Linux Advisory Watch: February 19th, 2021

Advisories

Linux Advisory Watch: February 19th, 2021

Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! Staying on top of the latest security advisories issued by the distro(s) you use is essential in maintaining an updated, secure Linux system. Our weekly newsletter is an easy, convenient way to track distribution security advisories - helping you keep your Linux environment safe from malware and other exploits.

Important advisories issued this week include warnings from ArchLinux and Debian of multiple PHP security vulnerabilities which could result in DoS, information disclosure, cookie forgery or incorrect encryption, and an advisory from Debian regarding a remotely triggerable vulnerability in the mod_authz_svn Subversion module, which could be exploited by an unauthenticated remote client. Continue reading to learn about other significant advisories issued this week.

We are currently rebuilding our site and would like your input! Got feedback or ideas? This is your chance to get involved and help set the direction of the future site! Stay tuned for an email regarding our LinuxSecurity User Survey, which will open Monday February 22, 2021. Stay healthy, safe and secure - both on and offline!

Yours in Open Source,

Brittany Day Signature


LinuxSecurity.com Feature Extras:

Member Profile: My Expedition Through nmap Lab How to get through the NMAP room in Tryhackme - Thank you to Oyelakin Timilehin Valentina for contributing this article. Our newest member Valentina, a Nigerian cybersecurity professional, recently went through the Tryhackme online learning platform, and shares her experiences, as well as a few quick tips on using nmap.

Open-Source Kernel Security Technologies - Kernel security is a key determinant of overall system security. Luckily, Linux now supports a range of effective open-source extensions and external tools engineered to boost kernel security. From the threats you should be aware of to the initiatives and technologies designed to reinforce and enhance the security of the Linux kernel, here's what you need to know.


  Debian: DSA-4857-1: bind9 security update (Feb 18)
 

A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, a DNS server implementation, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code.

  Debian: DSA-4856-1: php7.3 security update (Feb 17)
 

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in denial of service, information disclosure, cookie forgery or incorrect encryption.

  Debian: DSA-4854-1: webkit2gtk security update (Feb 17)
 

The following vulnerabilities have been discovered in the webkit2gtk web engine: CVE-2020-13558

  Debian: DSA-4855-1: openssl security update (Feb 17)
 

Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. An overflow bug in the x64_64 Montgomery squaring procedure, an integer overflow in CipherUpdate and a NULL pointer dereference flaw X509_issuer_and_serial_hash() were found, which could

  Debian: DSA-4853-1: spip security update (Feb 16)
 

It was discovered that SPIP, a website engine for publishing, would allow a malicious user to perform cross-site scripting attacks, access sensitive information, or execute arbitrary code.

  Debian: DSA-4852-1: openvswitch security update (Feb 15)
 

Joakim Hindersson discovered that Open vSwitch, a software-based Ethernet virtual switch, allowed a malicious user to cause a denial-of-service by sending a specially crafted packet.

  Debian: DSA-4851-1: subversion security update (Feb 13)
 

Thomas Akesson discovered a remotely triggerable vulnerability in the mod_authz_svn module in Subversion, a version control system. When using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option an unauthenticated remote client can take advantage of this flaw

  Fedora 32: libntlm 2020-1f643c272c (Feb 18)
 

Update to security fix 1.6 version. Fixes CVE-2019-17455

  Fedora 33: kiwix-desktop 2021-aa347d2b99 (Feb 18)
 

Always use HTTPS for the catalog downloads.

