Linux Advisory Watch: January 31st, 2020

    Date31 Jan 2020
    390
    Posted ByLinuxSecurity Advisories
    Linux Advisory Watch Newsletter
    Thank you for reading the Linux Advisory Watch Security Newsletter. The purpose of this document is to provide our readers with a quick summary of each week's vendor security bulletins and pointers on methods to improve the security posture of your open source system. Vulnerabilities affect nearly every vendor virtually every week, so be sure to read through to find the updates your distributor have made available.

    LinuxSecurity.com Feature Extras:

    Encryption: An Essential Yet Highly Controversial Component of Digital Security - If youve been keeping up with recent security news, you are most likely aware of the heated worldwide debate about encryption that is currently underway. Strong encryption is imperative to securing sensitive data and protecting individuals privacy online, yet governments around the world refuse to recognize this, and are continually aiming to break encryption in an effort to increase the power of their law enforcement agencies.

    Linux: An OS Capable of Effectively Meeting the US Governments Security Needs Heading into 2020 - As Open Source has become increasingly mainstream and widely accepted for its numerous benefits, the use of Linux as a flexible, transparent and highly secure operating system has also increasingly become a prominent choice among corporations, educational institutions and government sectors alike. With national security concerns at an all time high heading into 2020, it appears that the implementation of Linux could effectively meet the United States governments critical security needs for application development and installations.


     Debian: DSA-4611-1: opensmtpd security update (Jan 29)
     

    Qualys discovered that the OpenSMTPD SMTP server performed insufficient validation of email addresses which could result in the execution of arbitrary commands as root. In addition this update fixes a denial of service by triggering an opportunistic TLS downgrade.

     Debian: DSA-4610-1: webkit2gtk security update (Jan 29)
     

    The following vulnerabilities have been discovered in the webkit2gtk web engine: CVE-2019-8835

     Debian: DSA-4609-1: python-apt security update (Jan 23)
     

    Two security issues were found in the Python interface to the apt package manager; package downloads from unsigned repositories were incorrectly rejected and the hash validation relied on MD5.


     Fedora 31: webkit2gtk3 FEDORA-2020-97e849ce46 (Jan 30)
     

    * Fix issues while trying to play a video on NextCloud. * Make sure the GL video sink uses a valid WebKit shared GL context. * Fix vertical alignment of text containing arabic diacritics. * Fix build with icu 65.1. * Fix page loading errors with websites using HSTS. * Fix web process crash when displaying a KaTeX formula. * Fix several crashes and rendering issues. [WebKitGTK Security

     Fedora 31: chromium FEDORA-2020-9382ceb2f8 (Jan 30)
     

    Update to 79.0.3945.130. Fixes the following security issues: * CVE-2020-6378 * CVE-2020-6379 * CVE-2020-6380

     Fedora 31: java-latest-openjdk FEDORA-2020-2ed6716c30 (Jan 30)
     

    This is January 2020 OpenJDK security update for java-latest-openjdk packages. The sources are updated to the 13.0.2+8 tag.

     Fedora 31: ansible FEDORA-2020-caf7f7d0d9 (Jan 30)
     

    Update to bugfix release 2.9.3. See https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst

     Fedora 31: links FEDORA-2020-3eef0246a7 (Jan 30)
     

    Update to a new version. Security bug fixed: when links was connected to tor, it would send real dns requests outside the tor network when the displayed page contains .

     Fedora 31: python-pillow FEDORA-2020-df444e464e (Jan 30)
     

    Update to 6.2.2, fixes CVE-2020-5313, CVE-2020-5312, CVE-2020-5311, CVE-2020-5310.

     Fedora 31: openjpeg2 FEDORA-2020-ab8553f302 (Jan 30)
     

    This update fixes CVE-2020-6851.

     Fedora 31: mingw-openjpeg2 FEDORA-2020-ab8553f302 (Jan 30)
     

    This update fixes CVE-2020-6851.

     Fedora 30: java-latest-openjdk FEDORA-2020-ebbf986d01 (Jan 30)
     

    This is January 2020 OpenJDK security update for java-latest-openjdk packages. The sources are updated to the 13.0.2+8 tag.

