This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.
Twice in the past month KrebsOnSecurity has heard from readers who’ve had their accounts at big-three credit bureau Experian hacked and updated with a new email address that wasn’t theirs. In both cases the readers used password managers to select strong, unique passwords for their Experian accounts. Research suggests identity thieves were able to hijack the accounts simply by signing up for new accounts at Experian using the victim’s personal information and a different email address.
John Turner is a software engineer based in Salt Lake City. Turner said he created the account at Experian in 2020 to place a security freeze on his credit file, and that he used a password manager to select and store a strong, unique password for his Experian account.
Turner said that in early June 2022 he received an email from Experian saying the email address on his account had been changed. Experian’s password reset process was useless at that point because any password reset links would be sent to the new (impostor’s) email address.
An Experian support person Turner reached via phone after a lengthy hold time asked for his Social Security Number (SSN) and date of birth, as well as his account PIN and answers to his secret questions. But the PIN and secret questions had already been changed by whoever re-signed up as him at Experian.
“I was able to answer the credit report questions successfully, which authenticated me to their system,” Turner said. “At that point, the representative read me the current stored security questions and PIN, and they were definitely not things I would have used.”
Turner said he was able to regain control over his Experian account by creating a new account. But now he’s wondering what else he could do to prevent another account compromise. That’s because Experian does not offer any type of multi-factor authentication options on consumer accounts.
“The most frustrating part of this whole thing is that I received multiple ‘here’s your login information’ emails later that I attributed to the original attackers coming back and attempting to use the ‘forgot email/username’ flow, likely using my SSN and DOB, but it didn’t go to their email that they were expecting,” Turner said. “Given that Experian doesn’t support two-factor authentication of any kind — and that I don’t know how they were able to get access to my account in the first place — I’ve felt very helpless ever since.”
To be clear, Experian does have a business unit that sells one-time password services to businesses. But it does not offer this directly to consumers who sign up to manage their credit file at Experian’s website.
Arthur Rishi is a musician and co-executive director of the Boston Landmarks Orchestra. Rishi said he recently discovered his Experian account had been hijacked after receiving an alert from his credit monitoring service (not Experian’s) that someone had tried to open an account in his name at JPMorgan Chase.
Rishi said the alert surprised him because his credit file at Experian was frozen at the time, and Experian did not notify him about any activity on his account. Rishi said Chase agreed to cancel the unauthorized account application, and even rescinded its credit inquiry (each credit pull can ding your credit score slightly).
But he never could get anyone from Experian’s support to answer the phone, despite spending what seemed like eternity trying to progress through the company’s phone-based system. That’s when Rishi decided to see if he could create a new account for himself at Experian.
“I was able to open a new account at Experian starting from scratch, using my SSN, date of birth and answering some really basic questions, like what kind of car did you take out a loan for, or what city did you used to live in,’ Rishi said.
Upon completing the sign-up, Rishi noticed that his credit was unfrozen.
Like Turner, Rishi is now worried that identity thieves will just hijack his Experian account once more, and that there is nothing he can do to prevent such a scenario. For now, Rishi has decided to pay Experian $25.99 a month to more closely monitor his account for suspicious activity. Even using the paid Experian service, there were no additional multi-factor authentication options available, although he said Experian did send a one-time code to his phone via SMS recently when he logged on.
“Experian now sometimes does require MFA for me now if I use a new browser or have my VPN on,” Rishi said, but he’s not sure if Experian’s free service would have operated differently.
“I get so angry when I think about all this,” he said. “I have no confidence this won’t happen again.”
In a written statement, Experian suggested that what happened to Rishi and Turner was not a normal occurrence, and that its security and identity verification practices extend beyond what is visible to the user.
“We believe these are isolated incidents of fraud using stolen consumer information,” Experian’s statement reads. “Specific to your question, once an Experian account is created, if someone attempts to create a second Experian account, our systems will notify the original email on file.”
“We go beyond reliance on personally identifiable information (PII) or a consumer’s ability to answer knowledge-based authentication questions to access our systems,” the statement continues. “We do not disclose additional processes for obvious security reasons; however, our data and analytical capabilities verify identity elements across multiple data sources and are not visible to the consumer. This is designed to create a more positive experience for our consumers and to provide additional layers of protection. We take consumer privacy and security seriously, and we continually review our security processes to guard against constant and evolving threats posed by fraudsters.”
