An issue in the component post_applogin.php of Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below allows attackers to escalate privileges via creating crafted session tokens.

CVE-2022-36536: Copy of Универсальная страница компании

XPDF v4.04 was discovered to contain a stack overflow via the function Catalog::countPageTree() at Catalog.cc.

hi,i use AFL++ fuzz xpdf4.04,and found the Catalog::countPageTree() function in Catalog.cc may cause recursion issues via a crafted file.

Code: Select all

    gdb --args pdftopng crashfile output/

Code: Select all

    Syntax Error (1262): Dictionary key must be a name object
    Syntax Error (1265): Dictionary key must be a name object
    
    Program received signal SIGSEGV, Segmentation fault.
    
    [----------------------------------registers-----------------------------------]
    RAX: 0x5f8fd980549df300 
    RBX: 0x7fffff7ff050 --> 0x7fffff7ff060 --> 0x7ffff6ef6b41 (<malloc+193>:	mov    r15,rax)
    RCX: 0x7fffff7ff000 --> 0x0 
    RDX: 0x7fffff7ff8a0 --> 0xffffffffffffff90 
    RSI: 0x7fffff7ff050 --> 0x7fffff7ff060 --> 0x7ffff6ef6b41 (<malloc+193>:	mov    r15,rax)
    RDI: 0x7 
    RBP: 0x7fffff7ff050 --> 0x7fffff7ff060 --> 0x7ffff6ef6b41 (<malloc+193>:	mov    r15,rax)
    RSP: 0x7fffff7fefc0 
    RIP: 0x7ffff6e3fced (mov    QWORD PTR [rsp+0x38],rax)
    R8 : 0x1 
    R9 : 0x1e 
    R10: 0x7ffff7fc3000 --> 0x7ffff7fef000 --> 0x7ffff7168698 --> 0x7ffff6f07080 (repz ret)
    R11: 0x555555b47069 (<gmalloc(int)+233>:	test   rax,rax)
    R12: 0x7 
    R13: 0x1 
    R14: 0x7 
    R15: 0x7ffff6ef6b41 (<malloc+193>:	mov    r15,rax)
    EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff6e3fcdd:	mov    rbp,rsi
       0x7ffff6e3fce0:	sub    rsp,0x48
       0x7ffff6e3fce4:	mov    rax,QWORD PTR fs:0x28
    => 0x7ffff6e3fced:	mov    QWORD PTR [rsp+0x38],rax
       0x7ffff6e3fcf2:	xor    eax,eax
       0x7ffff6e3fcf4:	lea    rax,[rip+0x540f21]        # 0x7ffff7380c1c
       0x7ffff6e3fcfb:	mov    ecx,DWORD PTR [rax]
       0x7ffff6e3fcfd:	test   ecx,ecx
    [------------------------------------stack-------------------------------------]
    Invalid $SP address: 0x7fffff7fefc0
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x00007ffff6e3fced in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.4
    
    

bt

Code: Select all

    #29095 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffcdd0) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
    #29096 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffcef0) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
    #29097 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd010) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
    #29098 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd130) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
    #29099 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd250) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
    #29100 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd370) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
    #29101 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd490) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
    #29102 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd5b0) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
    #29103 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd6d0) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
    #29104 0x000055555577c369 in Catalog::countPageTree (this=this@entry=0x612000000040, pagesObj=pagesObj@entry=0x7fffffffd820) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:567
    #29105 0x000055555577d9a8 in Catalog::readPageTree (this=this@entry=0x612000000040, catDict=catDict@entry=0x7fffffffd980) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:529
    #29106 0x0000555555789d11 in Catalog::Catalog (this=0x612000000040, docA=<optimized out>) at /home/hekun/xpdf-4.04/xpdf/Catalog.cc:175
    #29107 0x0000555555a6141e in PDFDoc::setup2 (this=this@entry=0x607000000090, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0, repairXRef=repairXRef@entry=0x1) at /home/hekun/xpdf-4.04/xpdf/PDFDoc.cc:318
    #29108 0x0000555555a61d9a in PDFDoc::setup (this=this@entry=0x607000000090, ownerPassword=ownerPassword@entry=0x0, userPassword=userPassword@entry=0x0) at /home/hekun/xpdf-4.04/xpdf/PDFDoc.cc:276
    #29109 0x0000555555a630d7 in PDFDoc::PDFDoc (this=0x607000000090, fileNameA=<optimized out>, ownerPassword=<optimized out>, userPassword=<optimized out>, coreA=<optimized out>) at /home/hekun/xpdf-4.04/xpdf/PDFDoc.cc:218
    #29110 0x000055555568410a in main (argc=<optimized out>, argc@entry=0x3, argv=<optimized out>, argv@entry=0x7fffffffde38) at /home/hekun/xpdf-4.04/xpdf/pdftopng.cc:180
    #29111 0x00007ffff5c23c87 in __libc_start_main (main=0x555555683210 <main(int, char**)>, argc=0x3, argv=0x7fffffffde38, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffde28) at ../csu/libc-start.c:310
    #29112 0x0000555555688dda in _start ()
    

