FYI: this fixes CVE-2018-19295
The 2.6.1 release contains fixes for a high severity security issue affecting Singularity 2.4.0 through 2.6.0 on modern distributions managed with systemd where mount points are mounted with shared mount propagation by default (CVE-2018-19295). A malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability to mount arbitrary directories into the host mount namespace resulting in privilege escalation on the host.
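The advisory above hinges on a host precondition: mount points mounted with shared propagation, which is the systemd default on most modern distributions. As an added example (not code from the Singularity project, from this update, or from the commenter), here is a POSIX shell check that lists the mounts with shared propagation by parsing the /proc/<pid>/mountinfo format; the sample data is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: list mount points whose propagation is "shared", i.e. the
# host-side precondition named in the CVE-2018-19295 advisory.
# Parses the /proc/<pid>/mountinfo format: field 5 is the mount point, and the
# optional fields between the mount options and the "-" separator carry
# "shared:N", "master:N", "propagate_from:N" or "unbindable".

# Print "MOUNTPOINT shared:N" for every shared mount in a mountinfo file.
shared_mounts() {
    awk '{
        # optional fields start at field 7 and end at the "-" separator
        for (i = 7; i <= NF && $i != "-"; i++)
            if ($i ~ /^shared:[0-9]+$/) { print $5, $i; break }
    }' "$1"
}

# Number of shared mounts: a non-zero result means the host matches the
# precondition described in the advisory.
shared_mount_count() {
    shared_mounts "$1" | wc -l | tr -d ' '
}

# Constructed sample in mountinfo format (not captured from a real host):
# "/" and "/home" are shared (typical systemd default), "/tmp/private" has
# private propagation, and "/mnt/slave" only receives events (master:1).
SAMPLE_MOUNTINFO=$(mktemp)
cat > "$SAMPLE_MOUNTINFO" <<'EOF'
22 1 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/root rw
40 22 253:1 / /home rw,relatime shared:30 - ext4 /dev/mapper/home rw
55 22 0:45 / /tmp/private rw,relatime - tmpfs tmpfs rw
60 22 0:46 / /mnt/slave rw,relatime master:1 - ext4 /dev/sdb1 rw
EOF

# Run against the sample; pass /proc/self/mountinfo instead to audit a live host.
shared_mounts "$SAMPLE_MOUNTINFO"
echo "shared mounts: $(shared_mount_count "$SAMPLE_MOUNTINFO")"
```

On a real host, `shared_mounts /proc/self/mountinfo` does the same job; util-linux's `findmnt -o TARGET,PROPAGATION` shows the same information without the parsing. The check only tells you whether the precondition holds, not whether a vulnerable Singularity build is installed; that still has to come from the package version.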
Hello limb, thanks for the update. Can you please comment on why this is tagged as a security update? There's not much to see in the changelog at
Is there something I missed?
Hello smooge, thanks for the update! Since the Nagios changelog for 4.4.2 says:
Fix for CVE-2018-13441, CVE-2018-13458, CVE-2018-13457
Have CVE-2018-13458 and CVE-2018-13457 already been fixed in the past? I can't tell from the Fedora changelog.
And I saw that CVE-2016-8641 was already fixed in Nagios 4.2.3; is this a typo?
Hello @kevin, thanks for the update. FYI: CVE-2018-16837 is in the 2.7.1 changelog as well, hidden under Bugfixes: https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst#bugfixes
user module - do not pass ssh_key_passphrase on cmdline (CVE-2018-16837)
So you may consider the updates to Ansible 2.7.1 to be 'security' updates, not 'enhancement' updates.
Thanks for the update. Any insight on what's wrong with hylafax+ security-wise? I did not find any possibly security-related bugs here
Hello kwizart, thanks for the update. The recent CVEs (CVE-2018-11737, CVE-2018-11738, CVE-2018-11739, CVE-2018-11740) are still considered open issues at
Did you apply a patch for those? Should be these:
Thanks for the update.
FYI: the CVEs mentioned have been fixed in libraw 0.18.12 as far as I know. 0.18.13 fixes two additional possible vulns without a CVE:
1. fixed possible stack overrun while reading zero-sized strings, maybe this: https://github.com/LibRaw/LibRaw/commit/e25a09e42bc05a666a28f5f55bfad02f69567712
2. fixed possible integer overflow, maybe this: https://github.com/LibRaw/LibRaw/commit/2aabf1b68a8a1dc953ca698ba79f89a80f0f5150
Hello @lbazan, thanks for the update.
Can you please comment on why CVE-2013-7110 is mentioned here? I went through the 0.13.4-tagged commits at https://github.com/transifex/transifex-client/ and found that the vulnerability was fixed as https://github.com/transifex/transifex-client/issues/42 with commit https://github.com/transifex/transifex-client/commit/e0d1f8b38ec1a24e2999d63420554d8393206f58 at the end of 2013 (version 0.10, I guess).
The changelog here reads: * Wed Jan 15 2014 - 0.10-1 - New Upstream version
but the three-year-old commit is tagged with 0.13.4 now. Was the CVE never fixed, or does this new occurrence of the CVE have something to do with the Python 3.7 support in 0.13.4 that I just don't get? I'm trying to understand the patching process; I'm not trying to say that something's wrong here.
Hello @msimacek, in the Jetty CVE announcement there are two more CVEs:
https://dev.eclipse.org/mhonarc/lists/jetty-dev/msg03191.html
- CVE-2018-12536
- CVE-2018-12538
I understand that Fedora 28 isn't affected by CVE-2018-12538 because of the version used before. But can you confirm that Fedora 27 and 28 are not affected by CVE-2018-12536? Versions affected:
- EOL releases - 9.2.x and older (all configurations)
- 9.3.x (all configurations)
- 9.4.x (all configurations)
Thanks