026-3889, CVE-2026-4684, CVE-2026-4685, CVE-2026-4686, CVE-2026-4687, CVE-2026-4688, CVE-2026-4689, CVE-2026-4690, CVE-2026-4691, CVE-2026-4692, CVE-2026-4693, CVE-2026-4694, CVE-2026-4695, CVE-2026-4696, CVE-2026-4697, CVE-2026-4698, CVE-2026-4699, CVE-2026-4700, CVE-2026-4701, CVE-2026-4702, CVE-2026-4704, CVE-2026-4705, CVE-2026-4706, CVE-2026-4707, CVE-2026-4708, CVE-2026-4709, CVE-2026-4710, CVE-2026-4711, CVE-2026-4712, CVE-2026-4713, CVE-2026-4714, CVE-2026-4715, CVE-2026-4716, CVE-2026-4717, CVE-2026-4718, CVE-2026-4719, CVE-2026-4720, CVE-2026-4721

Description:

- Denial-of-service in the XML component. (CVE-2025-59375)
- Spoofing issue in Thunderbird. (CVE-2026-3889)
- Race condition, use-after-free in the Graphics: WebRender component. (CVE-2026-4684)
- Incorrect boundary conditions in the Graphics: Canvas2D component. (CVE-2026-4685)
- Incorrect boundary conditions in the Graphics: Canvas2D component. (CVE-2026-4686)
- Sandbox escape due to incorrect boundary conditions in the Telemetry component. (CVE-2026-4687)
- Sandbox escape due to use-after-free in the Disability Access APIs component. (CVE-2026-4688)
- Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. (CVE-2026-4689)
- Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. (CVE-2026-4690)
- Use-after-free in the CSS Parsing and Computation component. (CVE-2026-4691)
- Sandbox escape in the Responsive Design Mode component. (CVE-2026-4692)
- Incorrect boundary conditions in the Audio/Video: Playback component. (CVE-2026-4693)
- Incorrect boundary conditions, integer overflow in the Graphics component. (CVE-2026-4694)
- Incorrect boundary conditions in the Audio/Video: Web Codecs component. (CVE-2026-4695)
- Use-after-free in the Layout: Text and Fonts component. (CVE-2026-4696)
- Incorrect boundary conditions in the Audio/Video: Web Codecs component. (CVE-2026-4697)
- JIT miscompilation in the JavaScript Engine: JIT component. (CVE-2026-4698)
- Incorrect boundary conditions in the Layout: Text and Fonts component. (CVE-2026-4699)
- Mitigation bypass in the Networking: HTTP component. (CVE-2026-4700)
- Use-after-free in the JavaScript Engine component. (CVE-2026-4701)
- JIT miscompilation in the JavaScript Engine component. (CVE-2026-4702)
- Denial-of-service in the WebRTC: Signaling component. (CVE-2026-4704)
- Undefined behavior in the WebRTC: Signaling component. (CVE-2026-4705)
- Incorrect boundary conditions in the Graphics: Canvas2D component. (CVE-2026-4706)
- Incorrect boundary conditions in the Graphics: Canvas2D component. (CVE-2026-4707)
- Incorrect boundary conditions in the Graphics component. (CVE-2026-4708)
- Incorrect boundary conditions in the Audio/Video: GMP component. (CVE-2026-4709)
- Incorrect boundary conditions in the Audio/Video component. (CVE-2026-4710)
- Use-after-free in the Widget: Cocoa component. (CVE-2026-4711)
- Information disclosure in the Widget: Cocoa component. (CVE-2026-4712)
- Incorrect boundary conditions in the Graphics component. (CVE-2026-4713)
- Incorrect boundary conditions in the Audio/Video component. (CVE-2026-4714)
- Uninitialized memory in the Graphics: Canvas2D component. (CVE-2026-4715)
- Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. (CVE-2026-4716)
- Privilege escalation in the Netmonitor component. (CVE-2026-4717)
- Undefined behavior in the WebRTC: Signaling component. (CVE-2026-4718)
- Incorrect boundary conditions in the Graphics: Text component. (CVE-2026-4719)
- Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. (CVE-2026-4720)
- Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. (CVE-2026-4721)

References:

