[월:] 2020년 09월

USN-4471-2: Net-SNMP regression USN-4471-1 fixed a vulnerability in Net-SNMP. The updated introduced a regression making nsExtendCacheTime not settable. This update fixes the problem adding the cacheTime feature flag. Original advisory details: Tobias Neitzel discovered that Net-SNMP incorrectly handled certain symlinks. An attacker could possibly use this issue to access sensitive information. (CVE-2020-15861) It was discovered that Net-SNMP incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2020-15862) Source: USN-4471-2: Net-SNMP regression

USN-4480-1: OpenStack Keystone vulnerabilities It was discovered that OpenStack Keystone incorrectly handled EC2 credentials. An authenticated attacker with a limited scope could possibly create EC2 credentials with escalated permissions. (CVE-2020-12689, CVE-2020-12691) It was discovered that OpenStack Keystone incorrectly handled the list of roles provided with OAuth1 access tokens. An authenticated user could possibly end up with more role assignments than intended. (CVE-2020-12690) It was discovered that OpenStack Keystone incorrectly handled EC2 signature TTL checks. A remote attacker could possibly use this issue to reuse Authorization headers. (CVE-2020-12692) Source: USN-4480-1: OpenStack Keystone vulnerabilities

USN-4479-1: Django vulnerabilities It was discovered that Django, when used with Python 3.7 or higher, incorrectly handled directory permissions. A local attacker could possibly use this issue to obtain sensitive information, or escalate permissions. Source: USN-4479-1: Django vulnerabilities