Category Archives: Advisories

golang-github-chromedp-cdproto-0-0.9.20220719git285dfb4.fc36 golang-k8s-sample-controller-1.22.0-5.fc36 golang-mongodb-mongo-driver-1.4.5-7.fc36 golang-mvdan-sh-3-3.4.3-5.fc36 golang-mvdan-xurls-2.2.0-7.fc36 golang-rsc-pdf-0.1.1-11.fc36 golang-sigs-k8s-aws-iam-authenticator-0.5.2-8.fc36 golang-sourcegraph-appdash-0-0.10.20210113gitebfcffb.fc36 golang-starlark-0-0.8.20210113gite81fc95.fc36 golang-storj-drpc-0.0.31-3.fc36 golang-vbom-util-0-0.12.20190520gitefcd4e0.fc36 golang-x-debug-0-0.15.20210123gitc934e1b.fc36 golang-x-exp-0-0.44.20220330git053ad81.fc36 golang-x-lint-0-17.20210123git83fdc39.fc36 golang-x-mobile-0-0.13.20220719git8578da9.fc36 golang-x-mod-0.6.0~dev-4.20220330git9b9b3d8.fc36 golang-x-perf-0-0.16.20210123gitbdcc622.fc36 golang-x-text-0.3.7-4.fc36 golang-x-tools-0.1.10-3.fc36 golist-0.10.1-10.fc36 goloris-0-0.7.20200326gita59fafb.fc36 gomtree-0.4.0-12.fc36 google-guest-agent-20201217.02-5.fc36 gotags-1.4.1-9.fc36 gotun-0-0.15.gita9dbe4d.fc36 grafana-7.5.15-4.fc36 gron-0.7.1-3.fc36 grpcurl-1.8.6-4.fc36 hakrevdns-0-0.6.20201116git9fa2d59.fc36 hcloud-1.30.0-2.fc36 htmltest-0.15.0-4.fc36 httprobe-0.1.2-7.fc36 hugo-0.93.3-6.fc36 hulk-0-0.7.20200620git9670699.fc36 ignition-2.14.0-3.fc36 jid-0.7.6-10.fc36 kata-containers-2.3.3-2.fc36.2 kiln-0.3.1-4.fc36 kompose-1.17.0-10.fc36 kubernetes-1.24.1-3.fc36 manifest-tool-2.0.3-3.fc36 mass3-0-0.7.20200627gite1d5f1a.fc36 meg-0.2.4-7.fc36 meshbird-2.3-7.fc36 micro-2.0.8-6.fc36 moby-engine-20.10.17-5.fc36 mqttcli-0.2.3-3.fc36 nats-server-2.1.9-7.fc36 nebula-1.6.0-2.fc36 netscanner-0-0.6.20201116git8baab36.fc36 nex-20210330-4.fc36 oci-seccomp-bpf-hook-1.2.6-2.fc36 ohmybackup-0-0.7.20200526git50f2fce.fc36 open-policy-agent-0.31.0-7.fc36 origin-3.11.2-7.fc36 osbuild-composer-57-2.fc36 pack-0.27.0-3.fc36 podman-tui-0.5.0-2.fc36 popub-0-0.14.20171007git6ffa11c.fc36 powerline-go-1.22.1-3.fc36 reg-0.16.1-9.fc36 reposurgeon-4.32-3.fc36 restic-0.12.1-4.fc36 runc-1.1.2-3.fc36 shellz-1.5.0-8.fc36 shhgit-0.2-8.fc36 skopeo-1.9.0-4.fc36 snapd-2.56.2-4.fc36 snowcrash-0-0.8.20201119git49b99ad.fc36 source-to-image-1.3.1-5.fc36 stargz-snapshotter-0.12.0-2.fc36 subfinder-2.5.2-3.fc36 swig-4.0.2-17.fc36 syncthing-1.20.3-2.fc36 sysutil-0-0.8.20200615git15668db.fc36 terrier-0.0.2-7.fc36 tiedot-3.4-9.fc36 tmux-top-0.1.1-3.fc36 toolbox-0.0.99.3-6.fc36 vgrep-2.6.0-3.fc36 vultr-2.0.3-6.fc36 vultr-cli-2.14.2-3.fc36 webanalyze-0.3.1-7.fc36 weldr-client-35.5-3.fc36 wgctrl-0-0.12.20210811git4253848.fc36 xe-guest-utilities-latest-7.30.0-6.fc36 xq-0.0.7-5.fc36 yggdrasil-0.2.98^1.ffb580f-0.3.20220127gitffb580f.fc36 yubihsm-connector-3.0.3-4.fc36

Read Time:4 Minute, 20 Second

FEDORA-2022-5038c3236c

Packages in this update:

