Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor has made available.

LinuxSecurity.com Feature Extras:

Linux Kernel Security in a Nutshell: How to Secure Your Linux System - The Linux kernel is the core component of the Linux operating system, maintaining complete control over everything in the system. It is the interface between applications and data processing at the hardware level, connecting the system hardware to the application software. The kernel manages input/output requests from software, memory, processes, peripherals and security, among other hefty responsibilities. Needless to say, the Linux kernel is pretty important.

Servers Running Linux May Get Riskier for Enterprises Next Year - The LinuxSecurity team thanks Horacio Zambrano for contributing this article. Enterprises using Linux for their cloud or data center servers may be faced with a larger threat from advanced security attackers in the near future. Based on the Linux Foundation's estimates back in 2014, 75% of enterprises reported using Linux for the cloud and 79% for application deployments.


  Debian: DSA-4578-1: libvpx security update (Nov 28)
 

Multiple security issues were found in the libvpx multimedia library which could result in denial of service and potentially the execution of arbitrary code if malformed WebM files are processed.

  Debian: DSA-4577-1: haproxy security update (Nov 28)
 

Tim Düsterhus discovered that haproxy, a TCP/HTTP reverse proxy, did not properly sanitize HTTP headers when converting from HTTP/2 to HTTP/1. This would allow a remote user to perform CRLF injections.


  Fedora 31: kernel FEDORA-2019-b86a7bdba0 (Dec 6)
 

The 5.3.14 update contains a number of important fixes across the tree

  Fedora 31: libuv FEDORA-2019-7443ebda4b (Dec 6)
 

Update to Node.js upstream release 12.13.1 https://nodejs.org/en/blog/release/v12.13.1/ Also fixes an issue where running `npm -g` was risky on RPM-installed systems. Fedora's packaged NPM will now install global content in /usr/local instead of /usr where it could conflict with RPM-provided versions.

  Fedora 31: nodejs FEDORA-2019-7443ebda4b (Dec 6)
 

Update to Node.js upstream release 12.13.1 https://nodejs.org/en/blog/release/v12.13.1/ Also fixes an issue where running `npm -g` was risky on RPM-installed systems. Fedora's packaged NPM will now install global content in /usr/local instead of /usr where it could conflict with RPM-provided versions.

  Fedora 31: tnef FEDORA-2019-815807c020 (Dec 4)
 

tnef release 1.4.18. [CVE-2019-18849](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18849) in which it may be possible to attack via a crafted email message extracted via tnef.

  Fedora 31: freeipa FEDORA-2019-c64e1612f5 (Dec 4)
 

FreeIPA 4.8.3 is a security update release that includes fixes for two issues: * CVE-2019-10195: Don't log passwords embedded in commands in calls using batch. A flaw was found in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is

  Fedora 31: cyrus-imapd FEDORA-2019-03be160f9c (Dec 4)
 

Update to version 3.0.12 of cyrus-imapd, which includes (among other fixes) a fix for CVE-2019-18928. https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.12.html

  Fedora 31: haproxy FEDORA-2019-b4d6be9176 (Dec 4)
 

Update to 2.0.10 (#1772961)

  Fedora 31: squid FEDORA-2019-9538783033 (Dec 4)
 

New version update - squid 4.9

  Fedora 30: ImageMagick FEDORA-2019-4504010099 (Dec 4)
 

Numerous security and bug fixes.

  Fedora 30: rubygem-rmagick FEDORA-2019-4504010099 (Dec 4)
 

Numerous security and bug fixes.

  Fedora 30: tnef FEDORA-2019-5f14b810f8 (Dec 4)
 

tnef release 1.4.18. [CVE-2019-18849](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18849) in which it may be possible to attack via a crafted email message extracted via tnef.

  Fedora 30: freeipa FEDORA-2019-8e9093da55 (Dec 4)
 

FreeIPA 4.8.3 is a security update release that includes fixes for two issues: * CVE-2019-10195: Don't log passwords embedded in commands in calls using batch. A flaw was found in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is

  Fedora 30: python-pillow FEDORA-2019-19a161d540 (Dec 4)
 

This update backports fixes for CVE-2019-16865.