     Fedora 30: xen FEDORA-2020-2d9a75fadb (Jan 30)
     

    arm: a CPU may speculate past the ERET instruction [XSA-312]

     Fedora 30: thunderbird FEDORA-2020-d18d24c943 (Jan 30)
     

    Update to latest upstream version

     Fedora 30: nss FEDORA-2020-9254bf8b94 (Jan 30)
     

    Updates the nss package to upstream NSS 3.49. For details about new functionality and a list of bugs fixed in this release please see the upstream release notes - https://developer.mozilla.org/en- US/docs/Mozilla/Projects/NSS/NSS_3.49_release_notes

     Fedora 31: mingw-podofo FEDORA-2020-dd79b615cd (Jan 27)
     

    This update fixes CVE-2019-20093.

     Fedora 31: podofo FEDORA-2020-dd79b615cd (Jan 27)
     

    This update fixes CVE-2019-20093.

     Fedora 30: podofo FEDORA-2020-968a89619e (Jan 25)
     

    This update fixes CVE-2019-20093.

     Fedora 30: mingw-podofo FEDORA-2020-968a89619e (Jan 25)
     

    This update fixes CVE-2019-20093.

     Fedora 31: transfig FEDORA-2020-5d0f0593ae (Jan 25)
     

    - Security fix for CVE-2019-19746, CVE-2019-19797 - New upstream release 3.2.7b - Add patch fixing CVE-2019-19746 (rhbz#1787040) - Add patch fixing CVE-2019-19797 (rhbz#1786726)

     Fedora 31: xfig FEDORA-2020-5d0f0593ae (Jan 25)
     

    - Security fix for CVE-2019-19746, CVE-2019-19797 - New upstream release 3.2.7b - Add patch fixing CVE-2019-19746 (rhbz#1787040) - Add patch fixing CVE-2019-19797 (rhbz#1786726)

     Fedora 31: community-mysql FEDORA-2020-0ca47c5a7a (Jan 25)
     

    ** MySQL 8.0.19 ** Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-19.html

     Fedora 31: fontforge FEDORA-2020-229ad63391 (Jan 25)
     

    Security fix for CVE-2020-5395:out-of-bounds write in sfd.c

     Fedora 31: elog FEDORA-2020-f49fe7f011 (Jan 25)
     

    Security fix for CVE-2019-3993, CVE-2019-3994, CVE-2019-3995, CVE-2019-3992, CVE-2019-3996

     Fedora 30: xfig FEDORA-2020-6a2824178e (Jan 24)
     

    - Security fix for CVE-2019-19746, CVE-2019-19797 - New upstream release 3.2.7b - Add patch fixing CVE-2019-19746 (rhbz#1787040) - Add patch fixing CVE-2019-19797 (rhbz#1786726)

     Fedora 30: community-mysql FEDORA-2020-cd9ec9d660 (Jan 24)
     

    ** MySQL 8.0.19 ** Release notes: https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-19.html

     Fedora 30: elog FEDORA-2020-9f8bc040c8 (Jan 24)
     

    Security fix for CVE-2019-3993, CVE-2019-3994, CVE-2019-3995, CVE-2019-3992, CVE-2019-3996

     Fedora 30: libvpx FEDORA-2020-6cd410d9e4 (Jan 24)
     

    Update to 1.8.2. Fixes several security vulnerabilities: CVE-2019-9232, CVE 2019-9433, CVE-2019-9325, CVE-2019-9371, CVE-2019-2126

     Fedora 31: thunderbird-enigmail FEDORA-2020-b48e3c177e (Jan 24)
     

    update to enigmail 2.1.5 Includes a security fix for "Unsigned MIME parts displayed as signed"

     Fedora 31: nodejs FEDORA-2020-595ce5e3cc (Jan 24)
     

    Update to 12.14.1 Add new subpackage `nodejs-full-i18n` to provide non-English locale and Unicode support.

     Fedora 31: libuv FEDORA-2020-595ce5e3cc (Jan 24)
     

    Update to 12.14.1 Add new subpackage `nodejs-full-i18n` to provide non-English locale and Unicode support.