  Fedora 33: webkit2gtk3 2021-ab674d56bc (Feb 17)
 

* Bring back the WebKitPluginProcess that was removed by mistake. (It will disappear again soon.) * Fix RunLoop objects leaked in worker threads. * Use Internet Explorer quirk for Google Docs. (Yes, even this new quirk is broken already.) * Security fixes: CVE-2020-13558

  Fedora 32: jasper 2021-7716e59d84 (Feb 17)
 

New upstream release 2.0.25

  Fedora 33: roundcubemail 2021-434b65378a (Feb 17)
 

**Release 1.4.11** - Display a nice error informing about no PHP8 support - Elastic: Fix compatibility with Less v3 and v4 (#7813) - Fix bug with managesieve_domains in Settings > Forwarding form (#7849) - Fix errors in MSSQL database update scripts (#7853) - **Security**: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content

  Fedora 32: roundcubemail 2021-aef54ec149 (Feb 17)
 

**Release 1.4.11** - Display a nice error informing about no PHP8 support - Elastic: Fix compatibility with Less v3 and v4 (#7813) - Fix bug with managesieve_domains in Settings > Forwarding form (#7849) - Fix errors in MSSQL database update scripts (#7853) - **Security**: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content

  Fedora 32: spice-vdagent 2021-510977db25 (Feb 17)
 

Update to spice-vdagent 0.21.0: security fixes: CVE-2020-25650, CVE-2020-25651, CVE-2020-25652, CVE-2020-25653

  Fedora 32: chromium 2021-7fb30b9381 (Feb 17)
 

Update to 88.0.4324.150. Fixes: CVE-2021-21142 CVE-2021-21143 CVE-2021-21144 CVE-2021-21145 CVE-2021-21146 CVE-2021-21147 CVE-2021-21148 Please keep in mind that this release fixes an actively exploited 0-day vulnerability.

  Fedora 33: audacity 2021-8aaccdbb5f (Feb 14)
 

Use system lv2, midi. ---- Explicitly specify system ogg. ---- Switch from Python 2->3 ---- 2.4.2

  Fedora 33: community-mysql 2021-db50ab62d3 (Feb 14)
 

** MySQL 8.0.23 ** & **MySQL connector ODBC 8.0.23** Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-23.html https://dev.mysql.com/doc/relnotes/connector-odbc/en/news-8-0-23.html Oracle CPU: https://www.oracle.com/security-alerts/cpujan2021.html#AppendixMSQL

  Fedora 33: mysql-connector-odbc 2021-db50ab62d3 (Feb 14)
 

** MySQL 8.0.23 ** & **MySQL connector ODBC 8.0.23** Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-23.html https://dev.mysql.com/doc/relnotes/connector-odbc/en/news-8-0-23.html Oracle CPU: https://www.oracle.com/security-alerts/cpujan2021.html#AppendixMSQL

  Fedora 32: community-mysql 2021-b1d1655cef (Feb 14)
 

** MySQL 8.0.23 ** & **MySQL connector ODBC 8.0.23** Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-23.html https://dev.mysql.com/doc/relnotes/connector-odbc/en/news-8-0-23.html Oracle CPU: https://www.oracle.com/security-alerts/cpujan2021.html#AppendixMSQL

  Fedora 32: mysql-connector-odbc 2021-b1d1655cef (Feb 14)
 

** MySQL 8.0.23 ** & **MySQL connector ODBC 8.0.23** Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-23.html https://dev.mysql.com/doc/relnotes/connector-odbc/en/news-8-0-23.html Oracle CPU: https://www.oracle.com/security-alerts/cpujan2021.html#AppendixMSQL

  Fedora 32: kernel 2021-f8ede2fdfc (Feb 13)
 

The 5.10.15 stable kernel update contains a number of important fixes across the tree. ---- The 5.10.14 stable kernel updates contain a number of important fixes across the tree.

  Fedora 33: kernel 2021-76aaa904e2 (Feb 13)
 

The 5.10.15 stable kernel update contains a number of important fixes across the tree.

  Fedora 33: zypper 2021-ebc1c35c5d (Feb 12)
 

Update to Zypper 1.14.42 and libzypp 17.25.6 to remediate CVE-2017-9271

  Fedora 33: libzypp 2021-ebc1c35c5d (Feb 12)
 

Update to Zypper 1.14.42 and libzypp 17.25.6 to remediate CVE-2017-9271

  Fedora 33: python-django 2021-5329c680f7 (Feb 12)
 

CVE-2021-3281: Potential directory-traversal via archive.extract()

  Fedora 32: python3.10 2021-d5cde50865 (Feb 12)
 

Update to 3.10.0a5 Security fix for CVE-2021-3177.