please check it out,thanks

CVE-2022-38334: stack-overflow by Xpdf4.04 - forum.xpdfreader.com

By Deeba Ahmed
The Flexlan FXA3000 and FXA2000 series LAN devices made by the Japan-based firm contain two critical vulnerabilities tracked as CVE–2022–36158 and CVE–2022–36159.
This is a post from HackRead.com Read the original post: Critical Vulnerabilities Found in Devices That Provide WiFi on Airplanes

Necrum Security Labs’ researchers Samy Younsi and Thomas Knudsen have discovered two critical vulnerabilities in the wireless LAN devices manufactured by Contec. The company specializes in industrial automation, computing, and IoT communication technology.

**Research Details**

Reportedly, the Flexlan FXA3000 and FXA2000 series LAN devices made by the Japan-based firm contain two critical vulnerabilities tracked as CVE–2022–36158 and CVE–2022–36159.

For your information, these devices are used in airplanes to offer internet connectivity. The abovementioned series of devices offer WiFi access points in airplanes to ensure uninterrupted high-speed internet communication so that passengers could enjoy music, movies, and even purchased goodies during the flight. Hence, these vulnerabilities can allow an adversary to hack the inflight entertainment system and more.

FXA2000 (left) and FXA3000 (right)

Researchers discovered the first vulnerability (CVE–2022–36158) while performing the firmware’s reverse engineering. They identified a hidden page, which wasn’t listed in the Wireless LAN Manager interface. This page facilitates the execution of Linux commands on the device with root privileges. They could then access all system files and open the telnet port to gain complete access to the device.

The second vulnerability (CVE–2022–36159) entailed the use of hard-coded, weak cryptographic keys and backdoor accounts. While investigating, they also learned that the shadow file contained the has of two users, including root and user, and within a few minutes they could access them through a brute-force attack.

**How to Fix the Issues?**

In their blog post, researchers explained that the device owner could change the account’s user password from the web admin’s interface, which is the primary reason behind the emergence of these flaws. The root account is reserved for Contec for maintenance purposes.

Therefore, an attacker armed with the root hard-coded password can conveniently access all FXA2000 and FXA3000 series devices.

In order to fix the first issue, the hidden engineering web page must be removed from the under-production devices because the default password is weak and makes it easy for an attacker to inject a backdoor into the device using this page.

Furthermore, the company needs to generate a unique password for each device during the production phase for the second issue.

As pointed out by Eduard Kovacs of SecurityWeek, in its advisory, Contec explained that the vulnerabilities are connected to a private webpage created for developers to execute system commands and the page isn’t linked to other pages available to users. These vulnerabilities have been addressed in versions 1.16.00 for the FX3000 series and 1.39.00 for FX2000 series devices.

1.  Reporter Gets His Email Hacked on The Plane
2.  This map shows free WiFi passwords from airports worldwide
3.  Vulnerable In-flight WiFi lets hackers remotely takeover modern aircraft
4.  Flight tracking service Flightradar24 hacked; 230,000 accounts affected
5.  Inflight Entertainment Service Provider Gogo Launches Bug Bounty Program

Critical Vulnerabilities Found in Devices That Provide WiFi on Airplanes

Mplayer SVN-r38374-13.0.1 is vulnerable to Memory Leak via vf.c and vf_vo.c.

