CERT RSS


A month of Epsilon!

Mon, 2021-02-15 17:48

A month ago we shut down the advisory-distribution service that lived at https://www.cert.hr/preporuke/ and launched the CERT Epsilon service at https://epsilon.cert.hr/, which is built on the CVE (Common Vulnerabilities and Exposures) service, https://cve.mitre.org/cve/.

CERT Epsilon is a repository of definitions of publicly disclosed computer-security vulnerabilities. A CVE entry consists of an identification number, a description and at least one public reference.

CERT Epsilon is accessed through a web interface. It is intended for all users, and particularly for those working in cyber security. In one place it offers condensed information on known vulnerabilities by vendor and product, and subscribers receive notifications matching their predefined criteria at their e-mail address. The service is built on the public service of CIRCL (Computer Incident Response Center Luxembourg). It lets users search publicly known data on computer-security vulnerabilities in software and hardware.

More about the service at https://epsilon.cert.hr/terms-of-use


CERT Epsilon lets users filter vulnerabilities by CVSS score (Common Vulnerability Scoring System), by operating system, by CVE identifier and by a range of other parameters, so that each user can tailor their own list of security advisories.

The detailed view of a vulnerability shows the CVE identifier, the CVSS score with its additional parameters, a short description of the vulnerability, the list of references, the access vector and impact, and the dates of the initial publication and of the last update.

We hope you have recognised the value of this service and subscribed to receive timely information about possible vulnerabilities in your devices, programs and applications.

Your feedback on functionality, usefulness and possible errors is always welcome; please send your suggestions, comments or complaints by e-mail to the addresses of the National CERT.

The post Mjesec dana Epsilona! appeared first on CERT.hr.

News on the Emotet malware

Thu, 2021-02-11 11:42

The National CERT has received from Dutch colleagues data on potentially compromised e-mail accounts and will be notifying the account holders. The data were collected during the takedown operation and contain user records (e-mail addresses and usernames) that were compromised by an Emotet infection.

The data cover users whose username contains .hr, e-mail addresses ending in .hr, and records tied to websites under the .hr domain.

As we wrote last month, in a joint operation of the police forces and authorities of the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, coordinated by Europol and Eurojust, the infrastructure used to spread the Emotet malware was taken over.

The Emotet botnet infrastructure was taken over by Europol and its partners at the end of last month, which halted the malicious activity, but it is still not known how the compromised data were used in the period between the infection of a computer and the theft of its data and the takeover of the infrastructure. Although concrete information on how the compromised data were used is still not available, they were most likely used to spread the malware further to the victims' other contacts.

Read more at:
https://www.cert.hr/EMOTET

Also, to check whether your data tied to domains other than .hr have been compromised, we invite you to check them on the Dutch police's page. Instructions in English are at the bottom of the page, above the form into which you enter the user data you want to check.

In short, after you enter your e-mail address in the form, pressing the "Zoek" (search) button sends a query to the Dutch police database. If your e-mail address, or data tied to that address, is in the database, you will receive a confirmation message at that same address within a few minutes. If your address or data have not been compromised, you will not receive a message.

If your data turn out to be compromised, we strongly advise you to follow the advice referenced above.


ANNUAL REPORT OF THE NATIONAL CERT FOR 2020

Fri, 2021-02-05 12:00

During 2020 CARNET's National CERT carried out proactive and reactive measures aimed at reducing the risk of computer-security incidents and reducing the damage when they occur.

Thanks to the National CERT's greater public visibility, its continuous activities to raise public awareness of threats coming from the internet, broader cooperation with other CERTs, hosting providers and ISPs, and the use of OSINT (Open Source Intelligence) methods with which compromised websites were discovered, 66% more incidents were handled than in the previous year.

In 2020 two new services were presented to the public: CERT ETA and CERT EPSILON. The purpose of CERT ETA is to reduce the amount of unsolicited mail sent by senders from Croatia and the region (spammers), who are often not covered by the well-known global block lists. CERT Epsilon is a new service of CARNET's National CERT that lets users subscribe to and track information on known vulnerabilities in the software packages of some of the more widely used operating systems, and it fully replaces the "Security advisories" in 2021.

CARNET's National CERT continued to develop cooperation with institutions outside the Republic of Croatia, such as other CERT teams and EU and NATO institutions, and with other bodies within the Republic of Croatia, all in pursuit of shared interests in cyber security. During 2020 it took part successfully in NATO's Cyber Coalition exercise, in which the Republic of Croatia participated as a player. Representatives of CARNET's National CERT took part for the first time in International CyberEx, a CTF competition whose aim is to strengthen the capability to respond to computer-security incidents.

CARNET's National CERT again actively marked the European Cyber Security Month. During October 2020 the National CERT carried out a series of activities aimed at raising the awareness of Croatian citizens about cyber security, with an emphasis on network and information security and the promotion of safer internet use for all users. The National CERT also took on the role of national coordinator for the European cyber-security awareness campaign in October. The first Croatian CTF competition for secondary-school students, Hacknite, was organised and held on 17 and 18 October 2020. 31 secondary-school teams from 16 towns and 23 schools took part.

The public was informed about these activities through the National CERT's website (www.cert.hr); of particular note are the occasions when warnings were published, during which traffic significantly exceeded the previous year's figures. The public was also informed through the social networks Facebook (@CERT.hr) and Twitter (@HRCERT). More than 15 interviews and statements were given to magazines and to print and digital media.

CARNET's National CERT is actively involved in the e-Škole project ("Comprehensive informatisation of school business processes and teaching processes in order to create digitally mature schools for the 21st century"). The National CERT department carries out the activities of the "Security" project element, aimed at achieving an adequate level of security for the CARNET network infrastructure, the data-centre infrastructure, the institutions, and the publicly available services and applications. A comprehensive assessment of the services and applications developed within the project is carried out to establish their readiness for deployment to the production environment. Together with the project partner ICENT (Innovation Centre Nikola Tesla), research activities are carried out with the aim of improving and maintaining the cyber security of the e-Škole information systems.

In 2020 the National CERT continued implementing a project co-financed by the European Union through the Connecting Europe Facility (CEF), named Grow2CERT: Increasing the maturity of the National CERT for closer cooperation in the cyber-security community. The project's goal is to increase the National CERT's readiness to respond to cyber threats and incidents. Among other things, the project continues development of the PiXi platform for sharing information on computer-security threats and incidents at the national level.

In conclusion, in 2020 the National CERT made significant progress in national and international cooperation, in the further training of its staff, and in raising its level of readiness to respond to increasingly complex security challenges.

Annual report of the National CERT for 2020




In search of a better internet

Mon, 2021-02-01 13:33

9 February, Safer Internet Day, is approaching, and we invite you to join us in marking the day together and in carrying out activities through which we will jointly raise competences for appropriate, responsible, purposeful and safe use of the internet and all digital technologies.

The association Suradnici u učenju and CARNET's National CERT department are preparing a full-day online conference for you on Safer Internet Day itself, 9 February 2021. Expect suggestions on how to become an Internet genius; we will help Darka the beaver explore the digital world, enter the world of eTwinning projects, learn how to communicate and collaborate positively and supportively in a virtual environment, and find out where echo chambers and filter bubbles are.

See the programme below and register to take part in the conference.

We invite all pupils and teachers to join our Search for a better and safer internet, which will be open all Tuesday and which offers demanding but interesting interactive tasks. We also continue the tradition of a special edition of our digital magazine Pogled kroz prozor.

Conference programme

9:30      Opening of the conference's virtual space

10:00    To begin – Suradnici u učenju and CARNET's National CERT department

10:10     Darka the beaver explores the digital world – Dominik Cvetkovski and Darko Rakić, Suradnici u učenju and the Pismo business incubator

10:30    Responsible fun on the internet – Svan Hlača, CARNET's National CERT department

11:00     Children's right to protection and participation in the digital environment – Helenca Pirnat Dragičević, Ombudsman for Children

11:45     Be an Internet genius – Google and Suradnici u učenju

12:30    eTwinning as a safe network for international collaboration – Arjana Blažić, eTwinning ambassador, Agency for Mobility and EU Programmes

13:00    Protection of children's personal data in the digital environment – Iva Ivanković, Personal Data Protection Agency

13:30    A Minecraft world for a safer Internet – Ana Mutak and Matija Torlak, Microsoft

14:15     How to teach children and young people about safe internet use – Ana Dokler, Medijska pismenost portal, Agency for Electronic Media

14:45    Can you recognise echo chambers and filter bubbles – Helena Valečić, Suradnici u učenju

15:15     Digital literacy from kindergarten – Marija Renić, Roda association

15:45    How to protect yourself in the world of electronic communications – Gordana Kulišić, HAKOM

16:15     Positive and supportive communication and collaboration in a virtual environment – Nikolina Marinić, Suradnici u učenju

16:45    In search of a better internet – how pupils and teachers fared

17:00     Closing of the conference





Infrastructure used by Emotet taken down!

Wed, 2021-01-27 17:24

In a joint operation of the police forces and authorities of the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, coordinated by Europol and Eurojust, the infrastructure used to spread the Emotet malware has been taken over.

The infrastructure consisted of several hundred servers at locations around the world, performing a range of functions, from controlling infected devices to distributing the malware, which made disabling the network an exceptionally difficult task.

However, through the joint effort of the services and organisations named, a plan to take over the network was devised and carried out, culminating in this week's action by judicial authorities and police forces.

The Dutch police also discovered a database of user records containing e-mail addresses, usernames and passwords harvested by the attackers.

Through this link you can check whether your data have been compromised.

We have written about Emotet before; you can read more here.

Below is an infographic produced by Europol describing how the infrastructure was taken over.

You can also find here a video released by the Ukrainian police showing how the operation unfolded.


WARNING – AN EXTORTION CAMPAIGN IS UNDER WAY

Fri, 2021-01-22 14:30

Today we are recording an increased number of fraudulent extortion e-mails in which the attacker tries to extract money from the victim; according to the latest information, at the time of writing not a single payment had been made to the payment address given. What is also notable is that the message is written in better language, which sets it apart from previous campaigns.

Importantly, the e-mail message does not contain any malicious content; we advise users to ignore this and all other messages of this type and to delete them from their mailbox.

Below is an example of the extortion ("scam") message.


Security vulnerabilities in the nodejs14 package

Tue, 2021-01-19 12:59
  • OS details: WN7
  • Severity: IMP
  • Operating systems: L
  • Categories: LSU

openSUSE Security Update: Security update for nodejs14
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:0066-1
Rating: moderate
References: #1178882 #1180553 #1180554
Cross-References: CVE-2020-8265 CVE-2020-8277 CVE-2020-8287

Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for nodejs14 fixes the following issues:

– New upstream LTS version 14.15.4:
* CVE-2020-8265: use-after-free in TLSWrap (High). Bug in the TLS
implementation: when writing to a TLS-enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller as
part of a StreamWriteResult structure. This may be exploited to
corrupt memory, leading to a Denial of Service or potentially other
exploits. (bsc#1180553)
* CVE-2020-8287: HTTP Request Smuggling. Node.js allowed two copies of a
header field in an HTTP request, for example two Transfer-Encoding header
fields. In this case Node.js identifies the first header field and
ignores the second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html). (bsc#1180554)

– New upstream LTS version 14.15.3:
* deps:
+ upgrade npm to 6.14.9
+ update acorn to v8.0.4
* http2: check write not scheduled in scope destructor
* stream: fix regression on duplex end

– New upstream LTS version 14.15.1:
* deps: Denial of Service through DNS request (High). A Node.js
application that allows an attacker to trigger a DNS request for a
host of their choice could trigger a Denial of Service by getting the
application to resolve a DNS record with a larger number of responses
(bsc#1178882, CVE-2020-8277)

This update was imported from the SUSE:SLE-15-SP2:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-66=1

Package List:

– openSUSE Leap 15.2 (noarch):

nodejs14-docs-14.15.4-lp152.5.1

– openSUSE Leap 15.2 (x86_64):

nodejs14-14.15.4-lp152.5.1
nodejs14-debuginfo-14.15.4-lp152.5.1
nodejs14-debugsource-14.15.4-lp152.5.1
nodejs14-devel-14.15.4-lp152.5.1
npm14-14.15.4-lp152.5.1

References:

https://www.suse.com/security/cve/CVE-2020-8265.html
https://www.suse.com/security/cve/CVE-2020-8277.html
https://www.suse.com/security/cve/CVE-2020-8287.html
https://bugzilla.suse.com/1178882
https://bugzilla.suse.com/1180553
https://bugzilla.suse.com/1180554


Security vulnerabilities in the nodejs10 package

Tue, 2021-01-19 12:59
  • OS details: WN7
  • Severity: IMP
  • Operating systems: L
  • Categories: LSU

openSUSE Security Update: Security update for nodejs10
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:0065-1
Rating: moderate
References: #1179491 #1180553 #1180554
Cross-References: CVE-2020-1971 CVE-2020-8265 CVE-2020-8287

Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for nodejs10 fixes the following issues:

– New upstream LTS version 10.23.1:
* CVE-2020-8265: use-after-free in TLSWrap (High). Bug in the TLS
implementation: when writing to a TLS-enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller as
part of a StreamWriteResult structure. This may be exploited to
corrupt memory, leading to a Denial of Service or potentially other
exploits. (bsc#1180553)
* CVE-2020-8287: HTTP Request Smuggling. Node.js allowed two copies of a
header field in an HTTP request, for example two Transfer-Encoding header
fields. In this case Node.js identifies the first header field and
ignores the second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html). (bsc#1180554)
* CVE-2020-1971: OpenSSL – EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through
Node.js. (bsc#1179491)

– New upstream LTS version 10.23.0:
* deps: upgrade npm to 6.14.8
* n-api:
+ create N-API version 7
+ expose napi_build_version variable

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-65=1

Package List:

– openSUSE Leap 15.2 (i586 x86_64):

nodejs10-10.23.1-lp152.2.9.1
nodejs10-debuginfo-10.23.1-lp152.2.9.1
nodejs10-debugsource-10.23.1-lp152.2.9.1
nodejs10-devel-10.23.1-lp152.2.9.1
npm10-10.23.1-lp152.2.9.1

– openSUSE Leap 15.2 (noarch):

nodejs10-docs-10.23.1-lp152.2.9.1

References:

https://www.suse.com/security/cve/CVE-2020-1971.html
https://www.suse.com/security/cve/CVE-2020-8265.html
https://www.suse.com/security/cve/CVE-2020-8287.html
https://bugzilla.suse.com/1179491
https://bugzilla.suse.com/1180553
https://bugzilla.suse.com/1180554


Security vulnerabilities in the nodejs12 package

Tue, 2021-01-19 12:59
  • OS details: WN7
  • Severity: IMP
  • Operating systems: L
  • Categories: LSU

openSUSE Security Update: Security update for nodejs12
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:0064-1
Rating: moderate
References: #1178882 #1179491 #1180553 #1180554
Cross-References: CVE-2020-1971 CVE-2020-8265 CVE-2020-8277
CVE-2020-8287
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for nodejs12 fixes the following issues:

– New upstream LTS version 12.20.1:
* CVE-2020-8265: use-after-free in TLSWrap (High). Bug in the TLS
implementation: when writing to a TLS-enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller as
part of a StreamWriteResult structure. This may be exploited to
corrupt memory, leading to a Denial of Service or potentially other
exploits. (bsc#1180553)
* CVE-2020-8287: HTTP Request Smuggling. Node.js allowed two copies of a
header field in an HTTP request, for example two Transfer-Encoding header
fields. In this case Node.js identifies the first header field and
ignores the second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html). (bsc#1180554)
* CVE-2020-1971: OpenSSL – EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through
Node.js. (bsc#1179491)

– New upstream LTS version 12.20.0:
* deps:
+ update llhttp ‘2.1.2’ -> ‘2.1.3’
+ update uv ‘1.39.0’ -> ‘1.40.0’
+ update uvwasi ‘0.0.10’ -> ‘0.0.11’
* fs: add .ref() and .unref() methods to watcher classes
* http: added scheduling option to http agent
* module:
+ exports pattern support
+ named exports for CJS via static analysis
* n-api: add more property defaults (gh#35214)

– New upstream LTS version 12.19.1:
* deps: Denial of Service through DNS request (High). A Node.js
application that allows an attacker to trigger a DNS request for a
host of their choice could trigger a Denial of Service by getting the
application to resolve a DNS record with a larger number of responses
(bsc#1178882, CVE-2020-8277)

– New upstream LTS version 12.19.0:
* crypto: add randomInt function
* deps:
+ upgrade to libuv 1.39.0
+ deps: upgrade npm to 6.14.7
+ deps: upgrade to libuv 1.38.1
* doc: deprecate process.umask() with no arguments
* module:
+ package “imports” field
+ module: deprecate module.parent
* n-api: create N-API version 7
* zlib: switch to lazy init for zlib streams

This update was imported from the SUSE:SLE-15-SP2:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-64=1

Package List:

– openSUSE Leap 15.2 (x86_64):

nodejs12-12.20.1-lp152.3.9.1
nodejs12-debuginfo-12.20.1-lp152.3.9.1
nodejs12-debugsource-12.20.1-lp152.3.9.1
nodejs12-devel-12.20.1-lp152.3.9.1
npm12-12.20.1-lp152.3.9.1

– openSUSE Leap 15.2 (noarch):

nodejs12-docs-12.20.1-lp152.3.9.1

References:

https://www.suse.com/security/cve/CVE-2020-1971.html
https://www.suse.com/security/cve/CVE-2020-8265.html
https://www.suse.com/security/cve/CVE-2020-8277.html
https://www.suse.com/security/cve/CVE-2020-8287.html
https://bugzilla.suse.com/1178882
https://bugzilla.suse.com/1179491
https://bugzilla.suse.com/1180553
https://bugzilla.suse.com/1180554

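The three Node.js advisories above (nodejs14, nodejs10 and nodejs12) repeat the same one-paragraph description of CVE-2020-8287: Node.js accepted two copies of a header field such as Transfer-Encoding and honoured only the first, which is the CWE-444 request-smuggling pattern. The checker below is an added example written for this page; it is not code from CERT.hr, from openSUSE or from the Node.js project. It parses a raw HTTP/1.1 request head and rejects every ambiguous body framing (duplicate Transfer-Encoding, Transfer-Encoding alongside Content-Length, duplicate Content-Length, whitespace before the colon, obsolete line folding) instead of choosing one interpretation, which is the safe behaviour for a proxy or front end sitting in front of a back end it does not control. The sample requests and the function names in it are constructed for the example.

```javascript
// Added example, not code from CERT.hr, openSUSE or Node.js.
// CVE-2020-8287 (CWE-444): Node.js honoured the first of two Transfer-Encoding
// fields and ignored the second, so two parsers on one path could disagree on
// where a request body ends. This checker refuses ambiguous framing outright.

// Split a raw request head into request line and header fields.
// Returns { error } for heads that are already malformed.
function parseHead(raw) {
  const end = raw.indexOf('\r\n\r\n');
  const head = end === -1 ? raw : raw.slice(0, end);
  const lines = head.split('\r\n');
  const requestLine = lines[0];
  const headers = [];
  for (const line of lines.slice(1)) {
    if (line === '') continue;
    // Obsolete line folding (leading SP/HTAB) is a classic desync vector: refuse it.
    if (/^[ \t]/.test(line)) return { error: 'obs-fold in header', requestLine, headers };
    const colon = line.indexOf(':');
    if (colon === -1) return { error: 'header line without colon', requestLine, headers };
    const name = line.slice(0, colon);
    // RFC 7230 3.2.4: no whitespace is allowed between field-name and colon.
    if (/\s$/.test(name)) return { error: 'whitespace before colon', requestLine, headers };
    headers.push({ name: name.toLowerCase(), value: line.slice(colon + 1).trim() });
  }
  return { requestLine, headers };
}

// Decide how the body is framed, or reject the request if framing is ambiguous.
// Rules follow RFC 7230 3.3.3; duplicates are rejected rather than disambiguated.
function checkFraming(raw) {
  const parsed = parseHead(raw);
  if (parsed.error) return { ok: false, reason: parsed.error };
  const te = parsed.headers.filter((h) => h.name === 'transfer-encoding');
  const cl = parsed.headers.filter((h) => h.name === 'content-length');

  if (te.length > 1) return { ok: false, reason: 'duplicate Transfer-Encoding' };
  if (te.length === 1 && cl.length > 0) {
    return { ok: false, reason: 'Transfer-Encoding together with Content-Length' };
  }
  if (cl.length > 1) {
    // Even identical duplicates are refused: the next hop may count them differently.
    return { ok: false, reason: 'duplicate Content-Length' };
  }
  if (cl.length === 1 && !/^\d+$/.test(cl[0].value)) {
    return { ok: false, reason: 'non-numeric Content-Length' };
  }
  if (te.length === 1) {
    const codings = te[0].value.split(',').map((c) => c.trim().toLowerCase());
    // "chunked" must be the final coding and must appear exactly once;
    // "chunked, identity" or a repeated "chunked" is read differently by different parsers.
    const chunkedCount = codings.filter((c) => c === 'chunked').length;
    if (codings[codings.length - 1] !== 'chunked' || chunkedCount !== 1) {
      return { ok: false, reason: 'Transfer-Encoding not ending in a single chunked' };
    }
    return { ok: true, framing: 'chunked' };
  }
  if (cl.length === 1) return { ok: true, framing: 'content-length', length: Number(cl[0].value) };
  return { ok: true, framing: 'none', length: 0 };
}

// Constructed sample request heads (not captured traffic).
const SAMPLES = {
  clean: 'POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello',
  chunked: 'POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n',
  // The CVE-2020-8287 shape: two Transfer-Encoding fields, the second contradicting the first.
  duplicateTe: 'POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n\r\n0\r\n\r\n',
  // CL.TE: a front end trusting Content-Length forwards bytes that a chunked-parsing back end reads as a second request.
  teAndCl: 'POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n',
  conflictingCl: 'POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nContent-Length: 11\r\n\r\nhello world',
  spaceBeforeColon: 'POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n',
};

for (const [label, raw] of Object.entries(SAMPLES)) {
  console.log(label.padEnd(17), JSON.stringify(checkFraming(raw)));
}
```

Run it with node; each sample prints its verdict. Refusing even identical duplicate Content-Length fields, and requiring chunked to be the last and only chunked coding, follows from the checker not knowing how the next hop parses the same bytes: any request that can be read two ways is dropped here rather than forwarded.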

Security vulnerability in the ampache package

Tue, 2021-01-19 12:59
  • OS details: WN7
  • Severity: IMP
  • Operating systems: L
  • Categories: LUB

==========================================================================
Ubuntu Security Notice USN-4693-1
January 14, 2021

ampache vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Ampache.

Software Description:
– ampache: web-based audio file management system

Details:

It was discovered that an SQL injection vulnerability exists in the Ampache
search engine. Any user able to perform searches could dump any data contained
in the database. An attacker could use this to disclose sensitive information.
(CVE-2019-12385)

It was discovered that Ampache contained an XSS vulnerability. An attacker could use
this vulnerability to force an admin to create a new privileged user.
(CVE-2019-12386)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
ampache 3.6-rzb2779+dfsg-0ubuntu9.2
ampache-common 3.6-rzb2779+dfsg-0ubuntu9.2

After a standard system update you need to restart ampache to make
all the necessary changes.

References:
https://usn.ubuntu.com/4693-1
CVE-2019-12385, CVE-2019-12386

Package Information:
https://launchpad.net/ubuntu/+source/ampache/3.6-rzb2779+dfsg-0ubuntu9.2


Security vulnerability in the ruby redcarpet package

Tue, 2021-01-19 12:59
  • OS details: WN7
  • Severity: IMP
  • Operating systems: L
  • Categories: LDE

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA512

– ————————————————————————-
Debian Security Advisory DSA-4831-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
January 15, 2021 https://www.debian.org/security/faq
– ————————————————————————-

Package : ruby-redcarpet
CVE ID : CVE-2020-26298
Debian Bug : 980057

Johan Smits discovered that ruby-redcarpet, a markdown parser, did not
properly validate its input. This would allow an attacker to mount a
cross-site scripting attack.

For the stable distribution (buster), this problem has been fixed in
version 3.4.0-4+deb10u1.

We recommend that you upgrade your ruby-redcarpet packages.

For the detailed security status of ruby-redcarpet please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-redcarpet

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
—–BEGIN PGP SIGNATURE—–

iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmABkzwACgkQEL6Jg/PV
nWSUJAf/S5a13rCfo6KGpWr3h1YAyuUlH8pFdM3zytlvX7tLDZMIQon1OL0fKecP
lPDVE90EJoLBUUxdF1rSYWSQDS4fbCvSVuzcUqGrwgWvmEjL3rUTqaK189KB32sE
1wmGfqz0MS0ZBSAkPWLqkuMgRhP4SL2H78W9nssdLlC/eZ9G0kM1gTVOzQlrRVrc
BNKX73zMfwP2LREWXpjMCpu6IxfNHaIWQHjWbDwWb92qbz0LAnujExo0PoKWGsvR
5DSYS+rasHfUr8VWGopKMZQp4AfFBKH+oAG2qpPpwGwRda9bI88yfT6hXtctpfDz
kn5ERoIrC6OgXOEO9LnbLAUsEtCSSg==
=D3qU
—–END PGP SIGNATURE—–


Security vulnerability in the Mozilla Firefox package

Tue, 2021-01-19 12:59
  • OS details: WN7
  • Severity: IMP
  • Operating systems: L
  • Categories: LSU

openSUSE Security Update: Security update for MozillaFirefox
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:0063-1
Rating: important
References: #1180623
Cross-References: CVE-2020-16044
Affected Products:
openSUSE Leap 15.1
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for MozillaFirefox fixes the following issues:

– Firefox Extended Support Release 78.6.1 ESR
* Fixed: Critical security issue MFSA 2021-01 (bsc#1180623)
* CVE-2020-16044 Use-after-free write when handling a malicious
COOKIE-ECHO SCTP chunk

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.1:

zypper in -t patch openSUSE-2021-63=1

Package List:

– openSUSE Leap 15.1 (x86_64):

MozillaFirefox-78.6.1-lp151.2.85.1
MozillaFirefox-branding-upstream-78.6.1-lp151.2.85.1
MozillaFirefox-buildsymbols-78.6.1-lp151.2.85.1
MozillaFirefox-debuginfo-78.6.1-lp151.2.85.1
MozillaFirefox-debugsource-78.6.1-lp151.2.85.1
MozillaFirefox-devel-78.6.1-lp151.2.85.1
MozillaFirefox-translations-common-78.6.1-lp151.2.85.1
MozillaFirefox-translations-other-78.6.1-lp151.2.85.1

References:

https://www.suse.com/security/cve/CVE-2020-16044.html
https://bugzilla.suse.com/1180623


Security vulnerabilities in the OpenShift Serverless package

Tue, 2021-01-19 12:59
  • OS details: WN7
  • Severity: IMP
  • Operating systems: L
  • Categories: LRH

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Release of OpenShift Serverless 1.12.0
Advisory ID: RHSA-2021:0146-01
Product: Red Hat OpenShift Serverless
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0146
Issue date: 2021-01-14
CVE Names: CVE-2018-20843 CVE-2019-5018 CVE-2019-13050
CVE-2019-13627 CVE-2019-14889 CVE-2019-15903
CVE-2019-16168 CVE-2019-19221 CVE-2019-19906
CVE-2019-19956 CVE-2019-20218 CVE-2019-20387
CVE-2019-20388 CVE-2019-20454 CVE-2020-1730
CVE-2020-1751 CVE-2020-1752 CVE-2020-1971
CVE-2020-6405 CVE-2020-7595 CVE-2020-9327
CVE-2020-10029 CVE-2020-13630 CVE-2020-13631
CVE-2020-13632 CVE-2020-24553 CVE-2020-24659
CVE-2020-28362 CVE-2020-28366 CVE-2020-28367
=====================================================================

1. Summary:

Release of OpenShift Serverless 1.12.0

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each
vulnerability. For more information, see the CVE links in the References
section.

2. Description:

Red Hat OpenShift Serverless 1.12.0 is a generally available release of the
OpenShift Serverless Operator.

This version of the OpenShift Serverless
Operator is supported on Red Hat OpenShift Container Platform version 4.6,
and includes security and bug fixes and enhancements. For more information,
see the documentation listed in the References section.

Security Fix(es):

* golang: default Content-Type setting in net/http/cgi and net/http/fcgi
could cause XSS (CVE-2020-24553)

* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)

* golang: malicious symbol names can lead to code execution at build time
(CVE-2020-28366)

* golang: improper validation of cgo flags can lead to code execution at
build time (CVE-2020-28367)

For more details about the security issues and their impact, the CVSS
score, acknowledgements, and other related information, see the CVE pages
listed in the References section.

3. Solution:

See the documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/
4.6/html/serverless_applications/index

4. Bugs fixed (https://bugzilla.redhat.com/):

1874857 – CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS
1897635 – CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
1897643 – CVE-2020-28366 golang: malicious symbol names can lead to code execution at build time
1897646 – CVE-2020-28367 golang: improper validation of cgo flags can lead to code execution at build time
1906381 – Release of OpenShift Serverless Serving 1.12.0
1906382 – Release of OpenShift Serverless Eventing 1.12.0

5. References:

https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-5018
https://access.redhat.com/security/cve/CVE-2019-13050
https://access.redhat.com/security/cve/CVE-2019-13627
https://access.redhat.com/security/cve/CVE-2019-14889
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-16168
https://access.redhat.com/security/cve/CVE-2019-19221
https://access.redhat.com/security/cve/CVE-2019-19906
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20218
https://access.redhat.com/security/cve/CVE-2019-20387
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2019-20454
https://access.redhat.com/security/cve/CVE-2020-1730
https://access.redhat.com/security/cve/CVE-2020-1751
https://access.redhat.com/security/cve/CVE-2020-1752
https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-6405
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-9327
https://access.redhat.com/security/cve/CVE-2020-10029
https://access.redhat.com/security/cve/CVE-2020-13630
https://access.redhat.com/security/cve/CVE-2020-13631
https://access.redhat.com/security/cve/CVE-2020-13632
https://access.redhat.com/security/cve/CVE-2020-24553
https://access.redhat.com/security/cve/CVE-2020-24659
https://access.redhat.com/security/cve/CVE-2020-28362
https://access.redhat.com/security/cve/CVE-2020-28366
https://access.redhat.com/security/cve/CVE-2020-28367
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

The post Security flaws in the OpenShift Serverless software package appeared first on CERT.hr.

Security flaws in the mingw openjpeg2 software library

Tue, 2021-01-19 12:59
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LFE

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-d32853a28d
2021-01-15 01:20:50.315040
--------------------------------------------------------------------------------

Name : mingw-openjpeg2
Product : Fedora 32
Version : 2.3.1
Release : 11.fc32
URL : https://github.com/uclouvain/openjpeg
Summary : MinGW Windows openjpeg2 library
Description :
MinGW Windows openjpeg2 library.

--------------------------------------------------------------------------------
Update Information:

This update backports patches for CVE-2020-27841, CVE-2020-27842,
CVE-2020-27843, CVE-2020-27845. ---- This update backports patches for
CVE-2020-27824 and CVE-2020-27823. ---- Backport patch for CVE-2020-27814.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Dec 17 2020 Sandro Mani <manisandro@gmail.com> - 2.3.1-11
* Backport patches for CVE-2020-27841, CVE-2020-27842, CVE-2020-27843, CVE-2020-27845
* Thu Dec 10 2020 Sandro Mani <manisandro@gmail.com> - 2.3.1-10
* Backport patches for CVE-2020-27824 and CVE-2020-27823
* Sat Nov 28 2020 Sandro Mani <manisandro@gmail.com> - 2.3.1-9
- Backport patch for CVE-2020-27814
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1902000 – CVE-2020-27814 openjpeg2: openjpeg: Heap-buffer-overflow in lib/openjp2/mqc.c could result in DoS [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1902000
[ 2 ] Bug #1902001 – CVE-2020-27814 mingw-openjpeg2: openjpeg: Heap-buffer-overflow in lib/openjp2/mqc.c could result in DoS [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1902001
[ 3 ] Bug #1905725 – CVE-2020-27824 openjpeg2: openjpeg: global-buffer-overflow read in lib-openjp2 [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1905725
[ 4 ] Bug #1906220 – CVE-2020-27823 openjpeg2: openjpeg: Heap-buffer-overflow write in lib-openjp2 [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1906220
[ 5 ] Bug #1907674 – CVE-2020-27841 openjpeg2: openjpeg: heap-based buffer overflows in lib/openjp2/pi.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1907674
[ 6 ] Bug #1907675 – CVE-2020-27841 mingw-openjpeg2: openjpeg: heap-based buffer overflows in lib/openjp2/pi.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1907675
[ 7 ] Bug #1907681 – CVE-2020-27842 openjpeg2: openjpeg: null pointer dereference in opj_tgt_reset function in lib/openjp2/tgt.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1907681
[ 8 ] Bug #1907682 – CVE-2020-27842 mingw-openjpeg2: openjpeg: null pointer dereference in opj_tgt_reset function in lib/openjp2/tgt.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1907682
[ 9 ] Bug #1907686 – CVE-2020-27843 openjpeg2: openjpeg: out-of-bounds read in opj_t2_encode_packet function in openjp2/t2.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1907686
[ 10 ] Bug #1907688 – CVE-2020-27843 mingw-openjpeg2: openjpeg: out-of-bounds read in opj_t2_encode_packet function in openjp2/t2.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1907688
[ 11 ] Bug #1907702 – CVE-2020-27845 openjpeg2: openjpeg: heap-based buffer overflow in functions opj_pi_next_rlcp, opj_pi_next_rpcl and opj_pi_next_lrcp in openjp2/pi.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1907702
[ 12 ] Bug #1907703 – CVE-2020-27845 mingw-openjpeg2: openjpeg: heap-based buffer overflow in functions opj_pi_next_rlcp, opj_pi_next_rpcl and opj_pi_next_lrcp in openjp2/pi.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1907703
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-d32853a28d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

The post Security flaws in the mingw openjpeg2 software library appeared first on CERT.hr.

Security flaws in the openjpeg2 software library

Tue, 2021-01-19 12:59
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LFE

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-d32853a28d
2021-01-15 01:20:50.315040
--------------------------------------------------------------------------------

Name : openjpeg2
Product : Fedora 32
Version : 2.3.1
Release : 10.fc32
URL : https://github.com/uclouvain/openjpeg
Summary : C-Library for JPEG 2000
Description :
The OpenJPEG library is an open-source JPEG 2000 library developed in order to
promote the use of JPEG 2000.

This package contains
* JPEG 2000 codec compliant with the Part 1 of the standard (Class-1 Profile-1
compliance).
* JP2 (JPEG 2000 standard Part 2 – Handling of JP2 boxes and extended multiple
component transforms for multispectral and hyperspectral imagery)

--------------------------------------------------------------------------------
Update Information:

This update backports patches for CVE-2020-27841, CVE-2020-27842,
CVE-2020-27843, CVE-2020-27845. ---- This update backports patches for
CVE-2020-27824 and CVE-2020-27823. ---- Backport patch for CVE-2020-27814.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Dec 17 2020 Sandro Mani <manisandro@gmail.com> - 2.3.1-10
* Backport patches for CVE-2020-27841, CVE-2020-27842, CVE-2020-27843, CVE-2020-27845
* Thu Dec 10 2020 Sandro Mani <manisandro@gmail.com> - 2.3.1-9
* Backport patches for CVE-2020-27824 and CVE-2020-27823
* Sat Nov 28 2020 Sandro Mani <manisandro@gmail.com> - 2.3.1-8
- Backport patch for CVE-2020-27814
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1902000 – CVE-2020-27814 openjpeg2: openjpeg: Heap-buffer-overflow in lib/openjp2/mqc.c could result in DoS [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1902000
[ 2 ] Bug #1902001 – CVE-2020-27814 mingw-openjpeg2: openjpeg: Heap-buffer-overflow in lib/openjp2/mqc.c could result in DoS [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1902001
[ 3 ] Bug #1905725 – CVE-2020-27824 openjpeg2: openjpeg: global-buffer-overflow read in lib-openjp2 [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1905725
[ 4 ] Bug #1906220 – CVE-2020-27823 openjpeg2: openjpeg: Heap-buffer-overflow write in lib-openjp2 [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1906220
[ 5 ] Bug #1907674 – CVE-2020-27841 openjpeg2: openjpeg: heap-based buffer overflows in lib/openjp2/pi.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1907674
[ 6 ] Bug #1907675 – CVE-2020-27841 mingw-openjpeg2: openjpeg: heap-based buffer overflows in lib/openjp2/pi.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1907675
[ 7 ] Bug #1907681 – CVE-2020-27842 openjpeg2: openjpeg: null pointer dereference in opj_tgt_reset function in lib/openjp2/tgt.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1907681
[ 8 ] Bug #1907682 – CVE-2020-27842 mingw-openjpeg2: openjpeg: null pointer dereference in opj_tgt_reset function in lib/openjp2/tgt.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1907682
[ 9 ] Bug #1907686 – CVE-2020-27843 openjpeg2: openjpeg: out-of-bounds read in opj_t2_encode_packet function in openjp2/t2.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1907686
[ 10 ] Bug #1907688 – CVE-2020-27843 mingw-openjpeg2: openjpeg: out-of-bounds read in opj_t2_encode_packet function in openjp2/t2.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1907688
[ 11 ] Bug #1907702 – CVE-2020-27845 openjpeg2: openjpeg: heap-based buffer overflow in functions opj_pi_next_rlcp, opj_pi_next_rpcl and opj_pi_next_lrcp in openjp2/pi.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1907702
[ 12 ] Bug #1907703 – CVE-2020-27845 mingw-openjpeg2: openjpeg: heap-based buffer overflow in functions opj_pi_next_rlcp, opj_pi_next_rpcl and opj_pi_next_lrcp in openjp2/pi.c [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1907703
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-d32853a28d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

The post Security flaws in the openjpeg2 software library appeared first on CERT.hr.

Security flaws in the Red Hat OpenShift Serverless Client software package

Fri, 2021-01-15 15:43
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LRH

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat OpenShift Serverless Client kn 1.12.0
Advisory ID: RHSA-2021:0145-01
Product: Red Hat OpenShift Serverless
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0145
Issue date: 2021-01-14
CVE Names: CVE-2020-24553 CVE-2020-28362 CVE-2020-28366
CVE-2020-28367
=====================================================================

1. Summary:

Red Hat OpenShift Serverless Client kn 1.12.0

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each
vulnerability. For more information, see the CVE links in the References
section.

2. Relevant releases/architectures:

Openshift Serverless 1 on RHEL 8Base – x86_64

3. Description:

Red Hat OpenShift Serverless Client kn CLI is delivered as an RPM package
for installation on RHEL platforms, and as binaries for non-Linux
platforms.

Red Hat OpenShift Serverless Client kn 1.12.0 provides a CLI to interact
with Red Hat OpenShift Serverless 1.12.0, and includes security and bug
fixes and enhancements. For more information, see the release notes listed
in the References section.

Security Fix(es):

* golang: default Content-Type setting in net/http/cgi and net/http/fcgi
could cause XSS (CVE-2020-24553)

* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)

* golang: malicious symbol names can lead to code execution at build time
(CVE-2020-28366)

* golang: improper validation of cgo flags can lead to code execution at
build time (CVE-2020-28367)

For more details about the security issues and their impact, the CVSS
score, acknowledgements, and other related information, see the CVE pages
listed in the References section.

4. Solution:

See the documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/
4.6/html/serverless_applications/index

5. Bugs fixed (https://bugzilla.redhat.com/):

1874857 – CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS
1897635 – CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
1897643 – CVE-2020-28366 golang: malicious symbol names can lead to code execution at build time
1897646 – CVE-2020-28367 golang: improper validation of cgo flags can lead to code execution at build time
1906386 – Release of OpenShift Serverless Client 1.12.0

6. Package List:

Openshift Serverless 1 on RHEL 8Base:

Source:
openshift-serverless-clients-0.18.4-2.el8.src.rpm

x86_64:
openshift-serverless-clients-0.18.4-2.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-24553
https://access.redhat.com/security/cve/CVE-2020-28362
https://access.redhat.com/security/cve/CVE-2020-28366
https://access.redhat.com/security/cve/CVE-2020-28367
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/installing-openshift-serverless-1#installing-kn

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

The post Security flaws in the Red Hat OpenShift Serverless Client software package appeared first on CERT.hr.

Security flaw in the kernel rt software package

Fri, 2021-01-15 15:43
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LRH

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: kernel-rt security and bug fix update
Advisory ID: RHSA-2021:0136-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0136
Issue date: 2021-01-14
CVE Names: CVE-2020-25641
=====================================================================

1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.2
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Real Time EUS (v. 8.2) – x86_64
Red Hat Enterprise Linux Real Time for NFV EUS (v. 8.2) – x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: soft-lockups in iov_iter_copy_from_user_atomic() could result in
DoS (CVE-2020-25641)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update RT source tree to the latest RHEL-8.2.z6 Batch source
tree (BZ#1902783)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1881424 – CVE-2020-25641 kernel: soft-lockups in iov_iter_copy_from_user_atomic() could result in DoS

6. Package List:

Red Hat Enterprise Linux Real Time for NFV EUS (v. 8.2):

Source:
kernel-rt-4.18.0-193.40.1.rt13.90.el8_2.src.rpm

x86_64:
kernel-rt-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-core-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-debug-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-debug-core-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-debug-debuginfo-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-debug-devel-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-debug-kvm-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-debug-modules-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-debug-modules-extra-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-debuginfo-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-devel-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-kvm-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-modules-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-modules-extra-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm

Red Hat Enterprise Linux Real Time EUS (v. 8.2):

Source:
kernel-rt-4.18.0-193.40.1.rt13.90.el8_2.src.rpm

x86_64:
kernel-rt-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-core-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-debug-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-debug-core-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-debug-debuginfo-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-debug-devel-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-debug-modules-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-debug-modules-extra-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-debuginfo-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-debuginfo-common-x86_64-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-devel-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-modules-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm
kernel-rt-modules-extra-4.18.0-193.40.1.rt13.90.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-25641
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYAAdstzjgjWX9erEAQj+0Q//fnNAghl7TpvhF5DuBXVdSNFrIrzrOalk
Kl1KkoDRxdGatNirxwl7WOQ7zAkxlBP3F6YiMLROhBivgUUwvQasPQIC8cG0eAbz
P6omt/uqz0c6JhlNdBgJfaKcxiRtifQsMIaUnqIdq+q+OcA51xPOZOfb7+t3PP2n
mDptthRMaIuTX0Qw9AUQF3VfBzZDw396bHQ5dKpsO1TL9dbkjwYw9iEm0+hNnmBk
cMiv5ZCdDTVQRMSXwc4lOrQyTBPdE41N9UkGwP8w4T5zBsMQ0IP5FVJ0MNmjF8hI
LQc1YT2BTqzdTqfGJnnqkYYUjk7G3FteKGiDCYR6KM6kYChQHbLxXYiLhEhE3y0G
AsYUX3CZFPnyeCQESaiw3ZrJWLRC1OCusQNRVmwyClPSMsBVBJCl8sJMcU5EHIpn
6I4v/C2V83q+jfkmwo5zVm+jrmIPRNRVIhnDadkLsVlsTcQ8caASQxDziQmrSz2X
O1j4bJtqPOWGB+HOUdvFksC4lEle6VusljxqG4mKeSed/aMzWCYy5ptt4aw1bIvy
pF5ctwiRbM/ExwkSZjnkc/8VirYlQ5SsSiz/DhfAwzxfcg2aqVwMZylhQUsn3oWP
hehpJGohboJfbGX9TcPtj8errPCbp22R+DeR+s1rVtcVbvWtAaJ1J5+UI1U2Y1Gv
/gdj7/KEhvw=
=NwWQ
-----END PGP SIGNATURE-----



The post Security flaw in the kernel rt software package appeared first on CERT.hr.

Vulnerabilities in multiple Cisco products

Fri, 2021-01-15 15:43
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: CIS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Below is the list of Cisco Security Advisories published by Cisco PSIRT on 2021-January-13.

The following PSIRT security advisories (4 High) were published at 16:00 UTC today.

Table of Contents:

1) Cisco AnyConnect Secure Mobility Client for Windows DLL Injection Vulnerability – SIR: High

2) Cisco Connected Mobile Experiences Privilege Escalation Vulnerability – SIR: High

3) Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Command Injection Vulnerabilities – SIR: High

4) Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Remote Command Execution and Denial of Service Vulnerabilities – SIR: High

+--------------------------------------------------------------------

1) Cisco AnyConnect Secure Mobility Client for Windows DLL Injection Vulnerability

CVE-2021-1237

SIR: High

CVSS Score v(3.1): 7.8

URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-injec-pQnryXLf [“https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-dll-injec-pQnryXLf”]

+--------------------------------------------------------------------

2) Cisco Connected Mobile Experiences Privilege Escalation Vulnerability

CVE-2021-1144

SIR: High

CVSS Score v(3.1): 8.8

URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxpe-75Asy9k [“https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmxpe-75Asy9k”]

+--------------------------------------------------------------------

3) Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Command Injection Vulnerabilities

CVE-2021-1146, CVE-2021-1147, CVE-2021-1148, CVE-2021-1149, CVE-2021-1150

SIR: High

CVSS Score v(3.1): 7.2

URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-command-inject-LBdQ2KRN [“https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-sa-rv-command-inject-LBdQ2KRN”]

+--------------------------------------------------------------------

4) Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Remote Command Execution and Denial of Service Vulnerabilities

CVE-2021-1159, CVE-2021-1160, CVE-2021-1161, CVE-2021-1162, CVE-2021-1163, CVE-2021-1164, CVE-2021-1165, CVE-2021-1166, CVE-2021-1167, CVE-2021-1168, CVE-2021-1169, CVE-2021-1170, CVE-2021-1171, CVE-2021-1172, CVE-2021-1173, CVE-2021-1174, CVE-2021-1175, CVE-2021-1176, CVE-2021-1177, CVE-2021-1178, CVE-2021-1179, CVE-2021-1180, CVE-2021-1181, CVE-2021-1182, CVE-2021-1183, CVE-2021-1184, CVE-2021-1185, CVE-2021-1186, CVE-2021-1187, CVE-2021-1188, CVE-2021-1189, CVE-2021-1190, CVE-2021-1191, CVE-2021-1192, CVE-2021-1193, CVE-2021-1194, CVE-2021-1195, CVE-2021-1196, CVE-2021-1197, CVE-2021-1198, CVE-2021-1199, CVE-2021-1200, CVE-2021-1201, CVE-2021-1202, CVE-2021-1203, CVE-2021-1204, CVE-2021-1205, CVE-2021-1206, CVE-2021-1207, CVE-2021-1208, CVE-2021-1209, CVE-2021-1210, CVE-2021-1211, CVE-2021-1212, CVE-2021-1213, CVE-2021-1214, CVE-2021-1215, CVE-2021-1216, CVE-2021-1217, CVE-2021-1307, CVE-2021-1360

SIR: High

CVSS Score v(3.1): 7.2

URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-overflow-WUnUgv4U [“https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-sa-rv-overflow-WUnUgv4U”]

_______________________________________________
cust-security-announce mailing list
cust-security-announce@cisco.com
To unsubscribe, send the command "unsubscribe" in the subject of your message to cust-security-announce-leave@cisco.com

The post Vulnerabilities in multiple Cisco products appeared first on CERT.hr.

Security flaw in the kernel headers software package

Fri, 2021-01-15 15:43
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LFE

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-3465ada1ca
2021-01-14 01:37:01.293109
--------------------------------------------------------------------------------

Name : kernel-headers
Product : Fedora 33
Version : 5.10.6
Release : 200.fc33
URL : http://www.kernel.org/
Summary : Header files for the Linux kernel for use by glibc
Description :
Kernel-headers includes the C header files that specify the interface
between the Linux kernel and userspace libraries and programs. The
header files define structures and constants that are needed for
building most standard programs and are also needed for rebuilding the
glibc package.

--------------------------------------------------------------------------------
Update Information:

The 5.10.6 stable kernel rebase contains new features, additional hardware
support, and a number of important fixes across the tree.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 11 2021 Justin M. Forbes <jforbes@fedoraproject.org> - 5.10.6-200
- Linux v5.10.6 rebase
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1913348 – CVE-2020-36158 kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value
https://bugzilla.redhat.com/show_bug.cgi?id=1913348
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-3465ada1ca' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

The post Security flaw in the kernel headers software package appeared first on CERT.hr.

Security flaw in the operating system kernel

Fri, 2021-01-15 15:43
  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LFE

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-3465ada1ca
2021-01-14 01:37:01.293109
--------------------------------------------------------------------------------

Name : kernel
Product : Fedora 33
Version : 5.10.6
Release : 200.fc33
URL : https://www.kernel.org/
Summary : The Linux kernel
Description :
The kernel meta package

--------------------------------------------------------------------------------
Update Information:

The 5.10.6 stable kernel rebase contains new features, additional hardware
support, and a number of important fixes across the tree.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 11 2021 Justin M. Forbes <jforbes@fedoraproject.org> - 5.10.6-200
- Linux v5.10.6 rebase
- Fix bluetooth controller initialization (rhbz 1898495)
- Fix CVE-2020-36158 (rhbz 1913348 1913349)
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1913348 – CVE-2020-36158 kernel: buffer overflow in mwifiex_cmd_802_11_ad_hoc_start function in drivers/net/wireless/marvell/mwifiex/join.c via a long SSID value
https://bugzilla.redhat.com/show_bug.cgi?id=1913348
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-3465ada1ca' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

The post Security flaw in the operating system kernel appeared first on CERT.hr.
