Linux Advisory Watch: February 12th, 2021

Advisories

Linux Advisory Watch: February 12th, 2021

Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! Staying on top of the latest security advisories issued by the distro(s) you use is essential in maintaining an updated, secure Linux system. Our weekly newsletter is an easy, convenient way to track distribution security advisories - helping you keep your Linux environment safe from malware and other exploits.

Important advisories issued this week include a warning from Debian of several vulnerabilities discovered in the Chromium web browser and an advisory issued by Fedora regarding a fix for a PHP security bug. Continue reading to learn about other significant advisories issued this week. Stay healthy, safe and secure - both on and offline!

Yours in Open Source,

Brittany Day Signature


LinuxSecurity.com Feature Extras:

GeoIP for nftables Brings Simplicity & Flexibility to GeoIP Filtering - This article will examine the concept of GeoIP filtering and how it could add a valuable layer of security to your firewall, and will then explore how the GeoIP for nftables project is leveraging Open Source to provide intuitive, customizable GeoIP filtering on Linux.

CrowdSec: An Innovative Open-Source Massively Multiplayer Firewall for Linux - CrowdSec is a massively multiplayer firewall designed to protect Linux servers, services, containers, or virtual machines exposed on the Internet with a server-side agent. It was inspired by Fail2Ban and aims to be a modernized, collaborative version of that intrusion-prevention tool.


  Debian: DSA-4850-1: libzstd security update (Feb 10)
 

It was discovered that zstd, a compression utility, temporarily exposed a world-readable version of its input even if the original file had restrictive permissions.

  Debian: DSA-4849-1: firejail security update (Feb 9)
 

Roman Fiedler discovered a vulnerability in the OverlayFS code in firejail, a sandbox program to restrict the running environment of untrusted applications, which could result in root privilege escalation. This update disables OverlayFS support in firejail.

  Debian: DSA-4848-1: golang-1.11 security update (Feb 8)
 

Multiple security issues were discovered in the implementation of the Go programming language, which could result in denial of service and the P-224 curve implementation could generate incorrect outputs.

  Debian: DSA-4847-1: connman security update (Feb 8)
 

A remote information leak vulnerability and a remote buffer overflow vulnerability were discovered in ConnMan, a network manager for embedded devices, which could result in denial of service or the execution of arbitrary code.

  Debian: DSA-4846-1: chromium security update (Feb 7)
 

Several vulnerabilities have been discovered in the chromium web browser. CVE-2020-16044

  Debian: DSA-4844-1: dnsmasq security update (Feb 4)
 

Moshe Kol and Shlomi Oberman of JSOF discovered several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server. They could result in denial of service, cache poisoning or the execution of arbitrary code.

  Fedora 32: php 2021-ae5a54ba78 (Feb 11)
 

**PHP version 7.4.15** (04 Feb 2021) **Core:** * Fixed bug php#80523 (bogus parse error on >4GB source code). (Nikita) * Fixed bug php#80384 (filter buffers entire read until file closed). (Adam Seitz, cmb) **Curl:** * Fixed bug php#80595 (Resetting POSTFIELDS to empty array breaks request). (cmb) **Date:** * Fixed bug php#80376 (last day of the month causes runway cpu usage. (Derick)

  Fedora 32: thunderbird 2021-93149af72b (Feb 11)
 

This update fixes dependency filtering that caused thunderbird to inadvertently lose requires on dbus-glib. ---- Update to latest upstream version. ---- Update to latest upstream version.

