Thank you for subscribing to the LinuxSecurity Linux Advisory Watch newsletter! Staying on top of the latest security advisories issued by the distro(s) you use is essential in maintaining an updated, secure Linux system. Our weekly newsletter is an easy, convenient way to track distribution security advisories - helping you keep your Linux environment safe from malware and other exploits.


Important advisories issued this week include a warning from Debian regarding a php-pear security update mitigating a vulnerability in which Tar.php in Archive_Tar allows write operations with directory traversal due to inadequate checking of symbolic links, and an advisory from Fedora urging users to update to the 5.11.13 stable kernel, which contains a number of important fixes across the tree. Continue reading to learn about other significant advisories issued this week.

As part of our website redesign that is currently underway, we will be updating the format of our Linux Advisory Watch newsletter, and adding the ability for you to create a User Profile and customize it to include the latest advisories for the distros you are tracking. The new site will be live very soon - stay tuned for more updates in the coming weeks! Have a happy, healthy and secure weekend!

Yours in Open Source,

Brittany


LinuxSecurity.com Feature Extras:

Apache SpamAssassin 3.4.6 Release Fixes Two Potentially Aggravating Bugs - On April 12, 2021, the Apache SpamAssassin Project announced the release of Apache SpamAssassin Version 3.4.6 mitigating two small but potentially annoying bugs introduced in Version 3.4.5, which was created to fix a few security vulnerabilities just a few weeks ago.

Is Linux A More Secure Option Than Windows For Businesses? - This article will examine why Linux is arguably the best choice for businesses looking for a flexible, cost-efficient, exceptionally secure OS. 


  Debian: DSA-4891-1: tomcat9 security update (Apr 13)
 

Two vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in information disclosure or denial of service. For the stable distribution (buster), these problems have been fixed in

  Debian: DSA-4890-1: ruby-kramdown security update (Apr 12)
 

Stan Hu discovered that kramdown, a pure Ruby Markdown parser and converter, performed insufficient namespace validation of Rouge syntax highlighting formatters.

  Debian: DSA-4889-1: mediawiki security update (Apr 10)
 

Multiple security issues were found in MediaWiki, a website engine for collaborative work, which could result in incomplete page/blocking protection, denial of service or cross-site scripting.

  Debian: DSA-4888-1: xen security update (Apr 10)
 

Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or memory disclosure.

  Debian: DSA-4887-1: lib3mf security update (Apr 8)
 

A use-after-free was discovered in Lib3MF, a C++ implementation of the 3D Manufacturing Format, which could result in the execution of arbitrary code if a malformed file is opened.

  Fedora 32: seamonkey 2021-4b0a8b8629 (Apr 15)
 

Applied all the changes from the upstream 2.53.7.1 update. Fixed tab opening in background and tab choosing on a tab close. ---- Fix updating and support of legacy javascript extensions. ---- Update to 2.53.7 Enable support for module scripts. (To turn it off, toggle "dom.moduleScripts.enabled" in about:config). For sending mail, now "Thunderbird" is advertised in User-Agent header instead

  Fedora 32: libpano13 2021-596fc11138 (Apr 15)
 

Upstream release, security fix for CVE-2021-20307

  Fedora 33: python3.8 2021-2ab6f060d9 (Apr 15)
 

This is the ninth maintenance release of Python 3.8. [Changelog]( thon.org/release/3.8.9/whatsnew/changelog.html#python-3-8-9). Contains a security fix for CVE-2021-3426.

  Fedora 33: libpano13 2021-67cbea4608 (Apr 15)
 

Upstream release, security fix for CVE-2021-20307

  Fedora 32: kernel 2021-57a7ba61f8 (Apr 14)
 

The 5.11.13 stable kernel update contains a number of important fixes across the tree.

  Fedora 33: kernel 2021-e71c033f88 (Apr 14)
 

The 5.11.13 stable kernel update contains a number of important fixes across the tree.

  Fedora 33: mosquitto 2021-da3784629e (Apr 13)
 

Update to 1.6.14 https://mosquitto.org/blog/2021/03/version-2-0-9-released/

  Fedora 33: perl-Net-CIDR-Lite 2021-d0cc9a393f (Apr 13)
 

This update disallows use of IP addresses with leading zeroes in the octet values, which could have been interpreted ambiguously as either octal or decimal values.

