BLFS Security Advisories for 10.1

BLFS Security Advisories for BLFS 10.1 and the current development books.

BLFS-10.1 was released on 2021-03-01

This page is in alphabetical order of packages, and if a package has multiple advisories the newer come first.

The links at the end of each item point to fuller details which have links to the released books.

In general, the severity is taken from upstream, if supplied, or from NVD (https://nvd.nist.gov/vuln/detail/) if an analysis is available there, but individual severity ratings at NVD can change over time. If no other information is available, 'High' will normally be assumed.

Apache ANT

10.1 076 Apache ANT Date: 2021-07-17 Severity: Moderate

Two security vulnerabilities were fixed in apache-ant-1.10.11 that could lead to out-of-memory conditions when extracting JARs, ZIPs, and TARs during a build process. To fix these, update to apache-ant-1.10.11 or later. 10.1-076

Apache HTTPD

10.1 060 Apache HTTPD Updated: 2021-06-15 Severity: Moderate

Seven vulnerabilities were fixed in httpd-2.4.48, of which three were rated as moderate by upstream. To fix these update to Apache HTTPD-2.4.48 or later. 10.1-060

APR

10.1 102 APR Date: 2021-08-26 Severity: High

In apr-1.7.0, an easily-exploitable security vulnerability exists that allows for an out-of-bounds array read by using a month greater than 12 inside of an input to some APR functions. This vulnerability was originally fixed in 2017, but the fix was not carried over into the apr-1.7.x branch due to a problem in Apache's Subversion repositories. It has been fixed with a sed in the development book, which you should apply. 10.1-102

Avahi

10.1 028 Avahi Date: 2021-04-14 Severity: Medium

A security vulnerability was discovered in Avahi that could allow a local attacker to trigger an infinite loop by writing long lines to /run/avahi-daemon/socket. To fix this, apply a sed in the Avahi page. For more details, see the advisory linked here: 10.1-028

BIND

10.1 097 BIND Date: 2021-08-19 Severity: High

In BIND-9.16.20, a trivial-to-exploit remote denial of service vulnerability was fixed. The National Vulnerability Database and ISC have rated this vulnerability as High. To fix this, update to BIND-9.16.20 or later. 10.1-097

10.1 037 BIND Date: 2021-05-01 Severity: High

In BIND-9.16.15, three security vulnerabilities were fixed, one of which can result in remote code execution on 32-bit platforms. The other two vulnerabilities result in crashes when certain queries are executed against the DNS server. To fix these, update to BIND-9.16.15 or later. 10.1-037

c-ares

10.1 090 c-ares Date: 2021-08-12 Severity: Moderate

In c-ares-1.17.2, a security vulnerability was fixed that could allow for domain hijacking due to improper input validation. The developers suggest upgrading immediately to c-ares-1.17.2. Update to c-ares-1.17.2 or later. 10.1-090

cifs-utils

10.1 030 cifs-utils Date: 2021-04-13 Severity: Medium

In cifs-utils-6.13, a security vulnerability was fixed that could lead to privilege escalation or authentication credential leaks when running the "cifs.upcall" command when Kerberos support is enabled. Update to cifs-utils-6.13 or later. 10.1-030

cURL

DHCP

10.1 053 ISC DHCP Date: 2021-05-29 Severity: High

ISC DHCP-4.4.2-P1 fixed a buffer overrun vulnerability that could lead to a disruption of network services or for DHCP leases to be improperly terminated. Update to DHCP-4.4.2-P1 or later to fix this. 10.1-053

Dovecot

10.1 066 Dovecot Date: 2021-06-29 Severity: High

Dovecot-2.3.15 fixed two security vulnerabilities which could allow for command injection and path traversal. The highest risk is emails and passwords being forwarded to an attacker-controlled address, but the path traversal is known to allow for an authentication bypass over OAuth2. Update to dovecot-2.3.15 or later to fix these. 10.1-066

Exim

10.1 038 Exim Date: 2021-05-04 Severity: Critical

Exim-4.92.4 fixed 21 vulnerabilities, several of which allowing for remote code execution, modification of mails, privilege escalation, arbitary code execution, modification/deletion of system files, and more. If you have Exim installed, update to Exim-4.92.4 immediately. 10.1-038

Exiv2

10.1 063 Exiv2 Date: 2021-06-19 Severity: High

Nine CVEs were fixed in Exiv2-0.27.4, all of which can be exploited remotely through a web browser. Most of these vulnerabilities are classified as denial of service, but some are information disclosure vulnerabilities as well as arbitrary code execution vulnerabilities. To fix these, update to exiv2-0.27.4 or later. 10.1-063.

