Possible authentication bypass due to improper order of signature verification and hashing in the signature verification call in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables
curl-7.82.0-8.fc36
control code in cookie denial of service (CVE-2022-35252)
curl-7.79.1-6.fc35
control code in cookie denial of service (CVE-2022-35252)
curl-7.85.0-1.fc37
new upstream release, which fixes the following vulnerability
CVE-2022-35252 – control code in cookie denial of service
cloudcompare-2.11.3-4.fc37
Security fix for CVE-2021-21897
cloudcompare-2.9.1-16.fc35
Security fix for CVE-2021-21897
cloudcompare-2.11.3-4.fc36
Security fix for CVE-2021-21897
Posted by Martin Heiland via Fulldisclosure on Sep 01
Dear subscribers,
we’re sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Product: OX App Suite
Vendor: OX Software GmbH
Internal reference: MWB-1540
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable…
mediawiki-1.37.4-1.fc36
MediaWiki 1.37.4
This is a maintenance release of the MediaWiki 1.37 branch.
Changes since MediaWiki 1.37.3
Localisation updates.
(T311568) UploadBase::setTempFile() handle $tempPath being passed as null.
(T311559) SpecialListFiles: user parameter isn’t always present.
(T311561) ImageListPager: Don’t call htmlspecialchars() on null.
(T311920) SpecialBlockList: Prevent passing null to trim().
(T311921) SpecialUserrights: Don’t pass null to str_replace.
(T311570) SpecialWithoutInterwiki: Don’t pass null through to
Title::capitalize().
(T311574, T311576) SpecialLinkSearch: Don’t pass null through to the parser.
(T312059) Update guzzlehttp/guzzle to 7.4.5 in vendor.
(T296435, T297669) cache: Add four fields to LinkCache::getSelectFields.
MediaWiki 1.37.3
This is a security and maintenance release of the MediaWiki 1.37 branch.
Changes since MediaWiki 1.37.2
Localisation updates.
(T289879) Type hints for ArrayAccess and JsonSerializable.
(T304783) TemplateParser: avoid warnings when called by NoLocalSettings.
Rebuilt vendor with composer 2.3.3.
Fix old_name in UserLogoutComplete hook.
(T289879) Address some deprecations for PHP 8.1.
(T193565) UserGroupManager: Fix dbDomain in addUserToGroup() deferred update.
(T309114) LocalFile::prerenderThumbnails: Limit the number of thumbnail jobs
triggered.
(T307982) Updated wikimedia/parsoid from v0.14.0 to v0.14.1.
(T308471) SECURITY: Escape welcomeuser message passed to showSuccessPage().
(T308473) SECURITY: Escape contributions-title msg for use within page title.
(T311272) Call parent constructor of AddSite maintenance script first.
MediaWiki: Don’t eagerly initialize action name.
Updated wikimedia/shellbox from v2.0.0 to v2.1.1.
(T311384, CVE-2022-27776) Updated guzzlehttp/guzzle from 7.2.0 to 7.4.5.
(T289926) Avoid passing null to trim() in SkinTemplate.
(T311473) rollbackEdits: Pass user identity to RollbackPage.
(T307282) Avoid passing null to strcasecmp(), for PHP 8.1.
(T311551) ShellboxClientFactory::getUrl(): Check if $this->key is null.
(T311552) ChangesListSpecialPage: Don’t pass null to FormatJson::decode().
(T311569) FileBackend::isStoragePath() Handle being passed null.
(T311544) Pass int to ApiUsageException::newWithMessage()’s $httpCode param.
(T311678) SpecialEditWatchlist: Prevent passing null to strtolower().
(T281741) ChangeTags: Fix adding CSS classes for hidden tags.
(T296642) changetags: Fix management of a ‘0’ tag.
(T311554) ChangeTags: Return early in formatSummaryRow() if $tags === null.
(T303033) Handle null in ChangeTags::modifyDisplayQuery.
Updated wikimedia/common-passwords from 0.3.0 to 0.4.0.
mediawiki-1.38.2-1.fc37
MediaWiki 1.38.2
This is a security and maintenance release of the MediaWiki 1.38 branch.
Changes since MediaWiki 1.38.1
Localisation updates.
(T309426) Repair language selector for SVGs.
(T310013) Fix default value for $wgShowEXIF and $wgUsePathInfo.
(T308471) SECURITY: Escape welcomeuser message passed to showSuccessPage().
(T308473) SECURITY: Escape contributions-title msg for use within page title.
(T311272) Call parent constructor of AddSite maintenance script first.
MediaWiki: Don’t eagerly initialize action name.
(T311384, CVE-2022-27776) Updated guzzlehttp/guzzle from 7.4.1 to 7.4.5.
(T289926) Avoid passing null to trim() in SkinTemplate.
(T289879) Address deprecations for PHP 8.1.
(T311473) rollbackEdits: Pass user identity to RollbackPage.
Upgrade wikimedia/remex-html from 3.0.1 to 3.0.2.
(T311551) ShellboxClientFactory::getUrl(): Check if $this->key is null.
(T311552) ChangesListSpecialPage: Don’t pass null to FormatJson::decode().
(T311569) FileBackend::isStoragePath() Handle being passed null.
(T311544) Pass int to ApiUsageException::newWithMessage()’s $httpCode param.
(T311678) SpecialEditWatchlist: Prevent passing null to strtolower().
(T311554) ChangeTags: Return early in formatSummaryRow() if $tags === null.
Upgrade wikimedia/common-passwords from 0.3.0 to 0.4.0.
