
Stay Secure with the Latest Linux Advisories


Explore Latest Linux Security advisories


Mageia 8 MGASA-2021-0494 Critical: Cloud-Init Local Access Issue

MGASA-2021-0494 - Updated cloud-init packages fix security vulnerability

Publication date: 29 Oct 2021
URL: https://advisories.mageia.org/MGASA-2021-0494.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-3429

cloud-init has the ability to generate and set a randomized password for system users. This functionality is enabled at runtime by passing cloud-config data such as:

    chpasswd:
      list: |
        user1:RANDOM

When instructing cloud-init to set a random password for a new user account, versions before 21.1.19 would write that password to the world-readable log file /var/log/cloud-init-output.log. This could allow a local user to log in as another user (CVE-2021-3429).

References:
- https://bugs.mageia.org/show_bug.cgi?id=28991
- https://lists.debian.org/debian-lts-announce/2021/03/msg00025.html
- https://github.com/canonical/cloud-init/releases/tag/21.2
- https://www.cve.org/CVERecord?id=CVE-2021-3429

SRPMS:
- 8/core/cloud-init-20.2-2.1.mga8

LinuxSecurity.com Team | Oct 29, 2021 | Critical | Mageia

Fedora 31: 2020-f49fe7f011 Moderate: elog Multiple Access Issues

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-f49fe7f011
2020-01-25 06:33:58.981322
--------------------------------------------------------------------------------

Name        : elog
Product     : Fedora 31
Version     : 3.1.4
Release     : 1.20190113git283534d97d5a.fc31
URL         :
Summary     : Logbook system to manage notes through a Web interface
Description :
ELOG is part of a family of applications known as weblogs. Their general purpose is:

1. To make it easy for people to put information online in a chronological fashion, in the form of short, time-stamped text messages ("entries") with optional HTML markup for presentation, and optional file attachments (images, archives, etc.)
2. To make it easy for other people to access this information through a Web interface, browse entries, search, download files, and optionally add, update, delete or comment on entries.

ELOG is a remarkable implementation of a weblog in at least two respects:

1. Its simplicity of use: you don't need to be a seasoned server operator and/or an experimented database administrator to run ELOG; one executable file (under Unix or Windows), a simple configuration text file, and it works. No Web server or relational database required. It is also easy to translate the interface to the appropriate language for your users.
2. Its versatility: through its single configuration file, ELOG can be made to display an infinity of variants of the weblog concept. There are options for what to display, how to display it, what commands are available and to whom, access control, etc. Moreover, a single server can host several weblogs, and each weblog can be totally different from the rest.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2019-3993, CVE-2019-3994, CVE-2019-3995, CVE-2019-3992, CVE-2019-3996
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 13 2020 Ben Rosser - 3.1.4-1.20190113git283534d97d5a
- Update to post-release snapshot of 3.1.4.
- Fix several security issues.
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1787064 - CVE-2019-3993 elog: allows recover an user password hash by sending a crafted HTTP POST request
      https://bugzilla.redhat.com/show_bug.cgi?id=1787064
[ 2 ] Bug #1787060 - CVE-2019-3994 elog: use-after-free by sending multiple crafted HTTP POST requests
      https://bugzilla.redhat.com/show_bug.cgi?id=1787060
[ 3 ] Bug #1787055 - CVE-2019-3995 elog: NULL pointer dereference via crafted HTTP GET request
      https://bugzilla.redhat.com/show_bug.cgi?id=1787055
[ 4 ] Bug #1787051 - CVE-2019-3992 elog: allows access the server configuration file by sending a HTTP GET request
      https://bugzilla.redhat.com/show_bug.cgi?id=1787051
[ 5 ] Bug #1786750 - CVE-2019-3996 elog: unauthenticated remote users can proxy HTTP GET requests via crafted POST requests
      https://bugzilla.redhat.com/show_bug.cgi?id=1786750
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-f49fe7f011' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------
package-announce mailing list
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

