Linux Advisory Watch: March 19th, 2021

Toni Huttunen discovered that the Shibboleth service provider's template engine used to render error pages could be abused for phishing attacks. For additional information please refer to the upstream advisory at

Two vulnerabilities were discovered in Tor, a connection-based low-latency anonymous communication system, which could lead to excessive CPU usage or cause a directory authority to crash.

It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service.

Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.

Anton Lydike discovered that sandbox restrictions in Flatpak, an application deployment framework for desktop apps, could by bypassed via a malicious .desktop file.

Fix for CVE-2021-20285

Fix for CVE-2021-20285

flatpak 1.10.2 release. This is a security update which fixes a potential attack where a flatpak application could use custom formated .desktop files to gain access to files on the host system. Other changes: * Fix memory leaks * Some test fixes * Documentation updates * G_BEGIN/END_DECLS added to library headders for c++ use * Fix for X11 cookies on OpenSUSE * Spawn portal better

Update to version 2.3.5, which addresses CVE-2021-21367. Release notes: https://github.com/elementary/switchboard-plug-bluetooth/releases/tag/2.3.5

An out of bounds read in function QRadialFetchSimd from crafted svg file may lead to information disclosure or other potential consequences. This update includes the backported upstream fix and should resolve the security issue.

Update to version 2.3.5, which addresses CVE-2021-21367. Release notes: https://github.com/elementary/switchboard-plug-bluetooth/releases/tag/2.3.5

Backporting upstream fixes - Fixes CVE: CVE-2020-13574 CVE-2020-13575 CVE-2020-13577 CVE-2020-13578 - Fixes CVE: CVE-2020-13576

Security fix for CVE-2021-21300 A specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case- insensitive file system such as NTFS, HFS+ or APFS. Note that clean/smudge filters have to be configured in advance, in the system-wide or global user

Update to upstream 1.4.4 - Fix CVE-2021-21334

Update to upstream aa2d5a97cdc4 for CVE-2021-21334

This update fixes CVE-2021-27921, CVE-2021-27922 and CVE-2021-27923. ---- Backport fixes for CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293

This update fixes CVE-2021-27921, CVE-2021-27922 and CVE-2021-27923. ---- Backport fixes for CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293

This update fixes CVE-2021-27921, CVE-2021-27922 and CVE-2021-27923. ---- Backport fixes for CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293

Update to gdk-pixbuf-2.42.2, see https://gitlab.gnome.org/users/sign_in pixbuf/-/tags/2.42.2 for details.

Update to python3-3.9.2, see https://docs.python.org/3/whatsnew/3.9.html for details.

Update to jasper-2.0.26, see https://github.com/jasper- software/jasper/releases/tag/version-2.0.26 for details.

Update to jinja2-2.11.3, see https://github.com/pallets/jinja/releases/tag/2.11.3 for details.

Update to glib2-2.66.7, see https://gitlab.gnome.org/GNOME/glib/-/blob/2.66.7/NEWS for details.

This update fixes CVE-2021-27921, CVE-2021-27922 and CVE-2021-27923. ---- Backport fixes for CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293

This update fixes CVE-2021-27921, CVE-2021-27922 and CVE-2021-27923. ---- Backport fixes for CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293

Update to python3-3.8.8, see https://www.python.org/downloads/release/python-388/ for details.

Update to jasper-2.0.26, see https://github.com/jasper- software/jasper/releases/tag/version-2.0.26 for details.

update to 3.0.13, fix CVE-2021-23336 (rhbz#1931542)

update to 3.0.13, fix CVE-2021-23336 (rhbz#1931542)

Python 3.10.0a6. Security fix for CVE-2021-23336.

https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/

- updated to 4.1.0

Various performance, accuracy and stability issues have been fixed.

Python 3.10.0a6. Security fix for CVE-2021-23336.

https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/

- updated to 4.1.0

Various performance, accuracy and stability issues have been fixed.

The Red Hat Build of OpenJDK 8 (container images) is now available from the Red Hat Container Catalog. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

The Red Hat Build of OpenJDK 11 (container images) is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

An update for kpatch-patch is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update for python-django is now available for Red Hat OpenStack Platform 13 (Queens). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

An update for openvswitch2.11 and ovn2.11 is now available for Red Hat OpenStack Platform 13 (Queens). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update for qemu-kvm-rhev is now available for Red Hat OpenStack Platform 13.0 (Queens). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

An update for rubygem-em-http-request is now available for Red Hat OpenStack Platform 13 (Queens). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update for etcd is now available for Red Hat OpenStack Platform 16.1 (Train). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

An update for python-django is now available for Red Hat OpenStack Platform 16.1 (Train). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

An update for bind is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update for tomcat is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which

An update for perl is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

An update for nss and nss-softokn is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

An update for curl is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

An update for python is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

An update for kernel is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

An update for pki-core is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

An update for ipa is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

An update for kpatch-patch is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

An update for Debezium MongoDB connector is now available for Red Hat Integration. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

An update for kernel is now available for Red Hat Enterprise Linux 7.3 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update for rh-nodejs10-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update for openvswitch2.13 is now available in Fast Datapath for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of

An update for openvswitch2.11 is now available in Fast Datapath for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

An update for openvswitch2.11 is now available in Fast Datapath for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of

An update for pki-core is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update for wpa_supplicant is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update for wpa_supplicant is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update to the Camel K operator image for Red Hat Integration tech-preview is now available. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact

An update for wpa_supplicant is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

New kernel packages are available for Slackware 14.2 to fix security issues.

