Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! 

Today’s newsletter is sponsored by Uptycs. To close security observability gaps across your cloud attack surface, check out the Uptycs Security Analytics Platform.

This week, important updates have been issued for OpenJDK, Lasso and Thunderbird.

We recommend that you visit our Advisories page frequently to see the latest security advisories that have been issued by your Linux distro(s). We also now offer the ability to personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select. 

On behalf of the LinuxSecurity.com administrative team, I would like to extend a warm welcome to our newly redesigned site!

Yours in Open Source,


Thunderbird
The Discovery 

Several important security vulnerabilities have been discovered in the Mozilla Thunderbird mail and newsgroup client. 

The Impact

These issues include an out-of-bounds write in ANGLE impacting the Chromium browser (CVE-2021-30547), a use-after-free in the accessibility features of a document (CVE-2021-29970), memory safety bugs in Firefox 90 and Firefox ESR 78.12, and a flaw that could allow IMAP server responses sent by a MITM prior to STARTTLS to be processed (CVE-2021-29969).

The Fix

These problems have been fixed in Thunderbird version 78.12.0. Update to Thunderbird version 78.12.0 as soon as possible to protect sensitive data and prevent compromise.

OpenSSH
The Discovery 

A vulnerability has been discovered in the way that OpenSSH handles requests (CVE-2018-15473), which could introduce a regression in certain environments. Robert Swiecki also discovered that OpenSSH incorrectly handles certain messages (CVE-2016-10708).

The Impact

These issues could be exploited by an attacker to access sensitive information.

The Fix

OpenSSH has released fixes for these bugs. In general, a standard system update will make all the necessary changes.

Lasso
The Discovery

An important XML signature wrapping vulnerability when parsing SAML responses (CVE-2021-28091) has been identified in Lasso, a popular library used by many Linux distros that implements the Liberty Alliance Single Sign-On standards, including the SAML and SAML2 specifications.

The Impact

This security issue could allow an attacker to modify a valid SAML response to include an unsigned SAML assertion, which could be used to impersonate another valid user recognized by the service using Lasso. The greatest threat that this vulnerability poses is to data confidentiality and integrity, as well as service availability.
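As an added illustration of the defensive check that defeats this class of bug (example code written for this newsletter, not code from Lasso or from the advisory): once the library has verified the signature, the service should consume only the single assertion that the signature's Reference actually covers, rejecting any response that carries extra or unsigned assertions. The cryptographic verification step is assumed to happen before this guard and is not shown; the two SAML documents are constructed samples, not real traffic.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def select_signed_assertion(response_xml: str):
    """Return (ok, reason, assertion_id) for a SAML 2.0 Response.

    Assumes the SAML library already verified ds:Signature cryptographically
    (hypothetical step, not shown). A wrapped response passes that check,
    since the signed element is intact; this guard adds the rule that the
    consumed assertion must be the only one present and the one the
    signature Reference covers.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "root element is not samlp:Response", None
    # Search the whole tree: injected copies are often hidden in Extensions
    # or inside the Signature element rather than placed at top level.
    assertions = list(root.iter(f"{{{SAML}}}Assertion"))
    if len(assertions) != 1:
        return False, f"expected exactly 1 Assertion, found {len(assertions)}", None
    assertion = assertions[0]
    if assertion not in list(root):  # Element membership is by identity
        return False, "Assertion is not a direct child of Response", None
    sig = assertion.find(f"{{{DS}}}Signature")
    if sig is None:
        return False, "Assertion carries no enveloped Signature", None
    ref = sig.find(f"./{{{DS}}}SignedInfo/{{{DS}}}Reference")
    uri = ref.get("URI", "") if ref is not None else ""
    if uri != "#" + assertion.get("ID", ""):
        return False, f"Signature Reference {uri!r} does not cover this Assertion", None
    return True, "ok", assertion.get("ID")


# Constructed samples (not real traffic): a legitimate response, then the
# same response with an unsigned assertion for another user inserted.
GOOD = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}">'
    '<saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo>'
    '<ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '</saml:Assertion></samlp:Response>'
)
WRAPPED = GOOD.replace(
    '<saml:Assertion ID="_a1">',
    '<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>admin</saml:NameID>'
    '</saml:Subject></saml:Assertion><saml:Assertion ID="_a1">', 1)
```

Calling `select_signed_assertion(GOOD)` returns `(True, "ok", "_a1")`, while the wrapped document is rejected with "expected exactly 1 Assertion, found 2" before any subject is read.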

The Fix

An update is now available for Lasso that fixes this issue. We recommend that users update their systems immediately to safeguard sensitive information and prevent downtime.
