907431 matches found
DLA-3623-1 linux-5.10 - security update
Bulletin has no description...
DLA-3614-1 python3.7 - security update
Bulletin has no description...
CVE-2023-42795
Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling...
CVE-2023-5156
A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash...
ALSA-2023:5061 Moderate: dmidecode security update
The dmidecode packages provide utilities for extracting Intel 64 and Intel Itanium hardware information from the system BIOS or Extensible Firmware Interface EFI, depending on the SMBIOS/DMI standard. This information typically includes system manufacturer, model name, serial number, BIOS version...
RLSA-2023:3847 Moderate: kernel security, bug fix, and enhancement update
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fixes: kernel: tls: race condition in dotlsgetsockopt may lead to use-after-free or NULL pointer dereference CVE-2023-28466 For more details about the security issues, including the impact, a CVSS score...
CVE-2022-48565
An XML External Entity XXE issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities...
DLA-3524-1 linux - security update
Bulletin has no description...
ASB-A-283006437
In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way for an app to keep permissions that should be revoked due to incorrect permission flags cleared during an update. This could lead to local escalation of privilege with User execution privileges needed. User...
ALSA-2023:4378 Important: kernel-rt security and bug fix update
The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fixes: kernel: ipvlan: out-of-bounds write caused by unclear skb-cb CVE-2023-3090 kernel: clsflower: out-of-bounds write in flsetgeneveopt...
DLA-3512-1 linux-5.10 - security update
Bulletin has no description...
DLA-3500-1 python-django - security update
Bulletin has no description...
ALSA-2023:4202 Important: webkit2gtk3 security update
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fixes: webkitgtk: memory corruption issue leading to arbitrary code execution CVE-2023-32435 webkitgtk: type confusion issue leading to arbitrary code execution CVE-2023-32439 For more details about th...
DSA-5453-1 linux - security update
Bulletin has no description...
ALSA-2023:3922 Critical: go-toolset:rhel8 security update
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fixes: golang: cmd/go: go command may generate unexpected code at build time when using cgo CVE-2023-29402 golang: cmd/go: go command may execute arbitrary code at build time when...
ALSA-2023:3840 Moderate: sqlite security update
SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL databas...
CVE-2023-34241 CUPS vulnerable to use-after-free in cupsdAcceptClient()
OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to the logging service AFTER the connection has been closed, when it should have logged the data...
ALSA-2023:2458 Important: kernel security, bug fix, and enhancement update
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fixes: use-after-free in l2capconnect and l2capleconnectreq in net/bluetooth/l2capcore.c CVE-2022-42896 net/ulp: use-after-free in listening ULP sockets CVE-2023-0461 cpu: AMD CPUs may transiently execu...
DSA-5397-1 wpewebkit - security update
Bulletin has no description...
GHSA-5CX2-VQ3H-X52C Apache superset missing check for default SECRET_KEY
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRETKEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset...
DSA-5390-1 chromium - security update
Bulletin has no description...
ALSA-2023:1743 Important: nodejs:14 security, bug fix, and enhancement update
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The following packages have been upgraded to a later upstream version: nodejs 14.21.3. Security Fixes: decode-uri-component: improper input validation resulting i...
GO-2023-1704 Excessive memory allocation in net/http and net/textproto
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than requir...
GHSA-42C3-WVWW-GCQJ Pimcore Remote Code Execution vulnerability in Search function
Impact Attacker can get full DB and maybe RCE knowing the WEBROOT path Patches Update to version 10.5.19 or apply this patch manually https://github.com/pimcore/pimcore/commit/367b74488808d71ec3f66f4ca9e8df5217c2c8d2.patch Workarounds Apply patch...
CVE-2023-0464
A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of...
CVE-2023-25575 Secured properties in API Platform Core may be accessible within collections
API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the security option of the ApiPlatform\Metadata\ApiProperty attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON...
CVE-2023-23918
A privilege escalation vulnerability exists in Node.js 19.6.1, 18.14.1, 16.19.1 and 14.21.3 that made it possible to bypass the experimental Permissions https://nodejs.org/api/permissions.html feature in Node.js and access non authorized modules by using process.mainModule.require. This only...