  Fedora 30: cyrus-imapd FEDORA-2019-393e1cef4d (Dec 4)
 

Update to version 3.0.12 of cyrus-imapd, which includes (among other fixes) a fix for CVE-2019-18928. https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.12.html

  Fedora 30: haproxy FEDORA-2019-ce146978e6 (Dec 4)
 

Update to 1.8.23

  Fedora 30: sqlite FEDORA-2019-b1636e0b70 (Dec 4)
 

fixed CVE-2019-16168 (rhbz#1768987)

  Fedora 31: firefox FEDORA-2019-492e5a2d98 (Dec 3)
 

- New upstream version (Firefox 71.0) - Added gnome shell search provider

  Fedora 31: oniguruma FEDORA-2019-d942abd0d4 (Dec 3)
 

6.9.4 final is released. This new version addresses CVE-2019-19246 (this one is already fixed in previous rpm), CVE-2019-19204 CVE-2019-19203 CVE-2019-19012. ---- Update to 6.9.4 rc3

  Fedora 31: clamav FEDORA-2019-1543eae191 (Dec 3)
 

- Drop … file (bz#1725810) ClamAV 0.101.5 is a security patch release that addresses the following issues. - CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by

  Fedora 30: kernel FEDORA-2019-8846a1a5a2 (Dec 1)
 

The 5.3.13 update contains a number of important fixes across the tree

  Fedora 31: kernel FEDORA-2019-91f6e7bb71 (Dec 1)
 

The 5.3.13 update contains a number of important fixes across the tree

  Fedora 30: jhead FEDORA-2019-7efb86afdc (Nov 30)
 

updated to 3.04 (CVE-2019-19035)

  Fedora 30: freeradius FEDORA-2019-17ed521527 (Nov 30)
 

Security fix for CVE-2019-13456

  Fedora 30: djvulibre FEDORA-2019-7fac263417 (Nov 30)
 

Security fix for CVE-2019-18804.

  Fedora 30: phpMyAdmin FEDORA-2019-8f55b515f1 (Nov 30)
 

Upstream announcement: **phpMyAdmin 4.9.2 is released** 2019-11-22 Welcome to phpMyAdmin 4.9.2, a bugfix release that also contains a security fix. This security fix is part of an ongoing effort to improve the security of the Designer feature and is designated **PMASA-2019-5**. There is also an improvement for how we sanitize Git version information shown on the home page,

  Fedora 31: freeradius FEDORA-2019-ca0f5e835d (Nov 30)
 

Security fix for CVE-2019-13456

  Fedora 31: jhead FEDORA-2019-948e6ebaeb (Nov 30)
 

updated to 3.04 (CVE-2019-19035)

  Fedora 31: phpMyAdmin FEDORA-2019-db68ae1fca (Nov 30)
 

Upstream announcement: **phpMyAdmin 4.9.2 is released** 2019-11-22 Welcome to phpMyAdmin 4.9.2, a bugfix release that also contains a security fix. This security fix is part of an ongoing effort to improve the security of the Designer feature and is designated **PMASA-2019-5**. There is also an improvement for how we sanitize Git version information shown on the home page,

  Fedora 31: chromium FEDORA-2019-3e46b182ff (Nov 29)
 

Fixes CVE-2019-13723 & CVE-2019-13724

  Fedora 31: ImageMagick FEDORA-2019-ba7247edcf (Nov 29)
 

Numerous security and bug fixes.

  Fedora 31: rubygem-rmagick FEDORA-2019-ba7247edcf (Nov 29)
 

Numerous security and bug fixes.

  Fedora 31: python-pillow FEDORA-2019-e7c83bdf19 (Nov 29)
 

This update backports fixes for CVE-2019-16865.

  Fedora 31: djvulibre FEDORA-2019-18cf104b5d (Nov 29)
 

Security fix for CVE-2019-18804.