10.1 046 Exiv2 Date: 2021-05-17 Severity: High

Five CVEs in exiv2-0.27.3, one rated as High, have been fixed upstream but as yet there is no new release. To fix these apply the patch from the development books or upgrade to a later version when one is released. 10.1-046.

Fetchmail

10.1 085 Fetchmail Date: 2021-07-30 Severity: Low

Fetchmail before version 6.4.20 was missing initialization of a variable, leading in some circumstances to reading from bad memory locations. This can cause it to log random information (information disclosure), or to segfault, stalling inbound mail. To fix this, update to fetchmail-6.4.20 or later. 10.1-085

Firefox

Firefox-78 series Updated: 2021-11-02 Severity: at End of life

If you are still using firefox-78 you should update to the current version of the firefox-91 series. See the updates for the BLFS-11.0 books.

10.1 095 Firefox Date: 2021-08-17 Severity: High

In firefox 91.0.1 one vulnerabilitiy rated as High was fixed. This vulnerability does not apply to normal builds of legacy firefox-78. To fix this, update to firefox-91.0.1 or later. 10.1-095

10.1 089 Firefox Date: 2021-08-11 Severity: High

In firefox 78.13.0 and 91.0, five vulnerabilities rated as High and one rated as moderate were fixed. To fix these either update to firefox-91.0 or later, or to legacy firefox-78.13.0 or later. 10.1-089

10.1 075 Firefox Date: 2021-07-13 Severity: High

In firefox 78.12.0 two vulnerabilities rated as High were fixed. To fix these, update to firefox-78.12.0 or later. 10.1-075

10.1 055 Firefox Date: 2021-06-01 Severity: High

In firefox 78.11.0 two vulnerabilities were fixed, one rated as High. To fix these, update to firefox-78.11.0 or later. 10.1-055

10.1 032 Firefox Date: 2021-04-19 Severity: High

In firefox 78.10.0 several vulnerabilities were fixed, two are rated as High. To fix these, update to firefox-78.10.0 or later. 10.1-032

10.1 008 Firefox Date: 2021-03-23 Severity: High

In firefox 78.9.0 several vulnerabilities were fixed, two are rated as High. To fix these, update to firefox-78.9.0 or later. 10.1-008

Flac

10.1 022 Flac Date: 2021-04-02 Severity: Medium

In Flac up to and including 1.3.3, a heap buffer overflow could lead to remote information disclosure. This has been fixed upstream but no new version has been released. To fix this apply the patch from the development books or upgrade to a later version if one is released. 10.1-022.

glib2

10.1 017 glib2 Updated: 2021-04-14 Severity: High

A medium severity security vulnerability was discovered in glib2 that may allow for arbitrary file overwrites to happen via a symlink attack. An additional high severity security vulnerabilty was discovered that allowed for unintended length truncation. To fix this, update to glib2-2.66.8 or later. 10-1-017

GnuTLS

10.1 004 GnuTLS Date: 2021-03-12 Severity: Low

The client sending a "key_share" or "pre_share_key" extension may result in dereferencing a pointer no longer valid after realloc(). To fix this, upgrade to GnuTLS 3.7.1 or later versions. 10.1-004

Gstreamer

10.1 007 Gstreamer Date: 2021-03-16 Severity: High

Five security vulnerabilities were fixed in gstreamer-1.18.4. These vulnerabilities may lead to arbitrary code execution and application crashes. To fix this, upgrade the gstreamer stack to 1.18.4 or later. 10.1-007

Intel Microcode

10.1 059 Intel Microcode Date: 2021-06-08 Severity: High

Intel microcode for Skylake and later processors has been updated to fix three vulnerabilities, a privilege escalation via Virtualization for direct I/O, rated as High, and two potential disclosures of sensitive information via local access. To fix these, update affected machines to microcode-20210608 or later. 10.1-059

JS78

10.1 088 JS78 Date: 2021-08-11 Severity: High (low for BLFS packages using this)

In the javascript JIT code of firefox-78.13.0 there is a fix for incorrect instruction reordering during JIT optimization, CVE-2021-29984. In BLFS, JS78 is used by GJS and Polkit, but neither use JIT at the moment.

