Stay Informed

This week, read about:

  • New Android Malware Steals Financial Data from 378 Banking and Wallet Apps.
  • Open Wearables Initiative Highlights Standards in Open-Source Algorithms.
  • Eclipse Foundation and OpenAtom Foundation Forge a Strategic Initiative Focused on OpenHarmony OS.

 

Key Security, Maintenance, and Features Releases

 

Security Updates

PHP 7.4.24, 7.3.31 and 8.0.11
PHP 7.4.24:
  • Fixed bug #81302 (Stream position after stream filter removed).
  • Fixed bug #81346 (Non-seekable streams don't update position after write).
  • Fixed bug #73122 (Integer Overflow when concatenating strings).
PHP 7.3.31:
  • Fixed bug #81420 (ZipArchive::extractTo extracts outside of destination). (CVE-2021-21706)
PHP 8.0.11:
  • Fixed bug #81302 (Stream position after stream filter removed).
  • Fixed bug #81346 (Non-seekable streams don't update position after write).
  • Fixed bug #73122 (Integer Overflow when concatenating strings).

OpenSSH 8.8
sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where an AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a different user. Instead these commands would inherit the groups that sshd(8) was started with.
Depending on system configuration, inherited groups may allow AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to gain unintended privilege.
Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand is enabled by default in sshd_config(5).
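
To check whether a host is in the affected configuration, the sketch below flags helper commands that run under a separate user on OpenSSH 6.2 through 8.7. It is an added example, not code from OpenSSH or from this newsletter; the function names, the helper path and the account name are hypothetical, and it reads only the text it is given (it does not follow Include directives).

```python
import re

# Command directive -> the "run as" user directive named in the OpenSSH 8.8 note.
PAIRS = {
    "authorizedkeyscommand": "authorizedkeyscommanduser",
    "authorizedprincipalscommand": "authorizedprincipalscommanduser",
}

def version_affected(version):
    """True for OpenSSH 6.2 through 8.7, the range given in the release note."""
    m = re.search(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"no version number in {version!r}")
    return (6, 2) <= (int(m.group(1)), int(m.group(2))) <= (8, 7)

def exposed_directives(config_text, version):
    """Return (directive, command, run-as user) for each helper that is affected."""
    if not version_affected(version):
        return []
    values = {}  # lower-cased keyword -> every value seen, Match blocks included
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        value = parts[1].strip() if len(parts) > 1 else ""
        values.setdefault(parts[0].lower(), []).append(value)
    findings = []
    for cmd_key, user_key in PAIRS.items():
        users = [u for u in values.get(user_key, []) if u.lower() != "none"]
        for cmd in values.get(cmd_key, []):
            if cmd.lower() != "none" and users:
                findings.append((cmd_key, cmd, users[0]))
    return findings

# Constructed sample configuration (hypothetical helper path and account name).
SAMPLE = """\
# constructed example
AuthorizedKeysCommand /usr/local/bin/fetch-keys %u
AuthorizedKeysCommandUser keyfetch
AuthorizedPrincipalsCommand none
"""

if __name__ == "__main__":
    for finding in exposed_directives(SAMPLE, "OpenSSH_8.4p1"):
        print("review supplemental groups inherited by:", finding)
```

Passing the output of `sshd -T` instead of the raw file checks the effective configuration. For any finding, compare the groups sshd(8) is started with against what the helper program should be allowed to access.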
 

Non-Security Updates

ISC BIND 9.16.21
https://downloads.isc.org/isc/bind9/9.16.21/doc/arm/html/notes.html#notes-for-bind-9-16-21
A recent change to the internal memory structure of zone databases inadvertently neglected to update the MAPAPI value for zone files in map format. This caused version 9.16.20 of named to attempt to load files into memory that were no longer compatible, triggering an assertion failure on startup. The MAPAPI value has now been updated, so named rejects outdated files when encountering them. [GL #2872]
Zone files in map format whose size exceeded 2 GB failed to load. This has been fixed. [GL #2878]
named was unable to run as a Windows Service under certain circumstances. This has been fixed. [GL #2837]
Stale data in the cache could cause named to send non-minimized queries despite QNAME minimization being enabled. This has been fixed. [GL #2665]
