Linux Advisory Watch: February 12th, 2021

It was discovered that zstd, a compression utility, temporarily exposed a world-readable version of its input even if the original file had restrictive permissions.

Roman Fiedler discovered a vulnerability in the OverlayFS code in firejail, a sandbox program to restrict the running environment of untrusted applications, which could result in root privilege escalation. This update disables OverlayFS support in firejail.

Multiple security issues were discovered in the implementation of the Go programming language, which could result in denial of service and the P-224 curve implementation could generate incorrect outputs.

A remote information leak vulnerability and a remote buffer overflow vulnerability were discovered in ConnMan, a network manager for embedded devices, which could result in denial of service or the execution of arbitrary code.

Several vulnerabilities have been discovered in the chromium web browser. CVE-2020-16044

Moshe Kol and Shlomi Oberman of JSOF discovered several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server. They could result in denial of service, cache poisoning or the execution of arbitrary code.

**PHP version 7.4.15** (04 Feb 2021) **Core:** * Fixed bug php#80523 (bogus parse error on >4GB source code). (Nikita) * Fixed bug php#80384 (filter buffers entire read until file closed). (Adam Seitz, cmb) **Curl:** * Fixed bug php#80595 (Resetting POSTFIELDS to empty array breaks request). (cmb) **Date:** * Fixed bug php#80376 (last day of the month causes runway cpu usage. (Derick)

This update fixes dependency filtering that caused thunderbird to inadvertently lose requires on dbus-glib. ---- Update to latest upstream version. ---- Update to latest upstream version.

This update includes the latest stable release of _Apache Subversion_, version **1.14.1**. This release includes the fix for `CVE-2020-17525`, a remote unauthenticated denial-of-service in Subversion mod_authz_svn. The full upstream security advisory for `CVE-2020-17525` is available at: https://subversion.apache.org/security/CVE-2020-17525-advisory.txt ### User-

New upstream release 2.0.25

Update to upstream 20210208 release: * rtl_bt: Updates for RTL8822C, RTL8821C, added RTL8852A * Link Cypress brcmfmac firmwares to old brcm location * brcm NVRAM updates for Raspberry Pi, added 96boards Rock960 * QCom SM8250 (SD865) firmware for Compute, Audio DSPs, Adreno a650, venus VPU-1.0 * i915: Added firmware for DG1, ADL-S * Uodated bluetooth firmware for Intel Bluetooth

Update to spice-vdagent 0.21.0: security fixes: CVE-2020-25650, CVE-2020-25651, CVE-2020-25652, CVE-2020-25653

Security fix for CVE-2020-36242 Fixed a bug where certain sequences of update() calls when symmetrically encrypting very large payloads (>2GB) could result in an integer overflow, leading to buffer overflows.

Update to 4.03. Fixes CVE-2020-35376 and CVE-2020-25725.

New version 2.7.7 is released. Note that a security flaw was found on the previous version which may allow OS commands' injection, which is now assigned as CVE-2021-21289 . This new rpm fixes this issue.

# New in release OpenJDK 11.0.10 (2021-01-19): Live versions of these release notes can be found at: * https://bitly.com/openjdk11010 * https://builds.shipilev.net/backports-monitor/release-notes-11.0.10.txt ## Security fixes * JDK-8247619: Improve Direct Buffering of Characters ## Other changes * [JDK-8213821](https://bugs.openjdk.org/browse/JDK-8213821):

# New in release OpenJDK 8u282 (2021-01-19) Live versions of these release notes can be found at: * https://bitly.com/openjdk8u282 * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u282.txt ## Security fixes * JDK-8247619: Improve Direct Buffering of Characters ## Other changes * [JDK-8230839](https://bugs.openjdk.org/browse/JDK-8230839)

Update to 4.03. Fixes CVE-2020-35376 and CVE-2020-25725.

New version 2.7.7 is released. Note that a security flaw was found on the previous version which may allow OS commands' injection, which is now assigned as CVE-2021-21289 . This new rpm fixes this issue.

# New in release OpenJDK 8u282 (2021-01-19) Live versions of these release notes can be found at: * https://bitly.com/openjdk8u282 * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u282.txt ## Security fixes * JDK-8247619: Improve Direct Buffering of Characters ## Other changes * [JDK-8230839](https://bugs.openjdk.org/browse/JDK-8230839)

3.0.31, fixes for OVE-20210128-0001 and OVE-20210130-0001

Update to version 2.10.5.1. Resolves CVE-2020-25649.

Update to 88.0.4324.150. Fixes: CVE-2021-21142 CVE-2021-21143 CVE-2021-21144 CVE-2021-21145 CVE-2021-21146 CVE-2021-21147 CVE-2021-21148 Please keep in mind that this release fixes an actively exploited 0-day vulnerability.