golang-github-chromedp-cdproto-0-0.9.20220719git285dfb4.fc36
golang-k8s-sample-controller-1.22.0-5.fc36
golang-mongodb-mongo-driver-1.4.5-7.fc36
golang-mvdan-sh-3-3.4.3-5.fc36
golang-mvdan-xurls-2.2.0-7.fc36
golang-rsc-pdf-0.1.1-11.fc36
golang-sigs-k8s-aws-iam-authenticator-0.5.2-8.fc36
golang-sourcegraph-appdash-0-0.10.20210113gitebfcffb.fc36
golang-starlark-0-0.8.20210113gite81fc95.fc36
golang-storj-drpc-0.0.31-3.fc36
golang-vbom-util-0-0.12.20190520gitefcd4e0.fc36
golang-x-debug-0-0.15.20210123gitc934e1b.fc36
golang-x-exp-0-0.44.20220330git053ad81.fc36
golang-x-lint-0-17.20210123git83fdc39.fc36
golang-x-mobile-0-0.13.20220719git8578da9.fc36
golang-x-mod-0.6.0~dev-4.20220330git9b9b3d8.fc36
golang-x-perf-0-0.16.20210123gitbdcc622.fc36
golang-x-text-0.3.7-4.fc36
golang-x-tools-0.1.10-3.fc36
golist-0.10.1-10.fc36
goloris-0-0.7.20200326gita59fafb.fc36
gomtree-0.4.0-12.fc36
google-guest-agent-20201217.02-5.fc36
gotags-1.4.1-9.fc36
gotun-0-0.15.gita9dbe4d.fc36
grafana-7.5.15-4.fc36
gron-0.7.1-3.fc36
grpcurl-1.8.6-4.fc36
hakrevdns-0-0.6.20201116git9fa2d59.fc36
hcloud-1.30.0-2.fc36
htmltest-0.15.0-4.fc36
httprobe-0.1.2-7.fc36
hugo-0.93.3-6.fc36
hulk-0-0.7.20200620git9670699.fc36
ignition-2.14.0-3.fc36
jid-0.7.6-10.fc36
kata-containers-2.3.3-2.fc36.2
kiln-0.3.1-4.fc36
kompose-1.17.0-10.fc36
kubernetes-1.24.1-3.fc36
manifest-tool-2.0.3-3.fc36
mass3-0-0.7.20200627gite1d5f1a.fc36
meg-0.2.4-7.fc36
meshbird-2.3-7.fc36
micro-2.0.8-6.fc36
moby-engine-20.10.17-5.fc36
mqttcli-0.2.3-3.fc36
nats-server-2.1.9-7.fc36
nebula-1.6.0-2.fc36
netscanner-0-0.6.20201116git8baab36.fc36
nex-20210330-4.fc36
oci-seccomp-bpf-hook-1.2.6-2.fc36
ohmybackup-0-0.7.20200526git50f2fce.fc36
open-policy-agent-0.31.0-7.fc36
origin-3.11.2-7.fc36
osbuild-composer-57-2.fc36
pack-0.27.0-3.fc36
podman-tui-0.5.0-2.fc36
popub-0-0.14.20171007git6ffa11c.fc36
powerline-go-1.22.1-3.fc36
reg-0.16.1-9.fc36
reposurgeon-4.32-3.fc36
restic-0.12.1-4.fc36
runc-1.1.2-3.fc36
shellz-1.5.0-8.fc36
shhgit-0.2-8.fc36
skopeo-1.9.0-4.fc36
snapd-2.56.2-4.fc36
snowcrash-0-0.8.20201119git49b99ad.fc36
source-to-image-1.3.1-5.fc36
stargz-snapshotter-0.12.0-2.fc36
subfinder-2.5.2-3.fc36
swig-4.0.2-17.fc36
syncthing-1.20.3-2.fc36
sysutil-0-0.8.20200615git15668db.fc36
terrier-0.0.2-7.fc36
tiedot-3.4-9.fc36
tmux-top-0.1.1-3.fc36
toolbox-0.0.99.3-6.fc36
vgrep-2.6.0-3.fc36
vultr-2.0.3-6.fc36
vultr-cli-2.14.2-3.fc36
webanalyze-0.3.1-7.fc36
weldr-client-35.5-3.fc36
wgctrl-0-0.12.20210811git4253848.fc36
xe-guest-utilities-latest-7.30.0-6.fc36
xq-0.0.7-5.fc36
yggdrasil-0.2.98^1.ffb580f-0.3.20220127gitffb580f.fc36
yubihsm-connector-3.0.3-4.fc36

Update description:

Rebuild to mitigate CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in golang

See https://groups.google.com/g/golang-dev/c/frczlF8OFQ0/m/4lrZh5BHDgAJ for more information about the specific vulnerabilities.

Update to latest commit as of 20220719

Added

Experimental: nebula clients can be configured to act as relays for other nebula clients.
Primarily useful when stubborn NATs make a direct tunnel impossible. (#678)

Configuration option to report manually specified ip:ports to lighthouses. (#650)

Windows arm64 build. (#638)

punchy and most lighthouse config options now support hot reloading. (#649)

Changed

Build against go 1.18. (#656)

Promoted routines config from experimental to supported feature. (#702)

Dependencies updated. (#664)

Fixed

Packets destined for the same host that sent it will be returned on MacOS.
This matches the default behavior of other operating systems. (#501)

unsafe_route configuration will no longer crash on Windows. (#648)

A few panics that were introduced in 1.5.x. (#657, #658, #675)

Security

You can set listen.send_recv_error to control the conditions in which
recv_error messages are sent. Sending these messages can expose the fact
that Nebula is running on a host, but it speeds up re-handshaking. (#670)

Removed

x509 config stanza support has been removed. (#685)

bump to v4.2.0-rc1

fix package dir listing

resolve build issues and list new shell completion files

Release of stargz snapshotter v0.12.0. Please see the release note for details: https://github.com/containerd/stargz-snapshotter/releases/tag/v0.12.0

