Linux Advisory Watch: November 5, 2021 | LinuxSecurity.com

Advisories

Linux Advisory Watch: November 5, 2021

Happy Friday fellow Linux geeks! This week, important updates have been issued for PHP, OpenJDK and Bind. Read on to learn about these vulnerabilities and how to secure your system against them. 

Now you can personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select, making it easier than ever to keep your system up-to-date and secure.

Have a question about or comment on one of the vulnerabilities highlighted in today's newsletter? Let's discuss!

Yours in Open Source,

Brittany Day Signature

PHP

The Discovery 

It was discovered that PHP-FPM in PHP could be made to run a program as an administrator if it received specially crafted input (CVE-2021-21703).

The Impact

An attacker could exploit this out-of-bounds read and write flaw to execute arbitrary code or cause a crash.
ghostscript

The Fix

We recommend that you upgrade your php7.0 packages immediately to protect the security, integrity and availability of your system. In general, a standard system update will make all the necessary changes.

Your Related Advisories:

Register to Customize Your Advisories

OpenJDK

The Discovery 

Multiple important security bugs have been found in the OpenJDK Java runtime environment and software development kit.
firefox

The Impact

These issues result in a loop in HTTP Server triggered during TLS session close (CVE-2021-35565), excessive memory allocation (CVE-2021-35556, CVE-2021-35559, CVE-2021-35561, CVE-2021-35586), non-constant comparison and unexpected exception raised during TLS handshakes (CVE-2021-35603, CVE-2021-35578) and incorrect principal selection when using Kerberos Constrained Delegation (CVE-2021-35567).

The Fix

The vulnerabilities have been remedied in OpenJDK 11.0.13. Update now! This update can be installed with the "dnf" update program.

Your Related Advisories:

Register to Customize Your Advisories

Bind

The Discovery

It was discovered that the lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance (CVE-2021-25219).
libsndfile

The Impact

Exploitation of this flaw can result in Denial of Service (large delays for responses for client queries and DNS timeouts on client hosts).

The Fix

Bind has released a fix for this vulnerability. In general, a standard system update will make all the necessary changes.

Your Related Advisories:

Register to Customize Your Advisories

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.