Happy Friday fellow Linux geeks! This week, important updates have been issued for djvulibre, aria2 and log4j. Read on to learn about these vulnerabilities and how to secure your system against them.
Now you can personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select, making it easier than ever to keep your system up-to-date and secure.
Have a question about or comment on one of the vulnerabilities highlighted in today's newsletter? Let's discuss!
Yours in Open Source,
djvulibre
The Discovery: Several dangerous vulnerabilities were discovered in djvulibre, a library and set of tools for handling documents in the DjVu format (CVE-2019-15142, CVE-2019-15143, CVE-2019-15144 and CVE-2019-15145).
The Impact: An attacker could exploit these flaws to crash document viewers and possibly execute arbitrary code through crafted DjVu files.
The Fix: A djvulibre security update has been released that fixes these issues. We recommend that you upgrade your djvulibre packages as soon as possible.
aria2
The Discovery: It was discovered that the download utility aria2 wrote HTTP user credentials into local log files when the --log option was used (CVE-2019-3500).
The Impact: This bug could result in the compromise of sensitive information that could be used for malicious purposes.
The Fix: A security update released for aria2 mitigates this flaw. We urge you to upgrade your aria2 packages promptly.
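Even after patching, log files written before the update may still hold credentials. The following script is an added example (not part of the advisory or of aria2) that scans a log for the two common ways HTTP credentials end up in text logs, user:password in a URL and an Authorization header, reports each hit, and produces a redacted copy. The sample log lines are constructed to resemble a downloader's verbose log; they are not real aria2 output, and the regexes and function names are this example's own.

```python
import re

# Constructed sample of the kind of lines a downloader's verbose log file
# might contain (modelled on a --log style log, not captured from aria2).
SAMPLE_LOG = """\
2019-01-02 10:00:01.123 [NOTICE] Downloading 1 item(s)
2019-01-02 10:00:01.456 [INFO] CUUID#1 - Requesting: GET http://alice:S3cretPass@files.example.test/report.pdf HTTP/1.1
2019-01-02 10:00:01.789 [INFO] CUUID#1 - Authorization: Basic YWxpY2U6UzNjcmV0UGFzcw==
2019-01-02 10:00:02.000 [INFO] CUUID#1 - Response received, status=200
"""

# user:password embedded in a URL authority (RFC 3986 userinfo).  The
# negative lookahead skips passwords we have already replaced with ***,
# so running the redactor twice does not re-flag its own output.
URL_CRED_RE = re.compile(
    r"(?P<scheme>[a-z][a-z0-9+.-]*://)(?P<user>[^/\s:@]+):(?P<pw>(?!\*{3}@)[^/\s@]+)@",
    re.IGNORECASE,
)
# Basic / Bearer credentials echoed as a request header (same lookahead idea).
AUTH_HDR_RE = re.compile(
    r"(?P<hdr>Authorization:\s*(?:Basic|Bearer)\s+)(?P<tok>(?!\*{3}(?!\S))\S+)",
    re.IGNORECASE,
)


def find_leaks(lines):
    """Return (1-based line number, leak kind) for every credential-bearing line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if URL_CRED_RE.search(line):
            hits.append((n, "url-userinfo"))
        if AUTH_HDR_RE.search(line):
            hits.append((n, "authorization-header"))
    return hits


def redact_line(line):
    """Mask the secret but keep the username and header type, so the log
    stays useful for troubleshooting."""
    line = URL_CRED_RE.sub(lambda m: f"{m['scheme']}{m['user']}:***@", line)
    line = AUTH_HDR_RE.sub(lambda m: f"{m['hdr']}***", line)
    return line


def redact_log(text):
    """Redact a whole log file's text, line by line."""
    return "\n".join(redact_line(line) for line in text.splitlines())


if __name__ == "__main__":
    for lineno, kind in find_leaks(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: {kind}")
    print(redact_log(SAMPLE_LOG))
```

Run it against an existing log (read the file into `redact_log`) before sharing the log with anyone, and treat any hit as a signal that the credential itself should be rotated, since redacting the file does not undo the earlier exposure.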
log4j
The Discovery: A security bug has been found in Log4j 1.x when the application is configured to use JMSAppender (CVE-2021-4104). JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data when an attacker has write access to the Log4j configuration.
The Impact: An attacker with that write access can set the TopicBindingName and TopicConnectionFactoryBindingName values so that JMSAppender performs JNDI requests that result in remote code execution (RCE), in a similar fashion to CVE-2021-44228.
The Fix: A log4j security update has been released that fixes this vulnerability. Update now!
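Because this flaw only applies when JMSAppender is actually configured, the first thing to check on a Log4j 1.x host is the configuration itself. The script below is an added example (not part of the advisory or of Log4j) that parses a log4j.properties file, finds every appender whose class is org.apache.log4j.net.JMSAppender, reports whether it is wired to the root logger or a named logger, and lists the two JNDI binding settings the advisory names. The sample properties file is constructed for the example, and the parser and function names are this example's own (it handles the properties format only, not log4j.xml).

```python
import re

# Constructed sample log4j 1.x properties file (not taken from any real
# deployment); the "jms" appender is the configuration shape CVE-2021-4104
# describes: JMSAppender with JNDI binding names set and attached to a logger.
SAMPLE_PROPERTIES = """\
# constructed example
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.ProviderURL=tcp://mq.internal.example.test:61616
log4j.appender.jms.TopicBindingName=MyTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"
# The two settings the advisory names as driving the JNDI lookups.
JNDI_LOOKUP_KEYS = ("TopicBindingName", "TopicConnectionFactoryBindingName")


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on the first '=' or ':' only, so values such as tcp:// URLs survive.
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        props[parts[0]] = parts[1] if len(parts) == 2 else ""
    return props


def referenced_appenders(props):
    """Appender names attached to the root logger or to any named logger."""
    refs = set()
    for key, value in props.items():
        if key == "log4j.rootLogger" or key.startswith("log4j.logger."):
            # Value is "[LEVEL], appenderA, appenderB"; the level token is
            # harmless here because we only test membership of appender names.
            refs.update(tok.strip() for tok in value.split(","))
    return refs


def audit_log4j_properties(text):
    """Return one finding per JMSAppender definition, with its JNDI settings."""
    props = parse_properties(text)
    refs = referenced_appenders(props)
    findings = []
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if not m or value.strip() != JMS_APPENDER_CLASS:
            continue
        name = m.group(1)
        prefix = f"log4j.appender.{name}."
        jndi = {k[len(prefix):]: v for k, v in props.items()
                if k.startswith(prefix) and k[len(prefix):] in JNDI_LOOKUP_KEYS}
        findings.append({"appender": name, "referenced": name in refs, "jndi_settings": jndi})
    return findings


def jms_appender_in_use(text):
    """True when a JMSAppender is both defined and wired to a logger."""
    return any(f["referenced"] for f in audit_log4j_properties(text))


if __name__ == "__main__":
    for f in audit_log4j_properties(SAMPLE_PROPERTIES):
        state = "ACTIVE" if f["referenced"] else "defined but unreferenced"
        print(f"JMSAppender '{f['appender']}' ({state}): {f['jndi_settings']}")
```

A defined-but-unreferenced JMSAppender is still worth removing, because the advisory's precondition is write access to the configuration, and an attacker with that access can attach the appender to a logger as easily as change its binding names; the real fix remains the package update.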