Fix extracting network metric

Read More

golang-github-morikuni-aec-1.0.0-6.fc36 golang-github-mozillazg-pinyin-0.19.0-5.fc36 golang-github-mroach-rom64-0.5.3-2.fc36 golang-github-mrunalp-fileutils-0.5.0-6.fc36 golang-github-msprev-fzf-bibtex-1.1-6.20220205gitd5df2c6.fc36 golang-github-multiformats-multibase-0.0.3-3.20220213gitf067816.fc36 golang-github-multiformats-multihash-0.1.0-3.fc36 golang-github-mvo5-uboot-0.4-11.fc36 golang-github-nats-io-nkeys-0.2.0-6.fc36 golang-github-nats-io-streaming-server-0.20.0-6.fc36 golang-github-nbutton23-zxcvbn-0.1-9.20210110gite56b841.fc36 golang-github-nicksnyder-i18n-2-2.1.2-6.fc36 golang-github-niklasfasching-org-1.6.2-3.fc36 golang-github-oklog-0.3.2-12.20190701gitca7cdf5.fc36 golang-github-oklog-ulid-2.0.2-11.fc36 golang-github-olekukonko-tablewriter-0.0.5-4.fc36 golang-github-oneofone-xxhash-1.2.8-6.fc36 golang-github-onsi-ginkgo-2-2.1.4-3.fc36 golang-github-openprinting-ipp-usb-0.9.22-2.fc36 golang-github-pact-foundation-1.5.1-7.fc36 golang-github-path-network-mmproxy-2.1-4.fc36 golang-github-pdfcpu-0.3.13-3.fc36 golang-github-pelletier-toml-1.9.4-3.fc36 golang-github-pelletier-toml-2-2.0.0~beta.8-5.fc36 golang-github-phayes-freeport-1.0.2-7.fc36 golang-github-pierrec-lz4-4.1.3-6.fc36 golang-github-pierrre-geohash-1.0.0-5.fc36 golang-github-posener-complete-1.2.3-9.fc36 golang-github-posener-complete-2-2.0.1~alpha.13-6.fc36 golang-github-pquerna-ffjson-0-0.10.20200730gitaa0246c.fc36 golang-github-pressly-goose-2.7.0-5.fc36 golang-github-projectdiscovery-chaos-client-0.2.0-3.fc36 golang-github-projectdiscovery-mapcidr-0.0.8-4.fc36 golang-github-prometheus-2.32.1-7.fc36 golang-github-prometheus-node-exporter-1.3.1-10.fc36 golang-github-prometheus-prom2json-1.3.0-9.20210811git90766c0.fc36 golang-github-prometheus-tsdb-0.10.0-9.fc36 golang-github-quay-goval-parser-0.8.6-5.fc36 golang-github-rakyll-statik-0.1.7-9.fc36 golang-github-rcrowley-metrics-0-0.29.20210110gitcf1acfc.fc36 golang-github-redteampentesting-monsoon-0.6.0-7.fc36 golang-github-rickb777-date-1.19.1-3.fc36 golang-github-rogpeppe-internal-1.8.1-3.fc36 golang-github-rubenv-sql-migrate-0-0.6.20210529gita32ed26.fc36 golang-github-rwcarlsen-goexif-0-0.10.20191017git9e8deec.fc36 golang-github-schollz-croc-9.5.2-2.fc36 golang-github-schollz-mnemonicode-1.0.1-3.fc36 golang-github-segmentio-ksuid-1.0.4-4.fc36 golang-github-shellcode33-vm-detection-0-0.7.20200715git4fd05cb.fc36 golang-github-shopify-sarama-1.27.2-6.fc36 golang-github-shopify-toxiproxy-2.1.4-11.fc36 golang-github-shulhan-bindata-3.6.1-7.fc36 golang-github-shurcool-vfsgen-0-0.12.20210113git0d455de.fc36 golang-github-skip2-qrcode-0-3.20220316gitda1b656.fc36 golang-github-skynetservices-skydns-2.5.3-23.20200802git94b2ea0.fc36 golang-github-snappy-0.0.2-7.fc36 golang-github-sophaskins-efs2tar-0-0.5.20210317git4db1b0f.fc36 golang-github-sourcegraph-syntaxhighlight-0-0.12.20180418gitbd320f5.fc36 golang-github-spyzhov-ajson-0.4.2-11.fc36 golang-github-sqshq-sampler-1.1.0-10.fc36 golang-github-task-3.14.0-3.fc36 golang-github-tdewolff-minify-2.11.10-4.fc36 golang-github-temoto-robotstxt-1.1.2-4.fc36 golang-github-theoapp-theo-agent-0.14.0-5.fc36 golang-github-theupdateframework-notary-0.7.0-7.fc36 golang-github-tinylib-msgp-1.1.5-6.fc36 golang-github-tklauser-numcpus-0.2.3-8.fc36 golang-github-tomnomnom-xtermcolor-0.1.2-9.fc36 golang-github-tscholl2-siec-0-4.20211128git9bdfc48.fc36 golang-github-twitchtv-twirp-8.1.0-5.fc36 golang-github-twpayne-waypoint-0-0.5.20210130git4f8e6bf.fc36 golang-github-u-root-iscsinl-0.1.0-5.fc36 golang-github-uber-athenadriver-1.1.12-6.fc36 golang-github-uber-jaeger-client-2.30.0-3.fc36 golang-github-ulikunitz-xz-0.5.10-5.fc36 golang-github-valyala-fasthttp-1.29.0-4.fc36 golang-github-vbatts-tar-split-0.11.1-11.fc36 golang-github-vincent-petithory-dataurl-0-0.8.20200110gitd1553a7.fc36 golang-github-xo-terminfo-0-0.7.20210113gitc22d04b.fc36 golang-github-xordataexchange-crypt-0.0.2-13.20190412gitb2862e3.fc36 golang-github-yuin-gopher-lua-0-24.20220305gitf4c35e4.fc36 golang-github-zyedidia-highlight-0-0.7.20200218git291680f.fc36 golang-gitlab-commonmark-linkify-0-0.10.20200805git64bca66.fc36 golang-google-appengine-1.6.7-6.fc36 golang-google-protobuf-1.27.1-6.fc36 golang-gopkg-neurosnap-sentences-1-1.0.6-15.fc36 golang-gopkg-square-jose-2-2.6.0-4.fc36 golang-gopkg-src-d-git-4-4.13.1-9.fc36 golang-honnef-tools-2021.1.2-3.20220304git852a31a.fc36 golang-jaytaylor-html2text-0-0.3.20220509gitbc68cce.fc36 golang-k8s-apiextensions-apiserver-1.22.0-7.fc36 golang-k8s-code-generator-1.22.0-5.fc36 golang-k8s-kube-aggregator-1.22.0-5.fc36 golang-k8s-kube-openapi-0-0.22.20210813git3c81807.fc36 golang-k8s-pod-security-admission-1.22.0-4.fc36 golang-k8s-sample-apiserver-1.22.0-6.fc36 golang-k8s-sample-cli-plugin-1.22.0-5.fc36

Read Time:4 Minute, 44 Second

FEDORA-2022-37aef44d1e

Packages in this update:

