Linux Advisory Watch: March 19th, 2021

Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! Staying on top of the latest security advisories issued by the distro(s) you use is essential in maintaining an updated, secure Linux system. Our weekly newsletter is an easy, convenient way to track distribution security advisories - helping you keep your Linux environment safe from malware and other exploits.

Yours in Open Source,

Brittany Day


LinuxSecurity.com Feature Extras:

LinuxSecurity User Survey Results: How Do You Compare? - Greetings fellow Linux users! Thank you to everyone who took part in our LinuxSecurity User Survey. As you may be aware, LinuxSecurity.com is currently in the final stages of a major redesign in an effort to enhance user experience on the site, and your input is invaluable in the remainder of this process. It's because of active, insightful community members like you that we have been able to remain the Linux community's central resource for security news, advisories and HOWTOs for over two decades.

Have You Taken Our LinuxSecurity User Survey? - Greetings fellow Linux security enthusiasts! We're rebuilding our site and need your help! LinuxSecurity is currently undergoing a major overhaul and we would like your input. Got a new feature idea? See something about the current site you don't like?


  Debian: DSA-4872-1: shibboleth-sp security update (Mar 18)
 

Toni Huttunen discovered that the Shibboleth service provider's template engine used to render error pages could be abused for phishing attacks. For additional information please refer to the upstream advisory at

  Debian: DSA-4871-1: tor security update (Mar 16)
 

Two vulnerabilities were discovered in Tor, a connection-based low-latency anonymous communication system, which could lead to excessive CPU usage or cause a directory authority to crash.

  Debian: DSA-4870-1: pygments security update (Mar 12)
 

It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service.

  Debian: DSA-4869-1: tiff security update (Mar 12)
 

Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.

  Debian: DSA-4868-1: flatpak security update (Mar 12)
 

Anton Lydike discovered that sandbox restrictions in Flatpak, an application deployment framework for desktop apps, could be bypassed via a malicious .desktop file.

  Fedora 32: upx 2021-dff7e97510 (Mar 19)
 

Fix for CVE-2021-20285

  Fedora 33: upx 2021-4b43992608 (Mar 19)
 

Fix for CVE-2021-20285

  Fedora 33: flatpak 2021-26ad138ffa (Mar 19)
 

flatpak 1.10.2 release. This is a security update which fixes a potential attack where a flatpak application could use custom formatted .desktop files to gain access to files on the host system. Other changes: * Fix memory leaks * Some test fixes * Documentation updates * G_BEGIN/END_DECLS added to library headers for C++ use * Fix for X11 cookies on openSUSE * Spawn portal better

  Fedora 32: switchboard-plug-bluetooth 2021-7d55c00267 (Mar 18)
 

Update to version 2.3.5, which addresses CVE-2021-21367. Release notes: https://github.com/elementary/switchboard-plug-bluetooth/releases/tag/2.3.5

  Fedora 33: qt5-qtsvg 2021-6167e8e205 (Mar 16)
 

An out-of-bounds read in the function QRadialFetchSimd triggered by a crafted SVG file may lead to information disclosure or other potential consequences. This update includes the backported upstream fix and should resolve the security issue.

  Fedora 33: switchboard-plug-bluetooth 2021-3dedd41a06 (Mar 16)
 

Update to version 2.3.5, which addresses CVE-2021-21367. Release notes: https://github.com/elementary/switchboard-plug-bluetooth/releases/tag/2.3.5

  Fedora 33: gsoap 2021-faea36a9c3 (Mar 16)
 

Backporting upstream fixes - Fixes CVE: CVE-2020-13574 CVE-2020-13575 CVE-2020-13577 CVE-2020-13578 - Fixes CVE: CVE-2020-13576

  Fedora 32: git 2021-ffd0b2108d (Mar 15)
 

Security fix for CVE-2021-21300. A specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS may cause a just-checked-out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS. Note that clean/smudge filters have to be configured in advance, in the system-wide or global user

  Fedora 33: containerd 2021-470fa24f5b (Mar 14)
 

