A vulnerability in the key-based SSH authentication mechanism of Cisco Policy Suite could allow an unauthenticated, remote attacker to log in to an affected system as the root user. This vulnerability is due to the re-use of static SSH keys across installations. An attacker could exploit this vulnerability by extracting a key from a system under their control. A successful exploit could allow the attacker to log in to an affected system as the root user.

*   Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
    
    Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:  
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
    
    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
    
    The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.
    
    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
    
    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    
    **Customers Without Service Contracts**
    
    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
    
    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
    
    **Fixed Releases**
    
    Customers are advised to take appropriate actions as indicated in the following table:
    
    Cisco Policy Suite Software Release
    
    Vulnerability status
    
    Remediation action
    
    Earlier than 20.2.0
    
    Vulnerable
    
    Upgrade to 21.1.0.
    
    20.2.0
    
    Vulnerable
    
    Contact TAC to get a patch installed.
    
    21.1.0
    
    Vulnerable
    
    Change the default SSH keys.
    
    21.2.0 and later
    
    Not vulnerable
    
    See footnote 1
    
    1\. Releases 21.2.0 and later will automatically create new SSH keys during installation but not during an upgrade. If a device is upgraded from 21.1.0, the keys should still be changed by using the following procedure.
    
    **Change the Default SSH Keys**
    
    To generate new SSH keys and propagate them to all the machines in the deployment, follow these steps:
    
    **Step 1**
    
    To generate new keys, execute the following command on installer VM (Cluster Manager):
    
    > /var/qps/install/current/scripts/bin/support/manage\_sshkey.sh --create
    
    **Step 2**
    
    Update keys on CPS VMs and installer VM (Cluster Manager):
    
    > /var/qps/install/current/scripts/bin/support/manage\_sshkey.sh --update
    
    This procedure is documented in CPS Migration and Upgrade Guide, Release 21.1.0.
    
    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

CVE-2021-40119: Cisco Security Advisory: Cisco Policy Suite Static SSH Keys Vulnerability

Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.

*   Forge
*   Documentation
*   Get Support
*   Education
*   Events
*   Shop

BlogContact Sales

Try Puppet 

*   Why Puppet
*   Products
*   Services
*   Open Source
*   Resources
*   Partners
*   About Puppet by Perforce

*   Why Puppet
*   Products
*   Services
*   Open Source
*   Resources
*   Partners
*   About Puppet by Perforce
*   
*   Forge
*   Documentation
*   Get Support
*   Education
*   Events
*   Shop

Search Puppet.com

Puppet is the industry standard for IT automation.

Modernize, manage and bring your hybrid infrastructure into compliance through Puppet's powerful continuous automation.

*   Why Puppet 
*   Try Puppet 

**Guidebook**

*   What is Configuration Management
*   What is IT Compliance
*   What is IT Automation

**Use Cases**

*   Application delivery & operations
*   Continuous configuration automation
*   Continuous compliance
*   Continuous delivery
*   Patch management
*   Puppet for government
*   IT process automation & orchestration
*   Windows infrastructure automation

**Get Puppet Enterprise**

First 10 nodes are free!

*   Try it now 
*   Request a demo 

**Products**

*   Puppet Enterprise
*   Continuous Delivery for Puppet Enterprise
*   Puppet Comply

**Pricing & Packaging**

*   Pricing
*   Support services plans
*   Professional services

**Integrations**

*   Amazon Web Services
*   Google Cloud Platform
*   Hashicorp
*   PowerShell DSC
*   Windows Azure
*   ServiceNow
*   Splunk
*   VMware
*   All integrations

**Puppet Education**

Puppet Education is your learning portal for tools and best practices to address common business challenges.

*   Puppet Education 

**Professional services**

*   Start automating
*   Accelerate delivery
*   Integrate your toolchain
*   Harden infrastructure
*   Partner for success
*   Scale DevOps
*   All professional services

**Support**

*   Puppet support
*   Technical support packages
*   Technical account management

**Custom consulting services**

Get up and running quickly with a custom solution that addresses your unique business goals and easily allows for growth as your needs evolve.

*   Learn more 

**Puppet Forge**

Find thousands of component modules built by the community and guidance on using them in your own infrastructure.

*   Visit Puppet Forge 

**Ecosystem**

*   Puppet developer experience
*   Trusted contributors
*   GitHub
*   Vox Pupuli

**Open Source Projects**

*   Open source Puppet
*   Bolt
*   All open source projects
*   Compare our enterprise products

**Community**

*   Community
*   Puppet Champions
*   Puppet Test Pilots
*   Community calendar
*   Community Slack
*   Pulling the Strings Podcast
*   Puppet and Perforce Community FAQ

**Contribute**

*   Contribute written content
*   Contribute to open source projects
*   Puppet Idea Portal

**State of DevOps Report**

Since launching our first DevOps survey in 2012, we’ve learned a lot about the power of DevOps to transform organizations.

