Explore top 10 tips to secure your open-source projects now. Read More
×Several security issues were fixed in Python.. ========================================================================== Ubuntu Security Notice USN-6928-1 July 30, 2024 python3.10, python3.8 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Several security issues were fixed in Python. Software Description: - python3.10: An interactive high-level object-oriented language - python3.8: An interactive high-level object-oriented language Details: It was discovered that the Python ssl module contained a memory race condition when handling the APIs to obtain the CA certificates and certificate store statistics. This could possibly result in applications obtaining wrong results, leading to various SSL issues. (CVE-2024-0397) It was discovered that the Python ipaddress module contained incorrect information about which IP address ranges were considered "private" or "globally reachable". This could possibly result in applications applying incorrect security policies. (CVE-2024-4032) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS python3.10 3.10.12-1~22.04.5 python3.10-minimal 3.10.12-1~22.04.5 Ubuntu 20.04 LTS python3.8 3.8.10-0ubuntu1~20.04.11 python3.8-minimal 3.8.10-0ubuntu1~20.04.11 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6928-1 CVE-2024-0397, CVE-2024-4032 Package Information: https://launchpad.net/ubuntu/+source/python3.10/3.10.12-1~22.04.5 https://launchpad.net/ubuntu/+source/python3.8/3.8.10-0ubuntu1~20.04.11 . Update patches for Python in Ubuntu versions 20.04 and 22.04 resolve serious vulnerabilities related to SSL protocolsand IP address management.. Ubuntu Security, Python Update, Python Security Advisory. . Severity: Critical. LinuxSecurity.com Team
Updated pjproject packages fix security vulnerability: In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and destroy, due to the accepted socket having no group lock. Second, the SSL socket parent/ . MGASA-2021-0559 - Updated pjproject packages fix security vulnerability Publication date: 19 Dec 2021 URL: https://advisories.mageia.org/MGASA-2021-0559.html Type: security Affected Mageia releases: 8 CVE: CVE-2021-32686 Updated pjproject packages fix security vulnerability: In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and destroy, due to the accepted socket having no group lock. Second, the SSL socket parent/ listener may get destroyed during handshake. Both issues were reported to happen intermittently in heavy load TLS connections. They cause a crash, resulting in a denial of service (CVE-2021-32686). References: - https://bugs.mageia.org/show_bug.cgi?id=29317 - https://www.cve.org/CVERecord?id=CVE-2021-32686 SRPMS: - 8/core/pjproject-2.10-5.3.mga8 . Mageia has released MGASA-2021-0560 which tackles vulnerabilities in OpenSSL potentially exposing users to data breaches.. Mageia Security Update,PJProject Issues,SSL Vulnerability Fix,Denial of Service. . LinuxSecurity.com Team
An update that fixes two vulnerabilities is now available. . openSUSE Security Update: Security update for postgresql10 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:4058-1 Rating: important References: #1192516 Cross-References: CVE-2021-23214 CVE-2021-23222 CVSS scores: CVE-2021-23214 (SUSE): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-23222 (SUSE): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Affected Products: openSUSE Leap 15.3 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for postgresql10 fixes the following issues: - CVE-2021-23214: Make the server reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516). - CVE-2021-23222: Make libpq reject extraneous data after an SSL or GSS encryption handshake (bsc#1192516). Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2021-4058=1 Package List: - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): postgresql10-10.19-8.41.1 postgresql10-contrib-10.19-8.41.1 postgresql10-contrib-debuginfo-10.19-8.41.1 postgresql10-debuginfo-10.19-8.41.1 postgresql10-debugsource-10.19-8.41.1 postgresql10-plperl-10.19-8.41.1 postgresql10-plperl-debuginfo-10.19-8.41.1 postgresql10-plpython-10.19-8.41.1 postgresql10-plpython-debuginfo-10.19-8.41.1 postgresql10-pltcl-10.19-8.41.1 postgresql10-pltcl-debuginfo-10.19-8.41.1 postgresql10-server-10.19-8.41.1 postgresql10-server-debuginfo-10.19-8.41.1 postgresql10-test-10.19-8.41.1 - openSUSE Leap 15.3 (noarch): postgresql10-docs-10.19-8.41.1 References: https://www.suse.com/security/cve/CVE-2021-23214.html https://www.suse.com/security/cve/CVE-2021-23222.html https://bugzilla.suse.com/1192516 . This release for Debian tackles essential flaws found in mysql5 to boost security measures and improve operational consistency.. openSUSE PostgreSQL Update, Postgresql Security Patch, SSL Improvements. . Severity: Important. LinuxSecurity.com Team
DLA-2836-1 was rolled out, fixing CVE-2021-43527 in nss, but that lead to a regression, preventing SSL connections in Chromium. The complete bug report could be found here: . . - ----------------------------------------------------------------------- Debian LTS Advisory DLA-2836-2
PostgreSQL 9.6.23 fixes this security issue: Disallow SSL renegotiation more completely (Michael Paquier) . ------------------------------------------------------------------------- Debian LTS Advisory DLA-2751-1
An update that fixes two vulnerabilities is now available.. openSUSE Security Update: Security update for apache-commons-httpclient ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:1875-1 Rating: important References: #1178171 #945190 Cross-References: CVE-2014-3577 CVE-2015-5262 Affected Products: openSUSE Leap 15.2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for apache-commons-httpclient fixes the following issues: - http/conn/ssl/SSLConnectionSocketFactory.java ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors. [bsc#945190, CVE-2015-5262] - org.apache.http.conn.ssl.AbstractVerifier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows MITM attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate. [bsc#1178171, CVE-2014-3577] This update was imported from the SUSE:SLE-15-SP2:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-1875=1 Package List: - openSUSE Leap 15.2 (noarch): apache-commons-httpclient-3.1-lp152.6.3.1 apache-commons-httpclient-demo-3.1-lp152.6.3.1 apache-commons-httpclient-javadoc-3.1-lp152.6.3.1 apache-commons-httpclient-manual-3.1-lp152.6.3.1 References: https://www.suse.com/security/cve/CVE-2014-3577.html https://www.suse.com/security/cve/CVE-2015-5262.html https://bugzilla.suse.com/1178171 https://bugzilla.suse.com/945190 -- . A crucial security patch for openSUSE targets weaknesses found in apache-commons-httpclient. Read on for more information.. openSUSE Security Update, apache update, apache-commons-httpclient patch, important security patch. . Severity: Important. LinuxSecurity.com Team
An update that solves two vulnerabilities and has one errata is now available. . SUSE Security Update: Security update for dovecot22 ______________________________________________________________________________ Announcement ID: SUSE-SU-2019:0900-1 Rating: important References: #1111789 #1123022 #1130116 Cross-References: CVE-2019-3814 CVE-2019-7524 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Software Development Kit 12-SP4 SUSE Linux Enterprise Software Development Kit 12-SP3 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server for SAP 12-SP1 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP2-BCL SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Server 12-LTSS SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that solves two vulnerabilities and has one errata is now available. Description: This update for dovecot22 fixes the following issues: Security issues fixed: - CVE-2019-7524: Fixed an improper file handling which could result in stack overflow allowing local root escalation (bsc#1130116). - CVE-2019-3814: Fixed a vulnerability related to SSL client