To apply these fixes, upgrade to JS-78.13.0 or later. 10.1-088

10.1 009 JS78 Date: 2021-03-23 Severity: Medium

In the javascript code of firefox-78.9.0 there are hardening fixes against Spectre attacks. To apply these, upgrade to JS-78.9.0 or later. 10.1-009

libarchive

10.1 100 libarchive Date: 2021-08-26 Severity: Medium

Some vulnerabilities (mishandling of symlinks) have been fixed in libarchive-3.5.2. The vulnerabilities may be exploited to overwrite file contents, flags, or ACL entries. To fix these, update to libarchive-3.5.2 or later. 10.1-100.

libgcrypt

10.1 101 libgcrypt Date: 2021-08-26 Severity: High

A denial of service and decryption vulnerability was fixed in libgcrypt-1.9.4. This vulnerability has existed since the year 2000. If you have libgcrypt installed, update to libgcrypt-1.9.4 as soon as possible. 10.1-101.

libjpeg-turbo

10.1 042 libjpeg-turbo Date: 2021-05-12 Severity: Low

A denial of service vulnerability (divide by zero) was fixed in libjpeg-turbo-2.1.0. Note that only the 'cjpeg' tool is affected, and the worst impact is the 'cjpeg' program crashing, thus it has been rated as Low. Update to libjpeg-turbo-2.1.0 or later. 10.1-042.

librsvg

10.1 031 librsvg Date: 2021-04-14 Severity: Medium

In librsvg-2.50.4, a security vulnerability in a bundled rust crate was fixed that could lead to variables lasting for longer than originally expected, leading to memory corruption scenarios. Update to librsvg-2.50.4 or later. 10.1-031.

Libssh2

10.1 023 Libssh2 Date: 2021-04-02 Severity: High

In Libssh2-1.9.0 and earlier, a crafted SSH server may be able to disclose sensitive information or cause a denial of service when the client connects. This has been fixed upstream but no new version has been released. To fix this apply the patch from the development books or upgrade to a later version if one is released. 10.1-023.

libuv

10.1 073 libuv Date: 2021-07-09 Severity: Moderate

A security vulnerability was fixed in libuv-1.41.1 that could lead to information disclosure in applications that use libuv's ASCII converter or the uv_getaddrinfo() function. To fix this, update to libuv-1.41.1 or later. 10.1-073.

libX11

10.1 050 libX11 Date: 2021-05-18 Severity: Critical

A security vulnerability was fixed in libX11-1.7.1 that could allow for API protocol command injection. This vulnerability has existed since 1986. This vulnerability is rated as critical because it can be exploited without user interaction and can lead to the X server's authorization protocol being disabled. Update to libX11-1.7.1 or later as soon as possible. 10.1-050.

libxml2

10.1 047 libxml2 Date: 2021-05-18 Severity: Medium

A security vulnerability was fixed in libxml2-2.9.12 that may allow for resource exhaustion when processing a crafted XML file. This may occur through an exponential entity expansion attack, and it bypasses all existing protection mechanisms. Update to libxml2-2.9.12 or later. 10.1-047.

lxml

10.1 014 lxml Date: 2021-03-27 Severity: Medium

Improper input sanitization may lead to cross-site-scripting via JavaScript code being inserted into the output of an HTML file. This was fixed by adding proper input sanitization for the HTML5 formaction attribute. To fix this, update to lxml-4.6.3. 10.1-014.

MariaDB

10.1 087 MariaDB Date: 2021-08-08 Severity: Medium

Two difficult to exploit remote denial of service vulnerabilities were fixed in MariaDB-10.6.4. Successful exploitation may result in hangs or repeatable crashes of the MariaDB database server. Update to MariaDB-10.6.4. 10.1-087

10.1 044 MariaDB Date: 2021-05-12 Severity: Medium

Two easily exploitable remote denial of service vulnerabilities were fixed in MariaDB-10.5.10. Successful exploitation may result in repeatable crashes of the MariaDB database server. Update to MariaDB-10.5.10. 10.1-004