*   State of DevOps retrospective
*   Scaling DevOps

*   Get the 2021 State of DevOps Report 

**Product Documentation**

*   Puppet Enterprise
*   Continuous Delivery for Puppet Enterprise
*   Puppet Comply
*   Puppet Remediate
*   All documentation

**Resource library**

*   Blog
*   Ebooks
*   Reports
*   Solution briefs
*   Videos
*   Webinars
*   White papers

**Customers**

*   Our customers
*   Customer videos
*   Customer stories

**Partners**

*   Technology partners
*   Channel partners
*   Solution providers
*   Become a partner
*   Partner Portal login

**Featured Partners**

**About Us**

Puppet automates your infrastructure so you can innovate. We find, fix, and predict in order to prevent surprises and maintain your desired state.

**Puppet by Perforce**

*   Mission
*   Diversity, equity & inclusion
*   Contact Us

**Working at Puppet by Perforce**

*   Open positions

**Press & news**

*   Press room
*   Press releases
*   News mentions

**Events**

It's our community that makes Puppet great. Connect with Puppet users and employees.

*   Watch On Demand: Puppetize Digital 2021
*   All events

*   **Posted 2022-10-03**
*   **Assessed Risk Level: High**
*   **CVSS 3.1 Base Score: 8.4**

Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.

**Status:**

**Affected software versions:**

*   Puppetlabs-mysql Module <13.0.0

**Resolved in:**

*   Puppetlabs-mysql Module 13.0.0

CVE-2022-3276: CVE-2022-3276 - Puppetlabs-mysql Command Injection

Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.

*   Forge
*   Documentation
*   Get Support
*   Education
*   Events
*   Shop

BlogContact Sales

Try Puppet 

*   Why Puppet
*   Products
*   Services
*   Open Source
*   Resources
*   Partners
*   About Puppet by Perforce

*   Why Puppet
*   Products
*   Services
*   Open Source
*   Resources
*   Partners
*   About Puppet by Perforce
*   
*   Forge
*   Documentation
*   Get Support
*   Education
*   Events
*   Shop

Search Puppet.com

Puppet is the industry standard for IT automation.

Modernize, manage and bring your hybrid infrastructure into compliance through Puppet's powerful continuous automation.

*   Why Puppet 
*   Try Puppet 

**Guidebook**

*   What is Configuration Management
*   What is IT Compliance
*   What is IT Automation

**Use Cases**

*   Application delivery & operations
*   Continuous configuration automation
*   Continuous compliance
*   Continuous delivery
*   Patch management
*   Puppet for government
*   IT process automation & orchestration
*   Windows infrastructure automation

**Get Puppet Enterprise**

First 10 nodes are free!

*   Try it now 
*   Request a demo 

**Products**

*   Puppet Enterprise
*   Continuous Delivery for Puppet Enterprise
*   Puppet Comply

**Pricing & Packaging**

*   Pricing
*   Support services plans
*   Professional services

**Integrations**

*   Amazon Web Services
*   Google Cloud Platform
*   Hashicorp
*   PowerShell DSC
*   Windows Azure
*   ServiceNow
*   Splunk
*   VMware
*   All integrations

**Puppet Education**

Puppet Education is your learning portal for tools and best practices to address common business challenges.

*   Puppet Education 

**Professional services**

*   Start automating
*   Accelerate delivery
*   Integrate your toolchain
*   Harden infrastructure
*   Partner for success
*   Scale DevOps
*   All professional services

**Support**

*   Puppet support
*   Technical support packages
*   Technical account management

**Custom consulting services**

Get up and running quickly with a custom solution that addresses your unique business goals and easily allows for growth as your needs evolve.

*   Learn more 

**Puppet Forge**

Find thousands of component modules built by the community and guidance on using them in your own infrastructure.

*   Visit Puppet Forge 

**Ecosystem**

*   Puppet developer experience
*   Trusted contributors
*   GitHub
*   Vox Pupuli

**Open Source Projects**

*   Open source Puppet
*   Bolt
*   All open source projects
*   Compare our enterprise products

**Community**

*   Community
*   Puppet Champions
*   Puppet Test Pilots
*   Community calendar
*   Community Slack
*   Pulling the Strings Podcast
*   Puppet and Perforce Community FAQ

**Contribute**

*   Contribute written content
*   Contribute to open source projects
*   Puppet Idea Portal

**State of DevOps Report**

Since launching our first DevOps survey in 2012, we’ve learned a lot about the power of DevOps to transform organizations.

