Debian LTS Advisory DLA-4224-1

Template injection that can lead to XSS has been fixed in node-send, a Node.js module for streaming files over HTTP. For Debian 11 bullseye, this problem has been fixed in version .
MGASA-2023-0169 - Updated golang packages fix security vulnerability

Publication date: 16 May 2023
URL: https://advisories.mageia.org/MGASA-2023-0169.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2023-24539, CVE-2023-24540, CVE-2023-29400

Angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input. (CVE-2023-24539)

Not all valid JavaScript whitespace characters were considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution. (CVE-2023-24540)

Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input could result in output that would have unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags. (CVE-2023-29400)

References:
- https://bugs.mageia.org/show_bug.cgi?id=31886
- https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
- https://lists.suse.com/pipermail/sle-security-updates/2023-May/014738.html
- https://www.cve.org/CVERecord?id=CVE-2023-24539
- https://www.cve.org/CVERecord?id=CVE-2023-24540
- https://www.cve.org/CVERecord?id=CVE-2023-29400

SRPMS:
- 8/core/golang-1.19.9-1.mga8
Severity: Critical. LinuxSecurity.com Team
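The CSS-context and unquoted-attribute cases from the golang advisory above, as an added example that is not part of the advisory or of Go's own code: it runs html/template over two constructed templates and shows what a patched toolchain (golang 1.19.9 as shipped by this update, or newer) emits, substituting the library's "ZgotmplZ" failsafe for a CSS value containing an angle bracket and for an empty unquoted attribute value. The template strings and sample values are constructed here; the JavaScript-whitespace case (CVE-2023-24540) is not demonstrated.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Constructed templates (not from the advisory) that place one action in
// each of the two contexts the advisory names: a CSS value inside <style>,
// and an unquoted HTML attribute value.
const (
	cssTmpl  = `<style>p { color: {{.}} }</style>`
	attrTmpl = `<div class={{.}}>hi</div>`
)

// render parses a one-action html/template, executes it with data and
// returns the contextually escaped output.
func render(name, src string, data any) (string, error) {
	tmpl, err := template.New(name).Parse(src)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := tmpl.Execute(&sb, data); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// renderCSS renders the CSS-context template. A patched html/template
// replaces a value containing '<' or '>' with the "ZgotmplZ" failsafe
// instead of letting it reach the stylesheet (CVE-2023-24539).
func renderCSS(value string) (string, error) { return render("css", cssTmpl, value) }

// renderUnquotedAttr renders the unquoted-attribute template. A patched
// html/template substitutes "ZgotmplZ" for an empty value so the attribute
// never collapses to `class=` followed directly by the next token
// (CVE-2023-29400); non-empty values get their spaces encoded.
func renderUnquotedAttr(value string) (string, error) { return render("attr", attrTmpl, value) }

func main() {
	for _, v := range []string{"red", "a>b"} {
		out, err := renderCSS(v)
		fmt.Printf("css  %q -> %q (err=%v)\n", v, out, err)
	}
	for _, v := range []string{"a b", ""} {
		out, err := renderUnquotedAttr(v)
		fmt.Printf("attr %q -> %q (err=%v)\n", v, out, err)
	}
}
```

On an unpatched toolchain the "a>b" and empty-string cases pass through unchanged, which is exactly the behaviour the update removes.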
SUSE Security Update: Security update for ansible

Announcement ID: SUSE-SU-2021:4152-1
Rating: important
References: #1176460 #1187725 #1188061
Cross-References: CVE-2021-3583 CVE-2021-3620
CVSS scores:
CVE-2021-3583 (SUSE): 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CVE-2021-3620 (SUSE): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected Products:
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud 8
HPE Helion Openstack 8

An update that solves two vulnerabilities and has one errata is now available.

Description:

This update for ansible fixes the following issues:

Update to 2.9.27:
- CVE-2021-3620: ansible-connection module discloses sensitive info in traceback error message (bsc#1187725).
- CVE-2021-3583: Template Injection through yaml multi-line strings with ansible facts used in template (bsc#1188061).
- ansible module nmcli is broken in ansible 2.9.13 (bsc#1176460)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:
- SUSE OpenStack Cloud Crowbar 8: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-4152=1
- SUSE OpenStack Cloud 8: zypper in -t patch SUSE-OpenStack-Cloud-8-2021-4152=1
- HPE Helion Openstack 8: zypper in -t patch HPE-Helion-OpenStack-8-2021-4152=1

Package List:
- SUSE OpenStack Cloud Crowbar 8 (x86_64): ansible-2.9.27-3.21.1
- SUSE OpenStack Cloud 8 (x86_64): ansible-2.9.27-3.21.1
- HPE Helion Openstack 8 (x86_64): ansible-2.9.27-3.21.1

References:
https://www.suse.com/security/cve/CVE-2021-3583.html
https://www.suse.com/security/cve/CVE-2021-3620.html
https://bugzilla.suse.com/1176460
https://bugzilla.suse.com/1187725
https://bugzilla.suse.com/1188061

Severity: Important.
Debian Security Advisory DSA-5011-1

Multiple security vulnerabilities have been discovered in Salt, a powerful remote execution manager, that allow for local privilege escalation on a minion, server side template injection attacks, insufficient checks for eauth credentials, shell and command injections or incorrect validation of SSL .
Debian LTS Advisory DLA-2815-1

Multiple security vulnerabilities have been discovered in Salt, a powerful remote execution manager, that allow for local privilege escalation on a minion, server side template injection attacks, insufficient checks for eauth credentials, shell and command injections or incorrect validation of .
Fedora Update Notification FEDORA-2021-3a640d3d4c
2021-09-29 00:16:07.673853

Name : cobbler
Product : Fedora 35
Version : 3.2.2
Release : 2.fc35
URL : https://cobbler.github.io/
Summary : Boot server configurator
Description :
Cobbler is a network install server. Cobbler supports PXE, ISO virtualized installs, and re-installing existing Linux machines. The last two modes use a helper tool, 'koan', that integrates with cobbler. There is also a web interface 'cobbler-web'. Cobbler's advanced features include importing distributions from DVDs and rsync mirrors, kickstart templating, integrated yum mirroring, and built-in DHCP/DNS Management. Cobbler has a XML-RPC API for integration with other applications.

Update Information:

* Migrate settings to settings.yaml
* Migrate pre-cobbler 3 data if needed
* Fix autoinstall_templates -> templates

Update to 3.2.2

New:
* Signatures: Add ESXi 7.0 U1 #2525 #2526 #2442
* AlmaLinux & RockyLinux are now supported
* Signatures: Add generic openSUSE Leap 15 #2508
* Settings: Use .yaml as a file extension #2531
* Settings: Validate what settings we have in the YAML-File #2533 #2419 #2530
* Modules: We now support automatic Windows installations #2466
* Docs: Terraform provider now included #2166 #2528

Changes:
* Web Frontend: Show VMware as a breed #2449
* Logging check fails with SELinux #2440 #2441
* Typing: Convert docstring types to typing types #2564
* ESXi Support: Now partly supported #2541
* ipmitool now is upstream supported by fence_agents via ipmilanplus #2542
* cobbler version remove the b prefix #2543
* We are now using inst.ks instead of ks #2534
* Use the python-file bindings instead of a subprocess call #2482 #2480
* Web Interface: Make new user management more obvious #2484

Bugfixes:
* Remove redundant .json suffix: #2451 #2376 #2545 #2529
* PAM Authentication failures are fixed now: #2400 #2444
* Templating: Fix Cheetah macros #2570 #2509 #2403
* Templating: Fix regex replacements #2513
* Templating: Add http_port to all snippets we are aware of #2058
* API: Have the legacy fields kickstart and ks_meta present at all times. #2311 #2568
* Replicate: revert_strip_none prior adding an object on replicate #2548 #2505
* Replicate: Fix paths during replication #2516
* Web interface: Fix snippet path #2520
* Web interface: Prevent duplicate pathing of snippets #2485
* Fix script path from Cobbler #2479 #2478
* Settings: Add missing rsync flags option #2467 #2468
* Startup: Cobbler starts with sub-profiles now #2259 #2450
* Web: Permissions for /var/lib/cobbler/web.ss #2439 #2452
* Power management: Follow the fence_agent return codes #1491
* cobbler check: Fix dnsmasq check #2155

Other:
* Cleanup unused import #2551
* Docs: Improvements at various places #2547 #2481 #2473 #1801 #2228
* Removed unused multi-language support #2532
* Un-categorized improvements #2524 #2464
* Items: Streamline template_types type in all items #2262

Breaking Changes:
* Possibly the settings file is not correctly migrated and needs to be manually adjusted.
* Rename settings to settings.yaml
* Add all keys which are missing. List will be available in /var/log/cobbler/cobbler.log.
* We dropped support for CentOS 7 since no full Python 3 stack is available #2515

Fedora:
* bz#2006840: CVE-2021-40323: Arbitrary file disclosure/Template Injection
* bz#2006897: CVE-2021-40324: Arbitrary file write via upload_log_data XMLRPC function
* bz#2006904: CVE-2021-40325: Authorization bypass allows modifying settings

ChangeLog:

* Thu Sep 23 2021 Orion Poplawski - 3.2.2-2
- Migrate settings to settings.yaml
- Migrate pre-cobbler 3 data if needed
- Fix autoinstall_templates -> templates
* Thu Sep 23 2021 Orion Poplawski - 3.2.2-1
- Update to 3.2.2
- bz#2006840: CVE-2021-40323: Arbitrary file disclosure/Template Injection
- bz#2006897: CVE-2021-40324: Arbitrary file write via upload_log_data XMLRPC function
- bz#2006904: CVE-2021-40325: Authorization bypass allows modifying settings
* Wed Sep 22 2021 Orion Poplawski - 3.2.1-1
- Update to 3.2.1

References:

[ 1 ] Bug #2006840 - CVE-2021-40323 cobbler: Arbitrary File Disclosure/Template Injection via generate_script RPC method
https://bugzilla.redhat.com/show_bug.cgi?id=2006840
[ 2 ] Bug #2006897 - CVE-2021-40324 cobbler: Arbitrary file write via upload_log_data XMLRPC function
https://bugzilla.redhat.com/show_bug.cgi?id=2006897
[ 3 ] Bug #2006904 - CVE-2021-40325 cobbler: Authorization bypass allows modifying settings
https://bugzilla.redhat.com/show_bug.cgi?id=2006904

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2021-3a640d3d4c' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
MGASA-2021-0420 - Updated ansible packages fix security vulnerability

Publication date: 23 Sep 2021
URL: https://advisories.mageia.org/MGASA-2021-0420.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-3447, CVE-2021-3583

A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2 (CVE-2021-3447).

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity (CVE-2021-3583).

References:
- https://bugs.mageia.org/show_bug.cgi?id=28832
- https://access.redhat.com/errata/RHSA-2021:1342
- https://access.redhat.com/errata/RHSA-2021:2664
- https://github.com/ansible/ansible/blob/v2.9.24/changelogs/CHANGELOG-v2.9.rst
- https://www.cve.org/CVERecord?id=CVE-2021-3447
- https://www.cve.org/CVERecord?id=CVE-2021-3583

SRPMS:
- 8/core/ansible-2.9.24-1.mga8

Severity: Critical.
Red Hat Security Advisory

Synopsis: Important: Ansible security and bug fix update (2.9.23)
Advisory ID: RHSA-2021:2663-01
Product: Red Hat Ansible Engine
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2663
Issue date: 2021-07-07
CVE Names: CVE-2021-3583

1. Summary:

An update for ansible is now available for Ansible Engine 2.9

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Ansible Engine 2.9 for RHEL 7 Server - noarch
Red Hat Ansible Engine 2.9 for RHEL 8 - noarch

3. Description:

Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically.

The following packages have been upgraded to a newer upstream version: ansible (2.9.23)

Bug Fix(es):

* CVE-2021-3583 ansible: Template Injection through yaml multi-line strings with ansible facts used in template.

See: https://github.com/ansible/ansible/blob/v2.9.23/changelogs/CHANGELOG-v2.9.rst for details on bug fixes in this release.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1968412 - CVE-2021-3583 ansible: Template Injection through yaml multi-line strings with ansible facts used in template.

6. Package List:

Red Hat Ansible Engine 2.9 for RHEL 7 Server:
Source: ansible-2.9.23-1.el7ae.src.rpm
noarch: ansible-2.9.23-1.el7ae.noarch.rpm ansible-test-2.9.23-1.el7ae.noarch.rpm

Red Hat Ansible Engine 2.9 for RHEL 8:
Source: ansible-2.9.23-1.el8ae.src.rpm
noarch: ansible-2.9.23-1.el8ae.noarch.rpm ansible-test-2.9.23-1.el8ae.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3583
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.