[USN-5013-2] systemd vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5013-2
July 20, 2021
systemd vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in systemd.
Software Description:
- systemd: system and service manager
Details:
USN-5013-1 fixed several vulnerabilities in systemd. This update provides the corresponding update for Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that systemd incorrectly handled certain mount paths. A local attacker could possibly use this issue to cause systemd to crash, resulting in a denial of service. (CVE-2021-33910)
Mitchell Frank discovered that systemd incorrectly handled DHCP FORCERENEW packets. A remote attacker could possibly use this issue to reconfigure servers. (CVE-2020-13529)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.04 ESM: systemd 229-4ubuntu21.31+esm1
After a standard system update you need to reboot your computer to make all the necessary changes.
References:
  ubuntu.com/security/notices/USN-5013-2
  ubuntu.com/security/notices/USN-5013-1
  CVE-2020-13529, CVE-2021-33910

[USN-5013-1] systemd vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5013-1
July 20, 2021
systemd vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.04
- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in systemd.
Software Description:
- systemd: system and service manager
Details:
It was discovered that systemd incorrectly handled certain mount paths. A local attacker could possibly use this issue to cause systemd to crash, resulting in a denial of service. (CVE-2021-33910)
Mitchell Frank discovered that systemd incorrectly handled DHCP FORCERENEW packets. A remote attacker could possibly use this issue to reconfigure servers. (CVE-2020-13529)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 21.04: systemd 247.3-3ubuntu3.4
Ubuntu 20.10: systemd 246.6-1ubuntu1.7
Ubuntu 20.04 LTS: systemd 245.4-4ubuntu3.10
Ubuntu 18.04 LTS: systemd 237-3ubuntu10.49
After a standard system update you need to reboot your computer to make all the necessary changes.
References:
  ubuntu.com/security/notices/USN-5013-1
  CVE-2020-13529, CVE-2021-33910
Package Information:
  launchpad.net/ubuntu/+source/systemd/247.3-3ubuntu3.4
  launchpad.net/ubuntu/+source/systemd/246.6-1ubuntu1.7
  launchpad.net/ubuntu/+source/systemd/245.4-4ubuntu3.10
  launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.49

[Checkmk Announce] New Checkmk stable release 2.0.0p8

Dear friends of Checkmk,
the new stable release 2.0.0p8 of Checkmk is ready for download.
This maintenance release ships with 37 changes affecting all editions of Checkmk, 2 Enterprise Edition specific changes and 0 Managed Services Edition specific changes.

Changes in all Checkmk Editions:
BI:
* 12475 BI availability: Improved computation performance
* 12660 Improved data processing speed for BI availability computations
* 12662 FIX: Fixed BI tree layouts “Table: bottom up” and “Table: top down”
* 12656 FIX: Fixed incorrect sorted nodes within BI aggregations
Checks & agents:
* 13052 iis_app_pool_state: New check to monitor IIS Application Pool States
* 12325 FIX: Stabilize Windows Agent RunAs(User/Group) plugin feature
* 12986 FIX: apt: Handle Security Updates Line
* 13021 FIX: Fix crash in omd_status clustered check
* 12985 FIX: Local Checks: Make Min/Max Values Truly Optional
* 12984 FIX: Oracle RMAN Backup Monitoring in Dataguard Environments with Archivelog on Standby Side
* 13023 FIX: agent_prism: add support for multiline messages
* 13051 FIX: kaspersky_av_client: unhandled exception IndexError (list index out of range) in parse function
* 13063 FIX: lsi_disk: Fix setting expected disk state
* 12925 FIX: sap_hana_memrate: Fix graph for memory used
* 12918 FIX: ups_capacity: add missing perfometer
Core & setup:
* 13072 API: addition of downtime management in distributed monitoring setup
* 12954 FIX: generate default site configuration before Apache starts
  NOTE: Please refer to the migration notes!
* 12951 FIX: response format of all host_config/folder_config REST API endpoints
  NOTE: Please refer to the migration notes!
* 12844 FIX: REST API: Missing default tag groups in the REST API
* 12952 FIX: REST API: make endpoint responses more specific
  NOTE: Please refer to the migration notes!
* 12953 FIX: response conversion of all endpoints of REST API
  NOTE: Please refer to the migration notes!
HW/SW inventory:
* 12519 FIX: Inventory history: Fixed table styling
Livestatus proxy:
* 12659 Improved performance when querying lots of data
Other components:
* 12842 FIX: NagVis: Updated to 1.9.27
Setup:
* 12658 FIX: Fixed broken caching for host/service/contact groups in the GUI
* 12657 FIX: Fixed slow page rendering in rule analysis mode
* 12840 FIX: Host / service labels: Prevent to use label conditions in referred predefined conditions
* 12987 FIX: Loss Of Absolute JVM Memory Levels During Update From 1.6 To 2.0
* 11810 FIX: mkbackup: Fix locking problems
User interface:
* 12920 FIX: “Downtimes of service” is now below the topic Monitoring
* 12841 FIX: Customizing the “Staleness value” had no effect
* 12979 FIX: Fix “Element does not exist anymore” message in notification conditions
* 12978 FIX: Fix “User guide” link in “User” menu
* 12977 FIX: Fix UnboundLocalError on host import via CSV file
* 13022 FIX: Fix adding temperature graph to graph collections
* 12972 FIX: Fix wrong soft query limit warning
* 13024 FIX: Restore SLA timeline proportions
Changes in the Checkmk Enterprise Edition:
The Checkmk Micro Core:
* 13086 FIX: Log error messages from the ICMP sender again.
* 12175 FIX: Postpone notifications for passively checked objects, too.
Changes in the Checkmk Managed Services Edition:

You can download Checkmk from our download page:
* checkmk.com/download.php
Please mail bug reports and qualified feedback to feedback@checkmk.com.
We greatly thank you for using Checkmk and wish you a successful monitoring,
Your Checkmk Team

[USN-5012-1] containerd vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5012-1
July 20, 2021
containerd vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.04
- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
containerd could be made to overwrite file permissions.
Software Description:
- containerd: daemon to control runC
Details:
It was discovered that containerd incorrectly handled file permission changes. If a user or automated system were tricked into launching a specially crafted container image, a remote attacker could change permissions on files on the host filesystem and possibly escalate privileges.
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 21.04: containerd 1.5.2-0ubuntu1~21.04.2
Ubuntu 20.10: containerd 1.5.2-0ubuntu1~20.10.2
Ubuntu 20.04 LTS: containerd 1.5.2-0ubuntu1~20.04.2
Ubuntu 18.04 LTS: containerd 1.5.2-0ubuntu1~18.04.2
After a standard system update you need to restart containerd to make all the necessary changes.
References:
  ubuntu.com/security/notices/USN-5012-1
  CVE-2021-32760
Package Information:
  launchpad.net/ubuntu/+source/containerd/1.5.2-0ubuntu1~21.04.2
  launchpad.net/ubuntu/+source/containerd/1.5.2-0ubuntu1~20.10.2
  launchpad.net/ubuntu/+source/containerd/1.5.2-0ubuntu1~20.04.2
  launchpad.net/ubuntu/+source/containerd/1.5.2-0ubuntu1~18.04.2

[gentoo-announce] [ GLSA 202107-47 ] libpano13: Format string vulnerability

Gentoo Linux Security Advisory GLSA 202107-47
security.gentoo.org/
Severity: Normal
Title: libpano13: Format string vulnerability
Date: July 20, 2021
Bugs: #780486
ID: 202107-47
Synopsis
========
A format string vulnerability has been found in libpano13, potentially resulting in arbitrary code execution.
Background
==========
libpano13 is Helmut Dersch’s panorama toolbox library.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  media-libs/libpano13         < 2.9.20                  >= 2.9.20
Description
===========
A format string issue exists within panoFileOutputNamesCreate() where unvalidated input is passed directly into the formatter.
Impact
======
A remote attacker could entice a user to open a specially crafted file using libpano13, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All libpano13 users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/libpano13-2.9.20"
References
==========
[ 1 ] CVE-2021-20307 nvd.nist.gov/vuln/detail/CVE-2021-20307
Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
security.gentoo.org/glsa/202107-47
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users’ machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at bugs.gentoo.org.
License
=======
Copyright 2021 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
creativecommons.org/licenses/by-sa/2.5