- https://bugs.mageia.org/show_bug.cgi?id=35273
- https://www.thunderbird.net/en-US/thunderbird/140.9.0esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2026-24/
- https://www.cve.org/CVERecord?id=CVE-2025-59375
- https://www.cve.org/CVERecord?id=CVE-2026-3889
- https://www.cve.org/CVERecord?id=CVE-2026-4684
- https://www.cve.org/CVERecord?id=CVE-2026-4685
- https://www.cve.org/CVERecord?id=CVE-2026-4686
- https://www.cve.org/CVERecord?id=CVE-2026-4687
- https://www.cve.org/CVERecord?id=CVE-2026-4688
- https://www.cve.org/CVERecord?id=CVE-2026-4689
- https://www.cve.org/CVERecord?id=CVE-2026-4690
- https://www.cve.org/CVERecord?id=CVE-2026-4691
- https://www.cve.org/CVERecord?id=CVE-2026-4692
- https://www.cve.org/CVERecord?id=CVE-2026-4693
- https://www.cve.org/CVERecord?id=CVE-2026-4694
- https://www.cve.org/CVERecord?id=CVE-2026-4695
- https://www.cve.org/CVERecord?id=CVE-2026-4696
- https://www.cve.org/CVERecord?id=CVE-2026-4697
- https://www.cve.org/CVERecord?id=CVE-2026-4698
- https://www.cve.org/CVERecord?id=CVE-2026-4699
- https://www.cve.org/CVERecord?id=CVE-2026-4700
- https://www.cve.org/CVERecord?id=CVE-2026-4701
- https://www.cve.org/CVERecord?id=CVE-2026-4702
- https://www.cve.org/CVERecord?id=CVE-2026-4704
- https://www.cve.org/CVERecord?id=CVE-2026-4705
- https://www.cve.org/CVERecord?id=CVE-2026-4706
- https://www.cve.org/CVERecord?id=CVE-2026-4707
- https://www.cve.org/CVERecord?id=CVE-2026-4708
- https://www.cve.org/CVERecord?id=CVE-2026-4709
- https://www.cve.org/CVERecord?id=CVE-2026-4710
- https://www.cve.org/CVERecord?id=CVE-2026-4711
- https://www.cve.org/CVERecord?id=CVE-2026-4712
- https://www.cve.org/CVERecord?id=CVE-2026-4713
- https://www.cve.org/CVERecord?id=CVE-2026-4714
- https://www.cve.org/CVERecord?id=CVE-2026-4715
- https://www.cve.org/CVERecord?id=CVE-2026-4716
- https://www.cve.org/CVERecord?id=CVE-2026-4717
- https://www.cve.org/CVERecord?id=CVE-2026-4718
- https://www.cve.org/CVERecord?id=CVE-2026-4719
- https://www.cve.org/CVERecord?id=CVE-2026-4720
- https://www.cve.org/CVERecord?id=CVE-2026-4721

SRPMS:

- 9/core/thunderbird-140.9.0-1.mga9
- 9/core/thunderbird-l10n-140.9.0-1.mga9

Obtain essential updates for Mageia Thunderbird addressing multiple critical issues to enhance system reliability and security.

Severity: Critical. LinuxSecurity.com Team

Apr 02, 2026 | Critical | Mageia

SUSE: MozillaFirefox Important Security Update for 2026:20086-1

An update that solves 13 vulnerabilities can now be installed.

# Security update for MozillaFirefox

Announcement ID: SUSE-SU-2026:20086-1
Release Date: 2026-01-15T16:28:43Z
Rating: important

References:

* bsc#1256340

Cross-References:

* CVE-2025-14327
* CVE-2026-0877
* CVE-2026-0878
* CVE-2026-0879
* CVE-2026-0880
* CVE-2026-0882
* CVE-2026-0883
* CVE-2026-0884
* CVE-2026-0885
* CVE-2026-0886
* CVE-2026-0887
* CVE-2026-0890
* CVE-2026-0891

CVSS scores:

* CVE-2025-14327 ( SUSE ): 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2025-14327 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
* CVE-2025-14327 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2025-14327 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2026-0877 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
* CVE-2026-0878 ( NVD ): 8.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
* CVE-2026-0879 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-0880 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-0882 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2026-0883 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-0884 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-0885 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
* CVE-2026-0886 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-0887 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
* CVE-2026-0890 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
* CVE-2026-0891 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* SUSE Linux Enterprise Server 16.0
* SUSE Linux Enterprise Server for SAP Applications 16.0

## Description:

This update for MozillaFirefox fixes the following issues:

Update to Firefox Extended Support Release 140.7.0 ESR (bsc#1256340).

