FEDORA-2024-583e4098b9
Packages in this update:
zbar-0.23.93-1.fc38
Update description:
0.23.93, fixes for two CVEs
zbar-0.23.93-1.fc39
0.23.93, fixes for two CVEs
golang-x-crypto-0.18.0-1.fc40
Automatic update for golang-x-crypto-0.18.0-1.fc40.
* Tue Jan 9 2024 Mark E. Fuller <mark.e.fuller@gmx.de> - 0.18.0-1
- update to v0.18.0, close rhbz#2255095 - CVE-2023-48795 golang-x-crypto:
ssh: Prefix truncation attack on Binary Packet Protocol
Youssef Rebahi-Gilbert discovered that Monit did not properly process
credentials for disabled accounts. An attacker could possibly use this
issue to log in to the platform with an expired account and a valid
password.
redis-7.2.4-1.fc39
Redis 7.2.4 Released Tue 09 Jan 2024 10:45:52 IST
Upgrade urgency SECURITY: See security fixes below.
Security fixes
(CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory
buffers which can result in incorrect accounting of buffer sizes and lead to
heap overflow and potential remote code execution.
Bug fixes
Fix crashes of cluster commands clusters with mixed versions of 7.0 and 7.2 (#12805, #12832)
Fix slot ownership not being properly handled when deleting a slot from a node (#12564)
Fix atomicity issues with the RedisModuleEvent_Key module API event (#12733)
redis-7.0.15-1.fc38
Redis 7.0.15 Released Tue 09 Jan 2024 10:45:52 IST
Upgrade urgency SECURITY: See security fixes below.
Security fixes
(CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory
buffers which can result in incorrect accounting of buffer sizes and lead to
heap overflow and potential remote code execution.
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides
the corresponding updates for Go 1.13 and Go 1.16.
CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16.
Original advisory details:
It was discovered that the Go net/http module incorrectly handled
Transfer-Encoding headers in the HTTP/1 client. A remote attacker could
possibly use this issue to perform an HTTP Request Smuggling attack.
(CVE-2022-1705)
It was discovered that Go did not properly manage memory under certain
circumstances. An attacker could possibly use this issue to cause a panic
resulting in a denial of service. (CVE-2022-1962, CVE-2022-27664,
CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632,
CVE-2022-30633, CVE-2022-30635, CVE-2022-32189, CVE-2022-41715,
CVE-2022-41717, CVE-2023-24534, CVE-2023-24537)
It was discovered that Go did not properly implement the maximum size of
file headers in Reader.Read. An attacker could possibly use this issue to
cause a panic resulting in a denial of service. (CVE-2022-2879)
It was discovered that the Go net/http module incorrectly handled query
parameters in requests forwarded by ReverseProxy. A remote attacker could
possibly use this issue to perform an HTTP Query Parameter Smuggling attack.
(CVE-2022-2880)
It was discovered that Go did not properly manage the permissions for the
Faccessat function. An attacker could possibly use this issue to expose
sensitive information. (CVE-2022-29526)
It was discovered that Go did not properly generate the values for
ticket_age_add in session tickets. An attacker could possibly use this
issue to observe TLS handshakes to correlate successive connections by
comparing ticket ages during session resumption. (CVE-2022-30629)
It was discovered that Go did not properly manage client IP addresses in
net/http. An attacker could possibly use this issue to cause ReverseProxy
to set the client IP as the value of the X-Forwarded-For header.
(CVE-2022-32148)
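The X-Forwarded-For behaviour described above, shown as an added example that is not part of the advisory or of the Go project's own code. It assumes a patched Go toolchain, where a ReverseProxy Director that sets the X-Forwarded-For map entry to nil tells the proxy to omit the header instead of appending the client address; the backend hostname and the stubbed transport are constructed for the example so that nothing leaves the process.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// recordingTransport stands in for the real network hop. It records the
// headers the proxy would have sent to the backend and returns a canned
// 204 response, so the example runs offline.
type recordingTransport struct {
	seen http.Header
}

func (t *recordingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	t.seen = req.Header.Clone()
	return &http.Response{
		StatusCode: http.StatusNoContent,
		Header:     make(http.Header),
		Body:       io.NopCloser(strings.NewReader("")),
		Request:    req,
	}, nil
}

// proxyForwardedFor sends one constructed client request through a
// ReverseProxy and returns the X-Forwarded-For value the backend would see.
// With omit=false the proxy appends the client IP (default behaviour);
// with omit=true the Director sets the header entry to nil, which a patched
// Go treats as "do not populate this header".
func proxyForwardedFor(omit bool) (string, error) {
	// Hypothetical backend address; never resolved because the transport is stubbed.
	target, err := url.Parse("http://backend.internal")
	if err != nil {
		return "", err
	}
	proxy := httputil.NewSingleHostReverseProxy(target)
	rt := &recordingTransport{}
	proxy.Transport = rt

	if omit {
		inner := proxy.Director
		proxy.Director = func(req *http.Request) {
			inner(req)
			// nil (not Del) is the documented signal to suppress the header.
			req.Header["X-Forwarded-For"] = nil
		}
	}

	// httptest.NewRequest sets RemoteAddr to 192.0.2.1:1234 (TEST-NET-1),
	// which is the "client IP" the proxy would forward.
	req := httptest.NewRequest(http.MethodGet, "http://frontend.example/", nil)
	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, req)
	if rec.Code != http.StatusNoContent {
		return "", fmt.Errorf("unexpected proxy status %d", rec.Code)
	}
	return rt.seen.Get("X-Forwarded-For"), nil
}

func main() {
	for _, omit := range []bool{false, true} {
		v, err := proxyForwardedFor(omit)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("omit=%v -> X-Forwarded-For=%q\n", omit, v)
	}
}
```

Running the block prints the client address for the default case and an empty value once the Director sets the entry to nil; on an unpatched toolchain the second case would still carry the client IP, which is the exposure the advisory describes. A deployment that must not reveal client addresses to the upstream should verify the empty case against the toolchain it actually ships.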
It was discovered that Go did not properly validate backticks (`) as
JavaScript string delimiters, and did not escape them as expected. An
attacker could possibly use this issue to inject arbitrary JavaScript code
into the Go template. (CVE-2023-24538)