
5998 matches found

Mageia, added 2018/12/31 10:42 p.m., 56 views

Updated graphicsmagick packages fix security vulnerabilities & bugs

Graphicsmagick has been updated to fix several bugs and security issues...

CVSS: 7.1, AI score: 1.8, EPSS: 0.49324
Exploits: 8, References: 2

Mageia, added 2018/12/31 10:42 p.m., 58 views

Updated python packages fix security vulnerabilities

Possible denial of service vulnerability due to a missing check in Lib/wave.py to verify that at least one channel is provided CVE-2017-18207. Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service...

CVSS: 9.8, AI score: 1.5, EPSS: 0.20807
Exploits: 1, References: 4

Mageia, added 2018/12/31 10:42 p.m., 36 views

Updated poppler packages fix security vulnerability

Poppler before 0.70.0 has a NULL pointer dereference in popplerattachmentnew when called from popplerannotfileattachmentgetattachment. CVE-2018-19149...

CVSS: 6.5, AI score: 2.4, EPSS: 0.0274
Exploits: 1, References: 2

Mageia, added 2018/12/29 11:24 p.m., 40 views

Updated libtiff packages fix security vulnerabilities

Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service crash or possibly have unspecified other impact via a crafted TIFF file. CVE-2018-12900 LibTIFF 4.0.9 with JBIG enabled decodes arbitrarily-sized...

CVSS: 8.8, AI score: 4.1, EPSS: 0.25183
Exploits: 5, References: 4

Mageia, added 2018/12/29 11:24 p.m., 50 views

Updated keepalived package fixes security vulnerabilities

keepalived before version 2.0.9 didn't check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protectedsymlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data ...

CVSS: 9.8, AI score: 1.8, EPSS: 0.03675
Exploits: 2, References: 2

Mageia, added 2018/12/28 10:16 a.m., 30 views

Updated ruby-i18n packages fix security vulnerability

A flaw was found in the i18n gem before 0.8.0 for Ruby. The Hashslice in lib/i18n/coreext/hash.rb allows remote attackers to cause a denial of service application crash via a call in a situation where :somekey is present in keepkeys but not present in the hash CVE-2014-10077...

CVSS: 7.5, AI score: 7.1, EPSS: 0.0339
Exploits: 0, References: 2

Mageia, added 2018/12/28 10:16 a.m., 26 views

Updated tcpdump package fixes security vulnerability

Fixed a stack-based buffer over-read in the printprefix function CVE-2018-19519...

CVSS: 5.5, AI score: 2.1, EPSS: 0.02364
Exploits: 1, References: 2

Mageia, added 2018/12/26 11:8 p.m., 17 views

Updated monit packages fix security vulnerability

There is a use-after-free in monit that shows up if you run it for a while on an active system with address sanitizer enabled...

AI score: 3.3
Exploits: 0, References: 2

Mageia, added 2018/12/26 11:8 p.m., 46 views

Updated sqlite3 packages fix security vulnerability

A security issue fixed upstream in sqlite3 has been announced: https://www.openwall.com/lists/oss-security/2018/12/21/1 The issue is fixed in 3.25.3...

CVSS: 8.1, AI score: 0.5, EPSS: 0.09683
Exploits: 1, References: 3

Mageia, added 2018/12/26 11:8 p.m., 17 views

Updated thunderbird packages fix security vulnerabilities & bugs

The updated packages fix several bugs and some security issues...

AI score: 2
Exploits: 0, References: 4

Mageia, added 2018/12/21 9:28 p.m., 74 views

Updated kernel packages fix security vulnerabilities

This kernel update is based on the upstream 4.14.89 and fixes at least the following security issues: Cross-hyperthread Spectre v2 mitigation is now provided by the Single Thread Indirect Branch Predictors STIBP support. Note that STIBP also requires the functionality be supported by the Intel...

