Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! Staying on top of the latest security advisories issued by the distro(s) you use is essential in maintaining an updated, secure Linux system. Our weekly newsletter is an easy, convenient way to track distribution security advisories - helping you keep your Linux environment safe from malware and other exploits.

Important advisories issued this week include a warning from Debian regarding a use-after-free discovered in Lib3MF which could result in the execution of arbitrary code if a malformed file is opened, and an advisory issued by Fedora urging users to update to the 5.11.11 stable kernel, which contains a number of important fixes across the tree. Continue reading to learn about other significant advisories issued this week. Stay healthy, safe and secure - both on and offline!

Yours in Open Source,



LinuxSecurity.com Feature Extras:

Top Tips for Securing Your Linux System in 2021 - Here’s what you need to know to secure your Linux system against malware, rootkits and other dangerous attacks.

A Call to Action: Recent PHP Hack Highlights the Need for Better Security - This weekend's PHP hack serves as the latest reminder of the importance of server security - and the need to do better.


  Debian: DSA-4887-1: lib3mf security update (Apr 8)
 

A use-after-free was discovered in Lib3MF, a C++ implementation of the 3D Manufacturing Format, which could result in the execution of arbitrary code if a malformed file is opened.

  Debian: DSA-4886-1: chromium security update (Apr 6)
 

Several vulnerabilities have been discovered in the chromium web browser. CVE-2021-21159

  Debian: DSA-4885-1: netty security update (Apr 5)
 

Multiple security issues were discovered in Netty, a Java NIO client/server framework, which could result in HTTP request smuggling, denial of service or information disclosure.

  Debian: DSA-4884-1: ldb security update (Apr 2)
 

Multiple vulnerabilities have been discovered in ldb, an LDAP-like embedded database built on top of TDB. CVE-2020-10730

  Debian: DSA-4883-1: underscore security update (Apr 1)
 

It was discovered that missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code.

  Debian: DSA-4882-1: openjpeg2 security update (Apr 1)
 

Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, which could result in denial of service or the execution of arbitrary code when opening a malformed image.

  Fedora 33: perl-Net-Netmask 2021-be62be8c7c (Apr 8)
 

Security fix for CVE-2021-29424

  Fedora 32: perl-Net-Netmask 2021-c314017fcc (Apr 8)
 

Security fix for CVE-2021-29424

  Fedora 33: seamonkey 2021-2761b54dff (Apr 7)
 

Fix updating and support of legacy javascript extensions.

----

Update to 2.53.7. Enable support for module scripts (to turn it off, toggle "dom.moduleScripts.enabled" in about:config). For sending mail, "Thunderbird" is now advertised in the User-Agent header instead of "Firefox" (if any). Some performance fixes, including from upcoming releases.

  Fedora 33: samba 2021-1a8e93a285 (Apr 7)
 

Update to Samba 4.13.7 - Security fixes for CVE-2020-27840 and CVE-2021-20277

----

Update to Samba 4.13.6 - Security fixes for CVE-2020-27840 and CVE-2021-20277

  Fedora 33: libldb 2021-1a8e93a285 (Apr 7)
 

Update to Samba 4.13.7 - Security fixes for CVE-2020-27840 and CVE-2021-20277

----

Update to Samba 4.13.6 - Security fixes for CVE-2020-27840 and CVE-2021-20277

  Fedora 32: chromium 2021-141d8640ce (Apr 7)
 

Fix issue where chromium would crash upon accessing components/cast_*. Thanks to Gentoo for the patch. It also fixes some security issues, because why not: CVE-2021-21191 CVE-2021-21192 CVE-2021-21193

  Fedora 32: rpm 2021-662680e477 (Apr 7)
 

Security fix for CVE-2021-3421, CVE-2021-20271 and CVE-2021-20266.

  Fedora 34: seamonkey 2021-df093b89ba (Apr 6)
 

Fix updating and support of legacy javascript extensions.

----

Update to 2.53.7. Enable support for module scripts (to turn it off, toggle "dom.moduleScripts.enabled" in about:config). For sending mail, "Thunderbird" is now advertised in the User-Agent header instead of "Firefox" (if any). Some performance fixes, including from upcoming releases.

