Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! Staying on top of the latest security advisories issued by the distro(s) you use is essential in maintaining an updated, secure Linux system. Our weekly newsletter is an easy, convenient way to track distribution security advisories - helping you keep your Linux environment safe from malware and other exploits.

Important advisories issued this week include a warning from Debian of multiple memory and file descriptor leaks discovered in the Python interface to the APT package management library, which could result in denial of service, and an advisory from Gentoo regarding various vulnerabilities found in MariaDB, the worst of which could result in privilege escalation. Continue reading to learn about other significant advisories issued this week. Wishing you a happy and secure holiday season!

Yours in Open Source,

Brittany


LinuxSecurity.com Feature Extras:

Verifying Linux Server Security: What Every Admin Needs to Know - This article will introduce LinuxSecurity’s top methods and tools for verifying the security of your Linux servers and will point you in the direction of some other valuable resources to help you get started on this journey.

OctopusWAF: A Customizable Open-Source WAF for High Performance Applications - OctopusWAF is customizable, user-friendly and optimized for a large number of parallel connections - making it ideal for high performance AJAX applications.


  Debian: DSA-4809-1: python-apt security update (Dec 9)
 

Various memory and file descriptor leaks were discovered in the Python interface to the APT package management runtime library, which could result in denial of service.

  Debian: DSA-4808-1: apt security update (Dec 9)
 

It was discovered that missing input validation in the ar/tar implementations of APT, the high level package manager, could cause out-of-bounds reads or infinite loops, resulting in denial of service when processing malformed deb files.

  Debian: DSA-4807-1: openssl security update (Dec 8)
 

David Benjamin discovered a flaw in the GENERAL_NAME_cmp() function which could cause a NULL dereference, resulting in denial of service. Additional details can be found in the upstream advisory:

  Debian: DSA-4806-1: minidlna security update (Dec 7)
 

It was discovered that missing input validation in minidlna, a lightweight DLNA/UPnP-AV server could result in the execution of arbitrary code. In addition minidlna was susceptible to the "CallStranger" UPnP vulnerability.

  Debian: DSA-4805-1: trafficserver security update (Dec 7)
 

Two vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server: CVE-2020-17508

  Debian: DSA-4804-1: xen security update (Dec 4)
 

Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or information leaks.

  Debian: DSA-4803-1: xorg-server security update (Dec 4)
 

Jan-Niklas Sohn discovered that the XKB extension of the Xorg X server performed incomplete input validation, which could result in privilege escalation.

  Debian: DSA-4802-1: thunderbird security update (Dec 3)
 

Chiaki Ishikawa discovered a stack overflow in SMTP server status handling which could potentially result in the execution of arbitrary code.

  Fedora 32: pam 2020-bd83344365 (Dec 10)
 

fix CVE-2020-27780: authentication bypass when the user doesn't exist

  Fedora 32: spice-gtk 2020-5567866bb0 (Dec 9)
 

Update to v0.39

  Fedora 32: python-authlib 2020-b90dac7fc4 (Dec 9)
 

Update matrix-synapse to 1.23.0 to resolve CVE-2020-26890. There may be breaking changes, please review prior to upgrade: https://github.com/matrix-org/synapse/blob/develop/UPGRADE.rst

  Fedora 33: chromium 2020-f43efd09e8 (Dec 9)
 

Update to 87.0.4280.88. As with pretty much every chromium release ever, this fixes some security bugs. This batch is: CVE-2020-16037 CVE-2020-16038 CVE-2020-16039 CVE-2020-16040 CVE-2020-16041 CVE-2020-16042

  Fedora 33: ceph 2020-a8f1120195 (Dec 9)
 

ceph 15.2.7 GA; ceph 15.2.6 GA: security fix for CVE-2020-25660

  Fedora 33: spice-gtk 2020-79a7a31fea (Dec 9)
 

Update to v0.39

  Fedora 33: matrix-synapse 2020-2578d943d2 (Dec 9)
 

Update matrix-synapse to 1.23.0 to resolve CVE-2020-26890. There may be breaking changes, please review prior to upgrade: https://github.com/matrix-org/synapse/blob/develop/UPGRADE.rst

  Fedora 33: python-canonicaljson 2020-2578d943d2 (Dec 9)
 

Update matrix-synapse to 1.23.0 to resolve CVE-2020-26890. There may be breaking changes, please review prior to upgrade: https://github.com/matrix-org/synapse/blob/develop/UPGRADE.rst

  Fedora 33: containerd 2020-baeb8dbaea (Dec 9)
 

Security fix for CVE-2020-15257

  Fedora 33: mingw-openjpeg2 2020-9cd524eeca (Dec 9)
 

Backport patch for CVE-2020-27814.