CVSS: 7.8, AI score: 0.4, EPSS: 0.01902
Exploits: 5, References: 12

Mageia, added 2018/12/20 8:17 p.m., 52 views

Updated netty & jctools packages fix security vulnerability

handler/ssl/OpenSslEngine.java in Netty before 4.0.37.Final allows remote attackers to cause a denial of service infinite loop CVE-2016-4970...

CVSS: 7.8, AI score: 5.3, EPSS: 0.11259
Exploits: 0, References: 2

Mageia, added 2018/12/20 8:17 p.m., 44 views

Updated phpmyadmin packages fix security vulnerabilities

- XSS vulnerability in navigation tree was discovered - Local file inclusion through transformation feature...

CVSS: 6.5, AI score: 1.5, EPSS: 0.03254
Exploits: 0, References: 3

Mageia, added 2018/12/20 8:17 p.m., 56 views

Updated php packages fix security vulnerability

Bypassing disabled exec functions in PHP via imapopen CVE-2018-19518...

CVSS: 8.5, AI score: 3.4, EPSS: 0.9523
Exploits: 6, References: 1

Mageia, added 2018/12/15 9:29 p.m., 44 views

Updated firefox packages fix security vulnerabilities

A buffer overflow and out-of-bounds read can occur in TextureStorage11 within the ANGLE graphics library, used for WebGL content. This results in a potentially exploitable crash CVE-2018-17466. A use-after-free vulnerability can occur after deleting a selection element due to a weak reference to...

CVSS: 9.8, AI score: 0.9, EPSS: 0.09646
Exploits: 0, References: 3

Mageia, added 2018/12/15 9:29 p.m., 60 views

Updated thunderbird packages fix security issues & bugs

- Buffer overflow using computed size of canvas element. CVE-2018-12359 - Use-after-free when using focus. CVE-2018-12360 - Integer overflow in SwizzleData. CVE-2018-12361 - Integer overflow in SSSE3 scaler. CVE-2018-12362 - Media recorder segmentation fault when track type is changed during...

CVSS: 9.8, AI score: 0.1, EPSS: 0.04831
Exploits: 7, References: 13

Mageia, added 2018/12/15 9:29 p.m., 28 views

Updated libwpd packages fix security vulnerability

It was discovered there is a NULL pointer dereference in the function WP6ContentListener::defineTable in WP6ContentListener.cpp that will lead to a denial of service attack CVE-2018-19208...

CVSS: 6.5, AI score: 3.1, EPSS: 0.01488
Exploits: 1, References: 3

Mageia, added 2018/12/15 9:29 p.m., 43 views

Updated nss packages fix security vulnerability

Cache side-channel variant of the Bleichenbacher attack. CVE-2018-12404...

CVSS: 5.9, AI score: 2.7, EPSS: 0.44398
Exploits: 0, References: 2

Mageia, added 2018/12/09 9:20 p.m., 58 views

Updated tomcat packages fix security vulnerabilities

An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service CVE-2018-1336. The default settings for the CORS filter are insecure and enable supportsCredentials for all origins. It is expected that user...

CVSS: 9.8, AI score: 7.1, EPSS: 0.94494
Exploits: 3, References: 4

Mageia, added 2018/12/07 12:53 p.m., 53 views

Updated flash-player-plugin packages fix security vulnerability

Use after free flaw enabling arbitrary code execution. CVE-2018-15982 Insecure Library Loading DLL hijacking flaw enabling privilege escalation. CVE-2018-15983...

CVSS: 10, AI score: 2.9, EPSS: 0.81844
Exploits: 13, References: 2

Mageia, added 2018/12/06 12:10 p.m., 30 views

Updated kio-extras packages fix security vulnerability

The HTML thumbnailer was incorrectly accessing some content of remote URLs listed in HTML files. This meant that the owners of the servers referred in HTML files in your system could have seen in their access logs your IP address every time the thumbnailer tried to create the thumbnail...

CVSS: 7.5, AI score: 2, EPSS: 0.01455
Exploits: 0, References: 3

Mageia, added 2018/12/03 10:13 p.m., 27 views

Updated messagelib packages fix security vulnerability

Some HTML emails can trick messagelib into opening a new browser window when displaying said email as HTML. This happens even if the option to allow the HTML emails to access remote servers is disabled in KMail settings. This means that the owners of the servers referred in the email can see in...

