Updated microcode packages fix security vulnerability
Updated microcode packages fix security vulnerability: Improper isolation of shared resources in some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access CVE-2022-21233, intel-sa-00657. For more info, see the referenced advisory and release...
Updated libgsasl packages fix security vulnerability
GNU SASL libgsasl server-side read-out-of-bounds with malicious authenticated GSS-API client. CVE-2022-2469...
Updated gnutls packages fix security vulnerability
A double free error occurs during verification of pkcs7 signatures in the gnutls_pkcs7_verify function. CVE-2022-2509...
Updated rsync packages fix security vulnerability
An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A...
Updated kernel-linus packages fix security vulnerabilities
This kernel update is based on upstream 5.15.62 and fixes at least the following security issues: A use-after-free flaw was found in the Linux kernel Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a...
Updated chromium-browser-stable packages fix security vulnerability
The chromium-browser-stable package has been updated to the 104.0.5112.101 branch, fixing many bugs and 11 CVEs. Google is aware that an exploit for CVE-2022-2856 exists in the wild. Some of the addressed CVEs are listed below: Critical CVE-2022-2852: Use after free in FedCM. High CVE-2022-2854: Us...
Updated teeworlds packages fix security vulnerability
Code execution via malicious map file CVE-2021-43518...
Updated libtirpc packages fix security vulnerability
It was discovered that libtirpc incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service CVE-2021-46828...
Updated webkit2 packages fix security vulnerability
The updated packages fix security vulnerabilities and other issues...
Updated apache-mod_wsgi packages fix security vulnerability
It was discovered that mod-wsgi did not correctly remove the X-Client-IP header when processing requests from untrusted proxies. A remote attacker could use this issue to pass the header to WSGI applications, contrary to expectations CVE-2022-2255...
Updated libxml2 packages fix security vulnerability
It was discovered that libxml2 incorrectly handled certain XML files. An attacker could possibly use this issue to execute arbitrary code CVE-2016-3709...
Updated wavpack packages fix security vulnerability
Null pointer dereference in wvunpack CVE-2022-2476...
Updated nvidia390 packages fix security vulnerabilities
Updated nvidia390 packages fix security vulnerabilities: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer nvidia.ko, where a local user with basic capabilities can cause improper input validation, which may lead to denial of service, escalation of privileges,...
Updated nvidia-current packages fix security vulnerabilities
Updated nvidia-current packages fix security vulnerabilities: NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer nvidia.ko, where a local user with basic capabilities can cause improper input validation, which may lead to denial of service, escalation of...
Updated python-django packages fix security vulnerability
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc and Extract database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected...
Updated ruby-sinatra packages fix security vulnerability
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files. CVE-2022-29970...
Updated golang packages fix security vulnerability
A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. CVE-2022-32189...
Updated libtiff packages fix security vulnerability
A stack overflow was discovered in the TIFFVGetField function of Tiffsplit CVE-2022-34526...
Updated poppler packages fix security vulnerability
A logic error in the Hints::Hints function of Poppler v22.03.0 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file. CVE-2022-27337...
Updated kernel packages fix security vulnerabilities
This kernel update is based on upstream 5.15.58 and fixes at least the following security issues: Kernel lockdown bypass when UEFI secure boot is disabled / unavailable and IMA appraisal is enabled CVE-2022-21505. Aliases in the branch predictor may cause some AMD processors to predict the wrong...
Updated kernel-linus packages fix security vulnerabilities
This kernel-linus update is based on upstream 5.15.58 and fixes at least the following security issues: Kernel lockdown bypass when UEFI secure boot is disabled / unavailable and IMA appraisal is enabled CVE-2022-21505. Aliases in the branch predictor may cause some AMD processors to predict the...
Updated sqlite3 packages fix security vulnerability
It was discovered that sqlite contained an assertion failure upon queries when compiled with -DSQLITE_ENABLE_STAT4 CVE-2022-35737...
Updated osmo packages fix security vulnerability
Phishing website URL removed from package spec file and replaced with new official site link...
Updated python-m2crypto packages fix security vulnerability
Bleichenbacher timing attacks in the RSA decryption API CVE-2020-25657...
Updated mingw-giflib packages fix security vulnerability
It was discovered that giflib 5.2.1 (including mingw-giflib, which has giflib 5.2.1 bundled) contained a heap-buffer-overflow in function DumpScreen2RGB CVE-2022-28506...
Updated chromium-browser-stable packages fix security vulnerability
1325699 High CVE-2022-2603: Use after free in Omnibox. Reported by Anonymous on 2022-05-16. 1335316 High CVE-2022-2604: Use after free in Safe Browsing. Reported by Nan Wang (@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-10. 1338470 High CVE-2022-2605: Out of bounds read in Dawn. Report...
