Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 524
Alerts This Week
Warning Icon 1 524

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found 26 articles for you...
89

Fedora 39: FEDORA-2024-a58a7e2388 Critical: perl-Data-UUID Symlink Risk

This update fixes CVE-2013-4184 (possible symlink attack due to use of predictable temporary file names). The module no longer saves state in temporary files at all.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2024-a58a7e2388 2024-03-28 01:25:38.092437 -------------------------------------------------------------------------------- Name : perl-Data-UUID Product : Fedora 39 Version : 1.227 Release : 1.fc39 URL : https://metacpan.org/dist/Data-UUID Summary : Globally/Universally Unique Identifiers (GUIDs/UUIDs) Description : This module provides a framework for generating v3 UUIDs (Universally Unique Identifiers, also known as GUIDs (Globally Unique Identifiers). A UUID is 128 bits long, and is guaranteed to be different from all other UUIDs/GUIDs generated until 3400 CE. UUIDs were originally used in the Network Computing System (NCS) and later in the Open Software Foundation's (OSF) Distributed Computing Environment. Currently many different technologies rely on UUIDs to provide unique identity for various software components. Microsoft COM/DCOM for instance, uses GUIDs very extensively to uniquely identify classes, applications and components across network-connected systems. The algorithm for UUID generation, used by this extension, is described in the Internet Draft "UUIDs and GUIDs" by Paul J. Leach and Rich Salz (see RFC 4122). It provides a reasonably efficient and reliable framework for generating UUIDs and supports fairly high allocation rates - 10 million per second per machine - and therefore is suitable for identifying both extremely short-lived and very persistent objects on a given system as well as across the network. This module provides several methods to create a UUID. In all methods, is a UUID and is a free form string. -------------------------------------------------------------------------------- Update Information: This update fixesCVE-2013-4184 (possible symlink attack due to use of predictable temporary file names). The module no longer saves state in temporary files at all. -------------------------------------------------------------------------------- ChangeLog: * Tue Mar 19 2024 Paul Howarth - 1.227-1 - Update to 1.227 - New maintainer, GTERMARS - Add basic GitHub Actions setup for testing - Typo corrections in POD - Eliminated use of state/node files in temp directory (CVE-2013-4184) * Thu Jan 25 2024 Fedora Release Engineering - 1.226-16 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild * Sun Jan 21 2024 Fedora Release Engineering - 1.226-15 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild * Tue Aug 29 2023 Jitka Plesnikova - 1.226-14 - Update license to SPDX format -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-a58a7e2388' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./ Do not reply to spam, report it: . The patch addressing CVE-2013-4184 in perl-Data-UUID enhances the management of temporary files to mitigaterisks associated with symlink attacks.. Fedora Updates, Symlink Attack Prevention, Perl Module Security. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Mar 28, 2024 Critical Fedora
202

openSUSE 2023:0270-1 Moderate: Cadence Security Fix for Temporary Files

An update that contains security fixes can now be installed. . openSUSE Security Update: Security update for Cadence ______________________________________________________________________________ Announcement ID: openSUSE-SU-2023:0270-1 Rating: moderate References: #1213330 #1213983 #1213985 Affected Products: openSUSE Backports SLE-15-SP4 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for Cadence fixes the following issues: - Fix security bugs related to use of Fixed Temporary Files. (boo#1213330, boo#1213983, boo#1213985) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP4: zypper in -t patch openSUSE-2023-270=1 Package List: - openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64): Cadence-0.9.1-bp154.2.3.1 References: https://bugzilla.suse.com/1213330 https://bugzilla.suse.com/1213983 https://bugzilla.suse.com/1213985 . Apply security fixes for Cadence using the most recent openSUSE update to mitigate medium-risk vulnerabilities.. openSUSE Security Update,Cadence Fixes,SLE-15 Security Patch. . LinuxSecurity.com Team

