Advisories

Linux Advisory Watch

Don't want to miss that crucial security notice?. The editorial staff at Guardian Digital will bring you complete coverage and in-depth
descriptions of all security bulletins, vulnerabilities and updated packages, all in one convenient weekly newsletter.

Linux Advisory Watch: November 20th, 2020

Linux Advisory Watch: November 20th, 2020

Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! Staying on top of the latest security advisories issued by the distro(s) you use is essential in maintaining an updated, secure Linux system. Our weekly newsletter is an easy, convenient way to track distribution security advisories - helping you keep your Linux environment safe from malware and other exploits.

Important advisories issued this week include warnings of multiple security issues in Mozilla Firefox, which could potentially result in the execution of arbitrary code, information disclosure, phishing, cross-site scripting or a DNS rebinding attack, and vulnerabilities in Google Chrome and Chromium, the worst of which could result in the arbitrary execution of code. Continue reading to learn about other significant advisories issued this week. Stay healthy, safe and secure - both on and offline!

Yours in Open Source,

Brittany Day Signature


LinuxSecurity.com Feature Extras:

WireGuard Brings Speed and Simplicity to VPN Technology - This article will briefly explore VPN protocols and potential concerns when implementing a VPN, and will dive deeper into the unique benefits that Wireguard offers users.

Open Source is Revolutionizing Careers in Cybersecurity - What You Need to Know - As technology companies are scrambling to meet businesses and consumers evolving needs, one trend has become clearly apparent - open-source is at the forefront of modern technological innovation, revolutionizing careers available in the field of cybersecurity in the process. 


  Debian: DSA-4793-1: firefox-esr security update (Nov 18)
 

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure, phishing, cross-site scripting or a DNS rebinding attack.

  Debian: DSA-4792-1: openldap security update (Nov 17)
 

Two vulnerabilities in the certificate list syntax verification and in the handling of CSN normalization were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these

  Debian: DSA-4791-1: pacemaker security update (Nov 13)
 

Ken Gaillot discovered a vulnerability in the Pacemaker cluster resource manager: If ACLs were configured for users in the "haclient" group, the ACL restrictions could be bypassed via unrestricted IPC communication, resulting in cluster-wide arbitrary code execution with

  Debian: DSA-4789-1: codemirror-js security update (Nov 12)
 

It was discovered that codemirror, a browser-based text editor implemented in JavaScript, was vulnerable to regular expression denial-of-service.

  Fedora 33: chromium 2020-2d0c0ee838 (Nov 19)
 

Update to 86.0.4240.198. Fixes the following security issues: CVE-2020-16013 CVE-2020-16016 CVE-2020-16017

  Fedora 33: mingw-libxml2 2020-ff317550e4 (Nov 19)
 

Add correct fix for CVE-2020-24977 (RHBZ#1877788), thanks: Jan de Groot.

  Fedora 31: microcode_ctl 2020-14fda1bf85 (Nov 19)
 

- Update to upstream 2.1-30. 20201110 - Addition of 06-55-0b/0xbf (CPX-SP A1) microcode at revision 0x700001e; - Addition of 06-8a-01/0x10 (LKF B2/B3) microcode at revision 0x28; - Addition of 06-8c-01/0x80 (TGL-UP3/UP4 B1) microcode at revision 0x68; - Addition of 06-a5-02/0x20 (CML-H R1) microcode at revision 0xe0; - Addition of 06-a5-03/0x22 (CML-S 6+2 G1) microcode at

  Fedora 31: xen 2020-6dd36a716c (Nov 19)
 

revised patch for XSA-286 (mitigating performance impact) ---- x86 PV guest INVLPG-like flushes may leave stale TLB entries [XSA-286, CVE-2020-27674] (#1891092) ---- x86: Race condition in Xen mapping code [XSA-345] undue deferral of IOMMU TLB flushes [XSA-346] unsafe AMD IOMMU page table updates [XSA-347]

  Fedora 32: seamonkey 2020-396a3dfb1f (Nov 19)
 

Additional fixes for AV1 codec and svg icon. ---- Update to 2.53.5 AV1 media codec now supported. Some fixes and improvements.

