5998 matches found
Updated bluez packages fix security vulnerability
Updated bluez packages fix security vulnerability: Adapter incorrectly restores Discoverable state after powered down CVE-2021-3658...
Updated rabbitmq-server packages fix security vulnerabilities
Updated rabbitmq-server packages fix security vulnerabilities: RabbitMQ all versions prior to 3.8.16 are prone to a denial of service vulnerability due to improper input validation in AMQP 1.0 client connection endpoint. A malicious user can exploit the vulnerability by sending malicious AMQP...
Updated nodejs packages fix security vulnerability
Updated nodejs packages fix security vulnerability: Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior CVE-2021-22930...
Updated fetchmail packages fix security vulnerability
Updated fetchmail packages fix security vulnerability: reportvbuild in report.c in Fetchmail before 6.4.20 sometimes omits initialization of the vsnprintf valist argument, which might allow mail servers to cause a denial of service or possibly have unspecified other impact via long error messages...
Updated php-pear packages fix security vulnerability
Updated php-pear packages fix security vulnerability: In ArchiveTar before 1.4.14, symlinks can refer to targets outside of the extracted archive CVE-2021-32610...
Updated exiv2 packages fix security vulnerability
Updated exiv2 packages fix security vulnerability: A heap-based buffer overflow vulnerability in jp2image.cpp of Exiv2 0.27.3 allows attackers to cause a denial of service DOS via crafted metadata CVE-2021-31291...
Updated varnish packages fix a security vulnerability
Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affects Varnish Enterprise 6.0.x before 6.0.8r3, and Varnish Cache 5.x and 6.x before 6.5.2, 6.6.x before 6.6.1, and 6.0 LTS before 6.0.8...
Updated aspell packages fix security vulnerability
objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::duptop called from acommon::StringMap::add and acommon::Config::lookuplist CVE-2019-25051...
Updated filezilla packages fix security vulnerability
filezilla embeds a PuTTY client that was vulnerable: PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts where no host key for the server has been cached by...
Updated pdfbox packages fix security vulnerabilities
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions CVE-2021-31811. In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file...
Updated jdom/jdom2 packages fix a security vulnerability
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request CVE-2021-33813...
Updated quassel packages fix a security vulnerability
Quassel through 0.13.1, when --require-ssl is enabled, launches without SSL or TLS support if a usable X.509 certificate is not found on the local system CVE-2021-34825. Also, the default IRC server has been changed from Freenode to Libera Chat, as upstream has moved their quassel channel there...
Updated python3 packages fix security vulnerabilities
Update python3 to 3.8.11 to fix several security issues. Fixes in 3.8.10 are also included. Bundled pip and setuptools were updated in 3.8.11 so python-pip needs to be updated to 21.1.3 and python-setuptools to 56.2.0 at the same time. Also, we fix the following issue: In Python before 3.9.5, the...
Updated curl packages fix security vulnerabilities
Wrong content via metalink not discarded CVE-2021-22922. Metalink download sends credentials CVE-2021-22923. Bad connection reuse due to flawed path name checks CVE-2021-22924. TELNET stack contents disclosure again CVE-2021-22925...
Updated perl-Net-Netmask package fixes a security vulnerability
The Net::Netmask module before 2.0000 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which in some situations allows attackers to bypass access control that is based on IP addresses CVE-2021-29424...
Updated virtualbox packages fix security vulnerability
This update provides the upstream 6.1.24 maintenance release that fixes at least the following security vulnerabilities: An easily exploitable vulnerability in the Oracle VM VirtualBox component: Core prior to 6.1.24 allows high privileged attacker with logon to the infrastructure where Oracle VM...
Updated netty packages fix security vulnerabilities
In Netty io.netty:netty-codec-http2 before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the...
Updated perl-Net-CIDR-Lite package fixes a security vulnerability
It was discovered that the perl Net-CIDR-Lite module did not correctly handle IP addresses with IP octets containing leading zeros. Leading zeros were ignored, while the underlying system can treat such octets as octal numbers and interpret them differently. For example, IP address of 010.0.0.1 w...
Updated python-urllib3 package fixes security vulnerabilities
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy if an SSLContext isn't given via proxyconfig doesn't verify the hostname of the certificate. This means certificates for...
Updated transfig package fixes a security vulnerability
An Out of Bounds flaw was found fig2dev version 3.2.8a. A flawed bounds check in readobjects could allow an attacker to provide a crafted malicious input causing the application to either crash or in some cases cause memory corruption. The highest threat from this vulnerability is to integrity as...
Updated perl-Mojolicious package fixes security vulnerability
This update backports some significant security fixes relating to session security from the upstream 9.19 release. See upstream references for more informations...
Updated xstream packages fix security vulnerabilities
In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream CVE-2021-21341...
Updated nodejs packages fix security vulnerabilities
This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require'y18n'; y18n.setLocale'proto'; y18n.updateLocalepolluted: true; console.logpolluted; // true CVE-2020-7774. The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Servic...
Updated python-pip packages fix security vulnerabilities
A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository CVE-2021-3572. The bundled python-urllib3 was also vulnerable to: The urllib3 library 1.26.x before 1.26.4 for...
Updated redis package fixes security vulnerabilities
An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution CVE-2021-29477. An integer overflow bug in Redis 6.2 before 6.2.3 could be exploited to corrupt the heap and potentially...
Updated lib3mf packages fix security vulnerability
A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP functionality of 3MF Consortium lib3mf 2.0.0. A specially crafted 3MF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability CVE-2021-21772. A new package 'act' is...