  Fedora 33: subversion 2021-a3a0273cb2 (Feb 11)
 

This update includes the latest stable release of _Apache Subversion_, version **1.14.1**. This release includes the fix for `CVE-2020-17525`, a remote unauthenticated denial-of-service in Subversion mod_authz_svn. The full upstream security advisory for `CVE-2020-17525` is available at: https://subversion.apache.org/security/CVE-2020-17525-advisory.txt ### User-

  Fedora 33: jasper 2021-0c18ee6369 (Feb 11)
 

New upstream release 2.0.25

  Fedora 33: linux-firmware 2021-98841e94ff (Feb 11)
 

Update to upstream 20210208 release: * rtl_bt: Updates for RTL8822C, RTL8821C, added RTL8852A * Link Cypress brcmfmac firmwares to old brcm location * brcm NVRAM updates for Raspberry Pi, added 96boards Rock960 * QCom SM8250 (SD865) firmware for Compute, Audio DSPs, Adreno a650, venus VPU-1.0 * i915: Added firmware for DG1, ADL-S * Uodated bluetooth firmware for Intel Bluetooth

  Fedora 33: spice-vdagent 2021-09ce0cdfac (Feb 11)
 

Update to spice-vdagent 0.21.0: security fixes: CVE-2020-25650, CVE-2020-25651, CVE-2020-25652, CVE-2020-25653

  Fedora 33: python-cryptography 2021-8e36e7ed1a (Feb 11)
 

Security fix for CVE-2020-36242 Fixed a bug where certain sequences of update() calls when symmetrically encrypting very large payloads (>2GB) could result in an integer overflow, leading to buffer overflows.

  Fedora 32: xpdf 2021-4a437fe032 (Feb 10)
 

Update to 4.03. Fixes CVE-2020-35376 and CVE-2020-25725.

  Fedora 32: rubygem-mechanize 2021-24fdc228e4 (Feb 10)
 

New version 2.7.7 is released. Note that a security flaw was found on the previous version which may allow OS commands' injection, which is now assigned as CVE-2021-21289 . This new rpm fixes this issue.

  Fedora 32: java-11-openjdk 2021-555c9aef71 (Feb 10)
 

# New in release OpenJDK 11.0.10 (2021-01-19): Live versions of these release notes can be found at: * https://bitly.com/openjdk11010 * https://builds.shipilev.net/backports-monitor/release-notes-11.0.10.txt ## Security fixes * JDK-8247619: Improve Direct Buffering of Characters ## Other changes * [JDK-8213821](https://bugs.openjdk.java.net/browse/JDK-8213821):

  Fedora 32: java-1.8.0-openjdk 2021-4cebc3aff9 (Feb 10)
 

# New in release OpenJDK 8u282 (2021-01-19) Live versions of these release notes can be found at: * https://bitly.com/openjdk8u282 * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u282.txt ## Security fixes * JDK-8247619: Improve Direct Buffering of Characters ## Other changes * [JDK-8230839](https://bugs.openjdk.java.net/browse/JDK-8230839):

  Fedora 33: xpdf 2021-013d9a30e0 (Feb 10)
 

Update to 4.03. Fixes CVE-2020-35376 and CVE-2020-25725.

  Fedora 33: rubygem-mechanize 2021-db8ebc547e (Feb 10)
 

New version 2.7.7 is released. Note that a security flaw was found on the previous version which may allow OS commands' injection, which is now assigned as CVE-2021-21289 . This new rpm fixes this issue.

  Fedora 33: java-1.8.0-openjdk 2021-09272cf059 (Feb 10)
 

# New in release OpenJDK 8u282 (2021-01-19) Live versions of these release notes can be found at: * https://bitly.com/openjdk8u282 * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u282.txt ## Security fixes * JDK-8247619: Improve Direct Buffering of Characters ## Other changes * [JDK-8230839](https://bugs.openjdk.java.net/browse/JDK-8230839):

  Fedora 32: privoxy 2021-f08e89a0d5 (Feb 9)
 

3.0.31, fixes for OVE-20210128-0001 and OVE-20210130-0001

  Fedora 32: jackson-databind 2021-1d8254899c (Feb 9)
 

Update to version 2.10.5.1. Resolves CVE-2020-25649.

  Fedora 33: chromium 2021-05afa65d39 (Feb 9)
 

Update to 88.0.4324.150. Fixes: CVE-2021-21142 CVE-2021-21143 CVE-2021-21144 CVE-2021-21145 CVE-2021-21146 CVE-2021-21147 CVE-2021-21148 Please keep in mind that this release fixes an actively exploited 0-day vulnerability.

