Monthly Archives: March 2023

Advisories

USN-5949-1: Chromium vulnerabilities

Read Time:1 Minute, 50 Second

It was discovered that Chromium could be made to write out of bounds in
several components. A remote attacker could possibly use this issue to
corrupt memory via a crafted HTML page, resulting in a denial of service,
or possibly execute arbitrary code. (CVE-2023-0930, CVE-2023-1219,
CVE-2023-1220, CVE-2023-1222)

It was discovered that Chromium contained an integer overflow in the PDF
component. A remote attacker could possibly use this issue to corrupt
memory via a crafted PDF file, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2023-0933)

It was discovered that Chromium did not properly manage memory in several
components. A remote attacker could possibly use this issue to corrupt
memory via a crafted HTML page, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2023-0941, CVE-2023-0928,
CVE-2023-0929, CVE-2023-0931, CVE-2023-1213, CVE-2023-1216, CVE-2023-1218)

It was discovered that Chromium did not correctly distinguish data types
in several components. A remote attacker could possibly use this issue to
corrupt memory via a crafted HTML page, resulting in a denial of service,
or possibly execute arbitrary code. (CVE-2023-1214, CVE-2023-1215,
CVE-2023-1235)

It was discovered that Chromium insufficiently enforced policies. An
attacker could possibly use this issue to bypass navigation restrictions.
(CVE-2023-1221, CVE-2023-1224)

It was discovered that Chromium insufficiently enforced policies in Web
Payments API. A remote attacker could possibly use this issue to bypass
content security policy via a crafted HTML page. (CVE-2023-1226)

It was discovered that Chromium contained an inappropriate implementation
in the Permission prompts component. A remote attacker could possibly use
this issue to bypass navigation restrictions via a crafted HTML page.
(CVE-2023-1229)

It was discovered that Chromium insufficiently enforced policies in
Resource Timing component. A remote attacker could possibly use this issue
to obtain sensitive information. (CVE-2023-1232, CVE-2023-1233)

It was discovered that Chromium contained an inappropriate implementation
in the Internals component. A remote attacker could possibly use this
issue to spoof the origin of an iframe via a crafted HTML page.
(CVE-2023-1236)

Read More

Advisories

alsa-plugins-1.2.7.1-5.fc38 attract-mode-2.6.2-6.fc38 audacious-plugins-4.3-2.fc38 blender-3.4.1-16.fc38 celestia-1.7.0~20230305ebfcdb1-4.fc38 chromaprint-1.5.1-8.fc38 chromium-111.0.5563.64-2.fc38 ffmpeg-6.0-1.fc38 ffmpegthumbs-22.12.3-2.fc38 gstreamer1-plugin-libav-1.22.0-2.fc38 guacamole-server-1.5.0-2.fc38 haruna-0.10.3-3.fc38 indi-3rdparty-drivers-2.0.0-2.fc38 indi-3rdparty-libraries-2.0.0-1.fc38 k3b-22.12.3-2.fc38 kpipewire-5.27.2-2.fc38 kstars-3.6.3-1.fc38 libindi-2.0.0-3.fc38 loudgain-0.6.8-13.fc38 mlt-7.14.0-2.fc38 mpv-0.35.1-3.fc38 neatvnc-0.6.0-2.fc38 notcurses-3.0.8-6.fc38 nv-codec-headers-12.0.16.0-1.fc38 phd2-2.6.11^dev4^20230212a205f63-1.fc38 qmmp-2.1.2-4.fc38 qmmp-plugin-pack-2.1.0-5.fc38 qt6-qtmultimedia-6.4.2-4.fc38 qt6-qtwebengine-6.4.2-4.fc38 retroarch-1.15.0-4.fc38 siril-1.0.6-6.fc38 stellarium-1.2-8.fc38 unpaper-7.0.0-7.fc38 wf-recorder-0.3.1-0.3.20221225gita9725f7.fc38 xine-lib-1.2.13-1.fc38