LinuxSecurity.com Team | Jan 25, 2020 | Fedora

Fedora 24: 2017-05e32fe278 Critical: xrdp Password Issue

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2017-05e32fe278
2017-03-02 22:38:20.794912
--------------------------------------------------------------------------------

Name        : xrdp
Product     : Fedora 24
Version     : 0.9.1
Release     : 5.fc24
URL         : http://www.xrdp.org/
Summary     : Open source remote desktop protocol (RDP) server
Description :
xrdp provides a fully functional RDP server compatible with a wide range of RDP clients, including FreeRDP and Microsoft RDP client.

--------------------------------------------------------------------------------
Update Information:

WARNING: Please note that this update comes with a slightly different syntax of sesman.ini file, so if you edited this file by hand, you may need to look at the .rpmnew file and merge any required changes by hand.

This release also creates three files in /etc/xrdp directory if they don't already exist or are empty:
- rsakeys.ini
- cert.pem
- key.pem

Also note that in Fedora, the only backend that will really work is still Xvnc for now.

New features
- New xorgxrdp backend using existing Xorg with additional modules
- Improvements to X11rdp backend
- Support for IPv6 (disabled by default)
- Initial support for RemoteFX Codec (disabled by default)
- Support for TLS security layer (preferred over RDP layer if supported by the client)
- Support for disabling deprecated SSLv3 protocol and for selecting custom cipher suites in xrdp.ini
- Support for bidirectional fastpath (enabled in both directions by default)
- Support clients that don't support drawing orders, such as MS RDP client for Android, ChromeRDP (disabled by default)
- More configurable login screen
- Support for new virtual channels:
  - rdpdr: device redirection
  - rdpsnd: audio output
  - cliprdr: clipboard
  - xrdpvr: xrdp video redirection channel (can be used along with NeutrinoRDP client)
- Support for disabling virtual channels globally or by session type
- Allow to specify the path for backends (Xorg, X11rdp, Xvnc)
- Added files for systemd support
- Multi-monitor support
- xrdp-chansrv stores logs in ${XDG_DATA_HOME}/xrdp now

Security fixes
- User's password could be recovered from the Xvnc password file
- X11 authentication was not used
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1404972 - CVE-2013-1430 xrdp: Cleartext password shown in file after logging into xrdp session [epel-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1404972
[ 2 ] Bug #1404971 - CVE-2013-1430 xrdp: Cleartext password shown in file after logging into xrdp session [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=1404971
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade xrdp' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------

LinuxSecurity.com Team | Mar 03, 2017 | Critical | Fedora

Fedora 24 Shotwell Security Advisory: Update for HTTPS Enhancements

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2017-ddee871dd1
2017-02-02 16:34:58.790356
--------------------------------------------------------------------------------

Name        : shotwell
Product     : Fedora 24
Version     : 0.24.5
Release     : 1.fc24
URL         : https://wiki.gnome.org/Apps/Shotwell
Summary     : A photo organizer for the GNOME desktop
Description :
Shotwell is an easy-to-use, fast photo organizer designed for the GNOME desktop. It allows you to import photos from your camera or disk, organize them by date and subject matter, even ratings. It also offers basic photo editing, like crop, red-eye correction, color adjustments, and straighten. Shotwell's non-destructive photo editor does not alter your master photos, making it easy to experiment and correct errors.

--------------------------------------------------------------------------------
Update Information:

This release turns on HTTPS encryption all over the publishing plugins. Users using Tumblr and Yandex.Fotki publishing are strongly advised to change their passwords and reauthenticate Shotwell to those services after upgrade. Users of Picasa and Youtube publishing are strongly advised to reauthenticate (Log out and back in) Shotwell to those services after upgrade.

