Several vulnerabilities were discovered in WordPress, a web blogging
tool. They allowed remote attackers to perform SQL injection, create
open redirects, bypass authorization access, or perform Cross-Site
Request Forgery (CSRF) or Cross-Site Scripting (XSS) attacks.
Category Archives: Advisories
DSA-5280 grub2 – security update
Several issues were found in GRUB2's font handling code, which could
result in crashes and potentially execution of arbitrary code. These
could lead to a bypass of UEFI Secure Boot on affected systems.
DSA-5281 nginx – security update
It was discovered that parsing errors in the mp4 module of Nginx, a
high-performance web and reverse proxy server, could result in denial
of service, memory disclosure or potentially the execution of arbitrary
code when processing a malformed mp4 file.
python3.8-3.8.15-2.fc35
FEDORA-2022-7798bf3aa3
Packages in this update:
python3.8-3.8.15-2.fc35
Update description:
Security fix for CVE-2022-37454
python3.7-3.7.15-2.fc37
FEDORA-2022-4f547d1cc6
Packages in this update:
python3.7-3.7.15-2.fc37
Update description:
Security fix for CVE-2022-37454
python3.7-3.7.15-2.fc38
FEDORA-2022-792bd23738
Packages in this update:
python3.7-3.7.15-2.fc38
Update description:
Automatic update for python3.7-3.7.15-2.fc38.
Changelog
* Mon Nov 14 2022 Miro Hrončok <mhroncok@redhat.com> - 3.7.15-2
- CVE-2022-37454: Fix buffer overflows in _sha3 module
Related: rhbz#2140200
python3.8-3.8.15-2.fc37
FEDORA-2022-cb47d98a05
Packages in this update:
python3.8-3.8.15-2.fc37
Update description:
Security fix for CVE-2022-37454
python3.8-3.8.15-2.fc38
FEDORA-2022-eda83be115
Packages in this update:
python3.8-3.8.15-2.fc38
Update description:
Automatic update for python3.8-3.8.15-2.fc38.
Changelog
* Mon Nov 14 2022 Miro Hrončok <mhroncok@redhat.com> - 3.8.15-2
- CVE-2022-37454: Fix buffer overflows in _sha3 module
Related: rhbz#2140200
elixir-1.14.2-1.fc37
FEDORA-2022-be7abff81b
Packages in this update:
elixir-1.14.2-1.fc37
Update description:
Small bugfix release – no breaking changes here.
varnish-7.0.3-2.fc36
FEDORA-2022-babfbc2622
Packages in this update:
varnish-7.0.3-2.fc36
Update description:
This release includes fixes for CVE-2022-45059 (VSV00010) and CVE-2022-45060 (VSV00011). From the upstream release notes:
VSV00010 Varnish Request Smuggling Vulnerability
Date: 2022-11-08
A request smuggling attack can be performed on Varnish Cache servers by requesting that certain headers are made hop-by-hop, preventing the Varnish Cache servers from forwarding critical headers to the backend. Among the headers that can be filtered this way are both Content-Length and Host, making it possible for an attacker to both break the HTTP/1 protocol framing, and bypass request to host routing in VCL.
VSV00011 Varnish HTTP/2 Request Forgery Vulnerability
Date: 2022-11-08
A request forgery attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker may introduce characters through the HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This may in turn be used to successfully exploit vulnerabilities in a server behind the Varnish server.