KrebsOnSecurity sought to replicate Turner and Rishi’s experience — to see if Experian would allow me to re-create my account using my personal information but a different email address. The experiment was done from a different computer and Internet address than the one that created the original account years ago.
After providing my Social Security Number (SSN), date of birth, and answering several multiple choice questions whose answers are derived almost entirely from public records, Experian promptly changed the email address associated with my credit file. It did so without first confirming that new email address could respond to messages, or that the previous email address approved the change.
Experian’s system then sent an automated message to the original email address on file, saying the account’s email address had been changed. The only recourse Experian offered in the alert was to sign in, or send an email to an Experian inbox that replies with the message, “this email address is no longer monitored.”
After that, Experian prompted me to select new secret questions and answers, as well as a new account PIN — effectively erasing the account’s previously chosen PIN and recovery questions. Once I’d changed the PIN and security questions, Experian’s site helpfully reminded me that I have a security freeze on file, and would I like to remove or temporarily lift the security freeze?
How does Experian differ from the practices of Equifax and TransUnion, the other two big consumer credit reporting bureaus? When KrebsOnSecurity tried to re-create an existing account at TransUnion using my Social Security number, TransUnion rejected the application, noting that I already had an account and prompting me to proceed through its lost password flow. The company also appears to send an email to the address on file asking to validate account changes.
Likewise, trying to recreate an existing account at Equifax using personal information tied to my existing account prompts Equifax’s systems to report that I already have an account, and to use their password reset process (which involves sending a verification email to the address on file).
KrebsOnSecurity has long urged readers in the United States to place a security freeze on their files with the three major credit bureaus. With a freeze in place, potential creditors can’t pull your credit file, which makes it very unlikely anyone will be granted new lines of credit in your name. I’ve also advised readers to plant their flag at the three major bureaus, to prevent identity thieves from creating an account for you and assuming control over your identity.
The experiences of Rishi, Turner and this author suggest Experian’s practices currently undermine both of those proactive security measures. Even so, having an active account at Experian may be the only way you find out when crooks have assumed your identity. Because at least then you should receive an email from Experian saying they gave your identity to someone else.
In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.
A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.
Emory Roan, policy counsel for the Privacy Rights Clearinghouse, said Experian not offering multi-factor authentication for consumer accounts is inexcusable in 2022.
“They compound the problem by gating the recovery process with information that’s likely available or inferable from third party data brokers, or that could have been exposed in previous data breaches,” Roan said. “Experian is one of the largest Consumer Reporting Agencies in the country, trusted as one of the few essential players in a credit system Americans are forced to be part of. For them to not offer consumers some form of (free) MFA is baffling and reflects extremely poorly on Experian.”
Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley, said Experian has no real incentive to do things right on the consumer side of its business. That is, he said, unless Experian’s customers — banks and other lenders — choose to vote with their feet because too many people with frozen credit files are having to deal with unauthorized applications for new credit.
“The actual customers of the credit service don’t realize how much worse Experian is, and this isn’t the first time Experian has screwed up horribly,” Weaver said. “Experian is part of a triopoly, and I’m sure this is costing their actual customers money, because if you have a credit freeze that gets lifted and somebody loans against it, it’s the lender who eats that fraud cost.”
And unlike consumers, he said, lenders do have a choice in which of the triopoly handles their credit checks.
“I do think it’s important to point out that their real customers do have a choice, and they should switch to TransUnion and Equifax,” he added.