[gentoo-announce] [ GLSA 202107-46 ] mpv: Format string vulnerability

Gentoo Linux Security Advisory GLSA 202107-46
security.gentoo.org/
Severity: Normal
Title: mpv: Format string vulnerability
Date: July 20, 2021
Bugs: #780474
ID: 202107-46
Synopsis
========
A format string vulnerability was found in mpv, potentially resulting in arbitrary code execution.
Background
==========
Video player based on MPlayer/mplayer2.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  media-video/mpv              < 0.33.1                  >= 0.33.1
Description
===========
mpv uses untrusted input within format strings.
Impact
======
A remote attacker could entice a user to open a specially crafted m3u playlist file using mpv, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All mpv users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-video/mpv-0.33.1"
References
==========
[ 1 ] CVE-2021-30145 nvd.nist.gov/vuln/detail/CVE-2021-30145
Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
security.gentoo.org/glsa/202107-46

[gentoo-announce] [ GLSA 202107-45 ] PyCharm Community, Professional: Remote code execution

Gentoo Linux Security Advisory GLSA 202107-45
security.gentoo.org/
Severity: Normal
Title: PyCharm Community, Professional: Remote code execution
Date: July 20, 2021
Bugs: #797892
ID: 202107-45
Synopsis
========
A vulnerability has been found in PyCharm Community and Professional, potentially resulting in arbitrary code execution.
Background
==========
PyCharm is the Python IDE for professional developers.
Affected packages
=================
-------------------------------------------------------------------
 Package                     /   Vulnerable   /         Unaffected
-------------------------------------------------------------------
1  dev-util/pycharm-community      < 2021.1.2           >= 2021.1.2
2  dev-util/pycharm-professional   < 2021.1.2           >= 2021.1.2
-------------------------------------------------------------------
2 affected packages
Description
===========
Insufficient validation exists within PyCharm’s checks for fetching projects from VCS.
Impact
======
If a victim can be enticed into fetching a VCS project via PyCharm, a remote attacker could achieve remote code execution.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All PyCharm Community users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-util/pycharm-community-2021.1.2"
All PyCharm Professional users should upgrade to the latest version:
  # emerge --sync
  # emerge -a --oneshot -v ">=dev-util/pycharm-professional-2021.1.2"
References
==========
[ 1 ] CVE-2021-30005 nvd.nist.gov/vuln/detail/CVE-2021-30005
Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
security.gentoo.org/glsa/202107-45

[gentoo-announce] [ GLSA 202107-44 ] libslirp: Multiple vulnerabilities

Gentoo Linux Security Advisory GLSA 202107-44
security.gentoo.org/
Severity: Low
Title: libslirp: Multiple vulnerabilities
Date: July 20, 2021
Bugs: #796347
ID: 202107-44
Synopsis
========
Multiple vulnerabilities have been found in libslirp, the worst of which could result in a Denial of Service condition.
Background
==========
libslirp is a TCP/IP emulator used to provide virtual networking services.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  net-libs/libslirp             < 4.6.0                   >= 4.6.0
Description
===========
Multiple vulnerabilities have been discovered in libslirp. Please review the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All libslirp users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/libslirp-4.6.0"
References
==========
[ 1 ] CVE-2021-3592 nvd.nist.gov/vuln/detail/CVE-2021-3592
[ 2 ] CVE-2021-3593 nvd.nist.gov/vuln/detail/CVE-2021-3593
[ 3 ] CVE-2021-3594 nvd.nist.gov/vuln/detail/CVE-2021-3594
[ 4 ] CVE-2021-3595 nvd.nist.gov/vuln/detail/CVE-2021-3595
Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
security.gentoo.org/glsa/202107-44

