It was reported that firejail does not respect the end-of-options separator ("--"), allowing an attacker with control over the command line options of the sandboxed application to write data to a specified file (CVE-2020-17367). It was reported that firejail when redirecting output via --output or
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in an HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers (CVE-2020-9490).
An access flaw was found in targetcli, where /etc/target and the backup directory and files underneath it were world-readable. This flaw allows a local attacker to access potentially sensitive information such as authentication credentials from the /etc/target/saveconfig.json and backup files. The highest threat from this vulnerability is to confidentiality (CVE-2020-13867).
Servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected (CVE-2020-15586). Certain invalid inputs to ReadUvarint or ReadVarint could cause those functions
The code in src/sftpserver.c did not verify the validity of certain pointers and expected them to be valid. A NULL pointer dereference could have occurred, which typically causes a crash and thus a denial-of-service (CVE-2020-16135).
A maliciously crafted archive with "../" in the file paths would install files anywhere in the user's home directory upon extraction (CVE-2020-16116). References: - https://bugs.mageia.org/show_bug.cgi?id=27023
A vulnerability in the endpoint software of Cisco AMP for Endpoints and Clam AntiVirus could allow an authenticated, local attacker to cause the running software to delete arbitrary files on the system. The vulnerability is due to a race condition that could occur when scanning malicious files. An attacker with local shell access could exploit this vulnerability by executing a script that
common/session.c in Claws Mail before 3.17.6 has a protocol violation because suffix data after STARTTLS is mishandled (CVE-2020-15917). References: - https://bugs.mageia.org/show_bug.cgi?id=27040
Potential leak of redirect targets when loading scripts in a worker. (CVE-2020-15652) WebRTC data channel leaks internal address to peer. (CVE-2020-6514)
WebRTC used the memory address of a class instance as a connection identifier. Unfortunately, this value is often transmitted to the peer, which allows bypassing ASLR (CVE-2020-6514). Crafted media files could lead to a race in texture caches, resulting in a
Updated webkit2 packages fix security vulnerabilities: The webkit2 package has been updated to version 2.28.3, fixing several security issues and other bugs.
The znc package has been updated to version 1.8.1, containing several bugfixes and enhancements. See the upstream change logs for details. References: - https://bugs.mageia.org/show_bug.cgi?id=26886
The updated packages fix a security vulnerability: In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected
Multiple security vulnerabilities in virtualbox allow unauthorized access to critical data or takeover of Oracle VM VirtualBox. See CVE references for details. References:
Updated dnsmasq package fixes an insecure default configuration potentially making it an open resolver (CVE-2020-14312). In its default configuration, dnsmasq listens for and answers queries from any address, even outside of the local subnet. Thus, it may inadvertently