Linux Advisory Watch: February 5th, 2021


Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! Staying on top of the latest security advisories issued by the distro(s) you use is essential in maintaining an updated, secure Linux system. Our weekly newsletter is an easy, convenient way to track distribution security advisories - helping you keep your Linux environment safe from malware and other exploits.

Important advisories issued this week include warnings from Debian of several vulnerabilities in dnsmasq which could result in denial of service, cache poisoning or the execution of arbitrary code, as well as multiple Linux kernel flaws that could lead to privilege escalation, denial of service or information leaks. Continue reading to learn about other significant advisories issued this week. Stay healthy, safe and secure - both on and offline!

Yours in Open Source,

Brittany Day


LinuxSecurity.com Feature Extras:

How To Secure the Linux Kernel - This article will examine the importance of robust kernel security and explore various measures that administrators can take to secure the Linux kernel and protect their systems from malware and other exploits.

Fileless Malware on Linux: Anatomy of an Attack - This article will provide you with answers to these questions by honing in on the anatomy of a Linux fileless malware attack - equipping you with the knowledge necessary to secure your systems and your data against this stealthy and malicious threat. Let’s begin by exploring the concept of fileless malware.


  Debian: DSA-4844-1: dnsmasq security update (Feb 4)
 

Moshe Kol and Shlomi Oberman of JSOF discovered several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server. They could result in denial of service, cache poisoning or the execution of arbitrary code.

  Debian: DSA-4845-1: openldap security update (Feb 3)
 

Several vulnerabilities were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash, infinite loops) via

  Debian: DSA-4843-1: linux security update (Feb 1)
 

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

  Debian: DSA-4842-1: thunderbird security update (Jan 31)
 

Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or an information leak.

  Fedora 33: java-11-openjdk 2021-5dcdf8b2b1 (Feb 4)
 

New in release OpenJDK 11.0.10 (2021-01-19). Live versions of these release notes can be found at:
- https://bitly.com/openjdk11010
- https://builds.shipilev.net/backports-monitor/release-notes-11.0.10.txt
Security fixes:
- JDK-8247619: Improve Direct Buffering of Characters
Other changes:
- [JDK-8213821](https://bugs.openjdk.java.net/browse/JDK-8213821):

  Fedora 33: kernel 2021-879c756377 (Feb 4)
 

The 5.10.12 stable kernel update contains a number of important fixes across the tree.

  Fedora 33: monitorix 2021-5f7da70bfe (Feb 4)
 

Security fix for [CVE-2021-3325]. This new version fixes a security bug introduced in version 3.13.0 that led the HTTP built-in server to bypass Basic Authentication when the option hosts_deny is not defined, which is the default. Besides this fix, this version also updates the main configuration file to add the option hosts_deny = all by default inside the auth subsection,

  Fedora 32: kernel 2021-6e805a5051 (Feb 4)
 

The 5.10.12 stable kernel update contains a number of important fixes across the tree.

  Fedora 32: monitorix 2021-fc24737ebc (Feb 4)
 

Security fix for [CVE-2021-3325]. This new version fixes a security bug introduced in version 3.13.0 that led the HTTP built-in server to bypass Basic Authentication when the option hosts_deny is not defined, which is the default. Besides this fix, this version also updates the main configuration file to add the option hosts_deny = all by default inside the auth subsection,

  Fedora 32: netpbm 2021-f62099fe51 (Feb 3)
 

New upstream version 10.94.00. Introduced new script pamhomography.

  Fedora 33: tcmu-runner 2021-4a91649cf3 (Feb 2)
 

Fixes CVE-2020-28374 See tcmu-runner commit 2b16e96e6b63d0419d857f53e4cc67f0adb383fd tcmu-runner can't determine whether the device(s) referred to in XCOPY Copy Source/Copy Destination (CSCD) descriptors should be accessible to the initiator via transport settings, ACLs, etc. Consequently, fail XCOPY requests with CSCD descriptors which refer to any

  Fedora 32: libebml 2021-6c4215787a (Feb 2)
 

Fixes heap use-after-free when parsing malformed file (upstream issue [2989](https://gitlab.com/mbunkus/mkvtoolnix/-/issues/2989)).

  Fedora 32: jasper 2021-0a6290f865 (Feb 2)
 

New upstream version 2.0.24 with all reported CVE fixes available.

