FEDORA-2023-5a91738e22
Packages in this update:
liferea-1.14.1-1.fc38
Update description:
Security fix for CVE-2023-1350
liferea-1.14.1-1.fc36
Security fix for CVE-2023-1350
Dave McDaniel discovered that the SQLite3 bindings for Node.js were
susceptible to the execution of arbitrary JavaScript code if a binding
parameter is a crafted object.
A buffer overflow vulnerability exists in Pev 0.81 via the pe_exports function from exports.c. The array offsets_to_Names is dynamically allocated on the stack using exp->NumberOfFunctions as its size. However, the loop uses exp->NumberOfNames to iterate over it and set its components' values. Therefore, the loop code assumes that exp->NumberOfFunctions is greater than ordinal at each iteration. This can lead to arbitrary code execution.
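The size/bound mismatch described in the Pev advisory above, shown as an added example with a hardened form; this is not pev's source code. The struct `export_dir_t`, the function `build_offsets_to_names`, the `MAX_EXPORTS` cap and the sample input are assumptions made for illustration, and the caller is assumed to pass tables holding `NumberOfNames` entries each.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the two export-directory fields the advisory names. */
typedef struct {
    uint32_t NumberOfFunctions;
    uint32_t NumberOfNames;
} export_dir_t;

#define MAX_EXPORTS 65536u /* assumed sanity cap: name ordinals are 16-bit */

/* Pattern described in the advisory (sketch, not pev's source):
 *   uint32_t offsets_to_Names[exp->NumberOfFunctions];   // stack, file-sized
 *   for (i = 0; i < exp->NumberOfNames; i++)
 *       offsets_to_Names[ordinal] = name_rva;            // ordinal unchecked
 *
 * Hardened form: heap allocation, capped counts, every ordinal checked against
 * the size the table was allocated with. Returns NULL on malformed input. */
uint32_t *build_offsets_to_names(const export_dir_t *exp,
                                 const uint16_t *ordinals,
                                 const uint32_t *name_rvas)
{
    if (exp->NumberOfFunctions == 0 || exp->NumberOfFunctions > MAX_EXPORTS ||
        exp->NumberOfNames > MAX_EXPORTS)
        return NULL;

    uint32_t *offsets = calloc(exp->NumberOfFunctions, sizeof *offsets);
    if (offsets == NULL)
        return NULL;

    for (uint32_t i = 0; i < exp->NumberOfNames; i++) {
        if (ordinals[i] >= exp->NumberOfFunctions) { /* the missing check */
            free(offsets);
            return NULL;
        }
        offsets[ordinals[i]] = name_rvas[i];
    }
    return offsets;
}

int main(void)
{
    /* Constructed input: 1 function slot, 2 names, second ordinal out of range. */
    export_dir_t bad = { 1, 2 };
    uint16_t ordinals[] = { 0, 5 };
    uint32_t rvas[] = { 0x2000, 0x2010 };
    uint32_t *t = build_offsets_to_names(&bad, ordinals, rvas);
    printf("%s\n", t ? "accepted" : "rejected malformed export directory");
    free(t);
    return 0;
}
```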
13 vulnerabilities were found in the E11 smart intercom devices by Chinese manufacturer Akuvox
The recently identified Dark Pink advanced persistent threat (APT) group is likely behind a fresh set of KamiKakaBot malware attacks on ASEAN governments and military entities, according to Netherlands-based cybersecurity company EclecticIQ.
The attacks, which took place in February, were “almost identical” to those reported by Russia-based cybersecurity firm Group-IB on January 11, 2023, EclecticIQ said. Multiple overlapping techniques used in the campaigns helped EclecticIQ analysts to attribute the recent attacks as likely to be the work of the Dark Pink APT group.
The relationship between Europe and ASEAN countries is being exploited with social engineering lures
It was discovered that Chromium could be made to write out of bounds in
several components. A remote attacker could possibly use this issue to
corrupt memory via a crafted HTML page, resulting in a denial of service,
or possibly execute arbitrary code. (CVE-2023-0930, CVE-2023-1219,
CVE-2023-1220, CVE-2023-1222)
It was discovered that Chromium contained an integer overflow in the PDF
component. A remote attacker could possibly use this issue to corrupt
memory via a crafted PDF file, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2023-0933)
It was discovered that Chromium did not properly manage memory in several
components. A remote attacker could possibly use this issue to corrupt
memory via a crafted HTML page, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2023-0941, CVE-2023-0928,
CVE-2023-0929, CVE-2023-0931, CVE-2023-1213, CVE-2023-1216, CVE-2023-1218)
It was discovered that Chromium did not correctly distinguish data types
in several components. A remote attacker could possibly use this issue to
corrupt memory via a crafted HTML page, resulting in a denial of service,
or possibly execute arbitrary code. (CVE-2023-1214, CVE-2023-1215,
CVE-2023-1235)
It was discovered that Chromium insufficiently enforced policies. An
attacker could possibly use this issue to bypass navigation restrictions.
(CVE-2023-1221, CVE-2023-1224)
It was discovered that Chromium insufficiently enforced policies in Web
Payments API. A remote attacker could possibly use this issue to bypass
content security policy via a crafted HTML page. (CVE-2023-1226)
It was discovered that Chromium contained an inappropriate implementation
in the Permission prompts component. A remote attacker could possibly use
this issue to bypass navigation restrictions via a crafted HTML page.
(CVE-2023-1229)
It was discovered that Chromium insufficiently enforced policies in
Resource Timing component. A remote attacker could possibly use this issue
to obtain sensitive information. (CVE-2023-1232, CVE-2023-1233)
It was discovered that Chromium contained an inappropriate implementation
in the Internals component. A remote attacker could possibly use this
issue to spoof the origin of an iframe via a crafted HTML page.
(CVE-2023-1236)
Infostealers observed to be delivered via these videos included Vidar, RedLine and Raccoon