Linux Advisory Watch: October 16th, 2020

Advisories

Linux Advisory Watch: October 16th, 2020

Thank you for subscribing to the LinuxSecurity Linux Advisory Watch newsletter! Staying on top of the latest security advisories issued by the distro(s) you use is essential in maintaining an updated, secure Linux system. Our weekly newsletter is an easy, convenient way to track distribution security advisories - helping you keep your Linux environment safe from malware and other exploits.


Important advisories issued this week include warnings from CentOS and Scientific Linux of vulnerabilities in Mozilla Thunderbird and dovecot and critical openSUSE updates for qemu, tigervnc and nodejs10. Continue reading to learn about other significant advisories issued this week. Stay healthy, safe and secure - both on and offline!


LinuxSecurity.com Feature Extras:

Securing A Linux Web Server: Preventing Information Leakage - Information leakage is a serious threat to the security of a Linux server, and can result in a host of severe consequences including significant downtime and the compromise of sensitive data. Luckily, server administrators can mitigate the risk of information leakage through a series of configuration changes.

RavenDB: Pioneering Data Management with an Innovative Open-Source Approach - When it comes to using a NoSQL document database to store, manage and retrieve documents, reliability, privacy, efficiency and ease-of-use are essential in optimizing productivity and ensuring data security. However, the unfortunate reality is that many NoSQL document databases fail to embody these important characteristics, leaving users frustrated - and often at risk. 


  Debian: DSA-4772-1: httpcomponents-client security update (Oct 14)
 

Priyank Nigam discovered that HttpComponents Client, a Java HTTP agent implementation, could misinterpret malformed authority component in a request URI and pick the wrong target host for request execution.

  Debian: DSA-4771-1: spice security update (Oct 11)
 

Frediano Ziglio discovered multiple buffer overflow vulnerabilities in the QUIC image decoding process of spice, a SPICE protocol client and server library, which could result in denial of service, or possibly, execution of arbitrary code.

  Fedora 33: kernel 2020-ce117eff51 (Oct 15)
 

This update contains patches for the BleedingTooth CVEs. ---- The 5.8.15 stable kernel update contains a number of important fixes across the tree.

  Fedora 32: dnf 2020-47a7fbf50d (Oct 15)
 

libdnf 0.54.2-2 - Increase needed conflicting dnf version dnf 4.4.0-2 - Increase required libdnf version

  Fedora 32: libdnf 2020-47a7fbf50d (Oct 15)
 

libdnf 0.54.2-2 - Increase needed conflicting dnf version dnf 4.4.0-2 - Increase required libdnf version

  Fedora 32: claws-mail 2020-67d9661fe2 (Oct 15)
 

Update to 3.17.7 -- https://www.claws-mail.org/news.php

  Fedora 32: dovecot 2020-d737c57172 (Oct 13)
 

CVE-2020-12100: Parsing mails with a large number of MIME parts could have resulted in excessive CPU usage or a crash due to running out of stack memory. CVE-2020-12673: Dovecot's NTLM implementation does not correctly check message buffer size, which leads to reading past allocation which can lead to crash. CVE-2020-10967: lmtp/submission:

  Fedora 31: oniguruma 2020-d53469eceb (Oct 9)
 

Backport fix for CVE-2020-26159

  Fedora 32: oniguruma 2020-952c499e9d (Oct 9)
 

Backport fix for CVE-2020-26159

  Fedora 31: podman 2020-3a4b8fca5e (Oct 9)
 

autobuilt v2.1.0,Security fix for CVE-2020-14370

  Fedora 31: crun 2020-3a4b8fca5e (Oct 9)
 

autobuilt v2.1.0,Security fix for CVE-2020-14370

  RedHat: RHSA-2020-4255:01 Moderate: security update - Red Hat Ansible Tower (Oct 14)
 

Red Hat Ansible Tower 3.6 runner release (CVE-2019-18874) 2. Description: * Updated python-psutil version to 5.6.6 inside ansible-runner container (CVE-2019-18874)

  RedHat: RHSA-2020-4254:01 Moderate: security update - Red Hat Ansible Tower (Oct 14)
 

Red Hat Ansible Tower 3.7 runner release (CVE-2019-18874) 2. Description: * Updated python-psutil version to 5.6.6 inside ansible-runner container (CVE-2019-18874)

