USN-6852-1 fixed a vulnerability in Wget. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
It was discovered that Wget incorrectly handled semicolons in the userinfo
subcomponent of a URI. A remote attacker could possibly trick a user into
connecting to a different host than expected.
It was discovered that FontForge incorrectly handled filenames. If a user or an
automated system were tricked into opening a specially crafted input file, a
remote attacker could possibly use this issue to perform a command injection.
(CVE-2024-25081)
It was discovered that FontForge incorrectly handled archives and compressed
files. If a user or an automated system were tricked into opening a specially
crafted input file, a remote attacker could possibly use this issue to perform
command injection. (CVE-2024-25082)
What is the attack?Over 100,000+ sites have been impacted by a supply chain attack involving the Polyfill.io service. Polyfill is a popular tool used for enhancing browser capabilities by hundreds of thousands of sites to ensure that all website visitors can use the same codebase for unsupported functionality. Earlier this year, the polyfill.io domain was purchased, and the script was modified to redirect users to malicious and scam sites.What is the recommended Mitigation?Given the confirmed malicious operations, owners of websites using polyfill.io are advised to remove it immediately and search their code repositories for instances of polyfill.io. Users are also advised to consider using alternate services provided by Cloudflare and Fastly.What FortiGuard Coverage is available?FortiGuard Labs’ research team is investigating the coverage and has blocked all the known Indicators of compromise (IoCs).
It was discovered that OpenSSL failed to choose an appropriately short
private key size when computing shared-secrets in the Diffie-Hellman Key
Agreement Protocol. A remote attacker could possibly use this issue to cause
OpenSSL to consume resources, resulting in a denial of service.
Fabian Vogt discovered that the KDE session management server
insufficiently restricted ICE connections from localhost, which could
allow a local attacker to execute arbitrary code as another user on
next boot.
python-waitress-1.4.3-2.el7
Backport upstream fix for CVE-2022-24761.
USN-6566-1 fixed several vulnerabilities in SQLite. This update provides
the corresponding fix for CVE-2023-7104 for Ubuntu 18.04 LTS.
Original advisory details:
It was discovered that SQLite incorrectly handled certain memory operations
in the sessions extension. A remote attacker could possibly use this issue
to cause SQLite to crash, resulting in a denial of service.
rust-blowfish-0.9.1-2.el9
rust-dsa-0.6.3-1.el9
rust-num-bigint-dig-0.8.4-1.el9
rust-rand_isaac-0.3.0-6.el9
rust-rsa-0.9.6-2.el9
rust-sequoia-gpg-agent-0.4.2-1.el9
rust-sequoia-keystore-0.5.1-1.el9
rust-sequoia-openpgp-1.21.1-1.el9
rust-sequoia-sq-0.37.0-3.el9
Update the sequoia-openpgp crate to version 1.21.1. Addresses RUSTSEC-2024-0345.
Update the sequoia-keystore crate to version 0.5.1.
Update the sequoia-gpg-agent crate to version 0.4.2.
This update also includes rebuilds of all affected applications that are affected by RUSTSEC-2024-0345 and a regression in sequoia-openpgp 1.21.0.
rust-sequoia-chameleon-gnupg-0.10.0-3.fc39
rust-sequoia-gpg-agent-0.4.2-1.fc39
rust-sequoia-keystore-0.5.1-1.fc39
rust-sequoia-openpgp-1.21.1-1.fc39
rust-sequoia-sq-0.37.0-3.fc39
Update the sequoia-openpgp crate to version 1.21.1. Addresses RUSTSEC-2024-0345.
Update the sequoia-keystore crate to version 0.5.1.
Update the sequoia-gpg-agent crate to version 0.4.2.
This update also includes rebuilds of all affected applications that are affected by RUSTSEC-2024-0345 and a regression in sequoia-openpgp 1.21.0.
rust-sequoia-chameleon-gnupg-0.10.0-3.fc40
rust-sequoia-gpg-agent-0.4.2-1.fc40
rust-sequoia-keystore-0.5.1-1.fc40
rust-sequoia-openpgp-1.21.1-1.fc40
rust-sequoia-sq-0.37.0-3.fc40
Update the sequoia-openpgp crate to version 1.21.1. Addresses RUSTSEC-2024-0345.
Update the sequoia-keystore crate to version 0.5.1.
Update the sequoia-gpg-agent crate to version 0.4.2.
This update also includes rebuilds of all affected applications that are affected by RUSTSEC-2024-0345 and a regression in sequoia-openpgp 1.21.0.
