Linux Advisory Watch: January 17th, 2020

    Date17 Jan 2020
    289
    Posted ByLinuxSecurity Advisories
    Linux Advisory Watch Newsletter
    Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor have made available.

    LinuxSecurity.com Feature Extras:

    Encryption: An Essential Yet Highly Controversial Component of Digital Security - If youve been keeping up with recent security news, you are most likely aware of the heated worldwide debate about encryption that is currently underway. Strong encryption is imperative to securing sensitive data and protecting individuals privacy online, yet governments around the world refuse to recognize this, and are continually aiming to break encryption in an effort to increase the power of their law enforcement agencies.

    Linux: An OS Capable of Effectively Meeting the US Governments Security Needs Heading into 2020 - As Open Source has become increasingly mainstream and widely accepted for its numerous benefits, the use of Linux as a flexible, transparent and highly secure operating system has also increasingly become a prominent choice among corporations, educational institutions and government sectors alike. With national security concerns at an all time high heading into 2020, it appears that the implementation of Linux could effectively meet the United States governments critical security needs for application development and installations.


     Debian: DSA-4602-1: xen security update (Jan 13)
     

    Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, guest-to-host privilege escalation or information leaks.

     Debian: DSA-4601-1: ldm security update (Jan 9)
     

    It was discovered that a hook script of ldm, the display manager for the Linux Terminal Server Project incorrectly parsed responses from an SSH server which could result in local root privilege escalation.

     Debian: DSA-4600-1: firefox-esr security update (Jan 9)
     

    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, data exfiltration or cross-site scripting.


     Fedora 31: ImageMagick FEDORA-2020-f006145643 (Jan 17)
     

    Security and bug fixes.

     Fedora 31: rubygem-rmagick FEDORA-2020-f006145643 (Jan 17)
     

    Security and bug fixes.

     Fedora 31: xar FEDORA-2020-6490123c7c (Jan 17)
     

    - Update to 1.6.1 - Change upstream - Exclude CVE-2010-0055 patch, includes in upstream - Exclude norpath patch, using sed - Pass FTBFS state #1676224 - General clean of the spec - Use Fedora guide lines in Source URL

     Fedora 31: gnulib FEDORA-2020-663f619e9c (Jan 17)
     

    Security fix for [CVE-2018-17942] - Update on 2020-01-07 - CVE-2018-17942

     Fedora 31: python-django FEDORA-2020-adb4f0143a (Jan 17)
     

    fix CVE-2019-19844 (rhbz#1788426)

     Fedora 31: jetty FEDORA-2020-4913d43d77 (Jan 17)
     

    Security fix for CVE-2019-17632

     Fedora 30: phpMyAdmin FEDORA-2020-cb89758335 (Jan 16)
     

    **Version 4.9.4** (2020-01-07) - issue #15724 Fix 2FA was disabled by a bug - issue [security] Fix SQL injection vulnerability on the user accounts page (PMASA-2020-1) ---- **Version 4.9.3** (2019-12-26) - issue #15570 Fix page contents go underneath of floating menubar in some cases - issue #15591 Fix php notice 'Undefined index: foreign_keys_data' on relations view when the user

     Fedora 30: gnulib FEDORA-2020-acac61cfd0 (Jan 16)
     

    Security fix for [CVE-2018-17942] - Update on 2020-01-07 - CVE-2018-17942

     Fedora 31: thunderbird FEDORA-2020-01411d96d5 (Jan 16)
     

    Update to latest upstream version

     Fedora 31: ocsinventory-agent FEDORA-2020-4c8a066b83 (Jan 16)
     

    Per Upstream, a malicious CA could result in unexpected inventory access with the System CA patch. The risk is very low. That patch is now dropped.

     Fedora 31: chromium FEDORA-2020-581537c8aa (Jan 12)
     

    Update to 79.0.3945.117. Fixes CVE-2020-6377.