  Fedora 31: grub2 FEDORA-2019-e99ebf23c8 (Nov 28)
 

Fix a grub hidden-menu regression and a bug in blscfg variable expansion ---- Security fix for CVE-2019-14865

  Fedora 31: nss FEDORA-2019-3f6ab3b846 (Nov 28)
 

Updates the nss package to upstream NSS 3.47.1. For details about new functionality and a list of bugs fixed in this release please see the upstream release notes -


  RedHat: RHSA-2019-4111:01 Critical: firefox security update (Dec 5)
 

An update for firefox is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2019-4107:01 Critical: firefox security update (Dec 5)
 

An update for firefox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2019-4108:01 Critical: firefox security update (Dec 5)
 

An update for firefox is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2019-4110:01 Moderate: java-1.7.1-ibm security update (Dec 5)
 

An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2019-4109:01 Moderate: java-1.7.1-ibm security update (Dec 5)
 

An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2019-4082:01 Moderate: OpenShift Container Platform 4.1 (Dec 4)
 

An update for ose-cluster-authentication-operator-container, ose-cluster-config-operator-container, and ose-cluster-kube-apiserver-operator-container is now available for Red Hat OpenShift Container Platform 4.1.

  RedHat: RHSA-2019-4081:01 Moderate: OpenShift Container Platform 4.1 (Dec 4)
 

An update for ose-cluster-kube-apiserver-operator-container is now available for Red Hat OpenShift Container Platform 4.1. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2019-4075:01 Moderate: OpenShift Container Platform 4.2 (Dec 3)
 

An update for ose-cluster-kube-apiserver-operator-container and ose-cluster-kube-scheduler-operator-container is now available for Red Hat OpenShift Container Platform 4.2. Red Hat Product Security has rated this update as having a security impact

  RedHat: RHSA-2019-4074:01 Moderate: OpenShift Container Platform 4.2 runc (Dec 3)
 

An update for runc is now available for Red Hat OpenShift Container Platform 4.2. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2019-4071:01 Important: Red Hat Process Automation Manager (Dec 3)
 

An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2019-4069:01 Important: Red Hat Decision Manager 7.5.1 (Dec 3)
 

An update is now available for Red Hat Decision Manager. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2019-4062:01 Important: python-jinja2 security update (Dec 3)
 

An update for python-jinja2 is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions.

  RedHat: RHSA-2019-4061:01 Important: patch security update (Dec 3)
 

An update for patch is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions.

  RedHat: RHSA-2019-4058:01 Important: kernel security and bug fix update (Dec 3)
 

An update for kernel is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions.

  RedHat: RHSA-2019-4056:01 Important: kernel security update (Dec 3)
 

An update for kernel is now available for Red Hat Enterprise Linux 6.5 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2019-4057:01 Important: kernel-rt security and bug fix update (Dec 3)
 

An update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2019-4045:01 Important: Red Hat Single Sign-On 7.3.5 security (Dec 2)
 

A security update is now available for Red Hat Single Sign-On 7.3 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2019-4042:01 Important: Red Hat Single Sign-On 7.3.5 security (Dec 2)
 

New Red Hat Single Sign-On 7.3.5 packages are now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2019-4041:01 Important: Red Hat Single Sign-On 7.3.5 security (Dec 2)
 

New Red Hat Single Sign-On 7.3.5 packages are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2019-4040:01 Important: Red Hat Single Sign-On 7.3.5 security (Dec 2)
 

New Red Hat Single Sign-On 7.3.5 packages are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2019-4037:01 Important: Red Hat Data Grid 7.3.2 security update (Dec 2)
 

An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2019-4024:01 Important: SDL security update (Dec 2)
 

An update for SDL is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

  RedHat: RHSA-2019-4023:01 Moderate: samba security and bug fix update (Dec 2)
 

An update for samba is now available for Red Hat Gluster Storage 3.5 on Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which


  Slackware: 2019-337-01: mozilla-firefox Security Update (Dec 3)
 

New mozilla-firefox packages are available for Slackware 14.2 and -current to fix security issues.


  SUSE: 2019:14237-1 moderate: permissions (Dec 5)
 

An update that solves one vulnerability and has one errata is now available.

  SUSE: 2019:3188-1 moderate: dnsmasq (Dec 5)
 

An update that solves two vulnerabilities and has three fixes is now available.

  SUSE: 2019:3183-1 moderate: permissions (Dec 5)
 

An update that solves two vulnerabilities and has three fixes is now available.

  SUSE: 2019:3182-1 moderate: permissions (Dec 5)
 

An update that solves two vulnerabilities and has one errata is now available.

  SUSE: 2019:3190-1 moderate: munge (Dec 5)
 

An update that fixes one vulnerability is now available.