*   State of DevOps retrospective
*   Scaling DevOps

*   Get the 2021 State of DevOps Report 

**Product Documentation**

*   Puppet Enterprise
*   Continuous Delivery for Puppet Enterprise
*   Puppet Comply
*   Puppet Remediate
*   All documentation

**Resource library**

*   Blog
*   Ebooks
*   Reports
*   Solution briefs
*   Videos
*   Webinars
*   White papers

**Customers**

*   Our customers
*   Customer videos
*   Customer stories

**Partners**

*   Technology partners
*   Channel partners
*   Solution providers
*   Become a partner
*   Partner Portal login

**Featured Partners**

**About Us**

Puppet automates your infrastructure so you can innovate. We find, fix, and predict in order to prevent surprises and maintain your desired state.

**Puppet by Perforce**

*   Mission
*   Diversity, equity & inclusion
*   Contact Us

**Working at Puppet by Perforce**

*   Open positions

**Press & news**

*   Press room
*   Press releases
*   News mentions

**Events**

It's our community that makes Puppet great. Connect with Puppet users and employees.

*   Watch On Demand: Puppetize Digital 2021
*   All events

*   **Posted 2022-10-03**
*   **Assessed Risk Level: High**
*   **CVSS 3.1 Base Score: 8.4**

Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.

**Status:**

**Affected software versions:**

*   Puppetlabs-apt module <9.0.0

**Resolved in:**

*   Puppetlabs-apt module 9.0.0

CVE-2022-3275: CVE-2022-3275 - Puppetlabs-apt Command Injection

Six payouts issued for bugs uncovered in Theia, Vertex AI, Compute Engine, and Cloud Workstations

Six payouts issued for bugs uncovered in Theia, Vertex AI, Compute Engine, and Cloud Workstations

Vulnerabilities in four Google Cloud Platform (GCP) projects have earned a pair of security researchers more than $22,000 in bug bounties.

The most lucrative project for hacker duo Sreeram KL and Sivanesh Ashok was machine learning training and deployment platform Vertex AI, which netted them a pair of $5,000 payouts for a server-side request forgery (SSRF) bug and subsequent patch bypass.

Documented in a blog post by Sreeram, the flaw resided in Vertex AI’s workbench feature, which enables the creation of Jupyter notebook-based development environments on the cloud.

By abusing the SSRF vulnerability and duping victims into clicking a malicious URL, attackers could potentially seize control of an authorization token and thereafter all of the victim’s GCP projects, as demonstrated in the video below.

  
**SSRF bug**

When the researchers found a URL that seemed to offer scope for SSRF, “requesting the original URL resulted in a response that looked like the output of an authenticated request sent to compute.googleapis.com,” said Sreeram. “From previous experience, I know these endpoints use the authorization header for credentials.”

Fuzzing surfaced a URL – https://{INSTANCE-ID}-dot-us-central1.notebooks.googleusercontent.com/aipn/v2/proxy/{attacker.com}/compute.googleapis.com/ – that bypassed this check, said Sreeram. “Furthermore, the vulnerable endpoint was a request with no CSRF protection (pretty common),” said Sreeram.

YOU MIGHT ALSO LIKE US government announces third Hack The Pentagon challenge

As for finding attack targets, a victim’s subdomain is readily ascertained because subdomains are leaked to several third-party domains, such as github.com, “via referer in the general application flow”.

Google addressed the issue by adding cross-site request forgery (CSRF) protection to the endpoints and improving verification of the domain.

**Patch bypass**

After the fix was rolled out, however, Sreeram and Ashok noticed that changing compute.googleapis.com to something.google.com failed to trigger an error as it had previously.

Circumventing the fix therefore needed an open redirection in \*.google.com, they surmised.

With JavaScript-based redirections not an option – since the server didn’t parse the language – they turned to Google web feed management service FeedBurner. The researchers found that when the user deactivates the proxy, the service will redirect URLs to their domain rather than proxying their RSS feed.

The exploit concluded with a CSRF bypass that leveraged a technique developed in 2020 by ‘@s1r1us’ targeting Jupyter Lab.

The second fix involved ending support for \*.google.com as a proxy URL.

“While finding this issue, we gained insight into the workings of managed GCP products, which helped us find other bugs in GCP,” Sreeram told The Daily Swig.

  
**Theia, Compute Engine, Workstations bugs**

This included exploiting the workbench feature again in Theia, the integrated development environment (IDE) Google uses in Cloud Shell, as disclosed in a separate blog post published by Sreeram.

Because user-managed instances used the project’s default compute engine service account, the research duo were able to compromise the entire project by exploiting a known XSS vulnerability (CVE-2021-41038) to fetch the service account token from the metadata server. This earned the pair a further $3133.70 bounty.

Catch up with the latest bug bounty news

The first security flaw they found in GCP, as documented by Ashok, was an SSH key injection issue in Google Cloud’s Compute Engine.

Generating a $5,000 windfall with a $1,000 bounty bonus, the vulnerability resided in the SSH-in-browser function and could lead to remote code execution (RCE) in a victim’s Compute Engine instance (as demonstrated in the proof-of-concept video above).

