Researchers discover malicious npm packages
Daily Archives: July 6, 2022
subversion-1.14.2-5.fc36
FEDORA-2022-2af658b090
Packages in this update:
subversion-1.14.2-5.fc36
Update description:
This update includes the latest stable release of Apache Subversion, version 1.14.2. This update addresses two security issues, CVE-2021-28544 and CVE-2022-24070.
For more information see https://subversion.apache.org/security/CVE-2022-24070-advisory.txt and https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
Client-side bugfixes:
Don’t show unreadable copyfrom paths in ‘svn log -v’
Fix -r option documentation for some svnadmin subcommands
Fix error message encoding when system() call fails
Fix assertion failure in conflict resolver
Client-side improvements and bugfixes:
Support multiple working copy formats (1.8-onward, 1.15)
Server-side bugfixes:
Fix use-after-free of object-pools when running in httpd (issue SVN-4880)
subversion-1.14.2-5.fc35
FEDORA-2022-13cc09ecf2
Packages in this update:
subversion-1.14.2-5.fc35
Update description:
This update includes the latest stable release of Apache Subversion, version 1.14.2. This update addresses two security issues, CVE-2021-28544 and CVE-2022-24070.
For more information see https://subversion.apache.org/security/CVE-2022-24070-advisory.txt and https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
Client-side bugfixes:
Don’t show unreadable copyfrom paths in ‘svn log -v’
Fix -r option documentation for some svnadmin subcommands
Fix error message encoding when system() call fails
Fix assertion failure in conflict resolver
Client-side improvements and bugfixes:
Support multiple working copy formats (1.8-onward, 1.15)
Server-side bugfixes:
Fix use-after-free of object-pools when running in httpd (issue SVN-4880)
php-8.1.8-1.fc36
FEDORA-2022-ec0491574d
Packages in this update:
php-8.1.8-1.fc36
Update description:
PHP version 8.1.8 (07 Jul 2022)
Core:
Fixed bug GH-8338 (Intel CET is disabled unintentionally). (Chen, Hu)
Fixed leak in Enum::from/tryFrom for internal enums when using JIT (ilutov)
Fixed calling internal methods with a static return type from extension code. (Sara)
Fixed bug GH-8655 (Casting an object to array does not unwrap refcount=1 references). (Nicolas Grekas)
Fixed potential use after free in php_binary_init(). (Heiko Weber)
CLI:
Fixed GH-8827 (Intentionally closing std handles no longer possible). (cmb)
Curl:
Fixed CURLOPT_TLSAUTH_TYPE is not treated as a string option. (Pierrick)
Date:
Fixed bug php#72963 (Null-byte injection in CreateFromFormat and related functions). (Derick)
Fixed bug php#74671 (DST timezone abbreviation has incorrect offset). (Derick)
Fixed bug php#77243 (Weekdays are calculated incorrectly for negative years). (Derick)
Fixed bug php#78139 (timezone_open accepts invalid timezone string argument). (Derick)
Fileinfo:
Fixed bug php#81723 (Heap buffer overflow in finfo_buffer). (CVE-2022-31627) (cmb)
FPM:
Fixed bug php#67764 (fpm: syslog.ident don’t work). (Jakub Zelenka)
GD:
Fixed imagecreatefromavif() memory leak. (cmb)
MBString:
mb_detect_encoding recognizes all letters in Czech alphabet (alexdowad)
mb_detect_encoding recognizes all letters in Hungarian alphabet (alexdowad)
Fixed bug GH-8685 (pcre not ready at mbstring startup). (Remi)
Backwards-compatible mappings for 0x5C/0x7E in Shift-JIS are restored, after they had been changed in 8.1.0. (Alex Dowad)
ODBC:
Fixed handling of single-key connection strings. (Calvin Buckley)
OPcache:
Fixed bug GH-8591 (tracing JIT crash after private instance method change). (Arnaud, Dmitry, Oleg Stepanischev)
OpenSSL:
Fixed bug php#50293 (Several openssl functions ignore the VCWD). (Jakub Zelenka, cmb)
Fixed bug php#81713 (NULL byte injection in several OpenSSL functions working with certificates). (Jakub Zelenka)
PDO_ODBC:
Fixed handling of single-key connection strings. (Calvin Buckley)
ZDI-22-949: (0Day) xhyve e1000 Stack-based Buffer Overflow Local Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of xhyve. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability.
DSA-5178 intel-microcode – security update
This update ships updated CPU microcode for some types of Intel CPUs and
provides mitigations for security vulnerabilities.