Newsletters: Linux Advisory Watch: June 25, 2021


Linux Advisory Watch: June 25, 2021

Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! 

Today’s newsletter is sponsored by Uptycs. To close security observibility gaps across your cloud attack surface, check out the Uptycs Security Analytics Platform.

This week, important updates have been issued for nginx, python-django and salt.

We recommend that you visit our Advisories page frequently to see the latest security advisories that have been issued by your Linux distro(s). We also now offer the ability to personalize your User Profile to include the latest advisories for the distros you select. 

On behalf of the administrative team, I would like to extend a warm welcome to our newly redesigned site!

Yours in Open Source,

Brittany Day Signature


The Discovery Nginx

It was discovered that nginx, a high performance HTTP and reverse proxy server, did not properly handle DNS responses when using the "resolver" directive.

The Impact

This high-severity vulnerability (CVE-2021-23017) could lead to remote code execution (RCE) by enabling a remote attacker who is able to provide DNS responses to a nginx instance to execute arbitrary code with the privileges of the process or a Denial of Service (DoS) condition.

The Fix

All nginx users should upgrade to the latest version immediately:

  # emerge --sync

   # emerge --ask --oneshot --verbose ">=www-servers/nginx-1.20.1"

All nginx mainline users should upgrade to the latest version immediately:

  # emerge --sync

  # emerge --ask --oneshot -v ">=www-servers/nginx-1.21.0:mainline"

Your Related Advisories:

Register to Customize Your Advisories


The Discovery 


Multiple remotely exploitable security issues (CVE-2021-33203 and CVE-2021-33571) have been found in the python-django web framework before version 3.2.4.

The Impact

These vulnerabilities could enable user accounts with staff privileges to check for the existence of arbitrary files, and possibly disclose the contents of these files. Additionally, leading zeros in IPv4 addresses could be used to bypass IP-based access restrictions.

The Fix

These bugs have been fixed upstream in python-django version 3.2.4. Users should upgrade to version 3.2.4-1 immediately.

# pacman -Syu "python-django>=3.2.4-1"

Your Related Advisories:

Register to Customize Your Advisories


The Discovery Salt

OpenSUSE users are especially vulnerable this week, as multiple critical flaws have been discovered in the salt distributed remote execution system found in openSUSE Leap 15.2.

The Impact

Potential issues caused by these bugs include a missing part of the async batch implementation, a deprecated warning that breaks minion execution when "server_id_use_crc" opts is missing, parsing errors in the ansiblegate state module, command injection in the snapper module, sal-ssh regression on processing targets, race condition on salt-ssh event processing and the freezing of salt-call.

The Fix

OpenSUSE has released an important security update that solves seven vulnerabilities and contains three fixes. To install this openSUSE Security Update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".

You can also run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-899=1

Your Related Advisories:

Register to Customize Your Advisories

Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript![ ? ]

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.