Non-Microsoft patch update: Apple, Linux, Oracle, and more

The past year and a half has been a period of change and uncertainty for people worldwide. Much of what had been constant and routine before was suspended, including some of my regular monthly articles on this blog. But life is slowly returning to normal in many places, and I’m happy to resume rounding up the third-party patches here every 30 (ish) days. Of course, attackers who exploit software vulnerabilities didn’t take a hiatus during that time, and, in fact, computer security and the integrity of our operating systems and applications became even more important as an unprecedented number of people suddenly transitioned from working in controlled office environments to working from home. It’s been a challenge both for individuals and for company IT departments to stay ahead of the zero-day attacks and keep all those systems in all those different places updated and secured.

Managing so many systems remotely presented new challenges. According to Statista, more than a thousand data breaches were reported in 2020, exposing the personal information of over 155 million people. The trend has continued into 2021, with a plethora of major breaches occurring during the first five months. Many of these happened to large, well-known companies with huge investments in security. Small and midsized organizations, while they might not be high-profile targets, are just as vulnerable.

Applying the appropriate security updates is the first and one of the most important steps in protecting your business from the same fate.

Let’s take a look at the patches released in May by some of the major software vendors. (Microsoft Patch Tuesday updates are addressed in a separate article each month; click here for the May update.)

Apple

It was a big patching month for Apple, which released thirteen security updates across its product line. The following updates were released on May 24:

  • Safari 14.1.1 for macOS Catalina and macOS Mojave. Patches 10 vulnerabilities in WebKit and WebRTC, including denial of service, information disclosure, cross-site scripting, and arbitrary code execution issues.
  • Security Update 2021-003 Catalina for macOS Catalina. Fixes 48 vulnerabilities in various operating system components, including validation, information disclosure, denial of service, elevation of privilege, memory disclosure, application termination, security bypass, and arbitrary code execution issues.
  • Security Update 2021-004 Mojave for macOS Mojave. Fixes 30 vulnerabilities in various operating system components, including validation, information disclosure, denial of service, elevation of privilege, memory disclosure, application termination, security bypass, and arbitrary code execution issues.
  • macOS Big Sur 11.4 for macOS Big Sur. This update addresses many of the same issues as those for Catalina and Mojave. A zero-day vulnerability (XCSSET Malware Access) was also discovered, which led experts to advise installing this update immediately.
  • iOS 14.6 and iPadOS 14.6 for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). Fixes 43 vulnerabilities in various components of the mobile operating system, many of which are the same issues addressed in the patches for Apple’s desktop operating systems described above.
  • tvOS 14.6 for Apple TV 4K and Apple TV HD. Fixes 26 vulnerabilities in various components of the TV operating system, including many of the same issues addressed in the desktop and mobile operating systems as described above.
  • watchOS 7.5 for Apple Watch Series 3 and later. Fixes 25 vulnerabilities in various components of the watch operating system, including many of the same issues addressed in the desktop and mobile operating systems as described above.

On May 17, Apple released:

  • Boot Camp 6.1.14 for Mac Pro (Late 2013 and later), MacBook Pro (Late 2013 and later), MacBook Air (Mid 2013 and later), Mac mini (Mid 2014 and later), iMac (Mid 2014 and later), MacBook (Early 2015 and later), iMac Pro (Late 2017). Fixes one memory corruption vulnerability that could allow elevation of privilege.

On May 4, Apple released:

  • Safari 14.1 for macOS Catalina and macOS Mojave. Fixes two vulnerabilities in Apple’s web browser, both in the WebKit component and both of which could allow arbitrary code execution.

On May 3, Apple released:

  • macOS Big Sur 11.3.1 for macOS Big Sur. Superseded by 11.4.
  • iOS 14.5.1 and iPadOS 14.5.1 for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). Superseded by 14.6.
  • iOS 12.5.3 for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). Fixes four vulnerabilities in Apple’s older mobile operating system versions, all in WebKit and WebKit Storage, all of which can allow arbitrary code execution.
  • watchOS 7.4.1 for Apple Watch Series 3 and later. Superseded by 7.5.

For more information about current and past patches and the vulnerabilities that they address, go to the Apple Support website.

Adobe


Like Apple, Adobe released an unusually large number of security updates in May, affecting a range of its products. All 12 of these were released on Adobe’s usual Patch Tuesday schedule on May 11.

