Advisories

Linux Advisory Watch

Don't want to miss that crucial security notice?. The editorial staff at Guardian Digital will bring you complete coverage and in-depth
descriptions of all security bulletins, vulnerabilities and updated packages, all in one convenient weekly newsletter.

Linux Advisory Watch: January 29th, 2021

Linux Advisory Watch: January 29th, 2021

Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! Staying on top of the latest security advisories issued by the distro(s) you use is essential in maintaining an updated, secure Linux system. Our weekly newsletter is an easy, convenient way to track distribution security advisories - helping you keep your Linux environment safe from malware and other exploits.

Important advisories issued this week include a warnings from Debian, Fedora and Red Hat of multiple security issues discovered in Firefox, which could potentially result in the execution of arbitrary code or information disclosure, and an advisory from Debian regarding a heap-based buffer overflow vulnerability in sudo, which can be exploited by any local user for root privilege escalation. Continue reading to learn about other significant advisories issued this week. Stay healthy, safe and secure - both on and offline!

Yours in Open Source,

Brittany Day Signature


LinuxSecurity.com Feature Extras:

Fileless Malware on Linux: Anatomy of an Attack - This article will provide you with answers to these questions by honing in on the anatomy of a Linux fileless malware attack - equipping you with the knowledge necessary to secure your systems and your data against this stealthy and malicious threat. Let’s begin by exploring the concept of fileless malware.

A Linux Admin's Getting Started Guide to Improving PHP Security - This article will examine how you can configure and run PHP securely to mitigate the risk of attacks and compromise, secure web applications, protect user privacy and maintain a secure and properly functioning Linux web server.


  Debian: DSA-4841-1: slurm-llnl security update (Jan 27)
 

Multiple security issues were discovered in the Simple Linux Utility for Resource Management (SLURM), a cluster resource management and job scheduling system, which could result in denial of service, information disclosure or privilege escalation.

  Debian: DSA-4840-1: firefox-esr security update (Jan 27)
 

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or information disclosure.

  Debian: DSA-4839-1: sudo security update (Jan 26)
 

The Qualys Research Labs discovered a heap-based buffer overflow vulnerability in sudo, a program designed to provide limited super user privileges to specific users. Any local user (sudoers and non-sudoers) can exploit this flaw for root privilege escalation.

  Debian: DSA-4838-1: mutt security update (Jan 25)
 

Tavis Ormandy discovered a memory leak flaw in the rfc822 group recipient parsing in Mutt, a text-based mailreader supporting MIME, GPG, PGP and threading, which could result in denial of service.

  Debian: DSA-4833-2: gst-plugins-bad1.0 regression update (Jan 24)
 

The update for gst-plugins-bad1.0 released as DSA 4833-1 choosed a package version incompatible with binNMUs and prevented upgrades to the fixed packages. Updated gst-plugins-bad1.0 packages are now available to correct this issue.

  Debian: DSA-4837-1: salt security update (Jan 24)
 

Several vulnerabilities were discovered in salt, a powerful remote execution manager. The flaws could result in authentication bypass and invocation of Salt SSH, creation of certificates with weak file permissions via the TLS execution module or shell injections with the

  Debian: DSA-4830-2: flatpak regression update (Jan 22)
 

The update for flatpak released as DSA 4830-1 introduced regressions with flatpak build and in the extra-data mechanism. Updated flatpak packages are now available to correct this issue.

  Debian: DSA-4836-1: openvswitch security update (Jan 22)
 

Two vulnerabilities were discovered in the LLPD implementation of Open vSwitch, a software-based Ethernet virtual switch, which could result in denial of service.

  Debian: DSA-4835-1: tomcat9 security update (Jan 22)
 

Two vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in information disclosure. For the stable distribution (buster), these problems have been fixed in

  Debian: DSA-4834-1: vlc security update (Jan 22)
 

Multiple vulnerabilities were discovered in the VLC media player, which could result in the execution of arbitrary code or denial of service if a malformed media file is opened.