* MFSA 2026-03 (bsc#1256340)
  * CVE-2026-0877: Mitigation bypass in the DOM: Security component
  * CVE-2026-0878: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
  * CVE-2026-0879: Sandbox escape due to incorrect boundary conditions in the Graphics component
  * CVE-2026-0880: Sandbox escape due to integer overflow in the Graphics component
  * CVE-2026-0882: Use-after-free in the IPC component
  * CVE-2025-14327: Spoofing issue in the Downloads Panel component
  * CVE-2026-0883: Information disclosure in the Networking component
  * CVE-2026-0884: Use-after-free in the JavaScript Engine component
  * CVE-2026-0885: Use-after-free in the JavaScript: GC component
  * CVE-2026-0886: Incorrect boundary conditions in the Graphics component
  * CVE-2026-0887: Clickjacking issue, information disclosure in the PDF Viewer component
  * CVE-2026-0890: Spoofing issue in the DOM: Copy & Paste and Drag & Drop component
  * CVE-2026-0891: Memory safety bugs fixed in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Server 16.0

      zypper in -t patch SUSE-SLES-16.0-146=1

* SUSE Linux Enterprise Server for SAP Applications 16.0

      zypper in -t patch SUSE-SLES-16.0-146=1

## Package List:

* SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
  * MozillaFirefox-translations-common-140.7.0-160000.1.1
  * MozillaFirefox-translations-other-140.7.0-160000.1.1
  * MozillaFirefox-debuginfo-140.7.0-160000.1.1
  * MozillaFirefox-140.7.0-160000.1.1
  * MozillaFirefox-debugsource-140.7.0-160000.1.1
* SUSE Linux Enterprise Server 16.0 (noarch)
  * MozillaFirefox-devel-140.7.0-160000.1.1
* SUSE Linux Enterprise Server for SAP Applications 16.0 (ppc64le x86_64)
  * MozillaFirefox-translations-common-140.7.0-160000.1.1
  * MozillaFirefox-translations-other-140.7.0-160000.1.1
  * MozillaFirefox-debuginfo-140.7.0-160000.1.1
  * MozillaFirefox-140.7.0-160000.1.1
  * MozillaFirefox-debugsource-140.7.0-160000.1.1
* SUSE Linux Enterprise Server for SAP Applications 16.0 (noarch)
  * MozillaFirefox-devel-140.7.0-160000.1.1

## References:

* https://www.suse.com/security/cve/CVE-2025-14327.html
* https://www.suse.com/security/cve/CVE-2026-0877.html
* https://www.suse.com/security/cve/CVE-2026-0878.html
* https://www.suse.com/security/cve/CVE-2026-0879.html
* https://www.suse.com/security/cve/CVE-2026-0880.html
* https://www.suse.com/security/cve/CVE-2026-0882.html
* https://www.suse.com/security/cve/CVE-2026-0883.html
* https://www.suse.com/security/cve/CVE-2026-0884.html
* https://www.suse.com/security/cve/CVE-2026-0885.html
* https://www.suse.com/security/cve/CVE-2026-0886.html
* https://www.suse.com/security/cve/CVE-2026-0887.html
* https://www.suse.com/security/cve/CVE-2026-0890.html
* https://www.suse.com/security/cve/CVE-2026-0891.html
* https://bugzilla.suse.com/show_bug.cgi?id=1256340

Mozilla Firefox receives important security updates addressing 13 issues in SUSE Linux Enterprise Server 16.0.