  Fedora 32: mosquitto 2021-65100169e4 (Apr 13)
 

Update to 1.6.14 https://mosquitto.org/blog/2021/03/version-2-0-9-released/

  Fedora 32: perl-Net-CIDR-Lite 2021-57661d377a (Apr 13)
 

This update disallows use of IP addresses with leading zeroes in the octet values, which could have been interpreted ambiguously as either octal or decimal values.

  Fedora 32: webkit2gtk3 2021-619711d709 (Apr 11)
 

Update to WebKitGTK 2.30.6: * Update user agent quirks again for Google Docs and Google Drive * Fix several crashes and rendering issues. Security fixes: CVE-2020-27918, CVE-2020-29623, CVE-2021-1765, CVE-2021-1789, CVE-2021-1799, CVE-2021-1801, CVE-2021-1870.

  Fedora 32: python39 2021-a311bf10d4 (Apr 10)
 

Update Python to 3.9.4. [Changelog]( thon.org/release/3.9.4/whatsnew/changelog.html#changelog). Contains security fix for CVE-2021-3426.

  Fedora 32: libopenmpt 2021-88b8fd4bf1 (Apr 10)
 

Some more bug-fixes for the stable 0.4.x branch. -- https://lib.openmpt.org/libopenmpt/2021/03/20/security-update-0.5.7-releases-0.4.19-0.3.28/

  Fedora 33: grub2 2021-5497f7409b (Apr 10)
 

Update to 2.06~rc1 to fix a bunch of CVEs

  Fedora 33: libopenmpt 2021-38bacf2af2 (Apr 10)
 

Some more bug-fixes for the stable 0.4.x branch. -- https://lib.openmpt.org/libopenmpt/2021/03/20/security-update-0.5.7-releases-0.4.19-0.3.28/

  Fedora 32: python-pikepdf 2021-d97bc581be (Apr 9)
 

Security fix for XXE vulnerability, CVE-2021-29421

  Fedora 32: squid 2021-76f09062a7 (Apr 9)
 

- Version update to 4.14 - CVE-2020-25097 fix

  Fedora 32: samba 2021-c93a3a5d3f (Apr 9)
 

Update to Samba 4.12.14 - Security fixes for CVE-2020-27840 and CVE-2021-20277 ---- Update to Samba 4.12.13 - Security fixes for CVE-2020-27840 and CVE-2021-20277

  Fedora 32: libldb 2021-c93a3a5d3f (Apr 9)
 

Update to Samba 4.12.14 - Security fixes for CVE-2020-27840 and CVE-2021-20277 ---- Update to Samba 4.12.13 - Security fixes for CVE-2020-27840 and CVE-2021-20277

  Fedora 33: python-pikepdf 2021-4bf9909a76 (Apr 9)
 

Security fix for XXE vulnerability, CVE-2021-29421

  Fedora 33: squid 2021-7d86bec29e (Apr 9)
 

- Version update to 4.14 - CVE-2020-25097 fix

  Fedora 33: perl-Net-Netmask 2021-be62be8c7c (Apr 8)
 

Security fix for CVE-2021-29424

  Fedora 32: perl-Net-Netmask 2021-c314017fcc (Apr 8)
 

Security fix for CVE-2021-29424

  RedHat: RHSA-2021-1213:01 Important: libldb security update (Apr 15)
 

An update for libldb is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-1214:01 Important: libldb security update (Apr 15)
 

An update for libldb is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-1206:01 Important: gnutls and nettle security update (Apr 14)
 

An update for gnutls and nettle is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-1202:01 Important: Red Hat JBoss Web Server 3.1 Service (Apr 14)
 

An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 7. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-1203:01 Important: Red Hat JBoss Web Server 3.1 Service (Apr 14)
 

An update is now available for Red Hat JBoss Web Server 3.1, for RHEL 7 and Windows. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-1201:01 Moderate: thunderbird security update (Apr 14)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1200:01 Important: Red Hat JBoss Core Services Apache (Apr 14)
 

Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 7 zip release for RHEL 7, RHEL 8 and Microsoft Windows is available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-1199:01 Important: Red Hat JBoss Core Services Apache (Apr 14)
 

