Advisories

Linux Advisory Watch

Don't want to miss that crucial security notice?. The editorial staff at Guardian Digital will bring you complete coverage and in-depth
descriptions of all security bulletins, vulnerabilities and updated packages, all in one convenient weekly newsletter.

Linux Advisory Watch: April 2nd, 2021

Linux Advisory Watch: April 2nd, 2021

Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! Staying on top of the latest security advisories issued by the distro(s) you use is essential in maintaining an updated, secure Linux system. Our weekly newsletter is an easy, convenient way to track distribution security advisories - helping you keep your Linux environment safe from malware and other exploits.

Important advisories issued this week include warnings from Debian of a flaw in Spamassassin that could result in the execution of arbitrary commands under multiple scenarios, and an issue with Thunderbird that could result in the execution of arbitrary code or information disclosure. Continue reading to learn about other significant advisories issued this week. Stay healthy, safe and secure - both on and offline!

Yours in Open Source,

Brittany Day Signature


LinuxSecurity.com Feature Extras:

A Call to Action: Recent PHP Hack Highlights the Need for Better Security - This weekends PHP hack serves as the latest reminder of the importance of server security- and the need to do better.

How To Encrypt Files on Linux - In this article, we explore the best and most reliable methods of file encryption on Linux.


  Debian: DSA-4884-1: ldb security update (Apr 2)
 

Multiple vulnerabilities have been discovered in ldb, a LDAP-like embedded database built on top of TDB. CVE-2020-10730

  Debian: DSA-4883-1: underscore security update (Apr 1)
 

It was discovered that missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code.

  Debian: DSA-4882-1: openjpeg2 security update (Apr 1)
 

Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, which could result in denial of service or the execution of arbitrary code when opening a malformed image.

  Debian: DSA-4881-1: curl security update (Mar 31)
 

Multiple vulnerabilities were discovered in cURL, an URL transfer library: CVE-2020-8169

  Debian: DSA-4880-1: lxml security update (Mar 29)
 

Kevin Chung discovered that lxml, a Python binding for the libxml2 and libxslt libraries, did not properly sanitize its input. This would allow a malicious user to mount a cross-site scripting attack.

  Debian: DSA-4879-1: spamassassin security update (Mar 27)
 

Damian Lukowski discovered a flaw in spamassassin, a Perl-based spam filter using text analysis. Malicious rule configuration files, possibly downloaded from an updates server, could execute arbitrary commands under multiple scenarios.

  Debian: DSA-4878-1: pygments security update (Mar 27)
 

Ben Caller discovered that Pygments, a syntax highlighting package written in Python 3, used regular expressions which could result in denial of service.

  Debian: DSA-4877-1: webkit2gtk security update (Mar 27)
 

The following vulnerabilities have been discovered in the webkit2gtk web engine: CVE-2020-27918

  Debian: DSA-4876-1: thunderbird security update (Mar 25)
 

Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code or information disclosure. For the stable distribution (buster), these problems have been fixed in

  Debian: DSA-4875-1: openssl security update (Mar 25)
 

A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service.

  Fedora 33: kernel-tools 2021-2306e89112 (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  Fedora 33: kernel-headers 2021-2306e89112 (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  Fedora 33: kernel 2021-2306e89112 (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  Fedora 32: kernel-headers 2021-6b0f287b8b (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  Fedora 32: kernel-tools 2021-6b0f287b8b (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  Fedora 32: kernel 2021-6b0f287b8b (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  Fedora 34: kernel-headers 2021-41fb54ae9f (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  Fedora 34: kernel-tools 2021-41fb54ae9f (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  Fedora 34: kernel 2021-41fb54ae9f (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  Fedora 32: busybox 2021-2024803354 (Mar 31)
 

Fix for CVE-2021-28831.

  Fedora 32: linux-firmware 2021-87e26421fb (Mar 31)
 

Update to upstream 20210315 release ---- Update to upstream 20210208 release: * rtl_bt: Updates for RTL8822C, RTL8821C, added RTL8852A * Link Cypress brcmfmac firmwares to old brcm location * brcm NVRAM updates for Raspberry Pi, added 96boards Rock960 * QCom SM8250 (SD865) firmware for Compute, Audio DSPs, Adreno a650, venus VPU-1.0 * i915: Added firmware for DG1, ADL-S * Uodated bluetooth

  Fedora 33: xmlgraphics-commons 2021-c07a9e79cf (Mar 31)
 

Security fix for CVE-2020-11988

  Fedora 34: openssl 2021-cbf14ab8f9 (Mar 31)
 

Upgrade to version 1.1.1.k Fixes CVEs CVE-2021-3449 CVE-2021-3450

  Fedora 33: busybox 2021-d20c8a4730 (Mar 30)
 

Fix for CVE-2021-28831.