**#2390 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

vf

Version:

unspecified

Severity:

normal

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Summary of the bug: Found a .viv file for mplayer where asan reports a memory leak.  
How to reproduce:Use the attached file to reproduce this issue (ASAN-recompilation are required)  
version: SVN-r38374-13.0.1  
kernel version:ubuntu 20.04; Linux 5.15.0-46-generic  
complier version:clang 13.0.1-2ubuntu2~20.04.1  

mplayer and ASAN output:  

Player SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team  

Playing /home/ldy/sample/useful/03-KimagureOrangeRoad.viv.  
libavformat version 58.29.100 (external)  
VIVO file format detected.  
VIDEO: \[viv2\] 320x240 24bpp 10.000 fps 0.0 kbps ( 0.0 kbyte/s)  
\[gl\] using extended formats. Use -vo gl:nomanyfmts if playback fails.  
\==========================================================================  
Requested video codec family \[vivo\] (vfm=vfw) not available.  
Enable it at compilation.  
Cannot find codec matching selected -vo and video format 0x32766976.  
\==========================================================================  
Clip info:  

> title: <No Title>  
> author: NV  
> copyright: <No Copyright>  
> encoder: VivoActive VideoNow 3.0 for Windows  

Load subtitles in /home/ldy/sample/useful/  
\==========================================================================  
Requested audio codec family \[vivoaudio\] (afm=acm) not available.  
Enable it at compilation.  
Opening audio decoder: \[ffmpeg\] FFmpeg/libavcodec audio decoders  
libavcodec version 58.54.100 (external)  
Cannot find codec 'siren' in libavcodec...  
ADecoder init failed :(  
ADecoder init failed :(  
Cannot find codec for audio format 0x112.  
Audio: no sound  
Video: no video  

Exiting... (End of file)  

\=================================================================  
\==3993864==ERROR: LeakSanitizer: detected memory leaks  

Direct leak of 576 byte(s) in 1 object(s) allocated from:  

> #0 0x55ac7b1e06dd in malloc (/home/ldy/good\_mplayer/asan\_playr/mplayer+0x33e6dd)  
> #1 0x55ac7b42992e in vf\_open\_plugin /home/ldy/good\_mplayer/mplayer/libmpcodecs/vf.c:478:8  

Indirect leak of 24 byte(s) in 1 object(s) allocated from:  

> #0 0x55ac7b1e0872 in interceptor\_calloc (/home/ldy/good\_mplayer/asan\_playr/mplayer+0x33e872)  
> #1 0x55ac7b50a2cd in vf\_open /home/ldy/good\_mplayer/mplayer/libmpcodecs/vf\_vo.c:215:14  

SUMMARY: AddressSanitizer: 600 byte(s) leaked in 2 allocation(s).

CVE-2022-38600: #2390 (memory leak in vf.c and vf_vo.c) – MPlayer

A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/<> is not accessible.

**Impact**

Users with the permission to create VMIs can construct VMI specs which allow them to read arbitrary files on the host. There are three main attack vectors:

1.  Some path fields on the VMI spec were not properly validated and allowed passing in relative paths which would have been mounted into the virt-launcher pod. The fields are: spec.domain.firmware.kernelBoot.container.kernelPath, spec.domain.firmware.kernelBoot.container.initrdPath as well as spec.volumes[*].containerDisk.path.

Example:

apiVersion: \[kubevirt.io/v1\](http://kubevirt.io/v1)
kind: VirtualMachineInstance
metadata:
  name: vmi-fedora
spec:
  domain:
    devices:
      disks:
      - disk:
          bus: virtio
        name: containerdisk
      - disk:
          bus: virtio
        name: cloudinitdisk
      - disk:
          bus: virtio
        name: containerdisk1
      rng: {}
    resources:
      requests:
        memory: 1024M
  terminationGracePeriodSeconds: 0
  volumes:
  - containerDisk:
      image: \[quay.io/kubevirt/cirros-container-disk-demo:v0.52.0\](http://quay.io/kubevirt/cirros-container-disk-demo:v0.52.0)
    name: containerdisk
  - containerDisk:
      image: \[quay.io/kubevirt/cirros-container-disk-demo:v0.52.0\](http://quay.io/kubevirt/cirros-container-disk-demo:v0.52.0)
      path: test3/../../../../../../../../etc/passwd
    name: containerdisk1
  - cloudInitNoCloud:
      userData: |
        #!/bin/sh
        echo 'just something to make cirros happy'
    name: cloudinitdisk

2.  Instead of passing in relative links on the API, using malicious links in the containerDisk itself can have the same effect:

FROM <anybase>
RUN mkdir -p /etc/ && touch /etc/passwd
RUN mkdir -p /disks/ && ln -s /etc/passwd /disks/disk.img

3.  KubeVirt allows PVC hotplugging. The hotplugged PVC is under user-control and it is possible to place absolute links there. Since containerDisk and hotplug code use the same mechanism to provide the disk to the virt-launcher pod, it can be used too to do arbitrary host file reads.

In all three cases it is then possible to at lest read any host file:

    $ sudo cat /dev/vdc
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    [...]
    