More greatest hits from Experian:
2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service
android-tools-31.0.2-2.fc35
buildah-1.23.4-2.fc35
ceph-16.2.9-3.fc35
cheat-4.2.2-4.fc35
clipman-1.6.1-3.fc35
deepin-api-5.4.11-4.fc35
deepin-daemon-5.13.49-2.fc35
deepin-desktop-schemas-5.9.41-2.fc35
docker-distribution-2.6.2-17.git48294d9.fc35
git-octopus-2.0-0.4.beta.3.fc35.12
go-bindata-3.0.7-22.gita0ff256.fc35
godep-62-17.fc35
golang-entgo-ent-0.10.0-4.fc35
golang-github-client9-gospell-0-0.11.20190524git90dfc71.fc35
golang-github-elves-elvish-0.15.0-4.fc35
golang-github-facebook-time-0-0.7.20220304git3c26ea4.fc35
golang-github-google-dap-0.4.0-3.fc35
golang-github-gosexy-gettext-0.9-7.fc35
golang-github-hub-2.14.2-8.fc35
golang-github-jacobsa-oglemock-0-0.8.20190622gite94d794.fc35~bootstrap
golang-github-kalafut-imohash-1.0.2-3.fc35
golang-github-letsencrypt-pebble-2.3.1-5.fc35
golang-github-lofanmi-pinyin-1.0-4.fc35
golang-github-lunixbochs-vtclean-1.0.0-8.fc35
golang-github-mbndr-figlet4go-0-0.8.20191009gitd6cef5b.fc35
golang-github-mozillazg-pinyin-0.18.0-5.fc35
golang-github-msprev-fzf-bibtex-1.1-3.20210317git53c49fa.fc35
golang-github-rfjakob-gocryptfs-1.8.0-6.fc35
golang-github-rickb777-date-1.15.3-4.fc35
golang-github-sqshq-sampler-1.1.0-9.fc35
golang-github-tomnomnom-xtermcolor-0.1.2-8.fc35
golang-github-tscholl2-siec-0-3.20211128git9bdfc48.fc35
golang-github-zyedidia-highlight-0-0.6.20200218git291680f.fc35
golang-nanomsg-mangos-3-3.2.1-3.fc35
golang-rsc-pdf-0.1.1-10.fc35
golang-starlark-0-0.7.20210113gite81fc95.fc35
gomtree-0.4.0-11.fc35
gotun-0-0.14.gita9dbe4d.fc35
grafana-7.5.15-3.fc35
grafana-pcp-3.2.0-2.fc35
gron-0.7.1-2.fc35
kompose-1.17.0-9.fc35
oci-seccomp-bpf-hook-1.2.5-3.fc35
origin-3.11.2-6.fc35
osbuild-composer-56-2.fc35
pack-0.27.0-2.fc35
podman-3.4.7-2.fc35
popub-0-0.13.20171007git6ffa11c.fc35
reposurgeon-4.31-2.fc35
restic-0.12.1-3.fc35
singularity-3.8.7-2.fc35
stargz-snapshotter-0.10.2-4.fc35
tmux-top-0.1.1-2.fc35
xe-guest-utilities-latest-7.30.0-4.fc35
Rebuild for CVE-2022-{24675,28327,29526 in golang}
Multiple security issues were discovered in Chromium, which could result
in the execution of arbitrary code, denial of service or information
disclosure.
golang-github-facebookincubator-contest-0-0.4.20210706gitceebc35.fc37
golang-github-facebookincubator-dhcplb-0-0.4.20210706git2e66b27.fc37
golang-github-facebookincubator-go2chef-1.0-2.fc37
golang-github-facebookincubator-nvdtools-0.1.4-5.fc37
golang-github-gojuno-minimock-3.0.10-3.fc37
golang-github-hexdigest-gowrap-1.1.12-4.fc37
golang-github-liamg-scout-0.15.1-4.fc37
golang-github-mdlayher-ethernet-0-0.5.20201109git0394541.fc37
golang-github-niklasfasching-org-1.6.2-2.fc37
golang-github-path-network-mmproxy-2.1-3.fc37
golang-github-shopify-toxiproxy-2.1.4-10.fc37
golang-github-skynetservices-skydns-2.5.3-22.20200802git94b2ea0.fc37
golang-github-sophaskins-efs2tar-0-0.4.20210317git4db1b0f.fc37
golang-github-task-3.14.0-2.fc37
golang-github-theoapp-theo-agent-0.14.0-4.fc37
golang-github-tinylib-msgp-1.1.5-5.fc37
golang-mvdan-sh-3-3.4.3-4.fc37
golang-x-tools-0.1.10-2.fc37
