Advisories

Linux Advisory Watch

Don't want to miss that crucial security notice?. The editorial staff at Guardian Digital will bring you complete coverage and in-depth
descriptions of all security bulletins, vulnerabilities and updated packages, all in one convenient weekly newsletter.

Linux Advisory Watch: June 11th, 2021

Linux Advisory Watch: June 11th, 2021

Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! Staying on top of the latest security advisories issued by the distro(s) you use is essential in maintaining an updated, secure Linux system. Our weekly newsletter is an easy, convenient way to track distribution security advisories - helping you keep your Linux environment safe from malware and other exploits.

This week, important updates were released for Firefox, Chromium and Intel microcode, among others.

Yours in Open Source,

Brittany Day Signature


LinuxSecurity.com Feature Extras:

Secure Linux Hosting for Businesses - Linux prevails as the most popular OS among hosting providers - and for good reason. Linux is secure by design , cost-efficient, compatible with the majority of key programming languages used worldwide and offers high levels of customization. 

What Is Threat Intelligence? - Thank you to Oyelakin Timilehin Valentina and Duane Dunston for contributing this article. Threat intelligence (or threat intell) is information used to understand past, present, and future threats targeting an organization. It is evidence-based knowledge about a previous, existing or emerging threat to organizational assets. Threat intelligence also includes settings, implications, mechanisms, context, and even action-oriented advice on the threat. Context mentioned here includes who the attackers are, what their motivation is, what their capabilities are, and what indicators of compromise are in your system. An Indicator of compromise (IOC) is forensic data in a system log file, for example, which identifies malicious activities on a system or network.


  Debian: DSA-4930-1: libwebp security update (Jun 10)
 

Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed.

  Debian: DSA-4929-1: rails security update (Jun 9)
 

Multiple security issues were discovered in the Rails web framework which could result in denial of service. For the stable distribution (buster), these problems have been fixed in

  Debian: DSA-4928-1: htmldoc security update (Jun 9)
 

A buffer overflow was discovered in HTMLDOC, a HTML processor that generates indexed HTML, PS, and PDF, which could potentially result in the execution of arbitrary code. In addition a number of crashes were addressed.

  Debian: DSA-4927-1: thunderbird security update (Jun 4)
 

Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code. In adddition two security issues were addressed in the OpenPGP support.

  Debian: DSA-4926-1: lasso security update (Jun 3)
 

It was discovered that lasso, a library which implements SAML 2.0 and Liberty Alliance standards, did not properly verify that all assertions in a SAML response were properly signed, allowing an attacker to impersonate users or bypass access control.

  Fedora 33: firefox 2021-7b03865dbc (Jun 10)
 

- Update to Firefox 89.0

  Fedora 33: lasso 2021-508acb1153 (Jun 10)
 

CVE-2021-28091 lasso: XML signature wrapping vulnerability when parsing SAML responses

  Fedora 33: mod_auth_openidc 2021-cc85f79f63 (Jun 10)
 

1965325 - CVE-2021-20718 mod_auth_openidc: DoS in oidc_util_read_post_params() in util.c

  Fedora 33: redis 2021-0ad4bec5b1 (Jun 10)
 

**Redis 6.0.14** - Released Tue June 1 12:00:00 IST 2021 Upgrade urgency: SECURITY, Contains fixes to security issues that affect authenticated client connections. MODERATE otherwise. Fix integer overflow in STRALGO LCS (**CVE-2021-32625**) An integer overflow bug in Redis version 6.0 or newer can be exploited using the STRALGO LCS command to corrupt the heap and potentially

  Fedora 33: nginx 2021-b37cffac0d (Jun 10)
 

Fix log permissions issue ---- Security: 1-byte memory overwrite might occur during DNS server response processing if the "resolver" directive was used, allowing an attacker who is able to forge UDP packets from the DNS server to cause worker process crash or, potentially, arbitrary code execution (CVE-2021-23017).

  Fedora 34: squid 2021-c0bec55ec7 (Jun 10)
 

- version update - security update

  Fedora 34: lasso 2021-bb3ea1e191 (Jun 10)
 

CVE-2021-28091 lasso: XML signature wrapping vulnerability when parsing SAML responses

  Fedora 34: mod_auth_openidc 2021-46b017b771 (Jun 10)
 

1965325 - CVE-2021-20718 mod_auth_openidc: DoS in oidc_util_read_post_params() in util.c

  Fedora 34: redis 2021-916f861096 (Jun 10)
 

**Redis 6.2.4** - Released Tue June 1 12:00:00 IST 2021 Upgrade urgency: SECURITY, Contains fixes to security issues that affect authenticated client connections. MODERATE otherwise. Fix integer overflow in STRALGO LCS (**CVE-2021-32625**) An integer overflow bug in Redis version 6.0 or newer can be exploited using the STRALGO LCS command to corrupt the heap and potentially

  Fedora 34: nginx 2021-393d698493 (Jun 10)
 

Fix log permissions issue ---- Security: 1-byte memory overwrite might occur during DNS server response processing if the "resolver" directive was used, allowing an attacker who is able to forge UDP packets from the DNS server to cause worker process crash or, potentially, arbitrary code execution (CVE-2021-23017).

