
LinuxSecurity.com Advisories

The central voice for Linux and Open Source security news.

Fedora 22 ca-certificates-2015.2.4-1.0.fc22

Monday 11th of May 2015 03:05:00 PM
LinuxSecurity.com: This is an update to the set of CA certificates released with NSS version 3.18.1. However, the package modifies the CA list to keep several legacy CAs still trusted for compatibility reasons. Please refer to the project URL for details. If you prefer to use the unchanged list provided by Mozilla, and if you accept any compatibility issues it may cause, an administrator may configure the system by executing the "ca-legacy disable" command.

Fedora 20 perl-XML-LibXML-2.0119-1.fc20

Sunday 10th of May 2015 08:12:00 PM
LinuxSecurity.com: Security fix for

Fedora 20 firefox-37.0.2-1.fc20

Sunday 10th of May 2015 08:10:00 PM
LinuxSecurity.com: New upstream - 37.0.2

Fedora 20 xulrunner-37.0.2-1.fc20

Sunday 10th of May 2015 08:10:00 PM
LinuxSecurity.com: New upstream - 37.0.2

Fedora 21 netcf-0.2.8-1.fc21

Sunday 10th of May 2015 08:09:00 PM
LinuxSecurity.com: Security fix for CVE-2014-8119, as well as adding a few other minor bugfixes and enhancements (support for multiple IPv4 addresses, simultaneous static & dhcp for IPv4)

Fedora 20 thunderbird-31.6.0-1.fc20

Sunday 10th of May 2015 08:09:00 PM
LinuxSecurity.com: Update to version 31.6.

Fedora 20 prosody-0.9.8-1.fc20

Sunday 10th of May 2015 07:54:00 PM
LinuxSecurity.com:

Prosody 0.9.8
=============
A summary of changes in this release:

High
----
 * Ensure only valid UTF-8 is passed to libidn. It was found (CVE-2015-2059) that libidn can read beyond the boundaries of the provided buffer when an input string contains invalid UTF-8 sequences. Systems where Prosody is compiled to use libICU are not affected by this issue.

Medium
------
 * DNS: Fix traceback caused when DNS server IP is unroutable (issue 473)
 * HTTP client: More robust handling of chunked encoding across packet boundaries
 * Stanza router: Fix handling of 'error' 's with multiple children

Minor
-----
 * c2s: Fix error reply when clients try to bind multiple resources on the same stream (issue 484)
 * s2s: Ensure to/from attributes are always present on stream headers, even if empty (issue 468)
 * Build scripts: Add --libdir option to ./configure to simplify building on some platforms
 * Fix traceback in datamanager when used outside of Prosody (e.g. in some migration tools)
 * mod_admin_telnet: Fix potential traceback in server:memory() command (issue 471)
 * HTTP server: Improved debug logging

Prosody 0.9.7
=============
A summary of changes in this release:
 * util.stanza: Don't XML-escape whitespace
 * prosodyctl: Fix traceback in 'about' command with LuaRocks 2.2.0

Prosody 0.9.6
=============
Note: This release disables SSLv3 by default, which has been shown to be insecure when used by clients. Clients that only support SSLv3 will no longer be able to connect. There are not many of these nowadays, but they exist.

A summary of changes in this release:
 * certmanager, net.http: Disable SSLv3 by default
 * net.http.parser: Support status code 101 and allow handling of the received data by plugins
 * util.filters: Ignore filters being added twice (fixes issues on removal, i.e. when some plugins are reloaded/unloaded)
 * mod_s2s: Close offending s2s streams missing an 'id' attribute with a stream error instead of throwing an unhandled error
 * Networking API: Add 'ondetach' callback for listener objects, to prevent leaks when connections have their listener changed
 * core.stanza_router: Stricter validation of stanzas
 * mod_admin_adhoc: Mark 'accountjids' field as required in 'end user sessions' command (thanks Lloyd)
 * mod_admin_adhoc: Add required to field in user deletion form too
 * net.dns: Avoid duplicate cache entries
 * util.stanza: Escape newlines and tabs when serializing stanzas.
 * util/dataforms: Make sure we iterate over field tags only
 * mod_s2s: Capitalize log message
 * mod_pubsub: Fix error type of 'forbidden' (change from 'cancel' to 'auth')

Prosody 0.9.5
=============
A summary of changes in this release:
 * C2S: Fix traceback if a client opens a stream to component, which could cause a crash in combination with some versions of LuaEvent
 * C2S, S2S: Log received invalid stream headers
 * S2S: Fix case where stream headers were sometimes sent twice
 * DNS: Ensure all pending requests get notified of a timeout when looking up a record
 * DNS: Fix duplicated cache insertions by limiting outstanding queries per name to one
 * xmppstream: Disable LuaExpat's buffering
 * xmppstream: Disable CharacterData merging after stream restarts
 * xmppstream: Pass invalid stream headers to error handling
 * Privacy lists: Correctly sort privacy list rules by order
 * prosody: Check dependencies later in the startup sequence
 * Config: Delay importing LuaFileSystem until needed by an Include line
 * Config: Normalize VirtualHost and Component names
 * prosodyctl: Normalize JIDs for adduser/passwd/deluser
 * POSIX: Fix error reporting from disk space allocation
 * POSIX: Verify that 'pidfile' is a string, show friendly error otherwise
 * Dependency checking: Check that prosody is running under Lua 5.1. We don't currently support any other versions. (LuaJIT identifies as 5.1)
 * Compliance: Reset stream ID when resetting stream
 * Compression: Log compression setup errors
 * Console: Fix commands for adding and replacing name servers
 * Console MUC commands: Fix error when a non-existent host is entered
 * Filters: Prevent filters from being added twice
 * Network: Transfer all available data between linked sockets
 * dataforms: Add support for XEP-0221: Data Forms Media Element

