
LinuxSecurity.com Advisories

The central voice for Linux and Open Source security news.

openSUSE: 2022:0043-1 moderate: systemd

Tuesday 11th of January 2022 07:22:08 AM
An update that solves one vulnerability and has two fixes is now available.

Debian: DSA-5039-1: wordpress security update

Tuesday 11th of January 2022 05:13:25 AM
Several vulnerabilities were discovered in WordPress, a web blogging tool. They allowed remote attackers to perform SQL injection, run unchecked SQL queries, bypass hardening, or perform Cross-Site Scripting (XSS) attacks.

Mageia 2022-0012: ghostscript security update

Tuesday 11th of January 2022 03:13:40 AM
Use-after-free in sampled_data_sample (called from sampled_data_continue and interp). (CVE-2021-45944) Heap-based buffer overflow in sampled_data_finish (called from sampled_data_continue and interp). (CVE-2021-45949)

Mageia 2022-0011: python-django security update

Tuesday 11th of January 2022 03:13:39 AM
UserAttributeSimilarityValidator incurred significant overhead evaluating submitted passwords that were artificially large relative to the comparison values. On the assumption that access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack. (CVE-2021-45115)

Mageia 2022-0010: squashfs-tools security update

Tuesday 11th of January 2022 03:13:38 AM
squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination. (CVE-2021-40153)

Mageia 2022-0009: osgi-core/apache-commons-compress security update

Tuesday 11th of January 2022 03:13:37 AM
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. (CVE-2021-35515) When reading a specially crafted 7Z archive, Compress can be made to

Mageia 2022-0008: suricata security update

Tuesday 11th of January 2022 03:13:36 AM
Critical evasion in suricata (CVE-2021-35063)
References:
- https://bugs.mageia.org/show_bug.cgi?id=29012
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FO5R7STJBL3XHZDUREUDZ33DZA6MBITT/

Ubuntu 5219-1: Linux kernel vulnerability

Tuesday 11th of January 2022 12:45:40 AM
The system could be made to crash or run programs as an administrator.

Ubuntu 5218-1: Linux kernel (OEM) vulnerabilities

Tuesday 11th of January 2022 12:45:26 AM
Several security issues were fixed in the Linux kernel.

Ubuntu 5217-1: Linux kernel (OEM) vulnerabilities

Tuesday 11th of January 2022 12:45:06 AM
Several security issues were fixed in the Linux kernel.

Oracle: ELSA-2022-9011: Oracle Important Security Update

Monday 10th of January 2022 10:57:28 PM
The following updated rpms for Oracle Linux Cloud Native Environment 1.0 have been uploaded to the Unbreakable Linux Network:

Oracle: ELSA-2022-9011: Oracle Important Security Update

Monday 10th of January 2022 10:57:21 PM
The following updated rpms for Oracle Linux Cloud Native Environment 1.1 have been uploaded to the Unbreakable Linux Network:

Oracle6: ELSA-2022-9014: Extended Important Security Update

Monday 10th of January 2022 10:55:37 PM
The following updated rpms for Oracle Linux 6 Extended Lifecycle Support (ELS) have been uploaded to the Unbreakable Linux Network:

Debian LTS: DLA-2876-1: vim security update

Monday 10th of January 2022 05:50:21 PM
Multiple issues have been discovered in vim, an enhanced vi text editor: CVE-2017-17087 fileio.c in Vim sets the group ownership of a .swp file to the editor's primary

Debian LTS: DLA-2875-1: clamav security update

Monday 10th of January 2022 12:54:03 PM
Version 0.102 of ClamAV, an anti-virus toolkit, is end-of-life. ClamAV has been updated to version 0.103 to be able to receive virus signature updates.