Severity: Important. LinuxSecurity.com Team

Jan 20, 2026 | Important | SuSE

Fedora 38 BorgBackup 2023-555f9fac30 Critical: Spoofing Issue Fix

Fedora Update Notification
FEDORA-2023-555f9fac30
2023-09-15 01:41:41.216114

Name        : borgbackup
Product     : Fedora 38
Version     : 1.2.6
Release     : 1.fc38
URL         : https://borgbackup.readthedocs.io/en/stable/
Summary     : A deduplicating backup program with compression and authenticated encryption
Description : BorgBackup (short: Borg) is a deduplicating backup program. Optionally, it supports compression and authenticated encryption.

Update Information:

fix for CVE-2023-36811: spoofed archive leads to data loss

Please note that starting with borgbackup 1.2.5 all borg repos must use TAM authentication: https://github.com/borgbackup/borg/blob/1.2.6/docs/changes.rst#pre-125-archives-spoofing-vulnerability-cve-2023-36811

ChangeLog:

* Tue Sep 5 2023 Felix Schwarz - 1.2.6-1
- update to 1.2.6 to fix CVE-2023-36811
- rely on auto-generated version requirement for msgpack

References:

[ 1 ] Bug #2236305 - CVE-2023-36811 borgbackup: spoofed archive leads to data loss [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2236305

This update can be installed with the "dnf" update program. Use

    su -c 'dnf upgrade --advisory FEDORA-2023-555f9fac30'

at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/

BorgBackup 1.2.6 addresses an archive spoofing vulnerability in Fedora 38 that risked data loss. Ensure your backups are protected by updating today.

Severity: Critical. LinuxSecurity.com Team

Sep 15, 2023 | Critical | Fedora

SUSE: 2019:1576-1 Critical Update: Enigmail Spoofing Vulnerability Patch

SUSE Security Update: Security update for enigmail

Announcement ID: SUSE-SU-2019:1576-1
Rating: important
References: #1135855
Cross-References: CVE-2019-12269
Affected Products:
- SUSE Linux Enterprise Workstation Extension 15-SP1
- SUSE Linux Enterprise Workstation Extension 15

An update that fixes one vulnerability is now available.

Description:

This update for enigmail to version 2.0.11 fixes the following issues:

Security issue fixed:

- CVE-2019-12269: Fixed an issue where a specially crafted inline PGP message could spoof a "correctly signed" message (bsc#1135855).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Workstation Extension 15-SP1:

      zypper in -t patch SUSE-SLE-Product-WE-15-SP1-2019-1576=1

- SUSE Linux Enterprise Workstation Extension 15:

      zypper in -t patch SUSE-SLE-Product-WE-15-2019-1576=1

Package List:

- SUSE Linux Enterprise Workstation Extension 15-SP1 (x86_64): enigmail-2.0.11-3.16.1
- SUSE Linux Enterprise Workstation Extension 15 (x86_64): enigmail-2.0.11-3.16.1

References:

- https://www.suse.com/security/cve/CVE-2019-12269.html
- https://bugzilla.suse.com/1135855

SUSE enhances security with critical Enigmail update against spoofing threats, ID: SUSE-SU-2019:1576-1.

Severity: Important. LinuxSecurity.com Team

Jun 20, 2019 | Important | SuSE

Ubuntu 18.10: USN-3851-1 Critical: Django Spoofing Attack

Ubuntu Security Notice USN-3851-1
January 09, 2019

python-django vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Django could be made to expose spoofed information over the network.

Software Description:

- python-django: High-level Python web development framework

Details:

It was discovered that Django incorrectly handled the default 404 page. A remote attacker could use this issue to spoof content using a malicious URL.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10:
    python-django 1:1.11.15-1ubuntu1.1
    python3-django 1:1.11.15-1ubuntu1.1

Ubuntu 18.04 LTS:
    python-django 1:1.11.11-1ubuntu1.2
    python3-django 1:1.11.11-1ubuntu1.2

Ubuntu 16.04 LTS:
    python-django 1.8.7-1ubuntu5.7
    python3-django 1.8.7-1ubuntu5.7

Ubuntu 14.04 LTS:
    python-django 1.6.11-0ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:

- https://ubuntu.com/security/notices/USN-3851-1
- CVE-2019-3498

Package Information:

- https://launchpad.net/ubuntu/+source/python-django/1:1.11.15-1ubuntu1.1
- https://launchpad.net/ubuntu/+source/python-django/1:1.11.11-1ubuntu1.2
- https://launchpad.net/ubuntu/+source/python-django/1.8.7-1ubuntu5.7
- https://launchpad.net/ubuntu/+source/python-django/1.6.11-0ubuntu1.3

The Ubuntu Security Notice USN-3851-1 addresses a vulnerability found in python-django that may lead to information spoofing. It's highly advisable to apply the recommended updates.