  Fedora 32: xen 2020-2684e0fadd (Nov 19)
 

Information leak via power sidechannel [XSA-351]

  Fedora 32: mingw-libxml2 2020-7773c53bc8 (Nov 19)
 

Add correct fix for CVE-2020-24977 (RHBZ#1877788), thanks: Jan de Groot.

  Fedora 32: firefox 2020-b4b9280811 (Nov 18)
 

- New upstream version (83.0)

  Fedora 33: firefox 2020-f9f7305137 (Nov 18)
 

- New upstream version (83.0)

  Fedora 33: seamonkey 2020-68ef4b6bc5 (Nov 16)
 

Additional fixes for AV1 codec and svg icon. ---- Update to 2.53.5 AV1 media codec now supported. Some fixes and improvements.

  Fedora 32: mingw-python3 2020-d42cb01973 (Nov 16)
 

Fix mingw{32,64}_py3_{build,install} macros. ---- Add %mingw{32,64}_py3_{build,install} macros ---- This update backports a fix for CVE-2020-26116.

  Fedora 32: libmediainfo 2020-dec3658f55 (Nov 16)
 

Update to 20.09.

  Fedora 32: mediainfo 2020-dec3658f55 (Nov 16)
 

Update to 20.09.

  Fedora 32: kernel-tools 2020-e211716d08 (Nov 15)
 

The 5.9.8 stable kernel rebase contains a number of enhancements including new hardware support, additional features, and a number of important fixes across the tree.

  Fedora 32: kernel-headers 2020-e211716d08 (Nov 15)
 

The 5.9.8 stable kernel rebase contains a number of enhancements including new hardware support, additional features, and a number of important fixes across the tree.

  Fedora 32: kernel 2020-e211716d08 (Nov 15)
 

The 5.9.8 stable kernel rebase contains a number of enhancements including new hardware support, additional features, and a number of important fixes across the tree.

  Fedora 33: kernel-headers 2020-98ccae320c (Nov 15)
 

The 5.9.8 stable kernel rebase contains a number of enhancements including new hardware support, additional features, and a number of important fixes across the tree.

  Fedora 33: kernel-tools 2020-98ccae320c (Nov 15)
 

The 5.9.8 stable kernel rebase contains a number of enhancements including new hardware support, additional features, and a number of important fixes across the tree.

  Fedora 33: kernel 2020-98ccae320c (Nov 15)
 

The 5.9.8 stable kernel rebase contains a number of enhancements including new hardware support, additional features, and a number of important fixes across the tree.

  Fedora 31: thunderbird 2020-1da8aa9dd3 (Nov 13)
 

Update to latest upstream version.

  Fedora 32: krb5 2020-27b577ab23 (Nov 13)
 

- Fix CVE-2020-28196 (DoS in ASN.1 parsing due to missing recursion depth checks) - fc32 + fc33 only: pull-up to rawhide

  Fedora 33: libxml2 2020-935f62c3d9 (Nov 13)
 

Add correct fix for CVE-2020-24977 (RHBZ#1877788), thanks: Jan de Groot.

  Fedora 33: libexif 2020-e99ef3282f (Nov 13)
 

CVE-2020-0181, CVE-2020-0198, and CVE-2020-0452

  Fedora 31: nss 2020-a857113c7a (Nov 12)
 

Updates the nss package to upstream NSS 3.58 respectively. For details about new functionality and a list of bugs fixed in this release please see the upstream release notes - https://developer.mozilla.org/en- US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes

  Fedora 32: nss 2020-bb91bf9b8e (Nov 12)
 

Updates the nss package to upstream NSS 3.58 respectively. For details about new functionality and a list of bugs fixed in this release please see the upstream release notes - https://developer.mozilla.org/en- US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes

  Gentoo: GLSA-202011-19: libexif: Multiple vulnerabilities (Nov 16)
 

Multiple vulnerabilities have been found in libexif, the worst of which could result in the arbitrary execution of code.

  Gentoo: GLSA-202011-18: Apache Ant: Insecure temporary file (Nov 15)
 

Apache Ant uses various insecure temporary files possibly allowing local code execution.

  Gentoo: GLSA-202011-17: MIT Kerberos 5: Denial of service (Nov 15)
 

A vulnerability in MIT Kerberos 5 could lead to a Denial of Service condition.

