FEDORA-2023-19900752a6

Packages in this update:

webkit2gtk3-2.38.4-1.fc36

Update description:

Improve GStreamer multimedia playback across the board with improved codec selection logic, better handling of latency, and improving frame discard to avoid audio/video desynchronization, among other fixes.
Disable HLS media playback by default, which makes web sites use MSE instead. If needed WEBKIT_GST_ENABLE_HLS_SUPPORT=1 can be set in the environment to enable it back.
Disable threaded rendering in GTK4 builds by default, as it was causing crashes.
Fix MediaSession API not showing artwork images.
Fix MediaSession MPRIS usage when running inside a Flatpak sandbox.
Fix input element controls to correctly scale when applying a zoom factor different than the default.
Fix leakage of Web processes in certain situations.
Fix several crashes and rendering issues.
Security fixes: CVE-2023-23517, CVE-2023-23518, CVE-2022-42826, and many additional security issues

Read More

FortiGuard Labs is aware of a report that a new wiper malware was used to in recent attacks targeting Ukraine. Dubbed SwiftSlicer, the wiper malware overwrites files in specified directories in the affected machines and deletes shadow copies to prevent file recovery.Why is this Significant?This is significant because SwiftSlicer is a new destructive malware used in real attacks. SwiftSlicer overwrites files in attacker specified folders and deletes shadow copies, which makes file recovery difficult.What is SwiftSlicer?SwiftSlicer is a wiper malware that is written in Go-language. The malware is designed to overwrite non-system drives as well as files under %CSIDL_SYSTEM%drivers and %CSIDL_SYSTEM_DRIVE%WindowsNTDS. It also leverages the Windows Management Instrumentation Command-line (WMIC) tool to delete shadow copies.Other vendors have attributed SwiftSlicer to Sandworm Team who is believed to be a Russian threat actor responsible for destructive attacks such as NotPetya and Olympic Destroyer and cyber-attacks against the Ukrainian electrical grid in 2015 and 2016.How Widespread is SwiftSlicer?As of this writing, there is no report that indicates SwiftSlicer was used to target non-Ukrainian organizations.What is the Status of Protection?FortiGuard Labs provides the following AV signature for SwiftSlicer:W32/Malicious_Behavior.VEX

Read More

It was discovered that LibTIFF incorrectly handled certain malformed
images. If a user or automated system were tricked into opening a
specially crafted image, a remote attacker could crash the application,
leading to a denial of service, or possibly execute arbitrary code with
user privileges. This issue was only fixed in Ubuntu 14.04 ESM.
(CVE-2019-14973, CVE-2019-17546, CVE-2020-35523, CVE-2020-35524,
CVE-2022-3970)

It was discovered that LibTIFF was incorrectly acessing a data structure
when processing data with the tiffcrop tool, which could lead to a heap
buffer overflow. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2022-48281)

Read More

FEDORA-2023-f9e2ad8b73

Packages in this update:

wireshark-3.6.11-1.fc36

Update description:

New version 4.0.3.

Read More

FEDORA-2023-9ddb9b9757

Packages in this update:

wireshark-4.0.3-1.fc37

Update description:

New version 4.0.3.

Read More

FEDORA-2023-c9ab30c8e3

Packages in this update:

kernel-6.1.9-100.fc36

Update description:

The 6.1.9 stable kernel update contains a number of important fixes across the tree.

Read More

FEDORA-2023-4006357f7e

Packages in this update:

kernel-6.1.9-200.fc37

Update description:

The 6.1.9 stable kernel update contains a number of important fixes across the tree.

Read More

FEDORA-2023-74b702f058

Packages in this update:

php-symfony4-4.4.50-1.fc37

Update description:

Version 4.4.50 (2023-02-01)

security cve-2022-24895 [Security/Http] Remove CSRF tokens from storage on successful login (nicolas-grekas)
security cve-2022-24894 [HttpKernel] Remove private headers before storing responses with HttpCache (nicolas-grekas)

Read More

FEDORA-2023-aecde14648

Packages in this update:

php-symfony4-4.4.50-1.fc36

Update description:

Version 4.4.50 (2023-02-01)

security cve-2022-24895 [Security/Http] Remove CSRF tokens from storage on successful login (nicolas-grekas)
security cve-2022-24894 [HttpKernel] Remove private headers before storing responses with HttpCache (nicolas-grekas)

Read More

It was discovered that Long Range ZIP incorrectly handled pointers. If
a user or an automated system were tricked into opening a certain
specially crafted ZIP file, an attacker could possibly use this issue
to cause a denial of service. This issue only affected Ubuntu 14.04 ESM,
Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2020-25467)

It was discovered that Long Range ZIP incorrectly handled pointers. If
a user or an automated system were tricked into opening a certain
specially crafted ZIP file, an attacker could possibly use this issue
to cause a denial of service. This issue only affected Ubuntu 18.04 LTS
and Ubuntu 20.04 LTS. (CVE-2021-27345, CVE-2021-27347)

It was discovered that Long Range ZIP incorrectly handled pointers. If
a user or an automated system were tricked into opening a certain
specially crafted ZIP file, an attacker could possibly use this issue
to cause a denial of service. This issue only affected Ubuntu 16.04 ESM,
Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2022-26291)

It was discovered that Long Range ZIP incorrectly handled memory allocation,
which could lead to a heap memory corruption. An attacker could possibly use
this issue to cause denial of service. This issue affected Ubuntu 14.04 ESM,
Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and
Ubuntu 22.10. (CVE-2022-28044)

Read More