  Fedora 34: spamassassin 2021-bf06dcffa8 (Mar 30)
 

Upstream version 3.4.5. See https://mail-archives.apache.org/mod_mbox/www- announce/202103.mbox/%This email address is being protected from spambots. You need JavaScript enabled to view it.%3e for details. Fixes CVE-2020-1946

  Fedora 34: xen 2021-7b4dcfcb6d (Mar 30)
 

HVM soft-reset crashes toolstack [XSA-368, CVE-2021-28687] (#1940610)

  Fedora 33: openssl 2021-d049f32a82 (Mar 30)
 

Upgrade to version 1.1.1.k

  Fedora 33: rpm 2021-8d52a8a999 (Mar 30)
 

Security fix for CVE-2021-3421, CVE-2021-20271 and CVE-2021-20266.

  Fedora 33: pdfbox 2021-8b17a2725e (Mar 30)
 

Security fix for CVE-2021-27807 and CVE-2021-27906

  Fedora 33: rubygem-kramdown 2021-4c57a892d1 (Mar 30)
 

A possible security related issue is found on rubygem-kramdown where kramdown does not restrict custom Rouge formatters within Rouge::Formatters namespace. This issue is now assigned as CVE-2021-28834. This new rpm should fix this issue.

  Fedora 32: rubygem-kramdown 2021-edc673e864 (Mar 30)
 

A possible security related issue is found on rubygem-kramdown where kramdown does not restrict custom Rouge formatters within Rouge::Formatters namespace. This issue is now assigned as CVE-2021-28834. This new rpm should fix this issue.

  Fedora 34: rpm 2021-2383d950fd (Mar 29)
 

Security fix for CVE-2021-3421, CVE-2021-20271 and CVE-2021-20266.

  Fedora 32: kernel 2021-9503fffad9 (Mar 28)
 

The 5.11.10 stable kernel update contains a "quick revert" of some 5.11.9 commits that caused noisy warnings to show up in the kernel log of some systems. ---- The 5.11.9 stable update contains a number of important fixes across the tree. ---- The 5.11.8 stable kernel update contains a number of important fixes across the tree.

  Fedora 32: firefox 2021-9fac28274f (Mar 28)
 

New upstream version (87.0) Release notes are available here - https://www.mozilla.org/en-US/firefox/87.0/releasenotes/

  Fedora 34: webkit2gtk3 2021-8070916f7a (Mar 28)
 

Update to WebKitGTK 2.32.0: * NPAPI plugins support have been removed. * System font scaling factor is correctly applied now. * New permission request API for MediaKeySystem access. * New API to remove individual scripts/stylesheets using WebKitUserContentManager. * Web inspector now shows detailed information about main loop frames. * The minimum required GStreamer

  Fedora 34: jasper 2021-2213a29364 (Mar 28)
 

New upstream release 2.0.27

  Fedora 33: qt 2021-e0f30b4500 (Mar 27)
 

An out of bounds read in function QRadialFetchSimd from crafted svg file may lead to information disclosure or other potential consequences. This update includes the backported upstream fix and should resolve the security issue.

  Fedora 34: xmlgraphics-commons 2021-aa2936e810 (Mar 27)
 

Security fix for CVE-2020-11988

  Fedora 32: xen 2021-a468f36bbe (Mar 26)
 

HVM soft-reset crashes toolstack [XSA-368, CVE-2021-28687] (#1940610)

  Fedora 32: dotnet3.1 2021-265a3c7cb9 (Mar 26)
 

This is the monthly .NET Core 3.1 update for March 2021. Release notes: https://github.com/dotnet/core/blob/main/release-notes/3.1/3.1.13/3.1.13.md This update includes a fix for CVE-2021-26701: .NET Core Remote Code Execution Vulnerability

  Fedora 33: xen 2021-0b784a4d02 (Mar 26)
 

HVM soft-reset crashes toolstack [XSA-368, CVE-2021-28687] (#1940610)

  Fedora 33: dotnet3.1 2021-3da33cdc80 (Mar 26)
 