     Fedora 31: libvpx FEDORA-2020-65eac1b48b (Jan 12)
     

    Update to 1.8.2

     Fedora 31: makepasswd FEDORA-2020-a5b60d0c2b (Jan 11)
     

    Fixes bugzilla 1126076

     Fedora 31: kubernetes FEDORA-2020-943f4b03d2 (Jan 11)
     

    Update to v1.15.7 (CVE-2018-1002102 kubernetes: improper validation of URL redirection in the Kubernetes API server allows an attacker-controlled Kubelet to redirect API server requests from streaming endpoints)

     Fedora 31: GraphicsMagick FEDORA-2019-210b0a6e4f (Jan 11)
     

    New bugfix and security upstream release, see http://www.graphicsmagick.org/NEWS.html#december-24-2019

     Fedora 31: matio FEDORA-2019-a1a2f55fcf (Jan 11)
     

    1.5.7, fix for CVE-2019-13107

     Fedora 31: slurm FEDORA-2019-f5fe4e10d7 (Jan 11)
     

    Release of 19.05.5. Closes security issues CVE-2019-19727, CVE-2019-19728.

     Fedora 30: makepasswd FEDORA-2020-1db19e75db (Jan 11)
     

    Fixes bugzilla 1126076

     Fedora 30: GraphicsMagick FEDORA-2019-f12cb1ddab (Jan 11)
     

    New bugfix and security upstream release, see http://www.graphicsmagick.org/NEWS.html#december-24-2019

     Fedora 30: dovecot FEDORA-2019-72e5ac943a (Jan 11)
     

    Security fix for CVE-2019-19722: null pointer dereference in push notification driver


     RedHat: RHSA-2020-0134:01 Critical: .NET Core on Red Hat Enterprise Linux (Jan 16)
     

    An update for rh-dotnet30-dotnet and rh-dotnet31-dotnet is now available for .NET Core on Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which

     RedHat: RHSA-2020-0132:01 Moderate: Red Hat Process Automation Manager (Jan 16)
     

    An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

     RedHat: RHSA-2020-0133:01 Moderate: Red Hat Decision Manager 7.6.0 Security (Jan 16)
     

    An update is now available for Red Hat Decision Manager. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

     RedHat: RHSA-2020-0130:01 Critical: .NET Core on Red Hat Enterprise Linux (Jan 16)
     

    An update for dotnet3.0 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

     RedHat: RHSA-2020-0124:01 Important: git security update (Jan 16)
     

    An update for git is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

     RedHat: RHSA-2020-0122:01 Important: java-11-openjdk security update (Jan 16)
     

    An update for java-11-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

     RedHat: RHSA-2020-0128:01 Important: java-11-openjdk security update (Jan 16)
     

    An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

     RedHat: RHSA-2020-0127:01 Important: thunderbird security update (Jan 16)
     

    An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

     RedHat: RHSA-2020-0120:01 Important: thunderbird security update (Jan 16)
     

    An update for thunderbird is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

     RedHat: RHSA-2020-0123:01 Important: thunderbird security update (Jan 16)
     

    An update for thunderbird is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

     RedHat: RHSA-2020-0111:01 Critical: firefox security update (Jan 14)
     

    An update for firefox is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

     RedHat: RHSA-2020-0103:01 Important: kernel security and bug fix update (Jan 14)
     

    An update for kernel is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions.

     RedHat: RHSA-2020-0101:01 Moderate: go-toolset-1.12-golang security update (Jan 14)
     

    An update for go-toolset-1.12 and go-toolset-1.12-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

     RedHat: RHSA-2020-0100:01 Important: kernel-rt security and bug fix update (Jan 14)
     

    An update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

     RedHat: RHSA-2020-0020:01 Low: OpenShift Container Platform 3.11 (Jan 14)
     

    An update for atomic-openshift is now available for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which

     RedHat: RHSA-2020-0085:01 Critical: firefox security update (Jan 13)
     

    An update for firefox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

     RedHat: RHSA-2020-0086:01 Critical: firefox security update (Jan 13)
     

    An update for firefox is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

     RedHat: RHSA-2020-0084:01 Important: chromium-browser security update (Jan 13)
     

    An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

     RedHat: RHSA-2020-0078:01 Important: rabbitmq-server security update (Jan 13)
     

    An update for rabbitmq-server is now available for Red Hat OpenStack Platform 15 (Stein). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,


     Slackware: 2020-010-01: mozilla-thunderbird Security Update (Jan 10)
     

    New mozilla-thunderbird packages are available for Slackware 14.2 and -current to fix security issues.

     Slackware: 2020-009-01: mozilla-firefox Security Update (Jan 9)
     

    New mozilla-firefox packages are available for Slackware 14.2 and -current to fix a security issue.