Read Time:1 Minute, 38 Second

FEDORA-2023-a5e10b188a

Packages in this update:

alsa-plugins-1.2.7.1-5.fc38
attract-mode-2.6.2-6.fc38
audacious-plugins-4.3-2.fc38
blender-3.4.1-16.fc38
celestia-1.7.0~20230305ebfcdb1-4.fc38
chromaprint-1.5.1-8.fc38
chromium-111.0.5563.64-2.fc38
ffmpeg-6.0-1.fc38
ffmpegthumbs-22.12.3-2.fc38
gstreamer1-plugin-libav-1.22.0-2.fc38
guacamole-server-1.5.0-2.fc38
haruna-0.10.3-3.fc38
indi-3rdparty-drivers-2.0.0-2.fc38
indi-3rdparty-libraries-2.0.0-1.fc38
k3b-22.12.3-2.fc38
kpipewire-5.27.2-2.fc38
kstars-3.6.3-1.fc38
libindi-2.0.0-3.fc38
loudgain-0.6.8-13.fc38
mlt-7.14.0-2.fc38
mpv-0.35.1-3.fc38
neatvnc-0.6.0-2.fc38
notcurses-3.0.8-6.fc38
nv-codec-headers-12.0.16.0-1.fc38
phd2-2.6.11^dev4^20230212a205f63-1.fc38
qmmp-2.1.2-4.fc38
qmmp-plugin-pack-2.1.0-5.fc38
qt6-qtmultimedia-6.4.2-4.fc38
qt6-qtwebengine-6.4.2-4.fc38
retroarch-1.15.0-4.fc38
siril-1.0.6-6.fc38
stellarium-1.2-8.fc38
unpaper-7.0.0-7.fc38
wf-recorder-0.3.1-0.3.20221225gita9725f7.fc38
xine-lib-1.2.13-1.fc38

Update description:

FFmpeg 6.0 upgrade.

update to 111.0.5563.64. Fixes the following security issues:

CVE-2023-0927 CVE-2023-0928 CVE-2023-0929 CVE-2023-0930 CVE-2023-0931 CVE-2023-0932 CVE-2023-0933 CVE-2023-0941 CVE-2023-1213 CVE-2023-1214 CVE-2023-1215 CVE-2023-1216 CVE-2023-1217 CVE-2023-1218 CVE-2023-1219 CVE-2023-1220 CVE-2023-1221 CVE-2023-1222 CVE-2023-1223 CVE-2023-1224 CVE-2023-1225 CVE-2023-1226 CVE-2023-1227

Read More

Advisories

USN-5948-1: Werkzeug vulnerabilities

Read Time:21 Second

It was discovered that Werkzeug did not properly handle the parsing of
nameless cookies. A remote attacker could possibly use this issue to
shadow other cookies. (CVE-2023-23934)

It was discovered that Werkzeug could be made to process unlimited number
of multipart form data parts. A remote attacker could possibly use this
issue to cause Werkzeug to consume resources, leading to a denial of
service. (CVE-2023-25577)

Read More

News

Blackbaud penalized $3M for not disclosing the full scope of ransomware attack

Read Time:22 Second

Software firm Blackbaud has agreed to pay a $3 million penalty for failing to disclose the full scope of the ransomware attack it suffered in 2020, according to the US Securities and Exchange Commission (SEC).

South Carolina headquartered Blackbaud provides donor relationship management software to various non-profit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations.

To read this article in full, please click here

Read More

Advisories

USN-5946-1: XStream vulnerabilities

Read Time:1 Minute, 11 Second

Lai Han discovered that XStream incorrectly handled certain inputs.
If a user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a denial
of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-39140)

It was discovered that XStream incorrectly handled certain inputs. If
a user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04
LTS. (CVE-2021-39139, CVE-2021-39141, CVE-2021-39144, CVE-2021-39145,
CVE-2021-39146, CVE-2021-39147, CVE-2021-39148, CVE-2021-39149,
CVE-2021-39151, CVE-2021-39153, CVE-2021-39154)

It was discovered that XStream incorrectly handled certain inputs. If
a user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2021-39150, CVE-2021-39152)

Lai Han discovered that XStream incorrectly handled certain inputs.
If a user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to cause a denial
of service. (CVE-2022-41966)

Read More

Advisories

USN-5947-1: Twig vulnerabilities

Read Time:40 Second

Fabien Potencier discovered that Twig was not properly enforcing sandbox
policies when dealing with objects automatically cast to strings by PHP.
An attacker could possibly use this issue to expose sensitive information.
This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 18.04 ESM.
(CVE-2019-9942)

Marlon Starkloff discovered that Twig was not properly enforcing closure
constraints in some of its array filtering functions. An attacker could
possibly use this issue to execute arbitrary code. This issue was only
fixed in Ubuntu 20.04 ESM. (CVE-2022-23614)

Dariusz Tytko discovered that Twig was not properly verifying input data
utilized when defining pathnames used to access files in a system. An
attacker could possibly use this issue to access unauthorized resources
and expose sensitive information. (CVE-2022-39261)

Read More