Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! 

Today’s newsletter is sponsored by RoseHosting. For fast, secure and fully-managed Linux hosting, check out RoseHosting VPS hosting.

This week, important updates have been issued for PHP, polkit and djvulibre.

We recommend that you visit our Advisories page frequently to see the latest security advisories that have been issued by your Linux distro(s). We also now offer the ability to personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select. 

On behalf of the LinuxSecurity.com administrative team, I would like to extend a warm welcome to our newly redesigned site!

Yours in Open Source,


PHP
The Discovery

Several remotely exploitable vulnerabilities have been discovered in the php7.0 and php5 HTML-embedded scripting language interpreters. These flaws include incorrect handling of certain PHAR files (CVE-2020-7068), URLs containing passwords (CVE-2020-7071), certain malformed XML data when parsed by the SOAP extension (CVE-2021-21702), the pdo_firebird module (CVE-2021-21704) and the FILTER_VALIDATE_URL check (CVE-2021-21705).

The Impact

These issues could allow a remote attacker to cause PHP to crash, resulting in a denial of service (DoS), to perform a server-side request forgery (SSRF) attack, or possibly to obtain sensitive information. Applications that use filter_var() with FILTER_VALIDATE_URL as their only check on user-supplied URLs before fetching them are the ones exposed to the SSRF bypass.

The Fix

These problems can be corrected by updating your php7.0 and php5 packages. In general, a standard system update will make all the necessary changes; restart the web server or PHP-FPM afterwards so that the patched interpreter is actually loaded.


polkit

The Discovery

A high-severity vulnerability has been discovered in polkit, a toolkit for managing policies that govern how unprivileged processes communicate with privileged ones (CVE-2021-3560). The function polkit_system_bus_name_get_creds_sync() is called without checking for errors, so when the requesting process disconnects from D-Bus before the credentials lookup completes, the failed lookup is ignored and the authorization request is temporarily treated as if it came from root.

The Impact

This flaw could lead to local root privilege escalation: an unprivileged local user with access to the system bus can win the race and have polkit authorize a privileged action on their behalf.

The Fix

All polkit users should upgrade to a fixed version. On Gentoo, which the commands below are taken from, that is sys-auth/polkit 0.119 or later:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-auth/polkit-0.119"

Other distributions typically backport the fix into their existing package version, so on those systems check the fixed version in your distribution's own advisory rather than comparing against the upstream 0.119 number.
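As an added example, not part of the advisory and not polkit's own code, the following POSIX shell script checks whether the installed polkit is at or above the fixed version named above. It assumes that `pkcheck --version` prints a line of the form "pkcheck version 0.119" (the sample output embedded in the script is constructed for offline runs), and the `check` argument used to trigger the live check is a name chosen here. The version comparison is generic, so the same function can be reused for the php and djvulibre packages once you know the fixed version from your distribution's advisory.

```shell
#!/bin/sh
# Added example, not part of the advisory or of polkit itself: check whether the
# installed polkit is at or above the version the advisory names as fixed.
# Assumptions (not from the page): `pkcheck --version` prints a line of the form
# "pkcheck version 0.119". Distributions that backport the fix keep an older
# upstream version number, so pass your distro's fixed version as the argument
# to check_polkit on those systems instead of relying on 0.119.

FIXED_POLKIT="0.119"                       # from the Gentoo advisory above
SAMPLE_PKCHECK="pkcheck version 0.119"     # constructed sample output, for offline use

# version_ge A B: succeed (exit 0) when dotted version A is >= B.
# Fields are compared numerically; a non-digit suffix such as "-r1" is ignored.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"                              # leading field of each
    if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi      # drop the field just read
    if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
    x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"                    # "119-r1" -> "119"
    x="${x:-0}"; y="${y:-0}"                                # missing field counts as 0
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0                                                  # all fields equal
}

# polkit_version_from_output TEXT: pull the version out of `pkcheck --version` output,
# i.e. the last whitespace-separated word of its first line.
polkit_version_from_output() {
  printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# check_polkit [FIXED]: returns 0 if the installed polkit is at or above FIXED
# (default: FIXED_POLKIT), 1 if it needs an update, 2 if pkcheck is not available.
check_polkit() {
  fixed="${1:-$FIXED_POLKIT}"
  out="$(pkcheck --version 2>/dev/null)" || { echo "pkcheck not found"; return 2; }
  installed="$(polkit_version_from_output "$out")"
  if version_ge "$installed" "$fixed"; then
    echo "polkit $installed >= $fixed: fixed version installed"
    return 0
  fi
  echo "polkit $installed < $fixed: update required (CVE-2021-3560)"
  return 1
}

# Run the live check only when invoked as `sh check-polkit.sh check`, so the
# functions can also be sourced or exercised offline against the sample output.
if [ "${1:-}" = "check" ]; then
  check_polkit
fi
```

On a system that backports the fix, call check_polkit with the version your distribution's advisory lists as fixed (for example `check_polkit "0.105-26ubuntu1.1"`, a hypothetical value here) rather than the upstream number, or the check will report a false alarm.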


djvulibre
The Discovery

An out-of-bounds write bug has been found in DJVU::DjVuTXT::decode() in DjVuText.cpp in djvulibre, the DjVu image format library and tools.

The Impact

An attacker who can get a crafted DjVu file opened by an application linked against the library (a document viewer, for example) could potentially exploit this flaw to execute arbitrary code or cause a crash.

The Fix

Users should upgrade their djvulibre packages to fix this issue. In general, a standard system update will make all the necessary changes; restart any long-running applications that have the library loaded so they pick up the fixed copy.