  Fedora 34: microcode_ctl 2021-8a10199ab5 (Jun 9)
 

Update to upstream 2.1-33. 20210608 * Addition of 06-55-05/0xb7 (CLX-SP A0) microcode at revision 0x3000010; * Addition of 06-6a-05/0x87 (ICX-SP C0) microcode at revision 0xc0002f0; * Addition of 06-6a-06/0x87 (ICX-SP D0) microcode at revision 0xd0002a0; * Addition of 06-86-04/0x01 (SNR B0) microcode at revision 0xb00000f; * Addition of 06-86-05/0x01 (SNR B1) microcode (in intel-

  Fedora 34: firefox 2021-af55f610eb (Jun 9)
 

- Updated to Firefox 89.0

  Fedora 33: exiv2 2021-8917c5d9d2 (Jun 9)
 

Fix security issues.

  Fedora 34: musl 2021-0cf36f9134 (Jun 7)
 

#### What's new for 1.2.2 The release adds the `_Fork` function from the upcoming edition of POSIX and takes advantage of the interpretation dropping the async-signal-safety requirement from `fork` to provide a consistent execution environment (not restricted to calling only async-signal-safe functions) after a multithreaded parent forks. This solves deadlocks which would otherwise be

  Fedora 33: musl 2021-4892dbbf76 (Jun 7)
 

#### What's new for 1.2.2 The release adds the `_Fork` function from the upcoming edition of POSIX and takes advantage of the interpretation dropping the async-signal-safety requirement from `fork` to provide a consistent execution environment (not restricted to calling only async-signal-safe functions) after a multithreaded parent forks. This solves deadlocks which would otherwise be

  Fedora 34: polkit 2021-0ec5a8a74b (Jun 6)
 

CVE-2021-3560 mitigation

  Fedora 34: transfig 2021-b71f405f40 (Jun 6)
 

- New upstream release 3.2.8a - Add patches from upstream git fixing a couple of issues which may have security implications (CVE-2021-3561)

  Fedora 33: transfig 2021-dab56300b1 (Jun 6)
 

- New upstream release 3.2.8a - Add patches from upstream git fixing a couple of issues which may have security implications (CVE-2021-3561)

  Fedora 33: wireshark 2021-67691ad99d (Jun 4)
 

New version 3.4.5, Fix for CVE-2021-22207.

  Fedora 33: dhcp 2021-8ca8263bde (Jun 4)
 

Fix for CVE-2021-25217

  Fedora 34: wireshark 2021-6e0508d69d (Jun 4)
 

New version 3.4.5, Fix for CVE-2021-22207.

  Fedora 34: mingw-exiv2 2021-8253c78bd7 (Jun 3)
 

Backport fixes for CVE-2021-32617, CVE-2021-29623.

  Fedora 34: mingw-djvulibre 2021-f3183da6bb (Jun 3)
 

Apply fix for CVE-2021-3500. ---- Apply fix for CVE-2021-32490, CVE-2021-32491, CVE-2021-32492, CVE-2021-32493

  Fedora 34: singularity 2021-08df3bb58a (Jun 3)
 

Upgrade to upstream security release 3.7.4

  Fedora 33: mingw-exiv2 2021-bdba47348c (Jun 3)
 

Backport fixes for CVE-2021-32617, CVE-2021-29623.

  Fedora 33: mingw-djvulibre 2021-3193a4c13f (Jun 3)
 

Apply fix for CVE-2021-3500. ---- Apply fix for CVE-2021-32490, CVE-2021-32491, CVE-2021-32492, CVE-2021-32493

  Fedora 33: singularity 2021-ac3ef133e8 (Jun 3)
 

Upgrade to upstream security release 3.7.4

  Fedora 33: python-lxml 2021-4cdb0f68c7 (Jun 3)
 

Fix CVE-2021-28957: missing input sanitization for formaction HTML5 attributes may lead to XSS

  RedHat: RHSA-2021-2380:01 Important: servicemesh-operator security update (Jun 10)
 

An update for servicemesh-operator is now available for OpenShift Service Mesh 2.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2375:01 Important: postgresql:13 security update (Jun 10)
 

An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2372:01 Important: postgresql:12 security update (Jun 10)
 

An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2370:01 Important: container-tools:3.0 security update (Jun 10)
 

An update for the container-tools:3.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2371:01 Important: container-tools:rhel8 security update (Jun 10)
 

An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2150:01 Important: OpenShift Container Platform 3.11.452 (Jun 9)
 

Red Hat OpenShift Container Platform release 3.11.452 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 3.11.