CVSS: 5.3, AI score: 2.1, EPSS: 0.01104
Exploits: 0, References: 2

Mageia, added 2018/12/02 10:15 p.m., 31 views

Updated apache-mod_perl packages fix security vulnerability

A flaw was found in modperl 2.0 through 2.0.10 which allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because contrary to the documentation there is no configuration option that permits Perl code for the administrator's control of HTTP request processi...

CVSS: 10, AI score: 3, EPSS: 0.08946
Exploits: 0, References: 2

Mageia, added 2018/12/02 10:15 p.m., 48 views

Updated python-requests packages fix security vulnerability

It was discovered that Requests incorrectly handled certain HTTP headers. An attacker could possibly use this issue to access sensitive information CVE-2018-18074...

CVSS: 7.5, AI score: 1.6, EPSS: 0.07443
Exploits: 2, References: 3

Mageia, added 2018/12/01 9:39 p.m., 16 views

Updated kdeconnect-kde packages fix security vulnerability

The kdeconnect-kde package has been updated to version 1.3.3, which fixes an issue with modern encryption algorithms being disabled with SSH, and also fixes several bugs and updates compatibility with the Android app...

AI score: 3.9
Exploits: 0, References: 3

Mageia, added 2018/11/28 8:50 p.m., 24 views

Updated yaml-cpp packages fix security vulnerability

The SingleDocParser::HandleNode function in yaml-cpp aka LibYaml-C++ 0.5.1 allows remote attackers to cause a denial of service stack consumption and application crash via a crafted YAML file. CVE-2017-5950...

CVSS: 5.5, AI score: 5.3, EPSS: 0.02034
Exploits: 1, References: 3

Mageia, added 2018/11/28 8:50 p.m., 28 views

Updated icecast packages fix security vulnerability

Buffer overflows in URL auth code if there is a "mount" definition that enables URL authentication. A malicious client could send long HTTP headers, leading to a buffer overflow and potential remote code execution CVE-2018-18820...

CVSS: 8.1, AI score: 4.8, EPSS: 0.48944
Exploits: 0, References: 2

Mageia, added 2018/11/27 3:26 p.m., 57 views

Updated openssl packages fix security vulnerabilities

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a Affected 1.1.1. Fixed in OpenSSL 1.1.0j Affected 1.1.0-1.1.0i. Fixed in OpenSSL 1.0.2q...

CVSS: 5.9, AI score: 6, EPSS: 0.12154
Exploits: 4, References: 3

Mageia, added 2018/11/27 3:26 p.m., 43 views

Updated libpng(12) packages fix security vulnerability

In libpng until version 1.6.35, a wrong calculation of rowfactor in the pngcheckchunklength function pngrutil.c may trigger an integer overflow and resultant divide-by-zero while processing a crafted PNG file, leading to a denial of service. CVE-2018-13785 This update fixes it, also providing the...

CVSS: 6.5, AI score: 5.6, EPSS: 0.0447
Exploits: 0, References: 2

Mageia, added 2018/11/27 3:26 p.m., 62 views

Updated mariadb packages fix security vulnerabilities

Some easily exploitable vulnerabilities allowing high privileged attacker with network access via multiple protocols to compromise MySQL Server have been fixed...

CVSS: 9.8, AI score: 4.6, EPSS: 0.05999
Exploits: 0, References: 1

Mageia, added 2018/11/22 10:26 p.m., 13 views

Updated Ghostscript packages fixes security issues

The ghostscript 9.26 update is focusing on security issues, including solving several well publicised real and potential exploits. For other fixes in this release, see the referenced News...

AI score: 1.5
Exploits: 0, References: 2

Mageia, added 2018/11/22 10:26 p.m., 44 views

Updated flash-player-plugin packages fix security vulnerability

A critical vulnerability in Adobe Flash Player 31.0.0.148 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user. CVE-2018-15981...