The researchers also earned a further $3,133.70 for an authorization bypass in Cloud Workstations, which provides fully managed development environments for security-sensitive enterprises. Ashok outlined this find in a fourth blog post.

The pair earned a total of $22,267 from six separate bug bounty payouts.

The Daily Swig has invited Google to comment on these vulnerabilities but no response yet. We’ll update the article should that change.

DON’T FORGET TO READ Squaring the CircleCI: DevOps platform publishes post-mortem on recent breach

Google pays hacker duo $22k in bug bounties for flaws in multiple cloud projects

Have you been scammed online? Here are some tips to limit the damage and follow up steps you may find useful

Unfortunately, people getting scammed online is a frequent event. Scammers are getting better at social engineering and are using Artificial Intelligence (AI) to sound more authentic and eliminate any spelling errors.

It really can happen to anyone, so there’s no need to feel embarrassed if you have been scammed. Importantly, acting quickly can limit the damage. So here are some things you can do if you’ve been scammed.

**1\. Stop all communication immediately**

Cut off contact with the scammer. Don’t reply to messages or calls, as this can prevent further manipulation or requests for even more money or information.

**2\. Secure your accounts**

Change the passwords on all your online accounts, especially financial and email accounts. Use strong, unique passwords and enable multi-factor authentication (MFA) wherever possible. Start with the ones the scammer may have gained access to, but don’t stop there and check all your important accounts as well.

**3\. Monitor your financial statements**

Check your bank, credit card, and payment service accounts for unauthorized transactions. Report suspicious activity to your banks and credit card company immediately to freeze or reverse fraudulent charges. Let them know what went down and find out how they can help you.

It’s really important that you don’t click on sponsored search results when searching for help with resolving a scam. This kind of topic is seen by scammers as a perfect opportunity to scam you even more and they are known to outbid the rightful owners of certain brands. If you’re using a search engine, type the domain name yourself or scroll down to the regular search results.

**5\. Place fraud alerts and check credit reports**

Contact credit bureaus to place fraud alerts on your file. This warns lenders to verify your identity before opening new accounts. Regularly review your credit reports for unfamiliar activity. If this is an option where you live, add a security freeze, more commonly called a credit freeze, to all of your credit reports for free.

*   In the US, for a credit freeze contact Experian, Equifax, and TransUnion.
*   In Canada, for credit monitoring and alerts contact Equifax Canada and TransUnion Canada.
*   In the UK, for credit reports and monitoring contact Experian, Equifax, and TransUnion UK.

**6\. Try to recover your lost funds**

Sadly, recovering your lost funds will not always be possible. However, you may have some options:

*   If you paid the scammer by credit card, request a chargeback through your card provider.
*   If you paid via bank transfer or wire, contact your bank immediately since they may be able to initiate a recall in some cases.
*   If you sent the money via payment apps (e.g. PayPal, Venmo, Cash App), contact the provider to inquire about recovery options.

Never fall for people that claim they can recover payments in cryptocurrencies. These are known as recovery scams.

**7\. Gather evidence**

Keep all records related to the scam: emails, texts, receipts, screenshots, and any communication details. This documentation supports investigations and helps law enforcement track scammers.

**8\. Scan your device**

If you clicked any links or downloaded something during the course of the scam, make sure to scan your device with an antimalware solution. The scammer could have planted something for later use.

**9\. Report the scam**

Reporting is crucial. It helps authorities track criminal patterns and may assist in recovering lost funds. Report to the appropriate national agencies, local police, and the platform where the scam occurred. For more details, see our article on how to report online scams.

**10\. Set up ongoing protection**

Firstly, make sure to protect your device with a security solution like Malwarebytes Premium. Then, protect yourself in the browser using our free Browser Guard. Finally, if you want to check if something is a scam, Scam Guard—our new feature in Malwarebytes Mobile Security—allows you to upload a text, email, or DM to find out if it’s legit or a scam.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Been scammed online? Here&#8217;s what to do 

Improper access control in the firmware for some Intel(R) E810 Ethernet Controllers before version 1.6.2.9 may allow a privileged user to potentially enable denial of service via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Ethernet Controllers and Adapters Advisory**

**Summary: **

Potential security vulnerabilities in some Intel® Ethernet Controllers and Adapters may allow denial of service.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2021-33126

Description: Improper access control in the firmware for some Intel(R) 700 and 722 Series Ethernet Controllers and Adapters before versions 8.5 and 1.5.5 may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 5.1 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

CVEID: CVE-2021-33128

Description: Improper access control in the firmware for some Intel(R) E810 Ethernet Controllers before version 1.6.0.6 may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 5.1 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 

CVEID: CVE-2022-28709

Description: Improper access control in the firmware for some Intel(R) E810 Ethernet Controllers before version 1.6.1.9 may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 4.1 Medium

CVSS Vector:  CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

**Affected Products:**

Intel® 700 Series Ethernet Controllers and Adapters before version 8.5.