Update to upstream 1.4.4 - Fix CVE-2021-21334

  Fedora 33: golang-github-containerd-cri 2021-10ce8fcbf1 (Mar 14)
 

Update to upstream aa2d5a97cdc4 for CVE-2021-21334

  Fedora 33: mingw-python-pillow 2021-15845d3abe (Mar 14)
 

This update fixes CVE-2021-27921, CVE-2021-27922 and CVE-2021-27923. ---- Backport fixes for CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293

  Fedora 33: python-pillow 2021-15845d3abe (Mar 14)
 

This update fixes CVE-2021-27921, CVE-2021-27922 and CVE-2021-27923. ---- Backport fixes for CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293

  Fedora 33: python2-pillow 2021-15845d3abe (Mar 14)
 

This update fixes CVE-2021-27921, CVE-2021-27922 and CVE-2021-27923. ---- Backport fixes for CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293

  Fedora 33: mingw-gdk-pixbuf 2021-755ba8968a (Mar 14)
 

Update to gdk-pixbuf-2.42.2, see https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/tags/2.42.2 for details.

  Fedora 33: mingw-python3 2021-b76ede8f4d (Mar 14)
 

Update to python3-3.9.2, see https://docs.python.org/3/whatsnew/3.9.html for details.

  Fedora 33: mingw-jasper 2021-7f3323a767 (Mar 14)
 

Update to jasper-2.0.26, see https://github.com/jasper-software/jasper/releases/tag/version-2.0.26 for details.

  Fedora 33: mingw-python-jinja2 2021-2ab8ebcabc (Mar 14)
 

Update to jinja2-2.11.3, see https://github.com/pallets/jinja/releases/tag/2.11.3 for details.

  Fedora 33: mingw-glib2 2021-7c71cda8da (Mar 14)
 

Update to glib2-2.66.7, see https://gitlab.gnome.org/GNOME/glib/-/blob/2.66.7/NEWS for details.

  Fedora 32: python-pillow 2021-0ece308612 (Mar 14)
 

This update fixes CVE-2021-27921, CVE-2021-27922 and CVE-2021-27923. ---- Backport fixes for CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293

  Fedora 32: python2-pillow 2021-0ece308612 (Mar 14)
 

This update fixes CVE-2021-27921, CVE-2021-27922 and CVE-2021-27923. ---- Backport fixes for CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293

  Fedora 32: mingw-python3 2021-309bc2e727 (Mar 14)
 

Update to python3-3.8.8, see https://www.python.org/downloads/release/python-388/ for details.

  Fedora 32: mingw-jasper 2021-56a49b0bc6 (Mar 14)
 

Update to jasper-2.0.26, see https://github.com/jasper-software/jasper/releases/tag/version-2.0.26 for details.

  Fedora 32: python-django 2021-ef83e8525a (Mar 13)
 

update to 3.0.13, fix CVE-2021-23336 (rhbz#1931542)

  Fedora 33: python-django 2021-1bb399a5af (Mar 12)
 

update to 3.0.13, fix CVE-2021-23336 (rhbz#1931542)

  Fedora 32: python3.10 2021-2897f5366c (Mar 11)
 

Python 3.10.0a6. Security fix for CVE-2021-23336.

  Fedora 32: nodejs 2021-f6bd75e9d4 (Mar 11)
 

https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/

  Fedora 32: arm-none-eabi-newlib 2021-332fb9c796 (Mar 11)
 

- updated to 4.1.0

  Fedora 32: suricata 2021-6c7cfe2532 (Mar 11)
 

Various performance, accuracy and stability issues have been fixed.

  Fedora 33: python3.10 2021-b326fcb83f (Mar 11)
 

Python 3.10.0a6. Security fix for CVE-2021-23336.

  Fedora 33: nodejs 2021-a760169c3c (Mar 11)
 

https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/

  Fedora 33: arm-none-eabi-newlib 2021-267c08cc40 (Mar 11)
 

- updated to 4.1.0

  Fedora 33: suricata 2021-9747ed7427 (Mar 11)
 

Various performance, accuracy and stability issues have been fixed.