  Fedora 33: privoxy 2021-6fe9346693 (Feb 9)
 

3.0.31, fixes for OVE-20210128-0001 and OVE-20210130-0001

  Fedora 32: pngcheck 2021-e24167b0e8 (Feb 8)
 

Buffer overflow fixes: 1. Fix buffer overflow on large MNG LOOP chunk (RHBZ#1908559). 2. Fix a buffer overrun for certain invalid MNG PPLT chunk contents (RHBZ#1907428).

  Fedora 33: pngcheck 2021-674d704f6c (Feb 8)
 

Buffer overflow fixes: 1. Fix buffer overflow on large MNG LOOP chunk (RHBZ#1908559). 2. Fix a buffer overrun for certain invalid MNG PPLT chunk contents (RHBZ#1907428).

  Fedora 33: zeromq 2021-8b3202b783 (Feb 7)
 

- Upstream upgrade - Fixes #1921879, #1921972, #1921973, #1921975, #1921976, #1921979, #1921981, #1921983, #1921983, #1921985, #1921987, #1921989, #1921992, #1921994

  Fedora 32: python-pygments 2021-33abbae37b (Feb 6)
 

Security fix for [PUT CVEs HERE]

  Fedora 32: wireshark 2021-138674557c (Feb 6)
 

Security fix for CVE-2020-26418, CVE-2020-26419, CVE-2020-26420, CVE-2020-26421 Update to version 3.4.2 Fix %post script on Silverblue

  Fedora 32: mingw-jasper 2021-b1b17185fc (Feb 6)
 

Update to jasper-2.0.24, see https://github.com/jasper- software/jasper/releases/tag/version-2.0.24 for details. Backport fix for CVE-2021-3272.

  Fedora 33: wpa_supplicant 2021-5f268ab238 (Feb 6)
 

security fix for CVE-2021-0326 see also: https://w1.fi/security/2020-2/

  Fedora 33: python-pygments 2021-175e686ca6 (Feb 6)
 

Backport upstream patch to fix CVE (#1922137)

  Fedora 33: wireshark 2021-f3011da665 (Feb 6)
 

Security fix for CVE-2020-26418, CVE-2020-26419, CVE-2020-26420, CVE-2020-26421 Update to version 3.4.2 Fix %post script on Silverblue

  Fedora 33: mingw-jasper 2021-8ecb3686ca (Feb 6)
 

Update to jasper-2.0.24, see https://github.com/jasper- software/jasper/releases/tag/version-2.0.24 for details. Backport fix for CVE-2021-3272.

  Fedora 33: python3.10 2021-851c6e4e2d (Feb 5)
 

Update to 3.10.0a5. Security fix for CVE-2021-3177.

  Fedora 33: php 2021-6edfd606d3 (Feb 5)
 

**PHP version 7.4.15** (04 Feb 2021) **Core:** * Fixed bug php#80523 (bogus parse error on >4GB source code). (Nikita) * Fixed bug php#80384 (filter buffers entire read until file closed). (Adam Seitz, cmb) **Curl:** * Fixed bug php#80595 (Resetting POSTFIELDS to empty array breaks request). (cmb) **Date:** * Fixed bug php#80376 (last day of the month causes runway cpu usage. (Derick)

  Fedora 33: mingw-binutils 2021-354441fcdd (Feb 5)
 

Security fix for CVE-2021-20197

  Fedora 33: mingw-SDL2 2021-9d65b22041 (Feb 5)
 

Backport patches for CVE-2020-14409, CVE-2020-14410.

  Fedora 33: java-11-openjdk 2021-5dcdf8b2b1 (Feb 4)
 

# New in release OpenJDK 11.0.10 (2021-01-19): Live versions of these release notes can be found at: * https://bitly.com/openjdk11010 * https://builds.shipilev.net/backports-monitor/release-notes-11.0.10.txt ## Security fixes * JDK-8247619: Improve Direct Buffering of Characters ## Other changes * [JDK-8213821](https://bugs.openjdk.java.net/browse/JDK-8213821):

  Fedora 33: kernel 2021-879c756377 (Feb 4)
 

The 5.10.12 stable kernel update contains a number of important fixes across the tree.