  Fedora 33: openjpeg2 2020-9cd524eeca (Dec 9)
 

Backport patch for CVE-2020-27814.

  Fedora 32: resteasy 2020-239503f5fa (Dec 8)
 

Security fix for CVE-2020-1695

  Fedora 32: vips 2020-d82261f7b1 (Dec 8)
 

Fix CVE-2020-20739 (https://nvd.nist.gov/vuln/detail/CVE-2020-20739).

  Fedora 33: resteasy 2020-df970da9fc (Dec 8)
 

Security fix for CVE-2020-1695

  Fedora 32: tcpdump 2020-c5e78886d6 (Dec 5)
 

Security fix for CVE-2020-8037

  Fedora 33: xorg-x11-server 2020-e82f9b80eb (Dec 4)
 

Security fix for CVE-2020-14360, CVE-2020-25712

  Fedora 33: fossil 2020-ac6cf99f87 (Dec 4)
 

Upgrade to fossil 2.12.1

  Fedora 32: xorg-x11-server 2020-c8a7df24d4 (Dec 4)
 

Security fix for CVE-2020-14360, CVE-2020-25712

  Fedora 32: thunderbird 2020-9493cfc1ac (Dec 4)
 

Update to latest upstream version.

  Fedora 32: fossil 2020-50be892d25 (Dec 4)
 

Upgrade to fossil 2.12.1

  Fedora 33: pdfresurrect 2020-e9f9bb77a0 (Dec 4)
 

PDFresurrect 0.21

  Fedora 32: webkit2gtk3 2020-e8a7566e80 (Dec 3)
 

Update to WebKitGTK 2.30.3: * Fix backdrop filters with rounded borders. * Fix scrolling iframes when async scrolling is enabled. * Allow applications to handle drag and drop on the web view again. * Update Outlook user agent quirk. * Fix several crashes and rendering issues. * Security fixes: CVE-2020-9983, CVE-2020-13584

  Fedora 32: xen 2020-4ff32ef9be (Dec 3)
 

Fix stack corruption from the XSA-346 change [XSA-355]; support zstd compressed kernels (dom0 only) based on Linux kernel code.

  Fedora 32: pdfresurrect 2020-92195be0e2 (Dec 3)
 

PDFresurrect 0.21

  Fedora 32: c-ares 2020-307e873389 (Dec 3)
 

Security fix for CVE-2020-8277.

  Gentoo: GLSA-202012-08: MariaDB: Multiple vulnerabilities (Dec 6)
 

Multiple vulnerabilities have been found in MariaDB, the worst of which could result in privilege escalation.

  Gentoo: GLSA-202012-07: PostgreSQL: Multiple vulnerabilities (Dec 6)
 

Multiple vulnerabilities have been found in PostgreSQL, the worst of which could result in arbitrary code execution.

  Gentoo: GLSA-202012-06: Linux-PAM: Authentication bypass (Dec 6)
 

A vulnerability has been found in Linux-PAM, allowing attackers to bypass the authentication process.

  Gentoo: GLSA-202012-05: Chromium, Google Chrome: Multiple vulnerabilities (Dec 6)
 

Multiple vulnerabilities have been found in Chromium and Google Chrome, the worst of which could result in the arbitrary execution of code.

  Gentoo: GLSA-202012-04: Mozilla Thunderbird: Multiple vulnerabilities (Dec 6)
 

Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could lead to the execution of arbitrary code.

  Gentoo: GLSA-202012-03: Mozilla Firefox: Multiple vulnerabilities (Dec 6)
 

Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code.

  Gentoo: GLSA-202012-02: SeaMonkey: Multiple vulnerabilities (Dec 6)
 

Multiple vulnerabilities have been found in SeaMonkey, the worst of which could result in the arbitrary execution of code.

  Gentoo: GLSA-202012-01: X.Org X Server: Multiple vulnerabilities (Dec 6)
 

Multiple vulnerabilities have been found in X.org X Server, the worst of which could lead to privilege escalation.

