Vulnerability Detection Pipeline

Upcoming and New QIDs

Browse, filter by detection status, or search by CVE to get visibility into upcoming and new detections (QIDs) for all severities.

Detection Status

  • Under investigation: We are researching a detection and will publish one if it is feasible.
  • In development: We are coding a detection and will typically publish it within a few days.
  • Recently published: We have published the detection on the date indicated, and it will typically be available in the KnowledgeBase on shared platforms within a day.

Non-Qualys customers can audit their network for all published vulnerabilities by signing up for a Qualys Free Trial or Qualys Community Edition.

363 results
CVE
Title
Severity
  • CVE-2021-0474+
    In Development

    Google Android May 2021 Security Patch Missing for Huawei EMUI

    Severity
    Urgent5
    Qualys ID
    610347
    Vendor Reference
    May 2021
    CVE Reference
    CVE-2021-0474, CVE-2021-0475, CVE-2021-0473, CVE-2020-11234, CVE-2020-15436, CVE-2020-25705, CVE-2021-0484, CVE-2021-0477, CVE-2021-0472, CVE-2021-0480, CVE-2021-0466, CVE-2021-0481, CVE-2021-0476, CVE-2021-0488, CVE-2020-11231, CVE-2020-5235, CVE-2020-29368, CVE-2017-14888, CVE-2018-11302, CVE-2018-5919, CVE-2018-11893, CVE-2018-11929, CVE-2018-11947, CVE-2018-11942, CVE-2018-11983, CVE-2018-11984, CVE-2018-11987, CVE-2018-11988, CVE-2018-12006, CVE-2018-13893, CVE-2019-2277, CVE-2019-2306, CVE-2019-2299, CVE-2019-2312, CVE-2019-2314, CVE-2019-2302, CVE-2019-10506, CVE-2018-13890, CVE-2019-10507, CVE-2019-10508, CVE-2019-10542, CVE-2019-10502, CVE-2018-11934, CVE-2019-2297, CVE-2019-10563, CVE-2019-10566, CVE-2018-11852, CVE-2018-11863, CVE-2018-11886, CVE-2018-11903, CVE-2018-5911, CVE-2018-11883, CVE-2019-10530, CVE-2019-14088, CVE-2019-10623, CVE-2019-10620, CVE-2019-10624, CVE-2019-14037, CVE-2020-3646, CVE-2019-10519, CVE-2019-10521, CVE-2019-10564, CVE-2019-14099, CVE-2020-11121, CVE-2020-11130, CVE-2020-11148, CVE-2020-11150, CVE-2019-2284
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Android is a mobile operating system based on a modified version of the Linux kernel and other open source software, designed primarily for touchscreen mobile devices such as smartphones and tablets.

    Following security issues were discovered:
    CVE-2020-0000

    Affected Devices :
    HUAWEI P series: P30 Pro, P30, P20 Pro, P20
    HUAWEI Mate series: Mate 20 X, Mate 20 Pro, Mate 20, Mate 20 RS, Mate 10 Pro, Mate 10, PORSCHE DESIGN HUAWEI Mate RS

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Refer to HUAWEI Security advisory May 2021 to address this issue and obtain more information.
    Patches
    Android May 2021
  • CVE-2020-0000
    In Development

    Google Android June 2021 Security Patch Missing for LGE

    Severity
    Urgent5
    Qualys ID
    610346
    Vendor Reference
    SMR-June-2021
    CVE Reference
    CVE-2020-0000
    CVSS Scores
    Base / Temporal
    Description
    Android is a mobile operating system based on a modified version of the Linux kernel and other open source software, designed primarily for touchscreen mobile devices such as smartphones and tablets.

    Following security issues were discovered:
    CVE-2020-0000

    Affected Products :
    G series (G5, G6, G7, G8), V series(V10, V20, V30, V35, V40, V50) , Q Series(Q6, Q8) , X Series(X300, X400, X500, X cam), CV Series(CV1, CV3, CV5, CV7, CV1S, CV7AS), MH(K40, K50, Q60, Q70)

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Refer to LGE Security advisory SMR-June-2021 to address this issue and obtain more information.
    Patches
    Android SMR-June-2021
  • CVE-2020-0000
    In Development

    Google Android June 2021 Security Patch Missing for Samsung

    Severity
    Urgent5
    Qualys ID
    610345
    Vendor Reference
    SMR-June-2021
    CVE Reference
    CVE-2020-0000
    CVSS Scores
    Base / Temporal
    Description
    Android is a mobile operating system based on a modified version of the Linux kernel and other open source software, designed primarily for touchscreen mobile devices such as smartphones and tablets.

    Following security issues were discovered:
    CVE-2020-0000

    Affected Products :
    G series (G5, G6, G7, G8), V series(V10, V20, V30, V35, V40, V50) , Q Series(Q6, Q8) , X Series(X300, X400, X500, X cam), CV Series(CV1, CV3, CV5, CV7, CV1S, CV7AS), MH(K40, K50, Q60, Q70)

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Refer to Samsung Security advisory SMR-June-2021 to address this issue and obtain more information.
    Patches
    Android SMR-June-2021
  • CVE-2021-0541+
    In Development

    Google Pixel Android June 2021 Security Patch Missing

    Severity
    Urgent5
    Qualys ID
    610343
    Vendor Reference
    Pixel Update Bulletin June2021
    CVE Reference
    CVE-2021-0541, CVE-2021-0540, CVE-2021-0538, CVE-2021-0539, CVE-2020-1971, CVE-2021-0542, CVE-2021-0534, CVE-2021-0535, CVE-2021-0536, CVE-2021-0537, CVE-2021-0570, CVE-2021-0571, CVE-2021-0572, CVE-2021-0559, CVE-2021-0556, CVE-2021-0557, CVE-2021-0554, CVE-2021-0555, CVE-2021-0552, CVE-2021-0553, CVE-2021-0550, CVE-2021-0551, CVE-2021-0608, CVE-2021-0606, CVE-2021-0607, CVE-2021-0605, CVE-2021-0548, CVE-2021-0569, CVE-2021-0568, CVE-2021-0549, CVE-2021-0558, CVE-2021-0563, CVE-2021-0562, CVE-2021-0561, CVE-2021-0546, CVE-2021-0567, CVE-2021-0566, CVE-2021-0565, CVE-2021-0564, CVE-2021-0545, CVE-2021-0544, CVE-2021-0543, CVE-2021-0547
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description
    Android is a mobile operating system based on a modified version of the Linux kernel and other open source software, designed primarily for touchscreen mobile devices such as smartphones and tablets.

    Following security issues were discovered:
    CVE-2021-0541,CVE-2021-0540,CVE-2021-0538,CVE-2021-0539,CVE-2020-1971,CVE-2021-0542,CVE-2021-0534,CVE-2021-0535,CVE-2021-0536,CVE-2021-0537,CVE-2021-0570,CVE-2021-0571,CVE-2021-0572,CVE-2021-0559,CVE-2021-0556,CVE-2021-0557,CVE-2021-0554,CVE-2021-0555,CVE-2021-0552,CVE-2021-0553,CVE-2021-0550,CVE-2021-0551,CVE-2021-0608,CVE-2021-0606,CVE-2021-0607,CVE-2021-0605,CVE-2021-0548,CVE-2021-0569,CVE-2021-0568,CVE-2021-0549,CVE-2021-0558,CVE-2021-0563,CVE-2021-0562,CVE-2021-0561,CVE-2021-0546,CVE-2021-0567,CVE-2021-0566,CVE-2021-0565,CVE-2021-0564,CVE-2021-0545,CVE-2021-0544,CVE-2021-0543,CVE-2021-0547

    Affected Products :
    Pixel 4 XL, Pixel 4, Pixel 3a XL, Pixel 3a, Pixel 3 XL, Pixel 3, Pixel 2 XL, Pixel 2

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Refer to Google Pixel advisory Google Pixel Android June2021 to address this issue and obtain more information.
    Patches
    Android June 2021
  • CVE-2019-12402+
    In Development

    IBM Cognos Analytics multiple Vulnerabilities (6451705)

    Severity
    Critical4
    Qualys ID
    375626
    Vendor Reference
    6451705
    CVE Reference
    CVE-2019-12402, CVE-2020-2601, CVE-2020-4520, CVE-2019-4730, CVE-2019-12086, CVE-2020-2830, CVE-2020-2781, CVE-2020-2800, CVE-2020-2757, CVE-2020-2756, CVE-2020-2755, CVE-2020-2754, CVE-2019-4471, CVE-2020-14621, CVE-2020-14579, CVE-2020-14578, CVE-2020-14577, CVE-2020-14060, CVE-2020-14062, CVE-2019-4305, CVE-2019-4724, CVE-2019-12814, CVE-2019-2949, CVE-2020-4354, CVE-2019-17267, CVE-2020-4329, CVE-2019-4653, CVE-2019-4722, CVE-2020-4561, CVE-2020-2593, CVE-2019-4732, CVE-2019-4441, CVE-2020-4300, CVE-2020-9546, CVE-2019-14892, CVE-2019-14893, CVE-2019-12406, CVE-2017-18214, CVE-2020-2654, CVE-2018-11771, CVE-2020-2590, CVE-2018-15494, CVE-2019-14379, CVE-2019-16942, CVE-2019-1547, CVE-2019-1549, CVE-2019-1563, CVE-2020-8141, CVE-2020-8840, CVE-2019-11771, CVE-2019-2762, CVE-2019-2769, CVE-2019-2816, CVE-2019-4473, CVE-2020-11113, CVE-2020-10969, CVE-2021-20190, CVE-2019-10086, CVE-2016-1000031, CVE-2019-20330, CVE-2019-2964, CVE-2019-2973, CVE-2019-2978, CVE-2019-2981, CVE-2019-2983, CVE-2019-2989, CVE-2019-4723
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    IBM Cognos Analytics offers guided, self-service capabilities designed to solve problems and seize new opportunities quickly.

    Multiple CVEs that could steal sensitive information or execute arbitrary code on the target.

    Affected Versions:
    IBM Cognos Analytics 11.1
    IBM Cognos Analytics 11.0

    QID Detection Logic (Authenticated):
    This QID checks for vulnerable version of IBM Cognos Analytics by checking the registry file.

    Consequence
    An attacker could exploit these vulnerability to execute arbitrary code on the system.

    Solution
    Vendor has released fix to this vulnerability. Further information can be obtained from IBM
    Download link for :
    Cognos Analytics 11.1.7 Fix Pack 2 Cognos Analytics 11.0.13 Fix Pack 4
    Patches
    6451705
  • CVE-2021-31579+
    In Development

    Akkadian Provisioning Manager Multiple Vulnerabilities

    Severity
    Critical4
    Qualys ID
    730114
    Vendor Reference
    TPost
    CVE Reference
    CVE-2021-31579, CVE-2021-31580, CVE-2021-31581, CVE-2021-31582
    CVSS Scores
    Base 9 / Temporal 8.2
    Description

    The Akkadian Provisioning Manager, which is used as a third-party provisioning tool within Cisco Unified Communications environments,
    has three high-severity security vulnerabilities that can be chained together
    to enable remote code execution (RCE) with elevated privileges. CVE-2021-31579: Use of hard-coded credentials
    CVE-2021-31580 and CVE-2021-31581: Improper neutralization of special elements used in an OS command
    CVE-2021-31582: Exposure of sensitive information to an unauthorized actor.
    QID Detection Logic: Sends a Web request "/pme/database/pme/phinx.yml" to get response

    Consequence
    Successful exploitation may lead to remote code execution (RCE) with elevated privileges.
    Solution
    Akkadian has not come up with any fix.
  • CVE-2021-28651+
    In Development

    SUSE Enterprise Linux Security Update for squid (SUSE-SU-2021:1961-1)

    Severity
    Critical4
    Qualys ID
    750160
    Vendor Reference
    SUSE-SU-2021:1961-1
    CVE Reference
    CVE-2021-28651, CVE-2020-25097, CVE-2021-31806, CVE-2021-28662, CVE-2021-28652
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    This update for squid fixes the following issues: - update to 4.15: - cve-2021-28652: broken cache manager url parsing (bsc#1185918) - cve-2021-28651: memory leak in rfc 2169 response parsing (bsc#1185921) - cve-2021-28662: limit headerlookuptable_t::lookup() to badhdr and specific ids (bsc#1185919) - cve-2021-31806: handle more range requests (bsc#1185916) - cve-2020-25097: http request smuggling vulnerability (bsc#1183436) - handle more partial responses (bsc#1185923) - fix previous change to reinstante permissions macros, because the wrong path has been used (bsc#1171569).
    - use libexecdir instead of libdir to conform to recent changes in factory (bsc#1171164).
    - reinstate permissions macros for pinger binary, because the permissions package is also responsible for setting up the cap_net_raw capability, currently a fresh squid install doesn't get a capability bit at all (bsc#1171569).
    - change pinger and basic_pam_auth helper to use standard permissions.
    pinger uses cap_net_raw=ep instead (bsc#1171569)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1961-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1961-1
  • CVE-2020-11292+
    In Development

    Google Android Devices June 2021 Security Patch Missing

    Severity
    Critical4
    Qualys ID
    610344
    Vendor Reference
    Android Security Bulletin June2021
    CVE Reference
    CVE-2020-11292, CVE-2020-11291, CVE-2020-26555, CVE-2020-11176, CVE-2020-26558, CVE-2020-11304, CVE-2020-11298, CVE-2021-0530, CVE-2021-0531, CVE-2021-0532, CVE-2021-0533, CVE-2021-1925, CVE-2021-0512, CVE-2021-0513, CVE-2021-0510, CVE-2021-0511, CVE-2021-0516, CVE-2021-0517, CVE-2020-14305, CVE-2020-11267, CVE-2020-11306, CVE-2021-0520, CVE-2021-1900, CVE-2021-1937, CVE-2021-0529, CVE-2021-0528, CVE-2021-0527, CVE-2021-0526, CVE-2021-0525, CVE-2021-0523, CVE-2021-0522, CVE-2021-0521, CVE-2021-0478, CVE-2021-0505, CVE-2021-0504, CVE-2021-0507, CVE-2021-0506, CVE-2021-0509, CVE-2021-0508
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Android is a mobile operating system based on a modified version of the Linux kernel and other open source software, designed primarily for touchscreen mobile devices such as smartphones and tablets.

    Following security issues were discovered:
    CVE-2020-11292,CVE-2020-11291,CVE-2020-26555,CVE-2020-11176,CVE-2020-26558,CVE-2020-11304,CVE-2020-11298,CVE-2021-0530,CVE-2021-0531,CVE-2021-0532,CVE-2021-0533,CVE-2021-1925,CVE-2021-0512,CVE-2021-0513,CVE-2021-0510,CVE-2021-0511,CVE-2021-0516,CVE-2021-0517,CVE-2020-14305,CVE-2020-11267,CVE-2020-11306,CVE-2021-0520,CVE-2021-1900,CVE-2021-1937,CVE-2021-0529,CVE-2021-0528,CVE-2021-0527,CVE-2021-0526,CVE-2021-0525,CVE-2021-0523,CVE-2021-0522,CVE-2021-0521,CVE-2021-0478,CVE-2021-0505,CVE-2021-0504,CVE-2021-0507,CVE-2021-0506,CVE-2021-0509,CVE-2021-0508

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Refer to Google advisory Google Android June2021 to address this issue and obtain more information.
    Patches
    Android June 2021
  • CVE-2021-21285+
    In Development

    SUSE Enterprise Linux Security Update for containerd, docker, runc (SUSE-SU-2021:1954-1)

    Severity
    Critical4
    Qualys ID
    750155
    Vendor Reference
    SUSE-SU-2021:1954-1
    CVE Reference
    CVE-2021-21285, CVE-2021-21284, CVE-2021-21334, CVE-2021-30465
    CVSS Scores
    Base 6.8 / Temporal 5.9
    Description
    This update for containerd, docker, runc fixes the following issues: docker was updated to 20.10.6-ce (bsc#1184768, bsc#1182947, bsc#1181594) * switch version to use -ce suffix rather than _ce to avoid confusing other tools (bsc#1182476).
    * cve-2021-21284: fixed a potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732) * cve-2021-21285: fixed an issue where pulling a malformed docker image manifest crashes the dockerd daemon (bsc#1181730).
    * btrfs quotas being removed by docker regularly (bsc#1183855, bsc#1175081) runc was updated to v1.0.0~rc93 (bsc#1182451, bsc#1175821 bsc#1184962).
    * use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).
    * fixed /dev/null is not available (bsc#1168481).
    * cve-2021-30465: fixed a symlink-exchange attack vulnarability (bsc#1185405).
    containerd was updated to v1.4.4 * cve-2021-21334: fixed a potential information leak through environment variables (bsc#1183397).
    * handle a requirement from docker (bsc#1181594).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1954-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1954-1
  • CVE-2020-14355+
    In Development

    SUSE Enterprise Linux Security Update for spice (SUSE-SU-2021:1956-1)

    Severity
    Critical4
    Qualys ID
    750157
    Vendor Reference
    SUSE-SU-2021:1956-1
    CVE Reference
    CVE-2020-14355, CVE-2021-20201
    CVSS Scores
    Base 6.6 / Temporal 5.8
    Description
    This update for spice fixes the following issues: - cve-2021-20201: client initiated renegotiation causing denial of service (bsc#1181686) - cve-2020-14355: fixed multiple buffer overflow vulnerabilities in quic decoding code (bsc#1177158)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1956-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1956-1
  • In Development

    Fedora Security Update for firefox (FEDORA-2021-7b03865dbc)

    Severity
    Urgent5
    Qualys ID
    281618
    Vendor Reference
    FEDORA-2021-7b03865dbc
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for firefox to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-7b03865dbc
  • CVE-2021-3185
    In Development

    SUSE Enterprise Linux Security Update for gstreamer-plugins-bad (SUSE-SU-2021:1944-1)

    Severity
    Critical4
    Qualys ID
    750153
    Vendor Reference
    SUSE-SU-2021:1944-1
    CVE Reference
    CVE-2021-3185
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    This update for gstreamer-plugins-bad fixes the following issues: - update to version 1.16.3: - cve-2021-3185: buffer overflow in gst_h264_slice_parse_dec_ref_pic_marking() (bsc#1181255) - amcvideodec: fix sync meta copying not taking a reference - audiobuffersplit: perform discont tracking on running time - audiobuffersplit: specify in the template caps that only interleaved audio is supported - audiobuffersplit: unset discont flag if not discontinuous - autoconvert: fix lock-less exchange or free condition - autoconvert: fix compiler warnings with g_atomic on recent glib versions - avfvideosrc: element requests camera permissions even with capture-screen property is true - codecparsers: h264parser: guard against ref_pic_markings overflow - dtlsconnection: avoid segmentation fault when no srtp capabilities are negotiated - dtls/connection: fix eof handling with openssl 1.1.1e - fdkaacdec: add support for mpegversion=2 - hls: check nettle version to ensure aes128 support - ipcpipeline: rework compiler checks - interlace: increment phase_index before checking if we're at the end of the phase - h264parser: do not allocate too large size of memory for registered user data sei - ladspa: fix unbounded integer properties - modplug: avoid division by zero - msdkdec: fix gstmsdkcontext leak - msdkenc: fix leaks on windows - musepackdec: don't fail all queries if no sample rate is known yet - openslessink: allow openslessink to handle 48khz streams.
    - opencv: allow compilation against 4.2.x - proxysink: event_function needs to handle the event when it is disconnecetd from proxysrc - vulkan: drop use of vk_result_begin_range - wasapi: added missing lock release in case of error in gst_wasapi_xxx_reset - wasapi: fix possible deadlock while downwards state change - waylandsink: clear window when pipeline is stopped - webrtc: support non-trickle ice candidates in the sdp - webrtc: unmap all non-binary buffers received via the datachannel

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1944-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1944-1
  • CVE-2020-24489+
    In Development

    SUSE Enterprise Linux Security Update for ucode-intel (SUSE-SU-2021:1933-1)

    Severity
    Critical4
    Qualys ID
    750150
    Vendor Reference
    SUSE-SU-2021:1933-1
    CVE Reference
    CVE-2020-24489, CVE-2020-24513, CVE-2020-24511, CVE-2020-24512
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    This update for ucode-intel fixes the following issues: updated to intel cpu microcode 20210608 release.
    - cve-2020-24513: a domain bypass transient execution vulnerability was discovered on some intel atom processors that use a micro-architectural incident channel. (
    Intel-sa-00465 bsc#1179833) see also: 0465.html - cve-2020-24511: the ibrs feature to mitigate spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (intel-sa-00464 bsc#1179836) see also 0464.html) - cve-2020-24512: fixed trivial data value cache-lines such as all-zero value cache-lines may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837 intel-sa-00464) see also 0464.html) - cve-2020-24489: fixed intel vt-d device pass through potential local privilege escalation (intel-sa-00442 bsc#1179839) see also 0442.html other fixes: - update for functional issues.
    Refer to [third generation intel xeon processor scalable family specification update]()for details.
    Refer to [second generation intel xeon processor scalable family specification update]() for details.
    Refer to [intel xeon processor scalable family specification update]() for details.
    Refer to [intel xeon processor d-1500, d-1500 ns and d-1600 ns spec update]( on/xeon-d-1500-specification-update.html) for details.
    Refer to [intel xeon e7-8800 and e7-4800 v3 processor specification update]( spec-update.html) for details.
    Refer to [intel xeon processor e5 v3 product family specification update]( spec-update.html?wapkw=processor+spec+update+e5) for details.
    Refer to [10th gen intel core processor families specification update]( re/10th-gen-core-families-specification-update.html) for details.
    Refer to [8th and 9th gen intel core processor family spec update]( re/8th-gen-core-spec-update.html) for details.
    Refer to [7th gen and 8th gen (u quad-core) intel processor families specification update]( e-family-spec-update.html) for details.
    Refer to [6th gen intel processor family specification update]() for details.
    Refer to [intel xeon e3-1200 v6 processor family specification update]( 0v6-spec-update.html) for details.
    Refer to [intel xeon e-2100 and e-2200 processor family specification update]( on/xeon-e-2100-specification-update.html) for details.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1933-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1933-1
  • CVE-2020-24489+
    Recently Published

    SUSE Enterprise Linux Security Update for ucode-intel (SUSE-SU-2021:1930-1)

    Severity
    Critical4
    Qualys ID
    750147
    Date Published
    June 14, 2021
    Vendor Reference
    SUSE-SU-2021:1930-1
    CVE Reference
    CVE-2020-24489, CVE-2020-24513, CVE-2020-24511, CVE-2020-24512
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    This update for ucode-intel fixes the following issues: updated to intel cpu microcode 20210608 release.
    - cve-2020-24513: a domain bypass transient execution vulnerability was discovered on some intel atom processors that use a micro-architectural incident channel. (
    Intel-sa-00465 bsc#1179833) see also: 0465.html - cve-2020-24511: the ibrs feature to mitigate spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (intel-sa-00464 bsc#1179836) see also 0464.html) - cve-2020-24512: fixed trivial data value cache-lines such as all-zero value cache-lines may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837 intel-sa-00464) see also 0464.html) - cve-2020-24489: fixed intel vt-d device pass through potential local privilege escalation (intel-sa-00442 bsc#1179839) see also 0442.html other fixes: - update for functional issues.
    Refer to [third generation intel xeon processor scalable family specification update]()for details.
    Refer to [second generation intel xeon processor scalable family specification update]() for details.
    Refer to [intel xeon processor scalable family specification update]() for details.
    Refer to [intel xeon processor d-1500, d-1500 ns and d-1600 ns spec update]( on/xeon-d-1500-specification-update.html) for details.
    Refer to [intel xeon e7-8800 and e7-4800 v3 processor specification update]( spec-update.html) for details.
    Refer to [intel xeon processor e5 v3 product family specification update]( spec-update.html?wapkw=processor+spec+update+e5) for details.
    Refer to [10th gen intel core processor families specification update]( re/10th-gen-core-families-specification-update.html) for details.
    Refer to [8th and 9th gen intel core processor family spec update]( re/8th-gen-core-spec-update.html) for details.
    Refer to [7th gen and 8th gen (u quad-core) intel processor families specification update]( e-family-spec-update.html) for details.
    Refer to [6th gen intel processor family specification update]() for details.
    Refer to [intel xeon e3-1200 v6 processor family specification update]( 0v6-spec-update.html) for details.
    Refer to [intel xeon e-2100 and e-2200 processor family specification update]( on/xeon-e-2100-specification-update.html) for details.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1930-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1930-1
  • CVE-2020-24489+
    Recently Published

    SUSE Enterprise Linux Security Update for ucode-intel (SUSE-SU-2021:1931-1)

    Severity
    Critical4
    Qualys ID
    750146
    Date Published
    June 14, 2021
    Vendor Reference
    SUSE-SU-2021:1931-1
    CVE Reference
    CVE-2020-24489, CVE-2020-24513, CVE-2020-24511, CVE-2020-24512
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    This update for ucode-intel fixes the following issues: updated to intel cpu microcode 20210608 release.
    - cve-2020-24513: a domain bypass transient execution vulnerability was discovered on some intel atom processors that use a micro-architectural incident channel. (
    Intel-sa-00465 bsc#1179833) see also: 0465.html - cve-2020-24511: the ibrs feature to mitigate spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (intel-sa-00464 bsc#1179836) see also 0464.html) - cve-2020-24512: fixed trivial data value cache-lines such as all-zero value cache-lines may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837 intel-sa-00464) see also 0464.html) - cve-2020-24489: fixed intel vt-d device pass through potential local privilege escalation (intel-sa-00442 bsc#1179839) see also 0442.html other fixes: - update for functional issues.
    Refer to [third generation intel xeon processor scalable family specification update]()for details.
    Refer to [second generation intel xeon processor scalable family specification update]() for details.
    Refer to [intel xeon processor scalable family specification update]() for details.
    Refer to [intel xeon processor d-1500, d-1500 ns and d-1600 ns spec update]( on/xeon-d-1500-specification-update.html) for details.
    Refer to [intel xeon e7-8800 and e7-4800 v3 processor specification update]( spec-update.html) for details.
    Refer to [intel xeon processor e5 v3 product family specification update]( spec-update.html?wapkw=processor+spec+update+e5) for details.
    Refer to [10th gen intel core processor families specification update]( re/10th-gen-core-families-specification-update.html) for details.
    Refer to [8th and 9th gen intel core processor family spec update]( re/8th-gen-core-spec-update.html) for details.
    Refer to [7th gen and 8th gen (u quad-core) intel processor families specification update]( e-family-spec-update.html) for details.
    Refer to [6th gen intel processor family specification update]() for details.
    Refer to [intel xeon e3-1200 v6 processor family specification update]( 0v6-spec-update.html) for details.
    Refer to [intel xeon e-2100 and e-2200 processor family specification update]( on/xeon-e-2100-specification-update.html) for details.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1931-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1931-1
  • CVE-2020-24489+
    Recently Published

    SUSE Enterprise Linux Security Update for ucode-intel (SUSE-SU-2021:1932-1)

    Severity
    Critical4
    Qualys ID
    750145
    Date Published
    June 14, 2021
    Vendor Reference
    SUSE-SU-2021:1932-1
    CVE Reference
    CVE-2020-24489, CVE-2020-24513, CVE-2020-24511, CVE-2020-24512
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    This update for ucode-intel fixes the following issues: - updated to intel cpu microcode 20210525 release.
    - cve-2020-24513: a domain bypass transient execution vulnerability was discovered on some intel atom processors that use a micro-architectural incident channel. (
    Intel-sa-00465 bsc#1179833) see also: 0465.html - cve-2020-24511: the ibrs feature to mitigate spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (intel-sa-00464 bsc#1179836) see also 0464.html) - cve-2020-24512: fixed trivial data value cache-lines such as all-zero value cache-lines may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837 intel-sa-00464) see also 0464.html) - cve-2020-24489: fixed intel vt-d device pass through potential local privilege escalation (intel-sa-00442 bsc#1179839) see also 0442.html other fixes: - update for functional issues.
    Refer to [third generation intel xeon processor scalable family specification update]()for details.
    Refer to [second generation intel xeon processor scalable family specification update]() for details.
    Refer to [intel xeon processor scalable family specification update]() for details.
    Refer to [intel xeon processor d-1500, d-1500 ns and d-1600 ns spec update]( on/xeon-d-1500-specification-update.html) for details.
    Refer to [intel xeon e7-8800 and e7-4800 v3 processor specification update]( spec-update.html) for details.
    Refer to [intel xeon processor e5 v3 product family specification update]( spec-update.html?wapkw=processor+spec+update+e5) for details.
    Refer to [10th gen intel core processor families specification update]( re/10th-gen-core-families-specification-update.html) for details.
    Refer to [8th and 9th gen intel core processor family spec update]( re/8th-gen-core-spec-update.html) for details.
    Refer to [7th gen and 8th gen (u quad-core) intel processor families specification update]( e-family-spec-update.html) for details.
    Refer to [6th gen intel processor family specification update]() for details.
    Refer to [intel xeon e3-1200 v6 processor family specification update]( 0v6-spec-update.html) for details.
    Refer to [intel xeon e-2100 and e-2200 processor family specification update]( on/xeon-e-2100-specification-update.html) for details.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1932-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1932-1
  • CVE-2020-24489+
    Recently Published

    SUSE Enterprise Linux Security Update for ucode-intel (SUSE-SU-2021:1929-1)

