diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml index d9b34900168c..8cc834ba7632 100644 --- a/security/vuxml/vuln-2022.xml +++ b/security/vuxml/vuln-2022.xml @@ -1,3673 +1,3698 @@ + + eb -- Potential buffer overrun vulnerability + + + ja-eb + 4.4.3_5 + + + + +

Kazuhiro Ito reports:

+
+

Potential buffer overrun vulnerability is found in eb/multiplex.c.

+
+ +
+ + mailto:edict@ring.gr.jp + + + 2022-04-25 + 2022-04-26 + +
+ zeek -- potential DoS vulnerabilty zeek 4.0.6

Tim Wojtulewicz of Corelight reports:

Fix potential unbounded state growth in the FTP analyzer when receiving a specially-crafted stream of commands. This may lead to a buffer overflow and cause Zeek to crash. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerabilty.

https://github.com/zeek/zeek/releases/tag/v4.0.6 2022-04-21 2022-04-21
zgrep -- arbitrary file write gzip 1.12

RedHat reports:

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

CVE-2022-1271 https://bugzilla.redhat.com/show_bug.cgi?id=2073310 2022-04-07 2022-04-19
Nextcloud Calendar -- SMTP Command Injection nextcloud-calendar 3.2.2

reports:

SMTP Command Injection in Appointment Emails via Newlines: as newlines and special characters are not sanitized in the email value in the JSON request, a malicious attacker can inject newlines to break out of the `RCPT TO:<BOOKING USER'S EMAIL>` SMTP command and begin injecting arbitrary SMTP commands.

CVE-2022-24838 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8xv5-4855-24qf 2022-04-11 2022-04-17
MySQL -- Multiple vulnerabilities mysql57-server 5.7.38 mysql80-client 8.0.29 mysql80-server 8.0.29

Oracle reports:

The 2022 April Critical Patch Update contains 43 new security patches for Oracle MySQL. 11 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

https://www.oracle.com/security-alerts/cpuapr2022.html 2022-04-16 2022-04-16
chromium -- multiple vulnerabilities chromium 100.0.4896.127

Chrome Releases reports:

This release contains 2 security fixes, including:

  • [1315901] High CVE-2022-1364: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2022-0-13
CVE-2022-1364 https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.html 2022-04-14 2022-04-15
Asterisk -- func_odbc: Possible SQL Injection asterisk16 16.25.2 asterisk18 18.11.2

The Asterisk project reports:

Some databases can use backslashes to escape certain characters, such as backticks. If input is provided to func_odbc which includes backslashes it is possible for func_odbc to construct a broken SQL query and the SQL query to fail.

CVE-2022-26651 https://downloads.asterisk.org/pub/security/AST-2022-003.html 2022-04-14 2022-04-14
Asterisk -- multiple vulnerabilities asterisk16 16.15.016.25.2 asterisk18 18.11.2

The Asterisk project reports:

AST-2022-001 - When using STIR/SHAKEN, its possible to download files that are not certificates. These files could be much larger than what you would expect to download.

AST-2022-002 - When using STIR/SHAKEN, its possible to send arbitrary requests like GET to interfaces such as localhost using the Identity header.

CVE-2022-26498 https://downloads.asterisk.org/pub/security/AST-2022-001.html CVE-2022-26499 https://downloads.asterisk.org/pub/security/AST-2022-002.html 2022-04-14 2022-04-14
Composer -- Command injection vulnerability php74-composer php80-composer php81-composer 1.10.26 php74-composer2 php80-composer2 php81-composer2 2.0.02.2.12 2.3.02.3.5

Composer developers reports:

The Composer method VcsDriver::getFileContent() with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used.

CVE-2022-24828 https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6 2022-04-13 2022-04-13
Subversion -- Multiple vulnerabilities in server code subversion 1.10.01.10.8 1.11.01.14.2 mod_dav_svn 1.10.01.10.8 1.11.01.14.2 subversion-lts 1.10.01.10.8 mod_dav_svn-lts 1.10.01.10.8

Subversion project reports:

Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.

While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed.

CVE-2021-28544 CVE-2022-24070 https://subversion.apache.org/security/CVE-2021-28544-advisory.txt https://subversion.apache.org/security/CVE-2022-24070-advisory.txt 2022-04-12 2022-04-13
Ruby -- Buffer overrun in String-to-Float conversion ruby 2.7.0,12.7.6,1 3.0.0,13.0.4,1 3.1.0,13.1.2,1 3.2.0.p1,13.2.0.p1_1,1 ruby27 2.7.0,12.7.6,1 ruby30 3.0.0,13.0.4,1 ruby31 3.1.0,13.1.2,1 ruby32 3.2.0.p1,13.2.0.p1_1,1

piao reports:

Due to a bug in an internal function that converts a String to a Float, some convertion methods like Kernel#Float and String#to_f could cause buffer over-read. A typical consequence is a process termination due to segmentation fault, but in a limited circumstances, it may be exploitable for illegal memory read.

CVE-2022-28739 https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/ 2022-04-12 2022-04-13
Ruby -- Double free in Regexp compilation ruby 3.0.0,13.0.4,1 3.1.0,13.1.2,1 3.2.0.p1,13.2.0.p1_1,1 ruby30 3.0.0,13.0.4,1 ruby31 3.1.0,13.1.2,1 ruby32 3.2.0.p1,13.2.0.p1_1,1

piao reports:

Due to a bug in the Regexp compilation process, creating a Regexp object with a crafted source string could cause the same memory to be freed twice. This is known as a "double free" vulnerability. Note that, in general, it is considered unsafe to create and use a Regexp object generated from untrusted input. In this case, however, following a comprehensive assessment, we treat this issue as a vulnerability.

