FEDORA-2023-9d50269499

Packages in this update:

python-fastapi-0.92.0-1.fc38
python-starlette-0.25.0-1.fc38

Update description:

python-starlette 0.25.0

Fixed

Limit the number of fields and files when parsing multipart/form-data on the MultipartParser

python-fastapi 0.92.0

🚨 This is a security fix. Please upgrade as soon as possible.

Upgrades

⬆ Upgrade Starlette to 0.25.0.
This solves a vulnerability that could allow denial of service attacks by using many small multipart fields/files (parts), consuming high CPU and memory.
Only applications using forms (e.g. file uploads) could be affected.
For most cases, upgrading won’t have any breaking changes.

Read More

Posted by Thomas Weber on Feb 14

CyberDanube Security Research 20230213-0
——————————————————————————-
                title| Multiple Vulnerabilities
              product| JetWave4221 HP-E, JetWave 2212G, JetWave
2212X/2212S,
                     | JetWave 2211C, JetWave 2411/2111, JetWave
2411L/2111L,
                     | JetWave 2414/2114, JetWave…

Read More

Posted by Stefan Kanthak on Feb 14

Hi @ll,

almost 4 years ago, with Windows 10 1903, after more than a year
beta-testing in insider previews, Microsoft finally released UTF-8
support for the -A interfaces of the Windows API.

0) <https://docs.microsoft.com/en-us/windows/uwp/design/globalizing/use-utf8-code-page#activeCodePage>

| If the ANSI code page is configured for UTF-8, -A APIs typically
| operate in UTF-8. This model has the benefit of supporting
| existing…

Read More

Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Feb 14

SEC Consult Vulnerability Lab Security Advisory < 20230214-0 >
=======================================================================
title: Multiple XSS Vulnerabilities
product: B&R Systems Diagnostics Manager
vulnerable version: >=3.00 and <=C4.93
fixed version: >=D4.93
CVE number: CVE-2022-4286
impact: medium
homepage: https://www.br-automation.com…

Read More

Posted by Apple Product Security via Fulldisclosure on Feb 14

APPLE-SA-2023-02-13-3 Safari 16.3.1

Safari 16.3.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213638.

WebKit
Available for: macOS Big Sur and macOS Monterey
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Apple is aware of a report that this issue
may have been actively exploited.
Description: A type confusion issue was addressed…

Read More

Posted by Apple Product Security via Fulldisclosure on Feb 14

APPLE-SA-2023-02-13-2 macOS Ventura 13.2.1

macOS Ventura 13.2.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213633.

Kernel
Available for: macOS Ventura
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: A use after free issue was addressed with improved
memory management.
CVE-2023-23514: Xinru Chi of Pangu Lab, Ned Williamson of…

Read More

Posted by Apple Product Security via Fulldisclosure on Feb 14

APPLE-SA-2023-02-13-1 iOS 16.3.1 and iPadOS 16.3.1

iOS 16.3.1 and iPadOS 16.3.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213635.

Kernel
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air
3rd generation and later, iPad 5th generation and later, and iPad
mini 5th generation and later
Impact: An app may be able to execute arbitrary code with kernel…

Read More

Posted by Martin Heiland via Fulldisclosure on Feb 14

Dear subscribers,

we’re sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at YesWeHack.

A CSAF representation of this advisory has been published at
https://documentation.open-xchange.com/security/advisories/.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Internal reference:…

Read More

Posted by Julien Ahrens (RCE Security) on Feb 14

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: Quiz And Survey Master
Vendor URL: https://wordpress.org/plugins/quiz-master-next/
Type: Missing Authentication for Critical Function [CWE-306]
Date found: 2023-01-13
Date published: 2023-02-08
CVSSv3 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVE: CVE-2023-0291

2. CREDITS
==========…

Read More

Posted by Julien Ahrens (RCE Security) on Feb 14

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: Quiz And Survey Master
Vendor URL: https://wordpress.org/plugins/quiz-master-next/
Type: Cross-Site Request Forgery (CSRF) [CWE-352]
Date found: 2023-01-13
Date published: 2023-02-08
CVSSv3 Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVE: CVE-2023-0292

2. CREDITS
==========
This…

Read More