  Gentoo: GLSA-202011-16: Chromium, Google Chrome: Multiple vulnerabilities (Nov 15)
 

Multiple vulnerabilities have been found in Chromium and Google Chrome, the worst of which could result in the arbitrary execution of code.

  Gentoo: GLSA-202011-15: libmaxminddb: Denial of service (Nov 14)
 

A vulnerability in libmaxminddb could lead to a Denial of Service condition.

  RedHat: RHSA-2020-5149:01 Moderate: Release of OpenShift Serverless 1.11.0 (Nov 18)
 

Release of OpenShift Serverless 1.11.0 2. Description: Red Hat OpenShift Serverless 1.11.0 is a generally available release of the OpenShift Serverless Operator. This version of the OpenShift Serverless

  RedHat: RHSA-2020-5146:01 Important: thunderbird security update (Nov 18)
 

An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2020-5139:01 Critical: firefox security update (Nov 17)
 

An update for firefox is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2020-5138:01 Critical: firefox security update (Nov 17)
 

An update for firefox is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2020-5135:01 Critical: firefox security update (Nov 17)
 

An update for firefox is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2020-5129:01 Important: net-snmp security update (Nov 17)
 

An update for net-snmp is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2020-5102:01 Moderate: OpenShift Container Platform 3.11.318 (Nov 16)
 

An update for jenkins-2-plugins is now available for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2020-5112:01 Moderate: rh-postgresql12-postgresql security (Nov 16)
 

An update for rh-postgresql12-postgresql is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2020-5110:01 Moderate: rh-postgresql10-postgresql security (Nov 16)
 

An update for rh-postgresql10-postgresql is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2020-5111:01 Moderate: virt:8.2 and virt-devel:8.2 security (Nov 16)
 

An update for the virt:8.2 and virt-devel:8.2 modules is now available for Advanced Virtualization for RHEL 8.2.1. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2020-5104:01 Critical: firefox security update (Nov 12)
 

An update for firefox is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2020-5099:01 Critical: firefox security update (Nov 12)
 

An update for firefox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2020-5100:01 Critical: firefox security update (Nov 12)
 

An update for firefox is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  SUSE: 2020:3455-1 important: postgresql10 (Nov 20)
 

An update that fixes three vulnerabilities is now available.

  SUSE: 2020:14548-1 important: MozillaFirefox (Nov 20)
 

An update that fixes 12 vulnerabilities is now available.

  SUSE: 2020:3457-1 moderate: ucode-intel (Nov 20)
 

An update that fixes three vulnerabilities is now available.

  SUSE: 2020:3458-1 important: MozillaFirefox (Nov 20)
 

An update that fixes 12 vulnerabilities is now available.

  SUSE: 2020:3459-1 moderate: ceph (Nov 20)
 

An update that solves one vulnerability and has 8 fixes is now available.

  SUSE: 2020:3433-1 important: the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Nov 19)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3423-1 moderate: buildah (Nov 19)
 

An update that fixes two vulnerabilities is now available.

  SUSE: 2020:3424-1 moderate: wpa_supplicant (Nov 19)
 

An update that fixes 19 vulnerabilities, contains one feature is now available.

  SUSE: 2020:3425-1 important: postgresql12 (Nov 19)
 

An update that fixes three vulnerabilities is now available.

  SUSE: 2020:3441-1 important: the Linux Kernel (Live Patch 19 for SLE 15) (Nov 19)
 

An update that fixes three vulnerabilities is now available.

  SUSE: 2020:3449-1 important: the Linux Kernel (Live Patch 16 for SLE 15) (Nov 19)
 

An update that fixes four vulnerabilities is now available.

  SUSE: 2020:3413-1 important: xen (Nov 19)
 

An update that solves one vulnerability and has two fixes is now available.

  SUSE: 2020:3412-1 important: xen (Nov 19)
 

An update that solves one vulnerability and has two fixes is now available.

  SUSE: 2020:3414-1 important: xen (Nov 19)
 

An update that solves one vulnerability, contains one feature and has two fixes is now available.

  SUSE: 2020:3418-1 moderate: MozillaThunderbird (Nov 19)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3416-1 important: xen (Nov 19)
 

An update that solves one vulnerability and has one errata is now available.

  SUSE: 2020:3415-1 important: xen (Nov 19)
 

An update that solves one vulnerability and has one errata is now available.