  Fedora 33: monitorix 2021-5f7da70bfe (Feb 4)
 

Security fix for [CVE-2021-3325]. This new version fixes a security bug introduced in the 3.13.0 version that lead the HTTP built-in server to bypass the Basic Authentication when the option hosts_deny is not defined, which is the default. Besides this fix, this version also updates the main configuration file to add the option hosts_deny = all by default inside the auth subsection,

  Fedora 32: kernel 2021-6e805a5051 (Feb 4)
 

The 5.10.12 stable kernel update contains a number of important fixes across the tree.

  Fedora 32: monitorix 2021-fc24737ebc (Feb 4)
 

Security fix for [CVE-2021-3325]. This new version fixes a security bug introduced in the 3.13.0 version that lead the HTTP built-in server to bypass the Basic Authentication when the option hosts_deny is not defined, which is the default. Besides this fix, this version also updates the main configuration file to add the option hosts_deny = all by default inside the auth subsection,

  RedHat: RHSA-2021-0497:01 Moderate: openvswitch2.13 security and bug fix (Feb 11)
 

An update for openvswitch2.13 is now available for Fast Datapath for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0495:01 Moderate: Red Hat JBoss Web Server 5.4.1 Security (Feb 11)
 

Red Hat JBoss Web Server 5.4.1 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 and Windows. Red Hat Product Security has rated this release as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0494:01 Moderate: Red Hat JBoss Web Server 5.4.1 Security (Feb 11)
 

Updated Red Hat JBoss Web Server 5.4.1 packages are now available for Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8. Red Hat Product Security has rated this release as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0491:01 Low: Red Hat JBoss Web Server 3.1 Service Pack 11 (Feb 11)
 

An update is now available for Red Hat JBoss Web Server 3.1, for RHEL 7 and Windows. Red Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0489:01 Low: Red Hat JBoss Web Server 3.1 Service Pack 11 (Feb 11)
 

An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 7. Red Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0485:01 Moderate: rh-nodejs12-nodejs security update (Feb 11)
 

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0488:01 Low: Red Hat JBoss Core Services Apache HTTP (Feb 11)
 

Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 6 zip release for RHEL 7, RHEL 8 and Microsoft Windows is available. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0486:01 Low: Red Hat JBoss Core Services Apache HTTP (Feb 11)
 

Updated packages that provide Red Hat JBoss Core Services Pack Apache Server 2.4.37 and fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact

  RedHat: RHSA-2021-0476:01 Important: dotnet5.0 security and bugfix update (Feb 10)
 

An update for .NET 5.0 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0474:01 Important: dotnet security and bugfix update (Feb 10)
 

An update for .NET Core 2.1 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0473:01 Important: .NET 5.0 on Red Hat Enterprise Linux (Feb 10)
 

An update for rh-dotnet50-dotnet is now available for .NET on Red Hat Enterprise Linux. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0472:01 Important: .NET Core 3.1 on Red Hat Enterprise (Feb 10)
 

An update for rh-dotnet31-dotnet is now available for .NET Core on Red Hat Enterprise Linux. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0470:01 Important: .NET Core 2.1 on Red Hat Enterprise (Feb 10)
 

An update for rh-dotnet21-dotnet is now available for .NET Core on Red Hat Enterprise Linux. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0471:01 Important: dotnet3.1 security and bugfix update (Feb 10)
 

An update for .NET Core 3.1 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0459:01 Moderate: qemu-kvm-rhev security update (Feb 9)
 

An update for qemu-kvm-rhev is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 and Red Hat Virtualization Engine 4.3. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0313:01 Important: OpenShift Container Platform 4.5.31 (Feb 9)
 

Red Hat OpenShift Container Platform release 4.5.31 is now available with updates to packages and images that fix several bugs. This release also includes a security update for Red Hat OpenShift Container Platform 4.5.