  Fedora 33: nss 2021-1d4180de72 (Jan 28)
 

New Firefox version (85.0) with various Wayland fixes. New NSS version (3.60).

  Fedora 33: firefox 2021-1d4180de72 (Jan 28)
 

New Firefox version (85.0) with various Wayland fixes. New NSS version (3.60).

  Fedora 33: erlang 2021-06cbd73fba (Jan 28)
 

Erlang ver. 23.2.3 ---- Erlang ver. 23.2.2

  Fedora 32: seamonkey 2021-d4f4c994cc (Jan 28)
 

Update to 2.53.6

  Fedora 33: seamonkey 2021-4123411771 (Jan 27)
 

Update to 2.53.6

  Fedora 33: thunderbird 2021-43e458d707 (Jan 27)
 

Update to latest upstream version.

  Fedora 33: php-pear 2021-dc7de65eed (Jan 27)
 

**Archive_Tar 1.4.12** * Fix Bug #27008: Symlink out-of-path write vulnerability (CVE-2020-36193) [mrook]

  Fedora 32: nss 2021-48ff299b05 (Jan 27)
 

New Firefox version (85.0) with various Wayland fixes. New NSS version (3.60).

  Fedora 32: firefox 2021-48ff299b05 (Jan 27)
 

New Firefox version (85.0) with various Wayland fixes. New NSS version (3.60).

  Fedora 32: sudo 2021-8840cbdccd (Jan 26)
 

Security fix for CVE-2021-3156

  Fedora 32: php-pear 2021-02996612f6 (Jan 26)
 

**Archive_Tar 1.4.12** * Fix Bug #27008: Symlink out-of-path write vulnerability (CVE-2020-36193) [mrook]

  Fedora 33: sudo 2021-2cb63d912a (Jan 26)
 

Security fix for CVE-2021-3156

  Fedora 33: kernel 2021-3bcc7198c8 (Jan 26)
 

The 5.10.10 stable kernel update contains a number of important fixes across the tree.

  Fedora 33: xen 2021-7785f6c616 (Jan 24)
 

IRQ vector leak on x86 [XSA-360]

  Fedora 33: sddm 2021-7066b95c99 (Jan 23)
 

Rebase SDDM to 0.19.0

  Fedora 33: chromium 2021-48866282e5 (Jan 23)
 

This is probably not the update you want. Let me be clear, it does fix the security vulnerabilities in this list: CVE-2020-16044 CVE-2021-21118 CVE-2021-21119 CVE-2021-21120 CVE-2021-21121 CVE-2021-21122 CVE-2021-21123 CVE-2021-21124 CVE-2021-21125 CVE-2021-21126 CVE-2021-21127 CVE-2021-21129 CVE-2021-21130 CVE-2021-21131 CVE-2021-21132 CVE-2021-21133 CVE-2021-21134

  Fedora 32: python-pillow 2021-880aa7bd27 (Jan 23)
 

Backport fixes for CVE-2020-35653, CVE-2020-35654, CVE-2020-35655.

  Fedora 32: chromium 2021-d9faeff8eb (Jan 22)
 

Update to 87.0.4280.141. Fixes: CVE-2021-21106 CVE-2021-21107 CVE-2021-21108 CVE-2021-21109 CVE-2021-21110 CVE-2021-21111 CVE-2021-21112 CVE-2021-21113 CVE-2020-16043 CVE-2021-21114 CVE-2020-15995 CVE-2021-21115 CVE-2021-21116

  Fedora 33: dotnet3.1 2021-fb078913dd (Jan 21)
 

This is the January 2021 security update for .NET Core 3.1: https://github.com/dotnet/core/blob/master/release-notes/3.1/3.1.11/3.1.11.md This update includes a fix for CVE-2021-1723.

  Fedora 32: dotnet3.1 2021-77a4202036 (Jan 21)
 

This is the January 2021 security update for .NET Core 3.1: https://github.com/dotnet/core/blob/master/release-notes/3.1/3.1.11/3.1.11.md This update includes a fix for CVE-2021-1723.

