#perl

Ubuntu Security Notice 6571-1 - Youssef Rebahi-Gilbert discovered that Monit did not properly process credentials for disabled accounts. An attacker could possibly use this issue to login to the platform with an expired account and a valid password.

### Impact When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. Below is an example result from verifying a JSON-LD Presentation where there is an error noted in the processing (mismatched challenge), but the overall result is incorrectly `"verified": true`: ```json { "verified": true, "presentation_result": { "verified": false, "document": { "@context": [ "https://www.w3.org/2018/credentials/v1" ], "type": [ "VerifiablePresentation" ], "verifiableCredential": [ { "@context": [ "https://www.w3.org/2018/credentials/v1", "https://w3id.org/citizenship/v1" ], "type": [ "VerifiableCredential", "PermanentResident" ], "issuer": "did:sov...

Ubuntu Security Notice 6038-2 - USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides the corresponding updates for Go 1.13 and Go 1.16. CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16. It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.

SSH-Snake is a powerful tool designed to perform automatic network traversal using SSH private keys discovered on systems, with the objective of creating a comprehensive map of a network and its dependencies, identifying to what extent a network can be compromised using SSH and SSH private keys starting from a particular system. SSH-Snake can automatically reveal the relationship between systems which are connected via SSH, which would normally take a tremendous amount of time and effort to perform manually.suffers from bypass and traversal vulnerabilities.

Intrasrv Simple Web Server version 1.0 suffers from a denial of service vulnerability.

### Summary A log injection vulnerability was identified in `pyload`. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. ### Details `pyload` will generate a log entry when attempting to sign in with faulty credentials. This entry will be in the form of `Login failed for user 'USERNAME'`. However, when supplied with a username containing a newline, this newline is not properly escaped. Newlines are also the delimiter between log entries. This allows the attacker to inject new log entries into the log file. ### PoC Run `pyload` in the default configuration by running the following command ``` pyload ``` We can now sign in as the pyload user and view the logs at `http://localhost:8000/logs`.  Any unauthenticated attacker can now make the following request to inject arbitrary logs. ``` curl 'http://...

Femitter FTP Server version 1.03 remote denial of service exploit.

__io_uaddr_map() in io_uring suffers from dangerous handling of the multi-page region.

File Sharing Wizard version 1.5.0 remote denial of service exploit.

httpdx version 1.5.4 remote denial of service exploit.