  Fedora 34: perl-Net-Netmask 2021-3d96cfe6a3 (Apr 6)
 

Security fix for CVE-2021-29424

  Fedora 33: libzen 2021-3b67623d93 (Apr 5)
 

Update mediainfo.

  Fedora 33: mediainfo 2021-3b67623d93 (Apr 5)
 

Update mediainfo.

  Fedora 33: libmediainfo 2021-3b67623d93 (Apr 5)
 

Update mediainfo.

  Fedora 34: libopenmpt 2021-248c19a8ce (Apr 5)
 

https://lib.openmpt.org/libopenmpt/2021/03/20/security-update-0.5.7-releases-0.4.19-0.3.28/

  Fedora 34: curl 2021-065371f385 (Apr 5)
 

- fix TLS 1.3 session ticket proxy host mixup (CVE-2021-22890)
- prevent automatic referer from leaking credentials (CVE-2021-22876)

  Fedora 34: squid 2021-ecb24e0b9d (Apr 5)
 

- Version update to 4.14
- CVE-2020-25097 fix

  Fedora 34: python-pikepdf 2021-5e598049a1 (Apr 4)
 

Update to latest version

  Fedora 33: curl 2021-cab5c9befb (Apr 3)
 

- fix TLS 1.3 session ticket proxy host mixup (CVE-2021-22890)
- prevent automatic referer from leaking credentials (CVE-2021-22876)

  Fedora 33: webkit2gtk3 2021-864dc37032 (Apr 3)
 

Update to WebKitGTK 2.32.0:
* NPAPI plugin support has been removed.
* System font scaling factor is correctly applied now.
* New permission request API for MediaKeySystem access.
* New API to remove individual scripts/stylesheets using WebKitUserContentManager.
* Web inspector now shows detailed information about main loop frames.
* The minimum required GStreamer

  Fedora 33: spamassassin 2021-90e915cc4f (Apr 3)
 

Upstream version 3.4.5. See the upstream announcement thread on lists.apache.org for details. Fixes CVE-2020-1946

  Fedora 32: openssl 2021-f347d1c866 (Apr 2)
 

update to version 1.1.1k

  Fedora 33: kernel-tools 2021-2306e89112 (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  Fedora 33: kernel-headers 2021-2306e89112 (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  Fedora 33: kernel 2021-2306e89112 (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  Fedora 32: kernel-headers 2021-6b0f287b8b (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  Fedora 32: kernel-tools 2021-6b0f287b8b (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  Fedora 32: kernel 2021-6b0f287b8b (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  Fedora 34: kernel-headers 2021-41fb54ae9f (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  Fedora 34: kernel-tools 2021-41fb54ae9f (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  Fedora 34: kernel 2021-41fb54ae9f (Apr 1)
 

The 5.11.11 stable kernel update contains a number of important fixes across the tree.

  RedHat: RHSA-2021-1145:01 Important: nettle security update (Apr 8)
 

An update for nettle is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-1135:01 Important: squid security update (Apr 8)
 

An update for squid is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-1129:01 Moderate: Red Hat 3scale API Management 2.10.0 (Apr 8)
 

A security update for Red Hat 3scale API Management Platform is now available from the Red Hat Container Catalog. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1131:01 Important: openssl security update (Apr 7)
 

An update for openssl is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-1125:01 Low: virt:8.3 and virt-devel:8.3 security and bug (Apr 7)
 

An update for the virt:8.3 and virt-devel:8.3 modules is now available for Advanced Virtualization for RHEL 8.3.1. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1093:01 Important: kernel security, bug fix, (Apr 6)
 

An update for kernel is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-1086:01 Moderate: 389-ds:1.4 security and bug fix update (Apr 6)
 

An update for the 389-ds:1.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1081:01 Important: kernel-rt security and bug fix update (Apr 6)
 

An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-1072:01 Important: libldb security update (Apr 6)
 

An update for libldb is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-1073:01 Important: flatpak security update (Apr 6)
 

An update for flatpak is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-1074:01 Important: flatpak security update (Apr 6)
 

