FEDORA-2022-20e0f8d1cd
Packages in this update:
curl-7.79.1-6.fc35
Update description:
control code in cookie denial of service (CVE-2022-35252)
curl-7.79.1-6.fc35
control code in cookie denial of service (CVE-2022-35252)
curl-7.85.0-1.fc37
new upstream release, which fixes the following vulnerability
CVE-2022-35252 – control code in cookie denial of service
cloudcompare-2.11.3-4.fc37
Security fix for CVE-2021-21897
cloudcompare-2.9.1-16.fc35
Security fix for CVE-2021-21897
cloudcompare-2.11.3-4.fc36
Security fix for CVE-2021-21897
Posted by Martin Heiland via Fulldisclosure on Sep 01
Dear subscribers,
we’re sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Product: OX App Suite
Vendor: OX Software GmbH
Internal reference: MWB-1540
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable…
mediawiki-1.37.4-1.fc36
MediaWiki 1.37.4
This is a maintenance release of the MediaWiki 1.37 branch.
Changes since MediaWiki 1.37.3
Localisation updates.
(T311568) UploadBase::setTempFile() handle $tempPath being passed as null.
(T311559) SpecialListFiles: user parameter isn’t always present.
(T311561) ImageListPager: Don’t call htmlspecialchars() on null.
(T311920) SpecialBlockList: Prevent passing null to trim().
(T311921) SpecialUserrights: Don’t pass null to str_replace.
(T311570) SpecialWithoutInterwiki: Don’t pass null through to
Title::capitalize().
(T311574, T311576) SpecialLinkSearch: Don’t pass null through to the parser.
(T312059) Update guzzlehttp/guzzle to 7.4.5 in vendor.
(T296435, T297669) cache: Add four fields to LinkCache::getSelectFields.
MediaWiki 1.37.3
This is a security and maintenance release of the MediaWiki 1.37 branch.
Changes since MediaWiki 1.37.2
Localisation updates.
(T289879) Type hints for ArrayAccess and JsonSerializable.
(T304783) TemplateParser: avoid warnings when called by NoLocalSettings.
Rebuilt vendor with composer 2.3.3.
Fix old_name in UserLogoutComplete hook.
(T289879) Address some deprecations for PHP 8.1.
(T193565) UserGroupManager: Fix dbDomain in addUserToGroup() deferred update.
(T309114) LocalFile::prerenderThumbnails: Limit the number of thumbnail jobs
triggered.
(T307982) Updated wikimedia/parsoid from v0.14.0 to v0.14.1.
(T308471) SECURITY: Escape welcomeuser message passed to showSuccessPage().
(T308473) SECURITY: Escape contributions-title msg for use within page title.
(T311272) Call parent constructor of AddSite maintenance script first.
MediaWiki: Don’t eagerly initialize action name.
Updated wikimedia/shellbox from v2.0.0 to v2.1.1.
(T311384, CVE-2022-27776) Updated guzzlehttp/guzzle from 7.2.0 to 7.4.5.
(T289926) Avoid passing null to trim() in SkinTemplate.
(T311473) rollbackEdits: Pass user identity to RollbackPage.
(T307282) Avoid passing null to strcasecmp(), for PHP 8.1.
(T311551) ShellboxClientFactory::getUrl(): Check if $this->key is null.
(T311552) ChangesListSpecialPage: Don’t pass null to FormatJson::decode().
(T311569) FileBackend::isStoragePath() Handle being passed null.
(T311544) Pass int to ApiUsageException::newWithMessage()’s $httpCode param.
(T311678) SpecialEditWatchlist: Prevent passing null to strtolower().
(T281741) ChangeTags: Fix adding CSS classes for hidden tags.
(T296642) changetags: Fix management of a ‘0’ tag.
(T311554) ChangeTags: Return early in formatSummaryRow() if $tags === null.
(T303033) Handle null in ChangeTags::modifyDisplayQuery.
Updated wikimedia/common-passwords from 0.3.0 to 0.4.0.
mediawiki-1.38.2-1.fc37
MediaWiki 1.38.2
This is a security and maintenance release of the MediaWiki 1.38 branch.
Changes since MediaWiki 1.38.1
Localisation updates.
(T309426) Repair language selector for SVGs.
(T310013) Fix default value for $wgShowEXIF and $wgUsePathInfo.
(T308471) SECURITY: Escape welcomeuser message passed to showSuccessPage().
(T308473) SECURITY: Escape contributions-title msg for use within page title.
(T311272) Call parent constructor of AddSite maintenance script first.
MediaWiki: Don’t eagerly initialize action name.
(T311384, CVE-2022-27776) Updated guzzlehttp/guzzle from 7.4.1 to 7.4.5.
(T289926) Avoid passing null to trim() in SkinTemplate.
(T289879) Address deprecations for PHP 8.1.
(T311473) rollbackEdits: Pass user identity to RollbackPage.
Upgrade wikimedia/remex-html from 3.0.1 to 3.0.2.
(T311551) ShellboxClientFactory::getUrl(): Check if $this->key is null.
(T311552) ChangesListSpecialPage: Don’t pass null to FormatJson::decode().
(T311569) FileBackend::isStoragePath() Handle being passed null.
(T311544) Pass int to ApiUsageException::newWithMessage()’s $httpCode param.
(T311678) SpecialEditWatchlist: Prevent passing null to strtolower().
(T311554) ChangeTags: Return early in formatSummaryRow() if $tags === null.
Upgrade wikimedia/common-passwords from 0.3.0 to 0.4.0.
cloudcompare-2.11.3-4.fc38
Automatic update for cloudcompare-2.11.3-4.fc38.
* Thu Aug 25 2022 Miro Hrončok <mhroncok@redhat.com> – 2.11.3-4
– Security fix for CVE-2021-21897
– Fixes: rhbz#2080986
A vulnerability was found in the Linux kernel, where accessing a deallocated instance in printer_ioctl() printer_ioctl() tries to access of a printer_dev instance. However, use-after-free arises because it had been freed by gprinter_free().