Calendar%202 Sep 26, 2023 OpenSUSE
202

openSUSE: 2018:4213-1 Moderate: keepalived Security Update

An update that fixes three vulnerabilities is now available. Description: Description: This update for keepalived to version 2.0.10 fixes the following issues: Security issues fixed (bsc#1015141): - CVE-2018-19044: Fixed a check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats - CVE-2018-19045: Fixed mode when creating new temporary files upo [More...]. openSUSE Security Update: Security update for keepalived ______________________________________________________________________________ Announcement ID: openSUSE-SU-2018:4213-1 Rating: moderate References: #1015141 #1069468 #949238 Cross-References: CVE-2018-19044 CVE-2018-19045 CVE-2018-19046 Affected Products: SUSE Package Hub for SUSE Linux Enterprise 12 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for keepalived to version 2.0.10 fixes the following issues: Security issues fixed (bsc#1015141): - CVE-2018-19044: Fixed a check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats - CVE-2018-19045: Fixed mode when creating new temporary files upon a call to PrintData or PrintStats - CVE-2018-19046: Fixed a check for existing plain files when writing data to a temporary file upon a call to PrintData or PrintStats Non-security issues fixed: - Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468) - Use getaddrinfo instead of gethostbyname to workaround glibc gethostbyname function buffer overflow (bsc#949238) For the full list of changes refer to: https://www.keepalived.org/changelog.html Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you canrun the command listed for your product: - SUSE Package Hub for SUSE Linux Enterprise 12: zypper in -t patch openSUSE-2018-1575=1 Package List: - SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 ppc64le s390x x86_64): keepalived-2.0.10-6.1 References: https://www.suse.com/security/cve/CVE-2018-19044.html https://www.suse.com/security/cve/CVE-2018-19045.html https://www.suse.com/security/cve/CVE-2018-19046.html https://bugzilla.suse.com/1015141 https://bugzilla.suse.com/1069468 https://bugzilla.suse.com/949238 -- . openSUSE Security Patch for keepalived addresses several vulnerabilities, enhancing the reliability and safety of your environments.. openSUSE Security, keepalived Update, Linux Patch Management, moderate Security Advisory. . LinuxSecurity.com Team

Calendar%202 Dec 21, 2018 OpenSUSE
89

Fedora 22 FEDORA-2015-020f4b9400 Moderate: Xsupplicant Temp File Issue

Fix security issue with tmp file naming.. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2015-020f4b9400 2015-12-20 00:06:39.526376 -------------------------------------------------------------------------------- Name : xsupplicant Product : Fedora 22 Version : 2.2.0 Release : 13.fc22 URL : http://www.open1x.org/ Summary : Open Source Implementation of IEEE 802.1x Description : This software allows a GNU/Linux or BSD workstation to authenticate with a RADIUS server using 802.1x and various EAP protocols. The intended use is for computers with wireless LAN connections to complete a strong authentication before joining the network. -------------------------------------------------------------------------------- Update Information: Fix security issue with tmp file naming. -------------------------------------------------------------------------------- References: [ 1 ] Bug #1276614 - xsupplicant: Usage of fixed temtporary file https://bugzilla.redhat.com/show_bug.cgi?id=1276614 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update xsupplicant' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. https://lists.fedoraproject.org/admin/lists/package-announce.lists.fedoraproject.org/ . The resolution for the temporary file naming concern in xsupplicant enhances secure authentication protocols on Fedora 22 platforms.. xsupplicant security issues,Fedora 22 update,temporary file issues. .Severity: Important. LinuxSecurity.com Team

