flatpak-runtime-f37-3720230120192930.1
flatpak-sdk-f37-3720230120192930.1
Updated flatpak runtime and SDK, including latest Fedora 37 security and bug-fix errata.
In addition to regular package updates, this also adds additional gstreamer1-plugins-ugly-free and jxl-pixbuf-loader packages to the runtime.
OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Custom Layout enabled admin users to execute arbitrary commands via block methods. Versions 19.4.22 and 20.0.19 contain patches for this issue.
Magneto LTS (Long Term Support) is a community developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and user submits new password. This issue is patched in versions 19.4.22 and 20.0.19. There are no workarounds.
chromium-109.0.5414.119-1.el9
Update to 109.0.5414.119. Fixes the following security issues:
CVE-2023-0471 CVE-2023-0472 CVE-2023-0473 CVE-2023-0474
chromium-109.0.5414.119-1.fc37
Update to 109.0.5414.119. Fixes the following security issues:
CVE-2023-0471 CVE-2023-0472 CVE-2023-0473 CVE-2023-0474
In Apache::Session::Browseable before 1.3.6, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.
In Apache::Session::LDAP before 0.5, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.
Posted by Apple Product Security via Fulldisclosure on Jan 26
APPLE-SA-2023-01-24-1 tvOS 16.3
tvOS 16.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213601.
AppleMobileFileIntegrity
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by enabling hardened runtime.
CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing…
Posted by Oliver Schwarz via Fulldisclosure on Jan 26
Advisory ID: SYSS-2022-047
Product: Razer Synapse
Manufacturer: Razer Inc.
Affected Version(s): Versions before 3.7.0830.081906
Tested Version(s): 3.7.0731.072516
Vulnerability Type: Improper Certificate Validation (CWE-295)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2022-08-02
Solution Date: 2022-09-06
Public Disclosure:…
java-1.8.0-openjdk-1.8.0.362.b09-1.fc36
CVE-2023-21830
CVE-2023-21843
JDK-8285021: Improve CORBA communication
JDK-8286496: Improve Thread labels
JDK-8288516: Enhance font creation
JDK-8289350: Better media supports
JDK-8293554: Enhanced DH Key Exchanges
JDK-8293598: Enhance InetAddress address handling
JDK-8293717: Objective view of ObjectView
JDK-8293734: Improve BMP image handling
JDK-8293742: Better Banking of Sounds
JDK-8295687: Better BMP bounds
Loading a linked ICC profile within a BMP image is now disabled by default. To re-enable it, set the new system property
sun.imageio.bmp.enabledLinkedProfiles to true. This new property replaces the old property, sun.imageio.plugins.bmp.disableLinkedProfiles.
Previously, the SoundbankReader implementation, com.sun.media.sound.JARSoundbankReader, would download a JAR soundbank from a URL. This behaviour is now disabled by default. To re-enable it, set the new system property jdk.sound.jarsoundbank to true.
The JDK’s CORBA implementation now refuses by default to deserialize objects, unless they have the “IOR:” prefix. The previous behaviour can be re-enabled by setting the new property com.sun.CORBA.ORBAllowDeserializeObject to true.
JARs signed with SHA-1 algorithms are now restricted by default and created as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the
certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those
certificates have been revoked. These restrictions also apply to signed JCE providers.
To reduce the compatibility risk for JARs that have been previously timestamped, there is one exception to this policy:
Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.
This exception may be removed in a future JDK release. To determine if your signed JARs are affected by this change, run:
$ jarsigner -verify -verbose -certs
on the signed JAR, and look for instances of “SHA1” or “SHA-1” and “disabled” and a warning that the JAR will be treated as unsigned in the output.
For example:
Signed by “CN=”Signer””
Digest algorithm: SHA-1 (disabled)
Signature algorithm: SHA1withRSA (disabled), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
JARs affected by these new restrictions should be replaced or re-signed with stronger algorithms.
Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or override it by using the java.security.properties system property) and removing “SHA1 usage SignedJAR & denyAfter 2019-01-01” from the
jdk.certpath.disabledAlgorithms security property and “SHA1 denyAfter 2019-01-01” from the jdk.jar.disabledAlgorithms security property.