*   Firmware version, as reported by the device, corresponding to the release numbers above are:  
    
*   Software Release Version 26.6: Device reports 8.5, NVM version 8.50.

Intel® 722 Series Ethernet Controllers and Adapters before version 1.5.5.

*   Firmware version, as reported by the device, corresponding to the release numbers above are:
    *   Software Release Version 26.6: Device reports 1.5.5, NVM version 5.50.

Intel® E810 Ethernet Controllers and Adapters before version 1.6.0.6.

*   Firmware versions, as reported by the device, corresponding to the release numbers above are:
    *   Software Release version 26.4: Device Reports 1.6.0.6., NVM version 3.0.

Intel® E810 Ethernet Controllers and Adapters before version1.6.1.9

*   Firmware versions, as reported by the device, corresponding to the release numbers above are:
    *   Software Release Version 26.8: Device reports 1.6.1.9, NVM version 3.10.

**Recommendations:**

Intel recommends updating the firmware for impacted Intel® Ethernet Controllers and Adapters to the versions provided below or later.

*   Intel® 700 Series Ethernet Controllers and Adapters before version 8.5.
*   Intel® 722 Series Ethernet Controllers and Adapters before version 1.5.5.
*   Intel® E810 Ethernet Controllers and Adapters before version 1.6.1.9

Updates are available for download at this location:

https://downloadcenter.intel.com/product/36773/Ethernet-Products

**Acknowledgements:**

The following issues were found internally by Intel employees.  Intel would like to thank Dmitry Shvarts and Dmitry Tsimbler. 

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

1.1

08/18/2022

Updated versions for:

CVE-2021-33128, CVE-2022-28709.

Affected products section.

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-28709: INTEL-SA-00593

Red Hat Security Advisory 2023-4053-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.45. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.11.45 bug fix and security update  
Advisory ID:       RHSA-2023:4053-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4053  
Issue date:        2023-07-19  
CVE Names:         CVE-2019-17594 CVE-2019-17595 CVE-2019-18218   
                   CVE-2019-20838 CVE-2020-14155 CVE-2020-24370   
                   CVE-2020-35525 CVE-2020-35527 CVE-2021-3580   
                   CVE-2021-3634 CVE-2021-20231 CVE-2021-20232   
                   CVE-2021-23177 CVE-2021-31566 CVE-2021-36084   
                   CVE-2021-36085 CVE-2021-36086 CVE-2021-36087   
                   CVE-2021-40528 CVE-2022-1271 CVE-2022-1586   
                   CVE-2022-1785 CVE-2022-1897 CVE-2022-1927   
                   CVE-2022-4304 CVE-2022-4450 CVE-2022-21235   
                   CVE-2022-24407 CVE-2022-29824 CVE-2022-34903   
                   CVE-2022-37434 CVE-2022-38177 CVE-2022-38178   
                   CVE-2022-40674 CVE-2022-42010 CVE-2022-42011   
                   CVE-2022-42012 CVE-2022-42898 CVE-2022-47629   
                   CVE-2023-0215 CVE-2023-0361 CVE-2023-1281   
                   CVE-2023-24329 CVE-2023-32233   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.11.45 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.11.

Red Hat Product Security has rated this update as having a security impact  
of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.11.45. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHBA-2023:4052

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Security Fix(es):

* github.com/Masterminds/vcs: Command Injection via argument injection  
(CVE-2022-21235)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are

(For x86_64 architecture)  
The image digest is  
sha256:c6771b12bd873c0e3e5fbc7afa600d92079de6534dcb52f09cb1d22ee49608a9

(For s390x architecture)  
The image digest is  
sha256:622b5361f95d1d512ea84f363ac06155cbb9ee28e85ccaae1acd80b98b660fa8

(For ppc64le architecture)  
The image digest is  
sha256:50c131cf85dfb00f258af350a46b85eff8fb8084d3e1617520cd69b59caeaff7

(For aarch64 architecture)  
The image digest is  
sha256:9e575c4ece9caaf31acbef246ccad71959cd5bf634e7cb284b0849ddfa205ad7

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2215317 - CVE-2022-21235 github.com/Masterminds/vcs: Command Injection via argument injection

5. JIRA issues fixed (https://issues.redhat.com/):

OCPBUGS-15446 - (release-4.11) gather "gateway-mode-config" config map from "openshift-network-operator" namespace  
OCPBUGS-15532 - visiting Configurations page returns error Cannot read properties of undefined (reading 'apiGroup')  
OCPBUGS-15645 - Can't use git lfs in BuildConfig git source with strategy Docker  
OCPBUGS-15739 - Environment cannot find Python  
OCPBUGS-15758 - [release-4.11] Bump Jenkins and Jenkins Agent Base image versions  
OCPBUGS-15942 - 9% of OKD tests failing on error: tag latest failed: Internal error occurred: registry.centos.org/dotnet/dotnet-31-centos7:latest: Get "https://registry.centos.org/v2/": dial tcp: lookup registry.centos.org on 172.30.0.10:53: no such host  
OCPBUGS-15966 - [4.12] MetalLB contains incorrect data Correct and incorrect MetalLB resources coexist should have correct statuses

