Read Time:2 Second
Researchers discover malicious npm packages
Monthly Archives: July 2022
subversion-1.14.2-5.fc36
Read Time:40 Second
FEDORA-2022-2af658b090
Packages in this update:
subversion-1.14.2-5.fc36
Update description:
This update includes the latest stable release of Apache Subversion, version 1.14.2. This update addresses two security issues, CVE-2021-28544 and CVE-2022-24070.
For more information see https://subversion.apache.org/security/CVE-2022-24070-advisory.txt and https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
Client-side bugfixes:
Don’t show unreadable copyfrom paths in ‘svn log -v’
Fix -r option documentation for some svnadmin subcommands
Fix error message encoding when system() call fails
Fix assertion failure in conflict resolver
Client-side improvements and bugfixes:
Support multiple working copy formats (1.8-onward, 1.15)
Server-side bugfixes:
Fix use-after-free of object-pools when running in httpd (issue SVN-4880)
subversion-1.14.2-5.fc35
Read Time:40 Second
FEDORA-2022-13cc09ecf2
Packages in this update:
subversion-1.14.2-5.fc35
Update description:
This update includes the latest stable release of Apache Subversion, version 1.14.2. This update addresses two security issues, CVE-2021-28544 and CVE-2022-24070.
For more information see https://subversion.apache.org/security/CVE-2022-24070-advisory.txt and https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
Client-side bugfixes:
Don’t show unreadable copyfrom paths in ‘svn log -v’
Fix -r option documentation for some svnadmin subcommands
Fix error message encoding when system() call fails
Fix assertion failure in conflict resolver
Client-side improvements and bugfixes:
Support multiple working copy formats (1.8-onward, 1.15)
Server-side bugfixes:
Fix use-after-free of object-pools when running in httpd (issue SVN-4880)
php-8.1.8-1.fc36
Read Time:1 Minute, 36 Second
FEDORA-2022-ec0491574d
Packages in this update:
php-8.1.8-1.fc36
Update description:
PHP version 8.1.8 (07 Jul 2022)
Core:
Fixed bug GH-8338 (Intel CET is disabled unintentionally). (Chen, Hu)
Fixed leak in Enum::from/tryFrom for internal enums when using JIT (ilutov)
Fixed calling internal methods with a static return type from extension code. (Sara)
Fixed bug GH-8655 (Casting an object to array does not unwrap refcount=1 references). (Nicolas Grekas)
Fixed potential use after free in php_binary_init(). (Heiko Weber)
CLI:
Fixed GH-8827 (Intentionally closing std handles no longer possible). (cmb)
Curl:
Fixed CURLOPT_TLSAUTH_TYPE is not treated as a string option. (Pierrick)
Date:
Fixed bug php#72963 (Null-byte injection in CreateFromFormat and related functions). (Derick)
Fixed bug php#74671 (DST timezone abbreviation has incorrect offset). (Derick)
Fixed bug php#77243 (Weekdays are calculated incorrectly for negative years). (Derick)
Fixed bug php#78139 (timezone_open accepts invalid timezone string argument). (Derick)
Fileinfo:
Fixed bug php#81723 (Heap buffer overflow in finfo_buffer). (CVE-2022-31627) (cmb)
FPM:
Fixed bug php#67764 (fpm: syslog.ident don’t work). (Jakub Zelenka)
GD:
Fixed imagecreatefromavif() memory leak. (cmb)
MBString:
mb_detect_encoding recognizes all letters in Czech alphabet (alexdowad)
mb_detect_encoding recognizes all letters in Hungarian alphabet (alexdowad)
Fixed bug GH-8685 (pcre not ready at mbstring startup). (Remi)
Backwards-compatible mappings for 0x5C/0x7E in Shift-JIS are restored, after they had been changed in 8.1.0. (Alex Dowad)
ODBC:
Fixed handling of single-key connection strings. (Calvin Buckley)
OPcache:
Fixed bug GH-8591 (tracing JIT crash after private instance method change). (Arnaud, Dmitry, Oleg Stepanischev)
OpenSSL:
Fixed bug php#50293 (Several openssl functions ignore the VCWD). (Jakub Zelenka, cmb)
Fixed bug php#81713 (NULL byte injection in several OpenSSL functions working with certificates). (Jakub Zelenka)
PDO_ODBC:
Fixed handling of single-key connection strings. (Calvin Buckley)
ZDI-22-949: (0Day) xhyve e1000 Stack-based Buffer Overflow Local Privilege Escalation Vulnerability
Read Time:11 Second
This vulnerability allows local attackers to escalate privileges on affected installations of xhyve. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability.
DSA-5178 intel-microcode – security update
Read Time:6 Second
This update ships updated CPU microcode for some types of Intel CPUs and
provides mitigations for security vulnerabilities.
webkit2gtk3-2.36.4-1.fc36
Read Time:24 Second
FEDORA-2022-fdb75e7766
Packages in this update:
webkit2gtk3-2.36.4-1.fc36
Update description:
Fix the new ATSPI accessibility implementation to add the missing Collection interface for the loaded document.
Fix the MediaSession implementation to make the MPRIS object names more sandbox friendly, which plays better with Flatpak and WebKit’s own Bubblewrap-based sandboxing.
Fix leaked Web Processes in some particular situations.
Fix several crashes and rendering issues.
Security fixes: CVE-2022-22662, CVE-2022-26710
webkit2gtk3-2.36.4-1.fc35
Read Time:24 Second
FEDORA-2022-6b749525f3
Packages in this update:
webkit2gtk3-2.36.4-1.fc35
Update description:
Fix the new ATSPI accessibility implementation to add the missing Collection interface for the loaded document.
Fix the MediaSession implementation to make the MPRIS object names more sandbox friendly, which plays better with Flatpak and WebKit’s own Bubblewrap-based sandboxing.
Fix leaked Web Processes in some particular situations.
Fix several crashes and rendering issues.
Security fixes: CVE-2022-22662, CVE-2022-26710
Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
Read Time:32 Second
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
APT campaign targeting SOHO routers highlights risks to remote workers
Read Time:43 Second
A targeted attack campaign has been compromising home and small-business routers since late 2020 with the goal of hijacking network communications and infecting local computers with stealthy and sophisticated backdoors. Attacks against home routers are not new, but the implants used by attackers in this case were designed for local network reconnaissance and lateral movement instead of just abusing the router itself.
“The rapid shift to remote work in spring of 2020 presented a fresh opportunity for threat actors to subvert traditional defense-in-depth protections by targeting the weakest points of the new network perimeter—devices that are routinely purchased by consumers but rarely monitored or patched—small office/home office (SOHO) routers,” researchers from Black Lotus Labs, the threat intelligence arm of telecommunications company Lumen Technologies said in a recent report.