It was discovered that eSpeak NG did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. References:
Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the set_encoder_id function in /fftools/ffmpeg_enc.c component. (CVE-2023-50010) Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the
SSL_select_next_proto buffer overread. (CVE-2024-5535) References: - https://bugs.mageia.org/show_bug.cgi?id=33337 - https://openssl.org/news/secadv/20240627.txt
An illegal memory access flaw was found in the binutils package. Parsing an ELF file containing corrupt symbol version information may result in a denial of service. This issue is the result of an incomplete fix for CVE-2020-16599. (CVE-2022-4285) A potential heap based buffer overflow was found in
mingw-python-idna: python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode() References: - https://bugs.mageia.org/show_bug.cgi?id=33132
imageio can attempt to download shared freeimage libraries from https://github.com/imageio/imageio-binaries/tree/master/freeimage. The code fetches straight from master and provides no way of verifying whether the correct file was fetched. As a result, if the repository is attacked in the future, all prior versions of imageio would be silently
It was discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash the program, resulting in a denial of service. (CVE-2019-11471) Reza Mirzazade Farkhani discovered that libheif incorrectly handled certain image data. An attacker could possibly use this issue to crash
Possible out-of-bounds read or write when reading malformed MED files. (r19389). [Null-pointer write (32bit platforms) or excessive memory allocation (64bit platforms) when reading close to 4GiB of data from unseekable files (r20336, r20338).
Heap Buffer Overflow in the erofsfsck_dirent_iter function in fsck/main.c in erofs-utils v1.6 allows remote attackers to execute arbitrary code via a crafted erofs filesystem image. References:
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. (CVE-2024-38428)
ansible-core: possible information leak in tasks that ignore ANSIBLE_NO_LOG configuration (CVE-2024-0690) References:
Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)
Arbitrary shell command evaluation in Org mode (GNU Emacs) References: - https://bugs.mageia.org/show_bug.cgi?id=33326 - https://www.openwall.com/lists/oss-security/2024/06/23/1
Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users
Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it
High CVE-2024-6100: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) participating in SSD Secure Disclosure's TyphoonPWN 2024 on 2024-06-04 High CVE-2024-6101: Inappropriate implementation in WebAssembly. Reported by @ginggilBesel on 2024-05-31
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.16. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful
Use-after-free in networking. (CVE-2024-5702) Use-after-free in JavaScript object transplant. (CVE-2024-5688) External protocol handlers leaked by timing attack. (CVE-2024-5690) Sandboxed iframes were able to bypass sandbox restrictions to open a new window. (CVE-2024-5691)
The chromium-browser-stable package has been updated to the 126.0.6478.61 release. It includes 21 security fixes. Some of them are: * High CVE-2024-5830: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2024-05-24
Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.
Cloud Security Cryptography Desktop Security Firewall Government Hacks/Cracks IoT Security Network Security Organizations/Events Privacy Security Projects Security Trends Security Vulnerabilities Server Security Vendors/Products
Debian Debian LTS Fedora Gentoo Mageia Oracle openSUSE RockyLinux Slackware SuSE Ubuntu
Harden My Filesystem Learn Tips and Tricks Secure My E-mail Secure My Firewall Secure My Network Secure My Webserver Strengthen My Privacy
Best Secure Linux Distros for Enhanced Privacy & Security The Truth About Linux Malware & How to Protect Your System Is Linux A More Secure Option Than Windows For Businesses? How Secure Is Linux? Top Tips for Securing Your Linux System
Advertise Contribute Your Article Legal Notice RSS Feeds Contact Us Terms of Service Privacy Policy
Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.