  SUSE: 2020:3378-1 moderate: podman (Nov 19)
 

An update that solves one vulnerability and has two fixes is now available.

  SUSE: 2020:3374-1 moderate: ucode-intel (Nov 19)
 

An update that fixes three vulnerabilities is now available.

  SUSE: 2020:3369-1 moderate: go1.14 (Nov 19)
 

An update that solves three vulnerabilities and has one errata is now available.

  SUSE: 2020:3368-1 moderate: go1.15 (Nov 19)
 

An update that solves three vulnerabilities and has one errata is now available.

  SUSE: 2020:3385-1 moderate: perl-DBI (Nov 19)
 

An update that fixes two vulnerabilities is now available.

  SUSE: 2020:14546-1 moderate: microcode_ctl (Nov 19)
 

An update that fixes three vulnerabilities is now available.

  SUSE: 2020:3402-1 important: the Linux Kernel (Live Patch 9 for SLE 15 SP1) (Nov 19)
 

An update that fixes two vulnerabilities is now available.

  SUSE: 2020:3400-1 important: the Linux Kernel (Live Patch 7 for SLE 15 SP1) (Nov 19)
 

An update that fixes three vulnerabilities is now available.

  SUSE: 2020:3375-1 moderate: krb5 (Nov 19)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3380-1 moderate: wpa_supplicant (Nov 19)
 

An update that fixes 22 vulnerabilities, contains one feature is now available.

  SUSE: 2020:3373-1 moderate: ucode-intel (Nov 19)
 

An update that fixes three vulnerabilities is now available.

  SUSE: 2020:3389-1 important: the Linux Kernel (Live Patch 1 for SLE 15 SP2) (Nov 19)
 

An update that fixes three vulnerabilities is now available.

  SUSE: 2020:3383-1 important: MozillaFirefox (Nov 19)
 

An update that fixes 12 vulnerabilities is now available.

  SUSE: 2020:3372-1 moderate: ucode-intel (Nov 19)
 

An update that fixes three vulnerabilities is now available.

  SUSE: 2020:3384-1 moderate: perl-DBI (Nov 19)
 

An update that fixes two vulnerabilities is now available.

  SUSE: 2020:3376-1 moderate: wireshark (Nov 19)
 

An update that fixes two vulnerabilities is now available.

  SUSE: 2020:3377-1 moderate: krb5 (Nov 19)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3379-1 moderate: krb5 (Nov 19)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3367-1 moderate: libzypp, zypper (Nov 19)
 

An update that solves one vulnerability and has two fixes is now available.

  SUSE: 2020:683-1 suse/sle15 Security Update (Nov 19)
   
  SUSE: 2020:3358-1 moderate: tcpdump (Nov 17)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3360-1 moderate: tcpdump (Nov 17)
 

An update that fixes 29 vulnerabilities is now available.

  SUSE: 2020:3359-1 moderate: java-11-openjdk (Nov 17)
 

An update that fixes 8 vulnerabilities is now available.

  SUSE: 2020:3354-1 important: kernel-firmware (Nov 17)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3352-1 important: raptor (Nov 17)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3353-1 important: kernel-firmware (Nov 17)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3350-1 important: raptor (Nov 16)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3351-1 important: raptor (Nov 16)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3349-1 important: kernel-firmware (Nov 16)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3343-1 moderate: postgresql, postgresql96, postgresql10 and postgresql12 (Nov 16)
 

An update that contains security fixes and contains three features can now be installed.

  SUSE: 2020:3331-1 important: MozillaFirefox (Nov 16)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3330-1 important: kernel-firmware (Nov 16)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3333-1 important: gdm (Nov 16)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3326-1 moderate: the Linux Kernel (Nov 13)
 

An update that solves 7 vulnerabilities, contains one feature and has 47 fixes is now available.

  SUSE: 2020:3326-1 moderate: the Linux Kernel (Nov 13)
 

An update that solves 7 vulnerabilities, contains one feature and has 47 fixes is now available.

  SUSE: 2020:3314-1 important: openldap2 (Nov 12)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3311-1 important: MozillaFirefox (Nov 12)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3315-1 important: openldap2 (Nov 12)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:3309-1 important: ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana (Nov 12)
 

An update that solves 53 vulnerabilities, contains 14 features and has 5 fixes is now available.

