Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -2 articles for you...
172
security advisoryDoSUbuntuUbuntu 24.04 LTS U-Boot Critical Denial of Service Threat USN-8056-1
Several security issues were fixed in U-Boot.. ========================================================================== Ubuntu Security Notice USN-8056-1 February 23, 2026 u-boot vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in U-Boot. Software Description: - u-boot: A boot loader for embedded systems Details: Simon Diepold discovered that U-Boot incorrectly handled certain DHCP responses. An attacker on the local network could possibly use this issue to obtain sensitive memory contents. (CVE-2024-42040) It was discovered that U-Boot incorrectly handled symlink size calculations in squashfs file systems. An attacker could use this issue with a specially crafted squashfs file system to cause U-Boot to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2024-57254) It was discovered that U-Boot incorrectly handled inode size calculations in squashfs file systems. An attacker could use this issue with a specially crafted squashfs file system to cause U-Boot to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2024-57255) It was discovered that U-Boot incorrectly handled inode size calculations in EXT4 file systems. An attacker could use this issue with a specially crafted EXT4 file system to cause U-Boot to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2024-57256) It was discovered that U-Boot incorrectly handled deep symlink nesting in squashfs file systems. An attacker could possibly use this issue with a specially crafted squashfs file system to cause U-Boot to crash, resulting in a denial of service. (CVE-2024-57257) It was discovered that U-Boot incorrectly handled memory allocation in squashfs file systems. An attacker could use this issue with a specially crafted squashfs file system to cause U-Boot to crash, resulting in adenial of service, or execute arbitrary code. (CVE-2024-57258) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.04 LTS u-boot-amlogic 2025.10-0ubuntu0.24.04.2 u-boot-asahi 2025.10-0ubuntu0.24.04.2 u-boot-exynos 2025.10-0ubuntu0.24.04.2 u-boot-imx 2025.10-0ubuntu0.24.04.2 u-boot-microchip 2025.10-0ubuntu0.24.04.2 u-boot-mvebu 2025.10-0ubuntu0.24.04.2 u-boot-omap 2025.10-0ubuntu0.24.04.2 u-boot-qcom 2025.10-0ubuntu0.24.04.2 u-boot-qemu 2025.10-0ubuntu0.24.04.2 u-boot-rockchip 2025.10-0ubuntu0.24.04.2 u-boot-rpi 2025.10-0ubuntu0.24.04.2 u-boot-sifive 2025.10-0ubuntu0.24.04.2 u-boot-sitara-binaries 2025.10-0ubuntu0.24.04.2 u-boot-starfive 2025.10-0ubuntu0.24.04.2 u-boot-stm32 2025.10-0ubuntu0.24.04.2 u-boot-sunxi 2025.10-0ubuntu0.24.04.2 u-boot-tegra 2025.10-0ubuntu0.24.04.2 u-boot-tools 2025.10-0ubuntu0.24.04.2 Ubuntu 22.04 LTS u-boot 2022.01+dfsg-2ubuntu2.7 u-boot-amlogic 2022.01+dfsg-2ubuntu2.7 u-boot-exynos 2022.01+dfsg-2ubuntu2.7 u-boot-imx 2022.01+dfsg-2ubuntu2.7 u-boot-microchip 2022.01+dfsg-2ubuntu2.7 u-boot-mvebu 2022.01+dfsg-2ubuntu2.7 u-boot-omap 2022.01+dfsg-2ubuntu2.7 u-boot-qcom 2022.01+dfsg-2ubuntu2.7 u-boot-qemu 2022.01+dfsg-2ubuntu2.7 u-boot-rockchip 2022.01+dfsg-2ubuntu2.7 u-boot-rpi 2022.01+dfsg-2ubuntu2.7 u-boot-sifive 2022.01+dfsg-2ubuntu2.7 u-boot-sunxi 2022.01+dfsg-2ubuntu2.7 u-boot-tegra 2022.01+dfsg-2ubuntu2.7 u-boot-tools 2022.01+dfsg-2ubuntu2.7 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8056-1 CVE-2024-57254, CVE-2024-57255, CVE-2024-57256, CVE-2024-57257, CVE-2024-57258, CVE-2024-57259 Package Information: https://launchpad.net/ubuntu/+source/u-boot/2025.10-0ubuntu0.24.04.2 https://launchpad.net/ubuntu/+source/u-boot/2022.01+dfsg-2ubuntu2.7 . Fix several U-Boot security issues impacting Ubuntu systems with critical updates addressing multiple exploits.. U-Boot Exploit Risk, Ubuntu Security Notice, U-Boot Update Instructions. . Severity: Critical. LinuxSecurity.com Team
Feb 23, 2026
•Critical
Ubuntu
100
security advisorybuffer overflowimportantSUSE: 2024:2463-1 Important: Squashfs Buffer Overflows and Exploits
* bsc#1189936 * bsc#1190531 * bsc#935380 Cross-References: . # Security update for squashfs Announcement ID: SUSE-SU-2024:2463-1 Rating: important References: * bsc#1189936 * bsc#1190531 * bsc#935380 Cross-References: * CVE-2015-4645 * CVE-2015-4646 * CVE-2021-40153 * CVE-2021-41072 CVSS scores: * CVE-2015-4645 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2015-4645 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2015-4646 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2021-40153 ( SUSE ): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N * CVE-2021-40153 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H * CVE-2021-41072 ( SUSE ): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N * CVE-2021-41072 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H Affected Products: * SUSE Linux Enterprise Micro 5.5 An update that solves four vulnerabilities can now be installed. ## Description: This update for squashfs fixes the following issues: * CVE-2015-4645,CVE-2015-4646: Multiple buffer overflows fixed in squashfs- tools (bsc#935380) * CVE-2021-40153: Fixed an issue where an attacker might have been able to write a file outside of destination (bsc#1189936) * CVE-2021-41072: Fixed an issue where an attacker might have been able to write a file outside the destination directory via a symlink (bsc#1190531). update to 4.6.1: * Race condition which can cause corruption of the "fragment table" fixed. This is a regression introduced in August 2022, and it has been seen when tailend packing is used (-tailends option). * Fix build failure when the tools are being built without extended attribute (XATTRs) support. * Fix XATTR error message when an unrecognised prefix is found * Fix incorrect free of pointer when an unrecognised XATTR prefix is found. * Major improvements in extended attribute handling, pseudo file handling, and miscellaneous newoptions and improvements * Extended attribute handling improved in Mksquashfs and Sqfstar * New Pseudo file xattr definition to add extended attributes to files. * New xattrs-add Action to add extended attributes to files * Extended attribute handling improved in Unsquashfs * Other major improvements * Unsquashfs can now output Pseudo files to standard out. * Mksquashfs can now input Pseudo files from standard in. * Squashfs filesystems can now be converted (different block size compression etc) without unpacking to an intermediate filesystem or mounting, by piping the output of Unsquashfs to Mksquashfs. * Pseudo files are now supported by Sqfstar. * "Non-anchored" excludes are now supported by Unsquashfs. update to 4.5.1 (bsc#1190531, CVE-2021-41072): * This release adds Manpages for Mksquashfs(1), Unsquashfs(1), Sqfstar(1) and Sqfscat(1). * The -help text output from the utilities has been improved and extended as well (but the Manpages are now more comprehensive). * CVE-2021-41072 which is a writing outside of destination exploit, has been fixed. * The number of hard-links in the filesystem is now also displayed by Mksquashfs in the output summary. * The number of hard-links written by Unsquashfs is now also displayed in the output summary. * Unsquashfs will now write to a pre-existing destination directory, rather than aborting. * Unsquashfs now allows "." to used as the destination, to extract to the current directory. * The Unsquashfs progress bar now tracks empty files and hardlinks, in addition to data blocks. * -no-hardlinks option has been implemented for Sqfstar. * More sanity checking for "corrupted" filesystems, including checks for multiply linked directories and directory loops. * Options that may cause filesystems to be unmountable have been moved into a new "experts" category in the Mksquashfs help text (and Manpage). * Maximum cpiostyle filename limited to PATH_MAX. This prevents attempts to overflow the stack, or cause system calls to fail with a too long pathname. * Don't always use "max open file limit" when calculating length of queues, as a very large file limit can cause Unsquashfs to abort. Instead use the smaller of max open file limit and cache size. * Fix Mksquashfs silently ignoring Pseudo file definitions when appending. * Don't abort if no XATTR support has been built in, and there's XATTRs in the filesystem. This is a regression introduced in 2019 in Version 4.4. * Fix duplicate check when the last file block is sparse. update to 4.5: * Mksquashfs now supports "Actions". * New sqfstar command which will create a Squashfs image from a tar archive. * Tar style handling of source pathnames in Mksquashfs. * Cpio style handling of source pathnames in Mksquashfs. * New option to throttle the amount of CPU and I/O. * Mksquashfs now allows no source directory to be specified. * New Pseudo file "R" definition which allows a Regular file o be created with data stored within the Pseudo file. * Symbolic links are now followed in extract files * Unsquashfs now supports "exclude" files. * Max depth traversal option added. * Unsquashfs can now output a "Pseudo file" representing the input Squashfs filesystem. * New -one-file-system option in Mksquashfs. * New -no-hardlinks option in Mksquashfs. * Exit code in Unsquashfs changed to distinguish between non-fatal errors (exit 2), and fatal errors (exit 1). * Xattr id count added in Unsquashfs "-stat" output. * Unsquashfs "write outside directory" exploit fixed. * Error handling in Unsquashfs writer thread fixed. * Fix failure to truncate destination if appending aborted. * Prevent Mksquashfs reading the destination file. ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Micro 5.5 zypper in -tpatch SUSE-SLE-Micro-5.5-2024-2463=1 ## Package List: * SUSE Linux Enterprise Micro 5.5 (ppc64le) * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 ## References: * https://www.suse.com/security/cve/CVE-2015-4645.html * https://www.suse.com/security/cve/CVE-2015-4646.html * https://www.suse.com/security/cve/CVE-2021-40153.html * https://www.suse.com/security/cve/CVE-2021-41072.html * https://bugzilla.suse.com/show_bug.cgi?id=1189936 * https://bugzilla.suse.com/show_bug.cgi?id=1190531 * https://bugzilla.suse.com/show_bug.cgi?id=935380 . This bulletin provides information regarding patches for squashfs aimed at addressing various security flaws, including buffer overread issues and unauthorized write vulnerabilities.. squashfs Security Advisory, SUSE linux update, buffer overflow fix, file write exploit, SUSE Linux patches. . Severity: Important. LinuxSecurity.com Team
Jul 12, 2024
•Important
SuSE
202
security advisorybuffer overflowsoftware updateopenSUSE 2023:4591-1 Important: Multiple Squashfs Buffer Overflows
This update for squashfs fixes the following issues: CVE-2015-4645,CVE-2015-4646: Multiple buffer overflows fixed in squashfs- tools (bsc#935380). # Security update for squashfs Announcement ID: SUSE-SU-2023:4591-1 Rating: important References: * bsc#1189936 * bsc#1190531 * bsc#935380 Cross-References: * CVE-2015-4645 * CVE-2015-4646 * CVE-2021-40153 * CVE-2021-41072 CVSS scores: * CVE-2015-4645 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2015-4645 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2015-4646 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2021-40153 ( SUSE ): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N * CVE-2021-40153 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H * CVE-2021-41072 ( SUSE ): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N * CVE-2021-41072 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H Affected Products: * Basesystem Module 15-SP4 * Basesystem Module 15-SP5 * openSUSE Leap 15.3 * openSUSE Leap 15.4 * openSUSE Leap 15.5 * openSUSE Leap Micro 5.3 * openSUSE Leap Micro 5.4 * SUSE Enterprise Storage 7.1 * SUSE Linux Enterprise Desktop 15 SP4 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise High Performance Computing 15 SP3 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 * SUSE Linux Enterprise Micro 5.1 * SUSE Linux Enterprise Micro 5.2 * SUSE Linux Enterprise Micro 5.3 * SUSE Linux Enterprise Micro 5.4 * SUSE Linux Enterprise Micro 5.5 * SUSE Linux Enterprise Micro for Rancher 5.2 * SUSE Linux Enterprise Micro for Rancher 5.3 * SUSE Linux Enterprise Micro for Rancher 5.4 * SUSE Linux Enterprise Real Time 15 SP4 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Server 15 SP3 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Manager Proxy 4.2 * SUSE Manager Proxy 4.3 * SUSE Manager Retail Branch Server 4.2 * SUSE Manager Retail Branch Server 4.3 * SUSE Manager Server 4.2 * SUSE Manager Server 4.3 An update that solves four vulnerabilities can now be installed. ## Description: This update for squashfs fixes the following issues: * CVE-2015-4645,CVE-2015-4646: Multiple buffer overflows fixed in squashfs- tools (bsc#935380) * CVE-2021-40153: Fixed an issue where an attacker might have been able to write a file outside of destination (bsc#1189936) * CVE-2021-41072: Fixed an issue where an attacker might have been able to write a file outside the destination directory via a symlink (bsc#1190531). update to 4.6.1: * Race condition which can cause corruption of the "fragment table" fixed. This is a regression introduced in August 2022, and it has been seen when tailend packing is used (-tailends option). * Fix build failure when the tools are being built without extended attribute (XATTRs) support. * Fix XATTR error message when an unrecognised prefix is found * Fix incorrect free of pointer when an unrecognised XATTR prefix is found. * Major improvements in extended attribute handling, pseudo file handling, and miscellaneous new options and improvements * Extended attribute handling improved in Mksquashfs and Sqfstar * New Pseudo file xattr definition to add extended attributes to files. * New xattrs-add Action to add extended attributes to files * Extended attribute handling improved in Unsquashfs * Other major improvements * Unsquashfs can now output Pseudo files to standard out. * Mksquashfs can now input Pseudo files from standard in. *Squashfs filesystems can now be converted (different block size compression etc) without unpacking to an intermediate filesystem or mounting, by piping the output of Unsquashfs to