  • APSB21-15 Security update for Adobe Experience Manager – two vulnerabilities, one important and one critical.
  • APSB21-22 Security updates for Adobe InDesign – three critical vulnerabilities
  • APSB21-24 Security update for Adobe Illustrator – five critical vulnerabilities
  • APSB21-25 Security updates for Adobe InCopy – one critical vulnerability
  • APSB21-27 Security update Adobe Genuine Service – one important vulnerability
  • APSB21-29 Security update for Adobe Acrobat and Reader – ten vulnerabilities, six critical and four important
  • APSB21-30 Security updates Magento – seven vulnerabilities, one important and six moderate
  • APSB21-31 Security update Adobe Creative Cloud Desktop Application – one critical vulnerability
  • APSB21-32 Security update for Adobe Media Encoder – one important vulnerability
  • APSB21-33 Security update Adobe After Effects – three vulnerabilities, two critical and one important
  • APSB21-34 Security updates Adobe Medium – one critical vulnerability
  • APSB21-35 Security update Adobe Animate – seven vulnerabilities, two critical and five important

The most widely used of these products are Adobe Acrobat and Reader. The patch for these fixes 10 vulnerabilities, six of them rated critical and eight of them arbitrary code execution issues. Also included are a memory leak and an elevation of privilege vulnerability.

Vulnerabilities patched in other Adobe products include denial of service, arbitrary JavaScript execution, information disclosure, improper authorization, cross-site scripting, unauthorized access to restricted resources, and security feature bypass issues.

For more information, see the security bulletin.

Google

Chrome web browser

Chrome 91 for Windows, Mac, and Linux was released by Google on May 25 and contains 32 security fixes. Issues patched include heap buffer overflow, use-after-free, out-of-bounds write, out-of-bounds read, out-of-bounds memory access, insufficient policy enforcement, and incorrect security UI in payments. Click here for more information.

Android OS


The May Android Security Bulletin discusses a number of vulnerabilities addressed by patch level 2021-05-05 or later. The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. Vulnerabilities that are addressed include elevation of privilege, information disclosure, and remote code execution issues rated high severity. These exist in the Framework, kernel, AMLogic, MediaTek, Unisoc, and Qualcomm components and include 28 separate vulnerabilities.

For more information about the vulnerabilities that are addressed by the Android updates, see Android Security Bulletin—May 2021.

Oracle

Oracle normally releases its critical patch updates on a quarterly cycle in January, April, July, and October. The most recent critical patch update occurred on April 19. The next scheduled release will be on July 20.

Oracle customers can read more about the current patch release on the Oracle website.

Mozilla

Firefox: On May 5, Mozilla released Firefox 88.0.1 and Firefox for Android 88.1.3. These fixed two security vulnerabilities:

CVE-2021-29953: Universal Cross-Site Scripting – Critical. A malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting vulnerability. This issue only affected Firefox for Android. Other operating systems are unaffected.

CVE-2021-29952: Race condition in Web Render Components – High severity. When Web Render components were destructed, a race condition could have caused undefined behavior, which, with enough effort, may have been exploitable to run arbitrary code.

Thunderbird: On May 17, Mozilla released Thunderbird 78.10.2. This version fixed two security vulnerabilities:

CVE-2021-29957: Partial protection of inline OpenPGP message not indicated – Low impact. If a MIME-encoded email contains an OpenPGP inline signed or encrypted message part but also contains an additional unprotected part, Thunderbird did not indicate that only parts of the message are protected.

CVE-2021-29956: Thunderbird stored OpenPGP secret keys without master password protection – Low impact. OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user’s local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys and will automatically protect keys that had been imported using affected Thunderbird versions.

For more information about Mozilla security updates, click here.

Linux


Popular Linux distros, as usual, have seen a number of security advisories and updates this month. Ubuntu issued the following fifty-five security advisories since last month’s roundup. Some of these advisories address a large number of vulnerabilities in a single advisory, and in some cases there are multiple advisories for the same vulnerabilities. Other commercial Linux vendors issued a similar number of updates. For more details about the vulnerabilities listed below, see Security notices | Ubuntu.