Severity: Critical. LinuxSecurity.com Team

Jan 09, 2019 | Critical | Ubuntu

Arch Linux 201611-8 High Severity: Libcurl-Compat Multiple Issues

Arch Linux Security Advisory ASA-201611-8
=========================================

Severity: High
Date    : 2016-11-03
CVE-ID  : CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8619 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625
Package : libcurl-compat
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
=======

The package libcurl-compat before version 7.51.0-1 is vulnerable to multiple issues including arbitrary code execution, content spoofing, information disclosure, insufficient validation and authentication bypass.

Resolution
==========

Upgrade to 7.51.0-1.

    # pacman -Syu "libcurl-compat>=7.51.0-1"

The problems have been fixed upstream in version 7.51.0.

Workaround
==========

None.

Description
===========

- CVE-2016-8615 (content spoofing)

If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar. The issue pertains to the function that loads cookies into memory, which reads the specified file into a fixed-size buffer in a line-by-line manner using the fgets() function. If an invocation of fgets() cannot read the whole line into the destination buffer due to it being too small, it truncates the output. This way, a very long cookie (name + value) sent by a malicious server would be stored in the file, and subsequently that cookie could be read partially and, if crafted correctly, treated as a different cookie for another server.

- CVE-2016-8616 (authentication bypass)

When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.

- CVE-2016-8617 (arbitrary code execution)

In libcurl's base64 encode function, the output buffer is allocated as follows without any checks on insize:

    malloc( insize * 4 / 3 + 4 )

On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), the multiplication in the expression wraps around if insize is at least 1GB of data. If this happens, an undersized output buffer will be allocated, but the full result will be written, thus causing the memory behind the output buffer to be overwritten. If a username is set directly via CURLOPT_USERNAME (or curl's -u, --user option), this vulnerability can be triggered. The name has to be at least 512MB big in a 32bit system. Systems with 64 bit versions of the size_t type are not affected by this issue.

- CVE-2016-8619 (arbitrary code execution)

In curl's implementation of the Kerberos authentication mechanism, the function read_data() in security.c is used to fill the necessary krb5 structures. When reading one of the length fields from the socket, it fails to ensure that the length parameter passed to realloc() is not set to 0. This would lead to realloc() getting called with a zero size, and when doing so realloc() returns NULL and frees the memory - contrary to normal realloc() failures, where it only returns NULL - causing libcurl to free the memory again in the error path. This flaw could be triggered by a malicious or just otherwise ill-behaving server.

- CVE-2016-8621 (information disclosure)

The curl_getdate function converts a given date string into a numerical timestamp, and it supports a range of different formats and possibilities to express a date and time. The underlying date parsing function is also used internally when parsing for example HTTP cookies (possibly received from remote servers) and it can be used when doing conditional HTTP requests. The date parser function uses the libc sscanf() function at two places, with the parsing strings "%02d:%02d" and "%02d:%02d:%02d". The intent being that it would parse either a string with HH:MM (two digits colon two digits) or HH:MM:SS (two digits colon two digits colon two digits). If instead the piece of time that was sent in had the final digit cut off, thus ending with a single-digit, the date parser code would advance its read pointer one byte too much and end up reading out of bounds.

- CVE-2016-8622 (arbitrary code execution)

The URL percent-encoding decode function in libcurl is called curl_easy_unescape. Internally, even if this function would be made to allocate an unescape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer. This can be triggered by a user on a 64bit system if the user can send in a custom (very large) URL to a libcurl using program.

- CVE-2016-8623 (arbitrary code execution)

libcurl explicitly allows users to share cookies between multiple easy handles that are concurrently employed by different threads. When cookies to be sent to a server are collected, the matching function collects all cookies to send and the cookie lock is released immediately afterwards. That function however only returns a list with references back to the original strings for name, value, path and so on. Therefore, if another thread quickly takes the lock and frees one of the original cookie structs together with its strings, a use-after-free can occur possibly leading to arbitrary code execution. Another thread can also replace the contents of the cookies from separate HTTP responses or API calls.

