Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! Staying on top of the latest security advisories issued by the distro(s) you use is essential in maintaining an updated, secure Linux system. Our weekly newsletter is an easy, convenient way to track distribution security advisories - helping you keep your Linux environment safe from malware and other exploits.

Important advisories issued this week include warnings from Debian of two vulnerabilities in Node.js that could result in denial of service and potentially the execution of arbitrary code or HTTP request smuggling, and multiple issues with the Chromium web browser which could result in the execution of arbitrary code, denial of service or information disclosure. Continue reading to learn about other significant advisories issued this week. Stay healthy, safe and secure - both on and offline!

Yours in Open Source,

Brittany


LinuxSecurity.com Feature Extras:

Linux Pentesting: What Is It and How Can It Improve Network Security? - This article will introduce the concept of pentesting to improve and verify network security, explain basic pentesting methodology and explore some excellent pentesting tools, distros and OSes available to Linux users in 2021.

How Reverse Engineering Can Help Secure Your Linux Systems Against Malware - This article will examine how reverse engineering can be used to secure Linux systems against malware and other exploits, and will introduce our favorite tools, toolkits and utilities for reverse engineering and malware scanning available to Linux users.


  Debian: DSA-4828-1: libxstream-java security update (Jan 7)
 

Liaogui Zhong discovered two security issues in XStream, a Java library to serialise objects to XML and back again, which could result in the deletion of files or server-side request forgery when unmarshalling.

  Debian: DSA-4827-1: firefox-esr security update (Jan 7)
 

A security issue was found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code. For the stable distribution (buster), this problem has been fixed in

  Debian: DSA-4826-1: nodejs security update (Jan 6)
 

Two vulnerabilities were discovered in Node.js, which could result in denial of service and potentially the execution of arbitrary code or HTTP request smuggling.

  Debian: DSA-4806-2: minidlna regression update (Jan 5)
 

The update for minidlna released as DSA 4806-1 introduced a regression when purging the package. Updated minidlna packages are now available to correct this issue.

  Debian: DSA-4825-1: dovecot security update (Jan 4)
 

Several vulnerabilities have been discovered in the Dovecot email server. CVE-2020-24386

  Debian: DSA-4824-1: chromium security update (Jan 1)
 

Multiple security issues were discovered in the Chromium web browser, which could result in the execution of arbitrary code, denial of service or information disclosure.

  Debian: DSA-4823-1: influxdb security update (Jan 1)
 

It was discovered that incorrect validation of JWT tokens in InfluxDB, a time series, metrics, and analytics database, could result in authentication bypass.

  Debian: DSA-4822-1: p11-kit security update (Jan 1)
 

David Cook reported several memory safety issues affecting the RPC protocol in p11-kit, a library providing a way to load and enumerate PKCS#11 modules.

  Fedora 33: awstats 2020-4cba5f2846 (Jan 7)
 

Security fix for CVE-2020-35176

  Fedora 32: dia 2020-cbc0754798 (Jan 7)
 

- Added upstream patch to avoid infinite loop on filenames with invalid encoding (CVE-2019-19451, #1778767)

  Fedora 32: awstats 2020-d1aa0e030c (Jan 7)
 

Update to AWStats 7.8. Includes security fix for CVE-2020-29600 / CVE-2020-35176

  Fedora 33: rubygem-em-http-request 2020-8ccd750904 (Jan 6)
 

Security fix for CVE-2020-13482

  Fedora 32: mingw-binutils 2020-28c78a6ac3 (Jan 6)
 

Backport patches for CVE-2020-35493, CVE-2020-35494, CVE-2020-35495, CVE-2020-35496.

  Fedora 32: rubygem-em-http-request 2020-117f1b67fb (Jan 6)
 

Security fix for CVE-2020-13482.

