New zsh packages are available for Slackware 15.0 to fix a security issue.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  zsh (SSA:2025-109-01)

New zsh packages are available for Slackware 15.0 to fix a security issue.

Here are the details from the Slackware 15.0 ChangeLog:
+--------------------------+
patches/packages/zsh-5.9-i586-1_slack15.0.txz:  Upgraded.
  This release fixes a security issue in zsh-5.8:
  Some prompt expansion sequences, such as %F, support 'arguments' which are
  themselves expanded in case they contain colour values, etc. This additional
  expansion would trigger PROMPT_SUBST evaluation, if enabled. This could be
  abused to execute code the user didn't expect. e.g., given a certain prompt
  configuration, an attacker could trick a user into executing arbitrary code
  by having them check out a Git branch with a specially crafted name.
  This is fixed in the shell itself by no longer performing PROMPT_SUBST
  evaluation on these prompt-expansion arguments.
  Note that this is a potential incompatibility if you are relying on the
  previous behavior of PROMPT_SUBST.
  Thanks to pblsxw for the heads-up on this.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2021-45444
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://www.slackware.com/ for
additional mirror sites near you.

Updated package for Slackware 15.0:
ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/zsh-5.9-i586-1_slack15.0.txz

Updated package for Slackware x86_64 15.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/zsh-5.9-x86_64-1_slack15.0.txz

MD5 signatures:
+-------------+

Slackware 15.0 package:
061804a8d52ec3c1492bda4f05748fea  zsh-5.9-i586-1_slack15.0.txz

Slackware x86_64 15.0 package:
3d0b84ddbbeedf0d346ef1819bb29e32  zsh-5.9-x86_64-1_slack15.0.txz

Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg zsh-5.9-i586-1_slack15.0.txz

+-----+

Revised zsh packages for Slackware 15.0 fix a vulnerability allowing potential code execution through prompt expansion.
Slackware Security, zsh Update, Security Patch.
Severity: Critical.
LinuxSecurity.com Team
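The Slackware ChangeLog above gives the attack shape: a Git branch name carrying a prompt escape such as %F{...} whose argument is re-evaluated under PROMPT_SUBST, so a substitution hidden in the argument runs when the prompt is drawn. The POSIX shell script below is an added example, not code from any advisory on this page or from the zsh project. It does two things a practitioner would want before trusting a remote: it classifies ref names by whether they combine a prompt escape ('%') with a substitution trigger ('$(', backtick, '${'), and it checks a `zsh --version` string against upstream 5.8.1. The 5.8.1 threshold is an assumption drawn from upstream zsh, not stated on this page, and it is deliberately conservative: vendor backports such as the Ubuntu 5.8-6ubuntu0.1 package listed further down still report "zsh 5.8", so on those systems the package manager, not the version string, is authoritative.

```shell
#!/bin/sh
# Added example (not from any advisory on this page): a pre-checkout guard for
# CVE-2021-45444-style branch names plus a zsh version check.
#
# Assumptions, not stated on the page:
#   - upstream zsh 5.8.1 is the first release that stops PROMPT_SUBST-evaluating
#     %F/%K-style prompt arguments; anything older is treated as unfixed;
#   - distro packages that backport the fix (e.g. Ubuntu 5.8-6ubuntu0.1) still
#     report "zsh 5.8", so zsh_upstream_fixed alone is not proof of exposure.

# classify_ref NAME -> prints danger | warn | ok
#   danger: NAME contains '%' (so prompt expansion will interpret it) AND a
#           substitution trigger ($( , backtick, ${ ), the combination needed
#           to smuggle code through a %F{...} argument under PROMPT_SUBST.
#   warn:   only one of the two is present; not enough for this CVE on its own,
#           but worth a look before the name lands in PS1 via vcs_info.
classify_ref() {
    pct=0; sub=0
    case $1 in *%*) pct=1 ;; esac
    case $1 in *'$('*|*'`'*|*'${'*) sub=1 ;; esac
    if [ "$pct" -eq 1 ] && [ "$sub" -eq 1 ]; then
        echo danger
    elif [ "$pct" -eq 1 ] || [ "$sub" -eq 1 ]; then
        echo warn
    else
        echo ok
    fi
}

# scan_refs: one ref name per line on stdin; prints "<class><TAB><name>" for
# every non-ok name. Exit status 1 if any 'danger' ref was seen, else 0.
scan_refs() {
    found=0
    while IFS= read -r ref; do
        [ -n "$ref" ] || continue
        cls=$(classify_ref "$ref")
        [ "$cls" = ok ] && continue
        printf '%s\t%s\n' "$cls" "$ref"
        [ "$cls" = danger ] && found=1
    done
    return "$found"
}

# zsh_upstream_fixed "zsh X.Y[.Z] (...)" -> 0 if X.Y.Z >= 5.8.1, 1 if older,
# 2 if the string is not recognisable `zsh --version` output.
zsh_upstream_fixed() {
    case $1 in "zsh "[0-9]*) ;; *) return 2 ;; esac
    ver=${1#zsh }; ver=${ver%% *}            # "5.8.1" from "zsh 5.8.1 (x86_64-...)"
    maj=${ver%%.*}; rest=${ver#"$maj"}; rest=${rest#.}
    min=${rest%%.*}; rest=${rest#"$min"}; rest=${rest#.}
    pat=${rest%%.*}
    # drop "-dev-0" style suffixes so only digits reach the arithmetic
    maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}
    [ -n "$maj" ] || return 2
    [ $(( maj * 10000 + ${min:-0} * 100 + ${pat:-0} )) -ge 50801 ]
}

# check_system: run the version check against whatever zsh is on PATH.
check_system() {
    command -v zsh >/dev/null 2>&1 || { echo 'zsh: not installed'; return 0; }
    out=$(zsh --version 2>/dev/null)
    rc=0; zsh_upstream_fixed "$out" || rc=$?
    case $rc in
        0) printf 'zsh: %s -> upstream 5.8.1 or later\n' "$out" ;;
        1) printf 'zsh: %s -> below 5.8.1; confirm a vendor backport with your package manager\n' "$out" ;;
        *) printf 'zsh: unrecognised version string: %s\n' "$out" ;;
    esac
}
```

Source the file, then run `git ls-remote --heads origin | cut -f2 | scan_refs` before checking out anything from a remote you do not control; a non-zero exit means at least one ref name has the danger shape. `check_system` reports the local interpreter. A `warn` on a bare '%' is also the name to watch if you rely on the old PROMPT_SUBST behaviour that the Slackware note flags as a possible incompatibility.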
An update that fixes 12 vulnerabilities is now available.

SUSE Security Update: Security update for zsh
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:14910-1
Rating:             important
References:         #1082885 #1082975 #1082977 #1082991 #1082998 #1083002
                    #1083250 #1084656 #1087026 #1107294 #1107296 #1163882
Cross-References:   CVE-2014-10070 CVE-2014-10071 CVE-2014-10072 CVE-2016-10714
                    CVE-2017-18205 CVE-2017-18206 CVE-2018-0502 CVE-2018-1071
                    CVE-2018-1083 CVE-2018-13259 CVE-2018-7549 CVE-2019-20044
CVSS scores:
  CVE-2014-10070 (SUSE): 8.6 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  CVE-2014-10071 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVE-2014-10071 (SUSE): 5.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  CVE-2014-10072 (SUSE): 5.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  CVE-2016-10714 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVE-2016-10714 (SUSE): 5.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  CVE-2017-18205 (NVD) : 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVE-2017-18205 (SUSE): 2.5 CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
  CVE-2017-18206 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVE-2017-18206 (SUSE): 5.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  CVE-2018-0502 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVE-2018-0502 (SUSE): 7.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
  CVE-2018-1071 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  CVE-2018-1071 (SUSE): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  CVE-2018-1083 (NVD) : 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2018-1083 (SUSE): 7.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
  CVE-2018-13259 (NVD) : 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  CVE-2018-13259 (SUSE): 7.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
  CVE-2018-7549 (NVD) : 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  CVE-2018-7549 (SUSE): 3.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  CVE-2019-20044 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2019-20044 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
  SUSE Linux Enterprise Debuginfo 11-SP3
  SUSE Linux Enterprise Debuginfo 11-SP4
  SUSE Linux Enterprise Point of Sale 11-SP3
  SUSE Linux Enterprise Server 11-SP4-LTSS
______________________________________________________________________________

An update that fixes 12 vulnerabilities is now available.

Description:

This update for zsh fixes the following issues:

- CVE-2019-20044: Fixed an insecure dropping of privileges when unsetting the
  PRIVILEGED option (bsc#1163882).
- CVE-2018-13259: Fixed an unexpected truncation of long shebang lines
  (bsc#1107294).
- CVE-2018-7549: Fixed a crash when handling an empty hash table (bsc#1082991).
- CVE-2018-1083: Fixed a stack-based buffer overflow when using tab completion
  on directories with long names (bsc#1087026).
- CVE-2018-1071: Fixed a stack-based buffer overflow when executing certain
  commands (bsc#1084656).
- CVE-2018-0502: Fixed a mishandling of shebang lines (bsc#1107296).
- CVE-2017-18206: Fixed a buffer overflow related to symlink processing
  (bsc#1083002).
- CVE-2017-18205: Fixed an application crash when using cd with no arguments
  (bsc#1082998).
- CVE-2016-10714: Fixed a potential application crash when handling
  maximum-length paths (bsc#1083250).
- CVE-2014-10072: Fixed a buffer overflow when scanning very long directory
  paths for symbolic links (bsc#1082975).
- CVE-2014-10071: Fixed a buffer overflow when redirecting output to a long
  file descriptor (bsc#1082977).
- CVE-2014-10070: Fixed a privilege escalation vulnerability via environment
  variables (bsc#1082885).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4-LTSS:
  zypper in -t patch slessp4-zsh-14910=1
- SUSE Linux Enterprise Point of Sale 11-SP3:
  zypper in -t patch sleposp3-zsh-14910=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
  zypper in -t patch dbgsp4-zsh-14910=1
- SUSE Linux Enterprise Debuginfo 11-SP3:
  zypper in -t patch dbgsp3-zsh-14910=1

Package List:

- SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
  zsh-4.3.6-67.9.8.1
- SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
  zsh-4.3.6-67.9.8.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
  zsh-debuginfo-4.3.6-67.9.8.1
  zsh-debugsource-4.3.6-67.9.8.1
- SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
  zsh-debuginfo-4.3.6-67.9.8.1
  zsh-debugsource-4.3.6-67.9.8.1

References:
  https://www.suse.com/security/cve/CVE-2014-10070.html
  https://www.suse.com/security/cve/CVE-2014-10071.html
  https://www.suse.com/security/cve/CVE-2014-10072.html
  https://www.suse.com/security/cve/CVE-2016-10714.html
  https://www.suse.com/security/cve/CVE-2017-18205.html
  https://www.suse.com/security/cve/CVE-2017-18206.html
  https://www.suse.com/security/cve/CVE-2018-0502.html
  https://www.suse.com/security/cve/CVE-2018-1071.html
  https://www.suse.com/security/cve/CVE-2018-1083.html
  https://www.suse.com/security/cve/CVE-2018-13259.html
  https://www.suse.com/security/cve/CVE-2018-7549.html
  https://www.suse.com/security/cve/CVE-2019-20044.html
  https://bugzilla.suse.com/1082885
  https://bugzilla.suse.com/1082975
  https://bugzilla.suse.com/1082977
  https://bugzilla.suse.com/1082991
  https://bugzilla.suse.com/1082998
  https://bugzilla.suse.com/1083002
  https://bugzilla.suse.com/1083250
  https://bugzilla.suse.com/1084656
  https://bugzilla.suse.com/1087026
  https://bugzilla.suse.com/1107294
  https://bugzilla.suse.com/1107296
  https://bugzilla.suse.com/1163882

SUSE releases a security patch for zsh on SLE 11, tackling twelve vulnerabilities with high priority.
SUSE Linux, zsh security, security update, zsh fixes, software vulnerabilities.
Severity: Important.
LinuxSecurity.com Team
Several security issues were fixed in Zsh.

==========================================================================
Ubuntu Security Notice USN-5325-1
March 14, 2022

zsh vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in Zsh.

Software Description:
- zsh: shell with lots of features

Details:

Sam Foxman discovered that Zsh incorrectly handled certain inputs. An
attacker could possibly use this issue to regain dropped privileges.
(CVE-2019-20044)

It was discovered that Zsh incorrectly handled certain inputs. An
attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-45444)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.10:
  zsh                             5.8-6ubuntu0.1
  zsh-static                      5.8-6ubuntu0.1

Ubuntu 20.04 LTS:
  zsh                             5.8-3ubuntu1.1
  zsh-static                      5.8-3ubuntu1.1

Ubuntu 18.04 LTS:
  zsh                             5.4.2-3ubuntu3.2
  zsh-static                      5.4.2-3ubuntu3.2

Ubuntu 16.04 ESM:
  zsh                             5.1.1-1ubuntu2.3+esm1
  zsh-static                      5.1.1-1ubuntu2.3+esm1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5325-1
  CVE-2019-20044, CVE-2021-45444

Package Information:
  https://launchpad.net/ubuntu/+source/zsh/5.8-6ubuntu0.1
  https://launchpad.net/ubuntu/+source/zsh/5.8-3ubuntu1.1
  https://launchpad.net/ubuntu/+source/zsh/5.4.2-3ubuntu3.2

Keep updated with the latest Ubuntu Security Notice USN-5325-1 concerning Zsh flaws that impact multiple versions.
Zsh Issues, Ubuntu 21.10, Ubuntu 20.04, Security Notices, System Updates.
Severity: Critical.
LinuxSecurity.com Team
An update that fixes two vulnerabilities is now available.

openSUSE Security Update: Security update for zsh
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:0735-1
Rating:             important
References:         #1163882 #1196435
Cross-References:   CVE-2019-20044 CVE-2021-45444
CVSS scores:
  CVE-2019-20044 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2019-20044 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-45444 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  CVE-2021-45444 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:
  openSUSE Leap 15.3
  openSUSE Leap 15.4
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for zsh fixes the following issues:

- CVE-2021-45444: Fixed a vulnerability where arbitrary shell commands could
  be executed related to prompt expansion (bsc#1196435).
- CVE-2019-20044: Fixed a vulnerability where shell privileges would not be
  properly dropped when unsetting the PRIVILEGED option (bsc#1163882).

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.4:
  zypper in -t patch openSUSE-SLE-15.4-2022-735=1
- openSUSE Leap 15.3:
  zypper in -t patch openSUSE-SLE-15.3-2022-735=1

Package List:

- openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
  zsh-htmldoc-5.6-7.5.1
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
  zsh-htmldoc-5.6-7.5.1

References:
  https://www.suse.com/security/cve/CVE-2019-20044.html
  https://www.suse.com/security/cve/CVE-2021-45444.html
  https://bugzilla.suse.com/1163882
  https://bugzilla.suse.com/1196435

Urgent patch release for zsh in openSUSE addressing command execution and privilege escalation vulnerabilities.
openSUSE Zsh Update, Shell Command Security, Command Execution Risk.
Severity: Important.
LinuxSecurity.com Team
An update that fixes three vulnerabilities is now available.

SUSE Security Update: Security update for zsh
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:0733-1
Rating:             important
References:         #1089030 #1163882 #1196435
Cross-References:   CVE-2018-1100 CVE-2019-20044 CVE-2021-45444
CVSS scores:
  CVE-2018-1100 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2018-1100 (SUSE): 7.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
  CVE-2019-20044 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2019-20044 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-45444 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  CVE-2021-45444 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:
  HPE Helion Openstack 8
  SUSE Linux Enterprise Server 12-SP2-BCL
  SUSE Linux Enterprise Server 12-SP3-BCL
  SUSE Linux Enterprise Server 12-SP3-LTSS
  SUSE Linux Enterprise Server 12-SP4-LTSS
  SUSE Linux Enterprise Server 12-SP5
  SUSE Linux Enterprise Server for SAP 12-SP3
  SUSE Linux Enterprise Server for SAP 12-SP4
  SUSE OpenStack Cloud 8
  SUSE OpenStack Cloud 9
  SUSE OpenStack Cloud Crowbar 8
  SUSE OpenStack Cloud Crowbar 9
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for zsh fixes the following issues:

- CVE-2021-45444: Fixed a vulnerability where arbitrary shell commands could
  be executed related to prompt expansion (bsc#1196435).
- CVE-2019-20044: Fixed a vulnerability where shell privileges would not be
  properly dropped when unsetting the PRIVILEGED option (bsc#1163882).
- CVE-2018-1100: Fixed a potential code execution via a stack-based buffer
  overflow in utils.c:checkmailpath() (bsc#1089030).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-733=1
- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2022-733=1
- SUSE OpenStack Cloud 9:
  zypper in -t patch SUSE-OpenStack-Cloud-9-2022-733=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2022-733=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-733=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2022-733=1
- SUSE Linux Enterprise Server 12-SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-733=1
- SUSE Linux Enterprise Server 12-SP4-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-733=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2022-733=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-733=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2022-733=1
- HPE Helion Openstack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2022-733=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
  zsh-5.0.5-6.19.1
  zsh-debuginfo-5.0.5-6.19.1
  zsh-debugsource-5.0.5-6.19.1
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  zsh-5.0.5-6.19.1
  zsh-debuginfo-5.0.5-6.19.1
  zsh-debugsource-5.0.5-6.19.1
- SUSE OpenStack Cloud 9 (x86_64):
  zsh-5.0.5-6.19.1
  zsh-debuginfo-5.0.5-6.19.1
  zsh-debugsource-5.0.5-6.19.1
- SUSE OpenStack Cloud 8 (x86_64):
  zsh-5.0.5-6.19.1
  zsh-debuginfo-5.0.5-6.19.1
  zsh-debugsource-5.0.5-6.19.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
  zsh-5.0.5-6.19.1
  zsh-debuginfo-5.0.5-6.19.1
  zsh-debugsource-5.0.5-6.19.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
  zsh-5.0.5-6.19.1
  zsh-debuginfo-5.0.5-6.19.1
  zsh-debugsource-5.0.5-6.19.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
  zsh-5.0.5-6.19.1
  zsh-debuginfo-5.0.5-6.19.1
  zsh-debugsource-5.0.5-6.19.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
  zsh-5.0.5-6.19.1
  zsh-debuginfo-5.0.5-6.19.1
  zsh-debugsource-5.0.5-6.19.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
  zsh-5.0.5-6.19.1
  zsh-debuginfo-5.0.5-6.19.1
  zsh-debugsource-5.0.5-6.19.1
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
  zsh-5.0.5-6.19.1
  zsh-debuginfo-5.0.5-6.19.1
  zsh-debugsource-5.0.5-6.19.1
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
  zsh-5.0.5-6.19.1
  zsh-debuginfo-5.0.5-6.19.1
  zsh-debugsource-5.0.5-6.19.1
- HPE Helion Openstack 8 (x86_64):
  zsh-5.0.5-6.19.1
  zsh-debuginfo-5.0.5-6.19.1
  zsh-debugsource-5.0.5-6.19.1

References:
  https://www.suse.com/security/cve/CVE-2018-1100.html
  https://www.suse.com/security/cve/CVE-2019-20044.html
  https://www.suse.com/security/cve/CVE-2021-45444.html
  https://bugzilla.suse.com/1089030
  https://bugzilla.suse.com/1163882
  https://bugzilla.suse.com/1196435

SUSE Security Update for zsh on SLE 12 resolves three security vulnerabilities. Ensure patches are applied without delay.
zsh Update, SUSE Patch, Shell Security Issues.
Severity: Important.
LinuxSecurity.com Team
An update that fixes two vulnerabilities is now available.

SUSE Security Update: Security update for zsh
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:0732-1
Rating:             important
References:         #1163882 #1196435
Cross-References:   CVE-2019-20044 CVE-2021-45444
CVSS scores:
  CVE-2019-20044 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2019-20044 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-45444 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  CVE-2021-45444 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:
  SUSE Linux Enterprise High Performance Computing 15-ESPOS
  SUSE Linux Enterprise High Performance Computing 15-LTSS
  SUSE Linux Enterprise Server 15-LTSS
  SUSE Linux Enterprise Server for SAP 15
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for zsh fixes the following issues:

- CVE-2021-45444: Fixed a vulnerability where arbitrary shell commands could
  be executed related to prompt expansion (bsc#1196435).
- CVE-2019-20044: Fixed a vulnerability where shell privileges would not be
  properly dropped when unsetting the PRIVILEGED option (bsc#1163882).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server for SAP 15:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2022-732=1
- SUSE Linux Enterprise Server 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-2022-732=1
- SUSE Linux Enterprise High Performance Computing 15-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2022-732=1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-2022-732=1

Package List:

- SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
  zsh-5.6-3.11.1
  zsh-debuginfo-5.6-3.11.1
  zsh-debugsource-5.6-3.11.1
- SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
  zsh-5.6-3.11.1
  zsh-debuginfo-5.6-3.11.1
  zsh-debugsource-5.6-3.11.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
  zsh-5.6-3.11.1
  zsh-debuginfo-5.6-3.11.1
  zsh-debugsource-5.6-3.11.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
  zsh-5.6-3.11.1
  zsh-debuginfo-5.6-3.11.1
  zsh-debugsource-5.6-3.11.1

References:
  https://www.suse.com/security/cve/CVE-2019-20044.html
  https://www.suse.com/security/cve/CVE-2021-45444.html
  https://bugzilla.suse.com/1163882
  https://bugzilla.suse.com/1196435

SUSE Security Patch for zsh on SLE 15 addresses severe command execution and privilege-handling vulnerabilities. Essential update ready for installation.
SUSE Linux, Zsh Security, Software Patch, Command Execution, Privilege Escalation.
Severity: Important.
LinuxSecurity.com Team
An update that fixes two vulnerabilities is now available.

SUSE Security Update: Security update for zsh
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:0735-1
Rating:             important
References:         #1163882 #1196435
Cross-References:   CVE-2019-20044 CVE-2021-45444
CVSS scores:
  CVE-2019-20044 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2019-20044 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVE-2021-45444 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  CVE-2021-45444 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:
  SUSE CaaS Platform 4.0
  SUSE Enterprise Storage 6
  SUSE Enterprise Storage 7
  SUSE Linux Enterprise Desktop 15-SP3
  SUSE Linux Enterprise Desktop 15-SP4
  SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS
  SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS
  SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
  SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
  SUSE Linux Enterprise High Performance Computing 15-SP3
  SUSE Linux Enterprise High Performance Computing 15-SP4
  SUSE Linux Enterprise Module for Basesystem 15-SP3
  SUSE Linux Enterprise Module for Basesystem 15-SP4
  SUSE Linux Enterprise Realtime Extension 15-SP2
  SUSE Linux Enterprise Server 15-SP1-BCL
  SUSE Linux Enterprise Server 15-SP1-LTSS
  SUSE Linux Enterprise Server 15-SP2-BCL
  SUSE Linux Enterprise Server 15-SP2-LTSS
  SUSE Linux Enterprise Server 15-SP3
  SUSE Linux Enterprise Server 15-SP4
  SUSE Linux Enterprise Server for SAP 15-SP1
  SUSE Linux Enterprise Server for SAP 15-SP2
  SUSE Linux Enterprise Server for SAP Applications 15-SP3
  SUSE Linux Enterprise Server for SAP Applications 15-SP4
  SUSE Manager Proxy 4.1
  SUSE Manager Proxy 4.2
  SUSE Manager Retail Branch Server 4.1
  SUSE Manager Server 4.1
  SUSE Manager Server 4.2
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for zsh fixes the following issues:

- CVE-2021-45444: Fixed a vulnerability where arbitrary shell commands could
  be executed related to prompt expansion (bsc#1196435).
- CVE-2019-20044: Fixed a vulnerability where shell privileges would not be
  properly dropped when unsetting the PRIVILEGED option (bsc#1163882).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 4.1:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-735=1
- SUSE Manager Retail Branch Server 4.1:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-735=1
- SUSE Manager Proxy 4.1:
  zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-735=1
- SUSE Linux Enterprise Server for SAP 15-SP2:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-735=1
- SUSE Linux Enterprise Server for SAP 15-SP1:
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-735=1
- SUSE Linux Enterprise Server 15-SP2-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-735=1
- SUSE Linux Enterprise Server 15-SP2-BCL:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-735=1
- SUSE Linux Enterprise Server 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-735=1
- SUSE Linux Enterprise Server 15-SP1-BCL:
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-735=1
- SUSE Linux Enterprise Realtime Extension 15-SP2:
  zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-735=1
- SUSE Linux Enterprise Module for Basesystem 15-SP4:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-735=1
- SUSE Linux Enterprise Module for Basesystem 15-SP3:
  zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-735=1
- SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-735=1
- SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-735=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-735=1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS:
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-735=1
- SUSE Enterprise Storage 7:
  zypper in -t patch SUSE-Storage-7-2022-735=1
- SUSE Enterprise Storage 6:
  zypper in -t patch SUSE-Storage-6-2022-735=1
- SUSE CaaS Platform 4.0:
  To install this update, use the SUSE CaaS Platform 'skuba' tool. It will
  inform you if it detects new updates and let you then trigger updating of
  the complete cluster in a controlled way.

Package List:

- SUSE Manager Server 4.1 (ppc64le s390x x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE Manager Retail Branch Server 4.1 (x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE Manager Proxy 4.1 (x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE Linux Enterprise Server for SAP 15-SP2 (ppc64le x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE Linux Enterprise Server 15-SP2-LTSS (aarch64 ppc64le s390x x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE Linux Enterprise Server 15-SP2-BCL (x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE Linux Enterprise Server 15-SP1-BCL (x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE Linux Enterprise Module for Basesystem 15-SP4 (aarch64 ppc64le s390x x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (aarch64 x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (aarch64 x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE Enterprise Storage 7 (aarch64 x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE Enterprise Storage 6 (aarch64 x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1
- SUSE CaaS Platform 4.0 (x86_64):
  zsh-5.6-7.5.1
  zsh-debuginfo-5.6-7.5.1
  zsh-debugsource-5.6-7.5.1

References:
  https://www.suse.com/security/cve/CVE-2019-20044.html
  https://www.suse.com/security/cve/CVE-2021-45444.html
  https://bugzilla.suse.com/1163882
  https://bugzilla.suse.com/1196435

Patches addressing two vulnerabilities in zsh released via SUSE update for the SLE 15 service packs; per-product installation commands are listed above.
SUSE Update, zsh Security Fix, Shell Command Threats.
Severity: Important.
LinuxSecurity.com Team
It was discovered that zsh, a powerful shell and scripting language, did not prevent recursive prompt expansion. This would allow an attacker to execute arbitrary commands in a user's shell, for instance by tricking a vcs_info user into checking out a git branch .

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2926-1