     Fedora 31: opensc FEDORA-2020-3c93790abe (Jan 24)
     

    New upstream release with security fixes for CVE-2019-15945, CVE-2019-15946, CVE-2019-19479, CVE-2019-19480, CVE-2019-19481


     RedHat: RHSA-2020-0310:01 Important: rh-java-common-xmlrpc security update (Jan 30)
     

    An update for rh-java-common-xmlrpc is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

     RedHat: RHSA-2020-0296:01 Important: openjpeg2 security update (Jan 30)
     

    An update for openjpeg2 is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

     RedHat: RHSA-2020-0295:01 Critical: firefox security update (Jan 30)
     

    An update for firefox is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which

     RedHat: RHSA-2020-0293:01 Important: SDL security update (Jan 30)
     

    An update for SDL is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

     RedHat: RHSA-2020-0292:01 Important: thunderbird security update (Jan 30)
     

    An update for thunderbird is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

     RedHat: RHSA-2020-0291:01 Important: fribidi security update (Jan 30)
     

    An update for fribidi is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

     RedHat: RHSA-2020-0279:01 Moderate: virt:rhel security update (Jan 29)
     

    An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

     RedHat: RHSA-2020-0273:01 Important: sqlite security update (Jan 29)
     

    An update for sqlite is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

     RedHat: RHSA-2020-0274:01 Important: openjpeg2 security update (Jan 29)
     

    An update for openjpeg2 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

     RedHat: RHSA-2020-0271:01 Important: libarchive security update (Jan 29)
     

    An update for libarchive is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

     RedHat: RHSA-2020-0262:01 Important: openjpeg2 security update (Jan 28)
     

    An update for openjpeg2 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

     RedHat: RHSA-2020-0250:01 Low: Red Hat JBoss Core Services Apache HTTP (Jan 27)
     

    Updated packages that provide Red Hat JBoss Core Services Pack Apache Server 2.4.37 and fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact

     RedHat: RHSA-2020-0251:01 Low: Red Hat JBoss Core Services Apache HTTP (Jan 27)
     

    Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 1 zip release for RHEL 6, RHEL 7 and Microsoft Windows is available. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which

     RedHat: RHSA-2020-0246:01 Important: libarchive security update (Jan 27)
     

    An update for libarchive is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

     RedHat: RHSA-2020-0243:01 Important: nss security update (Jan 27)
     

    An update for nss is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

     RedHat: RHSA-2020-0227:01 Important: sqlite security update (Jan 27)
     

    An update for sqlite is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

     RedHat: RHSA-2020-0229:01 Important: sqlite security update (Jan 27)
     

    An update for sqlite is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

     RedHat: RHSA-2020-0232:01 Important: java-11-openjdk security update (Jan 27)
     

    An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

     RedHat: RHSA-2020-0231:01 Important: java-1.8.0-openjdk security update (Jan 27)
     

    An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

     RedHat: RHSA-2020-0228:01 Important: git security update (Jan 27)
     

    An update for git is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

     RedHat: RHSA-2020-0230:01 Important: python-reportlab security update (Jan 27)
     

    An update for python-reportlab is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

     RedHat: RHSA-2020-0222:01 Important: ghostscript security update (Jan 23)
     

    An update for ghostscript is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

     RedHat: RHSA-2020-0218:01 Moderate: Ansible security and bug fix update (Jan 23)
     

    An update for ansible is now available for Ansible Engine 2 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

     RedHat: RHSA-2020-0215:01 Moderate: Ansible security and bug fix update (Jan 23)
     

    An update for ansible is now available for Ansible Engine 2.9 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

     RedHat: RHSA-2020-0216:01 Moderate: Ansible security and bug fix update (Jan 23)
     

    An update for ansible is now available for Ansible Engine 2.8 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

     RedHat: RHSA-2020-0217:01 Moderate: Ansible security and bug fix update (Jan 23)
     

    An update for ansible is now available for Ansible Engine 2.7 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

     RedHat: RHSA-2020-0214:01 Important: chromium-browser security update (Jan 23)
     

    An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,


     Slackware: 2020-024-01: mozilla-thunderbird Security Update (Jan 24)
     

    New mozilla-thunderbird packages are available for Slackware 14.2 and -current to fix security issues.


     SUSE: 2020:0278-1 important: rmt-server (Jan 31)
     

    An update that solves one vulnerability and has three fixes is now available.

     SUSE: 2020:0267-1 moderate: php72 (Jan 30)
     

    An update that fixes four vulnerabilities is now available.

     SUSE: 2020:0266-1 important: tigervnc (Jan 30)
     

    An update that solves 5 vulnerabilities and has three fixes is now available.

     SUSE: 2020:0275-1 moderate: ImageMagick (Jan 30)
     

    An update that solves two vulnerabilities and has one errata is now available.

     SUSE: 2020:0264-1 important: wicked (Jan 30)
     

    An update that fixes two vulnerabilities is now available.