6. References:

https://access.redhat.com/security/cve/CVE-2019-17594  
https://access.redhat.com/security/cve/CVE-2019-17595  
https://access.redhat.com/security/cve/CVE-2019-18218  
https://access.redhat.com/security/cve/CVE-2019-20838  
https://access.redhat.com/security/cve/CVE-2020-14155  
https://access.redhat.com/security/cve/CVE-2020-24370  
https://access.redhat.com/security/cve/CVE-2020-35525  
https://access.redhat.com/security/cve/CVE-2020-35527  
https://access.redhat.com/security/cve/CVE-2021-3580  
https://access.redhat.com/security/cve/CVE-2021-3634  
https://access.redhat.com/security/cve/CVE-2021-20231  
https://access.redhat.com/security/cve/CVE-2021-20232  
https://access.redhat.com/security/cve/CVE-2021-23177  
https://access.redhat.com/security/cve/CVE-2021-31566  
https://access.redhat.com/security/cve/CVE-2021-36084  
https://access.redhat.com/security/cve/CVE-2021-36085  
https://access.redhat.com/security/cve/CVE-2021-36086  
https://access.redhat.com/security/cve/CVE-2021-36087  
https://access.redhat.com/security/cve/CVE-2021-40528  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1785  
https://access.redhat.com/security/cve/CVE-2022-1897  
https://access.redhat.com/security/cve/CVE-2022-1927  
https://access.redhat.com/security/cve/CVE-2022-4304  
https://access.redhat.com/security/cve/CVE-2022-4450  
https://access.redhat.com/security/cve/CVE-2022-21235  
https://access.redhat.com/security/cve/CVE-2022-24407  
https://access.redhat.com/security/cve/CVE-2022-29824  
https://access.redhat.com/security/cve/CVE-2022-34903  
https://access.redhat.com/security/cve/CVE-2022-37434  
https://access.redhat.com/security/cve/CVE-2022-38177  
https://access.redhat.com/security/cve/CVE-2022-38178  
https://access.redhat.com/security/cve/CVE-2022-40674  
https://access.redhat.com/security/cve/CVE-2022-42010  
https://access.redhat.com/security/cve/CVE-2022-42011  
https://access.redhat.com/security/cve/CVE-2022-42012  
https://access.redhat.com/security/cve/CVE-2022-42898  
https://access.redhat.com/security/cve/CVE-2022-47629  
https://access.redhat.com/security/cve/CVE-2023-0215  
https://access.redhat.com/security/cve/CVE-2023-0361  
https://access.redhat.com/security/cve/CVE-2023-1281  
https://access.redhat.com/security/cve/CVE-2023-24329  
https://access.redhat.com/security/cve/CVE-2023-32233  
https://access.redhat.com/security/updates/classification/#important  
https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkt2rsAAoJENzjgjWX9erEDZUP/34f/AgUOiiVZ6B7LrKb8xYN  
sEAom2h8cUMUzX2LLY0N/Wfa/Zhq555tRHaitThG/vJN5ETrPFu7gWoizisFLHWl  
ovCf5sDkSX0WAhVywcdJIxLOge9Mt719HJk+zX5edhHMQMrmfZ7YVR55DAODnwuX  
2nj6DR2XixfK1INosMoZm/xtZg+e6v9fzMY6oTCeAufyaim3YAbZwi3Kmdj0ye4s  
/y6ooyaZIzTzNTRhTwYsIGrHBZwr1NUt8RnVxX4XMID1HWHf3gAcEy1dez9QnSIp  
BFzEweZS51cpA0Dn1/AQrK7F+NYLFhdZNlPCDJj+DRSHwDbb0CgcDrFk0otufkYy  
fNOumjMCTj+IdLQpiLSPXRjN1krbg1FdlqlBKRBNgXMYAicticrMMm9jGcggmbOE  
N84ANhaamgzw+IElEByihieVO/81alQYZP9TjT8Wfu+CSGvHUP4DnCLvJYCuRaeg  
oIc8ItWfzoVBMVizzOK8Dei5Bvg8ZrVG7ePAyQP0gtYlAJQ/pE5BLEhJXSLlvyGb  
0Wd/Sj0djLTn8ADV8TvA7NfwyxbU8ce3IhuS7zvtGqpFRWb0kYoYh+16Onmhq5iw  
X/Jd9JqAWknGjZfy3OHa8kFgVnq5qqNmI3wGBRKs4gUOoxrceUXMFR3YbUxuU9Lp  
129R2QWY1i5pRtAPA1gV  
=OZCr  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4053-01

Typemill v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the upload function. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

![@b1ackc4t](https://avatars.githubusercontent.com/u/53211324?s=88&u=d7eb1f1ff20efc09c1519f115d3d3502e3caf01f&v=4)

![@trendschau](https://avatars.githubusercontent.com/u/2714547?s=88&u=1078f54ba1970fade875b5f9a482159f17c8836c&v=4)

thank you for reporting, the upload-feature is for registered users only.