SUSE: 2022:38-1 suse/sles/15.3/virt-operator Security Update

Monday 10th of January 2022 12:35:18 PM
The container suse/sles/15.3/virt-operator was updated. The following patches have been included in this update:

SUSE: 2022:37-1 suse/sles/15.3/libguestfs-tools Security Update

Monday 10th of January 2022 12:35:05 PM
The container suse/sles/15.3/libguestfs-tools was updated. The following patches have been included in this update:

SUSE: 2022:35-1 suse/sles/15.3/virt-handler Security Update

Monday 10th of January 2022 12:34:28 PM
The container suse/sles/15.3/virt-handler was updated. The following patches have been included in this update:

SUSE: 2022:34-1 suse/sles/15.3/virt-controller Security Update

Monday 10th of January 2022 12:34:13 PM
The container suse/sles/15.3/virt-controller was updated. The following patches have been included in this update:

SUSE: 2022:33-1 suse/sles/15.3/virt-api Security Update

Monday 10th of January 2022 12:33:59 PM
The container suse/sles/15.3/virt-api was updated. The following patches have been included in this update:

More in Tux Machines

Proprietary Traps: AD, AV1 Patent Pools, More Outsourcing to Microsoft

  • Overcoming A Common Admin Black Hole: Linux Management [Ed: Shilling Microsoft's proprietary junk (AD) and then alleging Linux has a "black hole"]

    I’ll admit that we never “got there” from a governance standpoint with those Linux devices; a silo was predestined because we were built around Active Directory domain controllers that shunned Linux devices.

  • Firefox Gets AV1 VA-API Acceleration Sorted Out

    Red Hat developer Martin Stránský has managed to get the Video Acceleration API (VA-API) working for AV1 content within the Firefox web browser. After working on it over the past month, the necessary bits have come together for supporting AV1 VA-API playback within Firefox on Linux. See the Mozilla.org Bugzilla for tracking the progress on the effort. The latest AV1 activity in general for Mozilla can be tracked via hg.mozilla.org.

  • Hacks.Mozilla.Org: Contributing to MDN: Meet the Contributors [Ed: Mozilla outsourced again to Microsoft and its proprietary software; Mozilla became worthless; it'll be history in a few years due to bad leadership]

    If you’ve ever built anything with web technologies, you’re probably familiar with MDN Web Docs. With about 13,000 pages documenting how to use programming languages such as HTML, CSS and JavaScript, the site has about 8,000 people using it at any given moment. MDN relies on contributors to help maintain its ever-expanding and up-to-date documentation. Supported by companies such as Open Web Docs, Google, W3C, Microsoft, Samsung and Igalia (to name a few), contributions also come from community members. These contributions take many different forms, from fixing issues to contributing code to helping newcomers and localizing content. We reached out to 4 long-time community contributors to talk about how and why they started contributing, why they kept going, and ask what advice they have for new contributors. [...] Since the end of 2020, the translation of MDN articles happens on the new GitHub-based platform. [...] Our seasoned contributors suggest starting with reporting issues and trying to fix them, following the issue trackers and getting familiarized with GitHub.

Hardware: EInk Phone, Arduino, and More

  • Bryan Quigley: Small EInk Phone

    To be shipped with one of the main Linux phone OSes (Manjaro with KDE Plasma, etc).

  • A DIY CAD Mouse You Can Actually Build

    When you spend a lot of time on the computer doing certain more specialised tasks (no, we’re not talking about browsing cat memes on Twitter) you start to think that your basic trackpad or mouse is, let’s say, lacking a certain something. We think that something may be called ‘usability’ or maybe ease-of-use? Any which way, lots of heavy CAD users gush over their favourite mouse stand-ins, and one particularly interesting class of input devices is the Space Mouse, which is essentially patented up to the hilt and available only from 3DConnexion. But what about open source alternatives you can build yourself? Enter stage left, the Orbion created by [FaqT0tum]. This simple little build combines an analog joystick with a rotary knob, with a rear button and OLED display on the front completing the user interface.