     SUSE: 2020:0121-1 moderate: LibreOffice (Jan 17)
     

    An update that solves one vulnerability and has two fixes is now available.

     SUSE: 2020:0118-1 moderate: fontforge (Jan 16)
     

    An update that fixes two vulnerabilities is now available.

     SUSE: 2020:0110-1 important: slurm (Jan 16)
     

    An update that solves three vulnerabilities and has three fixes is now available.

     SUSE: 2020:0111-1 moderate: Mesa (Jan 16)
     

    An update that fixes one vulnerability is now available.

     SUSE: 2020:0112-1 important: tigervnc (Jan 16)
     

    An update that fixes 5 vulnerabilities is now available.

     SUSE: 2020:0113-1 important: tigervnc (Jan 16)
     

    An update that fixes 5 vulnerabilities is now available.

     SUSE: 2020:0114-1 important: python3 (Jan 16)
     

    An update that solves 26 vulnerabilities and has 30 fixes is now available.

     SUSE: 2020:0115-1 moderate: shibboleth-sp (Jan 16)
     

    An update that fixes one vulnerability is now available.

     SUSE: 2020:0104-1 important: nodejs10 (Jan 15)
     

    An update that fixes three vulnerabilities is now available.

     SUSE: 2020:0101-1 moderate: php7 (Jan 14)
     

    An update that fixes four vulnerabilities is now available.

     SUSE: 2020:0099-1 moderate: openssl-1_1 (Jan 14)
     

    An update that solves four vulnerabilities and has two fixes is now available.

     SUSE: 2020:0102-1 moderate: man (Jan 14)
     

    An update that contains security fixes can now be installed.

     SUSE: 2020:0087-1 moderate: libsolv, libzypp, zypper (Jan 13)
     

    An update that solves one vulnerability and has 10 fixes is now available.

     SUSE: 2020:0086-1 moderate: e2fsprogs (Jan 13)
     

    An update that fixes one vulnerability is now available.

     SUSE: 2020:0078-1 important: MozillaFirefox (Jan 13)
     

    An update that fixes 7 vulnerabilities is now available.

     SUSE: 2020:0081-1 moderate: crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client (Jan 13)
     

    An update that solves three vulnerabilities and has one errata is now available.

     SUSE: 2020:0079-1 moderate: libzypp (Jan 13)
     

    An update that fixes one vulnerability is now available.

     SUSE: 2020:14268-1 important: MozillaFirefox (Jan 10)
     

    An update that fixes 7 vulnerabilities is now available.

     SUSE: 2020:0069-1 moderate: openssl-1_1 (Jan 10)
     

    An update that solves one vulnerability and has three fixes is now available.

     SUSE: 2020:0065-1 moderate: containerd, docker, docker-runc, golang-github-docker-libnetwork (Jan 10)
     

    An update that solves one vulnerability and has 5 fixes is now available.

     SUSE: 2020:0068-1 important: MozillaFirefox (Jan 10)
     

    An update that fixes 7 vulnerabilities is now available.

     SUSE: 2020:0064-1 moderate: openssl-1_0_0 (Jan 10)
     

    An update that fixes one vulnerability is now available.

     SUSE: 2020:0063-1 important: nodejs10 (Jan 10)
     

    An update that fixes three vulnerabilities is now available.

     SUSE: 2020:14267-1 important: log4j (Jan 9)
     

    An update that fixes one vulnerability is now available.

     SUSE: 2020:0059-1 moderate: nodejs12 (Jan 9)
     

    An update that solves 9 vulnerabilities and has one errata is now available.

     SUSE: 2020:14266-1 moderate: apache2-mod_perl (Jan 9)
     

    An update that fixes one vulnerability is now available.

     SUSE: 2020:0051-1 moderate: java-1_7_1-ibm (Jan 9)
     

    An update that fixes 11 vulnerabilities is now available.

     SUSE: 2020:0050-1 moderate: mariadb (Jan 9)
     

    An update that fixes one vulnerability is now available.

     SUSE: 2020:0054-1 important: log4j (Jan 9)
     

    An update that fixes one vulnerability is now available.

     SUSE: 2020:0053-1 important: log4j (Jan 9)
     

    An update that fixes one vulnerability is now available.