  RedHat: RHSA-2021-2363:01 Important: gupnp security update (Jun 9)
 

An update for gupnp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-2364:01 Important: libwebp security update (Jun 9)
 

An update for libwebp is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2365:01 Important: libwebp security update (Jun 9)
 

An update for libwebp is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2361:01 Important: postgresql:10 security update (Jun 9)
 

An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2360:01 Important: postgresql:9.6 security update (Jun 9)
 

An update for the postgresql:9.6 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2357:01 Important: dhcp security update (Jun 9)
 

An update for dhcp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-2359:01 Important: dhcp security update (Jun 9)
 

An update for dhcp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-2355:01 Important: kernel security and bug fix update (Jun 9)
 

An update for kernel is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support, Red Hat Enterprise Linux 7.6 Telco Extended Update Support, and Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions.

  RedHat: RHSA-2021-2356:01 Important: nettle security update (Jun 9)
 

An update for nettle is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support, Red Hat Enterprise Linux 7.6 Telco Extended Update Support, and Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions.

  RedHat: RHSA-2021-2303:01 Important: microcode_ctl security, (Jun 8)
 

An update for microcode_ctl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2305:01 Important: microcode_ctl security, (Jun 8)
 

An update for microcode_ctl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2304:01 Important: microcode_ctl security, (Jun 8)
 

An update for microcode_ctl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2301:01 Important: microcode_ctl security, (Jun 8)
 

An update for microcode_ctl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2308:01 Important: microcode_ctl security, (Jun 8)
 

An update for microcode_ctl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2351:01 Important: .NET 5.0 on RHEL 7 security and bugfix (Jun 8)
 

An update for rh-dotnet50-dotnet is now available for .NET on Red Hat Enterprise Linux. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2307:01 Important: microcode_ctl security, (Jun 8)
 

An update for microcode_ctl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2350:01 Important: .NET Core 3.1 on RHEL 7 security and (Jun 8)
 

An update for rh-dotnet31-dotnet is now available for .NET Core on Red Hat Enterprise Linux. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2306:01 Important: microcode_ctl security, (Jun 8)
 

An update for microcode_ctl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2300:01 Important: microcode_ctl security, (Jun 8)
 

An update for microcode_ctl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2353:01 Important: .NET 5.0 security and bugfix update (Jun 8)
 

An update for .NET 5.0 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-2352:01 Important: .NET Core 3.1 security and bugfix (Jun 8)
 

An update for .NET Core 3.1 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2302:01 Important: microcode_ctl security, (Jun 8)
 

An update for microcode_ctl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2299:01 Important: microcode_ctl security, (Jun 8)
 

An update for microcode_ctl is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2354:01 Important: libwebp security update (Jun 8)
 

An update for libwebp is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-2328:01 Important: qt5-qtimageformats security update (Jun 8)
 

An update for qt5-qtimageformats is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2323:01 Moderate: 389-ds-base security and bug fix update (Jun 8)
 

An update for 389-ds-base is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-2316:01 Important: kernel-rt security and bug fix update (Jun 8)
 

An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-2322:01 Moderate: qemu-kvm security update (Jun 8)
 

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-2313:01 Moderate: samba security and bug fix update (Jun 8)
 

An update for samba is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-2318:01 Moderate: hivex security update (Jun 8)
 

An update for hivex is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-2314:01 Important: kernel security and bug fix update (Jun 8)
 

An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-2331:01 Important: libldb security update (Jun 8)
 

An update for libldb is now available for Red Hat Enterprise Linux 7.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2293:01 Important: kernel security update (Jun 8)
 

An update for kernel is now available for Red Hat Enterprise Linux 7.3 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2291:01 Important: container-tools:2.0 security update (Jun 8)
 

An update for the container-tools:2.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2292:01 Important: container-tools:2.0 security update (Jun 8)
 

An update for the container-tools:2.0 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2290:01 Important: nginx:1.16 security update (Jun 8)
 

An update for the nginx:1.16 module is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.1 Extended Update Support, and Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact

  RedHat: RHSA-2021-2285:01 Important: kpatch-patch security update (Jun 8)
 

An update is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-2280:01 Important: nettle security update (Jun 7)
 

An update for nettle is now available for Red Hat Enterprise Linux 7.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2278:01 Important: rh-nginx116-nginx security update (Jun 7)
 

