Several vulnerabilities were discovered in the shadow suite of login tools. An attacker may escalate privileges in specific configurations. CVE-2017-20002

The updated packages fix security vulnerabilities. At least one of them is known to be actively exploited. References: - https://bugs.mageia.org/show_bug.cgi?id=28534

An update for pki-core is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update for wpa_supplicant is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

An update for wpa_supplicant is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

Update to upstream 1.4.4 - Fix CVE-2021-21334

Update to upstream aa2d5a97cdc4 for CVE-2021-21334

This update fixes CVE-2021-27921, CVE-2021-27922 and CVE-2021-27923. ---- Backport fixes for CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293

This update fixes CVE-2021-27921, CVE-2021-27922 and CVE-2021-27923. ---- Backport fixes for CVE-2021-25289, CVE-2021-25290, CVE-2021-25291, CVE-2021-25292, CVE-2021-25293

On case-insensitive file systems with support for symbolic links, if Git is configured globally to apply delay-capable clean/smudge filters (such as Git LFS), Git could be fooled into running remote code during a clone (CVE-2021-21300).

When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled (CVE-2021-21290). References:

Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes to prevent web cache poisoning. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default (CVE-2021-23336).

In MediaInfoLib in MediaArea MediaInfo 20.03, there is a stack-based buffer over-read in Streams_Fill_PerStream in Multiple/File_MpegPs.cpp (aka an off-by-one during MpegPs parsing) (CVE-2020-15395). References:

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description (CVE-2019-13990). References:

DLA 2589-1 incorrectly fixed CVE-2020-26519 and also induced regression where opening a PDF document resulted in a SIGFPE crash, a floating point exception.

An update that fixes 11 vulnerabilities is now available.

An update that solves two vulnerabilities and has 7 fixes is now available.

An update that fixes four vulnerabilities is now available.

An update that fixes one vulnerability is now available.

An update that fixes two vulnerabilities is now available.