CVE-2022-28738 https://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738/ 2022-04-12 2022-04-13
mutt -- mutt_decode_uuencoded() can read past the of the input line mutt 2.2.3

Tavis Ormandy reports:

mutt_decode_uuencoded(), the line length is read from the untrusted uuencoded part without validation. This could result in including private memory in message parts, for example fragments of other messages, passphrases or keys in replys

CVE-2022-1328 https://gitlab.com/muttmua/mutt/-/issues/404 2022-04-04 2022-04-12
Chromium -- mulitple vulnerabilities chromium 100.0.4896.88

Chrome Releases reports:

This release contains 11 security fixes, including:

  • [1285234] High CVE-2022-1305: Use after free in storage. Reported by Anonymous on 2022-01-07
  • [1299287] High CVE-2022-1306: Inappropriate implementation in compositing. Reported by Sven Dysthe on 2022-02-21
  • [1301873] High CVE-2022-1307: Inappropriate implementation in full screen. Reported by Irvan Kurniawan (sourc7) on 2022-03-01
  • [1283050] High CVE-2022-1308: Use after free in BFCache. Reported by Samet Bekmezci (@sametbekmezci) on 2021-12-28
  • [1106456] High CVE-2022-1309: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-07-17
  • [1307610] High CVE-2022-1310: Use after free in regular expressions. Reported by Brendon Tiszka on 2022-03-18
  • [1310717] High CVE-2022-1311: Use after free in Chrome OS shell. Reported by Nan Wang (@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-03-28
  • [1311701] High CVE-2022-1312: Use after free in storage. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2022-03-30
  • [1270539] Medium CVE-2022-1313: Use after free in tab groups. Reported by Thomas Orlita on 2021-11-16
  • [1304658] Medium CVE-2022-1314: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2022-03-09
CVE-2022-1305 CVE-2022-1306 CVE-2022-1307 CVE-2022-1308 CVE-2022-1309 CVE-2022-1310 CVE-2022-1311 CVE-2022-1312 CVE-2022-1313 CVE-2022-1314 https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html 2022-04-11 2022-04-12
Django -- multiple vulnerabilities py37-django22 py38-django22 py39-django22 py310-django22 2.2.28 py37-django32 py38-django32 py39-django32 py310-django32 3.2.13 py38-django40 py39-django40 py31-django40 4.0.4

Django Release reports:

CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra().

CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL.

CVE-2022-28346 CVE-2022-28347 https://www.djangoproject.com/weblog/2022/apr/11/security-releases/ 2022-04-02 2022-04-12
FreeBSD -- zlib compression out-of-bounds write FreeBSD 13.013.0_11 12.312.3_5

Problem Description:

Certain inputs can cause zlib's compression routine to overwrite an internal buffer with compressed data. This issue may require the use of uncommon or non-default compression parameters.

Impact:

The out-of-bounds write may result in memory corruption and an application crash or kernel panic.

CVE-2018-25032 SA-22:08.zlib 2022-04-06 2022-04-07
FreeBSD -- 802.11 heap buffer overflow FreeBSD-kernel 13.013.0_11 12.312.3_5

Problem Description:

The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer.

Impact:

While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beacon frame may overwrite kernel memory, leading to remote code execution.

CVE-2022-23088 SA-22:07.wifi_meshid 2022-04-06 2022-04-07
FreeBSD -- mpr/mps/mpt driver ioctl heap out-of-bounds write FreeBSD-kernel 13.013.0_11 12.312.3_5

Problem Description:

Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Other heap content would be overwritten if the specified size was too small.

Impact:

Users with access to the mpr, mps or mpt device node may overwrite heap data, potentially resulting in privilege escalation. Note that the device node is only accessible to root and members of the operator group.

CVE-2022-23086 SA-22:06.ioctl 2022-04-06 2022-04-07
FreeBSD -- Bhyve e82545 device emulation out-of-bounds write FreeBSD-kernel 13.013.0_11 12.312.3_5

Problem Description:

The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets.

When checksum offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to specify the checksum offset in the on-stack buffer. The offset was not validated for certain packet types.

Impact:

A misbehaving bhyve guest could overwrite memory in the bhyve process on the host, possibly leading to code execution in the host context.

The bhyve process runs in a Capsicum sandbox, which (depending on the FreeBSD version and bhyve configuration) limits the impact of exploiting this issue.

CVE-2022-23087 SA-22:05.bhyve 2022-04-06 2022-04-07
FreeBSD -- Potential jail escape vulnerabilities in netmap FreeBSD-kernel 13.013.0_11 12.312.3_5

Problem Description:

The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption. [CVE-2022-23084]

A user-provided integer option was passed to nmreq_copyin() without checking if it would overflow. This insufficient bounds checking could lead to kernel memory corruption. [CVE-2022-23085]

Impact:

On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment.