New git packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue.

The container suse/sle15 was updated. The following patches have been included in this update:

The container suse/sle-micro/5.0/toolbox was updated. The following patches have been included in this update:

The container ses/7/rook/ceph was updated. The following patches have been included in this update:

The container ses/7/cephcsi/csi-snapshotter was updated. The following patches have been included in this update:

The container ses/7/cephcsi/csi-resizer was updated. The following patches have been included in this update:

The container ses/7/cephcsi/csi-provisioner was updated. The following patches have been included in this update:

The container ses/7/cephcsi/csi-node-driver-registrar was updated. The following patches have been included in this update:

The container ses/7/cephcsi/csi-attacher was updated. The following patches have been included in this update:

The container ses/7/cephcsi/cephcsi was updated. The following patches have been included in this update:

The container suse/sle-micro/5.0/toolbox was updated. The following patches have been included in this update:

Toni Huttunen discovered that the Shibboleth service provider's template engine used to render error pages could be abused for phishing attacks. For additional information please refer to the upstream advisory at

Due to improper input validation, Squid is vulnerable to an HTTP Request Smuggling attack. This problem allows a trusted client to perform HTTP Request

Several vulnerabilities were discovered in the shadow suite of login tools. An attacker may escalate privileges in specific configurations. CVE-2017-20002

Three security issues have been detected in tomcat8. CVE-2021-24122

DLA 2589-1 incorrectly fixed CVE-2020-26519 and also induced regression where opening a PDF document resulted in a SIGFPE crash, a floating point exception.

This update reverts the Symantec CA blacklist (which was originally #911289). The following root certificates were added back (+): + "GeoTrust Global CA" + "GeoTrust Primary Certification Authority"

Several vulnerabilities were discovered in the Go programming language. An attacker could trigger a denial-of-service (DoS), bypasss access control, and execute arbitrary code on the developer's computer.

Several vulnerabilities were discovered in the Go programming language. An attacker could trigger a denial-of-service (DoS), bypasss access control, and execute arbitrary code on the developer's computer.

CVE-2020-26519 A heap-based buffer overflow flaw was discovered in MuPDF, a lightweight PDF viewer, which may result in denial of

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0856

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0808

Upstream details at : https://access.redhat.com/errata/RHSA-2021:0851

kernel: Local buffer overflow in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c (CVE-2020-25211) * kernel: SCSI target (LIO) write to any block on ILO backstore (CVE-2020-28374) * kernel: locking issue in drivers/tty/tty_jobctrl.c can lead to an use- after-free (CVE-2020-29661) * kernel: malicious USB devices can lead to multiple out-of-bounds write (CVE-2019-19532) [More...]

jquery: Passing HTML containing elements to manipulation methods could result in untrusted code execution (CVE-2020-11023) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE Bug Fix(es): * cannot issue certs with multiple IP addresses corresponding to different hosts * CA-less install [More...]

pki-core: Unprivileged users can renew any certificate (CVE-2021-20179) * pki-core: XSS in the certificate search results (CVE-2020-25715) * pki-core: Reflected XSS in 'path length' constraint field in CA's Agent page (CVE-2019-10146) * pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery tab (CVE-2019-10179) * pki-core: Reflected XSS in [More...]

wpa_supplicant: Use-after-free in P2P provision discovery processing (CVE-2021-27803) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE SL7 x86_64 wpa_supplicant-2.6-12.el7_9.2.x86_64.rpm wpa_supplicant-debuginfo-2.6-12.el7_9.2.x86_64.rpm - Scientific Linux Development Team

An update that fixes one vulnerability is now available.

An update that fixes three vulnerabilities is now available.

An update that fixes one vulnerability is now available.

An update that fixes 13 vulnerabilities is now available.

An update that fixes 5 vulnerabilities is now available.

An update that fixes three vulnerabilities is now available.

An update that fixes one vulnerability is now available.

An update that fixes two vulnerabilities is now available.

An update that fixes one vulnerability is now available.

An update that solves two vulnerabilities and has one errata is now available.

An update that solves one vulnerability and has one errata is now available.

An update that solves one vulnerability and has two fixes is now available.

An update that fixes two vulnerabilities is now available.

An update that contains security fixes can now be installed.

