Category Archives: Advisories

openvpn-2.5.6-1.el9

FEDORA-EPEL-2022-7a48f758c5

Packages in this update:

openvpn-2.5.6-1.el9

Update description:

This is a maintenance release of OpenVPN 2.5 with a security fix when used in server mode (CVE-2022-0547). The other changes are available in Changes.rst.

NOTE: Please read the CVE description carefully if you use authentication plug-ins with a server configuration.

openvpn-2.4.12-1.el8

FEDORA-EPEL-2022-883139a5ce

Packages in this update:

openvpn-2.4.12-1.el8

Update description:

This is a security and bugfix release of OpenVPN 2.4 with a security fix when used in server mode (CVE-2022-0547). The other changes are available in Changes.rst.

NOTE: Please read the CVE description carefully if you use authentication plug-ins with a server configuration.

WARNING: OpenVPN 2.4 will from now on only receive security and critical bug fixes, for the next 12 months. Please consider upgrading to OpenVPN 2.5 via Fedora Copr builds.

openvpn-2.4.12-1.el7

FEDORA-EPEL-2022-3f443e2e1e

Packages in this update:

openvpn-2.4.12-1.el7

Update description:

This is a security and bugfix release of OpenVPN 2.4 with a security fix when used in server mode (CVE-2022-0547). The other changes are available in Changes.rst.

NOTE: Please read the CVE description carefully if you use authentication plug-ins with a server configuration.

WARNING: OpenVPN 2.4 will from now on only receive security and critical bug fixes, for the next 12 months. Please consider upgrading to OpenVPN 2.5 via Fedora Copr builds.
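The three EPEL updates above fix the same issue, CVE-2022-0547, in the 2.4 and 2.5 branches. The following triage script is added here as an example and is not part of the Fedora advisories: it compares an upstream OpenVPN version against the fixed version for its branch (2.4.12 or 2.5.6, as listed in the updates above) and counts the plugin directives in a server configuration, since the CVE description concerns servers where more than one authentication plug-in answers through deferred authentication. The sample server.conf and the plug-in paths in it are constructed for the example; the script needs only POSIX sh, awk and grep.

```sh
#!/bin/sh
# Added triage example for CVE-2022-0547 (not part of the Fedora EPEL
# advisories). Requires only POSIX sh, awk and grep.

# Fixed upstream version per branch, taken from the updates above.
fixed_for_branch() {
    case "$1" in
        2.4) echo "2.4.12" ;;
        2.5) echo "2.5.6" ;;
        *)   echo "" ;;
    esac
}

# version_ge A B: succeeds when dotted version A >= B, comparing each
# numeric component (2.4.10 < 2.4.12, unlike a plain string comparison).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# openvpn_patched VERSION: prints "patched", "vulnerable" or "unknown branch"
# for an upstream version string such as the output of
#   rpm -q --qf '%{VERSION}\n' openvpn
openvpn_patched() {
    ver="$1"
    branch="${ver%.*}"                     # 2.4.10 -> 2.4
    fixed="$(fixed_for_branch "$branch")"
    if [ -z "$fixed" ]; then
        echo "unknown branch"
    elif version_ge "$ver" "$fixed"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# count_auth_plugins CONFIG: number of active "plugin" directives in an
# OpenVPN server config (comment and blank lines ignored). The CVE concerns
# servers where more than one plug-in answers via deferred authentication,
# so a count above one is the case the advisory NOTE asks you to read up on;
# whether a plug-in actually defers cannot be seen from the config alone.
count_auth_plugins() {
    grep -Ec '^[[:space:]]*plugin[[:space:]]' "$1" || true
}

# Constructed sample server.conf; the plug-in paths are hypothetical.
sample_cfg="$(mktemp)"
trap 'rm -f "$sample_cfg"' EXIT
cat > "$sample_cfg" <<'EOF'
port 1194
proto udp
dev tun
# first auth plug-in: PAM
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
# second auth plug-in (hypothetical path)
plugin /usr/local/lib/openvpn/my-deferred-auth.so
verify-client-cert require
EOF

for v in 2.4.10 2.4.12 2.5.5 2.5.6; do
    printf 'openvpn %s: %s\n' "$v" "$(openvpn_patched "$v")"
done
printf 'plugin directives in sample config: %s\n' "$(count_auth_plugins "$sample_cfg")"
```

On an EL host, feed openvpn_patched the output of `rpm -q --qf '%{VERSION}\n' openvpn` and count_auth_plugins each file under /etc/openvpn/server/. A count of two or more is only a prompt to read the CVE text against the plug-ins in use; the package update is what actually fixes the issue.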

USN-5333-2: Apache HTTP Server vulnerabilities

USN-5333-1 fixed several vulnerabilities in Apache. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

Chamal De Silva discovered that the Apache HTTP Server mod_lua module
incorrectly handled certain crafted request bodies. A remote attacker could
possibly use this issue to cause the server to crash, resulting in a denial
of service. (CVE-2022-22719)

James Kettle discovered that the Apache HTTP Server incorrectly closed
inbound connections when certain errors were encountered. A remote attacker
could possibly use this issue to perform an HTTP Request Smuggling attack.
(CVE-2022-22720)

It was discovered that the Apache HTTP Server incorrectly handled large
LimitXMLRequestBody settings on certain platforms. In certain
configurations, a remote attacker could use this issue to cause the server
to crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2022-22721)

Ronald Crane discovered that the Apache HTTP Server mod_sed module
incorrectly handled memory. A remote attacker could use this issue to cause
the server to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2022-23943)
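Three of the four issues above have a visible configuration signal (mod_lua loaded, mod_sed loaded, a raised LimitXMLRequestBody), which helps decide how urgently an ESM host needs the update. The check below is added here as an example and is not part of the Ubuntu advisory: it scans httpd configuration files for those signals. The 1000000-byte threshold is Apache's default for LimitXMLRequestBody and is used only as a triage heuristic; the advisory says only that large values are affected. The sample configs and module paths are constructed for the example; the script needs only POSIX sh, awk and grep.

```sh
#!/bin/sh
# Added exposure check for the USN-5333-1 issues (not part of the Ubuntu
# advisory). POSIX sh plus awk and grep.

# apache_exposure FILE...: prints one finding per line for config signals that
# map to a CVE above: mod_lua loaded (CVE-2022-22719), mod_sed loaded
# (CVE-2022-23943), LimitXMLRequestBody raised above the 1000000-byte default
# (CVE-2022-22721). Comment lines are skipped. CVE-2022-22720 (request
# smuggling on error paths) has no configuration signal; only the package
# update addresses it, so an empty result does not mean the host is patched.
apache_exposure() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "loadmodule" && $2 == "lua_module" {
            print "mod_lua loaded (CVE-2022-22719)"
        }
        tolower($1) == "loadmodule" && $2 == "sed_module" {
            print "mod_sed loaded (CVE-2022-23943)"
        }
        tolower($1) == "limitxmlrequestbody" && ($2 + 0) > 1000000 {
            print "LimitXMLRequestBody " $2 " above the 1000000 default (CVE-2022-22721)"
        }
    ' "$@"
}

# exposure_count FILE...: number of findings (0 when none).
exposure_count() {
    apache_exposure "$@" | grep -c . || true
}

# Constructed sample configs; module paths are illustrative.
exposed_cfg="$(mktemp)"; hardened_cfg="$(mktemp)"
trap 'rm -f "$exposed_cfg" "$hardened_cfg"' EXIT
cat > "$exposed_cfg" <<'EOF'
LoadModule lua_module /usr/lib/apache2/modules/mod_lua.so
LoadModule sed_module /usr/lib/apache2/modules/mod_sed.so
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
# raised far above the default to accept huge XML bodies
LimitXMLRequestBody 2000000000
EOF
cat > "$hardened_cfg" <<'EOF'
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
# LoadModule lua_module /usr/lib/apache2/modules/mod_lua.so
LimitXMLRequestBody 1000000
EOF

echo "exposed config:"
apache_exposure "$exposed_cfg"
echo "hardened config: $(exposure_count "$hardened_cfg") findings"
```

On Ubuntu the live inputs are /etc/apache2/apache2.conf together with conf-enabled/, mods-enabled/*.load and sites-enabled/, which can all be passed to apache_exposure in one call; `apache2ctl -M` lists the modules actually loaded. `a2dismod lua` and `a2dismod sed` remove the two module-specific attack surfaces until the package update is installed, but nothing short of the update fixes CVE-2022-22720.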

USN-5332-2: Bind vulnerability

USN-5332-1 fixed a vulnerability in Bind. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.

Original advisory details:

Xiang Li, Baojun Liu, Chaoyi Lu, and Changgen Zou discovered that Bind
incorrectly handled certain bogus NS records when using forwarders. A
remote attacker could possibly use this issue to manipulate cache results.
(CVE-2021-25220)

USN-5321-2: Firefox vulnerabilities

USN-5321-1 fixed vulnerabilities in Firefox. The update didn’t include
arm64 because of a regression. This update provides the corresponding
update for arm64.

This update also removes Yandex and Mail.ru as optional search providers
in the drop-down search menu.

Original advisory details:

Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, spoof the browser
UI, bypass security restrictions, obtain sensitive information, or execute
arbitrary code. (CVE-2022-0843, CVE-2022-26381, CVE-2022-26382,
CVE-2022-26383, CVE-2022-26384, CVE-2022-26385)

A TOCTOU bug was discovered when verifying addon signatures during
install. A local attacker could potentially exploit this to trick a
user into installing an addon with an invalid signature.
(CVE-2022-26387)