This vulnerability allows local attackers to escalate privileges on affected installations of xhyve. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability.
This update ships updated CPU microcode for some types of Intel CPUs and
provides mitigations for security vulnerabilities.
webkit2gtk3-2.36.4-1.fc36
Fix the new ATSPI accessibility implementation to add the missing Collection interface for the loaded document.
Fix the MediaSession implementation to make the MPRIS object names more sandbox friendly, which plays better with Flatpak and WebKit’s own Bubblewrap-based sandboxing.
Fix leaked Web Processes in some particular situations.
Fix several crashes and rendering issues.
Security fixes: CVE-2022-22662, CVE-2022-26710
webkit2gtk3-2.36.4-1.fc35
Fix the new ATSPI accessibility implementation to add the missing Collection interface for the loaded document.
Fix the MediaSession implementation to make the MPRIS object names more sandbox friendly, which plays better with Flatpak and WebKit’s own Bubblewrap-based sandboxing.
Fix leaked Web Processes in some particular situations.
Fix several crashes and rendering issues.
Security fixes: CVE-2022-22662, CVE-2022-26710
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Taocms 3.0.2 was discovered to contain a blind SQL injection vulnerability via the function Edit category.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, spoof the
browser UI, bypass CSP restrictions, bypass sandboxed iframe restrictions,
obtain sensitive information, bypass the HTML sanitizer, or execute
arbitrary code. (CVE-2022-2200, CVE-2022-34468, CVE-2022-34470,
CVE-2022-34473, CVE-2022-34474, CVE-2022-34475, CVE-2022-34476,
CVE-2022-34477, CVE-2022-34479, CVE-2022-34480, CVE-2022-34481,
CVE-2022-34484, CVE-2022-34485)
It was discovered that Firefox could be made to save an image with an
executable extension in the filename when dragging and dropping an image
in some circumstances. If a user were tricked into dragging and dropping
a specially crafted image, an attacker could potentially exploit this to
trick the user into executing arbitrary code. (CVE-2022-34482,
CVE-2022-34483)
It was discovered that a compromised server could trick Firefox into an
addon downgrade in some circumstances. An attacker could potentially
exploit this to trick the browser into downgrading an addon to a prior
version. (CVE-2022-34471)
It was discovered that an unavailable PAC file caused OCSP requests to
be blocked, resulting in incorrect error pages being displayed.
(CVE-2022-34472)
libgit2-1.3.1-1.fc36
This is an upstream security release. For details, please review the upstream announcement.
Additionally, this drops the pre-built version 1.1 of the library which previous builds carried (it isn’t used by any other Fedora package and violates packaging guidelines).
An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login.
Demi Marie Obenour discovered that GnuPG incorrectly handled injection in
the status message. A remote attacker could possibly use this issue to
forge signatures.
