Oracle Linux 8 : llvm-toolset:ol8 (ELSA-2021-4743)
The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-4743 advisory. clang 12.0.1-4.0.1 - Use all available CPU cores for build - Recognize Oracle Linux distros OraBug: 29422714 12.0.1-4 - Trojan source clang-tidy patchset fix...
Oracle Linux 8 : gcc-toolset-10-gcc (ELSA-2021-4585)
The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-4585 advisory. 10.3.1-1.2.0.1 - Fix Orabug 32423691- gcc10 SEGV for every test in sregress: ORA-7445ksmplruaddbatchksm same bug as PR tree-optimization/100053:...
Oracle Linux 8 : gcc-toolset-11-gcc (ELSA-2021-4586)
The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-4586 advisory. 11.2.1-1.2.0.1 - Add -ftrivial-auto-var-init support from GCC12 Reviewed-by: Jose E. Marchesi - Add CTF/BTF support Reviewed-by: Qing Zhao 11.2.1-1.2 - add...
Oracle Linux 8 : gcc-toolset-11-binutils (ELSA-2021-4594)
The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-4594 advisory. 2.36.1-1.0.1.1 - Forward port Oracle patches from 2.36.1-1.0.1 - Reviewed-by: Jose E. Marchesi 2.36.1-1.1 - Add ability to control the display of unicode...
Oracle Linux 8 : gcc (ELSA-2021-4587)
The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-4587 advisory. 8.5.0-4.0.1 - Merge oracle patches to security errata 8.5.0-4. Reviewed-by: Jose E. Marchesi 8.5.0-4 - add -Wbidirectional patch 2008391 Tenable has extracted t...
Oracle Linux 8 : binutils (ELSA-2021-4595)
The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-4595 advisory. 2.30-108.0.2.1 - Forward-port Oracle patches from 2.30-108.0.2 to 2.30-108.0.2.1 - Reviewed-by: Jose E. Marchesi 2.30-108.0.2 - Forward-port the following updat...
Oracle Linux 8 : annobin (ELSA-2021-4593)
The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-4593 advisory. 9.72-1.2 - Bump NVR and rebuild to use the new gcc. 2017362 9.72-1.1 - Annocheck: Add test for multibyte characters in symbol names. 2017362 9.72-1 - Rebase to...
Oracle Linux 8 : gcc-toolset-11-annobin (ELSA-2021-4591)
The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2021-4591 advisory. 9.85-1.1 - Annocheck: Add test for multibyte characters in symbol names. 2017367 Tenable has extracted the preceding description block directly from the Oracle...
Moderate: gcc security update
The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries. Security Fixes: Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks (CVE-2021-42574). The following changes were...
ALSA-2021:4586 Moderate: gcc-toolset-11-gcc security update
The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries. Security Fixes: Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks (CVE-2021-42574). The following changes were...
gcc-toolset-11-gcc security update
An update is available for gcc-toolset-11-gcc. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. The gcc packages provide compilers for C, C++, Java, Fortran,...
RLSA-2021:4586 Moderate: gcc-toolset-11-gcc security update
The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries. Security Fixes: Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks (CVE-2021-42574). The following changes were...
Moderate: gcc-toolset-10-gcc security update
The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries. Security Fixes: Developer environment: Unicode's bidirectional (BiDi) override characters can cause trojan source attacks (CVE-2021-42574). The following changes were...
Low: Red Hat Security Advisory: gcc security and bug fix update
An update for gcc is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE lin...
RLSA-2021:4386 Low: gcc security and bug fix update
The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries. Security Fixes: libiberty: Integer overflow in demangle_template function (CVE-2018-20673). For more details about the security issues, including the impact, a CVSS score,...
Low: gcc security and bug fix update
The gcc packages provide compilers for C, C++, Java, Fortran, Objective C, and Ada 95 GNU, as well as related support libraries. Security Fixes: libiberty: Integer overflow in demangle_template function (CVE-2018-20673). For more details about the security issues, including the impact, a CVSS score,...
Compilers permit Unicode control and homoglyph characters
Overview: Attacks that allow for unintended control of Unicode and homoglyphic characters, described by the researchers in this report, leverage text encoding that may cause source code to be interpreted differently by a compiler than it appears visually to a human reviewer. Source code compilers,...
Denial Of Service (DoS)
rust:edge is vulnerable to denial of service. The vulnerability exists as it permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters causing an...
Trojan Source CVE-2021-42572: No Panic Necessary
What is this thing? Researchers at the University of Cambridge and the University of Edinburgh recently published a paper on an attack technique they call “Trojan Source.” The attack targets a weakness in text-encoding standard Unicode—which allows computers to handle text across many different...
New 'Trojan Source' Technique Lets Hackers Hide Vulnerabilities in Source Code
A novel class of vulnerabilities could be leveraged by threat actors to inject visually deceptive malware in a way that's semantically permissible but alters the logic defined by the source code, effectively opening the door to more first-party and supply chain risks. Dubbed "Trojan Source...