  Gentoo: GLSA-202101-38: NSD: Symbolic link traversal (Jan 28)
 

A vulnerability was discovered in NSD which could allow a local attacker to cause a Denial of Service condition.

  Gentoo: GLSA-202101-37: VLC: Buffer overflow (Jan 28)
 

A buffer overflow in VLC might allow remote attacker(s) to execute arbitrary code.

  Gentoo: GLSA-202101-36: ImageMagick: Command injection (Jan 28)
 

A vulnerability in ImageMagick's handling of PDF was discovered possibly allowing code execution.

  Gentoo: GLSA-202101-35: phpMyAdmin: Multiple vulnerabilities (Jan 27)
 

Multiple vulnerabilities have been found in phpMyAdmin, allowing remote attackers to conduct XSS.

  Gentoo: GLSA-202101-34: Telegram Desktop: Multiple vulnerabilities (Jan 27)
 

Multiple vulnerabilities have been found in Telegram, the worst of which could result in information disclosure.

  Gentoo: GLSA-202101-33: sudo: Multiple vulnerabilities (Jan 26)
 

Multiple vulnerabilities have been found in sudo, the worst of which could result in privilege escalation.

  Gentoo: GLSA-202101-31: Cacti: Remote code execution (Jan 26)
 

A vulnerability in Cacti could lead to remote code execution.

  Gentoo: GLSA-202101-32: Mutt, NeoMutt: Information disclosure (Jan 26)
 

A weakness was discovered in Mutt and NeoMutt's TLS handshake handling

  Gentoo: GLSA-202101-30: Qt WebEngine: Multiple vulnerabilities (Jan 25)
 

Multiple vulnerabilities have been found in Qt WebEngine, the worst of which could result in the arbitrary execution of code.

  Gentoo: GLSA-202101-29: OpenJPEG: Multiple vulnerabilities (Jan 25)
 

Multiple vulnerabilities have been found in OpenJPEG, the worst of which could result in the arbitrary execution of code.

  Gentoo: GLSA-202101-28: ncurses: Multiple vulnerabilities (Jan 25)
 

Multiple vulnerabilities have been found in ncurses, the worst of which could result in a Denial of Service condition.

  Gentoo: GLSA-202101-27: FreeRADIUS: Root privilege escalation (Jan 25)
 

Multiple vulnerabilities were discovered in Gentoo's systemd unit for FreeRADIUS which could lead to root privilege escalation.

  Gentoo: GLSA-202101-26: f2fs-tools: Multiple vulnerabilities (Jan 25)
 

Multiple vulnerabilities have been found in f2fs-tools, the worst of which could result in the arbitrary execution of code.

  Gentoo: GLSA-202101-25: Mutt: Denial of service (Jan 25)
 

A vulnerability in Mutt could lead to a Denial of Service condition.

  Gentoo: GLSA-202101-24: cfitsio: Multiple vulnerabilities (Jan 25)
 

Multiple vulnerabilities have been found in cfitsio, the worst of which could result in the arbitrary execution of code.

  Gentoo: GLSA-202101-23: PEAR Archive_Tar: Directory traversal (Jan 25)
 

Multiple vulnerabilities have been found in PEAR Archive_Tar, the worst of which could result in the arbitrary execution of code.

  Gentoo: GLSA-202101-22: libvirt: Unintended access to /dev/mapper/control (Jan 25)
 

A vulnerability in libvirt may allow root privilege escalation.

  Gentoo: GLSA-202101-21: Flatpak: Sandbox escape (Jan 24)
 

A vulnerability was discovered in Flatpak which could allow a remote attacker to execute arbitrary code.

  Gentoo: GLSA-202101-20: glibc: Multiple vulnerabilities (Jan 24)
 

Multiple vulnerabilities have been found in glibc, the worst of which could result in the arbitrary execution of code.

  Gentoo: GLSA-202101-19: OpenJDK: Multiple vulnerabilities (Jan 24)
 

Multiple vulnerabilities have been found in OpenJDK, the worst of which could result in the arbitrary execution of code.

