CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

CVE-2023-6905

CVE-2023-6903

CVE-2023-6904

CVE-2023-3907

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue.

Expand Up

@@ -7,18 +7,18 @@ class TagManager

include RoutingHelper

  

def web\_domain?(domain)

domain.nil? || domain.delete('/').casecmp(Rails.configuration.x.web\_domain).zero?

domain.nil? || domain.delete\_suffix('/').casecmp(Rails.configuration.x.web\_domain).zero?

end

  

def local\_domain?(domain)

domain.nil? || domain.delete('/').casecmp(Rails.configuration.x.local\_domain).zero?

domain.nil? || domain.delete\_suffix('/').casecmp(Rails.configuration.x.local\_domain).zero?

end

  

def normalize\_domain(domain)

return if domain.nil?

  

uri \= Addressable::URI.new

uri.host \= domain.delete('/')

uri.host \= domain.delete\_suffix('/')

uri.normalized\_host

end

  

Expand Down

Headline

CVE-2023-42451: Merge pull request from GHSA-v3xf-c9qf-j667 · mastodon/mastodon@eeab356

CVE: Latest News