Changes in shotwell 0.24.5 release:
* Publishing: Use HTTPS consistently
* Updated translations

Changes in shotwell 0.24.4 release:
* Piwigo: Fix title and comments for uploaded images
* Fix icon file name for Serbian and Korean
* Improved duplicate detection
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade shotwell' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------

LinuxSecurity.com Team | Feb 02, 2017 | Important | Fedora

Fedora 25: Shotwell Security Update: Enhances HTTPS and Authentications

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2017-8c3c43cc4f
2017-02-02 16:35:20.084125
--------------------------------------------------------------------------------

Name        : shotwell
Product     : Fedora 25
Version     : 0.24.5
Release     : 1.fc25
URL         : https://wiki.gnome.org/Apps/Shotwell
Summary     : A photo organizer for the GNOME desktop
Description :
Shotwell is an easy-to-use, fast photo organizer designed for the GNOME desktop. It allows you to import photos from your camera or disk, organize them by date and subject matter, even ratings. It also offers basic photo editing, like crop, red-eye correction, color adjustments, and straighten. Shotwell's non-destructive photo editor does not alter your master photos, making it easy to experiment and correct errors.

--------------------------------------------------------------------------------
Update Information:

This release turns on HTTPS encryption all over the publishing plugins. Users using Tumblr and Yandex.Fotki publishing are strongly advised to change their passwords and reauthenticate Shotwell to those services after upgrade. Users of Picasa and Youtube publishing are strongly advised to reauthenticate (Log out and back in) Shotwell to those services after upgrade.

Changes in shotwell 0.24.5 release:
* Publishing: Use HTTPS consistently
* Updated translations

Changes in shotwell 0.24.4 release:
* Piwigo: Fix title and comments for uploaded images
* Fix icon file name for Serbian and Korean
* Improved duplicate detection
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade shotwell' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------

LinuxSecurity.com Team | Feb 02, 2017 | Critical | Fedora

Fedora 24: slock Crash Fix Advisory for Shadow Hash Issue

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2016-985b68721b
2016-09-09 16:20:18.939263
--------------------------------------------------------------------------------

Name        : slock
Product     : Fedora 24
Version     : 1.3
Release     : 2.fc24
URL         : http://tools.suckless.org/slock/
Summary     : Simple X display locker
Description :
This is the simplest X screen locker we are aware of. It is stable and quite a lot people in this community are using it every day when they are out with friends or fetching some food from the local pub.

--------------------------------------------------------------------------------
Update Information:

This release fixes CVE-2016-6866, a crash when verifying a password for a user without a valid shadow hash entry.
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1368369 - CVE-2016-6866 slock: Null pointer dereference results in segmentation fault
      https://bugzilla.redhat.com/show_bug.cgi?id=1368369
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update slock' at the command line. For more information, refer to "Managing Software with yum", available at .

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------

LinuxSecurity.com Team | Sep 09, 2016 | Critical | Fedora

Fedora 36: FEDORA-2023-7c2b21f6b4 high: xorg-server Buffer Overflow

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2016-1b7e66c08b
2016-09-05 17:51:00.341573
--------------------------------------------------------------------------------

Name        : slock
Product     : Fedora 25
Version     : 1.3
Release     : 2.fc25
URL         : http://tools.suckless.org/slock/
Summary     : Simple X display locker
Description :
This is the simplest X screen locker we are aware of. It is stable and quite a lot people in this community are using it every day when they are out with friends or fetching some food from the local pub.

--------------------------------------------------------------------------------
Update Information:

This release fixes CVE-2016-6866, a crash when verifying a password for a user without a valid shadow hash entry.
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1368369 - CVE-2016-6866 slock: Null pointer dereference results in segmentation fault
      https://bugzilla.redhat.com/show_bug.cgi?id=1368369
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update slock' at the command line. For more information, refer to "Managing Software with yum", available at .

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/
--------------------------------------------------------------------------------

LinuxSecurity.com Team | Sep 05, 2016 | Fedora