CVSS: 10, AI score: 5.2, EPSS: 0.11702
Exploits: 0, References: 2

Mageia, added 2018/11/22 10:26 p.m., 38 views

Updated poppler packages fix security vulnerabilities

In Poppler 0.68.0, the Parser::getObj function in Parser.cc may cause infinite recursion via a crafted file. A remote attacker can leverage this for a DoS attack. CVE-2018-16646 An issue was discovered in Poppler 0.71.0. There is a reachable abort in Object.h, will lead to denial of service becau...

CVSS: 6.5, AI score: 3.4, EPSS: 0.02882
Exploits: 4, References: 1

Mageia, added 2018/11/21 5:51 p.m., 14 views

Updated roundcubemail packages fix security vulnerability & bugs

This is a service release to update the stable version 1.3 of Roundcube Webmail. It contains fixes to several bugs backported from the master branch including a security fix for a reported XSS vulnerability in handling invalid style tag content plus updates to ensure compatibility with PHP 7.3 an...

AI score: 2.5
Exploits: 0, References: 2

Mageia, added 2018/11/21 5:51 p.m., 36 views

Updated gettext packages fix security vulnerability

An issue was discovered in GNU gettext 0.19.8. There is a double free in defaultaddmessage in read-catalog.c, related to an invalid free in pogramparse in po-gram-gen.y, as demonstrated by lt-msgfmt. CVE-2018-18751...

CVSS: 9.8, AI score: 1.7, EPSS: 0.04293
Exploits: 1, References: 2

Mageia, added 2018/11/20 11:11 a.m., 64 views

Updated apache packages fix security vulnerabilities

modauthnzldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two...

CVSS: 9.8, AI score: 1.1, EPSS: 0.86006
Exploits: 0, References: 6

Mageia, added 2018/11/20 11:11 a.m., 24 views

Updated soundtouch packages fix security vulnerabilities

Assertion failure in BPMDetect class in BPMDetect.cpp CVE-2018-17096. Out-of-bounds heap write in WavOutFile::write CVE-2018-17097. Heap corruption in WavFileBase class in WavFile.cpp CVE-2018-17098...

CVSS: 8.8, AI score: 1.2, EPSS: 0.02838
Exploits: 3, References: 4

Mageia, added 2018/11/20 11:11 a.m., 38 views

Updated 389-ds-base packages fix security vulnerability

It was discovered that mishandled search requests in servers/slapd/search.c:dosearch in 389-ds-base allows for denial of service CVE-2018-14648...

CVSS: 7.8, AI score: 2.8, EPSS: 0.06238
Exploits: 0, References: 3

Mageia, added 2018/11/17 10:23 p.m., 33 views

Updated hylafax+ packages fix security vulnerability

Luis Merino, Markus Vervier and Eric Sesterhenn discovered that missing input sanitising in the Hylafax fax software could potentially result in the execution of arbitrary code via a malformed fax message CVE-2018-17141...

CVSS: 9.8, AI score: 2.9, EPSS: 0.05588
Exploits: 2, References: 2

Mageia, added 2018/11/17 10:23 p.m., 48 views

Updated squid packages fix security vulnerabilities

Due to incorrect input handling, Squid is vulnerable to a Cross-Site Scripting vulnerability when generating HTTPS response messages about TLS errors CVE-2018-19131. Due to a memory leak in SNMP query rejection code, Squid is vulnerable to a denial of service attack CVE-2018-19132...

CVSS: 6.1, AI score: 1.7, EPSS: 0.06114
Exploits: 1, References: 4

Mageia, added 2018/11/17 10:23 p.m., 51 views

Updated nginx package fixes security vulnerabilities

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption CVE-2018-16843. nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage...

CVSS: 8.2, AI score: 4.2, EPSS: 0.47057
Exploits: 1, References: 1

Mageia, added 2018/11/17 10:23 p.m., 44 views

Updated libmspack/cabextract packages fix security vulnerabilities

Hanno Böck discovered that libmspack incorrectly handled certain CHM files. An attacker could possibly use this issue to cause a denial of service CVE-2018-14679, CVE-2018-14680. Jakub Wilk discovered that libmspack incorrectly handled certain KWAJ files. An attacker could possibly use this issue...