  Fedora 32: php 2021-ae5a54ba78 (Feb 11)
 

**PHP version 7.4.15** (04 Feb 2021) **Core:** * Fixed bug php#80523 (bogus parse error on >4GB source code). (Nikita) * Fixed bug php#80384 (filter buffers entire read until file closed). (Adam Seitz, cmb) **Curl:** * Fixed bug php#80595 (Resetting POSTFIELDS to empty array breaks request). (cmb) **Date:** * Fixed bug php#80376 (last day of the month causes runway cpu usage. (Derick)

  Fedora 32: thunderbird 2021-93149af72b (Feb 11)
 

This update fixes dependency filtering that caused thunderbird to inadvertently lose requires on dbus-glib. ---- Update to latest upstream version. ---- Update to latest upstream version.

  Fedora 33: subversion 2021-a3a0273cb2 (Feb 11)
 

This update includes the latest stable release of _Apache Subversion_, version **1.14.1**. This release includes the fix for `CVE-2020-17525`, a remote unauthenticated denial-of-service in Subversion mod_authz_svn. The full upstream security advisory for `CVE-2020-17525` is available at: https://subversion.apache.org/security/CVE-2020-17525-advisory.txt ### User-

  Fedora 33: jasper 2021-0c18ee6369 (Feb 11)
 

New upstream release 2.0.25

  Fedora 33: linux-firmware 2021-98841e94ff (Feb 11)
 

Update to upstream 20210208 release: * rtl_bt: Updates for RTL8822C, RTL8821C, added RTL8852A * Link Cypress brcmfmac firmwares to old brcm location * brcm NVRAM updates for Raspberry Pi, added 96boards Rock960 * QCom SM8250 (SD865) firmware for Compute, Audio DSPs, Adreno a650, venus VPU-1.0 * i915: Added firmware for DG1, ADL-S * Uodated bluetooth firmware for Intel Bluetooth

  Fedora 33: spice-vdagent 2021-09ce0cdfac (Feb 11)
 

Update to spice-vdagent 0.21.0: security fixes: CVE-2020-25650, CVE-2020-25651, CVE-2020-25652, CVE-2020-25653

  Fedora 33: python-cryptography 2021-8e36e7ed1a (Feb 11)
 

Security fix for CVE-2020-36242 Fixed a bug where certain sequences of update() calls when symmetrically encrypting very large payloads (>2GB) could result in an integer overflow, leading to buffer overflows.

  RedHat: RHSA-2021-0611:01 Important: xterm security update (Feb 18)
 

An update for xterm is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0423:01 Important: OpenShift Container Platform 4.6.17 (Feb 17)
 

Red Hat OpenShift Container Platform release 4.6.17 is now available with updates to packages and images that fix several bugs. This release includes a security update for Red Hat OpenShift Container Platform 4.6.

  security update (Feb 17)
 

An update is now available for Red Hat Decision Manager. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  7.10.0 security u (Feb 17)
 

An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0599:01 Moderate: redhat-ds:11 security and bug fix update (Feb 16)
 

An update for the redhat-ds:11 module is now available for Red Hat Directory Server 11.1 for RHEL 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0549:01 Moderate: nodejs:12 security update (Feb 16)
 

An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0558:01 Important: kernel security, bug fix, (Feb 16)
 

An update for kernel is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0548:01 Moderate: nodejs:10 security update (Feb 16)
 

An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0538:01 Moderate: nss security and bug fix update (Feb 16)
 

An update for nss is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0531:01 Moderate: container-tools:rhel8 security, bug fix, (Feb 16)
 

An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0551:01 Moderate: nodejs:14 security and bug fix update (Feb 16)
 

An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0557:01 Moderate: perl security update (Feb 16)
 

An update for perl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0537:01 Important: kernel-rt security and bug fix update (Feb 16)
 

An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0436:01 Moderate: OpenShift Container Platform 4.6 (Feb 16)
 

An update for compliance-content-container, ose-compliance-openscap-container, ose-compliance-operator-container, and ose-compliance-operator-metadata-container is now available for Red Hat OpenShift Container Platform 4.6.