  SUSE: 2019:3179-1 moderate: dpdk (Dec 5)
 

An update that solves one vulnerability and has four fixes is now available.

  SUSE: 2019:3192-1 moderate: opencv (Dec 5)
 

An update that solves three vulnerabilities and has one errata is now available.

  SUSE: 2019:3176-1 important: clamav (Dec 5)
 

An update that fixes one vulnerability is now available.

  SUSE: 2019:3191-1 moderate: cloud-init (Dec 5)
 

An update that solves one vulnerability and has 6 fixes is now available.

  SUSE: 2019:3180-1 moderate: permissions (Dec 5)
 

An update that solves two vulnerabilities and has one errata is now available.

  SUSE: 2019:3177-1 important: clamav (Dec 5)
 

An update that fixes one vulnerability is now available.

  SUSE: 2019:14236-1 important: clamav (Dec 5)
 

An update that fixes one vulnerability is now available.

  SUSE: 2019:3189-1 moderate: dnsmasq (Dec 5)
 

An update that solves two vulnerabilities and has three fixes is now available.

  SUSE: 2019:3184-1 important: ffmpeg (Dec 5)
 

An update that fixes four vulnerabilities is now available.

  SUSE: 2019:3125-1 important: haproxy (Nov 29)
 

An update that solves one vulnerability and has three fixes is now available.

  SUSE: 2019:3126-1 important: haproxy (Nov 29)
 

An update that solves one vulnerability and has three fixes is now available.

  SUSE: 2019:3127-1 moderate: python-Django (Nov 29)
 

An update that fixes two vulnerabilities is now available.

  SUSE: 2019:14235-1 important: tightvnc (Nov 29)
 

An update that fixes four vulnerabilities is now available.

  SUSE: 2019:3092-1 moderate: libarchive (Nov 28)
 

An update that fixes 10 vulnerabilities is now available.

  SUSE: 2019:3095-1 moderate: libtomcrypt (Nov 28)
 

An update that fixes one vulnerability is now available.

  SUSE: 2019:3094-1 moderate: ncurses (Nov 28)
 

An update that solves three vulnerabilities and has one errata is now available.

  SUSE: 2019:3090-1 important: ucode-intel (Nov 28)
 

An update that contains security fixes can now be installed.

  SUSE: 2019:3091-1 important: ucode-intel (Nov 28)
 

An update that solves two vulnerabilities and has two fixes is now available.

  SUSE: 2019:3097-1 moderate: cloud-init (Nov 28)
 

An update that solves one vulnerability and has 6 fixes is now available.

  SUSE: 2019:3089-1 important: ucode-intel (Nov 28)
 

An update that contains security fixes can now be installed.

  SUSE: 2019:3086-1 moderate: libidn2 (Nov 28)
 

An update that fixes two vulnerabilities is now available.

  SUSE: 2019:3085-1 libxml2 (Nov 28)
 

An update that contains security fixes can now be installed.

  SUSE: 2019:3087-1 libxml2 (Nov 28)
 

An update that contains security fixes can now be installed.


  Ubuntu 4214-1: RabbitMQ vulnerability (Dec 5)
 

RabbitMQ could be made to execute arbitrary code if it received a specially crafted input.

  Ubuntu 4213-1: Squid vulnerabilities (Dec 4)
 

Several security issues were fixed in Squid.

  Ubuntu 4212-1: HAProxy vulnerability (Dec 4)
 

HAProxy could be made to execute arbitrary code if it received a specially crafted HTTP/2 header.

  Ubuntu 4182-4: Intel Microcode regression (Dec 4)
 

USN-4182-2 introduced a regression in the Intel Microcode for some Skylake processors.

  Ubuntu 4182-3: Intel Microcode regression (Dec 4)
 

USN-4182-1 introduced a regression in the Intel Microcode for some Skylake processors.

  Ubuntu 4194-2: postgresql-common vulnerability (Dec 3)
 

postgresql-common could be made to create arbitrary directories.

  Ubuntu 4207-1: GraphicsMagick vulnerabilities (Dec 3)
 

Several security issues were fixed in GraphicsMagick.

  Ubuntu 4206-1: GraphicsMagick vulnerabilities (Dec 3)
 

Several security issues were fixed in GraphicsMagick.

