Important: php

Issue Overview: GHSA-76gg-c692-v2mw: Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP NOTE: Fixed in 8.2.7, 8.1.20, 8.0.29 NOTE: https://github.com/php/php-src/security/advisories/GHSA-76gg-c692-v2mw NOTE:...

Medium: php

Issue Overview: Several flaws has been found in php. The pdofirebase module does not check the length of the server version string in a response packet causing a stack buffer overflow, does not verify the data and uses the wrong type to cast length leading to a crash, and does not validate the...

Important: php

Issue Overview: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, passwordverify function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid...

Important: php

Issue Overview: A vulnerability was found in PHP due to an uninitialized array in pgqueryparams function. When using the Postgres database extension, supplying invalid parameters to the parameterized query may lead to PHP attempting to free memory, using uninitialized data as pointers. This flaw...

Important: php

Issue Overview: In PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using imageloadfont function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar function, the read outside allocated buffer will be used. This can lead ...

Medium: gcc

Issue Overview: An issue was found in a defense in depth feature of the GCC compiler on aarch64 platforms. The stack protector feature -fstack-protector did not detect or defend against overflows of dynamically-sized local variables. This update to the GCC compiler remedies code generation for th...

Medium: gcc10

Issue Overview: An issue was found in a defense in depth feature of the GCC compiler on aarch64 platforms. The stack protector feature -fstack-protector did not detect or defend against overflows of dynamically-sized local variables. This update to the GCC compiler remedies code generation for th...

Medium: openssl

Issue Overview: Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DHcheck, DHcheckex or EVPPKEYparamcheck to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being...

Medium: gcc

Issue Overview: An issue was found in a defense in depth feature of the GCC compiler on aarch64 platforms. The stack protector feature -fstack-protector did not detect or defend against overflows of dynamically-sized local variables. This update to the GCC compiler remedies code generation for th...

Important: python3.9

Issue Overview: An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers such as HTTP servers that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer...

Low: file

Issue Overview: File before 5.43 has an stack-based buffer over-read in filecopystr in funcs.c. NOTE: "File" is the name of an Open Source project. CVE-2022-48554 Affected Packages: file Issue Correction: Run dnf update file --releasever 2023.1.20230906 or dnf update --advisory ALAS2023-2023-333...

Important: python38

Issue Overview: An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers such as HTTP servers that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer...

Medium: krb5

Issue Overview: lib/kadm5/kadmrpcxdr.c in MIT Kerberos 5 aka krb5 before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because xdrkadm5principalentrec does not validate the relationship between nkeydata and the...

Medium: avahi

Issue Overview: avahi-daemon denial of service can be caused by unprivileged users via DBus CVE-2023-1981 Affected Packages: avahi Issue Correction: Run dnf update avahi --releasever 2023.1.20230906 or dnf update --advisory ALAS2023-2023-332 --releasever 2023.1.20230906 to update your system. Mor...

Important: python3.11

Issue Overview: An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers such as HTTP servers that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer...

Medium: php56-pecl-imagick

Issue Overview: ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service. CVE-2017-1000476 The ReadXWDImage function in coders\xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability th...

Important: amazon-ssm-agent

Issue Overview: The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. CVE-2021-43565 A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentification with R...

Important: apache-ivy

Issue Overview: Improper Restriction of XML External Entity Reference, XML Injection aka Blind XPath Injection vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own...

Medium: binutils

Issue Overview: Heap buffer overflow vulnerability in binutils readelf before 2.40 via function displaydebugsection in file readelf.c. CVE-2022-45703 An issue was discovered in Binutils addr2line before 2.39.3, function parsemodule contains multiple out of bound reads which may cause a denial of...

Medium: indent

Issue Overview: GNU indent 2.2.13 has a heap-based buffer overflow in searchbrace in indent.c via a crafted file. CVE-2023-40305 Affected Packages: indent Issue Correction: Run dnf update indent --releasever 2023.1.20230906 or dnf update --advisory ALAS2023-2023-318 --releasever 2023.1.20230906 t...

Medium: kernel

Issue Overview: A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality. CVE-2023-20588 Affected Packages: kernel Issue Correction: Run yum update kernel or yum update --advisory ALAS-2023-1819 to update your system. New Package...

Medium: poppler

Issue Overview: In Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.c callows attackers to cause a denial-of-service application crashes with SIGABRT by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomple...

Medium: php54-pecl-imagick

Issue Overview: ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service. CVE-2017-1000476 The ReadXWDImage function in coders\xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability th...

Medium: php71-pecl-imagick

Issue Overview: ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service. CVE-2017-1000476 The ReadXWDImage function in coders\xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability th...

Medium: gdk-pixbuf2

Issue Overview: GNOME GdkPixbuf aka GDK-PixBuf before 2.42.8 allows a heap-based buffer overflow when compositing or clearing frames in GIF files, as demonstrated by io-gif-animation.c compositeframe. This overflow is controllable and could be abused for code execution, especially on 32-bit...

Medium: ImageMagick

Issue Overview: ImageMagick before 6.9.12-91 allows attackers to cause a denial of service memory consumption in Magick::Draw. CVE-2023-39978 Affected Packages: ImageMagick Issue Correction: Run dnf update ImageMagick --releasever 2023.1.20230906 or dnf update --advisory ALAS2023-2023-320...