This is the monthly .NET Core 3.1 update for March 2021. Release notes: https://github.com/dotnet/core/blob/main/release-notes/3.1/3.1.13/3.1.13.md This update includes a fix for CVE-2021-26701: .NET Core Remote Code Execution Vulnerability

  Fedora 34: firefox 2021-4ecf29361f (Mar 26)
 

New upstream version (87.0) Release notes are available here - https://www.mozilla.org/en-US/firefox/87.0/releasenotes/

  Fedora 34: libldb 2021-c2d8628d33 (Mar 26)
 

Update to Samba 4.14.2 Security fixes for CVE-2020-27840, CVE-2020-27840

  Fedora 34: samba 2021-c2d8628d33 (Mar 26)
 

Update to Samba 4.14.2 Security fixes for CVE-2020-27840, CVE-2020-27840

  Fedora 34: busybox 2021-e82915eee1 (Mar 26)
 

Fix for CVE-2021-28831.

  Fedora 33: firefox 2021-c504fa63be (Mar 26)
 

New upstream version (87.0) Release notes are available here - https://www.mozilla.org/en-US/firefox/87.0/releasenotes/

  Fedora 33: kernel 2021-68b0dd2373 (Mar 26)
 

The 5.11.9 stable update contains a number of important fixes across the tree.

  Fedora 33: CGAL 2021-9de542ab4c (Mar 26)
 

New upstream release CGAL-5.1.3. Security fix for CVE-2020-28601, CVE-2020-28636, CVE-2020-35628, CVE-2020-35636.

  Fedora 32: dotnet5.0 2021-138728e59b (Mar 25)
 

This is the monthly .NET update for March 2021. Release notes: https://github.com/dotnet/core/blob/main/release-notes/5.0/5.0.4/5.0.4.md This update also contains fixes for CVE-2021-26701.

  Fedora 34: kernel 2021-e636ce53df (Mar 25)
 

The 5.11.9 stable update contains a number of important fixes across the tree.

  Fedora 34: grub2 2021-c5ed9c3970 (Mar 25)
 

Fix a couple of merge mistakes made when rebasing to 2.06~rc1 ---- Update to 2.06~rc1 to fix a bunch of CVEs ---- Fix config file generation failing due invalid petitboot version value ---- Fix keyboards that report IBM PC AT scan codes (rmetrich)

  Fedora 34: pdfbox 2021-93469e0030 (Mar 25)
 

Security fix for CVE-2021-27807 and CVE-2021-27906

  Fedora 34: rubygem-kramdown 2021-139a6a2f9d (Mar 25)
 

New version 2.3.1 is released. Note that a possible security related issue is found on the previous version of rubygem-kramdown where kramdown does not restrict custom Rouge formatters within Rouge::Formatters namespace. This issue is now assigned as CVE-2021-28834. This new rpm should fix this issue.

  Gentoo: GLSA-202103-04: SQLite: Remote code execution (Mar 31)
 

A vulnerability in SQLite could lead to remote code execution.

  Gentoo: GLSA-202103-03: OpenSSL: Multiple vulnerabilities (Mar 31)
 

Multiple vulnerabilities have been found in OpenSSL, the worst of which could allow remote attackers to cause a Denial of Service condition.

  Gentoo: GLSA-202103-02: Redis: Remote code execution (Mar 31)
 

A vulnerability in Redis could lead to remote code execution.

  Gentoo: GLSA-202103-01: Salt: Multiple vulnerabilities (Mar 31)
 

Multiple vulnerabilities have been found in Salt, the worst of which could allow remote attacker to execute arbitrary commands.

  RedHat: RHSA-2021-1050:01 Moderate: openvswitch2.11 security update (Mar 31)
 

An update for openvswitch2.11 is now available in Red Hat Virtualization. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1051:01 Moderate: RHV-H enhancement and security update (Mar 31)
 

An update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0943:01 Moderate: Red Hat build of Eclipse Vert.x 4.0.3 (Mar 31)
 

An update is now available for Red Hat build of Eclipse Vert.x. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For

  RedHat: RHSA-2021-0956:01 Low: OpenShift Container Platform 4.6.23 security (Mar 30)
 

Red Hat OpenShift Container Platform release 4.6.23 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1044:01 Moderate: Red Hat Process Automation Manager (Mar 30)
 

An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-1039:01 Important: mariadb security update (Mar 30)
 

