This update ships updated CPU microcode for some types of Intel CPUs and
provides mitigations for security vulnerabilities.
Category Archives: Advisories
webkit2gtk3-2.36.4-1.fc36
FEDORA-2022-fdb75e7766
Packages in this update:
webkit2gtk3-2.36.4-1.fc36
Update description:
Fix the new ATSPI accessibility implementation to add the missing Collection interface for the loaded document.
Fix the MediaSession implementation to make the MPRIS object names more sandbox friendly, which plays better with Flatpak and WebKit’s own Bubblewrap-based sandboxing.
Fix leaked Web Processes in some particular situations.
Fix several crashes and rendering issues.
Security fixes: CVE-2022-22662, CVE-2022-26710
webkit2gtk3-2.36.4-1.fc35
FEDORA-2022-6b749525f3
Packages in this update:
webkit2gtk3-2.36.4-1.fc35
Update description:
Fix the new ATSPI accessibility implementation to add the missing Collection interface for the loaded document.
Fix the MediaSession implementation to make the MPRIS object names more sandbox friendly, which plays better with Flatpak and WebKit’s own Bubblewrap-based sandboxing.
Fix leaked Web Processes in some particular situations.
Fix several crashes and rendering issues.
Security fixes: CVE-2022-22662, CVE-2022-26710
Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
CVE-2021-44915
Taocms 3.0.2 was discovered to contain a blind SQL injection vulnerability via the function Edit category.
USN-5504-1: Firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, spoof the
browser UI, bypass CSP restrictions, bypass sandboxed iframe restrictions,
obtain sensitive information, bypass the HTML sanitizer, or execute
arbitrary code. (CVE-2022-2200, CVE-2022-34468, CVE-2022-34470,
CVE-2022-34473, CVE-2022-34474, CVE-2022-34475, CVE-2022-34476,
CVE-2022-34477, CVE-2022-34479, CVE-2022-34480, CVE-2022-34481,
CVE-2022-34484, CVE-2022-34485)
It was discovered that Firefox could be made to save an image with an
executable extension in the filename when dragging and dropping an image
in some circumstances. If a user were tricked into dragging and dropping
a specially crafted image, an attacker could potentially exploit this to
trick the user into executing arbitrary code. (CVE-2022-34482,
CVE-2022-34483)
It was discovered that a compromised server could trick Firefox into an
addon downgrade in some circumstances. An attacker could potentially
exploit this to trick the browser into downgrading an addon to a prior
version. (CVE-2022-34471)
It was discovered that an unavailable PAC file caused OCSP requests to
be blocked, resulting in incorrect error pages being displayed.
(CVE-2022-34472)
libgit2-1.3.1-1.fc36
FEDORA-2022-dc3e8972a1
Packages in this update:
libgit2-1.3.1-1.fc36
Update description:
This is an upstream security release. For details, please review the upstream announcement.
Additionally, this drops the pre-built version 1.1 of the library which previous builds carried (it isn’t used by any other Fedora package and violates packaging guidelines).
CVE-2021-43116
An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login.
USN-5503-1: GnuPG vulnerability
Demi Marie Obenour discovered that GnuPG incorrectly handled injection in
the status message. A remote attacker could possibly use this issue to
forge signatures.
USN-5502-1: OpenSSL vulnerability
Alex Chernyakhovsky discovered that OpenSSL incorrectly handled AES OCB
mode when using the AES-NI assembly optimized implementation on 32-bit
x86 platforms. A remote attacker could possibly use this issue to obtain
sensitive information.