Updated webkit2 packages fix security vulnerability
The webkit2 package has been updated to version 2.34.1, fixing several security issues and other bugs. See release notes for details...
Updated opencryptoki packages fix security vulnerability
It was discovered that openCryptoki incorrectly handled certain EC keys. An attacker could possibly use this issue to cause an invalid curve attack...
Updated fossil packages fix security vulnerability
Client-side TLS now verifies that the server hostname matches its certificate; fixed in fossil 2.14.2. A data exfiltration bug in the server; fixed in fossil 2.14.1...
Updated qtbase5 packages fix security vulnerability
It was discovered that Qt incorrectly handled certain XBM image files. If a user or automated system were tricked into opening a specially crafted PPM file, a remote attacker could cause Qt to crash, resulting in a denial of service. CVE-2020-17507 It was discovered that Qt incorrectly handled...
Updated kernel-linus packages fix security vulnerabilities
This kernel-linus update is based on upstream 5.10.75 and fixes at least the following security issues: A memory leak in the ccp_run_aes_gcm_cmd function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel allows malicious users to cause a denial of service (memory consumption) CVE-2021-3744. A memory...
Updated kernel packages fix security vulnerabilities
This kernel update is based on upstream 5.10.75 and fixes at least the following security issues: A memory leak in the ccp_run_aes_gcm_cmd function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel allows malicious users to cause a denial of service (memory consumption) CVE-2021-3744. A memory leak...
Updated virtualbox packages fix security vulnerabilities
This update provides the upstream 6.1.28 maintenance release that fixes at least the following security vulnerabilities: Vulnerability in the Oracle VM VirtualBox prior to 6.1.28 contains an easily exploitable vulnerability that allows a high privileged attacker with logon to the infrastructure whe...
Updated docker-containerd packages fix security vulnerability
A bug was found in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set...
Updated ansible packages fix security vulnerability
Do not include params in the exception when a call to set_options fails. Additionally, block the exception that is returned from being displayed to stdout. CVE-2021-3620...
Updated flatpak packages fix security vulnerability
Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process, by manipulating the VFS using recent mount-related...
Updated tomcat packages fix security vulnerability
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. CVE-2021-30640 Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not...
Updated aom packages fix security vulnerability
aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use-after-free. CVE-2021-30474...
Updated libslirp packages fix security vulnerability
Invalid pointer initialization issues were found in the SLiRP networking implementation of QEMU, in the bootp_input function while processing a UDP packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory fr...
Updated redis packages fix security vulnerability
CVE-2021-32626: Specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. CVE-2021-32627: An integer overflow bug in Redis 5.0 or...
Updated vim packages fix security vulnerability
CVE-2021-3778: vim: Heap-based Buffer Overflow in utf_ptr2char. Fix: patch 8.2.3409: reading beyond end of line with invalid utf-8 character. When vim 8.2 is built with --with-features=huge --enable-gui=none and address sanitizer, a heap-buffer overflow occurs when running: echo "Ywp2XTCqCi4KeQpAMA=...
Updated plib packages fix security vulnerability
Integer overflow vulnerability that could result in arbitrary code execution. The vulnerability is found in ssgLoadTGA function in src/ssg/ssgLoadTGA.cxx file...
Updated golang packages fix security vulnerability
The fix for CVE-2021-33196 can be bypassed by crafted inputs. As a result, the NewReader and OpenReader functions in archive/zip can still cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size...
Updated mediawiki packages fix security vulnerability
XSS vulnerability in Special:Search. CVE-2021-41798 ApiQueryBacklinks can cause a full table scan. CVE-2021-41799 Fix PoolCounter protection of Special:Contributions. CVE-2021-41800 ReplaceText continues performing actions if the user no longer has the correct permission such as by being blocked...
Updated xstream/xmlpull/mxparser packages fix security vulnerability
Multiple security vulnerabilities have been discovered in XStream. See references for details...
Updated grilo packages fix security vulnerability
Michael Catanzaro reported a problem in Grilo, a framework for discovering and browsing media. TLS certificate verification is not enabled on the SoupSessionAsync objects created by Grilo, leaving users vulnerable to network MITM attacks...
Updated python-flask-restx packages fix security vulnerability
Regular expression denial of service in email_regex...
Updated python-mpmath packages fix security vulnerability
Fix CVE-2021-29063 regular expression denial of service...