  RedHat: RHSA-2020-5379:01 Important: mariadb-galera security update (Dec 8)
 

An update for mariadb-galera is now available for Red Hat OpenStack Platform 10 (Newton). Red Hat Product Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2020-5372:01 Important: net-snmp security update (Dec 8)
 

An update for net-snmp is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2020-5369:01 Moderate: microcode_ctl security, (Dec 8)
 

An update for microcode_ctl is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact

  RedHat: RHSA-2020-5374:01 Moderate: kernel security and bug fix update (Dec 8)
 

An update for kernel is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2020-5365:01 Moderate: Red Hat AMQ Broker 7.8 release and (Dec 8)
 

Red Hat AMQ Broker 7.8 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2020-5350:01 Important: net-snmp security update (Dec 7)
 

An update for net-snmp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2020-5351:01 Important: ksh security update (Dec 7)
 

An update for ksh is now available for Red Hat Enterprise Linux 7.3 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2020-5352:01 Important: ksh security update (Dec 7)
 

An update for ksh is now available for Red Hat Enterprise Linux 7.2 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2020-5342:01 Important: Red Hat JBoss Enterprise Application (Dec 3)
 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2020-5341:01 Important: Red Hat JBoss Enterprise Application (Dec 3)
 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2020-5340:01 Important: Red Hat JBoss Enterprise Application (Dec 3)
 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2020-5344:01 Important: Red Hat JBoss Enterprise Application (Dec 3)
 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.3. Red Hat Product Security has rated this update as having a security impact of

  RedHat: RHSA-2020-5333:01 Moderate: go-toolset-1.14-golang security update (Dec 3)
 

An update for go-toolset-1.14-golang is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  Slackware: 2020-344-01: curl Security Update (Dec 9)
 

New curl packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.

  Slackware: 2020-342-01: seamonkey Security Update (Dec 7)
 

New seamonkey packages are available for Slackware 14.2 and -current to fix security issues.

  SUSE: 2020:771-1 suse/sles12sp5 Security Update (Dec 11)
   
  SUSE: 2020:3748-1 important: the Linux Kernel (Dec 10)
 

An update that solves 12 vulnerabilities and has 72 fixes is now available.

  SUSE: 2020:3749-1 moderate: gcc7 (Dec 10)
 

An update that solves one vulnerability, contains one feature and has 7 fixes is now available.

  SUSE: 2020:3739-1 moderate: curl (Dec 10)
 

An update that fixes three vulnerabilities is now available.

  SUSE: 2020:3740-1 important: openssl-1_1 (Dec 10)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3742-1 important: xen (Dec 10)
 

An update that solves 5 vulnerabilities and has one errata is now available.

  SUSE: 2020:770-1 suse/sle15 Security Update (Dec 10)
   
  SUSE: 2020:769-1 suse/sle15 Security Update (Dec 10)
 

The container suse/sle15 was updated. The following patches have been included in this update:

  SUSE: 2020:768-1 suse/sle15 Security Update (Dec 10)
 

The container suse/sle15 was updated. The following patches have been included in this update:

  SUSE: 2020:767-1 suse/sles12sp5 Security Update (Dec 10)
 

The container suse/sles12sp5 was updated. The following patches have been included in this update:

  SUSE: 2020:3735-1 moderate: curl (Dec 9)
 

An update that fixes three vulnerabilities is now available.

  SUSE: 2020:3732-1 important: openssl-1_0_0 (Dec 9)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3736-1 moderate: openssh (Dec 9)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3733-1 moderate: curl (Dec 9)
 

An update that fixes three vulnerabilities is now available.

  SUSE: 2020:14560-1 important: openssl1 (Dec 9)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3737-1 moderate: python-pip, python-scripttest (Dec 9)
 

An update that solves one vulnerability, contains one feature and has one errata is now available.

  SUSE: 2020:3722-1 important: openssl-1_1 (Dec 9)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3721-1 important: openssl-1_1 (Dec 9)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3729-1 important: clamav (Dec 9)
 

An update that solves 8 vulnerabilities, contains one feature and has one errata is now available.

  SUSE: 2020:3720-1 important: openssl-1_1 (Dec 9)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3723-1 moderate: python-urllib3 (Dec 9)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3718-1 important: the Linux Kernel (Dec 9)
 

An update that solves 7 vulnerabilities and has 36 fixes is now available.

  SUSE: 2020:3717-1 important: the Linux Kernel (Dec 9)
 

An update that solves 10 vulnerabilities and has 43 fixes is now available.

