---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          New util-linux packages available to fix /bin/login pam problem
Advisory ID:       RHSA-2001:132-04
Issue date:        2001-10-11
Updated on:        2001-10-16
Product:           Red Hat Linux
Keywords:          login pam pam_limits
Cross references:
Obsoletes:         RHSA-2001:095-04
---------------------------------------------------------------------

1. Topic:

New util-linux packages are available that fix a problem with /bin/login's
PAM implementation. This could, in some non-default setups, cause users to
receive credentials of other users. It is recommended that all users update
to the fixed packages.

2001-10-22: Packages are now available for Red Hat Linux 7.2. Notably, these
packages also fix the problem noted in RHSA-2001:095-04 (vipw incorrectly
setting permissions on some files) - this bug was accidentally reintroduced
in Red Hat Linux 7.2.

2. Relevant releases/architectures:

Red Hat Linux 7.1 - alpha, i386, ia64
Red Hat Linux 7.2 - i386

3. Problem description:

A problem existed in /bin/login's PAM implementation; it stored the value of
a static pwent buffer across PAM calls; when used with some PAM modules in
non-default configuration (such as pam_limits), it would overwrite the
buffer, causing a user to get credentials of another user.

Thanks go to Tarhon-Onu Victor for bringing the problem to our attention,
and to Olaf Kirch for providing the patch.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed:

51646 - pam limits drops other user privileges

6. RPMs required:

Red Hat Linux 7.1:

SRPMS:
alpha:
i386:
ia64:

Red Hat Linux 7.2:

SRPMS:
i386:

7. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
db33b22f50978471a25fd5cc973f8f54  7.1/en/os/SRPMS/util-linux-2.11f-11.7.1.src.rpm
d55f6ec42e3c0268f2ab4decb24deb53  7.1/en/os/alpha/util-linux-2.11f-11.7.1.alpha.rpm
2bf1db1cadc50f783220f70aa2b7a09c  7.1/en/os/i386/util-linux-2.11f-11.7.1.i386.rpm
568c4ec61cb9cc0ebd6313fb14d0419c  7.1/en/os/ia64/util-linux-2.11f-11.7.1.ia64.rpm
3b5448a60fa6cb5580eb690a303827a5  7.2/en/os/SRPMS/util-linux-2.11f-12.src.rpm
c0f329c070e416fbb20c97670199d3fe  7.2/en/os/i386/util-linux-2.11f-12.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

You can verify each package with the following command:

    rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    rpm --checksig --nogpg <filename>

8. References:

Copyright(c) 2000, 2001 Red Hat, Inc.

The latest changes to util-linux tackle a security flaw related to increased
permissions in the PAM features of /bin/login on CentOS Linux systems.

Red Hat Linux, PAM, util-linux, elevated privileges, security update.

Severity: Critical. LinuxSecurity.com Team
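The aliasing described in the problem description above (a pointer into getpwnam's static result storage kept across PAM calls and then overwritten by a module's own lookup), as an added example that is not part of the advisory or of util-linux. The in-memory passwd table, the account names and the lookup the stand-in PAM module performs are assumptions chosen to make the overwrite visible; the safe variant shows the general fix of copying the fields out before calling into PAM.

```c
/* Added example, not code from the advisory or from util-linux: the
 * static-buffer aliasing bug behind RHSA-2001:132, modelled on a small
 * in-memory passwd table. fake_getpwnam() keeps getpwnam(3)'s contract:
 * one static result buffer, overwritten by the next lookup. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

struct pwent { char *name; uid_t uid; gid_t gid; };

/* Constructed sample accounts (assumption, not real system users). */
static const struct pwent pwdb[] = { { "alice", 1000, 1000 },
                                     { "bob",   1001, 1001 } };

/* Mimics getpwnam(3): every successful call rewrites the same storage. */
static struct pwent *fake_getpwnam(const char *name)
{
    static struct pwent result;
    static char namebuf[32];
    for (size_t i = 0; i < sizeof pwdb / sizeof pwdb[0]; i++) {
        if (strcmp(pwdb[i].name, name) == 0) {
            snprintf(namebuf, sizeof namebuf, "%s", pwdb[i].name);
            result.name = namebuf;
            result.uid  = pwdb[i].uid;
            result.gid  = pwdb[i].gid;
            return &result;
        }
    }
    return NULL;
}

/* Stand-in for a PAM module that does its own passwd lookup while login
 * still holds the pointer (pam_limits is the advisory's example). Which
 * name it looks up is an assumption chosen to make the aliasing visible. */
static void pam_module_lookup(const char *other_user)
{
    (void)fake_getpwnam(other_user);
}

/* Vulnerable pattern: keep the getpwnam() pointer across the PAM call and
 * read the uid from it afterwards, as /bin/login did before the fix. */
uid_t login_unsafe(const char *user, const char *pam_looks_up)
{
    struct pwent *pw = fake_getpwnam(user);
    if (pw == NULL) return (uid_t)-1;
    pam_module_lookup(pam_looks_up);   /* overwrites the static buffer */
    return pw->uid;                    /* now the OTHER account's uid  */
}

/* Safe pattern: copy every field you will need out of the static buffer
 * before handing control to PAM (getpwnam_r into a caller-owned buffer
 * is the modern equivalent). */
uid_t login_safe(const char *user, const char *pam_looks_up)
{
    struct pwent *pw = fake_getpwnam(user);
    if (pw == NULL) return (uid_t)-1;
    struct pwent copy = *pw;           /* scalar fields copied            */
    char namecopy[32];
    snprintf(namecopy, sizeof namecopy, "%s", pw->name);
    copy.name = namecopy;              /* string copied, no aliasing left */
    pam_module_lookup(pam_looks_up);
    return copy.uid;                   /* still the user who logged in    */
}
```

With the sample table, login_unsafe("alice", "bob") hands alice bob's uid 1001, while login_safe keeps 1000.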
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-fcafbe7225
2021-01-03 01:10:51.976756
--------------------------------------------------------------------------------

Name        : ceph
Product     : Fedora 33
Version     : 15.2.8
Release     : 1.fc33
URL         :
Summary     : User space components of the Ceph file system
Description :
Ceph is a massively scalable, open-source, distributed storage system that
runs on commodity hardware and delivers object, block and file system
storage.
--------------------------------------------------------------------------------
Update Information:

ceph 15.2.8 GA
Security fix for CVE-2020-27781
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 23 2020 Kaleb S. KEITHLEY - 2:15.2.8-1
- ceph 15.2.8 GA
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1900109 - CVE-2020-27781 Ceph: User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila
        https://bugzilla.redhat.com/show_bug.cgi?id=1900109
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-fcafbe7225' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
SUSE Security Update: Security update for slurm
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:1652-1
Rating:             moderate
References:         #1091063 #1095508
Cross-References:   CVE-2018-10995
Affected Products:
                    SUSE Linux Enterprise Module for HPC 12
______________________________________________________________________________

An update that solves one vulnerability and has one errata is now available.

Description:

This update for slurm to version 17.02.11 fixes the following issues:

This security issue was fixed:

- CVE-2018-10995: Ensure proper handling of user names (aka user_name
  fields) and group ids (aka gid fields) (bsc#1095508).

This non-security issue was fixed:

- Move config files to slurm-config package to provide slurmdbd with the
  slurm user (bsc#1091063).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Module for HPC 12:

    zypper in -t patch SUSE-SLE-Module-HPC-12-2018-1114=1

Package List:

- SUSE Linux Enterprise Module for HPC 12 (aarch64 x86_64):

    libpmi0-17.02.11-6.19.1
    libpmi0-debuginfo-17.02.11-6.19.1
    libslurm31-17.02.11-6.19.1
    libslurm31-debuginfo-17.02.11-6.19.1
    perl-slurm-17.02.11-6.19.1
    perl-slurm-debuginfo-17.02.11-6.19.1
    slurm-17.02.11-6.19.1
    slurm-auth-none-17.02.11-6.19.1
    slurm-auth-none-debuginfo-17.02.11-6.19.1
    slurm-config-17.02.11-6.19.1
    slurm-debuginfo-17.02.11-6.19.1
    slurm-debugsource-17.02.11-6.19.1
    slurm-devel-17.02.11-6.19.1
    slurm-doc-17.02.11-6.19.1
    slurm-lua-17.02.11-6.19.1
    slurm-lua-debuginfo-17.02.11-6.19.1
    slurm-munge-17.02.11-6.19.1
    slurm-munge-debuginfo-17.02.11-6.19.1
    slurm-pam_slurm-17.02.11-6.19.1
    slurm-pam_slurm-debuginfo-17.02.11-6.19.1
    slurm-plugins-17.02.11-6.19.1
    slurm-plugins-debuginfo-17.02.11-6.19.1
    slurm-sched-wiki-17.02.11-6.19.1
    slurm-slurmdb-direct-17.02.11-6.19.1
    slurm-slurmdbd-17.02.11-6.19.1
    slurm-slurmdbd-debuginfo-17.02.11-6.19.1
    slurm-sql-17.02.11-6.19.1
    slurm-sql-debuginfo-17.02.11-6.19.1
    slurm-torque-17.02.11-6.19.1
    slurm-torque-debuginfo-17.02.11-6.19.1

References:

  https://www.suse.com/security/cve/CVE-2018-10995.html
  https://bugzilla.suse.com/1091063
  https://bugzilla.suse.com/1095508

SUSE Security Patch for slurm resolves a moderate vulnerability concerning
user authentication management in high-performance computing tools.

SUSE Security Update, slurm Patch, HPC Security, User Credentials, Error Handling.

LinuxSecurity.com Team
==========================================================================
Ubuntu Security Notice USN-3275-1
May 11, 2017

openjdk-8 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in OpenJDK 8.

Software Description:
- openjdk-8: Open Source Java implementation

Details:

It was discovered that OpenJDK improperly re-used cached NTLM connections in
some situations. A remote attacker could possibly use this to cause a Java
application to perform actions with the credentials of a different user.
(CVE-2017-3509)

It was discovered that an untrusted library search path flaw existed in the
Java Cryptography Extension (JCE) component of OpenJDK. A local attacker
could possibly use this to gain the privileges of a Java application.
(CVE-2017-3511)

It was discovered that the Java API for XML Processing (JAXP) component in
OpenJDK did not properly enforce size limits when parsing XML documents. An
attacker could use this to cause a denial of service (processor and memory
consumption). (CVE-2017-3526)

It was discovered that the FTP client implementation in OpenJDK did not
properly sanitize user inputs. If a user was tricked into opening a
specially crafted FTP URL, a remote attacker could use this to manipulate
the FTP connection. (CVE-2017-3533)

It was discovered that OpenJDK allowed MD5 to be used as an algorithm for
JAR integrity verification. An attacker could possibly use this to modify
the contents of a JAR file without detection. (CVE-2017-3539)

It was discovered that the SMTP client implementation in OpenJDK did not
properly sanitize sender and recipient addresses. A remote attacker could
use this to specially craft email addresses and gain control of a Java
application's SMTP connections. (CVE-2017-3544)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
  openjdk-8-jre                   8u131-b11-0ubuntu1.17.04.1
  openjdk-8-jre-headless          8u131-b11-0ubuntu1.17.04.1
  openjdk-8-jre-zero              8u131-b11-0ubuntu1.17.04.1

Ubuntu 16.10:
  openjdk-8-jre                   8u131-b11-0ubuntu1.16.10.2
  openjdk-8-jre-headless          8u131-b11-0ubuntu1.16.10.2
  openjdk-8-jre-jamvm             8u131-b11-0ubuntu1.16.10.2
  openjdk-8-jre-zero              8u131-b11-0ubuntu1.16.10.2

Ubuntu 16.04 LTS:
  openjdk-8-jre                   8u131-b11-0ubuntu1.16.04.2
  openjdk-8-jre-headless          8u131-b11-0ubuntu1.16.04.2
  openjdk-8-jre-jamvm             8u131-b11-0ubuntu1.16.04.2
  openjdk-8-jre-zero              8u131-b11-0ubuntu1.16.04.2

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-3275-1
  CVE-2017-3509, CVE-2017-3511, CVE-2017-3526, CVE-2017-3533, CVE-2017-3539,
  CVE-2017-3544

Package Information:
  https://launchpad.net/ubuntu/+source/openjdk-8/8u131-b11-0ubuntu1.17.04.1
  https://launchpad.net/ubuntu/+source/openjdk-8/8u131-b11-0ubuntu1.16.10.2
  https://launchpad.net/ubuntu/+source/openjdk-8/8u131-b11-0ubuntu1.16.04.2

Concerns regarding security in OpenJDK 8 for Ubuntu involve risks related to
unauthorized access and potential denial-of-service threats.

OpenJDK Update, Ubuntu Advisory, Java Security Fix, Java Access Issues.

Severity: Critical. LinuxSecurity.com Team
====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: virt-who security, bug fix, and enhancement update
Advisory ID:       RHSA-2015:0430-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2015:0430.html
Issue date:        2015-03-05
CVE Names:         CVE-2014-0189
====================================================================

1. Summary:

An updated virt-who package that fixes one security issue, several bugs, and
adds various enhancements is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available from the CVE link in the References
section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch
Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Enterprise Linux Workstation (v. 7) - noarch

3. Description:

The virt-who package provides an agent that collects information about
virtual guests present in the system and reports them to the subscription
manager.

It was discovered that the /etc/sysconfig/virt-who configuration file, which
may contain hypervisor authentication credentials, was world-readable. A
local user could use this flaw to obtain authentication credentials from
this file. (CVE-2014-0189)

Red Hat would like to thank Sal Castiglione for reporting this issue.

The virt-who package has been upgraded to upstream version 0.11, which
provides a number of bug fixes and enhancements over the previous version.
The most notable bug fixes and enhancements include:

* Support for remote libvirt.
* A fix for using encrypted passwords.
* Bug fixes and enhancements that increase the stability of virt-who.

(BZ#1122489)

This update also fixes the following bugs:

* Prior to this update, the virt-who agent failed to read the list of
  virtual guests provided by the VDSM daemon. As a consequence, when in VDSM
  mode, the virt-who agent was not able to send updates about virtual guests
  to Subscription Asset Manager (SAM) and Red Hat Satellite. With this
  update, the agent reads the list of guests when in VDSM mode correctly and
  reports to SAM and Satellite as expected. (BZ#1153405)

* Previously, virt-who used incorrect information when connecting to Red Hat
  Satellite 5. Consequently, virt-who could not connect to Red Hat
  Satellite 5 servers. The incorrect parameter has been corrected, and
  virt-who can now successfully connect to Red Hat Satellite 5. (BZ#1158859)

* Prior to this update, virt-who did not decode the hexadecimal
  representation of a password before decrypting it. As a consequence, the
  decrypted password did not match the original password, and attempts to
  connect using the password failed. virt-who has been updated to decode the
  encrypted password and, as a result, virt-who now handles storing
  credentials using encrypted passwords as expected. (BZ#1161607)

In addition, this update adds the following enhancement:

* With this update, virt-who is able to read the list of guests from a
  remote libvirt hypervisor. (BZ#1127965)

Users of virt-who are advised to upgrade to this updated package, which
corrects these issues and adds these enhancements.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1065421 - Remove dependency on 'libvirt' RPM
1076290 - virt-who creat a null system in SAM server in esx mode
1082981 - Faild to add Hyper-V 2012 to SAM as virt-who communication with Hyper-V failed
1086517 - virt-who failed when testing against Satellite 5.6 due to missing folder /var/lib/virt-who in RHEL 7
1088732 - CVE-2014-0189 virt-who: plaintext hypervisor passwords in world-readable /etc/sysconfig/virt-who configuration file
1098448 - virt-who dies when the system is being unregistered
1122489 - virt-who rebase
1127965 - [RFE] Please add libvirt parameter for using Red Hat Enterprise Linux for Virtual Datacenter in kvm environments.
1153405 - virt-who can't work in the VDSM mode
1158759 - Wrong permission for configuration file /etc/sysconfig/virt-who on rhel7.1
1158803 - Can't display the running mode in the virt-who log
1158859 - virt-who uses wrong server when connecting to satellite
1159187 - "/etc/virt-who.d" hasn't been created by default.
1161434 - Take over one minute to stop/restart virt-who service in ESX mode.
1161607 - virt-who not able to decrypt encrypted password
1162049 - syslog.target depenancy
1163021 - Failed to send host/guest associate to SAM when virt-who run at esx mode
1168111 - [VDSM mode]Failed to send host/guest associate to SAM when there is a vm in the host
1168122 - virt-who incorrectly says that VM is from 'None' hypervisor

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
virt-who-0.11-5.el7.src.rpm

noarch:
virt-who-0.11-5.el7.noarch.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
virt-who-0.11-5.el7.src.rpm

noarch:
virt-who-0.11-5.el7.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
virt-who-0.11-5.el7.src.rpm

noarch:
virt-who-0.11-5.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2014-0189
https://access.redhat.com/security/updates/classification#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact

Copyright 2015 Red Hat, Inc.

The revised virt-who tool boosts security through important patches and
enhancements for Red Hat Enterprise Linux, significantly enhancing system
reliability.

Red Hat Enterprise Linux, Virt-Who Security, Authentication Fix, Package Updates, System Stability.

LinuxSecurity.com Team
==========================================================
Ubuntu Security Notice USN-727-1
March 03, 2009

network-manager-applet vulnerabilities
CVE-2009-0365, CVE-2009-0578
==========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of Kubuntu,
Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following
package versions:

Ubuntu 7.10:
  network-manager-gnome           0.6.5-0ubuntu11~7.10.1

Ubuntu 8.04 LTS:
  network-manager-gnome           0.6.6-0ubuntu3.1

Ubuntu 8.10:
  network-manager-gnome           0.7~~svn20081020t000444-0ubuntu1.8.10.2

In general, a standard system upgrade is sufficient to effect the necessary
changes.

Details follow:

It was discovered that network-manager-applet did not properly enforce
permissions when responding to dbus requests. A local user could perform
dbus queries to view other users' network connection passwords and
pre-shared keys. (CVE-2009-0365)

It was discovered that network-manager-applet did not properly enforce
permissions when responding to dbus modify and delete requests. A local
user could use dbus to modify or delete other users' network connections.
This issue only applied to Ubuntu 8.10.
(CVE-2009-0578)
Several permissions-related challenges with network-manager-applet may result
in a risk of compromising user authentication details on Ubuntu.

network-manager, permission flaws, user security, dbus vulnerabilities, Ubuntu updates.

Severity: Low. LinuxSecurity.com Team