  Fedora 32: kf5-messagelib 2021-bdaf015218 (Feb 1)
 

This update rebases QtWebEngine to the latest Qt 5 release, 5.15.2, fixing dozens of security issues. (The same version is already shipped on Fedora 33 and Rawhide.) The included kf5-messagelib update backports a fix for compatibility with QtWebEngine 5.15.x. The Chromium version has been updated to 83.0.4103.122, with backported security fixes from Chromium up to version

  Fedora 32: qt5-qtwebengine 2021-bdaf015218 (Feb 1)
 

This update rebases QtWebEngine to the latest Qt 5 release, 5.15.2, fixing dozens of security issues. (The same version is already shipped on Fedora 33 and Rawhide.) The included kf5-messagelib update backports a fix for compatibility with QtWebEngine 5.15.x. The Chromium version has been updated to 83.0.4103.122, with backported security fixes from Chromium up to version

  Fedora 33: netpbm 2021-df9ede6a02 (Jan 30)
 

New upstream version 10.94.00. Introduced new script pamhomography.

  Fedora 33: libebml 2021-e84e1aaa2c (Jan 30)
 

Fixes heap use-after-free when parsing malformed file (upstream issue [2989](https://gitlab.com/mbunkus/mkvtoolnix/-/issues/2989)).

  Fedora 33: jasper 2021-2b151590d9 (Jan 30)
 

New upstream version 2.0.24 with all reported CVE fixes available.

  Fedora 32: xen 2021-16c9c40d4d (Jan 30)
 

IRQ vector leak on x86 [XSA-360]

  Fedora 32: chromium 2021-b7cc24375b (Jan 30)
 

This is probably not the update you want. Let me be clear, it does fix the security vulnerabilities in this list: CVE-2020-16044 CVE-2021-21118 CVE-2021-21119 CVE-2021-21120 CVE-2021-21121 CVE-2021-21122 CVE-2021-21123 CVE-2021-21124 CVE-2021-21125 CVE-2021-21126 CVE-2021-21127 CVE-2021-21129 CVE-2021-21130 CVE-2021-21131 CVE-2021-21132 CVE-2021-21133 CVE-2021-21134

  Fedora 33: firefox 2021-750c85601a (Jan 29)
 

Fixes startup crash.

  Fedora 33: thunderbird 2021-67a539137d (Jan 29)
 

Update to latest upstream version.

  Fedora 33: opensmtpd 2021-848fd34b0b (Jan 29)
 

**opensmtpd 6.8.0p2**
New Features:
- ECDSA privsep engine support for OpenSSL, sponsored by anonymous community member
Bug fixes:
- Fixed a resolver memory leak as well as a regex table memory leak
- Fixed a bug in the filters state machine leading to a possible crash of the daemon
- Fixed the logging format which output truncated process names on some systems
- Fixed

  Fedora 33: mingw-python3 2021-ced31f3f0c (Jan 29)
 

This update backports a security fix for CVE-2021-3177.

  Fedora 32: opensmtpd 2021-71fbdecdf8 (Jan 29)
 

**opensmtpd 6.8.0p2**
New Features:
- ECDSA privsep engine support for OpenSSL, sponsored by anonymous community member
Bug fixes:
- Fixed a resolver memory leak as well as a regex table memory leak
- Fixed a bug in the filters state machine leading to a possible crash of the daemon
- Fixed the logging format which output truncated process names on some systems
- Fixed

  Fedora 32: mingw-python3 2021-42ba9feb47 (Jan 29)
 

This update backports a security fix for CVE-2021-3177.

  Fedora 33: nss 2021-1d4180de72 (Jan 28)
 

New Firefox version (85.0) with various Wayland fixes. New NSS version (3.60).

  Fedora 33: firefox 2021-1d4180de72 (Jan 28)
 

New Firefox version (85.0) with various Wayland fixes. New NSS version (3.60).

  Fedora 33: erlang 2021-06cbd73fba (Jan 28)
 

Erlang ver. 23.2.3 and Erlang ver. 23.2.2

  Fedora 32: seamonkey 2021-d4f4c994cc (Jan 28)
 

Update to 2.53.6

  Gentoo: GLSA-202102-02: Mozilla Thunderbird: Multiple vulnerabilities (Jan 31)
 

Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code.

  Gentoo: GLSA-202102-01: Mozilla Firefox: Multiple vulnerabilities (Jan 31)
 

Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code.

