fyi, via https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/
fyi: this fixes CVE-2018-19295
The 2.6.1 release contains fixes for a high severity security issue affecting Singularity 2.4.0 through 2.6.0 on modern distributions managed with systemd where mount points are mounted with shared mount propagation by default (CVE-2018-19295). A malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability to mount arbitrary directories into the host mount namespace resulting in privilege escalation on the host.
via
Hallo limb, thanks for the update. Can you please comment on why this is tagged as a security update? There's not much to see in the changelog at
https://download.gnome.org/sources/meld/3.19/meld-3.19.1.news
Is there something I missed?
cheers
OK, thanks for clarifying
Hallo smooge, thanks for the update! Since the Nagios changelog for 4.4.2 says:
Fix for CVE-2018-13441, CVE-2018-13458, CVE-2018-13457
Have CVE-2018-13458 and CVE-2018-13457 already been fixed in the past? I can't tell from the Fedora changelog.
And I saw that CVE-2016-8641 was already fixed in Nagios 4.2.3. Is this a typo?
fyi: CVE-2018-16056, CVE-2018-16057, CVE-2018-16058 have been fixed in 2.6.3
2.6.4 contains fixes for CVE-2018-18227, CVE-2018-18226, CVE-2018-18225, CVE-2018-12086
Hello @panovotn, thanks for the update. As far as I know only PostgreSQL 10 and 11 are vulnerable to CVE-2018-16850, see
https://www.postgresql.org/support/security/
Is there something else in 9.6 I missed? This update is marked as a security update, that's why I'm asking. Cheers
Hallo @kevin, thanks for the update. FYI: CVE-2018-16837 is in the 2.7.1 changelog as well, hidden under Bugfixes: https://github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst#bugfixes
user module - do not pass ssh_key_passphrase on cmdline (CVE-2018-16837)
So you may consider the updates to Ansible 2.7.1 to be 'security' updates, not 'enhancement' updates.
cheers
Thank you Lee, this will help and I'll have to recheck my Google skills, sorry for the noise. Best
Hallo Faxguy,
thanks for the update. Any insight on what's wrong with hylafax+ security-wise? I did not find possibly security-related bugs here
https://bugzilla.redhat.com/buglist.cgi?component=hylafax%2B
or here
Best
fyi: CVE-2018-15860 was not assigned to libxkbcommon.
Hallo kwizart, thanks for the update. The recent CVEs (CVE-2018-11737, CVE-2018-11738, CVE-2018-11739, CVE-2018-11740) are still considered open issues at
Did you apply a patch for those? Should be these:
https://github.com/sleuthkit/sleuthkit/issues/1264
https://github.com/sleuthkit/sleuthkit/issues/1265
thanks for the update.
fyi: the CVEs mentioned have been fixed in libraw 0.18.12 as far as I know. 0.18.13 fixes two additional possible vulns w/o CVE:
1. fixed possible stack overrun while reading zero-sized strings, maybe this: https://github.com/LibRaw/LibRaw/commit/e25a09e42bc05a666a28f5f55bfad02f69567712
2. fixed possible integer overflow, maybe this: https://github.com/LibRaw/LibRaw/commit/2aabf1b68a8a1dc953ca698ba79f89a80f0f5150
see
Hallo @lbazan, thanks for the update.
Can you please comment on why CVE-2013-7110 is mentioned here? I went through the 0.13.4-tagged commits at https://github.com/transifex/transifex-client/ and found that the vulnerability was fixed as https://github.com/transifex/transifex-client/issues/42 with commit https://github.com/transifex/transifex-client/commit/e0d1f8b38ec1a24e2999d63420554d8393206f58 at the end of 2013 (version 0.10 I guess).
The changelog here reads: * Wed Jan 15 2014 - 0.10-1 - New Upstream version
But the three-year-old commit is tagged with 0.13.4 now. Was the CVE never fixed, or has this new occurrence of the CVE something to do with the Python 3.7 support of 0.13.4 that I just don't get? I'm trying to understand the patching process, I'm not trying to say that something's wrong here.
Best
EZ, thanks for the clarification and for taking care! Best
Hallo @msimacek, in the Jetty CVE announcement there are two more CVEs:
https://dev.eclipse.org/mhonarc/lists/jetty-dev/msg03191.html
- CVE-2018-12536
- CVE-2018-12538
I understand that Fedora 28 isn't affected by CVE-2018-12538 because of the version used before. But can you confirm that Fedora 27 and 28 are not affected by CVE-2018-12536?
Versions affected: EOL releases - 9.2.x and older (all configurations), 9.3.x (all configurations), 9.4.x (all configurations)
Thanks
fyi
Typo in CVE-2018-147189, should be CVE-2018-14719.
cheers