MC

10.1 096 MC Date: 2021-08-19 Severity: High

A security vulnerability exists in MC before 4.8.27 that could allow for a spoofing attack because SSH Fingerprints are not verified upon a successful SFTP connection. To fix this, update to MC-4.8.27. 10.1-096

MIT Kerberos V5

10.1 086 MIT Kerberos V5 Date: 2021-08-08 Severity: Medium

A denial of service attack (daemon crash) may be performed by a rare attacker in a rarely used configuration. If you are using Kerberos as anything other than a build dependency, you should update immediately. To fix this, update to MIT Kerberos V5-1.19.2. 10.1-086

MuPDF

10.1 003 MuPDF Date: 2021-03-10 Severity: Medium

A double free may lead to memory corruption and other potential consequences. To fix this, apply the patch in the link. 10.1-003

Nettle

10.1 013 Nettle Date: 2021-03-27 Severity: High

A serious bug was found in the way that Nettle handles ECDSA signature verification that can lead to crashes, improper output, or other unspecified impacts. Update to Nettle-3.7.2 as soon as possible. 10.1-013.

NetworkManager

10.1 068 NetworkManager Date: 2021-06-30 Severity: Medium

In NetworkManager-1.32.2, a security vulnerability was fixed that could allow for a remote attacker to reconfigure your network settings in rare circumstances if a rare plugin (dhcp=systemd) was enabled. If you're using systemd-networkd to handle getting IP addresses via DHCP, update to NetworkManager-1.32.2 or later. 10.1-068

10.1 029 NetworkManager Date: 2021-04-14 Severity: Low

In NetworkManager-1.30.2, a security vulnerability was discovered that could result in an attacker crashing NetworkManager by setting a 'match.path' value in a Network file. To fix this, apply the sed in BLFS linked in the advisory. 10.1-029

Node.js

10.1 091 node.js Updated: 2021-08-31 Severity: Critical

Node.js-14.17.5 fixed three vulnerabilities, one rated as critical. To fix these, update to v14.17.5 or later. 10.1-091

10.1 084 node.js Date: 2021-07-30 Severity: High

Node.js-14.17.4 fixed a vulnerability to a use after free attack, where an attacker might be able to exploit the memory corruption to change process behaviour. Update to v14.17.4 or later. 10.1-084

10.1 070 node.js Date: 2021-07-09 Severity: Medium

Node.JS-14.17.2 fixed a security vulnerability that could lead to information disclosures in programs using Node's DNS module lookup() function. Update to v14.17.3 or later. 10.1-070

10.1 025 node.js Date: 2021-04-09 Severity: High

Node.JS-14.16.1 fixed three security vulnerabilities. Two are in OpenSSL and you should have already fixed those (10.1-011), the third is in the y18n package used in npm. Update to v14.16.1 or later. 10.1-025

ntfs-3g

10.1 105 ntfs-3g Date: 2021-08-31 Severity: Critical

21 security vulnerabilites were fixed in ntfs-3g-2021.8.22 that could lead to arbitrary code execution when processing NTFS metadata. The ntfs-3g developers suggest updating to 2021.8.22 immediately. These vulnerabilities can be exploited automatically when automounting is setup in Desktop Environments. Update to ntfs-3g-2021.8.22 or higher. 10.1-105

OpenJDK

10.1 094 OpenJDK Date: 2021-08-17 Severity: High

Six vulnerabilities were fixed in OpenJDK-16.0.2 that could allow for complete takeover of the JDK environment, unauthorized modification of data, and denial of service. Updating to OpenJDK-16.0.2 via the binary or the source version is recommended. Update to OpenJDK-16.0.2 or higher. 10.1-094

OpenSSH

10.1 036 OpenSSH Date: 2021-05-01 Severity: Medium

A vulnerability was fixed in OpenSSH-8.6p1 that was introduced in OpenSSH-8.5p1. OpenSSH-8.5p1 added the LogVerbose flag, which can be used to escape the sandbox of the lower-privileged process and lead to privilege escalation. Update to OpenSSH-8.6p1 if you use the LogVerbose option. 10.1-036

10.1 001 OpenSSH Date: 2021-03-03 Severity: Medium

A difficult to exploit double-free security vulnerability was discovered in OpenSSH. Update to OpenSSH-8.5p1 if you use the "ssh-agent" program. 10.1-001