  RedHat: RHSA-2021-0528:01 Moderate: python security update (Feb 16)
 

An update for python is now available for Red Hat Enterprise Linux 7.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0525:01 Important: net-snmp security update (Feb 16)
 

An update for net-snmp is now available for Red Hat Enterprise Linux 7.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0526:01 Moderate: kernel security and bug fix update (Feb 16)
 

An update for kernel is now available for Red Hat Enterprise Linux 7.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0530:01 Moderate: java-1.8.0-ibm security update (Feb 16)
 

An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0521:01 Moderate: rh-nodejs10-nodejs security update (Feb 15)
 

An update for rh-nodejs10-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0508:01 Important: subversion:1.10 security update (Feb 15)
 

An update for the subversion:1.10 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0507:01 Important: subversion:1.10 security update (Feb 15)
 

An update for the subversion:1.10 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0509:01 Important: subversion:1.10 security update (Feb 15)
 

An update for the subversion:1.10 module is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0497:01 Moderate: openvswitch2.13 security and bug fix (Feb 11)
 

An update for openvswitch2.13 is now available for Fast Datapath for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0495:01 Moderate: Red Hat JBoss Web Server 5.4.1 Security (Feb 11)
 

Red Hat JBoss Web Server 5.4.1 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 and Windows. Red Hat Product Security has rated this release as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0494:01 Moderate: Red Hat JBoss Web Server 5.4.1 Security (Feb 11)
 

Updated Red Hat JBoss Web Server 5.4.1 packages are now available for Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8. Red Hat Product Security has rated this release as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0491:01 Low: Red Hat JBoss Web Server 3.1 Service Pack 11 (Feb 11)
 

An update is now available for Red Hat JBoss Web Server 3.1, for RHEL 7 and Windows. Red Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0489:01 Low: Red Hat JBoss Web Server 3.1 Service Pack 11 (Feb 11)
 

An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 7. Red Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0485:01 Moderate: rh-nodejs12-nodejs security update (Feb 11)
 

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0488:01 Low: Red Hat JBoss Core Services Apache HTTP (Feb 11)
 

Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 6 zip release for RHEL 7, RHEL 8 and Microsoft Windows is available. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0486:01 Low: Red Hat JBoss Core Services Apache HTTP (Feb 11)
 

Updated packages that provide Red Hat JBoss Core Services Pack Apache Server 2.4.37 and fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact

  Debian LTS: DLA-2564-1: php-horde-text-filter security update (Feb 19)
 

Alex Birnberg discovered a cross-site scripting (XSS) vulnerability in the Horde Application Framework, more precisely its Text Filter API. An attacker could take control of a user's mailbox by sending a crafted e-mail.

  Debian LTS: DLA-2567-1: unrar-free security update (Feb 18)
 

Several issues have been found in unrar-free, an unarchiver for .rar files. CVE-2017-14120

  Debian LTS: DLA-2566-1: libbsd security update (Feb 18)
 

An issue has been found in libbsd, a library with utility functions from BSD systems. A non-NUL terminated symbol name in the string table might result in an

  Debian LTS: DLA-2560-1: qemu security update (Feb 18)
 

Several vulnerabilities were discovered in QEMU, a fast processor emulator (notably used in KVM and Xen HVM virtualization). An attacker could trigger a denial-of-service (DoS), information leak, and possibly execute arbitrary code with the privileges of the QEMU

  Debian LTS: DLA-2561-1: ruby-mechanize security update (Feb 16)
 

Mechanize is an open-source Ruby library that makes automated web interaction easy. In Mechanize, from v2.0.0 until v2.7.7, there is a command injection vulnerability.

  Debian LTS: DLA-2559-1: busybox security update (Feb 15)
 

Busybox, utility programs for small and embedded systems, was affected by several security vulnerabilities. The Common Vulnerabilities and Exposures project identifies the following issues.