  SUSE: 2020:3714-1 important: the Linux Kernel (Dec 8)
 

An update that solves four vulnerabilities and has 26 fixes is now available.

  SUSE: 2020:3715-1 important: the Linux Kernel (Dec 8)
 

An update that solves 8 vulnerabilities and has 47 fixes is now available.

  SUSE: 2020:3713-1 important: the Linux Kernel (Dec 8)
 

An update that solves 15 vulnerabilities, contains one feature and has 71 fixes is now available.

  SUSE: 2020:14557-1 important: xen (Dec 8)
 

An update that solves 6 vulnerabilities and has one errata is now available.

  SUSE: 2020:763-1 ses/7/rook/ceph Security Update (Dec 8)
   
  SUSE: 2020:762-1 ses/7/prometheus-webhook-snmp Security Update (Dec 8)
   
  SUSE: 2020:753-1 ses/7/ceph/ceph Security Update (Dec 8)
   
  SUSE: 2020:750-1 ses/7/cephcsi/cephcsi Security Update (Dec 8)
   
  SUSE: 2020:3705-1 important: the Linux Kernel (Live Patch 21 for SLE 15) (Dec 8)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3651-1 important: the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Dec 7)
 

An update that fixes three vulnerabilities is now available.

  SUSE: 2020:3670-1 important: the Linux Kernel (Live Patch 7 for SLE 12 SP5) (Dec 7)
 

An update that solves three vulnerabilities and has one errata is now available.

  SUSE: 2020:3653-1 important: xen (Dec 7)
 

An update that solves 5 vulnerabilities and has one errata is now available.

  SUSE: 2020:3698-1 important: the Linux Kernel (Live Patch 12 for SLE 12 SP5) (Dec 7)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3690-1 important: the Linux Kernel (Live Patch 18 for SLE 15 SP1) (Dec 7)
 

An update that fixes two vulnerabilities is now available.

  SUSE: 2020:3656-1 important: the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Dec 7)
 

An update that fixes four vulnerabilities is now available.

  SUSE: 2020:3648-1 important: the Linux Kernel (Live Patch 38 for SLE 12 SP2) (Dec 7)
 

An update that fixes 5 vulnerabilities is now available.

  SUSE: 2020:3642-1 important: MozillaThunderbird (Dec 7)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3631-1 important: xen (Dec 7)
 

An update that solves 5 vulnerabilities and has one errata is now available.

  SUSE: 2020:3632-1 important: mutt (Dec 7)
 

An update that solves one vulnerability and has two fixes is now available.

  SUSE: 2020:3628-1 moderate: fontforge (Dec 4)
 

An update that fixes two vulnerabilities is now available.

  SUSE: 2020:3629-1 moderate: python-cryptography (Dec 4)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3627-1 important: xen (Dec 4)
 

An update that solves 5 vulnerabilities and has one errata is now available.

  SUSE: 2020:3630-1 important: postgresql12 (Dec 4)
 

An update that fixes 5 vulnerabilities is now available.

  SUSE: 2020:3624-1 moderate: crowbar-openstack, grafana, influxdb, python-urllib3 (Dec 4)
 

An update that fixes 5 vulnerabilities and contains one feature is now available.

  SUSE: 2020:3625-1 important: mariadb (Dec 4)
 

An update that fixes 10 vulnerabilities is now available.

  SUSE: 2020:3615-1 important: xen (Dec 3)
 

An update that solves 5 vulnerabilities and has one errata is now available.

  SUSE: 2020:3613-1 moderate: rpmlint (Dec 3)
 

An update that contains security fixes can now be installed.

  SUSE: 2020:3614-1 important: gdm (Dec 3)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3611-1 important: xen (Dec 3)
 

An update that solves 5 vulnerabilities and has one errata is now available.

  SUSE: 2020:3612-1 important: xen (Dec 3)
 

An update that solves one vulnerability and has one errata is now available.

  Debian LTS: DLA-2490-1: x11vnc security update (Dec 10)
 

Guenal Davalan reported a flaw in x11vnc, a VNC server to allow remote access to an existing X session. x11vnc creates shared memory segments with 0777 mode. A local attacker can take advantage of this flaw for

  Debian LTS: DLA-2489-1: minidlna security update (Dec 10)
 

It was discovered that missing input validation in minidlna, a lightweight DLNA/UPnP-AV server could result in the execution of arbitrary code. In addition minidlna was susceptible to the "CallStranger" UPnP

  Debian LTS: DLA-2340-2: sqlite3 (Dec 10)
 

The update of sqlite3 released as DLA-2340-1 contained an incomplete fix for CVE-2019-20218. Updated sqlite3 packages are now available to correct this issue.