An update for mariadb is now available for Red Hat OpenStack Platform 13 (Queens). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-1031:01 Important: kpatch-patch security update (Mar 30)
 

An update for kpatch-patch is now available for Red Hat Enterprise Linux 7.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-1027:01 Moderate: curl security update (Mar 30)
 

An update for curl is now available for Red Hat Enterprise Linux 7.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1026:01 Moderate: nss-softokn security update (Mar 30)
 

An update for nss-softokn is now available for Red Hat Enterprise Linux 7.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1030:01 Low: tomcat security update (Mar 30)
 

An update for tomcat is now available for Red Hat Enterprise Linux 7.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1032:01 Moderate: perl security update (Mar 30)
 

An update for perl is now available for Red Hat Enterprise Linux 7.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1028:01 Important: kernel security and bug fix update (Mar 30)
 

An update for kernel is now available for Red Hat Enterprise Linux 7.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0957:01 Moderate: OpenShift Container Platform 4.7.4 (Mar 30)
 

Red Hat OpenShift Container Platform release 4.7.4 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0958:01 Moderate: OpenShift Container Platform 4.7.4 (Mar 30)
 

Red Hat OpenShift Container Platform release 4.7.4 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1024:01 Important: openssl security update (Mar 29)
 

An update for openssl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-1004:01 Moderate: Red Hat build of Quarkus 1.11.6 release (Mar 29)
 

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For

  RedHat: RHSA-2021-1002:01 Important: flatpak security update (Mar 29)
 

An update for flatpak is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0992:01 Important: firefox security update (Mar 25)
 

An update for firefox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0996:01 Important: thunderbird security update (Mar 25)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0991:01 Important: firefox security update (Mar 25)
 

An update for firefox is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0994:01 Important: thunderbird security update (Mar 25)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0989:01 Important: firefox security update (Mar 25)
 

An update for firefox is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0993:01 Important: thunderbird security update (Mar 25)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0995:01 Important: thunderbird security update (Mar 25)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0990:01 Important: firefox security update (Mar 25)
 

An update for firefox is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0988:01 Moderate: rhvm-appliance security, bug fix, (Mar 25)
 

An update for rhvm-appliance is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0833:01 Moderate: OpenShift Container Platform 3.11.404 (Mar 25)
 

Red Hat OpenShift Container Platform release 3.11.404 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0986:01 Low: AMQ Online 1.7.0 release and security update (Mar 25)
 

An update of the Red Hat OpenShift Container Platform 3.11 and 4.6/4.7 container images is now available for Red Hat AMQ Online. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which

  Slackware: 2021-090-02: seamonkey Security Update (Mar 31)
 

New seamonkey packages are available for Slackware 14.2 and -current to fix security issues.

  Slackware: 2021-090-01: curl Security Update (Mar 31)
 

New curl packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.

  Slackware: 2021-086-01: xterm Security Update (Mar 27)
 

New xterm packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.

  SUSE: 2021:93-1 suse/sle15 Security Update (Apr 2)
 

The container suse/sle15 was updated. The following patches have been included in this update:

  SUSE: 2021:92-1 suse/sle15 Security Update (Apr 2)
 

The container suse/sle15 was updated. The following patches have been included in this update:

  SUSE: 2021:87-1 suse/sle15 Security Update (Mar 30)
 

The container suse/sle15 was updated. The following patches have been included in this update:

  SUSE: 2021:86-1 suse/sle15 Security Update (Mar 30)
 

The container suse/sle15 was updated. The following patches have been included in this update:

  SUSE: 2021:85-1 suse/sle15 Security Update (Mar 30)
 

The container suse/sle15 was updated. The following patches have been included in this update:

  SUSE: 2021:84-1 suse/sles12sp5 Security Update (Mar 30)
 

The container suse/sles12sp5 was updated. The following patches have been included in this update:

  Debian LTS: DLA-2615-1: spamassassin security update (Apr 1)
 

Damian Lukowski discovered a flaw in spamassassin, a Perl-based spam filter using text analysis. Malicious rule configuration files, possibly downloaded from an updates server, could execute arbitrary commands under multiple scenarios.

  Debian LTS: DLA-2614-1: busybox security update (Apr 1)
 

The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.

  Debian LTS: DLA-2613-1: underscore security update (Mar 31)
 

node-underscore and libjs-underscore are vulnerable to Arbitrary Code Execution via the template function, particulary when a variable property is passed as an argument as it is not sanitized.