  Gentoo: GLSA-202101-38: NSD: Symbolic link traversal (Jan 28)
 

A vulnerability was discovered in NSD which could allow a local attacker to cause a Denial of Service condition.

  Gentoo: GLSA-202101-37: VLC: Buffer overflow (Jan 28)
 

A buffer overflow in VLC might allow remote attacker(s) to execute arbitrary code.

  Gentoo: GLSA-202101-36: ImageMagick: Command injection (Jan 28)
 

A vulnerability in ImageMagick's handling of PDF was discovered possibly allowing code execution.

  RedHat: RHSA-2021-0421:01 Moderate: rh-nodejs14-nodejs security update (Feb 4)
 

An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0420:01 Moderate: Red Hat Quay v3.4.0 security update (Feb 4)
 

Red Hat Quay 3.4.0 is now available with bug fixes and various enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0417:01 Moderate: Red Hat AMQ Broker 7.8.1 release and (Feb 4)
 

Red Hat AMQ Broker 7.8.1 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0411:01 Important: flatpak security update (Feb 4)
 

An update for flatpak is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0401:01 Important: Red Hat Virtualization Host security (Feb 3)
 

An update for imgbased, redhat-release-virtualization-host, and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact

  RedHat: RHSA-2021-0397:01 Important: thunderbird security update (Feb 3)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0395:01 Important: RHV-H security, bug fix, (Feb 3)
 

An update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0281:01 Important: OpenShift Container Platform 4.4.33 (Feb 3)
 

Red Hat OpenShift Container Platform release 4.4.33 is now available with updates to packages and images that fix several bugs and add enhancements. This release also includes a security update for Red Hat OpenShift Container Platform 4.4.

  RedHat: RHSA-2021-0282:01 Important: OpenShift Container Platform 4.4.33 (Feb 3)
 

Red Hat OpenShift Container Platform release 4.4.33 is now available with updates to packages and images that fix several bugs. This release includes a security update for jenkins-2-plugins, openshift, and openshift-kuryr for Red Hat OpenShift Container Platform 4.4.

  RedHat: RHSA-2021-0384:01 Important: Red Hat JBoss Fuse/A-MQ 6.3 R18 (Feb 2)
 

An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0383:01 Moderate: RHV-M (ovirt-engine) 4.4.z security, (Feb 2)
 

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0381:01 Low: RHV-M(ovirt-engine) 4.4.z security, bug fix, (Feb 2)
 

Updated ovirt-engine packages that fix several bugs and add various enhancements are now available. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0346:01 Moderate: qemu-kvm-ma security update (Feb 2)
 

An update for qemu-kvm-ma is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0336:01 Moderate: kernel security, bug fix, (Feb 2)
 

An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0348:01 Moderate: glibc security and bug fix update (Feb 2)
 

An update for glibc is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0338:01 Moderate: kernel-rt security and bug fix update (Feb 2)
 

An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0347:01 Moderate: qemu-kvm security and bug fix update (Feb 2)
 

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0343:01 Moderate: perl security update (Feb 2)
 

An update for perl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0339:01 Important: linux-firmware security update (Feb 2)
 

An update for linux-firmware is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0358:01 Important: net-snmp security update (Feb 2)
 

An update for net-snmp is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0292:01 Important: Red Hat support for Spring Boot 2.3.6 (Feb 2)
 

An update is now available for Red Hat support for Spring Boot. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each

  RedHat: RHSA-2021-0354:01 Important: kernel-alt security update (Feb 2)
 

An update for kernel-alt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0329:01 Moderate: Red Hat AMQ Broker 7.4.6 release and (Feb 2)
 

Red Hat AMQ Broker 7.4.6 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0327:01 Important: Red Hat Single Sign-On 7.4.5 security (Feb 1)
 

A security update is now available for Red Hat Single Sign-On 7.4 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0319:01 Moderate: Red Hat Single Sign-On 7.4.5 security (Feb 1)
 

New Red Hat Single Sign-On 7.4.5 packages are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0320:01 Moderate: Red Hat Single Sign-On 7.4.5 security (Feb 1)
 

New Red Hat Single Sign-On 7.4.5 packages are now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0318:01 Moderate: Red Hat Single Sign-On 7.4.5 security (Feb 1)
 

New Red Hat Single Sign-On 7.4.5 packages are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0317:01 Moderate: Red Hat JBoss EAP XP 1.0.4.GA release (Feb 1)
 

An update is now available for Red Hat JBoss Enterprise Application Platform XP. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0307:01 Important: flatpak security update (Feb 1)
 