  Fedora 33: python-py 2020-8371993b6b (Jan 4)
 

1.10.0 (2020-12-12)

- Fix a regular expression DoS vulnerability in the py.path.svnwc SVN blame functionality (CVE-2020-29651)
- Update vendored apipkg: 1.4 => 1.5
- Update vendored iniconfig: 1.0.0 => 1.1.1

  Fedora 33: grafana 2020-64e54abd9f (Jan 4)
 

Update to upstream 7.3.6. Note regarding CVE-2020-27846: SAML is not supported in the open source version of Grafana, however the dependency on crewjam/saml is also present in the open source version. This update removes this dependency altogether.

  Fedora 33: perl-Convert-ASN1 2020-9fa782be3e (Jan 4)
 

Security fix for CVE-2013-7488

  Fedora 32: python-py 2020-db0eb54982 (Jan 4)
 

1.10.0 (2020-12-12)

- Fix a regular expression DoS vulnerability in the py.path.svnwc SVN blame functionality (CVE-2020-29651)
- Update vendored apipkg: 1.4 => 1.5
- Update vendored iniconfig: 1.0.0 => 1.1.1

1.9.0 (2020-06-24)

- Add type annotation stubs for the following modules:
  - ``py.error``
  - ``py.iniconfig``
  - ``py.path`` (not including SVN paths)

  Fedora 32: grafana 2020-968067abfa (Jan 4)
 

Update to upstream 7.3.6. Note regarding CVE-2020-27846: SAML is not supported in the open source version of Grafana, however the dependency on crewjam/saml is also present in the open source version. This update removes this dependency altogether.

  Fedora 32: guacamole-server 2020-bfde0ab889 (Jan 3)
 

Updated SPEC file and rebuilt for new dependencies.

  Fedora 33: guacamole-server 2020-640645e518 (Jan 3)
 

Updated SPEC file and rebuilt for new dependencies.

  Fedora 33: ceph 2020-fcafbe7225 (Jan 2)
 

ceph 15.2.8 GA. Security fix for CVE-2020-27781

  RedHat: RHSA-2020-5388:01 Important: Red Hat support for Spring Boot 2.2.11 (Jan 7)
 

An update is now available for Red Hat support for Spring Boot. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each

  RedHat: RHSA-2021-0028:01 Important: Red Hat Virtualization security, (Jan 6)
 

An update for openvswitch2.11, ovn2.11, redhat-release-virtualization-host, and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 and Red Hat Virtualization Engine 4.3. Red Hat Product Security has rated this update as having a security impact

  RedHat: RHSA-2021-0019:01 Moderate: kernel security and bug fix update (Jan 5)
 

An update for kernel is now available for Red Hat Enterprise Linux 7.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0003:01 Important: kernel security and bug fix update (Jan 4)
 

An update for kernel is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0004:01 Important: kernel-rt security and bug fix update (Jan 4)
 

An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  SUSE: 2021:19-1 ses/6/rook/ceph Security Update (Jan 8)
 

The container ses/6/rook/ceph was updated. The following patches have been included in this update:

  SUSE: 2021:18-1 ses/6/ceph/ceph Security Update (Jan 8)
 

The container ses/6/ceph/ceph was updated. The following patches have been included in this update:

  SUSE: 2021:17-1 ses/6/cephcsi/cephcsi Security Update (Jan 8)
 

The container ses/6/cephcsi/cephcsi was updated. The following patches have been included in this update:

  SUSE: 2021:14-1 harbor/harbor-trivy-adapter Security Update (Jan 5)
 

The container harbor/harbor-trivy-adapter was updated. The following patches have been included in this update:

  SUSE: 2021:13-1 harbor/harbor-test Security Update (Jan 5)
 

The container harbor/harbor-test was updated. The following patches have been included in this update:

  SUSE: 2021:12-1 harbor/harbor-registryctl Security Update (Jan 5)
 

The container harbor/harbor-registryctl was updated. The following patches have been included in this update:

  SUSE: 2021:11-1 harbor/harbor-registry Security Update (Jan 5)
 

The container harbor/harbor-registry was updated. The following patches have been included in this update:

  SUSE: 2021:10-1 harbor/harbor-redis-operator Security Update (Jan 5)
 

The container harbor/harbor-redis-operator was updated. The following patches have been included in this update:

  SUSE: 2021:9-1 harbor/harbor-redis Security Update (Jan 5)
 