     SUSE: 2020:0265-1 moderate: e2fsprogs (Jan 30)
     

    An update that fixes one vulnerability is now available.

     SUSE: 2020:0263-1 important: wicked (Jan 30)
     

    An update that fixes two vulnerabilities is now available.

     SUSE: 2020:0262-1 moderate: glibc (Jan 30)
     

    An update that solves one vulnerability and has four fixes is now available.

     SUSE: 2020:0260-1 important: rmt-server (Jan 30)
     

    An update that solves one vulnerability and has three fixes is now available.

     SUSE: 2020:0261-1 important: java-1_8_0-openjdk (Jan 30)
     

    An update that fixes 7 vulnerabilities is now available.

     SUSE: 2020:0255-1 important: python-reportlab (Jan 29)
     

    An update that fixes one vulnerability is now available.

     SUSE: 2020:0251-1 moderate: aws-cli (Jan 28)
     

    An update that solves one vulnerability and has four fixes is now available.

     SUSE: 2020:0247-1 important: nodejs6 (Jan 28)
     

    An update that fixes three vulnerabilities is now available.

     SUSE: 2020:0233-1 moderate: samba (Jan 24)
     

    An update that fixes one vulnerability is now available.

     SUSE: 2020:0234-1 important: python (Jan 24)
     

    An update that solves 37 vulnerabilities and has 50 fixes is now available.

     SUSE: 2020:0231-1 important: java-1_8_0-openjdk (Jan 24)
     

    An update that fixes 7 vulnerabilities is now available.

     SUSE: 2020:0226-1 important: tomcat (Jan 24)
     

    An update that solves three vulnerabilities and has one errata is now available.

     SUSE: 2020:0228-1 moderate: slurm (Jan 24)
     

    An update that solves one vulnerability and has two fixes is now available.

     SUSE: 2020:0224-1 moderate: samba (Jan 23)
     

    An update that fixes two vulnerabilities is now available.

     SUSE: 2020:0223-1 moderate: samba (Jan 23)
     

    An update that solves three vulnerabilities and has one errata is now available.


     Ubuntu 4262-1: OpenStack Keystone vulnerability (Jan 30)
     

    OpenStack Keystone could be made to expose sensitive information over the network.

     Ubuntu 4261-1: WebKitGTK+ vulnerabilities (Jan 29)
     

    Several security issues were fixed in WebKitGTK+.

     Ubuntu 4259-1: Apache Solr vulnerability (Jan 29)
     

    Apache Solr could be made to run programs if it received specially crafted network traffic.

     Ubuntu 4254-2: Linux kernel (Xenial HWE) vulnerabilities (Jan 28)
     

    Several security issues were fixed in the Linux kernel.

     Ubuntu 4258-1: Linux kernel vulnerabilities (Jan 28)
     

    Several security issues were fixed in the Linux kernel.

     Ubuntu 4253-2: Linux kernel (HWE) vulnerability (Jan 28)
     

    he Linux kernel could be made to expose sensitive information.

     Ubuntu 4255-2: Linux kernel (HWE) vulnerabilities (Jan 28)
     

    Several security issues were fixed in the Linux kernel.

     Ubuntu 4257-1: OpenJDK vulnerabilities (Jan 28)
     

    Several security issues were fixed in OpenJDK.

     Ubuntu 4236-3: Libgcrypt vulnerability (Jan 28)
     

    Libgcrypt could be made to expose sensitive information.

     Ubuntu 4256-1: Cyrus SASL vulnerability (Jan 28)
     

    Cyrus SASL could be made to crash or execute arbitrary code if it received a specially crafted LDAP packet.

     Ubuntu 4254-1: Linux kernel vulnerabilities (Jan 27)
     

    Several security issues were fixed in the Linux kernel.

     Ubuntu 4255-1: Linux kernel vulnerabilities (Jan 27)
     

    Several security issues were fixed in the Linux kernel.

     Ubuntu 4253-1: Linux kernel vulnerability (Jan 27)
     

    The Linux kernel could be made to expose sensitive information.

     Ubuntu 4252-2: tcpdump vulnerabilities (Jan 27)
     

    Several security issues were fixed in tcpdump.

     Ubuntu 4252-1: tcpdump vulnerabilities (Jan 27)
     

    Several security issues were fixed in tcpdump.

     Ubuntu 4251-1: Tomcat vulnerabilities (Jan 27)
     

    Several security issues were fixed in Tomcat.