Updated packages that provide Red Hat JBoss Core Services Pack Apache Server 2.4.37 and fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact

  RedHat: RHSA-2021-1197:01 Important: libldb security update (Apr 14)
 

An update for libldb is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-1195:01 Important: Red Hat JBoss Web Server 5.4.2 (Apr 14)
 

Updated Red Hat JBoss Web Server 5.4.2 packages are now available for Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-1192:01 Moderate: thunderbird security update (Apr 14)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-1196:01 Important: Red Hat JBoss Web Server 5.4.2 (Apr 14)
 

Red Hat JBoss Web Server 5.4.2 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 and Windows. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-1193:01 Moderate: thunderbird security update (Apr 14)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-1169:01 Moderate: RHV Manager (ovirt-engine) 4.4.z (Apr 14)
 

An update is now available for Red Hat Virtualization Engine 4.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-1184:01 Moderate: RHV RHEL Host (ovirt-host) 4.4.z (Apr 14)
 

Updated host packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1189:01 Important: Red Hat Virtualization security, (Apr 14)
 

An update is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-1186:01 Moderate: RHV Manager (ovirt-engine) 4.4.z (Apr 14)
 

An update for org.ovirt.engine-root, ovirt-engine-ui-extensions, and ovirt-web-ui is now available for Red Hat Virtualization Engine 4.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1190:01 Moderate: thunderbird security update (Apr 14)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1016:01 Low: OpenShift Container Platform 4.5.37 security (Apr 13)
 

Red Hat OpenShift Container Platform release 4.5.37 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1171:01 Important: kernel security and bug fix update (Apr 13)
 

An update for kernel is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-1173:01 Important: kpatch-patch security update (Apr 13)
 

An update is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-1168:01 Important: Red Hat Advanced Cluster Management (Apr 13)
 

Red Hat Advanced Cluster Management for Kubernetes 2.2.2 General Availability release images, which fix several bugs and security issues. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-1079:01 Moderate: Red Hat Ansible Automation Platform (Apr 9)
 

Red Hat Ansible Automation Platform Resource Operator 1.2 (technical preview) images that fix several security issues. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1145:01 Important: nettle security update (Apr 8)
 

An update for nettle is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-1135:01 Important: squid security update (Apr 8)
 

An update for squid is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-1129:01 Moderate: Red Hat 3scale API Management 2.10.0 (Apr 8)
 

A security update for Red Hat 3scale API Management Platform is now available from the Red Hat Container Catalog. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  Slackware: 2021-102-02: irssi Security Update (Apr 12)
 

New irssi packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.

  Slackware: 2021-102-01: dnsmasq Security Update (Apr 12)
 

New dnsmasq packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue.

  SUSE: 2021:105-1 suse/sles12sp5 Security Update (Apr 14)
 

The container suse/sles12sp5 was updated. The following patches have been included in this update:

  SUSE: 2021:104-1 suse/sles12sp4 Security Update (Apr 14)
 

The container suse/sles12sp4 was updated. The following patches have been included in this update:

  SUSE: 2021:100-1 suse/sle15 Security Update (Apr 9)
 

The container suse/sle15 was updated. The following patches have been included in this update:

  SUSE: 2021:99-1 ses/7/rook/ceph Security Update (Apr 9)
 

The container ses/7/rook/ceph was updated. The following patches have been included in this update:

  SUSE: 2021:98-1 ses/7/ceph/ceph Security Update (Apr 9)
 

The container ses/7/ceph/ceph was updated. The following patches have been included in this update:

  SUSE: 2021:97-1 ses/7/ceph/grafana Security Update (Apr 9)
 

The container ses/7/ceph/grafana was updated. The following patches have been included in this update:

  SUSE: 2021:96-1 ses/7/cephcsi/cephcsi Security Update (Apr 9)
 

The container ses/7/cephcsi/cephcsi was updated. The following patches have been included in this update:

  SUSE: 2021:435-1 suse-sles-15-sp2-chost-byos-v20210405-gen2 Security Update (Apr 9)
 

The container suse-sles-15-sp2-chost-byos-v20210405-gen2 was updated. The following patches have been included in this update:

  Debian LTS: DLA-2618-2: smarty3 regression update (Apr 16)
 