Updated golang packages fix security vulnerabilities
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader for xml.NewTokenDecoder returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method CVE-2021-27918. net/http in Go before 1.15.12 and 1.16.x before 1.16....
Updated kernel packages fix security vulnerabilities
This kernel update is based on upstream 5.10.52 and fixes at least the following security issues: There is a race condition in net/can/bcm.c that can lead to local privilege escalation to root CVE-2021-3609. A vulnerability was found in the Linux kernel. Missing size validations on inbound SCTP...
Updated kernel-linus packages fix security vulnerabilities
This kernel-linus update is based on upstream 5.10.52 and fixes at least the following security issues: There is a race condition in net/can/bcm.c that can lead to local privilege escalation to root CVE-2021-3609. A vulnerability was found in the Linux kernel. Missing size validations on inbound...
Updated systemd packages fix security vulnerabilities
This systemd update provides the v246.15 maintenance release and fixes at least the following security issues: An exploitable denial-of-service vulnerability exists in Systemd 245. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK...
Updated perl-Convert-ASN1 package fixes security vulnerability
perl-Convert-ASN1 aka the Convert::ASN1 module for Perl through 0.27 allows remote attackers to cause an infinite loop via unexpected input CVE-2013-7488...
Updated wireshark packages fix a security vulnerability
Crash in DNP dissector in Wireshark 3.4.0 to 3.4.6 and 3.2.0 to 3.2.14 allows denial of service via packet injection or crafted capture file CVE-2021-22235...
Updated tomcat packages fix security vulnerabilities
When responding to new h2c connection requests, Apache Tomcat versions 9.0.0.M1 to 9.0.41 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request CVE-2021-25122. The fix for...
Updated rvxt-unicode, mxrvt, eterm packages fix security vulnerability
rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow potentially remote code execution because of improper handling of certain escape sequences ESC G Q. A response is terminated by a newline CVE-2021-33477...
Updated zziplib packages fix security vulnerability
Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value "zzipfileread" in the function "unzzipcatfile" CVE-2020-18442...
Updated glibc packages fix security vulnerability
An integer overflow flaw was found in glibc that may result in reading of arbitrary memory when wordexp is used with a specially crafted untrusted regular expression input CVE-2021-35942...
Updated libuv packages fix security vulnerability
Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uvidnatoascii is used to convert strings to ASCII. The pointer p is read and increased without checking whether it is beyond pe, with the latter holding a pointer to the end of the buffer. This can lead to...
Updated mbedtls packages fix security vulnerabilities
This update provides Mbed TLS 2.16.11, with a number of bug fixes, including security fixes. The intermediate version 2.16.10 are included security fixes. See the referenced release notes and advisories for details...
Updated python-django package fixes security vulnerabilities
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability CVE-2021-28658. In Django 2.2 before 2.2.21, 3.1 before 3.1.9, an...
Updated thunderbird packages fix security vulnerabilities
IMAP server responses sent by a MITM prior to STARTTLS could be processed CVE-2021-29969. Use-after-free in accessibility features of a document CVE-2021-29970. Out of bounds write in ANGLE CVE-2021-30547. Memory safety bugs fixed in Thunderbird 78.12 CVE-2021-29976...
Updated firefox packages fix security vulnerabilities
A malicious webpage could have triggered a use-after-free in accessibility features of a document, causing memory corruption and a potentially exploitable crash when accessibility was enabled CVE-2021-29970. Mozilla developers Valentin Gosu, Randell Jesup, Emil Ghitta, Tyson Smith, and Olli Petta...
Updated tpm2-tools package fixes security vulnerability
A flaw was found in tpm2-tools. tpm2import used a fixed AES key for the inner wrapper, potentially allowing a MITM attacker to unwrap the inner portion and reveal the key being imported. The highest threat from this vulnerability is to data confidentiality CVE-2021-3565...
Updated aom packages fix security vulnerabilities
aomimage.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap CVE-2021-30473. aomdsp/graintable.c in libaom in AOMedia before 2021-03-30 has a use-after-free CVE-2021-30474. aomdsp/noisemodel.c in libaom in AOMedia before 2021-03-24 has a buffer overflow...
Updated libsolv packages fix a security vulnerability
Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver testcasereadPool pool, FILE fp, const char testcase, Queue job, char resultp, int resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service CVE-2021-3200...
Updated ffmpeg packages fix security vulnerabilities
This update provides ffmpeg version 4.3.2, which fixes several security vulnerabilities and other bugs which were corrected upstream...
Updated mosquitto packages fix security vulnerability
Updated mosquitto packages fix security vulnerability: If an authenticated client connected with MQTT v5 sent a crafted CONNECT message to the broker a memory leak would occur. For other fixes in this update, see the mosquitto.org blog reference...
Updated freeradius packages fix security vulnerabilities
Moved logrotate options into specific parts for each log as "global" options will persist past and clobber global options in the main logrotate config bsc1180525. Fixed plaintext password entries in logfiles bsc1184016. The freeradius package has been updated to version 3.0.22, fixing these issue...
Updated php-phpmailer package fixes security vulnerability
PHPMailer contained a vulnerability that can result in untrusted code being called CVE-2021-3603. See upstream release notes...
Updated kernel-linus packages fix security vulnerabilities
This kernel-linus update is based on upstream 5.10.48 and fixes at least the following security issues: The Linux kernel through 5.8.13 does not properly enforce the Secure Boot Forbidden Signature Database aka dbx protection mechanism. This affects certs/blacklist.c and certs/systemkeyring.c...
Updated mediawiki packages fix a security vulnerability
In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to still "purge" pages through the MediaWiki Action API which a "sitewide block" should have prevented...