rsync-3.4.0-1.fc40
New version 3.4.0. Contains fixes for CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747.
Multiple Vulnerabilities have been discovered in Ivanti Avalanche, the most severe of which could allow for authentication bypass. Ivanti Avalanche is a mobile device management system. Network security features allow one to manage wireless settings (including encryption and authentication) and apply those settings on a schedule throughout the network. Successful exploitation could allow for a remote unauthenticated attacker to bypass authentication. Depending on the privileges associated with the logged-on user, an attacker could then install programs; view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
It was discovered that Git incorrectly handled certain URLs when
asking for credentials. An attacker could possibly use this
issue to mislead the user into typing passwords for trusted
sites that would then be sent to untrusted sites instead.
(CVE-2024-50349)
It was discovered that git incorrectly handled line endings when
using credential helpers. (CVE-2024-52006)
Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not
properly handle certain error conditions, leading to a NULL pointer
dereference. A local attacker could possibly trigger this vulnerability to
cause a denial of service. (CVE-2022-38096)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– ARM32 architecture;
– ARM64 architecture;
– S390 architecture;
– x86 architecture;
– Power management core;
– GPU drivers;
– InfiniBand drivers;
– Network drivers;
– S/390 drivers;
– SCSI subsystem;
– TTY drivers;
– BTRFS file system;
– Ext4 file system;
– EROFS file system;
– F2FS file system;
– File systems infrastructure;
– BPF subsystem;
– Socket messages infrastructure;
– Bluetooth subsystem;
– Memory management;
– Amateur Radio drivers;
– Ethernet bridge;
– Networking core;
– IPv4 networking;
– Network traffic control;
– Sun RPC protocol;
– VMware vSockets driver;
– SELinux security module;
(CVE-2024-42240, CVE-2024-36938, CVE-2024-35967, CVE-2024-36953,
CVE-2022-48938, CVE-2024-38553, CVE-2024-35904, CVE-2024-35965,
CVE-2024-26947, CVE-2024-36968, CVE-2024-43892, CVE-2024-38597,
CVE-2023-52498, CVE-2021-47501, CVE-2024-44942, CVE-2024-42077,
CVE-2024-53057, CVE-2024-46724, CVE-2024-35963, CVE-2022-48943,
CVE-2024-42068, CVE-2024-42156, CVE-2022-48733, CVE-2023-52639,
CVE-2021-47101, CVE-2023-52821, CVE-2024-44940, CVE-2024-36952,
CVE-2021-47001, CVE-2024-38538, CVE-2024-40910, CVE-2021-47076,
CVE-2024-35966, CVE-2024-50264, CVE-2024-35951, CVE-2023-52488,
CVE-2023-52497, CVE-2024-49967)
It was discovered that Django incorrectly handled certain IPv6
strings. An attacker could possibly use this issue to cause a
denial of service.
SDL2_sound-2.0.4-1.fc41
Latest stable release from upstream. Changelog: https://github.com/icculus/SDL_sound/releases/tag/v2.0.4 . NOTE: dr_libs are unbundled.
Fixes:
CVE-2023-45676: Multi-byte write heap buffer overflow in start_decoder()
CVE-2023-45677: Heap buffer out of bounds write in start_decoder()
CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
CVE-2023-45680: Null pointer dereference in vorbis_deinit()
CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
CVE-2023-45680: Null pointer dereference in vorbis_deinit()
CVE-2023-45682: Wild address read in vorbis_decode_packet_rest()
SDL2_sound-2.0.4-1.fc40
Latest stable release from upstream. Changelog: https://github.com/icculus/SDL_sound/releases/tag/v2.0.4 . NOTE: dr_libs are unbundled.
Fixes:
CVE-2023-45676: Multi-byte write heap buffer overflow in start_decoder()
CVE-2023-45677: Heap buffer out of bounds write in start_decoder()
CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
CVE-2023-45680: Null pointer dereference in vorbis_deinit()
CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
CVE-2023-45680: Null pointer dereference in vorbis_deinit()
CVE-2023-45682: Wild address read in vorbis_decode_packet_rest()
Wei Hao discovered that PowerDNS Authoritative Server incorrectly handled
memory when accessing certain files. An attacker could possibly use this
issue to achieve arbitrary code execution. (CVE-2018-1046)
It was discovered that PowerDNS Authoritative Server and PowerDNS Recursor
incorrectly handled memory when receiving certain remote input. An attacker
could possibly use this issue to cause denial of service. (CVE-2018-10851)
Kees Monshouwer discovered that PowerDNS Authoritative Server and PowerDNS
Recursor incorrectly handled request validation after having cached
malformed input. An attacker could possibly use this issue to cause denial
of service. (CVE-2018-14626)
Toshifumi Sakaguchi discovered that PowerDNS Recursor incorrectly handled
requests after having cached malformed input. An attacker could possibly
use this issue to cause denial of service. (CVE-2018-14644)
Nathaniel Ferguson discovered that PowerDNS Authoritative Server
incorrectly handled memory when receiving certain remote input. An attacker
could possibly use this issue to obtain sensitive information.
(CVE-2020-17482)
Nicolas Dehaine and Dmitry Shabanov discovered that PowerDNS Authoritative
Server and PowerDNS Recursor incorrectly handled IXFR requests in certain
circumstances. An attacker could possibly use this issue to cause denial of
service. (CVE-2022-27227)