The update of smarty3 released as DLA-2618-1 induced a regression due to a syntax error in sysplugins/smarty_security.php. For Debian 9 stretch, this problem has been fixed in version

  Debian LTS: DLA-2626-1: clamav security update (Apr 14)
 

A vulnerability in the email parsing module in Clam AntiVirus (ClamAV) Software version 0.103.1 and all prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is

  Debian LTS: DLA-2625-1: courier-authlib security update (Apr 14)
 

The Debian courier-authlib package before 0.71.1-2 for Courier Authentication Library creates a /run/courier/authdaemon directory with weak permissions, allowing an attacker to read user information. This may include a cleartext password in some

  Debian LTS: DLA-2624-1: libpano13 security update (Apr 12)
 

Format string vulnerability in panoFileOutputNamesCreate() in libpano13 2.9.20~rc2+dfsg-3 and earlier can lead to reading and writing arbitrary memory values.

  Debian LTS: DLA-2623-1: qemu security update (Apr 10)
 

Several security vulnerabilities have been discovered in QEMU, a fast processor emulator. CVE-2021-20257

  Debian LTS: DLA-2622-1: python-django security update (Apr 9)
 

It was discovered that there was a potential directory traversal issue in Django, a Python-based web development framework. The vulnerability could have been exploited by maliciously crafted

  Debian LTS: DLA-2621-1: php-pear security update (Apr 8)
 

A vulnerability was discovered in php-pear, which provides core packages from the PHP Extension and Application Repository. Tar.php in Archive_Tar allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to

  CentOS: CESA-2021-0742: Important CentOS 7 screen (Apr 14)
 

Upstream details at: https://access.redhat.com/errata/RHSA-2021:0742

  CentOS: CESA-2021-1072: Important CentOS 7 libldb (Apr 10)
 

Upstream details at: https://access.redhat.com/errata/RHSA-2021:1072

  CentOS: CESA-2021-1071: Important CentOS 7 kernel (Apr 10)
 

Upstream details at: https://access.redhat.com/errata/RHSA-2021:1071

  SciLinux: SLSA-2021-1192-1 Moderate: thunderbird on x86_64 (Apr 14)
 

This update upgrades Thunderbird to version 78.9.1. * Mozilla: An attacker may use Thunderbird's OpenPGP key refresh mechanism to poison an existing key (CVE-2021-23991) * Mozilla: A crafted OpenPGP key with an invalid user ID could be used to confuse the user (CVE-2021-23992) * Mozilla: Inability to send encrypted OpenPGP email after importing a crafted OpenPGP key (CVE-2021-23993) For more

  SciLinux: SLSA-2021-1135-1 Important: squid on x86_64 (Apr 12)
 

squid: improper input validation may allow a trusted client to perform HTTP request smuggling (CVE-2020-25097) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE - Scientific Linux Development Team

  SciLinux: SLSA-2021-1145-1 Important: nettle on x86_64 (Apr 12)
 

nettle: Out of bounds memory access in signature verification (CVE-2021-20305) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE - Scientific Linux Development Team

  SciLinux: SLSA-2021-1072-1 Important: libldb on x86_64 (Apr 12)
 

samba: Out of bounds read in AD DC LDAP server (CVE-2021-20277) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE - Scientific Linux Development Team

  SciLinux: SLSA-2021-1071-1 Important: kernel on x86_64 (Apr 12)
 

kernel: out-of-bounds read in libiscsi module (CVE-2021-27364) * kernel: heap buffer overflow in the iSCSI subsystem (CVE-2021-27365) * kernel: iscsi: unrestricted access to sessions and handles (CVE-2021-27363) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE Bug Fix(es): * Customer testing

  openSUSE: 2021:0555-1 important: clamav (Apr 15)
 

An update that solves three vulnerabilities and has one errata is now available.

  openSUSE: 2021:0554-1 important: xorg-x11-server (Apr 15)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0553-1 important: fluidsynth (Apr 14)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0551-1 important: spamassassin (Apr 14)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0552-1 important: python-bleach (Apr 14)
 

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0548-1 important: umoci (Apr 13)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0545-1 important: hostapd (Apr 12)
 

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0544-1 moderate: ceph (Apr 12)
 