  RedHat: RHSA-2020-4252:01 Important: Red Hat build of Quarkus 1.7.5 release (Oct 14)
 

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each

  RedHat: RHSA-2020-4251:01 Critical: flash-plugin security update (Oct 14)
 

An update for flash-plugin is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2020-4246:01 Moderate: Red Hat JBoss Enterprise Application (Oct 13)
 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2020-4247:01 Moderate: Red Hat JBoss Enterprise Application (Oct 13)
 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.3. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2020-4244:01 Moderate: Red Hat JBoss Enterprise Application (Oct 13)
 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2020-4245:01 Moderate: Red Hat JBoss Enterprise Application (Oct 13)
 

An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2020-4236:01 Moderate: kernel security and bug fix update (Oct 13)
 

An update for kernel is now available for Red Hat Enterprise Linux 7.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2020-4235:01 Critical: chromium-browser security update (Oct 13)
 

An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2020-4220:01 Important: OpenShift Container Platform 4.4.27 (Oct 13)
 

An update for openshift-jenkins-2-container is now available for Red Hat OpenShift Container Platform 4.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

  RedHat: RHSA-2020-4214:01 Moderate: go-toolset-1.13-golang security and bug (Oct 8)
 

An update for go-toolset-1.13 and go-toolset-1.13-golang is now available for Red Hat Developer Tools. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  RedHat: RHSA-2020-4213:01 Low: Red Hat support for Spring Boot 2.2.10 (Oct 8)
 

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

  RedHat: RHSA-2020-4211:01 Moderate: Red Hat AMQ Interconnect 1.9.0 release (Oct 8)
 

Red Hat AMQ Interconnect 1.9.0 release packages are available for A-MQ Interconnect on RHEL 6, 7, and 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

  SUSE: 2020:2931-1 moderate: bcm43xx-firmware (Oct 15)
 

An update that contains security fixes can now be installed.

  SUSE: 2020:2930-1 moderate: crmsh (Oct 15)
 

An update that contains security fixes can now be installed.

  SUSE: 2020:2924-1 moderate: libqt5-qtsvg (Oct 14)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:2920-1 important: php7 (Oct 14)
 

An update that solves one vulnerability and has one errata is now available.

  SUSE: 2020:2906-1 important: the Linux Kernel (Oct 13)
 

An update that solves 11 vulnerabilities and has 55 fixes is now available.

  SUSE: 2020:2914-1 moderate: bind (Oct 13)
 

An update that solves 12 vulnerabilities, contains one feature and has 8 fixes is now available.

  SUSE: 2020:2908-1 important: the Linux Kernel (Oct 13)
 

An update that solves 9 vulnerabilities and has 75 fixes is now available.

  SUSE: 2020:2913-1 moderate: crmsh (Oct 13)
 

An update that contains security fixes can now be installed.

  SUSE: 2020:2907-1 important: the Linux Kernel (Oct 13)
 

An update that solves 11 vulnerabilities and has 61 fixes is now available.

  SUSE: 2020:2904-1 important: the Linux Kernel (Oct 13)
 

An update that solves 11 vulnerabilities and has 62 fixes is now available.

  SUSE: 2020:2905-1 important: the Linux Kernel (Oct 13)
 

An update that solves 11 vulnerabilities and has 61 fixes is now available.

  SUSE: 2020:2905-1 important: the Linux Kernel (Oct 13)
 

An update that solves 11 vulnerabilities and has 61 fixes is now available.

  SUSE: 2020:2904-1 important: the Linux Kernel (Oct 13)
 

An update that solves 11 vulnerabilities and has 62 fixes is now available.

  SUSE: 2020:2900-1 important: libproxy (Oct 13)
 

An update that fixes two vulnerabilities is now available.

  SUSE: 2020:2898-1 critical: tigervnc (Oct 13)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:2896-1 important: php74 (Oct 13)
 

An update that solves two vulnerabilities and has one errata is now available.

  SUSE: 2020:2901-1 important: libproxy (Oct 13)
 

An update that fixes two vulnerabilities is now available.

  SUSE: 2020:2899-1 critical: rubygem-activesupport-5_1 (Oct 13)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:2894-1 important: php5 (Oct 12)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:2880-1 critical: tigervnc (Oct 9)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:2882-1 critical: tigervnc (Oct 9)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:2881-1 critical: tigervnc (Oct 9)
 

An update that fixes one vulnerability is now available.