[gentoo-announce] [ GLSA 202107-43 ] RPM: Multiple vulnerabilities

Gentoo Linux Security Advisory GLSA 202107-43
security.gentoo.org/
Severity: Normal
Title: RPM: Multiple vulnerabilities
Date: July 20, 2021
Bugs: #778533, #787944
ID: 202107-43
Synopsis
========
Multiple vulnerabilities have been found in RPM, the worst of which could result in remote code execution.
Background
==========
The Red Hat Package Manager (RPM) is a command line driven package management system capable of installing, uninstalling, verifying, querying, and updating computer software packages.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  app-arch/rpm               < 4.16.1.3                >= 4.16.1.3
Description
===========
Multiple vulnerabilities have been discovered in RPM. Please review the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All RPM users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-arch/rpm-4.16.1.3"
References
==========
[ 1 ] CVE-2021-20266 nvd.nist.gov/vuln/detail/CVE-2021-20266
[ 2 ] CVE-2021-20271 nvd.nist.gov/vuln/detail/CVE-2021-20271
[ 3 ] CVE-2021-3421 nvd.nist.gov/vuln/detail/CVE-2021-3421
Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
security.gentoo.org/glsa/202107-43

[gentoo-announce] [ GLSA 202107-42 ] PJSIP: Multiple vulnerabilities

Gentoo Linux Security Advisory GLSA 202107-42
security.gentoo.org/
Severity: Low
Title: PJSIP: Multiple vulnerabilities
Date: July 20, 2021
Bugs: #775359
ID: 202107-42
Synopsis
========
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in a Denial of Service condition.
Background
==========
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  net-libs/pjproject          < 2.10-r1                 >= 2.10-r1
Description
===========
Multiple vulnerabilities have been discovered in PJSIP. Please review the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All PJSIP users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-libs/pjproject-2.10-r1"
References
==========
[ 1 ] CVE-2020-15260 nvd.nist.gov/vuln/detail/CVE-2020-15260
[ 2 ] CVE-2021-21375 nvd.nist.gov/vuln/detail/CVE-2021-21375
Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
security.gentoo.org/glsa/202107-42

GParted 1.3.1 Released

GParted is the GNOME Partition Editor for creating, reorganizing, and deleting disk partitions.
The GParted 1.3.1 release includes bug fixes and language translation updates.
Key changes include:
- Fix recognition of SD/MMC device names
- Make XFS copy duplicate the file system label and UUID
Visit gparted.org for more details.

[LSN-0078-1] Linux kernel vulnerability

Linux kernel vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
Summary
Several security issues were fixed in the kernel.
Software Description
- linux - Linux kernel
- linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke - Linux kernel for Google Container Engine (GKE) systems
- linux-gkeop - Linux kernel for Google Container Engine (GKE) systems
- linux-oem - Linux kernel for OEM systems
Details
Norbert Slusarek discovered a race condition in the CAN BCM networking protocol of the Linux kernel leading to multiple use-after-free vulnerabilities. A local attacker could use this issue to execute arbitrary code. (CVE-2021-3609)
Update instructions
The problem can be corrected by updating your kernel livepatch to the following versions:
Ubuntu 20.04 LTS
    gcp - 78.1
    generic - 78.1
    gke - 78.1
    gkeop - 78.1
    lowlatency - 78.1
Ubuntu 18.04 LTS
    generic - 78.1
    gke - 78.1
    gkeop - 78.1
    lowlatency - 78.1
    oem - 78.1
Ubuntu 16.04 ESM
    generic - 78.1
    lowlatency - 78.1
Support Information
Kernels older than the levels listed below do not receive livepatch updates. If you are running a kernel version earlier than the one listed below, please upgrade your kernel as soon as possible.
Ubuntu 20.04 LTS
    linux-aws - 5.4.0-1009
    linux-azure - 5.4.0-1010
    linux-gcp - 5.4.0-1009
    linux-gke - 5.4.0-1033
    linux-gkeop - 5.4.0-1009
    linux-oem - 5.4.0-26
    linux - 5.4.0-26
Ubuntu 18.04 LTS
    linux-aws - 4.15.0-1054
    linux-gke-4.15 - 4.15.0-1076
    linux-gke-5.4 - 5.4.0-1009
    linux-gkeop-5.4 - 5.4.0-1007
    linux-hwe-5.4 - 5.4.0-26
    linux-oem - 4.15.0-1063
    linux - 4.15.0-69
Ubuntu 16.04 ESM
    linux-aws - 4.4.0-1098
    linux-azure - 4.15.0-1063
    linux-azure - 4.15.0-1078
    linux-hwe - 4.15.0-69
    linux - 4.4.0-168
Ubuntu 14.04 ESM
    linux-lts-xenial - 4.4.0-168
References
- CVE-2021-3609

