279 matches found

OSV
added 2023/08/09 10:14 a.m. | 4 views

CLSA-2023-1691576076 Fix CVE(s): CVE-2023-2828

SECURITY UPDATE: cache size limit exceeding may cause Denial of Service - debian/patches/CVE-2023-2828.patch: prevents the cache going over the configured memory limit max-cache-size - CVE-2023-2828...

CVSS 7.5 | AI score 7.3 | EPSS 0.03776
Exploits: 0 | References: 1

OSV
added 2023/04/25 8:15 p.m. | 3 views

DEBIAN-CVE-2023-25652

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents...

CVSS 7.5 | AI score 7.6 | EPSS 0.52164
Exploits: 0 | References: 1

OSV
added 2023/03/09 9:12 p.m. | 5 views

CLSA-2023-1678396353 Fix CVE(s): CVE-2023-24329

SECURITY UPDATE: urllib.parse.urlparse does not enforce that a scheme must begin with an ASCII-character - debian/patches/CVE-2023-24329.patch: Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character - CVE-2023-24329...

CVSS 7.5 | AI score 7 | EPSS 0.20459
Exploits: 3 | References: 1

SUSE CVE
added 2023/02/15 5:35 a.m. | 3 views

SUSE CVE-2013-4577

A certain Debian patch for GNU GRUB uses world-readable permissions for grub.cfg, which allows local users to obtain password hashes, as demonstrated by reading the password_pbkdf2 directive in the file...

CVSS 2.1 | AI score 6.7 | EPSS 0.00384
Exploits: 0 | References: 3

OSV
added 2023/01/16 9:50 p.m. | 4 views

CLSA-2023-1673905845 Fix CVE(s): CVE-2022-42898

SECURITY UPDATE: integer overflows that may lead to remote code execution - debian/patches/CVE-2022-42898.patch: add several tests to prevent integer overflow in pac parsing - CVE-2022-42898...

CVSS 8.8 | AI score 7 | EPSS 0.06419
Exploits: 1 | References: 1

OSV
added 2022/12/23 4:15 p.m. | 7 views

DEBIAN-CVE-2022-47938

An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for SMB2_TREE_CONNECT...

CVSS 6.5 | AI score 6.6 | EPSS 0.58461
Exploits: 0 | References: 1

OSV
added 2022/12/15 5:16 p.m. | 3 views

CLSA-2022-1671124583 Fix CVE(s): CVE-2022-4292

SECURITY UPDATE: Using freed memory after SpellFileMissing autocmd uses bwipe - debian/patches/CVE-2022-4292.patch: Bail out if the window no longer exists - CVE-2022-4292...

CVSS 7.8 | AI score 7.1 | EPSS 0.00655
Exploits: 1 | References: 1

OSV
added 2022/10/13 5:11 p.m. | 2 views

CLSA-2022-1665681071 Fix CVE(s): CVE-2022-2806

SECURITY UPDATE: Exposed sensitive information - debian/patches/CVE-2022-2806.patch: filter out all password keys in sos/report/plugins/ovirt.py - CVE-2022-2806...

CVSS 5.5 | AI score 6 | EPSS 0.00233
Exploits: 0 | References: 1

OSV
added 2022/10/11 3:27 p.m. | 4 views

CLSA-2022-1665502073 Fix CVE(s): CVE-2022-41318

SECURITY UPDATE: buffer-over-read in SSPI and SMB authentication - debian/patches/CVE-2022-41318.patch: improve debugs and checks sequence to clarify cases and ensure that all are handled correctly in lib/ntlmauth/ntlmauth.cc - CVE-2022-41318...

CVSS 8.6 | AI score 7.2 | EPSS 0.0282
Exploits: 0 | References: 1

OSV
added 2022/09/14 7:40 p.m. | 5 views

CLSA-2022-1663184406 Fix CVE(s): CVE-2021-28861

SECURITY UPDATE: Redirection vulnerability in http.server - debian/patches/CVE-2021-28861.patch: Fix an open redirection vulnerability in the http.server module when an URI path starts with //. - CVE-2021-28861...