  RedHat: RHSA-2021-0946:01 Moderate: Red Hat Build of OpenJDK 1.8 (container (Mar 19)
 

The Red Hat Build of OpenJDK 8 (container images) is now available from the Red Hat Container Catalog. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0945:01 Moderate: Red Hat Build of OpenJDK 11 (container (Mar 19)
 

The Red Hat Build of OpenJDK 11 (container images) is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0940:01 Important: kpatch-patch security update (Mar 18)
 

An update for kpatch-patch is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0933:01 Moderate: python-django security update (Mar 18)
 

An update for python-django is now available for Red Hat OpenStack Platform 13 (Queens). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0931:01 Important: openvswitch2.11 and ovn2.11 security (Mar 18)
 

An update for openvswitch2.11 and ovn2.11 is now available for Red Hat OpenStack Platform 13 (Queens). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0934:01 Moderate: qemu-kvm-rhev security update (Mar 18)
 

An update for qemu-kvm-rhev is now available for Red Hat OpenStack Platform 13.0 (Queens). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0937:01 Important: rubygem-em-http-request security update (Mar 18)
 

An update for rubygem-em-http-request is now available for Red Hat OpenStack Platform 13 (Queens). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0916:01 Moderate: Red Hat OpenStack Platform 16.1.4 (Mar 17)
 

An update for etcd is now available for Red Hat OpenStack Platform 16.1 (Train). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0915:01 Moderate: Red Hat OpenStack Platform 16.1.4 (Mar 17)
 

An update for python-django is now available for Red Hat OpenStack Platform 16.1 (Train). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0922:01 Important: bind security update (Mar 17)
 

An update for bind is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0882:01 Low: tomcat security update (Mar 16)
 

An update for tomcat is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0883:01 Moderate: perl security update (Mar 16)
 

An update for perl is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0876:01 Moderate: nss and nss-softokn security update (Mar 16)
 

An update for nss and nss-softokn is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0877:01 Moderate: curl security update (Mar 16)
 

An update for curl is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0881:01 Moderate: python security update (Mar 16)
 

An update for python is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0878:01 Important: kernel security, bug fix, (Mar 16)
 

An update for kernel is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0857:01 Important: kernel-rt security and bug fix update (Mar 16)
 

An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0851:01 Important: pki-core security and bug fix update (Mar 16)
 

An update for pki-core is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0873:01 Moderate: Red Hat JBoss Enterprise Application (Mar 16)
 

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0860:01 Moderate: ipa security and bug fix update (Mar 16)
 

An update for ipa is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0872:01 Moderate: Red Hat JBoss Enterprise Application (Mar 16)
 

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0856:01 Important: kernel security and bug fix update (Mar 16)
 

An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0874:01 Moderate: Red Hat JBoss Enterprise Application (Mar 16)
 

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0862:01 Important: kpatch-patch security update (Mar 16)
 

An update for kpatch-patch is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0885:01 Moderate: Red Hat JBoss Enterprise Application (Mar 16)
 

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0871:01 Moderate: Red Hat Integration Debezium 1.4.2 (Mar 16)
 

An update for Debezium MongoDB connector is now available for Red Hat Integration. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0848:01 Moderate: kernel security update (Mar 16)
 

An update for kernel is now available for Red Hat Enterprise Linux 7.3 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0831:01 Important: rh-nodejs12-nodejs security update (Mar 15)
 

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0830:01 Important: rh-nodejs14-nodejs security update (Mar 15)
 

An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0827:01 Important: rh-nodejs10-nodejs security update (Mar 15)
 

An update for rh-nodejs10-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0835:01 Moderate: openvswitch2.13 security update (Mar 15)
 

An update for openvswitch2.13 is now available in Fast Datapath for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of

  RedHat: RHSA-2021-0837:01 Moderate: openvswitch2.11 security update (Mar 15)
 

An update for openvswitch2.11 is now available in Fast Datapath for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0834:01 Moderate: openvswitch2.11 security update (Mar 15)
 