  Debian LTS: DLA-2483-1: linux-4.19 security update (Dec 10)
 

Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service or information leaks.

  Debian LTS: DLA-2488-1: python-apt security update (Dec 9)
 

Various memory and file descriptor leaks were discovered in the Python interface to the APT package management runtime library, which could result in denial of service.

  Debian LTS: DLA-2487-1: apt security update (Dec 9)
 

It was discovered that missing input validation in the ar/tar implementations of APT, the high level package manager, could cause out-of-bounds reads or infinite loops, resulting in denial of service when processing malformed deb files.

  Debian LTS: DLA-2486-1: xorg-server security update (Dec 9)
 

Jan-Niklas Sohn discovered that the XKB extension of the Xorg X server performed incomplete input validation, which could result in privilege escalation.

  Debian LTS: DLA-2485-1: golang-golang-x-net-dev security update (Dec 9)
 

The http2 server support in this package was vulnerable to certain types of DoS attacks. CVE-2019-9512

  Debian LTS: DLA-2484-1: python-certbot - switch to ACMEv2 API (Dec 8)
 

Let's Encrypt's ACMEv1 API is deprecated and in the process of being shut down. Beginning with brownouts in January 2021, and ending with a total shutdown in June 2021, the Let's Encrypt APIs will become unavailable. To prevent users having disruptions to their certificate

  Debian LTS: DLA-2481-1: openldap security update (Dec 4)
 

Two vulnerabilities in the certificate list syntax verification and in the handling of CSN normalization were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these

  Debian LTS: DLA-2480-1: salt security update (Dec 4)
 

Several vulnerabilities were discovered in salt. CVE-2020-16846

  Debian LTS: DLA-2482-1: debian-security-support security update (Dec 4)
 

debian-security-support, the Debian security support coverage checker, has been updated in stretch-security. This marks the end of life of the mongodb package in stretch due to

  Debian LTS: DLA-2479-1: thunderbird security update (Dec 4)
 

Chiaki Ishikawa discovered a stack overflow in SMTP server status handling which could potentially result in the execution of arbitrary code.

  ArchLinux: 202012-11: libproxy-mozjs: denial of service (Dec 9)
 

The package libproxy-mozjs before version 0.4.16-1 is vulnerable to denial of service.

  ArchLinux: 202012-10: libproxy: denial of service (Dec 9)
 

The package libproxy before version 0.4.16-1 is vulnerable to denial of service.

  ArchLinux: 202012-9: libproxy-webkit: denial of service (Dec 9)
 

The package libproxy-webkit before version 0.4.16-1 is vulnerable to denial of service.

  ArchLinux: 202012-8: containerd: privilege escalation (Dec 9)
 

The package containerd before version 1.4.3-1 is vulnerable to privilege escalation.

  ArchLinux: 202012-7: libslirp: information disclosure (Dec 9)
 

The package libslirp before version 4.4.0-1 is vulnerable to information disclosure.

  ArchLinux: 202012-6: xorg-server: arbitrary code execution (Dec 9)
 

The package xorg-server before version 1.20.10-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202012-3: tomcat9: information disclosure (Dec 9)
 

The package tomcat9 before version 9.0.40-1 is vulnerable to information disclosure.

  ArchLinux: 202012-5: ant: arbitrary code execution (Dec 9)
 

The package ant before version 1.10.9-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202012-4: tomcat8: information disclosure (Dec 9)
 

The package tomcat8 before version 8.5.60-1 is vulnerable to information disclosure.

  ArchLinux: 202012-2: cimg: arbitrary code execution (Dec 9)
 

The package cimg before version 2.9.4-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202012-1: python-lxml: cross-site scripting (Dec 9)
 

The package python-lxml before version 4.6.2-1 is vulnerable to cross-site scripting.

  ArchLinux: 202011-29: musl: arbitrary code execution (Dec 5)
 

The package musl before version 1.2.1-2 is vulnerable to arbitrary code execution.