  RedHat: RHSA-2021-0308:01 Important: OpenShift Container Platform 4.6.16 (Feb 8)
 

Red Hat OpenShift Container Platform release 4.6.16 is now available with updates to packages and images that fix several bugs. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0310:01 Moderate: OpenShift Container Platform 4.6.16 (Feb 8)
 

Red Hat OpenShift Container Platform release 4.6.16 is now available with updates to packages and images that fix several bugs. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0433:01 Moderate: Red Hat Data Grid 8.1.1 security update (Feb 8)
 

A security update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0295:01 Important: Red Hat build of Thorntail 2.7.3 (Feb 8)
 

An update is now available for Red Hat build of Thorntail. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each

  RedHat: RHSA-2021-0421:01 Moderate: rh-nodejs14-nodejs security update (Feb 4)
 

An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0420:01 Moderate: Red Hat Quay v3.4.0 security update (Feb 4)
 

Red Hat Quay 3.4.0 is now available with bug fixes and various enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0417:01 Moderate: Red Hat AMQ Broker 7.8.1 release and (Feb 4)
 

Red Hat AMQ Broker 7.8.1 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0411:01 Important: flatpak security update (Feb 4)
 

An update for flatpak is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  Slackware: 2021-040-01: dnsmasq Security Update (Feb 9)
 

New dnsmasq packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.

  Slackware: 2021-040-01: dnsmasq Security Update (Feb 9)
 

New dnsmasq packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.

  SUSE: 2021:7-1 suse-sles-15-sp2-chost-byos-v20210202-gen2 Security Update (Feb 10)
 

The container suse-sles-15-sp2-chost-byos-v20210202-gen2 was updated. The following patches have been included in this update:

  SUSE: 2021:6-1 suse-sles-15-sp1-chost-byos-v20210202-gen2 Security Update (Feb 10)
 

The container suse-sles-15-sp1-chost-byos-v20210202-gen2 was updated. The following patches have been included in this update:

  SUSE: 2021:5-1 suse-sles-15-chost-byos-v20210202-hvm-ssd-x86_64 Security Update (Feb 10)
 

The container suse-sles-15-chost-byos-v20210202-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

  SUSE: 2021:51-1 caasp/v4.5/cilium-operator Security Update (Feb 9)
 

The container caasp/v4.5/cilium-operator was updated. The following patches have been included in this update:

  SUSE: 2021:50-1 caasp/v4.5/cilium Security Update (Feb 9)
 

The container caasp/v4.5/cilium was updated. The following patches have been included in this update:

  SUSE: 2021:45-1 suse/sle15 Security Update (Feb 4)
 

The container suse/sle15 was updated. The following patches have been included in this update:

  SUSE: 2021:4-1 suse-sles-15-sp2-chost-byos-v20210202-hvm-ssd-x86_64 Security Update (Feb 4)
 

The container suse-sles-15-sp2-chost-byos-v20210202-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

  SUSE: 2021:3-1 sles-15-sp2-chost-byos-v20210202 Security Update (Feb 4)
 

The container sles-15-sp2-chost-byos-v20210202 was updated. The following patches have been included in this update:

  SUSE: 2021:2-1 sles-15-sp1-chost-byos-v20210202 Security Update (Feb 4)
 

The container sles-15-sp1-chost-byos-v20210202 was updated. The following patches have been included in this update:

  SUSE: 2021:1-1 suse-sles-15-sp1-chost-byos-v20210202-hvm-ssd-x86_64 Security Update (Feb 4)
 

The container suse-sles-15-sp1-chost-byos-v20210202-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

  Debian LTS: DLA-2554-1: firejail security update (Feb 11)
 

Roman Fiedler discovered a vulnerability in the OverlayFS code in firejail, a sandbox program to restrict the running environment of untrusted applications, which could result in root privilege escalation. This update disables OverlayFS support in firejail.