An update for openvswitch2.11 is now available in Fast Datapath for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of

  RedHat: RHSA-2021-0819:01 Important: pki-core security update (Mar 15)
 

An update for pki-core is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0818:01 Important: wpa_supplicant security update (Mar 15)
 

An update for wpa_supplicant is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0816:01 Important: wpa_supplicant security update (Mar 15)
 

An update for wpa_supplicant is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0811:01 Low: Red Hat Integration Tech-Preview 3 Camel K (Mar 11)
 

An update to the Camel K operator image for Red Hat Integration tech-preview is now available. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact

  RedHat: RHSA-2021-0809:01 Important: wpa_supplicant security update (Mar 11)
 

An update for wpa_supplicant is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  Slackware: 2021-072-01: Slackware 14.2 kernel Security Update (Mar 13)
 

New kernel packages are available for Slackware 14.2 to fix security issues.

  Slackware: 2021-070-01: git Security Update (Mar 11)
 

New git packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue.

  SUSE: 2021:79-1 suse/sle15 Security Update (Mar 19)
 

The container suse/sle15 was updated. The following patches have been included in this update:

  SUSE: 2021:78-1 suse/sle-micro/5.0/toolbox Security Update (Mar 18)
 

The container suse/sle-micro/5.0/toolbox was updated. The following patches have been included in this update:

  SUSE: 2021:76-1 ses/7/rook/ceph Security Update (Mar 12)
 

The container ses/7/rook/ceph was updated. The following patches have been included in this update:

  SUSE: 2021:75-1 ses/7/cephcsi/csi-snapshotter Security Update (Mar 12)
 

The container ses/7/cephcsi/csi-snapshotter was updated. The following patches have been included in this update:

  SUSE: 2021:74-1 ses/7/cephcsi/csi-resizer Security Update (Mar 12)
 

The container ses/7/cephcsi/csi-resizer was updated. The following patches have been included in this update:

  SUSE: 2021:73-1 ses/7/cephcsi/csi-provisioner Security Update (Mar 12)
 

The container ses/7/cephcsi/csi-provisioner was updated. The following patches have been included in this update:

  SUSE: 2021:72-1 ses/7/cephcsi/csi-node-driver-registrar Security Update (Mar 12)
 

The container ses/7/cephcsi/csi-node-driver-registrar was updated. The following patches have been included in this update:

  SUSE: 2021:71-1 ses/7/cephcsi/csi-attacher Security Update (Mar 12)
 

The container ses/7/cephcsi/csi-attacher was updated. The following patches have been included in this update:

  SUSE: 2021:69-1 ses/7/cephcsi/cephcsi Security Update (Mar 12)
 

The container ses/7/cephcsi/cephcsi was updated. The following patches have been included in this update:

  SUSE: 2021:67-1 suse/sle-micro/5.0/toolbox Security Update (Mar 11)
 

The container suse/sle-micro/5.0/toolbox was updated. The following patches have been included in this update:

  Debian LTS: DLA-2599-1: shibboleth-sp2 security update (Mar 19)
 

Toni Huttunen discovered that the Shibboleth service provider's template engine used to render error pages could be abused for phishing attacks. For additional information please refer to the upstream advisory at

  Debian LTS: DLA-2598-1: squid3 security update (Mar 18)
 

Due to improper input validation, Squid is vulnerable to an HTTP Request Smuggling attack. This problem allows a trusted client to perform HTTP Request

  Debian LTS: DLA-2596-1: shadow security update (Mar 17)
 

Several vulnerabilities were discovered in the shadow suite of login tools. An attacker may escalate privileges in specific configurations. CVE-2017-20002

  Debian LTS: DLA-2596-1: tomcat8 security update (Mar 16)
 

Three security issues have been detected in tomcat8. CVE-2021-24122

  Debian LTS: DLA-2589-2: mupdf regression update (Mar 14)
 

DLA 2589-1 incorrectly fixed CVE-2020-26519 and also induced regression where opening a PDF document resulted in a SIGFPE crash, a floating point exception.