  • USN-4973-1: Python vulnerability – 01 June 2021. Python could allow unintended access to network services. CVE-2021-29921
  • USN-4972-1: PostgreSQL vulnerabilities – 01 June 2021. Several security issues were fixed in PostgreSQL. CVE-2021-32029, CVE-2021-32028, CVE-2021-32027
  • USN-4971-1: libwebp vulnerabilities – 01 June 2021. libwebp could be made to crash or run programs as your login if it opened a specially crafted file. CVE-2020-36331, CVE-2018-25010, CVE-2018-25011, and eight others
  • USN-4970-1: GUPnP vulnerability – 01 June 2021. GUPnP could allow unintended access to network services. CVE-2021-33516
  • USN-4968-2: LZ4 vulnerability – 31 May 2021. LZ4 could be made to crash or run programs if it opened a specially crafted file. CVE-2021-3520
  • USN-4967-2: nginx vulnerability – 27 May 2021. nginx could be made to crash or run programs if it received specially crafted network traffic. CVE-2021-23017
  • USN-4969-2: DHCP vulnerability – 27 May 2021. DHCP could be made to crash if it received specially crafted network traffic. CVE-2021-25217
  • USN-4969-1: DHCP vulnerability – 27 May 2021. DHCP could be made to crash if it received specially crafted network traffic. CVE-2021-25217
  • USN-4968-1: LZ4 vulnerability – 26 May 2021. LZ4 could be made to crash or run programs if it opened a specially crafted file. CVE-2021-3520
  • USN-4967-1: nginx vulnerability – 26 May 2021. nginx could be made to crash or run programs if it received specially crafted network traffic. CVE-2021-23017
  • USN-4966-2: libx11 vulnerability – 25 May 2021. libx11 could allow unintended access to services. CVE-2021-31535
  • USN-4965-2: Apport vulnerabilities – 25 May 2021. Several security issues were fixed in Apport. CVE-2021-32549, CVE-2021-32555, CVE-2021-32551, and eight others
  • USN-4966-1: libx11 vulnerability – 25 May 2021. libx11 could allow unintended access to services. CVE-2021-31535
  • USN-4965-1: Apport vulnerabilities – 25 May 2021. Several security issues were fixed in Apport. CVE-2021-32549, CVE-2021-32554, CVE-2021-32547, and eight others
  • USN-4964-1: Exiv2 vulnerabilities – 25 May 2021. Several security issues were fixed in Exiv2. CVE-2021-29464, CVE-2021-29463, CVE-2021-32617, and two others
  • USN-4962-1: Babel vulnerability – 19 May 2021. Babel could be made to execute arbitrary code if it received a specially crafted input. CVE-2021-20095
  • USN-4963-1: Pillow vulnerabilities – 19 May 2021. Pillow could be made to crash or hang if it opened a specially crafted file. CVE-2021-28677, CVE-2021-28675, CVE-2021-28678, and three others
  • USN-4961-1: pip vulnerability – 19 May 2021. pip could be made to install different git revisions.
  • USN-4960-1: runC vulnerability – 19 May 2021. runC could be made to overwrite files as the administrator. CVE-2021-30465
  • USN-4945-2: Linux kernel (Raspberry Pi) vulnerabilities – 19 May 2021. Several security issues were fixed in the Linux kernel. CVE-2021-29265, CVE-2021-28660, CVE-2021-30002, and four others
  • USN-4959-1: GStreamer Base Plugins vulnerability – 18 May 2021. GStreamer Base Plugins could be made to expose sensitive information if it received a specially crafted input. CVE-2021-3522
  • USN-4957-2: DjVuLibre vulnerabilities – 18 May 2021. Several security issues were fixed in DjVuLibre. CVE-2021-32491, CVE-2021-32492, CVE-2021-32493, and two others
  • USN-4958-1: Caribou vulnerability – 17 May 2021. Applications using Caribou could be made to crash if given specially crafted input.
  • USN-4957-1: DjVuLibre vulnerabilities – 17 May 2021. Several security issues were fixed in DjVuLibre. CVE-2021-32493, CVE-2021-32490, CVE-2021-3500, and two others
  • USN-4956-1: Eventlet vulnerability – 17 May 2021. Eventlet could be made to deny service if it received a specially crafted request. CVE-2021-21419
  • USN-4955-1: Please vulnerabilities – 17 May 2021. Several security issues were fixed in Please. CVE-2021-31155, CVE-2021-31154, CVE-2021-31153
  • USN-4628-3: Intel Microcode vulnerabilities – 17 May 2021. Several security issues were fixed in Intel Microcode. CVE-2020-8698, CVE-2020-8696, CVE-2020-8695
  • USN-4954-1: GNU C Library vulnerabilities – 14 May 2021. Several security issues were fixed in GNU C Library. CVE-2009-5155, CVE-2020-6096