  Ubuntu 4211-2: Linux kernel (Xenial HWE) vulnerabilities (Dec 2)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 4211-1: Linux kernel vulnerabilities (Dec 2)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 4210-1: Linux kernel vulnerabilities (Dec 2)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 4209-1: Linux kernel vulnerabilities (Dec 2)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 4208-1: Linux kernel vulnerabilities (Dec 2)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 4205-1: SQLite vulnerabilities (Dec 2)
 

Several security issues were fixed in SQLite.

  Ubuntu 4204-1: psutil vulnerability (Nov 28)
 

psutil could be made to crash or run programs.


  Debian LTS: DLA-2021-1: libav security update (Dec 5)
 

Several security issues were fixed in libav, a multimedia library for processing audio and video files.

  Debian LTS: DLA-2020-1: libonig security update (Dec 4)
 

Several vulnerabilities were discovered in the Oniguruma regular expressions library, notably used in PHP mbstring.

  Debian LTS: DLA-2019-1: exiv2 security update (Dec 2)
 

A corrupted or specially crafted CRW image might exceed the overall buffer size and cause a denial of service.

  Debian LTS: DLA-2017-2: asterisk regression update (Dec 1)
 

The backport of the CVE-2019-13161 fix caused a regression and has been reverted. For Debian 8 "Jessie", this problem has been fixed in version

  Debian LTS: DLA-2018-1: proftpd-dfsg security update (Nov 30)
 

In mod_tls a crash with empty CRL was fixed. For Debian 8 "Jessie", this problem has been fixed in version 1.3.5e+r1.3.5-2+deb8u5.

  Debian LTS: DLA-2017-1: asterisk security update (Nov 30)
 

Several vulnerabilities are fixed in Asterisk, an Open Source PBX and telephony toolkit. CVE-2019-13161

  Debian LTS: DLA-1698-2: file regression update (Nov 30)
 

This update fixes a regression introduced in 1:5.22+15-2+deb8u5 causing truncated output of the interpreter name; thanks to Christoph Biedl for reporting the problem and its cause.

  Debian LTS: DLA-2005-1: tnef security update (Nov 29)
 

In tnef, an attacker may be able to write to the victim's .ssh/authorized_keys file via an e-mail message with a crafted winmail.dat application/ms-tnef attachment, because of a heap-based

  Debian LTS: DLA-2004-1: 389-ds-base security update (Nov 29)
 

A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values.

  Debian LTS: DLA-2016-1: ssvnc security update (Nov 29)
 

Several vulnerabilities have been identified in the VNC code of ssvnc, an encryption-capable VNC client.

  Debian LTS: DLA-2015-1: nss security update (Nov 29)
 

Handling of Netscape Certificate Sequences in CERT_DecodeCertPackage() may have crashed with a NULL dereference, leading to a Denial-of-Service.

  Debian LTS: DLA-2014-1: vino security update (Nov 29)
 

Several vulnerabilities have been identified in the VNC code of vino, a desktop sharing utility for the GNOME desktop environment.


  ArchLinux: 201912-1: firefox: multiple issues (Dec 5)
 

The package firefox before version 71.0-1 is vulnerable to multiple issues including arbitrary code execution, denial of service, information disclosure and privilege escalation.

  ArchLinux: 201911-14: intel-ucode: multiple issues (Dec 3)
 

The package intel-ucode before version 20191112-1 is vulnerable to multiple issues including information disclosure, private key recovery and denial of service.

  ArchLinux: 201911-13: libtiff: denial of service (Dec 3)
 

The package libtiff before version 4.1.0-1 is vulnerable to denial of service.


  CentOS: CESA-2019-3979: Important CentOS 7 kernel (Dec 3)
 

Upstream details at: https://access.redhat.com/errata/RHSA-2019:3979

  CentOS: CESA-2019-3976: Low CentOS 7 tcpdump (Dec 3)
 

Upstream details at: https://access.redhat.com/errata/RHSA-2019:3976

  CentOS: CESA-2019-3981: Important CentOS 7 389-ds-base (Dec 3)
 

Upstream details at: https://access.redhat.com/errata/RHSA-2019:3981

  CentOS: CESA-2019-3888: Important CentOS 7 ghostscript (Dec 3)
 