  Debian LTS: DLA-2593-1: ca-certificates whitelist Symantec CA (Mar 13)
 

This update reverts the Symantec CA blacklist (which was originally #911289). The following root certificates were added back (+): + "GeoTrust Global CA" + "GeoTrust Primary Certification Authority"

  Debian LTS: DLA-2592-1: golang-1.8 security update (Mar 13)
 

Several vulnerabilities were discovered in the Go programming language. An attacker could trigger a denial-of-service (DoS), bypass access control, and execute arbitrary code on the developer's computer.

  Debian LTS: DLA-2591-1: golang-1.7 security update (Mar 13)
 

Several vulnerabilities were discovered in the Go programming language. An attacker could trigger a denial-of-service (DoS), bypass access control, and execute arbitrary code on the developer's computer.

  Debian LTS: DLA-2589-1: mupdf security update (Mar 11)
 

CVE-2020-26519 A heap-based buffer overflow flaw was discovered in MuPDF, a lightweight PDF viewer, which may result in denial of

  CentOS: CESA-2021-0856: Important CentOS 7 kernel (Mar 18)
 

Upstream details at: https://access.redhat.com/errata/RHSA-2021:0856

  CentOS: CESA-2021-0808: Important CentOS 7 wpa_supplicant (Mar 18)
 

Upstream details at: https://access.redhat.com/errata/RHSA-2021:0808

  CentOS: CESA-2021-0851: Important CentOS 7 pki-core (Mar 18)
 

Upstream details at: https://access.redhat.com/errata/RHSA-2021:0851

  SciLinux: SLSA-2021-0856-1 Important: kernel on SL7.x x86_64 (Mar 17)
 

kernel: Local buffer overflow in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c (CVE-2020-25211) * kernel: SCSI target (LIO) write to any block on ILO backstore (CVE-2020-28374) * kernel: locking issue in drivers/tty/tty_jobctrl.c can lead to a use-after-free (CVE-2020-29661) * kernel: malicious USB devices can lead to multiple out-of-bounds writes (CVE-2019-19532) [More...]

  SciLinux: SLSA-2021-0860-1 Important: ipa on SL7.x x86_64 (Mar 17)
 

jquery: Passing HTML containing elements to manipulation methods could result in untrusted code execution (CVE-2020-11023) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE Bug Fix(es): * cannot issue certs with multiple IP addresses corresponding to different hosts * CA-less install [More...]

  SciLinux: SLSA-2021-0851-1 Important: pki-core on SL7.x x86_64 (Mar 17)
 

pki-core: Unprivileged users can renew any certificate (CVE-2021-20179) * pki-core: XSS in the certificate search results (CVE-2020-25715) * pki-core: Reflected XSS in 'path length' constraint field in CA's Agent page (CVE-2019-10146) * pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab (CVE-2019-10179) * pki-core: Reflected XSS in [More...]

  SciLinux: SLSA-2021-0808-1 Important: wpa_supplicant on SL7.x x86_64 (Mar 11)
 

wpa_supplicant: Use-after-free in P2P provision discovery processing (CVE-2021-27803) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE SL7 x86_64 wpa_supplicant-2.6-12.el7_9.2.x86_64.rpm wpa_supplicant-debuginfo-2.6-12.el7_9.2.x86_64.rpm - Scientific Linux Development Team

  openSUSE: 2021:0448-1 moderate: netty (Mar 19)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0446-1 important: chromium (Mar 19)
 

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0447-1 important: velocity (Mar 19)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0444-1 moderate: libmysofa (Mar 18)
 

An update that fixes 13 vulnerabilities is now available.

  openSUSE: 2021:0443-1 moderate: privoxy (Mar 18)
 

An update that fixes 5 vulnerabilities is now available.

  openSUSE: 2021:0436-1 important: chromium (Mar 17)
 

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0435-1 moderate: python (Mar 17)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0430-1 moderate: openssl-1_0_0 (Mar 16)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0418-1 moderate: 389-ds (Mar 16)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0427-1 moderate: openssl-1_1 (Mar 16)
 