**Patches**

KubeVirt 0.55.1 provides patches to fix the vulnerability.

**Workarounds**

*   Ensure that the HotplugVolumes feature-gate is disabled
*   ContainerDisk support can't be disabled. The only known way to mitigate this issue is create with e.g. policy controller a conditiontemplate which ensures that no containerDisk gets added and that spec.domain.firmware.kernelBoot is not used on VirtualMachineInstances.|
*   Ensure that SELinux is enabled. It blocks most attempts to read host files but does not provide a 100% guarantee (like vm-to-vm read may still work).

**References**

Disclosure notice form the discovering party: GHSA-cvx8-ppmc-78hm

**For more information**

For interested vendors which have to provide a fix for their supported versions, the following PRs are providing the fix:

*   #8198
*   #8268

**Credits**

Oliver Brooks and James Klopchic of NCC Group  
Diane Dubois and Roman Mohr of Google

CVE-2022-1798: Arbitrary file read on host

Red Hat Security Advisory 2022-6542-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include file overwrite and traversal vulnerabilities.

Red Hat Security Advisory 2022-6542-01

Red Hat Security Advisory 2022-6540-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: webkit2gtk3 security update  
Advisory ID:       RHSA-2022:6540-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6540  
Issue date:        2022-09-15  
CVE Names:         CVE-2022-32893  
====================================================================  
1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

The following packages have been upgraded to a later upstream version:  
webkit2gtk3 (2.36.7).

Security Fix(es):

* webkitgtk: processing maliciously crafted web content may lead to  
arbitrary code execution (CVE-2022-32893)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2121645 - CVE-2022-32893 webkitgtk: processing maliciously crafted web content may lead to arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
webkit2gtk3-2.36.7-1.el8_6.src.rpm

aarch64:  
webkit2gtk3-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-devel-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_6.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_6.aarch64.rpm

ppc64le:  
webkit2gtk3-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-devel-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_6.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_6.ppc64le.rpm

s390x:  
webkit2gtk3-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-devel-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_6.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_6.s390x.rpm

x86_64:  
webkit2gtk3-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-devel-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-devel-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_6.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_6.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-32893  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyMk0dzjgjWX9erEAQgJiw/+LYAkLQ3B+egDz2T8gBO2HzEtHgA8L7TO  
aFWvgGSnt32NlsOLFg1R3FxvGRVurR5Vgx2QN4tvVi/iYIgGw1WTSCC2GaiamjoP  
AawahjPf08LboH3d96QHN7rumXeXLUcymQyG4p4BPnEOqYPaKKdmj5CPaGWM/o+l  
ECo8POkVp0mHb4HOCL8iudG5aKDmEB5OqHfQS0XmFU3392yazpD6Y1DwpIfCNAhb  
ptdcqHrycH+QFUdd3YmtQj567R5+q/DAKFN60KHdwT+JeiRwdV9k89cAoWIJA6Hh  
3ZxRuVbc108rySf/9tdZSjl7nw4IbLwcbScUwUHfHzjFfS3h7u+kkDLL10c4sfWf  
psc1mGVUXzLN6qBaWiY96bXOUOzX72LkC0LqhgDOfjBvaGzJjFwfydDgql/TPkSZ  
478+0r5JD6sFsboLugtqhXMLNpJtxYGBSMUA31Bjmf8jWGwKrzZCbxUMuQIHk7VG  
4M9gdZbu5wQw6fhksOlHGowoXEvc6UTB36eSLvZ76OK65yoXmpOXTFjIFfmDACkV  
M4GVQGpNglQWn/4jBXjebEeFC86baScn97NpCL41FK9AXlP7xBPaCN++DjAYDlbg  
NJf8tizErS4zMa1moMYL2DEac/nhLJDwtKaCvftcdRPrVnQZEZto7Chvf1FgNAJc  
+nurAiBV/zc=W4oO  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6540-01

Red Hat Security Advisory 2022-6539-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.109 and .NET Runtime 6.0.9.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: .NET 6.0 security and bugfix update  
Advisory ID:       RHSA-2022:6539-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6539  
Issue date:        2022-09-15  
CVE Names:         CVE-2022-38013  
====================================================================  
1. Summary:

An update for .NET 6.0 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, s390x, x86_64

3. Description:

.NET is a managed-software framework. It implements a subset of the .NET  
framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now  
available. The updated versions are .NET SDK 6.0.109 and .NET Runtime  
6.0.9.