An update for flatpak is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0306:01 Important: flatpak security update (Feb 1)
 

An update for flatpak is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0304:01 Important: flatpak security update (Feb 1)
 

An update for flatpak is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0299:01 Important: thunderbird security update (Jan 28)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0298:01 Important: thunderbird security update (Jan 28)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0297:01 Important: thunderbird security update (Jan 28)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  SUSE: 2021:45-1 suse/sle15 Security Update (Feb 4)
 

The container suse/sle15 was updated. The following patches have been included in this update:

  SUSE: 2021:4-1 suse-sles-15-sp2-chost-byos-v20210202-hvm-ssd-x86_64 Security Update (Feb 4)
 

The container suse-sles-15-sp2-chost-byos-v20210202-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

  SUSE: 2021:3-1 sles-15-sp2-chost-byos-v20210202 Security Update (Feb 4)
 

The container sles-15-sp2-chost-byos-v20210202 was updated. The following patches have been included in this update:

  SUSE: 2021:2-1 sles-15-sp1-chost-byos-v20210202 Security Update (Feb 4)
 

The container sles-15-sp1-chost-byos-v20210202 was updated. The following patches have been included in this update:

  SUSE: 2021:1-1 suse-sles-15-sp1-chost-byos-v20210202-hvm-ssd-x86_64 Security Update (Feb 4)
 

The container suse-sles-15-sp1-chost-byos-v20210202-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

  Debian LTS: DLA-2545-1: open-build-service security update (Feb 3)
 

CVE-2020-8020 An improper neutralization of input during web page generation vulnerability in open-build-service allows remote attackers to

  Debian LTS: DLA-2544-1: openldap security update (Feb 3)
 

Several vulnerabilities were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash, infinite loops) via

  Debian LTS: DLA-2543-1: libdatetime-timezone-perl new upstream version (Feb 2)
 

This update includes the changes in tzdata 2021a for the Perl bindings. For the list of changes, see DLA-2542-1. For Debian 9 stretch, this problem has been fixed in version

  Debian LTS: DLA-2542-1: tzdata new upstream version (Feb 2)
 

This update includes the changes in tzdata 2021a. Notable changes are:
- South Sudan changed from +03 to +02 on 2021-02-01.

  Debian LTS: DLA-2541-1: thunderbird security update (Feb 2)
 

Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or an information leak.

  Debian LTS: DLA-2539-1: firefox-esr security update (Feb 2)
 

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or information disclosure.

  Debian LTS: DLA-2540-1: python-django security update (Feb 1)
 

It was discovered that there was a potential directory-traversal in Django, a Python-based web development framework. For Debian 9 "Stretch", this problem has been fixed in version

  Debian LTS: DLA-2538-1: mariadb-10.1 security update (Jan 31)
 

Two vulnerabilities were fixed by upgrading the MariaDB database server packages to the latest version on the 10.1 branch. For Debian 9 stretch, these problems have been fixed in version

  Debian LTS: DLA-2431-2: libonig regression update (Jan 30)
 

It was discovered that CVE-2020-26159 in the Oniguruma regular expressions library, notably used in PHP mbstring, was a false-positive. In consequence the patch for CVE-2020-26159 was reverted. For reference, the original advisory text follows.

  Debian LTS: DLA-2536-1: libsdl2 security update (Jan 30)
 

Several issues have been found in libsdl2, a library for portable low level access to a video framebuffer, audio output, mouse, and keyboard. All issues are related to either buffer overflow, integer overflow or

  ArchLinux: 202101-45: libgcrypt: arbitrary code execution (Jan 29)
 

The package libgcrypt before version 1.9.1-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202101-44: home-assistant: information disclosure (Jan 29)
 

The package home-assistant before version 2021.1.4-1 is vulnerable to information disclosure.

  ArchLinux: 202101-43: mutt: denial of service (Jan 29)
 

The package mutt before version 2.0.5-1 is vulnerable to denial of service.

  ArchLinux: 202101-42: libvirt: arbitrary code execution (Jan 29)
 

The package libvirt before version 1:7.0.0-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202101-41: jenkins: multiple issues (Jan 28)
 

The package jenkins before version 2.275-1 is vulnerable to multiple issues including cross-site scripting, directory traversal, incorrect calculation, arbitrary filesystem access, denial of service, information disclosure and insufficient validation.