An update for rh-nginx116-nginx is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2264:01 Important: thunderbird security update (Jun 7)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-2260:01 Important: libwebp security update (Jun 7)
 

An update for libwebp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-2263:01 Important: thunderbird security update (Jun 7)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-2261:01 Important: thunderbird security update (Jun 7)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2259:01 Important: nginx:1.18 security update (Jun 7)
 

An update for the nginx:1.18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2262:01 Important: thunderbird security update (Jun 7)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2258:01 Important: rh-nginx118-nginx security update (Jun 7)
 

An update for rh-nginx118-nginx is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2229:01 Moderate: rh-ruby27-ruby security, bug fix, (Jun 3)
 

An update for rh-ruby27-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-2230:01 Moderate: rh-ruby26-ruby security, bug fix, (Jun 3)
 

An update for rh-ruby26-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-2238:01 Important: polkit security update (Jun 3)
 

An update for polkit is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-2237:01 Important: polkit security update (Jun 3)
 

An update for polkit is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-2243:01 Low: rust-toolset-1.49 and rust-toolset-1.49-rust (Jun 3)
 

New rust-toolset-1.49 packages are now available as a part of Red Hat Developer Tools for Red Hat Enterprise Linux. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-2239:01 Moderate: Red Hat Virtualization Host security (Jun 3)
 

An update for imgbased, redhat-release-virtualization-host, and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact

  RedHat: RHSA-2021-2233:01 Critical: firefox security update (Jun 3)
 

An update for firefox is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-2236:01 Important: polkit security update (Jun 3)
 

An update for polkit is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  Slackware: 2021-158-02: polkit Security Update (Jun 7)
 

New polkit packages are available for Slackware 14.2 and -current to fix a security issue.

  Slackware: 2021-158-01: httpd Security Update (Jun 7)
 

New httpd packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.

  SUSE: 2021:536-1 sles-15-sp2-chost-byos-v20210610 Security Update (Jun 11)
 

The container sles-15-sp2-chost-byos-v20210610 was updated. The following patches have been included in this update:

  SUSE: 2021:537-1 suse-sles-15-sp2-chost-byos-v20210610-hvm-ssd-x86_64 Security Update (Jun 11)
 

The container suse-sles-15-sp2-chost-byos-v20210610-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

  SUSE: 2021:241-1 ses/7/rook/ceph Security Update (Jun 3)
 

The container ses/7/rook/ceph was updated. The following patches have been included in this update:

  SUSE: 2021:240-1 ses/7/ceph/ceph Security Update (Jun 3)
 

The container ses/7/ceph/ceph was updated. The following patches have been included in this update:

  SUSE: 2021:239-1 ses/7/cephcsi/cephcsi Security Update (Jun 3)
 

The container ses/7/cephcsi/cephcsi was updated. The following patches have been included in this update:

  SUSE: 2021:238-1 ses/6/rook/ceph Security Update (Jun 3)
 

The container ses/6/rook/ceph was updated. The following patches have been included in this update:

  SUSE: 2021:237-1 ses/6/ceph/ceph Security Update (Jun 3)
 

The container ses/6/ceph/ceph was updated. The following patches have been included in this update:

  SUSE: 2021:236-1 ses/6/cephcsi/cephcsi Security Update (Jun 3)
 

The container ses/6/cephcsi/cephcsi was updated. The following patches have been included in this update:

  Ubuntu 4986-3: rpcbind regression (Jun 10)
 

USN-4986-1 caused a regression in rpcbind.

  Ubuntu 4971-2: libwebp vulnerabilities (Jun 10)
 

libwebp could be made to crash or run programs as your login if it opened a specially crafted file.

  Ubuntu 4986-2: rpcbind vulnerability (Jun 9)
 

rpcbind could be made to consume resources and crash if it received specially crafted network traffic.

  Ubuntu 4985-1: Intel Microcode vulnerabilities (Jun 9)
 

Several security issues were fixed in Intel Microcode.

  Ubuntu 4986-1: rpcbind vulnerability (Jun 9)
 

rpcbind could be made to consume resources and crash if it received specially crafted network traffic.

  Ubuntu 4937-2: GNOME Autoar regression (Jun 7)
 

USN-4937-1 introduced a regression in GNOME Autoar.

  Ubuntu 4969-3: DHCP regression (Jun 7)
 

USN-4969-1 introduced a regression in DHCP.

  Ubuntu 4984-1: Linux kernel vulnerabilities (Jun 4)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 4983-1: Linux kernel (OEM) vulnerabilities (Jun 3)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 4982-1: Linux kernel vulnerabilities (Jun 3)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 4981-1: Squid vulnerabilities (Jun 3)
 

Several security issues were fixed in Squid.