Medium: php70-pecl-imagick

Issue Overview: ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service. CVE-2017-1000476 The ReadXWDImage function in coders\xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability th...

Medium: ruby20

Issue Overview: An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in matchat during regular expression searching. A logical error involving order of validation and access in matchat could...

Medium: hwloc

Issue Overview: An issue was discovered in open-mpi hwloc 2.1.0 allows attackers to cause a denial of service or other unspecified impacts via glibc-cpuset in topology-linux.c. CVE-2022-47022 Affected Packages: hwloc Issue Correction: Run dnf update hwloc --releasever 2023.1.20230906 or dnf updat...

Important: kernel

Issue Overview: A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality. CVE-2023-20588 The fix for XSA-423 added logic to Linux'es netback driver to deal with a frontend splitting a packet in a way such that not all of the...

Medium: php72-pecl-imagick

Issue Overview: ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service. CVE-2017-1000476 The ReadXWDImage function in coders\xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability th...

Medium: dmidecode

Issue Overview: Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible. CVE-2023-30630 Affected Packages: dmidecode Issue Correction: Run dnf update dmidecode --releasever 2023.1.20230906 or d...

Important: cni-plugins

Issue Overview: http2/hpack: avoid quadratic complexity in hpack decoding CVE-2022-41723 The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send...

Important: amazon-ecr-credential-helper

Issue Overview: http2/hpack: avoid quadratic complexity in hpack decoding CVE-2022-41723 Affected Packages: amazon-ecr-credential-helper Issue Correction: Run dnf update amazon-ecr-credential-helper --releasever 2023.1.20230906 or dnf update --advisory ALAS2023-2023-337 --releasever 2023.1.202309...

Important: php8.2

Issue Overview: In PHP versions 8.0. before 8.0.30, 8.1. before 8.1.22, and 8.2. before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it ...

Important: php8.1

Issue Overview: GHSA-76gg-c692-v2mw: Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP NOTE: Fixed in 8.2.7, 8.1.20, 8.0.29 NOTE: https://github.com/php/php-src/security/advisories/GHSA-76gg-c692-v2mw NOTE:...

Important: postgresql15

Issue Overview: IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct dollar quoting, '', or "". If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an...

Important: dotnet6.0

Issue Overview: .NET and Visual Studio Remote Code Execution Vulnerability CVE-2023-35390 .NET Core and Visual Studio Denial of Service Vulnerability CVE-2023-38178 .NET and Visual Studio Denial of Service Vulnerability CVE-2023-38180 Affected Packages: dotnet6.0 Issue Correction: Run dnf update...

Important: java-1.8.0-openjdk

Issue Overview: Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: Scripting. Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access vi...

Medium: php55-pecl-imagick

Issue Overview: ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service. CVE-2017-1000476 The ReadXWDImage function in coders\xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability th...

Low: amazon-ssm-agent

Issue Overview: No CVE associated with this advisory Affected Packages: amazon-ssm-agent Issue Correction: Run dnf update amazon-ssm-agent --releasever 2023.1.20230906 or dnf update --advisory ALAS2023-2023-339 --releasever 2023.1.20230906 to update your system. More information on how to update...

Medium: poppler

Issue Overview: An issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file. CVE-2022-38349 Affected Packages: poppler Issue Correction: Run...

Important: ca-certificates

Issue Overview: Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an...

Medium: cups

Issue Overview: An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.7.7, macOS Monterey 12.6.6, macOS Ventura 13.4. An unauthenticated user may be able to access recently printed documents. CVE-2023-32360 Affected Packages: cups Issue...

Medium: libtiff

Issue Overview: A NULL pointer dereference flaw was found in Libtiff's LZWDecode function in the libtiff/tiflzw.c file. This flaw allows a local attacker to craft specific input data that can cause the program to dereference a NULL pointer when decompressing a TIFF format file, resulting in a...

Medium: poppler

Issue Overview: Buffer Overflow vulnerability in HtmlOutputDev::page in poppler 0.75.0 allows attackers to cause a denial of service. CVE-2020-18839 Affected Packages: poppler Issue Correction: Run yum update poppler or yum update --advisory ALAS-2023-1823 to update your system. New Packages: i68...

Medium: krb5

Issue Overview: lib/kadm5/kadmrpcxdr.c in MIT Kerberos 5 aka krb5 before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because xdrkadm5principalentrec does not validate the relationship between nkeydata and the...

Important: clamav

Issue Overview: A vulnerability in the filesystem image parser for Hierarchical File System Plus HFS+ of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service DoS condition on an affected device. This vulnerability is due to an incorrect check for completion when a...

Important: clamav

Issue Overview: A vulnerability in the filesystem image parser for Hierarchical File System Plus HFS+ of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service DoS condition on an affected device. This vulnerability is due to an incorrect check for completion when a...

Important: rust

Issue Overview: Cargo downloads the Rust project's dependencies and compiles the project. Cargo prior to version 0.72.2, bundled with Rust prior to version 1.71.1, did not respect the umask when extracting crate archives on UNIX-like systems. If the user downloaded a crate containing files...