Linux Advisory Watch: March 5th, 2021


Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! Staying on top of the latest security advisories issued by the distro(s) you use is essential in maintaining an updated, secure Linux system. Our weekly newsletter is an easy, convenient way to track distribution security advisories - helping you keep your Linux environment safe from malware and other exploits.

Important advisories issued this week include warnings from Debian, Red Hat and Scientific Linux regarding several vulnerabilities discovered in the GRUB2 bootloader, a Debian advisory warning of multiple Docker security issues that could result in denial of service, an information leak or privilege escalation, and BIND updates from Red Hat, CentOS, Scientific Linux, Arch Linux, openSUSE and Mageia, several of which address a buffer overflow in the SPNEGO implementation (CVE-2020-8625). Continue reading to learn about other significant advisories issued this week. Have a happy, safe and secure weekend!

Yours in Open Source,

Brittany Day


LinuxSecurity.com Feature Extras:

Get started with CrowdSec v.1.0.X - The official release of CrowdSec v.1.0.X introduces several improvements to the previous version, including a major architectural change: the introduction of a local REST API.

Best Secure Linux Distros for Enhanced Privacy & Security - We’ve put together a list of our favorite specialized secure Linux distros and spoken with some of their lead developers to find out first-hand what makes these distros so great. This article aims to help you evaluate your options and select the distro that best meets your individual needs.


  Debian: DSA-4867-1: grub2 security update (Mar 2)
 

Several vulnerabilities have been discovered in the GRUB2 bootloader. CVE-2020-14372

  Debian: DSA-4866-1: thunderbird security update (Feb 28)
 

For the stable distribution (buster), these problems have been fixed in

  Debian: DSA-4865-1: docker.io security update (Feb 27)
 

Multiple security issues were discovered in Docker, a Linux container runtime, which could result in denial of service, an information leak or privilege escalation.

  Debian: DSA-4864-1: python-aiohttp security update (Feb 27)
 

Beast Glatisant and Jelmer Vernooij reported that python-aiohttp, an async HTTP client/server framework, is prone to an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web server could redirect the browser to a different website.

  Fedora 33: screen 2021-9107eeb95c (Mar 4)
 

Security update for CVE-2021-26937

  Fedora 33: isync 2021-ef8c2acfce (Mar 4)
 

Update to latest upstream release 1.4.1 (#1931574)

  Fedora 33: openvswitch 2021-fba11d37ee (Mar 4)
 

Updated OVS to 2.15 and DPDK to 20.11

  Fedora 33: dpdk 2021-fba11d37ee (Mar 4)
 

Updated OVS to 2.15 and DPDK to 20.11

  Fedora 32: 389-ds-base 2021-dc1a4934a5 (Mar 4)
 

- 389-ds fixes an information disclosure during unsuccessful LDAP BIND operation, CVE-2020-35518
- Dogtag PKI adapted to work with 389-ds with the fix
- FreeIPA rebuilt to require new Dogtag and 389-ds versions

  Fedora 32: dogtag-pki 2021-dc1a4934a5 (Mar 4)
 

- 389-ds fixes an information disclosure during unsuccessful LDAP BIND operation, CVE-2020-35518
- Dogtag PKI adapted to work with 389-ds with the fix
- FreeIPA rebuilt to require new Dogtag and 389-ds versions

  Fedora 32: freeipa 2021-dc1a4934a5 (Mar 4)
 

- 389-ds fixes an information disclosure during unsuccessful LDAP BIND operation, CVE-2020-35518
- Dogtag PKI adapted to work with 389-ds with the fix
- FreeIPA rebuilt to require new Dogtag and 389-ds versions

  Fedora 32: pki-core 2021-dc1a4934a5 (Mar 4)
 

- 389-ds fixes an information disclosure during unsuccessful LDAP BIND operation, CVE-2020-35518
- Dogtag PKI adapted to work with 389-ds with the fix
- FreeIPA rebuilt to require new Dogtag and 389-ds versions

  Fedora 32: screen 2021-5e9894a0c5 (Mar 3)
 

Security update for CVE-2021-26937

  Fedora 32: isync 2021-954ebabcf7 (Mar 3)
 

Update to latest upstream release 1.4.1 (#1931574)

  Fedora 33: freeipa 2021-7458e2d835 (Mar 3)
 

- 389-ds fixes an information disclosure during unsuccessful LDAP BIND operation, CVE-2020-35518
- Dogtag PKI adapted to work with 389-ds with the fix
- FreeIPA rebuilt to require new Dogtag and 389-ds versions

  Fedora 33: pki-core 2021-7458e2d835 (Mar 3)
 

- 389-ds fixes an information disclosure during unsuccessful LDAP BIND operation, CVE-2020-35518
- Dogtag PKI adapted to work with 389-ds with the fix
- FreeIPA rebuilt to require new Dogtag and 389-ds versions

  Fedora 33: dogtag-pki 2021-7458e2d835 (Mar 3)
 

- 389-ds fixes an information disclosure during unsuccessful LDAP BIND operation, CVE-2020-35518
- Dogtag PKI adapted to work with 389-ds with the fix
- FreeIPA rebuilt to require new Dogtag and 389-ds versions

  Fedora 33: 389-ds-base 2021-7458e2d835 (Mar 3)
 

- 389-ds fixes an information disclosure during unsuccessful LDAP BIND operation, CVE-2020-35518
- Dogtag PKI adapted to work with 389-ds with the fix
- FreeIPA rebuilt to require new Dogtag and 389-ds versions

  Fedora 34: dogtag-pki 2021-263244c071 (Mar 3)
 

- 389-ds fixes an information disclosure during unsuccessful LDAP BIND operation, CVE-2020-35518
- Dogtag PKI adapted to work with 389-ds with the fix
- FreeIPA rebuilt to require new Dogtag and 389-ds versions

  Fedora 34: freeipa 2021-263244c071 (Mar 3)
 

- 389-ds fixes an information disclosure during unsuccessful LDAP BIND operation, CVE-2020-35518
- Dogtag PKI adapted to work with 389-ds with the fix
- FreeIPA rebuilt to require new Dogtag and 389-ds versions

  Fedora 34: pki-core 2021-263244c071 (Mar 3)
 

- 389-ds fixes an information disclosure during unsuccessful LDAP BIND operation, CVE-2020-35518
- Dogtag PKI adapted to work with 389-ds with the fix
- FreeIPA rebuilt to require new Dogtag and 389-ds versions

  Fedora 34: 389-ds-base 2021-263244c071 (Mar 3)
 

- 389-ds fixes an information disclosure during unsuccessful LDAP BIND operation, CVE-2020-35518
- Dogtag PKI adapted to work with 389-ds with the fix
- FreeIPA rebuilt to require new Dogtag and 389-ds versions

  Fedora 33: wpa_supplicant 2021-3430f96019 (Mar 2)
 

Security fix for CVE-2021-27803

  Fedora 33: salt 2021-5756fbf8a6 (Mar 2)
 

Update to CVE release 3002.5-1 for Python 3.
Fixed in this release: CVE-2021-25283
Fixed in 3002.3: CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-3148 CVE-2021-3144 CVE-2021-25281 CVE-2021-25282 CVE-2021-25283 CVE-2021-25284 CVE-2021-3197

  Fedora 32: salt 2021-904a2dbc0c (Mar 2)
 

Update to CVE release 3001.6-1 for Python 3.
Fixed in 3001.5: CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-3148 CVE-2021-3144 CVE-2021-25281 CVE-2021-25282 CVE-2021-25283 CVE-2021-25284 CVE-2021-3197

  Fedora 32: webkit2gtk3 2021-e03b328043 (Mar 2)
 

- Bring back the WebKitPluginProcess that was removed by mistake. (It will disappear again soon.)
- Fix RunLoop objects leaked in worker threads.
- Use Internet Explorer quirk for Google Docs. (Yes, even this new quirk is broken already.)
- Security fixes: CVE-2020-13558

  Fedora 32: ansible 2021-9a0903469c (Mar 1)
 

Update to security and bugfix release 2.9.18.

  Fedora 33: ansible 2021-e9478617ae (Mar 1)
 

Update to security and bugfix release 2.9.18.

  Fedora 33: chromium 2021-aa764a8531 (Feb 28)
 

Update to 88.0.4324.182. Fixes CVE-2021-21149 CVE-2021-21150 CVE-2021-21151 CVE-2021-21152 CVE-2021-21153 CVE-2021-21154 CVE-2021-21155 CVE-2021-21156 CVE-2021-21157

  Fedora 33: firefox 2021-e440aa9307 (Feb 27)
 

- New upstream version (86.0)

  Fedora 33: kernel 2021-7143aca8cb (Feb 26)
 

The 5.10.18 stable kernel update contains a number of important fixes across the tree.

  Fedora 33: rygel 2021-20b9876f11 (Feb 26)
 

rygel 0.40.1 release. For details, see https://mail.gnome.org/archives/ftp-release-list/2021-February/msg00105.html

  Fedora 32: kernel 2021-8d45d297c6 (Feb 26)
 

The 5.10.18 stable kernel update contains a number of important fixes across the tree.

  Fedora 33: libpq 2021-3286ac2acc (Feb 25)
 

Update postgresql and libpq to the new upstream release.

  Fedora 33: postgresql 2021-3286ac2acc (Feb 25)
 

Update postgresql and libpq to the new upstream release.

  Fedora 33: xen 2021-47f53a940a (Feb 25)
 

- Linux: display frontend "be-alloc" mode is unsupported (comment only) [XSA-363, CVE-2021-26934] (#1929549)
- arm: The cache may not be cleaned for newly allocated scrubbed pages [XSA-364, CVE-2021-26933] (#1929547)

  Fedora 33: containernetworking-plugins 2021-fb466fb623 (Feb 25)
 

- bump podman to v3.0.1, Security fix for CVE-2021-20206
- Resolves: #1919391, #1926796 - Security fix for CVE-2021-20206
- Autobuilt v1.19.3
- Autobuilt v1.19.2
- Autobuilt v1.19.1
- Autobuilt v1.19.0
- harden cgo based golang binaries
- Autobuilt v0.9.1

  Fedora 33: containers-common 2021-fb466fb623 (Feb 25)
 

- bump podman to v3.0.1, Security fix for CVE-2021-20206
- Resolves: #1919391, #1926796 - Security fix for CVE-2021-20206
- Autobuilt v1.19.3
- Autobuilt v1.19.2
- Autobuilt v1.19.1
- Autobuilt v1.19.0
- harden cgo based golang binaries
- Autobuilt v0.9.1

  Fedora 33: podman 2021-fb466fb623 (Feb 25)
 

- bump podman to v3.0.1, Security fix for CVE-2021-20206
- Resolves: #1919391, #1926796 - Security fix for CVE-2021-20206
- Autobuilt v1.19.3
- Autobuilt v1.19.2
- Autobuilt v1.19.1
- Autobuilt v1.19.0
- harden cgo based golang binaries
- Autobuilt v0.9.1

  Fedora 33: skopeo 2021-fb466fb623 (Feb 25)
 

- bump podman to v3.0.1, Security fix for CVE-2021-20206
- Resolves: #1919391, #1926796 - Security fix for CVE-2021-20206
- Autobuilt v1.19.3
- Autobuilt v1.19.2
- Autobuilt v1.19.1
- Autobuilt v1.19.0
- harden cgo based golang binaries
- Autobuilt v0.9.1

  Fedora 33: buildah 2021-fb466fb623 (Feb 25)
 

- bump podman to v3.0.1, Security fix for CVE-2021-20206
- Resolves: #1919391, #1926796 - Security fix for CVE-2021-20206
- Autobuilt v1.19.3
- Autobuilt v1.19.2
- Autobuilt v1.19.1
- Autobuilt v1.19.0
- harden cgo based golang binaries
- Autobuilt v0.9.1

  Fedora 32: xen 2021-4c819bf1ad (Feb 25)
 

- Linux: display frontend "be-alloc" mode is unsupported (comment only) [XSA-363, CVE-2021-26934] (#1929549)
- arm: The cache may not be cleaned for newly allocated scrubbed pages [XSA-364, CVE-2021-26933] (#1929547)

  Fedora 33: xterm 2021-e7a8e79fa8 (Feb 25)
 

Security fix for CVE-2021-27135

  Fedora 32: libpq 2021-3db6876545 (Feb 25)
 

Update to the latest upstream release.

  Fedora 32: postgresql 2021-3db6876545 (Feb 25)
 

Update to the latest upstream release.

  Fedora 32: libmysofa 2021-4e40ccb5e6 (Feb 25)
 

Fixes various security issues by upgrading to the current 1.2 version.

  RedHat: RHSA-2021-0736:01 Critical: java-1.8.0-ibm security update (Mar 4)
 

An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0735:01 Important: nodejs:10 security update (Mar 4)
 

An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0734:01 Important: nodejs:12 security update (Mar 4)
 

An update for the nodejs:12 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0733:01 Critical: java-1.7.1-ibm security update (Mar 4)
 

An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0727:01 Important: bind security update (Mar 4)
 

An update for bind is now available for Red Hat Enterprise Linux 7.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0719:01 Moderate: Red Hat Advanced Cluster Management (Mar 3)
 

Red Hat Advanced Cluster Management for Kubernetes 2.0.8 General Availability release, which fixes bugs and security issues. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0717:01 Critical: java-1.8.0-ibm security update (Mar 3)
 

An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0711:01 Important: virt:rhel and virt-devel:rhel security (Mar 3)
 

An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0637:01 Important: OpenShift Container Platform 3.11.394 (Mar 3)
 

Red Hat OpenShift Container Platform release 3.11.394 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0710:01 Important: container-tools:2.0 security update (Mar 3)
 

An update for the container-tools:2.0 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0428:01 Important: OpenShift Container Platform 4.5.33 (Mar 2)
 

Red Hat OpenShift Container Platform release 4.5.33 is now available with updates to packages and images that fix several bugs and add enhancements. This release also includes a security update for Red Hat OpenShift Container Platform 4.5.

  RedHat: RHSA-2021-0429:01 Important: OpenShift Container Platform 4.5.33 (Mar 2)
 

Red Hat OpenShift Container Platform release 4.5.33 is now available with updates to packages and images that fix several bugs. This release also includes a security update for Red Hat OpenShift Container Platform 4.5.

  RedHat: RHSA-2021-0701:01 Moderate: grub2 security update (Mar 2)
 

An update for grub2 is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0700:01 Moderate: grub2 security update (Mar 2)
 

An update for grub2 is now available for Red Hat Enterprise Linux 7.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0699:01 Moderate: grub2 security update (Mar 2)
 

An update for grub2 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0702:01 Moderate: grub2 security update (Mar 2)
 

An update for grub2 is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions.

  RedHat: RHSA-2021-0704:01 Moderate: grub2 security update (Mar 2)
 

An update for grub2 is now available for Red Hat Enterprise Linux 7.2 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0703:01 Moderate: grub2 security update (Mar 2)
 

An update for grub2 is now available for Red Hat Enterprise Linux 7.3 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0697:01 Moderate: grub2 security update (Mar 2)
 

An update for grub2 is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0696:01 Moderate: grub2 security update (Mar 2)
 

An update for grub2 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2021-0698:01 Moderate: grub2 security update (Mar 2)
 

An update for grub2 is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2021-0706:01 Important: container-tools:2.0 security update (Mar 2)
 

An update for the container-tools:2.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0705:01 Important: container-tools:1.0 security update (Mar 2)
 

An update for the container-tools:1.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0691:01 Important: bind security update (Mar 2)
 

An update for bind is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0692:01 Important: bind security update (Mar 2)
 

An update for bind is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions.

  RedHat: RHSA-2021-0693:01 Important: bind security update (Mar 2)
 

An update for bind is now available for Red Hat Enterprise Linux 7.3 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0694:01 Important: bind security update (Mar 2)
 

An update for bind is now available for Red Hat Enterprise Linux 7.2 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0686:01 Important: kernel security and bug fix update (Mar 2)
 

An update for kernel is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0689:01 Important: kpatch-patch security update (Mar 2)
 

An update is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0671:01 Important: bind security update (Mar 1)
 

An update for bind is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0672:01 Important: bind security update (Mar 1)
 

An update for bind is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0681:01 Important: podman security update (Mar 1)
 

An update for podman is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2021-0670:01 Important: bind security update (Mar 1)
 

An update for bind is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2021-0669:01 Important: bind security update (Mar 1)
 

An update for bind is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  SUSE: 2021:61-1 suse/sles12sp5 Security Update (Mar 4)
 

The container suse/sles12sp5 was updated. The following patches have been included in this update:

  SUSE: 2021:59-1 suse/sle15 Security Update (Feb 28)
 

The container suse/sle15 was updated. The following patches have been included in this update:

  SUSE: 2021:58-1 suse/sle15 Security Update (Feb 27)
 

The container suse/sle15 was updated. The following patches have been included in this update:

  SUSE: 2021:57-1 suse/sles12sp5 Security Update (Feb 26)
 

The container suse/sles12sp5 was updated. The following patches have been included in this update:

  Debian LTS: DLA-2581-1: wpa security update (Mar 2)
 

A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.

  Debian LTS: DLA-2580-1: adminer security update (Mar 2)
 

Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected.

  Debian LTS: DLA-2579-1: spip security update (Mar 2)
 

It was discovered that SPIP, a website engine for publishing, would allow a malicious user to perform cross-site scripting attacks, access sensitive information, or execute arbitrary code.

  Debian LTS: DLA-2577-1: python-pysaml2 security update (Feb 26)
 

Several issues have been found in python-pysaml2, a pure python implementation of SAML Version 2 Standard. CVE-2017-1000433

  Debian LTS: DLA-2575-1: firefox-esr security update (Feb 25)
 

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or information disclosure.

  ArchLinux: 202102-43: thrift: denial of service (Mar 1)
 

The package thrift before version 0.14.0-1 is vulnerable to denial of service.

  ArchLinux: 202102-42: openssl: multiple issues (Mar 1)
 

The package openssl before version 1.1.1.j-1 is vulnerable to multiple issues including denial of service and incorrect calculation.

  ArchLinux: 202102-41: tar: denial of service (Mar 1)
 

The package tar before version 1.34-1 is vulnerable to denial of service.

  ArchLinux: 202102-40: bind: arbitrary code execution (Mar 1)
 

The package bind before version 9.16.12-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202102-39: ipmitool: arbitrary code execution (Mar 1)
 

The package ipmitool before version 1.8.18-7 is vulnerable to arbitrary code execution.

  ArchLinux: 202102-38: isync: directory traversal (Mar 1)
 

The package isync before version 1.3.5-1 is vulnerable to directory traversal.

  ArchLinux: 202102-37: python: multiple issues (Mar 1)
 

The package python before version 3.9.2-1 is vulnerable to multiple issues including arbitrary code execution and url request injection.

  ArchLinux: 202102-36: python-cryptography: incorrect calculation (Mar 1)
 

The package python-cryptography before version 3.4-1 is vulnerable to incorrect calculation.

  ArchLinux: 202102-35: python-httplib2: denial of service (Mar 1)
 

The package python-httplib2 before version 0.19.0-1 is vulnerable to denial of service.

  ArchLinux: 202102-34: intel-ucode: information disclosure (Mar 1)
 

The package intel-ucode before version 20210216-1 is vulnerable to information disclosure.

  ArchLinux: 202102-33: salt: multiple issues (Mar 1)
 

The package salt before version 3002.5-3 is vulnerable to multiple issues including access restriction bypass, arbitrary command execution, certificate verification bypass, cross-site scripting, insufficient validation, privilege escalation, directory traversal and information disclosure.

  ArchLinux: 202102-32: mumble: arbitrary code execution (Feb 25)
 

The package mumble before version 1.3.4-1 is vulnerable to arbitrary code execution.

  ArchLinux: 202102-31: postgresql: information disclosure (Feb 25)
 

The package postgresql before version 13.2-1 is vulnerable to information disclosure.

  ArchLinux: 202102-30: ansible-base: information disclosure (Feb 25)
 

The package ansible-base before version 2.10.6-1 is vulnerable to information disclosure.

  ArchLinux: 202102-29: keycloak: cross-site scripting (Feb 25)
 

The package keycloak before version 12.0.3-1 is vulnerable to cross-site scripting.
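The Arch Linux entries above all follow one pattern, "The package X before version Y is vulnerable to Z", and the Fedora notes earlier on the page carry long CVE lists, some with repeated IDs. The following is an added example, not code from LinuxSecurity or from any distribution: it parses those sentences, extracts and de-duplicates CVE IDs from free-text notes, and flags packages whose installed version is still below the fixed one. The version ordering is a simplified rpmvercmp-style comparison (numeric beats alphabetic within a segment, leftover segments win), which does not reproduce every corner case of pacman's or rpm's own vercmp; the installed-version table is constructed for the example and is not read from a real system.

```python
"""Triage helper for advisory one-liners (added example, not a distro tool)."""
import re
from typing import NamedTuple, Optional

ARCH_RE = re.compile(r"The package (?P<pkg>\S+) before version (?P<ver>\S+) is vulnerable to (?P<impact>.+)")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
_SEG_RE = re.compile(r"\d+|[A-Za-z]+")   # "1.1.1.j" -> 1, 1, 1, "j"


class Advisory(NamedTuple):
    package: str
    fixed_version: str
    impact: str


def parse_arch_line(line: str) -> Optional[Advisory]:
    """Parse one Arch-style sentence; None if the line has another shape."""
    m = ARCH_RE.search(line)
    if not m:
        return None
    return Advisory(m["pkg"], m["ver"], m["impact"].strip().rstrip("."))


def extract_cves(text: str) -> list:
    """CVE IDs in first-seen order, de-duplicated (notes often repeat an ID)."""
    seen = []
    for cve in CVE_RE.findall(text):
        if cve not in seen:
            seen.append(cve)
    return seen


def _segments(s: str) -> list:
    return [int(t) if t.isdigit() else t for t in _SEG_RE.findall(s)]


def _cmp_segments(a: list, b: list) -> int:
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):      # numeric segment is newer than an alphabetic one
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1   # both alphabetic: plain string order
    return (len(a) > len(b)) - (len(a) < len(b))   # leftover segments win (simplification)


def vercmp(a: str, b: str) -> int:
    """Compare "version-release" strings: <0 if a is older, 0 equal, >0 newer."""
    av, _, ar = a.partition("-")
    bv, _, br = b.partition("-")
    c = _cmp_segments(_segments(av), _segments(bv))
    if c != 0 or not (ar and br):
        return c
    return _cmp_segments(_segments(ar), _segments(br))   # same version: compare pkgrel


def is_vulnerable(installed: str, fixed: str) -> bool:
    return vercmp(installed, fixed) < 0


def triage(lines, installed: dict) -> list:
    """[(package, installed, fixed, impact)] for installed packages below the fix."""
    hits = []
    for line in lines:
        adv = parse_arch_line(line)
        if adv is None or adv.package not in installed:
            continue
        cur = installed[adv.package]
        if is_vulnerable(cur, adv.fixed_version):
            hits.append((adv.package, cur, adv.fixed_version, adv.impact))
    return hits


# Constructed sample input: sentences copied from this newsletter plus an
# installed-version table invented for the example (not from a real host).
SAMPLE_LINES = [
    "The package thrift before version 0.14.0-1 is vulnerable to denial of service.",
    "The package openssl before version 1.1.1.j-1 is vulnerable to multiple issues including denial of service and incorrect calculation.",
    "The package tar before version 1.34-1 is vulnerable to denial of service.",
    "The package bind before version 9.16.12-1 is vulnerable to arbitrary code execution.",
    "The package python before version 3.9.2-1 is vulnerable to multiple issues including arbitrary code execution and url request injection.",
    "The package salt before version 3002.5-3 is vulnerable to multiple issues including access restriction bypass, arbitrary command execution and information disclosure.",
]
INSTALLED = {"openssl": "1.1.1.i-1", "tar": "1.34-1", "bind": "9.16.12-1",
             "python": "3.9.1-3", "salt": "3002.5-2"}
SALT_NOTE = ("Update to CVE release 3002.5-1 for Python 3 Fixed on this release: CVE-2021-25283 "
             "Fixed in 3002.3: CVE-2020-28243 CVE-2020-28972 CVE-2020-35662 CVE-2021-3148 "
             "CVE-2021-3144 CVE-2021-25281 CVE-2021-25282 CVE-2021-25283 CVE-2021-25284 "
             "CVE-2021-25284 CVE-2021-3197")

if __name__ == "__main__":
    for pkg, cur, fixed, impact in triage(SAMPLE_LINES, INSTALLED):
        print(f"{pkg}: installed {cur} < fixed {fixed} ({impact})")
    print("salt CVEs:", extract_cves(SALT_NOTE))
```

On a real host the INSTALLED table would come from the package manager (for example the output of `pacman -Q`), and the pkgrel comparison matters: the salt entry above is flagged because 3002.5-2 is below the fixed 3002.5-3 even though the upstream version matches.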

  CentOS: CESA-2021-0671: Important CentOS 7 bind (Mar 2)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0671

  CentOS: CESA-2021-0661: Important CentOS 7 thunderbird (Feb 27)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0661

  CentOS: CESA-2021-0656: Critical CentOS 7 firefox (Feb 27)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0656

  CentOS: CESA-2021-0024: Important CentOS 7 ImageMagick (Feb 27)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0024

  CentOS: CESA-2020-5408: Important CentOS 7 xorg-x11-server (Feb 27)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5408

  CentOS: CESA-2020-5402: Important CentOS 7 libexif (Feb 27)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5402

  SciLinux: SLSA-2021-0699-1 Important: grub2 on SL7.x x86_64 (Mar 3)
 

- grub2: acpi command allows privileged user to load crafted ACPI tables when Secure Boot is enabled (CVE-2020-14372)
- grub2: Use-after-free in rmmod command (CVE-2020-25632)
- grub2: Out-of-bounds write in grub_usb_device_initialize() (CVE-2020-25647)
- grub2: Stack buffer overflow in grub_parser_split_cmdline() (CVE-2020-27749)
- grub2: cutmem command allows privileged user to remove memo [More...]

  SciLinux: SLSA-2021-0671-1 Important: bind on SL7.x x86_64 (Mar 1)
 

- bind: Buffer overflow in the SPNEGO implementation affecting GSSAPI security policy negotiation (CVE-2020-8625)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE

SL7 x86_64: bind-debuginfo-9.11.4-26.P2.el7_9.4.i686.rpm bind-debuginfo-9.11.4-26.P2.el7_9.4.x86_64.rpm bind-export-libs-9 [More...]

  openSUSE: 2021:0377-1 moderate: ImageMagick (Mar 3)
 

An update that fixes four vulnerabilities is now available.

  openSUSE: 2021:0376-1 important: webkit2gtk3 (Mar 3)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0375-1 important: bind (Mar 3)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0374-1 moderate: java-1_8_0-openjdk (Mar 3)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0372-1 important: nodejs10 (Mar 3)
 

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0373-1 important: MozillaFirefox (Mar 3)
 

An update that fixes four vulnerabilities is now available.

  openSUSE: 2021:0370-1 moderate: avahi (Mar 2)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0363-1 important: qemu (Mar 1)
 

An update that solves four vulnerabilities and has four fixes is now available.

  openSUSE: 2021:0356-1 important: nodejs14 (Feb 27)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2021:0357-1 important: nodejs12 (Feb 27)
 

An update that fixes three vulnerabilities is now available.

  openSUSE: 2021:0358-1 important: glibc (Feb 27)
 

An update that solves 5 vulnerabilities and has one erratum is now available.

  openSUSE: 2021:0349-1 important: python-cryptography (Feb 26)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0348-1 moderate: pcp (Feb 26)
 

An update that contains security fixes can now be installed.

  openSUSE: 2021:0347-1 critical: salt (Feb 26)
 

An update that solves 10 vulnerabilities and has two fixes is now available.

  openSUSE: 2021:0345-1 moderate: gnuplot (Feb 26)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2021:0341-1 moderate: nghttp2 (Feb 25)
 

An update that solves one vulnerability and has one erratum is now available.

  openSUSE: 2021:0338-1 important: python-djangorestframework (Feb 25)
 

An update that fixes one vulnerability is now available.

  Mageia 2021-0113: jasper security update (Mar 4)
 

jp2_decode in jp2/jp2_dec.c in libjasper in JasPer 2.0.24 has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components (CVE-2021-3272). A flaw was found in jasper. An out of bounds read issue was found in jp2_decode

  Mageia 2021-0112: xpdf security update (Mar 4)
 

In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) at SplashOutputDev.cc:3079 tries to use the freed `t3GlyphStack->cache`, which causes a `heap-use-after-free` problem. The code of a previous fix for nested Type 3 characters wasn't correctly handling the case where a Type 3 char referred to another char in the same Type 3 font (CVE-2020-25725).

  Mageia 2021-0111: gnome-autoar security update (Mar 4)
 

Yiğit Can Yılmaz discovered that GNOME Autoar could extract files outside of the intended directory. If a user were tricked into extracting a specially crafted archive, a remote attacker could create files in arbitrary locations, possibly leading to code execution (CVE-2020-36241).

  Mageia 2021-0110: bind security update (Mar 4)
 

A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code (CVE-2020-8625).

  Mageia 2021-0109: screen security update (Mar 4)
 

Felix Weinmann reported a flaw in the handling of combining characters in screen, which can result in denial of service, or potentially the execution of arbitrary code via a specially crafted UTF-8 character sequence (CVE-2021-26937).

  Mageia 2021-0108: openssl and compat-openssl10 security update (Mar 4)
 

Paul Kehrer discovered that OpenSSL incorrectly handled certain input lengths in EVP functions. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service (CVE-2021-23840). Tavis Ormandy discovered that OpenSSL incorrectly handled parsing issuer

  Mageia 2021-0107: webkit2 security update (Mar 4)
 

The webkit2 package has been updated to version 2.30.5, fixing several security issues and other bugs. References: - https://bugs.mageia.org/show_bug.cgi?id=28370

  Mageia 2021-0106: chromium-browser-stable security update (Mar 4)
 

The updated packages fix security vulnerabilities. References: - https://bugs.mageia.org/show_bug.cgi?id=28369 - https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_16.html

  Mageia 2021-0105: openldap security update (Mar 4)
 

It was discovered that OpenLDAP incorrectly handled Certificate Exact Assertion processing. A remote attacker could possibly use this issue to cause OpenLDAP to crash, resulting in a denial of service (CVE-2020-36221). It was discovered that OpenLDAP incorrectly handled saslAuthzTo processing. A

  Mageia 2021-0104: nonfree firmware security update (Mar 4)
 

Updated nonfree firmware fixes various issues, adds new / improved hardware support and fixes at least the following security issue: An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to

  Mageia 2021-0103: nonfree firmware security update (Mar 4)
 

Updated nonfree firmware fixes various issues, adds new / improved hardware support and fixes at least the following security issue: An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to

  Mageia 2021-0102: kernel-linus security update (Mar 4)
 

This kernel-linus update is based on upstream 5.10.19 and fixes at least the following security issues: An issue was discovered in the Linux kernel 3.11 through 5.10.16, as used by Xen. To service requests to the PV backend, the driver maps grant

  Mageia 2021-0101: kernel security update (Mar 4)
 

This kernel update is based on upstream 5.10.19 and fixes at least the following security issues: An issue was discovered in the Linux kernel 3.11 through 5.10.16, as used by Xen. To service requests to the PV backend, the driver maps grant

  Mageia 2021-0100: kernel-linus security update (Mar 4)
 

This kernel-linus update is based on upstream 5.10.19 and fixes at least the following security issues: There is a vulnerability in the Linux kernel versions higher than 5.2 (if the kernel is compiled with config params CONFIG_BPF_SYSCALL=y, CONFIG_BPF=y,

  Mageia 2021-0099: kernel security update (Mar 4)
 

This kernel update is based on upstream 5.10.19 and fixes at least the following security issues: There is a vulnerability in the Linux kernel versions higher than 5.2 (if the kernel is compiled with config params CONFIG_BPF_SYSCALL=y, CONFIG_BPF=y,

  Mageia 2021-0098: libtiff security update (Mar 4)
 

The updated libtiff packages fix security vulnerabilities: - Integer overflow in tif_getimage.c (CVE-2020-35523). - Heap-based buffer overflow in TIFF2PDF tool (CVE-2020-35524). References:

  Mageia 2021-0097: firefox security update (Mar 4)
 

If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. This could be used to leak sensitive information contained in such URIs (CVE-2021-23968).

  Mageia 2021-0096: thunderbird security update (Mar 4)
 

If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. This could be used to leak sensitive information contained in such URIs (CVE-2021-23968).

  Mageia 2021-0095: wpa_supplicant security update (Mar 2)
 

A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range (CVE-2021-27803).

  Mageia 2021-0094: xterm security update (Mar 2)
 

xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence (CVE-2021-27135). References:

  Mageia 2021-0093: openjpeg2 security update (Mar 2)
 

A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior to 2.4.0. This flaw allows an attacker to provide crafted input to openjpeg during conversion and encoding, causing an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability (CVE-2020-27844).

  Mageia 2021-0092: nodejs security update (Feb 28)
 

Two vulnerabilities were discovered in Node.js, which could result in denial of service or DNS rebinding attacks. A problem with upgrading from Mageia 7 to 8 has also been fixed. References:

  Mageia 2021-0091: subversion security update (Feb 28)
 

Subversion has been updated to fix a remote unauthenticated denial-of-service in Subversion mod_authz_svn. References: - https://bugs.mageia.org/show_bug.cgi?id=28348

  Mageia 2021-0090: pix security update (Feb 28)
 

A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg() in extensions/cairo_io/cairo-image-surface-jpeg.c in Linux Mint Pix before 2.4.5 allows attackers to cause a crash and potentially execute arbitrary code via a crafted JPEG file (CVE-2019-20326).