  Ubuntu 4980-1: polkit vulnerability (Jun 3)
 

The system could be made to run programs as an administrator.

  Debian LTS: DLA-2684-1: lasso security update (Jun 10)
 

A vulnerability was discovered in lasso, a library for Liberty Alliance and SAML protocols, which results to a improper verification of a cryptographic signature.

  Debian LTS: DLA-2683-1: rxvt security update (Jun 9)
 

rxvt, VT102 terminal emulator for the X Window System, allowed (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q).

  Debian LTS: DLA-2682-1: mrxvt security update (Jun 9)
 

mrxvt, lightweight multi-tabbed X terminal emulator, allowed (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q).

  Debian LTS: DLA-2681-1: eterm security update (Jun 9)
 

eterm, an enlightened terminal emulator, allowed (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q).

  Debian LTS: DLA-2680-1: nginx security update (Jun 7)
 

Jamie Landeg-Jones and Manfred Paul discovered a buffer overflow vulnerability in NGINX, a small, powerful, scalable web/proxy server. NGINX has a buffer overflow for years that exceed four digits, as demonstrated

  Debian LTS: DLA-2679-1: thunderbird security update (Jun 7)
 

Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code. In addition two security issues were addressed in the OpenPGP support.

  Debian LTS: DLA-2678-1: ruby-nokogiri security update (Jun 6)
 

An XXE vulnerability was found in Nokogiri, a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. XML Schemas parsed by Nokogiri::XML::Schema were trusted by default, allowing

  Debian LTS: DLA-2677-1: libwebp security update (Jun 6)
 

Multiple security issues have been discovered in libwebp CVE-2018-25009

  Debian LTS: DLA-2672-1: libwebp security update (Jun 5)
 

Multiple security issues have been discovered in libwebp CVE-2018-25009

  Debian LTS: DLA-2675-1: caribou regression update (Jun 3)
 

It was found that the fix for CVE-2020-25712 in the Xorg X server, addressed in DLA-2486-1, caused a regression in caribou, making it crash whenever special (shifted) characters were entered.

  Debian LTS: DLA-2674-1: isc-dhcp security update (Jun 3)
 

Jon Franklin and Pawel Wieczorkiewicz found an issue in the ISC DHCP client and server when parsing lease information, which could lead to denial of service via application crash.

  Debian LTS: DLA-2673-1: firefox-esr security update (Jun 3)
 

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

  Debian LTS: DLA-2672-1: imagemagick security update (Jun 3)
 

Multiple security issues have been discovered in imagemagick. CVE-2020-27751

  ArchLinux: 202106-30: wireshark-cli: denial of service (Jun 11)
 

The package wireshark-cli before version 3.4.6-1 is vulnerable to denial of service.

  ArchLinux: 202106-29: kube-apiserver: insufficient validation (Jun 11)
 

The package kube-apiserver before version 1.21.1-1 is vulnerable to insufficient validation.

  ArchLinux: 202106-28: nettle: denial of service (Jun 11)
 

The package nettle before version 3.7.3-1 is vulnerable to denial of service.

  ArchLinux: 202106-27: isync: arbitrary code execution (Jun 11)
 

The package isync before version 1.4.2-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202106-26: python-websockets: private key recovery (Jun 11)
 

The package python-websockets before version 9.1-1 is vulnerable to private key recovery.

  ArchLinux: 202106-25: python-urllib3: denial of service (Jun 11)
 

The package python-urllib3 before version 1.26.5-1 is vulnerable to denial of service.

  ArchLinux: 202106-24: polkit: privilege escalation (Jun 11)
 

The package polkit before version 0.119-1 is vulnerable to privilege escalation.

  ArchLinux: 202106-23: apache: denial of service (Jun 11)
 

The package apache before version 2.4.48-1 is vulnerable to denial of service.

  ArchLinux: 202106-22: thunderbird: arbitrary code execution (Jun 11)
 

The package thunderbird before version 78.11.0-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202106-21: gitlab: multiple issues (Jun 11)
 

The package gitlab before version 13.12.2-1 is vulnerable to multiple issues including denial of service, information disclosure, access restriction bypass, authentication bypass, cross-site scripting and content spoofing.

  ArchLinux: 202106-20: inetutils: arbitrary code execution (Jun 11)
 

The package inetutils before version 2.0-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202106-19: keycloak: incorrect calculation (Jun 3)
 

The package keycloak before version 13.0.1-1 is vulnerable to incorrect calculation.

  ArchLinux: 202106-18: packagekit: information disclosure (Jun 3)
 

The package packagekit before version 1.2.3-1 is vulnerable to information disclosure.