  Gentoo: GLSA-202101-18: Python: Multiple vulnerabilities (Jan 24)
 

Multiple vulnerabilities have been found in Python, the worst of which could result in the arbitrary execution of code.

  Gentoo: GLSA-202101-17: Dnsmasq: Multiple vulnerabilities (Jan 22)
 

Multiple vulnerabilities have been found in Dnsmasq, the worst of which may allow remote attackers to execute arbitrary code.

  Gentoo: GLSA-202101-16: KDE Connect: Denial of service (Jan 22)
 

A vulnerability in KDE Connect could lead to a Denial of Service condition.

  Gentoo: GLSA-202101-15: VirtualBox: Multiple vulnerabilities (Jan 22)
 

Multiple vulnerabilities have been found in VirtualBox, the worst of which could result in privilege escalation.

  Gentoo: GLSA-202101-14: Mozilla Thunderbird: Remote code execution (Jan 22)
 

Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code.

  Gentoo: GLSA-202101-13: Chromium, Google Chrome: Multiple vulnerabilities (Jan 22)
 

Multiple vulnerabilities have been found in Chromium and Google Chrome, the worst of which could result in the arbitrary execution of code.

  Gentoo: GLSA-202101-12: Wireshark: Multiple vulnerabilities (Jan 22)
 

Multiple vulnerabilities have been found in Wireshark, the worst of which could result in a Denial of Service condition.

  Gentoo: GLSA-202101-11: Zabbix: Root privilege escalation (Jan 21)
 

Multiple vulnerabilities were discovered in Gentoo's ebuild for Zabbix which could lead to root privilege escalation.

  RedHat: RHSA-2021-0299:01 Important: thunderbird security update (Jan 28)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0298:01 Important: thunderbird security update (Jan 28)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0297:01 Important: thunderbird security update (Jan 28)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0290:01 Important: firefox security update (Jan 27)
 

An update for firefox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0289:01 Important: firefox security update (Jan 27)
 

An update for firefox is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0288:01 Important: firefox security update (Jan 27)
 

An update for firefox is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0285:01 Important: firefox security update (Jan 27)
 

An update for firefox is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0223:01 Important: sudo security update (Jan 26)
 

An update for sudo is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0222:01 Important: sudo security update (Jan 26)
 

An update for sudo is now available for Red Hat Enterprise Linux 7.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0221:01 Important: sudo security update (Jan 26)
 

An update for sudo is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0224:01 Important: sudo security update (Jan 26)
 

An update for sudo is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions.

  RedHat: RHSA-2021-0227:01 Important: sudo security update (Jan 26)
 

An update for sudo is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0219:01 Important: sudo security update (Jan 26)
 

An update for sudo is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0225:01 Important: sudo security update (Jan 26)
 

An update for sudo is now available for Red Hat Enterprise Linux 7.3 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0218:01 Important: sudo security update (Jan 26)
 

An update for sudo is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0220:01 Important: sudo security update (Jan 26)
 

An update for sudo is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0226:01 Important: sudo security update (Jan 26)
 

An update for sudo is now available for Red Hat Enterprise Linux 7.2 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0258:01 Moderate: cryptsetup security update (Jan 26)
 

An update for cryptsetup is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0266:01 Moderate: gnome-settings-daemon security update (Jan 26)
 

An update for gnome-settings-daemon is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0257:01 Important: net-snmp security update (Jan 26)
 

An update for net-snmp is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions.

  RedHat: RHSA-2021-0171:01 Moderate: OpenShift Container Platform 4.6.13 bug (Jan 25)
 

Red Hat OpenShift Container Platform release 4.6.13 is now available with updates to packages and images that fix several bugs. This release also includes a security update for Red Hat OpenShift Container Platform 4.6.

