Two security issues were identified in the ngx_http_mp4_module, which might allow an attacker to cause a worker process crash or worker process memory disclosure by using a specially crafted mp4 file, or might have potential other impact. (CVE-2022-41741, CVE-2022-41742)
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. (CVE-2022-40674) References: - https://bugs.mageia.org/show_bug.cgi?id=30986
CVE-2022-39253: A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. CVE-2022-39260: Allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes.
Heimdal was not properly handling logical conditions that related to memory management operations. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-3116) References:
NULL pointer dereference in krb5-appl telnetd. (CVE-2022-39028) References: - https://bugs.mageia.org/show_bug.cgi?id=30918 - https://lists.suse.com/pipermail/sle-security-updates/2022-September/012454.html
http-parser could be made to expose sensitive data if it received a specially crafted request. (CVE-2020-8287) References: - https://bugs.mageia.org/show_bug.cgi?id=30740
Authentication bypass and code execution vulnerability. (CVE-2022-26691) References: - https://bugs.mageia.org/show_bug.cgi?id=30480 - https://openprinting.github.io/cups-2.4.2/
A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files. (CVE-2022-26505) References: - https://bugs.mageia.org/show_bug.cgi?id=30115
This update provides the upstream 6.1.40 maintenance release that fixes at least the following security vulnerabilities: Vulnerability in the Oracle VM VirtualBox prior to 6.1.40 contains a difficult to exploit vulnerability that allows high privileged attacker
