Stay Secure with the Latest Linux Advisories

Explore Latest Linux Security advisories


Fedora 39: 2023-735ee6d4e1 Critical: Roundcube Security Update

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2023-735ee6d4e1
2023-11-03 18:20:20.954915
--------------------------------------------------------------------------------
Name        : roundcubemail
Product     : Fedora 39
Version     : 1.6.4
Release     : 1.fc39
URL         : https://roundcube.net/
Summary     : Round Cube Webmail is a browser-based multilingual IMAP client
Description :
RoundCube Webmail is a browser-based multilingual IMAP client with an
application-like user interface. It provides full functionality you expect
from an e-mail client, including MIME support, address book, folder
manipulation, message searching and spell checking. RoundCube Webmail is
written in PHP and requires a database: MySQL, PostgreSQL and SQLite are
known to work. The user interface is fully skinnable using XHTML and CSS 2.
--------------------------------------------------------------------------------
Update Information:

Version 1.6.4
- Fix PHP8 warnings (#9142, #9160)
- Fix default 'mime.types' path on Windows (#9113)
- Managesieve: Fix javascript error when relational or spamtest extension is
  not enabled (#9139)
- Fix cross-site scripting (XSS) vulnerability in handling of SVG in HTML
  messages (#9168)
--------------------------------------------------------------------------------
ChangeLog:

* Mon Oct 16 2023 Remi Collet - 1.6.4-1
- update to 1.6.4
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2244535 - CVE-2023-5631 roundcube: cross-site scripting (XSS)
        vulnerability in handling of SVG in HTML messages
        https://bugzilla.redhat.com/show_bug.cgi?id=2244535
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2023-735ee6d4e1' at the command line.
For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
Posted to the Fedora package-announce mailing list.

Summary: Fedora 39 update to Roundcube Webmail 1.6.4 fixing CVE-2023-5631, a cross-site scripting flaw in how SVG content inside HTML messages was sanitized; because webmail renders attacker-supplied HTML in the recipient's own session, a crafted message could execute script when it is viewed. Tags: RoundCube Email Client, Fedora 39 XSS Fix, Webmail Security Update. Severity: Critical. LinuxSecurity.com Team

Nov 03, 2023 | Critical | Fedora
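Sanitizing HTML mail is the defence the Roundcube fix above is about: a webmail client renders attacker-supplied HTML inside the user's own session, so any element or attribute that survives the sanitizer (here, script-capable content inside inline SVG) is an XSS that fires when the message is opened. The block below is an added example written for this page in Python; it is not Roundcube's own washtml code and does not reproduce the exact CVE-2023-5631 bypass. It shows the allowlist approach: parse the untrusted HTML, rebuild it from known-safe elements and attributes (including a small set of SVG elements), discard script, style, iframe and foreignObject subtrees wholesale, drop every on* handler, and accept only http/https/mailto/cid URLs. The allowlists and the sample message are constructed for the example.

```python
"""Allowlist sanitizer for HTML mail bodies, inline SVG included.

Added example for this page, not Roundcube's washtml code. The flaw class
fixed in Roundcube 1.6.4 (CVE-2023-5631) is script-capable SVG content
surviving the message sanitizer; the defence is to parse the untrusted
HTML and rebuild it from an allowlist rather than to blocklist patterns.
The allowlists below are deliberately small and are an assumption of this
example, not Roundcube's.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "div", "span", "img",
                "svg", "g", "rect", "circle", "path"}
ALLOWED_ATTRS = {
    "a": {"href"},
    "img": {"src", "alt", "width", "height"},
    "svg": {"width", "height"},
    "rect": {"x", "y", "width", "height", "fill"},
    "circle": {"cx", "cy", "r", "fill"},
    "path": {"d", "fill"},
}
URL_ATTRS = {"href", "src"}
# Elements whose entire subtree is discarded, not just the tag itself.
DROP_SUBTREE = {"script", "style", "iframe", "object", "embed", "foreignobject"}
# HTML void elements never get an end tag, so they must not affect depth counting.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col",
             "source", "track", "wbr"}


def safe_url(value: str) -> bool:
    """Accept only schemes a mail client has a reason to render; strip
    whitespace first so 'java\\nscript:' cannot hide the scheme."""
    v = "".join(value.split()).lower()
    return v.startswith(("http://", "https://", "mailto:", "cid:"))


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0   # > 0 while inside a dropped subtree
        self.open_tags = []   # emitted, still-open elements (for balanced output)

    def handle_starttag(self, tag, attrs):   # HTMLParser lowercases tag names
        if self.drop_depth:
            if tag not in VOID_TAGS:
                self.drop_depth += 1
            return
        if tag in DROP_SUBTREE:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element: keep its text, drop the tag
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers and anything not allowlisted
            if name in URL_ATTRS and not safe_url(value):
                continue  # javascript:, data:, vbscript: ... are all refused
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            self.drop_depth -= 1
            return
        if tag in self.open_tags:
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_mail_html(html: str) -> str:
    s = MailSanitizer()
    s.feed(html)
    return s.result()


# Constructed sample message: hostile content in and around an inline SVG.
SAMPLE_MESSAGE = (
    '<p onclick="steal()">Hi <b>there</b></p>'
    '<svg width="10"><script>alert(1)</script>'
    '<rect x="1" y="1" width="5" height="5" fill="red" onload="alert(2)"/>'
    '<a href="javascript:alert(3)">a</a>'
    '<foreignObject><body><img src="x" onerror="alert(4)"></body></foreignObject>'
    '</svg><a href="https://example.com/">ok</a>'
)
EXPECTED_CLEAN = (
    '<p>Hi <b>there</b></p>'
    '<svg width="10"><rect x="1" y="1" width="5" height="5" fill="red"></rect>'
    '<a>a</a></svg><a href="https://example.com/">ok</a>'
)

if __name__ == "__main__":
    print(sanitize_mail_html(SAMPLE_MESSAGE))
```

The design point is that nothing is passed through by default: an element not on the list is unwrapped, an attribute not on the list is dropped, and a URL attribute is kept only when its scheme is positively recognised after whitespace is removed. Real sanitizers also have to deal with CSS, data: images, MIME-sniffing of cid: parts and namespace tricks; those are outside this example.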

Fedora 27: 2017-19c9fc71f9 Critical XSS Threat in Cacti Update

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2017-19c9fc71f9
2017-11-11 01:32:26.759799
--------------------------------------------------------------------------------
Name        : cacti
Product     : Fedora 27
Version     : 1.1.26
Release     : 1.fc27
URL         :
Summary     : An rrd based graphing tool
Description :
Cacti is a complete frontend to RRDTool. It stores all of the necessary
information to create graphs and populate them with data in a MySQL database.
The frontend is completely PHP driven.
--------------------------------------------------------------------------------
Update Information:

- Update to 1.1.26
- CVE-2017-15194
Release notes:
--------------------------------------------------------------------------------
ChangeLog:
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1500456 - CVE-2017-15194 cacti: XSS in the URI / refresh page in
        include/global_session.php
        https://bugzilla.redhat.com/show_bug.cgi?id=1500456
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade cacti' at the command line. For more information, refer to
the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key.
--------------------------------------------------------------------------------
Posted to the Fedora package-announce mailing list.

Summary: Fedora 27 update to Cacti 1.1.26 fixing CVE-2017-15194, a cross-site scripting flaw in the URI/refresh page handling in include/global_session.php. Tags: Cacti Update, Fedora 27 Security, XSS Issue, Open Source Tool. Severity: Critical. LinuxSecurity.com Team

Nov 11, 2017 | Critical | Fedora

Red Hat Software Collections (RHEL 6 and 7): RHSA-2016:1857-01 Moderate: XSS Flaw in ror40-rubygem-actionpack

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ror40-rubygem-actionpack security update
Advisory ID:       RHSA-2016:1857-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:1857.html
Issue date:        2016-09-13
CVE Names:         CVE-2016-6316
====================================================================

1. Summary:

An update for ror40-rubygem-actionpack is now available for Red Hat Software
Collections.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.2) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch

3. Description:

Ruby on Rails is a model-view-controller (MVC) framework for web application
development. Action Pack implements the controller and the view components.

Security Fix(es):

* It was discovered that Action View tag helpers did not escape quotes when
using strings declared as HTML safe as attribute values. A remote attacker
could use this flaw to conduct a cross-site scripting (XSS) attack.
(CVE-2016-6316)

Red Hat would like to thank the Ruby on Rails project for reporting this
issue. Upstream acknowledges Andrew Carpenter (Critical Juncture) as the
original reporter.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

All running applications using ror40-rubygem-actionpack must be restarted for
this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1365008 - CVE-2016-6316 rubygem-actionview: cross-site scripting flaw in Action View

6. Package List:

The following four channels receive the same el6 packages:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6)
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)

Source:
ror40-rubygem-actionpack-4.0.2-8.el6.src.rpm

noarch:
ror40-rubygem-actionpack-4.0.2-8.el6.noarch.rpm
ror40-rubygem-actionpack-doc-4.0.2-8.el6.noarch.rpm

The following four channels receive the same el7 packages:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1)
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.2)
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)

Source:
ror40-rubygem-actionpack-4.0.2-8.el7.src.rpm

noarch:
ror40-rubygem-actionpack-4.0.2-8.el7.noarch.rpm
ror40-rubygem-actionpack-doc-4.0.2-8.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-6316
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFX199NXlSAg2UNWIIRAjWGAJ95vFDU/L3V3Fc6JPrrMCzhb8TenQCbBgwU
4Hl+Ut1R+baT+RM3HCRoPGE=
=SA6M
-----END PGP SIGNATURE-----

Posted to the Red Hat Enterprise-watch-list mailing list.

Summary: ror40-rubygem-actionpack update for Red Hat Software Collections fixing CVE-2016-6316, a cross-site scripting flaw in Action View tag helpers that wrote HTML-safe strings into attribute values without escaping their quotes. Note the restart requirement: running Rails applications keep the old gem loaded until they are restarted. Tags: ror40-rubygem-actionpack, Red Hat Software Collections, XSS Flaw Update. Severity: Moderate. LinuxSecurity.com Team

Sep 13, 2016 | Moderate | Red Hat

Red Hat Software Collections: RHSA-2016:1855-01 Moderate: rh-ror42 Update for XSS and Unsafe Query Generation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: rh-ror42 security update
Advisory ID:       RHSA-2016:1855-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:1855.html
Issue date:        2016-09-13
CVE Names:         CVE-2016-6316 CVE-2016-6317
====================================================================

1. Summary:

An update for rh-ror42-rubygem-actionview, rh-ror42-rubygem-activerecord, and
rh-ror42-rubygem-actionpack is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.2) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch

3. Description:

Ruby on Rails is a model-view-controller (MVC) framework for web application
development. Action View implements the view component, and Active Record
implements the model component.

Security Fix(es) in rubygem-actionview:

* It was discovered that Action View tag helpers did not escape quotes when
using strings declared as HTML safe as attribute values. A remote attacker
could use this flaw to conduct a cross-site scripting (XSS) attack.
(CVE-2016-6316)

Security Fix(es) in rubygem-activerecord:

* A flaw was found in the way Active Record handled certain special values in
dynamic finders and relations. If a Ruby on Rails application performed JSON
parameter parsing, a remote attacker could possibly manipulate search
conditions in SQL queries generated by the application. (CVE-2016-6317)

Red Hat would like to thank the Ruby on Rails project for reporting these
issues. Upstream acknowledges Andrew Carpenter (Critical Juncture) as the
original reporter of CVE-2016-6316; and joernchen (Phenoelit) as the original
reporter of CVE-2016-6317.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1365008 - CVE-2016-6316 rubygem-actionview: cross-site scripting flaw in Action View
1365017 - CVE-2016-6317 rubygem-activerecord: unsafe query generation in Active Record

6. Package List:

The following four channels receive the same packages:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1)
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.2)
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)

Source:
rh-ror42-rubygem-actionpack-4.2.6-3.el7.src.rpm
rh-ror42-rubygem-actionview-4.2.6-3.el7.src.rpm
rh-ror42-rubygem-activerecord-4.2.6-3.el7.src.rpm

noarch:
rh-ror42-rubygem-actionpack-4.2.6-3.el7.noarch.rpm
rh-ror42-rubygem-actionpack-doc-4.2.6-3.el7.noarch.rpm
rh-ror42-rubygem-actionview-4.2.6-3.el7.noarch.rpm
rh-ror42-rubygem-actionview-doc-4.2.6-3.el7.noarch.rpm
rh-ror42-rubygem-activerecord-4.2.6-3.el7.noarch.rpm
rh-ror42-rubygem-activerecord-doc-4.2.6-3.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-6316
https://access.redhat.com/security/cve/CVE-2016-6317
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

More contact details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFX1977XlSAg2UNWIIRAgmUAJ9CAZsdFov2snrXXLOrRTt0sUrfxgCgpwgG
F0o+B5gJPw4TXZWYKzOkv5I=
=n1+g
-----END PGP SIGNATURE-----

Posted to the Red Hat Enterprise-watch-list mailing list.

Summary: rh-ror42 update for Red Hat Software Collections fixing CVE-2016-6316 (cross-site scripting in Action View tag helpers, which did not escape quotes in HTML-safe strings used as attribute values) and CVE-2016-6317 (unsafe query generation in Active Record when JSON-parsed parameters reach dynamic finders or relations). Tags: Red Hat Software Collections, Ruby on Rails, security update, XSS flaw, unsafe query. Severity: Moderate. LinuxSecurity.com Team

Sep 13, 2016 | Moderate | Red Hat

Fedora 22: 2016-02ee5b4002 Critical: phpMyAdmin XSS Fix

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2016-02ee5b4002
2016-03-13 19:42:32.347711
--------------------------------------------------------------------------------
Name        : phpMyAdmin
Product     : Fedora 22
Version     : 4.5.5.1
Release     : 1.fc22
URL         : https://www.phpmyadmin.net/
Summary     : Handle the administration of MySQL over the World Wide Web
Description :
phpMyAdmin is a tool written in PHP intended to handle the administration of
MySQL over the World Wide Web. Most frequently used operations are supported
by the user interface (managing databases, tables, fields, relations, indexes,
users, permissions), while you still have the ability to directly execute any
SQL statement.

Features include an intuitive web interface, support for most MySQL features
(browse and drop databases, tables, views, fields and indexes; create, copy,
drop, rename and alter databases, tables, fields and indexes; maintenance of
server, databases and tables, with proposals on server configuration; execute,
edit and bookmark any SQL statement, even batch queries; manage MySQL users
and privileges; manage stored procedures and triggers), import data from CSV
and SQL, export data to various formats (CSV, SQL, XML, PDF, OpenDocument Text
and Spreadsheet, Word, Excel, LaTeX and others), administering multiple
servers, creating PDF graphics of your database layout, creating complex
queries using Query-by-example (QBE), searching globally in a database or a
subset of it, transforming stored data into any format using a set of
predefined functions, like displaying BLOB data as image or download link,
and much more...
--------------------------------------------------------------------------------
Update Information:

phpMyAdmin 4.5.5.1 (2016-02-29)
===============================

This release fixes multiple XSS vulnerabilities, please see PMASA-2016-10,
PMASA-2016-11, and PMASA-2016-12 for details; additionally it fixes a
vulnerability allowing a man-in-the-middle attack on an API call to GitHub,
see PMASA-2016-13 for details.

It also includes fixes for the following bugs:
- issue #11971 CREATE UNIQUE INDEX index type is not recognized by parser.
- issue #11982 Row count wrong when grouping joined tables.
- issue #12012 Column definition with default value and comment in CREATE
  TABLE exported faulty.
- issue #12020 New statement but no delimiter and unexpected token with
  REPLACE.
- issue #12029 Fixed incorrect usage of SQL parser context in SQL export
- issue #12048 Fixed inclusion of gettext library from SQL parser
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1313698 - CVE-2016-2559 CVE-2016-2562 phpmyadmin: various flaws [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1313698
  [ 2 ] Bug #1313225 - CVE-2016-2560 CVE-2016-2561 phpmyadmin: various flaws [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1313225
  [ 3 ] Bug #1310918 - phpMyAdmin-4.5.5.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1310918
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update phpMyAdmin' at the command line. For more information,
refer to "Managing Software with yum".

All packages are signed with the Fedora Project GPG key.
--------------------------------------------------------------------------------
Posted to the Fedora package-announce mailing list
(https://lists.fedoraproject.org/admin/lists/package-announce.lists.fedoraproject.org/).

Summary: phpMyAdmin 4.5.5.1 for Fedora 22 fixes several cross-site scripting flaws (PMASA-2016-10, PMASA-2016-11, PMASA-2016-12) and a man-in-the-middle weakness in an API call to GitHub (PMASA-2016-13); Red Hat tracks the set as CVE-2016-2559 through CVE-2016-2562. Tags: phpMyAdmin Security, Fedora Updates, Web Application Security. Severity: Critical. LinuxSecurity.com Team

Mar 14, 2016 | Critical | Fedora

Fedora 21: 2015-13664 Critical: RT (Request Tracker) Security Update

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-13664
2015-08-27 19:40:20.010788
--------------------------------------------------------------------------------
Name        : rt
Product     : Fedora 21
Version     : 4.2.12
Release     : 1.fc21
URL         : https://requesttracker.com/request-tracker/
Summary     : Request tracker
Description :
RT is an enterprise-grade ticketing system which enables a group of people to
intelligently and efficiently manage tasks, issues, and requests submitted by
a community of users.
--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2015-5475
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1254111 - CVE-2015-5475 CVE-2015-6506 rt: multiple XSS flaws
        https://bugzilla.redhat.com/show_bug.cgi?id=1254111
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update rt' at the command line. For more information, refer to
"Managing Software with yum".

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
Posted to the Fedora package-announce mailing list
(https://lists.fedoraproject.org/admin/lists/package-announce.lists.fedoraproject.org/).

Summary: RT 4.2.12 for Fedora 21 carries the security fix for CVE-2015-5475; the Red Hat bug it references also tracks CVE-2015-6506, both cross-site scripting flaws in RT. Tags: Fedora Security Update, RT Request Tracker, XSS Flaw Fix. Severity: Critical. LinuxSecurity.com Team

Aug 27, 2015 | Critical | Fedora

Red Hat Enterprise Linux 6: RHSA-2015:1462-01 Moderate: ipa security and bug fix update (jQuery XSS)

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ipa security and bug fix update
Advisory ID:       RHSA-2015:1462-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2015:1462.html
Issue date:        2015-07-22
Updated on:        2015-03-04
CVE Names:         CVE-2010-5312 CVE-2012-6662
====================================================================

1. Summary:

Updated ipa packages that fix two security issues and several bugs are now
available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the CVE
links in the References section.

Red Hat Identity Management (IdM) is a centralized authentication, identity
management, and authorization solution for both traditional and cloud-based
enterprise environments.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

3. Description:

Two cross-site scripting (XSS) flaws were found in jQuery, which impacted the
Identity Management web administrative interface, and could allow an
authenticated user to inject arbitrary HTML or web script into the interface.
(CVE-2010-5312, CVE-2012-6662)

Note: The IdM version provided by this update no longer uses jQuery.

Bug fixes:

* The ipa-server-install, ipa-replica-install, and ipa-client-install
utilities are not supported on machines running in FIPS-140 mode. Previously,
IdM did not warn users about this. Now, IdM does not allow running the
utilities in FIPS-140 mode, and displays an explanatory message. (BZ#1131571)

* If an Active Directory (AD) server was specified or discovered
automatically when running the ipa-client-install utility, the utility
produced a traceback instead of informing the user that an IdM server is
expected in this situation. Now, ipa-client-install detects the AD server and
fails with an explanatory message. (BZ#1132261)

* When IdM servers were configured to require the TLS protocol version 1.1
(TLSv1.1) or later in the httpd server, the ipa utility failed. With this
update, running ipa works as expected with TLSv1.1 or later. (BZ#1154687)

* In certain high-load environments, the Kerberos authentication step of the
IdM client installer can fail. Previously, the entire client installation
failed in this situation. This update modifies ipa-client-install to prefer
the TCP protocol over the UDP protocol and to retry the authentication attempt
in case of failure. (BZ#1161722)

* If ipa-client-install updated or created the /etc/nsswitch.conf file, the
sudo utility could terminate unexpectedly with a segmentation fault. Now,
ipa-client-install puts a new line character at the end of nsswitch.conf if
it modifies the last line of the file, fixing this bug. (BZ#1185207)

* The ipa-client-automount utility failed with the "UNWILLING_TO_PERFORM" LDAP
error when the nsslapd-minssf Red Hat Directory Server configuration parameter
was set to "1". This update modifies ipa-client-automount to use an encrypted
connection for LDAP searches by default, and the utility now finishes
successfully even with nsslapd-minssf specified. (BZ#1191040)

* If installing an IdM server failed after the Certificate Authority (CA)
installation, the "ipa-server-install --uninstall" command did not perform a
proper cleanup. After the user issued "ipa-server-install --uninstall" and
then attempted to install the server again, the installation failed. Now,
"ipa-server-install --uninstall" removes the CA-related files in the described
situation, and ipa-server-install no longer fails with the mentioned error
message. (BZ#1198160)

* Running ipa-client-install added the "sss" entry to the sudoers line in
nsswitch.conf even if "sss" was already configured and the entry was present
in the file. Duplicate "sss" then caused sudo to become unresponsive. Now,
ipa-client-install no longer adds "sss" if it is already present in
nsswitch.conf. (BZ#1198339)

* After running ipa-client-install, it was not possible to log in using SSH
under certain circumstances. Now, ipa-client-install no longer corrupts the
sshd_config file, the sshd service can start as expected, and logging in using
SSH works in the described situation. (BZ#1201454)

* An incorrect definition of the dc attribute in the
/usr/share/ipa/05rfc2247.ldif file caused bogus error messages to be returned
during migration. The attribute has been fixed, but the bug persists if the
copy-schema-to-ca.py script was run on Red Hat Enterprise Linux 6.6 prior to
running it on Red Hat Enterprise Linux 6.7. To work around this problem,
manually copy /usr/share/ipa/schema/05rfc2247.ldif to
/etc/dirsrv/slapd-PKI-IPA/schema/ and restart IdM. (BZ#1220788)

All ipa users are advised to upgrade to these updated packages, which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1132261 - ipa-client-install failing produces a traceback instead of useful error message
1146870 - ipa-client-install fails with "KerbTransport instance has no attribute '__conn'" traceback
1154687 - POODLE: force using safe ciphers (non-SSLv3) in IPA client and server
1166041 - CVE-2010-5312 jquery-ui: XSS vulnerability in jQuery.ui.dialog title option
1166064 - CVE-2012-6662 jquery-ui: XSS vulnerability in default content in Tooltip widget
1185207 - ipa-client dont end new line character in /etc/nsswitch.conf
1198339 - ipa-client-install adds extra sss to sudoers in nsswitch.conf
1201454 - ipa breaks sshd config
1205660 - ipa-client rpm should require keyutils
1207649 - host certificate not issued to client during ipa-client-install
1220788 - request to backport ticket 3578 to RHEL6. Provoking migration to 7.1 issues.

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ipa-3.0.0-47.el6.src.rpm

i386:
ipa-client-3.0.0-47.el6.i686.rpm
ipa-debuginfo-3.0.0-47.el6.i686.rpm
ipa-python-3.0.0-47.el6.i686.rpm

x86_64:
ipa-client-3.0.0-47.el6.x86_64.rpm
ipa-debuginfo-3.0.0-47.el6.x86_64.rpm
ipa-python-3.0.0-47.el6.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
ipa-admintools-3.0.0-47.el6.i686.rpm
ipa-debuginfo-3.0.0-47.el6.i686.rpm
ipa-server-3.0.0-47.el6.i686.rpm
ipa-server-selinux-3.0.0-47.el6.i686.rpm
ipa-server-trust-ad-3.0.0-47.el6.i686.rpm

x86_64:
ipa-admintools-3.0.0-47.el6.x86_64.rpm
ipa-debuginfo-3.0.0-47.el6.x86_64.rpm
ipa-server-3.0.0-47.el6.x86_64.rpm
ipa-server-selinux-3.0.0-47.el6.x86_64.rpm
ipa-server-trust-ad-3.0.0-47.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ipa-3.0.0-47.el6.src.rpm

x86_64:
ipa-client-3.0.0-47.el6.x86_64.rpm
ipa-debuginfo-3.0.0-47.el6.x86_64.rpm
ipa-python-3.0.0-47.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

x86_64:
ipa-admintools-3.0.0-47.el6.x86_64.rpm
ipa-debuginfo-3.0.0-47.el6.x86_64.rpm
ipa-server-3.0.0-47.el6.x86_64.rpm
ipa-server-selinux-3.0.0-47.el6.x86_64.rpm
ipa-server-trust-ad-3.0.0-47.el6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ipa-3.0.0-47.el6.src.rpm

i386:
ipa-admintools-3.0.0-47.el6.i686.rpm
ipa-client-3.0.0-47.el6.i686.rpm
ipa-debuginfo-3.0.0-47.el6.i686.rpm
ipa-python-3.0.0-47.el6.i686.rpm
ipa-server-3.0.0-47.el6.i686.rpm
ipa-server-selinux-3.0.0-47.el6.i686.rpm
ipa-server-trust-ad-3.0.0-47.el6.i686.rpm

ppc64:
ipa-admintools-3.0.0-47.el6.ppc64.rpm
ipa-client-3.0.0-47.el6.ppc64.rpm
ipa-debuginfo-3.0.0-47.el6.ppc64.rpm
ipa-python-3.0.0-47.el6.ppc64.rpm

s390x:
ipa-admintools-3.0.0-47.el6.s390x.rpm
ipa-client-3.0.0-47.el6.s390x.rpm
ipa-debuginfo-3.0.0-47.el6.s390x.rpm
ipa-python-3.0.0-47.el6.s390x.rpm

x86_64:
ipa-admintools-3.0.0-47.el6.x86_64.rpm
ipa-client-3.0.0-47.el6.x86_64.rpm
ipa-debuginfo-3.0.0-47.el6.x86_64.rpm
ipa-python-3.0.0-47.el6.x86_64.rpm
ipa-server-3.0.0-47.el6.x86_64.rpm
ipa-server-selinux-3.0.0-47.el6.x86_64.rpm
ipa-server-trust-ad-3.0.0-47.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ipa-3.0.0-47.el6.src.rpm

i386:
ipa-admintools-3.0.0-47.el6.i686.rpm
ipa-client-3.0.0-47.el6.i686.rpm
ipa-debuginfo-3.0.0-47.el6.i686.rpm
ipa-python-3.0.0-47.el6.i686.rpm
ipa-server-3.0.0-47.el6.i686.rpm
ipa-server-selinux-3.0.0-47.el6.i686.rpm
ipa-server-trust-ad-3.0.0-47.el6.i686.rpm

x86_64:
ipa-admintools-3.0.0-47.el6.x86_64.rpm
ipa-client-3.0.0-47.el6.x86_64.rpm
ipa-debuginfo-3.0.0-47.el6.x86_64.rpm
ipa-python-3.0.0-47.el6.x86_64.rpm
ipa-server-3.0.0-47.el6.x86_64.rpm
ipa-server-selinux-3.0.0-47.el6.x86_64.rpm
ipa-server-trust-ad-3.0.0-47.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from
https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2010-5312
https://access.redhat.com/security/cve/CVE-2012-6662
https://access.redhat.com/security/updates/classification#moderate

8. Contact:

More contact details at https://access.redhat.com/security/team/contact

Copyright 2015 Red Hat, Inc.

Summary: Red Hat Enterprise Linux 6 ipa update fixing two cross-site scripting flaws in the bundled jQuery UI components used by the IdM web UI (CVE-2010-5312 in the jQuery.ui.dialog title option, CVE-2012-6662 in the Tooltip widget's default content), both exploitable by an authenticated user of the interface, together with the installer and client bug fixes listed above. The updated IdM no longer ships jQuery. Tags: ipa Security, Red Hat Update, RHEL 6 Advisory, Moderate Security Fixes, XSS Vulnerability. Severity: Moderate. LinuxSecurity.com Team

Jul 22, 2015 Red Hat

Slackware 14.0: 2013-067-02 Urgent: Httpd Vulnerability Patch Applied

New httpd packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security] httpd (SSA:2013-062-01)

Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/httpd-2.4.4-i486-1_slack14.0.txz: Upgraded.
  This update provides bugfixes and enhancements. Two security issues are fixed:
  * Various XSS flaws due to unescaped hostnames and URIs HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp. [Jim Jagielski, Stefan Fritsch, Niels Heinen]
  * XSS in mod_proxy_balancer manager interface. [Jim Jagielski, Niels Heinen]
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2012-3499
    https://www.cve.org/CVERecord?id=CVE-2012-4558
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab (https://osuosl.org/) for donating FTP and rsync hosting to the Slackware project! :-)

Also see the "Get Slack" section on http://www.slackware.com/ for additional mirror sites near you.

Updated package for Slackware 12.1:
Updated package for Slackware 12.2:
Updated package for Slackware 13.0:
Updated package for Slackware x86_64 13.0:
Updated package for Slackware 13.1:
Updated package for Slackware x86_64 13.1:
Updated package for Slackware 13.37:
Updated package for Slackware x86_64 13.37:
Updated package for Slackware 14.0:
Updated package for Slackware x86_64 14.0:
Updated package for Slackware -current:
Updated package for Slackware x86_64 -current:

MD5 signatures:
+-------------+

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg httpd-2.4.4-i486-1_slack14.0.txz

Then, restart Apache httpd:
# /etc/rc.d/rc.httpd stop
# /etc/rc.d/rc.httpd start

+-----+

Slackware's httpd update resolves severe XSS vulnerabilities; package enhancements ready for multiple versions.

httpd Update, Slackware Security, XSS Flaw Fix, Package Upgrade.

Severity: Important.

LinuxSecurity.com Team

Mar 03, 2013 Important Slackware