Mksquashfs. * Pseudo files are now supported by Sqfstar. * "Non-anchored" excludes are now supported by Unsquashfs. update to 4.5.1 (bsc#1190531, CVE-2021-41072): * This release adds Manpages for Mksquashfs(1), Unsquashfs(1), Sqfstar(1) and Sqfscat(1). * The -help text output from the utilities has been improved and extended as well (but the Manpages are now more comprehensive). * CVE-2021-41072 which is a writing outside of destination exploit, has been fixed. * The number of hard-links in the filesystem is now also displayed by Mksquashfs in the output summary. * The number of hard-links written by Unsquashfs is now also displayed in the output summary. * Unsquashfs will now write to a pre-existing destination directory, rather than aborting. * Unsquashfs now allows "." to used as the destination, to extract to the current directory. * The Unsquashfs progress bar now tracks empty files and hardlinks, in addition to data blocks. * -no-hardlinks option has been implemented for Sqfstar. * More sanity checking for "corrupted" filesystems, including checks for multiply linked directories and directory loops. * Options that may cause filesystems to be unmountable have been moved into a new "experts" category in the Mksquashfs help text (and Manpage). * Maximum cpiostyle filename limited to PATH_MAX. This prevents attempts to overflow the stack, or cause system calls to fail with a too long pathname. * Don't always use "max open file limit" when calculating length of queues, as a very large file limit can cause Unsquashfs to abort. Instead use the smaller of max open file limit and cache size. * Fix Mksquashfs silently ignoring Pseudo file definitions when appending. * Don't abort if no XATTR support has been built in, and there's XATTRs in the filesystem. This is a regression introduced in 2019 in Version 4.4. * Fix duplicate check when the last file block is sparse. update to 4.5: * Mksquashfs now supports "Actions". * New sqfstar command which will create a Squashfs image from a tar archive. * Tar style handling of source pathnames in Mksquashfs. * Cpio style handling of source pathnames in Mksquashfs. * New option to throttle the amount of CPU and I/O. * Mksquashfs now allows no source directory to be specified. * New Pseudo file "R" definition which allows a Regular file o be created with data stored within the Pseudo file. * Symbolic links are now followed in extract files * Unsquashfs now supports "exclude" files. * Max depth traversal option added. * Unsquashfs can now output a "Pseudo file" representing the input Squashfs filesystem. * New -one-file-system option in Mksquashfs. * New -no-hardlinks option in Mksquashfs. * Exit code in Unsquashfs changed to distinguish between non-fatal errors (exit 2), and fatal errors (exit 1). * Xattr id count added in Unsquashfs "-stat" output. * Unsquashfs "write outside directory" exploit fixed. * Error handling in Unsquashfs writer thread fixed. * Fix failure to truncate destination if appending aborted. * Prevent Mksquashfs reading the destination file. ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.4 zypper in -t patch openSUSE-SLE-15.4-2023-4591=1 * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2023-4591=1 * SUSE Linux Enterprise Micro for Rancher 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2023-4591=1 * SUSE Linux Enterprise Micro 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2023-4591=1 * SUSE Linux Enterprise Micro for Rancher 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2023-4591=1 * SUSE Linux Enterprise Micro 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2023-4591=1 * SUSE Linux Enterprise Micro 5.5 zypper in -t patch SUSE-SLE-Micro-5.5-2023-4591=1 * Basesystem Module 15-SP4 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-4591=1 * Basesystem Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-4591=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-4591=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-4591=1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-4591=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-4591=1 * SUSE Manager Proxy 4.2 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2023-4591=1 * SUSE Manager Retail Branch Server 4.2 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch- Server-4.2-2023-4591=1 * SUSE Manager Server 4.2 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.2-2023-4591=1 * SUSE Enterprise Storage 7.1 zypper in -t patch SUSE-Storage-7.1-2023-4591=1 * SUSE Linux Enterprise Micro 5.1 zypper in -t patch SUSE-SUSE-MicroOS-5.1-2023-4591=1 * SUSE Linux Enterprise Micro 5.2 zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-4591=1 * SUSE Linux Enterprise Micro for Rancher 5.2 zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-4591=1 * openSUSE Leap 15.3 zypper in -t patch SUSE-2023-4591=1 * openSUSE Leap Micro 5.3 zypper in -t patch openSUSE-Leap-Micro-5.3-2023-4591=1 * openSUSE Leap Micro 5.4 zypper in -t patch openSUSE-Leap-Micro-5.4-2023-4591=1 ## Package List: * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 *squashfs-4.6.1-150300.3.3.1 * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Micro 5.5 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (aarch64 x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64) *squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Manager Proxy 4.2 (x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Manager Retail Branch Server 4.2 (x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Manager Server 4.2 (ppc64le s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Enterprise Storage 7.1 (aarch64 x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * openSUSE Leap Micro 5.3 (aarch64 x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * openSUSE Leap Micro 5.4 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 *squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 ## References: * https://www.suse.com/security/cve/CVE-2015-4645.html * https://www.suse.com/security/cve/CVE-2015-4646.html * https://www.suse.com/security/cve/CVE-2021-40153.html * https://www.suse.com/security/cve/CVE-2021-41072.html * https://bugzilla.suse.com/show_bug.cgi?id=1189936 * https://bugzilla.suse.com/show_bug.cgi?id=1190531 * https://bugzilla.suse.com/show_bug.cgi?id=935380 . A significant patch release for squashfs, tackling several buffer overflow vulnerabilities through essential fixes.. openSUSE Update,squashfs Advisory,Buffers Issue Fixes,Critical Patch Instructions. . Severity: Important. LinuxSecurity.com Team
Nov 27, 2023
•Important
OpenSUSE
100
security advisorybuffer overflowcriticalSUSE: 2023:4591-1 important: squashfs buffer overflow issues remedied
* bsc#1189936 * bsc#1190531 * bsc#935380 Cross-References: . # Security update for squashfs Announcement ID: SUSE-SU-2023:4591-1 Rating: important References: * bsc#1189936 * bsc#1190531 * bsc#935380 Cross-References: * CVE-2015-4645 * CVE-2015-4646 * CVE-2021-40153 * CVE-2021-41072 CVSS scores: * CVE-2015-4645 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2015-4645 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2015-4646 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2021-40153 ( SUSE ): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N * CVE-2021-40153 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H * CVE-2021-41072 ( SUSE ): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N * CVE-2021-41072 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H Affected Products: * Basesystem Module 15-SP4 * Basesystem Module 15-SP5 * openSUSE Leap 15.3 * openSUSE Leap 15.4 * openSUSE Leap 15.5 * openSUSE Leap Micro 5.3 * openSUSE Leap Micro 5.4 * SUSE Enterprise Storage 7.1 * SUSE Linux Enterprise Desktop 15 SP4 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise High Performance Computing 15 SP3 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 * SUSE Linux Enterprise Micro 5.1 * SUSE Linux Enterprise Micro 5.2 * SUSE Linux Enterprise Micro 5.3 * SUSE Linux Enterprise Micro 5.4 * SUSE Linux Enterprise Micro 5.5 * SUSE Linux Enterprise Micro for Rancher 5.2 * SUSE Linux Enterprise Micro for Rancher 5.3 * SUSE Linux Enterprise Micro for Rancher 5.4 * SUSE Linux Enterprise Real Time 15 SP4 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Server 15 SP3 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 * SUSE Linux Enterprise Server 15SP4 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Manager Proxy 4.2 * SUSE Manager Proxy 4.3 * SUSE Manager Retail Branch Server 4.2 * SUSE Manager Retail Branch Server 4.3 * SUSE Manager Server 4.2 * SUSE Manager Server 4.3 An update that solves four vulnerabilities can now be installed. ## Description: This update for squashfs fixes the following issues: * CVE-2015-4645,CVE-2015-4646: Multiple buffer overflows fixed in squashfs- tools (bsc#935380) * CVE-2021-40153: Fixed an issue where an attacker might have been able to write a file outside of destination (bsc#1189936) * CVE-2021-41072: Fixed an issue where an attacker might have been able to write a file outside the destination directory via a symlink (bsc#1190531). update to 4.6.1: * Race condition which can cause corruption of the "fragment table" fixed. This is a regression introduced in August 2022, and it has been seen when tailend packing is used (-tailends option). * Fix build failure when the tools are being built without extended attribute (XATTRs) support. * Fix XATTR error message when an unrecognised prefix is found * Fix incorrect free of