LinuxSecurity.com Advisories

The central voice for Linux and Open Source security news.

RedHat: RHSA-2018-2925:01 Important: kernel security and bug fix update

Tuesday 16th of October 2018 11:55:00 PM
LinuxSecurity.com: An update for kernel is now available for Red Hat Enterprise Linux 6.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

Debian: DSA-4321-1: graphicsmagick security update

Tuesday 16th of October 2018 09:57:00 PM
LinuxSecurity.com: Several vulnerabilities have been discovered in GraphicsMagick, a set of command-line applications to manipulate image files, which could result in denial of service or the execution of arbitrary code if malformed image files are processed.

Debian: DSA-4320-1: asterisk security update

Tuesday 16th of October 2018 09:54:00 PM
LinuxSecurity.com: Multiple vulnerabilities have been discovered in Asterisk, an open source PBX and telephony toolkit, which may result in denial of service or information disclosure.

Ubuntu 3789-2: ClamAV vulnerabilities

Tuesday 16th of October 2018 07:38:00 PM
LinuxSecurity.com: ClamAV could be made to crash if it opened a specially crafted file.

RedHat: RHSA-2018-2933:01 Important: kernel security and bug fix update

Tuesday 16th of October 2018 06:56:00 PM
LinuxSecurity.com: An update for kernel is now available for Red Hat Enterprise Linux 6.5 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

RedHat: RHSA-2018-2930:01 Important: Red Hat JBoss Operations Network

Tuesday 16th of October 2018 05:06:00 PM
LinuxSecurity.com: An update is now available for Red Hat JBoss Operations Network. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

CentOS: CESA-2018-2921: Important CentOS 7 tomcat

Tuesday 16th of October 2018 04:57:00 PM
LinuxSecurity.com: Upstream details at: https://access.redhat.com/errata/RHSA-2018:2921

Debian LTS: DLA-1547-1: libpdfbox-java security update

Tuesday 16th of October 2018 04:02:00 PM
LinuxSecurity.com: It was discovered that there was a denial-of-service vulnerability in libpdfbox-java, a PDF library for Java. A malicious PDF file could have triggered an extremely long running

RedHat: RHSA-2018-2927:01 Important: Satellite 6.4 security, bug fix,

Tuesday 16th of October 2018 03:31:00 PM
LinuxSecurity.com: An update is now available for Red Hat Satellite 6.4 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

Ubuntu 3794-1: MoinMoin vulnerability

Tuesday 16th of October 2018 03:04:00 PM
LinuxSecurity.com: MoinMoin could be made to expose sensitive information if it received a specially crafted input.

RedHat: RHSA-2018-2924:01 Important: kernel security and bug fix update

Tuesday 16th of October 2018 02:50:00 PM
LinuxSecurity.com: An update for kernel is now available for Red Hat Enterprise Linux 6.6 Advanced Update Support and Red Hat Enterprise Linux 6.6 Telco Extended Update Support. Red Hat Product Security has rated this update as having a security impact

SciLinux: Important: tomcat on SL7.x (noarch)

Tuesday 16th of October 2018 02:25:00 PM
LinuxSecurity.com: tomcat: A bug in the UTF-8 decoder can lead to DoS (CVE-2018-1336). SL7 noarch: tomcat-servlet-3.0-api-7.0.76-8.el7_5.noarch.rpm tomcat-7.0.76-8.el7_5.noarch.rpm tomcat-admin-webapps-7.0.76-8.el7_5.noarch.rpm tomcat-docs-webapp-7.0.76-8.el7_5.noarch.rpm tomcat-el-2.2-api-7.0.76-8.el7_5.noarch.rpm tomcat-javadoc-7.0.76-8.el7_5.noarch.rpm tomcat-jsp-2.2-api-7.0.76-8.

Ubuntu 3792-2: Net-SNMP vulnerability

Tuesday 16th of October 2018 12:10:00 PM
LinuxSecurity.com: Net-SNMP could be made to crash if it received specially crafted network traffic.

RedHat: RHSA-2018-2921:01 Important: tomcat security update

Tuesday 16th of October 2018 08:35:00 AM
LinuxSecurity.com: An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

RedHat: RHSA-2018-2918:01 Important: ghostscript security update

Tuesday 16th of October 2018 02:26:00 AM
LinuxSecurity.com: An update for ghostscript is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

Ubuntu 3793-1: Thunderbird vulnerabilities

Monday 15th of October 2018 10:30:00 PM
LinuxSecurity.com: Several security issues were fixed in Thunderbird.