[gentoo-announce] [ GLSA 202107-41 ] Dovecot: Multiple vulnerabilities

Gentoo Linux Security Advisory GLSA 202107-41
security.gentoo.org/
Severity: Low
Title: Dovecot: Multiple vulnerabilities
Date: July 18, 2021
Bugs: #797349
ID: 202107-41
Synopsis
========
Multiple vulnerabilities have been found in Dovecot, the worst of which could result in a Denial of Service condition.
Background
==========
Dovecot is an open source IMAP and POP3 email server.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  net-mail/dovecot           < 2.3.14.1                >= 2.3.14.1
Description
===========
Multiple vulnerabilities have been discovered in Dovecot. Please review the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Dovecot users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.3.14.1"
References
==========
[ 1 ] CVE-2021-29157 nvd.nist.gov/vuln/detail/CVE-2021-29157
[ 2 ] CVE-2021-33515 nvd.nist.gov/vuln/detail/CVE-2021-33515
Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
security.gentoo.org/glsa/202107-41

[gentoo-announce] [ GLSA 202107-40 ] MediaWiki: Multiple vulnerabilities

Gentoo Linux Security Advisory GLSA 202107-40
security.gentoo.org/
Severity: Low
Title: MediaWiki: Multiple vulnerabilities
Date: July 17, 2021
Bugs: #780654, #797661
ID: 202107-40
Synopsis
========
Multiple vulnerabilities have been found in MediaWiki, the worst of which could result in a Denial of Service condition.
Background
==========
MediaWiki is a collaborative editing software used by large projects such as Wikipedia.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  www-apps/mediawiki           < 1.36.1                  >= 1.36.1
Description
===========
Multiple vulnerabilities have been discovered in MediaWiki. Please review the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All MediaWiki users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-apps/mediawiki-1.36.1"
References
==========
[ 1 ] CVE-2021-30152 nvd.nist.gov/vuln/detail/CVE-2021-30152
[ 2 ] CVE-2021-30154 nvd.nist.gov/vuln/detail/CVE-2021-30154
[ 3 ] CVE-2021-30155 nvd.nist.gov/vuln/detail/CVE-2021-30155
[ 4 ] CVE-2021-30157 nvd.nist.gov/vuln/detail/CVE-2021-30157
[ 5 ] CVE-2021-30158 nvd.nist.gov/vuln/detail/CVE-2021-30158
[ 6 ] CVE-2021-30159 nvd.nist.gov/vuln/detail/CVE-2021-30159
[ 7 ] CVE-2021-30458 nvd.nist.gov/vuln/detail/CVE-2021-30458
[ 8 ] CVE-2021-35197 nvd.nist.gov/vuln/detail/CVE-2021-35197
Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
security.gentoo.org/glsa/202107-40

[gentoo-announce] [ GLSA 202107-39 ] Apache Commons FileUpload: Multiple vulnerabilities