PDFBox (FOP)

10.1 061 PDFBox (FOP) Date: 2021-06-15 Severity: Medium

Two security vulnerabilities were fixed that could lead to infinite loops or OutOfMemory exceptions when processing crafted input. Update the supplemental JARs (PDFBox and FontBox) in FOP to 2.0.24 if you have FOP installed. 10.1-061

10.1 010 PDFBox (FOP) Date: 2021-03-25 Severity: Medium

PHP

10.1 069 PHP Date: 2021-07-01 Severity: Moderate

In PHP-8.0.8, two security vulnerabilities were fixed that could lead to remote code execution and attacker-controlled redirects. However, both options are used in uncommon situations. Update to PHP-8.0.8 if you use a Firebird database or if you are processing URLs in a PHP file. 10.1-069

Polkit

10.1 058 Polkit Date: 2021-06-06 Severity: High

In Polkit-0.119, a security vulnerability was fixed that could allow for local users to bypass authentication checks and execute commands in the context of the root user. This is due to improper error value detection. Update to Polkit-0.119 to fix this. 10.1-058

PostgreSQL

10.1 092 PostgreSQL Date: 2021-08-13 Severity: High

A security vulnerability was fixed in PostgreSQL-13.4 that could allow for authenticated database users to read arbitrary bytes in server memory via a purpose crafted query. A workaround is present in the advisory, but updating to PostgreSQL-13.4 or later is suggested. 10.1-092

10.1 049 PostgreSQL Date: 2021-05-18 Severity: Medium

Three security vulnerabilities were fixed in PostgreSQL-13.3 that could allow for a remote attacker to read and write arbitrary locations in memory by executing certain database commands. Update to PostgreSQL-13.3 or later. 10.1-049

Python 2

10.1 019 Python 2 Date: 2021-03-31 Severity: Critical

Multiple vulnerabilities are fixed in Python 3, but Python 2 has not (and won't) receive any fixes since it is EOL'ed. It's recommended to stop using Python 2 and port the applications to use Python 3 instead. If you decide to keep using Python 2 anyway, you should at least rebuild it with a security patch. 10.1-019

Python 3

10.1 071 Python (LFS and BLFS) Date: 2021-07-09 Severity: Medium

In Python3 before 3.9.6, a security vulnerability exists that could allow for resource exhaustion due to an infinite loop in the mod:http.client Python module. Update to Python-3.9.6 or later. 10.1-071

10.1 035 Python (LFS and BLFS) Date: 2021-04-29 Severity: High

In Python3 before 3.9.4 'pydoc' can be used to read arbitrary files, including those containing sensitive data. Update to Python-3.9.4 or later. 10.1-035

Qt5

10.1 064 Qt5 Date: 2021-06-21 Severity: Medium

An Out Of Bounds Read was discovered in the SVG component of Qt. This has been fixed upstream in the paid-for commercial releases, but for the free versions it is necessary to patch it. 10.1-064

QtWebEngine

10.1 103 QtWebEngine Date: 2021-08-29 Severity: High

Many more CVEs (from Chromium) in QtWebEngine, most rated as High, have been fixed in the 5.15.6 version. Update to this or to a later version. 10.1-103

10.1 065 QtWebEngine Date: 2021-06-21 Severity: High

Several more CVEs (from Chromium) in QtWebEngine have been fixed. Update to the upstream_fixes-2 patch on top of the 20210401 tarball, or to a later version. 10.1-065

10.1 040 QtWebEngine Updated: 2021-05-07 Severity: Critical

Many CVEs (from Chromium) in QtWebEngine have been fixed. Update to the upstream_fixes-1 patch on top of the 20210401 tarball, or to a later version. 10.1-040

10.1 026 QtWebEngine Updated: 2021-04-09 Severity: High

Several CVEs (from Chromium) in QtWebEngine have been fixed in the snapshot dated 20210401. Update to this, or a later BLFS snapshot, using the instructions to install it as 5.15.2 to match the installed Qt5 version. 10.1-026

10.1 002 QtWebEngine UpDated: 2021-03-19 Severity: High

Many CVEs in QtWebEngine-5.15.2 have been fixed in version 5.15.3, but the release tarball and the rest of 5.15.3 is not yet available to non-commercial customers. Update to qtwebengine-5.15.3 (using a tarball taken from git, with instructions to install it as 5.15.2 to match the installed Qt5 version). 10.1-002