Upstream details at: https://access.redhat.com/errata/RHSA-2019:3888


  SciLinux: SLSA-2019-4024-1 Important: SDL on SL7.x x86_64 (Dec 3)
 

SDL: CVE-2019-13616 not fixed in Red Hat Enterprise Linux 7 erratum RHSA-2019:3950 (CVE-2019-14906) SL7 x86_64 SDL-1.2.15-15.el7_7.i686.rpm SDL-1.2.15-15.el7_7.x86_64.rpm SDL-debuginfo-1.2.15-15.el7_7.i686.rpm SDL-debuginfo-1.2.15-15.el7_7.x86_64.rpm SDL-devel-1.2.15-15.el7_7.i686.rpm SDL-devel-1.2.15-15.el7_7.x86_64.rpm SDL-static-1.2.15-15.el7_7.i686.rpm SD…

  SciLinux: SLSA-2019-3976-1 Low: tcpdump on SL7.x x86_64 (Dec 3)
 

tcpdump: Stack-based buffer over-read in print-hncp.c:print_prefix() via crafted pcap (CVE-2018-19519) SL7 x86_64 tcpdump-4.9.2-4.el7_7.1.x86_64.rpm tcpdump-debuginfo-4.9.2-4.el7_7.1.x86_64.rpm - Scientific Linux Development Team

  SciLinux: SLSA-2019-3981-1 Important: 389-ds-base on SL7.x x86_64 (Dec 2)
 

389-ds-base: Read permission check bypass via the deref plugin (CVE-2019-14824) SL7 x86_64 389-ds-base-1.3.9.1-12.el7_7.x86_64.rpm 389-ds-base-debuginfo-1.3.9.1-12.el7_7.x86_64.rpm 389-ds-base-devel-1.3.9.1-12.el7_7.x86_64.rpm 389-ds-base-libs-1.3.9.1-12.el7_7.x86_64.rpm 389-ds-base-snmp-1.3.9.1-12.el7_7.x86_64.rpm - Scientific Linux Development Team


  openSUSE: 2019:2645-1: important: haproxy (Dec 4)
 

An update that solves one vulnerability and has three fixes is now available.

  openSUSE: 2019:2633-1: moderate: cloud-init (Dec 4)
 

An update that solves one vulnerability and has 6 fixes is now available.

  openSUSE: 2019:2628-1: moderate: calamares (Dec 3)
 

An update that solves one vulnerability and has one errata is now available.

  openSUSE: 2019:2626-1: important: haproxy (Dec 3)
 

An update that solves one vulnerability and has three fixes is now available.

  openSUSE: 2019:2632-1: moderate: libarchive (Dec 3)
 

An update that fixes 5 vulnerabilities is now available.

  openSUSE: 2019:2631-1: important: ucode-intel (Dec 3)
 

An update that contains security fixes can now be installed.

  openSUSE: 2019:2629-1: libxml2 (Dec 3)
 

An update that contains security fixes can now be installed.

  openSUSE: 2019:2615-1: moderate: libarchive (Dec 3)
 

An update that fixes 5 vulnerabilities is now available.

  openSUSE: 2019:2620-1: important: ucode-intel (Dec 3)
 

An update that contains security fixes can now be installed.

  openSUSE: 2019:2612-1: libxml2 (Dec 3)
 

An update that contains security fixes can now be installed.

  openSUSE: 2019:2611-1: moderate: libidn2 (Dec 3)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2019:2613-1: moderate: libidn2 (Dec 3)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: openSUSE Leap 15.0 has reached end of SUSE support (Dec 3)
 

openSUSE: openSUSE Leap 15.0 has reached end of SUSE support

  openSUSE: 2019:2607-1: moderate: Recommended openafs (Dec 2)
 

An update that contains security fixes can now be installed.

  openSUSE: 2019:2608-1: moderate: freerdp (Dec 2)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2019:2604-1: moderate: freerdp (Dec 1)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2019:2599-1: moderate: phpMyAdmin (Dec 1)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2019:2598-1: important: strongswan (Dec 1)
 

An update that fixes 5 vulnerabilities is now available.

  openSUSE: 2019:2597-1: moderate: clamav (Dec 1)
 

An update that solves two vulnerabilities and has one errata is now available.

  openSUSE: 2019:2595-1: moderate: clamav (Nov 30)
 