An update that solves two vulnerabilities and has one errata is now available.

  openSUSE: 2021:0423-1 moderate: postgresql12 (Mar 16)
 

An update that solves one vulnerability and has one errata is now available.

  openSUSE: 2021:0429-1 moderate: python-markdown2 (Mar 16)
 

An update that solves one vulnerability and has two fixes is now available.

  openSUSE: 2021:0416-1 moderate: connman (Mar 16)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0428-1: freeradius-server (Mar 16)
 

An update that contains security fixes can now be installed.

  openSUSE: 2021:0415-1 moderate: froxlor (Mar 16)
 

An update that solves one vulnerability and has three fixes is now available.

  openSUSE: 2021:0413-1 important: opera (Mar 15)
 

An update that fixes 10 vulnerabilities is now available.

  openSUSE: 2021:0408-1 important: openldap2 (Mar 14)
 

An update that fixes 11 vulnerabilities is now available.

  openSUSE: 2021:0410-1 important: crmsh (Mar 14)
 

An update that solves two vulnerabilities and has 7 fixes is now available.

  openSUSE: 2021:0407-1 important: kernel-firmware (Mar 14)
 

An update that fixes four vulnerabilities is now available.

  openSUSE: 2021:0405-1 important: git (Mar 14)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0406-1 important: glib2 (Mar 14)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0409-1 important: stunnel (Mar 14)
 

An update that solves one vulnerability and has one errata is now available.

  openSUSE: 2021:0404-1 important: wpa_supplicant (Mar 14)
 

An update that fixes one vulnerability is now available.

  Mageia 2021-0146: discover security update (Mar 18)
 

Discover fetches the description and related texts of some applications/plugins from store.kde.org. That text is displayed to the user after turning any part of the text that looks like a link into a clickable link. This is done for any kind of link, be it smb://, nfs:// etc., when in fact it only makes sense for http/https links. Opening links that the user has clicked on is not very

  Mageia 2021-0145: flatpak security update (Mar 18)
 

A potential attack where a flatpak application could use custom formatted .desktop files to gain access to files on the host system (CVE-2021-21381). References: - https://bugs.mageia.org/show_bug.cgi?id=28575

  Mageia 2021-0144: xmlgraphics-commons security update (Mar 18)
 

The Apache XML Graphics Commons library is vulnerable to SSRF via the XMPParser, which allows an attacker to cause the underlying server to make arbitrary GET requests (CVE-2020-11988). References:

  Mageia 2021-0143: flatpak security update (Mar 18)
 

Sandbox escape where a malicious application can execute code outside the sandbox by controlling the environment of the "flatpak run" command when spawning a sub-sandbox (CVE-2021-21261). A potential attack where a flatpak application could use custom formatted

  Mageia 2021-0142: chromium-browser-stable security update (Mar 17)
 

The updated packages fix security vulnerabilities. At least one of them is known to be actively exploited. References: - https://bugs.mageia.org/show_bug.cgi?id=28534

  Mageia 2021-0141: ksh security update (Mar 17)
 

A flaw was found in the way ksh evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely (CVE-2019-14868).

  Mageia 2021-0140: microcode security update (Mar 17)
 

This update adds new microcode updates to mitigate CVE-2020-8696 for Intel Skylake server (50654) and Cascade Lake Server (50656 & 50657) processors. The new microcode update mitigates an issue when using an active JTAG agent like In Target Probe (ITP), Direct Connect Interface (DCI) or a Baseboard Management Controller (BMC) to take the CPU JTAG/TAP out of reset and then

  Mageia 2021-0139: batik security update (Mar 17)
 

The Apache Batik library is vulnerable to SSRF via the NodePickerPanel, which allows an attacker to cause the underlying server to make arbitrary GET requests (CVE-2020-11987).

  Mageia 2021-0138: glibc security update (Mar 17)
 

Updated glibc packages fix a security vulnerability: The nameserver caching daemon (nscd), when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system (CVE-2021-27645).

  Mageia 2021-0137: git security update (Mar 14)
 

On case-insensitive file systems with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone (CVE-2021-21300).

