FEDORA-FLATPAK-2022-cdc846885c
Packages in this update:
flatpak-runtime-f37-3720221025175532.2
flatpak-sdk-f37-3720221025175532.2
Update description:
Security fixes for openssl CVE-2022-3602 and CVE-2022-3786
flatpak-runtime-f37-3720221025175532.2
flatpak-sdk-f37-3720221025175532.2
Security fixes for openssl CVE-2022-3602 and CVE-2022-3786
flatpak-runtime-f36-3620221025180145.2
flatpak-sdk-f36-3620221025180145.2
Security fixes for openssl CVE-2022-3602 and CVE-2022-3786
Add google-noto-sans-mono-vf-fonts to runtime
See https://github.com/fedora-silverblue/issue-tracker/issues/299
As with the recent addition of the serif fonts, this is necessary for flatpaks to show monospace fonts correctly in some cases. We believe fontconfig should manage to fall back correctly to a different font in these cases, but currently it does not, so it makes sense to add the Fedora default font to the runtime as a mitigation.
Of those thinking of leaving their current organization, a third would do so within the next six months, according to the research
Passwords have always been a pain point in securing computing infrastructure. Complexity and length are key components of a strong password, but both make it inherently difficult for a human to remember. Additionally, passwords should be changed periodically, fine when you’re working with a handful of devices, but when your network is distributed geographically with hundreds, or thousands of computers things get more complex. Fortunately, Microsoft has had a solution to this problem in the form of Local Administrator Password Solution (LAPS), though it’s certainly not marketed as heavily as other Microsoft solutions. LAPS is a utility that enables local administrator passwords to be set programmatically based on a provided schedule using the complexity parameters you define.
Cybersecurity vendor Netacea has announced the launch of a new Business Logic Intelligence Service (BLIS) designed to give customers actionable insight to help them tackle malicious bot activity and security threats. The firm said that the tiered, fee-based service will provide organizations with bot threat intelligence based on research including analysis of dark web forums and marketplaces. Earlier this year, the 2022 Imperva Bad Bot Report revealed an uptick in malicious bot activity driving online fraud and cyberattacks with bots becoming more sophisticated and better equipped to evade detection.
python-yara-4.2.3-1.el8
yara-4.2.3-1.el8
Fix CVE-2021-45429
firefox-106.0.3-1.fc35
Updated to 106.0.3
New upstream version (106.0.1)
Today, the OpenSSL Project released a new version of OpenSSL (v3.0.7). Last week’s early announcement indicated at first this was a CRITICAL vulnerability and included a fix for it. There was various chatter that this recent disclosure could be potentially similar to HEARTBLEED , but after today’s announcement the issue was downgraded from CRITICAL to HIGH.Two vulnerabilities were disclosed, both are X.509 Email Address Buffer Overflows, and are vulnerable to denial of service attacks and the other, remote code execution.Why is this Significant?This is significant because the critical vulnerability exists in OpenSSL which is a widely adopted cryptographical toolkit used to achieve secure communications over the internet. Past critical vulnerabilities in OpenSSL resulted in remote code execution and information leaks, where the highest profile disclosure was HeartBleed back in 2014. What are the Details of the Critical Vulnerability in OpenSSL?Disclosed today by OpenSSL are two vulnerabilities:CVE-2022-3602 – X.509 Email Address 4-byte Buffer Overflow A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.CVE-2022-3786 – X.509 Email Address Variable Length Buffer Overflow A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.’ character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).Are there Reports of Exploitation in the Wild?According to OpenSSL, no.What is the CVE Assignment for the Vulnerability?CVE-2022-3602 and CVE-2022-3786 have been assigned to these vulnerabilities.What is the CVSS score?According to OpenSSL, they do not provide CVSS scores.What is the Status of Protection?There is no information available to allow FortiGuard Labs to investigate protection. We are monitoring the situation closely and will update this Threat Signal when protection information becomes available. For further information on products affected by this latest disclosure, please reference the OpenSSL3 critical vulnerability from Fortinet PSIRT in the Appendix section.Any Recommended Mitigation?OpenSSL suggests users operating TLS servers may consider disabling TLS client authentication, if it is being used, until fixes are applied. FortiGuard Labs highly recommends organizations utilizing OpenSSL update OpenSSL to version 3.0.7.
Nicky Mouha discovered a buffer overflow in the sha3 module of PyPy, a
fast, compliant alternative implementation of the Python language.
xen-4.15.3-7.fc35
Xenstore: Guests can crash xenstored [XSA-414, CVE-2022-42309]
Xenstore: Guests can create orphaned Xenstore nodes [XSA-415,
CVE-2022-42310]
Xenstore: guests can let run xenstored out of memory [XSA-326,
CVE-2022-42311, CVE-2022-42312, CVE-2022-42313, CVE-2022-42314,
CVE-2022-42315, CVE-2022-42316, CVE-2022-42317, CVE-2022-42318]
Xenstore: Guests can cause Xenstore to not free temporary memory
[XSA-416, CVE-2022-42319]
Xenstore: Guests can get access to Xenstore nodes of deleted domains
[XSA-417, CVE-2022-42320]
Xenstore: Guests can crash xenstored via exhausting the stack
[XSA-418, CVE-2022-42321]
Xenstore: Cooperating guests can create arbitrary numbers of nodes
[XSA-419, CVE-2022-42322, CVE-2022-42323]
Oxenstored 32->31 bit integer truncation issues [XSA-420, CVE-2022-42324]
Xenstore: Guests can create arbitrary number of nodes via transactions
[XSA-421, CVE-2022-42325, CVE-2022-42326]
add patch to fix an incorrect backport
Arm: unbounded memory consumption for 2nd-level page tables [XSA-409,
CVE-2022-33747] (#2135268)
P2M pool freeing may take excessively long [XSA-410, CVE-2022-33746]
(#2135641)
lock order inversion in transitive grant copy handling [XSA-411,
CVE-2022-33748] (#2135263)