  ArchLinux: 202101-40: flatpak: sandbox escape (Jan 28)
 

The package flatpak before version 1.10.0-1 is vulnerable to sandbox escape.

  ArchLinux: 202101-39: erlang: certificate verification bypass (Jan 28)
 

The package erlang before version 23.2.2-1 is vulnerable to certificate verification bypass.

  ArchLinux: 202101-38: dnsmasq: multiple issues (Jan 28)
 

The package dnsmasq before version 2.83-1 is vulnerable to multiple issues including arbitrary code execution, denial of service and insufficient validation.

  ArchLinux: 202101-37: virtualbox: multiple issues (Jan 28)
 

The package virtualbox before version 6.1.18-1 is vulnerable to multiple issues including arbitrary code execution, insufficient validation, denial of service and information disclosure.

  ArchLinux: 202101-36: podofo: multiple issues (Jan 28)
 

The package podofo before version 0.9.7-1 is vulnerable to multiple issues including arbitrary code execution and denial of service.

  ArchLinux: 202101-35: vlc: arbitrary code execution (Jan 28)
 

The package vlc before version 3.0.12-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202101-34: gptfdisk: arbitrary code execution (Jan 28)
 

The package gptfdisk before version 1.0.6-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202101-33: linux: directory traversal (Jan 28)
 

The package linux before version 5.10.7.arch1-1 is vulnerable to directory traversal.

  ArchLinux: 202101-32: linux-hardened: directory traversal (Jan 28)
 

The package linux-hardened before version 5.10.7.a-1 is vulnerable to directory traversal.

  ArchLinux: 202101-31: linux-zen: directory traversal (Jan 28)
 

The package linux-zen before version 5.10.7.zen1-1 is vulnerable to directory traversal.

  ArchLinux: 202101-30: linux-lts: directory traversal (Jan 28)
 

The package linux-lts before version 5.4.89-1 is vulnerable to directory traversal.

  ArchLinux: 202101-29: lldpd: information disclosure (Jan 28)
 

The package lldpd before version 1.0.8-1 is vulnerable to information disclosure.

  ArchLinux: 202101-28: openvswitch: multiple issues (Jan 28)
 

The package openvswitch before version 2.14.1-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure.

  ArchLinux: 202101-27: go: multiple issues (Jan 28)
 

The package go before version 2:1.15.7-1 is vulnerable to multiple issues including arbitrary command execution and incorrect calculation.

  ArchLinux: 202101-26: gobby: denial of service (Jan 28)
 

The package gobby before version 1:0.5.0+116+g295e697-1 is vulnerable to denial of service.

  CentOS: CESA-2021-0339: Important CentOS 7 linux-firmware (Feb 3)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0339

  CentOS: CESA-2021-0347: Moderate CentOS 7 qemu-kvm (Feb 3)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0347

  CentOS: CESA-2021-0343: Moderate CentOS 7 perl (Feb 3)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0343

  CentOS: CESA-2021-0348: Moderate CentOS 7 glibc (Feb 3)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0348

  SciLinux: SLSA-2021-0336-1 Moderate: kernel on SL7.x x86_64 (Feb 2)
 

Security fix(es):
* kernel: use-after-free in fs/block_dev.c (CVE-2020-15436)
* kernel: Nfsd failure to clear umask after processing an open or create (CVE-2020-35513)
Bug fix(es):
* double free issue in filelayout_alloc_commit_info
* Regression: Plantronics Device SHS2355-11 PTT button does not work after update to 7.7
* Openstack network node reports unregister_netdevice: waiting for qr- 3cec0c92-9a to bec [More...]

  SciLinux: SLSA-2021-0297-1 Important: thunderbird on SL7.x x86_64 (Jan 28)
 

This update upgrades Thunderbird to version 78.7.0.
* Mozilla: Cross-origin information leakage via redirected PDF requests (CVE-2021-23953)
* Mozilla: Type confusion when using logical assignment operators in JavaScript switch statements (CVE-2021-23954)
* Mozilla: Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7 (CVE-2021-23964)
* Mozilla: IMAP Response Injection when using STAR [More...]

  openSUSE: 2021:0231-1 moderate: segv_handler (Feb 2)
 

An update that contains security fixes can now be installed.

  openSUSE: 2021:0229-1 moderate: segv_handler (Feb 2)
 

An update that contains security fixes can now be installed.