    Severity
    Critical4
    Qualys ID
    750142
    Date Published
    June 14, 2021
    Vendor Reference
    SUSE-SU-2021:1929-1
    CVE Reference
    CVE-2020-24489, CVE-2020-24513, CVE-2020-24511, CVE-2020-24512
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    This update for ucode-intel fixes the following issues: updated to intel cpu microcode 20210608 release.
    - cve-2020-24513: a domain bypass transient execution vulnerability was discovered on some intel atom processors that use a micro-architectural incident channel. (
    Intel-sa-00465 bsc#1179833) see also: 0465.html - cve-2020-24511: the ibrs feature to mitigate spectre variant 2 transient execution side channel vulnerabilities may not fully prevent non-root (guest) branches from controlling the branch predictions of the root (host) (intel-sa-00464 bsc#1179836) see also 0464.html) - cve-2020-24512: fixed trivial data value cache-lines such as all-zero value cache-lines may lead to changes in cache-allocation or write-back behavior for such cache-lines (bsc#1179837 intel-sa-00464) see also 0464.html) - cve-2020-24489: fixed intel vt-d device pass through potential local privilege escalation (intel-sa-00442 bsc#1179839) see also 0442.html other fixes: - update for functional issues.
    Refer to [third generation intel xeon processor scalable family specification update]()for details.
    Refer to [second generation intel xeon processor scalable family specification update]() for details.
    Refer to [intel xeon processor scalable family specification update]() for details.
    Refer to [intel xeon processor d-1500, d-1500 ns and d-1600 ns spec update]( on/xeon-d-1500-specification-update.html) for details.
    Refer to [intel xeon e7-8800 and e7-4800 v3 processor specification update]( spec-update.html) for details.
    Refer to [intel xeon processor e5 v3 product family specification update]( spec-update.html?wapkw=processor+spec+update+e5) for details.
    Refer to [10th gen intel core processor families specification update]( re/10th-gen-core-families-specification-update.html) for details.
    Refer to [8th and 9th gen intel core processor family spec update]( re/8th-gen-core-spec-update.html) for details.
    Refer to [7th gen and 8th gen (u quad-core) intel processor families specification update]( e-family-spec-update.html) for details.
    Refer to [6th gen intel processor family specification update]() for details.
    Refer to [intel xeon e3-1200 v6 processor family specification update]( 0v6-spec-update.html) for details.
    Refer to [intel xeon e-2100 and e-2200 processor family specification update]( on/xeon-e-2100-specification-update.html) for details.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1929-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1929-1
  • CVE-2021-31607
    In Development

    SUSE Enterprise Linux Security Update for salt (SUSE-SU-2021:1951-1)

    Severity
    Critical4
    Qualys ID
    750154
    Vendor Reference
    SUSE-SU-2021:1951-1
    CVE Reference
    CVE-2021-31607
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This update for salt fixes the following issues: - check if dpkgnotify is executable (bsc#1186674) - update to salt release version 3002.2 (jsc#eco-3212, jsc#sle-18033, jsc#sle-18028) - drop support for python2.
    Obsoletes `python2-salt` package (jsc#sle-18028) - fix issue parsing errors in ansiblegate state module - prevent command injection in the snapper module (bsc#1185281, cve-2021-31607) - transactional_update: detect recursion in the executor - add subpackage `salt-transactional-update` (jsc#sle-18033) - remove duplicate directories

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1951-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1951-1
  • CVE-2020-25707+
    Recently Published

    SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2021:1947-1)

    Severity
    Critical4
    Qualys ID
    750152
    Date Published
    June 14, 2021
    Vendor Reference
    SUSE-SU-2021:1947-1
    CVE Reference
    CVE-2020-25707, CVE-2020-10756, CVE-2020-29129, CVE-2020-25723, CVE-2021-20257, CVE-2019-15890, CVE-2020-8608, CVE-2020-29130, CVE-2020-14364, CVE-2021-3419, CVE-2020-13754
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    This update for qemu fixes the following issues: - fix oob access during mmio operations (cve-2020-13754, bsc#1172382) - fix out-of-bounds read information disclosure in icmp6_send_echoreply (cve-2020-10756, bsc#1172380) - for the record, these issues are fixed in this package already.
    Most are alternate references to previously mentioned issues: (cve-2019-15890, bsc#1149813, cve-2020-8608, bsc#1163019, cve-2020-14364, bsc#1175534, cve-2020-25707, bsc#1178683, cve-2020-25723, bsc#1178935, cve-2020-29130, bsc#1179477, cve-2020-29129, bsc#1179484, cve-2021-20257, bsc#1182846, cve-2021-3419, bsc#1182975)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1947-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1947-1
  • CVE-2020-25707+
    In Development

    SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2021:1942-1)

    Severity
    Critical4
    Qualys ID
    750149
    Vendor Reference
    SUSE-SU-2021:1942-1
    CVE Reference
    CVE-2020-25707, CVE-2020-29129, CVE-2020-17380, CVE-2020-25723, CVE-2019-15890, CVE-2020-27821, CVE-2021-3416, CVE-2020-8608, CVE-2021-20263, CVE-2020-29130, CVE-2021-3409, CVE-2020-14364, CVE-2021-3419, CVE-2020-25085
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    This update for qemu fixes the following issues: - switch method of splitting off hw-s390x-virtio-gpu-ccw.so as a module to what was accepted upstream (bsc#1181103) - fix oob access in sdhci interface (cve-2020-17380, bsc#1175144, cve-2020-25085, bsc#1176681, cve-2021-3409, bsc#1182282) - fix potential privilege escalation in virtiofsd tool (cve-2021-20263, bsc#1183373) - fix oob access (stack overflow) in rtl8139 nic emulation (cve-2021-3416, bsc#1182968) - fix heap overflow in msix emulation (cve-2020-27821, bsc#1179686) - fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425) - qemu bios fails to read stage2 loader on s390x (bsc#1186290) - for the record, these issues are fixed in this package already.
    Most are alternate references to previously mentioned issues: (cve-2019-15890, bsc#1149813, cve-2020-8608, bsc#1163019, cve-2020-14364, bsc#1175534, cve-2020-25707, bsc#1178683, cve-2020-25723, bsc#1178935, cve-2020-29130, bsc#1179477, cve-2020-29129, bsc#1179484, cve-2021-3419, bsc#1182975)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1942-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1942-1
  • CVE-2021-28091
    In Development

    Fedora Security Update for lasso (FEDORA-2021-bb3ea1e191)

    Severity
    Critical4
    Qualys ID
    281621
    Vendor Reference
    FEDORA-2021-bb3ea1e191
    CVE Reference
    CVE-2021-28091
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for lasso to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-bb3ea1e191
  • CVE-2021-30465
    Recently Published

    Red Hat Update for OpenShift Container Platform 3.11.452 bug fix and (RHSA-2021:2150)

    Severity
    Critical4
    Qualys ID
    239425
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2150
    CVE Reference
    CVE-2021-30465
    CVSS Scores
    Base / Temporal
    Description
    Red Hat OpenShift Container Platform is Red Hat's cloud computingKubernetes application platform solution designed for on-premise or privatecloud deployments.This advisory contains the RPM packages for Red Hat OpenShift ContainerPlatform 3.11.452. See the following advisory for the container images forthis release:https://access.redhat.com/errata/RHBA-2021:2149 All OpenShift Container Platform 3.11 users are advised to upgrade to theseupdated packages and images.

    Security Fix(es): runc: vulnerable to symlink exchange attack (CVE-2021-30465)

    Affected Products:

    Red Hat OpenShift Container Platform 3.11 x86_64
    Red Hat OpenShift Container Platform for Power 3.11 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2150 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2150
  • CVE-2021-20305
    Recently Published

    Red Hat Update for nettle (RHSA-2021:2280)

    Severity
    Critical4
    Qualys ID
    239414
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2280
    CVE Reference
    CVE-2021-20305
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Nettle is a cryptographic library that is designed to fit easily in almost any context: In crypto toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like LSH or GNUPG, or even in kernel space.

    Security Fix(es): nettle: Out of bounds memory access in signature verification (CVE-2021-20305)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.7 x86_64
    Red Hat Enterprise Linux Server - AUS 7.7 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.7 s390x
    Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.7 ppc64
    Red Hat Enterprise Linux EUS Compute Node 7.7 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.7 ppc64le
    Red Hat Enterprise Linux Server - TUS 7.7 x86_64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.7 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.7 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2280 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2280
  • CVE-2021-3347
    Recently Published

    Red Hat Update for kpatch-patch (RHSA-2021:2285)

    Severity
    Critical4
    Qualys ID
    239413
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2285
    CVE Reference
    CVE-2021-3347
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

    Security Fix(es): kernel: Use after free via PI futex state (CVE-2021-3347)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2285 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2285
  • CVE-2021-28091
    In Development

    Fedora Security Update for lasso (FEDORA-2021-508acb1153)

    Severity
    Critical4
    Qualys ID
    281622
    Vendor Reference
    FEDORA-2021-508acb1153
    CVE Reference
    CVE-2021-28091
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for lasso to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-508acb1153
  • CVE-2021-27219
    Recently Published

    Red Hat Update for glib2 (RHSA-2021:2204)

    Severity
    Critical4
    Qualys ID
    239421
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2204
    CVE Reference
    CVE-2021-27219
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures.

    Security Fix(es): glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits (CVE-2021-27219)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.6 x86_64
    Red Hat Enterprise Linux Server - AUS 7.6 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6 s390x
    Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6 ppc64
    Red Hat Enterprise Linux EUS Compute Node 7.6 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.6 ppc64le
    Red Hat Enterprise Linux Server - TUS 7.6 x86_64
    Red Hat Enterprise Linux for Power 9 7 ppc64le
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.6 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.6 x86_64
    Red Hat Enterprise Linux for IBM System z (Structure A) 7 s390x

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2204 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2204
  • CVE-2021-20201
    In Development

    SUSE Enterprise Linux Security Update for spice (SUSE-SU-2021:1927-1)

    Severity
    Critical4
    Qualys ID
    750144
    Vendor Reference
    SUSE-SU-2021:1927-1
    CVE Reference
    CVE-2021-20201
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description
    This update for spice fixes the following issues: - cve-2021-20201: client initiated renegotiation causing denial of service (bsc#1181686)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1927-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1927-1
  • CVE-2021-3500
    In Development

    SUSE Enterprise Linux Security Update for djvulibre (SUSE-SU-2021:1948-1)

    Severity
    Critical4
    Qualys ID
    750151
    Vendor Reference
    SUSE-SU-2021:1948-1
    CVE Reference
    CVE-2021-3500
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    This update for djvulibre fixes the following issues: - cve-2021-3500: stack overflow in function djvu:djvudocument:get_djvu_file() via crafted djvu file (bsc#1186253)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1948-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1948-1
  • CVE-2021-3567
    Recently Published

    SUSE Enterprise Linux Security Update for caribou (SUSE-SU-2021:1943-1)

    Severity
    Critical4
    Qualys ID
    750148
    Date Published
    June 14, 2021
    Vendor Reference
    SUSE-SU-2021:1943-1
    CVE Reference
    CVE-2021-3567
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    This update for caribou fixes the following issues: security issue fixed: - cve-2021-3567: fixed a segfault when attempting to use shifted characters (bsc#1186617).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1943-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1943-1
  • CVE-2021-23017
    In Development

    Red Hat Update for rh-nginx118-nginx (RHSA-2021:2258)

    Severity
    Critical4
    Qualys ID
    239420
    Vendor Reference
    RHSA-2021:2258
    CVE Reference
    CVE-2021-23017
    CVSS Scores
    Base / Temporal
    Description
    nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage.

    Security Fix(es): nginx: Off-by-one in ngx_resolver_copy()
    when labels are followed by a pointer to a root domain name (CVE-2021-23017)

    Affected Products:

    Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7 x86_64
    Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.7 s390x
    Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.7 ppc64le
    Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
    Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
    Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
    Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2258 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2258
  • CVE-2021-23017
    Recently Published

    Red Hat Update for nginx:1.18 (RHSA-2021:2259)

    Severity
    Critical4
    Qualys ID
    239419
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2259
    CVE Reference
    CVE-2021-23017
    CVSS Scores
    Base / Temporal
    Description
    nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage.

    Security Fix(es): nginx: Off-by-one in ngx_resolver_copy()
    when labels are followed by a pointer to a root domain name (CVE-2021-23017)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2259 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2259
  • CVE-2018-25011+
    Recently Published

    Red Hat Update for libwebp (RHSA-2021:2260)

    Severity
    Critical4
    Qualys ID
    239418
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2260
    CVE Reference
    CVE-2018-25011, CVE-2020-36328, CVE-2020-36329
    CVSS Scores
    Base / Temporal
    Description
    The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format (RIFF). Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently.

    Security Fix(es): libwebp: heap-based buffer overflow in PutLE16()
    (CVE-2018-25011) libwebp: heap-based buffer overflow in WebPDecode*Into functions (CVE-2020-36328) libwebp: use-after-free in EmitFancyRGB()
    in dec/io_dec.c (CVE-2020-36329)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Scientific Computing 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2260 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2260
  • CVE-2021-29956+
    Recently Published

    Red Hat Update for thunderbird (RHSA-2021:2261)

    Severity
    Critical4
    Qualys ID
    239417
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2261
    CVE Reference
    CVE-2021-29956, CVE-2021-29957, CVE-2021-29967
    CVSS Scores
    Base / Temporal
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 78.11.0.

    Security Fix(es): Mozilla: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 (CVE-2021-29967) Mozilla: Thunderbird stored OpenPGP secret keys without master password protection (CVE-2021-29956) Mozilla: Partial protection of inline OpenPGP message not indicated (CVE-2021-29957)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2261 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2261
  • CVE-2021-29956+
    Recently Published

    Red Hat Update for thunderbird (RHSA-2021:2263)

    Severity
    Critical4
    Qualys ID
    239416
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2263
    CVE Reference
    CVE-2021-29956, CVE-2021-29957, CVE-2021-29967
    CVSS Scores
    Base / Temporal
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 78.11.0.

    Security Fix(es): Mozilla: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 (CVE-2021-29967) Mozilla: Thunderbird stored OpenPGP secret keys without master password protection (CVE-2021-29956) Mozilla: Partial protection of inline OpenPGP message not indicated (CVE-2021-29957)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2263 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2263
  • CVE-2021-23017
    In Development

    Red Hat Update for rh-nginx116-nginx (RHSA-2021:2278)

    Severity
    Critical4
    Qualys ID
    239415
    Vendor Reference
    RHSA-2021:2278
    CVE Reference
    CVE-2021-23017
    CVSS Scores
    Base / Temporal
    Description
    nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage.

    Security Fix(es): nginx: Off-by-one in ngx_resolver_copy()
    when labels are followed by a pointer to a root domain name (CVE-2021-23017)

    Affected Products:

    Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7 x86_64
    Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.7 s390x
    Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.7 ppc64le
    Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
    Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
    Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
    Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2278 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2278
  • CVE-2021-23017
    Recently Published

    Red Hat Update for nginx:1.16 (RHSA-2021:2290)

    Severity
    Critical4
    Qualys ID
    239412
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2290
    CVE Reference
    CVE-2021-23017
    CVSS Scores
    Base / Temporal
    Description
    nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage.

    Security Fix(es): nginx: Off-by-one in ngx_resolver_copy()
    when labels are followed by a pointer to a root domain name (CVE-2021-23017)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2290 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2290
  • CVE-2021-30465
    Recently Published

    Red Hat Update for container-tools:2.0 (RHSA-2021:2291)

    Severity
    Critical4
    Qualys ID
    239411
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2291
    CVE Reference
    CVE-2021-30465
    CVSS Scores
    Base / Temporal
    Description
    The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.

    Security Fix(es): runc: vulnerable to symlink exchange attack (CVE-2021-30465)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2291 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2291
  • CVE-2021-30465
    Recently Published

    Red Hat Update for container-tools:2.0 (RHSA-2021:2292)

    Severity
    Critical4
    Qualys ID
    239410
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2292
    CVE Reference
    CVE-2021-30465
    CVSS Scores
    Base / Temporal
    Description
    The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.

    Security Fix(es): runc: vulnerable to symlink exchange attack (CVE-2021-30465)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2292 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2292
  • CVE-2020-24489+
    Recently Published

    Red Hat Update for microcode_ctl (RHSA-2021:2304)

    Severity
    Critical4
    Qualys ID
    239409
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2304
    CVE Reference
    CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, CVE-2020-24513
    CVSS Scores
    Base / Temporal
    Description
    The microcode_ctl packages provide microcode updates for Intel.

    Security Fix(es): hw: vt-d related privilege escalation (CVE-2020-24489) hw: improper isolation of shared resources in some Intel Processors (CVE-2020-24511) hw: observable timing discrepancy in some Intel Processors (CVE-2020-24512) hw: information disclosure on some Intel Atom processors (CVE-2020-24513) Bug Fix(es)
    and Enhancement(s): Update Intel CPU microcode to microcode-20210525 release Solution Before applying this update, make sure all previously released errata relevant to your system have been applied.For details on how to apply this update, refer to:https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.7 x86_64 Red Hat Enterprise Linux EUS Compute Node 7.7 x86_64 Red Hat Enterprise Linux Server - AUS 7.7 x86_64 Red Hat Enterprise Linux Server - TUS 7.7 x86_64 Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.7 x86_64 Fixes BZ - 1962650 - CVE-2020-24489 hw: vt-d related privilege escalation BZ - 1962666 - CVE-2020-24513 hw: information disclosure on some Intel Atom processors BZ - 1962702 - CVE-2020-24511 hw: improper isolation of shared resources in some Intel Processors BZ - 1962722 - CVE-2020-24512 hw: observable timing discrepancy in some Intel Processors CVEs CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.7 x86_64
    Red Hat Enterprise Linux EUS Compute Node 7.7 x86_64
    Red Hat Enterprise Linux Server - AUS 7.7 x86_64
    Red Hat Enterprise Linux Server - TUS 7.7 x86_64
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.7 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2304 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2304
  • CVE-2020-24489+
    Recently Published

    Red Hat Update for microcode_ctl (RHSA-2021:2305)

    Severity
    Critical4
    Qualys ID
    239408
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2305
    CVE Reference
    CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, CVE-2020-24513
    CVSS Scores
    Base / Temporal
    Description
    The microcode_ctl packages provide microcode updates for Intel.

    Security Fix(es): hw: vt-d related privilege escalation (CVE-2020-24489) hw: improper isolation of shared resources in some Intel Processors (CVE-2020-24511) hw: observable timing discrepancy in some Intel Processors (CVE-2020-24512) hw: information disclosure on some Intel Atom processors (CVE-2020-24513) Bug Fix(es)
    and Enhancement(s): Update Intel CPU microcode to microcode-20210525 release Solution Before applying this update, make sure all previously released errata relevant to your system have been applied.For details on how to apply this update, refer to:https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux Server 7 x86_64 Red Hat Enterprise Linux Workstation 7 x86_64 Red Hat Enterprise Linux Desktop 7 x86_64 Red Hat Enterprise Linux for Scientific Computing 7 x86_64 Fixes BZ - 1962650 - CVE-2020-24489 hw: vt-d related privilege escalation BZ - 1962666 - CVE-2020-24513 hw: information disclosure on some Intel Atom processors BZ - 1962702 - CVE-2020-24511 hw: improper isolation of shared resources in some Intel Processors BZ - 1962722 - CVE-2020-24512 hw: observable timing discrepancy in some Intel Processors CVEs CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for Scientific Computing 7 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2305 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2305
  • CVE-2020-24489+
    In Development

    Red Hat Update for microcode_ctl (RHSA-2021:2306)

    Severity
    Critical4
    Qualys ID
    239407
    Vendor Reference
    RHSA-2021:2306
    CVE Reference
    CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, CVE-2020-24513
    CVSS Scores
    Base / Temporal
    Description
    The microcode_ctl packages provide microcode updates for Intel.

    Security Fix(es): hw: vt-d related privilege escalation (CVE-2020-24489) hw: improper isolation of shared resources in some Intel Processors (CVE-2020-24511) hw: observable timing discrepancy in some Intel Processors (CVE-2020-24512) hw: information disclosure on some Intel Atom processors (CVE-2020-24513) Bug Fix(es)
    and Enhancement(s): Update Intel CPU microcode to microcode-20210525 release Solution Before applying this update, make sure all previously released errata relevant to your system have been applied.For details on how to apply this update, refer to:https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64 Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64 Fixes BZ - 1962650 - CVE-2020-24489 hw: vt-d related privilege escalation BZ - 1962666 - CVE-2020-24513 hw: information disclosure on some Intel Atom processors BZ - 1962702 - CVE-2020-24511 hw: improper isolation of shared resources in some Intel Processors BZ - 1962722 - CVE-2020-24512 hw: observable timing discrepancy in some Intel Processors CVEs CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2306 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2306
  • CVE-2020-24489+
    Recently Published

    Red Hat Update for microcode_ctl (RHSA-2021:2307)

    Severity
    Critical4
    Qualys ID
    239406
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2307
    CVE Reference
    CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, CVE-2020-24513
    CVSS Scores
    Base / Temporal
    Description
    The microcode_ctl packages provide microcode updates for Intel.

    Security Fix(es): hw: vt-d related privilege escalation (CVE-2020-24489) hw: improper isolation of shared resources in some Intel Processors (CVE-2020-24511) hw: observable timing discrepancy in some Intel Processors (CVE-2020-24512) hw: information disclosure on some Intel Atom processors (CVE-2020-24513) Bug Fix(es)
    and Enhancement(s): Update Intel CPU microcode to microcode-20210525 release Solution Before applying this update, make sure all previously released errata relevant to your system have been applied.For details on how to apply this update, refer to:https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64 Red Hat Enterprise Linux Server - AUS 8.2 x86_64 Red Hat Enterprise Linux Server - TUS 8.2 x86_64 Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64 Fixes BZ - 1962650 - CVE-2020-24489 hw: vt-d related privilege escalation BZ - 1962666 - CVE-2020-24513 hw: information disclosure on some Intel Atom processors BZ - 1962702 - CVE-2020-24511 hw: improper isolation of shared resources in some Intel Processors BZ - 1962722 - CVE-2020-24512 hw: observable timing discrepancy in some Intel Processors CVEs CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2307 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2307
  • CVE-2020-24489+
    Recently Published

    Red Hat Update for microcode_ctl (RHSA-2021:2308)

    Severity
    Critical4
    Qualys ID
    239405
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2308
    CVE Reference
    CVE-2020-24489, CVE-2020-24511, CVE-2020-24512, CVE-2020-24513
    CVSS Scores
    Base / Temporal
    Description
    The microcode_ctl packages provide microcode updates for Intel.

    Security Fix(es): hw: vt-d related privilege escalation (CVE-2020-24489) hw: improper isolation of shared resources in some Intel Processors (CVE-2020-24511) hw: observable timing discrepancy in some Intel Processors (CVE-2020-24512) hw: information disclosure on some Intel Atom processors (CVE-2020-24513) Bug Fix(es)
    and Enhancement(s): Update Intel CPU microcode to microcode-20210525 release Solution Before applying this update, make sure all previously released errata relevant to your system have been applied.For details on how to apply this update, refer to:https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 8 x86_64 Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64 Red Hat Enterprise Linux Server - AUS 8.4 x86_64 Red Hat Enterprise Linux Server - TUS 8.4 x86_64 Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64 Fixes BZ - 1962650 - CVE-2020-24489 hw: vt-d related privilege escalation BZ - 1962666 - CVE-2020-24513 hw: information disclosure on some Intel Atom processors BZ - 1962702 - CVE-2020-24511 hw: improper isolation of shared resources in some Intel Processors BZ - 1962722 - CVE-2020-24512 hw: observable timing discrepancy in some Intel Processors CVEs CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2308 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2308
  • CVE-2020-8648+
    Recently Published

    Red Hat Update for kernel (RHSA-2021:2314)

    Severity
    Critical4
    Qualys ID
    239403
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2314
    CVE Reference
    CVE-2020-8648, CVE-2020-12362, CVE-2020-12363, CVE-2020-12364, CVE-2020-27170, CVE-2021-3347
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The kernel packages contain the Linux kernel, the core of any Linux operating system.

    Security Fix(es): kernel: Integer overflow in Intel(R)
    Graphics Drivers (CVE-2020-12362) kernel: Use after free via PI futex state (CVE-2021-3347) kernel: use-after-free in n_tty_receive_buf_common function in drivers/tty/n_tty.c (CVE-2020-8648) kernel: Improper input validation in some Intel(R)
    Graphics Drivers (CVE-2020-12363) kernel: Null pointer dereference in some Intel(R)
    Graphics Drivers (CVE-2020-12364) kernel: Speculation on pointer arithmetic against bpf_context pointer (CVE-2020-27170)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Scientific Computing 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le
    Red Hat Virtualization Host 4 for RHEL 7 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2314 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2314
  • CVE-2018-25011+
    Recently Published

    Red Hat Update for qt5-qtimageformats (RHSA-2021:2328)

    Severity
    Critical4
    Qualys ID
    239399
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2328
    CVE Reference
    CVE-2018-25011, CVE-2018-25014, CVE-2020-36328, CVE-2020-36329
    CVSS Scores
    Base / Temporal
    Description
    The Qt Image Formats in an add-on module for the core Qt Gui library that provides support for additional image formats including MNG, TGA, TIFF, WBMP, and WebP.

    Security Fix(es): libwebp: heap-based buffer overflow in PutLE16()
    (CVE-2018-25011) libwebp: use of uninitialized value in ReadSymbol()
    (CVE-2018-25014) libwebp: heap-based buffer overflow in WebPDecode*Into functions (CVE-2020-36328) libwebp: use-after-free in EmitFancyRGB()
    in dec/io_dec.c (CVE-2020-36329)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2328 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2328
  • CVE-2021-20277
    Recently Published

    Red Hat Update for libldb (RHSA-2021:2331)

    Severity
    Critical4
    Qualys ID
    239398
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2331
    CVE Reference
    CVE-2021-20277
    CVSS Scores
    Base / Temporal
    Description
    The libldb packages provide an extensible library that implements an LDAP-like API to access remote LDAP servers, or use local TDB databases.

    Security Fix(es): samba: Out of bounds read in AD DC LDAP server (CVE-2021-20277)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.7 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.7 s390x
    Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.7 ppc64
    Red Hat Enterprise Linux EUS Compute Node 7.7 x86_64
    Red Hat Enterprise Linux Server - AUS 7.7 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.7 ppc64le
    Red Hat Enterprise Linux Server - TUS 7.7 x86_64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.7 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.7 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2331 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2331
  • CVE-2021-31957
    Recently Published

    Red Hat Update for .NET Core 3.1 on RHEL 7 (RHSA-2021:2350)

    Severity
    Critical4
    Qualys ID
    239397
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2350
    CVE Reference
    CVE-2021-31957
    CVSS Scores
    Base / Temporal
    Description
    .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 3.1.116 and .NET Runtime 3.1.16.

    Security Fix(es): dotnet: ASP.NET Core Client Disconnect Denial of Service (CVE-2021-31957)

    Affected Products:

    dotNET on RHEL (for RHEL Server) 1 x86_64
    dotNET on RHEL (for RHEL Workstation) 1 x86_64
    dotNET on RHEL (for RHEL Compute Node) 1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2350 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2350
  • CVE-2021-31957
    Recently Published

    Red Hat Update for .NET 5.0 on RHEL 7 (RHSA-2021:2351)

    Severity
    Critical4
    Qualys ID
    239396
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2351
    CVE Reference
    CVE-2021-31957
    CVSS Scores
    Base / Temporal
    Description
    .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 5.0.204 and .NET Runtime 5.0.7.

    Security Fix(es): dotnet: ASP.NET Core Client Disconnect Denial of Service (CVE-2021-31957)

    Affected Products:

    dotNET on RHEL (for RHEL Server) 1 x86_64
    dotNET on RHEL (for RHEL Workstation) 1 x86_64
    dotNET on RHEL (for RHEL Compute Node) 1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2351 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2351
  • CVE-2021-31957
    Recently Published

    Red Hat Update for .NET Core 3.1 (RHSA-2021:2352)

    Severity
    Critical4
    Qualys ID
    239395
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2352
    CVE Reference
    CVE-2021-31957
    CVSS Scores
    Base / Temporal
    Description
    .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 3.1.116 and .NET Runtime 3.1.16.

    Security Fix(es): dotnet: ASP.NET Core Client Disconnect Denial of Service (CVE-2021-31957)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2352 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2352
  • CVE-2021-31957
    Recently Published

    Red Hat Update for .NET 5.0 (RHSA-2021:2353)

    Severity
    Critical4
    Qualys ID
    239394
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2353
    CVE Reference
    CVE-2021-31957
    CVSS Scores
    Base / Temporal
    Description
    .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 5.0.204 and .NET Runtime 5.0.7.

    Security Fix(es): dotnet: ASP.NET Core Client Disconnect Denial of Service (CVE-2021-31957)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2353 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2353
  • CVE-2018-25011+
    Recently Published

    Red Hat Update for libwebp (RHSA-2021:2354)

    Severity
    Critical4
    Qualys ID
    239393
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2354
    CVE Reference
    CVE-2018-25011, CVE-2020-36328, CVE-2020-36329
    CVSS Scores
    Base / Temporal
    Description
    The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format (RIFF). Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently.