CVE-2022-23084 CVE-2022-23085 SA-22:04.netmap 2022-04-06 2022-04-07
chromium -- Type confusion in V8 chromium 100.0.4896.75

Chrome Releases reports:

This release includes one security fix:

  • [1311641] High CVE-2022-1232: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2022-03-30
CVE-2022-1232 https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop.html 2022-04-04 2022-04-05
Gitlab -- multiple vulnerabilities gitlab-ce 14.9.014.9.2 14.8.014.8.5 014.7.7

Gitlab reports:

Static passwords inadvertently set during OmniAuth-based registration

Stored XSS in notes

Stored XSS on Multi-word milestone reference

Denial of service caused by a specially crafted RDoc file

GitLab Pages access tokens can be reused on multiple domains

GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive timeout

Incorrect include in pipeline definition exposes masked CI variables in UI

Regular expression denial of service in release asset link

Latest Commit details from private projects leaked to guest users via Merge Requests

CI/CD analytics are available even when public pipelines are disabled

Absence of limit for the number of tags that can be added to a runner can cause performance issues

Client DoS through rendering crafted comments

Blind SSRF Through Repository Mirroring

Bypass of branch restriction in Asana integration

Readable approval rules by Guest user

Redact InvalidURIError error messages

Project import maps members' created_by_id users based on source user ID

CVE-2022-1162 CVE-2022-1175 CVE-2022-1190 CVE-2022-1185 CVE-2022-1148 CVE-2022-1121 CVE-2022-1120 CVE-2022-1100 CVE-2022-1193 CVE-2022-1105 CVE-2022-1099 CVE-2022-1174 CVE-2022-1188 CVE-2022-0740 CVE-2022-1189 CVE-2022-1157 CVE-2022-1111 https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/ 2022-03-31 2022-04-04
mediawiki -- multiple vulnerabilities mediawiki135 1.35.6 mediawiki136 1.36.4 mediawiki137 1.37.2

Mediawiki reports:

(T297543, CVE-2022-28202) Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete.

(T297571, CVE-2022-28201) Title::newMainPage() goes into an infinite recursion loop if it points to a local interwiki.

(T297731, CVE-2022-28203) Requesting Special:NewFiles on a wiki with many file uploads with actor as a condition can result in a DoS.

(T297754, CVE-2022-28204) Special:WhatLinksHere can result in a DoS when a page is used on a extremely large number of other pages.

CVE-2022-28201 CVE-2022-28202 CVE-2022-28203 CVE-2022-28204 https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/message/YJNXKPV5Z56NSUQ4G3SXPDUIZG5EQ7UR/ 2021-12-12 2022-04-04
dnsmasq -- heap use-after-free in dhcp6_no_relay dnsmasq 2.86_4,1 dnsmasq-devel 2.86_4,1

Petr Menšík reports:

Possible vulnerability [...] found in latest dnsmasq. It [was] found with help of oss-fuzz Google project by me and short after that independently also by Richard Johnson of Trellix Threat Labs.

It is affected only by DHCPv6 requests, which could be crafted to modify already freed memory. [...] We think it might be triggered remotely, but we do not think it could be used to execute remote code.

CVE-2022-0934 https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016272.html 2022-03-31 2022-04-03
gitea -- Open Redirect on login gitea 1.16.5

Andrew Thornton reports:

When a location containing backslashes is presented, the existing protections against open redirect are bypassed, because browsers will convert adjacent forward and backslashes within the location to double forward slashes.

CVE-2022-1058 https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d/ 2022-03-23 2022-03-29
gitea -- Improper/incorrect authorization gitea 1.16.4

Youssef Rebahi-Gilbert reports:

When Gitea is built and configured for PAM authentication it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login.

CVE-2022-0905 https://huntr.dev/bounties/8d221f92-b2b1-4878-bc31-66ff272e5ceb 2022-03-06 2022-03-29
chromium -- multiple vulnerabilities chromium 100.0.4896.60

Chrome Releases reports:

This release contains 28 security fixes, including:

  • [1292261] High CVE-2022-1125: Use after free in Portals. Reported by Khalil Zhani on 2022-01-29
  • [1291891] High CVE-2022-1127: Use after free in QR Code Generator. Reported by anonymous on 2022-01-28
  • [1301920] High CVE-2022-1128: Inappropriate implementation in Web Share API. Reported by Abdel Adim (@smaury92) Oisfi of Shielder on 2022-03-01
  • [1300253] High CVE-2022-1129: Inappropriate implementation in Full Screen Mode. Reported by Irvan Kurniawan (sourc7) on 2022-02-24
  • [1142269] High CVE-2022-1130: Insufficient validation of untrusted input in WebOTP. Reported by Sergey Toshin of Oversecurity Inc. on 2020-10-25
  • [1297404] High CVE-2022-1131: Use after free in Cast UI. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2022-02-15
  • [1303410] High CVE-2022-1132: Inappropriate implementation in Virtual Keyboard. Reported by Andr.Ess on 2022-03-07
  • [1305776] High CVE-2022-1133: Use after free in WebRTC. Reported by Anonymous on 2022-03-13
  • [1308360] High CVE-2022-1134: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2022-03-21
  • [1285601] Medium CVE-2022-1135: Use after free in Shopping Cart. Reported by Wei Yuan of MoyunSec VLab on 2022-01-09
  • [1280205] Medium CVE-2022-1136: Use after free in Tab Strip. Reported by Krace on 2021-12-15
  • [1289846] Medium CVE-2022-1137: Inappropriate implementation in Extensions. Reported by Thomas Orlita on 2022-01-22
  • [1246188] Medium CVE-2022-1138: Inappropriate implementation in Web Cursor. Reported by Alesandro Ortiz on 2021-09-03
  • [1268541] Medium CVE-2022-1139: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer on 2021-11-10
  • [1303253] Medium CVE-2022-1141: Use after free in File Manager. Reported by raven at KunLun lab on 2022-03-05
  • [1303613] Medium CVE-2022-1142: Heap buffer overflow in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-03-07
  • [1303615] Medium CVE-2022-1143: Heap buffer overflow in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-03-07
  • [1304145] Medium CVE-2022-1144: Use after free in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-03-08
  • [1304545] Medium CVE-2022-1145: Use after free in Extensions. Reported by Yakun Zhang of Baidu Security on 2022-03-09
  • [1290150] Low CVE-2022-1146: Inappropriate implementation in Resource Timing. Reported by Sohom Datta on 2022-01-23
CVE-2022-1125 CVE-2022-1127 CVE-2022-1128 CVE-2022-1129 CVE-2022-1130 CVE-2022-1131 CVE-2022-1132 CVE-2022-1133 CVE-2022-1134 CVE-2022-1135 CVE-2022-1136 CVE-2022-1137 CVE-2022-1138 CVE-2022-1139 CVE-2022-1141 CVE-2022-1142 CVE-2022-1143 CVE-2022-1144 CVE-2022-1145 CVE-2022-1146 https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html 2022-03-29 2022-03-29
powerdns-recursor -- denial of service powerdns-recursor 4.6.0

