qemu-7.0.0-12.fc37
hcd-xhci: infinite loop in xhci_ring_chain_length (CVE-2020-14394)
ati-vga: out-of-bounds write in ati_2d_blt (CVE-2021-3638)
acpi erst: memory corruption issues (CVE-2022-4172)
qxl: qxl_phys2virt unsafe address translation (CVE-2022-4144)
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn. Further investigation showed that it was not a vulnerability. Notes: none.
It was discovered that NumPy did not properly manage memory when specifying
arrays of large dimensions. If a user were tricked into running malicious
Python file, an attacker could cause a denial of service. This issue only
affected Ubuntu 20.04 LTS. (CVE-2021-33430)
It was discovered that NumPy did not properly perform string comparison
operations under certain circumstances. An attacker could possibly use
this issue to cause NumPy to crash, resulting in a denial of service.
(CVE-2021-34141)
It was discovered that NumPy did not properly manage memory under certain
circumstances. An attacker could possibly use this issue to cause NumPy to
crash, resulting in a denial of service. (CVE-2021-41495, CVE-2021-41496)
firefox-107.0.1-1.fc35
Updated to latest upstream (107.0.1)
firefox-107.0.1-1.fc36
Updated to latest upstream (107.0.1)
firefox-107.0.1-1.fc37
Updated to latest upstream (107.0.1)
Galaxy is an open-source platform for data analysis. An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the operating system user under which Galaxy is running. This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy’s internal middleware. This issue has been patched in commit `e5e6bda4f` and will be included in future releases. Users are advised to manually patch their installations. There are no known workarounds for this vulnerability.
teler is an real-time intrusion detection and threat alert dashboard. teler prior to version 2.0.0-rc.4 is vulnerable to DOM-based cross-site scripting (XSS) in the teler dashboard. When teler requests messages from the event stream on the `/events` endpoint, the log data displayed on the dashboard are not sanitized. This only affects authenticated users and can only be exploited based on detected threats if the log contains a DOM scripting payload. This vulnerability has been fixed on version `v2.0.0-rc.4`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
The web-management application on Seagate Central NAS STCG2000300, STCG3000300, and STCG4000300 devices allows OS command injection via mv_backend_launch in cirrus/application/helpers/mv_backend_helper.php by leveraging the “start” state and sending a check_device_name request.
USN-5761-1 updated ca-certificates. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
Due to security concerns, the TrustCor certificate authority has been
marked as distrusted in Mozilla’s root store. This update removes the
TrustCor CA certificates from the ca-certificates package.