    Security Fix(es): libwebp: heap-based buffer overflow in PutLE16()
    (CVE-2018-25011) libwebp: heap-based buffer overflow in WebPDecode*Into functions (CVE-2020-36328) libwebp: use-after-free in EmitFancyRGB()
    in dec/io_dec.c (CVE-2020-36329)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2354 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2354
  • CVE-2021-25217
    Recently Published

    Red Hat Update for dhcp (RHSA-2021:2357)

    Severity
    Critical4
    Qualys ID
    239392
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2357
    CVE Reference
    CVE-2021-25217
    CVSS Scores
    Base / Temporal
    Description
    The Dynamic Host Configuration Protocol (DHCP)
    is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network.

    Security Fix(es): dhcp: stack-based buffer overflow when parsing statements with colon-separated hex digits in config or lease files in dhcpd and dhclient (CVE-2021-25217)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Scientific Computing 7 x86_64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2357 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2357
  • CVE-2021-25217
    Recently Published

    Red Hat Update for dhcp (RHSA-2021:2359)

    Severity
    Critical4
    Qualys ID
    239391
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2359
    CVE Reference
    CVE-2021-25217
    CVSS Scores
    Base / Temporal
    Description
    The Dynamic Host Configuration Protocol (DHCP)
    is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. The dhcp packages provide a relay agent and ISC DHCP service required to enable and administer DHCP on a network.

    Security Fix(es): dhcp: stack-based buffer overflow when parsing statements with colon-separated hex digits in config or lease files in dhcpd and dhclient (CVE-2021-25217)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2359 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2359
  • CVE-2021-32027+
    Recently Published

    Red Hat Update for postgresql:9.6 (RHSA-2021:2360)

    Severity
    Critical4
    Qualys ID
    239390
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2360
    CVE Reference
    CVE-2021-32027, CVE-2021-32028
    CVSS Scores
    Base / Temporal
    Description
    PostgreSQL is an advanced object-relational database management system (DBMS).The following packages have been upgraded to a later upstream version: postgresql (9.6.22)

    Security Fix(es): postgresql: Buffer overrun from integer overflow in array subscripting calculations (CVE-2021-32027) postgresql: Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE (CVE-2021-32028)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2360 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2360
  • CVE-2021-32027+
    Recently Published

    Red Hat Update for postgresql:10 (RHSA-2021:2361)

    Severity
    Critical4
    Qualys ID
    239389
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2361
    CVE Reference
    CVE-2021-32027, CVE-2021-32028
    CVSS Scores
    Base / Temporal
    Description
    PostgreSQL is an advanced object-relational database management system (DBMS).The following packages have been upgraded to a later upstream version: postgresql (10.17).

    Security Fix(es): postgresql: Buffer overrun from integer overflow in array subscripting calculations (CVE-2021-32027) postgresql: Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE (CVE-2021-32028)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2361 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2361
  • CVE-2021-33516
    Recently Published

    Red Hat Update for gupnp (RHSA-2021:2363)

    Severity
    Critical4
    Qualys ID
    239388
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2363
    CVE Reference
    CVE-2021-33516
    CVSS Scores
    Base / Temporal
    Description
    GUPnP is an object-oriented open source framework for creating UPnP devices and control points, written in C using GObject and libsoup. The GUPnP API is intended to be easy to use, efficient and flexible.

    Security Fix(es): gupnp: allows DNS rebinding which could result in tricking browser into triggering actions against local UPnP services (CVE-2021-33516)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat CodeReady Linux Builder for x86_64 8 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le
    Red Hat CodeReady Linux Builder for ARM 64 8 aarch64
    Red Hat CodeReady Linux Builder for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64
    Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2363 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2363
  • CVE-2018-25011+
    Recently Published

    Red Hat Update for libwebp (RHSA-2021:2364)

    Severity
    Critical4
    Qualys ID
    239387
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2364
    CVE Reference
    CVE-2018-25011, CVE-2020-36328, CVE-2020-36329
    CVSS Scores
    Base / Temporal
    Description
    The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format (RIFF). Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently.

    Security Fix(es): libwebp: heap-based buffer overflow in PutLE16()
    (CVE-2018-25011) libwebp: heap-based buffer overflow in WebPDecode*Into functions (CVE-2020-36328) libwebp: use-after-free in EmitFancyRGB()
    in dec/io_dec.c (CVE-2020-36329)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2364 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2364
  • CVE-2018-25011+
    Recently Published

    Red Hat Update for libwebp (RHSA-2021:2365)

    Severity
    Critical4
    Qualys ID
    239386
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2365
    CVE Reference
    CVE-2018-25011, CVE-2020-36328, CVE-2020-36329
    CVSS Scores
    Base / Temporal
    Description
    The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format (RIFF). Webmasters, web developers and browser developers can use WebP to compress, archive, and distribute digital images more efficiently.

    Security Fix(es): libwebp: heap-based buffer overflow in PutLE16()
    (CVE-2018-25011) libwebp: heap-based buffer overflow in WebPDecode*Into functions (CVE-2020-36328) libwebp: use-after-free in EmitFancyRGB()
    in dec/io_dec.c (CVE-2020-36329)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2365 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2365
  • CVE-2021-30465
    Recently Published

    Red Hat Update for container-tools:3.0 (RHSA-2021:2370)

    Severity
    Critical4
    Qualys ID
    239385
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2370
    CVE Reference
    CVE-2021-30465
    CVSS Scores
    Base / Temporal
    Description
    The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.

    Security Fix(es): runc: vulnerable to symlink exchange attack (CVE-2021-30465)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2370 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2370
  • CVE-2021-30465
    Recently Published

    Red Hat Update for container-tools:rhel8 (RHSA-2021:2371)

    Severity
    Critical4
    Qualys ID
    239384
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2371
    CVE Reference
    CVE-2021-30465
    CVSS Scores
    Base / Temporal
    Description
    The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.

    Security Fix(es): runc: vulnerable to symlink exchange attack (CVE-2021-30465)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2371 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2371
  • CVE-2018-25014+
    Recently Published

    Debian Security Update for libwebp (DSA 4930-1)

    Severity
    Critical4
    Qualys ID
    178670
    Date Published
    June 14, 2021
    Vendor Reference
    DSA 4930-1
    CVE Reference
    CVE-2018-25014, CVE-2018-25010, CVE-2020-36332, CVE-2020-36331, CVE-2020-36328, CVE-2018-25013, CVE-2018-25009, CVE-2020-36330, CVE-2020-36329, CVE-2018-25011
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Debian has released security update for libwebp to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Refer to Debian security advisory to CentOS advisory DSA 4930-1 for updates and patch information.
    Patches
    Debian DSA 4930-1
  • CVE-2021-3393+
    Recently Published

    Red Hat Update for postgresql:12 (RHSA-2021:2372)

    Severity
    Critical4
    Qualys ID
    239383
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2372
    CVE Reference
    CVE-2021-3393, CVE-2021-32027, CVE-2021-32028, CVE-2021-32029
    CVSS Scores
    Base 4.3 / Temporal 3.8
    Description
    PostgreSQL is an advanced object-relational database management system (DBMS).The following packages have been upgraded to a later upstream version: postgresql (12.7)

    Security Fix(es): postgresql: Buffer overrun from integer overflow in array subscripting calculations (CVE-2021-32027) postgresql: Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE (CVE-2021-32028) postgresql: Memory disclosure in partitioned-table UPDATE ... RETURNING (CVE-2021-32029) postgresql: Partition constraint violation errors leak values of denied columns (CVE-2021-3393)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2372 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2372
  • CVE-2021-32027+
    Recently Published

    Red Hat Update for postgresql:13 (RHSA-2021:2375)

    Severity
    Critical4
    Qualys ID
    239382
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2375
    CVE Reference
    CVE-2021-32027, CVE-2021-32028, CVE-2021-32029
    CVSS Scores
    Base 0 / Temporal 0
    Description
    PostgreSQL is an advanced object-relational database management system (DBMS).The following packages have been upgraded to a later upstream version: postgresql (13.3).

    Security Fix(es): postgresql: Buffer overrun from integer overflow in array subscripting calculations (CVE-2021-32027) postgresql: Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE (CVE-2021-32028) postgresql: Memory disclosure in partitioned-table UPDATE ... RETURNING (CVE-2021-32029)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2375 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2375
  • In Development

    Fedora Security Update for firefox (FEDORA-2021-af55f610eb)

    Severity
    Urgent5
    Qualys ID
    281617
    Vendor Reference
    FEDORA-2021-af55f610eb
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for firefox to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-af55f610eb
  • CVE-2021-33501
    Under Investigation

    Overwolf Client Remote Code Execution Vulnerability

    Severity
    Critical4
    Qualys ID
    375621
    CVE Reference
    CVE-2021-33501
    CVSS Scores
    Base 9.6 / Temporal 8.6
    Description
    Overwolf is a software platform designed to help developers create extensions for video games, which are then offered to users through Overwolf's App.

    CVE-2021-33501: Unauthenticated attackers can achieve RCE on vulnerable clients by combining a reflected cross-site scripting (XSS) bug with a Chromium Embedded Framework (CEF) sandbox escape.

    Affected Versions:
    Overwolf Client 0.169.0.22 and earlier
    QID Detection Logic(Authenticated):
    This QID checks for the vulnerable version of overwolf with registry HKLM\SOFTWARE\WOW6432Node\Overwolf and using CurrentVersion

    Consequence
    Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code execution on the target system.
    Solution
    Customers are advised to download the latest version of overwolf client from here.
    Patches
    Overwolf
  • CVE-2020-26147+
    In Development

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:1912-1)

    Severity
    Critical4
    Qualys ID
    750140
    Vendor Reference
    SUSE-SU-2021:1912-1
    CVE Reference
    CVE-2020-26147, CVE-2020-24587, CVE-2021-33200, CVE-2020-26139, CVE-2020-26145, CVE-2021-23133, CVE-2021-32399, CVE-2021-33034, CVE-2020-24586, CVE-2021-3491, CVE-2020-26141, CVE-2021-23134
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The suse linux enterprise 15 sp1 kernel was updated to receive various security and bugfixes.
    the following security bugs were fixed: - cve-2021-33200: enforcing incorrect limits for pointer arithmetic operations by the bpf verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
    - cve-2021-33034: fixed a use-after-free when destroying an hci_chan.
    This could lead to writing an arbitrary values. (
    Bsc#1186111) - cve-2020-26139: fixed a denial-of-service when an access point (ap) forwards eapol frames to other clients even though the sender has not yet successfully authenticated to the ap. (
    Bnc#1186062) - cve-2021-23134: a use after free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (
    Bnc#1186060) - cve-2021-23133: fixed a race condition in sctp sockets, which could lead to privilege escalation from the context of a network service or an unprivileged process. (
    Bnc#1184675) - cve-2021-3491: fixed a potential heap overflow in mem_rw().
    This vulnerability is related to the provide_buffers operation, which allowed the max_rw_count limit to be bypassed (bsc#1185642).
    - cve-2021-32399: fixed a race condition when removing the hci controller (bnc#1184611).
    - cve-2020-24586: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesn't require that received fragments be cleared from memory after (re)connecting to a network.
    Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
    - cve-2020-24587: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesn't require that all fragments of a frame are encrypted under the same key.
    an adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the wep, ccmp, or gcmp encryption key is periodically renewed (bnc#1185859 bnc#1185862).
    - cve-2020-26147: the wep, wpa, wpa2, and wpa3 implementations reassemble fragments, even though some of them were sent in plaintext.
    This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the wep, ccmp, or gcmp data-confidentiality protocol is used (bnc#1185859).
    - cve-2020-26145: an issue was discovered with samsung galaxy s3 i9305 4.4.4 devices.
    The wep, wpa, wpa2, and wpa3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames.
    An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (
    Bnc#1185860) - cve-2020-26141: an issue was discovered in the alfa driver for awus036h, where the message integrity check (authenticity) of fragmented tkip frames was not verified.
    An adversary can abuse this to inject and possibly decrypt packets in wpa or wpa2 networks that support the tkip data-confidentiality protocol. (
    Bnc#1185987)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1912-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1912-1
  • CVE-2020-26147+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:1913-1)

    Severity
    Critical4
    Qualys ID
    750139
    Date Published
    June 14, 2021
    Vendor Reference
    SUSE-SU-2021:1913-1
    CVE Reference
    CVE-2020-26147, CVE-2020-24587, CVE-2021-33200, CVE-2020-26139, CVE-2020-26145, CVE-2021-23133, CVE-2021-32399, CVE-2021-33034, CVE-2020-24586, CVE-2021-3491, CVE-2020-26141, CVE-2021-23134
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The suse linux enterprise 12 sp5 kernel was updated to receive various security and bugfixes.
    the following security bugs were fixed: - cve-2021-33200: enforcing incorrect limits for pointer arithmetic operations by the bpf verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
    - cve-2021-33034: fixed a use-after-free when destroying an hci_chan.
    This could lead to writing an arbitrary values. (
    Bsc#1186111) - cve-2020-26139: fixed a denial-of-service when an access point (ap) forwards eapol frames to other clients even though the sender has not yet successfully authenticated to the ap. (
    Bnc#1186062) - cve-2021-23134: a use after free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (
    Bnc#1186060) - cve-2021-3491: fixed a potential heap overflow in mem_rw().
    This vulnerability is related to the provide_buffers operation, which allowed the max_rw_count limit to be bypassed (bsc#1185642).
    - cve-2021-32399: fixed a race condition when removing the hci controller (bnc#1184611).
    - cve-2020-24586: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesn't require that received fragments be cleared from memory after (re)connecting to a network.
    Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
    - cve-2020-24587: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesn't require that all fragments of a frame are encrypted under the same key.
    an adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the wep, ccmp, or gcmp encryption key is periodically renewed (bnc#1185859 bnc#1185862).
    - cve-2020-26147: the wep, wpa, wpa2, and wpa3 implementations reassemble fragments, even though some of them were sent in plaintext.
    This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the wep, ccmp, or gcmp data-confidentiality protocol is used (bnc#1185859).
    - cve-2020-26145: an issue was discovered with samsung galaxy s3 i9305 4.4.4 devices.
    The wep, wpa, wpa2, and wpa3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames.
    An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (
    Bnc#1185860) - cve-2020-26141: an issue was discovered in the alfa driver for awus036h, where the message integrity check (authenticity) of fragmented tkip frames was not verified.
    An adversary can abuse this to inject and possibly decrypt packets in wpa or wpa2 networks that support the tkip data-confidentiality protocol. (
    Bnc#1185987) - cve-2021-23133: fixed a race condition in sctp sockets, which could lead to privilege escalation from the context of a network service or an unprivileged process. (
    Bnc#1184675)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1913-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1913-1
  • CVE-2017-8779
    Recently Published

    Ubuntu Security Notification for rpcbind vulnerability (USN-4986-1)

    Severity
    Critical4
    Qualys ID
    198404
    Date Published
    June 14, 2021
    Vendor Reference
    USN-4986-1
    CVE Reference
    CVE-2017-8779
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Rpcbind incorrectly handled certain large data sizes.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    a remote attacker could use this issue to cause rpcbind to consume resources, leading to a denial of service..
    Solution
    Refer to Ubuntu advisory: USN-4986-1 for affected packages and patching details, or update with your package manager.
    Patches
    Ubuntu Linux USN-4986-1
  • CVE-2020-14355
    Recently Published

    SUSE Enterprise Linux Security Update for spice-gtk (SUSE-SU-2021:1911-1)

    Severity
    Critical4
    Qualys ID
    750135
    Date Published
    June 14, 2021
    Vendor Reference
    SUSE-SU-2021:1911-1
    CVE Reference
    CVE-2020-14355
    CVSS Scores
    Base 6.6 / Temporal 5.8
    Description
    This update for spice-gtk fixes the following issues: - cve-2020-14355: fixed multiple buffer overflow vulnerabilities in quic decoding code (bsc#1177158)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1911-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1911-1
  • CVE-2021-29155+
    In Development

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:1915-1)

    Severity
    Critical4
    Qualys ID
    750137
    Vendor Reference
    SUSE-SU-2021:1915-1
    CVE Reference
    CVE-2021-29155, CVE-2021-29650
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    The suse linux enterprise 15 sp2 rt kernel was updated to receive various security and bugfixes.
    the following security bugs were fixed: - cve-2021-29650: fixed an issue with the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).
    - cve-2021-29155: fixed an issue that was discovered in kernel/bpf/verifier.c that performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat spectre mitigations and obtain sensitive information from kernel memory.
    Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation was not correctly accounted for when restricting subsequent operations (bnc#1184942).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1915-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1915-1
  • CVE-2021-29967+
    Recently Published

    SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2021:1919-1)

    Severity
    Critical4
    Qualys ID
    750141
    Date Published
    June 14, 2021
    Vendor Reference
    SUSE-SU-2021:1919-1
    CVE Reference
    CVE-2021-29967, CVE-2021-29951, CVE-2021-29964
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    This update for mozillafirefox fixes the following issues: firefox extended support release 78.11.0 esr (bsc#1186696) * cve-2021-29964: out of bounds-read when parsing a `wm_copydata` message * cve-2021-29967: memory safety bugs fixed in firefox

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1919-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1919-1
  • CVE-2021-30544+
    Recently Published

    Google Chrome Prior To 91.0.4472.101 Multiple Vulnerabilities

    Severity
    Urgent5
    Qualys ID
    375622
    Date Published
    June 11, 2021
    Vendor Reference
    91.0.4472.101
    CVE Reference
    CVE-2021-30544, CVE-2021-30545, CVE-2021-30546, CVE-2021-30547, CVE-2021-30548, CVE-2021-30549, CVE-2021-30550, CVE-2021-30551, CVE-2021-30552, CVE-2021-30553
    CVSS Scores
    Base 5.6 / Temporal 4.9
    Description
    Google Chrome is a web browser for multiple platforms developed by Google.

    Affected Versions:
    Google Chrome Prior to 91.0.4472.101

    QID Detection Logic(Authenticated):
    This QID checks for vulnerable versions of Google Chrome on Windows and MAC OS.

    Consequence
    Successful exploitation of these vulnerabilities may result in the attacker executing arbitrary code execution on the target system.

    Solution
    Customers are advised to upgrade to latest version: 91.0.4472.101
    For further details refer to Google Chrome 91.0.4472.101
    Patches
    91.0.4472.101
  • CVE-2020-10756+
    In Development

    SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2021:1918-1)

    Severity
    Critical4
    Qualys ID
    750138
    Vendor Reference
    SUSE-SU-2021:1918-1
    CVE Reference
    CVE-2020-10756, CVE-2021-20257, CVE-2021-3419, CVE-2019-15890, CVE-2020-25707, CVE-2020-25723, CVE-2020-8608, CVE-2020-14364, CVE-2020-29130, CVE-2020-29129
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    This update for qemu fixes the following issues: - cve-2020-10756: fix out-of-bounds read information disclosure in icmp6_send_echoreply (bsc#1172380)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1918-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1918-1
  • In Development

    Fedora Security Update for microcode_ctl (FEDORA-2021-8a10199ab5)

    Severity
    Critical4
    Qualys ID
    281616
    Vendor Reference
    FEDORA-2021-8a10199ab5
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for microcode_ctl to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-8a10199ab5
  • CVE-2018-25011+
    In Development

    Oracle Enterprise Linux Security Update for qt5-qtimageformats (ELSA-2021-2328)

    Severity
    Critical4
    Qualys ID
    159254
    Vendor Reference
    ELSA-2021-2328
    CVE Reference
    CVE-2018-25011, CVE-2020-36329, CVE-2020-36328, CVE-2018-25014
    CVSS Scores
    Base 0 / Temporal 0
    Description
    Oracle Enterprise Linux has released a security update for qt5-qtimageformats to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 7

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-2328.
    Patches
    Oracle Linux ELSA-2021-2328
  • CVE-2018-25010+
    Recently Published

    Debian Security Update for libwebp (DLA 2677-1)

    Severity
    Critical4
    Qualys ID
    178660
    Date Published
    June 14, 2021
    Vendor Reference
    DLA 2677-1
    CVE Reference
    CVE-2018-25010, CVE-2020-36331, CVE-2018-25011, CVE-2020-36330, CVE-2020-36328, CVE-2018-25014, CVE-2018-25012, CVE-2018-25013, CVE-2020-36329, CVE-2018-25009
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Debian has released security update for libwebp to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Refer to Debian security advisory to CentOS advisory DLA 2677-1 for updates and patch information.
    Patches
    Debian DLA 2677-1
  • CVE-2018-25010+
    Recently Published

    Debian Security Update for libwebp (DLA 2672-1)

    Severity
    Critical4
    Qualys ID
    178659
    Date Published
    June 14, 2021
    Vendor Reference
    DLA 2672-1
    CVE Reference
    CVE-2018-25010, CVE-2020-36331, CVE-2018-25011, CVE-2020-36330, CVE-2020-36328, CVE-2018-25014, CVE-2018-25012, CVE-2018-25013, CVE-2020-36329, CVE-2018-25009
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Debian has released security update for libwebp to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Refer to Debian security advisory to CentOS advisory DLA 2672-1 for updates and patch information.
    Patches
    Debian DLA 2672-1
  • CVE-2021-3185
    Recently Published

    SUSE Enterprise Linux Security Update for gstreamer-plugins-bad (SUSE-SU-2021:1904-1)

    Severity
    Critical4
    Qualys ID
    750131
    Date Published
    June 10, 2021
    Vendor Reference
    SUSE-SU-2021:1904-1
    CVE Reference
    CVE-2021-3185
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    This update for gstreamer-plugins-bad fixes the following issues: - cve-2021-3185: h264parser: guard against ref_pic_markings overflow (bsc#1181255

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1904-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1904-1
  • CVE-2016-10228+
    In Development

    Oracle Enterprise Linux Security Update for glibc (ELSA-2021-9280)

    Severity
    Critical4
    Qualys ID
    159249
    Vendor Reference
    ELSA-2021-9280
    CVE Reference
    CVE-2016-10228, CVE-2019-9169, CVE-2020-27618, CVE-2021-3326, CVE-2019-25013
    CVSS Scores
    Base 9.8 / Temporal 7.8
    Description
    Oracle Enterprise Linux has released a security update for glibc to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-9280.
    Patches
    Oracle Linux ELSA-2021-9280
  • CVE-2021-30465
    In Development

    SUSE Enterprise Linux Security Update for runc (SUSE-SU-2021:1885-1)

    Severity
    Critical4
    Qualys ID
    750127
    Vendor Reference
    SUSE-SU-2021:1885-1
    CVE Reference
    CVE-2021-30465
    CVSS Scores
    Base 8.5 / Temporal 7.4
    Description
    This update for runc fixes the following issues: - cve-2021-30465: fixed a symlink-exchange attack (bsc#1185405).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1885-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1885-1
  • CVE-2020-24587+
    In Development

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:1889-1)

    Severity
    Critical4
    Qualys ID
    750126
    Vendor Reference
    SUSE-SU-2021:1889-1
    CVE Reference
    CVE-2020-24587, CVE-2020-26141, CVE-2020-26145, CVE-2020-24586, CVE-2021-33200, CVE-2021-32399, CVE-2021-23134, CVE-2020-24588, CVE-2021-3491, CVE-2020-26139, CVE-2020-26147, CVE-2021-33034
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The suse linux enterprise 15 sp2 rt kernel was updated to receive various security and bugfixes.
    the following security bugs were fixed: - cve-2021-33200: enforcing incorrect limits for pointer arithmetic operations by the bpf verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
    - cve-2021-33034: fixed a use-after-free when destroying an hci_chan.
    This could lead to writing an arbitrary values. (
    Bsc#1186111) - cve-2020-26139: fixed a denial-of-service when an access point (ap) forwards eapol frames to other clients even though the sender has not yet successfully authenticated to the ap. (
    Bnc#1186062) - cve-2021-23134: a use after free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (
    Bnc#1186060) - cve-2021-3491: fixed a potential heap overflow in mem_rw().
    This vulnerability is related to the provide_buffers operation, which allowed the max_rw_count limit to be bypassed (bsc#1185642).
    - cve-2021-32399: fixed a race condition when removing the hci controller (bnc#1184611).
    - cve-2020-24586: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesn't require that received fragments be cleared from memory after (re)connecting to a network.
    Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
    - cve-2020-24587: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesn't require that all fragments of a frame are encrypted under the same key.
    an adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the wep, ccmp, or gcmp encryption key is periodically renewed (bnc#1185859 bnc#1185862).
    - cve-2020-26147: the wep, wpa, wpa2, and wpa3 implementations reassemble fragments, even though some of them were sent in plaintext.
    This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the wep, ccmp, or gcmp data-confidentiality protocol is used (bnc#1185859).
    - cve-2020-24588: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesn't require that the a-msdu flag in the plaintext qos header field is authenticated.
    Against devices that support receiving non-ssp a-msdu frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (
    Bnc#1185861) - cve-2020-26145: an issue was discovered with samsung galaxy s3 i9305 4.4.4 devices.
    The wep, wpa, wpa2, and wpa3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames.
    An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (
    Bnc#1185860) - cve-2020-26141: an issue was discovered in the alfa driver for awus036h, where the message integrity check (authenticity) of fragmented tkip frames was not verified.
    An adversary can abuse this to inject and possibly decrypt packets in wpa or wpa2 networks that support the tkip data-confidentiality protocol. (
    Bnc#1185987)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1889-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1889-1
  • CVE-2020-24587+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:1887-1)

    Severity
    Critical4
    Qualys ID
    750125
    Date Published
    June 10, 2021
    Vendor Reference
    SUSE-SU-2021:1887-1
    CVE Reference
    CVE-2020-24587, CVE-2020-26141, CVE-2020-26145, CVE-2020-24586, CVE-2021-33200, CVE-2021-32399, CVE-2021-23134, CVE-2021-3491, CVE-2020-26139, CVE-2020-26147, CVE-2021-33034, CVE-2021-23133
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The suse linux enterprise 12 sp5 azure kernel was updated to receive various security and bugfixes.
    the following security bugs were fixed: - cve-2021-33200: enforcing incorrect limits for pointer arithmetic operations by the bpf verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
    - cve-2021-33034: fixed a use-after-free when destroying an hci_chan.
    This could lead to writing an arbitrary values. (
    Bsc#1186111) - cve-2020-26139: fixed a denial-of-service when an access point (ap) forwards eapol frames to other clients even though the sender has not yet successfully authenticated to the ap. (
    Bnc#1186062) - cve-2021-23134: a use after free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (
    Bnc#1186060) - cve-2021-3491: fixed a potential heap overflow in mem_rw().
    This vulnerability is related to the provide_buffers operation, which allowed the max_rw_count limit to be bypassed (bsc#1185642).
    - cve-2021-32399: fixed a race condition when removing the hci controller (bnc#1184611).
    - cve-2020-24586: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesn't require that received fragments be cleared from memory after (re)connecting to a network.
    Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
    - cve-2020-24587: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesn't require that all fragments of a frame are encrypted under the same key.
    an adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the wep, ccmp, or gcmp encryption key is periodically renewed (bnc#1185859 bnc#1185862).
    - cve-2020-26147: the wep, wpa, wpa2, and wpa3 implementations reassemble fragments, even though some of them were sent in plaintext.
    This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the wep, ccmp, or gcmp data-confidentiality protocol is used (bnc#1185859).
    - cve-2020-26145: an issue was discovered with samsung galaxy s3 i9305 4.4.4 devices.
    The wep, wpa, wpa2, and wpa3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames.
    An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (
    Bnc#1185860) - cve-2020-26141: an issue was discovered in the alfa driver for awus036h, where the message integrity check (authenticity) of fragmented tkip frames was not verified.
    An adversary can abuse this to inject and possibly decrypt packets in wpa or wpa2 networks that support the tkip data-confidentiality protocol. (
    Bnc#1185987) - cve-2021-23133: fixed a race condition in sctp sockets, which could lead to privilege escalation from the context of a network service or an unprivileged process. (
    Bnc#1184675)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1887-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1887-1
  • CVE-2020-24587+
    In Development

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:1888-1)

    Severity
    Critical4
    Qualys ID
    750121
    Vendor Reference
    SUSE-SU-2021:1888-1
    CVE Reference
    CVE-2020-24587, CVE-2020-26141, CVE-2020-26145, CVE-2020-24586, CVE-2021-33200, CVE-2021-32399, CVE-2021-23134, CVE-2020-24588, CVE-2021-3491, CVE-2020-26139, CVE-2020-26147, CVE-2021-33034
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The suse linux enterprise 15 sp2 azure kernel was updated to receive various security and bugfixes.
    the following security bugs were fixed: - cve-2021-33200: enforcing incorrect limits for pointer arithmetic operations by the bpf verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
    - cve-2021-33034: fixed a use-after-free when destroying an hci_chan.
    This could lead to writing an arbitrary values. (
    Bsc#1186111) - cve-2020-26139: fixed a denial-of-service when an access point (ap) forwards eapol frames to other clients even though the sender has not yet successfully authenticated to the ap. (
    Bnc#1186062) - cve-2021-23134: a use after free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (
    Bnc#1186060) - cve-2021-3491: fixed a potential heap overflow in mem_rw().
    This vulnerability is related to the provide_buffers operation, which allowed the max_rw_count limit to be bypassed (bsc#1185642).
    - cve-2021-32399: fixed a race condition when removing the hci controller (bnc#1184611).
    - cve-2020-24586: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesn't require that received fragments be cleared from memory after (re)connecting to a network.
    Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
    - cve-2020-24587: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesn't require that all fragments of a frame are encrypted under the same key.
    an adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the wep, ccmp, or gcmp encryption key is periodically renewed (bnc#1185859 bnc#1185862).
    - cve-2020-26147: the wep, wpa, wpa2, and wpa3 implementations reassemble fragments, even though some of them were sent in plaintext.
    This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the wep, ccmp, or gcmp data-confidentiality protocol is used (bnc#1185859).
    - cve-2020-26145: an issue was discovered with samsung galaxy s3 i9305 4.4.4 devices.
    The wep, wpa, wpa2, and wpa3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames.
    An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (
    Bnc#1185860) - cve-2020-26141: an issue was discovered in the alfa driver for awus036h, where the message integrity check (authenticity) of fragmented tkip frames was not verified.
    An adversary can abuse this to inject and possibly decrypt packets in wpa or wpa2 networks that support the tkip data-confidentiality protocol. (
    Bnc#1185987) - cve-2020-24588: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesn't require that the a-msdu flag in the plaintext qos header field is authenticated.
    Against devices that support receiving non-ssp a-msdu frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (
    Bnc#1185861)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1888-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1888-1
  • CVE-2020-24587+
    In Development

