981 matches found

Oracle linux
added 2020/01/16 12:0 a.m. | 75 views

git security update

1.8.3.1-21 - Fix CVE-2019-1387...

CVSS 8.8 | AI score 1.3 | EPSS 0.04426
Exploits: 0

Debian CVE
added 2020/01/03 3:38 p.m. | 26 views

CVE-2019-19087

Removed by vendor...

CVSS 4.3 | AI score 5.8 | EPSS 0.00658
Exploits: 0

Debian CVE
added 2020/01/02 4:22 p.m. | 19 views

CVE-2014-0048

An issue was found in Docker before 1.6.0. Some programs and scripts in Docker are downloaded via HTTP and then executed or used in unsafe ways...

CVSS 9.8 | AI score 8.7 | EPSS 0.06508
Exploits: 0

UbuntuCve
added 2019/12/31 12:0 a.m. | 20 views

CVE-2019-20202

An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezxml_char_content tries to use realloc on a block that was not allocated, leading to an invalid free and segmentation fault...

CVSS 6.5 | AI score 6.6 | EPSS 0.01169
Exploits: 1 | References: 2

Oracle linux
added 2019/11/14 12:0 a.m. | 36 views

go-toolset:ol8 security, bug fix, and enhancement update

...

CVSS 9.8 | AI score 9.2 | EPSS 0.08359
Exploits: 1

UbuntuCve
added 2019/11/07 8:15 p.m. | 23 views

CVE-2010-2449

Gource through 0.26 logs to a predictable file name /tmp/gource-$UID.tmp, enabling attackers to overwrite an arbitrary file via a symlink attack...

CVSS 6.5 | AI score 6.7 | EPSS 0.01749
Exploits: 0 | References: 1

Debian CVE
added 2019/08/22 7:47 p.m. | 26 views

CVE-2019-13139

In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs, and results in command injection into the underlying "git...

CVSS 8.4 | AI score 8.9 | EPSS 0.01945
Exploits: 1

UbuntuCve
added 2019/08/18 7:15 p.m. | 22 views

CVE-2019-15144

In DjVuLibre 3.5.27, the sorting functionality (aka GArrayTemplate::sort) allows attackers to cause a denial-of-service (application crash due to an Uncontrolled Recursion) by crafting a PBM image file that is mishandled in libdjvu/GContainer.h...

CVSS 5.5 | AI score 6.3 | EPSS 0.01774
Exploits: 1 | References: 2

Debian CVE
added 2019/05/22 12:0 a.m. | 29 views

CVE-2019-11841

A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" Armor Headers. The...

CVSS 5.9 | AI score 6.5 | EPSS 0.01641
Exploits: 2

Debian CVE
added 2019/04/22 3:6 p.m. | 20 views

CVE-2019-11455

A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit before 5.25.3 allows a remote authenticated attacker to retrieve the contents of adjacent memory via manipulation of GET or POST parameters. The attacker can also cause a denial of service (application outage)...

CVSS 8.1 | AI score 7.7 | EPSS 0.03138
Exploits: 1

Debian CVE
added 2019/04/10 7:38 p.m. | 28 views

CVE-2019-11068

libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded...

CVSS 9.8 | AI score 7.4 | EPSS 0.0523
Exploits: 0

AlpineLinux
added 2019/04/03 5:43 p.m. | 43 views

CVE-2018-4263

Multiple memory corruption issues were addressed with improved memory handling. This issue affected versions prior to iOS 11.4.1, tvOS 11.4.1, Safari 11.1.2, iTunes 12.8 for Windows, iCloud for Windows 7.6...

CVSS 8.8 | AI score 8.9 | EPSS 0.01976
Exploits: 0

AlpineLinux
added 2019/01/24 5:0 a.m. | 43 views

CVE-2019-6486

Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks...

CVSS 8.2 | AI score 8.2 | EPSS 0.04326
Exploits: 0

UbuntuCve
added 2019/01/10 1:29 a.m. | 17 views

CVE-2018-20683

commands/rsync in Gitolite before 3.6.11, if .gitolite.rc enables rsync, mishandles the rsync command line, which allows attackers to have a "bad" impact by triggering use of an option other than -v, -n, -q, or -P...

CVSS 8.1 | AI score 7.2 | EPSS 0.02009
Exploits: 0 | References: 5

Oracle linux
added 2019/01/03 12:0 a.m. | 74 views

Unbreakable Enterprise kernel security update

4.1.12-124.24.1 - pinctrl: amd: Use devm_pinctrl_register for pinctrl registration Laxman Dewangan Orabug: 27539246 CVE-2017-18174 - mlock: fix mlock count can not decrease in race condition Yisheng Xie Orabug: 27677611 CVE-2017-18221 - perf/core: Fix the perf_cpu_time_max_percent check Tan Xiaojun...

CVSS 9.8 | AI score 0.1 | EPSS 0.03399
Exploits: 0

Amazon
added 2018/12/20 12:0 a.m. | 105 views

Important: git

Issue Overview: Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command API and run-command.c, because there was a dangerous change from execvp to execv during 2017. CVE-2018-19486 Affecte...

CVSS 9.8 | AI score 7.5 | EPSS 0.0412
Exploits: 0

Fedora
added 2018/11/24 2:30 a.m. | 27 views

[SECURITY] Fedora 29 Update: tmux-2.8-2.fc29

tmux is a "terminal multiplexer." It enables a number of terminals or windows to be accessed and controlled from a single terminal. tmux is intended to be a simple, modern, BSD-licensed alternative to programs such as GNU Screen...

AI score 2
Exploits: 0

Oracle linux
added 2018/09/18 12:0 a.m. | 86 views

kernel security update

2.6.18-419.0.0.0.11 - x86_64/entry: Don't use IST entry for BP stack orabug 28452062 CVE-2018-8897...

CVSS 7.8 | AI score 1.7 | EPSS 0.18404
Exploits: 9

UbuntuCve
added 2018/05/30 9:29 p.m. | 16 views

CVE-2018-11565

Mahara 17.04 before 17.04.8 and 17.10 before 17.10.5 and 18.04 before 18.04.1 are vulnerable to mentioning the usernames that are already taken by people registered in the system rather than masking that information...

CVSS 5.3 | AI score 6.1 | EPSS 0.00892
Exploits: 0 | References: 2

Gentoo Linux
added 2018/05/30 12:0 a.m. | 476 views

beep: Local privilege escalation

Background The advanced PC speaker beeper. Description A race condition, if setuid, was discovered in beep. Impact A local attacker could escalate privileges. Workaround There is no known workaround at this time. Resolution All beep users should upgrade to the latest version: emerge --sync emerge...

CVSS 7 | AI score 3.5 | EPSS 0.01651
Exploits: 3