certificate authentication (bsc#1123022). Other issue fixed: - Fixed handling of command continuation(bsc#1111789) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2019-900=1 - SUSE LinuxEnterprise Software Development Kit 12-SP4: zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-900=1 - SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2019-900=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-900=1 - SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-900=1 - SUSE Linux Enterprise Server 12-SP4: zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-900=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-900=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-900=1 - SUSE Linux Enterprise Server 12-SP2-BCL: zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-900=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-900=1 - SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2019-900=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2019-900=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): dovecot22-2.2.31-19.14.2 dovecot22-backend-mysql-2.2.31-19.14.2 dovecot22-backend-mysql-debuginfo-2.2.31-19.14.2 dovecot22-backend-pgsql-2.2.31-19.14.2 dovecot22-backend-pgsql-debuginfo-2.2.31-19.14.2 dovecot22-backend-sqlite-2.2.31-19.14.2 dovecot22-backend-sqlite-debuginfo-2.2.31-19.14.2 dovecot22-debuginfo-2.2.31-19.14.2 dovecot22-debugsource-2.2.31-19.14.2 - SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64): dovecot22-debuginfo-2.2.31-19.14.2 dovecot22-debugsource-2.2.31-19.14.2 dovecot22-devel-2.2.31-19.14.2 - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64): dovecot22-debuginfo-2.2.31-19.14.2 dovecot22-debugsource-2.2.31-19.14.2 dovecot22-devel-2.2.31-19.14.2 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): dovecot22-2.2.31-19.14.2 dovecot22-backend-mysql-2.2.31-19.14.2 dovecot22-backend-mysql-debuginfo-2.2.31-19.14.2 dovecot22-backend-pgsql-2.2.31-19.14.2 dovecot22-backend-pgsql-debuginfo-2.2.31-19.14.2 dovecot22-backend-sqlite-2.2.31-19.14.2 dovecot22-backend-sqlite-debuginfo-2.2.31-19.14.2 dovecot22-debuginfo-2.2.31-19.14.2 dovecot22-debugsource-2.2.31-19.14.2 - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64): dovecot22-2.2.31-19.14.2 dovecot22-backend-mysql-2.2.31-19.14.2 dovecot22-backend-mysql-debuginfo-2.2.31-19.14.2 dovecot22-backend-pgsql-2.2.31-19.14.2 dovecot22-backend-pgsql-debuginfo-2.2.31-19.14.2 dovecot22-backend-sqlite-2.2.31-19.14.2 dovecot22-backend-sqlite-debuginfo-2.2.31-19.14.2 dovecot22-debuginfo-2.2.31-19.14.2 dovecot22-debugsource-2.2.31-19.14.2 - SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64): dovecot22-2.2.31-19.14.2 dovecot22-backend-mysql-2.2.31-19.14.2 dovecot22-backend-mysql-debuginfo-2.2.31-19.14.2 dovecot22-backend-pgsql-2.2.31-19.14.2 dovecot22-backend-pgsql-debuginfo-2.2.31-19.14.2 dovecot22-backend-sqlite-2.2.31-19.14.2 dovecot22-backend-sqlite-debuginfo-2.2.31-19.14.2 dovecot22-debuginfo-2.2.31-19.14.2 dovecot22-debugsource-2.2.31-19.14.2 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): dovecot22-2.2.31-19.14.2 dovecot22-backend-mysql-2.2.31-19.14.2 dovecot22-backend-mysql-debuginfo-2.2.31-19.14.2 dovecot22-backend-pgsql-2.2.31-19.14.2 dovecot22-backend-pgsql-debuginfo-2.2.31-19.14.2 dovecot22-backend-sqlite-2.2.31-19.14.2 dovecot22-backend-sqlite-debuginfo-2.2.31-19.14.2 dovecot22-debuginfo-2.2.31-19.14.2 dovecot22-debugsource-2.2.31-19.14.2 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390xx86_64): dovecot22-2.2.31-19.14.2 dovecot22-backend-mysql-2.2.31-19.14.2 dovecot22-backend-mysql-debuginfo-2.2.31-19.14.2 dovecot22-backend-pgsql-2.2.31-19.14.2 dovecot22-backend-pgsql-debuginfo-2.2.31-19.14.2 dovecot22-backend-sqlite-2.2.31-19.14.2 dovecot22-backend-sqlite-debuginfo-2.2.31-19.14.2 dovecot22-debuginfo-2.2.31-19.14.2 dovecot22-debugsource-2.2.31-19.14.2 - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64): dovecot22-2.2.31-19.14.2 dovecot22-backend-mysql-2.2.31-19.14.2 dovecot22-backend-mysql-debuginfo-2.2.31-19.14.2 