     Ubuntu 4250-1: MySQL vulnerabilities (Jan 27)
     

    Several security issues were fixed in MySQL.

     Ubuntu: Ubuntu 19.04 (Disco Dingo) End of Life reached on January 23 2020 (Jan 23)
     

     Ubuntu 4230-2: ClamAV vulnerability (Jan 23)
     

    ClamAV could be made to crash if it opened a specially crafted file.

     Ubuntu 4233-2: GnuTLS update (Jan 23)
     

    USN-4233-1 marked SHA1 as untrusted in GnuTLS with no workaround.

     Ubuntu 4247-3: python-apt vulnerabilities (Jan 23)
     

    Several security issues were fixed in python-apt.

     Ubuntu 4249-1: e2fsprogs vulnerability (Jan 23)
     

    e2fsprogs could be made to execute arbitrary code if it was running in a crafted ext4 partition.


     Debian LTS: DLA-2090-1: qemu security update (Jan 30)
     

    tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanag es memory, as demonstrated by IRC DCC commands in EMU_IRC.

     Debian LTS: DLA-2089-1: openjpeg2 security update (Jan 30)
     

    opj_t1_clbl_decode_processor in openjp2/t1.c of OpenJPEG had a heap-based buffer overflow in the qmfbid==1 case, a similar but different issue than CVE-2020-6851.

     Debian LTS: DLA-2088-1: libsolv security update (Jan 30)
     

    repodata_schema2id in repodata.c in libsolv, a dependency solver library, had a heap-based buffer over-read via a last schema whose length could be less than the length of the input schema.

     Debian LTS: DLA-2078-1: libxmlrpc3-java security update (Jan 30)
     

    An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code.

     Debian LTS: DLA-2087-1: suricata security update (Jan 30)
     

    Two vulnerabilities have recently been discovered in the stream-tcp code of the intrusion detection and prevention tool Suricata.

     Debian LTS: DLA-2086-1: wget security update (Jan 29)
     

    An issue has been found in wget, a tool to retrieve files from the web. A race condition might occur as files rejected by an access list are kept on the disk for the duration of a HTTP connection.

     Debian LTS: DLA-2085-1: zlib security update (Jan 29)
     

    Several issues have been found in zlib, a compression library. They are basically about improper big-endian CRC calculation, improper left shift of negative integers and improper pointer arithmetic.

     Debian LTS: DLA-2084-1: graphicsmagick security update (Jan 29)
     

    Three issues have been found in graphicsmagick, a collection of image processing tools. They are basically a heap-based buffer over-read, heap-based buffer

     Debian LTS: DLA-2079-1: otrs2 security update (Jan 29)
     

    Several vulnerabilities have been discovered in the otrs2 package that may lead to unauthorized access, remote code execution and spoofing.

     Debian LTS: DLA-2083-1: hiredis security update (Jan 29)
     

    It was discovered that there were a large number of NULL pointer dereferences due to unchecked return values from malloc and friends in hiredis, a minimalistic C client library.

     Debian LTS: DLA-2082-1: unzip security update (Jan 28)
     

    An issue has been found in unzip, a de-archiver for .zip files. While processing a password protected archive, a heap-based buffer overflow could happen, that allows an attacker to perform a denial of

     Debian LTS: DLA-2081-1: openjpeg2 security update (Jan 28)
     

    OpenJPEG had a heap-based buffer overflow in opj_t1_clbl_decode_processor in libopenjp2.so.

     Debian LTS: DLA-2077-1: tomcat7 security update (Jan 27)
     

    Two security vulnerabilities have been fixed in the Tomcat servlet and JSP engine. CVE-2019-12418

     Debian LTS: DLA-2080-1: iperf3 security update (Jan 27)
     

    An issue has been found in iperf3, an Internet Protocol bandwidth measuring tool. Bad handling of UTF8/16 strings in an embedded library could cause a

     Debian LTS: DLA-2076-1: slirp security update (Jan 26)
     

    An issue has been found in slirp, a SLIP/PPP emulator using a dial up shell account. Due to bad memory handling in slirp a heap-based buffer overflow or other

     Debian LTS: DLA-2075-1: jsoup security update (Jan 26)
     

    An issue has been found in jsoup, a Java HTML parser that makes sense of real-world HTML soup. Due to bad handling of missing '>' at EOF a cross-site scripting (XSS) vulnerability could appear.

