Updated python-requests packages fix security vulnerability

Forwarding proxy credentials to the destination server unintentionally CVE-2023-32681...

Updated libtiff packages fix security vulnerability

There is a double free or corruption in rotateImage at tiffcrop.c:8839 found in libtiff 4.4.0rc1. CVE-2022-2519 A flaw was found in libtiff 4.4.0rc1. There is a sysmalloc assertion fail in rotateImage at tiffcrop.c:8621 that can cause program crash when reading a crafted input. CVE-2022-2520 It w...

Updated kernel-linus packages fix security vulnerabilities

This kernel-linus update is based on upstream 5.15.110 and fixes atleast the following security issues: A slab-out-of-bound read problem was found in brcmfgetassocies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c. This issue could occur when associnfo-reqlen data is bigger than t...

Updated tomcat packages fix security vulnerability

Information disclosure due to concurrency bug CVE-2021-43980 Fix for CVE-2020-9484 introduced a time of check, time of use vulnerability CVE-2022-23181 Correct documentation to warn of use over untrusted networks. CVE-2022-29885 Correct documentation showing use of XSS vulnerability. CVE-2022-343...

Updated dojo packages fix security vulnerability

Dijit Editor's LinkDialog plugin of dojo 1.14.0 to 1.14.7 is vulnerable to cross-site scripting XSS attacks. CVE-2020-4051 Prototype pollution vulnerability via the setObject function. CVE-2021-23450...

Updated netatalk packages fix security vulnerability

Heap overflow leading to arbitrary code execution. CVE-2021-31439 Buffer overflow leading to remote code execution CVE-2022-0194 Improper length validation leading to remote code execution CVE-2022-23121 Buffer overflow leading to remote code execution CVE-2022-23122 Out-of-bounds read leading to...

Updated python-certifi packages fix security vulnerability

Disable bundled Trustcor root cerificate signatures generated after Wednesday November 30 00:00:00 2022. CVE-2022-23491...

Updated quartz packages fix a security vulnerability

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description CVE-2019-13990...

Updated apache packages fix security vulnerabilities

Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. CVE-2024-36387 Encoding problem in modproxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encodin...

Updated python-jinja2 packages fix security vulnerabilities

It was discovered that Jinja2 incorrectly handled certain HTML attributes that were accepted by the xmlattr filter. An attacker could use this issue to inject arbitrary HTML attribute keys and values to potentially execute a cross-site scripting XSS attack...

Updated ffmpeg packages fix security vulnerability

A null pointer dereference issue was discovered in 'FFmpeg' in decodemainheader function of libavformat/nutdec.c file. The flaw occurs because the function lacks check of the return value of avformatnewstream and triggers the null pointer dereference error, causing an application to crash...

Updated nonfree firmware packages fix security vulnerability

Updated nonfree firmwares fixees various issues, adds new / improved hardware support and fixes at least the following security issue: An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors related to state transitions in a...

Updated php packages fix security vulnerabilities

Core: - Corrupted memory in destructor with weak references - GC does not scale well with a lot of objects created in destructor DOM: - Add some missing ZPP checks. - Fix potential memory leak in XPath evaluation results. FPM: - Fix incorrect check in fpmshmfree. Gettext: - Fixed sigabrt...

Updated curl packages fix security vulnerability

HTTP multi-header compression denial of service. CVE-2023-23916...

Updated php-smarty packages fix security vulnerability

Updated php-smarty packages to version 4 for php 8 compatibility and to fix security vulnerabilities...

Updated nodejs-yargs-parser packages fix security vulnerability

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload CVE-2020-7608...

Updated python-rsa packages fix security vulnerability

It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA. CVE-2020-25658...

Updated libxml2 packages fix security vulnerability

In libxml2 before 2.9.14, several buffer handling functions in buf.c xmlBuf and tree.c xmlBuffer don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer...

Updated openssl and compat-openssl10 packages fix security vulnerabilities

Paul Kehrer discovered that OpenSSL incorrectly handled certain input lengths in EVP functions. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service CVE-2021-23840. Tavis Ormandy discovered that OpenSSL incorrectly handled parsing issuer...

Updated libtpms packages fix security vulnerability

An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service crashing the TPM chip/process ...

Updated apache packages fix security vulnerability

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default...

Updated squid packages fix security vulnerabilities

Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using --with-openssl are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squ...

Updated microcode packages fix security vulnerabilities

This update adds initial microcode updates for AMD and Intel CPUs for the following security issues: AMD: A side channel vulnerability in some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled...

Updated ruby-rack packages fix security vulnerability

A denial of service vulnerability in the Range header parsing component of Rack = 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with...

Updated php-pear-CAS packages fix security vulnerability

This update fixes a vulnerability in this lib. For details see refererenced github advisory...

Updated kernel packages fix security vulnerabilities

This kernel update is based on upstream 5.15.58 and fixes at least the following security issues: Kernel lockdown bypass when UEFI secure boot is disabled / unavailable and IMA appraisal is enabled CVE-2022-21505. Aliases in the branch predictor may cause some AMD processors to predict the wrong...

Updated virtualbox packages fix security vulnerabilities

This update provides the upstream 6.1.36 maintenance release that fixes at least the following security vulnerabilities: A vulnerability in the Oracle VM VirtualBox prior to 6.1.36 contains an easily exploitable vulnerability that allows a high privileged attacker with logon to the infrastructure...