  Debian LTS: DLA-2612-1: leptonlib security update (Mar 31)
 

Several issues have been found by ClusterFuzz in leptonlib, an image processing library.

  Debian LTS: DLA-2611-1: ldb security update (Mar 31)
 

Two issues have been found in ldb, an LDAP-like embedded database, for example used with samba.

  ArchLinux: 202103-27: python2: multiple issues (Mar 26)
 

The package python2 before version 2.7.18-3 is vulnerable to multiple issues including arbitrary code execution, url request injection and denial of service.

  ArchLinux: 202103-26: godot: arbitrary code execution (Mar 26)
 

The package godot before version 3.2.3-2 is vulnerable to arbitrary code execution.

  ArchLinux: 202103-25: wpewebkit: multiple issues (Mar 26)
 

The package wpewebkit before version 2.30.6-1 is vulnerable to multiple issues including arbitrary code execution, access restriction bypass, information disclosure and sandbox escape.

  ArchLinux: 202103-24: webkit2gtk: multiple issues (Mar 26)
 

The package webkit2gtk before version 2.30.6-1 is vulnerable to multiple issues including arbitrary code execution, access restriction bypass, information disclosure and sandbox escape.

  ArchLinux: 202103-23: dotnet-sdk-3.1: arbitrary code execution (Mar 26)
 

The package dotnet-sdk-3.1 before version 3.1.13.sdk113-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202103-22: dotnet-runtime-3.1: arbitrary code execution (Mar 26)
 

The package dotnet-runtime-3.1 before version 3.1.13.sdk113-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202103-21: dotnet-sdk: arbitrary code execution (Mar 26)
 

The package dotnet-sdk before version 5.0.4.sdk104-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202103-20: dotnet-runtime: arbitrary code execution (Mar 26)
 

The package dotnet-runtime before version 5.0.4.sdk104-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202103-19: vivaldi: multiple issues (Mar 26)
 

The package vivaldi before version 3.7.2218.45-1 is vulnerable to multiple issues including arbitrary code execution, insufficient validation, access restriction bypass, content spoofing, incorrect calculation and information disclosure.

  ArchLinux: 202103-18: libebml: arbitrary code execution (Mar 26)
 

The package libebml before version 1.4.2-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202103-17: dotnet-sdk: multiple issues (Mar 26)
 

The package dotnet-sdk before version 5.0.3.sdk103-2 is vulnerable to multiple issues including arbitrary code execution and denial of service.

  ArchLinux: 202103-16: dotnet-runtime: multiple issues (Mar 26)
 

The package dotnet-runtime before version 5.0.3.sdk103-2 is vulnerable to multiple issues including arbitrary code execution and denial of service.

  ArchLinux: 202103-15: awstats: directory traversal (Mar 26)
 

The package awstats before version 7.8-3 is vulnerable to directory traversal.

  ArchLinux: 202103-14: groovy: privilege escalation (Mar 26)
 

The package groovy before version 2.5.14-1 is vulnerable to privilege escalation.

  ArchLinux: 202103-13: gitlab: arbitrary code execution (Mar 26)
 

The package gitlab before version 13.9.4-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202103-12: busybox: denial of service (Mar 26)
 

The package busybox before version 1.32.1-4 is vulnerable to denial of service.

  ArchLinux: 202103-11: mkinitcpio-busybox: denial of service (Mar 26)
 

The package mkinitcpio-busybox before version 1.32.1-3 is vulnerable to denial of service.

  ArchLinux: 202103-10: openssl: multiple issues (Mar 26)
 

The package openssl before version 1.1.1.k-1 is vulnerable to multiple issues including certificate verification bypass and denial of service.

  CentOS: CESA-2021-0996: Important CentOS 7 thunderbird (Mar 26)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0996

  CentOS: CESA-2021-0992: Important CentOS 7 firefox (Mar 26)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0992

  SciLinux: SLSA-2021-1002-1 Important: flatpak on x86_64 (Mar 29)
 

flatpak: "file forwarding" feature can be used to gain unprivileged access to files (CVE-2021-21381) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE - Scientific Linux Development Team

  SciLinux: SLSA-2021-0992-1 Important: firefox on x86_64 (Mar 25)
 

This update upgrades Firefox to version 78.9.0 ESR. * Mozilla: Texture upload into an unbound backing buffer resulted in an out-of-bound read (CVE-2021-23981) * Mozilla: Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9 (CVE-2021-23987) * Mozilla: Internal network hosts could have been probed by a malicious webpage (CVE-2021-23982) * Mozilla: Malicious extensions could have spoofed [More...]

