Happy Friday fellow Linux geeks! This week, important updates have been issued for Apache HTTP Server, squashfs-tools and nodejs. Read on to learn about these vulnerabilities and how to secure your system against them.
Now you can personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select, making it easier than ever to keep your system up-to-date and secure.
Have a question about or comment on one of the vulnerabilities highlighted in today's newsletter? Let's discuss!
Yours in Open Source,
Apache HTTP Server

The Discovery
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient (CVE-2021-42013). This directory traversal vulnerability only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.

The Impact
An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution (RCE).

The Fix
Upgrade to Apache HTTP Server 2.4.51-1:

# pacman -Syu "apache>=2.4.51-1"

The problem has been fixed upstream in version 2.4.51.
squashfs-tools

The Discovery
It was discovered that unsquashfs in squashfs-tools, the tools to create and extract Squashfs filesystems, does not check for duplicate filenames within a directory (CVE-2021-41072).

The Impact
An attacker can exploit this flaw to write arbitrary files to the filesystem if a malformed Squashfs image is processed.

The Fix
We recommend that you upgrade your squashfs-tools packages as soon as possible to protect the security and integrity of your filesystem.
nodejs

The Discovery
Two security issues were found in the nodejs JavaScript runtime. It was discovered that the http parser accepts requests with a space (SP) right after the header name before the colon (CVE-2021-22959), and the parser ignores chunk extensions when parsing the body of chunked requests (CVE-2021-22960).

The Impact
These vulnerabilities can lead to HTTP Request Smuggling (HRS) under certain conditions.

The Fix
Update to nodejs security release 14.18 to prevent HTTP Request Smuggling (HRS) attacks. This update can be installed at the command line with the "dnf" update program.
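To show why these two parser details matter, here is an added example (not code from the advisory or from Node.js) of a strict HTTP/1.1 header and chunked-body parser in Python: it rejects whitespace between a field-name and its colon, bounds chunk extensions instead of silently skipping them, and refuses the ambiguous framings that request smuggling relies on. The MAX_CHUNK_EXT limit is an assumed value, not Node's.

```python
import re

# RFC 7230 token characters: a field-name may contain no whitespace, so
# "Content-Length : 5" (space before the colon) is rejected, not accepted.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
HEX = re.compile(rb"[0-9A-Fa-f]+")
MAX_CHUNK_EXT = 1024  # assumed bound; real servers choose their own limit

def parse_headers(raw: str) -> dict:
    """Parse CRLF-separated header lines strictly. Raises ValueError on any
    form that two parsers could read differently (the root of smuggling)."""
    headers = {}
    for line in raw.split("\r\n"):
        if not line:
            continue
        if line[0] in " \t":  # obsolete line folding
            raise ValueError("obs-fold not accepted")
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.fullmatch(name):
            raise ValueError(f"invalid field-name: {name!r}")
        name = name.lower()
        if name in headers and name in ("content-length", "transfer-encoding"):
            raise ValueError(f"duplicate {name}")
        headers[name] = value.strip(" \t")
    if "content-length" in headers and "transfer-encoding" in headers:
        raise ValueError("both Content-Length and Transfer-Encoding present")
    return headers

def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body. The chunk-size must be bare hex; a chunk extension
    after ';' is allowed but bounded, and every chunk must end with CRLF."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end == -1:
            raise ValueError("chunk-size line not terminated")
        size_part, _, ext = body[pos:end].partition(b";")
        if len(ext) > MAX_CHUNK_EXT:
            raise ValueError("chunk extension too long")
        if not HEX.fullmatch(size_part):
            raise ValueError(f"bad chunk-size: {size_part!r}")
        size, pos = int(size_part, 16), end + 2
        if size == 0:
            if body[pos:pos + 2] != b"\r\n":  # trailers are not accepted here
                raise ValueError("missing final CRLF after last-chunk")
            return bytes(out)
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        out += body[pos:pos + size]
        pos += size + 2
```

A front-end proxy and a back-end server that both apply rules this strict agree on where each request ends, which is the property a lenient parser gives away.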