  RedHat: RHSA-2021-0172:01 Moderate: OpenShift Container Platform 4.6.13 (Jan 25)
 

Red Hat OpenShift Container Platform release 4.6.13 is now available with updates to packages and images that fix several bugs. A security update for cri-o, openshift, openshift-clients, openshift-kuryr, and skopeo is now also available for Red Hat OpenShift Container Platform

  RedHat: RHSA-2021-0247:01 Important: Red Hat JBoss Enterprise Application (Jan 25)
 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0246:01 Important: Red Hat JBoss Enterprise Application (Jan 25)
 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0248:01 Important: Red Hat JBoss Enterprise Application (Jan 25)
 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0250:01 Important: Red Hat JBoss Enterprise Application (Jan 25)
 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0245:01 Moderate: dnsmasq security update (Jan 25)
 

An update for dnsmasq is now available for Red Hat Enterprise Linux 7.3 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0240:01 Moderate: dnsmasq security update (Jan 25)
 

An update for dnsmasq is now available for Red Hat Enterprise Linux 7.2 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  Slackware: 2021-026-01: sudo Security Update (Jan 26)
 

New sudo packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.

  Slackware: 2021-024-01: seamonkey Security Update (Jan 24)
 

New seamonkey packages are available for Slackware 14.2 and -current to fix security issues.

  SUSE: 2021:30-1 suse/sle15 Security Update (Jan 23)
 

The container suse/sle15 was updated. The following patches have been included in this update:

  Debian LTS: DLA-2535-1: ansible security update (Jan 27)
 

CVE-2017-7481 Ansible fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject

  Debian LTS: DLA-2534-1: sudo security update (Jan 26)
 

The Qualys Research Labs discovered a heap-based buffer overflow vulnerability in sudo, a program designed to provide limited super user privileges to specific users. Any local user (sudoers and non-sudoers) can exploit this flaw for root privilege escalation.

  Debian LTS: DLA-2532-1: debian-security-support security update (Jan 25)
 

debian-security-support, the Debian security support coverage checker, has been updated in stretch-security to mark the end of life of the reel package. See https://lists.debian.org/debian-lts/2021/01/msg00016.html for further

  Debian LTS: DLA-2531-1: python-bottle security update (Jan 24)
 

The package src:python-bottle before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a

  ArchLinux: 202101-41: jenkins: multiple issues (Jan 28)
 

The package jenkins before version 2.275-1 is vulnerable to multiple issues including cross-site scripting, directory traversal, incorrect calculation, arbitrary filesystem access, denial of service, information disclosure and insufficient validation.

  ArchLinux: 202101-40: flatpak: sandbox escape (Jan 28)
 

The package flatpak before version 1.10.0-1 is vulnerable to sandbox escape.

  ArchLinux: 202101-39: erlang: certificate verification bypass (Jan 28)
 

The package erlang before version 23.2.2-1 is vulnerable to certificate verification bypass.

  ArchLinux: 202101-38: dnsmasq: multiple issues (Jan 28)
 

The package dnsmasq before version 2.83-1 is vulnerable to multiple issues including arbitrary code execution, denial of service and insufficient validation.

  ArchLinux: 202101-37: virtualbox: multiple issues (Jan 28)
 

The package virtualbox before version 6.1.18-1 is vulnerable to multiple issues including arbitrary code execution, insufficient validation, denial of service and information disclosure.

  ArchLinux: 202101-36: podofo: multiple issues (Jan 28)
 

The package podofo before version 0.9.7-1 is vulnerable to multiple issues including arbitrary code execution and denial of service.

  ArchLinux: 202101-35: vlc: arbitrary code execution (Jan 28)
 

The package vlc before version 3.0.12-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202101-34: gptfdisk: arbitrary code execution (Jan 28)
 

The package gptfdisk before version 1.0.6-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202101-33: linux: directory traversal (Jan 28)
 

The package linux before version 5.10.7.arch1-1 is vulnerable to directory traversal.

  ArchLinux: 202101-32: linux-hardened: directory traversal (Jan 28)
 

The package linux-hardened before version 5.10.7.a-1 is vulnerable to directory traversal.

  ArchLinux: 202101-31: linux-zen: directory traversal (Jan 28)
 

The package linux-zen before version 5.10.7.zen1-1 is vulnerable to directory traversal.