I will fix that asap and upload a hotfix version.

![@trendschau](https://avatars.githubusercontent.com/u/2714547?s=88&u=1078f54ba1970fade875b5f9a482159f17c8836c&v=4)

just published the hotfix 1.5.3.1. I added a separate extension check and repeated the mimetype check when the file is uploaded to the temporary folder. If mimetype fails there, then the file is deleted immediately. Also updated the htaccess.

Vulnerability reported in #268 is still fixed.

The reason behind this security whole: Some environments did not support the mimetype extraction of a base64 string, so as a quick fix I made it conditiionally and this opened up for this vulnerability. Now solved properly be checking the mimetype of the stored file which works in all environments.

Thank you for reporting again!

![@MeteoLukas](https://avatars.githubusercontent.com/u/56596733?s=88&u=d1048d53bbf071d85ff560c8c90e9315472774f4&v=4)

Hi @trendschau  
I'm new to Typemill, successfully installed Version 1.5.3.1 yesterday but found an issue with file upload. Folders and files have the appropriate permission and I can upload a picture with a FTP client to /media/... but not using the "image upload" button in the editor view. The image does not upload fully, meaning that the "loading" GIF below the uploaded image does not stop rotating waiting a few minutes. Similarly, for file upload, the file does not upload.  
Since this might be related to this fix, I thought about leaving a comment here. Thanks for checking, I hope that it's not related to my infrastructure...

![@trendschau](https://avatars.githubusercontent.com/u/2714547?s=88&u=1078f54ba1970fade875b5f9a482159f17c8836c&v=4)

I cannot reproduce that error. Can you please open your developer tools in the browser, upload an image or file again and check the errors in the dev-tools? You should see something in the tabs "console" and/or "network".

![@MeteoLukas](https://avatars.githubusercontent.com/u/56596733?s=88&u=d1048d53bbf071d85ff560c8c90e9315472774f4&v=4)

Thanks for your quick response, here the error:  
![wikifehler](https://user-images.githubusercontent.com/56596733/160829620-c37dbb6f-9621-4f0e-9075-10d586cc329d.png)  
Update: I installed Typemill on a different host and it works there. Might be a different configuration? they are both running PHP 8.0

![@trendschau](https://avatars.githubusercontent.com/u/2714547?s=88&u=1078f54ba1970fade875b5f9a482159f17c8836c&v=4)

Can you click on "network" and then inspect the call to api/v1/image? Just click on the call and then open the tab "response" and please post the content of the response, there should be a detailed error message. Before you do that, please go to the settings in the admin area, scroll down to developer settings and activate the checkbox for report errors so that all error details are visible.

![@MeteoLukas](https://avatars.githubusercontent.com/u/56596733?s=88&u=d1048d53bbf071d85ff560c8c90e9315472774f4&v=4)

Thanks @trendschau for the hint. I found the error:  
I got "Access denied by security policy" coming from the WAF (mod security). Allowing the image upload process, I'm now able to upload images.  
In case this helps others: I'm using Hoststar and in the settings -> Hosting -> ModSecurity you can allow processes that recently failed...

CVE-2022-28053: V1.5.3: Unrestricted File Upload Vulnerability · Issue #325 · typemill/typemill

Insertion of information into log file in firmware for some Intel(R) SSD DC may allow a privileged user to potentially enable information disclosure via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® SSD DC Firmware Advisory**

**Summary: **

A potential security vulnerability in some Intel® Solid State Drive (SSD) Data Center (DC) products may allow information disclosure.  Intel is releasing firmware updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2021-0148

Description: Insertion of information into log file in firmware for some Intel(R) SSD DC may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 7.9 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

**Affected Products:**

Intel® SSD DC D4512 before version ET10.

Intel® P4510 series (U.2) before version VDV10182.

Intel® P4510 series (EDSFF) before version VDV10284.

Intel® P4511 series (EDSFF) before version VDV10284.

Intel® P4511 series (M.2) before version VDV10384.

Intel® P4610 series (U.2) before version VDV10182.

Intel® P4618 series before version VDV10182.

Intel® SSD D3-S4510 Series (SFF, M.2) before version XCV10140.

Intel SSD D7-P5608 Series before version 2CV1R106.

Intel SSD D7-P5500 Series before versions 1.2.0, 2CV1C030, 2CV1R106 and 2CV1L029.

