Category Archives: Advisories

xen-4.16.1-5.fc36

Read Time:11 Second

FEDORA-2022-c4ec706488

Packages in this update:

xen-4.16.1-5.fc36

Update description:

Linux disk/nic frontends data leaks [XSA-403, CVE-2022-26365,
CVE-2022-33740, CVE-2022-33741, CVE-2022-3374]

Read More

php-laminas-diactoros2-2.12.0-1.fc36

Read Time:2 Minute, 31 Second

FEDORA-2022-42c54e9e5f

Packages in this update:

php-laminas-diactoros2-2.12.0-1.fc36

Update description:

Version 2.12.0

Bug

99: Merge release 2.11.3 into 2.12.x thanks to @github-actions[bot]
92: Fix typo in property name in UploadedFileTest::setUp() thanks to @TimWolla

Enhancement

97: Ignore obviously malformed host headers when constructing a ServerRequest thanks to @TimWolla
91: Fix typo thanks to @PhantomWatson

Version 2.11.3

Bug, Enhancement

98: Fixed UploadedFile::moveTo() so it actually removes the original file when used in CLI context, and doesn’t leave orphaned files thanks to @k2rn

Version 2.11.2

Bug

95: Resolve Host header and X-Forwarded-Proto regressions thanks to @weierophinney

Release Notes for 2.11.1

This is a SECURITY release. All users are encouraged to upgrade immediately.

Added

This release adds features to allow filtering a ServerRequest as generated by LaminasDiactorosServerRequestFactory::fromGlobals() for the purposes of initialization. Examples include:

Adding a request identifier.
Using X-Forwarded-* headers to modify the URL to represent the original client request.

The features are based on a new interface, LaminasDiactororsServerRequestFilterFilterServerRequestInterface, which defines a single method:

public function __invoke(
PsrHttpMessageServerRequestInterface $request
): PsrHttpMessageServerRequestInterface

We provide two implementations, as follows:

LaminasDiactorosServerRequestFilterDoNotFilter will return the provided request verbatim.
LaminasDiactorosServerRequestFilterFilterUsingXForwardedHeaders has named constructors that allow you to define how and when X-Forwarded- headers are used to modify the URI instance associated with the request. These methods are:
* trustAny(): this method generates a filter instance that will trust all X-Forwarded-
headers from any source.
* trustReservedSubnets(array $trustedHeaders = ?): this method generates a filter instance that only modifies the URL if the IP address of the requesting server is from a reserved, private subnet (localhost; classes A, B, and C subnets; and IPv6 private and local-link subnets). By default, it will trust all X-Forwarded- headers from these sources, but you may specify a list to allow via the $trustedHeaders argument.
* trustProxies(array $proxyCIDRList, array $trustedHeaders = ?): this method will generate a filter instance that only modifies the URL if the requesting server matches an entry in the $proxyCIDRList. These entries may be IP addresses, or any IPv4 or IPv6 CIDR subnets. By default, it will trust all X-Forwarded-
headers from these sources, but you may specify a list to allow via the $trustedHeaders argument.

ServerRequestFactory::fromGlobals() now accepts a FilterServerRequestInterface instance as the optional argument $requestFilter. If none is provided, it uses one as produced by FilterUsingXForwardedHeaders::trustReservedSubnets().

Deprecated

The function LaminasDiactorosmarshalUriFromSapi() is deprecated, and no longer used internally.

Changed

LaminasDiactorosServerRequestFactory::fromGlobals() no longer consumes marshalUriFromSapi(), and instead inlines an alternate implementation. The new implementation does not consider X-Forwarded- headers by default when generating the associated URI instance. Internally, if no FilterServerRequestInterface implementation is provided, it defaults to using an instance returned by FilterUsingXForwardeHeaders::trustReservedSubnets(). If you previously relied on X-Forwarded- headers, you MAY need to update your code to use either the FilterUsingXForwardedHeaders::trustAny() or FilterUsingXForwardedHeaders::trustProxies() methods to generate a filter to use with ServerRequestFactory::fromGlobals().

Fixed

Fixes CVE-2022-31109

Read More

CVE-2021-23163

Read Time:16 Second

JFrog Artifactory prior to version 7.33.6 and 6.23.38, is vulnerable to CSRF ( Cross-Site Request Forgery) for specific endpoints. This issue affects: JFrog JFrog Artifactory JFrog Artifactory versions before 7.33.6 versions prior to 7.x; JFrog Artifactory versions before 6.23.38 versions prior to 6.x.

