Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! Staying on top of the latest security advisories is essential in maintaining an updated, secure Linux system. Our weekly newsletter is an easy, convenient way to track the security updates available for the software and applications you are using - helping you keep your Linux environment safe from malware and other exploits.

This week, important updates have been issued for Polkit, PostgreSQL and Squid:

Polkit

The Discovery

A seven-year-old flaw, tracked as CVE-2021-3560, has been discovered in the Polkit authorization service used on most Linux distributions that run systemd. When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, Polkit cannot obtain a unique uid and pid for the requester and, as a result, cannot verify the requesting process's privileges.

The Impact

CVE-2021-3560 enables an unprivileged local user to get a root shell on a Linux system using Polkit version 0.113 (or later), such as those running RHEL 8, Fedora 21 (or later), Debian testing (“bullseye”), or Ubuntu 20.04. It’s easy to exploit with a few standard command line tools, as shown in this brief video. This high-priority bug poses a serious threat to data confidentiality and integrity, as well as system availability.

The Fix

CVE-2021-3560 was fixed on June 3, 2021. If your distro has been impacted by this critical vulnerability, we urge you to update as soon as possible!


PostgreSQL

The Discovery

An important flaw (CVE-2021-32027) has been found in PostgreSQL, an advanced object-relational database management system. While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory.

The Impact

This high-severity vulnerability - which is easy to exploit and requires no user interaction - could result in remote code execution (RCE), threatening data confidentiality, integrity and system availability.

The Fix

Updates mitigating this vulnerability have been released by the distros impacted, which include CentOS, Debian, Mageia, Red Hat, SciLinux and Ubuntu.


Squid

The Discovery

An important security bug (CVE-2020-25097) has been found in the Squid proxy caching server. Because of improper validation while parsing the request URI, Squid is vulnerable to HTTP request smuggling.

The Impact

Exploiting this flaw, a trusted client can easily perform an HTTP request smuggling attack with no user interaction and access services otherwise forbidden by Squid, threatening the confidentiality of sensitive data.

The Fix

A fix has been released for this vulnerability. Users should check the security advisories issued by their distro and update immediately if they are at risk.

We recommend that you visit our Advisories page frequently to see the latest security advisories that have been issued by your Linux distro(s). We also now offer the ability to personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select. 

On behalf of the LinuxSecurity.com administrative team, I would like to extend a warm welcome to our newly redesigned site!

Yours in Open Source,