golang-github-morikuni-aec-1.0.0-6.fc36
golang-github-mozillazg-pinyin-0.19.0-5.fc36
golang-github-mroach-rom64-0.5.3-2.fc36
golang-github-mrunalp-fileutils-0.5.0-6.fc36
golang-github-msprev-fzf-bibtex-1.1-6.20220205gitd5df2c6.fc36
golang-github-multiformats-multibase-0.0.3-3.20220213gitf067816.fc36
golang-github-multiformats-multihash-0.1.0-3.fc36
golang-github-mvo5-uboot-0.4-11.fc36
golang-github-nats-io-nkeys-0.2.0-6.fc36
golang-github-nats-io-streaming-server-0.20.0-6.fc36
golang-github-nbutton23-zxcvbn-0.1-9.20210110gite56b841.fc36
golang-github-nicksnyder-i18n-2-2.1.2-6.fc36
golang-github-niklasfasching-org-1.6.2-3.fc36
golang-github-oklog-0.3.2-12.20190701gitca7cdf5.fc36
golang-github-oklog-ulid-2.0.2-11.fc36
golang-github-olekukonko-tablewriter-0.0.5-4.fc36
golang-github-oneofone-xxhash-1.2.8-6.fc36
golang-github-onsi-ginkgo-2-2.1.4-3.fc36
golang-github-openprinting-ipp-usb-0.9.22-2.fc36
golang-github-pact-foundation-1.5.1-7.fc36
golang-github-path-network-mmproxy-2.1-4.fc36
golang-github-pdfcpu-0.3.13-3.fc36
golang-github-pelletier-toml-1.9.4-3.fc36
golang-github-pelletier-toml-2-2.0.0~beta.8-5.fc36
golang-github-phayes-freeport-1.0.2-7.fc36
golang-github-pierrec-lz4-4.1.3-6.fc36
golang-github-pierrre-geohash-1.0.0-5.fc36
golang-github-posener-complete-1.2.3-9.fc36
golang-github-posener-complete-2-2.0.1~alpha.13-6.fc36
golang-github-pquerna-ffjson-0-0.10.20200730gitaa0246c.fc36
golang-github-pressly-goose-2.7.0-5.fc36
golang-github-projectdiscovery-chaos-client-0.2.0-3.fc36
golang-github-projectdiscovery-mapcidr-0.0.8-4.fc36
golang-github-prometheus-2.32.1-7.fc36
golang-github-prometheus-node-exporter-1.3.1-10.fc36
golang-github-prometheus-prom2json-1.3.0-9.20210811git90766c0.fc36
golang-github-prometheus-tsdb-0.10.0-9.fc36
golang-github-quay-goval-parser-0.8.6-5.fc36
golang-github-rakyll-statik-0.1.7-9.fc36
golang-github-rcrowley-metrics-0-0.29.20210110gitcf1acfc.fc36
golang-github-redteampentesting-monsoon-0.6.0-7.fc36
golang-github-rickb777-date-1.19.1-3.fc36
golang-github-rogpeppe-internal-1.8.1-3.fc36
golang-github-rubenv-sql-migrate-0-0.6.20210529gita32ed26.fc36
golang-github-rwcarlsen-goexif-0-0.10.20191017git9e8deec.fc36
golang-github-schollz-croc-9.5.2-2.fc36
golang-github-schollz-mnemonicode-1.0.1-3.fc36
golang-github-segmentio-ksuid-1.0.4-4.fc36
golang-github-shellcode33-vm-detection-0-0.7.20200715git4fd05cb.fc36
golang-github-shopify-sarama-1.27.2-6.fc36
golang-github-shopify-toxiproxy-2.1.4-11.fc36
golang-github-shulhan-bindata-3.6.1-7.fc36
golang-github-shurcool-vfsgen-0-0.12.20210113git0d455de.fc36
golang-github-skip2-qrcode-0-3.20220316gitda1b656.fc36
golang-github-skynetservices-skydns-2.5.3-23.20200802git94b2ea0.fc36
golang-github-snappy-0.0.2-7.fc36
golang-github-sophaskins-efs2tar-0-0.5.20210317git4db1b0f.fc36
golang-github-sourcegraph-syntaxhighlight-0-0.12.20180418gitbd320f5.fc36
golang-github-spyzhov-ajson-0.4.2-11.fc36
golang-github-sqshq-sampler-1.1.0-10.fc36
golang-github-task-3.14.0-3.fc36
golang-github-tdewolff-minify-2.11.10-4.fc36
golang-github-temoto-robotstxt-1.1.2-4.fc36
golang-github-theoapp-theo-agent-0.14.0-5.fc36
golang-github-theupdateframework-notary-0.7.0-7.fc36
golang-github-tinylib-msgp-1.1.5-6.fc36
golang-github-tklauser-numcpus-0.2.3-8.fc36
golang-github-tomnomnom-xtermcolor-0.1.2-9.fc36
golang-github-tscholl2-siec-0-4.20211128git9bdfc48.fc36
golang-github-twitchtv-twirp-8.1.0-5.fc36
golang-github-twpayne-waypoint-0-0.5.20210130git4f8e6bf.fc36
golang-github-uber-athenadriver-1.1.12-6.fc36
golang-github-uber-jaeger-client-2.30.0-3.fc36
golang-github-ulikunitz-xz-0.5.10-5.fc36
golang-github-u-root-iscsinl-0.1.0-5.fc36
golang-github-valyala-fasthttp-1.29.0-4.fc36
golang-github-vbatts-tar-split-0.11.1-11.fc36
golang-github-vincent-petithory-dataurl-0-0.8.20200110gitd1553a7.fc36
golang-github-xordataexchange-crypt-0.0.2-13.20190412gitb2862e3.fc36
golang-github-xo-terminfo-0-0.7.20210113gitc22d04b.fc36
golang-github-yuin-gopher-lua-0-24.20220305gitf4c35e4.fc36
golang-github-zyedidia-highlight-0-0.7.20200218git291680f.fc36
golang-gitlab-commonmark-linkify-0-0.10.20200805git64bca66.fc36
golang-google-appengine-1.6.7-6.fc36
golang-google-protobuf-1.27.1-6.fc36
golang-gopkg-neurosnap-sentences-1-1.0.6-15.fc36
golang-gopkg-square-jose-2-2.6.0-4.fc36
golang-gopkg-src-d-git-4-4.13.1-9.fc36
golang-honnef-tools-2021.1.2-3.20220304git852a31a.fc36
golang-jaytaylor-html2text-0-0.3.20220509gitbc68cce.fc36
golang-k8s-apiextensions-apiserver-1.22.0-7.fc36
golang-k8s-code-generator-1.22.0-5.fc36
golang-k8s-kube-aggregator-1.22.0-5.fc36
golang-k8s-kube-openapi-0-0.22.20210813git3c81807.fc36
golang-k8s-pod-security-admission-1.22.0-4.fc36
golang-k8s-sample-apiserver-1.22.0-6.fc36
golang-k8s-sample-cli-plugin-1.22.0-5.fc36

Update description:

Rebuild to mitigate CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in golang

See https://groups.google.com/g/golang-dev/c/frczlF8OFQ0/m/4lrZh5BHDgAJ for more information about the specific vulnerabilities.

enable s390x build (rhbz#1971028)