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:1890-1)

    Severity
    Critical4
    Qualys ID
    750118
    Vendor Reference
    SUSE-SU-2021:1890-1
    CVE Reference
    CVE-2020-24587, CVE-2020-26141, CVE-2020-26145, CVE-2020-24586, CVE-2021-33200, CVE-2021-32399, CVE-2021-23134, CVE-2020-24588, CVE-2021-3491, CVE-2020-26139, CVE-2020-26147, CVE-2021-33034
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The suse linux enterprise 15 sp2 kernel was updated to receive various security and bugfixes.
    the following security bugs were fixed: - cve-2021-33200: enforcing incorrect limits for pointer arithmetic operations by the bpf verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
    - cve-2021-33034: fixed a use-after-free when destroying an hci_chan.
    This could lead to writing an arbitrary values. (
    Bsc#1186111) - cve-2020-26139: fixed a denial-of-service when an access point (ap) forwards eapol frames to other clients even though the sender has not yet successfully authenticated to the ap. (
    Bnc#1186062) - cve-2021-23134: a use after free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (
    Bnc#1186060) - cve-2021-3491: fixed a potential heap overflow in mem_rw().
    This vulnerability is related to the provide_buffers operation, which allowed the max_rw_count limit to be bypassed (bsc#1185642).
    - cve-2021-32399: fixed a race condition when removing the hci controller (bnc#1184611).
    - cve-2020-24586: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesn't require that received fragments be cleared from memory after (re)connecting to a network.
    Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
    - cve-2020-24587: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesn't require that all fragments of a frame are encrypted under the same key.
    an adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the wep, ccmp, or gcmp encryption key is periodically renewed (bnc#1185859 bnc#1185862).
    - cve-2020-26147: the wep, wpa, wpa2, and wpa3 implementations reassemble fragments, even though some of them were sent in plaintext.
    This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the wep, ccmp, or gcmp data-confidentiality protocol is used (bnc#1185859).
    - cve-2020-24588: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesn't require that the a-msdu flag in the plaintext qos header field is authenticated.
    Against devices that support receiving non-ssp a-msdu frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets. (
    Bnc#1185861) - cve-2020-26145: an issue was discovered with samsung galaxy s3 i9305 4.4.4 devices.
    The wep, wpa, wpa2, and wpa3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames.
    An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (
    Bnc#1185860) - cve-2020-26141: an issue was discovered in the alfa driver for awus036h, where the message integrity check (authenticity) of fragmented tkip frames was not verified.
    An adversary can abuse this to inject and possibly decrypt packets in wpa or wpa2 networks that support the tkip data-confidentiality protocol. (
    Bnc#1185987)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1890-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1890-1
  • CVE-2020-24587+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:1891-1)

    Severity
    Critical4
    Qualys ID
    750117
    Date Published
    June 10, 2021
    Vendor Reference
    SUSE-SU-2021:1891-1
    CVE Reference
    CVE-2020-24587, CVE-2020-26141, CVE-2020-26145, CVE-2020-24586, CVE-2021-33200, CVE-2021-32399, CVE-2021-23134, CVE-2021-3491, CVE-2020-26139, CVE-2020-26147, CVE-2021-33034, CVE-2021-23133
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The suse linux enterprise 12 sp4 kernel was updated to receive various security and bugfixes.
    the following security bugs were fixed: - cve-2021-33200: enforcing incorrect limits for pointer arithmetic operations by the bpf verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
    - cve-2021-33034: fixed a use-after-free when destroying an hci_chan.
    This could lead to writing an arbitrary values. (
    Bsc#1186111) - cve-2020-26139: fixed a denial-of-service when an access point (ap) forwards eapol frames to other clients even though the sender has not yet successfully authenticated to the ap. (
    Bnc#1186062) - cve-2021-23134: a use after free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (
    Bnc#1186060) - cve-2021-23133: fixed a race condition in sctp sockets, which could lead to privilege escalation from the context of a network service or an unprivileged process. (
    Bnc#1184675) - cve-2021-3491: fixed a potential heap overflow in mem_rw().
    This vulnerability is related to the provide_buffers operation, which allowed the max_rw_count limit to be bypassed (bsc#1185642).
    - cve-2021-32399: fixed a race condition when removing the hci controller (bnc#1184611).
    - cve-2020-24586: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesn't require that received fragments be cleared from memory after (re)connecting to a network.
    Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
    - cve-2020-24587: the 802.11 standard that underpins wi-fi protected access (wpa, wpa2, and wpa3) and wired equivalent privacy (wep) doesn't require that all fragments of a frame are encrypted under the same key.
    an adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the wep, ccmp, or gcmp encryption key is periodically renewed (bnc#1185859 bnc#1185862).
    - cve-2020-26147: the wep, wpa, wpa2, and wpa3 implementations reassemble fragments, even though some of them were sent in plaintext.
    This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the wep, ccmp, or gcmp data-confidentiality protocol is used (bnc#1185859).
    - cve-2020-26145: an issue was discovered with samsung galaxy s3 i9305 4.4.4 devices.
    The wep, wpa, wpa2, and wpa3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames.
    An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (
    Bnc#1185860) - cve-2020-26141: an issue was discovered in the alfa driver for awus036h, where the message integrity check (authenticity) of fragmented tkip frames was not verified.
    An adversary can abuse this to inject and possibly decrypt packets in wpa or wpa2 networks that support the tkip data-confidentiality protocol. (
    Bnc#1185987)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1891-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1891-1
  • CVE-2021-20718
    Recently Published

    SUSE Enterprise Linux Security Update for apache2-mod_auth_openidc (SUSE-SU-2021:1900-1)

    Severity
    Critical4
    Qualys ID
    750132
    Date Published
    June 10, 2021
    Vendor Reference
    SUSE-SU-2021:1900-1
    CVE Reference
    CVE-2021-20718
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    This update for apache2-mod_auth_openidc fixes the following issues: - cve-2021-20718: fixed possible remote denial-of-service (dos) via unspecified vectors (bsc#1186291).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1900-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1900-1
  • CVE-2020-29130+
    Recently Published

    SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2021:1895-1)

    Severity
    Critical4
    Qualys ID
    750129
    Date Published
    June 10, 2021
    Vendor Reference
    SUSE-SU-2021:1895-1
    CVE Reference
    CVE-2020-29130, CVE-2021-20257, CVE-2021-3419, CVE-2020-10756, CVE-2020-25707, CVE-2019-15890, CVE-2020-29129, CVE-2020-14364, CVE-2020-25723, CVE-2020-8608, CVE-2020-13754
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    This update for qemu fixes the following issues: - fix oob access during mmio operations (cve-2020-13754, bsc#1172382) - fix out-of-bounds read information disclosure in icmp6_send_echoreply (cve-2020-10756, bsc#1172380) - for the record, these issues are fixed in this package already.
    Most are alternate references to previously mentioned issues: (cve-2019-15890, bsc#1149813, cve-2020-8608, bsc#1163019, cve-2020-14364, bsc#1175534, cve-2020-25707, bsc#1178683, cve-2020-25723, bsc#1178935, cve-2020-29130, bsc#1179477, cve-2020-29129, bsc#1179484, cve-2021-20257, bsc#1182846, cve-2021-3419, bsc#1182975)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1895-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1895-1
  • CVE-2020-29130+
    Recently Published

    SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2021:1894-1)

    Severity
    Critical4
    Qualys ID
    750124
    Date Published
    June 10, 2021
    Vendor Reference
    SUSE-SU-2021:1894-1
    CVE Reference
    CVE-2020-29130, CVE-2021-20257, CVE-2021-20221, CVE-2021-3419, CVE-2020-10756, CVE-2020-25707, CVE-2019-15890, CVE-2020-14364, CVE-2020-25723, CVE-2020-8608, CVE-2020-13754
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    This update for qemu fixes the following issues: - fix oob access during mmio operations (cve-2020-13754, bsc#1172382) - fix out-of-bounds read information disclosure in icmp6_send_echoreply (cve-2020-10756, bsc#1172380) - fix out-of-bound heap buffer access via an interrupt id field (cve-2021-20221, bsc#1181933) - for the record, these issues are fixed in this package already.
    Most are alternate references to previously mentioned issues: (cve-2019-15890, bsc#1149813, cve-2020-8608, bsc#1163019, cve-2020-14364, bsc#1175534, cve-2020-25707, bsc#1178683, cve-2020-25723, bsc#1178935, cve-2020-29130, bsc#1179477, cve-2021-20257, bsc#1182846, cve-2021-3419, bsc#1182975, bsc#1094725)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1894-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1894-1
  • CVE-2020-29130+
    In Development

    SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2021:1893-1)

    Severity
    Critical4
    Qualys ID
    750120
    Vendor Reference
    SUSE-SU-2021:1893-1
    CVE Reference
    CVE-2020-29130, CVE-2021-20257, CVE-2021-3419, CVE-2020-10756, CVE-2020-25707, CVE-2019-15890, CVE-2020-25085, CVE-2020-14364, CVE-2020-25723, CVE-2020-8608, CVE-2020-29129
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    This update for qemu fixes the following issues: - cve-2020-25085: fix out-of-bounds access issue while doing multi block sdma (bsc#1176681) - cve-2020-10756: fix out-of-bounds read information disclosure in icmp6_send_echoreply(bsc#1172380) - fix issue where s390 guest fails to find zipl boot menu index (bsc#1183979) - qemu bios fails to read stage2 loader on s390x (bsc#1186290) - host cpu microcode revision will be visible inside vms when the proper cpu-model is used (jsc#sle-17785): - for the record, these issues are fixed in this package already.
    Most are alternate references to previously mentioned issues: (cve-2019-15890, bsc#1149813, cve-2020-8608, bsc#1163019, cve-2020-14364, bsc#1175534, cve-2020-25707, bsc#1178683, cve-2020-25723, bsc#1178935, cve-2020-29130, bsc#1179477, cve-2020-29129, bsc#1179484, cve-2021-20257, bsc#1182846, cve-2021-3419, bsc#1182975)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1893-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1893-1
  • CVE-2021-20243+
    Recently Published

    Debian Security Update for imagemagick (DLA 2672-1)

    Severity
    Critical4
    Qualys ID
    178654
    Date Published
    June 14, 2021
    Vendor Reference
    DLA 2672-1
    CVE Reference
    CVE-2021-20243, CVE-2021-20312, CVE-2021-20245, CVE-2021-20313, CVE-2021-20309, CVE-2020-27751
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Debian has released security update for imagemagick to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Debian security advisory to CentOS advisory DLA 2672-1 for updates and patch information.
    Patches
    Debian DLA 2672-1
  • CVE-2021-31535
    In Development

    SUSE Enterprise Linux Security Update for libX11 (SUSE-SU-2021:1897-1)

    Severity
    Critical4
    Qualys ID
    750130
    Vendor Reference
    SUSE-SU-2021:1897-1
    CVE Reference
    CVE-2021-31535
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    This update for libx11 fixes the following issues: - regression in the fix for cve-2021-31535, causing segfaults for xforms applications like fdesign (bsc#1186643)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1897-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1897-1
  • CVE-2021-29964+
    In Development

    SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2021:1884-1)

    Severity
    Critical4
    Qualys ID
    750119
    Vendor Reference
    SUSE-SU-2021:1884-1
    CVE Reference
    CVE-2021-29964, CVE-2021-29951, CVE-2021-29967
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    This update for mozillafirefox fixes the following issues: firefox extended support release 78.11.0 esr (bsc#1186696) * cve-2021-29964: out of bounds-read when parsing a `wm_copydata` message * cve-2021-29967: memory safety bugs fixed in firefox

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1884-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1884-1
  • CVE-2018-25011+
    In Development

    Oracle Enterprise Linux Security Update for libwebp (ELSA-2021-2260)

    Severity
    Critical4
    Qualys ID
    159246
    Vendor Reference
    ELSA-2021-2260
    CVE Reference
    CVE-2018-25011, CVE-2020-36329, CVE-2020-36328
    CVSS Scores
    Base 0 / Temporal 0
    Description
    Oracle Enterprise Linux has released a security update for libwebp to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 7

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-2260.
    Patches
    Oracle Linux ELSA-2021-2260
  • CVE-2021-28624+
    Under Investigation

    Adobe Photoshop Heap-based Buffer Overflow Vulnerability (APSB21-38)

    Severity
    Urgent5
    Qualys ID
    375616
    Vendor Reference
    APSB21-38
    CVE Reference
    CVE-2021-28624, CVE-2021-28582
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Adobe Photoshop is an application that allows users to view and edit various graphic formats. This update resolves an arbitrary code execution vulnerability.

    Affected Versions:
    Adobe Photoshop 2020 version 21.2.8 and earlier
    Adobe Photoshop 2021 version 22.4.1 and earlier

    QID Detection Logic:
    Windows(Authenticated): This QID checks for vulnerable version of 'Photoshop.exe' file.

    Consequence
    Successful exploitation can result in arbitrary code execution on target system.

    Solution
    Adobe has released Photoshop version 212.9 and 22.4.2 in APSB21-38 to address this vulnerability.
    Patches
    APSB21-38
  • CVE-2019-17567+
    Recently Published

    Apache HTTP Server Multiple Vulnerabilities

    Severity
    Critical4
    Qualys ID
    730109
    Date Published
    June 14, 2021
    Vendor Reference
    Apache HTTP Server 2.4.48
    CVE Reference
    CVE-2019-17567, CVE-2020-13938, CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691, CVE-2021-30641
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Apache HTTP Server is an HTTP web server application.

    Affected Versions:
    Apache HTTP Server versions prior to 2.4.46.

    NOTE:
    CVE-2021-26691, CVE-2021-26690, CVE-2020-35452, CVE-2020-13938 affects to Apache HTTP Server versions 2.4.46, 2.4.43, 2.4.41, 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0.
    CVE-2019-17567 affects to Apache HTTP Server versions 2.4.46, 2.4.43, 2.4.41, 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6
    CVE-2021-30641 affects to Apache HTTP Server versions 2.4.46, 2.4.43, 2.4.41, 2.4.39
    CVE-2020-13950 affects to Apache HTTP Server versions 2.4.46, 2.4.43, 2.4.41
    QID Detection Logic:(Unauthenticated)
    This QID checks for server banner to detect if the target is running vulnerable version of apache httpd.

    Consequence
    Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code on the target.
    Solution
    Customers are advised to update Apache httpd 2.4.48.
    For more information, visit here.
    Patches
    Apache HTTP Server 2.4.47
  • CVE-2021-27258
    In Development

    SolarWinds Orion Platform Privilege Escalation Vulnerability

    Severity
    Critical4
    Qualys ID
    375613
    Vendor Reference
    SolarWinds Orion Platform Security Updates 2020.2.4
    CVE Reference
    CVE-2021-27258
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    SolarWinds Orion is an IT performance monitoring platform

    This vulnerability allows remote attackers to execute escalate privileges on affected installations of SolarWinds Orion Platform. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SaveUserSetting endpoint. The issue results from improper restriction of this endpoint to unprivileged users.

    Affected Versions:
    SolarWinds Orion products prior to Orion Platform 2020.2.4

    QID Detection Logic (Authenticated):
    The QID extracts Solarwinds Orion installation path from registry key "HKLM\SOFTWARE\SolarWinds\Orion\Core", value "InstallPath", then compare file version of "SolarWinds.Orion.Core.BusinessLayer.dll" with patched versions
    When registry keys are not accessible, we skip the path extracting, directly check file versions of "%ProgramFiles%\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll" and "%ProgramFiles(x86)%\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll".

    Consequence
    An attacker could exploit this vulnerability can lead to Improper Access Control Privilege Escalation. An attacker can leverage this vulnerability to escalate privileges their privileges from Guest to Administrator.
    Solution

    Customers are advised to refer to Orion Platform 2020.2.4 Release Notes

    Patches
    SolarWinds Orion Platform Security Updates 2020.2.4
  • CVE-2021-31980
    Under Investigation

    Microsoft Intune Management Extension Remote Code Execution Vulnerability - June 2021

    Severity
    Critical4
    Qualys ID
    91776
    Vendor Reference
    CVE-2021-31980
    CVE Reference
    CVE-2021-31980
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Microsoft Intune Management Extension is prone to Remote Code Execution Vulnerability.

    Consequence
    Successful exploitation allows remote code execution.

    Solution
    Users are advised to check CVE-2021-31980 for more information.

    Patches
    CVE-2021-31980
  • CVE-2017-18640
    In Development

    SUSE Enterprise Linux Security Update for snakeyaml (SUSE-SU-2021:1876-1)

    Severity
    Critical4
    Qualys ID
    750114
    Vendor Reference
    SUSE-SU-2021:1876-1
    CVE Reference
    CVE-2017-18640
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    This update for snakeyaml fixes the following issues: - upgrade to 1.28 - cve-2017-18640: the alias feature allows entity expansion during a load operation (bsc#1159488, bsc#1186088)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1876-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1876-1
  • CVE-2018-25012+
    In Development

    SUSE Enterprise Linux Security Update for libwebp (SUSE-SU-2021:1860-1)

    Severity
    Urgent5
    Qualys ID
    750108
    Vendor Reference
    SUSE-SU-2021:1860-1
    CVE Reference
    CVE-2018-25012, CVE-2020-36332, CVE-2020-36328, CVE-2020-36329, CVE-2018-25011, CVE-2020-36330, CVE-2018-25009, CVE-2018-25013, CVE-2020-36331, CVE-2018-25010
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    This update for libwebp fixes the following issues: - cve-2018-25010: fixed heap-based buffer overflow in applyfilter() (bsc#1185685).
    - cve-2020-36330: fixed heap-based buffer overflow in chunkverifyandassign() (bsc#1185691).
    - cve-2020-36332: fixed extreme memory allocation when reading a file (bsc#1185674).
    - cve-2020-36329: fixed use-after-free in emitfancyrgb() (bsc#1185652).
    - cve-2018-25012: fixed heap-based buffer overflow in getle24() (bsc#1185690).
    - cve-2020-36328: fixed heap-based buffer overflow in webpdecode*into functions (bsc#1185688).
    - cve-2018-25013: fixed heap-based buffer overflow in shiftbytes() (bsc#1185654).
    - cve-2020-36331: fixed heap-based buffer overflow in chunkassigndata() (bsc#1185686).
    - cve-2018-25009: fixed heap-based buffer overflow in getle16() (bsc#1185673).
    - cve-2018-25011: fixed fail on multiple image chunks (bsc#1186247).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1860-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1860-1
  • Recently Published

    Zebra Printer Accessible Using Default Credentials

    Severity
    Urgent5
    Qualys ID
    730107
    Date Published
    June 14, 2021
    Vendor Reference
    Zebra
    CVSS Scores
    Base 9.8 / Temporal 9
    Description
    To directly access the Zebra Print Server you will be prompted for a username and password. The default user name and password is admin and 1234.

    QID Detection Logic:
    QID checks if the login page can be accessible using default credentials (username: admin, password: 1234).

    Consequence

    A remote attacker could exploit this to perform sensitive actions and take control over the device.

    Solution

    Customers are advised not to use default credentials for Zebra Printer.

  • CVE-2020-15586+
    Recently Published

    Red Hat Update for OpenShift Container Platform 4.7.13 packages and (RHSA-2021:2122)

    Severity
    Critical4
    Qualys ID
    239381
    Date Published
    June 14, 2021
    Vendor Reference
    RHSA-2021:2122
    CVE Reference
    CVE-2020-15586, CVE-2020-16845, CVE-2021-21642, CVE-2021-21643, CVE-2021-21644, CVE-2021-21645
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.13. See the following advisory for the container images for this release:https://access.redhat.com/errata/RHSA-2021:2121

    Security Fix(es): jenkins-2-plugins/config-file-provider: Does not configure its XML parser to prevent XML external entity (XXE)
    attacks. (CVE-2021-21642) golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586) golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845) jenkins-2-plugins/config-file-provider: Does not correctly perform permission checks in several HTTP endpoints. (CVE-2021-21643) jenkins-2-plugins/config-file-provider: does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF)
    vulnerability. (CVE-2021-21644) jenkins-2-plugins/config-file-provider: Does not perform permission checks in several HTTP endpoints. (CVE-2021-21645)

    Affected Products:

    Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
    Red Hat OpenShift Container Platform 4.7 for RHEL 7 x86_64
    Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8 ppc64le
    Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.7 for RHEL 8 s390x

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2122 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2122
  • CVE-2021-31916+
    Recently Published

    Ubuntu Security Notification for Linux kernel vulnerabilities (USN-4982-1)

    Severity
    Critical4
    Qualys ID
    198401
    Date Published
    June 14, 2021
    Vendor Reference
    USN-4982-1
    CVE Reference
    CVE-2021-31916, CVE-2021-28950, CVE-2021-29264, CVE-2021-28971, CVE-2021-28964, CVE-2021-28972, CVE-2021-3483, CVE-2020-25672, CVE-2021-29647, CVE-2020-25671, CVE-2020-25670, CVE-2021-28688, CVE-2020-25673
    CVSS Scores
    Base 6.7 / Temporal 5.8
    Description
    The nfc llcp protocol implementation in the linux kernel contained a reference counting error.
    The nfc llcp protocol implementation in the linux kernel did not properly deallocate memory in certain error situations.
    The nfc llcp protocol implementation in the linux kernel did not properly handle error conditions in some situations, leading to an infinite loop.
    The xen paravirtualization backend in the linux kernel did not properly deallocate memory in some situations.
    The fuse user space file system implementation in the linux kernel did not properly handle bad inodes in some situations.
    The btrfs file system implementation in the linux kernel contained a race condition during certain cloning operations.
    The perf subsystem in the linux kernel did not properly handle certain pebs records properly for some intel haswell processors.
    The rpa pci hotplug driver implementation in the linux kernel did not properly handle device name writes via sysfs, leading to a buffer overflow.
    The freescale gianfar ethernet driver for the linux kernel did not properly handle receive queue overrun when jumbo frames were enabled in some situations.
    The qualcomm ipc router implementation in the linux kernel did not properly initialize memory passed to user space.
    The block device manager (dm) implementation in the linux kernel contained a buffer overflow in the ioctl for listing devices.
    The ieee 1394 (firewire) nosy packet sniffer driver in the linux kernel did not properly perform reference counting in some situations, leading to a use-after-free vulnerability.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    a local attacker could use this to cause a denial of service (system crash) (cve-2020-25670).
    A local attacker could use this to cause a denial of service (memory exhaustion) (cve-2020-25671, cve-2020-25672).
    A local attacker could use this to cause a denial of service. (
    cve-2020-25673).
    A local attacker could use this to cause a denial of service (memory exhaustion).
    (cve-2021-28688).
    A local attacker could possibly use this to cause a denial of service.
    (cve-2021-28950).
    a local attacker could possibly use this to cause a denial of service (system crash) (cve-2021-28964).
    A local attacker could use this to cause a denial of service (system crash) (cve-2021-28971).
    A privileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
    (cve-2021-28972).
    An attacker could use this to cause a denial of service (system crash) (cve-2021-29264).
    A local attacker could use this to expose sensitive information (kernel memory).
    (cve-2021-29647).
    A privileged local attacker could use this to cause a denial of service (system crash) (cve-2021-31916).
    A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (
    cve-2021-3483).
    Solution
    Refer to Ubuntu advisory: USN-4982-1 for affected packages and patching details, or update with your package manager.
    Patches
    Ubuntu Linux USN-4982-1
  • CVE-2020-12464+
    Recently Published

    Amazon Linux Security Advisory for kernel: ALAC2012-2020-020

    Severity
    Critical4
    Qualys ID
    352300
    Date Published
    June 14, 2021
    CVE Reference
    CVE-2020-12464, CVE-2020-13974, CVE-2020-12770, CVE-2020-0543, CVE-2020-10751, CVE-2020-13143, CVE-2019-19786, CVE-2020-12826, CVE-2020-12771, CVE-2019-19462, CVE-2019-19319, CVE-2020-10690, CVE-2020-12769, CVE-2020-11565, CVE-2020-10732, CVE-2020-10757, CVE-2020-10711, CVE-2020-1749
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Package updates are available for amazon linux that fix the following vulnerabilities: cve-2020-1749: cve-2020-13974: cve-2020-13143: cve-2020-12826: cve-2020-12771: cve-2020-12770: cve-2020-12769: cve-2020-12464: cve-2020-11565: cve-2020-10757: cve-2020-10751: cve-2020-10732: cve-2020-10711: cve-2020-10690: cve-2020-0543: cve-2019-19786: cve-2019-19462: cve-2019-19319:

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Administrators are advised to apply the appropriate software updates.
    Patches
    Amazon Linux Bare Metal ALAC2012-2020-020
  • CVE-2021-20201+
    Recently Published

    SUSE Enterprise Linux Security Update for spice (SUSE-SU-2021:1901-1)

    Severity
    Critical4
    Qualys ID
    750133
    Date Published
    June 10, 2021
    Vendor Reference
    SUSE-SU-2021:1901-1
    CVE Reference
    CVE-2021-20201, CVE-2020-14355
    CVSS Scores
    Base 6.6 / Temporal 5.8
    Description
    This update for spice fixes the following issues: - cve-2021-20201: client initiated renegotiation causing denial of service (bsc#1181686) - cve-2020-14355: fixed multiple buffer overflow vulnerabilities in quic decoding code (bsc#1177158)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1901-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1901-1
  • CVE-2021-20201
    Recently Published

    SUSE Enterprise Linux Security Update for spice (SUSE-SU-2021:1906-1)

    Severity
    Critical4
    Qualys ID
    750134
    Date Published
    June 10, 2021
    Vendor Reference
    SUSE-SU-2021:1906-1
    CVE Reference
    CVE-2021-20201
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description
    This update for spice fixes the following issues: - cve-2021-20201: client initiated renegotiation causing denial of service (bsc#1181686)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1906-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1906-1
  • CVE-2021-29964+
    Recently Published

    SUSE Enterprise Linux Security Update for MozillaFirefox (SUSE-SU-2021:1886-1)

    Severity
    Critical4
    Qualys ID
    750123
    Date Published
    June 10, 2021
    Vendor Reference
    SUSE-SU-2021:1886-1
    CVE Reference
    CVE-2021-29964, CVE-2021-29951, CVE-2021-29967
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    This update for mozillafirefox fixes the following issues: firefox extended support release 78.11.0 esr (bsc#1186696) * cve-2021-29964: out of bounds-read when parsing a `wm_copydata` message * cve-2021-29967: memory safety bugs fixed in firefox

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1886-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1886-1
  • CVE-2021-31535
    Recently Published

    SUSE Enterprise Linux Security Update for libX11 (SUSE-SU-2021:1892-1)

    Severity
    Critical4
    Qualys ID
    750122
    Date Published
    June 10, 2021
    Vendor Reference
    SUSE-SU-2021:1892-1
    CVE Reference
    CVE-2021-31535
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    This update for libx11 fixes the following issues: - regression in the fix for cve-2021-31535, causing segfaults for xforms applications like fdesign (bsc#1186643)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1892-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1892-1
  • Recently Published

    SUSE Enterprise Linux Security Update for shim (SUSE-SU-2021:1880-1)

    Severity
    Critical4
    Qualys ID
    750116
    Date Published
    June 10, 2021
    Vendor Reference
    SUSE-SU-2021:1880-1
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    This update for shim fixes the following issues: - update to the unified shim binary for sbat support (bsc#1182057) - shim-install: always assume "removable" for azure to avoid the endless reset loop (bsc#1185464).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1880-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1880-1
  • Recently Published

    EOL/Obsolete Software: Open Secure Sockets Layer (OpenSSL) 0.9.8 through 1.1.0 Detected

    Severity
    Urgent5
    Qualys ID
    105980
    Date Published
    June 10, 2021
    Vendor Reference
    OpenSSL End of Life Policy
    CVSS Scores
    Base 9.8 / Temporal 9
    Description
    OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols OpenSSL Versions 1.1.0, 1.0.1, 1.0.0 and 0.9.8 are no longer supported. No further releases or security fixes will be available Users of these older versions are encouraged to upgrade to 1.1.1 as soon as possible. Affected Versions and EOL:
    OpenSSL Version 0.9.8 : 31st December 2015
    OpenSSL Version 1.0.0 : 31st December 2015
    OpenSSL Version 1.0.1 : 31st December 2016

    Consequence
    The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks.