PowerDNS Team reports:

PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor.

CVE-2022-27227 https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html 2022-03-25 2022-03-27
powerdns -- denial of service powerdns 4.6.0

PowerDNS Team reports:

PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor.

CVE-2022-27227 https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2022-01.html 2022-03-25 2022-03-27
chromium -- V8 type confusion chromium 99.0.4844.84

Chrome Releases reports:

This release contains 1 security fix:

  • [1309225] High CVE-2022-1096: Type Confusion in V8. Reported by anonymous on 2022-03-23

Google is aware that an exploit for CVE-2022-1096 exists in the wild.

CVE-2022-1096 https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html 2022-03-25 2022-03-25
Security Vulnerability found in ExifTool p5-Image-ExifTool 7.4412.24

Debian Security Advisory reports:

A vulnerability was discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed.

CVE-2021-22204 https://www.cvedetails.com/cve/CVE-2021-22204/ 2021-01-04 2022-03-25
tcpslice -- heap-based use-after-free in extract_slice() tcpslice 1.5,1

The Tcpdump Group reports:

heap-based use-after-free in extract_slice()

CVE-2021-41043 https://github.com/the-tcpdump-group/tcpslice/issues/11 2021-09-13 2022-03-22
go -- multiple vulnerabilities go 1.17.8,1

The Go project reports:

regexp: stack exhaustion compiling deeply nested expressions

On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB.

CVE-2022-24921 https://github.com/golang/go/issues/51112 2022-02-09 2022-03-19
openvpn -- Potential authentication by-pass with multiple deferred authentication plug-ins openvpn 2.5.6 openvpn-mbedtls 2.5.6

David Sommerseth reports:

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials. This issue is resolved in OpenVPN 2.4.12 and v2.5.6.

CVE-2022-0547 https://community.openvpn.net/openvpn/wiki/CVE-2022-0547 https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-256 2022-03-10 2022-03-17
wordpress -- multiple issues wordpress fr-wordpress 5.9.2,1 de-wordpress zh_CN-wordpress th_TW-wordpress ja-wordpress ru-wordpress 5.9.2

wordpress developers reports:

This security and maintenance release features 1 bug fix in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated. The security team would like to thank the following people for responsively reporting vulnerabilities, allowing them to be fixed in this release: -Melar Dev, for finding a Prototype Pollution Vulnerability in a jQuery dependency -Ben Bidner of the WordPress security team, for finding a Stored Cross Site Scripting Vulnerability -Researchers from Johns Hopkins University, for finding a Prototype Pollution Vulnerability in the block editor

https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/ 2022-03-11 2022-03-16
Weechat -- Possible man-in-the-middle attack in TLS connection to servers weechat 3.4.1

The Weechat project reports:

After changing the options weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user, the TLS verification function is lost. Consequently, any connection to a server with TLS is made without verifying the certificate, which could lead to a man-in-the-middle attack. Connection to IRC servers with TLS is affected, as well as any connection a server made by a plugin or a script using the function hook_connect.

https://weechat.org/doc/security/WSA-2022-1/ 2022-03-13 2022-03-16
OpenSSL -- Infinite loop in BN_mod_sqrt parsing certificates openssl 1.1.1n,1 openssl-devel 3.0.2 openssl-quictls 3.0.2 libressl 3.4.3 libressl-devel 3.5.1 FreeBSD 13.013.0_8 12.312.3_3 12.212.2_14

The OpenSSL project reports:

Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.

Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.

It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.

Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.

Thus vulnerable situations include:

  • TLS clients consuming server certificates
  • TLS servers consuming client certificates
  • Hosting providers taking certificates or private keys from customers
  • Certificate authorities parsing certification requests from subscribers
  • Anything else which parses ASN.1 elliptic curve parameters

Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue.

CVE-2022-0778 https://www.openssl.org/news/secadv/20220315.txt SA-22:03.openssl 2022-03-15 2022-03-16 2022-03-16
FreeBSD-kernel -- Multiple WiFi issues FreeBSD-kernel 13.013.0_8 12.312.3_3 12.212.2_14

Problem Description:

The paper "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation" reported a number of security vulnerabilities in the 802.11 specification related to frame aggregation and fragmentation.

Additionally, FreeBSD 12.x missed length validation of SSIDs and Information Elements (IEs).

Impact:

As reported on the FragAttacks website, the "design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings." Under suitable conditions an attacker may be able to extract sensitive data or inject data.