Prosody 0.9.4
=============
A summary of changes in this release:
 * Compression: Disallow compression on unauthenticated streams
 * Core: Limit default read size and maximum stanza size
 * Core: Enable SASL EXTERNAL by default for component s2s
 * S2S: Warn if `s2s_secure_auth` and `s2s_require_encryption` have been set in conflicting ways
 * S2S: Warn if no local network addresses were found, preventing successful s2s
 * MUC: Fix traceback when a non-occupant tried to change an occupant's role
 * MUC: API: Fire an event when temporary rooms are destroyed after the last person leaves
 * Telnet: Fixed traceback when listing users
 * Telnet: Apply normalization to JIDs in user management commands
 * HTTP: Fix directory detection in file server on Windows
 * Plugins: Fix paths on Windows
 * MOTD: Don't strip blank lines from the message provided in the config
 * prosodyctl: Better error reporting when generating certificates
 * Makefile: Improve FreeBSD compatibility
 * Multiple fixes to our migration tools, and support for importing MUCs from ejabberd

Prosody 0.9.3
=============
A summary of changes in this release:
 * A config file passed as command line argument is no longer forgotten when config is reloaded
 * MUC: Allow admins to always bypass restrict_room_creation
 * Strip trailing '.' when normalizing hostnames
 * HTTP: Prevent silent connection failures
 * Components: Allow easier overriding of component authentication by plugins
 * Components: Enable TCP keepalives
 * Migrator: Better error reporting and improved robustness
 * S2S: Include IP in log messages, if hostname is unavailable
 * TLS: Log error when initialization fails

Prosody 0.9.2
=============
Note: If you are upgrading from 0.8.x or earlier, please read the 0.9.0 upgrade notes at http://prosody.im/doc/release/0.9.0!

A summary of changes in this release:
 * Debian/Ubuntu packages fixed to always generate per-system certs
 * TLS: Improved cipher string, and use Prosody's preferred ciphers instead of the client's
 * MUC: Fix for Spark clients not displaying room lists

For more details behind the security improvements, see the release announcement at http://blog.prosody.im/prosody-0-9-2-released/.

Fedora 21 proftpd-1.3.5-5.fc21

Sunday 10th of May 2015 07:50:00 PM
LinuxSecurity.com: Vadim Melihow reported a critical issue with proftpd installations that use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands to be used by unauthenticated clients.
Upstream report: http://bugs.proftpd.org/show_bug.cgi?id=4169
Note that mod_copy is not loaded/enabled by default in the Fedora package.

Fedora 20 libreoffice-4.2.8.2-8.fc20

Sunday 10th of May 2015 07:46:00 PM
LinuxSecurity.com: CVE-2015-1774: out-of-bounds write in HWP file filter

Fedora 20 netcf-0.2.8-1.fc20

Sunday 10th of May 2015 07:40:00 PM
LinuxSecurity.com: Security fix for CVE-2014-8119, as well as adding a few other minor bugfixes and enhancements (support for multiple IPv4 addresses, simultaneous static & dhcp for IPv4)

Fedora 22 texlive-2014-8.20140525_r34255.fc22

Sunday 10th of May 2015 07:40:00 PM
LinuxSecurity.com: insecure use of /tmp in mktexlsr

Fedora 21 perl-XML-LibXML-2.0119-1.fc21

Sunday 10th of May 2015 07:35:00 PM
LinuxSecurity.com: Security fix for

Debian: 3256-1: libtasn1-6: Summary

Sunday 10th of May 2015 01:54:00 PM
LinuxSecurity.com: Security Report Summary

Mandriva: 2015:231: perl-XML-LibXML

Thursday 7th of May 2015 04:29:00 AM
LinuxSecurity.com: Updated perl-XML-LibXML package fixes security vulnerability: Tilmann Haak from xing.com discovered that XML::LibXML did not respect the expand_entities parameter to disable processing of external entities in some circumstances. This may allow attackers to gain [More...]

Debian: 3252-1: sqlite3: Summary

Wednesday 6th of May 2015 04:24:00 PM
LinuxSecurity.com: Security Report Summary

Ubuntu: 2582-1: Oxide vulnerabilities

Wednesday 6th of May 2015 10:02:00 AM
LinuxSecurity.com: Several security issues were fixed in Oxide.

Mandriva: 2015:230: squid

Wednesday 6th of May 2015 08:05:00 AM
LinuxSecurity.com: Updated squid packages fix security vulnerability: Squid configured with client-first SSL-bump does not correctly validate X509 server certificate domain / hostname fields (CVE-2015-3455). [More...]

Mandriva: 2015:229: net-snmp

Wednesday 6th of May 2015 08:01:00 AM
LinuxSecurity.com: Updated net-snmp packages fix security vulnerability: It was discovered that the snmp_pdu_parse() function could leave incompletely parsed varBind variables in the list of variables. A remote, unauthenticated attacker could exploit this flaw to cause a [More...]

Mandriva: 2015:228: nodejs

Wednesday 6th of May 2015 07:55:00 AM
LinuxSecurity.com: Updated nodejs package fixes security vulnerability: It was found that libuv does not call setgroups before calling setuid/setgid. This may potentially allow an attacker to gain elevated privileges (CVE-2015-0278). [More...]

Red Hat: 2015:0938-01: openstack-glance: Moderate Advisory

Tuesday 5th of May 2015 08:19:00 PM
LinuxSecurity.com: Updated openstack-glance packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux OpenStack Platform 6.0. Red Hat Product Security has rated this update as having Moderate security [More...]
