# Security update for google-oauth-java-client

Announcement ID: SUSE-SU-2024:0806-1
Rating: important
References:

* bsc#1199188

Cross-References:

* CVE-2021-22573

CVSS scores:

* CVE-2021-22573 ( NVD ): 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Affected Products:

* openSUSE Leap 15.5

An update that solves one vulnerability can now be installed.

## Description:

This update for google-oauth-java-client fixes the following issues:

* CVE-2021-22573: Fixed token signature not being verified (bsc#1199188).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2024-806=1

## Package List:

* openSUSE Leap 15.5 (noarch)
  * google-oauth-java-client-servlet-1.22.0-150200.3.7.1
  * google-oauth-java-client-parent-1.22.0-150200.3.7.1
  * google-oauth-java-client-1.22.0-150200.3.7.1
  * google-oauth-java-client-java6-1.22.0-150200.3.7.1
  * google-oauth-java-client-javadoc-1.22.0-150200.3.7.1

## References:

* https://www.suse.com/security/cve/CVE-2021-22573.html
* https://bugzilla.suse.com/show_bug.cgi?id=1199188
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-891c1ab1ac
2021-07-05 01:35:53.935167
--------------------------------------------------------------------------------

Name        : dovecot
Product     : Fedora 33
Version     : 2.3.15
Release     : 1.fc33
URL         : https://dovecot.org/
Summary     : Secure imap and pop3 server
Description :
Dovecot is an IMAP server for Linux/UNIX-like systems, written with security
primarily in mind. It also contains a small POP3 server. It supports mail in
either of maildir or mbox formats. The SQL drivers and authentication plug-ins
are in their subpackages.
--------------------------------------------------------------------------------
Update Information:

* CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens, if the attacker has local access.
* CVE-2021-33515: On-path attacker could have injected plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client.
* Disconnection log messages are now more standardized across services. They also always now start with "Disconnected" prefix.
* Dovecot now depends on libsystemd for systemd integration.
* Removed support for Lua 5.2. Use version 5.1 or 5.3 instead.
* config: Some settings are now marked as "hidden". It's discouraged to change these settings. They will no longer be visible in doveconf output, except if they have been changed or if doveconf -s parameter is used. See https://doc.dovecot.org/2.3/settings/advanced/ for details.
* imap-compress: Compression level is now algorithm specific. See
* indexer-worker: Convert "Indexed" info logs to an event named "indexer_worker_indexing_finished". See https://doc.dovecot.org/2.3/admin_manual/list_of_events/
+ Add TLSv1.3 support to min_protocols.
+ Allow configuring ssl_cipher_suites. (for TLSv1.3+)
+ acl: Add acl_ignore_namespace setting which allows to entirely ignore ACLs for the listed namespaces.
+ imap: Support official RFC8970 preview/snippet syntax. Old methods of retrieving preview information via IMAP commands ("SNIPPET and PREVIEW with explicit algorithm selection") have been deprecated.
+ imapc: Support INDEXPVT for imapc storage to enable private message flags for cluster wide shared mailboxes.
+ lib-storage: Add new events: mail_opened, mail_expunge_requested, mail_expunged, mail_cache_lookup_finished. See https://doc.dovecot.org/2.3/admin_manual/list_of_events/
+ zlib, imap-compression, fs-compress: Support compression levels that the algorithm supports. Before, we allowed a hardcoded value between 1 and 9 and defaulted to 6. Now we allow using per-algorithm value range and default to whatever default the algorithm specifies.
- *-login: Commands pipelined together with and just after the authenticate command cause these commands to be executed twice. This applies to all protocols that involve user login, which currently comprises imap, pop3, submission and managesieve.
- *-login: Processes are supposed to disconnect the oldest non-logged in connection when process_limit was reached. This didn't actually happen with the default "high-security mode" (with service_count=1) where each connection is handled by a separate process.
- *-login: When login process reaches client/process limits, oldest client connections are disconnected. If one of these was still doing anvil lookup, this caused a crash. This could happen only if the login process limits were very low or if the server was overloaded.
- Fixed building with link time optimizations (-flto).
- auth: Userdb iteration with passwd driver does not always return all users with some nss drivers.
- dsync: Shared INBOX not synced when "mail_shared_explicit_inbox" was disabled. If a user has a shared mailbox which is another user's INBOX, dsync didn't include the mailbox in syncing unless explicit naming is enabled with "mail_shared_explicit_inbox" set to "yes".
- dsync: Shared namespaces were not synced with "-n" flag.
- dsync: Syncing shared INBOX failed if mail_attribute_dict was not set. If a user has a shared mailbox that is another user's INBOX, dsync failed to export the mailbox if mail attributes are disabled.
- fts-solr, fts-tika: Using both Solr FTS and Tika may have caused HTTP requests to assert-crash: Panic: file http-client-request.c: line 1232 (http_client_request_send_more): assertion failed: (req->payload_input != NULL)
- fts-tika: 5xx errors returned by the Tika server were treated as indexing failures. However, Tika can return 5xx for some attachments every time. So the 5xx error should be retried once, but treated as success if it happens on the retry as well. v2.3 regression.
- fts-tika: v2.3.11 regression: Indexing messages with fts-tika may have resulted in Panic: file message-parser.c: line 802 (message_parser_deinit_from_parts): assertion failed: (ctx->nested_parts_count == 0 || i_stream_have_bytes_left(ctx->input))
- imap: SETMETADATA could not be used to unset metadata values. Instead NIL was handled as a "NIL" string. v2.3.14 regression.
- imap: IMAP BINARY FETCH crashes at least on empty base64 body: Panic: file index-mail-binary.c: line 358 (blocks_count_lines): assertion failed: (block_count == 0 || block_idx+1 == block_count)
- imap: If IMAP client using the NOTIFY command was disconnected while sending FETCH notifications to the client, imap could crash with Panic: Trying to close mailbox INBOX with open transactions.
- imap: Using IMAP COMPRESS extension can cause IMAP connection to hang when IMAP commands are > 8 kB long.
- imapc: If remote server sent BYE but didn't immediately disconnect, it could cause infinite busy-loop.
- lib-index: Corrupted cache record size in dovecot.index.cache file could have caused a crash (segfault) when accessing it.
- lib-oauth2: JWT token time validation now works correctly with 32-bit systems.
- lib-ssl-iostream: Checking hostnames against an SSL certificate was case-sensitive.
- lib-storage: Corrupted mime.parts in dovecot.index.cache may have resulted in Panic: file imap-bodystructure.c: line 206 (part_write_body): assertion failed: (text == ((part->flags & MESSAGE_PART_FLAG_TEXT) != 0))
- lib-storage: Index rebuilding (e.g. via doveadm force-resync) didn't preserve the "hdr-pop3-uidl" header. Because of this, the next pop3 session could have accessed all of the emails' metadata to read their POP3 UIDL (opening dbox files).
- listescape: When using the listescape plugin and a shared namespace the plugin didn't work properly anymore resulting in errors like: "Invalid mailbox name: Name must not have '/' character."
- lmtp: Connection crashes if connection gets disconnected due to multiple bad commands and the last bad command is BDAT.
- lmtp: The Dovecot-specific LMTP parameter XRCPTFORWARD was blindly forwarded by LMTP proxy without checking that the backend has support. This caused a command parameter error from the backend if it was running an older Dovecot release. This could only occur in more complex setups where the message was proxied twice; when the proxy generated the XRCPTFORWARD parameter itself the problem did not occur, so this only happened when it was forwarded.
- lmtp: The LMTP proxy crashes with a panic when the remote server replies with an error while the mail is still being forwarded through a DATA/BDAT command.
- lmtp: Username may have been missing from lmtp log line prefixes when it was performing autoexpunging.
- master: Dovecot would incorrectly fail with haproxy 2.0.14 service checks.
- master: Systemd service: Dovecot announces readiness for accepting connections earlier than it should. The following environment variables are now imported automatically and can be omitted from import_environment setting: NOTIFY_SOCKET LISTEN_FDS LISTEN_PID.
- master: service { process_min_avail } was launching processes too slowly when master was forking a lot of processes.
- util: Make the health-check.sh example script POSIX shell compatible.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jun 21 2021 Michal Hlavinka - 1:2.3.15-1
- dovecot updated to 2.3.15, pigeonhole updated to 0.5.15
- CVE-2021-29157: Dovecot does not correctly escape kid and azp fields in JWT tokens. This may be used to supply attacker controlled keys to validate tokens, if the attacker has local access.
- CVE-2021-33515: On-path attacker could have injected plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client.
- Add TLSv1.3 support to min_protocols.
- Allow configuring ssl_cipher_suites. (for TLSv1.3+)
* Wed May 19 2021 Pete Walter - 1:2.3.14-4
- Rebuild for ICU 69
* Wed May 19 2021 Pete Walter - 1:2.3.14-3
- Rebuild for ICU 69
* Mon May 10 2021 Jeff Law - 1:2.3.14-2
- Re-enable LTO
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1974392 - CVE-2021-29157 dovecot: local attacker can login as any user and access their emails [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1974392
[ 2 ] Bug #1974393 - CVE-2021-33515 dovecot: plaintext commands injection [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1974393
[ 3 ] Bug #1974394 - CVE-2020-28200 dovecot: insufficient protection against excessive resource usage allows for a DoS [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1974394
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2021-891c1ab1ac' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openstack-keystone security and bug fix update
Advisory ID:       RHSA-2014:0580-01
Product:           Red Hat Enterprise Linux OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2014:0580.html
Issue date:        2014-05-29
CVE Names:         CVE-2014-2237
====================================================================

1. Summary:

Updated openstack-keystone packages that fix one security issue and various bugs are now available for Red Hat Enterprise Linux OpenStack Platform 4.0.