    Solution
    Customers are advised to upgrade to the latest supported version of OpenSSL. Refer to OpenSSL Downloads for more details.
  • CVE-2021-1675+
    Recently Published

    Microsoft Windows Security Update for June 2021

    Severity
    Urgent5
    Qualys ID
    91772
    Date Published
    June 9, 2021
    Vendor Reference
    KB5003635, KB5003637, KB5003638, KB5003646, KB5003661, KB5003667, KB5003671, KB5003681, KB5003687, KB5003694, KB5003695, KB5003696, KB5003697
    CVE Reference
    CVE-2021-1675, CVE-2021-26414, CVE-2021-31199, CVE-2021-31201, CVE-2021-31951, CVE-2021-31952, CVE-2021-31953, CVE-2021-31954, CVE-2021-31955, CVE-2021-31956, CVE-2021-31958, CVE-2021-31959, CVE-2021-31960, CVE-2021-31962, CVE-2021-31968, CVE-2021-31969, CVE-2021-31970, CVE-2021-31971, CVE-2021-31972, CVE-2021-31973, CVE-2021-31974, CVE-2021-31975, CVE-2021-31976, CVE-2021-31977, CVE-2021-33742
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Microsoft releases the security update for Windows June 2021

    The KB Articles associated with the update:
    KB5003635
    KB5003637
    KB5003638
    KB5003646
    KB5003661
    KB5003667
    KB5003671
    KB5003681
    KB5003687
    KB5003694
    KB5003695
    KB5003696
    KB5003697

    This QID checks for the file version of ntoskrnl.exe

    The following versions of ntoskrnl.exe with their corresponding KBs are verified:
    KB5003635 -
    KB5003637 -
    KB5003638 -
    KB5003646 -
    KB5003661 -
    KB5003667 -
    KB5003671 -
    KB5003681 -
    KB5003687 -
    KB5003694 -
    KB5003695 -
    KB5003696 -
    KB5003697 -

    Consequence
    A remote attacker could exploit this vulnerability and execute code on the target system.
    Solution
    Please refer to the Security Update Guide, KB5003635
    KB5003637
    KB5003638
    KB5003646
    KB5003661
    KB5003667
    KB5003671
    KB5003681
    KB5003687
    KB5003694
    KB5003695
    KB5003696
    KB5003697
    for more information pertaining to these vulnerabilities.

    Patches
    Windows Microsoft Security Update Guide
  • CVE-2021-31978+
    Recently Published

    Microsoft Defender Multiple Vulnerabilities - June 2021

    Severity
    Urgent5
    Qualys ID
    91771
    Date Published
    June 9, 2021
    Vendor Reference
    CVE-2021-31978, CVE-2021-31985
    CVE Reference
    CVE-2021-31978, CVE-2021-31985
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Microsoft Defender is prone to Remote Code Exection and Denial of Serveice Vulnerabilities.

    Affected Software:
    Windows Defender

    QID Detection Logic (Authenticated):
    Detection checks for mpengine.dll file version less than 1.1.18200.3

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Users are advised to check CVE-2021-31978 and CVE-2021-31985 for more information.

    Patches
    CVE-2021-31978, CVE-2021-31985
  • CVE-2021-3185
    Recently Published

    SUSE Enterprise Linux Security Update for gstreamer-plugins-bad (SUSE-SU-2021:1875-1)

    Severity
    Critical4
    Qualys ID
    750113
    Date Published
    June 9, 2021
    Vendor Reference
    SUSE-SU-2021:1875-1
    CVE Reference
    CVE-2021-3185
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    This update for gstreamer-plugins-bad fixes the following issues: - cve-2021-3185: fixed buffer overflow in gst_h264_slice_parse_dec_ref_pic_marking (bsc#1181255).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1875-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1875-1
  • CVE-2021-28551+
    Recently Published

    Adobe Security Update for Adobe Acrobat and Reader( APSB21-37)

    Severity
    Critical4
    Qualys ID
    375611
    Date Published
    June 9, 2021
    Vendor Reference
    APSB21-37
    CVE Reference
    CVE-2021-28551, CVE-2021-28554, CVE-2021-28552, CVE-2021-28631, CVE-2021-28632
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Adobe Acrobat is a family of application software and Web services developed by Adobe Inc. to view, create, manipulate, print, and manage files in Portable Document Format. The family comprises Acrobat Reader, Acrobat, and Acrobat.com.

    Adobe has released security updates to address the fix for Out-of-Bounds Read,Out-of-Bounds Write,Type Confusion,User After Free and Heap Overflow Vulnerabilities.

    Affected Versions:
    Acrobat DC Continuous 2021.001.20155 and earlier versions(windows and macOS)
    Acrobat Reader DC Continuous 2021.001.20155 and earlier versions (Windows and macOS )
    Acrobat 2020 Classic 2020, 2020.001.30025 and earlier versions (Windows and macOS)
    Acrobat Reader 2020 Classic 2020, 2020.001.30025 and earlier versions (Windows and macOS)
    Acrobat 2017 Classic 2017, 2017.011.30196 and earlier version (Windows and macOS)
    Acrobat Reader 2017 Classic 2017, 2017.011.30196 and earlier version (Windows and macOS)
    QID Detection Logic (Authenticated):
    Operating System: Windows
    This QID looks for the vulnerable version of Acrobat.dll, AcroRd32.dll and nppdf32.dll files.

    QID Detection Logic (Authenticated):
    Operating System: MacOS
    This QID looks for the vulnerable version of Adobe Reader and Acrobat from the installed application list.

    Consequence
    An attacker could exploit this vulnerability to compromise Confidentiality, Integrity and or Availability.

    Solution
    Adobe has released fix to address this issue. Customers are advised to refer to APSB21-37 for updates pertaining to this vulnerability.

    Patches
    APSB21-37
  • CVE-2021-33739
    Recently Published

    Microsoft Windows DWM Core Library Elevation of Privilege Vulnerability - June 2021

    Severity
    Critical4
    Qualys ID
    91777
    Date Published
    June 9, 2021
    Vendor Reference
    KB5003635, KB5003637
    CVE Reference
    CVE-2021-33739
    CVSS Scores
    Base 8.4 / Temporal 7.3
    Description
    Microsoft DWM Core Library is prone to Elevation of Privilege Vulnerability.

    QID Detection Logic (Authenticated):
    The detection gets the version of dwmcore.dll.

    The KB Articles associated with the update:
    KB5003635
    KB5003637

    Consequence
    A remote attacker could exploit this vulnerability and escalate privileges on the target system.
    Solution
    Please refer to the CVE-2021-33739 for more information pertaining to these vulnerabilities.

    Patches
    Windows CVE-2021-33739
  • CVE-2021-33741
    Recently Published

    Microsoft Edge Based On Chromium Prior to 91.0.864.41 Elevation of Privilege Vulnerability

    Severity
    Critical4
    Qualys ID
    375618
    Date Published
    June 9, 2021
    Vendor Reference
    CVE-2021-33741
    CVE Reference
    CVE-2021-33741
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description
    Microsoft Edge is a cross-platform web browser developed by Microsoft.

    Affected Versions:
    Microsoft Edge Based On Chromium versions before 91.0.864.41

    QID Detection Logic: (authenticated)
    Operating System: Windows
    The install path is checked via registry "HKLM\SOFTWARE\Clients\StartMenuInternet\Microsoft Edge\shell\open\command". The version is checked via file msedge.exe.

    Operating System: MacOS
    The QID checks for the version of Microsoft Edge Based On Chromium app.

    Consequence
    Successful exploitation of this vulnerability will allow Elevation of Privilege.

    Solution
    Customers are advised to upgrade to version 91.0.864.41 or later
    Patches
    CVE-2021-33741
  • CVE-2021-31983+
    Recently Published

    Microsoft Paint 3D Remote Code Execution Vulnerability - June 2021

    Severity
    Critical4
    Qualys ID
    91774
    Date Published
    June 9, 2021
    Vendor Reference
    CVE-2021-31945, CVE-2021-31946, CVE-2021-31983
    CVE Reference
    CVE-2021-31983, CVE-2021-31946, CVE-2021-31945
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Microsoft Paint 3D is prone to Remote Code Execution Vulnerability.

    QID Detection Logic (Authenticated):
    The detection gets the version of Microsoft.MSPaint by querying wmi class Win32_InstalledStoreProgram.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Users are advised to check CVE-2021-31983, CVE-2021-31946 and CVE-2021-31945 for more information.

    Patches
    CVE-2021-31945, CVE-2021-31946, CVE-2021-31983
  • CVE-2021-31944+
    Recently Published

    Microsoft 3D Viewer Multiple Vulnerabilities - June 2021

    Severity
    Critical4
    Qualys ID
    91773
    Date Published
    June 9, 2021
    Vendor Reference
    CVE-2021-31942, CVE-2021-31943, CVE-2021-31944
    CVE Reference
    CVE-2021-31944, CVE-2021-31943, CVE-2021-31942
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Microsoft 3D Viewer is prone to Remote Code Execution and Information Disclosure Vulnerability.

    QID Detection Logic (Authenticated):
    The detection gets the version of Microsoft.Microsoft3DViewer by querying wmi class Win32_InstalledStoreProgram.

    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Users are advised to check CVE-2021-31944, CVE-2021-31943 and CVE-2021-31942 for more information.

    Patches
    CVE-2021-31942, CVE-2021-31943, CVE-2021-31944
  • CVE-2021-31939+
    Recently Published

    Microsoft Office and Microsoft Office Services and Web Apps Security Update June 2021

    Severity
    Critical4
    Qualys ID
    110384
    Date Published
    June 9, 2021
    Vendor Reference
    KB5001943, KB5001947, KB5001950, KB5001951, KB5001953, KB5001955, KB5001956, KB5001963
    CVE Reference
    CVE-2021-31939, CVE-2021-31941, CVE-2021-31940, CVE-2021-31949
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Microsoft has released June 2021 security updates to fix multiple security vulnerabilities.

    This security update contains the following KBs:

    KB5001943
    KB5001956
    KB5001950
    KB5001951
    KB5001953
    KB5001955
    KB5001947
    KB5001963

    QID Detection Logic:
    This authenticated QID checks the file versions from the Microsoft advisory with the versions on the affected office system.

    Note: Office click-2-run and Office 365 installations need to be updated manually or need to be set to automatic update. There is no direct download for the patch.

    Consequence
    Successful exploitation allows an attacker to execute code remotely.

    Solution
    Refer to Microsoft Security Guidance, KB5001943, KB5001947, KB5001950, KB5001951, KB5001953, KB5001955, KB5001956, KB5001963 for more details pertaining to this vulnerability.

    Patches
    Microsoft Office and Microsoft Office Services and Web Apps Security Update June 2021
  • CVE-2021-31949+
    Recently Published

    Microsoft Outlook Remote Code Execution Vulnerability Security Update June 2021

    Severity
    Critical4
    Qualys ID
    110385
    Date Published
    June 9, 2021
    Vendor Reference
    KB5001934, KB5001942
    CVE Reference
    CVE-2021-31949, CVE-2021-31941
    CVSS Scores
    Base 7.1 / Temporal 6.2
    Description
    Microsoft has released June 2021 security updates for outlook to fix a Remote Code Execution vulnerability.

    This security update contains the following KBs:
    KB5001942
    KB5001934
    QID Detection Logic:
    This authenticated QID checks the file versions from the Microsoft advisory with the versions on affected outlook applications.

    Note: Office click-2-run and Office 365 installations need to be updated manually or need to be set to automatic update. There is no direct download for the patch.

    Consequence
    Successful exploitation will lead to Remote Code Execution.

    Solution
    Refer to Microsoft Security Guide, KB5001942, KB5001934 for more details pertaining to this vulnerability.

    Patches
    Microsoft Office and Microsoft Office Services and Web Apps Security Update June 2021
  • CVE-2021-31966+
    Recently Published

    Microsoft SharePoint Enterprise Server Multiple Vulnerabilities June 2021

    Severity
    Critical4
    Qualys ID
    110383
    Date Published
    June 9, 2021
    Vendor Reference
    KB4011698, KB5001922, KB5001939, KB5001944, KB5001945, KB5001946, KB5001954, KB5001962
    CVE Reference
    CVE-2021-31966, CVE-2021-31965, CVE-2021-31964, CVE-2021-31963, CVE-2021-31950, CVE-2021-31948, CVE-2021-26420
    CVSS Scores
    Base 7.1 / Temporal 6.4
    Description
    Microsoft has released June security updates to fix multiple security vulnerabilities.

    This security update contains the following KBs:

    KB5001944
    KB5001945
    KB5001962
    KB5001939
    KB5001946
    KB5001922
    KB5001954
    KB4011698

    QID Detection Logic:
    This authenticated QID checks the file versions from the above Microsoft KB article with the versions on the affected SharePoint system.

    Consequence
    Successful exploitation allows an attacker to execute code remotely.

    Solution
    Refer to Microsoft Security Guidance KB4011698 KB5001922 KB5001939 KB5001944 KB5001945 KB5001946 KB5001954 KB5001962 for more details pertaining to this vulnerability.

    Patches
    Microsoft Office and Microsoft Office Services and Web Apps Security Update June 2021
  • CVE-2021-3406
    Recently Published

    Fedora Security Update for keylime (FEDORA-2021-b7854ccfe4)

    Severity
    Urgent5
    Qualys ID
    281595
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-b7854ccfe4
    CVE Reference
    CVE-2021-3406
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for keylime to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-b7854ccfe4
  • CVE-2021-22883+
    Recently Published

    Fedora Security Update for nodejs (FEDORA-2021-6aaba80ba2)

    Severity
    Urgent5
    Qualys ID
    281554
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-6aaba80ba2
    CVE Reference
    CVE-2021-22883, CVE-2021-22884
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for nodejs to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-6aaba80ba2
  • CVE-2021-22883+
    Recently Published

    Fedora Security Update for nodejs (FEDORA-2021-f6bd75e9d4)

    Severity
    Urgent5
    Qualys ID
    281553
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-f6bd75e9d4
    CVE Reference
    CVE-2021-22883, CVE-2021-22884
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for nodejs to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-f6bd75e9d4
  • CVE-2021-22883+
    Recently Published

    Fedora Security Update for nodejs (FEDORA-2021-a760169c3c)

    Severity
    Urgent5
    Qualys ID
    281552
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-a760169c3c
    CVE Reference
    CVE-2021-22883, CVE-2021-22884
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for nodejs to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-a760169c3c
  • CVE-2021-29967
    Recently Published

    Red Hat Update for firefox (RHSA-2021:2206)

    Severity
    Urgent5
    Qualys ID
    239372
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2206
    CVE Reference
    CVE-2021-29967
    CVSS Scores
    Base / Temporal
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 78.11.0 ESR.

    Security Fix(es): Mozilla: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 (CVE-2021-29967)

    Affected Products:

    Red Hat Enterprise Linux Server 7 x86_64
    Red Hat Enterprise Linux Workstation 7 x86_64
    Red Hat Enterprise Linux Desktop 7 x86_64
    Red Hat Enterprise Linux for IBM z Systems 7 s390x
    Red Hat Enterprise Linux for Power, big endian 7 ppc64
    Red Hat Enterprise Linux for Power, little endian 7 ppc64le

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2206 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2206
  • CVE-2021-29967
    Recently Published

    Red Hat Update for firefox (RHSA-2021:2208)

    Severity
    Urgent5
    Qualys ID
    239371
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2208
    CVE Reference
    CVE-2021-29967
    CVSS Scores
    Base / Temporal
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 78.11.0 ESR.

    Security Fix(es): Mozilla: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 (CVE-2021-29967)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2208 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2208
  • CVE-2021-29967
    Recently Published

    Red Hat Update for firefox (RHSA-2021:2214)

    Severity
    Urgent5
    Qualys ID
    239370
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2214
    CVE Reference
    CVE-2021-29967
    CVSS Scores
    Base / Temporal
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 78.11.0 ESR.

    Security Fix(es): Mozilla: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 (CVE-2021-29967)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2214 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2214
  • CVE-2021-29967
    Recently Published

    Red Hat Update for firefox (RHSA-2021:2233)

    Severity
    Urgent5
    Qualys ID
    239367
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2233
    CVE Reference
    CVE-2021-29967
    CVSS Scores
    Base / Temporal
    Description
    Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 78.11.0 ESR.

    Security Fix(es): Mozilla: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 (CVE-2021-29967)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2233 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2233
  • CVE-2021-26937
    Recently Published

    Fedora Security Update for screen (FEDORA-2021-9107eeb95c)

    Severity
    Critical4
    Qualys ID
    281599
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-9107eeb95c
    CVE Reference
    CVE-2021-26937
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for screen to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-9107eeb95c
  • CVE-2021-26937
    Recently Published

    Fedora Security Update for screen (FEDORA-2021-5e9894a0c5)

    Severity
    Critical4
    Qualys ID
    281598
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-5e9894a0c5
    CVE Reference
    CVE-2021-26937
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for screen to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-5e9894a0c5
  • CVE-2021-25284+
    Recently Published

    Fedora Security Update for salt (FEDORA-2021-43eb5584ad)

    Severity
    Critical4
    Qualys ID
    281582
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-43eb5584ad
    CVE Reference
    CVE-2021-25284, CVE-2021-25282, CVE-2021-3197, CVE-2021-3148, CVE-2020-28243, CVE-2020-28972, CVE-2020-35662, CVE-2021-25283, CVE-2021-25281, CVE-2021-3144
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for salt to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-43eb5584ad
  • CVE-2021-25284+
    Recently Published

    Fedora Security Update for salt (FEDORA-2021-5756fbf8a6)

    Severity
    Critical4
    Qualys ID
    281581
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-5756fbf8a6
    CVE Reference
    CVE-2021-25284, CVE-2021-25282, CVE-2021-3148, CVE-2020-28243, CVE-2020-28972, CVE-2020-35662, CVE-2021-25283, CVE-2021-25281, CVE-2021-3144, CVE-2021-3197
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for salt to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-5756fbf8a6
  • CVE-2021-25284+
    Recently Published

    Fedora Security Update for salt (FEDORA-2021-904a2dbc0c)

    Severity
    Critical4
    Qualys ID
    281580
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-904a2dbc0c
    CVE Reference
    CVE-2021-25284, CVE-2021-25282, CVE-2021-3197, CVE-2021-3148, CVE-2020-28243, CVE-2020-28972, CVE-2020-35662, CVE-2021-25283, CVE-2021-25281, CVE-2021-3144
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for salt to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-904a2dbc0c
  • CVE-2015-8011
    Recently Published

    Red Hat Update for Red Hat OpenStack Platform 10.0 (openvswitch) (RHSA-2021:2205)

    Severity
    Critical4
    Qualys ID
    239373
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2205
    CVE Reference
    CVE-2015-8011
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Open vSwitch provides standard network bridging functions and support forthe OpenFlow protocol for remote per-flow control of traffic.

    Security Fix(es): buffer overflow in the lldp_decode function in daemon/protocols/lldp.c (CVE-2015-8011)

    Affected Products:

    Red Hat OpenStack 10 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2205 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2205
  • CVE-2021-21381
    Recently Published

    Fedora Security Update for flatpak (FEDORA-2021-fe7decc595)

    Severity
    Critical4
    Qualys ID
    281512
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-fe7decc595
    CVE Reference
    CVE-2021-21381
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description
    Fedora has released a security update for flatpak to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could also use this vulnerability to change partial contents or configuration on the system and information disclosure.Denial of service can appear in some cases too.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-fe7decc595
  • CVE-2021-21381
    Recently Published

    Fedora Security Update for flatpak (FEDORA-2021-26ad138ffa)

    Severity
    Critical4
    Qualys ID
    281511
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-26ad138ffa
    CVE Reference
    CVE-2021-21381
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description
    Fedora has released a security update for flatpak to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could also use this vulnerability to change partial contents or configuration on the system and information disclosure.Denial of service can appear in some cases too.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-26ad138ffa
  • CVE-2020-8625
    Recently Published

    Fedora Security Update for bind (FEDORA-2021-28f97e232d)

    Severity
    Critical4
    Qualys ID
    281608
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-28f97e232d
    CVE Reference
    CVE-2020-8625
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Fedora has released a security update for bind to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-28f97e232d
  • CVE-2020-8625
    Recently Published

    Fedora Security Update for bind (FEDORA-2021-0595625865)

    Severity
    Critical4
    Qualys ID
    281607
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-0595625865
    CVE Reference
    CVE-2020-8625
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Fedora has released a security update for bind to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-0595625865
  • CVE-2020-8625
    Recently Published

    Fedora Security Update for bind (FEDORA-2021-8b4744f152)

    Severity
    Critical4
    Qualys ID
    281600
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-8b4744f152
    CVE Reference
    CVE-2020-8625
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Fedora has released a security update for bind to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-8b4744f152
  • CVE-2021-20179
    In Development

    Fedora Security Update for dogtag (FEDORA-2021-c0d6637ca5)

    Severity
    Critical4
    Qualys ID
    281505
    Vendor Reference
    FEDORA-2021-c0d6637ca5
    CVE Reference
    CVE-2021-20179
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Fedora has released a security update for dogtag to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could also use this vulnerability to change partial contents or configuration on the system and information disclosure.Denial of service can appear in some cases too.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-c0d6637ca5
  • CVE-2020-0466+
    Recently Published

    Red Hat Update for kpatch-patch (RHSA-2021:2167)

    Severity
    Critical4
    Qualys ID
    239380
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2167
    CVE Reference
    CVE-2020-0466, CVE-2020-28374
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

    Security Fix(es): kernel: use after free in eventpoll.c may lead to escalation of privilege (CVE-2020-0466) kernel: SCSI target (LIO)
    write to any block on ILO backstore (CVE-2020-28374)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2167 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2167
  • CVE-2020-0466+
    Recently Published

    Red Hat Update for kernel (RHSA-2021:2185)

    Severity
    Critical4
    Qualys ID
    239374
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2185
    CVE Reference
    CVE-2020-0466, CVE-2020-12114, CVE-2020-12362, CVE-2020-28374
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    The kernel packages contain the Linux kernel, the core of any Linux operating system.

    Security Fix(es): kernel: use after free in eventpoll.c may lead to escalation of privilege (CVE-2020-0466) kernel: Integer overflow in Intel(R)
    Graphics Drivers (CVE-2020-12362) kernel: SCSI target (LIO)
    write to any block on ILO backstore (CVE-2020-28374) kernel: DoS by corrupting mountpoint reference counter (CVE-2020-12114)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64
    Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.2 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2185 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2185
  • CVE-2020-36322+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (SUSE-SU-2021:1870-1)

    Severity
    Critical4
    Qualys ID
    750112
    Date Published
    June 9, 2021
    Vendor Reference
    SUSE-SU-2021:1870-1
    CVE Reference
    CVE-2020-36322, CVE-2021-29154, CVE-2021-28950
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This update for the linux kernel 4.4.180-94_138 fixes several issues.
    the following security issues were fixed: - cve-2020-36322: fixed an issue inside the fuse filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash.
    Note: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as cve-2021-28950 (bsc#1184952).
    - cve-2021-29154: fixed bpf jit compilers that allowed to execute arbitrary code within the kernel context (bsc#1184710)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1870-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1870-1
  • CVE-2020-36322+
    Recently Published

    SUSE Enterprise Linux Security Update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (SUSE-SU-2021:1865-1)

    Severity
    Critical4
    Qualys ID
    750111
    Date Published
    June 9, 2021
    Vendor Reference
    SUSE-SU-2021:1865-1
    CVE Reference
    CVE-2020-36322, CVE-2021-29154, CVE-2021-28950
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This update for the linux kernel 4.4.180-94_130 fixes several issues.
    the following security issues were fixed: - fix a kernel warning during sysfs read (bsc#1186235) - cve-2020-36322: an issue was discovered in the fuse filesystem implementation in the linux kernel aka cid-5d069dbe8aaf.
    fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash.
    Note: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as cve-2021-28950 (bsc#1184952).
    - cve-2021-29154: bpf jit compilers in the linux kernel have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context.
    This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c (bsc#1184710)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1865-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1865-1
  • CVE-2020-28599
    Recently Published

    Fedora Security Update for openscad (FEDORA-2021-793da7882b)

    Severity
    Critical4
    Qualys ID
    281591
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-793da7882b
    CVE Reference
    CVE-2020-28599
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for openscad to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-793da7882b
  • CVE-2020-28599
    Recently Published

    Fedora Security Update for openscad (FEDORA-2021-8349f28cb9)

    Severity
    Critical4
    Qualys ID
    281590
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-8349f28cb9
    CVE Reference
    CVE-2020-28599
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for openscad to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-8349f28cb9
  • CVE-2021-33200
    In Development

    Fedora Security Update for kernel (FEDORA-2021-0b35886add)

    Severity
    Critical4
    Qualys ID
    281488
    Vendor Reference
    FEDORA-2021-0b35886add
    CVE Reference
    CVE-2021-33200
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for kernel to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-0b35886add
  • CVE-2021-33200
    In Development

    Fedora Security Update for kernel (FEDORA-2021-646098b5b8)

    Severity
    Critical4
    Qualys ID
    281487
    Vendor Reference
    FEDORA-2021-646098b5b8
    CVE Reference
    CVE-2021-33200
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for kernel to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-646098b5b8
  • CVE-2021-28038+
    In Development

    Ubuntu Security Notification for Linux kernel vulnerabilities (USN-4984-1)

    Severity
    Critical4
    Qualys ID
    198403
    Vendor Reference
    USN-4984-1
    CVE Reference
    CVE-2021-28038, CVE-2021-29647, CVE-2021-28950, CVE-2021-28952, CVE-2021-28964, CVE-2021-28972, CVE-2021-3483, CVE-2021-33033, CVE-2021-28688, CVE-2021-28971, CVE-2021-30002, CVE-2021-31916, CVE-2021-28660
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The xen netback backend in the linux kernel did not properly handle certain error conditions under paravirtualization.
    The realtek rtl8188eu wireless device driver in the linux kernel did not properly validate ssid lengths in some situations.
    The xen paravirtualization backend in the linux kernel did not properly deallocate memory in some situations.
    The fuse user space file system implementation in the linux kernel did not properly handle bad inodes in some situations.
    The audio driver for qualcomm sdm845 systems in the linux kernel did not properly validate port id numbers.
    The btrfs file system implementation in the linux kernel contained a race condition during certain cloning operations.
    The perf subsystem in the linux kernel did not properly handle certain pebs records properly for some intel haswell processors.
    The rpa pci hotplug driver implementation in the linux kernel did not properly handle device name writes via sysfs, leading to a buffer overflow.
    The qualcomm ipc router implementation in the linux kernel did not properly initialize memory passed to user space.
    The video4linux subsystem in the linux kernel did not properly deallocate memory in some situations.
    The block device manager (dm) implementation in the linux kernel contained a buffer overflow in the ioctl for listing devices.
    The cipso implementation in the linux kernel did not properly perform reference counting in some situations, leading to use- after-free vulnerabilities.
    The ieee 1394 (firewire) nosy packet sniffer driver in the linux kernel did not properly perform reference counting in some situations, leading to a use-after-free vulnerability.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    an attacker in a guest vm could possibly use this to cause a denial of service (host domain crash) (cve-2021-28038).
    An attacker could use this to cause a denial of service (system crash).
    (cve-2021-28660).
    A local attacker could use this to cause a denial of service (memory exhaustion).
    (cve-2021-28688).
    A local attacker could possibly use this to cause a denial of service.
    (cve-2021-28950).
    A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (
    cve-2021-28952).
    a local attacker could possibly use this to cause a denial of service (system crash) (cve-2021-28964).
    A local attacker could use this to cause a denial of service (system crash) (cve-2021-28971).
    A privileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
    (cve-2021-28972).
    A local attacker could use this to expose sensitive information (kernel memory).
    (cve-2021-29647).
    A local attacker could use this to cause a denial of service (memory exhaustion).
    (cve-2021-30002).
    A privileged local attacker could use this to cause a denial of service (system crash) (cve-2021-31916).
    An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (
    cve-2021-33033).
    A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (
    cve-2021-3483).
    Solution
    Refer to Ubuntu advisory: USN-4984-1 for affected packages and patching details, or update with your package manager.
    Patches
    Ubuntu Linux USN-4984-1
  • CVE-2021-27803
    Recently Published

    Fedora Security Update for wpa_supplicant (FEDORA-2021-99cad2b81f)

    Severity
    Critical4
    Qualys ID
    281577
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-99cad2b81f
    CVE Reference
    CVE-2021-27803
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for wpa_supplicant to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-99cad2b81f
  • CVE-2021-27803
    Recently Published

    Fedora Security Update for wpa_supplicant (FEDORA-2021-9b00febe54)

    Severity
    Critical4
    Qualys ID
    281576
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-9b00febe54
    CVE Reference
    CVE-2021-27803
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for wpa_supplicant to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-9b00febe54
  • CVE-2021-27803
    Recently Published

    Fedora Security Update for wpa_supplicant (FEDORA-2021-3430f96019)

    Severity
    Critical4
    Qualys ID
    281575
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-3430f96019
    CVE Reference
    CVE-2021-27803
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for wpa_supplicant to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-3430f96019
  • CVE-2021-27219
    Recently Published

    Red Hat Update for glib2 (RHSA-2021:2170)

    Severity
    Critical4
    Qualys ID
    239378
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2170
    CVE Reference
    CVE-2021-27219
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures.