  ArchLinux: 202106-17: rabbitmq: denial of service (Jun 3)
 

The package rabbitmq before version 3.8.16-1 is vulnerable to denial of service.

  ArchLinux: 202106-16: pam-u2f: authentication bypass (Jun 3)
 

The package pam-u2f before version 1.1.1-1 is vulnerable to authentication bypass.

  ArchLinux: 202106-15: postgresql: multiple issues (Jun 3)
 

The package postgresql before version 13.3-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure.

  ArchLinux: 202106-14: ruby-bundler: insufficient validation (Jun 3)
 

The package ruby-bundler before version 2.2.18-1 is vulnerable to insufficient validation.

  ArchLinux: 202106-13: zint: arbitrary code execution (Jun 3)
 

The package zint before version 2.9.1-2 is vulnerable to arbitrary code execution.

  ArchLinux: 202106-12: redis: arbitrary code execution (Jun 3)
 

The package redis before version 6.2.4-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202106-11: dhcp: arbitrary code execution (Jun 3)
 

The package dhcp before version 4.4.2.P1-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202106-10: dhclient: arbitrary code execution (Jun 3)
 

The package dhclient before version 4.4.2.P1-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202106-9: lib32-libcurl-gnutls: information disclosure (Jun 3)
 

The package lib32-libcurl-gnutls before version 7.77.0-1 is vulnerable to information disclosure.

  ArchLinux: 202106-8: libcurl-gnutls: information disclosure (Jun 3)
 

The package libcurl-gnutls before version 7.77.0-1 is vulnerable to information disclosure.

  ArchLinux: 202106-7: lib32-libcurl-compat: multiple issues (Jun 3)
 

The package lib32-libcurl-compat before version 7.77.0-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure.

  ArchLinux: 202106-6: libcurl-compat: multiple issues (Jun 3)
 

The package libcurl-compat before version 7.77.0-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure.

  ArchLinux: 202106-5: lib32-curl: multiple issues (Jun 3)
 

The package lib32-curl before version 7.77.0-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure.

  ArchLinux: 202106-4: curl: multiple issues (Jun 3)
 

The package curl before version 7.77.0-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure.

  ArchLinux: 202106-3: firefox: multiple issues (Jun 3)
 

The package firefox before version 89.0-1 is vulnerable to multiple issues including arbitrary code execution, content spoofing, information disclosure and access restriction bypass.

  ArchLinux: 202106-2: chromium: multiple issues (Jun 3)
 

The package chromium before version 91.0.4472.77-1 is vulnerable to multiple issues including arbitrary code execution, information disclosure, insufficient validation and content spoofing.

  ArchLinux: 202106-1: opera: multiple issues (Jun 3)
 

The package opera before version 76.0.4017.154-1 is vulnerable to multiple issues including arbitrary code execution, content spoofing, incorrect calculation and information disclosure.

  SciLinux: SLSA-2021-2328-1 Important: qt5-qtimageformats on SL7.x x86_64 (Jun 9)
 

libwebp: heap-based buffer overflow in PutLE16() (CVE-2018-25011) * libwebp: use of uninitialized value in ReadSymbol() (CVE-2018-25014) * libwebp: heap-based buffer overflow in WebPDecode*Into functions (CVE-2020-36328) * libwebp: use-after-free in EmitFancyRGB() in dec/io_dec.c (CVE-2020-36329) For more details about the security issue(s), including the impact, a CVSS score, acknowledgme [More...]

  SciLinux: SLSA-2021-2313-1 Moderate: samba on SL7.x x86_64 (Jun 9)
 

samba: Negative idmap cache entries can cause incorrect group entries in the Samba file server process token (CVE-2021-20254) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE Bug Fix(es): * smb.service stops when samba rpms are updated * samba printing dumps core --- SL7 x86_64 libsmbclient- [More...]

  SciLinux: SLSA-2021-2318-1 Moderate: hivex on SL7.x x86_64 (Jun 9)
 

hivex: Buffer overflow when provided invalid node key length (CVE-2021-3504) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE --- SL7 x86_64 hivex-1.3.10-6.11.el7_9.i686.rpm hivex-1.3.10-6.11.el7_9.x86_64.rpm hivex-debuginfo-1.3.10-6.11.el7_9.i686.rpm hivex-debuginfo-1.3.10-6.11.el7_9.x86_64.r [More...]