  Debian LTS: DLA-2553-1: xcftools security update (Feb 9)
 

Claudio Bozzato of Cisco Talos discovered an exploitable integer overflow vulnerability in the flattenIncrementally function in the xcf2png and xcf2pnm binaries of xcftools. An integer overflow can occur while walking through tiles that could be exploited to corrupt memory and execute arbitrary code. In order

  Debian LTS: DLA-2552-1: connman security update (Feb 9)
 

A remote information leak vulnerability and a remote buffer overflow vulnerability were discovered in ConnMan, a network manager for embedded devices, which could result in denial of service or the execution of

  Debian LTS: DLA-2551-1: slirp security update (Feb 9)
 

Two issues have been found in slirp, a SLIP/PPP emulator using a dial up shell account.

  Debian LTS: DLA-2550-1: openjpeg2 security update (Feb 9)
 

Various overflow errors were identified and fixed. CVE-2020-27814

  Debian LTS: DLA-2549-1: gdisk security update (Feb 8)
 

CVE-2020-0256 In LoadPartitionTable of gpt.cc, there is a possible out of bounds write due to a missing bounds check. This

  Debian LTS: DLA-2548-1: privoxy security update (Feb 6)
 

Multiple vulnerabilites were discovered in privoxy, a privacy enhancing HTTP proxy, like memory leaks, dereference of a NULL-pointer, et al.

  Debian LTS: DLA-2547-1: wireshark security update (Feb 6)
 

Several vulnerabilities were fixed in Wireshark, a network sniffer. CVE-2019-13619

  Debian LTS: DLA-2546-1: intel-microcode security update (Feb 5)
 

CVE-2020-8695 Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to

  ArchLinux: 202102-22: helm: insufficient validation (Feb 12)
 

The package helm before version 3.5.2-1 is vulnerable to insufficient validation.

  ArchLinux: 202102-21: privoxy: denial of service (Feb 12)
 

The package privoxy before version 3.0.31-1 is vulnerable to denial of service.

  ArchLinux: 202102-20: python2-jinja: denial of service (Feb 12)
 

The package python2-jinja before version 2.11.3-1 is vulnerable to denial of service.

  ArchLinux: 202102-19: python-jinja: denial of service (Feb 12)
 

The package python-jinja before version 2.11.3-1 is vulnerable to denial of service.

  ArchLinux: 202102-18: python-django: directory traversal (Feb 12)
 

The package python-django before version 3.1.6-1 is vulnerable to directory traversal.

  ArchLinux: 202102-17: glibc: denial of service (Feb 12)
 

The package glibc before version 2.33-1 is vulnerable to denial of service.

  ArchLinux: 202102-16: lib32-glibc: denial of service (Feb 12)
 

The package lib32-glibc before version 2.33-1 is vulnerable to denial of service.

  ArchLinux: 202102-15: php: denial of service (Feb 12)
 

The package php before version 8.0.2-1 is vulnerable to denial of service.

  ArchLinux: 202102-14: php7: denial of service (Feb 12)
 

The package php7 before version 7.4.15-1 is vulnerable to denial of service.

  ArchLinux: 202102-13: cups: information disclosure (Feb 12)
 

The package cups before version 1:2.3.3op2-1 is vulnerable to information disclosure.

  ArchLinux: 202102-12: docker: multiple issues (Feb 12)
 

The package docker before version 1:20.10.3-1 is vulnerable to multiple issues including denial of service and privilege escalation.

  ArchLinux: 202102-11: gitlab: information disclosure (Feb 12)
 

The package gitlab before version 13.8.2-1 is vulnerable to information disclosure.

  ArchLinux: 202102-10: minio: directory traversal (Feb 12)
 

The package minio before version 2021.01.30-1 is vulnerable to directory traversal.

  ArchLinux: 202102-9: ansible: information disclosure (Feb 12)
 

The package ansible before version 2.10.7-1 is vulnerable to information disclosure.

  ArchLinux: 202102-8: opendoas: privilege escalation (Feb 12)
 

The package opendoas before version 6.8.1-2 is vulnerable to privilege escalation.