  openSUSE: 2021:0227-1 moderate: messagelib (Feb 2)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0223-1 important: MozillaFirefox (Feb 1)
 

An update that fixes 5 vulnerabilities is now available.

  openSUSE: 2021:0222-1 important: MozillaFirefox (Feb 1)

An update that fixes 5 vulnerabilities is now available.

  openSUSE: 2021:0221-1 moderate: jackson-databind (Feb 1)

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0208-1 important: MozillaThunderbird (Jan 30)

An update that fixes 6 vulnerabilities is now available.

  openSUSE: 2021:0209-1 important: MozillaThunderbird (Jan 30)

An update that fixes 6 vulnerabilities is now available.

  openSUSE: 2021:0207-1 moderate: segv_handler (Jan 30)

An update that contains security fixes can now be installed.

  openSUSE: 2021:0198-1 moderate: segv_handler (Jan 30)

An update that contains security fixes can now be installed.

  openSUSE: 2021:0195-1 moderate: nodejs8 (Jan 30)

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0194-1 moderate: go1.14 (Jan 29)

An update that solves two vulnerabilities and has one errata is now available.

  openSUSE: 2021:0190-1 moderate: go1.14 (Jan 29)

An update that solves two vulnerabilities and has one errata is now available.

  openSUSE: 2021:0188-1 moderate: messagelib (Jan 29)

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0192-1 moderate: go1.15 (Jan 29)

An update that solves two vulnerabilities and has one errata is now available.

  openSUSE: 2021:0186-1 important: chromium (Jan 29)

An update that fixes 26 vulnerabilities is now available.

  openSUSE: 2021:0180-1 moderate: python-autobahn (Jan 28)

An update that fixes one vulnerability is now available.

  Mageia 2021-0070: mutt security update (Feb 5)

It was discovered that Mutt incorrectly handled certain email messages. An attacker could possibly use this issue to cause a denial of service because rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups).

  Mageia 2021-0069: nodejs security update (Feb 5)

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a

  Mageia 2021-0068: nodejs-ini security update (Feb 5)

It was discovered that there was an issue in nodejs-ini, where an application could be exploited by a malicious input file. This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context

  Mageia 2021-0067: messagelib security update (Feb 4)

In KDE KMail, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the

  Mageia 2021-0066: thunderbird security update (Feb 4)

Cross-origin information leakage via redirected PDF requests. (CVE-2021-23953) Type confusion when using logical assignment operators in JavaScript switch statements. (CVE-2021-23954)

  Mageia 2021-0064: python and python3 security update (Feb 4)

A flaw was found in python. A stack-based buffer overflow was discovered in the ctypes module provided within Python. Applications that use ctypes without carefully validating the input passed to it may be vulnerable to this flaw, which would allow an attacker to overflow a buffer on the stack and crash the application. The highest threat from this vulnerability is to system

  Mageia 2021-0063: ruby-nokogiri security update (Feb 4)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename (CVE-2019-5477).

  Mageia 2021-0062: kernel-linus security update (Feb 1)

This kernel-linus update is based on upstream 5.10.12 and fixes at least the following security issue: An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local

  Mageia 2021-0061: kernel security update (Jan 31)

This kernel update is based on upstream 5.10.12 and fixes at least the following security issues: fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to

  Mageia 2021-0060: php-pear security update (Jan 31)

The updated php-pear packages fix a security vulnerability in the Archive_Tar component, a symlink out-of-path write vulnerability. Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links. (CVE-2020-36193)

  Mageia 2021-0059: dnsmasq security update (Jan 29)

Multiple vulnerabilities have been discovered in dnsmasq up to version 2.82:
- subtle errors in dnsmasq's protections against cache-poisoning attacks (CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686)
- buffer overflow in dnsmasq's DNSSEC code (CVE-2020-25681, CVE-2020-25682, CVE-2020-25683 and CVE-2020-25687)

  Mageia 2021-0058: kernel-linus security update (Jan 29)

This kernel-linus update is based on upstream 5.10.11 and fixes at least the following security issue: SCSI EXTENDED COPY (XCOPY) requests sent to a Linux SCSI target (LIO) allow an attacker to read or write anywhere on any LIO backstore configured

  Mageia 2021-0057: db53 security update (Jan 29)

Vulnerability in the Data Store component of Oracle Berkeley DB. Easily exploitable vulnerability allows a low privileged attacker having Local Logon privilege with logon to the infrastructure where Data Store executes to compromise Data Store. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Data