
5998 matches found

Mageia • added 2021/04/18 6:34 p.m. • 33 views

Updated clamav packages fix security vulnerability

The updated packages fix a security vulnerability: A vulnerability in the email parsing module in Clam AntiVirus ClamAV Software version 0.103.1 and all prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability i...

CVSS 7.5 • AI score 5.1 • EPSS 0.03155
Exploits: 0 • References: 2

Mageia • added 2021/04/18 6:34 p.m. • 41 views

Updated python3 packages fix security vulnerability

There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to...

CVSS 5.7 • AI score 2 • EPSS 0.01863
Exploits: 0 • References: 3

Mageia • added 2021/04/18 2:50 p.m. • 55 views

Updated kernel packages fix security vulnerabilities

This kernel update is based on upstream 5.10.30 and fixes at least the following security issues: nfc: fix refcount leak in llcp_sock_bind() (CVE-2020-25670); nfc: fix refcount leak in llcp_sock_connect() (CVE-2020-25671); nfc: fix memory leak in llcp_sock_connect() (CVE-2020-25672); firewire: nosy: Fix a...

CVSS 7.8 • AI score 1.8 • EPSS 0.03233
Exploits: 3 • References: 4

Mageia • added 2021/04/18 2:50 p.m. • 55 views

Updated kernel-linus packages fix security vulnerabilities

This kernel-linus update is based on upstream 5.10.30 and fixes at least the following security issues: nfc: fix refcount leak in llcp_sock_bind() (CVE-2020-25670); nfc: fix refcount leak in llcp_sock_connect() (CVE-2020-25671); nfc: fix memory leak in llcp_sock_connect() (CVE-2020-25672); firewire: nosy: Fix a...

CVSS 7.8 • AI score 2.5 • EPSS 0.03233
Exploits: 3 • References: 4

Mageia • added 2021/04/15 7:3 p.m. • 29 views

Updated x11-server packages fix security vulnerability

Insufficient checks on the lengths of the XInput extension ChangeFeedbackControl request can lead to out of bounds memory accesses in the X server. These issues can lead to privilege escalation for authorized clients on systems where the X server is running privileged CVE-2021-3472...

CVSS 7.8 • AI score 2.9 • EPSS 0.0105
Exploits: 0 • References: 3

Mageia • added 2021/04/15 7:3 p.m. • 21 views

Updated gstreamer1.0 packages fix security vulnerabilities

GStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files SA-2021-0002. GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files SA-2021-0003. GStreamer before 1.18.4 might do an...

AI score 1.5
Exploits: 0 • References: 6

Mageia • added 2021/04/15 7:3 p.m. • 10 views

Updated chromium-browser-stable package fixes security vulnerabilities

The updated packages fix security vulnerabilities and a crash when a device does some cast traffic in the local network. See upstream release notes...

AI score 2.3
Exploits: 0 • References: 4

Mageia • added 2021/04/15 7:3 p.m. • 39 views

Updated thunderbird packages fix security vulnerabilities

An attacker may use Thunderbird's OpenPGP key refresh mechanism to poison an existing key CVE-2021-23991. A crafted OpenPGP key with an invalid user ID could be used to confuse the user CVE-2021-23992. Inability to send encrypted OpenPGP email after importing a crafted OpenPGP key CVE-2021-23993...

CVSS 6.8 • AI score 1.6 • EPSS 0.01035
Exploits: 1 • References: 3

Mageia • added 2021/04/12 7:59 p.m. • 48 views

Updated pdfbox packages fix security vulnerabilities

A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions (CVE-2021-27807). A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects...

CVSS 5.5 • AI score 3.8 • EPSS 0.03337
Exploits: 0 • References: 3

Mageia • added 2021/04/12 7:59 p.m. • 42 views

Updated wireshark packages fix a security vulnerability

Wireshark could open unsafe URLs CVE-2021-22191...

CVSS 8.8 • AI score 1.9 • EPSS 0.03639
Exploits: 0 • References: 4

Mageia • added 2021/04/12 7:59 p.m. • 35 views

Updated mongodb packages fix security vulnerability

A denial of service vulnerability was discovered in mongodb whereby a user authorized to perform database queries may issue specially crafted queries, which violate an invariant in the query subsystem's support for geoNear CVE-2020-7923...

CVSS 6.5 • AI score 2.7 • EPSS 0.01275
Exploits: 0 • References: 2

Mageia • added 2021/04/12 7:59 p.m. • 15 views

Updated rygel packages fix a security vulnerability

The rygel packages have been updated to version 0.40.1, fixing a security issue and other bugs...