  SciLinux: SLSA-2021-2322-1 Moderate: qemu-kvm on SL7.x x86_64 (Jun 9)
 

QEMU: ide: atapi: OOB access while processing read commands (CVE-2020-29443) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE --- SL7 x86_64 qemu-img-1.5.3-175.el7_9.4.x86_64.rpm qemu-kvm-1.5.3-175.el7_9.4.x86_64.rpm qemu-kvm-common-1.5.3-175.el7_9.4.x86_64.rpm qemu-kvm-debuginfo-1.5.3-175.el7_ [More...]

  SciLinux: SLSA-2021-2323-1 Moderate: 389-ds-base on SL7.x x86_64 (Jun 9)
 

389-ds-base: information disclosure during the binding of a DN (CVE-2020-35518) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE Bug Fix(es): * Add new access log keywords for time spent in work queue and actual operation time --- SL7 x86_64 389-ds-base-1.3.10.2-12.el7_9.x86_64.rpm 389-ds-ba [More...]

  SciLinux: SLSA-2021-2260-1 Important: libwebp on SL7.x x86_64 (Jun 9)
 

libwebp: heap-based buffer overflow in PutLE16() (CVE-2018-25011) * libwebp: heap-based buffer overflow in WebPDecode*Into functions (CVE-2020-36328) * libwebp: use-after-free in EmitFancyRGB() in dec/io_dec.c (CVE-2020-36329) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE --- SL7 x86_64 [More...]

  SciLinux: SLSA-2021-2263-1 Important: thunderbird on SL7.x x86_64 (Jun 9)
 

This update upgrades Thunderbird to version 78.11.0. * Mozilla: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 (CVE-2021-29967) * Mozilla: Thunderbird stored OpenPGP secret keys without master password protection (CVE-2021-29956) * Mozilla: Partial protection of inline OpenPGP message not indicated (CVE-2021-29957) For more details about the security issue(s), including the imp [More...]

  SciLinux: SLSA-2021-2206-1 Critical: firefox on SL7.x x86_64 (Jun 3)
 

This update upgrades Firefox to version 78.11.0 ESR. * Mozilla: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 (CVE-2021-29967) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE --- SL7 x86_64 - firefox-78.11.0-3.el7_9.i686.rpm - firefox-78.11.0-3.el7_9.x86_64.rpm - firefox-deb [More...]

  openSUSE: 2021:0861-1 moderate: python-HyperKitty (Jun 9)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0858-1 important: MozillaFirefox (Jun 9)
 

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0857-1 important: libX11 (Jun 9)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0855-1 important: snakeyaml (Jun 8)
 

An update that solves one vulnerability and has one errata is now available.

  openSUSE: 2021:0851-1 moderate: python-py (Jun 7)
 

An update that solves one vulnerability and has one errata is now available.

  openSUSE: 2021:0853-1 moderate: csync2 (Jun 7)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0846-1 important: umoci (Jun 7)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0845-1 moderate: inn (Jun 6)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0843-1 important: the Linux Kernel (Jun 6)
 

An update that solves 12 vulnerabilities and has 23 fixes is now available.

  openSUSE: 2021:0841-1 moderate: redis (Jun 5)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0840-1 important: chromium (Jun 4)
 

An update that fixes 21 vulnerabilities is now available.

  openSUSE: 2021:0838-1 important: polkit (Jun 4)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0833-1 important: ceph (Jun 3)
 

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0835-1 important: nginx (Jun 3)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0834-1 important: dhcp (Jun 3)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0832-1 important: xstream (Jun 3)
 

An update that fixes 11 vulnerabilities is now available.

  openSUSE: 2021:0829-1 important: opera (Jun 3)
 

An update that fixes 15 vulnerabilities is now available.

  openSUSE: 2021:0828-1 important: opera (Jun 3)
 

An update that fixes 15 vulnerabilities is now available.

  openSUSE: 2021:0830-1 moderate: inn (Jun 3)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0826-1 moderate: upx (Jun 3)
 

An update that fixes one vulnerability is now available.

  Mageia 2021-0244: polkit security update (Jun 8)
 

A flaw was found in polkit. When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, the process cannot get a unique uid and pid of the process and it cannot verify the privileges of the requesting process (CVE-2021-3560). References: - https://bugs.mageia.org/show_bug.cgi?id=29076 - https://access.redhat.com/errata/RHSA-2021:2238

  Mageia 2021-0243: curl security update (Jun 8)
 

TELNET stack contents disclosure (CVE-2021-22898). References: - https://bugs.mageia.org/show_bug.cgi?id=28971 - https://curl.se/docs/CVE-2021-22898.html

  Mageia 2021-0242: thunderbird security update (Jun 8)
 

The updated packages fix security vulnerabilities: Out of bounds-read when parsing a `WM_COPYDATA` message. (CVE-2021-29964) Memory safety bugs fixed in Thunderbird 78.11. (CVE-2021-29967)

  Mageia 2021-0241: upx security update (Jun 8)
 

The updated package fixes security vulnerabilities: A heap buffer overflow read was discovered in upx 4.0.0, because the check in p_lx_elf.cpp is not perfect. (CVE-2020-24119)

  Mageia 2021-0240: exiv2 security update (Jun 8)
 

The updated packages fix security vulnerabilities: Heap-based buffer overflow in Jp2Image::readMetadata(). (CVE-2021-3482) Heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata.

