6011 matches found
Updated spice packages fix security vulnerability
Updated spice packages fix security vulnerability: A flaw was found in spice in versions before 0.14.92. A DoS tool might make it easier for remote attackers to cause a denial of service CPU consumption by performing many renegotiations within a single connection CVE-2021-20201...
Updated qtwebengine5 packages fix security vulnerabilities
Updated qtwebengine5 packages fix security vulnerabilities: The qtwebengine5 package has been updated to version 5.15.5, fixing several security issues in the bundled chromium code...
Updated thunderbird packages fix security vulnerabilities
Updated thunderbird packages fix security vulnerabilities: Uninitialized memory in a canvas object could have caused an incorrect free leading to memory corruption and a potentially exploitable crash CVE-2021-29980. Instruction reordering during JIT optimization resulted in a sequence of...
Updated glibc packages fix security issue
The recent fix for CVE-2021-33574 released in MGASA-2021-0308 introduced a NULL pointer dereference because mqnotify.c mishandles certain NOTIFYREMOVED data, that will result in segmentation fault. This update adds the missing NULL pointer check to resolve this issue CVE-2021-38604...
Updated webkit2 packages fix security vulnerabilities
Updated webkit2 packages fix security vulnerabilities: A use-after-free vulnerability exists in the way certain events are processed for ImageLoader objects of Webkit WebKitGTK 2.30.4. A specially crafted web page can lead to a potential information leak and further memory corruption. In order to...
Updated dino packages fix security vulnerability
Updated dino packages fix security vulnerability: Dino before 0.1.2 and 0.2.x before 0.2.1 allows Directory Traversal only for creation of new files via URI-encoded path separators CVE-2021-33896...
Updated firefox packages fix security vulnerabilities
Updated firefox packages fix security vulnerabilities: Uninitialized memory in a canvas object could have caused an incorrect free leading to memory corruption and a potentially exploitable crash CVE-2021-29980. Instruction reordering during JIT optimization resulted in a sequence of instructions...
Updated libvirt packages fix security vulnerability
Updated libvirt packages fix security vulnerability: insecure sVirt label generation CVE-2021-3631...
Updated mariadb packages fix security vulnerabilities
Updated mariadb packages fix security vulnerabilities: A security issue has been found in the InnoDB component of MariaDB before version 10.6.4. A difficult to exploit vulnerability allows a high privileged attacker with network access via multiple protocols to compromise the MariaDB server...
Updated kernel packages fix security vulnerabilities
This kernel update is based on upstream 5.10.56 and fixes at least the following security issues: In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism...
Updated kernel-linus packages fix security vulnerabilities
This kernel-linus update is based on upstream 5.10.56 and fixes at least the following security issues: In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection...
Updated libsndfile packages fix security vulnerability
Updated libsndfile packages fix security vulnerability: A heap buffer overflow vulnerability in msadpcmdecodeblock of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted WAV file CVE-2021-3246...
Updated python-pillow packages fix security vulnerabilities
Updated python-pillow packages fix security vulnerabilities: An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2kugrayala CVE-2021-25287. An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2kugrayi...
Updated nodejs packages fix security vulnerability
Updated nodejs packages fix security vulnerability: Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior CVE-2021-22930...
Updated php-pear packages fix security vulnerability
Updated php-pear packages fix security vulnerability: In ArchiveTar before 1.4.14, symlinks can refer to targets outside of the extracted archive CVE-2021-32610...
Updated fetchmail packages fix security vulnerability
Updated fetchmail packages fix security vulnerability: reportvbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf valist argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages...
Updated rabbitmq-server packages fix security vulnerabilities
Updated rabbitmq-server packages fix security vulnerabilities: RabbitMQ all versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in AMQP 1.0 client connection endpoint. A malicious user can exploit the vulnerability by sending malicious AMQP...
Updated bluez packages fix security vulnerability
Updated bluez packages fix security vulnerability: Adapter incorrectly restores Discoverable state after powered down CVE-2021-3658...
Updated exiv2 packages fix security vulnerability
Updated exiv2 packages fix security vulnerability: A heap-based buffer overflow vulnerability in jp2image.cpp of Exiv2 0.27.3 allows attackers to cause a denial of service DOS via crafted metadata CVE-2021-31291...
Updated aspell packages fix security vulnerability
objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::duptop called from acommon::StringMap::add and acommon::Config::lookuplist CVE-2019-25051...
Updated varnish packages fix a security vulnerability
Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8...
Updated perl-Net-Netmask package fixes a security vulnerability
The Net::Netmask module before 2.0000 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which in some situations allows attackers to bypass access control that is based on IP addresses CVE-2021-29424...
Updated transfig package fixes a security vulnerability
An Out of Bounds flaw was found fig2dev version 3.2.8a. A flawed bounds check in readobjects could allow an attacker to provide a crafted malicious input causing the application to either crash or in some cases cause memory corruption. The highest threat from this vulnerability is to integrity as...
Updated curl packages fix security vulnerabilities
Wrong content via metalink not discarded CVE-2021-22922. Metalink download sends credentials CVE-2021-22923. Bad connection reuse due to flawed path name checks CVE-2021-22924. TELNET stack contents disclosure again CVE-2021-22925...
