#perl

Tauri is a framework for building binaries for all major desktop platforms. Due to missing canonicalization when `readDir` is called recursively, it was possible to display directory listings outside of the defined `fs` scope. This required a crafted symbolic link or junction folder inside an allowed path of the `fs` scope. No arbitrary file content could be leaked. The issue has been resolved in version 1.0.6 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined `scope`. Users are advised to upgrade. Users unable to upgrade should disable the `readDir` endpoint in the `allowlist` inside the `tauri.conf.json`.

A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the input variable in main.js.

A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user able to configure the kubevirt to read arbitrary files on the host filesystem which are publicly readable or which are readable for UID 107 or GID 107. /proc/self/<> is not accessible.

Prototype pollution vulnerability in stealjs steal 2.2.4 via the optionName variable in main.js.

A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the source and sourceWithComments variable in main.js.

Ubuntu Security Notice 5613-1 - It was discovered that Vim was not properly performing bounds checks when executing spell suggestion commands. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim was using freed memory when dealing with regular expressions through its old regular expression engine. If a user were tricked into opening a specially crafted file, an attacker could crash the application, leading to a denial of service, or possibly achieve code execution.

Ubuntu Security Notice 5612-1 - Pietro Borrello, Andreas Kogler, Martin Schwarzl, Daniel Gruss, Michael Schwarz and Moritz Lipp discovered that some Intel processors did not properly clear data between subsequent xAPIC MMIO reads. This could allow a local attacker to compromise SGX enclaves.

Ubuntu Security Notice 5606-2 - USN-5606-1 fixed a vulnerability in poppler. Unfortunately it was missing a commit to fix it properly. This update provides the corresponding fix for Ubuntu 18.04 LTS and Ubuntu 16.04 ESM. It was discovered that poppler incorrectly handled certain PDF. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

Red Hat Security Advisory 2022-6526-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization 4.11.0 images: RHEL-8-CNV-4.11. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.

The entire security team should share in the responsibility to secure sensitive data.