    Security Fix(es): glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits (CVE-2021-27219)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64
    Red Hat CodeReady Linux Builder for x86_64 8 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le
    Red Hat CodeReady Linux Builder for ARM 64 8 aarch64
    Red Hat CodeReady Linux Builder for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2170 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2170
  • CVE-2021-27219
    Recently Published

    Red Hat Update for glib2 (RHSA-2021:2171)

    Severity
    Critical4
    Qualys ID
    239377
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2171
    CVE Reference
    CVE-2021-27219
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures.

    Security Fix(es): glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits (CVE-2021-27219)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64
    Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.2 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2171 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2171
  • CVE-2021-27219
    Recently Published

    Red Hat Update for glib2 (RHSA-2021:2172)

    Severity
    Critical4
    Qualys ID
    239376
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2172
    CVE Reference
    CVE-2021-27219
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures.

    Security Fix(es): glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits (CVE-2021-27219)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64
    Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.1 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2172 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2172
  • CVE-2021-27219
    Recently Published

    Red Hat Update for glib2 (RHSA-2021:2175)

    Severity
    Critical4
    Qualys ID
    239375
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2175
    CVE Reference
    CVE-2021-27219
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures.

    Security Fix(es): glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits (CVE-2021-27219)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 7.7 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.7 s390x
    Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.7 ppc64
    Red Hat Enterprise Linux EUS Compute Node 7.7 x86_64
    Red Hat Enterprise Linux Server - AUS 7.7 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.7 ppc64le
    Red Hat Enterprise Linux Server - TUS 7.7 x86_64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.7 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.7 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2175 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2175
  • CVE-2021-25217
    Recently Published

    Fedora Security Update for dhcp (FEDORA-2021-08cdb4dc34)

    Severity
    Critical4
    Qualys ID
    281494
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-08cdb4dc34
    CVE Reference
    CVE-2021-25217
    CVSS Scores
    Base 7.4 / Temporal 6.4
    Description
    Fedora has released a security update for dhcp to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-08cdb4dc34
  • CVE-2021-25217
    Recently Published

    Fedora Security Update for dhcp (FEDORA-2021-8ca8263bde)

    Severity
    Critical4
    Qualys ID
    281493
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-8ca8263bde
    CVE Reference
    CVE-2021-25217
    CVSS Scores
    Base 7.4 / Temporal 6.4
    Description
    Fedora has released a security update for dhcp to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-8ca8263bde
  • CVE-2021-3501+
    Recently Published

    Red Hat Update for kernel (RHSA-2021:2168)

    Severity
    Critical4
    Qualys ID
    239379
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2168
    CVE Reference
    CVE-2021-3501, CVE-2021-3543
    CVSS Scores
    Base 7.1 / Temporal 6.2
    Description
    The kernel packages contain the Linux kernel, the core of any Linux operating system.

    Security Fix(es): kernel: userspace applications can misuse the KVM API to cause a write of 16 bytes at an offset up to 32 GB from vcpu->run (CVE-2021-3501) kernel: nitro_enclaves stale file descriptors on failed usercopy (CVE-2021-3543)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Virtualization Host 4 for RHEL 8 x86_64
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64
    Red Hat CodeReady Linux Builder for x86_64 8 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le
    Red Hat CodeReady Linux Builder for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.4 aarch64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2168 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2168
  • CVE-2021-3405
    Recently Published

    Fedora Security Update for libebml (FEDORA-2021-9a0fff8455)

    Severity
    Critical4
    Qualys ID
    281574
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-9a0fff8455
    CVE Reference
    CVE-2021-3405
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    Fedora has released a security update for libebml to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-9a0fff8455
  • CVE-2021-3405
    Recently Published

    Fedora Security Update for libebml (FEDORA-2021-aa78f97893)

    Severity
    Critical4
    Qualys ID
    281573
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-aa78f97893
    CVE Reference
    CVE-2021-3405
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    Fedora has released a security update for libebml to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-aa78f97893
  • CVE-2021-3405
    Recently Published

    Fedora Security Update for libebml (FEDORA-2021-e283997bb9)

    Severity
    Critical4
    Qualys ID
    281572
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-e283997bb9
    CVE Reference
    CVE-2021-3405
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    Fedora has released a security update for libebml to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-e283997bb9
  • CVE-2021-28957
    Recently Published

    Fedora Security Update for python (FEDORA-2021-4cdb0f68c7)

    Severity
    Critical4
    Qualys ID
    281501
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-4cdb0f68c7
    CVE Reference
    CVE-2021-28957
    CVSS Scores
    Base 6.1 / Temporal 5.3
    Description
    Fedora has released a security update for python to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-4cdb0f68c7
  • CVE-2021-29136
    Recently Published

    SUSE Enterprise Linux Security Update for umoci (SUSE-SU-2021:1863-1)

    Severity
    Critical4
    Qualys ID
    750110
    Date Published
    June 9, 2021
    Vendor Reference
    SUSE-SU-2021:1863-1
    CVE Reference
    CVE-2021-29136
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    This update for umoci fixes the following issues: - update to v0.4.7 (bsc#1184147).
    - cve-2021-29136: fixed overwriting of host files via malicious layer (bsc#1184147).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1863-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1863-1
  • CVE-2021-3446
    Recently Published

    Fedora Security Update for libtpms (FEDORA-2021-8b584e5ebb)

    Severity
    Critical4
    Qualys ID
    281565
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-8b584e5ebb
    CVE Reference
    CVE-2021-3446
    CVSS Scores
    Base 5.5 / Temporal 4.8
    Description
    Fedora has released a security update for libtpms to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could also use this vulnerability to change partial contents or configuration on the system and information disclosure.Denial of service can appear in some cases too.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-8b584e5ebb
  • CVE-2021-32062
    Recently Published

    Fedora Security Update for mapserver (FEDORA-2021-faab70f09a)

    Severity
    Critical4
    Qualys ID
    281503
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-faab70f09a
    CVE Reference
    CVE-2021-32062
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description
    Fedora has released a security update for mapserver to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-faab70f09a
  • CVE-2021-32062
    Recently Published

    Fedora Security Update for mapserver (FEDORA-2021-74dadee887)

    Severity
    Critical4
    Qualys ID
    281502
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-74dadee887
    CVE Reference
    CVE-2021-32062
    CVSS Scores
    Base 5.3 / Temporal 4.6
    Description
    Fedora has released a security update for mapserver to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-74dadee887
  • CVE-2021-3500
    Recently Published

    SUSE Enterprise Linux Security Update for djvulibre (SUSE-SU-2021:1857-1)

    Severity
    Critical4
    Qualys ID
    750107
    Date Published
    June 9, 2021
    Vendor Reference
    SUSE-SU-2021:1857-1
    CVE Reference
    CVE-2021-3500
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    This update for djvulibre fixes the following issues: - cve-2021-3500: stack overflow in function djvu:djvudocument:get_djvu_file() via crafted djvu file (bsc#1186253)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1857-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1857-1
  • Recently Published

    Fedora Security Update for libtpms (FEDORA-2021-e0f390c951)

    Severity
    Critical4
    Qualys ID
    281564
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-e0f390c951
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for libtpms to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-e0f390c951
  • Recently Published

    Fedora Security Update for libtpms (FEDORA-2021-caf9e04ef1)

    Severity
    Critical4
    Qualys ID
    281563
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-caf9e04ef1
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for libtpms to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-caf9e04ef1
  • CVE-2021-3560
    Recently Published

    Fedora Security Update for polkit (FEDORA-2021-0ec5a8a74b)

    Severity
    Critical4
    Qualys ID
    281486
    Date Published
    June 9, 2021
    Vendor Reference
    FEDORA-2021-0ec5a8a74b
    CVE Reference
    CVE-2021-3560
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for polkit to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-0ec5a8a74b
  • CVE-2021-3551
    Recently Published

    Red Hat Update for pki-core:10.6 (RHSA-2021:2235)

    Severity
    Critical4
    Qualys ID
    239366
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2235
    CVE Reference
    CVE-2021-3551
    CVSS Scores
    Base / Temporal
    Description
    The Public Key Infrastructure (PKI)
    Core contains fundamental packages required by Red Hat Certificate System.

    Security Fix(es): pki-server: Dogtag installer "pkispawn" logs admin credentials into a world-readable log file (CVE-2021-3551) The PKI installer "pkispawn" logs admin credentials into aworld-readable log file. It also looks like the installer is passing thepassword as an insecure command line argument. The credentials are the389-DS LDAP server's Directory Manager credentials. The DirectoryManager is 389-DS' equivalent of unrestricted root account. The userbypasses permission checks and grants full access to data. In an IdM /FreeIPA installation the DM user is able to read and manipulate KerberosKDC master password, Kerberos keytabs, hashed user passwords, and more.Any and all IdM and FreeIPA installations with PKI 10.10 should beconsidered compromised.

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2235 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2235
  • CVE-2021-3560
    Recently Published

    Red Hat Update for polkit (RHSA-2021:2236)

    Severity
    Critical4
    Qualys ID
    239365
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2236
    CVE Reference
    CVE-2021-3560
    CVSS Scores
    Base / Temporal
    Description
    The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones.

    Security Fix(es): polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync()
    (CVE-2021-3560)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.1 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.1 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2236 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2236
  • CVE-2021-3560
    Recently Published

    Red Hat Update for polkit (RHSA-2021:2237)

    Severity
    Critical4
    Qualys ID
    239364
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2237
    CVE Reference
    CVE-2021-3560
    CVSS Scores
    Base / Temporal
    Description
    The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones.

    Security Fix(es): polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync()
    (CVE-2021-3560)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.2 x86_64
    Red Hat Enterprise Linux Server - AUS 8.2 x86_64
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.2 s390x
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.2 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.2 x86_64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.2 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.2 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.2 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2237 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2237
  • CVE-2021-3560
    Recently Published

    Red Hat Update for polkit (RHSA-2021:2238)

    Severity
    Critical4
    Qualys ID
    239363
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2238
    CVE Reference
    CVE-2021-3560
    CVSS Scores
    Base / Temporal
    Description
    The polkit packages provide a component for controlling system-wide privileges. This component provides a uniform and organized way for non-privileged processes to communicate with privileged ones.

    Security Fix(es): polkit: local privilege escalation using polkit_system_bus_name_get_creds_sync()
    (CVE-2021-3560)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2238 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2238
  • CVE-2021-23017
    In Development

    Red Hat Update for rh-nginx118-nginx (RHSA-2021:2258)

    Severity
    Critical4
    Qualys ID
    239362
    Vendor Reference
    RHSA-2021:2258
    CVE Reference
    CVE-2021-23017
    CVSS Scores
    Base / Temporal
    Description
    nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage.

    Security Fix(es): nginx: Off-by-one in ngx_resolver_copy()
    when labels are followed by a pointer to a root domain name (CVE-2021-23017)

    Affected Products:

    Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.7 x86_64
    Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7.7 s390x
    Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7.7 ppc64le
    Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
    Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
    Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
    Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2258 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2258
  • CVE-2021-29956+
    Recently Published

    Red Hat Update for thunderbird (RHSA-2021:2262)

    Severity
    Critical4
    Qualys ID
    239361
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2262
    CVE Reference
    CVE-2021-29956, CVE-2021-29957, CVE-2021-29967
    CVSS Scores
    Base / Temporal
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 78.11.0.

    Security Fix(es): Mozilla: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 (CVE-2021-29967) Mozilla: Thunderbird stored OpenPGP secret keys without master password protection (CVE-2021-29956) Mozilla: Partial protection of inline OpenPGP message not indicated (CVE-2021-29957)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.1 x86_64
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.1 ppc64le
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.1 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.1 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2262 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2262
  • CVE-2021-29956+
    Recently Published

    Red Hat Update for thunderbird (RHSA-2021:2264)

    Severity
    Critical4
    Qualys ID
    239360
    Date Published
    June 9, 2021
    Vendor Reference
    RHSA-2021:2264
    CVE Reference
    CVE-2021-29956, CVE-2021-29957, CVE-2021-29967
    CVSS Scores
    Base / Temporal
    Description
    Mozilla Thunderbird is a standalone mail and newsgroup client.This update upgrades Thunderbird to version 78.11.0.

    Security Fix(es): Mozilla: Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11 (CVE-2021-29967) Mozilla: Thunderbird stored OpenPGP secret keys without master password protection (CVE-2021-29956) Mozilla: Partial protection of inline OpenPGP message not indicated (CVE-2021-29957)

    Affected Products:

    Red Hat Enterprise Linux for x86_64 8 x86_64
    Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
    Red Hat Enterprise Linux Server - AUS 8.4 x86_64
    Red Hat Enterprise Linux for IBM z Systems 8 s390x
    Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
    Red Hat Enterprise Linux for Power, little endian 8 ppc64le
    Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
    Red Hat Enterprise Linux Server - TUS 8.4 x86_64
    Red Hat Enterprise Linux for ARM 64 8 aarch64
    Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
    Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 8.4 ppc64le
    Red Hat Enterprise Linux Server - Update Services for SAP Solutions 8.4 x86_64

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:2264 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:2264
  • CVE-2021-3560
    In Development

    SUSE Enterprise Linux Security Update for polkit (SUSE-SU-2021:1843-1)

    Severity
    Critical4
    Qualys ID
    750104
    Vendor Reference
    SUSE-SU-2021:1843-1
    CVE Reference
    CVE-2021-3560
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    This update for polkit fixes the following issues: - cve-2021-3560: fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1843-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1843-1
  • CVE-2021-29964+
    Recently Published

    Mozilla Thunderbird Multiple Vulnerabilities (MFSA2021-26)

    Severity
    Critical4
    Qualys ID
    375609
    Date Published
    June 9, 2021
    Vendor Reference
    MFSA2021-26
    CVE Reference
    CVE-2021-29964, CVE-2021-29967
    CVSS Scores
    Base / Temporal
    Description
    Thunderbird is a free and open-source cross-platform email client developed for Windows, OS X, and Linux, with a mobile version for Android.

    Affected Products:
    Prior to Mozilla Thunderbird 78.11.0

    Note:
    CVE-2021-29964: This bug only affects Thunderbird on Windows. Other operating systems are unaffected.

    QID Detection Logic (Authenticated):
    This checks for vulnerable version of Thunderbird.

    Consequence
    Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code execution on the target.
    Solution
    Vendor has released fix to address these vulnerabilities. Refer to MFSA2021-26
    Patches
    MFSA2021-26
  • CVE-2018-25013+
    In Development

    SUSE Enterprise Linux Security Update for libwebp (SUSE-SU-2021:1830-1)

    Severity
    Urgent5
    Qualys ID
    750093
    Vendor Reference
    SUSE-SU-2021:1830-1
    CVE Reference
    CVE-2018-25013, CVE-2020-36329, CVE-2018-25010, CVE-2020-36331, CVE-2020-36332, CVE-2018-25009, CVE-2020-36330, CVE-2018-25011, CVE-2018-25012
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    This update for libwebp fixes the following issues: - cve-2018-25010: fixed heap-based buffer overflow in applyfilter() (bsc#1185685).
    - cve-2020-36330: fixed heap-based buffer overflow in chunkverifyandassign() (bsc#1185691).
    - cve-2020-36332: fixed extreme memory allocation when reading a file (bsc#1185674).
    - cve-2020-36329: fixed use-after-free in emitfancyrgb() (bsc#1185652).
    - cve-2018-25012: fixed heap-based buffer overflow in getle24() (bsc#1185690).
    - cve-2018-25013: fixed heap-based buffer overflow in shiftbytes() (bsc#1185654).
    - cve-2020-36331: fixed heap-based buffer overflow in chunkassigndata() (bsc#1185686).
    - cve-2018-25009: fixed heap-based buffer overflow in getle16() (bsc#1185673).
    - cve-2018-25011: fixed fail on multiple image chunks (bsc#1186247).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1830-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1830-1
  • CVE-2021-21342+
    In Development

    SUSE Enterprise Linux Security Update for xstream (SUSE-SU-2021:1840-1)

    Severity
    Critical4
    Qualys ID
    750094
    Vendor Reference
    SUSE-SU-2021:1840-1
    CVE Reference
    CVE-2021-21342, CVE-2021-21351, CVE-2021-21349, CVE-2021-21344, CVE-2021-21347, CVE-2021-21341, CVE-2021-21348, CVE-2021-21345, CVE-2021-21346, CVE-2021-21350, CVE-2021-21343
    CVSS Scores
    Base 9.9 / Temporal 8.6
    Description
    This update for xstream fixes the following issues: - upgrade to 1.4.16 - cve-2021-21351: remote attacker to load and execute arbitrary code (bsc#1184796) - cve-2021-21349: ssrf can lead to a remote attacker to request data from internal resources (bsc#1184797) - cve-2021-21350: arbitrary code execution (bsc#1184380) - cve-2021-21348: remote attacker could cause denial of service by consuming maximum cpu time (bsc#1184374) - cve-2021-21347: remote attacker to load and execute arbitrary code from a remote host (bsc#1184378) - cve-2021-21344: remote attacker could load and execute arbitrary code from a remote host (bsc#1184375) - cve-2021-21342: server-side forgery (bsc#1184379) - cve-2021-21341: remote attacker could cause a denial of service by allocating 100% cpu time (bsc#1184377) - cve-2021-21346: remote attacker could load and execute arbitrary code (bsc#1184373) - cve-2021-21345: remote attacker with sufficient rights could execute commands (bsc#1184372) - cve-2021-21343: replace or inject objects, that result in the deletion of files on the local host (bsc#1184376)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1840-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1840-1
  • CVE-2021-28651+
    In Development

    SUSE Enterprise Linux Security Update for squid (SUSE-SU-2021:1838-1)

    Severity
    Critical4
    Qualys ID
    750098
    Vendor Reference
    SUSE-SU-2021:1838-1
    CVE Reference
    CVE-2021-28651, CVE-2021-28652, CVE-2020-25097, CVE-2021-28662, CVE-2021-31806
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    This update for squid fixes the following issues: - update to 4.15: - cve-2021-28652: broken cache manager url parsing (bsc#1185918) - cve-2021-28651: memory leak in rfc 2169 response parsing (bsc#1185921) - cve-2021-28662: limit headerlookuptable_t::lookup() to badhdr and specific ids (bsc#1185919) - cve-2021-31806: handle more range requests (bsc#1185916) - cve-2020-25097: http request smuggling vulnerability (bsc#1183436) - handle more partial responses (bsc#1185923) - fix previous change to reinstante permissions macros, because the wrong path has been used (bsc#1171569).
    - use libexecdir instead of libdir to conform to recent changes in factory (bsc#1171164).
    - reinstate permissions macros for pinger binary, because the permissions package is also responsible for setting up the cap_net_raw capability, currently a fresh squid install doesn't get a capability bit at all (bsc#1171569).
    - change pinger and basic_pam_auth helper to use standard permissions.
    pinger uses cap_net_raw=ep instead (bsc#1171569)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1838-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1838-1
  • CVE-2020-25672+
    Recently Published

    Ubuntu Security Notification for Linux kernel vulnerabilities (USN-4979-1)

    Severity
    Critical4
    Qualys ID
    198398
    Date Published
    June 9, 2021
    Vendor Reference
    USN-4979-1
    CVE Reference
    CVE-2020-25672, CVE-2021-31916, CVE-2021-28964, CVE-2020-25670, CVE-2021-3483, CVE-2021-3428, CVE-2020-25671, CVE-2021-33033, CVE-2021-28971, CVE-2021-29647, CVE-2021-28660, CVE-2020-25673, CVE-2021-28972
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    The nfc llcp protocol implementation in the linux kernel contained a reference counting error.
    The nfc llcp protocol implementation in the linux kernel did not properly deallocate memory in certain error situations.
    The nfc llcp protocol implementation in the linux kernel did not properly handle error conditions in some situations, leading to an infinite loop.
    The realtek rtl8188eu wireless device driver in the linux kernel did not properly validate ssid lengths in some situations.
    The btrfs file system implementation in the linux kernel contained a race condition during certain cloning operations.
    The perf subsystem in the linux kernel did not properly handle certain pebs records properly for some intel haswell processors.
    The rpa pci hotplug driver implementation in the linux kernel did not properly handle device name writes via sysfs, leading to a buffer overflow.
    The qualcomm ipc router implementation in the linux kernel did not properly initialize memory passed to user space.
    The block device manager (dm) implementation in the linux kernel contained a buffer overflow in the ioctl for listing devices.
    The cipso implementation in the linux kernel did not properly perform reference counting in some situations, leading to use- after-free vulnerabilities.
    The ext4 file system implementation in the linux kernel contained an integer overflow when handling metadata inode extents.
    The ieee 1394 (firewire) nosy packet sniffer driver in the linux kernel did not properly perform reference counting in some situations, leading to a use-after-free vulnerability.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    a local attacker could use this to cause a denial of service (system crash) (cve-2020-25670).
    A local attacker could use this to cause a denial of service (memory exhaustion) (cve-2020-25671, cve-2020-25672).
    A local attacker could use this to cause a denial of service. (
    cve-2020-25673).
    An attacker could use this to cause a denial of service (system crash).
    (cve-2021-28660).
    a local attacker could possibly use this to cause a denial of service (system crash) (cve-2021-28964).
    A local attacker could use this to cause a denial of service (system crash) (cve-2021-28971).
    A privileged attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
    (cve-2021-28972).
    A local attacker could use this to expose sensitive information (kernel memory).
    (cve-2021-29647).
    A privileged local attacker could use this to cause a denial of service (system crash) (cve-2021-31916).
    An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (
    cve-2021-33033).
    An attacker could use this to construct a malicious ext4 file system image that, when mounted, could cause a denial of service (system crash) (cve-2021-3428).
    A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (
    cve-2021-3483).
    Solution
    Refer to Ubuntu advisory: USN-4979-1 for affected packages and patching details, or update with your package manager.
    Patches
    Ubuntu Linux USN-4979-1
  • CVE-2019-15890+
    In Development

    SUSE Enterprise Linux Security Update for qemu (SUSE-SU-2021:1837-1)

    Severity
    Critical4
    Qualys ID
    750097
    Vendor Reference
    SUSE-SU-2021:1837-1
    CVE Reference
    CVE-2019-15890, CVE-2021-20257, CVE-2020-25723, CVE-2020-25085, CVE-2020-14364, CVE-2020-10756, CVE-2020-29129, CVE-2020-25707, CVE-2021-3419, CVE-2020-8608, CVE-2020-29130
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    This update for qemu fixes the following issues: - fix out-of-bounds access issue while doing multi block sdma (cve-2020-25085, bsc#1176681) - fix out-of-bounds read information disclosure in icmp6_send_echoreply (cve-2020-10756, bsc#1172380) - qemu bios fails to read stage2 loader on s390x (bsc#1186290) - change dependency from config_vfio back to config_linux (bsc#1179725) - for the record, these issues are fixed in this package already.
    Most are alternate references to previously mentioned issues: (cve-2019-15890, bsc#1149813, cve-2020-8608, bsc#1163019, cve-2020-14364, bsc#1175534, cve-2020-25707, bsc#1178683, cve-2020-25723, bsc#1178935, cve-2020-29130, bsc#1179477, cve-2020-29129, bsc#1179484, cve-2021-20257, bsc#1182846, cve-2021-3419, bsc#1182975)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1837-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1837-1
  • CVE-2021-25217
    In Development

    SUSE Enterprise Linux Security Update for dhcp (SUSE-SU-2021:1841-1)

    Severity
    Critical4
    Qualys ID
    750096
    Vendor Reference
    SUSE-SU-2021:1841-1
    CVE Reference
    CVE-2021-25217
    CVSS Scores
    Base 7.4 / Temporal 6.4
    Description
    This update for dhcp fixes the following issues: - cve-2021-25217: a buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1841-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1841-1
  • CVE-2021-3531+
    In Development

    SUSE Enterprise Linux Security Update for ceph (SUSE-SU-2021:1835-1)

    Severity
    Critical4
    Qualys ID
    750100
    Vendor Reference
    SUSE-SU-2021:1835-1
    CVE Reference
    CVE-2021-3531, CVE-2021-3509, CVE-2021-3524
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    Update to 15.2.12-83-g528da226523:
    - (CVE-2021-3509) fix cookie injection issue (bsc#1186021)
    - (CVE-2021-3531) RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name (bsc#1186020)
    - (CVE-2021-3524) sanitize \r in s3 CORSConfigurations ExposeHeader (bsc#1185619)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1835-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1835-1
  • CVE-2021-3531+
    In Development

    SUSE Enterprise Linux Security Update for ceph (SUSE-SU-2021:1834-1)

    Severity
    Critical4
    Qualys ID
    750099
    Vendor Reference
    SUSE-SU-2021:1834-1
    CVE Reference
    CVE-2021-3531, CVE-2021-3509, CVE-2021-3524
    CVSS Scores
    Base 6.5 / Temporal 5.7
    Description
    Update to 15.2.12-83-g528da226523:
    - (CVE-2021-3509) fix cookie injection issue (bsc#1186021)
    - (CVE-2021-3531) RGWSwiftWebsiteHandler::is_web_dir checks empty subdir_name (bsc#1186020)
    - (CVE-2021-3524) sanitize \r in s3 CORSConfigurations ExposeHeader (bsc#1185619)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1834-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1834-1
  • CVE-2021-23017
    In Development

    SUSE Enterprise Linux Security Update for nginx (SUSE-SU-2021:1839-1)

    Severity
    Critical4
    Qualys ID
    750095
    Vendor Reference
    SUSE-SU-2021:1839-1
    CVE Reference
    CVE-2021-23017
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    This update for nginx fixes the following issues: - cve-2021-23017: nginx dns resolver off-by-one heap write (bsc#1186126)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1839-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1839-1
  • CVE-2021-23017
    Recently Published

    Amazon Linux Security Advisory for nginx: ALAS-2021-1507

    Severity
    Critical4
    Qualys ID
    352378
    Date Published
    June 9, 2021
    Vendor Reference
    ALAS-2021-1507
    CVE Reference
    CVE-2021-23017
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    <DIV ID="issue_overview"> a flaw was found in nginx.
    An off-by-one error while processing dns responses allows a network attacker to write a dot character out of bounds in a heap allocated buffer which can allow overwriting the least significant byte of next heap chunk metadata likely leading to a remote code execution in certain circumstances.
    The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (
    cve-2021-23017 ) </DIV>

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Please refer to Amazon advisory: ALAS-2021-1507 for affected packages and patching details, or update with your package manager.
    Patches
    Amazon Linux ALAS-2021-1507
  • CVE-2021-29964+
    Recently Published

    Mozilla Firefox ESR Multiple Vulnerabilities (MFSA2021-24)

    Severity
    Critical4
    Qualys ID
    375607
    Date Published
    June 7, 2021
    Vendor Reference
    MFSA2021-24
    CVE Reference
    CVE-2021-29964, CVE-2021-29967
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Firefox is a free and open-source web browser developed for Windows, OS X, and Linux, with a mobile version for Android.

    Affected Products:
    Prior to Firefox ESR 78.11

    QID Detection Logic (Authenticated) :
    This checks for vulnerable version of Firefox browser.

    Consequence
    Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code execution on the target.
    Solution
    Vendor has released fix to address these vulnerabilities. Refer to MFSA2021-24
    Patches
    MFSA2021-24
  • CVE-2021-3560
    Recently Published

    SUSE Enterprise Linux Security Update for polkit (SUSE-SU-2021:1842-1)

    Severity
    Critical4
    Qualys ID
    750103
    Date Published
    June 7, 2021
    Vendor Reference
    SUSE-SU-2021:1842-1
    CVE Reference
    CVE-2021-3560
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    This update for polkit fixes the following issues: - cve-2021-3560: fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1842-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1842-1
  • CVE-2021-3560
    Recently Published

    SUSE Enterprise Linux Security Update for polkit (SUSE-SU-2021:1844-1)

    Severity
    Critical4
    Qualys ID
    750102
    Date Published
    June 7, 2021
    Vendor Reference
    SUSE-SU-2021:1844-1
    CVE Reference
    CVE-2021-3560
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    This update for polkit fixes the following issues: - cve-2021-3560: fixed a local privilege escalation using polkit_system_bus_name_get_creds_sync() (bsc#1186497).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1844-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1844-1
  • CVE-2021-3468+
    Recently Published

    SUSE Enterprise Linux Security Update for avahi (SUSE-SU-2021:1845-1)

    Severity
    Critical4
    Qualys ID
    750101
    Date Published
    June 7, 2021
    Vendor Reference
    SUSE-SU-2021:1845-1
    CVE Reference
    CVE-2021-3468, CVE-2021-26720
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    This update for avahi fixes the following issues: - cve-2021-3468: avoid infinite loop by handling hup event in client_work (bsc#1184521).
    - cve-2021-26720: drop privileges when invoking avahi-daemon-check-dns.sh (bsc#1180827) - update avahi-daemon-check-dns.sh from debian.
    Our previous version relied on ifconfig, route, and init.d.
    - add sudo to requires: used to drop privileges.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1845-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1845-1
  • CVE-2021-3468
    Recently Published

    SUSE Enterprise Linux Security Update for avahi (SUSE-SU-2021:1494-2)

    Severity
    Critical4
    Qualys ID
    750105
    Date Published
    June 7, 2021
    Vendor Reference
    SUSE-SU-2021:1494-2
    CVE Reference
    CVE-2021-3468
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    This update for avahi fixes the following issues: - cve-2021-3468: avoid infinite loop by handling hup event in client_work (bsc#1184521).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1494-2 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1494-2
  • CVE-2021-29965+
    Recently Published

    Mozilla Firefox Multiple Vulnerabilities (MFSA2021-23)

    Severity
    Critical4
    Qualys ID
    375606
    Date Published
    June 7, 2021
    Vendor Reference
    MFSA2021-23
    CVE Reference
    CVE-2021-29965, CVE-2021-29960, CVE-2021-29961, CVE-2021-29964, CVE-2021-29959, CVE-2021-29967, CVE-2021-29966
    CVSS Scores
    Base / Temporal
    Description
    Firefox is a free and open-source web browser developed for Windows, OS X, and Linux, with a mobile version for Android.