- CVE-2016-8624 (insufficient validation)

curl doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use a URL parser that follows the RFC to check for allowed domains before using curl to request them. Passing in would wrongly make curl send a request to evil.com while your browser would connect to given the same URL. The problem exists for most protocol schemes.

- CVE-2016-8625 (insufficient validation)

When curl is built with libidn to handle International Domain Names (IDNA), it translates them to puny code for DNS resolving using the IDNA 2003 standard, while IDNA 2008 is the modern and up-to-date IDNA standard. This misalignment causes problems with for example domains using the German ß character (known as the Unicode Character 'LATIN SMALL LETTER SHARP S') which is used at times in the .de TLD and is translated differently in the two IDNA standards, leading to users potentially and unknowingly issuing network transfer requests to the wrong host. For example, straße.de is translated into strasse.de using IDNA 2003 but is translated into xn--strae-oqa.de using IDNA 2008. Needless to say, those host names could very well resolve to different addresses and be two completely independent servers. IDNA 2008 is mandatory for .de domains. This name problem exists for DNS-using protocols in curl, but only when built to use libidn.

Impact
======

A remote attacker is able to execute arbitrary code, inject cookies for arbitrary domains and disclose sensitive information via various vectors.

References
==========

https://curl.se/changes.html
https://curl.se/docs/CVE-2016-8615.html
https://curl.se/docs/CVE-2016-8616.html
https://curl.se/docs/CVE-2016-8617.html
https://curl.se/docs/CVE-2016-8619.html
https://curl.se/docs/CVE-2016-8621.html
https://curl.se/docs/CVE-2016-8622.html
https://curl.se/docs/CVE-2016-8623.html
https://curl.se/docs/CVE-2016-8624.html
https://curl.se/docs/CVE-2016-8625.html
https://access.redhat.com/security/cve/CVE-2016-8615
https://access.redhat.com/security/cve/CVE-2016-8616
https://access.redhat.com/security/cve/CVE-2016-8617
https://access.redhat.com/security/cve/CVE-2016-8619
https://access.redhat.com/security/cve/CVE-2016-8621
https://access.redhat.com/security/cve/CVE-2016-8622
https://access.redhat.com/security/cve/CVE-2016-8623
https://access.redhat.com/security/cve/CVE-2016-8624
https://access.redhat.com/security/cve/CVE-2016-8625

Ubuntu Security Notice for libcurl-legacy emphasizes severe vulnerabilities and patch recommendations. Update promptly to protect your environments.

LinuxSecurity.com Team

Nov 03, 2016 | ArchLinux

Debian DSA-775-1 Critical: Mozilla Frame Injection Spoofing

Updated package.

Debian Security Advisory DSA 775-1
http://www.debian.org/security/
Martin Schulze
August 15th, 2005
http://www.debian.org/security/faq

Package        : mozilla
Vulnerability  : frame injection spoofing
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0718 CAN-2005-1937
BugTraq ID     : 14242

A vulnerability has been discovered in Mozilla and Mozilla Firefox that allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site. Thunderbird is not affected by this and Galeon will be automatically fixed as it uses Mozilla components.

The old stable distribution (woody) does not contain Mozilla Firefox packages.

For the stable distribution (sarge) this problem has been fixed in version 1.0.4-2sarge1.

For the unstable distribution (sid) this problem has been fixed in version 1.0.6-1.

We recommend that you upgrade your mozilla-firefox package.

Upgrade Instructions

    wget url

will fetch the file for you

    dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

    apt-get update

will update the internal database

    apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge

These files will probably be moved into the stable distribution on its next update.

For apt-get: deb https://www.debian.org/security/ stable/updates main
For dpkg-ftp: dists/stable/updates/main

Debian DSA-775-2 addresses a security flaw in Mozilla’s handling of frame injections. All users should consider updating their installations.

Severity: Critical. LinuxSecurity.com Team

Aug 15, 2005 | Critical | Debian