In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).
Category Archives: Advisories
USN-5378-4: Gzip vulnerability
USN-5378-1 fixed a vulnerability in Gzip. This update provides the corresponding update for Ubuntu 14.04 ESM and 16.04 ESM.
Original advisory details:
Cleemy Desu Wayo discovered that Gzip incorrectly handled certain filenames. If a user or automated system were tricked into performing zgrep operations with specially crafted filenames, a remote attacker could overwrite arbitrary files.
dhcp-4.4.3-2.fc35
FEDORA-2022-a88218de5c
Packages in this update:
dhcp-4.4.3-2.fc35
Update description:
Security fix for CVE-2021-25220
New version 4.4.3
Add keama migration utility
dhcp-4.4.3-2.fc36
FEDORA-2022-3f293290c3
Packages in this update:
dhcp-4.4.3-2.fc36
Update description:
Security fix for CVE-2021-25220
New version 4.4.3
Add keama migration utility
USN-5378-3: XZ Utils vulnerability
USN-5378-2 fixed a vulnerability in XZ Utils. This update provides the corresponding update for Ubuntu 14.04 ESM and 16.04 ESM.
Original advisory details:
Cleemy Desu Wayo discovered that Gzip incorrectly handled certain filenames. If a user or automated system were tricked into performing zgrep operations with specially crafted filenames, a remote attacker could overwrite arbitrary files.
golang-x-crypto-0-0.43.20220412git7b82a4e.fc34
FEDORA-2022-d37fb34309
Packages in this update:
golang-x-crypto-0-0.43.20220412git7b82a4e.fc34
Update description:
Update for CVE-2022-27191
golang-x-crypto-0-0.43.20220412git7b82a4e.fc36
FEDORA-2022-14712f9699
Packages in this update:
golang-x-crypto-0-0.43.20220412git7b82a4e.fc36
Update description:
Update for CVE-2022-27191
golang-x-crypto-0-0.43.20220412git7b82a4e.fc35
FEDORA-2022-a4c9009f3e
Packages in this update:
golang-x-crypto-0-0.43.20220412git7b82a4e.fc35
Update description:
Update for CVE-2022-27191
CVE-2020-29653
Froxlor through 0.10.22 does not perform validation on user input passed in the customermail GET parameter. The value of this parameter is reflected in the login webpage, allowing the injection of arbitrary HTML tags.
USN-5378-2: XZ Utils vulnerability
Cleemy Desu Wayo discovered that XZ Utils incorrectly handled certain filenames. If a user or automated system were tricked into performing xzgrep operations with specially crafted filenames, a remote attacker could overwrite arbitrary files.