     Ubuntu 4241-1: Thunderbird vulnerabilities (Jan 16)
     

    Several security issues were fixed in Thunderbird.

     Ubuntu 4240-1: Kamailio vulnerability (Jan 16)
     

    kamailio could be made to crash if it opened a specially crafted file.

     Ubuntu 4235-2: nginx vulnerability (Jan 15)
     

    nginx could be made to expose sensitive information over the network.

     Ubuntu 4221-2: libpcap vulnerability (Jan 15)
     

    Applications using libpcap could be made to crash if given specially crafted data.

     Ubuntu 4239-1: PHP vulnerabilities (Jan 15)
     

    Several security issues were fixed in PHP.

     Ubuntu 4237-2: SpamAssassin vulnerabilities (Jan 15)
     

    Several security issues were fixed in SpamAssassin.

     Ubuntu 4238-1: SDL_image vulnerabilities (Jan 14)
     

    Several security issues were fixed in SDL_image.

     Ubuntu 4236-2: Libgcrypt vulnerability (Jan 14)
     

    Libgcrypt could be made to expose sensitive information.

     Ubuntu 4237-1: SpamAssassin vulnerabilities (Jan 13)
     

    Several security issues were fixed in SpamAssassin.

     Ubuntu 4236-1: Libgcrypt vulnerability (Jan 13)
     

    Libgcrypt could be made to expose sensitive information.

     Ubuntu 4235-1: nginx vulnerability (Jan 13)
     

    nginx could be made to expose sensitive information over the network.

     Ubuntu 4047-2: libvirt update vulnerability (Jan 13)
     

    Several security issues were fixed in libvirt.

     Ubuntu 4234-1: Firefox vulnerabilities (Jan 10)
     

    Firefox could be made to crash or run programs as your login if it opened a malicious website.

     Ubuntu: Ubuntu 19.04 (Disco Dingo) reaches End of Life on January 23 2020 (Jan 9)
     

     Ubuntu 4233-1: GnuTLS update (Jan 9)
     

    SHA1 has been marked as untrusted in GnuTLS.


     Debian LTS: DLA-2063-1: debian-lan-config security update (Jan 15)
     

    In debian-lan-config < 0.26, configured too permissive ACLs for the Kerberos admin server allowed password changes for other Kerberos user principals.

     Debian LTS: DLA-2060-1: phpmyadmin security update (Jan 15)
     

    In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid

     [SECURITY] DLA-2066-1 gthumb security update (Jan 14)
     

    A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg() in extensions/cairo_io/cairo-image-surface-jpeg.c in gThumb and Pix

     Debian LTS: DLA-2067-1: wordpress security update (Jan 14)
     

    An input sanitization bypass was discovered in Wordpress, a popular content management framework. An attacker can use this flaw to send malicious scripts to an unsuspecting user.

     Debian LTS: DLA-2065-1: apache-log4j1.2 security update (Jan 12)
     

    Included in Log4j 1.2, a logging library for Java, is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for

     Debian LTS: DLA-2064-1: ldm security update (Jan 10)
     

    It was discovered that a hook script of ldm, the display manager for the Linux Terminal Server Project incorrectly parsed responses from an SSH server which could result in local root privilege escalation.

     Debian LTS: DLA-2062-1: sa-exim security update (Jan 9)
     

    It was found that sa-exim, the SpamAssassin filter for Exim, allows attackers to execute arbitrary code if users are allowed to run custom rules. A similar issue was fixed in spamassassin, CVE-2018-11805, which caused a functional regression in sa-exim. This update restores the

     Debian LTS: DLA-2061-1: firefox-esr security update (Jan 9)
     

    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, data exfiltration or cross-site scripting.


     ArchLinux: 202001-5: chromium: multiple issues (Jan 17)
     

    The package chromium before version 79.0.3945.130-1 is vulnerable to multiple issues including arbitrary code execution and insufficient validation.

     ArchLinux: 202001-4: thunderbird: multiple issues (Jan 14)
     

    The package thunderbird before version 68.4.1-1 is vulnerable to multiple issues including arbitrary code execution and insufficient validation.

     ArchLinux: 202001-3: firefox: arbitrary code execution (Jan 13)
     

    The package firefox before version 72.0.1-1 is vulnerable to arbitrary code execution.