Gentoo Linux Security Advisory GLSA 202107-39
security.gentoo.org/
Severity: Low
Title: Apache Commons FileUpload: Multiple vulnerabilities
Date: July 17, 2021
Bugs: #739350
ID: 202107-39
Synopsis
========
Multiple vulnerabilities have been found in Apache Commons FileUpload, the worst of which could result in a Denial of Service condition.
Background
==========
The Apache Commons FileUpload package makes it easy to add robust, high-performance, file upload capability to your servlets and web applications.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  dev-java/commons-fileupload    <= 1.3                Vulnerable!
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate to another package if one is available or wait for the existing packages to be marked stable by their architecture maintainers.
Description
===========
Multiple vulnerabilities have been discovered in Apache Commons FileUpload. Please review the CVE identifiers referenced below for details.
Impact
======
Please review the referenced CVE identifiers for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
Gentoo has discontinued support for Apache Commons FileUpload. We recommend that users unmerge it:
  # emerge --ask --depclean "dev-java/commons-fileupload"
NOTE: The Gentoo developer(s) maintaining Apache Commons FileUpload have discontinued support at this time. It may be possible that a new Gentoo developer will update Apache Commons FileUpload at a later date. We do not have a suggestion for a replacement at this time.
References
==========
[ 1 ] CVE-2013-0248 nvd.nist.gov/vuln/detail/CVE-2013-0248
[ 2 ] CVE-2014-0050 nvd.nist.gov/vuln/detail/CVE-2014-0050
[ 3 ] CVE-2016-3092 nvd.nist.gov/vuln/detail/CVE-2016-3092
Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
security.gentoo.org/glsa/202107-39

[gentoo-announce] [ GLSA 202107-38 ] Apache: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202107-38
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: Apache: Multiple vulnerabilities
Date: July 17, 2021
Bugs: #795231
ID: 202107-38
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis ========
Multiple vulnerabilities have been found in Apache, the worst of which could result in a Denial of Service condition.
Background ==========
The Apache HTTP server is one of the most popular web servers on the Internet.
Affected packages =================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1  www-servers/apache  < 2.4.48  >= 2.4.48
Description ===========
Multiple vulnerabilities have been discovered in Apache. Please review the CVE identifiers referenced below for details.
Impact ======
Please review the referenced CVE identifiers for details.
Workaround ==========
There is no known workaround at this time.
Resolution ==========
All Apache users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.48"
References ==========
[ 1 ] CVE-2019-17567 nvd.nist.gov/vuln/detail/CVE-2019-17567
[ 2 ] CVE-2020-13950 nvd.nist.gov/vuln/detail/CVE-2020-13950
[ 3 ] CVE-2020-35452 nvd.nist.gov/vuln/detail/CVE-2020-35452
[ 4 ] CVE-2021-26690 nvd.nist.gov/vuln/detail/CVE-2021-26690
[ 5 ] CVE-2021-26691 nvd.nist.gov/vuln/detail/CVE-2021-26691
[ 6 ] CVE-2021-30641 nvd.nist.gov/vuln/detail/CVE-2021-30641
[ 7 ] CVE-2021-31618 nvd.nist.gov/vuln/detail/CVE-2021-31618
Availability ============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
security.gentoo.org/glsa/202107-38

[ANNOUNCEMENT] Gnote 41.alpha released

Gnote 41.alpha has been released!
You can download it here: download.gnome.org/sources/gnote/41/
New Features:
* Build system changed to meson
* Plugins now stored in plugins folder instead of addins
Fixes:
* Fix synchronization when files are larger than 64k (#50)
* Stopped using lots of Glib and Gtk deprecations
Translations:
* Updated translations:
  - Brazilian Portuguese (pt_BR)
  - Catalan (ca)
  - Chinese (China) (zh_CN)
  - Danish (da)
  - Indonesian (id)
  - Polish (pl)
  - Romanian (ro)
  - Ukrainian (uk)
  - Serbian (sr)
  - Spanish (es)
  - Swedish (sv)
* Added Dutch translation (nl)
* Updated Lithuanian manual (lt)
* Updated Polish manual (pl)
* Updated Ukrainian manual (uk)
* Updated Swedish manual (sv)

[gentoo-announce] [ GLSA 202107-37 ] Apache Commons Collections: Remote code execution

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202107-37
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Apache Commons Collections: Remote code execution
Date: July 16, 2021
Bugs: #739348
ID: 202107-37
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis ========
Apache Commons Collections unsafely deserializes untrusted input, potentially resulting in arbitrary code execution.
Background ==========
Apache Commons Collections extends the JCF classes with new interfaces, implementations and utilities.
Affected packages =================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1  dev-java/commons-collections  < 3.2.2  >= 3.2.2
Description ===========
Some classes in the Apache Commons Collections functor package deserialized potentially untrusted input by default.
Impact ======
Deserializing untrusted input using Apache Commons Collections could result in remote code execution.
Workaround ==========
There is no known workaround at this time.
Resolution ==========
All Apache Commons Collections users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/commons-collections-3.2.2"
References ==========
[ 1 ] CVE-2017-15708 nvd.nist.gov/vuln/detail/CVE-2017-15708
Availability ============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
security.gentoo.org/glsa/202107-37