  Mageia 2021-0136: netty security update (Mar 14)
 

When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storage of uploads on disk is enabled (CVE-2021-21290).

  Mageia 2021-0135: python-django security update (Mar 14)
 

Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes to prevent web cache poisoning. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default (CVE-2021-23336).

  Mageia 2021-0134: mediainfo security update (Mar 14)
 

In MediaInfoLib in MediaArea MediaInfo 20.03, there is a stack-based buffer over-read in Streams_Fill_PerStream in Multiple/File_MpegPs.cpp (aka an off-by-one during MpegPs parsing) (CVE-2020-15395).

  Mageia 2021-0133: quartz security update (Mar 14)
 

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description (CVE-2019-13990).

  Mageia 2021-0132: ansible security update (Mar 11)
 

User data leak in snmp_facts module (CVE-2021-20178). The bitbucket_pipeline_variable module exposed secured values (CVE-2021-20180).

  Mageia 2021-0131: ansible security update (Mar 11)
 

User data leak in snmp_facts module (CVE-2021-20178). Multiple collections exposed secured values (CVE-2021-20191). In basic.py, no_log with fallback option (CVE-2021-20228). The ansible package has been patched to fix these issues.

  Mageia 2021-0130: roundcubemail security update (Mar 11)
 

This update fixes cross-site scripting (XSS) via HTML messages with malicious CSS content (CVE-2021-26925). References: https://bugs.mageia.org/show_bug.cgi?id=28387

  Mageia 2021-0129: python-cryptography security update (Mar 11)
 

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow (CVE-2020-36242).

  Mageia 2021-0128: libcaca security update (Mar 11)
 

A buffer overflow issue in the caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context (CVE-2021-3410). References: https://bugs.mageia.org/show_bug.cgi?id=28556

  Mageia 2021-0127: gnuplot security update (Mar 11)
 

Double free when executing print_set_output() (CVE-2020-25559). Additionally, a missing dependency on gnuplot has been added to the gnuplot-qt package.

  Mageia 2021-0126: ceph security update (Mar 11)
 

A flaw was found in Ceph where Ceph stores mgr module passwords in clear text. This issue can be found by searching the mgr logs for Grafana and dashboard with passwords visible. The highest threat from this vulnerability is to confidentiality (CVE-2020-25678).

  Mageia 2021-0125: mumble security update (Mar 11)
 

Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text (CVE-2021-27229).

  Mageia 2021-0124: ruby-mechanize security update (Mar 11)
 

In Mechanize, from v2.0.0 until v2.7.7, there is a command injection vulnerability. Affected versions of Mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel#open method (CVE-2021-21289).

  Mageia 2021-0123: glib2.0 security update (Mar 11)
 

* Fix various instances within GLib where `g_memdup()` was vulnerable to a silent integer truncation and heap overflow problem (discovered by Kevin Backhouse, work by Philip Withnall) (#2319) * Fix some issues with handling over-long (invalid) input when parsing for

  Mageia 2021-0122: python-httplib2 security update (Mar 11)
 

A malicious server which responds with a long series of \xa0 characters in the www-authenticate header may cause Denial of Service (CPU burn while parsing the header) of the httplib2 client accessing said server (CVE-2021-21240).

  Mageia 2021-0121: postgresql security update (Mar 11)
 

A user having an UPDATE privilege on a partitioned table but lacking the SELECT privilege on some column may be able to acquire denied-column values from an error message (CVE-2021-3393). A user having a SELECT privilege on an individual column can craft a special

  Mageia 2021-0120: firejail security update (Mar 11)
 

Roman Fiedler discovered a vulnerability in the OverlayFS code in firejail, which could result in root privilege escalation. This update disables OverlayFS support in firejail (CVE-2021-26910).

  Mageia 2021-0119: python-yaml security update (Mar 11)
 

A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the

  Mageia 2021-0118: openssh security update (Mar 11)
 

The client side in OpenSSH 5.7 through 8.3 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client) (CVE-2020-14145).