ALSA-2023:0848 Moderate: php:8.0 security update
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The following packages have been upgraded to a later upstream version: php 8.0. BZ2161666 Security Fixes: XKCP: buffer overflow in the SHA-3 reference implementation CVE-2022-37454 php: standard insecure cookie...
ALSA-2023:0852 Moderate: httpd:2.4 security and bug fix update
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fixes: httpd: moddav: out-of-bounds read/write of zero byte CVE-2006-20001 httpd: modproxyajp: Possible request smuggling CVE-2022-36760 httpd: modproxy: HTTP response splitting...
GHSA-824J-WQM8-89MJ .NET Remote Code Execution Vulnerability
Microsoft Security Advisory CVE-2023-21808: .NET Remote Code Execution Vulnerability Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update thei...
GHSA-R4F8-F93X-5QH3 TYPO3 is vulnerable to Cross-Site Scripting via frontend rendering
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L/E:F/RL:O/RC:C 8.2 Problem TYPO3 core component GeneralUtility::getIndpEnv uses the unfiltered server environment variable PATHINFO, which allows attackers to inject malicious content. In combination with the TypoScript setting...
DSA-5345-1 chromium - security update
Bulletin has no description...
DLA-3298-1 ruby-rack - security update
Bulletin has no description...
DSA-5330-1 curl - security update
Bulletin has no description...
DLA-3282-1 git - security update
Bulletin has no description...
RLSA-2023:0339 Moderate: sqlite security update
SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL databas...
ALSA-2023:0328 Moderate: go-toolset and golang security and bug fix update
Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go programming language compiler. Security Fixes: golang: archive/tar: unbounded memory consumption when reading headers CVE-2022-2879 golang: net/http/httputi...
CVE-2023-22853
Tiki before 24.1, when featurecreatewebhelp is enabled, allows lib/structures/structlib.php PHP Object Injection because of an eval...
ALSA-2023:0101 Important: kernel security and bug fix update
The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fixes: kernel: memory corruption in AX88179178A based USB ethernet device. CVE-2022-2964 kernel: i915: Incorrect GPU TLB flush can lead to random memory access CVE-2022-4139 For more details about the...
ALSA-2023:0021 Important: webkit2gtk3 security update
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Security Fixes: webkitgtk: processing maliciously crafted web content may lead to an arbitrary code execution CVE-2022-42856 For more details about the security issues, including the impact, a CVSS score,...
CVE-2022-46173 Elrond go Processing: fallback search of SCRs when not found in the main cache
Elrond-GO is a go implementation for the Elrond Network protocol. Versions prior to 1.3.50 are subject to a processing issue where nodes are affected when trying to process a cross-shard relayed transaction with a smart contract deploy transaction data. The problem was a bad correlation between t...
CVE-2022-41881
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except...
GHSA-43FP-RHV2-5GV8 Certifi removing TrustCor root certificate
Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a...
GO-2022-1113 Server-side request forgery in github.com/oam-dev/kubevela
When using Helm Chart as the component delivery method, the request address of the warehouse is not restricted, and there is a blind SSRF vulnerability...
DLA-3228-1 node-json-schema - security update
Bulletin has no description...
GHSA-QQFF-4VW4-F6HX Cap'n Proto and its Rust implementation vulnerable to out-of-bounds read due to logic error handling list-of-list
The Cap'n Proto library and capnp Rust package are vulnerable to out-of-bounds read due to logic error handling list-of-list. If a message consumer expects data of type "list of pointers", and if the consumer performs certain specific actions on such data, then a message producer can cause the...
CVE-2022-36227
In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the...
DSA-5283-1 jackson-databind - security update
Bulletin has no description...
ALSA-2022:8418 Low: mingw-glib2 security and bug fix update
GLib provides the core application building blocks for libraries and applications written in C. It provides the core object system used in GNOME, the main loop implementation, and a large set of utility functions for strings and common data structures. Security Fixes: glib: gfilereplace with...
GHSA-VP35-85Q5-9F25 Container build can leak any path on the host into the container
Description Moby is the open source Linux container runtime and set of components used to build a variety of downstream container runtimes, including Docker CE, Mirantis Container Runtime formerly Docker EE, and Docker Desktop. Moby allows for building container images using a set of build...