  ArchLinux: 202011-28: webkit2gtk: arbitrary code execution (Dec 5)
 

The package webkit2gtk before version 2.30.3-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202011-27: opensc: arbitrary code execution (Dec 5)
 

The package opensc before version 0.21.0-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202011-26: gitea: insufficient validation (Dec 5)
 

The package gitea before version 1.12.6-1 is vulnerable to insufficient validation.

  ArchLinux: 202011-25: mutt: silent downgrade (Dec 5)
 

The package mutt before version 2.0.2-1 is vulnerable to silent downgrade.

  ArchLinux: 202011-24: neomutt: silent downgrade (Dec 5)
 

The package neomutt before version 20201120-1 is vulnerable to silent downgrade.

  ArchLinux: 202011-23: matrix-synapse: denial of service (Dec 5)
 

The package matrix-synapse before version 1.20.1-1 is vulnerable to denial of service.

  ArchLinux: 202011-22: ceph: multiple issues (Dec 5)
 

The package ceph before version 15.2.6-1 is vulnerable to multiple issues including authentication bypass, content spoofing, cross-site scripting and private key recovery.

  CentOS: CESA-2020-5235: Important CentOS 7 thunderbird (Dec 9)
 

Upstream details at: https://access.redhat.com/errata/RHSA-2020:5235

  CentOS: CESA-2020-5239: Important CentOS 7 firefox (Dec 9)
 

Upstream details at: https://access.redhat.com/errata/RHSA-2020:5239

  SciLinux: SLSA-2020-5350-1 Important: net-snmp on SL7.x x86_64 (Dec 7)
 

net-snmp: Improper Privilege Management in EXTEND MIB may lead to privileged commands execution (CVE-2020-15862) SL7 x86_64 net-snmp-5.7.2-49.el7_9.1.x86_64.rpm net-snmp-agent-libs-5.7.2-49.el7_9.1.i686.rpm net-snmp-agent-libs-5.7.2-49.el7_9.1.x86_64.rpm net-snmp-debuginfo-5.7.2-49.el7_9.1.i686.rpm net-snmp-debuginfo-5.7.2-49.el7_9.1.x86_64.rpm net-snmp-libs-5.7.2-49 [More...]

  openSUSE: 2020:2227-1 moderate: pngcheck (Dec 10)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2020:2226-1 moderate: minidlna (Dec 10)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2020:2222-1 moderate: nsd (Dec 10)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2020:2223-1 important: openssl-1_1 (Dec 10)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2020:2220-1 moderate: pngcheck (Dec 10)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2020:2216-1 important: chromium (Dec 9)
 

An update that fixes 6 vulnerabilities is now available.

  openSUSE: 2020:2213-1 important: chromium (Dec 9)
 

An update that fixes 6 vulnerabilities is now available.

  openSUSE: 2020:2211-1 important: python (Dec 8)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2020:2205-1 moderate: rpmlint (Dec 8)
 

An update that contains security fixes can now be installed.

  openSUSE: 2020:2204-1 moderate: minidlna (Dec 8)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2020:2192-1 important: xen (Dec 7)
 

An update that solves 5 vulnerabilities and has one errata is now available.

  openSUSE: 2020:2188-1 important: java-1_8_0-openjdk (Dec 7)
 

An update that contains security fixes can now be installed.

  openSUSE: 2020:2198-1 moderate: pngcheck (Dec 7)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2020:2184-1 important: python-pip (Dec 7)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2020:2185-1 important: python-setuptools (Dec 7)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2020:2190-1 important: python3 (Dec 7)
 

An update that solves one vulnerability and has one errata is now available.

  openSUSE: 2020:2194-1 moderate: minidlna (Dec 7)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2020:2193-1 important: the Linux Kernel (Dec 7)
 

An update that solves 7 vulnerabilities and has 45 fixes is now available.

  openSUSE: 2020:2189-1 important: python (Dec 7)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2020:2186-1 important: xorg-x11-server (Dec 7)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2020:2187-1 important: MozillaThunderbird (Dec 7)
 

An update that fixes 12 vulnerabilities is now available.

  openSUSE: 2020:2181-1 important: chromium (Dec 7)
 

An update that fixes 6 vulnerabilities is now available.

  openSUSE: 2020:2177-1 moderate: pngcheck (Dec 6)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2020:2178-1 important: opera (Dec 6)
   
  openSUSE: 2020:2173-1 moderate: python-cryptography (Dec 6)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2020:2169-1 important: python-pip (Dec 5)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2020:2170-1 important: java-1_8_0-openjdk (Dec 5)
 

