Advisories

[updates-announce] MGASA-2018-0428: Updated perl-Dancer2 packages fix security vulnerabilities

Saturday 3rd of November 2018 12:56:00 PM Dancer2 0.206000 addresses several potential security issues. There is a potential RCE with regards to Storable. Dancer2 adds session ID validation to the session engine so that session backends based on Storable can reject malformed session IDs that may lead to exploitation of the RCE. Parsing requests now uses HTTP::Entity::Parser which reduces the amount of code needed

[updates-announce] MGASA-2018-0429: Updated python-cryptography packages fix security vulnerability

Saturday 3rd of November 2018 12:56:00 PM The python-cryptography and python-cryptography-vectors packages have been updated to version 2.3.1 and fix the following security issue: The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to

Mageia 2018-0431: axis security update

Saturday 3rd of November 2018 12:56:00 PM Updated axis packages fix security vulnerability: Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services (CVE-2018-8032).

Mageia 2018-0430: lighttpd security update

Saturday 3rd of November 2018 12:56:00 PM Updated lighttpd package fixes security vulnerabilities: Potential path traversal with specific configs or in some use cases in mod_alias.

Mageia 2018-0427: dnsmasq security update

Saturday 3rd of November 2018 12:56:00 PM Updated dnsmasq packages fix a security issue: Upstream dnsmasq runs as the nobody user, which could lead to a security issue if multiple services run as this same user.

Debian: DSA-4332-1: ruby2.3 security update

Saturday 3rd of November 2018 10:24:00 AM Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems:

Debian: DSA-4331-1: curl security update

Friday 2nd of November 2018 08:16:00 PM Two vulnerabilities were discovered in cURL, a URL transfer library. CVE-2018-16839

RedHat: RHSA-2018-3456:01 Low: Red Hat Satellite Server 5 - 90 day End Of

Friday 2nd of November 2018 03:28:00 PM This is the 90 day notification of the End Of Life (EOL) plans for the following versions of Red Hat Satellite 5: * Red Hat Satellite 5.6 * Red Hat Satellite 5.7

Debian: DSA-4330-1: chromium-browser security update

Friday 2nd of November 2018 11:47:00 AM Several vulnerabilities have been discovered in the chromium web browser. CVE-2018-5179

ArchLinux: 201811-2: linux-lts: denial of service

Thursday 1st of November 2018 09:06:00 PM The package linux-lts before version 4.14.75-1 is vulnerable to denial of service.

ArchLinux: 201811-1: linux: denial of service

Thursday 1st of November 2018 09:04:00 PM The package linux before version 4.18.13.arch1-1 is vulnerable to denial of service.

Ubuntu 3805-2: curl vulnerability

Thursday 1st of November 2018 05:21:00 PM Several security issues were fixed in curl.

Debian LTS: DLA-1563-1: tzdata new upstream version

Thursday 1st of November 2018 02:56:00 PM tzdata upstream released version 2018g. Notable changes since 2018e (previous version available in jessie)

Debian LTS: DLA-1562-1: poppler security update

Wednesday 31st of October 2018 10:38:00 PM Various security issues were discovered in the poppler PDF rendering shared library.

Debian LTS: DLA-1561-1: phpldapadmin security update

Wednesday 31st of October 2018 06:11:00 PM It was discovered that there was a cross-site scripting (XSS) vulnerability in phpldapadmin, a web-based interface for administering LDAP servers. For Debian 8 "Jessie", this problem has been fixed in version

SciLinux: Important: java-1.7.0-openjdk on SL6.x i386/x86_64

Wednesday 31st of October 2018 04:15:00 PM OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169) * OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149) * OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) (CVE-2018-3136) * OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139) * OpenJ

SciLinux: Important: thunderbird on SL6.x i386/x86_64

Wednesday 31st of October 2018 04:14:00 PM This update upgrades Thunderbird to version 60.2.1. * Mozilla: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 (CVE-2018-12376) * Mozilla: Use-after-free in driver timers (CVE-2018-12377) * Mozilla: Use-after-free in IndexedDB (CVE-2018-12378) * Mozilla: Proxy bypass using automount and autofs (CVE-2017-16541) * Mozilla: Out-of-bounds write with malicious MAR file (CVE-2018-1237

SciLinux: Critical: python-paramiko on SL6.x (noarch)

Wednesday 31st of October 2018 04:13:00 PM python-paramiko: Authentication bypass in (CVE-2018-1000805)

SL6 noarch: python-paramiko-1.7.5-5.el6_10.noarch.rpm, python-paramiko-1.7.5-4.el6_7.1.noarch.rpm, python-paramiko-1.7.5-4.el6_6.1.noarch.rpm

- Scientific Linux Development Team

Ubuntu 3805-1: curl vulnerabilities

Wednesday 31st of October 2018 01:17:00 PM Several security issues were fixed in curl.