3.0.31, fixes for OVE-20210128-0001 and OVE-20210130-0001

Buffer overflow fixes: 1. Fix buffer overflow on large MNG LOOP chunk (RHBZ#1908559). 2. Fix a buffer overrun for certain invalid MNG PPLT chunk contents (RHBZ#1907428).

Buffer overflow fixes: 1. Fix buffer overflow on large MNG LOOP chunk (RHBZ#1908559). 2. Fix a buffer overrun for certain invalid MNG PPLT chunk contents (RHBZ#1907428).

- Upstream upgrade - Fixes #1921879, #1921972, #1921973, #1921975, #1921976, #1921979, #1921981, #1921983, #1921983, #1921985, #1921987, #1921989, #1921992, #1921994

Security fix for [PUT CVEs HERE]

Security fix for CVE-2020-26418, CVE-2020-26419, CVE-2020-26420, CVE-2020-26421 Update to version 3.4.2 Fix %post script on Silverblue

Update to jasper-2.0.24, see https://github.com/jasper- software/jasper/releases/tag/version-2.0.24 for details. Backport fix for CVE-2021-3272.

security fix for CVE-2021-0326 see also: https://w1.fi/security/2020-2/

Backport upstream patch to fix CVE (#1922137)

Security fix for CVE-2020-26418, CVE-2020-26419, CVE-2020-26420, CVE-2020-26421 Update to version 3.4.2 Fix %post script on Silverblue

Update to jasper-2.0.24, see https://github.com/jasper- software/jasper/releases/tag/version-2.0.24 for details. Backport fix for CVE-2021-3272.

Update to 3.10.0a5. Security fix for CVE-2021-3177.

**PHP version 7.4.15** (04 Feb 2021) **Core:** * Fixed bug php#80523 (bogus parse error on >4GB source code). (Nikita) * Fixed bug php#80384 (filter buffers entire read until file closed). (Adam Seitz, cmb) **Curl:** * Fixed bug php#80595 (Resetting POSTFIELDS to empty array breaks request). (cmb) **Date:** * Fixed bug php#80376 (last day of the month causes runway cpu usage. (Derick)

Security fix for CVE-2021-20197

Backport patches for CVE-2020-14409, CVE-2020-14410.

# New in release OpenJDK 11.0.10 (2021-01-19): Live versions of these release notes can be found at: * https://bitly.com/openjdk11010 * https://builds.shipilev.net/backports-monitor/release-notes-11.0.10.txt ## Security fixes * JDK-8247619: Improve Direct Buffering of Characters ## Other changes * [JDK-8213821](https://bugs.openjdk.org/browse/JDK-8213821):

The 5.10.12 stable kernel update contains a number of important fixes across the tree.

Security fix for [CVE-2021-3325]. This new version fixes a security bug introduced in the 3.13.0 version that lead the HTTP built-in server to bypass the Basic Authentication when the option hosts_deny is not defined, which is the default. Besides this fix, this version also updates the main configuration file to add the option hosts_deny = all by default inside the auth subsection,

The 5.10.12 stable kernel update contains a number of important fixes across the tree.

Security fix for [CVE-2021-3325]. This new version fixes a security bug introduced in the 3.13.0 version that lead the HTTP built-in server to bypass the Basic Authentication when the option hosts_deny is not defined, which is the default. Besides this fix, this version also updates the main configuration file to add the option hosts_deny = all by default inside the auth subsection,

An update for openvswitch2.13 is now available for Fast Datapath for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

Red Hat JBoss Web Server 5.4.1 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 and Windows. Red Hat Product Security has rated this release as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

Updated Red Hat JBoss Web Server 5.4.1 packages are now available for Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8. Red Hat Product Security has rated this release as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

An update is now available for Red Hat JBoss Web Server 3.1, for RHEL 7 and Windows. Red Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which

An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 7. Red Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 6 zip release for RHEL 7, RHEL 8 and Microsoft Windows is available. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which

Updated packages that provide Red Hat JBoss Core Services Pack Apache Server 2.4.37 and fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact

An update for .NET 5.0 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

An update for .NET Core 2.1 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update for rh-dotnet50-dotnet is now available for .NET on Red Hat Enterprise Linux. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update for rh-dotnet31-dotnet is now available for .NET Core on Red Hat Enterprise Linux. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update for rh-dotnet21-dotnet is now available for .NET Core on Red Hat Enterprise Linux. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update for .NET Core 3.1 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update for qemu-kvm-rhev is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 and Red Hat Virtualization Engine 4.3. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

Red Hat OpenShift Container Platform release 4.5.31 is now available with updates to packages and images that fix several bugs. This release also includes a security update for Red Hat OpenShift Container Platform 4.5.