Rebuild for CVE-2022-{24675,28327,29526} in golang and other go ecosystem CVEs
These packages were missed in the initial rawhide go ecosystem rebuild a couple weeks ago
3mux-1.1.0-5.fc35
act-1.6.0-6.fc35
aerc-0.10.0-4.fc35
age-1.0.0-5.fc35
apache-cloudstack-cloudmonkey-6.2.0-3.fc35
aquatone-1.7.0-7.fc35
aron-0-0.6.20200626git7eade58.fc35
asciigraph-0.5.5-2.fc35
asnip-0-0.6.20200618git44ba98b.fc35
assetfinder-0.1.0-6.fc35
bettercap-2.32.0-4.fc35
butane-0.15.0-2.fc35
caddy-2.3.0-3.fc35
cadvisor-0.44.1-3.fc35
chisel-1.7.7-3.fc35
clash-1.6.5-3.fc35
commit-stream-0.1.2-7.fc35
containerd-1.6.6-4.fc35
direnv-2.32.1-2.fc35
dnscrypt-proxy-2.1.1-4.fc35
dnsx-1.1.0-3.fc35
douceur-0.2.0-14.fc35
duf-0.8.1-3.fc35
exercism-3.0.13-8.fc35
ffuf-1.0.2-6.fc35
geoipupdate-4.8.0-3.fc35
gh-2.13.0-3.fc35
gitjacker-0.0.2-6.fc35
glide-0.13.2-10.fc35
goaltdns-0-0.7.20200627git2b3e8a3.fc35
gobuster-3.1.0-3.fc35
godoctor-0.6-12.fc35
godotenv-1.4.0-4.fc35
gojq-0.12.8-3.fc35
golang-ariga-atlas-0.3.6-3.fc35
golang-bug-serial-1-1.3.3-2.fc35
golang-contrib-opencensus-resource-0.1.2-7.fc35
golang-etcd-bbolt-1.3.6-4.fc35
golang-gioui-0-8.20201225git18d4dbf.fc35
golang-github-a8m-envsubst-1.3.0-2.fc35
golang-github-a8m-tree-0-0.16.20210725gitce3525c.fc35
golang-github-ajstarks-deck-0-0.12.20210114git30c9fc6.fc35
golang-github-akavel-rsrc-0.10.2-4.fc35
golang-github-alecthomas-chroma-0.10.0-3.fc35
golang-github-aliyun-cli-3.0.104-4.s20220118git031f9f2.fc35
golang-github-aliyun-ossutil-1.7.9-3.fc35
golang-github-andybalholm-cascadia-1.2.0-6.fc35
golang-github-apache-beam-2-2.33.0~RC1-7.fc35
golang-github-appc-docker2aci-0.17.2-9.fc35
golang-github-appc-goaci-0.1.1-12.fc35
golang-github-appc-spec-0.8.11-14.fc35
golang-github-aryann-difflib-0-0.5.20200822gite206f87.fc35
golang-github-aws-lambda-1.24.0-3.fc35
golang-github-axgle-mahonia-0-0.13.20181112git3358181.fc35
golang-github-bifurcation-mint-0-0.9.20200724git93c820e.fc35
golang-github-bobesa-domain-util-0-0.6.20200504git4033b5f.fc35
golang-github-burntsushi-toml-1.0.0-5.fc35
golang-github-burntsushi-toml-test-0.2.0-11.20210108git9767d20.fc35
golang-github-burntsushi-xgb-0-0.15.20210108git5f9e7b3.fc35
golang-github-cactus-statsd-client-5.0.0-5.fc35
golang-github-c-bata-prompt-0.2.6-4.fc35
golang-github-cespare-xxhash-2.1.1-5.fc35
golang-github-chai2010-gettext-1.0.2-6.fc35
golang-github-cheekybits-genny-1.0.0-9.20200724git3e22f1a.fc35
golang-github-chris-ramon-douceur-0.2.0-5.20200910gitf346305.fc35
golang-github-christrenkamp-goxpath-0-0.6.20200627gitc5096ec.fc35
golang-github-chromedp-0.6.12-5.fc35
golang-github-cilium-ebpf-0.8.0-2.fc35
golang-github-client9-plaintext-0-0.8.20190703git5bf47e7.fc35
golang-github-cloudflare-0.17.0-3.fc35
golang-github-cloudflare-redoctober-0-0.9.20210114git99c99a8.fc35
golang-github-cockroachdb-pebble-0-0.6.20210108git48f5530.fc35
golang-github-colinmarc-hdfs-2-2.2.0-4.fc35
golang-github-containerd-continuity-0.2.2-3.fc35
golang-github-containerd-fuse-overlayfs-snapshotter-1.0.2-7.fc35
golang-github-containerd-stargz-snapshotter-0.10.1-3.fc35
golang-github-containernetworking-cni-1.1.1-4.fc35