An update that solves one vulnerability and has three fixes is now available.

An update that fixes 10 vulnerabilities is now available.

An update that fixes 11 vulnerabilities is now available.

An update that solves two vulnerabilities and has 7 fixes is now available.

An update that fixes four vulnerabilities is now available.

An update that fixes one vulnerability is now available.

An update that fixes two vulnerabilities is now available.

An update that solves one vulnerability and has one errata is now available.

An update that fixes one vulnerability is now available.

Discover fetches the description and related texts of some applications/plugins from store.kde.org. That text is displayed to the user, after turning into a clickable link any part of the text that looks like a link. This is done for any kind of link, be it smb:// nfs:// etc. when in fact it only makes sense for http/https links. Opening links that the user has clicked on is not very

A potential attack where a flatpak application could use custom formatted .desktop files to gain access to files on the host system (CVE-2021-21381). References: - https://bugs.mageia.org/show_bug.cgi?id=28575

The Apache XML Graphics Commons library is vulnerable to SSRF via the XMPParser that allow an attacker to cause the underlying server to make arbitrary GET requests (CVE-2020-11988). References:

Sandbox escape where a malicious application can execute code outside the sandbox by controlling the environment of the "flatpak run" command when spawning a sub-sandbox (CVE-2021-21261). A potential attack where a flatpak application could use custom formatted

The updated packages fix security vulnerabilities. At least one of them is known to be actively exploited. References: - https://bugs.mageia.org/show_bug.cgi?id=28534

A flaw was found in the way ksh evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely (CVE-2019-14868).

This update adds new microcode updates to mitigate CVE-2020-8696 for Intel Skylake server (50654) and Cascade Lake Server (50656 & 50657) processors. The new microcode update mitigates an issue when using an active JTAG agent like In Target Probe (ITP), Direct Connect Interface (DCI) or a Baseboard Management Controller (BMC) to take the CPU JTAG/TAP out of reset and then

The Apache Batik library is vulnerable to SSRF via the NodePickerPanel that allow an attacker to cause the underlying server to make arbitrary GET requests (CVE-2020-11987). References:

Updated glibc packages fix a security vulnerability: The nameserver caching daemon (nscd), when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system (CVE-2021-27645).

On case-insensitive file systems with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone (CVE-2021-21300).

When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled (CVE-2021-21290). References:

Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes to prevent web cache poisoning. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default (CVE-2021-23336).

In MediaInfoLib in MediaArea MediaInfo 20.03, there is a stack-based buffer over-read in Streams_Fill_PerStream in Multiple/File_MpegPs.cpp (aka an off-by-one during MpegPs parsing) (CVE-2020-15395). References:

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description (CVE-2019-13990). References:

User data leak in snmp_facts module (CVE-2021-20178). The bitbucket_pipeline_variable module exposed secured values (CVE-2021-20180).

User data leak in snmp_facts module (CVE-2021-20178). Multiple collections exposed secured values (CVE-2021-20191). In basic.py, no_log with fallback option (CVE-2021-20228). The ansible package has been patched to fix these issues.

This update fixes cross-site scripting (XSS) via HTML messages with malicious CSS content (CVE-2021-26925). References: - https://bugs.mageia.org/show_bug.cgi?id=28387

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow (CVE-2020-36242). References:

A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context (CVE-2021-3410). References: - https://bugs.mageia.org/show_bug.cgi?id=28556

Double free when executing print_set_output() (CVE-2020-25559). Additionally, a missing require for gnuplot has been added to gnuplot-qt package.

A flaw was found in Ceph where Ceph stores mgr module passwords in clear text. This issue can be found by searching the mgr logs for Grafana and dashboard with passwords visible. The highest threat from this vulnerability is to confidentiality (CVE-2020-25678).

Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text (CVE-2021-27229). References:

In Mechanize, from v2.0.0 until v2.7.7, there is a command injection vulnerability. Affected versions of Mechanize allow for OS commands to be injected using several classes' methods which implicitly use Ruby's Kernel#open method (CVE-2021-21289).

* Fix various instances within GLib where `g_memdup()` was vulnerable to a silent integer truncation and heap overflow problem (discovered by Kevin Backhouse, work by Philip Withnall) (#2319) * Fix some issues with handling over-long (invalid) input when parsing for

A malicious server which responds with long series of \xa0 characters in the www-authenticate header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server (CVE-2021-21240). References:

A user having an UPDATE privilege on a partitioned table but lacking the SELECT privilege on some column may be able to acquire denied-column values from an error message (CVE-2021-3393). A user having a SELECT privilege on an individual column can craft a special

Roman Fiedler discovered a vulnerability in the OverlayFS code in firejail, which could result in root privilege escalation. This update disables OverlayFS support in firejail (CVE-2021-26910). References:

A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the

The client side in OpenSSH 5.7 through 8.3 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client) (CVE-2020-14145).