A vulnerability was found in stevejagodzinski DevNewsAggregator. It has been rated as critical. Affected by this issue is the function getByName of the file php/data_access/RemoteHtmlContentDataAccess.php. The manipulation of the argument name leads to sql injection. The name of the patch is b9de907e7a8c9ca9d75295da675e58c5bf06b172. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217484.
USN-5782-1 fixed vulnerabilities in Firefox. The update introduced
several minor regressions. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that Firefox was using an out-of-date libusrsctp library.
An attacker could possibly use this library to perform a reentrancy issue
on Firefox. (CVE-2022-46871)
Nika Layzell discovered that Firefox was not performing a check on paste
received from cross-processes. An attacker could potentially exploit this
to obtain sensitive information. (CVE-2022-46872)
Pete Freitag discovered that Firefox did not implement the unsafe-hashes
CSP directive. An attacker who was able to inject markup into a page
otherwise protected by a Content Security Policy may have been able to
inject an executable script. (CVE-2022-46873)
Matthias Zoellner discovered that Firefox was not keeping the filename
ending intact when using the drag-and-drop event. An attacker could
possibly use this issue to add a file with a malicious extension, leading
to execute arbitrary code. (CVE-2022-46874)
Hafiizh discovered that Firefox was not handling fullscreen notifications
when the browser window goes into fullscreen mode. An attacker could
possibly use this issue to spoof the user and obtain sensitive information.
(CVE-2022-46877)
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2022-46878,
CVE-2022-46879)
It was discovered that Libksba incorrectly handled parsing CRL signatures.
A remote attacker could use this issue to cause Libksba to crash, resulting
in a denial of service, or possibly execute arbitrary code.
It was discovered that GNOME Files incorrectly handled certain filenames.
An attacker could possibly use this issue to cause GNOME Files to crash,
leading to a denial of service.
A vulnerability classified as problematic has been found in web-cyradm. This affects an unknown part of the file search.php. The manipulation of the argument searchstring leads to sql injection. It is recommended to apply a patch to fix this issue. The identifier VDB-217449 was assigned to this vulnerability.
python2.7-2.7.18-26.fc37
Security fix for CVE-2022-45061: CPU denial of service via inefficient IDNA decoder
python2.7-2.7.18-23.fc36
Security fix for CVE-2022-45061: CPU denial of service via inefficient IDNA decoder
A vulnerability has been discovered in Brocade Fabric OS, which could allow an attacker to execute arbitrary commands on the targeted system. Brocade Fabric OS software is used by IBM b-type SAN directors and switches. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on a Brocade Fabric OS switch. Depending on the setup of the device, an attacker would then be capable of modifying zoning, disabling the switch, disabling ports, and modifying the switch’s IP address.
php-8.1.14-1.fc37
PHP version 8.1.14 (05 Jan 2023)
Core:
Fixed bug GH-9905 (constant() behaves inconsistent when class is undefined). (cmb)
Fixed bug GH-9918 (License information for xxHash is not included in README.REDIST.BINS file). (Akama Hitoshi)
Fixed bug GH-9650 (Can’t initialize heap: [0x000001e7]). (Michael Voříšek)
Fixed potentially undefined behavior in Windows ftok(3) emulation. (cmb)
Date:
Fixed bug GH-9699 (DateTimeImmutable::diff differences in 8.1.10 onwards – timezone related). (Derick)