Security Fix(es):

* dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow  
via ModelStateDictionary recursion. (CVE-2022-38013)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2125124 - CVE-2022-38013 dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow via ModelStateDictionary recursion.

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
dotnet6.0-6.0.109-1.el8_6.src.rpm

aarch64:  
aspnetcore-runtime-6.0-6.0.9-1.el8_6.aarch64.rpm  
aspnetcore-targeting-pack-6.0-6.0.9-1.el8_6.aarch64.rpm  
dotnet-6.0.109-1.el8_6.aarch64.rpm  
dotnet-apphost-pack-6.0-6.0.9-1.el8_6.aarch64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-host-6.0.9-1.el8_6.aarch64.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-hostfxr-6.0-6.0.9-1.el8_6.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-runtime-6.0-6.0.9-1.el8_6.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-sdk-6.0-6.0.109-1.el8_6.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.aarch64.rpm  
dotnet-targeting-pack-6.0-6.0.9-1.el8_6.aarch64.rpm  
dotnet-templates-6.0-6.0.109-1.el8_6.aarch64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.aarch64.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.aarch64.rpm  
netstandard-targeting-pack-2.1-6.0.109-1.el8_6.aarch64.rpm

s390x:  
aspnetcore-runtime-6.0-6.0.9-1.el8_6.s390x.rpm  
aspnetcore-targeting-pack-6.0-6.0.9-1.el8_6.s390x.rpm  
dotnet-6.0.109-1.el8_6.s390x.rpm  
dotnet-apphost-pack-6.0-6.0.9-1.el8_6.s390x.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-host-6.0.9-1.el8_6.s390x.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-hostfxr-6.0-6.0.9-1.el8_6.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-runtime-6.0-6.0.9-1.el8_6.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-sdk-6.0-6.0.109-1.el8_6.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.s390x.rpm  
dotnet-targeting-pack-6.0-6.0.9-1.el8_6.s390x.rpm  
dotnet-templates-6.0-6.0.109-1.el8_6.s390x.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.s390x.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.s390x.rpm  
netstandard-targeting-pack-2.1-6.0.109-1.el8_6.s390x.rpm

x86_64:  
aspnetcore-runtime-6.0-6.0.9-1.el8_6.x86_64.rpm  
aspnetcore-targeting-pack-6.0-6.0.9-1.el8_6.x86_64.rpm  
dotnet-6.0.109-1.el8_6.x86_64.rpm  
dotnet-apphost-pack-6.0-6.0.9-1.el8_6.x86_64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-host-6.0.9-1.el8_6.x86_64.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-hostfxr-6.0-6.0.9-1.el8_6.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-runtime-6.0-6.0.9-1.el8_6.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-sdk-6.0-6.0.109-1.el8_6.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.x86_64.rpm  
dotnet-targeting-pack-6.0-6.0.9-1.el8_6.x86_64.rpm  
dotnet-templates-6.0-6.0.109-1.el8_6.x86_64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.x86_64.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.x86_64.rpm  
netstandard-targeting-pack-2.1-6.0.109-1.el8_6.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.aarch64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el8_6.aarch64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.aarch64.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.aarch64.rpm

s390x:  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.s390x.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el8_6.s390x.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.s390x.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.s390x.rpm

x86_64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.x86_64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el8_6.x86_64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.x86_64.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-38013  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyMk1tzjgjWX9erEAQgw+g//amwE2QaQf5yW7EW8rt67JALUZTNashe0  
Mb7PqAALg2u0GD6ceXurkCkB3SoH40phFOZyAmgH3A60rSXLcsBvFGSp/dNjYY9y  
RYOyqRsU9QmCbCpv8/L4zL1RStoYEpnSpPUUGEXca9gdz5DZfOC2U9e9Dnn+pL4J  
cQYeELp6HnozVKTjGK8tPXw5WbLK2mgGVcDojJjf8JajykeJfXUCIR+RMQo/HNLZ  
vuW3TPzCY6gRs15mwY/96z/7Tvluk4/XIb2dT43YRpeBTvgl4f+QTRUsgTiIRJMI  
s6Q8LSC4BYE/e2KoUWoB7qATqxoghn/qrhaMs+FolQf0Q4c7ks4M6oEf9Du0oLuk  
AqCkXFKmzXxwxcMxMqxzALJFM3YagG+eaWp9IDh8R/TLNsSsleydf6SaWsl+N9zO  
IIm040FWCbgdwYQIp0WbQONbC8T6Uf7hmZKO1G6b3q6dTaGcNMRrvBirHyNpAXn5  
4J3rLPBj4yl9vkAe2pbPjhw5AftLk9Evr0HXaksS5pW9yGKVf6RvAbGTu+04+zut  
Gr9f/t3Bqr2McEzvvRAUgcHEyA2b+CtQiqm+dhbo8REVxdHT9tnF3EUgpbbdZa3z  
4yqS5t5t+SqjvfBbSbqiCxjdkLBpbGJsWRfKm8CBDS7Qc9q5kJOvE9HIbETAXFMl  
niuMj2fXmOA»Yx  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6539-01

Red Hat Security Advisory 2022-6526-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization 4.11.0 images: RHEL-8-CNV-4.11. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.

