Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! 

Today’s newsletter is sponsored by AlmaLinux, the forever-free enterprise Linux distribution, focused on long-term stability, and providing a robust production-grade platform.

This week, important updates have been issued for c-ares, the Linux kernel and Python.

We recommend that you visit our Advisories page frequently to see the latest security advisories that have been issued by your Linux distro(s). We also now offer the ability to personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select. 

On behalf of the LinuxSecurity.com administrative team, I would like to extend a warm welcome to our site!

Yours in Open Source,


c-ares

The Discovery 

A missing input validation flaw affecting host names returned by Domain Name Servers (CVE-2021-3672) has been discovered in the c-ares library in versions before 1.17.2.

The Impact

This vulnerability could enable a remote attacker with the ability to create DNS entries to craft entries that cause c-ares to return the wrong hostname, leading to domain hijacking.

The Fix

This problem has been fixed upstream in c-ares version 1.17.2.

Upgrade to 1.17.2-1 as soon as possible.

# pacman -Syu "c-ares>=1.17.2-1"

Linux Kernel

The Discovery 

Multiple important Linux kernel security bugs have been identified. They include a use-after-free via PI futex state (CVE-2021-3347), a race condition on removal of the HCI controller (CVE-2021-32399) and an out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c (CVE-2021-22555).

The Impact

These flaws could result in privilege escalation, system crash, DoS conditions and memory corruption.

The Fix

Distros impacted by these vulnerabilities, including ArchLinux, Debian LTS, Fedora, Gentoo, Mageia, openSUSE, RedHat, SciLinux, Slackware, SUSE and Ubuntu, have released updates mitigating these issues. We recommend that users update immediately to protect the confidentiality, integrity and availability of their systems.

Python

The Discovery

A flaw has been found in the built-in modules httplib and http.client included in Python 2 and Python 3 (CVE-2020-26116). These modules do not validate the HTTP request method for CRLF sequences, so a CRLF in an attacker-controlled method value can inject additional HTTP headers into the request.

The Impact

This vulnerability could result in CRLF injection via HTTP request method in httplib/http.client, posing a threat to the confidentiality and integrity of impacted systems.

The Fix

An update for python3 that fixes this issue is now available. Update promptly to secure your system and prevent compromise.
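The check described above, as an added example that is not code from the newsletter or from CPython: it re-implements, stand-alone, the kind of control-byte validation the upstream fix for CVE-2020-26116 applies to the request method, and places the unvalidating request builder beside its hardened variant so the difference can be observed. The character class, function names and sample values are assumptions constructed for this example.

```python
import re

# Added example; not code from the newsletter or from CPython. It mirrors the
# kind of check the upstream fix for CVE-2020-26116 added to http.client: a
# request method must not contain CR, LF, other ASCII control bytes or space.
# The character class below is an assumption chosen for this example.
_DISALLOWED_METHOD_CHARS = re.compile(r"[\x00-\x20\x7f]")


def method_is_safe(method: str) -> bool:
    """True if `method` can be placed on a request line without breaking it."""
    return _DISALLOWED_METHOD_CHARS.search(method) is None


def build_request_head(method: str, path: str, headers: dict) -> bytes:
    """Assemble a request head the way an unvalidating client would.

    Kept deliberately unvalidated so the effect of a CRLF in `method`
    can be observed; do not use this variant for real requests.
    """
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def safe_request_head(method: str, path: str, headers: dict) -> bytes:
    """Hardened variant: refuse any method that fails the control-byte check."""
    if not method_is_safe(method):
        raise ValueError(f"invalid HTTP method: {method!r}")
    return build_request_head(method, path, headers)


def count_header_lines(head: bytes) -> int:
    """Number of header lines a server would parse from `head`
    (everything between the request line and the blank line)."""
    block = head.split(b"\r\n\r\n", 1)[0]
    return len(block.split(b"\r\n")) - 1


if __name__ == "__main__":
    # Constructed sample input: a method value taken from untrusted input.
    headers = {"Host": "example.test"}
    print(count_header_lines(build_request_head("GET", "/", headers)))  # 1
    tainted = "GET\r\nX-Injected: 1"
    print(count_header_lines(build_request_head(tainted, "/", headers)))  # 2
    try:
        safe_request_head(tainted, "/", headers)
    except ValueError as exc:
        print("rejected:", exc)
```

The same check applies to any application that forwards user-supplied values into the method argument of an HTTP client, even after the interpreter itself is patched.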
