FEDORA-2023-30e81e5293
Packages in this update:
c-ares-1.19.0-1.fc36
Update description:
Update to 1.19.0. Fixes CVE-2022-4904.
c-ares-1.19.0-1.fc36
Update to 1.19.0. Fixes CVE-2022-4904.
flatpak-runtime-f37-3720230216035716.1
flatpak-sdk-f37-3720230216035716.1
Updated flatpak runtime and SDK, including latest Fedora 37 security and bug-fix errata.
Specifically, one of the updated packages is nss 3.88.1 that is required by latest thunderbird 102.8.0 flatpak: https://bodhi.fedoraproject.org/updates/FEDORA-FLATPAK-2023-39d93f840d
The feature provides a sandbox layer isolating some image files from the rest of the device
A vulnerability was found in arnoldle submitByMailPlugin 1.0b2.9 and classified as problematic. This issue affects some unknown processing of the file edit_list.php. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. Upgrading to version 1.0b2.9a is able to address this issue. The name of the patch is a739f680a1623d22f52ff1371e86ca472e63756f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-221495.
clamav-0.103.8-3.el7
Fix daily.cvd file
Split out documentation into separate -doc sub-package
(#2128276) Please port your pcre dependency to pcre2
Explicit dependency on systemd since systemd-devel no longer has this dependency on F37+
(#2136977) not requires data(clamav) on clamav-libs
(#2023371) Add documentation to preserve user permissions of DatabaseOwner
ClamAV 0.103.8 is a critical patch release with the following fixes:
CVE-2023-20032https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.
CVE-2023-20052https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.
clamav-0.103.8-3.fc36
Fix daily.cvd file
Split out documentation into separate -doc sub-package
(#2128276) Please port your pcre dependency to pcre2
Explicit dependency on systemd since systemd-devel no longer has this dependency on F37+
(#2136977) not requires data(clamav) on clamav-libs
(#2023371) Add documentation to preserve user permissions of DatabaseOwner
ClamAV 0.103.8 is a critical patch release with the following fixes:
CVE-2023-20032https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.
CVE-2023-20052https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.
An unauthorized party caused the intermittent redirection of customer websites
plasma-workspace-5.27.0-4.fc37
Add patch to disable global shortcuts at login for the SDDM Plasma Wayland configuration (#2171332)
The malware was used by a previously unknown threat actor against targets in Taiwan
A critical security vulnerability, known as CVE-2021-33621, has been discovered in Ruby’s Common Gateway Interface (CGI) that could potentially put millions of users at risk. In this article, we’ll explore what CVE-2021-33621 is, what it affects, its CVSS score, and how you can protect yourself from it.
What is CVE-2021-33621?
CVE-2021-33621 is a security vulnerability in Ruby’s CGI that allows HTTP header injection and response splitting. This vulnerability could potentially be exploited by attackers to perform cross-site scripting (XSS) attacks, steal sensitive data, or execute arbitrary code on a user’s system.
What does CVE-2021-33621 affect?
According to the Ruby vendor’s website, the vulnerability affects applications that use the CGI module and are running the following versions:
CVSS Score: The CVSS score for CVE-2021-33621 is 9.8, indicating that it is a critical vulnerability that requires immediate attention.
References: You can find more information about CVE-2021-33621 on the MITRE website (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33621) and the software vendor’s website.
How can you protect yourself from CVE-2021-33621?
To protect yourself from this vulnerability, it is recommended that you review your code to ensure that untrusted input is not being passed to any CGI functions. It is also recommended that you upgrade to a patched version of Ruby as soon as possible. You can find more information about the vulnerability and the patches on the MITRE website and the Ruby vendor’s website.