  SUSE: 2020:2879-1 important: the Linux Kernel (Oct 8)
 

An update that solves 9 vulnerabilities and has 105 fixes is now available.

  Ubuntu 4546-2: Firefox regressions (Oct 16)
 

USN-4546-1 caused some minor regressions in Firefox.

  Ubuntu 4584-1: HtmlUnit vulnerability (Oct 15)
 

HtmlUnit could be made to crash or run programs as an administrator if it opened a specially crafted file.

  Ubuntu 4585-1: Newsbeuter vulnerabilities (Oct 15)
 

Newsbeuter could be made to crash or run programs as your login if it opened a malicious file.

  Ubuntu 4582-1: Vim vulnerabilities (Oct 14)
 

Several security issues were fixed in Vim.

  Ubuntu 0072-1: linux kernel vulnerability (Oct 14)
   
  Ubuntu 4580-1: Linux kernel vulnerability (Oct 13)
 

The system could be made to crash or possibly run programs as an administrator.

  Ubuntu 4579-1: Linux kernel vulnerabilities (Oct 13)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 4578-1: Linux kernel vulnerabilities (Oct 13)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 4577-1: Linux kernel vulnerabilities (Oct 13)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 4576-1: Linux kernel vulnerabilities (Oct 13)
 

Several security issues were fixed in the Linux kernel.

  Ubuntu 4575-1: dom4j vulnerability (Oct 13)
 

dom4j could be made to expose sensitive information or run programs if it received specially crafted input.

  Debian LTS: DLA-2407-1: tomcat8 security update (Oct 14)
 

It was discovered that there was an issue in Apache Tomcat 8, the Java application server. An excessive number of concurrent streams could have resulted in users seeing responses for unexpected resources.

  Debian LTS: DLA-2405-1: httpcomponents-client security update (Oct 10)
 

Oleg Kalnichevski discovered that httpcomponents-client, a Java library for building HTTP-aware applications, can misinterpret a malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request

  Debian LTS: DLA-2404-1: eclipse-wtp security update (Oct 9)
 

In Eclipse Web Tools Platform, a component of the Eclipse IDE, XML and DTD files referring to external entities could be exploited to send the contents of local files to a remote server when edited or validated, even when external entity resolution is disabled in the user

  Debian LTS: DLA-2403-1: rails security update (Oct 9)
 

A potential Cross-Site Scripting (XSS) vulnerability was found in rails, a ruby based MVC framework. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the

  Debian LTS: DLA-2402-1: golang-go.crypto security update (Oct 8)
 

CVE-2019-11840 An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto. If more than 256 GiB of keystream is

  ArchLinux: 202010-1: chromium: multiple issues (Oct 14)
 

The package chromium before version 86.0.4240.75-1 is vulnerable to multiple issues including arbitrary code execution, access restriction bypass, information disclosure and insufficient validation.

  openSUSE: 2020:1666-1: critical: tigervnc (Oct 13)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2020:1664-1: important: qemu (Oct 13)
 

An update that solves four vulnerabilities and has two fixes is now available.

  openSUSE: 2020:1660-1: important: nodejs10 (Oct 12)
 

An update that solves two vulnerabilities and has one errata is now available.

  openSUSE: 2020:1658-1: moderate: permissions (Oct 11)
 

An update that contains security fixes can now be installed.

  openSUSE: 2020:1655-1: important: the Linux Kernel (Oct 11)
 

An update that solves 12 vulnerabilities and has 59 fixes is now available.

  openSUSE: 2020:1652-1: moderate: nextcloud (Oct 10)
 

An update that fixes 5 vulnerabilities is now available.

  openSUSE: 2020:1650-1: important: kdeconnect-kde (Oct 10)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2020:1646-1: moderate: grafana (Oct 10)
 

An update that fixes two vulnerabilities is now available.

  openSUSE: 2020:1647-1: important: kdeconnect-kde (Oct 10)
 

An update that fixes one vulnerability is now available.

  openSUSE: 2020:1644-1: moderate: nodejs8 (Oct 10)
 

An update that solves one vulnerability and has one errata is now available.

  Mageia 2020-0382: mariadb security update (Oct 13)
 

This update fixes CVE-2020-15180 References: - https://bugs.mageia.org/show_bug.cgi?id=27375 - https://mariadb.com/kb/en/mariadb-10325-release-notes/

Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript![ ? ]

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.