OpenImageIO-2.4.6.1-1.fc37
Update to 2.4.6.1, see release notes for details:
https://github.com/OpenImageIO/oiio/releases
Security fix for
Two men have been convicted of hacking the taxi dispatch system at the JFK airport. This enabled them to reorder the taxis on the list; they charged taxi drivers $10 to cut the line.
The number of cybersecurity mergers and acquisitions deals in 2021 set a record pace. The first three quarters of the year saw 151 transactions in the industry, according to 451 Research. That’s up from 94 for the same period in 2020. That trend is likely to continue in 2022.
Many of the 2021 transactions CSO reported were in the identity and cloud security markets, especially toward the end of the year. This trend is likely to continue as these markets consolidate.
In all markets, larger firms are looking to expand their capabilities. Recorded Future’s acquisition of SecurityTrails is an early 2022 example, as it adds attack surface monitoring technology to Recorded Future’s offerings.
Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visiting a website with the page title set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the `printAppTitle.scpt` file.
webkitgtk-2.38.3-1.fc37
Update to 2.38.3:
Fix runtime critical warnings from media player.
Fix network process crash when fetching website data on ephemeral session.
Fix the build with Ruby 3.2.
Fix several crashes and rendering issues.
Security fixes: CVE-2022-42852, CVE-2022-42856, CVE-2022-42867, CVE-2022-46692, CVE-2022-46698, CVE-2022-46699, CVE-2022-46700
webkit2gtk3-2.38.3-1.fc36
Update to 2.38.3:
Fix runtime critical warnings from media player.
Fix network process crash when fetching website data on ephemeral session.
Fix the build with Ruby 3.2.
Fix several crashes and rendering issues.
Security fixes: CVE-2022-42852, CVE-2022-42856, CVE-2022-42867, CVE-2022-46692, CVE-2022-46698, CVE-2022-46699, CVE-2022-46700
is.js is a general-purpose check library. Versions 0.9.0 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). is.js uses a regex copy-pasted from a gist to validate URLs. Trying to validate a malicious string can cause the regex to loop “forever.” This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. is.js has no patch for this issue.