  Ubuntu 4635-1: Kerberos vulnerability (Nov 17)
 

Kerberos could be made to consume unlimited resources if it received specially crafted ASN.1.

  Ubuntu 4634-1: OpenLDAP vulnerabilities (Nov 17)
 

OpenLDAP could be made to crash if it received specially crafted network traffic.

  Ubuntu 4633-1: PostgreSQL vulnerabilities (Nov 17)
 

Several security issues were fixed in PostgreSQL.

  Ubuntu 4607-2: OpenJDK regressions (Nov 12)
 

USN-4607-1 introduced a regression in OpenJDK.

  Ubuntu 4631-1: libmaxminddb vulnerability (Nov 12)
 

libmaxminddb could be made to crash if it received specially crafted data.

  Ubuntu 4171-6: Apport regression (Nov 12)
 

USN-4171-1 introduced a regression in Apport.

  Ubuntu 4628-2: Intel Microcode regression (Nov 12)
 

USN-4628-1 introduced a regression in the Intel Microcode for some processors.

  Debian LTS: DLA-2458-1: drupal7 security update (Nov 19)
 

Two vulnerabilities were discovered in Drupal, a fully-featured content management framework. CVE-2020-13666

  Debian LTS: DLA-2457-1: firefox-esr security update (Nov 19)
 

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure, phishing, cross-site scripting or a DNS rebinding attack.

  Debian LTS: DLA-2432-1: jupyter-notebook security update (Nov 19)
 

Several vulnerabilities have been discovered in jupyter-notebook. CVE-2018-8768

  Debian LTS: DLA-2455-1: packer security update (Nov 19)
 

golang-go.crypto was recently updated with a fix for CVE-2020-9283. This in turn requires all packages that use the affected code to be recompiled in order to pick up the security fix.

  Debian LTS: DLA-2454-1: rclone security update (Nov 19)
 

golang-go.crypto was recently updated with a fix for CVE-2019-11840. This in turn requires all packages that use the affected code to be recompiled in order to pick up the security fix.

  Debian LTS: DLA-2447-2: pacemaker regression update (Nov 17)
 

The update of pacemaker released as DLA-2447-1 caused a regression when the communication between the Corosync cluster engine and pacemaker takes place. A permission problem prevents IPC requests between cluster nodes. The patch for CVE-2020-25654 has been reverted until a better solution can be found.

  Debian LTS: DLA-2453-1: restic security update (Nov 17)
 

golang-go.crypto was recently updated with a fix for CVE-2020-9283. This in turn requires all packages that use the affected code to be recompiled in order to pick up the security fix.

  Debian LTS: DLA-2452-2: libdatetime-timezone-perl regression update (Nov 16)
 

2.09-1+2020d accidentally did omit changes to some files, resulting in warnings. For Debian 9 stretch, this problem has been fixed in version

  Debian LTS: DLA-2452-1: libdatetime-timezone-perl new upstream (Nov 15)
 

This update includes the changes in tzdata 2020d for the Perl bindings. For the list of changes, see DLA-2424-1. For Debian 9 stretch, this problem has been fixed in version

  Debian LTS: DLA-2451-1: libvncserver security update (Nov 15)
 

An issue has been found in libvncserver, an API to write one's own VNC server. Due to some missing checks, a divide by zero could happen, which could

  Debian LTS: DLA-2450-1: libproxy security update (Nov 13)
 

Li Fei found that libproxy, a library for automatic proxy configuration management, was vulnerable to a buffer overflow vulnerability when receiving a large PAC file from a server without a Content-Length header in the response.

  Debian LTS: DLA-2449-1: thunderbird security update (Nov 13)
 

A use-after-free was found in Thunderbird, which could potentially result in the execution of arbitrary code. For Debian 9 stretch, this problem has been fixed in version

  ArchLinux: 202011-12: firefox: multiple issues (Nov 18)
 

The package firefox before version 83.0-1 is vulnerable to multiple issues including arbitrary code execution, access restriction bypass, content spoofing, cross-site scripting, information disclosure, insufficient validation, denial of service and incorrect calculation.