Ruby

10.1 074 Ruby Date: 2021-07-09 Severity: High

Three security vulnerabilities were fixed in Ruby-3.0.2, ranging from attackers executing arbitrary commands via malicious RDoc files, manipulation of Net::FTP to return information about other systems, and a TLS bypass in Net::SMTP. It's suggested that you update to Ruby-3.0.2 as soon as possible. 10.1-074

10.1 039 Ruby Date: 2021-05-04 Severity: Medium

An XML round-trip vulnerability was discovered in the REXML gem bundled with Ruby, and was fixed and released with ruby-3.0.1. This could lead to malicious code injection in XML files, or other unspecified impacts. Update to ruby-3.0.1 or later. 10.1-039

Rust

10.1 041 Rust Date: 2021-05-11 Severity: Critical

Eight vulnerabilities have been found in the rust standard library before 1.52.0, or in crates which use it. Update to rustc-1.52.0 or later. 10.1-041

rxvt-unicode

10.1 048 rxvt-unicode Date: 2021-05-18 Severity: Critical

A flaw in rxvt-unicode may result in remote code execution, and an exploit is available in the wild. This was fixed in rxvt-unicode-9.26. Update to rxvt-unicode-9.26 as soon as possible. 10.1-048

Samba

10.1 045 Samba Date: 2021-05-12 Severity: Critical

Samba-4.14.4 fixed a security vulnerability which, in some rare cases, could allow for a user to delete or modify files on network shares that they are not supposed to have access to. This vulnerability could allow for data confidentiality and integrity impacts, but also for crashes of the smbd server process. Update to Samba-4.14.4 (or 4.13.8) as soon as possible. 10.1-045

10.1 016 Samba Date: 2021-03-28 Severity: High

Samba-4.14.2 fixed two security vulnerabilities, which may lead to denial of service or disclosure of sensitive information. Update to Samba-4.14.2 or 4.13.7 as soon as possible. 10.1-016

Seamonkey

10.1 104 Seamonkey Date: 2021-08-29 Severity: High

The fixes from firefox-78.13.0 are understood to be included in seamonkey-2.53.9. To fix these, update to seamonkey-2.53.9 or later. 10.1-104

10.1 082 Seamonkey Date: 2021-07-23 Severity: High

Fixes from firefox-78.12.0 were included in seamonkey-2.53.8.1. To fix these, update to seamonkey-2.53.8.1 or later. 10.1-082

10.1 067 Seamonkey Date: 2021-06-30 Severity: Critical

Fixes from firefox-78.8.0 to 78.11.0 were included in seamonkey-2.53.8. This includes several Critical and High severity vulnerabilities. Update to seamonkey-2.53.8 or later as soon as possible. 10.1-067

10.1 021 Seamonkey Date: 2021-03-31 Severity: Critical

Fixes from firefox-78.6.1 to 78.8.0 were included in seamonkey-2.53.6. This includes several Critical and High severity vulnerabilities. Update to seamonkey-2.53.7 or later as soon as possible. 10.1-021

systemd

10.1 081 systemd (LFS and BLFS) Date: 2021-07-23 Severity: High

In systemd-220 and later, a security vulnerability exists that will allow for a local attacker to crash your system by mounting a FUSE filesystem that with a file path longer than 8MB present. The crash occurs when reading /proc/self/mountinfo, and manifests itself as a kernel panic due to PID1 (init) crashing. Because fo the changes coming in LFS 11.0, updating to systemd-249 (with the patch) is not feasible. However, a patch has been created for LFS 10.1/systemd-247. See the advisory linked for more information. The patch replaces the current systemd-247-security_fix-1.patch. 10.1-081

10.1 072 systemd (LFS and BLFS) Date: 2021-07-09 Severity: Medium

In systemd-249, a security vulnerability was fixed that could allow for a remote attacker to reconfigure the network on your system. Because of the changes coming in LFS 11.0, updating to systemd-249 is not feasible. However, a patch has been created for LFS 10.1/systemd-249. See the advisory linked for more information. 10.1-072

Thunderbird

In general, flaws in Mozilla advisories for Thunderbird cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