Red Hat Security Advisory 2022-6526-01

Red Hat Security Advisory 2022-6522-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 3.1.423 and .NET Runtime 3.1.29.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: .NET Core 3.1 on RHEL 7 security and bugfix update  
Advisory ID:       RHSA-2022:6522-01  
Product:           .NET Core on Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6522  
Issue date:        2022-09-14  
CVE Names:         CVE-2022-38013  
====================================================================  
1. Summary:

An update for .NET Core 3.1 is now available for Red Hat Enterprise Linux  
7.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64  
.NET Core on Red Hat Enterprise Linux Server (v. 7) - x86_64  
.NET Core on Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

.NET is a managed-software framework. It implements a subset of the .NET  
framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now  
available. The updated versions are .NET SDK 3.1.423 and .NET Runtime  
3.1.29.

Security Fix(es):

* dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow  
via ModelStateDictionary recursion. (CVE-2022-38013)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2125124 - CVE-2022-38013 dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow via ModelStateDictionary recursion.

6. Package List:

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):

Source:  
rh-dotnet31-dotnet-3.1.423-1.el7_9.src.rpm

x86_64:  
rh-dotnet31-aspnetcore-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-apphost-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-debuginfo-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-host-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-hostfxr-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-source-built-artifacts-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-templates-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-netstandard-targeting-pack-2.1-3.1.423-1.el7_9.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Server (v. 7):

Source:  
rh-dotnet31-dotnet-3.1.423-1.el7_9.src.rpm

x86_64:  
rh-dotnet31-aspnetcore-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-apphost-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-debuginfo-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-host-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-hostfxr-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-source-built-artifacts-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-templates-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-netstandard-targeting-pack-2.1-3.1.423-1.el7_9.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Workstation (v. 7):

Source:  
rh-dotnet31-dotnet-3.1.423-1.el7_9.src.rpm

x86_64:  
rh-dotnet31-aspnetcore-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-apphost-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-debuginfo-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-host-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-hostfxr-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-source-built-artifacts-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-templates-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-netstandard-targeting-pack-2.1-3.1.423-1.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-38013  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyInutzjgjWX9erEAQjThg/+MKqPc3jlUrNqUAS1LZhSCO6m0uW0uHeX  
XWJwV1fejIn8e2zo/DigEzqjDtXMAB8hizNNJbZJcubq/3o51WM2MWJOl/At8yIm  
zoAYuPOu+DmKbfWvHWQs/FrUMB4zyNXqmLWOZ1D0A7jf8ua7CJxJOtAdmm78uBFz  
EblFEzpNykOMsfWCvJJJ//NivHPlxiaQsS6P5oBFzlErSwHKFzjNpmpiErw4SA1T  
Z5GZSTpSBTrLKfjS1ZGV1tVAXMifISZbZUqg4NAbra6Zf2gfkyYs2wsRyn3fJ+JH  
o0aVY76ANHu3g98hW/Ng3T0ET9edLGOTAz15X4VX5DuFBqHTQFoKOEaDF/nZsN//  
a3eFpGRr4AQ1w8q+dWE20gzlr7o1w65Q1ltdsgXfqxrehLn1ApXIiWlhyoCWXxiW  
kqvicwdOdjJDK56MeZnFu6CjCGZqnR61WuZjbPqBty/Rkl2rHej4KFL2Q7s0CbQU  
Dh4hFEov9ZL2Qx7pCzYrk9G2RB7ljWfw+9vE4UP2FEiwgCK5qKxbmlkQbggULQxQ  
A6YGpvj/KamjagCktrnRC3BWEw8O1ulJChqR5TnllKt9+yunpKVJaVfOyAJNOVi7  
JHrYj9JN/v2H98dmzNstrgJNDD/ePy0HZARTi/gMc06pPZoncpE+vedXMEJsUplM  
uKQk6IAD4Go=WeAO  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#linux