FEDORA-2022-45bf6d4b88
Packages in this update:
matrix-synapse-1.61.1-1.fc36
Update description:
Update to v1.61.1
Fix CVE-2022-31052
matrix-synapse-1.61.1-1.fc36
Update to v1.61.1
Fix CVE-2022-31052
php-laminas-diactoros2-2.11.1-1.fc36
Release Notes for 2.11.1
This is a SECURITY release. All users are encouraged to upgrade immediately.
Added
This release adds features to allow filtering a ServerRequest as generated by LaminasDiactorosServerRequestFactory::fromGlobals() for the purposes of initialization. Examples include:
Adding a request identifier.
Using X-Forwarded-* headers to modify the URL to represent the original client request.
The features are based on a new interface, LaminasDiactororsServerRequestFilterFilterServerRequestInterface, which defines a single method:
public function __invoke(
PsrHttpMessageServerRequestInterface $request
): PsrHttpMessageServerRequestInterface
We provide two implementations, as follows:
LaminasDiactorosServerRequestFilterDoNotFilter will return the provided request verbatim.
LaminasDiactorosServerRequestFilterFilterUsingXForwardedHeaders has named constructors that allow you to define how and when X-Forwarded- headers are used to modify the URI instance associated with the request. These methods are:
* trustAny(): this method generates a filter instance that will trust all X-Forwarded- headers from any source.
* trustReservedSubnets(array $trustedHeaders = ?): this method generates a filter instance that only modifies the URL if the IP address of the requesting server is from a reserved, private subnet (localhost; classes A, B, and C subnets; and IPv6 private and local-link subnets). By default, it will trust all X-Forwarded- headers from these sources, but you may specify a list to allow via the $trustedHeaders argument.
* trustProxies(array $proxyCIDRList, array $trustedHeaders = ?): this method will generate a filter instance that only modifies the URL if the requesting server matches an entry in the $proxyCIDRList. These entries may be IP addresses, or any IPv4 or IPv6 CIDR subnets. By default, it will trust all X-Forwarded- headers from these sources, but you may specify a list to allow via the $trustedHeaders argument.
ServerRequestFactory::fromGlobals() now accepts a FilterServerRequestInterface instance as the optional argument $requestFilter. If none is provided, it uses one as produced by FilterUsingXForwardedHeaders::trustReservedSubnets().
Deprecated
The function LaminasDiactorosmarshalUriFromSapi() is deprecated, and no longer used internally.
Changed
LaminasDiactorosServerRequestFactory::fromGlobals() no longer consumes marshalUriFromSapi(), and instead inlines an alternate implementation. The new implementation does not consider X-Forwarded- headers by default when generating the associated URI instance. Internally, if no FilterServerRequestInterface implementation is provided, it defaults to using an instance returned by FilterUsingXForwardeHeaders::trustReservedSubnets(). If you previously relied on X-Forwarded- headers, you MAY need to update your code to use either the FilterUsingXForwardedHeaders::trustAny() or FilterUsingXForwardedHeaders::trustProxies() methods to generate a filter to use with ServerRequestFactory::fromGlobals().
Fixed
Fixes CVE-2022-31109
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apache HTTPD Server. Authentication is not required to exploit this vulnerability.
This vulnerability allows local attackers to create a denial-of-service condition on affected installations of ABB e-Design. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
This vulnerability allows local attackers to escalate privileges on affected installations of ABB e-Design. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
This vulnerability allows local attackers to escalate privileges on affected installations of ZyXel AP Configurator. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
This vulnerability allows local attackers to bypass System Integrity Protection on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
This vulnerability allows local attackers to bypass System Integrity Protection on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or spoofing.
vim-8.2.5172-1.fc35
Security fixes for CVE-2022-2124, CVE-2022-2129, CVE-2022-2125, CVE-2022-2126, CVE-2022-1720, CVE-2022-2175, CVE-2022-2182, CVE-2022-2183, CVE-2022-2231, CVE-2022-2210, CVE-2022-2207, CVE-2022-2208, CVE-2022-2206