AI score 3.6
Exploits: 0 • References: 3

Mageia • added 2021/04/12 7:59 p.m. • 37 views

Updated tor packages fix security vulnerabilities

The dump_desc() function that we used to dump unparseable information to disk was called incorrectly in several places, in a way that could lead to excessive CPU usage (CVE-2021-28089). A bug in appending detached signatures to a pending consensus document could be used to crash a directory authority...

CVSS 7.5 • AI score 2 • EPSS 0.02096
Exploits: 0 • References: 2

Mageia • added 2021/04/12 7:59 p.m. • 357 views

Updated velocity packages fix security vulnerability

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache...

CVSS 9 • AI score 6.8 • EPSS 0.22709
Exploits: 0 • References: 2

Mageia • added 2021/04/12 7:59 p.m. • 38 views

Updated spamassassin packages fix security vulnerability

In Apache SpamAssassin before 3.4.5, malicious rule configuration .cf files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3...

CVSS 10 • AI score 2 • EPSS 0.06132
Exploits: 0 • References: 4

Mageia • added 2021/04/12 7:59 p.m. • 59 views

Updated curl packages fix security vulnerabilities

libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request (CVE-2021-22876). TLS 1.3 session ticket...

CVSS 5.3 • AI score 0.6 • EPSS 0.05301
Exploits: 2 • References: 4

Mageia • added 2021/04/12 7:59 p.m. • 56 views

Updated webkit2 packages fix security vulnerabilities

The webkit2 package has been updated to version 2.32.0, fixing several security issues and other bugs...

CVSS 9.8 • AI score 3.4 • EPSS 0.14542
Exploits: 0 • References: 5

Mageia • added 2021/04/12 7:59 p.m. • 43 views

Updated python-jinja2 packages fix a security vulnerability

ReDOS vulnerability where urlize could have been called with untrusted user data CVE-2020-28493...

CVSS 5.3 • AI score 2 • EPSS 0.03546
Exploits: 1 • References: 2

Mageia • added 2021/04/05 3:54 p.m. • 75 views

Updated openssl packages fix security vulnerability

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension where it was present in the initial ClientHello, but includes a signature_algorithms_cert extension then a NU...

CVSS 7.4 • AI score 1.7 • EPSS 0.63542
Exploits: 3 • References: 2

Mageia • added 2021/04/03 1:16 p.m. • 62 views

Updated kernel packages fix security vulnerabilities

This kernel update is based on upstream 5.10.27 and fixes at least the following security issues: The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions...

CVSS 7.8 • AI score 1.9 • EPSS 0.00858
Exploits: 0 • References: 5

Mageia • added 2021/04/03 1:16 p.m. • 64 views

Updated kernel-linus packages fix security vulnerabilities

This kernel-linus update is based on upstream 5.10.27 and fixes at least the following security issues: The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain...

CVSS 7.8 • AI score 1.9 • EPSS 0.00858
Exploits: 0 • References: 5

Mageia • added 2021/04/03 1:16 p.m. • 57 views

Updated ant packages fix security vulnerability

Updated ant packages fix security vulnerability: As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one withou...

CVSS 7.5 • AI score 6.9 • EPSS 0.08137
Exploits: 0 • References: 3

Mageia • added 2021/04/02 8:25 p.m. • 40 views

Updated nodejs-chownr packages fix security vulnerability

Updated nodejs-chownr package fixes security vulnerability: A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks CVE-2017-18869...

CVSS 2.5 • AI score 3.5 • EPSS 0.00334
Exploits: 1 • References: 1

Mageia • added 2021/04/02 8:25 p.m. • 129 views

Updated nodejs-yargs-parser packages fix security vulnerability

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload (CVE-2020-7608)...

CVSS 5.3 • AI score 2.5 • EPSS 0.00514
Exploits: 1 • References: 1

Mageia • added 2021/04/02 8:25 p.m. • 60 views

Updated batik packages fix security vulnerabilities

A flaw was found in the Apache Batik library, where it is vulnerable to a Server-Side Request Forgery (SSRF) attack via "xlink:href" attributes. This flaw allows an attacker to cause the underlying server to make arbitrary GET requests. The highest threat from this vulnerability is to system...

CVSS 8.2 • AI score 3.3 • EPSS 0.13635
Exploits: 0 • References: 4

Mageia • added 2021/04/02 8:25 p.m. • 24 views

Updated python-bottle packages fix security vulnerability

Updated python-bottle packages fix security vulnerability: python-bottle before 0.12.19 is vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the...