An update that solves two vulnerabilities and has 12 fixes is now available.

  openSUSE: 2021:0542-1 moderate: tpm2-tss-engine (Apr 11)
 

An update that contains security fixes can now be installed.

  openSUSE: 2021:0540-1 moderate: openSUSE KMPs (Apr 11)
 

An update that contains security fixes can now be installed.

  openSUSE: 2021:0535-1 moderate: bcc (Apr 10)
 

An update that contains security fixes can now be installed.

  openSUSE: 2021:0536-1 moderate: openexr (Apr 10)
 

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0533-1 important: isync (Apr 10)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0532-1 important: the Linux Kernel (Apr 10)
 

An update that solves 21 vulnerabilities and has 74 fixes is now available.

  openSUSE: 2021:0531-1 moderate: gssproxy (Apr 9)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0520-1 important: flatpak, libostree, xdg-desktop-portal, xdg-desktop-porta (Apr 9)
 

An update that solves one vulnerability and has three fixes is now available.

  openSUSE: 2021:0519-1 important: hostapd (Apr 9)
 

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0522-1 important: fwupd (Apr 9)
 

An update that solves one vulnerability and has one errata is now available.

  openSUSE: 2021:0521-1 important: fwupdate (Apr 9)
 

An update that contains security fixes can now be installed.

  Mageia 2021-0190: x11-server security update (Apr 15)
 

Insufficient checks on the lengths of the XInput extension ChangeFeedbackControl request can lead to out of bounds memory accesses in the X server. These issues can lead to privilege escalation for authorized clients

  Mageia 2021-0189: thunderbird security update (Apr 15)
 

An attacker may use Thunderbird's OpenPGP key refresh mechanism to poison an existing key (CVE-2021-23991). A crafted OpenPGP key with an invalid user ID could be used to confuse the user (MOZ-2021-23992).

  Mageia 2021-0188: chromium-browser-stable security update (Apr 15)
 

The updated packages fix security vulnerabilities and a crash when a device does some cast traffic in the local network. (See upstream release notes). References: - https://bugs.mageia.org/show_bug.cgi?id=28702

  Mageia 2021-0187: gstreamer1.0 security update (Apr 15)
 

GStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files (SA-2021-0002). GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files (SA-2021-0003).

  Mageia 2021-0186: curl security update (Apr 12)
 

libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. (CVE-2021-22876)

  Mageia 2021-0185: wireshark security update (Apr 12)
 

Wireshark could open unsafe URLs (CVE-2021-22191). References: - https://bugs.mageia.org/show_bug.cgi?id=28687 - https://www.wireshark.org/security/wnpa-sec-2021-03

  Mageia 2021-0184: pdfbox security update (Apr 12)
 

A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions (CVE-2021-27807). A carefully crafted PDF file can trigger an OutOfMemory-Exception while

  Mageia 2021-0183: velocity security update (Apr 12)
 

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2 (CVE-2020-13936).

  Mageia 2021-0182: spamassassin security update (Apr 12)
 

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places. (CVE-2020-1946)

  Mageia 2021-0181: webkit2 security update (Apr 12)
 

The webkit2 package has been updated to version 2.32.0, fixing several security issues and other bugs. References: - https://bugs.mageia.org/show_bug.cgi?id=28671

  Mageia 2021-0180: tor security update (Apr 12)
 

The dump_desc() function that we used to dump unparseable information to disk, was called incorrectly in several places, in a way that could lead to excessive CPU usage (CVE-2021-28089). A bug in appending detached signatures to a pending consensus document could be

  Mageia 2021-0179: rygel security update (Apr 12)
 

The rygel package has been updated to version 0.40.1, fixing a security issue and other bugs. References: - https://bugs.mageia.org/show_bug.cgi?id=28477

  Mageia 2021-0178: python-jinja2 security update (Apr 12)
 

ReDoS vulnerability where urlize could have been called with untrusted user data (CVE-2020-28493). References: - https://bugs.mageia.org/show_bug.cgi?id=28461

  Mageia 2021-0177: mongodb security update (Apr 12)
 

A denial of service vulnerability was discovered in mongodb whereby a user authorized to perform database queries may issue specially crafted queries, which violate an invariant in the query subsystem's support for geoNear (CVE-2020-7923).