  ArchLinux: 202101-30: linux-lts: directory traversal (Jan 28)
 

The package linux-lts before version 5.4.89-1 is vulnerable to directory traversal.

  ArchLinux: 202101-29: lldpd: information disclosure (Jan 28)
 

The package lldpd before version 1.0.8-1 is vulnerable to information disclosure.

  ArchLinux: 202101-28: openvswitch: multiple issues (Jan 28)
 

The package openvswitch before version 2.14.1-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure.

  ArchLinux: 202101-27: go: multiple issues (Jan 28)
 

The package go before version 2:1.15.7-1 is vulnerable to multiple issues including arbitrary command execution and incorrect calculation.

  ArchLinux: 202101-26: gobby: denial of service (Jan 28)
 

The package gobby before version 1:0.5.0+116+g295e697-1 is vulnerable to denial of service.

  ArchLinux: 202101-25: sudo: multiple issues (Jan 26)
 

The package sudo before version 1.9.5.p2-1 is vulnerable to multiple issues including privilege escalation and information disclosure.

  CentOS: CESA-2021-0221: Important CentOS 7 sudo (Jan 26)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0221

  CentOS: CESA-2021-0153: Moderate CentOS 7 dnsmasq (Jan 25)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0153

  CentOS: CESA-2021-0162: Important CentOS 7 xstream (Jan 25)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0162

  CentOS: CESA-2020-5350: Important CentOS 7 net-snmp (Jan 25)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5350

  SciLinux: SLSA-2021-0297-1 Important: thunderbird on SL7.x x86_64 (Jan 28)
 

This update upgrades Thunderbird to version 78.7.0. * Mozilla: Cross-origin information leakage via redirected PDF requests (CVE-2021-23953) * Mozilla: Type confusion when using logical assignment operators in JavaScript switch statements (CVE-2021-23954) * Mozilla: Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7 (CVE-2021-23964) * Mozilla: IMAP Response Injection when using STAR [More...]

  SciLinux: SLSA-2021-0290-1 Important: firefox on SL7.x x86_64 (Jan 27)
 

This update upgrades Firefox to version 78.7.0 ESR. * Mozilla: Cross-origin information leakage via redirected PDF requests (CVE-2021-23953) * Mozilla: Type confusion when using logical assignment operators in JavaScript switch statements (CVE-2021-23954) * Mozilla: Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7 (CVE-2021-23964) * Mozilla: HTTPS pages could have been intercepted [More...]

  SciLinux: SLSA-2021-0221-1 Important: sudo on SL7.x x86_64 (Jan 26)
 

sudo: Heap buffer overflow in argument parsing (CVE-2021-3156) SL7 x86_64 sudo-1.8.23-10.el7_9.1.x86_64.rpm sudo-debuginfo-1.8.23-10.el7_9.1.x86_64.rpm sudo-debuginfo-1.8.23-10.el7_9.1.i686.rpm sudo-devel-1.8.23-10.el7_9.1.i686.rpm sudo-devel-1.8.23-10.el7_9.1.x86_64.rpm - Scientific Linux Development Team

  SciLinux: SLSA-2021-0162-1 Important: xstream on SL7.x (noarch) (Jan 26)
 

XStream: remote code execution due to insecure XML deserialization when relying on blocklists (CVE-2020-26217) SL7 noarch xstream-1.3.1-12.el7_9.noarch.rpm xstream-javadoc-1.3.1-12.el7_9.noarch.rpm - Scientific Linux Development Team

  openSUSE: 2021:0180-1 moderate: python-autobahn (Jan 28)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0176-1 moderate: python-autobahn (Jan 27)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0177-1 important: chromium (Jan 27)
 

An update that fixes 26 vulnerabilities is now available.

  openSUSE: 2021:0173-1 important: chromium (Jan 27)
 

An update that fixes 26 vulnerabilities is now available.

  openSUSE: 2021:0169-1 important: sudo (Jan 27)
 

An update that solves three vulnerabilities and has one errata is now available.

  openSUSE: 2021:0170-1 important: sudo (Jan 27)
 