Updated perl-Net-CIDR-Lite package fixes a security vulnerability
It was discovered that the perl Net-CIDR-Lite module did not correctly handle IP addresses with IP octets containing leading zeros. Leading zeros were ignored, while the underlying system can treat such octets as octal numbers and interpret them differently. For example, IP address of 010.0.0.1 w...
Updated python-urllib3 package fixes security vulnerabilities
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy if an SSLContext isn't given via proxyconfig doesn't verify the hostname of the certificate. This means certificates for...
Updated virtualbox packages fix security vulnerability
This update provides the upstream 6.1.24 maintenance release that fixes at least the following security vulnerabilities: An easily exploitable vulnerability in the Oracle VM VirtualBox component: Core prior to 6.1.24 allows high privileged attacker with logon to the infrastructure where Oracle VM...
Updated jdom/jdom2 packages fix a security vulnerability
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request CVE-2021-33813...
Updated netty packages fix security vulnerabilities
In Netty io.netty:netty-codec-http2 before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the...
Updated pdfbox packages fix security vulnerabilities
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions CVE-2021-31811. In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file...
Updated filezilla packages fix security vulnerability
filezilla embeds a PuTTY client that was vulnerable: PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts where no host key for the server has been cached by...
Updated perl-Mojolicious package fixes security vulnerability
This update backports some significant security fixes relating to session security from the upstream 9.19 release. See upstream references for more informations...
Updated quassel packages fix a security vulnerability
Quassel through 0.13.1, when --require-ssl is enabled, launches without SSL or TLS support if a usable X.509 certificate is not found on the local system CVE-2021-34825. Also, the default IRC server has been changed from Freenode to Libera Chat, as upstream has moved their quassel channel there...
Updated python3 packages fix security vulnerabilities
Update python3 to 3.8.11 to fix several security issues. Fixes in 3.8.10 are also included. Bundled pip and setuptools were updated in 3.8.11 so python-pip needs to be updated to 21.1.3 and python-setuptools to 56.2.0 at the same time. Also, we fix the following issue: In Python before 3.9.5, the...
Updated python-pip packages fix security vulnerabilities
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository CVE-2021-3572. The bundled python-urllib3 was also vulnerable to: The urllib3 library 1.26.x before 1.26.4 for...
Updated xstream packages fix security vulnerabilities
In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream CVE-2021-21341...
Updated redis package fixes security vulnerabilities
An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution CVE-2021-29477. An integer overflow bug in Redis 6.2 before 6.2.3 could be exploited to corrupt the heap and potentially...
Updated nodejs packages fix security vulnerabilities
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require'y18n'; y18n.setLocale'proto'; y18n.updateLocalepolluted: true; console.logpolluted; // true CVE-2020-7774. The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Servic...
Updated lib3mf packages fix security vulnerability
A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP functionality of 3MF Consortium lib3mf 2.0.0. A specially crafted 3MF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability CVE-2021-21772. A new package 'act' is...
Updated golang packages fix security vulnerabilities
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader for xml.NewTokenDecoder returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method CVE-2021-27918. net/http in Go before 1.15.12 and 1.16.x before 1.16....
Updated kernel-linus packages fix security vulnerabilities
This kernel-linus update is based on upstream 5.10.52 and fixes at least the following security issues: There is a race condition in net/can/bcm.c that can lead to local privilege escalation to root CVE-2021-3609. A vulnerability was found in the Linux kernel. Missing size validations on inbound...
Updated systemd packages fix security vulnerabilities
This systemd update provides the v246.15 maintenance release and fixes at least the following security issues: An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK...
Updated kernel packages fix security vulnerabilities
This kernel update is based on upstream 5.10.52 and fixes at least the following security issues: There is a race condition in net/can/bcm.c that can lead to local privilege escalation to root CVE-2021-3609. A vulnerability was found in the Linux kernel. Missing size validations on inbound SCTP...
Updated wireshark packages fix a security vulnerability
Crash in DNP dissector in Wireshark 3.4.0 to 3.4.6 and 3.2.0 to 3.2.14 allows denial of service via packet injection or crafted capture file CVE-2021-22235...
Updated perl-Convert-ASN1 package fixes security vulnerability
perl-Convert-ASN1 aka the Convert::ASN1 module for Perl through 0.27 allows remote attackers to cause an infinite loop via unexpected input CVE-2013-7488...
Updated rvxt-unicode, mxrvt, eterm packages fix security vulnerability
rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow potentially remote code execution because of improper handling of certain escape sequences ESC G Q. A response is terminated by a newline CVE-2021-33477...
Updated tomcat packages fix security vulnerabilities
When responding to new h2c connection requests, Apache Tomcat versions 9.0.0.M1 to 9.0.41 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request CVE-2021-25122. The fix for...
Updated glibc packages fix security vulnerability
An integer overflow flaw was found in glibc that may result in reading of arbitrary memory when wordexp is used with a specially crafted untrusted regular expression input CVE-2021-35942...
Updated libuv packages fix security vulnerability
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uvidnatoascii is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to...
Updated zziplib packages fix security vulnerability
Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value "zzipfileread" in the function "unzzipcatfile" CVE-2020-18442...