[CentOS-announce] CESA-2021:2741 Important CentOS 7 firefox Security Update

CentOS Errata and Security Advisory 2021:2741 Important
Upstream details at : access.redhat.com/errata/RHSA-2021:2741
The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )
x86_64:
d09bdd004c3fac87661119d619afb43d9ad9824ef8a2e58fa51c55f0211f12d9 firefox-78.12.0-1.el7.centos.i686.rpm
6a6db0a030199ad5a8e0edde0f8458ca5391f94ac4ccd7a93c3c186326026cc3 firefox-78.12.0-1.el7.centos.x86_64.rpm
Source:
fd28ed7ab0523d22a76adadf6f4da17f29f7bba08cc83e43af80bf3e0bd490b0 firefox-78.12.0-1.el7.centos.src.rpm

[USN-5010-1] QEMU vulnerabilities

==========================================================================
Ubuntu Security Notice USN-5010-1
July 15, 2021

qemu vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.04
- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in QEMU.
Software Description:
- qemu: Machine emulator and virtualizer
Details:
Lei Sun discovered that QEMU incorrectly handled certain MMIO operations. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2020-15469)
Wenxiang Qian discovered that QEMU incorrectly handled certain ATAPI commands. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 21.04. (CVE-2020-29443)
Cheolwoo Myung discovered that QEMU incorrectly handled SCSI device emulation. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2020-35504, CVE-2020-35505, CVE-2021-3392)
Alex Xu discovered that QEMU incorrectly handled the virtio-fs shared file system daemon. An attacker inside the guest could possibly use this issue to read and write to host devices. This issue only affected Ubuntu 20.10. (CVE-2020-35517)
It was discovered that QEMU incorrectly handled ARM Generic Interrupt Controller emulation. An attacker inside the guest could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 20.10. (CVE-2021-20221)
Alexander Bulekov, Cheolwoo Myung, Sergej Schumilo, Cornelius Aschermann, and Simon Werner discovered that QEMU incorrectly handled e1000 device emulation. An attacker inside the guest could possibly use this issue to cause QEMU to hang, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 20.10. (CVE-2021-20257)
It was discovered that QEMU incorrectly handled SDHCI controller emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, when QEMU is used in combination with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2021-3409)
It was discovered that QEMU incorrectly handled certain NIC emulation devices. An attacker inside the guest could possibly use this issue to cause QEMU to hang or crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 20.10. (CVE-2021-3416)
Remy Noel discovered that QEMU incorrectly handled the USB redirector device. An attacker inside the guest could possibly use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2021-3527)
It was discovered that QEMU incorrectly handled the virtio vhost-user GPU device. An attacker inside the guest could possibly use this issue to cause QEMU to consume resources, leading to a denial of service. This issue only affected Ubuntu 20.04 LTS, Ubuntu 20.10, and Ubuntu 21.04. (CVE-2021-3544)
It was discovered that QEMU incorrectly handled the virtio vhost-user GPU device. An attacker inside the guest could possibly use this issue to obtain sensitive host information. This issue only affected Ubuntu 20.04 LTS, Ubuntu 20.10, and Ubuntu 21.04. (CVE-2021-3545)
