Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! 

Today’s newsletter is sponsored by RoseHosting. For fast, secure and fully-managed Linux hosting, check out RoseHosting VPS hosting.

This week, important updates have been issued for Dovecot, the Intel microcode and the Linux kernel (KVM). Ubuntu users are at heightened risk this week, as an array of important kernel security issues impacting Ubuntu and its derivatives have been discovered and fixed.

We recommend that you visit our Advisories page frequently to see the latest security advisories that have been issued by your Linux distro(s). We also now offer the ability to personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select. 

On behalf of the LinuxSecurity.com administrative team, I would like to extend a warm welcome to our newly redesigned site!

Yours in Open Source,

Brittany

Dovecot

The Discovery

Two remotely exploitable vulnerabilities have been identified in Dovecot before version 2.3.14.1 (CVE-2021-29157 and CVE-2021-33515). CVE-2021-29157 involves incorrect escaping of the kid and azp fields in JWT tokens, while CVE-2021-33515 affects the SMTP submission service.

The Impact

Both of these Dovecot vulnerabilities can result in information disclosure. In some configurations, CVE-2021-29157 lets an attacker who is able to write files to the local disk supply attacker-controlled keys for token validation, enabling a local user to log in as any user and read their email. CVE-2021-33515 (impacting the SMTP submission service) allows an on-path attacker with sending permissions on the submission server to inject plaintext commands before the STARTTLS negotiation that are then executed after STARTTLS has completed with the client, potentially exposing user credentials and email.
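To make the first Dovecot issue concrete, here is an added illustration (not Dovecot's code) of the class of bug behind CVE-2021-29157: claims taken from an unverified JWT (kid from the header, azp from the payload) are used to locate a validation key on disk. The on-disk layout <key_dir>/<azp>/<kid> and the directory /etc/mail/jwt-keys are assumptions for the example. The weak lookup joins the claims straight into a path, so a claim containing path separators can point the server at a file the attacker was able to write; the hardened lookup rejects anything that is not a single, plain path component and then checks lexically that the result is still inside the key directory.

```python
import base64
import json
import re
from pathlib import PurePosixPath

# Assumed layout for this example: one trusted validation key per file at
# <KEY_DIR>/<azp>/<kid>. Hypothetical, not Dovecot's real key store.
KEY_DIR = PurePosixPath("/etc/mail/jwt-keys")

# A usable path component: 1-64 chars from a small allowlist, never starting
# with a dot. This rules out "", ".", "..", hidden files and any separator.
# Bad values are rejected outright rather than escaped.
COMPONENT = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}$")


def make_token(header: dict, payload: dict) -> str:
    """Build an unsigned test token (empty signature segment). Constructed
    input for the example; a real token would be signed."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64(header)}.{b64(payload)}."


def decode_part(part: str) -> dict:
    """base64url-decode one JWT segment, restoring the stripped '=' padding."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def claims_for_key_lookup(token: str) -> tuple:
    """Return (azp, kid). Note these come from an UNVERIFIED token: the key
    has not been found yet, so the signature cannot have been checked."""
    header, payload, _signature = token.split(".")
    return decode_part(payload).get("azp", ""), decode_part(header).get("kid", "")


def is_safe_component(value: str) -> bool:
    """True only if value can be used as exactly one path component."""
    return bool(COMPONENT.fullmatch(value))


def unsafe_key_path(key_dir: PurePosixPath, azp: str, kid: str) -> PurePosixPath:
    """The weak pattern: untrusted claims are joined into a path with no
    validation, so an azp of '../../tmp' leaves key_dir entirely."""
    return key_dir / azp / kid


def safe_key_path(key_dir: PurePosixPath, azp: str, kid: str) -> PurePosixPath:
    """Validate each claim as a single component, then confirm lexically that
    the joined path still has key_dir as its grandparent."""
    for value in (azp, kid):
        if not is_safe_component(value):
            raise ValueError(f"rejected JWT claim used for key lookup: {value!r}")
    path = key_dir / azp / kid
    if path.parent.parent != key_dir:
        raise ValueError("key path escaped the key directory")
    return path


def key_path_for_token(token: str, key_dir: PurePosixPath = KEY_DIR) -> PurePosixPath:
    """Hardened end-to-end lookup: parse claims, then resolve them safely."""
    azp, kid = claims_for_key_lookup(token)
    return safe_key_path(key_dir, azp, kid)


if __name__ == "__main__":
    good = make_token({"alg": "RS256", "kid": "signing-2021"}, {"azp": "mail-client"})
    print("good token ->", key_path_for_token(good))
    print("weak lookup ->", unsafe_key_path(KEY_DIR, "../../tmp", "evil.pem"))
    bad = make_token({"alg": "RS256", "kid": "evil.pem"}, {"azp": "../../tmp"})
    try:
        key_path_for_token(bad)
    except ValueError as err:
        print("hardened lookup ->", err)
```

The lexical grandparent check is deliberately redundant with the regex: if someone later loosens COMPONENT, the path check still catches an escape. Neither check touches the filesystem, so it cannot be confused by symlinks or by a key directory that does not exist yet.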
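The second Dovecot issue is a protocol-state bug rather than a parsing bug, so here is an added toy submission server (written for this newsletter, not Dovecot's code) that shows the difference between keeping and discarding the plaintext input buffer at STARTTLS. Both client streams are constructed samples: the bytes read before the handshake and the bytes the genuine client sends after it. With discard_on_starttls=False, whatever followed the STARTTLS line in the plaintext read stays buffered and is executed as if it had arrived over TLS, which is the behaviour the advisory describes; with True the buffer is emptied at the handshake, matching RFC 3207's requirement that the protocol be reset to its initial state after TLS is negotiated.

```python
from dataclasses import dataclass, field

CRLF = b"\r\n"

# Constructed sample traffic for this example. The plaintext stream carries an
# extra command after STARTTLS; the TLS stream is what the real client sends
# once the handshake has finished.
SAMPLE_PLAINTEXT = b"EHLO mua.example\r\nSTARTTLS\r\nNOOP smuggled-plaintext\r\n"
SAMPLE_TLS = b"EHLO mua.example\r\nNOOP genuine-over-tls\r\n"


@dataclass
class Session:
    """What the toy server did with one client connection."""
    tls_active: bool = False
    executed: list = field(default_factory=list)   # (command, ran_over_tls)
    replies: list = field(default_factory=list)


def _pop_line(buf: bytes):
    """Split one CRLF-terminated line off the front of the buffer."""
    line, _sep, rest = buf.partition(CRLF)
    return line.decode("ascii", errors="replace").strip(), rest


def run_session(plaintext_wire: bytes, tls_wire: bytes, discard_on_starttls: bool) -> Session:
    """Simulate a submission server that reads plaintext_wire before TLS and
    tls_wire after the handshake. The only difference between the flawed and
    the fixed server is what happens to leftover bytes at STARTTLS."""
    s = Session()
    buf = plaintext_wire
    while CRLF in buf:
        cmd, buf = _pop_line(buf)
        if cmd.upper() == "STARTTLS":
            s.replies.append("220 Ready to start TLS")
            if discard_on_starttls:
                buf = b""        # fixed: forget everything read in plaintext
            s.tls_active = True
            buf += tls_wire      # simulate the handshake and the TLS-side reads
            continue
        s.executed.append((cmd, s.tls_active))
        s.replies.append("250 OK")
    return s


def commands_run_over_tls(plaintext_wire: bytes, tls_wire: bytes, hardened: bool) -> list:
    """Commands the server treated as authenticated-after-TLS."""
    session = run_session(plaintext_wire, tls_wire, hardened)
    return [cmd for cmd, over_tls in session.executed if over_tls]


def has_data_after_starttls(plaintext_wire: bytes) -> bool:
    """Detection hook: True if any bytes were pipelined after the STARTTLS
    line. A well-behaved client never does this, so it is worth logging."""
    buf = plaintext_wire
    while CRLF in buf:
        cmd, buf = _pop_line(buf)
        if cmd.upper() == "STARTTLS":
            return len(buf) > 0
    return False


if __name__ == "__main__":
    print("flawed server ran over TLS:",
          commands_run_over_tls(SAMPLE_PLAINTEXT, SAMPLE_TLS, hardened=False))
    print("fixed server ran over TLS: ",
          commands_run_over_tls(SAMPLE_PLAINTEXT, SAMPLE_TLS, hardened=True))
    print("pipelined data after STARTTLS:", has_data_after_starttls(SAMPLE_PLAINTEXT))
```

The same pattern applies to any STARTTLS-style opportunistic upgrade (IMAP, POP3, LDAP): the server must not carry input it read before the handshake across the TLS boundary, and a non-empty buffer at that point is a useful thing to alert on.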

The Fix

These issues have been fixed upstream in Dovecot version 2.3.15. Users should upgrade to version 2.3.15-1 immediately to protect sensitive information.

# pacman -Syu "dovecot>=2.3.15-1"


Intel Microcode
The Discovery

Various security vulnerabilities have been discovered in the Intel CPU microcode including a domain-bypass transient execution vulnerability in some Intel Atom(R) processors (CVE-2020-24513), an observable timing discrepancy in some Intel(R) processors (CVE-2020-24512), improper isolation of shared resources in some Intel(R) processors (CVE-2020-24511) and incomplete cleanup in some Intel(R) VT-d products.

The Impact

These flaws could be exploited by a local attacker to carry out privilege escalation and side-channel attacks, and could enable information disclosure.

The Fix

Intel has updated its CPU microcode to fix these bugs. Users should upgrade their intel-microcode packages immediately to prevent compromise.


Linux kernel (KVM)
The Discovery

Several security issues have been discovered in the Linux kernel (KVM). They include a race condition in the CAN BCM networking protocol resulting in multiple use-after-free vulnerabilities (CVE-2021-3609), improper enforcement of limits for pointer operations (CVE-2021-33200) and various flaws in the Linux kernel’s WiFi implementation, among other issues.

The Impact

These flaws pose various threats to a Linux system, including execution of arbitrary code, denial of service (system crash) and information leakage, among other impacts.

The Fix

These vulnerabilities have been fixed in the Linux kernel for Ubuntu 21.04.

This update provides the corresponding updates for the Linux KVM kernel for Ubuntu 21.04.