The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux OpenStack Platform 4.0 - noarch

3. Description:

The OpenStack Identity service (keystone) authenticates and authorizes OpenStack users by keeping track of users and their permitted activities. The Identity service supports multiple forms of authentication including user name and password credentials, token-based systems, and AWS-style logins.

The openstack-keystone packages have been upgraded to upstream version 2013.2.3, which provides a number of bug fixes over the previous version.
The following security issue is also fixed with this release:

It was found that the memcached token back end of OpenStack Identity did not correctly invalidate a revoked trust token, allowing users with revoked tokens to retain access to services they should no longer be able to access. Note that only OpenStack Identity setups using the memcached back end for tokens were affected. (CVE-2014-2237)

All openstack-keystone users are advised to upgrade to these updated packages, which correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1071434 - CVE-2014-2237 openstack-keystone: trustee token revocation does not work with memcache backend
1083415 - keystone qpid reconnection delay must be more accurate
1085933 - Replace python-oauth2 with oauthlib

6. Package List:

Red Hat Enterprise Linux OpenStack Platform 4.0:

Source:

noarch:
openstack-keystone-2013.2.3-4.el6ost.noarch.rpm
openstack-keystone-doc-2013.2.3-4.el6ost.noarch.rpm
python-keystone-2013.2.3-4.el6ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package

7. References:

https://access.redhat.com/security/cve/CVE-2014-2237
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: openstack-keystone security update
Advisory ID:       RHSA-2013:1285-01
Product:           Red Hat OpenStack
Advisory URL:      https://access.redhat.com/errata/RHSA-2013:1285.html
Issue date:        2013-09-25
CVE Names:         CVE-2013-4294
====================================================================

1. Summary:

Updated openstack-keystone packages that fix one security issue are now available for Red Hat OpenStack 3.0.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

OpenStack 3 - noarch

3. Description:

The openstack-keystone packages provide Keystone, a Python implementation of the OpenStack identity service API, which provides Identity, Token, Catalog, and Policy services.

It was found that Keystone did not correctly handle revoked PKI tokens, allowing users with revoked tokens to retain access to resources they should no longer be able to access. This issue only affected systems using PKI tokens with the memcache or KVS token back ends. (CVE-2013-4294)

Red Hat would like to thank Thierry Carrez of OpenStack upstream for reporting this issue. Upstream acknowledges Kieran Spear of University of Melbourne as the original reporter.

All users of openstack-keystone are advised to upgrade to these updated packages, which correct these issues. After installing the updated packages, the Keystone service (openstack-keystone) will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

1004452 - CVE-2013-4294 OpenStack: Keystone Token revocation failure using Keystone memcache/KVS backends

6. Package List:

OpenStack 3:

Source:

noarch:
openstack-keystone-2013.1.3-2.el6ost.noarch.rpm
openstack-keystone-doc-2013.1.3-2.el6ost.noarch.rpm
python-keystone-2013.1.3-2.el6ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package

7. References:

https://access.redhat.com/security/cve/CVE-2013-4294
https://access.redhat.com/security/updates/classification#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2013 Red Hat, Inc.
====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: python-keystoneclient security and bug fix update
Advisory ID:       RHSA-2013:0944-01
Product:           Red Hat OpenStack
Advisory URL:      https://access.redhat.com/errata/RHSA-2013:0944.html
Issue date:        2013-06-12
CVE Names:         CVE-2013-2104
====================================================================

1. Summary:

Updated python-keystoneclient packages that fix one security issue and multiple bugs are now available for Red Hat OpenStack 3.0 (Grizzly) Preview.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

OpenStack 3 - noarch

3. Description:

Python-keystoneclient is the client library and command line utility for interacting with the OpenStack identity API.

A flaw in Keystone allowed an attacker with access to the web and network interfaces of services utilizing python-keystoneclient (such as Nova, Cinder, Swift, Glance, and so on) to continue using PKI tokens that had expired. This would allow the attacker to continue using the PKI tokens despite the PKI tokens being expired, giving them continued access to OpenStack services. (CVE-2013-2104)

This issue was discovered by Eoghan Glynn of Red Hat.

This update also fixes a number of bugs in python-keystoneclient.

All users of Red Hat OpenStack 3.0 (Grizzly) Preview are advised to install these updated packages.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

904351 - Provide keystone man page for the command line interface.
928558 - add support for Swift cache in authtoken m/w
965852 - CVE-2013-2104 OpenStack Keystone: Missing expiration check in Keystone PKI token validation

6. Package List:

OpenStack 3:

Source:

noarch:
python-keystoneclient-0.2.3-2.el6ost.noarch.rpm
python-keystoneclient-doc-0.2.3-2.el6ost.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package

7. References:

https://access.redhat.com/security/cve/CVE-2013-2104
https://access.redhat.com/security/updates/classification#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2013 Red Hat, Inc.