Category Archives: Advisories

USN-5394-1: WebKitGTK vulnerabilities

Read Time:16 Second

A large number of security issues were discovered in the WebKitGTK Web and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of service
attacks, and arbitrary code execution.

Read More

curl-7.82.0-3.fc36

Read Time:16 Second

FEDORA-2022-3517572083

Packages in this update:

curl-7.82.0-3.fc36

Update description:

fix credential leak on redirect (CVE-2022-27774)
fix auth/cookie leak on redirect (CVE-2022-27776)
fix bad local IPv6 connection reuse (CVE-2022-27775)
fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)

Read More

curl-7.79.1-2.fc35

Read Time:16 Second

FEDORA-2022-411f088574

Packages in this update:

curl-7.79.1-2.fc35

Update description:

fix credential leak on redirect (CVE-2022-27774)
fix auth/cookie leak on redirect (CVE-2022-27776)
fix bad local IPv6 connection reuse (CVE-2022-27775)
fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)

Read More

curl-7.76.1-14.fc34

Read Time:16 Second

FEDORA-2022-fc5776b142

Packages in this update:

curl-7.76.1-14.fc34

Update description:

fix credential leak on redirect (CVE-2022-27774)
fix auth/cookie leak on redirect (CVE-2022-27776)
fix bad local IPv6 connection reuse (CVE-2022-27775)
fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)

Read More

CVE-2021-33436

Read Time:16 Second

NoMachine for Windows prior to version 6.15.1 and 7.5.2 suffer from local privilege escalation due to the lack of safe DLL loading. This vulnerability allows local non-privileged users to perform DLL Hijacking via any writable directory listed under the system path and ultimately execute code as NT AUTHORITYSYSTEM.

Read More

USN-5392-1: Mutt vulnerabilities

Read Time:18 Second

It was discovered that Mutt incorrectly handled certain requests.
An attacker could possibly use this issue to expose sensitive information.
This issue only affected Ubuntu 20.04 LTS. (CVE-2021-32055)

It was discovered that Mutt incorrectly handled certain input.
An attacker could possibly use this issue to cause a crash,
or expose sensitive information. (CVE-2022-1328)

Read More

USN-5371-2: nginx vulnerability

Read Time:42 Second

USN-5371-1 fixed several vulnerabilities in nginx.
This update provides the fix for CVE-2021-3618 for Ubuntu 22.04 LTS.

Original advisory details:

It was discovered that nginx Lua module mishandled certain inputs.
An attacker could possibly use this issue to perform an HTTP Request
Smuggling attack. This issue only affects Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-11724)

It was discovered that nginx Lua module mishandled certain inputs.
An attacker could possibly use this issue to disclose sensitive
information. This issue only affects Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-36309)

It was discovered that nginx mishandled the use of
compatible certificates among multiple encryption protocols.
If a remote attacker were able to intercept the communication,
this issue could be used to redirect traffic between subdomains.
(CVE-2021-3618)

Read More

redis-6.2.7-1.fc36

Read Time:1 Minute, 39 Second

FEDORA-2022-6ed1ce2838

Packages in this update:

redis-6.2.7-1.fc36

Update description:

Redis 6.2.7 – Released Wed Apr 27 12:00:00 IDT 2022

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

(CVE-2022-24736) An attacker attempting to load a specially crafted Lua script
can cause NULL pointer dereference which will result with a crash of the
redis-server process. This issue affects all versions of Redis.
[reported by Aviv Yahav].
(CVE-2022-24735) By exploiting weaknesses in the Lua script execution
environment, an attacker with access to Redis can inject Lua code that will
execute with the (potentially higher) privileges of another Redis user.
[reported by Aviv Yahav].

Potentially Breaking Fixes

LPOP/RPOP with count against non-existing list return null array (#10095)
LPOP/RPOP used to produce wrong replies when count is 0 (#9692)

Performance and resource utilization improvements

Speed optimization in command execution pipeline (#10502)
Fix regression in Z[REV]RANGE commands (by-rank) introduced in Redis 6.2 (#10337)

Platform / toolchain support related improvements

Fix RSS metrics on NetBSD and OpenBSD (#10116, #10149)
Fix OpenSSL 3.0.x related issues (#10291)

Bug Fixes

Lua: Add checks for min-slave-* configs when evaluating Lua scripts (#10160)
Lua: fix crash on a script call with many arguments, a regression in v6.2.6 (#9809)
Tracking: Make invalidation messages always after command’s reply (#9422)
Fix excessive stream trimming due to an overflow (#10068)
Add missed error counting for INFO errorstats (#9646)
Fix geo search bounding box check causing missing results (#10018)
Improve EXPIRE TTL overflow detection (#9839)
Modules: Fix thread safety violation when a module thread adds an error reply, broken in 6.2 (#10278)
Modules: Fix missing and duplicate error stats (#10278)
Module APIs: release clients blocked on module commands in cluster resharding
and down state (#9483)
Sentinel: Fix memory leak with TLS (#9753)
Sentinel: Fix issues with hostname support (#10146)
Sentinel: Fix election failures on certain container environments (#10197)

Read More

redis-6.2.7-1.fc34

Read Time:1 Minute, 39 Second

FEDORA-2022-a0a4c7eb31

Packages in this update:

redis-6.2.7-1.fc34

Update description:

Redis 6.2.7 – Released Wed Apr 27 12:00:00 IDT 2022

Upgrade urgency: SECURITY, contains fixes to security issues.

Security Fixes:

(CVE-2022-24736) An attacker attempting to load a specially crafted Lua script
can cause NULL pointer dereference which will result with a crash of the
redis-server process. This issue affects all versions of Redis.
[reported by Aviv Yahav].
(CVE-2022-24735) By exploiting weaknesses in the Lua script execution
environment, an attacker with access to Redis can inject Lua code that will
execute with the (potentially higher) privileges of another Redis user.
[reported by Aviv Yahav].

Potentially Breaking Fixes

LPOP/RPOP with count against non-existing list return null array (#10095)
LPOP/RPOP used to produce wrong replies when count is 0 (#9692)

Performance and resource utilization improvements

Speed optimization in command execution pipeline (#10502)
Fix regression in Z[REV]RANGE commands (by-rank) introduced in Redis 6.2 (#10337)

Platform / toolchain support related improvements

Fix RSS metrics on NetBSD and OpenBSD (#10116, #10149)
Fix OpenSSL 3.0.x related issues (#10291)

Bug Fixes

Lua: Add checks for min-slave-* configs when evaluating Lua scripts (#10160)
Lua: fix crash on a script call with many arguments, a regression in v6.2.6 (#9809)
Tracking: Make invalidation messages always after command’s reply (#9422)
Fix excessive stream trimming due to an overflow (#10068)
Add missed error counting for INFO errorstats (#9646)
Fix geo search bounding box check causing missing results (#10018)
Improve EXPIRE TTL overflow detection (#9839)
Modules: Fix thread safety violation when a module thread adds an error reply, broken in 6.2 (#10278)
Modules: Fix missing and duplicate error stats (#10278)
Module APIs: release clients blocked on module commands in cluster resharding
and down state (#9483)
Sentinel: Fix memory leak with TLS (#9753)
Sentinel: Fix issues with hostname support (#10146)
Sentinel: Fix election failures on certain container environments (#10197)

Read More