CVSS: 8.8, AI score: 1.9, EPSS: 0.03806
Exploits: 2, References: 4

Mageia, added 2018/11/17 10:23 p.m., 34 views

Updated jhead package fixes security vulnerabilities

The ProcessGpsInfo function may have allowed a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because of inconsistency between float and double in a sprintf format string during TAGGPSALT handling CVE-2018-16554. The ProcessGpsInfo...

CVSS: 7.8, AI score: 4.2, EPSS: 0.01766
Exploits: 2, References: 3

Mageia, added 2018/11/17 10:23 p.m., 37 views

Updated sdl2/mingw-SDL2 packages fix security vulnerabilities

This update fixes various security vulnerabilities affecting the SDL2image library, listed below. The fixes are provided in SDL2image 2.0.4, which depends on SDL2 2.0.8 or later. As such, the SDL2 and SDL2mixer libraries are also updated to their current stable releases, providing various bug fix...

CVSS: 8.8, AI score: 2.7, EPSS: 0.03479
Exploits: 4, References: 15

Mageia, added 2018/11/15 10:4 p.m., 35 views

Updated ruby-rack packages fix security vulnerability

There is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data returned by the scheme method on Rack::Request. Applications that expect the scheme to be limited to "http" or "https" and do not escape the return value could be vulnerable to an XSS attack CVE-2018-1647...

CVSS: 6.1, AI score: 0.6, EPSS: 0.01816
Exploits: 0, References: 2

Mageia, added 2018/11/15 10:4 p.m., 37 views

Updated patch packages fix security vulnerabilities

A NULL pointer dereference flaw was found in the way patch processed patch files. An attacker could potentially use this flaw to crash patch by tricking it into processing crafted patches CVE-2018-6951. A double-free flaw was found in the way the patch utility processed patch files. An attacker...

CVSS: 7.5, AI score: 2, EPSS: 0.08896
Exploits: 0, References: 2

Mageia, added 2018/11/15 10:4 p.m., 48 views

Updated mutt packages fix security vulnerability

It was discovered that Mutt incorrectly handled certain requests. An attacker could possibly use this to execute arbitrary code CVE-2018-14350, CVE-2018-14352, CVE-2018-14354, CVE-2018-14359, CVE-2018-14358, CVE-2018-14353, CVE-2018-14357. It was discovered that Mutt incorrectly handled certain...

CVSS: 9.8, AI score: 2.2, EPSS: 0.06112
Exploits: 0, References: 3

Mageia, added 2018/11/15 10:4 p.m., 29 views

Updated teeworlds packages fix security vulnerability

It was discovered that incorrect connection setup in the server for Teeworlds, an online multi-player platform 2D shooter, could result in denial of service via forged connection packets rendering all game server slots occupied CVE-2018-18541. This update fixes it...

CVSS: 7.5, AI score: 2.5, EPSS: 0.03024
Exploits: 0, References: 4

Mageia, added 2018/11/15 10:4 p.m., 13 views

Updated gdal packages fix security vulnerabilities

A flaw was found in gdal up to version 2.3.0. A Heap-buffer-overflow in GTiffOddBitsBand::IReadBlock. A flaw was found in gdal. A Heap-buffer-overflow in NITFRasterBand::Unpack. A flaw was found in gdal up to version 2.3.0. An Index-out-of-bounds in CPLErrorSetState...

AI score: 3.2
Exploits: 0, References: 2

Mageia, added 2018/11/15 10:4 p.m., 14 views

Updated php-pear-CAS packages fix security vulnerabilities

Updated php-pear-CAS packages fix security vulnerabilities: An XSS vulnerability has been fixed for proxy mode...

AI score: 1.7
Exploits: 0, References: 2

Total number of security vulnerabilities: 5998