Fixed bug GH-9700 (DateTime::createFromFormat: Parsing TZID string is too greedy). (Derick)
Fixed bug GH-9866 (Time zone bug with DateTimeInterface::diff()). (Derick)
Fixed bug GH-9880 (DateTime diff returns wrong sign on day count when using a timezone). (Derick)
FPM:
Fixed bug GH-9959 (Solaris port event mechanism is still broken after bug php#66694). (Petr Sumbera)
Fixed bug php#68207 (Setting fastcgi.error_header can result in a WARNING). (Jakub Zelenka)
Fixed bug GH-8517 (Random crash of FPM master process in fpm_stdio_child_said). (Jakub Zelenka)
MBString:
Fixed bug GH-9535 (The behavior of mb_strcut in mbstring has been changed in PHP8.1). (Nathan Freeman)
Opcache:
Fixed bug GH-9968 (Segmentation Fault during OPCache Preload). (Arnaud, michdingpayc)
OpenSSL:
Fixed bug GH-9064 (PHP fails to build if openssl was built with –no-ec). (Jakub Zelenka)
Fixed bug GH-10000 (OpenSSL test failures when OpenSSL compiled with no-dsa). (Jakub Zelenka)
Pcntl:
Fixed bug GH-9298 (Signal handler called after rshutdown leads to crash). (Erki Aring)
PDO_Firebird:
Fixed bug GH-9971 (Incorrect NUMERIC value returned from PDO_Firebird). (cmb)
PDO/SQLite:
Fixed bug php#81740 (PDO::quote() may return unquoted string). (CVE-2022-31631) (cmb)
Session:
Fixed GH-9932 (session name silently fails with . and [). (David Carlier)
SPL:
Fixed GH-9883 (SplFileObject::__toString() reads next line). (Girgias)
Fixed GH-10011 (Trampoline autoloader will get reregistered and cannot be unregistered). (Girgias)
SQLite3:
Fixed bug php#81742 (open_basedir bypass in SQLite3 by using file URI). (cmb)
php-8.1.14-1.fc36
PHP version 8.1.14 (05 Jan 2023)
Core:
Fixed bug GH-9905 (constant() behaves inconsistent when class is undefined). (cmb)
Fixed bug GH-9918 (License information for xxHash is not included in README.REDIST.BINS file). (Akama Hitoshi)
Fixed bug GH-9650 (Can’t initialize heap: [0x000001e7]). (Michael Voříšek)
Fixed potentially undefined behavior in Windows ftok(3) emulation. (cmb)
Date:
Fixed bug GH-9699 (DateTimeImmutable::diff differences in 8.1.10 onwards – timezone related). (Derick)
Fixed bug GH-9700 (DateTime::createFromFormat: Parsing TZID string is too greedy). (Derick)
Fixed bug GH-9866 (Time zone bug with DateTimeInterface::diff()). (Derick)
Fixed bug GH-9880 (DateTime diff returns wrong sign on day count when using a timezone). (Derick)
FPM:
Fixed bug GH-9959 (Solaris port event mechanism is still broken after bug php#66694). (Petr Sumbera)
Fixed bug php#68207 (Setting fastcgi.error_header can result in a WARNING). (Jakub Zelenka)
Fixed bug GH-8517 (Random crash of FPM master process in fpm_stdio_child_said). (Jakub Zelenka)
MBString:
Fixed bug GH-9535 (The behavior of mb_strcut in mbstring has been changed in PHP8.1). (Nathan Freeman)
Opcache:
Fixed bug GH-9968 (Segmentation Fault during OPCache Preload). (Arnaud, michdingpayc)
OpenSSL:
Fixed bug GH-9064 (PHP fails to build if openssl was built with –no-ec). (Jakub Zelenka)
Fixed bug GH-10000 (OpenSSL test failures when OpenSSL compiled with no-dsa). (Jakub Zelenka)
Pcntl:
Fixed bug GH-9298 (Signal handler called after rshutdown leads to crash). (Erki Aring)
PDO_Firebird:
Fixed bug GH-9971 (Incorrect NUMERIC value returned from PDO_Firebird). (cmb)
PDO/SQLite:
Fixed bug php#81740 (PDO::quote() may return unquoted string). (CVE-2022-31631) (cmb)
Session:
Fixed GH-9932 (session name silently fails with . and [). (David Carlier)
SPL:
Fixed GH-9883 (SplFileObject::__toString() reads next line). (Girgias)
Fixed GH-10011 (Trampoline autoloader will get reregistered and cannot be unregistered). (Girgias)
SQLite3:
Fixed bug php#81742 (open_basedir bypass in SQLite3 by using file URI). (cmb)
