Linux Advisory Watch: October 15, 2021 | LinuxSecurity.com

Advisories

Linux Advisory Watch: October 15, 2021

Happy Friday fellow Linux geeks! This week, important updates have been issued for Apache HTTP Server, Firefox and Libntlm. Read on to learn about these vulnerabilities and how to secure your system against them. 

Now you can personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select, making it easier than ever to keep your system up-to-date and secure.

Have a question about or comment on one of the vulnerabilities highlighted in today's newsletter? Let's discuss!

Yours in Open Source,

Brittany Day Signature

Apache HTTP Server

The Discovery 

It was discovered that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient (CVE-2021-42013), enabling an attacker to use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed.

The Impact

This zero-day vulnerability could lead to remote code execution (RCEghostscript) if CGI scripts are also enabled for these aliased paths. Additionally, this flaw could leak the source of interpreted files such as CGI scripts.

The Fix

A fix has been included in Apache HTTP Server version 2.4.50, which was made available on October 4th. We strongly recommend upgrading your software builds as soon as possible to prevent attacks.

Your Related Advisories:

Register to Customize Your Advisories

Firefox

The Discovery 

Multiple security issues were found in Firefox (CVE-2021-32810, CVE-2021-38496, CVE-2021-38497, CVE-2021-38498, CVE-2021-38500, CVE-2021-38501). It was discovered that Firefox could be made to crash or run programs as your login if it opened a malicious website.firefox

The Impact

If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these flaws to cause a denial of service (DoS), spoof another origin, or execute arbitrary code.

The Fix

Updated Firefox packages fix these issues. We urge you to upgrade your firefox-esr packages promptly to protect against these dangerous vulnerabilities.

Your Related Advisories:

Register to Customize Your Advisories

Libntlm 

The Discovery

libsndfile

It was discovered that the Libntlm NTLM authentication library incorrectly handled specially crafted NTLM requests (CVE-2019-17455).

The Impact

An attacker could exploit this flaw to cause Libntlm to crash or to execute arbitrary code.

The Fix

Libntlm has released a fix for this vulnerability. We recommend updating your system now to protect the security, integrity and availability of your system. In general, a standard system update will make all the necessary changes.

Your Related Advisories:

Register to Customize Your Advisories

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.