Read More

CVE-2021-45721

Read Time:19 Second

JFrog Artifactory prior to version 7.29.8 and 6.23.38 is vulnerable to Reflected Cross-Site Scripting (XSS) through one of the XHR parameters in Users REST API endpoint. This issue affects: JFrog JFrog Artifactory JFrog Artifactory versions before 7.36.1 versions prior to 7.29.8; JFrog Artifactory versions before 6.23.41 versions prior to 6.23.38.

Read More

subversion-1.14.2-5.fc36

Read Time:40 Second

FEDORA-2022-2af658b090

Packages in this update:

subversion-1.14.2-5.fc36

Update description:

This update includes the latest stable release of Apache Subversion, version 1.14.2. This update addresses two security issues, CVE-2021-28544 and CVE-2022-24070.

For more information see https://subversion.apache.org/security/CVE-2022-24070-advisory.txt and https://subversion.apache.org/security/CVE-2021-28544-advisory.txt

Client-side bugfixes:

Don’t show unreadable copyfrom paths in ‘svn log -v’
Fix -r option documentation for some svnadmin subcommands
Fix error message encoding when system() call fails
Fix assertion failure in conflict resolver

Client-side improvements and bugfixes:

Support multiple working copy formats (1.8-onward, 1.15)

Server-side bugfixes:

Fix use-after-free of object-pools when running in httpd (issue SVN-4880)

Read More

subversion-1.14.2-5.fc35

Read Time:40 Second

FEDORA-2022-13cc09ecf2

Packages in this update:

subversion-1.14.2-5.fc35

Update description:

This update includes the latest stable release of Apache Subversion, version 1.14.2. This update addresses two security issues, CVE-2021-28544 and CVE-2022-24070.

For more information see https://subversion.apache.org/security/CVE-2022-24070-advisory.txt and https://subversion.apache.org/security/CVE-2021-28544-advisory.txt

Client-side bugfixes:

Don’t show unreadable copyfrom paths in ‘svn log -v’
Fix -r option documentation for some svnadmin subcommands
Fix error message encoding when system() call fails
Fix assertion failure in conflict resolver

Client-side improvements and bugfixes:

Support multiple working copy formats (1.8-onward, 1.15)

Server-side bugfixes:

Fix use-after-free of object-pools when running in httpd (issue SVN-4880)

Read More

php-8.1.8-1.fc36

Read Time:1 Minute, 36 Second

FEDORA-2022-ec0491574d

Packages in this update:

php-8.1.8-1.fc36

Update description:

PHP version 8.1.8 (07 Jul 2022)

Core:

Fixed bug GH-8338 (Intel CET is disabled unintentionally). (Chen, Hu)
Fixed leak in Enum::from/tryFrom for internal enums when using JIT (ilutov)
Fixed calling internal methods with a static return type from extension code. (Sara)
Fixed bug GH-8655 (Casting an object to array does not unwrap refcount=1 references). (Nicolas Grekas)
Fixed potential use after free in php_binary_init(). (Heiko Weber)

CLI:

Fixed GH-8827 (Intentionally closing std handles no longer possible). (cmb)

Curl:

Fixed CURLOPT_TLSAUTH_TYPE is not treated as a string option. (Pierrick)

Date:

Fixed bug php#72963 (Null-byte injection in CreateFromFormat and related functions). (Derick)
Fixed bug php#74671 (DST timezone abbreviation has incorrect offset). (Derick)
Fixed bug php#77243 (Weekdays are calculated incorrectly for negative years). (Derick)
Fixed bug php#78139 (timezone_open accepts invalid timezone string argument). (Derick)

Fileinfo:

Fixed bug php#81723 (Heap buffer overflow in finfo_buffer). (CVE-2022-31627) (cmb)

FPM:

Fixed bug php#67764 (fpm: syslog.ident don’t work). (Jakub Zelenka)

GD:

Fixed imagecreatefromavif() memory leak. (cmb)

MBString:

mb_detect_encoding recognizes all letters in Czech alphabet (alexdowad)
mb_detect_encoding recognizes all letters in Hungarian alphabet (alexdowad)
Fixed bug GH-8685 (pcre not ready at mbstring startup). (Remi)
Backwards-compatible mappings for 0x5C/0x7E in Shift-JIS are restored, after they had been changed in 8.1.0. (Alex Dowad)

ODBC:

Fixed handling of single-key connection strings. (Calvin Buckley)

OPcache:

Fixed bug GH-8591 (tracing JIT crash after private instance method change). (Arnaud, Dmitry, Oleg Stepanischev)

OpenSSL:

Fixed bug php#50293 (Several openssl functions ignore the VCWD). (Jakub Zelenka, cmb)
Fixed bug php#81713 (NULL byte injection in several OpenSSL functions working with certificates). (Jakub Zelenka)

PDO_ODBC:

Fixed handling of single-key connection strings. (Calvin Buckley)

Read More