Rocky Linux Security Advisory RLSA-2024:1687 - Important: nodejs:20 security update

Advisory ID: RLSA-2024:1687
Type: security
Severity: Important
Published: 2024-05-06
Affected Products: Rocky Linux 8
Reboot suggested: no

Topic:
An update is available for nodejs-nodemon, module.nodejs, nodejs, module.nodejs-nodemon, module.nodejs-packaging, nodejs-packaging.
This update affects Rocky Linux 8.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list.

Description:
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.

Security Fix(es):
- nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin) (CVE-2023-46809)
- nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (CVE-2024-22019)
- nodejs: code injection and privilege escalation through Linux capabilities (CVE-2024-21892)
- nodejs: path traversal by monkey-patching buffer internals (CVE-2024-21896)
- nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization (CVE-2024-21891)
- nodejs: improper handling of wildcards in --allow-fs-read and --allow-fs-write (CVE-2024-21890)
- nodejs: setuid() does not drop all privileges due to io_uring (CVE-2024-22017)

Fixes (Red Hat Bugzilla):
- https://bugzilla.redhat.com/show_bug.cgi?id=2264569
- https://bugzilla.redhat.com/show_bug.cgi?id=2264574
- https://bugzilla.redhat.com/show_bug.cgi?id=2264582
- https://bugzilla.redhat.com/show_bug.cgi?id=2265717
- https://bugzilla.redhat.com/show_bug.cgi?id=2265720
- https://bugzilla.redhat.com/show_bug.cgi?id=2265722
- https://bugzilla.redhat.com/show_bug.cgi?id=2265727

CVEs (source: MITRE; the advisory lists CVSS3 vector, base score and CWE as UNKNOWN for each):
- https://www.cve.org/CVERecord?id=CVE-2023-46809
- https://www.cve.org/CVERecord?id=CVE-2024-21890
- https://www.cve.org/CVERecord?id=CVE-2024-21891
- https://www.cve.org/CVERecord?id=CVE-2024-21892
- https://www.cve.org/CVERecord?id=CVE-2024-21896
- https://www.cve.org/CVERecord?id=CVE-2024-22017
- https://www.cve.org/CVERecord?id=CVE-2024-22019

Updated packages (Rocky Linux 8):
- nodejs-1:20.11.1-1.module+el8.9.0+1776+addd4aec.aarch64.rpm
- nodejs-1:20.11.1-1.module+el8.9.0+1776+addd4aec.src.rpm
- nodejs-1:20.11.1-1.module+el8.9.0+1776+addd4aec.x86_64.rpm
- nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+1776+addd4aec.aarch64.rpm
- nodejs-debuginfo-1:20.11.1-1.module+el8.9.0+1776+addd4aec.x86_64.rpm
- nodejs-debugsource-1:20.11.1-1.module+el8.9.0+1776+addd4aec.aarch64.rpm
- nodejs-debugsource-1:20.11.1-1.module+el8.9.0+1776+addd4aec.x86_64.rpm
- nodejs-devel-1:20.11.1-1.module+el8.9.0+1776+addd4aec.aarch64.rpm
- nodejs-devel-1:20.11.1-1.module+el8.9.0+1776+addd4aec.x86_64.rpm
- nodejs-docs-1:20.11.1-1.module+el8.9.0+1776+addd4aec.noarch.rpm
- nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+1776+addd4aec.aarch64.rpm
- nodejs-full-i18n-1:20.11.1-1.module+el8.9.0+1776+addd4aec.x86_64.rpm
- nodejs-nodemon-0:3.0.1-1.module+el8.8.0+1459+02651ab6.noarch.rpm
- nodejs-nodemon-0:3.0.1-1.module+el8.8.0+1459+02651ab6.src.rpm
- nodejs-packaging-0:2021.06-4.module+el8.7.0+1072+5b168780.noarch.rpm
- nodejs-packaging-0:2021.06-4.module+el8.7.0+1072+5b168780.src.rpm
- nodejs-packaging-bundler-0:2021.06-4.module+el8.7.0+1072+5b168780.noarch.rpm
- npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+1776+addd4aec.aarch64.rpm
- npm-1:10.2.4-1.20.11.1.1.module+el8.9.0+1776+addd4aec.x86_64.rpm
MGASA-2024-0031 - Updated gnutls packages fix security vulnerabilities

Publication date: 09 Feb 2024
URL: https://advisories.mageia.org/MGASA-2024-0031.html
Type: security
Severity: Critical
Affected Mageia releases: 9
CVE: CVE-2024-0567, CVE-2024-0553

The updated packages fix security vulnerabilities:

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack. (CVE-2024-0567)

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981. (CVE-2024-0553)

References:
- https://bugs.mageia.org/show_bug.cgi?id=32755
- https://www.openwall.com/lists/oss-security/2024/01/19/3
- https://www.cve.org/CVERecord?id=CVE-2024-0567
- https://www.cve.org/CVERecord?id=CVE-2024-0553

SRPMS:
- 9/core/gnutls-3.8.0-2.2.mga9
openSUSE Security Update: Security update for libcryptopp
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1968-1
Rating: moderate
References: #1143532
Cross-References: CVE-2019-14318
Affected Products:
- openSUSE Leap 15.1
- openSUSE Leap 15.0
- openSUSE Backports SLE-15-SP1
- openSUSE Backports SLE-15
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for libcryptopp fixes the following issues:

- CVE-2019-14318: Fixed a timing side channel vulnerability in the ECDSA signature generation (boo#1143532).