    Affected Products:
    Prior to Firefox 89

    QID Detection Logic (Authenticated) :
    This checks for vulnerable version of Firefox browser.

    Consequence
    Successful exploitation of this vulnerability could compromise confidentiality, integrity and availability

    Solution
    Vendor has released fix to address these vulnerabilities. Refer to MFSA 2021-23
    Patches
    MFSA2021-23
  • CVE-2020-1747+
    Recently Published

    EulerOS Security Update for PyYAML (EulerOS-SA-2021-1937)

    Severity
    Urgent5
    Qualys ID
    670388
    Date Published
    June 7, 2021
    Vendor Reference
    EulerOS-SA-2021-1937
    CVE Reference
    CVE-2020-1747, CVE-2020-14343
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released a security update for pyyaml to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released a security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1937
    Patches
    EulerOS-SA-2021-1937
  • CVE-2020-1747+
    Recently Published

    EulerOS Security Update for PyYAML (EulerOS-SA-2021-1958)

    Severity
    Urgent5
    Qualys ID
    670367
    Date Published
    June 7, 2021
    Vendor Reference
    EulerOS-SA-2021-1958
    CVE Reference
    CVE-2020-1747, CVE-2020-14343
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released a security update for PyYAML to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released a security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1958
    Patches
    EulerOS-SA-2021-1958
  • CVE-2021-26701
    Recently Published

    Fedora Security Update for dotnet5.0 (FEDORA-2021-904d0bd496)

    Severity
    Urgent5
    Qualys ID
    281460
    Date Published
    June 7, 2021
    Vendor Reference
    FEDORA-2021-904d0bd496
    CVE Reference
    CVE-2021-26701
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for dotnet5.0 to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-904d0bd496
  • CVE-2021-26701
    Recently Published

    Fedora Security Update for dotnet5.0 (FEDORA-2021-1b22f31541)

    Severity
    Urgent5
    Qualys ID
    281459
    Date Published
    June 7, 2021
    Vendor Reference
    FEDORA-2021-1b22f31541
    CVE Reference
    CVE-2021-26701
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for dotnet5.0 to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-1b22f31541
  • CVE-2021-26701
    Recently Published

    Fedora Security Update for dotnet5.0 (FEDORA-2021-138728e59b)

    Severity
    Urgent5
    Qualys ID
    281458
    Date Published
    June 7, 2021
    Vendor Reference
    FEDORA-2021-138728e59b
    CVE Reference
    CVE-2021-26701
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for dotnet5.0 to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-138728e59b
  • CVE-2021-26701
    Recently Published

    Fedora Security Update for dotnet3.1 (FEDORA-2021-e2d218afe6)

    Severity
    Urgent5
    Qualys ID
    281454
    Date Published
    June 7, 2021
    Vendor Reference
    FEDORA-2021-e2d218afe6
    CVE Reference
    CVE-2021-26701
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for dotnet3.1 to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-e2d218afe6
  • CVE-2021-26701
    Recently Published

    Fedora Security Update for dotnet3.1 (FEDORA-2021-3da33cdc80)

    Severity
    Urgent5
    Qualys ID
    281453
    Date Published
    June 7, 2021
    Vendor Reference
    FEDORA-2021-3da33cdc80
    CVE Reference
    CVE-2021-26701
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for dotnet3.1 to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-3da33cdc80
  • CVE-2021-26701
    Recently Published

    Fedora Security Update for dotnet3.1 (FEDORA-2021-265a3c7cb9)

    Severity
    Urgent5
    Qualys ID
    281452
    Date Published
    June 7, 2021
    Vendor Reference
    FEDORA-2021-265a3c7cb9
    CVE Reference
    CVE-2021-26701
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Fedora has released a security update for dotnet3.1 to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-265a3c7cb9
  • CVE-2021-3185
    In Development

    SUSE Enterprise Linux Security Update for gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly (SUSE-SU-2021:1819-1)

    Severity
    Critical4
    Qualys ID
    750088
    Vendor Reference
    SUSE-SU-2021:1819-1
    CVE Reference
    CVE-2021-3185
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    This update for gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly fixes the following issues: gstreamer was updated to version 1.16.3 (bsc#1181255): - delay creation of threadpools - bin: fix `deep-element-removed` log message - buffer: fix meta sequence number fallback on rpi - bufferlist: foreach: always remove as parent if buffer is changed - bus: make setting/replacing/clearing the sync handler thread-safe - elementfactory: fix missing features in case a feature moves to another filename - element: when removing a ghost pad also unset its target - meta: intern registered impl string - registry: use a toolchain-specific registry file on windows - systemclock: invalid internal time calculation causes non-increasing clock time on windows - value: don't write to `const char *` - value: fix segfault comparing empty gvaluearrays - revert floating enforcing - aggregator: fix iteration direction in skip_buffers - sparsefile: fix possible crash when seeking - baseparse: cache fix - baseparse: fix memory leak when subclass skips whole input buffer - baseparse: set the private duration before posting a duration-changed message - basetransform: allow not passthrough if generate_output is implemented - identity: fix a minor leak using meta_str - queue: protect against lost wakeups for iterm_del condition - queue2: avoid races when posting buffering messages - queue2: fix missing/dropped buffering messages at startup - identity: unblock condition variable on flush_start - check: use `g_thread_yield()` instead of `g_usleep(1)` - tests: use cpu_family for arch checks - gst-launch: follow up to missing `s/g_print/gst_print/g` - gst-inspect: add define guard for `g_log_writer_supports_color()` - gst-launch: go back down to `gst_state_null` in one step.
    - opencv: allow compilation against 4.2.x - proxysink: event_function needs to handle the event when it is disconnecetd from proxysrc - vulkan: drop use of vk_result_begin_range - wasapi: added missing lock release in case of error in gst_wasapi_xxx_reset - wasapi: fix possible deadlock while downwards state change - waylandsink: clear window when pipeline is stopped - webrtc: support non-trickle ice candidates in the sdp - webrtc: unmap all non-binary buffers received via the datachannel - meson: build with neon 0.31 - drop upstream fixed patch: gstreamer-h264parser-fix-overflow.patch - h264parser: guard against ref_pic_markings overflow (bsc#1181255 cve-2021-3185) - disable the kate/libtiger plugin.
    kate streams for karaoke are not used anymore, and the source tarball for libtiger is no longer available upstream. (
    - typefind: consider mpeg-ps psm to be a pes type - uridecodebin3: default to non-0 buffer-size and buffer-duration, otherwise it could potentially cause big memory allocations over time - videoaggregator: don't configure null chroma-site/colorimetry - videorate/videoscale/audioresample: ensure that the caps returned from... - build: replace bashisms in configure for wayland and gles3

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1819-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1819-1
  • CVE-2020-17438
    Recently Published

    EulerOS Security Update for open-iscsi (EulerOS-SA-2021-1932)

    Severity
    Critical4
    Qualys ID
    670393
    Date Published
    June 7, 2021
    Vendor Reference
    EulerOS-SA-2021-1932
    CVE Reference
    CVE-2020-17438
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released a security update for open-iscsi to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released a security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1932
    Patches
    EulerOS-SA-2021-1932
  • CVE-2021-23336+
    Recently Published

    EulerOS Security Update for python3 (EulerOS-SA-2021-1936)

    Severity
    Critical4
    Qualys ID
    670389
    Date Published
    June 7, 2021
    Vendor Reference
    EulerOS-SA-2021-1936
    CVE Reference
    CVE-2021-23336, CVE-2021-3177
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released a security update for python3 to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released a security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1936
    Patches
    EulerOS-SA-2021-1936
  • CVE-2020-17438
    Recently Published

    EulerOS Security Update for open-iscsi (EulerOS-SA-2021-1953)

    Severity
    Critical4
    Qualys ID
    670372
    Date Published
    June 7, 2021
    Vendor Reference
    EulerOS-SA-2021-1953
    CVE Reference
    CVE-2020-17438
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released a security update for open-iscsi to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released a security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1953
    Patches
    EulerOS-SA-2021-1953
  • CVE-2021-23336+
    Recently Published

    EulerOS Security Update for python3 (EulerOS-SA-2021-1957)

    Severity
    Critical4
    Qualys ID
    670368
    Date Published
    June 7, 2021
    Vendor Reference
    EulerOS-SA-2021-1957
    CVE Reference
    CVE-2021-23336, CVE-2021-3177
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Euler has released a security update for python3 to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released a security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1957
    Patches
    EulerOS-SA-2021-1957
  • CVE-2021-29921
    Recently Published

    Ubuntu Security Notification for Python vulnerability (USN-4973-1)

    Severity
    Critical4
    Qualys ID
    198392
    Date Published
    June 7, 2021
    Vendor Reference
    USN-4973-1
    CVE Reference
    CVE-2021-29921
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    The python stdlib ipaddress api incorrectly handled octal strings.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    a remote attacker could possibly use this issue to perform a wide variety of attacks, including bypassing certain access restrictions..
    Solution
    Refer to Ubuntu advisory: USN-4973-1 for affected packages and patching details, or update with your package manager.
    Patches
    Ubuntu Linux USN-4973-1
  • CVE-2018-25014+
    Recently Published

    Ubuntu Security Notification for libwebp vulnerabilities (USN-4971-1)

    Severity
    Critical4
    Qualys ID
    198390
    Date Published
    June 7, 2021
    Vendor Reference
    USN-4971-1
    CVE Reference
    CVE-2018-25014, CVE-2020-36331, CVE-2020-36329, CVE-2018-25009, CVE-2018-25011, CVE-2020-36330, CVE-2018-25012, CVE-2018-25013, CVE-2018-25010, CVE-2020-36328, CVE-2020-36332
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Libwebp incorrectly handled certain malformed images.

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    if a user or automated system were tricked into opening a specially crafted image file, a remote attacker could use this issue to cause libwebp to crash, resulting in a denial of service, or possibly execute arbitrary code..
    Solution
    Refer to Ubuntu advisory: USN-4971-1 for affected packages and patching details, or update with your package manager.
    Patches
    Ubuntu Linux USN-4971-1
  • CVE-2020-12460
    Recently Published

    Debian Security Update for opendmarc (DLA 2639-1)

    Severity
    Critical4
    Qualys ID
    178648
    Date Published
    June 7, 2021
    Vendor Reference
    DLA 2639-1
    CVE Reference
    CVE-2020-12460
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Debian has released security update for opendmarc to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Refer to Debian security advisory to CentOS advisory DLA 2639-1 for updates and patch information.
    Patches
    Debian DLA 2639-1
  • CVE-2018-15756+
    Recently Published

    Debian Security Update for libspring-java (DLA 2635-1)

    Severity
    Critical4
    Qualys ID
    178647
    Date Published
    June 7, 2021
    Vendor Reference
    DLA 2635-1
    CVE Reference
    CVE-2018-15756, CVE-2018-11040, CVE-2018-1270, CVE-2018-11039
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Debian has released security update for libspring-java to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Refer to Debian security advisory to CentOS advisory DLA 2635-1 for updates and patch information.
    Patches
    Debian DLA 2635-1
  • CVE-2020-27779+
    Recently Published

    EulerOS Security Update for grub2 (EulerOS-SA-2021-1927)

    Severity
    Critical4
    Qualys ID
    670398
    Date Published
    June 7, 2021
    Vendor Reference
    EulerOS-SA-2021-1927
    CVE Reference
    CVE-2020-27779, CVE-2020-14372, CVE-2020-25632, CVE-2021-20225, CVE-2021-20233, CVE-2020-27749, CVE-2020-25647
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description
    Euler has released a security update for grub2 to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released a security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1927
    Patches
    EulerOS-SA-2021-1927
  • CVE-2020-27779+
    Recently Published

    EulerOS Security Update for grub2 (EulerOS-SA-2021-1948)

    Severity
    Critical4
    Qualys ID
    670376
    Date Published
    June 7, 2021
    Vendor Reference
    EulerOS-SA-2021-1948
    CVE Reference
    CVE-2020-27779, CVE-2020-14372, CVE-2020-25632, CVE-2021-20225, CVE-2021-20233, CVE-2020-27749, CVE-2020-25647
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description
    Euler has released a security update for grub2 to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released a security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1948
    Patches
    EulerOS-SA-2021-1948
  • CVE-2020-27779+
    In Development

    Debian Security Update for grub2 (DSA 4867-1)

    Severity
    Critical4
    Qualys ID
    178629
    Vendor Reference
    DSA 4867-1
    CVE Reference
    CVE-2020-27779, CVE-2020-27749, CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2021-20225, CVE-2021-20233
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description
    Debian has released security update for grub2 to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Refer to Debian security advisory to CentOS advisory DSA 4867-1 for updates and patch information.
    Patches
    Debian DSA 4867-1
  • CVE-2020-36183+
    Recently Published

    Debian Security Update for jackson-databind (DLA 2638-1)

    Severity
    Critical4
    Qualys ID
    178642
    Date Published
    June 7, 2021
    Vendor Reference
    DLA 2638-1
    CVE Reference
    CVE-2020-36183, CVE-2020-35728, CVE-2020-36185, CVE-2020-36181, CVE-2020-36186, CVE-2020-25649, CVE-2021-20190, CVE-2020-35491, CVE-2020-36180, CVE-2020-36182, CVE-2020-24750, CVE-2020-36179, CVE-2020-36188, CVE-2020-35490, CVE-2020-36189, CVE-2020-36184, CVE-2020-24616, CVE-2020-36187
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Debian has released security update for jackson-databind to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Refer to Debian security advisory to CentOS advisory DLA 2638-1 for updates and patch information.
    Patches
    Debian DLA 2638-1
  • CVE-2021-27363+
    Recently Published

    EulerOS Security Update for kernel (EulerOS-SA-2021-1929)

    Severity
    Critical4
    Qualys ID
    670396
    Date Published
    June 7, 2021
    Vendor Reference
    EulerOS-SA-2021-1929
    CVE Reference
    CVE-2021-27363, CVE-2021-27365, CVE-2021-27364, CVE-2020-25639, CVE-2020-16120, CVE-2020-0465, CVE-2021-3348, CVE-2021-3347
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Euler has released a security update for kernel to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released a security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1929
    Patches
    EulerOS-SA-2021-1929
  • CVE-2021-27363+
    Recently Published

    EulerOS Security Update for kernel (EulerOS-SA-2021-1950)

    Severity
    Critical4
    Qualys ID
    670375
    Date Published
    June 7, 2021
    Vendor Reference
    EulerOS-SA-2021-1950
    CVE Reference
    CVE-2021-27363, CVE-2021-27365, CVE-2021-27364, CVE-2020-16120, CVE-2021-20177, CVE-2021-3178, CVE-2021-3348, CVE-2021-3347
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Euler has released a security update for kernel to fix the vulnerabilities.

    Affected OS: EulerOS V2.0SP9

    Consequence
    An arbitrary attacker may exploit this vulnerability to compromise the system.
    Solution
    The Vendor has released a security update to fix the vulnerability. For more information please visit EulerOS-SA-2021-1950
    Patches
    EulerOS-SA-2021-1950
  • CVE-2020-25862+
    Recently Published

    Debian Security Update for wireshark (DLA 2547-1)

    Severity
    Critical4
    Qualys ID
    178650
    Date Published
    June 7, 2021
    Vendor Reference
    DLA 2547-1
    CVE Reference
    CVE-2020-25862, CVE-2020-9428, CVE-2020-15466, CVE-2020-26575, CVE-2019-13619, CVE-2020-9430, CVE-2019-19553, CVE-2020-13164, CVE-2020-26421, CVE-2020-25863, CVE-2020-7045, CVE-2020-28030, CVE-2020-26418, CVE-2020-9431, CVE-2020-11647, CVE-2019-16319
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Debian has released security update for wireshark to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Refer to Debian security advisory to CentOS advisory DLA 2547-1 for updates and patch information.
    Patches
    Debian DLA 2547-1
  • Recently Published

    Fedora Security Update for nodejs (FEDORA-2021-568b18102a)

    Severity
    Critical4
    Qualys ID
    281337
    Date Published
    June 7, 2021
    Vendor Reference
    FEDORA-2021-568b18102a
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for nodejs to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-568b18102a
  • Recently Published

    Fedora Security Update for nodejs (FEDORA-2021-c11da301be)

    Severity
    Critical4
    Qualys ID
    281336
    Date Published
    June 7, 2021
    Vendor Reference
    FEDORA-2021-c11da301be
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for nodejs to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-c11da301be
  • Recently Published

    Fedora Security Update for nodejs (FEDORA-2021-d934acdb42)

    Severity
    Critical4
    Qualys ID
    281335
    Date Published
    June 7, 2021
    Vendor Reference
    FEDORA-2021-d934acdb42
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for nodejs to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-d934acdb42
  • CVE-2021-30465
    Recently Published

    Red Hat Update for OpenShift Container Platform 4.6.30 packages and (RHSA-2021:1566)

    Severity
    Critical4
    Qualys ID
    239357
    Date Published
    June 7, 2021
    Vendor Reference
    RHSA-2021:1566
    CVE Reference
    CVE-2021-30465
    CVSS Scores
    Base 0 / Temporal 0
    Description
    Red Hat OpenShift Container Platform is Red Hat's cloud computingKubernetes application platform solution designed for on-premise or privatecloud deployments.This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.30. See the following advisory for the container images for this release:https://access.redhat.com/errata/RHBA-2021:1565 The runC tool is a lightweight, portable implementation of the Open Container Format (OCF)
    that provides container runtime.

    Security Fix(es): runc: vulnerable to symlink exchange attack (CVE-2021-30465)

    Affected Products:

    Red Hat OpenShift Container Platform 4.6 for RHEL 8 x86_64
    Red Hat OpenShift Container Platform 4.6 for RHEL 7 x86_64
    Red Hat OpenShift Container Platform for Power 4.6 for RHEL 8 ppc64le
    Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.6 for RHEL 8 s390x

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    On successful exploitation, it could allow an attacker to execute code.
    Solution
    Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

    Refer to Red Hat security advisory RHSA-2021:1566 to address this issue and obtain more information.

    Patches
    Red Hat Enterprise Linux RHSA-2021:1566
  • CVE-2020-9041
    Recently Published

    Couchbase Sync Gateway Denial of service Vulnerability

    Severity
    Critical4
    Qualys ID
    730090
    Date Published
    June 7, 2021
    Vendor Reference
    Couchbase Sync Gateway
    CVE Reference
    CVE-2020-9041
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Sync Gateway is the synchronization server in a Couchbase for Mobile and Edge deployment.

    CVE-2020-9041: The Cluster Management and Views endpoints are vulnerable to the "Slowloris" denial-of-service attack as they don't more aggressively terminate slow connections.

    Affected Products:
    Couchbase Sync Gateway through 2.7.0

    QID Detection Logic(Unauthenticated):
    This QID sends a GET request and identify the vulnerable version of Couchbase sync Gateway.

    Consequence
    Allows an attacker to take down a target web endpoint by sending requests that periodically send additional headers and never terminate.

    Solution
    Customers are advised to refer to Couchbase Sync Gateway for more information.

    Patches
    Couchbase Sync Gateway
  • CVE-2021-23010
    Recently Published

    F5 BIG-IP ASM WebSocket vulnerability(K18570111)

    Severity
    Critical4
    Qualys ID
    375530
    Date Published
    June 7, 2021
    Vendor Reference
    K18570111
    CVE Reference
    CVE-2021-23010
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    F5 BIG-IP ASM (Application Security Manager) is a flexible web application firewall that secures web applications in traditional, virtual, and private cloud environments.

    CVE-2021-23010: When the BIG-IP ASM system processes WebSocket requests with JSON payloads using the default JSON content profile in the ASM security policy, the BIG-IP ASM bd process may produce a core file.

    Vulnerable Component: BIG-IP ASM

    Affected Versions:
    16.0.0 - 16.0.1
    15.1.0 - 15.1.1
    14.1.0 - 14.1.3
    13.1.0 - 13.1.3
    12.1.0 - 12.1.5

    QID Detection Logic(Authenticated):
    This QID checks for the vulnerable versions of F5 BIG-IP devices using the tmsh command.

    Consequence
    When this vulnerability is exploited, the BIG-IP ASM bd process may produce a core file, interrupt traffic processing, and cause a failover event.

    Solution
    The vendor has released any patch, for more information please visit: K18570111

    Workaround:
    To mitigate this vulnerability, you can use the ASM Security menu to create a new custom JSON content profile and then apply it to Allowed WebSocket URLs.

    Patches
    K18570111
  • CVE-2020-10713+
    Recently Published

    HPE Aruba OS Multiple Security Vulnerabilities (ARUBA-PSA-2020-012)

    Severity
    Urgent5
    Qualys ID
    43816
    Date Published
    June 7, 2021
    Vendor Reference
    ARUBA-PSA-2020-012
    CVE Reference
    CVE-2020-10713, CVE-2020-24633, CVE-2020-24634, CVE-2020-24637
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Aruba Networks provides data networking solutions for enterprises and businesses worldwide.

    A remote code execution vulnerability is present in network-listening components in some versions of Aruba OS. Affected Versions:

    For CVE-2020-10713, CVE-2020-24637
    Affected Versions:
    ArubaOS 8.5.0.10, 8.6.0.5, 8.7.0.0 and below
    Resolution:
    ArubaOS 8.5.0.11, 8.6.0.6, 8.7.1.0 and above

    For CVE-2020-24634
    Affected Versions:
    ArubaOS 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below
    Resolution:
    ArubaOS 8.2.2.10, 8.3.0.14, 8.5.0.11, 8.6.0.6, 8.7.1.0 and above
    SD-WAN 2.1.0.2, 2.2.0.1 and above

    For CVE-2020-24633
    Affected Versions:
    ArubaOS 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below
    Resolution:
    ArubaOS 6.4.4.24, 6.5.4.18, 8.2.2.10, 8.3.0.14, 8.5.0.11, 8.6.0.6, 8.7.1.0 and above

    NOTE:
    6.4.x.x and 6.5.x.x branches are not affected by CVE-2020-24634.

    QID Detection Logic (Unauthenticated):
    This QID gets the vulnerable Aruba OS version via SNMP.

    Consequence
    Successful exploitation of the vulnerability will allow attackers to install new potentially malicious firmware on Aruba Access Points.

    Solution

    Please refer to ARUBA-PSA-2020-012 for more information about patching the vulnerability.

    Note:Not all vulnerabilities in this advisory affect all ArubaOS branches. If an ArubaOS branch is not listed as affected, it means that any ArubaOS version in that given branch is not affected.
    For example, the 6.4.x.x and 6.5.x.x branches are not affected by CVE-2020-24634.

    Patches
    ARUBA-PSA-2020-012
  • CVE-2021-21985
    Recently Published

    VMware vCenter Server Remote Code Execution (RCE) Vulnerability (VMSA-2021-0010) (UNAUTHENTICATED))

    Severity
    Urgent5
    Qualys ID
    730102
    Date Published
    June 3, 2021
    Vendor Reference
    VMSA-2021-0010
    CVE Reference
    CVE-2021-21985
    CVSS Scores
    Base 9.8 / Temporal 8.8
    Description
    VMware vCenter is the centralized management tool for the vSphere suite.

    The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. (CVE-2021-21985)

    Affected Versions:
    VMware vCenter Server 7.0 prior to build 17958471
    VMware vCenter Server 6.7 prior to build 18010531
    VMware vCenter Server 6.5 prior to build 17994927

    QID Detection Logic (Unauthenticated):
    The QID sends a POST request to " /ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getHostCapabilityData" to detect if the target is vulnerable or not.
    Note: If the workaround mentioned by the vendor is applied, QID will not flag.

    Consequence
    Successful exploitation of the vulnerability will allow remote code execution.

    Solution
    VMware has released patch for VMware vCenter Server 7.0/6.7/6.5 ,

    Refer to VMware advisory VMSA-2021-0010 for more information.

    Workaround:
    Affected Plugins must be set to "incompatible." Disabling a plugin from within the UI does not prevent exploitation. Please refer to KB article KB83829 for more information.

    Patches
    VMSA-2021-0010
  • CVE-2021-0249
    Recently Published

    Juniper Junos UTM Vulnerability (JSA11142)

    Severity
    Urgent5
    Qualys ID
    43832
    Date Published
    June 3, 2021
    Vendor Reference
    JSA11142
    CVE Reference
    CVE-2021-0249
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Juniper Junos is the network operating system used in Juniper Networks hardware systems.

    A remote attacker may be able to cause a PFE buffer overflow to arbitrarily remotely execute code or commands on the target device with UTM enabled Affected releases are Junos OS:
    115.1X49 versions prior to 15.1X49-D190;
    17.4 versions prior to 17.4R2-S9;
    17.4R3 and later versions prior to 18.1R3-S9;
    18.2 versions prior to 18.2R3-S1;
    18.3 versions prior to 18.3R2-S3, 18.3R3;
    18.4 versions prior to 18.4R2-S3, 18.4R3;
    19.1 versions prior to 19.1R1-S4, 19.1R2;
    19.2 versions prior to 19.2R1-S1, 19.2R2.
    QID detection logic: (Authenticated)
    It checks for vulnerable Junos OS version.

    Consequence
    Successful exploitation allows attacker to execute remote code.

    Solution
    The vendor has released fixes.
    The following software releases have been updated to resolve these specific issues:
    The following software releases have been updated to resolve this specific issue: 15.1X49-D190, 17.4R2-S9, 18.1R3-S9, 18.2R3-S1, 18.3R2-S3, 18.3R3, 18.4R2-S3, 18.4R3, 19.1R1-S4, 19.1R2, 19.2R1-S1, 19.2R2, 19.3R1, and all subsequent releases.

    For more information please visit JSA11142.

    Patches
    JSA11142
  • Recently Published

    Fedora Security Update for firefox (FEDORA-2021-9fac28274f)

    Severity
    Urgent5
    Qualys ID
    281422
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-9fac28274f
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for firefox to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-9fac28274f
  • Recently Published

    Fedora Security Update for firefox (FEDORA-2021-4ecf29361f)

    Severity
    Urgent5
    Qualys ID
    281421
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-4ecf29361f
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for firefox to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-4ecf29361f
  • Recently Published

    Fedora Security Update for firefox (FEDORA-2021-c504fa63be)

    Severity
    Urgent5
    Qualys ID
    281420
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-c504fa63be
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for firefox to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-c504fa63be
  • CVE-2021-1788+
    Recently Published

    Debian Security Update for webkit2gtk (DSA 4923-1)

    Severity
    Critical4
    Qualys ID
    178637
    Date Published
    June 3, 2021
    Vendor Reference
    DSA 4923-1
    CVE Reference
    CVE-2021-1788, CVE-2021-1844, CVE-2021-1871
    CVSS Scores
    Base 9.8 / Temporal 8.5
    Description
    Debian has released security update for webkit2gtk to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Refer to Debian security advisory to CentOS advisory DSA 4923-1 for updates and patch information.
    Patches
    Debian DSA 4923-1
  • CVE-2021-21161+
    Recently Published

    Fedora Security Update for chromium (FEDORA-2021-c88a96bd4b)

    Severity
    Critical4
    Qualys ID
    281482
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-c88a96bd4b
    CVE Reference
    CVE-2021-21161, CVE-2021-21171, CVE-2021-21175, CVE-2021-21174, CVE-2021-21178, CVE-2021-21188, CVE-2021-21154, CVE-2021-21167, CVE-2021-21183, CVE-2021-21165, CVE-2021-21159, CVE-2021-21155, CVE-2021-21151, CVE-2021-21160, CVE-2021-21169, CVE-2021-21164, CVE-2021-21181, CVE-2021-21166, CVE-2021-21190, CVE-2021-21172, CVE-2021-21182, CVE-2021-21168, CVE-2021-21189, CVE-2021-21177, CVE-2021-21187, CVE-2021-21162, CVE-2021-21184, CVE-2021-21180, CVE-2021-21163, CVE-2021-21156, CVE-2021-21153, CVE-2021-21170, CVE-2021-21173, CVE-2021-21179, CVE-2021-21157, CVE-2021-21185, CVE-2021-21149, CVE-2021-21186, CVE-2021-21176, CVE-2021-21150, CVE-2021-21152
    CVSS Scores
    Base 9.6 / Temporal 8.3
    Description
    Fedora has released a security update for chromium to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-c88a96bd4b
  • CVE-2021-21191+
    Recently Published

    Fedora Security Update for chromium (FEDORA-2021-141d8640ce)

    Severity
    Critical4
    Qualys ID
    281400
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-141d8640ce
    CVE Reference
    CVE-2021-21191, CVE-2021-21192, CVE-2021-21193
    CVSS Scores
    Base 8.8 / Temporal 7.7
    Description
    Fedora has released a security update for chromium to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-141d8640ce
  • CVE-2020-25097
    Recently Published

    Fedora Security Update for squid (FEDORA-2021-76f09062a7)

    Severity
    Critical4
    Qualys ID
    281389
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-76f09062a7
    CVE Reference
    CVE-2020-25097
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Fedora has released a security update for squid to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could also use this vulnerability to change partial contents or configuration on the system and information disclosure.Denial of service can appear in some cases too.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-76f09062a7
  • CVE-2020-25097
    Recently Published

    Fedora Security Update for squid (FEDORA-2021-ecb24e0b9d)

    Severity
    Critical4
    Qualys ID
    281388
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-ecb24e0b9d
    CVE Reference
    CVE-2020-25097
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Fedora has released a security update for squid to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could also use this vulnerability to change partial contents or configuration on the system and information disclosure.Denial of service can appear in some cases too.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-ecb24e0b9d
  • CVE-2020-25097
    Recently Published

    Fedora Security Update for squid (FEDORA-2021-7d86bec29e)

    Severity
    Critical4
    Qualys ID
    281387
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-7d86bec29e
    CVE Reference
    CVE-2020-25097
    CVSS Scores
    Base 8.6 / Temporal 7.5
    Description
    Fedora has released a security update for squid to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could also use this vulnerability to change partial contents or configuration on the system and information disclosure.Denial of service can appear in some cases too.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-7d86bec29e
  • CVE-2021-20233+
    Recently Published

    Debian Security Update for grub2 (DSA 4867-1)

    Severity
    Critical4
    Qualys ID
    178614
    Date Published
    June 3, 2021
    Vendor Reference
    DSA 4867-1
    CVE Reference
    CVE-2021-20233, CVE-2020-25632, CVE-2021-20225, CVE-2020-25647, CVE-2020-27779, CVE-2020-27749, CVE-2020-14372
    CVSS Scores
    Base 8.2 / Temporal 7.1
    Description
    Debian has released security update for grub2 to fix the vulnerabilities.