CVSS 6.8 • AI score 2.1 • EPSS 0.01837
Exploits: 1 • References: 2

Mageia • added 2021/04/02 8:25 p.m. • 23 views

Updated ruby-em-http-request packages fix security vulnerability

Updated ruby-em-http-request packages fix security vulnerability: A flaw was found in rubygem-em-http-request. The eventmachine library does not verify the hostname in a TLS server certificate which can allow an attacker to perform a man-in-the-middle attack. The highest threat from this...

CVSS 7.4 • AI score 3.3 • EPSS 0.00905
Exploits: 1 • References: 2

Mageia • added 2021/04/02 10:16 a.m. • 148 views

Updated rpm packages fix security vulnerabilities

This update from 4.16.1.2 to 4.16.1.3 fixes several bugs in the RPM package manager, including several security issues: Fix arbitrary data copied from signature header past signature checking (CVE-2021-3421); Fix signature check bypass with corrupted package (CVE-2021-20271); Fix missing bounds check...

CVSS 7 • AI score 7 • EPSS 0.01754
Exploits: 0 • References: 2

Mageia • added 2021/04/02 10:16 a.m. • 44 views

Updated python and python3 packages fix security vulnerability

Updated python and python3 security vulnerability: The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a...

CVSS 5.9 • AI score 2 • EPSS 0.37325
Exploits: 1 • References: 3

Mageia • added 2021/04/02 10:16 a.m. • 14 views

Updated privoxy packages fix security vulnerabilities

Updated privoxy package fixes security vulnerabilities: The privoxy package has been updated to version 3.0.32, fixing five security issues and several other bugs...

AI score 4
Exploits: 0 • References: 2

Mageia • added 2021/03/30 8:8 p.m. • 67 views

Updated fwupd packages fix a security vulnerability

A PGP signature bypass was found in fwupd, which could lead to possible installation of unsigned firmware CVE-2020-10759...

CVSS 6 • AI score 1.9 • EPSS 0.0049
Exploits: 1 • References: 3

Mageia • added 2021/03/30 8:8 p.m. • 37 views

Updated glib2.0 packages fix security vulnerability

An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is...

CVSS 5.3 • AI score 1.3 • EPSS 0.02622
Exploits: 1 • References: 2

Mageia • added 2021/03/30 8:8 p.m. • 41 views

Updated python-aiohttp package fixes security vulnerability

Beast Glatisant and Jelmer Vernooij reported that python-aiohttp is prone to an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website CVE-2021-21330...

CVSS 6.1 • AI score 2 • EPSS 0.01905
Exploits: 0 • References: 3

Mageia • added 2021/03/30 8:8 p.m. • 35 views

Updated radare2 packages fix security vulnerabilities

radare2 4.5.0 misparses DWARF information in executable files, causing a segmentation fault in parse_typedef in type_dwarf.c via a malformed DW_AT_name in the .debug_info section (CVE-2020-16269). radare2 4.5.0 misparses signature information in PE files, causing a segmentation fault in...

CVSS 7.5 • AI score 3.8 • EPSS 0.01819
Exploits: 2 • References: 5

Mageia • added 2021/03/30 8:8 p.m. • 35 views

Updated thunderbird packages fix security vulnerabilities

Texture upload into an unbound backing buffer resulted in an out-of-bound read (CVE-2021-23981). Angle graphics library out of date (CVE-2021-4127). Internal network hosts could have been probed by a malicious webpage (CVE-2021-23982). Malicious extensions could have spoofed popup information...

CVSS 9.8 • AI score 1 • EPSS 0.01409
Exploits: 1 • References: 3

Mageia • added 2021/03/30 8:8 p.m. • 19 views

Updated zeromq packages fix security vulnerabilities

Memory leak in client induced by malicious server without CURVE/ZAP rhbz1921972. Stack overflow on server running PUB/XPUB socket rhbz1921976. Heap overflow when receiving malformed ZMTP v1 packets rhbz1921983. Memory leaks via metadata messages processed by PUB sockets rhbz1921989. Also, the...

AI score 1.6
Exploits: 0 • References: 3

Mageia • added 2021/03/30 8:8 p.m. • 33 views

Updated firefox packages fix security vulnerabilities

Texture upload into an unbound backing buffer resulted in an out-of-bound read (CVE-2021-23981). Angle graphics library out of date (CVE-2021-4127). Internal network hosts could have been probed by a malicious webpage (CVE-2021-23982). Malicious extensions could have spoofed popup information...

CVSS 9.8 • AI score 0.5 • EPSS 0.01409
Exploits: 1 • References: 5

Mageia • added 2021/03/27 2:27 p.m. • 34 views

Updated redis packages fix security vulnerability

It was discovered that there were a number of integer overflow issues in Redis. It is currently believed that the issues only affect 32-bit based systems CVE-2021-21309...