     Debian LTS: DLA-2074-1: python-apt security update (Jan 23)
     

    Several issues have been found in python-apt, a python interface to libapt-pkg. CVE-2019-15795

     Debian LTS: DLA-2059-1: git security update (Jan 23)
     

    Several vulnerabilities have been discovered in git, a fast, scalable, distributed revision control system.


     CentOS: CESA-2020-0194: Important CentOS 7 apache-commons-beanutils (Jan 28)
     

    Upstream details at : https://access.redhat.com/errata/RHSA-2020:0194

     CentOS: CESA-2020-0196: Important CentOS 7 java-1.8.0-openjdk (Jan 28)
     

    Upstream details at : https://access.redhat.com/errata/RHSA-2020:0196

     CentOS: CESA-2020-0227: Important CentOS 7 sqlite (Jan 28)
     

    Upstream details at : https://access.redhat.com/errata/RHSA-2020:0227

     CentOS: CESA-2020-0203: Important CentOS 7 libarchive (Jan 28)
     

    Upstream details at : https://access.redhat.com/errata/RHSA-2020:0203

     CentOS: CESA-2020-0195: Important CentOS 7 python-reportlab (Jan 28)
     

    Upstream details at : https://access.redhat.com/errata/RHSA-2020:0195

     CentOS: CESA-2020-0262: Important CentOS 7 openjpeg2 (Jan 28)
     

    Upstream details at : https://access.redhat.com/errata/RHSA-2020:0262

     CentOS: CESA-2020-0197: Important CentOS 6 python-reportlab (Jan 28)
     

    Upstream details at : https://access.redhat.com/errata/RHSA-2020:0197

     CentOS: CESA-2020-0199: Critical CentOS 6 openslp (Jan 28)
     

    Upstream details at : https://access.redhat.com/errata/RHSA-2020:0199

     CentOS: CESA-2020-0157: Important CentOS 6 java-1.8.0-openjdk (Jan 28)
     

    Upstream details at : https://access.redhat.com/errata/RHSA-2020:0157


     SciLinux: SLSA-2020-0262-1 Important: openjpeg2 on SL7.x x86_64 (Jan 30)
     

    openjpeg: Heap-based buffer overflow in opj_t1_clbl_decode_processor() (CVE-2020-6851) SL7 x86_64 openjpeg2-2.3.1-2.el7_7.i686.rpm openjpeg2-2.3.1-2.el7_7.x86_64.rpm openjpeg2-debuginfo-2.3.1-2.el7_7.i686.rpm openjpeg2-debuginfo-2.3.1-2.el7_7.x86_64.rpm openjpeg2-devel-2.3.1-2.el7_7.i686.rpm openjpeg2-devel-2.3.1-2.el7_7.x86_64.rpm openjpeg2-tools-2.3.1-2.el7_7. [More...]

     SciLinux: SLSA-2020-0227-1 Important: sqlite on SL7.x x86_64 (Jan 28)
     

    sqlite: fts3: improve shadow table corruption detection (CVE-2019-13734) SL7 x86_64 sqlite-3.7.17-8.el7_7.1.i686.rpm sqlite-3.7.17-8.el7_7.1.x86_64.rpm sqlite-debuginfo-3.7.17-8.el7_7.1.i686.rpm sqlite-debuginfo-3.7.17-8.el7_7.1.x86_64.rpm lemon-3.7.17-8.el7_7.1.x86_64.rpm sqlite-devel-3.7.17-8.el7_7.1.i686.rpm sqlite-devel-3.7.17-8.el7_7.1.x86_64.rpm sqlite- [More...]


     openSUSE: 2020:0146-1: important: apt-cacher-ng (Jan 29)
     

    An update that fixes two vulnerabilities is now available.

     openSUSE: 2020:0145-1: moderate: GraphicsMagick (Jan 29)
     

    An update that fixes three vulnerabilities is now available.

     openSUSE: 2020:0140-1: important: sarg (Jan 29)
     

    An update that fixes one vulnerability is now available.

     openSUSE: 2020:0139-1: moderate: rubygem-excon (Jan 29)
     

    An update that fixes one vulnerability is now available.

     openSUSE: 2020:0142-1: moderate: shadowsocks-libev (Jan 29)
     

    An update that fixes two vulnerabilities is now available.

     openSUSE: 2020:0147-1: important: java-1_8_0-openjdk (Jan 29)
     