Red Hat OpenShift Container Platform release 4.6.16 is now available with updates to packages and images that fix several bugs. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

Red Hat OpenShift Container Platform release 4.6.16 is now available with updates to packages and images that fix several bugs. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

A security update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

An update is now available for Red Hat build of Thorntail. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each

An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

Red Hat Quay 3.4.0 is now available with bug fixes and various enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

Red Hat AMQ Broker 7.8.1 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

An update for flatpak is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

New dnsmasq packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.

New dnsmasq packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.

The container suse-sles-15-sp2-chost-byos-v20210202-gen2 was updated. The following patches have been included in this update:

The container suse-sles-15-sp1-chost-byos-v20210202-gen2 was updated. The following patches have been included in this update:

The container suse-sles-15-chost-byos-v20210202-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

The container caasp/v4.5/cilium-operator was updated. The following patches have been included in this update:

The container caasp/v4.5/cilium was updated. The following patches have been included in this update:

The container suse/sle15 was updated. The following patches have been included in this update:

The container suse-sles-15-sp2-chost-byos-v20210202-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

The container sles-15-sp2-chost-byos-v20210202 was updated. The following patches have been included in this update:

The container sles-15-sp1-chost-byos-v20210202 was updated. The following patches have been included in this update:

The container suse-sles-15-sp1-chost-byos-v20210202-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

Roman Fiedler discovered a vulnerability in the OverlayFS code in firejail, a sandbox program to restrict the running environment of untrusted applications, which could result in root privilege escalation. This update disables OverlayFS support in firejail.

Claudio Bozzato of Cisco Talos discovered an exploitable integer overflow vulnerability in the flattenIncrementally function in the xcf2png and xcf2pnm binaries of xcftools. An integer overflow can occur while walking through tiles that could be exploited to corrupt memory and execute arbitrary code. In order

A remote information leak vulnerability and a remote buffer overflow vulnerability were discovered in ConnMan, a network manager for embedded devices, which could result in denial of service or the execution of

Two issues have been found in slirp, a SLIP/PPP emulator using a dial up shell account.

Various overflow errors were identified and fixed. CVE-2020-27814

CVE-2020-0256 In LoadPartitionTable of gpt.cc, there is a possible out of bounds write due to a missing bounds check. This

Multiple vulnerabilites were discovered in privoxy, a privacy enhancing HTTP proxy, like memory leaks, dereference of a NULL-pointer, et al.

Several vulnerabilities were fixed in Wireshark, a network sniffer. CVE-2019-13619

CVE-2020-8695 Observable discrepancy in the RAPL interface for some Intel(R) Processors may allow a privileged user to

The package helm before version 3.5.2-1 is vulnerable to insufficient validation.

The package privoxy before version 3.0.31-1 is vulnerable to denial of service.

The package python2-jinja before version 2.11.3-1 is vulnerable to denial of service.

The package python-jinja before version 2.11.3-1 is vulnerable to denial of service.

The package python-django before version 3.1.6-1 is vulnerable to directory traversal.

The package glibc before version 2.33-1 is vulnerable to denial of service.

The package lib32-glibc before version 2.33-1 is vulnerable to denial of service.

The package php before version 8.0.2-1 is vulnerable to denial of service.

The package php7 before version 7.4.15-1 is vulnerable to denial of service.

The package cups before version 1:2.3.3op2-1 is vulnerable to information disclosure.

The package docker before version 1:20.10.3-1 is vulnerable to multiple issues including denial of service and privilege escalation.

The package gitlab before version 13.8.2-1 is vulnerable to information disclosure.

The package minio before version 2021.01.30-1 is vulnerable to directory traversal.

The package ansible before version 2.10.7-1 is vulnerable to information disclosure.

The package opendoas before version 6.8.1-2 is vulnerable to privilege escalation.

The package nextcloud before version 20.0.6-1 is vulnerable to directory traversal.

The package chromium before version 88.0.4324.150-1 is vulnerable to multiple issues including arbitrary code execution and incorrect calculation.

The package opera before version 74.0.3911.75-1 is vulnerable to multiple issues including arbitrary code execution, insufficient validation, content spoofing and incorrect calculation.

The package vivaldi before version 3.6.2165.36-1 is vulnerable to multiple issues including arbitrary code execution, insufficient validation, content spoofing and incorrect calculation.

The package wireshark-cli before version 3.4.3-1 is vulnerable to denial of service.