Read More

golang-github-cpu-goacmedns-0.1.1-6.fc36 golang-github-cpuguy83-md2man-2.0.2-3.fc36 golang-github-crossdock-0-0.9.20190628git049aabb.fc36 golang-github-cucumber-godog-0.12.1-5.fc36 golang-github-cyberdotgent-route3270-0.2-4.fc36 golang-github-dave-jennifer-1.4.1-6.fc36 golang-github-deepmap-oapi-codegen-1.8.2-4.fc36 golang-github-denisbrodbeck-machineid-1.0.1-3.fc36 golang-github-dgrijalva-jwt-3.2.0-12.fc36 golang-github-dreamacro-shadowsocks2-0.1.7-7.fc36 golang-github-dustinkirkland-petname-0-0.7.20200605git8e5a1ed.fc36 golang-github-eknkc-amber-0-0.18.20190601gitcdade1c.fc36 golang-github-elazarl-bindata-assetfs-1.0.1-10.fc36 golang-github-emersion-smtp-0.15.0-5.fc36 golang-github-envoyproxy-protoc-gen-validate-0.4.1-7.fc36 golang-github-etcd-io-gofail-0-0.4.20210808gitad7f989.fc36 golang-github-euank-kmsg-parser-2.0.1-9.fc36 golang-github-evanphx-json-patch-5.5.0-4.fc36 golang-github-evanw-esbuild-0.14.38-3.fc36 golang-github-facebookincubator-contest-0-0.5.20210706gitceebc35.fc36 golang-github-facebookincubator-dhcplb-0-0.5.20210706git2e66b27.fc36 golang-github-facebookincubator-go2chef-1.0-3.fc36 golang-github-facebookincubator-nvdtools-0.1.4-6.fc36 golang-github-fernet-0-0.10.20200726giteff2850.fc36 golang-github-francoispqt-gojay-1.2.13-8.fc36 golang-github-fvbommel-util-0.0.3-6.fc36 golang-github-gdamore-tcell-1.4.0-6.fc36 golang-github-gdamore-tcell-2-2.5.0-3.fc36 golang-github-geertjohan-rice-1.0.2-6.fc36 golang-github-gobuffalo-here-0.6.2-6.fc36 golang-github-gobwas-ws-1.1.0-4.fc36 golang-github-goccy-yaml-1.9.5-3.fc36 golang-github-gocolly-colly-2-2.1.0-5.20210920git2f09941.fc36 golang-github-gogo-googleapis-1.4.1-5.fc36 golang-github-gohugoio-testmodbuilder-0-0.11.20201030git72e1e0c.fc36 golang-github-gojuno-minimock-3.0.10-4.fc36 golang-github-google-containerregistry-0.5.1-6.fc36 golang-github-google-dap-0.6.0-6.fc36 golang-github-google-jsonnet-0.17.0-6.fc36 golang-github-google-martian-3.1.0-10.fc36 golang-github-google-pprof-0-17.20210802gitc50bf4f.fc36 golang-github-google-slothfs-0-0.12.20200727git59c1163.fc36 golang-github-google-wire-0.5.0-4.fc36 golang-github-googleapis-gnostic-0.5.3-7.fc36 golang-github-googlecloudplatform-cloudsql-proxy-1.19.1-7.fc36 golang-github-gorhill-cronexpr-1.0.0-5.fc36 golang-github-gosexy-gettext-0.9-8.fc36 golang-github-grpc-ecosystem-gateway-2-2.7.3-5.fc36 golang-github-gucumber-0-0.24.20190703git7d5c79e.fc36 golang-github-haproxytech-dataplaneapi-2.4.4-5.fc36 golang-github-hashicorp-consul-migrate-0.1.0-10.20190602git678fb10.fc36 golang-github-hashicorp-hclog-0.15.0-6.fc36 golang-github-hashicorp-memdb-1.3.0-6.fc36 golang-github-hashicorp-serf-0.9.5-6.fc36 golang-github-hashicorp-sockaddr-1.0.2-12.fc36 golang-github-heistp-irtt-0.9.1-3.fc36 golang-github-hexdigest-gowrap-1.1.12-5.fc36 golang-github-hub-2.14.2-9.fc36 golang-github-insomniacslk-termhook-0-7.20210406gita267c97.fc36 golang-github-instrumenta-kubeval-0.15.0-9.fc36 golang-github-j-keck-arping-1.0.2-4.fc36 golang-github-jmespath-0.4.0-6.fc36 golang-github-jsonnet-bundler-0.4.0-9.fc36 golang-github-jwt-3.2.2-4.fc36 golang-github-kalafut-imohash-1.0.2-4.fc36 golang-github-kr-text-0.2.0-6.fc36 golang-github-krishicks-yaml-patch-0.0.10-9.20200307git05b3177.fc36 golang-github-kyokomi-emoji-2.2.8-6.fc36 golang-github-ledisdb-0.6-6.20210112gitd35789e.fc36 golang-github-leonelquinteros-gotext-1.5.0-3.fc36 golang-github-letsencrypt-pebble-2.3.1-6.fc36 golang-github-leveldb-0-0.10.20190701git259d925.fc36 golang-github-liamg-scout-0.15.1-5.fc36 golang-github-liamg-tml-0.6.0-3.fc36 golang-github-lofanmi-pinyin-1.0-5.fc36 golang-github-lunixbochs-vtclean-1.0.0-9.fc36 golang-github-magefile-mage-1.11.0-6.fc36 golang-github-mailru-easyjson-0.7.6-6.fc36 golang-github-markbates-pkger-0.17.1-6.fc36 golang-github-martinhoefling-goxkcdpwgen-0.1.0-3.fc36 golang-github-mattn-colorable-0.1.8-8.fc36 golang-github-mbndr-figlet4go-0-0.9.20191009gitd6cef5b.fc36 golang-github-mdlayher-dhcp6-0-0.9.20200429git2a67805.fc36 golang-github-mdlayher-ethernet-0-0.6.20201109git0394541.fc36 golang-github-mgutz-ansi-0-0.14.20200729gitd51e80e.fc36 golang-github-mholt-archiver-3.5.1-4.fc36 golang-github-microcosm-cc-bluemonday-1.0.17-4.fc36 golang-github-mmarkdown-mmark-2.2.10-6.fc36 golang-github-mock-1.6.0-4.fc36