CVSS 8.8 • AI score 3.1 • EPSS 0.04928
Exploits: 0 • References: 2

Mageia • added 2021/03/27 2:27 p.m. • 24 views

Updated openscad package fixes a security vulnerability

A stack-based buffer overflow vulnerability exists in the import_stl.cc:import_stl() functionality of Openscad openscad-2020.12-RC2. A specially crafted STL file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability (CVE-2020-28599)...

CVSS 8.8 • AI score 4.2 • EPSS 0.01956
Exploits: 1 • References: 2

Mageia • added 2021/03/27 2:27 p.m. • 47 views

Updated imagemagick packages fix security vulnerabilities

A flaw was found in ImageMagick in coders/jp2.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability CVE-2021-20241. A flaw was found in...

CVSS 7.1 • AI score 0.9 • EPSS 0.01228
Exploits: 0 • References: 3

Mageia • added 2021/03/27 2:27 p.m. • 202 views

Updated jackson-databind packages fix security vulnerabilities

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled either globally or for a specific property for an externally exposed JSON endpoint, the service has the mysql-connector-java jar 8.0.14 or earlier in the classpath, and an...

CVSS 9.8 • AI score 1.3 • EPSS 0.45205
Exploits: 10 • References: 15

Mageia • added 2021/03/27 2:27 p.m. • 58 views

Updated unbound packages fix a security vulnerability

Unbound contains a local vulnerability that would allow for a local symlink attack. When writing the PID file Unbound creates the file if it is not there, or opens an existing file for writing. In case the file was already present, it would follow symlinks if the file happened to be a symlink...

CVSS 5.5 • AI score 1.2 • EPSS 0.00484
Exploits: 0 • References: 2

Mageia • added 2021/03/22 5:17 p.m. • 71 views

Updated kernel-linus packages fix security issues

This kernel-linus update is based on upstream 5.10.25 and fixes at least the following security issues: A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This...

CVSS 7.8 • AI score 1.3 • EPSS 0.02079
Exploits: 4 • References: 8

Mageia • added 2021/03/22 5:17 p.m. • 78 views

Updated kernel packages fix security issues

This kernel update is based on upstream 5.10.25 and fixes at least the following security issues: Unprivileged BPF programs running on affected systems can bypass the protection and execute speculatively out-of-bounds loads from any location within the kernel memory. This can be abused to extract...

CVSS 7.8 • AI score 2.1 • EPSS 0.02079
Exploits: 3 • References: 7

Mageia • added 2021/03/21 10:43 a.m. • 49 views

Updated glibc packages fix security vulnerabilities

Updated glibc packages fix security vulnerabilities: The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead t...

CVSS 7.5 • AI score 2.4 • EPSS 0.03093
Exploits: 1 • References: 1

Mageia • added 2021/03/21 10:43 a.m. • 27 views

Updated htmlunit packages fix security vulnerability

It was discovered that HtmlUnit incorrectly initialized the Rhino engine. An attacker could possibly use this issue to execute arbitrary Java code (CVE-2020-5529)...

CVSS 8.1 • AI score 2.9 • EPSS 0.04604
Exploits: 0 • References: 2

Mageia • added 2021/03/21 10:43 a.m. • 20 views

Updated koji packages fix security vulnerability

Koji through 1.17.0 allows remote Directory Traversal, with resulting Privilege Escalation...

CVSS 6.5 • AI score 6.6 • EPSS 0.02793
Exploits: 0 • References: 2

Mageia • added 2021/03/21 10:43 a.m. • 42 views

Updated python-cairosvg packages fix security vulnerability

When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time (CVE-2021-21236)...

CVSS 5.7 • AI score 3.6 • EPSS 0.01466
Exploits: 1 • References: 2

Mageia • added 2021/03/18 10:52 a.m. • 26 views

Updated discover package fixes a security vulnerability

Discover fetches the description and related texts of some applications/plugins from store.kde.org. That text is displayed to the user, after turning into a clickable link any part of the text that looks like a link. This is done for any kind of link, be it smb:// nfs:// etc. when in fact it only...

CVSS 7.5 • AI score 0.9 • EPSS 0.01563
Exploits: 0 • References: 2

Mageia • added 2021/03/18 9:56 a.m. • 21 views

Updated flatpak packages fix a security vulnerability

A potential attack where a flatpak application could use custom formatted .desktop files to gain access to files on the host system CVE-2021-21381...

CVSS 8.2 • AI score 1.7 • EPSS 0.01546
Exploits: 0 • References: 4

Total number of security vulnerabilities: 5998