  Mageia 2021-0239: cgal security update (Jun 8)
 

Updated cgal packages fix security vulnerabilities: An oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_vertex() Face_of[] OOB read. An attacker can provide malicious input to trigger this vulnerability (CVE-2020-28601).

  Mageia 2021-0238: cgal security update (Jun 8)
 

Updated cgal packages fix security vulnerabilities: An oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_vertex() Face_of[] OOB read. An attacker can provide malicious input to trigger this vulnerability (CVE-2020-28601).

  Mageia 2021-0237: squid security update (Jun 8)
 

Updated squid packages fix security vulnerabilities: Due to improper input validation Squid is vulnerable to an HTTP Request Smuggling attack. This problem allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by Squid

  Mageia 2021-0236: firefox security update (Jun 8)
 

Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 Mozilla developers Gabriele Svelto, Anny Gakhokidze, Alexandru Michis, Christian Holler reported memory safety bugs present in Firefox 88 and Firefox ESR 78.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2021-29967). This update also fixes:

  Mageia 2021-0235: mpv security update (Jun 8)
 

Fixed format string vulnerability allows user-assisted remote attackers to achieve code execution via a crafted m3u playlist file (CVE-2021-30145). References: - https://bugs.mageia.org/show_bug.cgi?id=29058 - https://lists.opensuse.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./thread/QVXB4F67QODLPKYBZX7SBXTE7ESGKGOD/

  Mageia 2021-0234: librsvg security update (Jun 8)
 

This update patches the vendored `smallvec` Rust crate in librsvg to fix a security vulnerability: The Iterator implementation mishandles destructors, leading to a double free (CVE-2021-25900). References:

  Mageia 2021-0233: tar security update (Jun 8)
 

A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability (CVE-2021-20193). References: - https://bugs.mageia.org/show_bug.cgi?id=29049 - https://lists.opensuse.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./thread/XRDSUUE3LUKBDRLPB7GTT5QZRPV5J7O4/

  Mageia 2021-0232: libxml2 security update (Jun 8)
 

Exponential entity expansion attack bypasses all existing protection mechanisms. (CVE-2021-3541). References: - https://bugs.mageia.org/show_bug.cgi?id=29039 - https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./thread/NYSYJVWYEQHFG2TBIQJRJ5COUR5LNFJJ/

  Mageia 2021-0231: dnsmasq security update (Jun 8)
 

A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier (CVE-2021-3448). This kind of configuration is the default when network-manager uses dnsmasq. References: - https://bugs.mageia.org/show_bug.cgi?id=29030

  Mageia 2021-0230: libpano13 security update (Jun 8)
 

Format string vulnerability in panoFileOutputNamesCreate() in libpano13 2.9.20.rc2 and earlier can lead to read and write arbitrary memory values (CVE-2021-20307). References: - https://bugs.mageia.org/show_bug.cgi?id=28997 - https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./thread/JE6YZSXNVD6WZ3AG3ENL2DIHQFF24LYX/

  Mageia 2021-0229: lz4 security update (Jun 8)
 

An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well (CVE-2021-3520). References: - https://bugs.mageia.org/show_bug.cgi?id=28990 - https://www.debian.org/security/2021/dsa-4919

  Mageia 2021-0228: graphviz security update (Jun 8)
 

Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the "lib/common/shapes.c" component. (CVE-2020-18032) References: - https://bugs.mageia.org/show_bug.cgi?id=28989 - https://www.debian.org/security/2021/dsa-4914

  Mageia 2021-0227: vlc security update (Jun 8)
 

A remote user could create a specifically crafted file that could trigger some various issues. It is possible to trigger a remote code execution through a specifically crafted playlist, and tricking the user into interacting with that playlist elements. It is also possible to trigger read or write buffer overflows with some crafted files or by a MITM attack on the automatic updater

  Mageia 2021-0226: libebml security update (Jun 8)
 

Updated libebml packages fix security vulnerabilities: Heap use-after-free when parsing malformed file. A flaw was found in libebml before 1.4.2. A heap overflow bug exists in the implementation of EbmlString::ReadData and EbmlUnicodeString::ReadData in libebml (CVE-2021-3405).

Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript![ ? ]

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.