CVSS 7.4 | AI score 6.9 | EPSS 0.0199
Exploits: 0 | References: 1

OSV
added 2022/08/17 6:37 p.m. | 2 views

CLSA-2022-1660761469 Fix CVE(s): CVE-2022-2581

SECURITY UPDATE: Illegal memory access when pattern starts with illegal byte - debian/patches/CVE-2022-2581.patch: Do not match a character with an illegal byte - CVE-2022-2581...

CVSS 7.8 | AI score 7.1 | EPSS 0.00481
Exploits: 1 | References: 1

OSV
added 2022/05/25 5:30 p.m. | 2 views

CLSA-2022-1653499822 Fix CVE(s): CVE-2022-0318

SECURITY UPDATE: Reading beyond the end of a line - debian/patches/CVE-2022-0318.patch: For block insert only use the offset for correcting the length, adjust expected output of the relevant UTF8 block insertion test - CVE-2022-0318...

CVSS 9.8 | AI score 6.9 | EPSS 0.02086
Exploits: 1 | References: 1

OSV
added 2022/05/04 5:25 p.m. | 3 views

CLSA-2022-1651685129 Fix CVE(s): CVE-2019-18276

SECURITY UPDATE: privilege gain via setuid - debian/patches/CVE-2019-18276.patch: replace the use of setuid and setgid when possible with setresuid and setresgid, respectively. - CVE-2019-18276...

CVSS 7.8 | AI score 7.3 | EPSS 0.02608
Exploits: 5 | References: 1

NCSC
added 2022/04/20 12:0 a.m. | 9 views

Vulnerabilities fixed in AWS patch solutions

Vulnerabilities have been fixed in several AWS patch solutions. These patch solutions were released by AWS to monitor for Java applications vulnerable to Log4Shell and patch these systems immediately. AWS has released three hotpatches. A hot patch in the form of Debian or RPM packages th...

CVSS 10 | AI score 7.6 | EPSS 0.99999
Exploits: 351

OSV
added 2022/04/05 2:55 p.m. | 2 views

CLSA-2022-1649170534 Fix CVE(s): CVE-2022-0943

SECURITY UPDATE: Heap-based buffer overflow - debian/patches/CVE-2022-0943.patch: Don't include the NULL to the end of the line - CVE-2022-0943...

CVSS 8.4 | AI score 7.4 | EPSS 0.00698
Exploits: 1 | References: 1

OSV
added 2021/10/28 10:15 p.m. | 4 views

CLSA-2021-1635459358 Fix CVE(s): CVE-2021-23017

SECURITY UPDATE: Update fix for CVE-2021-23017 according to nginx.org recommendations - debian/patches/cve-2021-23017.patch - CVE-2021-23017...

CVSS 7.7 | AI score 7.4 | EPSS 0.52838
Exploits: 10 | References: 1

OSV
added 2021/10/28 10:15 p.m. | 4 views

CLSA-2021-1635459350 Fix CVE(s): CVE-2021-23017

SECURITY UPDATE: Off-by-one in ngx_resolver_copy when labels are followed by a pointer to a root domain name - debian/patches/fix-off-by-one-heap-write-vulnerability.patch - CVE-2021-23017...

CVSS 7.7 | AI score 7.5 | EPSS 0.52838
Exploits: 10 | References: 1

OSV
added 2021/10/28 10:14 p.m. | 2 views

CLSA-2021-1635459277 Fix CVE(s): CVE-2021-23240

SECURITY UPDATE: privilege escalation via symlinks - debian/patches/CVE-2021-23240.patch: fix opportunity for local unprivileged user to gain file ownership via symlinks. - CVE-2021-23240...

CVSS 7.8 | AI score 7.1 | EPSS 0.01066
Exploits: 1 | References: 1

OSV
added 2021/10/07 4:15 p.m. | 6 views

DEBIAN-CVE-2021-42013

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default...

CVSS 9.8 | AI score 9.1 | EPSS 0.99964
Exploits: 62 | References: 1

NCSC
added 2021/08/10 12:0 a.m. | 4 views

Vulnerability fixed in Lynx

A vulnerability has been fixed in Lynx. A remote attacker can exploit the vulnerability to obtain login credentials transmitted over HTTPS via Lynx to a server. To do this, the attacker must have access to network traffic between the victim and the server. It is not...

CVSS 5.3 | AI score 6.8 | EPSS 0.04455
Exploits: 0