  ArchLinux: 202102-7: nextcloud: directory traversal (Feb 12)
 

The package nextcloud before version 20.0.6-1 is vulnerable to directory traversal.

  ArchLinux: 202102-6: chromium: multiple issues (Feb 12)
 

The package chromium before version 88.0.4324.150-1 is vulnerable to multiple issues including arbitrary code execution and incorrect calculation.

  ArchLinux: 202102-5: opera: multiple issues (Feb 12)
 

The package opera before version 74.0.3911.75-1 is vulnerable to multiple issues including arbitrary code execution, insufficient validation, content spoofing and incorrect calculation.

  ArchLinux: 202102-4: vivaldi: multiple issues (Feb 12)
 

The package vivaldi before version 3.6.2165.36-1 is vulnerable to multiple issues including arbitrary code execution, insufficient validation, content spoofing and incorrect calculation.

  ArchLinux: 202102-3: wireshark-cli: denial of service (Feb 12)
 

The package wireshark-cli before version 3.4.3-1 is vulnerable to denial of service.

  ArchLinux: 202102-2: thunderbird: multiple issues (Feb 12)
 

The package thunderbird before version 78.7.0-1 is vulnerable to multiple issues including arbitrary code execution, information disclosure and insufficient validation.

  ArchLinux: 202102-1: firefox: multiple issues (Feb 12)
 

The package firefox before version 85.0-1 is vulnerable to multiple issues including arbitrary code execution, incorrect calculation and information disclosure.

  CentOS: CESA-2021-0411: Important CentOS 7 flatpak (Feb 9)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0411

  SciLinux: SLSA-2021-0411-1 Important: flatpak on SL7.x x86_64 (Feb 5)
 

flatpak: sandbox escape via spawn portal (CVE-2021-21261) SL7 x86_64 flatpak-1.0.9-10.el7_9.x86_64.rpm flatpak-debuginfo-1.0.9-10.el7_9.x86_64.rpm flatpak-libs-1.0.9-10.el7_9.x86_64.rpm flatpak-builder-1.0.0-10.el7_9.x86_64.rpm flatpak-devel-1.0.9-10.el7_9.x86_64.rpm - Scientific Linux Development Team

  openSUSE: 2021:0279-1 moderate: privoxy (Feb 12)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0278-1 important: containerd, docker, docker-runc, golang-github-docker-lib (Feb 12)
 

An update that solves three vulnerabilities and has 5 fixes is now available.

  openSUSE: 2021:0277-1 important: librepo (Feb 12)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0276-1 important: chromium (Feb 11)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0274-1 moderate: nextcloud (Feb 11)
 

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0272-1 moderate: rclone (Feb 10)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0270-1 important: python (Feb 10)
 

An update that solves two vulnerabilities and has one errata is now available.

  openSUSE: 2021:0269-1 important: java-11-openjdk (Feb 10)
 

An update that contains security fixes can now be installed.

  openSUSE: 2021:0271-1 important: firejail (Feb 10)
 

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0268-1 important: chromium (Feb 10)
 

An update that fixes 6 vulnerabilities is now available.

  openSUSE: 2021:0267-1 important: chromium (Feb 9)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0265-1 moderate: privoxy (Feb 8)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0262-1 moderate: nextcloud (Feb 8)
 

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0259-1 important: chromium (Feb 7)
 

An update that fixes 6 vulnerabilities is now available.

  openSUSE: 2021:0253-1 moderate: cups (Feb 5)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0241-1 important: the Linux Kernel (Feb 5)
 

An update that solves 7 vulnerabilities and has 49 fixes is now available.

  openSUSE: 2021:0239-1 important: openvswitch (Feb 5)
 

An update that solves one vulnerability and has one errata is now available.

  openSUSE: 2021:0237-1 important: rubygem-nokogiri (Feb 5)
 

An update that solves two vulnerabilities and has one errata is now available.

  openSUSE: 2021:0242-1 moderate: RT kernel (Feb 5)
 

An update that solves 79 vulnerabilities and has 676 fixes is now available.