An update that solves two vulnerabilities and has one errata is now available.

  openSUSE: 2019:2594-1: important: strongswan (Nov 30)
 

An update that fixes 5 vulnerabilities is now available.

  openSUSE: 2019:2596-1: moderate: cpio (Nov 30)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2019:2593-1: moderate: cpio (Nov 30)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2019:2591-1: important: webkit2gtk3 (Nov 30)
 

An update that fixes 42 vulnerabilities is now available.

  openSUSE: 2019:2587-1: important: webkit2gtk3 (Nov 30)
 

An update that fixes 42 vulnerabilities is now available.

  openSUSE: 2019:2588-1: moderate: bluez (Nov 30)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2019:2585-1: moderate: bluez (Nov 30)
 

An update that fixes one vulnerability is now available.


  Mageia 2019-0352: glib2.0 security update (Nov 30)
 

The updated packages fix a security vulnerability: file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used. (CVE-2019-12450)

  Mageia 2019-0351: httpie security update (Nov 30)
 

Updated httpie packages fix security vulnerability: HTTPie is vulnerable to Open Redirect that allows an attacker to write an arbitrary file with supplied filename and content to the current directory, by redirecting a request from HTTP to a crafted URL pointing

  Mageia 2019-0350: python-sqlalchemy security update (Nov 30)
 

Updated python-sqlalchemy packages fix security vulnerabilities: SQL Injection via the order_by parameter (CVE-2019-7164). SQL Injection via the group_by parameter (CVE-2019-7548).

  Mageia 2019-0349: glibc security update (Nov 30)
 

Updated glibc packages fixes the following security issue: On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local

  Mageia 2019-0348: gnupg2 security update (Nov 30)
 

gnupg2 is updated to 2.2.18 and fixes a security vulnerability: Web of Trust forgeries using collisions in SHA-1 signatures (CVE-2019-14855) * Note that this change removes all SHA-1 based key signatures newer than 2019-01-19 from the web-of-trust. This includes all key signatures created

  Mageia 2019-0347: chromium-browser-stable security update (Nov 30)
 

Chromium-browser 78.0.3904.108 fixes security issues: Multiple flaws were found in the way Chromium 78.0.3904.87 processes various types of web content, where loading a web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose

  Mageia 2019-0346: djvulibre security update (Nov 30)
 

The updated packages fix security vulnerabilities: In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows attackers to cause a denial-of-service (application crash in GStringRep::strdup in libdjvu/GString.cpp caused by a heap-based buffer

  Mageia 2019-0345: mosquitto security update (Nov 30)
 

Updated mosquitto packages fix security vulnerability: A vulnerability was discovered in mosquitto, allowing a malicious MQTT client to cause a denial of service (stack overflow and daemon crash), by sending a specially crafted SUBSCRIBE packet containing a topic with

  Mageia 2019-0344: unbound security update (Nov 30)
 

Updated unbound package to version 1.9.5 to fix a potential security vulnerability. In case users recompiled the Mageia package with `--enable-ipsecmod`, and ipsecmod is enabled and used in the configuration, shell code execution would end up being possible after receiving a specially crafted answer (CVE-2019-18934).

  Mageia 2019-0343: libssh2 security update (Nov 30)
 

The updated packages fix a security vulnerability: In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory

  Mageia 2019-0342: nginx security update (Nov 30)
 

Updated nginx packages fix security vulnerabilities: When using HTTP/2 a client might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).

  Mageia 2019-0341: zipios++ security update (Nov 30)
 

Updated zipios++ packages fix security vulnerability: Mike Salvatore discovered that Zipios mishandled certain malformed ZIP files. An attacker could use this vulnerability to cause a denial of service or consume system resources (CVE-2019-13453).

  Mageia 2019-0340: libreoffice security update (Nov 30)
 

Updated libreoffice packages fix security vulnerabilities: LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle

  Mageia 2019-0339: dbus security update (Nov 30)
 

dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication

  Mageia 2019-0338: bzip2 security update (Nov 30)
 

The updated packages fix a security vulnerability: BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. (CVE-2019-12900)

  Mageia 2019-0337: curl security update (Nov 30)
 

The updated packages fix security vulnerabilities: An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1. (CVE-2019-5435)