Linux Advisory Watch: September 3, 2021

Advisories

Linux Advisory Watch: September 3, 2021

Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! 

Today’s newsletter is sponsored by AlmaLinux, the forever-free enterprise Linux distribution, focused on long-term stability, and providing a robust production-grade platform.

This week, important updates have been issued for c-ares, the Linux kernel and Python.

We recommend that you visit our Advisories page frequently to see the latest security advisories that have been issued by your Linux distro(s). We also now offer the ability to personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select. 

On behalf of the LinuxSecurity.com administrative team, I would like to extend a warm welcome to our site!

Yours in Open Source,

Brittany Day Signature


c-ares

The Discovery 

firefox

Missing input validation of host names returned by Domain Name Servers (CVE-2021-3672) has been discovered in the c-ares library before version 1.17.2.

The Impact

This vulnerability could enable a remote attacker with the ability to create DNS entries to create crafted entries that output the wrong hostname, leading to domain hijacking.

The Fix

This problem has been fixed upstream in c-ares version 1.17.2.

Upgrade to 1.17.2-1 as soon as possible.

# pacman -Syu "c-ares>=1.17.2-1"

Your Related Advisories:

Register to Customize Your Advisories

Linux Kernel

The Discovery 

firefox

Multiple important Linux kernel security bugs have been identified. They include a use after free via PI futex state (CVE-2021-3347), a race condition for removal of the HCI controller (CVE-2021-32399) and an out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c (CVE-2021-22555).

The Impact

These flaws could result in privilege escalation, system crash, DoS conditions and memory corruption.

The Fix

Distros impacted by these vulnerabilities including ArchLinux, Debian LTS, Fedora, Gentoo, Mageia, openSUSE, RedHat, SciLinux, Slackware, SUSE and Ubuntu have released updates mitigating these issues. We recommend that users update immediately to protect the confidentiality, integrity and availability of their system.

Your Related Advisories:

Register to Customize Your Advisories

Python

The Discovery

libsndfile

A flaw has been found in built-in modules httplib and http.client included in Python 2 and Python 3 (CVE-2020-26116). It has been discovered that these modules do not properly validate CRLF sequences in the HTTP request method, potentially allowing manipulation to the request by injecting additional HTTP headers. 

The Impact

This vulnerability could result in CRLF injection via HTTP request method in httplib/http.client, posing a threat to the confidentiality and integrity of impacted systems.

The Fix

An Update for python3 that fixes this issue is now available. Update promptly to secure your system and prevent compromise.

Your Related Advisories:

Register to Customize Your Advisories

Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript![ ? ]

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.