    An update that fixes 7 vulnerabilities is now available.

     openSUSE: 2020:0148-1: moderate: mailman (Jan 29)
     

    An update that fixes one vulnerability is now available.

     openSUSE: 2020:0137-1: moderate: mumble (Jan 29)
     

    An update that fixes one vulnerability is now available.

     openSUSE: 2020:0124-1: important: apt-cacher-ng (Jan 29)
     

    An update that fixes two vulnerabilities is now available.

     openSUSE: 2020:0123-1: important: git (Jan 29)
     

    An update that solves 9 vulnerabilities and has two fixes is now available.

     openSUSE: 2020:0122-1: moderate: samba (Jan 29)
     

    An update that solves three vulnerabilities and has one errata is now available.

     openSUSE: 2020:0119-1: moderate: storeBackup (Jan 28)
     

    An update that fixes one vulnerability is now available.

     openSUSE: 2020:0121-1: moderate: sarg (Jan 28)
     

    An update that fixes three vulnerabilities is now available.

     openSUSE: 2020:0115-1: moderate: libredwg (Jan 28)
     

    An update that fixes 7 vulnerabilities is now available.

     openSUSE: 2020:0117-1: important: sarg (Jan 28)
     

    An update that fixes one vulnerability is now available.

     openSUSE: 2020:0113-1: important: java-11-openjdk (Jan 28)
     

    An update that fixes 7 vulnerabilities is now available.

     openSUSE: 2020:0105-1: important: libvpx (Jan 26)
     

    An update that fixes 5 vulnerabilities is now available.

     openSUSE: 2020:0103-1: moderate: arc (Jan 25)
     

    An update that fixes one vulnerability is now available.

     openSUSE: 2020:0102-1: important: libssh (Jan 25)
     

    An update that fixes one vulnerability is now available.

     openSUSE: 2020:0096-1: moderate: libredwg (Jan 23)
     

    An update that fixes 7 vulnerabilities is now available.


     Mageia 2020-0072: mariadb security update (Jan 30)
     

    Updated MariaDB packages fix security vulnerabilities: Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized

     Mageia 2020-0071: openjpeg2 security update (Jan 30)
     

    Updated openjpeg2 packages fix security vulnerability: OpenJPEG through 2.3.1 has a heap-based buffer overflow in opj_t1_clbl_decode_processor in libopenjp2.so (CVE-2020-6851).

     Mageia 2020-0070: sqlite3 security update (Jan 30)
     

    Updated sqlite3 packages fix security vulnerabilities: An out of bounds write flaw (CVE-2019-13734), insufficient data validation flaw (CVE-2019-13750), uninitialized use flaw (CVE-2019-13751), and out of bounds read flaws (CVE-2019-13752, CVE-2019-13753) in SQLite before 3.31.0.

     Mageia 2020-0069: java-1.8.0-openjdk security update (Jan 30)
     

    The updated packages fix security vulnerabilities: Improper checks of SASL message properties in GssKrb5Base (Security, 8226352) (CVE-2020-2590)

     Mageia 2020-0068: gdal security update (Jan 30)
     

    Updated gdal packages fix security vulnerability: Double free vulnerability in OGRExpatRealloc (CVE-2019-17545). Also, the gdalinfo command, which had been built incorrectly,

     Mageia 2020-0067: webkit2 security update (Jan 28)
     

    Updated webkit2 packages fix security vulnerabilities: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2019-8835, CVE-2019-8844, CVE-2019-8846).

     Mageia 2020-0066: php security update (Jan 28)
     

    Updated php packages fix security vulnerabilities: Two buffer overflows in string and mbstring handling have been found (CVE-2020-7059, CVE-2020-7060).

     Mageia 2020-0065: virtualbox security update (Jan 28)
     

    This update provides the upstream 6.0.16 and fixes the following security vulnerabilities: An easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to

     Mageia 2020-0064: sysstat security update (Jan 28)
     

    Updated sysstat package fixes security vulnerability: Double free in check_file_actlst in sa_common.c (CVE-2019-19725). References:

     Mageia 2020-0063: python-pip security update (Jan 28)
     

    Updated python-pip packages fix security vulnerabilities: The python-pip package bundles a copy of python-urllib3, which was affected by security issues. The bundled copy was updated to fix these issues (CVE-2019-11324, CVE-2019-11236).