ArchLinux: 201810-16: gitlab: multiple issues

Wednesday 31st of October 2018 11:04:00 AM The package gitlab before version 11.4.3-1 is vulnerable to multiple issues including arbitrary code execution, cross-site request forgery, cross-site scripting and information disclosure.

More in Tux Machines

KDE: This week in Usability & Productivity and KBibTeX's Latest

  • This week in Usability & Productivity, part 45
    Let’s have a bit more Usability & Productivity, shall we? The KDE Applications 18.12 release is right around the corner, and we got a lot of great improvements to some core KDE apps–some for that upcoming release, and some for the next one. And lots of other things too, of course!
  • Running KBibTeX from Git repository has become easier
    A common problem with bug reports received for KBibTeX is that the issue may already be fixed in the latest master in Git, or that I can provide a fix which gets submitted to Git but then needs to be tested by the original bug reporter to verify that the issue has indeed been fixed for good. For many distributions, no ‘Git builds’ are available (or the bug reporter does not know if they exist or how to get them installed), or the bug reporter does not know how to fetch the source code, compile it, and run KBibTeX, despite the (somewhat too technical) documentation. Therefore, I wrote a Bash script called which performs all the necessary (well, most) steps to get from zero to a running KBibTeX. The nicest thing is that all files (cloned Git repo, compiled and installed KBibTeX) are placed inside /tmp, which means no root or sudo are required, nor are any permanent modifications made to the user's system.

FreeBSD 12.0-RC1 Released, Fixes Ryzen 2 Temperature Reporting

Arguably most user-facing with this week's FreeBSD 12.0-RC1 release is updating the amdsmn/amdtemp drivers for attaching to Ryzen 2 host bridges. Additionally, the amdtemp driver has been fixed for correctly reporting the AMD Ryzen Threadripper 2990WX core temperature. The 2990WX temperature reporting is the same fix Linux initially needed for a 27 degree offset to report the correct temperature. It's just taken FreeBSD longer to add Ryzen 2 / Threadripper 2 temperature bits even though they had beaten the Linux kernel crew with the initial Zen CPU temperature reporting last year.

Also: MeetBSD 2018: Michael W Lucas, Why BSD?

GPU/Graphics: DRM/KMS and CUDA

  • Google's Pixel 3 Is Using The MSM DRM Driver, More Android Phones Moving To DRM/KMS Code
    It turns out Google's recently announced Pixel 3 smartphone is making use of the MSM Direct Rendering Manager driver associated with the Freedreno open-source Qualcomm graphics project. Google is also getting more Android vendors moving over to using DRM/KMS drivers to power their graphics/display. Alistair Strachan of Google presented at this week's Linux Plumbers Conference on the growing adoption of Direct Rendering Manager / Kernel Mode-Setting drivers by Android devices.
  • Red Hat Developers Working Towards A Vendor-Neutral Compute Stack To Take On NVIDIA's CUDA
    At this week's Linux Plumbers Conference, David Airlie began talking about the possibility of a vendor-neutral compute stack across Intel, Radeon, and NVIDIA GPU platforms that could potentially take on NVIDIA's CUDA dominance. There has been work on open-source NVIDIA (Nouveau) SPIR-V compute support all year, and that is ongoing, not yet having reached mainline Mesa. That effort has been largely worked on by Karol Herbst and Rob Clark, both open-source GPU driver developers at Red Hat. There has also been other compute-motivated open-source driver/infrastructure work out of Red Hat, like Jerome Glisse's ongoing kernel work around Heterogeneous Memory Management (HMM). There is also the Radeon RADV driver that Red Hat's David Airlie co-founded and to whose advancement he continues contributing significantly. And then there have been other graphics/compute contributions too, with Red Hat remaining one of the largest upstream contributors to the ecosystem.

Endless OS Switching To The BFQ I/O Scheduler For More Responsive Linux Desktop

While Con Kolivas' kernel patch series decided to do away with BFQ support, the GNOME-aligned Endless OS Linux distribution has decided to do the opposite, moving from CFQ as the default I/O scheduler over to BFQ. Endless OS has decided to switch to the BFQ (Budget Fair Queuing) I/O scheduler since it prioritizes interactive workloads and should make for a better experience for its users, particularly when applications may be upgrading in the background. During heavy background I/O, Endless found that their launch time of LibreOffice went from taking 16 seconds with CFQ to just three seconds when using BFQ. Other tests were also positive for improving the interactivity/responsiveness of the system, particularly during heavy background I/O.