Two critical flaws were also recently found and fixed in the ClamAV open-source antivirus engine that could lead to remote code execution (RCE) and remote information leakage on susceptible devices. Learn if you are at risk, and how to protect yourself now!
Important Python and WebKitGTK updates have also been released to address remotely exploitable bugs that could lead to arbitrary code execution, denial of service (DoS), and cross-site scripting (XSS) attacks. It is crucial that all impacted users update immediately to protect against downtime and compromise.
Our own Dave Wreski also evaluated Vali Cyber's ZeroLock, the latest ransomware protection developed specifically for Linux servers, and how it can be used to keep your critical systems and sensitive data protected from the dramatic increase in attacks against Linux we've seen over the last year.
Continue reading to learn about other significant issues that have been fixed, and how to secure your systems against them.
Yours in Open Source,
ClamAV

The Discovery
Two critical flaws were recently found in the ClamAV open-source antivirus engine, including a vulnerability in the HFS+ file parser (CVE-2023-20032) and a vulnerability in the DMG file parser (CVE-2023-20052).

The Impact
These issues could result in remote code execution (RCE) and remote information leakage on susceptible devices (those running ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier).

The Fix
ClamAV has released patch versions 0.103.8, 0.105.2 and 1.0.1, which mitigate these flaws. We urge all users to update now to protect against attacks leading to compromise and prevent unauthorized disclosure of sensitive information.
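Because the fix for these two ClamAV issues lives on three separate maintenance branches, a plain "is my version older than 1.0.1" comparison gets the answer wrong for 0.103.x and 0.105.x installs. The script below is an added example (it is not code from LinuxSecurity or from the ClamAV project) that reads a version banner in the shape printed by `clamscan --version` (assumed here to be "ClamAV X.Y.Z/<db-version>/<date>") and decides, per branch, whether the installed build carries the fixes named in the advisory. The sample banners are constructed for illustration; the database numbers and dates in them are placeholders.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release on each maintenance branch, as stated in the advisory:
# 0.103.8, 0.105.2 and 1.0.1 fix CVE-2023-20032 and CVE-2023-20052.
PATCHED: dict = {
    (0, 103): (0, 103, 8),
    (0, 105): (0, 105, 2),
    (1, 0): (1, 0, 1),
}

# Assumed banner shape: "ClamAV <major>.<minor>.<patch>/<db>/<date>".
VERSION_RE = re.compile(r"\bClamAV\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a clamscan --version style banner."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def is_patched(version: Version) -> bool:
    """True when the version is at or above the first fixed release of its branch."""
    branch = version[:2]
    if branch in PATCHED:
        return version >= PATCHED[branch]
    # Branches not listed (for example the 0.104 series) received no fix and
    # fall under the advisory's "1.0.0 and earlier"; anything newer than 1.0.1
    # already includes the fixes.
    return version >= (1, 0, 1)


def assess(banner: str) -> str:
    """Classify a banner as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    return "patched" if is_patched(version) else "vulnerable"


# Constructed sample banners; database numbers and dates are placeholders.
SAMPLE_BANNERS = [
    "ClamAV 0.103.7/26800/Thu Feb 16 08:00:00 2023",
    "ClamAV 0.103.8/26800/Thu Feb 16 08:00:00 2023",
    "ClamAV 0.104.4/26800/Thu Feb 16 08:00:00 2023",
    "ClamAV 0.105.1/26800/Thu Feb 16 08:00:00 2023",
    "ClamAV 0.105.2/26800/Thu Feb 16 08:00:00 2023",
    "ClamAV 1.0.0/26800/Thu Feb 16 08:00:00 2023",
    "ClamAV 1.0.1/26800/Thu Feb 16 08:00:00 2023",
    "clamscan: command not found",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{assess(banner):>10}  {banner}")
```

On a real host, feed the output of `clamscan --version` (or `clamd --version`) to `assess()`; a result of "vulnerable" on a 0.104.x install means moving to a supported branch, since no 0.104 release carries these fixes.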
Python

The Discovery
Several high-severity security issues were found in Python involving the incorrect handling of certain inputs (CVE-2015-20107, CVE-2021-28861, CVE-2022-37454, CVE-2022-42919, CVE-2022-45061 and CVE-2023-24329).

The Impact
These vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial of service (DoS).

The Fix
An update for Python that fixes these issues is now available. We strongly recommend that you update immediately to protect against these bugs, which have a high confidentiality, integrity and availability impact on affected systems.
WebKitGTK

The Discovery
An important type confusion vulnerability was discovered in the WebKitGTK Web and JavaScript engines (CVE-2023-23529).

The Impact
This bug could enable a remote attacker to exploit a variety of issues related to web browser security, including cross-site scripting (XSS) attacks, denial of service (DoS) attacks, and arbitrary code execution.

The Fix
Distros continue to release important updates mitigating this issue. We recommend that you update as soon as possible to protect against attacks leading to downtime and compromise.