  Mageia 2021-0081: gssproxy security update (Feb 11)
 

gssproxy (aka gss-proxy) before 0.8.3 does not unlock cond_mutex before pthread exit in gp_worker_main() in gp_workers.c (CVE-2020-12658). References: - https://bugs.mageia.org/show_bug.cgi?id=28019

  Mageia 2021-0080: phpldapadmin security update (Feb 11)
 

An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php (CVE-2020-35132). References:

  Mageia 2021-0079: gstreamer1.0-plugins-bad security update (Feb 10)
 

A flaw was found in the gstreamer h264 component of gst-plugins-bad before v1.18.1 where when parsing a h264 header, an attacker could cause the stack to be smashed, memory corruption and possibly code execution. (CVE-2021-3185). References:

  Mageia 2021-0078: perl-Email-MIME and perl-Email-MIME-ContentType security update (Feb 10)
 

Messages with too many tiny nested MIME parts can lead to memory exhaustion on split(), resulting in denial of service (rhbz#1835353) This update limits the number of nested MIME parts to 10 (by default), to avoid a possible memory exhaustion issue with lots of tiny MIME parts.

  Mageia 2021-0077: nethack security update (Feb 10)
 

Updated nethack packages fix security vulnerabilities: NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability when reading very long lines from configuration files. This affects systems that have NetHack installed suid/sgid, and shared systems that allow users to

  Mageia 2021-0076: php security update (Feb 8)
 

The php packages are updated to version 7.3.27 to fix a Null Dereference in SoapClient (SOAP). (CVE-2021-21702). Note also php packages version 7.4.15-1.mga7 are available in backports/updates.

  Mageia 2021-0075: wpa_supplicant security update (Feb 8)
 

A vulnerability was discovered in how wpa_supplicant processing P2P (Wi-Fi Direct) group information from active group owners. The actual parsing of that information validates field lengths appropriately, but processing of the parsed information misses a length check when storing a copy of the secondary device types. This can result in writing

  Mageia 2021-0074: phppgadmin security update (Feb 8)
 

phppgadmin through 7.12.1 allows sensitive actions to be performed without validating that the request originated from the application. One such area, database.php does not verify the source of an HTTP request. This can be leveraged by a remote attacker to trick a logged-in administrator to visit a malicious page with a CSRF exploit and execute arbitrary system commands on the

  Mageia 2021-0073: gdisk security update (Feb 6)
 

A bug that could cause segfault if GPT header claimed partition entries are oversized (CVE-2020-0256). A bug that could cause a crash if a badly-formatted MBR disk was read (CVE-2021-0308).

  Mageia 2021-0072: tomcat security update (Feb 6)
 

When serving resources from a network location using the NTFS file system it was possible to bypass security constraints and/or view the source code for JSPs in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances

  Mageia 2021-0070: mutt security update (Feb 5)
 

It was discovered that Mutt incorrectly handled certain email messages. An attacker could possibly use this issue to cause a denial of service because rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups).

  Mageia 2021-0069: nodejs security update (Feb 5)
 

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a

  Mageia 2021-0068: nodejs-ini security update (Feb 5)
 

It was discovered that there was an issue in nodejs-ini, where an application could be exploited by a malicious input file. This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context

  Mageia 2021-0067: messagelib security update (Feb 4)
 

In KDE KMail, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the

  Mageia 2021-0066: thunderbird security update (Feb 4)
 

Cross-origin information leakage via redirected PDF requests. (CVE-2021-23953) Type confusion when using logical assignment operators in JavaScript switch statements. (CVE-2021-23954)

  Mageia 2021-0064: python and python3 security update (Feb 4)
 

A flaw was found in python. A stack-based buffer overflow was discovered in the ctypes module provided within Python. Applications that use ctypes without carefully validating the input passed to it may be vulnerable to this flaw, which would allow an attacker to overflow a buffer on the stack and crash the application. The highest threat from this vulnerability is to system

  Mageia 2021-0063: ruby-nokogiri security update (Feb 4)
 

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename (CVE-2019-5477).

Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript![ ? ]

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.