     ArchLinux: 202001-2: file: arbitrary code execution (Jan 13)
     

    The package file before version 5.38-1 is vulnerable to arbitrary code execution.


     CentOS: CESA-2020-0085: Critical CentOS 7 firefox (Jan 15)
     

    Upstream details at : https://access.redhat.com/errata/RHSA-2020:0085

     CentOS: CESA-2020-0086: Critical CentOS 6 firefox (Jan 14)
     

    Upstream details at : https://access.redhat.com/errata/RHSA-2020:0086


     SciLinux: SLSA-2020-0123-1 Important: thunderbird on SL6.x i386/x86_64 (Jan 17)
     

    Mozilla: IonMonkey type confusion with StoreElementHole and FallibleStoreElement (CVE-2019-17026) * Mozilla: Bypass of @namespace CSS sanitization during pasting (CVE-2019-17016) * Mozilla: Type Confusion in XPCVariant.cpp (CVE-2019-17017) * Mozilla: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4 (CVE-2019-17024) * Mozilla: CSS sanitization does not escape HTML tags (CVE-2019- [More...]

     SciLinux: SLSA-2020-0120-1 Important: thunderbird on SL7.x x86_64 (Jan 17)
     

    Mozilla: IonMonkey type confusion with StoreElementHole and FallibleStoreElement (CVE-2019-17026) * Mozilla: Bypass of @namespace CSS sanitization during pasting (CVE-2019-17016) * Mozilla: Type Confusion in XPCVariant.cpp (CVE-2019-17017) * Mozilla: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4 (CVE-2019-17024) * Mozilla: CSS sanitization does not escape HTML tags (CVE-2019- [More...]

     SciLinux: SLSA-2020-0124-1 Important: git on SL7.x x86_64 (Jan 16)
     

    git: Remote code execution in recursive clones with nested submodules (CVE-2019-1387) SL7 x86_64 git-1.8.3.1-21.el7_7.x86_64.rpm git-daemon-1.8.3.1-21.el7_7.x86_64.rpm git-debuginfo-1.8.3.1-21.el7_7.x86_64.rpm git-gnome-keyring-1.8.3.1-21.el7_7.x86_64.rpm git-svn-1.8.3.1-21.el7_7.x86_64.rpm noarch emacs-git-1.8.3.1-21.el7_7.noarch.rpm emacs-git-el-1.8.3.1-21.el [More...]

     SciLinux: SLSA-2020-0122-1 Important: java-11-openjdk on SL7.x x86_64 (Jan 16)
     

    OpenJDK: Use of unsafe RSA-MD5 checkum in Kerberos TGS (Security, 8229951) (CVE-2020-2601) * OpenJDK: Serialization filter changes via jdk.serialFilter property modification (Serialization, 8231422) (CVE-2020-2604) * OpenJDK: Improper checks of SASL message properties in GssKrb5Base (Security, 8226352) (CVE-2020-2590) * OpenJDK: Incorrect isBuiltinStreamHandler causing URL normalization iss [More...]

     SciLinux: SLSA-2020-0085-1 Critical: firefox on SL7.x x86_64 (Jan 13)
     

    This update upgrades Firefox to version 68.4.1 ESR. * Mozilla: IonMonkey type confusion with StoreElementHole and FallibleStoreElement (CVE-2019-17026) * Mozilla: Bypass of @namespace CSS sanitization during pasting (CVE-2019-17016) * Mozilla: Type Confusion in XPCVariant.cpp (CVE-2019-17017) * Mozilla: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4 (CVE-2019-17024) * Mozilla: [More...]

     SciLinux: SLSA-2020-0086-1 Critical: firefox on SL6.x i386/x86_64 (Jan 13)
     

    This update upgrades Firefox to version 68.4.1 ESR. * Mozilla: IonMonkey type confusion with StoreElementHole and FallibleStoreElement (CVE-2019-17026) * Mozilla: Bypass of @namespace CSS sanitization during pasting (CVE-2019-17016) * Mozilla: Type Confusion in XPCVariant.cpp (CVE-2019-17017) * Mozilla: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4 (CVE-2019-17024) * Mozilla: [More...]


     openSUSE: 2020:0067-1: moderate: icingaweb2 (Jan 16)
     

    An update that solves 5 vulnerabilities and has one errata is now available.

