Happy Friday fellow Linux geeks! This week, important updates have been issued for Apache HTTP Server, squashfs-tools and nodejs. Read on to learn about these vulnerabilities and how to secure your system against them. 

Now you can personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select, making it easier than ever to keep your system up-to-date and secure.

Have a question about or comment on one of the vulnerabilities highlighted in today's newsletter? Let's discuss!

Yours in Open Source,

Brittany Signature 150

Apache HTTP Server

The Discovery 

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient (CVE-2021-42013). This directory traversal vulnerability only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

The Impact
Apache2

An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests

can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution (RCE).

The Fix

Upgrade to Apache HTTP Server 2.4.51-1.

# pacman -Syu "apache>=2.4.51-1"

The problem has been fixed upstream in version 2.4.51.

Your Related Advisories:

Register to Customize Your Advisories

squashfs-tools

The Discovery 

It was discovered that unsquashfs in squashfs-tools, the tools to create and extract Squashfs filesystems, does not check for duplicate filenames within a directory (CVE-2021-41072).
Squashfs

The Impact

An attacker can exploit this flaw to write arbitrary files to the filesystem if a malformed Squashfs image is processed.

The Fix

We recommend that you upgrade your squashfs-tools packages as soon as possible to protect the security and integrity of your filesystem.

Your Related Advisories:

Register to Customize Your Advisories

nodejs

The Discovery

Two security issues were found in the nodejs JavaScript runtime. It was discovered that the http parser accepts requests with a space (SP) right after the header name before the colon (CVE-2021-22959), and the parse ignores chunk extensions when parsing the body of chunked requests (CVE-2021-22960).Nodejs

The Impact

These vulnerabilities can lead to HTTP Request Smuggling (HRS) under certain conditions.

The Fix

Update to nodejs security release 14.18 to prevent HTTP Request Smuggling (HRS) attacks. This update can be installed at the Command Line with the "dnf" update program.

Your Related Advisories:

Register to Customize Your Advisories