Category Archives: Advisories

webkit2gtk3-2.36.3-1.fc36

Read Time:32 Second

FEDORA-2022-e883576e1c

Packages in this update:

webkit2gtk3-2.36.3-1.fc36

Update description:

Update to 2.36.3:

Support capturing already encoded video streams, which takes advantage of encoding done in hardware by devices which support this feature.
Avoid using experimental GStreamer elements for video demuxing.
Avoid using the legacy GStreamer VA-API decoding plug-ins, which often cause rendering issues and are not much maintained. Their usage can be re-enabled setting WEBKIT_GST_ENABLE_LEGACY_VAAPI=1 in the environment.
Fix playback of YouTube streams which use dynamic ad insertion.
Fix display capture with Pipewire.
Fix several crashes and rendering issues.

Read More

USN-5459-1: cifs-utils vulnerabilities

Read Time:45 Second

Aurélien Aptel discovered that cifs-utils invoked a shell when requesting a
password. In certain environments, a local attacker could possibly use this
issue to escalate privileges. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-14342)

It was discovered that cifs-utils incorrectly used host credentials when
mounting a krb5 CIFS file system from within a container. An attacker
inside a container could possibly use this issue to obtain access to
sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu
20.04 LTS. (CVE-2021-20208)

It was discovered that cifs-utils incorrectly handled certain command-line
arguments. A local attacker could possibly use this issue to obtain root
privileges. (CVE-2022-27239)

It was discovered that cifs-utils incorrectly handled verbose logging. A
local attacker could possibly use this issue to obtain sensitive
information. (CVE-2022-29869)

Read More

buildah-1.23.4-1.fc35

Read Time:10 Second

FEDORA-2022-396c568c5e

Packages in this update:

buildah-1.23.4-1.fc35

Update description:

bump to v1.23.4, security fix for CVE-2022-21698

Add missing container networking dependencies (#2081834)

Read More

CVE-2021-26633

Read Time:11 Second

SQL injection and Local File Inclusion (LFI) vulnerabilities in MaxBoard can cause information leakage and privilege escalation. This vulnerabilities can be exploited by manipulating a variable with a desired value and inserting and arbitrary file.

Read More

CVE-2021-26634

Read Time:16 Second

SQL injection and file upload attacks are possible due to insufficient validation of input values in some parameters and variables of files compromising Maxboard, which may lead to arbitrary code execution or privilege escalation. Attackers can use these vulnerabilities to perform attacks such as stealing server management rights using a web shell.

Read More

CVE-2021-26635

Read Time:17 Second

In the code that verifies the file size in the ark library, it is possible to manipulate the offset read from the target file due to the wrong use of the data type. An attacker could use this vulnerability to cause a stack buffer overflow and as a result, perform an attack such as remote code execution.

Read More

CVE-2021-32546

Read Time:34 Second

Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unprivileged attacker (registered user) can overwrite the Git configuration in his repository. This leads to Remote Command Execution, because that configuration can contain an option such as sshCommand, which is executed when a master branch is a remote branch (using an ssh:// URI). The remote branch can also be configured by editing the Git configuration file. One can create a new file in a new repository, using the GUI, with “” as its name, and then rename this file to .git/config with the custom configuration content (and then save it).

Read More