  • USN-4953-1: AWStats vulnerabilities – 13 May 2021. Several security issues were fixed in AWStats. CVE-2020-35176, CVE-2017-1000501, CVE-2020-29600
  • USN-4932-2: Django vulnerability – 13 May 2021. Django could be made to overwrite files. CVE-2021-31542
  • USN-4952-1: MySQL vulnerabilities – 12 May 2021. Several security issues were fixed in MySQL. CVE-2021-2154, CVE-2021-2293, CVE-2021-2203, and 30 others
  • USN-4951-1: Flatpak vulnerability – 12 May 2021. A Flatpak application could access files that it would not normally be permitted to access. CVE-2021-21381
  • USN-4950-1: Linux kernel vulnerabilities – 11 May 2021. Several security issues were fixed in the Linux kernel. CVE-2021-3489, CVE-2021-3490,
  • USN-4949-1: Linux kernel vulnerabilities – 11 May 2021. Several security issues were fixed in the Linux kernel. CVE-2021-29265, CVE-2021-29264, CVE-2021-3489, and nine others
  • USN-4948-1: Linux kernel (OEM) vulnerabilities – 11 May 2021. Several security issues were fixed in the Linux kernel. CVE-2021-3489, CVE-2021-29649, CVE-2021-28951, and 18 others
  • USN-4946-1: Linux kernel vulnerabilities – 11 May 2021. Several security issues were fixed in the Linux kernel. CVE-2021-20292, CVE-2021-26930, CVE-2021-29264, and six others
  • USN-4947-1: Linux kernel (OEM) vulnerabilities – 11 May 2021. Several security issues were fixed in the Linux kernel. CVE-2020-35519, CVE-2021-29650, CVE-2021-29646, and two others
  • USN-4945-1: Linux kernel vulnerabilities – 11 May 2021. Several security issues were fixed in the Linux kernel. CVE-2021-29265, CVE-2021-28660, CVE-2021-28375, and four others
  • USN-4944-1: MariaDB vulnerabilities – 11 May 2021. Several security issues were fixed in MariaDB.
  • USN-4943-1: XStream vulnerabilities – 11 May 2021. Several security issues were fixed in XStream library. CVE-2020-26258, CVE-2021-21351, CVE-2021-21342, and 11 others
  • USN-4942-1: Firefox vulnerability – 10 May 2021. Firefox could be made to crash or run programs as your login if it opened a malicious website. CVE-2021-29952
  • USN-4941-1: Exiv2 vulnerabilities – 10 May 2021. Several security issues were fixed in Exiv2. CVE-2021-29458, CVE-2021-3482, CVE-2021-29470, and one other
  • USN-4940-1: PyYAML vulnerability – 10 May 2021. PyYAML could be made to run programs if it opened a specially crafted YAML file. CVE-2020-14343
  • USN-4939-1: WebKitGTK vulnerabilities – 10 May 2021. Several security issues were fixed in WebKitGTK. CVE-2021-1871, CVE-2021-1844, CVE-2021-1788
  • USN-4936-1: Thunderbird vulnerabilities – 06 May 2021. Several security issues were fixed in Thunderbird. CVE-2021-23969, CVE-2021-23978, CVE-2021-23968, and two others
  • USN-4938-1: Unbound vulnerabilities – 06 May 2021. Several security issues were fixed in Unbound. CVE-2019-25031, CVE-2019-25035, CVE-2019-25040, and 10 others
  • USN-4934-2: Exim vulnerabilities – 06 May 2021. Several security issues were fixed in Exim. CVE-2020-28011, CVE-2020-28009, CVE-2021-27216, and 13 others
  • USN-4937-1: GNOME Autoar vulnerability – 06 May 2021. GNOME Autoar could be made to overwrite files. CVE-2021-28650
  • USN-4935-1: NVIDIA graphics drivers vulnerabilities – 04 May 2021. Several security issues were fixed in NVIDIA graphics drivers. CVE-2021-1076, CVE-2021-1077
  • USN-4934-1: Exim vulnerabilities – 04 May 2021. Several security issues were fixed in Exim. CVE-2020-28022, CVE-2020-28026, CVE-2020-28009, and 18 others
  • USN-4932-1: Django vulnerability – 04 May 2021. Django could be made to overwrite files. CVE-2021-31542
  • USN-4933-1: OpenVPN vulnerabilities – 04 May 2021. Several security issues were fixed in OpenVPN. CVE-2020-15078, CVE-2020-11810
  • USN-4918-3: ClamAV regression – 03 May 2021. USN-4918-1 introduced a regression in ClamAV that could cause it to fail to scan.
  • USN-4931-1: Samba vulnerabilities – 03 May 2021. Several security issues were fixed in Samba. CVE-2020-14318, CVE-2020-14323, CVE-2020-14383, and one other
  • LSN-0076-1: Kernel Live Patch Security Notice – 03 May 2021. Several security issues were fixed in the kernel. CVE-2021-29154, CVE-2021-3493

Featured image: Shutterstock