golang-github-coredns-corefile-migration-1.0.11-6.fc35
golang-github-cpu-goacmedns-0.1.1-5.fc35
golang-github-cpuguy83-md2man-2.0.2-2.fc35
golang-github-crossdock-0-0.8.20190628git049aabb.fc35
golang-github-cucumber-godog-0.11.0-4.fc35
golang-github-dave-jennifer-1.4.1-5.fc35
golang-github-deepmap-oapi-codegen-1.8.2-3.fc35
golang-github-dgrijalva-jwt-3.2.0-11.fc35
golang-github-docker-distribution-2.7.1-9.20200815git35b26de.fc35
golang-github-dreamacro-shadowsocks2-0.1.7-3.fc35
golang-github-dustinkirkland-petname-0-0.5.20200605git8e5a1ed.fc35
golang-github-eknkc-amber-0-0.17.20190601gitcdade1c.fc35
golang-github-elazarl-bindata-assetfs-1.0.1-9.fc35
golang-github-emersion-smtp-0.15.0-4.fc35
golang-github-envoyproxy-protoc-gen-validate-0.4.1-6.fc35
golang-github-etcd-io-gofail-0-0.3.20210808gitad7f989.fc35
golang-github-evanphx-json-patch-5.5.0-3.fc35
golang-github-evanw-esbuild-0.14.38-2.fc35
golang-github-facebookincubator-contest-0-0.4.20210706gitceebc35.fc35
golang-github-facebookincubator-dhcplb-0-0.4.20210706git2e66b27.fc35
golang-github-facebookincubator-go2chef-1.0-2.fc35
golang-github-facebookincubator-ntp-0-0.5.20210617git69c3282.fc35
golang-github-facebookincubator-nvdtools-0.1.4-5.fc35
golang-github-fernet-0-0.9.20200726giteff2850.fc35
golang-github-francoispqt-gojay-1.2.13-7.fc35
golang-github-fvbommel-util-0.0.3-5.fc35
golang-github-gdamore-tcell-1.4.0-5.fc35
golang-github-gdamore-tcell-2-2.5.0-2.fc35
golang-github-geertjohan-rice-1.0.2-5.fc35
golang-github-gobuffalo-here-0.6.2-5.fc35
golang-github-gobwas-ws-1.1.0-3.fc35
golang-github-goccy-yaml-1.9.5-3.fc35
golang-github-gocolly-colly-2-2.1.0-4.20210920git2f09941.fc35
golang-github-gogo-googleapis-1.4.1-4.fc35
golang-github-gogo-protobuf-1.3.2-5.fc35
golang-github-gohugoio-localescompressed-1.0.1-2.fc35
golang-github-gohugoio-testmodbuilder-0-0.10.20201030git72e1e0c.fc35
golang-github-gojuno-minimock-3.0.10-3.fc35
golang-github-golangci-lint-1-0-0.5.20200828gitd2cdd8c.fc35
golang-github-googleapis-gnostic-0.5.3-6.fc35
golang-github-googlecloudplatform-cloudsql-proxy-1.19.1-6.fc35
golang-github-google-jsonnet-0.17.0-5.fc35
golang-github-google-martian-3.1.0-9.fc35
golang-github-google-pprof-0-16.20210802gitc50bf4f.fc35
golang-github-google-slothfs-0-0.11.20200727git59c1163.fc35
golang-github-google-wire-0.4.0-6.fc35
golang-github-gorhill-cronexpr-1.0.0-4.fc35
golang-github-grpc-ecosystem-gateway-2-2.7.3-4.fc35
golang-github-gucumber-0-0.23.20190703git7d5c79e.fc35
golang-github-haproxytech-client-native-2.5.3-3.fc35
golang-github-haproxytech-dataplaneapi-2.4.4-4.fc35
golang-github-hashicorp-consul-migrate-0.1.0-9.20190602git678fb10.fc35
golang-github-hashicorp-hclog-0.15.0-5.fc35
golang-github-hashicorp-memdb-1.3.0-5.fc35
golang-github-hashicorp-serf-0.9.5-5.fc35
golang-github-hashicorp-sockaddr-1.0.2-11.fc35
golang-github-hexdigest-gowrap-1.1.12-4.fc35
golang-github-hpcloud-tail-1.0.0-10.20190325gita1dbeea.fc35
golang-github-insomniacslk-termhook-0-6.20210406gita267c97.fc35
golang-github-instrumenta-kubeval-0.15.0-8.fc35
golang-github-intel-goresctrl-0.2.0-6.fc35