  Debian LTS: DLA-2558-1: xterm security update (Feb 13)
 

xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence.

  Debian LTS: DLA-2557-1: linux-4.19 security update (Feb 12)
 

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  Debian LTS: DLA-2556-1: unbound1.9 security update (Feb 12)
 

Several security vulnerabilities have been corrected in unbound, a validating, recursive, caching DNS resolver. Support for the unbound DNS server has been resumed, the sources can be found in the unbound1.9 source package.

  Debian LTS: DLA-2554-1: firejail security update (Feb 11)
 

Roman Fiedler discovered a vulnerability in the OverlayFS code in firejail, a sandbox program to restrict the running environment of untrusted applications, which could result in root privilege escalation. This update disables OverlayFS support in firejail.

  ArchLinux: 202102-22: helm: insufficient validation (Feb 12)
 

The package helm before version 3.5.2-1 is vulnerable to insufficient validation.

  ArchLinux: 202102-21: privoxy: denial of service (Feb 12)
 

The package privoxy before version 3.0.31-1 is vulnerable to denial of service.

  ArchLinux: 202102-20: python2-jinja: denial of service (Feb 12)
 

The package python2-jinja before version 2.11.3-1 is vulnerable to denial of service.

  ArchLinux: 202102-19: python-jinja: denial of service (Feb 12)
 

The package python-jinja before version 2.11.3-1 is vulnerable to denial of service.

  ArchLinux: 202102-18: python-django: directory traversal (Feb 12)
 

The package python-django before version 3.1.6-1 is vulnerable to directory traversal.

  ArchLinux: 202102-17: glibc: denial of service (Feb 12)
 

The package glibc before version 2.33-1 is vulnerable to denial of service.

  ArchLinux: 202102-16: lib32-glibc: denial of service (Feb 12)
 

The package lib32-glibc before version 2.33-1 is vulnerable to denial of service.

  ArchLinux: 202102-15: php: denial of service (Feb 12)
 

The package php before version 8.0.2-1 is vulnerable to denial of service.

  ArchLinux: 202102-14: php7: denial of service (Feb 12)
 

The package php7 before version 7.4.15-1 is vulnerable to denial of service.

  ArchLinux: 202102-13: cups: information disclosure (Feb 12)
 

The package cups before version 1:2.3.3op2-1 is vulnerable to information disclosure.

  ArchLinux: 202102-12: docker: multiple issues (Feb 12)
 

The package docker before version 1:20.10.3-1 is vulnerable to multiple issues including denial of service and privilege escalation.

  ArchLinux: 202102-11: gitlab: information disclosure (Feb 12)
 

The package gitlab before version 13.8.2-1 is vulnerable to information disclosure.

  ArchLinux: 202102-10: minio: directory traversal (Feb 12)
 

The package minio before version 2021.01.30-1 is vulnerable to directory traversal.

  ArchLinux: 202102-9: ansible: information disclosure (Feb 12)
 

The package ansible before version 2.10.7-1 is vulnerable to information disclosure.

  ArchLinux: 202102-8: opendoas: privilege escalation (Feb 12)
 

The package opendoas before version 6.8.1-2 is vulnerable to privilege escalation.

  ArchLinux: 202102-7: nextcloud: directory traversal (Feb 12)
 

The package nextcloud before version 20.0.6-1 is vulnerable to directory traversal.

  ArchLinux: 202102-6: chromium: multiple issues (Feb 12)
 

The package chromium before version 88.0.4324.150-1 is vulnerable to multiple issues including arbitrary code execution and incorrect calculation.

  ArchLinux: 202102-5: opera: multiple issues (Feb 12)
 

The package opera before version 74.0.3911.75-1 is vulnerable to multiple issues including arbitrary code execution, insufficient validation, content spoofing and incorrect calculation.

  ArchLinux: 202102-4: vivaldi: multiple issues (Feb 12)
 

The package vivaldi before version 3.6.2165.36-1 is vulnerable to multiple issues including arbitrary code execution, insufficient validation, content spoofing and incorrect calculation.