dovecot22-backend-pgsql-2.2.31-19.14.2 dovecot22-backend-pgsql-debuginfo-2.2.31-19.14.2 dovecot22-backend-sqlite-2.2.31-19.14.2 dovecot22-backend-sqlite-debuginfo-2.2.31-19.14.2 dovecot22-debuginfo-2.2.31-19.14.2 dovecot22-debugsource-2.2.31-19.14.2 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): dovecot22-2.2.31-19.14.2 dovecot22-backend-mysql-2.2.31-19.14.2 dovecot22-backend-mysql-debuginfo-2.2.31-19.14.2 dovecot22-backend-pgsql-2.2.31-19.14.2 dovecot22-backend-pgsql-debuginfo-2.2.31-19.14.2 dovecot22-backend-sqlite-2.2.31-19.14.2 dovecot22-backend-sqlite-debuginfo-2.2.31-19.14.2 dovecot22-debuginfo-2.2.31-19.14.2 dovecot22-debugsource-2.2.31-19.14.2 - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64): dovecot22-2.2.31-19.14.2 dovecot22-backend-mysql-2.2.31-19.14.2 dovecot22-backend-mysql-debuginfo-2.2.31-19.14.2 dovecot22-backend-pgsql-2.2.31-19.14.2 dovecot22-backend-pgsql-debuginfo-2.2.31-19.14.2 dovecot22-backend-sqlite-2.2.31-19.14.2 dovecot22-backend-sqlite-debuginfo-2.2.31-19.14.2 dovecot22-debuginfo-2.2.31-19.14.2 dovecot22-debugsource-2.2.31-19.14.2 - SUSE Enterprise Storage 4 (x86_64): dovecot22-2.2.31-19.14.2 dovecot22-backend-mysql-2.2.31-19.14.2 dovecot22-backend-mysql-debuginfo-2.2.31-19.14.2 dovecot22-backend-pgsql-2.2.31-19.14.2 dovecot22-backend-pgsql-debuginfo-2.2.31-19.14.2 dovecot22-backend-sqlite-2.2.31-19.14.2 dovecot22-backend-sqlite-debuginfo-2.2.31-19.14.2 dovecot22-debuginfo-2.2.31-19.14.2 dovecot22-debugsource-2.2.31-19.14.2 References: https://www.suse.com/security/cve/CVE-2019-3814.html https://www.suse.com/security/cve/CVE-2019-7524.html https://bugzilla.suse.com/1111789 https://bugzilla.suse.com/1123022 https://bugzilla.suse.com/1130116 _______________________________________________ sle-security-updates mailing list
New mozilla-firefox packages are available for Slackware 14.2 and -current to fix security issues. . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] mozilla-firefox (SSA:2018-265-01) New mozilla-firefox packages are available for Slackware 14.2 and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/mozilla-firefox-60.2.1esr-i686-1_slack14.2.txz: Upgraded. This release contains security fixes and improvements. A potentially exploitable crash in TransportSecurityInfo used for SSL can be triggered by data stored in the local cache in the user profile directory. This issue is only exploitable in combination with another vulnerability allowing an attacker to write data into the local cache or from locally installed malware. This issue also triggers a non-exploitable startup crash for users switching between the Nightly and Release versions of Firefox if the same profile is used. For more information, see: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/ https://www.mozilla.org/en-US/security/advisories/mfsa2018-23/ https://www.cve.org/CVERecord?id=CVE-2018-12383 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (https://osuosl.org/) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://www.slackware.com/ for additional mirror sites near you. Updated package for Slackware 14.2: Updated package for Slackware x86_64 14.2: Updated package for Slackware -current: Updated package for Slackware x86_64 -current: MD5 signatures: +-------------+ Slackware 14.2 package: 78eb6398d14511de491425e358670ac1 mozilla-firefox-60.2.1esr-i686-1_slack14.2.txz Slackware x86_64 14.2 package: e054cddedab4f816f9d620a82c37161e mozilla-firefox-60.2.1esr-x86_64-1_slack14.2.txz Slackware-current package: fab5c7ebb3898e4a1cb6997a62c64793 xap/mozilla-firefox-60.2.1esr-i686-1.txz Slackware x86_64 -current package: 0a72f509c4ada2b4a298d06d506253c7 xap/mozilla-firefox-60.2.1esr-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg mozilla-firefox-60.2.1esr-i686-1_slack14.2.txz +-----+ . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] mozilla-firefox (SSA:2018-265-01). mozilla-firefox, packages, slackware, -current, security. . Severity: Critical. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.