Saturday, November 14, 2020

[USN-4604-1] MySQL vulnerabilities

 ---------- Forwarded message ---------

From: Marc Deslauriers <marc.deslauriers@canonical.com>

Date: Oct 27, 2020 8:43PM

Multiple security issues were discovered in MySQL and this update includes

new upstream MySQL versions to fix these issues.

MySQL has been updated to 8.0.22 in Ubuntu 20.04 LTS and Ubuntu 20.10.

Ubuntu 16.04 LTS and Ubuntu 18.04 LTS have been updated to MySQL 5.7.32.

In addition to security fixes, the updated packages contain bug fixes, new

features, and possibly incompatible changes.

References:

  https://usn.ubuntu.com/4604-1

  CVE-2019-14775, CVE-2020-14672, CVE-2020-14760, CVE-2020-14765,

  CVE-2020-14769, CVE-2020-14771, CVE-2020-14773, CVE-2020-14775,

  CVE-2020-14776, CVE-2020-14777, CVE-2020-14785, CVE-2020-14786,

  CVE-2020-14789, CVE-2020-14790, CVE-2020-14791, CVE-2020-14793,

  CVE-2020-14794, CVE-2020-14800, CVE-2020-14804, CVE-2020-14809,

  CVE-2020-14812, CVE-2020-14814, CVE-2020-14821, CVE-2020-14827,

  CVE-2020-14828, CVE-2020-14829, CVE-2020-14830, CVE-2020-14836,

  CVE-2020-14837, CVE-2020-14838, CVE-2020-14839, CVE-2020-14844,

  CVE-2020-14845, CVE-2020-14846, CVE-2020-14848, CVE-2020-14852,

  CVE-2020-14853, CVE-2020-14860, CVE-2020-14861, CVE-2020-14866,

  CVE-2020-14867, CVE-2020-14868, CVE-2020-14869, CVE-2020-14870,

  CVE-2020-14873, CVE-2020-14878, CVE-2020-14888, CVE-2020-14891,

  CVE-2020-14893

LM: elementary OS 5.2

[USN-4602-1] Perl vulnerabilities

 ---------- Forwarded message ---------

From: Marc Deslauriers <marc.deslauriers@canonical.com>

Date: Oct 26, 2020 7:45PM

ManhND discovered that Perl incorrectly handled certain regular

expressions. In environments where untrusted regular expressions are

evaluated, a remote attacker could possibly use this issue to cause Perl to

crash, resulting in a denial of service, or possibly execute arbitrary

code. (CVE-2020-10543)

Hugo van der Sanden and Slaven Rezic discovered that Perl incorrectly

handled certain regular expressions. In environments where untrusted

regular expressions are evaluated, a remote attacker could possibly use

this issue to cause Perl to crash, resulting in a denial of service, or

possibly execute arbitrary code. (CVE-2020-10878)

Sergey Aleynikov discovered that Perl incorrectly handled certain regular

expressions. In environments where untrusted regular expressions are

evaluated, a remote attacker could possibly use this issue to cause Perl to

crash, resulting in a denial of service, or possibly execute arbitrary

code. (CVE-2020-12723)

References:

  https://usn.ubuntu.com/4602-1

  CVE-2020-10543, CVE-2020-10878, CVE-2020-12723

Introducing Cloudflare One

REF: https://blog.cloudflare.com/introducing-cloudflare-one/

[LSN-0073-1] Linux kernel vulnerability

 ---------- Forwarded message ---------

From: benjamin.romer@canonical.com

Date: Oct 26, 2020 7:45PM

Andy Nguyen discovered that the Bluetooth L2CAP implementation in the

Linux kernel contained a type-confusion error. A physically proximate

remote attacker could use this to cause a denial of service (system

crash) or possibly execute arbitrary code. (CVE-2020-12351)

Andy Nguyen discovered that the Bluetooth A2MP implementation in the

Linux kernel did not properly initialize memory in some situations. A

physically proximate remote attacker could use this to expose sensitive

information (kernel memory). (CVE-2020-12352)

Andy Nguyen discovered that the Bluetooth HCI event packet parser in the

Linux kernel did not properly handle event advertisements of certain

sizes, leading to a heap-based buffer overflow. A physically proximate

remote attacker could use this to cause a denial of service (system

crash) or possibly execute arbitrary code. (CVE-2020-24490)

References

-   CVE-2020-12351

-   CVE-2020-12352

-   CVE-2020-24490

LM: KDE neon 5.20.0

REF: https://www.linux-magazine.com/Issues/2020/241/This-Month-s-DVD

Sunday, November 8, 2020

MagicSoft Recorder ver 3.3.2

It adds support for recording HEVC 10-bit with nVidia cards using the containers mov, mp4, mkv and ts.

The supported video modes are 720p, 1080p and 4K.

The software can be freely downloaded from our website:

https://www.magicsoft.tv

Saturday, November 7, 2020

Plex is now included in Reelgood’s database for free streaming content

Plex is now included in Reelgood’s database for free streaming content, which means you can keep track of what you want to see, what you have seen, and more.

[Openvpn-announce] OpenVPN 2.5-rc2 released

 ---------- Forwarded message ---------

From: Samuli Seppänen <samuli@openvpn.net>

Date: Wed, Sep 30, 2020 at 7:57 PM

OpenVPN 2.5 is a new major release with many new features:

    Client-specific tls-crypt keys (--tls-crypt-v2)

    Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data channel

    Improved Data channel cipher negotiation

    Removal of BF-CBC support in default configuration

    Asynchronous (deferred) authentication support for auth-pam plugin

    Deferred client-connect

    Faster connection setup

    Netlink support

    Wintun support

    IPv6-only operation

    Improved Windows 10 detection

    Linux VRF support

    TLS 1.3 support

    Support setting DHCP search domain

    Handle setting of tun/tap interface MTU on Windows

    HMAC based auth-token support

    VLAN support

    Support building of .msi installers for Windows

    Allow unicode search string in --cryptoapicert option (Windows)

    Support IPv4 configs with /31 netmasks now

    New option --block-ipv6 to reject all IPv6 packets (ICMPv6)

    MSI installer (Windows)

    The MSI installer now bundles EasyRSA 3, a modern take on OpenVPN CA management
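The announcement above lists the new features but shows no configuration. The following server configuration is an added example, not part of the OpenVPN release notes, and ties several of the listed items together: per-client tls-crypt-v2 keys, AEAD-only data-channel negotiation now that BF-CBC is out of the defaults, ChaCha20-Poly1305 as a data-channel cipher, and the new --block-ipv6 option. The file names, subnet and key names are assumptions; adjust them to your deployment.

```conf
# server.conf for OpenVPN 2.5 (added example; paths, subnet and key names are assumptions)
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0

ca   ca.crt
cert server.crt
key  server.key
dh   none                    # ECDHE only, so no dh.pem is needed
ecdh-curve prime256v1

# Control-channel protection with tls-crypt-v2: one server key, one wrapped
# key per client. Generate them with:
#   openvpn --genkey tls-crypt-v2-server tc-v2-server.key
#   openvpn --tls-crypt-v2 tc-v2-server.key --genkey tls-crypt-v2-client tc-v2-alice.key
# Each client then carries its own `tls-crypt-v2 tc-v2-alice.key` line, so a
# leaked client key can be revoked without re-keying every other client.
tls-crypt-v2 tc-v2-server.key
tls-version-min 1.2

# Data-channel cipher negotiation. In 2.5 BF-CBC is no longer in the default
# list, so state the AEAD ciphers explicitly; ChaCha20-Poly1305 is the choice
# for clients on CPUs without AES acceleration.
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
# Caveat: only enable a fallback if pre-2.4 clients that cannot negotiate a
# cipher still need to connect. A CBC fallback re-admits a non-AEAD cipher.
# data-ciphers-fallback AES-256-CBC

# Reject IPv6 packets from clients with an ICMPv6 unreachable instead of
# silently dropping them (new in 2.5), which makes a leaking client visible.
block-ipv6

keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
```

The "possibly incompatible changes" warning applies here too: a 2.3-era client that has only a static `cipher BF-CBC` line will be refused by this server, which is the intended outcome; the fallback line is the escape hatch while such clients are being upgraded, not a permanent setting.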

Cloudflare’s Always Online and the Internet Archive Team Up to Fight Origin Errors

Enabling the new Always Online

REF: https://blog.cloudflare.com/cloudflares-always-online-and-the-internet-archive-team-up-to-fight-origin-errors/

[USN-4599-1] Firefox vulnerabilities

 ---------- Forwarded message ---------

From: Chris Coulson <chris.coulson@canonical.com>

Date: Oct 23, 2020 7:33PM

Multiple security issues were discovered in Firefox. If a user were

tricked in to opening a specially crafted website, an attacker could

potentially exploit these to cause a denial of service, spoof the prompt

for opening an external application, obtain sensitive information, or

execute arbitrary code.

References:

  https://usn.ubuntu.com/4599-1

  CVE-2020-15254, CVE-2020-15680, CVE-2020-15681, CVE-2020-15682,

  CVE-2020-15683, CVE-2020-15684, CVE-2020-15969

Roku Express Exclusive upgrade

Roku Express HD $20

Exclusive upgrade for you

Save over 30% on the compact-but-mighty Roku Express, plus get free shipping! You’ll love the smooth streaming, and enjoy all the latest Roku features, software updates, and streaming channels. The included High Speed HDMI® Cable makes setup a cinch, so you’ll be up and streaming in no time.

Monday, November 2, 2020

[LSN-0072-1] Linux kernel vulnerability

 ---------- Forwarded message ---------

From: benjamin.romer@canonical.com

Date: Oct 15, 2020 1:44AM

It was discovered that the F2FS file system implementation in the Linux

kernel did not properly perform bounds checking on xattrs in some

situations. A local attacker could possibly use this to expose sensitive

information (kernel memory). (CVE-2020-0067)

It was discovered that the Serial CAN interface driver in the Linux

kernel did not properly initialize data. A local attacker could use this

to expose sensitive information (kernel memory). (CVE-2020-11494)

Mauricio Faria de Oliveira discovered that the aufs implementation in

the Linux kernel improperly managed inode reference counts in the

vfsub_dentry_open() method. A local attacker could use this

vulnerability to cause a denial of service. (CVE-2020-11935)

Piotr Krysiuk discovered that race conditions existed in the file system

implementation in the Linux kernel. A local attacker could use this to

cause a denial of service (system crash). (CVE-2020-12114)

Or Cohen discovered that the AF_PACKET implementation in the Linux

kernel did not properly perform bounds checking in some situations. A

local attacker could use this to cause a denial of service (system

crash) or possibly execute arbitrary code. (CVE-2020-14386)

Hador Manor discovered that the DCCP protocol implementation in the

Linux kernel improperly handled socket reuse, leading to a

use-after-free vulnerability. A local attacker could use this to cause a

denial of service (system crash) or possibly execute arbitrary code.

(CVE-2020-16119)

Giuseppe Scrivano discovered that the overlay file system in the Linux

kernel did not properly perform permission checks in some situations. A

local attacker could possibly use this to bypass intended restrictions

and gain read access to restricted files. (CVE-2020-16120)

References

-   CVE-2020-0067

-   CVE-2020-11494

-   CVE-2020-11935

-   CVE-2020-12114

-   CVE-2020-14386

-   CVE-2020-16119

-   CVE-2020-16120

Cloudflare Automatically Blocks Botnet DDoS Attack Topping At 654 Gbps

Moobot Targets 654 Gbps towards a Magic Transit Customer

REF: https://blog.cloudflare.com/moobot-vs-gatebot-cloudflare-automatically-blocks-botnet-ddos-attack-topping-at-654-gbps/

ActivePython 3.7 Update

ActivePython 3.7 Community Edition (CE) for Windows and Linux has been updated to v3.7.8, resolving recently discovered vulnerabilities associated with Bleach, Pillow and Django.

Download it from the ActiveState Platform.

Roku OS 9.4 introduces BrightScript exception handling

Major updates to channel publishing flow coming June 29