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.1: zypper in -t patch openSUSE-2019-1968=1
- openSUSE Leap 15.0: zypper in -t patch openSUSE-2019-1968=1
- openSUSE Backports SLE-15-SP1: zypper in -t patch openSUSE-2019-1968=1
- openSUSE Backports SLE-15: zypper in -t patch openSUSE-2019-1968=1

Package List:

- openSUSE Leap 15.1 (i586 x86_64):
  libcryptopp-debugsource-5.6.5-lp151.3.3.1
  libcryptopp-devel-5.6.5-lp151.3.3.1
  libcryptopp5_6_5-5.6.5-lp151.3.3.1
  libcryptopp5_6_5-debuginfo-5.6.5-lp151.3.3.1

- openSUSE Leap 15.1 (x86_64):
  libcryptopp5_6_5-32bit-5.6.5-lp151.3.3.1
  libcryptopp5_6_5-32bit-debuginfo-5.6.5-lp151.3.3.1

- openSUSE Leap 15.0 (i586 x86_64):
  libcryptopp-debugsource-5.6.5-lp150.2.3.1
  libcryptopp-devel-5.6.5-lp150.2.3.1
  libcryptopp5_6_5-5.6.5-lp150.2.3.1
  libcryptopp5_6_5-debuginfo-5.6.5-lp150.2.3.1

- openSUSE Leap 15.0 (x86_64):
  libcryptopp5_6_5-32bit-5.6.5-lp150.2.3.1
  libcryptopp5_6_5-32bit-debuginfo-5.6.5-lp150.2.3.1

- openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):
  libcryptopp-devel-5.6.5-bp151.4.3.1
  libcryptopp5_6_5-5.6.5-bp151.4.3.1

- openSUSE Backports SLE-15-SP1 (aarch64_ilp32):
  libcryptopp5_6_5-64bit-5.6.5-bp151.4.3.1

- openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):
  libcryptopp-debugsource-5.6.5-bp150.3.3.1
  libcryptopp-devel-5.6.5-bp150.3.3.1
  libcryptopp5_6_5-5.6.5-bp150.3.3.1
  libcryptopp5_6_5-debuginfo-5.6.5-bp150.3.3.1

- openSUSE Backports SLE-15 (aarch64_ilp32):
  libcryptopp5_6_5-64bit-5.6.5-bp150.3.3.1
  libcryptopp5_6_5-64bit-debuginfo-5.6.5-bp150.3.3.1

References:
- https://www.suse.com/security/cve/CVE-2019-14318.html
- https://bugzilla.suse.com/1143532
openSUSE Security Update: Security update for openssl-1_0_0
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:4050-1
Rating: moderate
References: #1100078 #1112209 #1113534 #1113652 #1113742
Cross-References: CVE-2018-0734 CVE-2018-5407
Affected Products:
- openSUSE Leap 15.0
______________________________________________________________________________

An update that solves two vulnerabilities and has three fixes is now available.

Description:

This update for openssl-1_0_0 fixes the following issues:

Security issues fixed:

- CVE-2018-0734: Fixed a timing vulnerability in DSA signature generation (bsc#1113652).
- CVE-2018-5407: Added elliptic curve scalar multiplication timing attack defenses that fix "PortSmash" (bsc#1113534).

Non-security issues fixed:

- Added missing timing side channel patch for DSA signature generation (bsc#1113742).
- Set TLS version to 0 in msg_callback for record messages to avoid confusing applications (bsc#1100078).
- Fixed infinite loop in DSA generation with incorrect parameters (bsc#1112209).

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0: zypper in -t patch openSUSE-2018-1518=1

Package List:

- openSUSE Leap 15.0 (i586 x86_64):
  libopenssl-1_0_0-devel-1.0.2p-lp150.2.9.1
  libopenssl1_0_0-1.0.2p-lp150.2.9.1
  libopenssl1_0_0-debuginfo-1.0.2p-lp150.2.9.1
  libopenssl1_0_0-hmac-1.0.2p-lp150.2.9.1
  libopenssl1_0_0-steam-1.0.2p-lp150.2.9.1
  libopenssl1_0_0-steam-debuginfo-1.0.2p-lp150.2.9.1
  openssl-1_0_0-1.0.2p-lp150.2.9.1
  openssl-1_0_0-cavs-1.0.2p-lp150.2.9.1
  openssl-1_0_0-cavs-debuginfo-1.0.2p-lp150.2.9.1
  openssl-1_0_0-debuginfo-1.0.2p-lp150.2.9.1
  openssl-1_0_0-debugsource-1.0.2p-lp150.2.9.1

- openSUSE Leap 15.0 (noarch):
  openssl-1_0_0-doc-1.0.2p-lp150.2.9.1

- openSUSE Leap 15.0 (x86_64):
  libopenssl-1_0_0-devel-32bit-1.0.2p-lp150.2.9.1
  libopenssl1_0_0-32bit-1.0.2p-lp150.2.9.1
  libopenssl1_0_0-32bit-debuginfo-1.0.2p-lp150.2.9.1
  libopenssl1_0_0-hmac-32bit-1.0.2p-lp150.2.9.1
  libopenssl1_0_0-steam-32bit-1.0.2p-lp150.2.9.1
  libopenssl1_0_0-steam-32bit-debuginfo-1.0.2p-lp150.2.9.1

References:
- https://www.suse.com/security/cve/CVE-2018-0734.html
- https://www.suse.com/security/cve/CVE-2018-5407.html
- https://bugzilla.suse.com/1100078
- https://bugzilla.suse.com/1112209
- https://bugzilla.suse.com/1113534
- https://bugzilla.suse.com/1113652
- https://bugzilla.suse.com/1113742