Intel SSD D7-P5600 Series before versions 1.2.0, 2CV1L029 and 2CV1C030.

Intel SSD D5-P4320 Series all versions.

Intel SSD D5-P4420 Series all versions.

Intel SSD D5-P4326 Series all versions.

Intel SSD DC P4500 Series all versions.

Intel SSD DC P4501 Series all versions.

Intel SSD DC P4600 Series all versions.

Intel SSD DC P4608 Series all versions.

**Recommendations:**

Intel recommends that users of Intel® SSD DC products update to the latest version provided by the system manufacturer that addresses this issue.

For generic firmware updates, download the Intel® Memory and Storage (IMAS) Tool Intel® Memory and Storage Tool CLI (Command-Line Interface)

Product Family

Mitigated Version or higher

Intel® SSD DC D4512

ET10

Intel® SSD DC P4510 Series (U.2)

VDV10182

Intel® SSD DC P4618 Series

VDV10182

Intel® SSD DC P4610 Series

VDV10182

Intel® SSD DC P4510 Series (EDSFF)

VDV10284

Intel® SSD DC P4511 Series (EDSFF)

VDV10284

Intel® SSD DC P4511 Series (M.2)

VDV10384

Intel SSD D5-P4320 Series

See workaround for non-Opal products below.

Intel SSD D5-P4420 Series

Intel SSD D5-P4326 Series

Intel® SSD DC P4500 Series

See workaround for non-Opal products below.

Intel® SSD DC P4600 Series

Intel® SSD DC P4501 Series

Intel® SSD DC P4608 Series

Intel® SSD DC S4510 Series (SFF)

XCV10140

Intel® SSD DC S4610 Series (M.2)

XC311140

Intel® SSD DC S4610 Series (SFF)

XCV10140

Intel® SSD DC S4610 Series (M.2)

XC311140

Intel SSD D7-P5608 Series

2CV1R106

Intel SSD D7-P5500 Series

1.1.5, 2CV1C030, 2CV1R106, 2CV1L029

Intel SSD D7-P5600 Series

1.1.5, 2CV1L029, 2CV1C030

For Non-Opal products, a workaround for this issue is to use the Block Erase capability supported by the device in one of the following ways:

1.  For affected NVMe devices, the Format NVM command can be used with Secure Erase Settings set to User Data Erase (001b).
2.  For affected NVMe devices that support the Sanitize command, the Sanitize command can be used with Sanitize Action (SANACT) set to either "Start a Block Erase sanitize operation" (010b) or "Start an Overwrite sanitize operation" (011b).
3.  For affected SATA devices, the BLOCK ERASE EXT or OVERWRITE EXT commands can be used.

**Acknowledgements:**

The following issue was found internally by Intel employees.  Intel would like to thank Ciprian Elies.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.  

**Revision History**

Revision

Date

Description

1.0

11/09/2021

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2020

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-0148: INTEL-SA-00535

Debian Linux Security Advisory 5413-1 - An issue has been found in sniproxy, a transparent TLS and HTTP layer 4 proxy with SNI support. Due to bad handling of wildcard backend hosts, a crafted HTTP or TLS packet might lead to remote arbitrary code execution.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5413-1                   security@debian.orghttps://www.debian.org/security/                        Thorsten AlteholzMay 26, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : sniproxyCVE ID         : CVE-2023-25076Debian Bug     : 1033752An issue has been found in sniproxy, a transparent TLS and HTTP layer 4proxy with SNI support. Due to bad handling of wildcard backend hosts,a crafted HTTP or TLS packet might lead to remote arbitrary codeexecution.For the stable distribution (bullseye), this problem has been fixed inversion 0.6.0-2+deb11u1.We recommend that you upgrade your sniproxy packages.For the detailed security status of sniproxy please refer toits security tracker page at:https://security-tracker.debian.org/tracker/sniproxyFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmRwsRMACgkQO1LKKgqv2VRavQgAuKHflNXCnnu4VYTdqVME/Gkm37TyaxmrIaWliakXlQcz56ZIVBAdbko4mUgqaWBleXcSXRNe/D+9I8ugQUSVzWXNXqOcu9Z+nQzlpHpB+wQR/rMrC97Ep00NLcEELevoz20uDf6ufU+AQixYyfthvncwKcj0TFp4G4VcQboB5CocCVhlXvqEtimch/M117hfKEsD5AJWY04vXicmCqZWrtEjKUSNkZkrRKT/7u4DTkYcYgYsPBKCT0vPGf2XpWEP0bJb7vRyrPq5BnoLXJclF/t6CqD4L9MtBP1gwHPrtJQmgYdjyWm7wKvKAKXINGSUIYDZKOw/3EEkzL2tHOSxng===0CH/-----END PGP SIGNATURE-----

Search

lenovo warranty check/lookup | check warranty status | lenovo support us