Calendar%202 Dec 20, 2015 Important Fedora
89

Fedora 22: FEDORA-2016-20456 Crucial: Trafficserver File Permissions Flaw

https://cwiki.apache.org/confluence/display/TS/What%27s+New+in+v5.3.x. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2015-10520 2015-06-23 03:02:16 -------------------------------------------------------------------------------- Name : trafficserver Product : Fedora 21 Version : 5.3.0 Release : 1.fc21 URL : https://trafficserver.apache.org/index.html Summary : Fast, scalable and extensible HTTP/1.1 compliant caching proxy server Description : Apache Traffic Server is a fast, scalable and extensible HTTP/1.1 compliant caching proxy server. -------------------------------------------------------------------------------- Update Information: https://cwiki.apache.org/confluence/display/TS/What%27s+New+in+v5.3.x -------------------------------------------------------------------------------- ChangeLog: * Sun Jun 21 2015 Peter Robinson 5.3.0-1 - Update to 5.3.0 LTS release - Build on aarch64 and power64 - Split perl bindings to sub package - Cleanup and modernise spec * Fri Jun 19 2015 Fedora Release Engineering - 5.0.1-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild * Sat May 2 2015 Kalev Lember - 5.0.1-3 - Rebuilt for GCC 5 C++11 ABI change * Mon Jan 26 2015 Petr Machata - 5.0.1-2 - Rebuild for boost 1.57.0 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1102559 - Add AArch64 support to trafficserver https://bugzilla.redhat.com/show_bug.cgi?id=1102559 [ 2 ] Bug #1103173 - trafficserver: insecure temporary file usage [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1103173 [ 3 ] Bug #1179204 - trafficserver: incorrect handling of "Max-Forwards" header [fedora-21] https://bugzilla.redhat.com/show_bug.cgi?id=1179204 [ 4 ] Bug #1103174 - trafficserver: insecure temporary file usage [epel-6] https://bugzilla.redhat.com/show_bug.cgi?id=1103174 [ 5 ] Bug #1133387 - CVE-2014-3525trafficserver: unspecified flaw related to health checks fixed in versions 4.2.1.1 and 5.0.1 [epel-6] https://bugzilla.redhat.com/show_bug.cgi?id=1133387 [ 6 ] Bug #1179205 - trafficserver: incorrect handling of "Max-Forwards" header [epel-7] https://bugzilla.redhat.com/show_bug.cgi?id=1179205 [ 7 ] Bug #994224 - trafficserver must be compiled with -fno-strict-aliasing, but it is not https://bugzilla.redhat.com/show_bug.cgi?id=994224 [ 8 ] Bug #955127 - trafficserver package should be built with PIE flags https://bugzilla.redhat.com/show_bug.cgi?id=955127 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update trafficserver' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. https://lists.fedoraproject.org/admin/lists/package-announce.lists.fedoraproject.org/ . Details of the trafficserver security update for Fedora reveals file permissions flaw essential for patching.. trafficserver update,Fedora security,apache trafficserver,HTTP caching,software update. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Jul 03, 2015 Critical Fedora
91

Gentoo: 201310-17 Low Severity: Pmake Symlink Attack Advisory

pmake uses temporary files in an insecure manner, allowing for symlink attacks.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201310-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low Title: pmake: Insecure temporary file usage Date: October 28, 2013 Bugs: #367891 ID: 201310-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= pmake uses temporary files in an insecure manner, allowing for symlink attacks. Background ========= pmake is Debian's version of NetBSD's make, a tool to build programs in parallel. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 sys-devel/pmake < 1.111.3.1 > = 1.111.3.1 Description ========== /usr/share/mk/bsd.lib.mk and /usr/share/mk/bsd.prog.mk create temporary files insecurely, with predictable names (/tmp/_depend[PID]), and without using $TMPDIR. Impact ===== The make include files allow local users to overwrite arbitrary files via a symlink attack. Workaround ========= There is no known workaround at this time. Resolution ========= All pmake users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =sys-devel/pmake-1.111.3.1" References ========= [ 1 ] CVE-2011-1920 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1920 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201310-17 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentialityand security of our users' machines is of utmost importance to us. Any security concerns should be addressed to This email address is being protected from spambots. You need JavaScript enabled to view it. or alternatively, you may file a bug at https://bugs.gentoo.org. License ====== Copyright 2013 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5/ . Gentoo Security Advisory GLSA 201400-15 raises an alert regarding a medium severity vulnerability associated with improper handling of file permissions during the installation process.. Gentoo Security, Pmake, Temporary Files, Symlink Attack. . Severity: Low. LinuxSecurity.com Team