CVE-2020-26147 CVE-2020-24588 CVE-2020-26144 SA-22:02.wifi 2022-03-15 2022-03-16
chromium -- multiple vulnerabilities chromium 98.0.4844.74

Chrome Releases reports:

This release contains 11 security fixes, including:

  • [1299422] Critical CVE-2022-0971: Use after free in Blink Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-02-21
  • [1301320] High CVE-2022-0972: Use after free in Extensions. Reported by Sergei Glazunov of Google Project Zero on 2022-02-28
  • [1297498] High CVE-2022-0973: Use after free in Safe Browsing. Reported by avaue and Buff3tts at S.S.L. on 2022-02-15
  • [1291986] High CVE-2022-0974: Use after free in Splitscreen. Reported by @ginggilBesel on 2022-01-28
  • [1295411] High CVE-2022-0975: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-02-09
  • [1296866] High CVE-2022-0976: Heap buffer overflow in GPU. Reported by Omair on 2022-02-13
  • [1299225] High CVE-2022-0977: Use after free in Browser UI. Reported by Khalil Zhani on 2022-02-20
  • [1299264] High CVE-2022-0978: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-02-20
  • [1302644] High CVE-2022-0979: Use after free in Safe Browsing. Reported by anonymous on 2022-03-03
  • [1302157] Medium CVE-2022-0980: Use after free in New Tab Page. Reported by Krace on 2022-03-02
CVE-2022-0971 CVE-2022-0972 CVE-2022-0973 CVE-2022-0974 CVE-2022-0975 CVE-2022-0976 CVE-2022-0977 CVE-2022-0978 CVE-2022-0979 CVE-2022-0980 https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_15.html 2022-03-15 2022-03-15
Apache httpd -- Multiple vulnerabilities apache24 2.4.53

The Apache httpd project reports:

  • mod_lua: Use of uninitialized value of in r:parsebody (moderate) (CVE-2022-22719)

    A carefully crafted request body can cause a read to a random memory area which could cause the process to crash.

  • HTTP request smuggling vulnerability (important) (CVE-2022-22720)

    httpd fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling

  • core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (low) (CVE-2022-22721)

    If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes.

  • mod_sed: Read/write beyond bounds (important) (CVE-2022-23924)

    Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data.

CVE-2022-22719 CVE-2022-22720 CVE-2022-22721 CVE-2022-23943 https://httpd.apache.org/security/vulnerabilities_24.html 2022-03-14 2022-03-15
Teeworlds -- Buffer Overflow teeworlds 0.7.5_2

NVD reports:

Teeworlds up to and including 0.7.5 is vulnerable to Buffer Overflow. A map parser does not validate m_Channels value coming from a map file, leading to a buffer overflow. A malicious server may offer a specially crafted map that will overwrite client's stack causing denial of service or code execution.

CVE-2021-43518 https://nvd.nist.gov/vuln/detail/CVE-2021-43518 2021-10-23 2022-03-10
Gitlab -- multiple vulnerabilities gitlab-ce 14.8.014.8.2 14.7.014.7.4 014.6.5

Gitlab reports:

Runner registration token disclosure through Quick Actions

Unprivileged users can add other users to groups through an API endpoint

Inaccurate display of Snippet contents can be potentially misleading to users

Environment variables can be leaked via the sendmail delivery method

Unauthenticated user enumeration on GraphQL API

Adding a mirror with SSH credentials can leak password

Denial of Service via user comments

CVE-2022-0735 CVE-2022-0549 CVE-2022-0751 CVE-2022-0741 CVE-2021-4191 CVE-2022-0738 CVE-2022-0489 https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/ 2022-02-25 2022-03-09
asterisk -- multiple vulnerabilities asterisk16 16.24.1 asterisk18 18.10.1

The Asterisk project reports:

AST-2022-004 - The header length on incoming STUN messages that contain an ERROR-CODE attribute is not properly checked. This can result in an integer underflow. Note, this requires ICE or WebRTC support to be in use with a malicious remote party.

AST-2022-005 - When acting as a UAC, and when placing an outgoing call to a target that then forks Asterisk may experience undefined behavior (crashes, hangs, etc) after a dialog set is prematurely freed.

AST-2022-006 - If an incoming SIP message contains a malformed multi-part body an out of bounds read access may occur, which can result in undefined behavior. Note, its currently uncertain if there is any externally exploitable vector within Asterisk for this issue, but providing this as a security issue out of caution.

CVE-2021-37706 CVE-2022-23608 CVE-2022-21723 https://downloads.asterisk.org/pub/security/AST-2022-004.html https://downloads.asterisk.org/pub/security/AST-2022-005.html https://downloads.asterisk.org/pub/security/AST-2022-006.html 2022-03-03 2022-03-05
chromium -- multiple vulnerabilities chromium 99.0.4844.51

Chrome Releases reports:

This release contains 28 security fixes, including:

  • [1289383] High CVE-2022-0789: Heap buffer overflow in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-01-21
  • [1274077] High CVE-2022-0790: Use after free in Cast UI. Reported by Anonymous on 2021-11-26
  • [1278322] High CVE-2022-0791: Use after free in Omnibox. Reported by Zhihua Yao of KunLun Lab on 2021-12-09
  • [1285885] High CVE-2022-0792: Out of bounds read in ANGLE. Reported by Jaehun Jeong (@n3sk) of Theori on 2022-01-11
  • [1291728] High CVE-2022-0793: Use after free in Views. Reported by Thomas Orlita on 2022-01-28
  • [1294097] High CVE-2022-0794: Use after free in WebShare. Reported by Khalil Zhani on 2022-02-04
  • [1282782] High CVE-2022-0795: Type Confusion in Blink Layout. Reported by 0x74960 on 2021-12-27
  • [1295786] High CVE-2022-0796: Use after free in Media. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-02-10
  • [1281908] High CVE-2022-0797: Out of bounds memory access in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-12-21
  • [1283402] Medium CVE-2022-0798: Use after free in MediaStream. Reported by Samet Bekmezci @sametbekmezci on 2021-12-30
  • [1279188] Medium CVE-2022-0799: Insufficient policy enforcement in Installer. Reported by Abdelhamid Naceri (halov) on 2021-12-12
  • [1242962] Medium CVE-2022-0800: Heap buffer overflow in Cast UI. Reported by Khalil Zhani on 2021-08-24
  • [1231037] Medium CVE-2022-0801: Inappropriate implementation in HTML parser. Reported by Michal Bentkowski of Securitum on 2021-07-20
  • [1270052] Medium CVE-2022-0802: Inappropriate implementation in Full screen mode. Reported by Irvan Kurniawan (sourc7) on 2021-11-14
  • [1280233] Medium CVE-2022-0803: Inappropriate implementation in Permissions. Reported by Abdulla Aldoseri on 2021-12-15
  • [1264561] Medium CVE-2022-0804: Inappropriate implementation in Full screen mode. Reported by Irvan Kurniawan (sourc7) on 2021-10-29
  • [1290700] Medium CVE-2022-0805: Use after free in Browser Switcher. Reported by raven at KunLun Lab on 2022-01-25
  • [1283434] Medium CVE-2022-0806: Data leak in Canvas. Reported by Paril on 2021-12-31
  • [1287364] Medium CVE-2022-0807: Inappropriate implementation in Autofill. Reported by Alesandro Ortiz on 2022-01-14
  • [1292271] Medium CVE-2022-0808: Use after free in Chrome OS Shell. Reported by @ginggilBesel on 2022-01-29
  • [1293428] Medium CVE-2022-0809: Out of bounds memory access in WebXR. Reported by @uwu7586 on 2022-02-03
CVE-2022-0789 CVE-2022-0790 CVE-2022-0791 CVE-2022-0792 CVE-2022-0793 CVE-2022-0794 CVE-2022-0795 CVE-2022-0796 CVE-2022-0797 CVE-2022-0798 CVE-2022-0799 CVE-2022-0800 CVE-2022-0801 CVE-2022-0802 CVE-2022-0803 CVE-2022-0804 CVE-2022-0805 CVE-2022-0806 CVE-2022-0807 CVE-2022-0808 CVE-2022-0809 https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop.html 2022-03-01 2022-03-02
cyrus-sasl -- Fix off by one error cyrus-sasl 2.1.272.1.28

Cyrus SASL 2.1.x Release Notes New in 2.1.28 reports:

Fix off by one error

CVE-2019-19906 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906 2019-12-19 2022-02-28
typo3 -- XSS vulnerability in svg-sanitize typo3-10-php74 10.4.25 typo3-11-php74 typo3-11-php80 typo3-11-php81 11.5.7

The TYPO3 project reports:

The SVG sanitizer library enshrined/svg-sanitize before version 0.15.0 did not remove HTML elements wrapped in a CDATA section. As a result, SVG content embedded in HTML (fetched as text/html) was susceptible to cross-site scripting. Plain SVG files (fetched as image/svg+xml) were not affected.

CVE-2022-23638 https://github.com/typo3/typo3/commit/9940defb21 https://typo3.org/article/typo3-psa-2022-001 2022-02-22 2022-02-27
Grafana -- Teams API IDOR grafana6 6.0.0 grafana7 7.5.15 grafana8 8.3.5

Grafana Labs reports:

On Jan. 18, an external security researcher, Kürşad ALSAN from NSPECT.IO (@nspectio on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs. This vulnerability only impacts the following API endpoints:

  • /teams/:teamId - an authenticated attacker can view unintended data by querying for the specific team ID.
  • /teams/:search - an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to.
  • /teams/:teamId/members - when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.

We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

CVE-2022-21713 https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/ 2022-01-18 2022-02-12
Grafana -- CSRF grafana6 6.0.0 grafana7 7.5.15 grafana8 8.3.5

Grafana Labs reports:

On Jan. 18, security researchers @jub0bs and @abrahack contacted Grafana to disclose a CSRF vulnerability which allows anonymous attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).

CVE-2022-21703 https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/ 2022-01-18 2022-02-12
Grafana -- XSS grafana6 6.0.0 grafana7 7.5.15 grafana8 8.3.5

Grafana Labs reports:

On Jan. 16, an external security researcher, Jasu Viding contacted Grafana to disclose an XSS vulnerability in the way that Grafana handles data sources. Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).

CVE-2022-21702 https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/ 2022-01-16 2022-02-12
cryptopp -- ElGamal implementation allows plaintext recovery cryptopp 8.6.0

Crypto++ 8.6 release notes reports:

The ElGamal implementation in Crypto++ through 8.5 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.

CVE-2021-40530 https://nvd.nist.gov/vuln/detail/CVE-2021-40530 2021-09-06 2022-02-24
flac -- fix encoder bug flac 1.3.4

The FLAC 1.3.4 release reports:

Fix 12 decoder bugs found by oss-fuzz.

Fix encoder bug CVE-2021-0561.

CVE-2021-0561 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0561 2022-02-20 2022-02-24
cyrus-sasl -- Escape password for SQL insert/update commands cyrus-sasl-sql 2.1.272.1.27_1

Cyrus SASL 2.1.x Release Notes New in 2.1.28 reports:

Escape password for SQL insert/update commands.