An update that contains security fixes can now be installed.

  openSUSE: 2020:2168-1 moderate: rclone (Dec 5)
   
  openSUSE: 2020:2161-1 important: the Linux Kernel (Dec 4)
 

An update that solves 11 vulnerabilities and has 57 fixes is now available.

  openSUSE: 2020:2162-1 important: xen (Dec 4)
 

An update that solves 5 vulnerabilities and has one errata is now available.

  openSUSE: 2020:2160-1 moderate: minidlna (Dec 4)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2020:2158-1 moderate: neomutt (Dec 4)
   
  openSUSE: 2020:2157-1 moderate: neomutt (Dec 4)
   
  openSUSE: 2020:2152-1 important: python3 (Dec 3)
 

An update that solves one vulnerability and has one errata is now available.

  Mageia 2020-0455: chromium-browser-stable security update (Dec 9)
 

The updated packages fix some problems found in version 86 and security vulnerabilities. References: - https://bugs.mageia.org/show_bug.cgi?id=27630

  Mageia 2020-0454: x11vnc security update (Dec 8)
 

scan.c in x11vnc 0.9.16 uses IPC_CREAT|0777 in shmget calls, which allows access by actors other than the current user. (CVE-2020-29074) References: - https://bugs.mageia.org/show_bug.cgi?id=27684

  Mageia 2020-0453: php-pear security update (Dec 8)
 

Filename manipulation vulnerabilities (CVE-2020-28948 / CVE-2020-28949) Updated also Archive_Tar to 1.4.11. References: - https://bugs.mageia.org/show_bug.cgi?id=27664

  Mageia 2020-0452: oniguruma security update (Dec 8)
 

In Oniguruma, an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c (CVE-2020-26159). References:

  Mageia 2020-0451: python and python3 security update (Dec 8)
 

It was discovered that Python incorrectly handled certain ZIP files. An attacker could possibly use this issue to cause a denial of service (CVE-2019-9674). It was discovered that the Python documentation contained misleading information. A security issue could be possibly caused by wrong assumptions of this

  Mageia 2020-0450: thunderbird security update (Dec 5)
 

When reading SMTP server status codes, Thunderbird writes an integer value to a position on the stack that is intended to contain just one byte. Depending on processor architecture and stack layout, this leads to stack corruption that may be exploitable (CVE-2020-26970).

  Mageia 2020-0449: pdfresurrect security update (Dec 5)
 

In PDFResurrect before 0.20, lack of header validation checks causes a heap-buffer-overflow in pdf_get_version() (CVE-2020-20740). References: - https://bugs.mageia.org/show_bug.cgi?id=27704

  Mageia 2020-0448: mutt security update (Dec 5)
 

Mutt before 2.0.2 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle (CVE-2020-28896).

  Mageia 2020-0447: privoxy security update (Dec 5)
 

Privoxy has been updated to version 3.0.29 to fix 8 security issues. References: - https://bugs.mageia.org/show_bug.cgi?id=27678 - https://www.openwall.com/lists/oss-security/2020/11/29/1

  Mageia 2020-0446: xdg-utils security update (Dec 3)
 

Jens Mueller discovered that xdg-utils incorrectly handled certain URI. An attacker could possibly use this issue to expose sensitive information (CVE-2020-27748). References:

  Mageia 2020-0445: poppler security update (Dec 3)
 

A buffer overflow in pdftohtml could result in a DoS (CVE-2020-27778). References: - https://bugs.mageia.org/show_bug.cgi?id=27687 - https://ubuntu.com/security/notices/USN-4646-1

  Mageia 2020-0444: pngcheck security update (Dec 3)
 

This update fixes a potential global buffer overflow in the check_chunk_name function via a crafted png file. References: - https://bugs.mageia.org/show_bug.cgi?id=27658

  Mageia 2020-0443: cimg security update (Dec 3)
 

Multiple heap buffer overflows. (CVE-2020-25693) References: - https://bugs.mageia.org/show_bug.cgi?id=27651 - https://www.debian.org/lts/security/2020/dla-2462

  Mageia 2020-0442: tor security update (Dec 3)
 

When completing a channel, relays now check more thoroughly to make sure that it matches any pending circuits before attaching those circuits. Previously, address correctness and Ed25519 identities were not checked in this case, but only when extending circuits on an existing channel (TROVE-2020-005).