  SciLinux: SLSA-2021-0996-1 Important: thunderbird on x86_64 (Mar 25)
 

This update upgrades Thunderbird to version 78.9.0. * Mozilla: Texture upload into an unbound backing buffer resulted in an out-of-bound read (CVE-2021-23981) * Mozilla: Memory safety bugs fixed in Firefox 87 and Firefox ESR 78.9 (CVE-2021-23987) * Mozilla: Internal network hosts could have been probed by a malicious webpage (CVE-2021-23982) * Mozilla: Malicious extensions could have spoofed [More...]

  openSUSE: 2021:0494-1: tar (Apr 2)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0495-1 moderate: ovmf (Apr 2)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0487-1 important: MozillaFirefox (Mar 30)
 

An update that fixes four vulnerabilities is now available.

  openSUSE: 2021:0485-1 important: eclipse (Mar 30)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0481-1 moderate: zstd (Mar 27)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0482-1 moderate: evolution-data-server (Mar 27)
 

An update that solves two vulnerabilities and has one errata is now available.

  openSUSE: 2021:0480-1 moderate: go1.15 (Mar 27)
 

An update that solves one vulnerability and has one errata is now available.

  openSUSE: 2021:0476-1 important: openssl-1_1 (Mar 25)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0474-1 moderate: tor (Mar 25)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0471-1 important: ruby2.5 (Mar 25)
 

An update that solves one vulnerability and has one errata is now available.

  openSUSE: 2021:0472-1 important: libass (Mar 25)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0473-1 important: hawk2 (Mar 25)
 

An update that solves two vulnerabilities and has one errata is now available.

  openSUSE: 2021:0468-1 important: nghttp2 (Mar 25)
 

An update that solves one vulnerability and has one errata is now available.

  openSUSE: 2021:0470-1 important: gnutls (Mar 25)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0469-1 important: ldb (Mar 25)
 

An update that fixes two vulnerabilities is now available.

  Mageia 2021-0167: rpm security update (Apr 2)
 

This update from 4.16.1.2 to 4.16.1.3 fixes bugs several bugs the RPM package manager, including several security issues: * Fix arbitrary data copied from signature header past signature checking (CVE-2021-3421) * Fix signature check bypass with corrupted package (CVE-2021-20271)

  Mageia 2021-0166: privoxy security update (Apr 2)
 

Updated privoxy package fixes security vulnerabilities: The privoxy package has been updated to version 3.0.32, fixing five security issues and several other bugs.

  Mageia 2021-0165: python and python3 security update (Apr 2)
 

Updated python and python3 security vulnerability: The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using

  Mageia 2021-0164: thunderbird security update (Mar 30)
 

Texture upload into an unbound backing buffer resulted in an out-of-bound read. (CVE-2021-23981) Angle graphics library out of date. (MOZ-2021-0002)

  Mageia 2021-0163: firefox security update (Mar 30)
 

Texture upload into an unbound backing buffer resulted in an out-of-bound read. (CVE-2021-23981) Angle graphics library out of date. (MOZ-2021-0002)

  Mageia 2021-0162: glib2.0 security update (Mar 30)
 

An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that

  Mageia 2021-0161: python-aiohttp security update (Mar 30)
 

Beast Glatisant and Jelmer Vernooij reported that python-aiohttp is prone to an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website (CVE-2021-21330). References:

  Mageia 2021-0160: radare2 security update (Mar 30)
 

radare2 4.5.0 misparses DWARF information in executable files, causing a segmentation fault in parse_typedef in type_dwarf.c via a malformed DW_AT_name in the .debug_info section (CVE-2020-16269). radare2 4.5.0 misparses signature information in PE files, causing a

  Mageia 2021-0159: zeromq security update (Mar 30)
 

Memory leak in client induced by malicious server without CURVE/ZAP (rhbz#1921972). Stack overflow on server running PUB/XPUB socket (rhbz#1921976).

  Mageia 2021-0158: fwupd security update (Mar 30)
 

A PGP signature bypass was found in fwupd, which could lead to possible installation of unsigned firmware (CVE-2020-10759). References: - https://bugs.mageia.org/show_bug.cgi?id=26854

Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript![ ? ]

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.