Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! 

Today’s newsletter is sponsored by Uptycs. To close security observability gaps across your cloud attack surface, check out the Uptycs Security Analytics Platform.

This week, important updates have been issued for nginx, python-django and salt.

We recommend that you visit our Advisories page frequently to see the latest security advisories that have been issued by your Linux distro(s). We also now offer the ability to personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select. 

On behalf of the LinuxSecurity.com administrative team, I would like to extend a warm welcome to our newly redesigned site!

Yours in Open Source,


nginx

The Discovery

It was discovered that nginx, a high-performance HTTP and reverse proxy server, did not properly handle DNS responses when using the "resolver" directive.

The Impact

This high-severity vulnerability (CVE-2021-23017) could lead to remote code execution (RCE): a remote attacker able to supply DNS responses to an nginx instance could execute arbitrary code with the privileges of the nginx process, or cause a Denial of Service (DoS) condition.

The Fix

All nginx users should upgrade to the latest version immediately:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/nginx-1.20.1"

All nginx mainline users should upgrade to the latest version immediately:

# emerge --sync
# emerge --ask --oneshot -v ">=www-servers/nginx-1.21.0:mainline"


python-django

The Discovery

Multiple remotely exploitable security issues (CVE-2021-33203 and CVE-2021-33571) have been found in the python-django web framework before version 3.2.4.

The Impact

These vulnerabilities could enable user accounts with staff privileges to check for the existence of arbitrary files, and possibly disclose the contents of these files. Additionally, leading zeros in IPv4 addresses could be used to bypass IP-based access restrictions.
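The IPv4 issue above comes down to ambiguous parsing: an octet such as "010" is read as decimal 10 by some parsers and as octal 8 by others, so a validator that accepts it may approve an address different from the one the network stack later connects to. The following added example (not Django's own code) shows a strict validator that refuses leading-zero octets outright, and a constructed allow-list check built on it.

```python
"""Strict IPv4 validation that rejects leading zeros in octets.

Added illustration for the python-django advisory above; this is not
Django's code. The idea mirrors the upstream hardening: an address like
"127.0.0.01" or "010.0.0.1" is rejected instead of being silently
normalised, because different parsers disagree on what it means.
"""
import ipaddress


def has_leading_zero_octet(value: str) -> bool:
    """True if any dotted octet is written with a leading zero, e.g. "01".

    A lone "0" is a legitimate octet; only multi-character octets that
    start with "0" are ambiguous (decimal vs. octal interpretation).
    """
    return any(len(octet) > 1 and octet[0] == "0" for octet in value.split("."))


def validate_ipv4_strict(value: str) -> bool:
    """Return True only for canonical dotted-quad IPv4 text.

    Rejects anything the ipaddress module cannot parse as IPv4, plus any
    address that parses but uses a leading-zero octet. Older Python
    versions accept "010.0.0.1" and read the octet as decimal 10, while
    C-style inet_aton reads it as octal 8; refusing the form avoids relying
    on the interpreter version for the security decision.
    """
    if value.count(".") != 3:
        return False  # not a dotted quad (also excludes IPv6 text)
    if has_leading_zero_octet(value):
        return False
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def is_allowed(client_ip: str, allow_list: set) -> bool:
    """Constructed IP-based restriction: allow only strictly valid addresses
    whose canonical form appears in the allow-list.

    Without the strict check, "010.0.0.1" could be normalised to "10.0.0.1"
    and pass, even though it is not the string the operator listed.
    """
    if not validate_ipv4_strict(client_ip):
        return False
    return str(ipaddress.IPv4Address(client_ip)) in allow_list
```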

The Fix

These bugs have been fixed upstream in python-django version 3.2.4. Users should upgrade to version 3.2.4-1 immediately.

# pacman -Syu "python-django>=3.2.4-1"


salt

The Discovery

openSUSE users are especially affected this week, as multiple critical flaws have been discovered in salt, the distributed remote execution system shipped in openSUSE Leap 15.2.

The Impact

Issues addressed by these updates include a missing part of the async batch implementation, a deprecation warning that breaks minion execution when the "server_id_use_crc" option is missing, parsing errors in the ansiblegate state module, command injection in the snapper module, a salt-ssh regression when processing targets, a race condition in salt-ssh event processing, and the freezing of salt-call.

The Fix

openSUSE has released an important security update that solves seven vulnerabilities and contains three fixes. To install this openSUSE security update, use the SUSE-recommended installation methods such as YaST online_update or "zypper patch".

You can also run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-899=1