     Mageia 2020-0062: libmp4v2 security update (Jan 28)
     

    Updated libmp4v2 packages fix security vulnerabilities: The libmp4v2 library through version 2.1.0 is vulnerable to an integer underflow when parsing an MP4Atom in mp4atom.cpp. An attacker could exploit this to cause a denial of service via crafted MP4 file (CVE-2018-14325).

     Mageia 2020-0061: libbsd security update (Jan 28)
     

    It was discovered that libbsd incorrectly handled certain strings, due to an out-of-bounds read during a comparison for a symbol name from the string table (strtab) in nlist.c. An attacker could possibly use this issue to access sensitive information (CVE-2019-20367).

     Mageia 2020-0060: ansible security update (Jan 28)
     

    A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the

     Mageia 2020-0059: python-reportlab security update (Jan 28)
     

    A code injection vulnerability in python-reportlab allows an attacker to execute code while parsing a color attribute. An application that uses python-reportlab to parse untrusted input files may be vulnerable to this flaw and allow remote code execution (CVE-2019-17626).

     Mageia 2020-0058: samba security update (Jan 28)
     

    The implementation of ACL inheritance in the Samba AD DC was not complete, and so absent a 'full-sync' replication, ACLs could get out of sync between domain controllers (CVE-2019-14902). When processing untrusted string input Samba can read past the end of

     Mageia 2020-0057: fontforge security update (Jan 28)
     

    FontForge 20190801 has a use-after-free in SFD_GetFontMetaData in sfd.c (CVE-2020-5395) FontForge 20190801 has a heap-based buffer overflow in the Type2NotDefSplines() function in splinesave.c (CVE-2020-5496)

     Mageia 2020-0056: gthumb security update (Jan 28)
     

    A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg() in extensions/cairo_io/cairo-image-surface-jpeg.c in gThumb and Pix allows attackers to cause a crash and potentially execute arbitrary code via a crafted JPEG file (CVE-2019-20326).

     Mageia 2020-0055: python3 security update (Jan 28)
     

    The python3 package has been updated to version 3.7.6, which fixes security issues and other bugs. See the upstream changelog for details. References: - https://bugs.mageia.org/show_bug.cgi?id=26081

     Mageia 2020-0054: tomcat security update (Jan 28)
     

    When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The

     Mageia 2020-0053: mbedtls security update (Jan 28)
     

    This update from mbedTLS 2.16.2 to mbedTLS 2.16.4 fixes several security vulnerabilities, among which: The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to implement blinding. Because of this for the same key and message the

     Mageia 2020-0052: glpi security update (Jan 28)
     

    The glpi package has been updated to version 9.4.5, fixing several bugs and security issues. See the upstream announcements for details. References: - https://bugs.mageia.org/show_bug.cgi?id=25931

     Mageia 2020-0051: c3p0 security update (Jan 28)
     

    An XML external entity processing vulnerability was found in extractXmlConfigFromInputStream function in c3p0 (CVE-2018-20433). c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive

     Mageia 2020-0050: opencontainers-runc security update (Jan 28)
     

    runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory (CVE-2019-16884).

     Mageia 2020-0049: libsass security update (Jan 28)
     

    Use-after-free vulnerability in sass_context.cpp:handle_error (CVE-2018-11499). Null pointer dereference in Sass::Selector_List::populate_extends (CVE-2018-19797).

     Mageia 2020-0048: libqb security update (Jan 28)
     

    Insecure treatment of IPC temporary files which could allow a local attacker to overwrite privileged system files (CVE-2019-12779). References: - https://bugs.mageia.org/show_bug.cgi?id=25751

     Mageia 2020-0047: libmediainfo security update (Jan 28)
     

    Out-of-bounds read in function MediaInfoLib:File__Tags_Helper:Synched_Test (CVE-2019-11372). Out-of-bounds read in function File__Analyze:Get_L8 (CVE-2019-11373).

    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the LinuxSecurity Privacy news articles?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/25-what-do-you-think-of-the-linuxsecurity-privacy-news-articles?task=poll.vote&format=json
    25
    radio
    [{"id":"90","title":"Love them!","votes":"31","type":"x","order":"1","pct":91.18,"resources":[]},{"id":"91","title":"I'm indifferent","votes":"2","type":"x","order":"2","pct":5.88,"resources":[]},{"id":"92","title":"Not interested in this topic","votes":"1","type":"x","order":"3","pct":2.94,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.