Updated nodejs packages fix security vulnerabilities

The nodejs package has been updated to the latest version in the 10.x branch, which is 10.22.1 at this time. It fixes several security issues and other bugs. See the upstream changelog and advisories for details...

Updated ruby-rack packages fix security vulnerability

A reliance on cookies without validation/integrity check security vulnerability exists in rack 2.2.3 that makes it is possible for an attacker to forge a secure or host-only cookie prefix CVE-2020-8184...

Updated wpa_supplicant packages fix security vulnerability

The implementations of SAE in hostapd before 2.10 and wpasupplicant before 2.10 are vulnerable to side channel attacks as a result of cache access patterns. NOTE: this issue exists because of an incomplete fix for CVE-2019-9494...

Updated kernel packages fix security vulnerabilities

This kernel update is based on upstream 5.15.117 and fixes atleast the following security issues: In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an invalid kfree because it does not validate MFT flags before replaying logs CVE-2022-48425. An out-of-bounds memory access flaw was found in...

Updated golang packages fix security vulnerability

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. CVE-2022-41723 Large handshake records may cause panics in crypto/tls. CVE-2022-41724 Denial of service from excessive...

Updated log4j packages fix security vulnerability

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map MDC input data when the logging configuration uses a non-default Pattern Layout with either a Context...

Updated jruby packages fix security vulnerabilities

Response Splitting attack in the HTTP server of WEBrick CVE-2017-17742. Delete directory using symlink when decompressing tar CVE-2019-8320. Escape sequence injection vulnerability in verbose CVE-2019-8321. Escape sequence injection vulnerability in gem owner CVE-2019-8322. Escape sequence...

Updated busybox packages fix a security vulnerability

Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file"...

Updated libxpm packages fix security vulnerability

libXpm incorrectly handled calling external helper binaries. If libXpm was being used by a setuid binary, a local attacker could possibly use this issue to escalate privileges. CVE-2022-4883 libXpm incorrectly handled certain XPM files. If a user or automated system were tricked into opening a...

Updated chromium-browser-stable packages fix security vulnerability

1325699 High CVE-2022-2603: Use after free in Omnibox. Reported by Anonymous on 2022-05-16 1335316 High CVE-2022-2604: Use after free in Safe Browsing. Reported by Nan Wang@eternalsakura13 and Guang Gong of 360 Alpha Lab on 2022-06-10 1338470 High CVE-2022-2605: Out of bounds read in Dawn. Report...

Updated kernel packages fix security vulnerabilities

This kernel update is based on upstream 5.15.43 and fixes at least the following security issues: A race condition in the perf subsystem allows for a local privilege escalation. NOTE: Mageia kernels by default has disabled the perf usage for unprivileged users, effectively rendering this...

Updated busybox packages fix security vulnerability

A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input. CVE-2021-42376 An attacker-controlled...

Updated dcmtk packages fix security vulnerability

Jinsheng Ba discovered that DCMTK incorrectly handled certain requests. If a user or an automated system were tricked into opening a certain specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. CVE-2021-41687, CVE-2021-41688, CVE-2021-41689,...

Updated virtualbox packages fix security vulnerability

Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. CVE-2023-21884 Unauthenticated attacker with network access via multiple protocols to compromise Oracle VM...

Updated libxml2 packages fix security vulnerabilities

The updated packages fix security vulnerabilities: Use-after-free in xmlEncodeEntitiesInternal in entities.c. CVE-2021-3516 Heap-based buffer overflow in xmlEncodeEntitiesInternal in entities.c. CVE-2021-3517 Use-after-free in xmlXIncludeDoProcess in xinclude.c. CVE-2021-3518 NULL pointer...

Updated kernel packages fix security vulnerabilities

This kernel update provides an update to the kernel 5.2 series, currently based on 5.2.7 adding support for newer hardware and other new features. It also fixes at least the following security issues: A Spectre SWAPGS gadget was found in the Linux kernel's implementation of system interrupts. An...

Updated sox packages fix security vulnerability

CVE-2019-13590: sox-fmt validation CVE-2021-3643 and CVE-2021-23210: voc validation CVE-2021-23159 and CVE-2021-23172: hcom validation CVE-2021-33844: wav validation CVE-2021-40426: sphere validation CVE-2022-31650: aiff validation CVE-2022-31651: reject implausible rate...

Updated docker packages fix security vulnerability

Server side request forgery CVE-2022-29153 Bypass primary group restrictions due to a flaw in the supplementary group access setup CVE-2022-36109 Imported Nodes/Services Information leak in moby-engine. CVE-2022-3920...

Updated struts packages fix CVE-2014-0114

Updated struts packages fix security vulnerability: It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running...

Virtualbox 6.0.6 fixes security vulnerabilities

This update provides an update to the new Virtualbox 6.0 branch, currently 6.0.6. It also fixes the following security issues. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox...

Updated jakarta-commons-httpclient and httpcomponents-client packages fix security vulnerability

Updated jakarta-commons-httpclient and httpcomponents-client packages fix security vulnerability: The Jakarta Commons HttpClient and Apache httpcomponents HttpClient components may be susceptible to a 'Man in the Middle Attack' due to a flaw in the default hostname verification during SSL/TLS whe...

Updated libssh2 packages fix a security vulnerability (Terrapin Attack)

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted from the extension negotiation message, and a client and server may consequently end up with a connecti...

Updated samba packages fix security vulnerability

There is a limited write heap buffer overflow in the GSSAPI unwrapdes and unwrapdes3 routines of Heimdal included in Samba. Some SMB1 write requests were not correctly range checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into...