  • KiCAD 6.0: What Made It And What Didn’t | Hackaday

    I’ve been following the development of KiCAD for a number of years now, and using it as my main electronics CAD package daily for the last six years or thereabouts, so the release of KiCAD 6.0 is quite exciting to an electronics nerd like me. The release date had been pushed out a bit, as this is such a huge update, and has taken a little longer than anticipated. But, it was finally tagged and pushed out to distribution on Christmas day, with some much deserved fanfare in the usual places. So now is a good time to look at which features are new in KiCAD 6.0 — actually 6.0.1 is the current release at time of writing due to some bugfixes — and which features originally planned for 6.0 are now being postponed to the 7.0 roadmap and beyond.

Programming Leftovers

  • C: sigprocmask Function Usage

    You may have heard about socket programming in C. One of the socket functions is the “sigprocmask” function. This function is usually utilized in code to inspect or alter the signal mask of the calling function. The signal mask is a term used for a group of signals that are presently blocked and cannot be conveyed to the calling function. Such signals are known as “Blocked Signals.” You can say that a process can still receive the blocked signals, but they will not be used until they are unblocked and released, i.e., raised. Until then, they will be pending. Therefore, within today’s guide, we will be discussing the use of the sigprocmask function in C programming. Let’s have a start. After successfully logging in to Ubuntu 20.04, you need to launch the shell of the Ubuntu 20.04 system first. So, try out the “Ctrl+Alt+T” shortcut on the desktop screen. It will launch the terminal shell for you in a few seconds. Make sure to update your system using the apt package manager of your system. After that, you have to execute the “touch” instruction along with the file name you want to generate, i.e., to create the C file via the shell. This newly created file can be found in the “home” folder of your system’s file explorer. You can try opening it with the “text” editor to create code in it. Another way to open it in the shell is using the “GNU Nano” editor via the “nano” keyword with a file name as demonstrated beneath.

  • C: sigaction function usage

    sigaction() is a function that allows one to call, observe or examine a specific action associated with a particular signal. It is thought that the signal and sigaction functions are on the same page. But in reality, that is not the case. The signal() function does not block other signals while the current handler’s execution is in process. At the same time, the sigaction function can block other signals until the current handler has returned.

  • delegation of authority from the systems programming perspective – Ariadne's Space

    As I have been griping on Twitter lately, about how I dislike the design of modern UNIX operating systems, an interesting conversation about object capabilities came up with the author of musl-libc. This conversation caused me to realize that systems programmers don’t really have an understanding of object capabilities, and how they can be used to achieve environments that are aligned with the principle of least authority. In general, I think this is largely because we’ve failed to effectively disseminate the research output in this area to the software engineering community at large — for various reasons, people complete their distributed systems degrees and go to work in decentralized finance, as unfortunately, Coinbase pays better. An unfortunate reality is that the security properties guaranteed by Web3 platforms are built around object capabilities, by necessity – the output of a transaction, which then gets consumed for another transaction, is a form of object capability. And while Web3 is largely a planet-incinerating Ponzi scheme run by grifters, object capabilities are a useful concept for building practical security into real-world systems. Most literature on this topic tries to describe these concepts in the framing of, say, driving a car: by default, nobody has permission to drive a given car, so it is compliant with the principle of least authority, meanwhile the car’s key can interface with the ignition, and allow the car to be driven. In this example, the car’s key is an object capability: it is an opaque object that can be used to acquire the right to drive the car. Afterwards, they usually go on to describe the various aspects of their system without actually discussing why anybody would want this.

  • Pip Install: Install and Remove Python Packages
  • A dog-cat-horse-turtle problem

    Sometimes the text-processing problems posted on Stack Exchange have so many solutions, it's hard to decide which is best. A problem like that was posted in the "Unix & Linux" section in December 2021...

Istio / Announcing Istio 1.12.2

This release fixes the security vulnerability described in our January 18th post, ISTIO-SECURITY-2022-001, as well as a few minor bug fixes to improve robustness. This release note describes what’s different between Istio 1.12.1 and Istio 1.12.2.

Also: ISTIO-SECURITY-2022-001