An update for flatpak is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-1071:01 Important: kernel security and bug fix update (Apr 6)
 

An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-1069:01 Important: kpatch-patch security update (Apr 6)
 

An update for kpatch-patch is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-1068:01 Important: flatpak security update (Apr 6)
 

An update for flatpak is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-1070:01 Important: kernel-rt security and bug fix update (Apr 6)
 

An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-1064:01 Moderate: virt:rhel and virt-devel:rhel security (Apr 5)
 

An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1005:01 Moderate: OpenShift Container Platform 4.7.5 (Apr 5)
 

Red Hat OpenShift Container Platform release 4.7.5 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1007:01 Moderate: OpenShift Container Platform 4.7.5 (Apr 5)
 

Red Hat OpenShift Container Platform release 4.7.5 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-1063:01 Important: openssl security update (Apr 5)
 

An update for openssl is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-1006:01 Moderate: OpenShift Container Platform 4.7.5 (Apr 5)
 

Red Hat OpenShift Container Platform release 4.7.5 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  SUSE: 2021:100-1 suse/sle15 Security Update (Apr 9)
 

The container suse/sle15 was updated. The following patches have been included in this update:

  SUSE: 2021:99-1 ses/7/rook/ceph Security Update (Apr 9)
 

The container ses/7/rook/ceph was updated. The following patches have been included in this update:

  SUSE: 2021:98-1 ses/7/ceph/ceph Security Update (Apr 9)
 

The container ses/7/ceph/ceph was updated. The following patches have been included in this update:

  SUSE: 2021:97-1 ses/7/ceph/grafana Security Update (Apr 9)
 

The container ses/7/ceph/grafana was updated. The following patches have been included in this update:

  SUSE: 2021:96-1 ses/7/cephcsi/cephcsi Security Update (Apr 9)
 

The container ses/7/cephcsi/cephcsi was updated. The following patches have been included in this update:

  SUSE: 2021:435-1 suse-sles-15-sp2-chost-byos-v20210405-gen2 Security Update (Apr 9)
 

The container suse-sles-15-sp2-chost-byos-v20210405-gen2 was updated. The following patches have been included in this update:

  SUSE: 2021:430-1 sles-15-sp2-chost-byos-v20210405 Security Update (Apr 7)
 

The container sles-15-sp2-chost-byos-v20210405 was updated. The following patches have been included in this update:

  SUSE: 2021:429-1 suse-sles-15-sp2-chost-byos-v20210405-hvm-ssd-x86_64 Security Update (Apr 7)
 

The container suse-sles-15-sp2-chost-byos-v20210405-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

  SUSE: 2021:95-1 suse/sles12sp4 Security Update (Apr 3)
 

The container suse/sles12sp4 was updated. The following patches have been included in this update:

  SUSE: 2021:94-1 suse/sles12sp3 Security Update (Apr 3)
 

The container suse/sles12sp3 was updated. The following patches have been included in this update:

  SUSE: 2021:93-1 suse/sle15 Security Update (Apr 2)
 

The container suse/sle15 was updated. The following patches have been included in this update:

  SUSE: 2021:92-1 suse/sle15 Security Update (Apr 2)
 

The container suse/sle15 was updated. The following patches have been included in this update:

  Debian LTS: DLA-2621-1: php-pear security update (Apr 8)
 

A vulnerability was discovered in php-pear, which provides core packages from the PHP Extension and Application Repository. Tar.php in Archive_Tar allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to

  Debian LTS: DLA-2619-1: python3.5 security update (Apr 5)
 

Three security issues have been discovered in python3.5: CVE-2021-3177

  Debian LTS: DLA-2618-1: smarty3 security update (Apr 5)
 

Several vulnerabilities were discovered in smarty3, a template engine for PHP. CVE-2018-13982

  Debian LTS: DLA-2617-1: php-nette security update (Apr 4)
 

Cyku Hong from DEVCORE discovered that php-nette, a PHP MVC framework, is vulnerable to a code injection attack by passing specially formed parameters to a URL, which may possibly lead to remote code execution.

  Debian LTS: DLA-2616-1: libxstream-java security update (Apr 3)
 

In XStream there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.

