From: The IPFire Project
To: ipfire-announce@lists.ipfire.org
Subject: IPFire 2.21 - Core Update 130 released
Date: Tue, 16 Apr 2019 21:53:57 +0100

https://blog.ipfire.org/post/ipfire-2-21-core-update-130-released

Just a couple of days after the release of IPFire 2.21 - Core Update 130, the next release is available. This is an emergency update with various bug fixes and a large number of security fixes.

Security

IPFire 2.21 - Core Update 130 contains security updates for the following packages:

• Apache 2.4.39: The Apache Web Server, which runs the IPFire Web User Interface, was vulnerable to various privilege escalations (CVE-2019-0211), access control bypasses (CVE-2019-0215, CVE-2019-0217), DoS attacks (CVE-2019-0197), a buffer overflow (CVE-2019-0196) and a URL normalisation inconsistency (CVE-2019-0220). They are all regarded as being of "low" severity.
• wget 1.20.3: wget has had multiple vulnerabilities that allowed an attacker to execute arbitrary code (CVE-2019-5953).
• clamav 0.101.2: ClamAV, the virus scanner, has had multiple vulnerabilities that allowed DoS and a buffer overflow in a bundled third-party library.

Although some of these vulnerabilities are only of low severity, we recommend installing this update as soon as possible!

IPsec Regression

The last update introduced a regression in the IPsec stack that left the firewall unable to access any hosts on the remote side when the tunnel was run in tunnel mode without any VTI/GRE interfaces. This update fixes that.