fexsrv in F*EX (aka Frams’ Fast File EXchange) before fex-20160919_2 allows eval injection (for unauthenticated remote code execution).
Category Archives: Advisories
USN-5332-2: Bind vulnerability
USN-5332-1 fixed a vulnerability in Bind. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
Xiang Li, Baojun Liu, Chaoyi Lu, and Changgen Zou discovered that Bind
incorrectly handled certain bogus NS records when using forwarders. A
remote attacker could possibly use this issue to manipulate cache results.
(CVE-2021-25220)
USN-5321-2: Firefox vulnerabilities
USN-5321-1 fixed vulnerabilities in Firefox. The update didn’t include
arm64 because of a regression. This update provides the corresponding
update for arm64.
This update also removes Yandex and Mail.ru as optional search providers
in the drop-down search menu.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, spoof the browser
UI, bypass security restrictions, obtain sensitive information, or execute
arbitrary code. (CVE-2022-0843, CVE-2022-26381, CVE-2022-26382,
CVE-2022-26383, CVE-2022-26384, CVE-2022-26385)
A TOCTOU bug was discovered when verifying addon signatures during
install. A local attacker could potentially exploit this to trick a
user into installing an addon with an invalid signature.
(CVE-2022-26387)
USN-5334-1: man-db vulnerability
It was discovered that man-db incorrectly handled permission changing
operations in its daily cron job, and was therefore affected by a race
condition. An attacker could possibly use this issue to escalate privileges
and execute arbitrary code.
CVE-2021-23556
The package guake before 3.8.5 are vulnerable to Exposed Dangerous Method or Function due to the exposure of execute_command and execute_command_by_uuid methods via the d-bus interface, which makes it possible for a malicious user to run an arbitrary command via the d-bus method. **Note:** Exploitation requires the user to have installed another malicious program that will be able to send dbus signals or run terminal commands.
kernel-5.16.15-101.fc34
FEDORA-2022-9342e59a98
Packages in this update:
kernel-5.16.15-101.fc34
Update description:
The 5.16.15 stable kernel update includes a number of important fixes across the tree. It also includes a temporary revert of the feature that makes QNAP NFS mounts fail. We will carry this revert through the 5.16 series in attempt to give the vendor more time to come out with an update, or upstream to come out with a solution.
kernel-5.16.15-201.fc35
FEDORA-2022-de4474b89d
Packages in this update:
kernel-5.16.15-201.fc35
Update description:
The 5.16.15 stable kernel update includes a number of important fixes across the tree. It also includes a temporary revert of the feature that makes QNAP NFS mounts fail. We will carry this revert through the 5.16 series in attempt to give the vendor more time to come out with an update, or upstream to come out with a solution.
USN-5333-1: Apache HTTP Server vulnerabilities
Chamal De Silva discovered that the Apache HTTP Server mod_lua module
incorrectly handled certain crafted request bodies. A remote attacker could
possibly use this issue to cause the server to crash, resulting in a denial
of service. (CVE-2022-22719)
James Kettle discovered that the Apache HTTP Server incorrectly closed
inbound connection when certain errors are encountered. A remote attacker
could possibly use this issue to perform an HTTP Request Smuggling attack.
(CVE-2022-22720)
It was discovered that the Apache HTTP Server incorrectly handled large
LimitXMLRequestBody settings on certain platforms. In certain
configurations, a remote attacker could use this issue to cause the server
to crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2022-22721)
Ronald Crane discovered that the Apache HTTP Server mod_sed module
incorrectly handled memory. A remote attacker could use this issue to cause
the server to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2022-23943)
USN-5332-1: Bind vulnerabilities
Xiang Li, Baojun Liu, Chaoyi Lu, and Changgen Zou discovered that Bind
incorrectly handled certain bogus NS records when using forwarders. A
remote attacker could possibly use this issue to manipulate cache results.
(CVE-2021-25220)
It was discovered that Bind incorrectly handled certain crafted TCP
streams. A remote attacker could possibly use this issue to cause Bind to
consume resources, leading to a denial of service. This issue only affected
Ubuntu 21.10. (CVE-2022-0396)
openssl3-3.0.1-18.el8.1
FEDORA-EPEL-2022-1edabe7090
Packages in this update:
openssl3-3.0.1-18.el8.1
Update description:
Security fix for CVE-2022-0778