Calendar%202 Oct 28, 2013 Low Gentoo
91

Gentoo: GLSA-201206-17 Normal: Symlink Attack Risk in Virtualenv

An insecure temporary file usage has been reported in virtualenv, possibly allowing symlink attacks.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201206-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: virtualenv: Insecure temporary file usage Date: June 22, 2012 Bugs: #395285 ID: 201206-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= An insecure temporary file usage has been reported in virtualenv, possibly allowing symlink attacks. Background ========= virtualenv is a virtual Python environment builder. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-python/virtualenv < 1.5.1 > = 1.5.1 Description ========== The virtualenv.py script in virtualenv does not handle temporary files securely. Impact ===== A local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application. Workaround ========= There is no known workaround at this time. Resolution ========= All virtualenv users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =dev-python/virtualenv-1.5.1" References ========= [ 1 ] CVE-2011-4617 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4617 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201206-17 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and securityof our users' machines is of utmost importance to us. Any security concerns should be addressed to This email address is being protected from spambots. You need JavaScript enabled to view it. or alternatively, you may file a bug at https://bugs.gentoo.org. License ====== Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5/ . Unsecured temporary files in virtual environments can lead to symbolic link vulnerabilities; it is advisable to update to mitigate potential risks.. Virtualenv Security,Gentoo Advisory,Temp File Misuse,Symlink Attack Risk. . LinuxSecurity.com Team

Calendar%202 Jun 22, 2012 Gentoo
172

Ubuntu 11.10: 1308-1 Critical Advisory on bzip2 Local Attack Execution

Executables compressed by bzexe could be made to run programs as yourlogin.. =========================================================================Ubuntu Security Notice USN-1308-1 December 14, 2011 bzip2 vulnerability ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS - Ubuntu 8.04 LTS Summary: Executables compressed by bzexe could be made to run programs as your login. Software Description: - bzip2: high-quality block-sorting file compressor - utilities Details: vladz discovered that executables compressed by bzexe insecurely create temporary files when they are ran. A local attacker could exploit this issue to execute arbitrary code as the user running a compressed executable. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: bzip2 1.0.5-6ubuntu1.11.10.1 Ubuntu 11.04: bzip2 1.0.5-6ubuntu1.11.04.1 Ubuntu 10.10: bzip2 1.0.5-4ubuntu1.1 Ubuntu 10.04 LTS: bzip2 1.0.5-4ubuntu0.2 Ubuntu 8.04 LTS: bzip2 1.0.4-2ubuntu4.2 In general, a standard system update will make all the necessary changes to the bzexe utility. If you have previously used bzexe to compress any executables, they need to be recompressed using the updated version. References: https://ubuntu.com/security/notices/USN-1308-1 CVE-2011-4089 Package Information: https://launchpad.net/ubuntu/+source/bzip2/1.0.5-6ubuntu1.11.10.1 https://launchpad.net/ubuntu/+source/bzip2/1.0.5-6ubuntu1.11.04.1 https://launchpad.net/ubuntu/+source/bzip2/1.0.5-4ubuntu1.1 https://launchpad.net/ubuntu/+source/bzip2/1.0.5-4ubuntu0.2 https://launchpad.net/ubuntu/+source/bzip2/1.0.4-2ubuntu4.2 . The recent Ubuntu Security Advisory USN-1308-1 highlights a significant vulnerabilityin bzip2, which could enable local malicious actors to run arbitrary code.. bzip2 exploit, Ubuntu patch, local attack execution. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Dec 14, 2011 Critical Ubuntu
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200