pointer when an unrecognised XATTR prefix is found. * Major improvements in extended attribute handling, pseudo file handling, and miscellaneous new options and improvements * Extended attribute handling improved in Mksquashfs and Sqfstar * New Pseudo file xattr definition to add extended attributes to files. * New xattrs-add Action to add extended attributes to files * Extended attribute handling improved in Unsquashfs * Other major improvements * Unsquashfs can now output Pseudo files to standard out. * Mksquashfs can now input Pseudo files from standard in. * Squashfs filesystems can now be converted (different block size compression etc)without unpacking to an intermediate filesystem or mounting, by piping the output of Unsquashfs to Mksquashfs. * Pseudo files are now supported by Sqfstar. * "Non-anchored" excludes are now supported by Unsquashfs. update to 4.5.1 (bsc#1190531, CVE-2021-41072): * This release adds Manpages for Mksquashfs(1), Unsquashfs(1), Sqfstar(1) and Sqfscat(1). * The -help text output from the utilities has been improved and extended as well (but the Manpages are now more comprehensive). * CVE-2021-41072 which is a writing outside of destination exploit, has been fixed. * The number of hard-links in the filesystem is now also displayed by Mksquashfs in the output summary. * The number of hard-links written by Unsquashfs is now also displayed in the output summary. * Unsquashfs will now write to a pre-existing destination directory, rather than aborting. * Unsquashfs now allows "." to used as the destination, to extract to the current directory. * The Unsquashfs progress bar now tracks empty files and hardlinks, in addition to data blocks. * -no-hardlinks option has been implemented for Sqfstar. * More sanity checking for "corrupted" filesystems, including checks for multiply linked directories and directory loops. * Options that may cause filesystems to be unmountable have been moved into a new "experts" category in the Mksquashfs help text (and Manpage). * Maximum cpiostyle filename limited to PATH_MAX. This prevents attempts to overflow the stack, or cause system calls to fail with a too long pathname. * Don't always use "max open file limit" when calculating length of queues, as a very large file limit can cause Unsquashfs to abort. Instead use the smaller of max open file limit and cache size. * Fix Mksquashfs silently ignoring Pseudo file definitions when appending. * Don't abort if no XATTR support has been built in, and there's XATTRs in the filesystem. This is a regression introduced in 2019 in Version 4.4. * Fixduplicate check when the last file block is sparse. update to 4.5: * Mksquashfs now supports "Actions". * New sqfstar command which will create a Squashfs image from a tar archive. * Tar style handling of source pathnames in Mksquashfs. * Cpio style handling of source pathnames in Mksquashfs. * New option to throttle the amount of CPU and I/O. * Mksquashfs now allows no source directory to be specified. * New Pseudo file "R" definition which allows a Regular file o be created with data stored within the Pseudo file. * Symbolic links are now followed in extract files * Unsquashfs now supports "exclude" files. * Max depth traversal option added. * Unsquashfs can now output a "Pseudo file" representing the input Squashfs filesystem. * New -one-file-system option in Mksquashfs. * New -no-hardlinks option in Mksquashfs. * Exit code in Unsquashfs changed to distinguish between non-fatal errors (exit 2), and fatal errors (exit 1). * Xattr id count added in Unsquashfs "-stat" output. * Unsquashfs "write outside directory" exploit fixed. * Error handling in Unsquashfs writer thread fixed. * Fix failure to truncate destination if appending aborted. * Prevent Mksquashfs reading the destination file. ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.4 zypper in -t patch openSUSE-SLE-15.4-2023-4591=1 * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2023-4591=1 * SUSE Linux Enterprise Micro for Rancher 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2023-4591=1 * SUSE Linux Enterprise Micro 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2023-4591=1 * SUSE Linux Enterprise Micro for Rancher 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2023-4591=1 * SUSE Linux Enterprise Micro 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2023-4591=1 * SUSE Linux EnterpriseMicro 5.5 zypper in -t patch SUSE-SLE-Micro-5.5-2023-4591=1 * Basesystem Module 15-SP4 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-4591=1 * Basesystem Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-4591=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-4591=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-4591=1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-4591=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-4591=1 * SUSE Manager Proxy 4.2 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2023-4591=1 * SUSE Manager Retail Branch Server 4.2 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch- Server-4.2-2023-4591=1 * SUSE Manager Server 4.2 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.2-2023-4591=1 * SUSE Enterprise Storage 7.1 zypper in -t patch SUSE-Storage-7.1-2023-4591=1 * SUSE Linux Enterprise Micro 5.1 zypper in -t patch SUSE-SUSE-MicroOS-5.1-2023-4591=1 * SUSE Linux Enterprise Micro 5.2 zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-4591=1 * SUSE Linux Enterprise Micro for Rancher 5.2 zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-4591=1 * openSUSE Leap 15.3 zypper in -t patch SUSE-2023-4591=1 * openSUSE Leap Micro 5.3 zypper in -t patch openSUSE-Leap-Micro-5.3-2023-4591=1 * openSUSE Leap Micro 5.4 zypper in -t patch openSUSE-Leap-Micro-5.4-2023-4591=1 ## Package List: * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) *squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Micro 5.5 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (aarch64 x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 *squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Manager Proxy 4.2 (x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Manager Retail Branch Server 4.2 (x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Manager Server 4.2 (ppc64le s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Enterprise Storage 7.1 (aarch64 x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * openSUSE Leap Micro 5.3 (aarch64 x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 * openSUSE Leap Micro 5.4 (aarch64 s390x x86_64) * squashfs-debuginfo-4.6.1-150300.3.3.1 * squashfs-debugsource-4.6.1-150300.3.3.1 * squashfs-4.6.1-150300.3.3.1 ## References: *https://www.suse.com/security/cve/CVE-2015-4645.html * https://www.suse.com/security/cve/CVE-2015-4646.html * https://www.suse.com/security/cve/CVE-2021-40153.html * https://www.suse.com/security/cve/CVE-2021-41072.html * https://bugzilla.suse.com/show_bug.cgi?id=1189936 * https://bugzilla.suse.com/show_bug.cgi?id=1190531 * https://bugzilla.suse.com/show_bug.cgi?id=935380 . To tackle various serious vulnerabilities affecting multiple distributions, it is crucial to update the central squashfs package on SUSE for improved security and system stability. SUSE Squashfs Update, Critical Security Patch, Patch Management, Buffer Overflow Fix. . Severity: Important. LinuxSecurity.com Team
Nov 27, 2023
•Important
SuSE
100
security advisorysecurity updatebuffer overflowSUSE: 2023:4425-1 Critical: Squashfs Memory Corruption Flaw
* bsc#1133284 * bsc#1160294 * bsc#1189936 * bsc#1190531 * bsc#935380 . # Security update for squashfs Announcement ID: SUSE-SU-2023:4424-1 Rating: important References: * bsc#1133284 * bsc#1160294 * bsc#1189936 * bsc#1190531 * bsc#935380 Cross-References: * CVE-2015-4645 * CVE-2015-4646 * CVE-2021-40153 * CVE-2021-41072 CVSS scores: * CVE-2015-4645 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2015-4645 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2015-4646 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2021-40153 ( SUSE ): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N * CVE-2021-40153 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H * CVE-2021-41072 ( SUSE ): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N * CVE-2021-41072 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H Affected Products: * SUSE Linux Enterprise High Performance Computing 12 SP5 * SUSE Linux Enterprise Server 12 SP5 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 An update that solves four vulnerabilities and has one security fix can now be installed. ## Description: This update for squashfs fixes the following issues: * CVE-2015-4645,CVE-2015-4646: Multiple buffer overflows fixed in squashfs- tools (bsc#935380) * CVE-2021-40153: Fixed an issue where an attacker might have been able to write a file outside of destination (bsc#1189936) * CVE-2021-41072: Fixed an issue where an attacker might have been able to write a file outside the destination directory via a symlink (bsc#1190531). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise High Performance Computing 12 SP5 zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4424=1 * SUSE Linux Enterprise Server 12 SP5 zypper in-t patch SUSE-SLE-SERVER-12-SP5-2023-4424=1 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4424=1 ## Package List: * SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64) * squashfs-debuginfo-4.6.1-8.3.2 * squashfs-4.6.1-8.3.2 * squashfs-debugsource-4.6.1-8.3.2 * SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64) * squashfs-debuginfo-4.6.1-8.3.2 * squashfs-4.6.1-8.3.2 * squashfs-debugsource-4.6.1-8.3.2 * SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64) * squashfs-debuginfo-4.6.1-8.3.2 * squashfs-4.6.1-8.3.2 * squashfs-debugsource-4.6.1-8.3.2 ## References: * https://www.suse.com/security/cve/CVE-2015-4645.html * https://www.suse.com/security/cve/CVE-2015-4646.html * https://www.suse.com/security/cve/CVE-2021-40153.html * https://www.suse.com/security/cve/CVE-2021-41072.html * https://bugzilla.suse.com/show_bug.cgi?id=1133284 * https://bugzilla.suse.com/show_bug.cgi?id=1160294 * https://bugzilla.suse.com/show_bug.cgi?id=1189936 * https://bugzilla.suse.com/show_bug.cgi?id=1190531 * https://bugzilla.suse.com/show_bug.cgi?id=935380 . A significant security patch for squashfs that addresses crucial vulnerabilities impacting multiple SUSE versions.. SUSE Security Update,Squashfs Attack Vector,Buffer Overflow Fix. . Severity: Important. LinuxSecurity.com Team
Nov 13, 2023
•Important
SuSE
91
security advisorygentoocode executionGentoo: GLSA-201701-73 Normal: SQUASHFS Multiple Execution Issues
Multiple vulnerabilities have been discovered in SQUASHFS, the worst of which may allow execution of arbitrary code. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201701-73 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: SQUASHFS: Multiple vulnerabilities Date: January 29, 2017 Bugs: #552484 ID: 201701-73 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Multiple vulnerabilities have been discovered in SQUASHFS, the worst of which may allow execution of arbitrary code Background ========= Squashfs is a compressed read-only filesystem for Linux. Squashfs is intended for general read-only filesystem use, for archival use (i.e. in cases where a .tar.gz file may be used), and in constrained block device/memory systems (e.g. embedded systems) where low overhead is needed. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 sys-fs/squashfs-tools < 4.3-r1 > = 4.3-r1 Description ========== Multiple vulnerabilities have been discovered in SQUASHFS. Please review the CVE identifiers referenced below for details. Impact ===== Remote attackers, by enticing a user to process a specially crafted SQUASHFS image, could execute arbitrary code with the privileges of the process. Workaround ========= There is no known workaround at this time. Resolution ========= All SQUASHFS users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =sys-fs/squashfs-tools-4.3-r1" References ========= [ 1 ] CVE-2015-4645 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4645 [ 2 ] CVE-2015-4646 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4646 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201701-73 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
Jan 29, 2017
Gentoo
91
security advisorygentooarbitrary code executionGentoo: GLSA-201612-40 Normal Severity: SQUASHFS Code Execution Threat
Multiple vulnerabilities have been found in SQUASHFS, the worst of which may allow execution of arbitrary code.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201612-40 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: SQUASHFS: Multiple vulnerabilities Date: December 13, 2016 Bugs: #427356 ID: 201612-40 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Multiple vulnerabilities have been found in SQUASHFS, the worst of which may allow execution of arbitrary code. Background ========= Squashfs is a compressed read-only filesystem for Linux. Squashfs is intended for general read-only filesystem use, for archival use (i.e. in cases where a .tar.gz file may be used), and in constrained block device/memory systems (e.g. embedded systems) where low overhead is needed. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 squashfs-tools < 4.3 > = 4.3 Description ========== Multiple vulnerabilities have been discovered in SQUASHFS. Please review the CVE identifiers referenced below for details. Impact ===== A remote attacker could entice a user to open a specially crafted .sqsh file using unsquashfs; possibly resulting in the execution of arbitrary code with the privileges of the process, or a Denial of Service condition. Workaround ========= There is no known workaround at this time. Resolution ========= All squashfs-tools users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=squashfs-tools-4.3" References ========= [ 1 ] CVE-2012-4024 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4024 [ 2 ] CVE-2012-4025 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4025 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201612-40 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
Dec 13, 2016
Gentoo
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!