golang-github-jamesclonk-vultr-2.0.2-4.fc35
golang-github-j-keck-arping-1.0.1-4.fc35
golang-github-jmespath-0.4.0-5.fc35
golang-github-jsonnet-bundler-0.4.0-8.fc35
golang-github-jwt-3.2.2-3.fc35
golang-github-krishicks-yaml-patch-0.0.10-8.20200307git05b3177.fc35
golang-github-kr-text-0.2.0-5.fc35
golang-github-kyokomi-emoji-2.2.8-5.fc35
golang-github-ledisdb-0.6-5.20210112gitd35789e.fc35
golang-github-leonelquinteros-gotext-1.5.0-2.fc35
golang-github-leveldb-0-0.9.20190701git259d925.fc35
golang-github-liamg-scout-0.12.0-5.fc35
golang-github-liamg-tml-0.3.0-4.fc35
golang-github-magefile-mage-1.11.0-5.fc35
golang-github-mailru-easyjson-0.7.6-5.fc35
golang-github-markbates-pkger-0.17.1-5.fc35
golang-github-martinhoefling-goxkcdpwgen-0.1.0-2.fc35
golang-github-maruel-panicparse-1.6.0-5.fc35
golang-github-mattermost-xml-roundtrip-validator-0-0.5.20210103git8fd2afa.fc35
golang-github-mattn-colorable-0.1.8-7.fc35
golang-github-mdlayher-dhcp6-0-0.8.20200429git2a67805.fc35
golang-github-mdlayher-ethernet-0-0.5.20201109git0394541.fc35
golang-github-mgutz-ansi-0-0.13.20200729gitd51e80e.fc35
golang-github-mholt-archiver-3.5.1-3.fc35
golang-github-microcosm-cc-bluemonday-1.0.17-3.fc35
golang-github-mmarkdown-mmark-2.2.10-5.fc35
golang-github-moby-buildkit-0.9.0-4.fc35~bootstrap
golang-github-mock-1.4.4-4.fc35
golang-github-morikuni-aec-1.0.0-5.fc35
golang-github-mrunalp-fileutils-0.5.0-5.fc35
golang-github-multiformats-multibase-0.0.3-2.20220213gitf067816.fc35
golang-github-multiformats-multihash-0.1.0-2.fc35
golang-github-mvo5-uboot-0.4-10.fc35
golang-github-nats-io-nkeys-0.2.0-5.fc35
golang-github-nats-io-streaming-server-0.20.0-5.fc35
golang-github-nbutton23-zxcvbn-0.1-8.20210110gite56b841.fc35
golang-github-nicksnyder-i18n-2-2.1.2-5.fc35
golang-github-niklasfasching-org-1.6.2-2.fc35
golang-github-nxadm-tail-1.4.6-4.fc35
golang-github-oklog-0.3.2-11.20190701gitca7cdf5.fc35
golang-github-oklog-ulid-2.0.2-10.fc35
golang-github-olekukonko-tablewriter-0.0.5-3.fc35
golang-github-oneofone-xxhash-1.2.8-5.fc35
golang-github-onsi-ginkgo-2-2.1.4-2.fc35
golang-github-pact-foundation-1.5.1-6.fc35
golang-github-path-network-mmproxy-2.1-3.fc35
golang-github-pdfcpu-0.3.13-2.fc35
golang-github-pelletier-toml-1.9.4-2.fc35
golang-github-pelletier-toml-2-2.0.0~beta.8-4.fc35
golang-github-phayes-freeport-1.0.2-6.fc35
golang-github-pierrec-lz4-4.1.3-5.fc35
golang-github-pierrre-geohash-1.0.0-4.fc35
golang-github-pkg-diff-0-0.4.20210406git20ebb0f.fc35
golang-github-posener-complete-1.2.3-8.fc35
golang-github-posener-complete-2-2.0.1~alpha.13-5.fc35
golang-github-pquerna-ffjson-0-0.9.20200730gitaa0246c.fc35
golang-github-pressly-goose-2.7.0-4.fc35
golang-github-projectdiscovery-chaos-client-0.2.0-2.fc35
golang-github-projectdiscovery-mapcidr-0.0.8-3.fc35
golang-github-prometheus-2.32.1-6.fc35
golang-github-prometheus-alertmanager-0.23.0-10.fc35
golang-github-prometheus-node-exporter-1.3.1-9.fc35
golang-github-prometheus-prom2json-1.3.0-8.20210811git90766c0.fc35
golang-github-prometheus-tsdb-0.10.0-8.fc35
golang-github-quay-claircore-0.5.4-5.fc35
