Linux Advisory Watch: January 7, 2022 | LinuxSecurity.com

Advisories

Linux Advisory Watch: January 7, 2022

Happy Friday fellow Linux geeks! This week, important updates have been issued for djvulibre, aria2 and log4j. Read on to learn about these vulnerabilities and how to secure your system against them. 

Now you can personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select, making it easier than ever to keep your system up-to-date and secure.

Have a question about or comment on one of the vulnerabilities highlighted in today's newsletter? Let's discuss!

Yours in Open Source,

Brittany Day Signature

djvulibre

The Discovery 

Several dangerous vulnerabilities were discovered in djvulibre, a library and set of tools to handle documents in the DjVu format (CVE-2019-15142, CVE-2019-15143, CVE-2019-15144 and CVE-2019-15145).

ghostscript

The Impact

An attacker could exploit these flaws to crash document viewers and possibly execute arbitrary code through crafted DjVu files.

The Fix

A djvulibre security update has been released that fixes these issues. We recommend that you upgrade your djvulibre packages as soon as possible.

Your Related Advisories:

Register to Customize Your Advisories

aria2

The Discovery 

It was discovered in the download utility aria2 that --log was leaking HTTP user credentials in local log files (CVE-2019-3500).
firefox

The Impact

This bug could result in the compromise of sensitive information that could be used for malicious purposes.

The Fix

A security update released for aria2 mitigates this flaw. We urge you to upgrade your aria2 packages promptly.

Your Related Advisories:

Register to Customize Your Advisories

log4j

The Discovery

A security bug has been found in Log4j 1.x when the application is configured to use JMSAppender (CVE-2021-4104). JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data when an attacker has write access to the Log4j configuration. 

The Impactlibsndfile

A malicious actor can exploit this flaw by providing TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution (RCE) in a similar fashion to CVE-2021-44228.

The Fix

A log4j security update has been released that fixes this vulnerability. Update now!

Your Related Advisories:

Register to Customize Your Advisories

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.