Read Time:4 Minute, 15 Second

FEDORA-2022-ea8f4e232d

Packages in this update:

golang-github-cpu-goacmedns-0.1.1-6.fc36
golang-github-cpuguy83-md2man-2.0.2-3.fc36
golang-github-crossdock-0-0.9.20190628git049aabb.fc36
golang-github-cucumber-godog-0.12.1-5.fc36
golang-github-cyberdotgent-route3270-0.2-4.fc36
golang-github-dave-jennifer-1.4.1-6.fc36
golang-github-deepmap-oapi-codegen-1.8.2-4.fc36
golang-github-denisbrodbeck-machineid-1.0.1-3.fc36
golang-github-dgrijalva-jwt-3.2.0-12.fc36
golang-github-dreamacro-shadowsocks2-0.1.7-7.fc36
golang-github-dustinkirkland-petname-0-0.7.20200605git8e5a1ed.fc36
golang-github-eknkc-amber-0-0.18.20190601gitcdade1c.fc36
golang-github-elazarl-bindata-assetfs-1.0.1-10.fc36
golang-github-emersion-smtp-0.15.0-5.fc36
golang-github-envoyproxy-protoc-gen-validate-0.4.1-7.fc36
golang-github-etcd-io-gofail-0-0.4.20210808gitad7f989.fc36
golang-github-euank-kmsg-parser-2.0.1-9.fc36
golang-github-evanphx-json-patch-5.5.0-4.fc36
golang-github-evanw-esbuild-0.14.38-3.fc36
golang-github-facebookincubator-contest-0-0.5.20210706gitceebc35.fc36
golang-github-facebookincubator-dhcplb-0-0.5.20210706git2e66b27.fc36
golang-github-facebookincubator-go2chef-1.0-3.fc36
golang-github-facebookincubator-nvdtools-0.1.4-6.fc36
golang-github-fernet-0-0.10.20200726giteff2850.fc36
golang-github-francoispqt-gojay-1.2.13-8.fc36
golang-github-fvbommel-util-0.0.3-6.fc36
golang-github-gdamore-tcell-1.4.0-6.fc36
golang-github-gdamore-tcell-2-2.5.0-3.fc36
golang-github-geertjohan-rice-1.0.2-6.fc36
golang-github-gobuffalo-here-0.6.2-6.fc36
golang-github-gobwas-ws-1.1.0-4.fc36
golang-github-goccy-yaml-1.9.5-3.fc36
golang-github-gocolly-colly-2-2.1.0-5.20210920git2f09941.fc36
golang-github-gogo-googleapis-1.4.1-5.fc36
golang-github-gohugoio-testmodbuilder-0-0.11.20201030git72e1e0c.fc36
golang-github-gojuno-minimock-3.0.10-4.fc36
golang-github-googleapis-gnostic-0.5.3-7.fc36
golang-github-googlecloudplatform-cloudsql-proxy-1.19.1-7.fc36
golang-github-google-containerregistry-0.5.1-6.fc36
golang-github-google-dap-0.6.0-6.fc36
golang-github-google-jsonnet-0.17.0-6.fc36
golang-github-google-martian-3.1.0-10.fc36
golang-github-google-pprof-0-17.20210802gitc50bf4f.fc36
golang-github-google-slothfs-0-0.12.20200727git59c1163.fc36
golang-github-google-wire-0.5.0-4.fc36
golang-github-gorhill-cronexpr-1.0.0-5.fc36
golang-github-gosexy-gettext-0.9-8.fc36
golang-github-grpc-ecosystem-gateway-2-2.7.3-5.fc36
golang-github-gucumber-0-0.24.20190703git7d5c79e.fc36
golang-github-haproxytech-dataplaneapi-2.4.4-5.fc36
golang-github-hashicorp-consul-migrate-0.1.0-10.20190602git678fb10.fc36
golang-github-hashicorp-hclog-0.15.0-6.fc36
golang-github-hashicorp-memdb-1.3.0-6.fc36
golang-github-hashicorp-serf-0.9.5-6.fc36
golang-github-hashicorp-sockaddr-1.0.2-12.fc36
golang-github-heistp-irtt-0.9.1-3.fc36
golang-github-hexdigest-gowrap-1.1.12-5.fc36
golang-github-hub-2.14.2-9.fc36
golang-github-insomniacslk-termhook-0-7.20210406gita267c97.fc36
golang-github-instrumenta-kubeval-0.15.0-9.fc36
golang-github-j-keck-arping-1.0.2-4.fc36
golang-github-jmespath-0.4.0-6.fc36
golang-github-jsonnet-bundler-0.4.0-9.fc36
golang-github-jwt-3.2.2-4.fc36
golang-github-kalafut-imohash-1.0.2-4.fc36
golang-github-krishicks-yaml-patch-0.0.10-9.20200307git05b3177.fc36
golang-github-kr-text-0.2.0-6.fc36
golang-github-kyokomi-emoji-2.2.8-6.fc36
golang-github-ledisdb-0.6-6.20210112gitd35789e.fc36
golang-github-leonelquinteros-gotext-1.5.0-3.fc36
golang-github-letsencrypt-pebble-2.3.1-6.fc36
golang-github-leveldb-0-0.10.20190701git259d925.fc36
golang-github-liamg-scout-0.15.1-5.fc36
golang-github-liamg-tml-0.6.0-3.fc36
golang-github-lofanmi-pinyin-1.0-5.fc36
golang-github-lunixbochs-vtclean-1.0.0-9.fc36
golang-github-magefile-mage-1.11.0-6.fc36
golang-github-mailru-easyjson-0.7.6-6.fc36
golang-github-markbates-pkger-0.17.1-6.fc36
golang-github-martinhoefling-goxkcdpwgen-0.1.0-3.fc36
golang-github-mattn-colorable-0.1.8-8.fc36
golang-github-mbndr-figlet4go-0-0.9.20191009gitd6cef5b.fc36
golang-github-mdlayher-dhcp6-0-0.9.20200429git2a67805.fc36
golang-github-mdlayher-ethernet-0-0.6.20201109git0394541.fc36
golang-github-mgutz-ansi-0-0.14.20200729gitd51e80e.fc36
golang-github-mholt-archiver-3.5.1-4.fc36
golang-github-microcosm-cc-bluemonday-1.0.17-4.fc36
golang-github-mmarkdown-mmark-2.2.10-6.fc36
golang-github-mock-1.6.0-4.fc36

Update description:

Rebuild to mitigate CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in golang

See https://groups.google.com/g/golang-dev/c/frczlF8OFQ0/m/4lrZh5BHDgAJ for more information about the specific vulnerabilities.