CentOS: CESA-2018-2918: Important CentOS 7 ghostscript

Monday 15th of October 2018 09:01:00 PM
LinuxSecurity.com: Upstream details at: https://access.redhat.com/errata/RHSA-2018:2918

CentOS: CESA-2018-2916: Important CentOS 7 spamassassin

Monday 15th of October 2018 09:01:00 PM
LinuxSecurity.com: Upstream details at: https://access.redhat.com/errata/RHSA-2018:2916

Debian: DSA-4319-1: spice security update

Monday 15th of October 2018 07:01:00 PM
LinuxSecurity.com: Frediano Ziglio reported a missing check in the script to generate demarshalling code in the SPICE protocol client and server library. The generated demarshalling code is prone to multiple buffer overflows. An authenticated attacker can take advantage of this flaw to cause a denial

Ubuntu 3792-1: Net-SNMP vulnerability

Monday 15th of October 2018 06:24:00 PM
LinuxSecurity.com: Net-SNMP could be made to crash if it received specially crafted network traffic.

More in Tux Machines

Browsing the web with Min, a minimalist open source web browser

Does the world need another web browser? Even though the days of having a multiplicity of browsers to choose from are long gone, there still are folks out there developing new applications that help us use the web. One of those new-fangled browsers is Min. As its name suggests (well, suggests to me, anyway), Min is a minimalist browser. That doesn't mean it's deficient in any significant way, and its open source, Apache 2.0 license piques my interest. Read more

Security: Patches, FUD and Voting Machines

  • libssh 0.8.4 and 0.7.6 security and bugfix release

    libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authenticate without any credentials.

  • A Cybersecurity Weak Link: Linux and IoT [Ed: Blaming "Linux" for companies that put default passwords on all their products? Windows has back doors.]
  • Undetectably bypass voting machines' anti-tamper mechanism with a bit of a soda-can

    But University of Michigan grad student Matt Bernhard has demonstrated that he can bypass the tamper-evident seals in seconds, using a shim made from a slice of a soda can. The bypass is undetectable and doesn't damage the seal, which can be resecured after an attacker gains access to the system.

  • Security Seals Used to Protect Voting Machines Can Be Easily Opened With Shim Crafted from a Soda Can

    Bernhard, who is an expert witness for election integrity activists in a lawsuit filed in Georgia to force officials to get rid of paperless voting machines used in that state, said the issue of security ties and seals came up in the lawsuit earlier this year when Fulton County Elections Director Richard Barron told the court that his Georgia county relies on tamper-evident metal and plastic ties to seal voting machines and prevent anyone with physical access to the machines from subverting them while they sit in polling places days before an election.

    [...]

    He noted that defeating ties and seals in non-tamper-evident ways isn’t the only method to wreak havoc on an election in Michigan. The state has a unique law that prohibits ballots from being used in a recount if the number of voters doesn't match the number of ballots cast at a precinct or if the seal on a ballot box is broken or has a different serial number than what it should have. Someone who wanted to wreak havoc on an election or alter an election outcome in Michigan could purposely tamper with ballot box seals in a way that is evident or simply replace them with a seal bearing a different serial number in order to get ballots excluded from a recount. The law came into sharp relief after the 2016 presidential election when Green Party candidate Jill Stein sought to get a statewide recount in Michigan and two other critical swing states and found that some precincts in Wayne County couldn't be recounted because the number of voters who signed the poll books—which get certified with a seal signed by officials—didn't match the number of ballots scanned on the voting machines.

OSS: Hedera Hashgraph, Service Providers, and Renaming the Bro Project

  • Hedera Hashgraph Distributed Ledger Technology Shares New Open-Source SDK [Ed: Hedera needs to delete GitHub, however, as the new head of GitHub killed Java projects like Hedera's]
    Hedera Hashgraph, one of the DApp facilitators within the blockchain industry recently announced that it has released its Software Development Kit (SDK) in Java.
  • Service Providers Should Adapt to Open Source World
    Finding differing opinions on open source with the telecom industry isn't hard to do, especially where orchestration is concerned. That's why a panel discussion on open source and MANO at the Light Reading NFV-Carrier SDN event in Denver seemed an odd place to find such outspoken agreement on that topic, but there it was. Four smart guys, none shy with their opinions, all seemed to agree on key points around open source, the need for standards, the role of vendors and the lack of internal software skills. But they also agreed that telecom service providers are struggling a bit to understand how to proceed in an open source world and still need some fundamental internal changes.
  • Renaming the Bro Project
    More than 20 years ago I chose the name "Bro" as "an Orwellian reminder that monitoring comes hand in hand with the potential for privacy violations", as the original Bro paper put it. Today that warning is needed more than ever ... but it's clear that now the name "Bro" is alas much more of a distraction than a reminder. On the Leadership Team of the Bro Project, we heard clear concerns from the Bro community that the name "Bro" has taken on strongly negative connotations, such as "Bro culture". These send a sharp, anti-inclusive - and wholly unintended and undesirable - message to those who might use Bro. The problems were significant enough that during BroCon community sessions, several people have mentioned substantial difficulties in getting their upper management to even consider using open-source software with such a seemingly ill-chosen, off-putting name.

Back End: Apache Kafka, 'Serverless'