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Refer to Debian security advisory to CentOS advisory DSA 4867-1 for updates and patch information.
    Patches
    Debian DSA 4867-1
  • CVE-2021-20179
    Recently Published

    Fedora Security Update for pki (FEDORA-2021-6c412a4601)

    Severity
    Critical4
    Qualys ID
    281481
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-6c412a4601
    CVE Reference
    CVE-2021-20179
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Fedora has released a security update for pki to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could also use this vulnerability to change partial contents or configuration on the system and information disclosure.Denial of service can appear in some cases too.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-6c412a4601
  • CVE-2021-20179
    Recently Published

    Fedora Security Update for pki (FEDORA-2021-344dd24c84)

    Severity
    Critical4
    Qualys ID
    281480
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-344dd24c84
    CVE Reference
    CVE-2021-20179
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Fedora has released a security update for pki to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could also use this vulnerability to change partial contents or configuration on the system and information disclosure.Denial of service can appear in some cases too.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-344dd24c84
  • CVE-2021-21772
    Recently Published

    Fedora Security Update for lib3mf (FEDORA-2021-6945629745)

    Severity
    Critical4
    Qualys ID
    281464
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-6945629745
    CVE Reference
    CVE-2021-21772
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Fedora has released a security update for lib3mf to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-6945629745
  • CVE-2021-21772
    Recently Published

    Fedora Security Update for lib3mf (FEDORA-2021-bb1b7591c4)

    Severity
    Critical4
    Qualys ID
    281463
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-bb1b7591c4
    CVE Reference
    CVE-2021-21772
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Fedora has released a security update for lib3mf to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-bb1b7591c4
  • CVE-2021-21772
    Recently Published

    Fedora Security Update for lib3mf (FEDORA-2021-b73f9c96ee)

    Severity
    Critical4
    Qualys ID
    281462
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-b73f9c96ee
    CVE Reference
    CVE-2021-21772
    CVSS Scores
    Base 8.1 / Temporal 7.1
    Description
    Fedora has released a security update for lib3mf to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-b73f9c96ee
  • CVE-2020-14363
    Recently Published

    Amazon Linux Security Advisory for libX11: AL2012-2020-330

    Severity
    Critical4
    Qualys ID
    352377
    Date Published
    June 3, 2021
    CVE Reference
    CVE-2020-14363
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Package updates are available for amazon linux that fix the following vulnerabilities: cve-2020-14363: an integer overflow vulnerability leading to a double-free was found in libx11.
    This flaw allows a local privileged attacker to cause an application compiled with libx11 to crash, or in some cases, result in arbitrary code execution.
    The highest threat from this flaw is to confidentiality, integrity as well as system availability.
    1872473: cve-2020-14363 libx11: integer overflow leads to double free in locale handling

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
    Solution
    Administrators are advised to apply the appropriate software updates.
    Patches
    Amazon Linux Bare Metal AL2012-2020-330
  • CVE-2021-28971+
    Recently Published

    Fedora Security Update for kernel (FEDORA-2021-e636ce53df)

    Severity
    Critical4
    Qualys ID
    281425
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-e636ce53df
    CVE Reference
    CVE-2021-28971, CVE-2021-28964, CVE-2021-28952, CVE-2021-28972, CVE-2021-28951
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for kernel to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-e636ce53df
  • CVE-2021-28971+
    Recently Published

    Fedora Security Update for kernel (FEDORA-2021-68b0dd2373)

    Severity
    Critical4
    Qualys ID
    281424
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-68b0dd2373
    CVE Reference
    CVE-2021-28971, CVE-2021-28964, CVE-2021-28952, CVE-2021-28972, CVE-2021-28951
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for kernel to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-68b0dd2373
  • CVE-2021-3472
    Recently Published

    Fedora Security Update for xorg (FEDORA-2021-0e2981e013)

    Severity
    Critical4
    Qualys ID
    281313
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-0e2981e013
    CVE Reference
    CVE-2021-3472
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for xorg to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-0e2981e013
  • CVE-2021-3472
    Recently Published

    Fedora Security Update for xorg (FEDORA-2021-112d542766)

    Severity
    Critical4
    Qualys ID
    281312
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-112d542766
    CVE Reference
    CVE-2021-3472
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for xorg to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-112d542766
  • CVE-2021-3472
    Recently Published

    Fedora Security Update for xorg (FEDORA-2021-139f3fc21c)

    Severity
    Critical4
    Qualys ID
    281311
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-139f3fc21c
    CVE Reference
    CVE-2021-3472
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for xorg to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-139f3fc21c
  • CVE-2021-3472
    Recently Published

    Fedora Security Update for xorg (FEDORA-2021-f7b4c97879)

    Severity
    Critical4
    Qualys ID
    281310
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-f7b4c97879
    CVE Reference
    CVE-2021-3472
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for xorg to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-f7b4c97879
  • CVE-2021-25215+
    In Development

    SUSE Enterprise Linux Security Update for bind (SUSE-SU-2021:1826-1)

    Severity
    Critical4
    Qualys ID
    750091
    Vendor Reference
    SUSE-SU-2021:1826-1
    CVE Reference
    CVE-2021-25215, CVE-2021-25214
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    This update for bind fixes the following issues: - cve-2021-25214: fixed a broken inbound incremental zone update (ixfr) which could have caused named to terminate unexpectedly (bsc#1185345).
    - cve-2021-25215: fixed an assertion check which could have failed while answering queries for dname records that required the dname to be processed to resolve itself (bsc#1185345).
    - switched from /var/run to /run (bsc#1185073) - hardening: compiled binary with pie flags to make it position independent

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1826-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1826-1
  • CVE-2021-28090+
    Recently Published

    Fedora Security Update for tor (FEDORA-2021-e68317166d)

    Severity
    Critical4
    Qualys ID
    281469
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-e68317166d
    CVE Reference
    CVE-2021-28090, CVE-2021-28089
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for tor to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-e68317166d
  • CVE-2021-20277+
    Recently Published

    Fedora Security Update for libldb (FEDORA-2021-c2d8628d33)

    Severity
    Critical4
    Qualys ID
    281423
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-c2d8628d33
    CVE Reference
    CVE-2021-20277, CVE-2020-27840
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for libldb to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-c2d8628d33
  • CVE-2021-20277+
    Recently Published

    Fedora Security Update for libldb (FEDORA-2021-c93a3a5d3f)

    Severity
    Critical4
    Qualys ID
    281412
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-c93a3a5d3f
    CVE Reference
    CVE-2021-20277, CVE-2020-27840
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for libldb to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-c93a3a5d3f
  • CVE-2021-20277+
    Recently Published

    Fedora Security Update for libldb (FEDORA-2021-1a8e93a285)

    Severity
    Critical4
    Qualys ID
    281411
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-1a8e93a285
    CVE Reference
    CVE-2021-20277, CVE-2020-27840
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for libldb to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-1a8e93a285
  • CVE-2021-25217
    Recently Published

    SUSE Enterprise Linux Security Update for dhcp (SUSE-SU-2021:1822-1)

    Severity
    Critical4
    Qualys ID
    750089
    Date Published
    June 3, 2021
    Vendor Reference
    SUSE-SU-2021:1822-1
    CVE Reference
    CVE-2021-25217
    CVSS Scores
    Base 7.4 / Temporal 6.4
    Description
    This update for dhcp fixes the following issues: - cve-2021-25217: a buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient (bsc#1186382)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1822-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1822-1
  • CVE-2021-3449+
    Recently Published

    Fedora Security Update for Open Secure Sockets Layer (OpenSSL) (FEDORA-2021-cbf14ab8f9)

    Severity
    Critical4
    Qualys ID
    281398
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-cbf14ab8f9
    CVE Reference
    CVE-2021-3449, CVE-2021-3450
    CVSS Scores
    Base 7.4 / Temporal 6.4
    Description
    Fedora has released a security update for openssl to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could also use this vulnerability to change partial contents or configuration on the system and information disclosure.Denial of service can appear in some cases too.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-cbf14ab8f9
  • CVE-2021-3520
    In Development

    SUSE Enterprise Linux Security Update for lz4 (SUSE-SU-2021:1825-1)

    Severity
    Critical4
    Qualys ID
    750092
    Vendor Reference
    SUSE-SU-2021:1825-1
    CVE Reference
    CVE-2021-3520
    CVSS Scores
    Base 6.2 / Temporal 5.4
    Description
    This update for lz4 fixes the following issues: - cve-2021-3520: fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1825-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1825-1
  • Recently Published

    SUSE Enterprise Linux Security Update for shim (SUSE-SU-2021:1824-1)

    Severity
    Critical4
    Qualys ID
    750090
    Date Published
    June 3, 2021
    Vendor Reference
    SUSE-SU-2021:1824-1
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    This update for shim fixes the following issues: - update to the unified shim binary for sbat support (bsc#1182057)

    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
    Consequence
    Successful exploitation allows attacker to compromise the system.
    Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:1824-1 to address this issue and obtain further details.
    Patches
    SUSE Enterprise Linux SUSE-SU-2021:1824-1
  • Recently Published

    Fedora Security Update for tor (FEDORA-2021-e219483023)

    Severity
    Critical4
    Qualys ID
    281468
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-e219483023
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for tor to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-e219483023
  • Recently Published

    Fedora Security Update for tor (FEDORA-2021-7cd0c1fb70)

    Severity
    Critical4
    Qualys ID
    281467
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-7cd0c1fb70
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for tor to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-7cd0c1fb70
  • Recently Published

    Fedora Security Update for Open Secure Sockets Layer (OpenSSL) (FEDORA-2021-d049f32a82)

    Severity
    Critical4
    Qualys ID
    281399
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-d049f32a82
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for openssl to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-d049f32a82
  • Recently Published

    Fedora Security Update for Open Secure Sockets Layer (OpenSSL) (FEDORA-2021-f347d1c866)

    Severity
    Critical4
    Qualys ID
    281394
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-f347d1c866
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for openssl to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-f347d1c866
  • Recently Published

    Fedora Security Update for seamonkey (FEDORA-2021-df093b89ba)

    Severity
    Critical4
    Qualys ID
    281381
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-df093b89ba
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for seamonkey to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-df093b89ba
  • Recently Published

    Fedora Security Update for seamonkey (FEDORA-2021-2761b54dff)

    Severity
    Critical4
    Qualys ID
    281380
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-2761b54dff
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for seamonkey to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-2761b54dff
  • Recently Published

    Fedora Security Update for singularity (FEDORA-2021-2e174e8a96)

    Severity
    Critical4
    Qualys ID
    281357
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-2e174e8a96
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for singularity to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-2e174e8a96
  • Recently Published

    Fedora Security Update for singularity (FEDORA-2021-601ee898f7)

    Severity
    Critical4
    Qualys ID
    281356
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-601ee898f7
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for singularity to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-601ee898f7
  • Recently Published

    Fedora Security Update for singularity (FEDORA-2021-e49f5e66f8)

    Severity
    Critical4
    Qualys ID
    281355
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-e49f5e66f8
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for singularity to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-e49f5e66f8
  • Recently Published

    Fedora Security Update for seamonkey (FEDORA-2021-d1fdd76443)

    Severity
    Critical4
    Qualys ID
    281333
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-d1fdd76443
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for seamonkey to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-d1fdd76443
  • Recently Published

    Fedora Security Update for seamonkey (FEDORA-2021-d1551cdb15)

    Severity
    Critical4
    Qualys ID
    281332
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-d1551cdb15
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for seamonkey to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-d1551cdb15
  • Recently Published

    Fedora Security Update for seamonkey (FEDORA-2021-4b0a8b8629)

    Severity
    Critical4
    Qualys ID
    281331
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-4b0a8b8629
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for seamonkey to fix the vulnerability.

    Affected OS:
    Fedora 32



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-4b0a8b8629
  • Recently Published

    Fedora Security Update for os (FEDORA-2021-aa39748257)

    Severity
    Critical4
    Qualys ID
    281315
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-aa39748257
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for os to fix the vulnerability.

    Affected OS:
    Fedora 34



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-aa39748257
  • Recently Published

    Fedora Security Update for os (FEDORA-2021-186bca5b58)

    Severity
    Critical4
    Qualys ID
    281314
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-186bca5b58
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for os to fix the vulnerability.

    Affected OS:
    Fedora 33



    Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-186bca5b58
  • CVE-2020-15078
    Recently Published

    Fedora Security Update for openvpn (FEDORA-2021-242ef81244)

    Severity
    Urgent5
    Qualys ID
    281285
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-242ef81244
    CVE Reference
    CVE-2020-15078
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for openvpn to fix the vulnerability.

    Affected OS:
    Fedora 33

    Consequence
    Malicious users could also use this vulnerability to change partial contents or configuration on the system and information disclosure.Denial of service can appear in some cases too.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-242ef81244
  • CVE-2020-15078
    Recently Published

    Fedora Security Update for openvpn (FEDORA-2021-b805c26afa)

    Severity
    Urgent5
    Qualys ID
    281284
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-b805c26afa
    CVE Reference
    CVE-2020-15078
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for openvpn to fix the vulnerability.

    Affected OS:
    Fedora 34

    Consequence
    Malicious users could also use this vulnerability to change partial contents or configuration on the system and information disclosure.Denial of service can appear in some cases too.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-b805c26afa
  • Recently Published

    Fedora Security Update for firefox (FEDORA-2021-d1dbb4a38f)

    Severity
    Urgent5
    Qualys ID
    281290
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-d1dbb4a38f
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for firefox to fix the vulnerability.

    Affected OS:
    Fedora 34

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-d1dbb4a38f
  • Recently Published

    Fedora Security Update for firefox (FEDORA-2021-5ed46601f6)

    Severity
    Urgent5
    Qualys ID
    281289
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-5ed46601f6
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for firefox to fix the vulnerability.

    Affected OS:
    Fedora 33

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-5ed46601f6
  • CVE-2020-15078
    Recently Published

    Fedora Security Update for openvpn (FEDORA-2021-d6b9d8497b)

    Severity
    Urgent5
    Qualys ID
    281286
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-d6b9d8497b
    CVE Reference
    CVE-2020-15078
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for openvpn to fix the vulnerability.

    Affected OS:
    Fedora 32

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-d6b9d8497b
  • CVE-2021-21232+
    Recently Published

    Fedora Security Update for chromium (FEDORA-2021-c3754414e7)

    Severity
    Critical4
    Qualys ID
    281205
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-c3754414e7
    CVE Reference
    CVE-2021-21232, CVE-2021-21230, CVE-2021-21222, CVE-2021-21217, CVE-2021-21213, CVE-2021-21201, CVE-2021-21227, CVE-2021-21194, CVE-2021-21223, CVE-2021-21197, CVE-2021-21207, CVE-2021-21208, CVE-2021-21212, CVE-2021-21206, CVE-2021-21210, CVE-2021-21211, CVE-2021-21198, CVE-2021-21219, CVE-2021-21203, CVE-2021-21226, CVE-2021-21229, CVE-2021-21199, CVE-2021-21214, CVE-2021-21231, CVE-2021-21216, CVE-2021-21228, CVE-2021-21202, CVE-2021-21195, CVE-2021-21221, CVE-2021-21220, CVE-2021-21205, CVE-2021-21209, CVE-2021-21224, CVE-2021-21204, CVE-2021-21218, CVE-2021-21225, CVE-2021-21233, CVE-2021-21215, CVE-2021-21196
    CVSS Scores
    Base 9.6 / Temporal 8.3
    Description
    Fedora has released a security update for chromium to fix the vulnerability.

    Affected OS:
    Fedora 34

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-c3754414e7
  • CVE-2021-21232+
    Recently Published

    Fedora Security Update for chromium (FEDORA-2021-ff893e12c5)

    Severity
    Critical4
    Qualys ID
    281204
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-ff893e12c5
    CVE Reference
    CVE-2021-21232, CVE-2021-21230, CVE-2021-21222, CVE-2021-21217, CVE-2021-21213, CVE-2021-21201, CVE-2021-21227, CVE-2021-21194, CVE-2021-21223, CVE-2021-21197, CVE-2021-21207, CVE-2021-21208, CVE-2021-21212, CVE-2021-21206, CVE-2021-21210, CVE-2021-21211, CVE-2021-21198, CVE-2021-21219, CVE-2021-21203, CVE-2021-21226, CVE-2021-21229, CVE-2021-21199, CVE-2021-21214, CVE-2021-21231, CVE-2021-21216, CVE-2021-21228, CVE-2021-21202, CVE-2021-21195, CVE-2021-21221, CVE-2021-21220, CVE-2021-21205, CVE-2021-21209, CVE-2021-21224, CVE-2021-21204, CVE-2021-21218, CVE-2021-21225, CVE-2021-21233, CVE-2021-21215, CVE-2021-21196
    CVSS Scores
    Base 9.6 / Temporal 8.3
    Description
    Fedora has released a security update for chromium to fix the vulnerability.

    Affected OS:
    Fedora 32

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-ff893e12c5
  • CVE-2021-21232+
    Recently Published

    Fedora Security Update for chromium (FEDORA-2021-35d2bb4627)

    Severity
    Critical4
    Qualys ID
    281203
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-35d2bb4627
    CVE Reference
    CVE-2021-21232, CVE-2021-21230, CVE-2021-21222, CVE-2021-21217, CVE-2021-21213, CVE-2021-21201, CVE-2021-21227, CVE-2021-21194, CVE-2021-21223, CVE-2021-21197, CVE-2021-21207, CVE-2021-21208, CVE-2021-21212, CVE-2021-21206, CVE-2021-21210, CVE-2021-21211, CVE-2021-21198, CVE-2021-21219, CVE-2021-21203, CVE-2021-21226, CVE-2021-21229, CVE-2021-21199, CVE-2021-21214, CVE-2021-21231, CVE-2021-21216, CVE-2021-21228, CVE-2021-21202, CVE-2021-21195, CVE-2021-21221, CVE-2021-21220, CVE-2021-21205, CVE-2021-21209, CVE-2021-21224, CVE-2021-21204, CVE-2021-21218, CVE-2021-21225, CVE-2021-21233, CVE-2021-21215, CVE-2021-21196
    CVSS Scores
    Base 9.6 / Temporal 8.3
    Description
    Fedora has released a security update for chromium to fix the vulnerability.

    Affected OS:
    Fedora 33

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-35d2bb4627
  • CVE-2021-31204
    Recently Published

    Fedora Security Update for dotnet5.0 (FEDORA-2021-721731dc86)

    Severity
    Critical4
    Qualys ID
    281153
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-721731dc86
    CVE Reference
    CVE-2021-31204
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for dotnet5.0 to fix the vulnerability.

    Affected OS:
    Fedora 34

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-721731dc86
  • CVE-2021-31204
    Recently Published

    Fedora Security Update for dotnet5.0 (FEDORA-2021-d551431950)

    Severity
    Critical4
    Qualys ID
    281152
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-d551431950
    CVE Reference
    CVE-2021-31204
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for dotnet5.0 to fix the vulnerability.

    Affected OS:
    Fedora 33

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-d551431950
  • CVE-2021-31204
    Recently Published

    Fedora Security Update for dotnet5.0 (FEDORA-2021-a3c205f5b2)

    Severity
    Critical4
    Qualys ID
    281151
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-a3c205f5b2
    CVE Reference
    CVE-2021-31204
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for dotnet5.0 to fix the vulnerability.

    Affected OS:
    Fedora 32

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-a3c205f5b2
  • CVE-2021-31204
    Recently Published

    Fedora Security Update for dotnet3.1 (FEDORA-2021-13e3bd248f)

    Severity
    Critical4
    Qualys ID
    281150
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-13e3bd248f
    CVE Reference
    CVE-2021-31204
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for dotnet3.1 to fix the vulnerability.

    Affected OS:
    Fedora 34

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-13e3bd248f
  • CVE-2021-31204
    Recently Published

    Fedora Security Update for dotnet3.1 (FEDORA-2021-f25eb9e302)

    Severity
    Critical4
    Qualys ID
    281149
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-f25eb9e302
    CVE Reference
    CVE-2021-31204
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for dotnet3.1 to fix the vulnerability.

    Affected OS:
    Fedora 33

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-f25eb9e302
  • CVE-2021-31204
    Recently Published

    Fedora Security Update for dotnet3.1 (FEDORA-2021-c06b64b5ee)

    Severity
    Critical4
    Qualys ID
    281148
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-c06b64b5ee
    CVE Reference
    CVE-2021-31204
    CVSS Scores
    Base 7.8 / Temporal 6.8
    Description
    Fedora has released a security update for dotnet3.1 to fix the vulnerability.

    Affected OS:
    Fedora 32

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-c06b64b5ee
  • CVE-2021-25214+
    Recently Published

    Fedora Security Update for bind (FEDORA-2021-ace61cbee1)

    Severity
    Critical4
    Qualys ID
    281229
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-ace61cbee1
    CVE Reference
    CVE-2021-25214, CVE-2021-25215
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for bind to fix the vulnerability.

    Affected OS:
    Fedora 34

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-ace61cbee1
  • CVE-2021-25214+
    Recently Published

    Fedora Security Update for bind (FEDORA-2021-47f23870ec)

    Severity
    Critical4
    Qualys ID
    281228
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-47f23870ec
    CVE Reference
    CVE-2021-25214, CVE-2021-25215
    CVSS Scores
    Base 7.5 / Temporal 6.5
    Description
    Fedora has released a security update for bind to fix the vulnerability.

    Affected OS:
    Fedora 33

    Consequence
    This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-47f23870ec
  • CVE-2021-20288
    Recently Published

    Fedora Security Update for ceph (FEDORA-2021-e29c1ee892)

    Severity
    Critical4
    Qualys ID
    281288
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-e29c1ee892
    CVE Reference
    CVE-2021-20288
    CVSS Scores
    Base 7.2 / Temporal 6.3
    Description
    Fedora has released a security update for ceph to fix the vulnerability.

    Affected OS:
    Fedora 34

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-e29c1ee892
  • CVE-2021-20288
    Recently Published

    Fedora Security Update for ceph (FEDORA-2021-e65b9fb52e)

    Severity
    Critical4
    Qualys ID
    281287
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-e65b9fb52e
    CVE Reference
    CVE-2021-20288
    CVSS Scores
    Base 7.2 / Temporal 6.3
    Description
    Fedora has released a security update for ceph to fix the vulnerability.

    Affected OS:
    Fedora 33

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-e65b9fb52e
  • CVE-2021-20288
    Recently Published

    Fedora Security Update for ceph (FEDORA-2021-168fbed46f)

    Severity
    Critical4
    Qualys ID
    281282
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-168fbed46f
    CVE Reference
    CVE-2021-20288
    CVSS Scores
    Base 7.2 / Temporal 6.3
    Description
    Fedora has released a security update for ceph to fix the vulnerability.

    Affected OS:
    Fedora 32

    Consequence
    This vulnerability could be exploited to gain remote access to sensitive information and execute commands.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-168fbed46f
  • CVE-2021-2161+
    Recently Published

    Fedora Security Update for java (FEDORA-2021-f71b592e07)

    Severity
    Critical4
    Qualys ID
    281273
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-f71b592e07
    CVE Reference
    CVE-2021-2161, CVE-2021-2163
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description
    Fedora has released a security update for java to fix the vulnerability.

    Affected OS:
    Fedora 32

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-f71b592e07
  • CVE-2021-2161+
    Recently Published

    Fedora Security Update for java (FEDORA-2021-8b80ef64f1)

    Severity
    Critical4
    Qualys ID
    281272
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-8b80ef64f1
    CVE Reference
    CVE-2021-2161, CVE-2021-2163
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description
    Fedora has released a security update for java to fix the vulnerability.

    Affected OS:
    Fedora 33

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-8b80ef64f1
  • CVE-2021-2161+
    Recently Published

    Fedora Security Update for java (FEDORA-2021-25b47f16af)

    Severity
    Critical4
    Qualys ID
    281271
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-25b47f16af
    CVE Reference
    CVE-2021-2161, CVE-2021-2163
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description
    Fedora has released a security update for java to fix the vulnerability.

    Affected OS:
    Fedora 34

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-25b47f16af
  • CVE-2021-2161+
    Recently Published

    Fedora Security Update for java (FEDORA-2021-6eb9bbbf0c)

    Severity
    Critical4
    Qualys ID
    281270
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-6eb9bbbf0c
    CVE Reference
    CVE-2021-2161, CVE-2021-2163
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description
    Fedora has released a security update for java to fix the vulnerability.

    Affected OS:
    Fedora 33

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 33 Update

    Patches
    Fedora 33 FEDORA-2021-6eb9bbbf0c
  • CVE-2021-2161+
    Recently Published

    Fedora Security Update for java (FEDORA-2021-65aa196c14)

    Severity
    Critical4
    Qualys ID
    281269
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-65aa196c14
    CVE Reference
    CVE-2021-2161, CVE-2021-2163
    CVSS Scores
    Base 5.9 / Temporal 5.2
    Description
    Fedora has released a security update for java to fix the vulnerability.

    Affected OS:
    Fedora 34

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 34 Update

    Patches
    Fedora 34 FEDORA-2021-65aa196c14
  • Recently Published

    Fedora Security Update for java (FEDORA-2021-b88e86b753)

    Severity
    Critical4
    Qualys ID
    281268
    Date Published
    June 3, 2021
    Vendor Reference
    FEDORA-2021-b88e86b753
    CVSS Scores
    Base 4.2 / Temporal 3.7
    Description
    Fedora has released a security update for java to fix the vulnerability.

    Affected OS:
    Fedora 32

    Consequence
    Malicious users could use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    Fedora has issued updated packages to fix this vulnerability.

    For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
    Fedora 32 Update

    Patches
    Fedora 32 FEDORA-2021-b88e86b753
  • CVE-2020-24303+
    Recently Published

    Oracle Enterprise Linux Security Update for grafana (ELSA-2021-1859)

    Severity
    Urgent5
    Qualys ID
    159224
    Date Published
    June 3, 2021
    Vendor Reference
    ELSA-2021-1859
    CVE Reference
    CVE-2020-24303, CVE-2020-27846
    CVSS Scores
    Base 9.8 / Temporal 7.8
    Description
    Oracle Enterprise Linux has released a security update for grafana to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-1859.
    Patches
    Oracle Linux ELSA-2021-1859
  • CVE-2020-1472+
    Recently Published

    Oracle Enterprise Linux Security Update for samba (ELSA-2021-1647)

    Severity
    Urgent5
    Qualys ID
    159201
    Date Published
    June 3, 2021
    Vendor Reference
    ELSA-2021-1647
    CVE Reference
    CVE-2020-1472, CVE-2020-14318, CVE-2020-14323
    CVSS Scores
    Base 10 / Temporal 8.3
    Description
    Oracle Enterprise Linux has released a security update for samba to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-1647.
    Patches
    Oracle Linux ELSA-2021-1647
  • CVE-2020-36317+
    Recently Published

    Oracle Enterprise Linux Security Update for rust-toolset:ol8 (ELSA-2021-1935)

    Severity
    Critical4
    Qualys ID
    159229
    Date Published
    June 3, 2021
    Vendor Reference
    ELSA-2021-1935
    CVE Reference
    CVE-2020-36317, CVE-2020-36318
    CVSS Scores
    Base 9.8 / Temporal 7.8
    Description
    Oracle Enterprise Linux has released a security update for rust-toolset:ol8 to fix the vulnerabilities.

    Affected Product:
    Oracle Linux 8

    Consequence
    This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.
    Solution
    To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

    ELSA-2021-1935.
    Patches
    Oracle Linux ELSA-2021-1935