The container harbor/harbor-redis was updated. The following patches have been included in this update:

  SUSE: 2021:8-1 harbor/harbor-portal Security Update (Jan 5)
 

The container harbor/harbor-portal was updated. The following patches have been included in this update:

  SUSE: 2021:7-1 harbor/harbor-notary-signer Security Update (Jan 5)
 

The container harbor/harbor-notary-signer was updated. The following patches have been included in this update:

  SUSE: 2021:6-1 harbor/harbor-notary-server Security Update (Jan 5)
 

The container harbor/harbor-notary-server was updated. The following patches have been included in this update:

  SUSE: 2021:5-1 harbor/harbor-nginx Security Update (Jan 5)
 

The container harbor/harbor-nginx was updated. The following patches have been included in this update:

  SUSE: 2021:4-1 harbor/harbor-jobservice Security Update (Jan 5)
 

The container harbor/harbor-jobservice was updated. The following patches have been included in this update:

  SUSE: 2021:2-1 harbor/harbor-db Security Update (Jan 5)
 

The container harbor/harbor-db was updated. The following patches have been included in this update:

  SUSE: 2021:1-1 harbor/harbor-core Security Update (Jan 5)
 

The container harbor/harbor-core was updated. The following patches have been included in this update:

  Debian LTS: DLA-2520-1: golang-websocket security update (Jan 7)
 

There was an integer overflow vulnerability concerning the length of websocket frames received via a websocket connection. An attacker could use this flaw to cause a denial of service attack on an HTTP Server allowing websocket connections.

  Debian LTS: DLA-2519-1: pacemaker security update (Jan 6)
 

Several security vulnerabilities were addressed in pacemaker, a cluster resource manager. CVE-2018-16877

  Debian LTS: DLA-2518-1: cairo security update (Jan 5)
 

LibreOffice slideshow aborts with stack smashing in cairo's composite_boxes. For Debian 9 stretch, this problem has been fixed in version

  Debian LTS: DLA-2516-1: gssproxy security update (Jan 4)
 

It was discovered that there was an issue in the gssproxy privilege separation caused by gssproxy not unlocking cond_mutex prior to calling pthread_exit.

  Debian LTS: DLA-2515-1: csync2 security update (Jan 4)
 

It was discovered that csync2, a cluster synchronization tool, did not correctly check for the return value from GnuTLS security routines. It neglected to repeatedly call this function as required by the design of the API.

  Debian LTS: DLA-2514-1: flac security update (Jan 4)
 

Two vulnerabilities were fixed in flac, the library for the Free Lossless Audio Codec. CVE-2017-6888

  Debian LTS: DLA-2513-1: p11-kit security update (Jan 4)
 

Several memory safety issues affecting the RPC protocol were fixed in p11-kit, a library providing a way to load and enumerate PKCS#11 modules.

  Debian LTS: DLA-2512-1: libhibernate3-java security update (Jan 3)
 

A flaw was found in hibernate-core. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

  Debian LTS: DLA-2507-1: libxstream-java security update (Dec 31)
 

Several security vulnerabilities were discovered in XStream, a Java library to serialize objects to XML and back again. CVE-2020-26258

  ArchLinux: 202101-4: dovecot: multiple issues (Jan 5)
 

The package dovecot before version 2.3.13-1 is vulnerable to multiple issues including information disclosure and denial of service.

  ArchLinux: 202101-3: poppler: arbitrary code execution (Jan 5)
 

The package poppler before version 21.01.0-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202101-2: roundcubemail: cross-site scripting (Jan 5)
 

The package roundcubemail before version 1.4.10-1 is vulnerable to cross-site scripting.

  ArchLinux: 202101-1: rsync: man-in-the-middle (Jan 5)
 

The package rsync before version 3.2.3-2 is vulnerable to man-in-the-middle.

  ArchLinux: 202012-26: qemu: multiple issues (Dec 31)
 

The package qemu before version 5.2.0-1 is vulnerable to multiple issues including arbitrary code execution and denial of service.

