Application 2: CentOS, Debian, Mageia, Red Hat, Scientific Linux, Ubuntu
Application 3: Debian, Fedora, Gentoo, Mageia, openSUSE, Red Hat, Scientific Linux, Ubuntu
Thank you for reading the LinuxSecurity Linux Advisory Watch newsletter! Staying on top of the latest security advisories is essential in maintaining an updated, secure Linux system. Our weekly newsletter is an easy, convenient way to track the security updates available for the software and applications you are using - helping you keep your Linux environment safe from malware and other exploits.
This week, important updates have been issued for Polkit, PostgreSQL and Squid:
A seven-year-old flaw, tracked as CVE-2021-3560, has been discovered in the Polkit auth system service used on most systemd-based Linux distributions. When a requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts, Polkit cannot obtain a unique uid and pid for that process and therefore cannot verify its privileges.
CVE-2021-3560 enables an unprivileged local user to get a root shell on a Linux system using Polkit version 0.113 (or later), such as those running RHEL 8, Fedora 21 (or later), Debian testing (“bullseye”), or Ubuntu 20.04. It’s easy to exploit with a few standard command line tools, as shown in this brief video. This high-priority bug poses a serious threat to data confidentiality and integrity, as well as system availability.
CVE-2021-3560 was fixed on June 3, 2021. If your distro has been impacted by this critical vulnerability, we urge you to update as soon as possible!
An important flaw (CVE-2021-32027) has been found in PostgreSQL, an advanced object-relational database management system. While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory.
This high-severity vulnerability - which is easy to exploit and requires no user interaction - could result in remote code execution (RCE), threatening data confidentiality, integrity and system availability.
Updates mitigating this vulnerability have been released by the distros impacted, which include CentOS, Debian, Mageia, RedHat, SciLinux and Ubuntu.
An important security bug (CVE-2020-25097) has been found in the Squid proxy caching server. Because of improper validation while parsing the request URI, Squid is vulnerable to HTTP request smuggling.
Exploiting this flaw, a trusted client can easily perform an HTTP request smuggling attack with no user interaction and access services otherwise forbidden by Squid, threatening the confidentiality of sensitive data.
A fix has been released for this vulnerability. Users should check the security advisories issued by their distro and update immediately if they are at risk.
We recommend that you visit our Advisories page frequently to see the latest security advisories that have been issued by your Linux distro(s). We also now offer the ability to personalize your LinuxSecurity.com User Profile to include the latest advisories for the distros you select.
On behalf of the LinuxSecurity.com administrative team, I would like to extend a warm welcome to our newly redesigned site!