Updated thunderbird packages fix security vulnerabilities
Updated thunderbird packages fix security vulnerabilities: Due to a data race in the crossbeam-deque in the crossbeam crate, one or more tasks in the worker queue could have been popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this...
Updated libreoffice packages fix security vulnerability
LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to...
Updated apache packages fix security vulnerability
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default...
Updated firefox packages fix security vulnerability
Due to a data race in the crossbeam-deque in the crossbeam crate, one or more tasks in the worker queue could have been popped twice instead of other tasks that are forgotten and never popped. If tasks are allocated on the heap, this could have caused a double free and a memory leak...
Updated libss7 packages fix security vulnerability
Unsafe use of strncpy. rhbz1932066...
Updated libcryptopp packages fix security vulnerability
The ElGamal implementation in Crypto++ through 8.5 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's...
Updated fail2ban packages fix security vulnerability
fail2ban is a daemon to ban hosts that cause multiple authentication errors. In versions 0.9.7 and prior, 0.10.0 through 0.10.6, and 0.11.0 through 0.11.2, there is a vulnerability that leads to possible remote code execution in the mailing action mail-whois. Command mail from mailutils package...
Updated cockpit packages fix security vulnerability
Restrict frame embedding to same origin...
Updated nodejs packages fix security vulnerability
Multiple security fixes for nodejs. See references for details...
Updated opendmarc packages fix security vulnerability
OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field CVE-2019-20790. OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication...
Updated weechat packages fix security vulnerability
A crafted WebSocket frame could result in a crash in the weechat Relay plugin...
Updated apache packages fix security vulnerabilities
The updated packages fix security vulnerabilities: While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in...
Updated kernel packages fix security vulnerabilities
This kernel update is based on upstream 5.10.70 and fixes at least the following security issues: Use-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener after being released CVE-2020-16119...
Updated kernel-linus packages fix security vulnerabilities
This kernel-linus update is based on upstream 5.10.70 and fixes at least the following security issues: Use-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener after being released...
Updated sqlite packages fix security vulnerability
The updated sqlite packages fix a security vulnerability: Use after free in sqlite in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page CVE-2021-30569...
Updated python packages fix security vulnerability
Denial of service when identifying crafted invalid RFCs. Security fix for CVE-2021-3737: the python client can enter an infinite loop on a 100 Continue response from the server...
Updated chromium-browser-stable packages fix security vulnerability
The chromium-browser-stable package has been updated to version 94.0.4606.61, which fixes multiple security vulnerabilities. From 90.0.4430.72, released on April 14, 2021, to version 94.0.4606.61; see upstream advisories...
Updated perl-DBI packages fix security vulnerability
An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). CVE-2014-10402...
Updated libspf2 packages fix security vulnerability
Updated libspf2 packages fix buffer overflow...
Updated icu packages fix security vulnerability
Double free in ICU in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-30535...
Updated python-rsa packages fix security vulnerability
It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA. CVE-2020-25658...
Updated c-ares packages fix security vulnerability
Missing input validation on hostnames returned by DNS servers. CVE-2021-3672...
Updated apache-mod_auth_openidc packages fix security vulnerability
In versions prior to 2.4.9, oidc_validate_redirect_url does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. CVE-2021-32786 In mod_auth_openidc before version 2.4.9, the AES GCM encrypti...
Updated php packages fix security vulnerabilities
Updated php packages fix security vulnerabilities: - Integer overflow in mysqli_real_escape_string - Symlinks are followed when creating PHAR archive - shmop can't read beyond 2147483647 bytes - Integer overflow on substr_replace - Heap buffer overflow via str_repeat - Integer Overflow when...
Updated qtwebengine5 packages fix security vulnerability
Updated qtwebengine5 packages fix security vulnerabilities: The qtwebengine5 package has been updated to version 5.15.6, fixing several security issues in the bundled chromium code...
Updated mosquitto packages fix security vulnerability
Mosquitto is updated to 2.0.12 to fix security vulnerability: In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client...
Updated webkit2 packages fix security vulnerability
Updated webkit2 packages fix security vulnerabilities: The webkit2 package has been updated to version 2.32.4, fixing various bugs and the following security issue: Processing maliciously crafted web content may lead to arbitrary code execution CVE-2021-30858...
Updated libgcrypt packages fix security vulnerability
The updated packages fix a security vulnerability: The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defin...