Updated firefox packages fix security vulnerability
When visiting directory listings for chrome:// URLs as source text, some parameters were reflected CVE-2022-36318. When combining CSS properties for overflow and transform, the mouse cursor could interact with different coordinates than displayed CVE-2022-36319...
Updated webmin packages fix security vulnerability
The webmin package has been updated to version 1.998, fixing XSS issues in the HTTP Tunnel and Read Mail modules, along with several other bugs...
Updated gdk-pixbuf2.0 packages fix security vulnerability
It was discovered that gdk-pixbuf contained a buffer overwrite in io-gif-animation.c composite_frame exploitable using a crafted GIF CVE-2021-46829...
Updated python-ujson packages fix security vulnerability
Add support for arbitrary size integers. Replace 'wchar_t' string decoding implementation with a 'uint32_t'-based one; fix handling of surrogates on decoding CVE-2022-31116. Potential double free of buffer during string decoding. Fix memory leak on encoding errors when the buffer was resized...
Updated chromium-browser-stable packages fix security vulnerability
The chromium-browser-stable package has been updated to the 103.0.5060.134 branch, fixing many bugs and 11 CVEs. Some of them are listed below. Use after free in Guest View. CVE-2022-2477 Use after free in PDF. CVE-2022-2478 Insufficient validation of untrusted input in File. CVE-2022-2479 Use...
Updated logrotate packages fix security vulnerability
Improved coredump handling for SUID binaries. bsc#1192449...
Updated libtiff packages fix security vulnerability
Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. CVE-2022-2056, CVE-2022-2057, CVE-2022-2058...
Updated virtualbox packages fix security vulnerabilities
This update provides the upstream 6.1.36 maintenance release that fixes at least the following security vulnerabilities: A vulnerability in the Oracle VM VirtualBox prior to 6.1.36 contains an easily exploitable vulnerability that allows a high privileged attacker with logon to the infrastructure...
Updated kernel-linus packages fix security vulnerabilities
This kernel-linus update is based on upstream 5.15.55 and fixes at least the following security issues: There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges CVE-2022-2318. Xen Block and...
Updated kernel packages fix security vulnerabilities
This kernel update is based on upstream 5.15.55 and fixes at least the following security issues: There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges CVE-2022-2318. Xen Block and Networ...
Updated java packages fix security vulnerability
OpenJDK: Defective secure validation in Apache Santuario Libraries, 8278008 CVE-2022-21476 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions JAXP, 8270504 CVE-2022-21426 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler Libraries, 8277672...
Updated golang packages fix security vulnerability
net/http: improper sanitization of Transfer-Encoding header. The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to...
Updated python-cookiecutter packages fix security vulnerability
Command Injection via hg argument CVE-2022-24065...
Updated gerbv packages fix security vulnerability
An out-of-bounds write vulnerability exists in the drill format T-code tool number functionality of Gerbv 2.7.0, dev commit b5f1eacd, and the forked version of Gerbv commit 71493260. CVE-2021-40391 An out-of-bounds write vulnerability exists in the RS-274X aperture macro variables handling...
Updated pgadmin4 packages fix security vulnerability
A malicious, but authorised and authenticated user can construct an HTTP request using their existing CSRF token and session cookie to manually upload files to any location that the operating system user account under which pgAdmin is running has permission to write. CVE-2022-0959 In addition,...
Updated gnupg2 packages fix security vulnerability
GnuPG, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line. CVE-2022-34903...
Updated x11-server packages fix security vulnerabilities
Updated x11-server packages fix security vulnerabilities: ProcXkbSetGeometry Out-Of-Bounds Access. The handler for the ProcXkbSetGeometry request of the Xkb extension does not properly validate the request length leading to out of bounds memory write CVE-2022-2319. ProcXkbSetDeviceInfo...
Updated webkit2 packages fix security vulnerability
The webkit2 package has been updated to version 2.36.4, fixing several security issues and other bugs...
Updated openssl packages fix security vulnerability
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that were pre-existing in the memory that wasn't written. In the special case of "in place" encryption...
Updated curl packages fix security vulnerability
Set-Cookie denial of service. CVE-2022-32205 HTTP compression denial of service. CVE-2022-32206 Unpreserved file permissions. CVE-2022-32207 FTP-KRB bad message verification. CVE-2022-32208...
Updated firefox packages fix security vulnerability
If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution CVE-2022-2200. An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing...
Updated ruby-git packages fix security vulnerability
Command Injection via git argument injection CVE-2022-25648...
Updated squid packages fix security vulnerability
Denial of Service in Gopher Processing. CVE-2021-46784...
Updated thunderbird packages fix security vulnerability
A popup window could be resized in a way to overlay the address bar with web content. CVE-2022-34479 Use-after-free in nsSHistory. CVE-2022-34470 CSP sandbox header without allow-scripts can be bypassed via retargeted javascript: URI. CVE-2022-34468 An email with a mismatching OpenPGP signature...