It was discovered that QEMU incorrectly handled the virtio vhost-user GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, when QEMU is used in combination with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 20.04 LTS, Ubuntu 20.10, and Ubuntu 21.04. (CVE-2021-3546)
It was discovered that QEMU incorrectly handled the PVRDMA device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, when QEMU is used in combination with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 20.04 LTS, Ubuntu 20.10, and Ubuntu 21.04. (CVE-2021-3582, CVE-2021-3607, CVE-2021-3608)
It was discovered that QEMU SLiRP networking incorrectly handled certain UDP packets. An attacker inside a guest could possibly use this issue to leak sensitive information from the host. (CVE-2021-3592, CVE-2021-3593, CVE-2021-3594, CVE-2021-3595)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 21.04:
  qemu-system 1:5.2+dfsg-9ubuntu3.1
  qemu-system-arm 1:5.2+dfsg-9ubuntu3.1
  qemu-system-mips 1:5.2+dfsg-9ubuntu3.1
  qemu-system-misc 1:5.2+dfsg-9ubuntu3.1
  qemu-system-ppc 1:5.2+dfsg-9ubuntu3.1
  qemu-system-s390x 1:5.2+dfsg-9ubuntu3.1
  qemu-system-sparc 1:5.2+dfsg-9ubuntu3.1
  qemu-system-x86 1:5.2+dfsg-9ubuntu3.1
  qemu-system-x86-microvm 1:5.2+dfsg-9ubuntu3.1
  qemu-system-x86-xen 1:5.2+dfsg-9ubuntu3.1
Ubuntu 20.10:
  qemu-system 1:5.0-5ubuntu9.9
  qemu-system-arm 1:5.0-5ubuntu9.9
  qemu-system-mips 1:5.0-5ubuntu9.9
  qemu-system-misc 1:5.0-5ubuntu9.9
  qemu-system-ppc 1:5.0-5ubuntu9.9
  qemu-system-s390x 1:5.0-5ubuntu9.9
  qemu-system-sparc 1:5.0-5ubuntu9.9
  qemu-system-x86 1:5.0-5ubuntu9.9
  qemu-system-x86-microvm 1:5.0-5ubuntu9.9
  qemu-system-x86-xen 1:5.0-5ubuntu9.9
Ubuntu 20.04 LTS:
  qemu-system 1:4.2-3ubuntu6.17
  qemu-system-arm 1:4.2-3ubuntu6.17
  qemu-system-mips 1:4.2-3ubuntu6.17
  qemu-system-misc 1:4.2-3ubuntu6.17
  qemu-system-ppc 1:4.2-3ubuntu6.17
  qemu-system-s390x 1:4.2-3ubuntu6.17
  qemu-system-sparc 1:4.2-3ubuntu6.17
  qemu-system-x86 1:4.2-3ubuntu6.17
  qemu-system-x86-microvm 1:4.2-3ubuntu6.17
  qemu-system-x86-xen 1:4.2-3ubuntu6.17
Ubuntu 18.04 LTS:
  qemu-system 1:2.11+dfsg-1ubuntu7.37
  qemu-system-arm 1:2.11+dfsg-1ubuntu7.37
  qemu-system-mips 1:2.11+dfsg-1ubuntu7.37
  qemu-system-misc 1:2.11+dfsg-1ubuntu7.37
  qemu-system-ppc 1:2.11+dfsg-1ubuntu7.37
  qemu-system-s390x 1:2.11+dfsg-1ubuntu7.37
  qemu-system-sparc 1:2.11+dfsg-1ubuntu7.37
  qemu-system-x86 1:2.11+dfsg-1ubuntu7.37
After a standard system update you need to restart all QEMU virtual machines to make all the necessary changes.
References:
  ubuntu.com/security/notices/USN-5010-1
  CVE-2020-15469, CVE-2020-29443, CVE-2020-35504, CVE-2020-35505, CVE-2020-35517, CVE-2021-20221, CVE-2021-20257, CVE-2021-3392, CVE-2021-3409, CVE-2021-3416, CVE-2021-3527, CVE-2021-3544, CVE-2021-3545, CVE-2021-3546, CVE-2021-3582, CVE-2021-3592, CVE-2021-3593, CVE-2021-3594, CVE-2021-3595, CVE-2021-3607, CVE-2021-3608
Package Information:
  launchpad.net/ubuntu/+source/qemu/1:5.2+dfsg-9ubuntu3.1
  launchpad.net/ubuntu/+source/qemu/1:5.0-5ubuntu9.9
  launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.17
  launchpad.net/ubuntu/+source/qemu/1:2.11+dfsg-1ubuntu7.37