Mageia 2022-0310: python-ldap security update
It was discovered that Python LDAP incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause a denial of service (CVE-2021-46823). References:
An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin (CVE-2022-38472).
This kernel update is based on upstream 5.15.62 and fixes at least the following security issues: A use-after-free flaw was found in the Linux kernel Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to
The chromium-browser-stable package has been updated to the 104.0.5112.101 branch, fixing many bugs and 11 CVEs. Google is aware that an exploit for CVE-2022-2856 exists in the wild. Some of the addressed CVEs are listed below: Critical CVE-2022-2852: Use after free in FedCM.
Move UNIX socket dir from /tmp to /run to avoid local attackers being able to place bogus directories in its stead. (CVE-2022-21950) References: - https://bugs.mageia.org/show_bug.cgi?id=30755
Updated microcode packages fix security vulnerability: Improper isolation of shared resources in some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access (CVE-2022-21233, intel-sa-00657).
Update to version 1.16.2 fixes many bugs (along with versions 1.13.1, 1.13.2, 1.14.0, 1.15.0, 1.16.0 and 1.16.1), and protects against CVE-2022-3069[89]
An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite
A double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function. (CVE-2022-2509) References: - https://bugs.mageia.org/show_bug.cgi?id=30691
Mouse Position spoofing with CSS transforms. (CVE-2022-36319) Directory indexes for bundled resources reflected URL parameters. (CVE-2022-36318) References:
Fixed AD restrictions bypass associated with changing passwords (bsc#1201495). (CVE-2022-2031) Fixed a memory leak in SMB1 (bsc#1201496). (CVE-2022-32742) Fixed an arbitrary password change request for any AD user (bsc#1201493). (CVE-2022-32744)
GNU SASL libgsasl server-side read-out-of-bounds with malicious authenticated GSS-API client. (CVE-2022-2469) References: - https://bugs.mageia.org/show_bug.cgi?id=30670
ftbench.c in FreeType Demo Programs through 2.12.1 has a heap-based buffer overflow. (CVE-2022-31782) References: - https://bugs.mageia.org/show_bug.cgi?id=30659
An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege
Multiple buffer overflows were discovered in Kicad, a suite of programs for the creation of printed circuit boards, which could result in the execution of arbitrary code if malformed Gerber/Excellon files are opened, as follows.
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in
Modpack Installer buffer overflow. (CVE-2022-6083) References:
Code execution via malicious map file (CVE-2021-43518) References: - https://bugs.mageia.org/show_bug.cgi?id=30717 - https://lists.fedoraproject.org/archives/list/[address obscured]/thread/JIYZ7EVY6NZBM7FQF6GVUARYO6MKSEAT/
Null pointer dereference in wvunpack (CVE-2022-2476) References: - https://bugs.mageia.org/show_bug.cgi?id=30713 - https://lists.suse.com/pipermail/sle-security-updates/2022-August/011810.html