     openSUSE: 2020:0067-1: moderate: icingaweb2 (Jan 16)
     

    An update that solves 5 vulnerabilities and has one errata is now available.

     openSUSE: 2020:0062-1: moderate: openssl-1_1 (Jan 15)
     

    An update that solves one vulnerability and has three fixes is now available.

     openSUSE: 2020:0060-1: important: MozillaFirefox (Jan 15)
     

    An update that fixes 7 vulnerabilities is now available.

     openSUSE: 2020:0058-1: important: virglrenderer (Jan 15)
     

    An update that fixes four vulnerabilities is now available.

     openSUSE: 2020:0059-1: important: nodejs8 (Jan 15)
     

    An update that fixes three vulnerabilities is now available.

     openSUSE: 2020:0055-1: moderate: GraphicsMagick (Jan 14)
     

    An update that fixes three vulnerabilities is now available.

     openSUSE: 2020:0057-1: moderate: singularity (Jan 14)
     

    An update that fixes one vulnerability is now available.

     openSUSE: 2020:0056-1: important: phpMyAdmin (Jan 14)
     

    An update that fixes three vulnerabilities is now available.

     openSUSE: 2020:0053-1: important: chromium (Jan 14)
     

    An update that fixes four vulnerabilities is now available.

     openSUSE: 2020:0051-1: important: log4j (Jan 14)
     

    An update that fixes one vulnerability is now available.

     openSUSE: 2020:0036-1: moderate: rubygem-excon (Jan 13)
     

    An update that fixes one vulnerability is now available.

     openSUSE: 2020:0014-1: moderate: php7-imagick (Jan 13)
     

    An update that fixes one vulnerability is now available.

     openSUSE: 2020:0021-1: moderate: dia (Jan 13)
     

    An update that fixes one vulnerability is now available.

     openSUSE: 2020:0022-1: moderate: libgcrypt (Jan 13)
     

    An update that solves one vulnerability and has two fixes is now available.

     openSUSE: 2020:0020-1: moderate: shibboleth-sp (Jan 13)
     

    An update that fixes one vulnerability is now available.

     openSUSE: 2020:0014-1: moderate: php7-imagick (Jan 13)
     

    An update that fixes one vulnerability is now available.

     openSUSE: 2020:0015-1: moderate: trousers (Jan 13)
     

    An update that fixes one vulnerability is now available.

     openSUSE: 2020:0024-1: moderate: ffmpeg-4 (Jan 13)
     

    An update that fixes 5 vulnerabilities is now available.

     openSUSE: 2020:0038-1: important: tomcat (Jan 13)
     

    An update that fixes three vulnerabilities is now available.

     openSUSE: 2020:0024-1: moderate: ffmpeg-4 (Jan 13)
     

    An update that fixes 5 vulnerabilities is now available.

     openSUSE: 2020:0011-1: important: xen (Jan 13)
     

    An update that contains security fixes can now be installed.

     openSUSE: 2020:0045-1: moderate: containerd, docker, docker-runc, golang-github-docker-libnetwork (Jan 13)
     

    An update that solves one vulnerability and has 5 fixes is now available.

     openSUSE: 2020:0031-1: moderate: proftpd (Jan 13)
     

    An update that solves 5 vulnerabilities and has two fixes is now available.

     openSUSE: 2020:0010-1: important: chromium, re2 (Jan 13)
     

    An update that fixes 21 vulnerabilities is now available.

     openSUSE: 2020:0009-1: important: chromium (Jan 12)
     

    An update that fixes four vulnerabilities is now available.

     openSUSE: 2020:0008-1: moderate: mozilla-nspr, mozilla-nss (Jan 11)
     

    An update that fixes three vulnerabilities is now available.

     openSUSE: 2020:0007-1: important: chromium (Jan 11)
     

    An update that fixes one vulnerability is now available.

     openSUSE: 2020:0006-1: important: chromium (Jan 11)
     

    An update that fixes four vulnerabilities is now available.

     openSUSE: 2020:0004-1: important: chromium (Jan 10)
     

    An update that fixes four vulnerabilities is now available.

     openSUSE: 2020:0004-1: important: chromium (Jan 10)
     

    An update that fixes four vulnerabilities is now available.

     openSUSE: 2020:0002-1: important: MozillaFirefox (Jan 9)
     

    An update that fixes 8 vulnerabilities is now available.

     openSUSE: 2020:0003-1: important: MozillaThunderbird (Jan 9)
     

    An update that contains security fixes can now be installed.


