Category Archives: Advisories

Note that we will be skipping 16.14.2 since the only changes were in the bundled copy of OpenSSL, which we do not use. The relevant security patches are handled in Fedora’s openssl package.

Advisories

nodejs-16.17.1-1.fc36

September 28, 2022

Read Time:28 Second

FEDORA-2022-3793987b02

Packages in this update:

nodejs-16.17.1-1.fc36

Update description:

September Security Updates for Node.js

Update to Node.js 16.17.0

https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md#16.17.0

Fix dependency typo

Update to 16.15.0

Update to Node.js 16.14.1

Note that we will be skipping 16.14.2 since the only changes were in the bundled copy of OpenSSL, which we do not use. The relevant security patches are handled in Fedora’s openssl package.

Advisories

php-8.1.11-1.fc36

September 28, 2022

Read Time:1 Minute, 16 Second

FEDORA-2022-0b77fbd9e7

Packages in this update:

php-8.1.11-1.fc36

Update description:

PHP version 8.1.11 (29 Sep 2022)

Core:

Fixed bug php#81726: phar wrapper: DOS when using quine gzip file. (CVE-2022-31628). (cmb)
Fixed bug php#81727: Don’t mangle HTTP variable names that clash with ones that have a specific semantic meaning. (CVE-2022-31629). (Derick)
Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function) (Tim Starling)
Fixed bug GH-9361 (Segmentation fault on script exit php#9379). (cmb, Christian Schneider)
Fixed bug GH-9447 (Invalid class FQN emitted by AST dump for new and class constants in constant expressions). (ilutov)

DOM:

Fixed bug php#79451 (DOMDocument->replaceChild on doctype causes double free). (Nathan Freeman)

FPM:

Fixed bug GH-8885 (FPM access.log with stderr begins to write logs to error_log after daemon reload). (Dmitry Menshikov)
Fixed bug php#77780 (“Headers already sent…” when previous connection was aborted). (Jakub Zelenka)

GMP

Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed to gmp_init()). (Girgias)

Intl

Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter). (Girgias)

PCRE:

Fixed pcre.jit on Apple Silicon. (Niklas Keller)

PDO_PGSQL:

Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed). (Yurunsoft)

Reflection:

Fixed bug GH-8932 (ReflectionFunction provides no way to get the called class of a Closure). (cmb, Nicolas Grekas)

Streams:

Fixed bug GH-9316 ($http_response_header is wrong for long status line). (cmb, timwolla)

Advisories

php-8.1.11-1.fc37

September 28, 2022

Read Time:1 Minute, 16 Second

FEDORA-2022-580da6af27

Packages in this update:

php-8.1.11-1.fc37

Update description:

PHP version 8.1.11 (29 Sep 2022)

Core:

DOM:

Fixed bug php#79451 (DOMDocument->replaceChild on doctype causes double free). (Nathan Freeman)

FPM:

GMP

Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed to gmp_init()). (Girgias)

Intl

Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter). (Girgias)

PCRE:

Fixed pcre.jit on Apple Silicon. (Niklas Keller)

PDO_PGSQL:

Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed). (Yurunsoft)

Reflection:

Fixed bug GH-8932 (ReflectionFunction provides no way to get the called class of a Closure). (cmb, Nicolas Grekas)

Streams:

Fixed bug GH-9316 ($http_response_header is wrong for long status line). (cmb, timwolla)

Advisories

ZDI-22-1302: Rockwell Automation ThinManager ThinServer URI Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

September 28, 2022

Read Time:7 Second

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation ThinManager. Authentication is not required to exploit this vulnerability.

Advisories