  ArchLinux: 202012-25: firefox: multiple issues (Dec 31)
 

The package firefox before version 84.0-1 is vulnerable to multiple issues including arbitrary code execution, content spoofing and information disclosure.

  ArchLinux: 202012-24: openssl: denial of service (Dec 31)
 

The package openssl before version 1.1.1.i-1 is vulnerable to denial of service.

  ArchLinux: 202012-23: thunderbird: multiple issues (Dec 31)
 

The package thunderbird before version 78.6.0-1 is vulnerable to multiple issues including arbitrary code execution, content spoofing and information disclosure.

  ArchLinux: 202012-22: tensorflow: multiple issues (Dec 31)
 

The package tensorflow before version 2.4.0-1 is vulnerable to multiple issues including information disclosure and denial of service.

  ArchLinux: 202012-21: openjpeg2: multiple issues (Dec 31)
 

The package openjpeg2 before version 2.4.0-1 is vulnerable to multiple issues including arbitrary code execution and denial of service.

  SciLinux: SLSA-2021-0024-1 Important: ImageMagick on SL7.x x86_64 (Jan 5)
 

ImageMagick: Shell injection via PDF password could result in arbitrary code execution (CVE-2020-29599)

SL7 x86_64:

- ImageMagick-6.9.10.68-5.el7_9.i686.rpm
- ImageMagick-6.9.10.68-5.el7_9.x86_64.rpm
- ImageMagick-c++-6.9.10.68-5.el7_9.i686.rpm
- ImageMagick-c++-6.9.10.68-5.el7_9.x86_64.rpm
- ImageMagick-debuginfo-6.9.10.68-5.el7_9.i686.rpm
- ImageMagick-debuginfo-6.9.10.68-5.el7

  openSUSE: 2021:0027-1 moderate: gimp (Jan 7)
 

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0026-1 important: dovecot23 (Jan 7)
 

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0025-1 important: kitty (Jan 7)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0024-1 moderate: python-notebook (Jan 7)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0016-1 moderate: privoxy (Jan 5)
 

An update that contains security fixes can now be installed.

  openSUSE: 2021:0017-1 moderate: privoxy (Jan 5)
 

An update that contains security fixes can now be installed.

  openSUSE: 2021:0012-1 moderate: jetty-minimal (Jan 4)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0006-1 moderate: privoxy (Jan 1)
 

An update that contains security fixes can now be installed.

  openSUSE: 2020:2367-1 moderate: groovy (Dec 31)
 

An update that fixes one vulnerability is now available.

  Mageia 2021-0005: vlc security update (Jan 4)
 

The vlc package has been updated to version 3.0.12.1, which includes security enhancements in the web interface, as well as other fixes and enhancements. See the upstream NEWS file for details.

  Mageia 2021-0004: rawtherapee security update (Jan 4)
 

There is a floating point exception in dcraw_common.cpp of libRAW. It will lead to a remote denial of service attack. This code is embedded in rawtherapee (CVE-2017-13735). References:

  Mageia 2021-0003: gdm security update (Jan 4)
 

Kevin Backhouse discovered that GDM incorrectly launched the initial setup tool when the accountsservice daemon was not reachable. A local attacker able to cause accountsservice to crash or stop responding could trick GDM into launching the initial setup tool and create a privileged user (CVE-2020-16125).

  Mageia 2021-0002: libxml2 security update (Jan 4)
 

libxml2 v2.9.10 and earlier has a global Buffer Overflow vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c (CVE-2020-24977). References: - https://bugs.mageia.org/show_bug.cgi?id=27300

  Mageia 2021-0001: audacity security update (Jan 2)
 

Audacity through 2.3.3 saves temporary files to /var/tmp/audacity-$USER by default. After Audacity creates the temporary directory, it sets its permissions to 755. Any user on the system can read and play the temporary audio .au files located there (CVE-2020-11867).

  Mageia 2020-0483: minidlna security update (Dec 31)
 

It was discovered that minidlna does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue (CVE-2020-12695).

  Mageia 2020-0482: curl security update (Dec 31)
 

Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data (CVE-2020-8231). A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way