
CentOS Linux—the open, enterprise-class platform upon which Lumeta solutions are built—and third-party packages such as Postgres and Oracle JRE are continuously monitored by industry and community groups to uncover flaws. Upgrade packages that fix these flaws (tracked as CVEs, Common Vulnerabilities and Exposures) are made available by CentOS and by the third parties (Postgres, Oracle JRE) on an ongoing basis.

This page lists the security enhancements on our radar: the CVEs that Lumeta is actively addressing and expects to have fully resolved in upcoming releases of Lumeta Enterprise Edition.

| CVE Identifier | PKG | Reported | 3rd Party Patch Available? | Lumeta Patch Available? | Notes on vulnerability | Lumeta Resolved Version | Lumeta GA Date |
|---|---|---|---|---|---|---|---|
| CVE-2019-5436 | curl-7.29.0-59.el7.x86_64 | CentOS | yes | yes | A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1. https://access.redhat.com/security/cve/cve-2019-5436 | 4.2.0.0 | 4/27/2021 |
| CVE-2019-15903 | expat-2.1.0-12.el7.x86_64 | CentOS | yes | yes | In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. | 4.2.0.0 | 4/27/2021 |
| CVE-2019-5482 | curl-7.29.0-59.el7.x86_64 | CentOS | yes | yes | Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. https://access.redhat.com/security/cve/cve-2019-5482 | 4.2.0.0 | 4/27/2021 |
| CVE-2020-9383 | perf-3.10.0-1160.6.1.el7.x86_64 | CentOS | yes | yes | An out-of-bounds (OOB) memory access flaw was found in the floppy driver module in the Linux kernel. https://access.redhat.com/security/cve/CVE-2020-9383 | 4.2.0.0 | 4/27/2021 |
| CVE-2019-19126 | glibc-2.17-323.el7_9.x86_64 | CentOS | yes | yes | On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. https://access.redhat.com/security/cve/cve-2019-19126 | 4.2.0.0 | 4/27/2021 |
| CVE-2019-14907 | samba-winbind-modules-4.10.16-9.el7_9.x86_64 | CentOS | yes | yes | All Samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where, if configured with "log level = 3" (or above), the string obtained from the client after a failed character conversion is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process (such as the RPC server) to terminate. (In the file server case, the most likely target, smbd, operates as process-per-client and so a crash there is harmless.) https://access.redhat.com/security/cve/cve-2019-14907 | 4.2.0.0 | 4/27/2021 |
| CVE-2019-25013 | glibc-2.17-323.el7_9.x86_64 | CentOS | yes | yes | The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read. https://access.redhat.com/security/cve/cve-2019-25013 | 4.2.0.0 | 4/27/2021 |