FEDORA-2022-357cc1a81b
Packages in this update:
knot-resolver-5.5.3-1.fc35
Update description:
Latest upstream version 5.5.3 with fix for CVE-2022-40188
knot-resolver-5.5.3-1.fc35
Latest upstream version 5.5.3 with fix for CVE-2022-40188
bind-9.18.7-1.fc38
bind-dyndb-ldap-11.10-6.fc38
Upstream release notes
python3.6-3.6.15-12.fc38
Automatic update for python3.6-3.6.15-12.fc38.
* Wed Sep 14 2022 Lumír Balhar <lbalhar@redhat.com> – 3.6.15-12
– Fix for CVE-2021-28861
Resolves: rhbz#2120785
redis-7.0.5-1.fc37
Redis 7.0.5 – Released Wed Sep 21 20:00:00 IST 2022
Upgrade urgency: SECURITY, contains fixes to security issues.
Security Fixes:
(CVE-2022-35951) Executing a XAUTOCLAIM command on a stream key in a specific
state, with a specially crafted COUNT argument, may cause an integer overflow,
a subsequent heap overflow, and potentially lead to remote code execution.
The problem affects Redis versions 7.0.0 or newer
[reported by Xion (SeungHyun Lee) of KAIST GoN].
Module API changes
Fix RM_Call execution of scripts when used with M/W/S flags to properly
handle script flags (#11159)
Fix RM_SetAbsExpire and RM_GetAbsExpire API registration (#11025, #8564)
Bug Fixes
Fix a hang when eviction is combined with lazy-free and maxmemory-eviction-tenacity is set to 100 (#11237)
Fix a crash when a replica may attempt to set itself as its master as a result of a manual failover (#11263)
Fix a bug where a cluster-enabled replica node may permanently set its master’s hostname to ‘?’ (#10696)
Fix a crash when a Lua script returns a meta-table (#11032)
Fixes for issues in previous releases of Redis 7.0
Fix redis-cli to do DNS lookup before sending CLUSTER MEET (#11151)
Fix crash when a key is lazy expired during cluster key migration (#11176)
Fix AOF rewrite to fsync the old AOF file when a new one is created (#11004)
Fix some crashes involving a list containing entries larger than 1GB (#11242)
Correctly handle scripts with a non-read-only shebang on a cluster replica (#11223)
Fix memory leak when unloading a module (#11147)
Fix bug with scripts ignoring client tracking NOLOOP (#11052)
Fix client-side tracking breaking protocol when FLUSHDB / FLUSHALL / SWAPDB is used inside MULTI-EXEC (#11038)
Fix ACL: BITFIELD with GET and also SET / INCRBY can be executed with read-only key permission (#11086)
Fix missing sections for INFO ALL when also requesting a module info section (#11291)
Rhodri James discovered a heap use-after-free vulnerability in the
doContent function in Expat, an XML parsing C library, which could
result in denial of service or potentially the execution of arbitrary
code, if a malformed XML file is processed.
Several vulnerabilities were discovered in BIND, a DNS server
implementation.
A vulnerability in Keylime before 6.3.0 allows an attacker to craft a request to the agent that resets the U and V keys as if the agent were being re-added to a verifier. This could lead to a remote code execution.
Rapid7 InsightVM suffers from an information exposure issue whereby, when the user’s session has ended due to inactivity, an attacker can use the Inspect Element browser feature to remove the login panel and view the details available in the last webpage visited by previous user
thunderbird-102.3.0-1.fc37
Update to 102.3.0 ;
https://www.mozilla.org/en-US/security/advisories/mfsa2022-42/ ;
https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/
thunderbird-102.3.0-1.fc35
Update to 102.3.0 ;
https://www.mozilla.org/en-US/security/advisories/mfsa2022-42/ ;
https://www.thunderbird.net/en-US/thunderbird/102.3.0/releasenotes/