An update that solves three vulnerabilities and has one errata is now available.

  openSUSE: 2021:0166-1 important: chromium (Jan 26)
 

An update that fixes 26 vulnerabilities is now available.

  openSUSE: 2021:0165-1 important: virtualbox (Jan 25)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0162-1 moderate: mutt (Jan 25)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0161-1 moderate: mutt (Jan 25)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0160-1 moderate: stunnel (Jan 25)
 

An update that contains security fixes can now be installed.

  openSUSE: 2021:0154-1 moderate: wavpack (Jan 24)
 

An update that fixes 13 vulnerabilities is now available.

  openSUSE: 2021:0153-1 moderate: wavpack (Jan 24)
 

An update that fixes 13 vulnerabilities is now available.

  openSUSE: 2021:0150-1 moderate: gdk-pixbuf (Jan 24)
 

An update that solves one vulnerability and has one errata is now available.

  openSUSE: 2021:0152-1 moderate: python-autobahn (Jan 24)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0148-1 moderate: ImageMagick (Jan 24)
 

An update that fixes 35 vulnerabilities is now available.

  openSUSE: 2021:0147-1 critical: hawk2 (Jan 24)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0145-1 moderate: viewvc (Jan 23)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0144-1 critical: hawk2 (Jan 23)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0140-1 important: xstream (Jan 22)
 

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0138-1 moderate: opera (Jan 22)
 

An update that fixes 13 vulnerabilities is now available.

  openSUSE: 2021:0139-1 moderate: opera (Jan 22)
 

An update that fixes 13 vulnerabilities is now available.

  openSUSE: 2021:0136-1 moderate: ImageMagick (Jan 22)
 

An update that fixes 35 vulnerabilities is now available.

  openSUSE: 2021:0132-1 moderate: python-autobahn (Jan 21)
 

An update that fixes one vulnerability is now available.

  Mageia 2021-0056: sudo security update (Jan 26)
 

A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug (CVE-2021-3156).

  Mageia 2021-0055: python-urllib3 security update (Jan 25)
 

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest() (CVE-2020-26137). References:

  Mageia 2021-0054: python-pip security update (Jan 25)
 

It was discovered that pip did not properly sanitize the filename during pip install. A remote attacker could possible use this issue to read and write arbitrary files on the host filesystem as root, resulting in a directory traversal attack (CVE-2019-20916).

  Mageia 2021-0053: glibc security update (Jan 23)
 

Security fixes: - fix buffer overrun in EUC-KR conversion module [bz #2497] (CVE-2019-25013) - arm: CVE-2020-6096: Fix multiarch memcpy for negative length [BZ #25620] - arm: CVE-2020-6096: fix memcpy and memmove for negative length [BZ #25620] - iconv: Fix incorrect UCS4 inner loop bounds [BZ #26923] (CVE-2020-29562)

  Mageia 2021-0052: undertow security update (Jan 22)
 

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling (CVE-2020-10719). References:

  Mageia 2021-0051: blosc security update (Jan 22)
 

A heap-based buffer overflow vulnerability was found in the blosc library. Depending on how the library is used, if there is a lack of space to write compressed data, an attacker might exploit this flaw to crash the program or potentially execute arbitrary code (CVE-2020-29367).

  Mageia 2021-0050: php-oojs-oojs-ui security update (Jan 22)
 

The php-oojs-oojs-ui package has been updated to version 0.41.0 to pick up all of the latest fixes from upstream mediawiki. References: - https://bugs.mageia.org/show_bug.cgi?id=27824

  Mageia 2021-0049: crmsh security update (Jan 22)
 

The crm configure and hb_report commands failed to sanitize sensitive information by default (bsc#1163581). An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands

  Mageia 2021-0048: perl-DBI security update (Jan 22)
 

An issue was discovered in the DBI module before 1.643 for Perl. The hv_fetch() documentation requires checking for NULL and the code does that. But, shortly thereafter, it calls SvOK(profile), causing a NULL pointer dereference. (CVE-2019-20919).

Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript![ ? ]

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.