  ArchLinux: 202102-3: wireshark-cli: denial of service (Feb 12)
 

The package wireshark-cli before version 3.4.3-1 is vulnerable to denial of service.

  ArchLinux: 202102-2: thunderbird: multiple issues (Feb 12)
 

The package thunderbird before version 78.7.0-1 is vulnerable to multiple issues including arbitrary code execution, information disclosure and insufficient validation.

  ArchLinux: 202102-1: firefox: multiple issues (Feb 12)
 

The package firefox before version 85.0-1 is vulnerable to multiple issues including arbitrary code execution, incorrect calculation and information disclosure.

  openSUSE: 2021:0304-1 important: screen (Feb 18)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0305-1 important: php7 (Feb 18)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0303-1 important: jasper (Feb 18)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0302-1 important: python-bottle (Feb 16)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0300-1 moderate: mumble (Feb 16)
 

An update that contains security fixes can now be installed.

  openSUSE: 2021:0296-1 important: opera (Feb 15)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0295-1 important: librepo (Feb 15)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0284-1 important: wpa_supplicant (Feb 13)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0283-1 important: openvswitch (Feb 13)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0280-1 important: subversion (Feb 12)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0279-1 moderate: privoxy (Feb 12)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0278-1 important: containerd, docker, docker-runc, golang-github-docker-lib (Feb 12)
 

An update that solves three vulnerabilities and has 5 fixes is now available.

  openSUSE: 2021:0277-1 important: librepo (Feb 12)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0276-1 important: chromium (Feb 11)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0274-1 moderate: nextcloud (Feb 11)
 

An update that fixes three vulnerabilities is now available.

  Mageia 2021-0089: privoxy security update (Feb 19)
 

Fixed a memory leak when decompression fails "unexpectedly". (CVE-2021-20216) Prevent an assertion from getting triggered by a crafted CGI request. (CVE-2021-20217) References:

  Mageia 2021-0088: veracrypt security update (Feb 19)
 

IDRIX, Truecrypt Veracrypt, Truecrypt Prior to 1.23-Hotfix-1 (Veracrypt), all versions (Truecrypt) is affected by a Buffer Overflow that can lead to information disclosure of kernel stack through a locally executed code with IOCTL request to driver (CVE-2019-1010208).

  Mageia 2021-0087: coturn security update (Feb 19)
 

When sending a CONNECT request with the XOR-PEER-ADDRESS value of 0.0.0.0, a malicious user would be able to relay packets to the loopback interface. Additionally, when coturn is listening on IPv6, which is default, the loopback interface can also be reached by making use of either [::1] or [::] as the peer address (CVE-2020-26262).

  Mageia 2021-0086: mediawiki security update (Feb 19)
 

In MediaWiki before 1.31.11, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side has unchangeable groups in it. The right column with the changeable groups is not affected and is escaped correctly

  Mageia 2021-0085: kernel-linus security update (Feb 15)
 

This kernel-linus update is based on upstream 5.10.14 and fixes atleast the following security issues: nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-free that could be triggered by local

  Mageia 2021-0084: kernel security update (Feb 15)
 

This kernel update is based on upstream 5.10.14 and fixes atleast the following security issues: A local privilege escalation was discovered in the Linux kernel before 5.10.13. Multiple race conditions in the AF_VSOCK implementation are

  Mageia 2021-0083: chromium-browser security update (Feb 15)
 

The updated packages fix security vulnerabilities. One of those problems is a security issue in V8 engine that is actively exploited. References: - https://bugs.mageia.org/show_bug.cgi?id=28180

  Mageia 2021-0081: gssproxy security update (Feb 11)
 

gssproxy (aka gss-proxy) before 0.8.3 does not unlock cond_mutex before pthread exit in gp_worker_main() in gp_workers.c (CVE-2020-12658). References: - https://bugs.mageia.org/show_bug.cgi?id=28019

  Mageia 2021-0080: phpldapadmin security update (Feb 11)
 

An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php (CVE-2020-35132). References:

Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript![ ? ]

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.