  Debian LTS: DLA-2615-1: spamassassin security update (Apr 1)
 

Damian Lukowski discovered a flaw in spamassassin, a Perl-based spam filter using text analysis. Malicious rule configuration files, possibly downloaded from an updates server, could execute arbitrary commands under multiple scenarios.

  Debian LTS: DLA-2614-1: busybox security update (Apr 1)
 

The gunzip decompressor of Busybox, tiny utilities for small and embedded systems, mishandled the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.

  openSUSE: 2021:0520-1 important: flatpak, libostree, xdg-desktop-portal, xdg-desktop-porta (Apr 9)
 

An update that solves one vulnerability and has three fixes is now available.

  openSUSE: 2021:0519-1 important: hostapd (Apr 9)
 

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0522-1 important: fwupd (Apr 9)
 

An update that solves one vulnerability and has one errata is now available.

  openSUSE: 2021:0521-1 important: fwupdate (Apr 9)
 

An update that contains security fixes can now be installed.

  openSUSE: 2021:0516-1 important: isync (Apr 7)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0515-1 important: chromium (Apr 7)
 

An update that fixes 6 vulnerabilities is now available.

  openSUSE: 2021:0513-1 important: chromium (Apr 5)
 

An update that fixes 6 vulnerabilities is now available.

  openSUSE: 2021:0510-1 moderate: curl (Apr 4)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0512-1 moderate: OpenIPMI (Apr 4)
 

An update that contains security fixes can now be installed.

  openSUSE: 2021:0496-1 important: tomcat (Apr 2)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0494-1: tar (Apr 2)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0495-1 moderate: ovmf (Apr 2)
 

An update that fixes two vulnerabilities is now available.

  Mageia 2021-0176: openssl security update (Apr 5)
 

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service

  Mageia 2021-0175: kernel-linus security update (Apr 3)
 

This kernel-linus update is based on upstream 5.10.27 and fixes at least the following security issues: The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values.

  Mageia 2021-0174: kernel security update (Apr 3)
 

This kernel update is based on upstream 5.10.27 and fixes at least the following security issues: The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values.

  Mageia 2021-0173: ant security update (Apr 3)
 

Updated ant packages fix security vulnerability: As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file

  Mageia 2021-0172: ruby-em-http-request security update (Apr 2)
 

Updated ruby-em-http-request packages fix security vulnerability: A flaw was found in rubygem-em-http-request. The eventmachine library does not verify the hostname in a TLS server certificate which can allow an attacker to perform a man-in-the-middle attack. The highest threat from this

  Mageia 2021-0171: python-bottle security update (Apr 2)
 

Updated python-bottle packages fix security vulnerability: python-bottle before 0.12.19 is vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the

  Mageia 2021-0170: nodejs-yargs-parser security update (Apr 2)
 

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload (CVE-2020-7608).

References:
- https://bugs.mageia.org/show_bug.cgi?id=27975

  Mageia 2021-0169: nodejs-chownr security update (Apr 2)
 

Updated nodejs-chownr package fixes security vulnerability: A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks (CVE-2017-18869).

  Mageia 2021-0168: batik security update (Apr 2)
 

A flaw was found in the Apache Batik library, where it is vulnerable to a Server-Side Request Forgery attack (SSRF) via "xlink:href" attributes. This flaw allows an attacker to cause the underlying server to make arbitrary GET requests. The highest threat from this vulnerability is to system integrity (CVE-2019-17566).

  Mageia 2021-0167: rpm security update (Apr 2)
 

This update from 4.16.1.2 to 4.16.1.3 fixes several bugs in the RPM package manager, including several security issues:
* Fix arbitrary data copied from signature header past signature checking (CVE-2021-3421)
* Fix signature check bypass with corrupted package (CVE-2021-20271)

  Mageia 2021-0166: privoxy security update (Apr 2)
 

Updated privoxy package fixes security vulnerabilities: The privoxy package has been updated to version 3.0.32, fixing five security issues and several other bugs.

  Mageia 2021-0165: python and python3 security update (Apr 2)
 

Updated python and python3 packages fix security vulnerability: The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using