A regression was discovered in the Http2UpgradeHandler class of Tomcat 9,
introduced by the patch for CVE-2023-44487 (the HTTP/2 Rapid Reset attack). A wrong
value for the overheadCount variable caused HTTP/2 connections to be closed early.
Yearly Archives: 2023
DSA-5528 node-babel7 – security update
William Khem-Marquez discovered that using malicious plugins for the
Babel JavaScript compiler could result in arbitrary code execution
during compilation.
CVE-2018-25091
urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or transmitted in cleartext. NOTE: this issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive).
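The check this advisory describes, as an added illustration (this is not urllib3's own code): a redirect is cross-origin when scheme, host or port changes, and on such a redirect the Authorization header must be dropped. The incomplete fix matched the header name case-sensitively, so a request that sent `authorization` in lower case still leaked the credential; the corrected version matches case-insensitively. Function names, the sample headers and the URLs are constructed for this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Header names that must never follow a cross-origin redirect (compared lower-cased).
SENSITIVE_HEADERS = {"authorization"}


def origin(url):
    """Return (scheme, host, port) with defaults applied and case folded."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "").lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_same_origin(from_url, to_url):
    return origin(from_url) == origin(to_url)


def strip_headers_case_sensitive(headers, from_url, to_url):
    """The incomplete fix: only the exact spelling 'Authorization' is removed."""
    if is_same_origin(from_url, to_url):
        return dict(headers)
    return {name: value for name, value in headers.items() if name != "Authorization"}


def strip_headers_for_redirect(headers, from_url, to_url):
    """Corrected behaviour: header names are matched case-insensitively."""
    if is_same_origin(from_url, to_url):
        return dict(headers)
    return {
        name: value
        for name, value in headers.items()
        if name.lower() not in SENSITIVE_HEADERS
    }


if __name__ == "__main__":
    # Constructed request headers: note the lower-case header name.
    headers = {"authorization": "Bearer s3cr3t", "Accept": "*/*"}
    src = "https://api.example.com/login"
    evil = "http://attacker.example.net/collect"   # different scheme and host
    print("buggy  :", strip_headers_case_sensitive(headers, src, evil))
    print("fixed  :", strip_headers_for_redirect(headers, src, evil))
    # Same origin with the default port spelled out: credentials may follow.
    print("same   :", strip_headers_for_redirect(headers, src, "https://API.example.com:443/v2"))
```

Note that the comparison also treats `https://host` and `https://host:443` as the same origin, and an `https` to `http` downgrade on the same host as cross-origin, which is the behaviour you want when the point is keeping a bearer token off the wire in cleartext.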
matrix-synapse-1.80.0-7.fc37
FEDORA-2023-954c2ec5bd
Packages in this update:
matrix-synapse-1.80.0-7.fc37
Update description:
Backport fix for CVE-2023-45129
CVE-2022-43868
IBM Security Verify Access OIDC Provider could disclose directory information that could aid attackers in further attacks against the system. IBM X-Force ID: 239445.
CVE-2022-43740
IBM Security Verify Access OIDC Provider could allow a remote user to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 238921.
CVE-2022-33165
IBM Security Directory Server 6.4.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 228582.
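The class of bug described above, with a defensive path resolver as an added example (not IBM's code and unrelated to how their product maps URLs to files): the request path is percent-decoded once, then walked segment by segment so that any `..` that would climb above the web root is rejected rather than silently clamped. The web root and request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote


def safe_join(web_root, request_path):
    """Map a URL path onto a file under web_root.

    Returns the resolved path, or None when the request contains a NUL byte
    or a '..' sequence (plain or percent-encoded) that would escape web_root.
    """
    decoded = unquote(request_path)          # decode exactly once
    if "\x00" in decoded:
        return None
    stack = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue                         # empty or current-directory segment
        if segment == "..":
            if not stack:
                return None                  # would climb above web_root: reject
            stack.pop()
            continue
        stack.append(segment)
    return posixpath.join(web_root, *stack)


if __name__ == "__main__":
    root = "/var/www/html"                   # constructed web root
    for path in ("/docs/index.html",
                 "/docs/../../etc/passwd",
                 "/docs/..%2f..%2fetc/passwd",
                 "/a/./b/../c.txt"):
        print(f"{path!r:32} -> {safe_join(root, path)}")
```

Because the walker refuses to pop an empty stack, a request like `/../../etc/passwd` is reported as an attack instead of being normalised to `/etc/passwd` under the root, which is what `posixpath.normpath` alone would do and which hides the probe from your logs.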
CVE-2022-33161
IBM Security Directory Server 6.4.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. X-Force ID: 228569.
CVE-2022-32755
IBM Security Directory Server 6.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 228505.
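Both outcomes named in this entry, external entity disclosure and memory exhaustion through entity expansion, come from letting the parser honour a DTD supplied by the sender. As an added example (not IBM's code), a parser built on Python's standard `xml.parsers.expat` that rejects any DOCTYPE before the first entity is declared and never loads parameter entities; the three XML documents are constructed for the example.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when an untrusted document carries a DTD."""


def parse_untrusted_xml(data):
    """Parse XML from an untrusted source; returns (element names, text).

    Any DOCTYPE declaration aborts parsing, so neither external entities
    (SYSTEM "file:///...") nor nested internal entities ("billion laughs")
    are ever expanded.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Never resolve parameter entities, which would fetch an external DTD subset.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXML("DOCTYPE not accepted from untrusted input: %s" % doctype_name)

    elements, text = [], []
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return elements, "".join(text)


def accepts(data):
    """True if the document parses without a DTD, False if it was rejected."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXML:
        return False


# Constructed inputs.
BENIGN = b"<user><name>alice</name></user>"
XXE = (b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b"<foo>&xxe;</foo>")
BILLION_LAUGHS = (b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
                  b"<lolz>&lol2;</lolz>")

if __name__ == "__main__":
    print("benign :", parse_untrusted_xml(BENIGN))
    for label, doc in (("xxe", XXE), ("laughs", BILLION_LAUGHS)):
        print(f"{label:7}:", "accepted" if accepts(doc) else "rejected")
```

Refusing the DOCTYPE outright is the simplest safe policy for data that arrives over the network; if a schema genuinely needs a DTD, the alternative is to keep the handler and instead forbid entity declarations, which is a larger surface to get right.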
gdb-13.2-10.fc39
FEDORA-2023-89ade611ee
Packages in this update:
gdb-13.2-10.fc39
Update description:
Backport upstream commit d28fbc7197b, which fixes RHBZ 2233965 (security fix for CVE-2022-48065).