Read More

3mux-1.1.0-6.fc36 act-1.6.0-7.fc36 aerc-0.10.0-5.fc36 age-1.0.0-6.fc36 antlr4-project-4.9.3-6.fc36 apache-cloudstack-cloudmonkey-6.2.0-4.fc36 apptainer-1.0.3-2.fc36 aquatone-1.7.0-8.fc36 aron-0-0.7.20200626git7eade58.fc36 asciigraph-0.5.5-3.fc36 asnip-0-0.7.20200618git44ba98b.fc36 assetfinder-0.1.0-7.fc36 astral-0.1.2-2.fc36 bettercap-2.32.0-5.fc36 buildah-1.26.2-2.fc36 butane-0.15.0-2.fc36 caddy-2.4.6-4.fc36 cadvisor-0.44.1-4.fc36 cheat-4.2.2-5.fc36 chisel-1.7.7-4.fc36 clash-1.8.0-5.fc36 clipman-1.6.1-4.fc36 commit-stream-0.1.2-8.fc36 containerd-1.6.6-5.fc36 cri-o-1.24.1-3.fc36 darkman-1.3.1-0.4.20220624gitc265698.fc36 deepin-gir-generator-2.1.0-4.fc36 direnv-2.32.1-3.fc36 dnscrypt-proxy-2.1.1-5.fc36 dnsx-1.1.0-4.fc36 docker-distribution-2.6.2-18.git48294d9.fc36 doctl-1.78.0-2.fc36 douceur-0.2.0-15.fc36 duf-0.8.1-4.fc36 ffuf-1.0.2-7.fc36 fzf-0.30.0-4.fc36 geoipupdate-4.9.0-3.fc36 git-lfs-3.1.2-5.fc36 git-octopus-2.0-0.4.beta.3.fc36.13 git-time-metric-1.3.5-16.fc36 gitjacker-0.0.2-9.fc36 glide-0.13.2-11.fc36 gmailctl-0.10.4-4.fc36 go-bindata-3.0.7-23.gita0ff256.fc36 goaltdns-0-0.8.20200627git2b3e8a3.fc36 gobuster-3.1.0-4.fc36 godep-62-18.fc36 godoctor-0.6-13.fc36 godotenv-1.4.0-5.fc36 gojq-0.12.8-4.fc36 golang-ariga-atlas-0.3.6-4.fc36 golang-bug-serial-1-1.3.5-4.fc36 golang-contrib-opencensus-resource-0.1.2-8.fc36 golang-entgo-ent-0.10.0-5.fc36 golang-etcd-bbolt-1.3.6-5.fc36 golang-gioui-0-9.20201225git18d4dbf.fc36 golang-github-a8m-envsubst-1.3.0-3.fc36 golang-github-a8m-tree-0-0.17.20210725gitce3525c.fc36 golang-github-acme-lego-4.4.0-7.fc36 golang-github-ajstarks-deck-0-0.13.20210114git30c9fc6.fc36 golang-github-akavel-rsrc-0.10.2-5.fc36 golang-github-alecthomas-chroma-0.10.0-4.fc36 golang-github-aliyun-ossutil-1.7.9-4.fc36 golang-github-apache-beam-2-2.33.0~RC1-8.fc36 golang-github-appc-docker2aci-0.17.2-10.fc36 golang-github-appc-goaci-0.1.1-13.fc36 golang-github-appc-spec-0.8.11-15.fc36 golang-github-aryann-difflib-0-0.6.20200822gite206f87.fc36 golang-github-aws-lambda-1.26.0-5.fc36 golang-github-axgle-mahonia-0-0.14.20181112git3358181.fc36 golang-github-bifurcation-mint-0-0.10.20200724git93c820e.fc36 golang-github-bobesa-domain-util-0-0.7.20200504git4033b5f.fc36 golang-github-boltdb-bolt-1.3.1-16.fc36 golang-github-burntsushi-toml-1.0.0-6.fc36 golang-github-burntsushi-toml-test-0.2.0-12.20210108git9767d20.fc36 golang-github-burntsushi-xgb-0-0.16.20210108git5f9e7b3.fc36 golang-github-c-bata-prompt-0.2.6-5.fc36 golang-github-cactus-statsd-client-5.0.0-6.fc36 golang-github-cespare-xxhash-2.1.2-4.fc36 golang-github-chai2010-gettext-1.0.2-7.fc36 golang-github-chris-ramon-douceur-0.2.0-6.20200910gitf346305.fc36 golang-github-christrenkamp-goxpath-0-0.7.20200627gitc5096ec.fc36 golang-github-cilium-ebpf-0.8.0-3.fc36 golang-github-client9-gospell-0-0.12.20190524git90dfc71.fc36 golang-github-client9-plaintext-0-0.9.20190703git5bf47e7.fc36 golang-github-cloudflare-0.21.0-4.fc36 golang-github-cloudflare-redoctober-0-0.13.20210114git99c99a8.fc36 golang-github-cockroachdb-pebble-0-0.9.20210108git48f5530.fc36 golang-github-colinmarc-hdfs-2-2.2.0-5.fc36 golang-github-containerd-continuity-0.2.2-4.fc36 golang-github-containerd-fuse-overlayfs-snapshotter-1.0.2-8.fc36 golang-github-containernetworking-cni-1.1.1-5.fc36 golang-github-coredns-corefile-migration-1.0.11-7.fc36

Read Time:3 Minute, 47 Second

FEDORA-2022-5ef0bd9a27

Packages in this update:

3mux-1.1.0-6.fc36
act-1.6.0-7.fc36
aerc-0.10.0-5.fc36
age-1.0.0-6.fc36
antlr4-project-4.9.3-6.fc36
apache-cloudstack-cloudmonkey-6.2.0-4.fc36
apptainer-1.0.3-2.fc36
aquatone-1.7.0-8.fc36
aron-0-0.7.20200626git7eade58.fc36
asciigraph-0.5.5-3.fc36
asnip-0-0.7.20200618git44ba98b.fc36
assetfinder-0.1.0-7.fc36
astral-0.1.2-2.fc36
bettercap-2.32.0-5.fc36
buildah-1.26.2-2.fc36
butane-0.15.0-2.fc36
caddy-2.4.6-4.fc36
cadvisor-0.44.1-4.fc36
cheat-4.2.2-5.fc36
chisel-1.7.7-4.fc36
clash-1.8.0-5.fc36
clipman-1.6.1-4.fc36
commit-stream-0.1.2-8.fc36
containerd-1.6.6-5.fc36
cri-o-1.24.1-3.fc36
darkman-1.3.1-0.4.20220624gitc265698.fc36
deepin-gir-generator-2.1.0-4.fc36
direnv-2.32.1-3.fc36
dnscrypt-proxy-2.1.1-5.fc36
dnsx-1.1.0-4.fc36
docker-distribution-2.6.2-18.git48294d9.fc36
doctl-1.78.0-2.fc36
douceur-0.2.0-15.fc36
duf-0.8.1-4.fc36
ffuf-1.0.2-7.fc36
fzf-0.30.0-4.fc36
geoipupdate-4.9.0-3.fc36
gitjacker-0.0.2-9.fc36
git-lfs-3.1.2-5.fc36
git-octopus-2.0-0.4.beta.3.fc36.13
git-time-metric-1.3.5-16.fc36
glide-0.13.2-11.fc36
gmailctl-0.10.4-4.fc36
goaltdns-0-0.8.20200627git2b3e8a3.fc36
go-bindata-3.0.7-23.gita0ff256.fc36
gobuster-3.1.0-4.fc36
godep-62-18.fc36
godoctor-0.6-13.fc36
godotenv-1.4.0-5.fc36
gojq-0.12.8-4.fc36
golang-ariga-atlas-0.3.6-4.fc36
golang-bug-serial-1-1.3.5-4.fc36
golang-contrib-opencensus-resource-0.1.2-8.fc36
golang-entgo-ent-0.10.0-5.fc36
golang-etcd-bbolt-1.3.6-5.fc36
golang-gioui-0-9.20201225git18d4dbf.fc36
golang-github-a8m-envsubst-1.3.0-3.fc36
golang-github-a8m-tree-0-0.17.20210725gitce3525c.fc36
golang-github-acme-lego-4.4.0-7.fc36
golang-github-ajstarks-deck-0-0.13.20210114git30c9fc6.fc36
golang-github-akavel-rsrc-0.10.2-5.fc36
golang-github-alecthomas-chroma-0.10.0-4.fc36
golang-github-aliyun-ossutil-1.7.9-4.fc36
golang-github-apache-beam-2-2.33.0~RC1-8.fc36
golang-github-appc-docker2aci-0.17.2-10.fc36
golang-github-appc-goaci-0.1.1-13.fc36
golang-github-appc-spec-0.8.11-15.fc36
golang-github-aryann-difflib-0-0.6.20200822gite206f87.fc36
golang-github-aws-lambda-1.26.0-5.fc36
golang-github-axgle-mahonia-0-0.14.20181112git3358181.fc36
golang-github-bifurcation-mint-0-0.10.20200724git93c820e.fc36
golang-github-bobesa-domain-util-0-0.7.20200504git4033b5f.fc36
golang-github-boltdb-bolt-1.3.1-16.fc36
golang-github-burntsushi-toml-1.0.0-6.fc36
golang-github-burntsushi-toml-test-0.2.0-12.20210108git9767d20.fc36
golang-github-burntsushi-xgb-0-0.16.20210108git5f9e7b3.fc36
golang-github-cactus-statsd-client-5.0.0-6.fc36
golang-github-c-bata-prompt-0.2.6-5.fc36
golang-github-cespare-xxhash-2.1.2-4.fc36
golang-github-chai2010-gettext-1.0.2-7.fc36
golang-github-chris-ramon-douceur-0.2.0-6.20200910gitf346305.fc36
golang-github-christrenkamp-goxpath-0-0.7.20200627gitc5096ec.fc36
golang-github-cilium-ebpf-0.8.0-3.fc36
golang-github-client9-gospell-0-0.12.20190524git90dfc71.fc36
golang-github-client9-plaintext-0-0.9.20190703git5bf47e7.fc36
golang-github-cloudflare-0.21.0-4.fc36
golang-github-cloudflare-redoctober-0-0.13.20210114git99c99a8.fc36
golang-github-cockroachdb-pebble-0-0.9.20210108git48f5530.fc36
golang-github-colinmarc-hdfs-2-2.2.0-5.fc36
golang-github-containerd-continuity-0.2.2-4.fc36
golang-github-containerd-fuse-overlayfs-snapshotter-1.0.2-8.fc36
golang-github-containernetworking-cni-1.1.1-5.fc36
golang-github-coredns-corefile-migration-1.0.11-7.fc36

Update description:

Rebuild to mitigate CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in golang

See https://groups.google.com/g/golang-dev/c/frczlF8OFQ0/m/4lrZh5BHDgAJ for more information about the specific vulnerabilities.

Read More

Drupal core – Moderately critical – Multiple vulnerabilities – SA-CORE-2022-015

Read Time:1 Minute, 15 Second
Project: 
Date: 
2022-July-20
Vulnerability: 
Multiple vulnerabilities
Description: 

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

If you are using Drupal 9.4, update to Drupal 9.4.3.
If you are using Drupal 9.3, update to Drupal 9.3.19.

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Media module and therefore is not affected.

Reported By: 
Heine of the Drupal Security Team
Fixed By: 
Lee Rowlands of the Drupal Security Team
Alex Pott of the Drupal Security Team
Samuel Mortenson
xjm of the Drupal Security Team
Heine of the Drupal Security Team
Joseph Zhao, provisional member of the Drupal Security Team
Vijay Mani, provisional member of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Neil Drumm of the Drupal Security Team
Benji Fisher, provisional member of the Drupal Security Team
Jen Lampton, provisional member of the Drupal Security Team
Dave Long, provisional member of the Drupal Security Team

Read More

Drupal core – Critical – Arbitrary PHP code execution – SA-CORE-2022-014

Read Time:2 Minute, 31 Second
Project: 
Date: 
2022-July-20
Vulnerability: 
Arbitrary PHP code execution
Description: 

Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).

However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files’ filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core’s default .htaccess files and possible remote code execution.

This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.

Solution: 

Install the latest version:

If you are using Drupal 9.4, update to Drupal 9.4.3.
If you are using Drupal 9.3, update to Drupal 9.3.19.

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core is not affected.

Auditing your files directory’s .htaccess to ensure it has not been overwritten or overridden in a subdirectory

If your web server uses Apache httpd with AllowOverride, you should check within your files directories and subdirectories to ensure that any .htaccess files present are intentional. You can search for files named .htaccess by running the following command in the roots of both your public and private files directory:

find ./ -name “.htaccess” -print

Drupal automatically creates .htaccess files like the following in the root of the public files directory:

# Turn off all options we don’t need.
Options -Indexes -ExecCGI -Includes -MultiViews

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we’re run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php7.c>
php_flag engine off
</IfModule>
<IfModule mod_php.c>
php_flag engine off
</IfModule>

Check with your system administrator for the correct .htaccess configuration for the given files directory.

This advisory is not covered by Drupal Steward.

Reported By: 
Fixed By: 
Peter Wolanin of the Drupal Security Team
xjm of the Drupal Security Team
Drew Webber of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Greg Knaddison of the Drupal Security Team
Jen Lampton, provisional member of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Dave Long, provisional member of the Drupal Security Team

Read More