     Mageia 2020-0041: kernel security update (Jan 17)
     

    This update is based on upstream 5.4.12 and fixes atleast the following security vulnerabilities: Intel GPU Hardware prior to Gen11 does not clear EU state during a context switch. This can result in information leakage between

     Mageia 2020-0040: libjpeg security update (Jan 17)
     

    The updated packages fix security vulnerabilities: A signed integer overflow and subsequent segfault that occurred when attempting to decompress images with more than 715827882 pixels using the 64-bit C version of TJBench.

     Mageia 2020-0039: e2fsprogs security update (Jan 17)
     

    Updated e2fsprogs packages fix security vulnerability: A code execution vulnerability in the directory rehashing functionality (CVE-2019-5188).

     [updates-announce] MGASA-2020-0038: Updated makepasswd fix insecure default length of password (Jan 13)
     

    Updated makepasswd fix insecure default length of password By default, makepasswd generates password with a length between 6 to 8 characters (48 to 64bits). This update raise the default to 16 characters (128 bits).

     Mageia 2020-0037: graphicsmagick security update (Jan 13)
     

    GraphicsMagick has been updated to fix security issues. References: - https://bugs.mageia.org/show_bug.cgi?id=26056 - http://www.graphicsmagick.org/NEWS.html#december-24-2019

     Mageia 2020-0036: kernel security update (Jan 13)
     

    This update is based on upstream 5.4.10 and fixes atleast the following security issues: ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 allows a NULL pointer dereference because ext4_read_dirblock(inode,0,DIRENT_HTREE)

     Mageia 2020-0035: unbound security update (Jan 13)
     

    Updated unbound package to version 1.9.6 to fix various potential security vulnerabilities. References: - https://bugs.mageia.org/show_bug.cgi?id=25974

     Mageia 2020-0034: thunderbird security update (Jan 11)
     

    Updated thunderbird packages fix security vulnerabilities: Bypass of @namespace CSS sanitization during pasting (CVE-2019-17016) Type Confusion in XPCVariant.cpp (CVE-2019-17017)

     Mageia 2020-0033: phpmyadmin security update (Jan 11)
     

    Updated phpmyadmin package fix security vulnerability: A SQL injection flaw has been discovered in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL

     Mageia 2020-0032: ming security update (Jan 11)
     

    The updated packages fix security vulnerabilities: A NULL pointer dereference was discovered in newVar3 in util/decompile.c in libming 0.4.8. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. (CVE-2018-7866)

     Mageia 2020-0031: pcsc-lite security update (Jan 11)
     

    The pcsc-lite package has been updated to version 1.8.26, which fixes a memory leak and other bugs. See the ChangeLog for details. References: - https://bugs.mageia.org/show_bug.cgi?id=25869

     Mageia 2020-0030: opencv security update (Jan 11)
     

    The updated packages fix security vulnerabilities: An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1. There is an out of bounds read in the function cv::predictOrdered in modules/objdetect/src/cascadedetect.hpp, which

     Mageia 2020-0029: oniguruma security update (Jan 11)
     

    Updated oniguruma packages fix security vulnerabilities: A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular

     Mageia 2020-0028: libtomcrypt security update (Jan 11)
     

    Updated libtomcrypt packages fix security vulnerability: Improper detection of invalid UTF-8 sequences that could have led to DoS or information disclosure via crafted DER-encoded data (CVE-2019-17362).

     Mageia 2020-0027: firefox security update (Jan 9)
     

    When pasting a tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration (CVE-2019-17016).

    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the LinuxSecurity Privacy news articles?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/25-what-do-you-think-of-the-linuxsecurity-privacy-news-articles?task=poll.vote&format=json
    25
    radio
    [{"id":"90","title":"Love them!","votes":"31","type":"x","order":"1","pct":91.18,"resources":[]},{"id":"91","title":"I'm indifferent","votes":"2","type":"x","order":"2","pct":5.88,"resources":[]},{"id":"92","title":"Not interested in this topic","votes":"1","type":"x","order":"3","pct":2.94,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.