Ubuntu 4144-1: Linux kernel vulnerabilities
Several security issues were fixed in the Linux kernel.
WordPress 5.3 Beta 2 is now available! This software is still in development, so we don’t recommend running it on a production site. Consider setting up a test site to play with the new version. You can test the WordPress 5.3 beta in two ways: Try the WordPress Beta Tester plugin (choose the “bleeding edge […]
Upstream announcement: Welcome to **phpMyAdmin 4.9.1**, a bugfix release. This is a regularly-schedule bugfix release that also includes some security hardening measures. We wish to point out that this also includes a routine fix for an issue that has been reported as CVE-2019-12922. The fix for this has been in our release queue to be part of this release, however it is the opinion of
– Update to 2.16.3 – Side channel attack on deterministic ECDSA (CVE-2019-16910) Release notes: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.3-and-2.7.12-released Security Advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10
An update for rh-nodejs10-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
SDL 2.0 could be made to crash or run programs as your login if it opened a specially crafted file.
e2fsprogs could be made to execute arbitrary code if it is running in a crafted ext4 partition.
An update for the nodejs:10 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
This update includes the latest release of the Apache HTTP Server, version `2.4.41`, fixing various security issues. Several major enhancements are also included in this update: * `mod_md` is now packaged from upstream *github* releases. * `mod_cgid` stderr handling has been improved See http://www.apache.org/dist/httpd/CHANGES_2.4.41 for a full list of changes since
Fix KDC crash when logging PKINIT enctypes (CVE-2019-14844) This is a purely denial-of-service issue, though it is unauthenticated, and is unlikely to trigger by accident.
Two vulnerabilities were found in the WPA protocol implementation found in wpa_supplicant (station) and hostapd (access point). CVE-2019-13377
– double free due to subsequent call of realloc() (CVE-2019-5481) – fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)
Security fix for CVE-2019-14822
Exim could be made to crash or run programs if it received specially crafted network traffic.
It was discovered that file-roller, an archive manager for GNOME, does not properly handle the extraction of archives with a single ./../ in a file path. An attacker able to provide a specially crafted archive for processing can take advantage of this flaw to overwrite files if a user
A buffer overflow flaw was discovered in Exim, a mail transport agent. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code.
– rebase to latest upstream version 9.27 – security fixes added for: – CVE-2019-14811 (bug #1747908) – CVE-2019-14812 (bug #1747907) – CVE-2019-14813 (bug #1747906) – CVE-2019-14817 (bug #1747909)
Lilith of Cisco Talos discovered a buffer overflow flaw in the quota code used by e2fsck from the ext2/ext3/ext4 file system utilities. Running e2fsck on a malformed file system can result in the execution of arbitrary code.
It was discovered that the Go programming language accepted and normalized invalid HTTP/1.1 headers with a space before the colon, which could lead to filter bypasses or request smuggling in some setups.
An update for redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS. Red Hat Product Security has rated this update as having a security impact
In the September 2019 survey we received responses from 1,291,178,101 sites across 241,131,705 unique domain names and 9,068,313 web-facing computers. This reflects a gain of 19 million sites, 1.69 million domains and 119,000 computers.
All major vendors gained sites this month. The largest gain was for nginx with an increase of 20.6 million sites, followed by Microsoft (+2.9 million), Google (+2.1 million) and Apache (+462,000). This extends nginx’s lead as the largest web server vendor by number of sites; it gained 1.12 percentage points taking it to a 32.7% market share. nginx also showed the largest gains in number of unique domains and web-facing computers.
The largest gain within the top million sites this month was by LiteSpeed, which also saw gains in hostnames, domains, and web-facing computers. The September survey saw 1,422 more sites within the top million using this light-weight Apache alternative, an 8.0% increase. This was accompanied by increases of 480,000 sites (+2.6%), 326,000 domains (+9.4%) and 1,665 web-facing computers (+8.1%).
There are losses in market share for both Apache and nginx as the largest server vendors by number of active sites. Apache lost 22,000 active sites while nginx gained 915,000; due to large gains elsewhere this amounted to Apache losing 0.94pp and nginx losing 0.11pp. Google gained 800,000 active sites and 0.16pp of market share to retake third place from Cloudflare; Cloudflare gained 591,000 sites. The largest increase of active sites was in sites running openresty with an increase of 1.04 million.
Apache 2.4.41 was released on August 14th bringing several security fixes. This is the first release of Apache 2.4 since 2.4.39 was released on April 1st.
OpenLiteSpeed released a major new feature in version 1.6.0 on September 10th adding support for QUIC and HTTP/3 as well as a new one-click build tool and support for more platforms.
Both OpenResty and Tengine released versions incorporating the nginx patches that fix the HTTP/2 related security issues discussed in last month’s blog. OpenResty version 1.15.8.2 was released on September 8th and Tengine 2.3.2 released on August 20th.
Developer | August 2019 | Percent | September 2019 | Percent | Change |
---|---|---|---|---|---|
nginx | 401,454,029 | 31.56% | 422,048,243 | 32.69% | 1.12 |
Apache | 374,277,243 | 29.43% | 374,739,321 | 29.02% | -0.40 |
Microsoft | 187,109,423 | 14.71% | 189,991,312 | 14.71% | 0.00 |
| 30,969,259 | 2.43% | 33,058,930 | 2.56% | 0.13 |
Security fix for CVE-2019-1010228
An update for kibana is now available for Red Hat OpenShift Container Platform 4.1. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
An update for golang-github-openshift-oauth-proxy-container is now available for Red Hat OpenShift Container Platform 4.1. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
An update for logging-elasticsearch5-container is now available for Red Hat OpenShift Container Platform 4.1. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
The end of the 2019 WebPros Summit has come, and it was an event for the books. We have enjoyed getting to spend time with all of you, and cannot wait to do this again next year! We owe huge thanks to all of our attendees, sponsors, and exhibitors. We strive to put on the best event we possibly can for you, and joining us for these past few days is incredibly worth it. A big …
An update for gRPC, included in sriov-network-device-plugin-container, is now available for Red Hat OpenShift Container Platform 4.1. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,