golang-github-quay-goval-parser-0.8.6-4.fc35
golang-github-rakyll-statik-0.1.7-4.fc35
golang-github-rcrowley-metrics-0-0.28.20210110gitcf1acfc.fc35
golang-github-redteampentesting-monsoon-0.6.0-6.fc35
golang-github-rogpeppe-internal-1.8.1-2.fc35
golang-github-rubenv-sql-migrate-0-0.4.20210529gita32ed26.fc35
golang-github-rwcarlsen-goexif-0-0.9.20191017git9e8deec.fc35
golang-github-segmentio-ksuid-1.0.4-3.fc35
golang-github-shellcode33-vm-detection-0-0.6.20200715git4fd05cb.fc35
golang-github-shopify-toxiproxy-2.1.4-10.fc35
golang-github-shulhan-bindata-3.6.1-4.fc35
golang-github-shurcool-vfsgen-0-0.11.20210113git0d455de.fc35
golang-github-skip2-qrcode-0-2.20220316gitda1b656.fc35
golang-github-skynetservices-skydns-2.5.3-22.20200802git94b2ea0.fc35
golang-github-snappy-0.0.2-6.fc35
golang-github-sophaskins-efs2tar-0-0.4.20210317git4db1b0f.fc35
golang-github-sourcegraph-syntaxhighlight-0-0.11.20180418gitbd320f5.fc35
golang-github-spf13-cobra-1.4.0-3.fc35
golang-github-spyzhov-ajson-0.4.2-10.fc35
golang-github-task-3.14.0-2.fc35
golang-github-tdewolff-minify-2.11.10-3.fc35
golang-github-temoto-robotstxt-1.1.1-5.fc35
golang-github-theoapp-theo-agent-0.14.0-4.fc35
golang-github-theupdateframework-notary-0.7.0-6.fc35
golang-github-tinylib-msgp-1.1.5-5.fc35
golang-github-tklauser-numcpus-0.2.3-7.fc35
golang-github-twitchtv-twirp-8.1.0-4.fc35
golang-github-twpayne-waypoint-0-0.4.20210130git4f8e6bf.fc35
golang-github-uber-athenadriver-1.1.12-5.fc35
golang-github-ulikunitz-xz-0.5.10-4.fc35
golang-github-u-root-iscsinl-0.1.0-4.fc35
golang-github-valyala-fasthttp-1.19.0-4.fc35
golang-github-vbatts-tar-split-0.11.1-10.fc35
golang-github-vincent-petithory-dataurl-0-0.7.20200110gitd1553a7.fc35
golang-github-vmware-govmomi-0.24.0-5.fc35
golang-github-xordataexchange-crypt-0.0.2-12.20190412gitb2862e3.fc35
golang-github-xo-terminfo-0-0.6.20210113gitc22d04b.fc35
golang-gitlab-commonmark-linkify-0-0.9.20200805git64bca66.fc35
golang-google-appengine-1.6.7-5.fc35
golang-google-protobuf-1.27.1-3.fc35
golang-gopkg-neurosnap-sentences-1-1.0.6-14.fc35
golang-gopkg-square-jose-2-2.6.0-3.fc35
golang-gopkg-src-d-git-4-4.13.1-8.fc35
golang-honnef-tools-2021.1-2.fc35
golang-jaytaylor-html2text-0-0.2.20220509gitbc68cce.fc35
golang-k8s-apiextensions-apiserver-1.22.0-6.fc35
golang-k8s-code-generator-1.22.0-4.fc35
golang-k8s-kube-aggregator-1.22.0-4.fc35
golang-k8s-kube-openapi-0-0.19.20210813git3c81807.fc35
golang-k8s-pod-security-admission-1.22.0-3.fc35
golang-k8s-sample-apiserver-1.22.0-5.fc35
golang-k8s-sample-cli-plugin-1.22.0-2.fc35
golang-k8s-sample-controller-1.22.0-4.fc35
golang-modernc-golex-1.0.1-5.fc35
golang-mongodb-mongo-driver-1.4.5-6.fc35
golang-mvdan-sh-3-3.4.3-4.fc35
golang-mvdan-xurls-2.2.0-6.fc35
golang-sourcegraph-appdash-0-0.9.20210113gitebfcffb.fc35
golang-storj-drpc-0.0.31-2.fc35
golang-vbom-util-0-0.11.20190520gitefcd4e0.fc35
golang-x-build-0-0.21.20201229git0a4bf69.fc35
golang-x-mod-0.6.0~dev-3.20220330git9b9b3d8.fc35
golang-x-perf-0-0.15.20210123gitbdcc622.fc35
golang-x-text-0.3.7-3.fc35~bootstrap
golang-x-tools-0.1.10-2.fc35
goloris-0-0.6.20200326gita59fafb.fc35