  ArchLinux: 202011-11: chromium: multiple issues (Nov 18)
 

The package chromium before version 87.0.4280.66-1 is vulnerable to multiple issues including access restriction bypass, arbitrary code execution, insufficient validation, content spoofing and information disclosure.

  CentOS: CESA-2020-5099: Critical CentOS 7 firefox (Nov 19)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5099

  CentOS: CESA-2020-5083: Moderate CentOS 7 microcode_ctl (Nov 19)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5083

  CentOS: CESA-2020-5023: Moderate CentOS 7 kernel (Nov 18)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5023

  CentOS: CESA-2020-5003: Low CentOS 7 fence-agents (Nov 18)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5003

  CentOS: CESA-2020-5012: Moderate CentOS 7 librepo (Nov 18)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5012

  CentOS: CESA-2020-5011: Moderate CentOS 7 bind (Nov 18)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5011

  CentOS: CESA-2020-5040: Moderate CentOS 7 libvirt (Nov 18)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5040

  CentOS: CESA-2020-5002: Moderate CentOS 7 curl (Nov 18)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5002

  CentOS: CESA-2020-5004: Low CentOS 7 resource-agents (Nov 18)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5004

  CentOS: CESA-2020-5020: Low CentOS 7 tomcat (Nov 18)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5020

  CentOS: CESA-2020-5021: Moderate CentOS 7 qt5-qtbase (Nov 18)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5021

  CentOS: CESA-2020-5021: Moderate CentOS 7 qt (Nov 18)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5021

  CentOS: CESA-2020-5010: Moderate CentOS 7 python3 (Nov 18)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5010

  CentOS: CESA-2020-5009: Moderate CentOS 7 python (Nov 18)
 

Upstream details at : https://access.redhat.com/errata/RHSA-2020:5009

  SciLinux: SLSA-2020-5104-1 Critical: firefox on SL6.x i386/x86_64 (Nov 17)
 

Mozilla: Write side effects in MCallGetProperty opcode not accounted for (CVE-2020-26950) SL6 x86_64 firefox-78.4.1-1.el6_10.x86_64.rpm firefox-debuginfo-78.4.1-1.el6_10.x86_64.rpm i386 firefox-78.4.1-1.el6_10.i686.rpm - Scientific Linux Development Team

  openSUSE: 2020:1970-1 important: tor (Nov 19)
   
  openSUSE: 2020:1970-1 important: tor (Nov 19)
   
  openSUSE: 2020:1969-1 moderate: slurm_18_08 (Nov 19)
   
  openSUSE: 2020:1961-1 important: gdm (Nov 19)
   
  openSUSE: 2020:1962-1 important: kernel-firmware (Nov 19)
   
  openSUSE: 2020:1966-1 important: moinmoin-wiki (Nov 19)
   
  openSUSE: 2020:1960-1 important: kernel-firmware (Nov 19)
   
  openSUSE: 2020:1959-1 important: raptor (Nov 18)
   
  openSUSE: 2020:1949-1 important: raptor (Nov 17)
   
  openSUSE: 2020:1943-1 important: chromium (Nov 16)
   
  openSUSE: 2020:1937-1 important: chromium (Nov 15)
   
  openSUSE: 2020:1930-1 important: u-boot (Nov 15)
   
  openSUSE: 2020:1929-1 important: chromium (Nov 15)
   
  openSUSE: 2020:1927-1 moderate: ImageMagick (Nov 15)
   
  openSUSE: 2020:1923-1 moderate: ucode-intel (Nov 14)
   
  openSUSE: 2020:1922-1 moderate: python-waitress (Nov 14)
   
  openSUSE: 2020:1918-1 important: openldap2 (Nov 14)
   
  openSUSE: 2020:1919-1 important: MozillaFirefox (Nov 14)
   
  openSUSE: 2020:1920-1 important: openldap2 (Nov 14)
   
  openSUSE: 2020:1916-1 moderate: SDL (Nov 14)
   
  openSUSE: 2020:1915-1 moderate: ucode-intel (Nov 14)
   
  openSUSE: 2020:1910-1 moderate: zeromq (Nov 14)
   
  openSUSE: 2020:1911-1 moderate: python-waitress (Nov 14)
   
  openSUSE: 2020:1909-1 important: MozillaFirefox (Nov 14)
   
  openSUSE: 2020:1907-1 moderate: zeromq (Nov 13)
   
  openSUSE: 2020:1906-1 important: the Linux Kernel (Nov 13)
   
  Mageia 2020-0427: firefox and nss security update (Nov 19)
 

When drawing a transparent image on top of an unknown cross-origin image, the Skia library drawImage function took a variable amount of time depending on the content of the underlying image. This resulted in potential cross-origin information exposure of image content through timing side-channel attacks (CVE-2020-16012).

