Security Leftovers
Date: 2021-10-26
diffoscope 197 released
The diffoscope maintainers are pleased to announce the release of diffoscope version 197. This version includes the following changes:
[ Chris Lamb ]
* Drop unnecessary has_same_content_as logging calls.

[ Mattia Rizzolo ]
* Ignore the new "binary-with-bad-dynamic-table" Lintian tag.
* Support pgpdump 0.34 in the tests.

and testing the fix.
Vulnerability in the USB Gadget Linux kernel subsystem, potentially allowing code execution - itsfoss.net
A vulnerability (CVE-2021-39685) has been identified in USB Gadget, a Linux kernel subsystem that provides a programming interface for creating client USB devices and for software simulation of USB devices. It could lead to a kernel leak, a crash, or arbitrary code execution at the kernel level. The attack is carried out by an unprivileged local user through manipulation of various device classes implemented on top of the USB Gadget API, such as rndis, hid, uac1, uac1_legacy, and uac2.
The problem has been fixed in the Linux kernel updates 5.15.8, 5.10.85, 5.4.165, 4.19.221, 4.14.258, 4.9.293 and 4.4.295, published the other day. In distributions, the problem remains unresolved (Debian, Ubuntu, RHEL, SUSE, Fedora, Arch). An exploit prototype has been prepared to demonstrate the vulnerability.
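A quick way to triage hosts against the fixed releases listed above, as an added example that is not part of the original article: it classifies a `uname -r` style string by stable branch and patch level. The function names and status labels are illustrative, and it assumes the release string carries the upstream stable version; distribution kernels often use their own numbering and backport fixes, so their status must come from the vendor's security tracker.

```python
import platform
import re

# Fixed stable releases listed in the article, keyed by (major, minor) branch.
FIXED_PATCH = {
    (5, 15): 8, (5, 10): 85, (5, 4): 165,
    (4, 19): 221, (4, 14): 258, (4, 9): 293, (4, 4): 295,
}

def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` style string, or None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def fix_status(release):
    """Classify a release string against the listed fixed versions.

    'fixed-upstream': listed branch, patch level at or above the fixed release
    'predates-fix':   listed branch, patch level below the fixed release
    'unlisted':       branch not in the article's list; check the vendor advisory
    'unparsable':     no leading version number found
    """
    version = parse_release(release)
    if version is None:
        return "unparsable"
    major, minor, patch = version
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "unlisted"
    return "fixed-upstream" if patch >= fixed else "predates-fix"

if __name__ == "__main__":
    # Constructed sample strings, followed by the running kernel.
    # "5.4.0-91-generic" shows the caveat: a distribution-style string whose
    # patch level is not the upstream one, so the result is only a hint.
    samples = ["5.15.8", "5.10.84-1-lts", "4.19.221", "5.16.0", "5.4.0-91-generic"]
    for rel in samples + [platform.release()]:
        print(f"{rel:24} {fix_status(rel)}")
```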
Security updates for Friday
Security updates have been issued by Debian (kernel), Fedora (dr_libs, libsndfile, and podman), openSUSE (fetchmail, log4j, log4j12, logback, python3, and seamonkey), Oracle (go-toolset:ol8, idm:DL1, and nodejs:16), Red Hat (go-toolset-1.16 and go-toolset-1.16-golang, ipa, rh-postgresql12-postgresql, rh-postgresql13-postgresql, and samba), Slackware (xorg), SUSE (log4j, log4j12, and python3), and Ubuntu (apache-log4j2 and openjdk-8, openjdk-lts).