10.1 093 Thunderbird Date: 2021-08-13 Severity: Critical

Several security vulnerabilities were fixed in Thunderbird-91.0, including some that deal with Thunderbird itself and not it's HTML engine. One of the vulnerabilities can allow for remote attackers to inject attachments, mails, and folders into an IMAP session configured with STARTTLS. Update to Thunderbird-91.0 or later. 10.1-093

10.1 056 Thunderbird Date: 2021-06-06 Severity: High

One security vulnerability was fixed in Thunderbird-78.11.0 which was rated as high. This has to do with a memory safety problem. To fix these, update to Thunderbird-78.11.0 or later. 10.1-056

10.1 033 Thunderbird Date: 2021-04-26 Severity: High

Nine security vulnerabilities were fixed in Thunderbird-78.10.0, of which two were rated as High. To fix these update to 78.10.0 or later. 10.1-033

10.1 027 Thunderbird Date: 2021-04-11 Severity: Moderate

In Thunderbird before 78.9.1 there were three vulnerabilities rated as Moderate. To fix these update to 78.9.1 or later. 10.1-027

10.1 012 Thunderbird Date: 2021-02-26 Severity: High

In Thunderbird before 78.9.0 there were two vulnerabilities rated as High. To fix these update to 78.9.0 or later. 10.1-012

WebKitGTK

10.1 083 WebKitGTK Date: 2021-07-26 Severity: Critical

WebKitGTK+-2.32.3 fixed six arbitrary code execution vulnerabilities, two cross-site-scripting vulnerabilities, two information leak vulnerabilities, and a port scanning vulnerability. Several of these are being exploited in the wild. Update to WebKitGTK+-2.32.3 as soon as possible. 10.1-083

10.1 018 WebKitGTK Date: 2021-03-31 Severity: Critical

WebKitGTK-2.32.0 fixed three security arbitary code execution vulnerabilities. Update to WebKitGTK-2.32.0 as soon as possible. 10.1-018

10.1 015 WebKitGTK Date: 2021-03-28 Severity: Critical

WebKitGTK-2.30.6 fixed seven security vulnerabilities, one of which is currently being exploited in the wild. The vulnerabilities include improper data deletion, sandbox escapes, arbitrary code execution, and access to restricted ports on arbitrary servers. Update to WebKitGTK-2.30.6 as soon as possible. 10.1-015

Wireshark

10.1 077 Wireshark Date: 2021-07-20 Severity: Low

Wireshark-3.4.7 fixed a vulnerability that could allow for a remote attacker to crash the Wireshark process by injecting a malformed DNP packet into the stream. If you use the DNP protocol (unlikely unless you are working on an automation system), update to Wireshark-3.4.7. 10.1-077

10.1 057 Wireshark Date: 2021-06-05 Severity: Low

In Wireshark before 3.4.6, a security vulnerability existed that could allow a remote attacker to crash the Wireshark process due to a CPU resource exhaustion issue. This existed in the DVB-S2-BB packet, which is very uncommon. Update to Wireshark-3.4.6 if you are on a network with a satellite receiver installed. 10.1-057

10.1 043 Wireshark Date: 2021-05-21 Severity: Medium

In Wireshark before 3.4.5, a security vulnerability existed that could allow a remote attacker to consume excessive amounts of RAM and CPU resources through a malformed packet in the MS-WSP packet dissector. Update to Wireshark-3.4.5 if you are on a network with Windows PCs. 10.1-043

10.1 006 Wireshark Date: 2021-03-16 Severity: High

In Wireshark before 3.4.4, a security vulnerability existed that could result in unsafe URLs being opened via a malicious capture packet file. This vulnerability existed for 17 years. Update to Wireshark-3.4.4. 10.1-006

XDG-Utils

10.1 024 XDG-Utils Date: 2021-04-02 Severity: Medium

In the xdg-email component of xdg-utils 1.1.0rc1 and newer, an attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. Until this is fixed upstream, either do not use mailto links, or always double-check there are no unwanted attachments before sending emails. 10.1-024

Xorg-Server

10.1 034 Xorg-Server Date 2021-04-29 Severity: High

In Xorg-Server before version 1.20.11 an integer underflow in the Xinput extension can lead to out of bounds memory accesses. This can lead to local privilege escalations (to root) if the X server is running privileged. Update to Xorg-Server-1.20.11 or later. 10.1-034