  Mageia 2020-0426: libexif security update (Nov 15)
 

In exif_entry_get_value of exif-entry.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution if a third party app used this library to process remote image data with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2020-0452)

  Mageia 2020-0425: kleopatra security update (Nov 15)
 

The Kleopatra component before 20.07.80 for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line options. The Qt platformpluginpath command-line option can be used to load an arbitrary library. (CVE-2020-24972).

  Mageia 2020-0424: golang security update (Nov 15)
 

A flaw was found in Go standard library packages. Both the net/http/cgi and net/http/fcgi packages use a default Content-Type response header value of "text/html", rather than "text/plain". An attacker could exploit this in applications using these packages by uploading crafted files, allowing for a cross-site scripting attack (XSS) (CVE-2020-24553).

  Mageia 2020-0423: ruby security update (Nov 13)
 

A potential HTTP request smuggling vulnerability in WEBrick was reported. WEBrick was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to smuggle a request (CVE-2020-25613).

  Mageia 2020-0422: microcode security update (Nov 13)
 

Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2020-8694) Observable discrepancy in the RAPL interface for some Intel(R) Processors may

  Mageia 2020-0421: firefox and thunderbird security update (Nov 13)
 

Write side effects in MCallGetProperty opcode not accounted for. In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. (CVE-2020-26950)

  Mageia 2020-0420: arpwatch security update (Nov 13)
 

A buffer overflow from long hostnames. (rhbz#1563939) References: - https://bugs.mageia.org/show_bug.cgi?id=27570 - https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./thread/GE44PAF52D6HCPKQ3EYTGSSXBPT5UPYU/

  Mageia 2020-0419: bluez security update (Nov 13)
 

In BlueZ before 5.55, a double free was found in the gatttool disconnect_cb() routine from shared/att.c. A remote attacker could potentially cause a denial of service or code execution, during service discovery, due to a redundant disconnect MGMT event. (CVE-2020-27153)

  Mageia 2020-0418: timezone and java-1.8.0-openjdk security update (Nov 13)
 

High memory usage during deserialization of Proxy class with many interfaces. (CVE-2020-14779) Credentials sent over unencrypted LDAP connection. (CVE-2020-14781)

  Mageia 2020-0417: tpm2-tss security update (Nov 13)
 

FAPI PolicyPCR not instatiating correctly (CVE-2020-24455). Note that all TPM object created with a PolicyPCR with the currentPcrs and currentPcrsAndBank options have been created with an incorrect policy that omits PCR checks. All such objects have to be recreated.

  Mageia 2020-0416: kdeconnect-kde security update (Nov 13)
 

An attacker on your local network could send maliciously crafted packets to other hosts running kdeconnect on the network, causing them to use large amounts of CPU, memory or network connections, which could be used in a Denial of Service attack within the network. (CVE-2020-26164)

  Mageia 2020-0415: packagekit security update (Nov 13)
 

It was discovered that packagekit was subject to a vulnerability where the InstallFiles, GetFilesLocal and GetDetailsLocal methods of the DBus interface to PackageKit accesses given files before checking for authorization. This allows non-privileged users to learn the MIME type of any file on the system. (CVE-2020-16121)

  Mageia 2020-0414: lilypond security update (Nov 13)
 

It was discovered that Lilypond, a program for typesetting sheet music, did not restrict the inclusion of Postscript and SVG commands when operating in safe mode, which could result in the execution of arbitrary code when rendering a typesheet file with embedded Postscript code. (CVE-2020-17353)

  Mageia 2020-0413: chromium-browser-stable security update (Nov 13)
 

The chromium-browser-stable package has been updated to 86.0.4240.198 version that fixes multiples security vulnerabilities. From 81.0.4044.138 (released on May 9th, 2020) to 86.0.4240.198 version, see upstream advisories.

Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript![ ? ]

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.