google-guest-agent-20201217.02-4.fc35
gopass-1.13.1-3.fc35
gotags-1.4.1-8.fc35
grpcurl-1.8.6-3.fc35
hakrevdns-0-0.5.20201116git9fa2d59.fc35
hcloud-1.29.5-2.fc35
htmltest-0.15.0-3.fc35
httpdump-0-0.6.20200714gite6fa868.fc35
httprobe-0.1.2-6.fc35
hulk-0-0.6.20200620git9670699.fc35
ignition-2.14.0-3.fc35
jid-0.7.6-9.fc35
kiln-0.3.1-3.fc35
manifest-tool-1.0.3-5.fc35
mass3-0-0.6.20200627gite1d5f1a.fc35
meg-0.2.4-6.fc35
meshbird-2.3-6.fc35
micro-2.0.8-5.fc35
moby-engine-20.10.17-4.fc35
mqttcli-0.2.3-2.fc35
nats-server-2.1.9-6.fc35
netscanner-0-0.5.20201116git8baab36.fc35
nex-20210330-2.fc35
ohmybackup-0-0.6.20200526git50f2fce.fc35
podman-tui-0.2.1-2.fc35
powerline-go-1.22.1-2.fc35
reg-0.16.1-8.fc35
runc-1.1.2-2.fc35
shellz-1.5.0-7.fc35
shhgit-0.2-7.fc35
snapd-2.56.2-2.fc35
snowcrash-0-0.7.20201119git49b99ad.fc35
source-to-image-1.3.1-4.fc35
sysutil-0-0.7.20200615git15668db.fc35
terrier-0.0.2-6.fc35
tiedot-3.4-8.fc35
tinygo-0.23.0-5.fc35
vgrep-2.5.6-2.fc35
vultr-1.15.0-9.fc35
vultr-cli-2.14.2-2.fc35
webanalyze-0.3.1-6.fc35
weldr-client-35.5-2.fc35
wgctrl-0-0.11.20210811git4253848.fc35
xq-0.0.7-4.fc35
yggdrasil-0.2.98^1.ffb580f-0.2.20220127gitffb580f.fc35
yubihsm-connector-3.0.2-2.fc35
Rebuild for CVE-2022-{24675,28327,29526} in golang and other go ecosystem CVEs
This contains the result from the mass rebuild in F35 for all packages that
require golang and provide binaries to mitigate the following CVEs:
golang itself:
CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode
CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar
CVE-2022-29526 golang: syscall: faccessat checks wrong group
(There are some Go CVEs that are a little bit older that will also be
mitigated by the rebuild for packages that haven’t been updated recently)
CVEs in other golang libraries that affect a subset of Go packages:
CVE-2022-21698 golang-github-prometheus-client: prometheus/client_golang:
Denial of service using InstrumentHandlerCounter
CVE-2022-1996 go-restful: Authorization Bypass Through User-Controlled Key
Initial import for golang-github-a8m-envsubst
Resolves: rhbz#2074406
Initial package
Resolves: rhbz#2074438
Update to v3.14.0 (close rhbz#2105612)
Fix merge
Update to 1.22.1 – Close: rhbz#2077577
Things haven’t gone as smoothly as Microsoft (and, indeed, the rest of us) might have hoped…
In a move to broaden its portfolio of cybersecurity products, Boston-based threat intelligence collection and analysis firm Recorded Future has reached an agreement to purchase Dutch malware analysis company Hatching
Recorded Future offers a wide range of different types of intelligence on digital threats, using proprietary predictive analytics to track public documents, potentially compromised credentials, and dark web traffic for insights into potential threats to client organizations. The addition of Hatching—whose specialty is malware sandboxing and analysis—broadens the company’s portfolio substantially.
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2015. Notes: none.
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2015. Notes: none.