The package thunderbird before version 78.7.0-1 is vulnerable to multiple issues including arbitrary code execution, information disclosure and insufficient validation.

The package firefox before version 85.0-1 is vulnerable to multiple issues including arbitrary code execution, incorrect calculation and information disclosure.

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0411

flatpak: sandbox escape via spawn portal (CVE-2021-21261) SL7 x86_64 flatpak-1.0.9-10.el7_9.x86_64.rpm flatpak-debuginfo-1.0.9-10.el7_9.x86_64.rpm flatpak-libs-1.0.9-10.el7_9.x86_64.rpm flatpak-builder-1.0.0-10.el7_9.x86_64.rpm flatpak-devel-1.0.9-10.el7_9.x86_64.rpm - Scientific Linux Development Team

An update that fixes two vulnerabilities is now available.

An update that solves three vulnerabilities and has 5 fixes is now available.

An update that fixes one vulnerability is now available.

An update that fixes one vulnerability is now available.

An update that fixes three vulnerabilities is now available.

An update that fixes one vulnerability is now available.

An update that solves two vulnerabilities and has one errata is now available.

An update that contains security fixes can now be installed.

An update that fixes three vulnerabilities is now available.

An update that fixes 6 vulnerabilities is now available.

An update that fixes one vulnerability is now available.

An update that fixes two vulnerabilities is now available.

An update that fixes three vulnerabilities is now available.

An update that fixes 6 vulnerabilities is now available.

An update that fixes two vulnerabilities is now available.

An update that solves 7 vulnerabilities and has 49 fixes is now available.

An update that solves one vulnerability and has one errata is now available.

An update that solves two vulnerabilities and has one errata is now available.

An update that solves 79 vulnerabilities and has 676 fixes is now available.

gssproxy (aka gss-proxy) before 0.8.3 does not unlock cond_mutex before pthread exit in gp_worker_main() in gp_workers.c (CVE-2020-12658). References: - https://bugs.mageia.org/show_bug.cgi?id=28019

An XSS issue has been discovered in phpLDAPadmin before 1.2.6.2 that allows users to store malicious values that may be executed by other users at a later time via get_request in lib/function.php (CVE-2020-35132). References:

A flaw was found in the gstreamer h264 component of gst-plugins-bad before v1.18.1 where when parsing a h264 header, an attacker could cause the stack to be smashed, memory corruption and possibly code execution. (CVE-2021-3185). References:

Messages with too many tiny nested MIME parts can lead to memory exhaustion on split(), resulting in denial of service (rhbz#1835353) This update limits the number of nested MIME parts to 10 (by default), to avoid a possible memory exhaustion issue with lots of tiny MIME parts.

Updated nethack packages fix security vulnerabilities: NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability when reading very long lines from configuration files. This affects systems that have NetHack installed suid/sgid, and shared systems that allow users to

The php packages are updated to version 7.3.27 to fix a Null Dereference in SoapClient (SOAP). (CVE-2021-21702). Note also php packages version 7.4.15-1.mga7 are available in backports/updates.

A vulnerability was discovered in how wpa_supplicant processing P2P (Wi-Fi Direct) group information from active group owners. The actual parsing of that information validates field lengths appropriately, but processing of the parsed information misses a length check when storing a copy of the secondary device types. This can result in writing

phppgadmin through 7.12.1 allows sensitive actions to be performed without validating that the request originated from the application. One such area, database.php does not verify the source of an HTTP request. This can be leveraged by a remote attacker to trick a logged-in administrator to visit a malicious page with a CSRF exploit and execute arbitrary system commands on the

A bug that could cause segfault if GPT header claimed partition entries are oversized (CVE-2020-0256). A bug that could cause a crash if a badly-formatted MBR disk was read (CVE-2021-0308).

When serving resources from a network location using the NTFS file system it was possible to bypass security constraints and/or view the source code for JSPs in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances

It was discovered that Mutt incorrectly handled certain email messages. An attacker could possibly use this issue to cause a denial of service because rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences of semicolon characters in RFC822 address fields (aka terminators of empty groups).

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a

It was discovered that there was an issue in nodejs-ini, where an application could be exploited by a malicious input file. This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context

In KDE KMail, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the

Cross-origin information leakage via redirected PDF requests. (CVE-2021-23953) Type confusion when using logical assignment operators in JavaScript switch statements. (CVE-2021-23954)

A flaw was found in python. A stack-based buffer overflow was discovered in the ctypes module provided within Python. Applications that use ctypes without carefully validating the input passed to it may be vulnerable to this flaw, which would allow an attacker to overflow a buffer on the stack and crash the application. The highest threat from this vulnerability is to system

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename (CVE-2019-5477).