pypy3.8-7.3.9-2.3.8.fc37
Automatic update for pypy3.8-7.3.9-2.3.8.fc37.
* Tue Jun 28 2022 Charalampos Stratakis <cstratak@redhat.com> – 7.3.9-2.3.8
– Security fix for CVE-2015-20107
– Fixes: rhbz#2075390
pypy3.7-7.3.9-2.3.7.fc37
Automatic update for pypy3.7-7.3.9-2.3.7.fc37.
* Tue Jun 28 2022 Charalampos Stratakis <cstratak@redhat.com> – 7.3.9-2.3.7
– Security fix for CVE-2015-20107
– Fixes: rhbz#2075390
pypy3.9-7.3.9-2.3.9.fc37
Automatic update for pypy3.9-7.3.9-2.3.9.fc37.
* Tue Jun 28 2022 Charalampos Stratakis <cstratak@redhat.com> – 7.3.9-2.3.9
– Security fix for CVE-2015-20107
– Fixes: rhbz#2075390
thunderbird-91.11.0-1.fc35
Update to 91.11.0
thunderbird-91.11.0-1.fc36
Update to 91.11.0
grafana-8.5.6-1.fc37
Automatic update for grafana-8.5.6-1.fc37.
* Wed Jun 29 2022 Andreas Gerstmayr <agerstmayr@redhat.com> 8.5.6-1
– update to 8.5.6 tagged upstream community sources, see CHANGELOG
– updated license to AGPLv3
– place commented sample config file in /etc/grafana/grafana.ini
– enable Go modules in build process
– adapt Node.js bundling to yarn v3 and Zero Install feature
* Sun Jun 19 2022 Robert-André Mauchin <zebob.m@gmail.com> – 7.5.15-3
– Rebuilt for CVE-2022-1996, CVE-2022-24675, CVE-2022-28327, CVE-2022-27191,
CVE-2022-29526, CVE-2022-30629
matrix-synapse-1.61.1-1.fc35
Update to v1.61.1
Fix CVE-2022-31052
matrix-synapse-1.61.1-1.fc36
Update to v1.61.1
Fix CVE-2022-31052
php-laminas-diactoros2-2.11.1-1.fc36
Release Notes for 2.11.1
This is a SECURITY release. All users are encouraged to upgrade immediately.
Added
This release adds features to allow filtering a ServerRequest as generated by LaminasDiactorosServerRequestFactory::fromGlobals() for the purposes of initialization. Examples include:
Adding a request identifier.
Using X-Forwarded-* headers to modify the URL to represent the original client request.
The features are based on a new interface, LaminasDiactororsServerRequestFilterFilterServerRequestInterface, which defines a single method:
public function __invoke(
PsrHttpMessageServerRequestInterface $request
): PsrHttpMessageServerRequestInterface
We provide two implementations, as follows:
LaminasDiactorosServerRequestFilterDoNotFilter will return the provided request verbatim.
LaminasDiactorosServerRequestFilterFilterUsingXForwardedHeaders has named constructors that allow you to define how and when X-Forwarded- headers are used to modify the URI instance associated with the request. These methods are:
* trustAny(): this method generates a filter instance that will trust all X-Forwarded- headers from any source.
* trustReservedSubnets(array $trustedHeaders = ?): this method generates a filter instance that only modifies the URL if the IP address of the requesting server is from a reserved, private subnet (localhost; classes A, B, and C subnets; and IPv6 private and local-link subnets). By default, it will trust all X-Forwarded- headers from these sources, but you may specify a list to allow via the $trustedHeaders argument.
* trustProxies(array $proxyCIDRList, array $trustedHeaders = ?): this method will generate a filter instance that only modifies the URL if the requesting server matches an entry in the $proxyCIDRList. These entries may be IP addresses, or any IPv4 or IPv6 CIDR subnets. By default, it will trust all X-Forwarded- headers from these sources, but you may specify a list to allow via the $trustedHeaders argument.
ServerRequestFactory::fromGlobals() now accepts a FilterServerRequestInterface instance as the optional argument $requestFilter. If none is provided, it uses one as produced by FilterUsingXForwardedHeaders::trustReservedSubnets().
Deprecated
The function LaminasDiactorosmarshalUriFromSapi() is deprecated, and no longer used internally.
Changed
LaminasDiactorosServerRequestFactory::fromGlobals() no longer consumes marshalUriFromSapi(), and instead inlines an alternate implementation. The new implementation does not consider X-Forwarded- headers by default when generating the associated URI instance. Internally, if no FilterServerRequestInterface implementation is provided, it defaults to using an instance returned by FilterUsingXForwardeHeaders::trustReservedSubnets(). If you previously relied on X-Forwarded- headers, you MAY need to update your code to use either the FilterUsingXForwardedHeaders::trustAny() or FilterUsingXForwardedHeaders::trustProxies() methods to generate a filter to use with ServerRequestFactory::fromGlobals().
Fixed
Fixes CVE-2022-31109
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apache HTTPD Server. Authentication is not required to exploit this vulnerability.