CVE-2022-24407 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24407 2022-02-04 2022-02-23
The Update Framwork -- path traversal vulnerability py37-tuf py38-tuf py39-tuf py310-tuf py311-tuf 0.18.1

NVD reports:

python-tuf is a Python reference implementation of The Update Framework (TUF). In both clients (`tuf/client` and `tuf/ngclient`), there is a path traversal vulnerability that in the worst case can overwrite files ending in `.json` anywhere on the client system on a call to `get_one_valid_targetinfo()`. It occurs because the rolename is used to form the filename, and may contain path traversal characters (ie `../../name.json`). The impact is mitigated by a few facts: It only affects implementations that allow arbitrary rolename selection for delegated targets metadata, The attack requires the ability to A) insert new metadata for the path-traversing role and B) get the role delegated by an existing targets metadata, The written file content is heavily restricted since it needs to be a valid, signed targets file. The file extension is always .json. A fix is available in version 0.19 or newer. There are no workarounds that do not require code changes. Clients can restrict the allowed character set for rolenames, or they can store metadata in files named in a way that is not vulnerable: neither of these approaches is possible without modifying python-tuf.

CVE-2021-41131 https://nvd.nist.gov/vuln/detail/CVE-2021-41131 2021-10-22 2022-02-22
seatd-launch -- remove files with escalated privileges with SUID seatd 0.6.00.6.4

Kenny Levinsen reports:

seatd-launch could use a user-specified socket path instead of the internally generated socket path, and would unlink the socket path before use to guard against collision with leftover sockets. This meant that a caller could freely control what file path would be unlinked and replaced with a user-owned seatd socket for the duration of the session.

If seatd-launch had the SUID bit set, this could be used by a malicious user to remove files with the privileges of the owner of seatd-launch, which is likely root, and replace it with a user-owned domain socket.

This does not directly allow retrieving the contents of existing files, and the user-owned socket file is at the current time not believed to be directly useful for further exploitation.

https://lists.sr.ht/~kennylevinsen/seatd-announce/%3CETEO7R.QG8B1KGD531R1%40kl.wtf%3E CVE-2022-25643 2022-02-21 2022-02-21 2022-02-22
Qt5 -- QProcess unexpected search path qt5-core 5.15.2p263_1

The Qt Company reports:

Recently, the Qt Project's security team was made aware of an issue regarding QProcess and determined it to be a security issue on Unix-based platforms only. We do not believe this to be a considerable risk for applications as the likelihood of it being triggered is minimal.

Specifically, the problem is around using QProcess to start an application without having an absolute path, and as a result, it depends on it finding it in the PATH environment variable. As a result, it may be possible for an attacker to place their copy of the executable in question inside the working/current directory for the QProcess and have it invoked that instead.

CVE-2022-25255 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25255 2022-02-17 2022-02-21
libmysoft -- Heap-based buffer overflow vulnerability libmysofa 1.2.1.13

Zhengjie Du reports:

There are some heap-buffer-overflows in mysofa2json of libmysofa. They are in function loudness, mysofa_check and readOHDRHeaderMessageDataLayout.

CVE-2021-3756 https://www.huntr.dev/bounties/7ca8d9ea-e2a6-4294-af28-70260bb53bc1/ 2021-09-27 2022-02-20
MariaDB -- Multiple vulnerabilities mariadb103-client 10.3.34 mariadb103-server 10.3.34 mariadb104-client 10.4.24 mariadb104-server 10.4.24 mariadb105-client 10.5.15 mariadb105-server 10.5.15

MariaDB reports:

MariaDB reports 5 vulnerabilities in supported versions resulting from fuzzing tests

CVE-2021-46661 CVE-2021-46663 CVE-2021-46664 CVE-2021-46665 CVE-2021-46668 https://mariadb.com/kb/en/cve/ https://mariadb.com/kb/en/mdb-10334-rn/ https://mariadb.com/kb/en/mdb-10424-rn/ https://mariadb.com/kb/en/mdb-10515-rn/ 2022-02-12 2022-02-18
go -- multiple vulnerabilities go 1.17.7,1

The Go project reports:

crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates

Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values.

math/big: prevent large memory consumption in Rat.SetString

An attacker can cause unbounded memory growth in a program using (*Rat).SetString due to an unhandled overflow.

cmd/go: prevent branches from materializing into versions

A branch whose name resembles a version tag (such as "v1.0.0" or "subdir/v2.0.0-dev") can be considered a valid version by the go command. Materializing versions from branches might be unexpected and bypass ACLs that limit the creation of tags but not branches.

CVE-2022-23806 https://github.com/golang/go/issues/50974 CVE-2022-23772 https://github.com/golang/go/issues/50699 CVE-2022-23773 https://github.com/golang/go/issues/35671 2022-02-10 2022-02-18
chromium -- multiple vulnerabilities chromium 98.0.4758.102

Chrome Releases reports:

This release contains 11 security fixes, including:

  • [1290008] High CVE-2022-0603: Use after free in File Manager. Reported by Chaoyuan Peng (@ret2happy) on 2022-01-22
  • [1273397] High CVE-2022-0604: Heap buffer overflow in Tab Groups. Reported by Krace on 2021-11-24
  • [1286940] High CVE-2022-0605: Use after free in Webstore API. Reported by Thomas Orlita on 2022-01-13
  • [1288020] High CVE-2022-0606: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-01-17
  • [1250655] High CVE-2022-0607: Use after free in GPU. Reported by 0x74960 on 2021-09-17
  • [1270333] High CVE-2022-0608: Integer overflow in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-11-16
  • [1296150] High CVE-2022-0609: Use after free in Animation. Reported by Adam Weidemann and Clément Lecigne of Google' Threat Analysis Group on 2022-02-10
  • [1285449] Medium CVE-2022-0610: Inappropriate implementation in Gamepad API. Reported by Anonymous on 2022-01-08
CVE-2022-0603 CVE-2022-0604 CVE-2022-0605 CVE-2022-0606 CVE-2022-0607 CVE-2022-0608 CVE-2022-0609 CVE-2022-0610 https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html 2022-02-14 2022-02-15
py-twisted -- cookie and authorization headers are leaked when following cross-origin redirects py37-twisted py38-twisted py39-twisted py310-twisted 22.1.0

Twisted developers report:

Cookie and Authorization headers are leaked when following cross-origin redirects in twited.web.client.RedirectAgent and twisted.web.client.BrowserLikeRedirectAgent.

https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx 2022-02-07 2022-02-13
zsh -- Arbitrary command execution vulnerability zsh 5.8.1

Marc Cornellà reports:

Some prompt expansion sequences, such as %F, support 'arguments' which are themselves expanded in case they contain colour values, etc. This additional expansion would trigger PROMPT_SUBST evaluation, if enabled. This could be abused to execute code the user didn't expect. e.g., given a certain prompt configuration, an attacker could trick a user into executing arbitrary code by having them check out a Git branch with a specially crafted name.

CVE-2021-45444 https://zsh.sourceforge.io/releases.html 2022-02-12 2022-02-12
Node.js -- January 2022 Security Releases node 12.0.012.22.9 14.0.014.18.3 16.0.016.13.2 17.0.017.3.1 node16 16.13.2 node14 14.18.3

Node.js reports:

Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.

Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)

Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.

Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)

Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.

Prototype pollution via console.table properties (Low)(CVE-2022-21824)

Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.

CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824 https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/ 2022-01-10 2022-02-12
jenkins -- DoS vulnerability in bundled XStream library jenkins 2.334 jenkins-lts 2.319.3

Jenkins Security Advisory:

Description

(Medium) SECURITY-2602 / CVE-2021-43859 (upstream issue), CVE-2022-0538 (Jenkins-specific converters)

DoS vulnerability in bundled XStream library

CVE-2021-43859 CVE-2022-0538 https://www.jenkins.io/security/advisory/2022-02-09/ 2022-02-09 2022-02-10
MariaDB -- Multiple vulnerabilities mariadb103-client 10.3.33 mariadb103-server 10.3.33 mariadb104-client 10.4.23 mariadb104-server 10.4.23 mariadb105-client 10.5.14 mariadb105-server 10.5.14

MariaDB reports:

MariaDB reports 5 vulnerabilities in supported versions without further detailed information.

CVE-2022-24052 CVE-2022-24051 CVE-2022-24050 CVE-2022-24048 CVE-2021-46659 https://mariadb.com/kb/en/cve/ https://mariadb.com/kb/en/mdb-10333-rn/ https://mariadb.com/kb/en/mdb-10423-rn/ https://mariadb.com/kb/en/mdb-10514-rn/ 2022-02-10 2022-02-10 2022-02-17
xrdp -- privilege escalation xrdp 0.9.17,10.9.18.1,1 xrdp-devel 0.9.17,10.9.18.1,1

xrdp project reports:

An integer underflow leading to a heap overflow in the sesman server allows any unauthenticated attacker which is accessible to a sesman server (listens by default on localhost when installing xrdp, but can be remote if configured otherwise) to execute code as root.

CVE-2022-23613 https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-8h98-h426-xf32 2022-01-23 2022-02-08 2022-02-15
Gitlab -- multiple vulnerabilities gitlab-ce 14.7.014.7.1 14.6.014.6.4 014.5.4

Gitlab reports:

Arbitrary POST requests via special HTML attributes in Jupyter Notebooks

DNS Rebinding vulnerability in Irker IRC Gateway integration

Missing certificate validation for external CI services

Blind SSRF Through Project Import

Open redirect vulnerability in Jira Integration

Issue link was disclosing the linked issue

Service desk email accessible by project non-members

Authenticated users can search other users by their private email

"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request

Deleting packages in bulk from package registries may cause table locks

Autocomplete enabled on specific pages

Possible SSRF due to not blocking shared address space

System notes reveals private project path when Issue is moved to a public project

Timeout for pages using Markdown

Certain branch names could not be protected

CVE-2022-0427 CVE-2022-0425 CVE-2022-0123 CVE-2022-0136 CVE-2022-0283 CVE-2022-0390 CVE-2022-0373 CVE-2022-0371 CVE-2021-39943 CVE-2022-0477 CVE-2022-0167 CVE-2022-0249 CVE-2022-0344 CVE-2022-0488 CVE-2021-39931 https://about.gitlab.com/releases/2022/02/03/security-release-gitlab-14-7-1-released/ 2022-02-03 2022-02-04
chromium -- multiple vulnerabilities chromium 98.0.4758.80

Chrome Releases reports:

This release contains 27 security fixes, including:

  • [1284584] High CVE-2022-0452: Use after free in Safe Browsing. Reported by avaue at S.S.L. on 2022-01-05
  • [1284916] High CVE-2022-0453: Use after free in Reader Mode. Reported by Rong Jian of VRI on 2022-01-06
  • [1287962] High CVE-2022-0454: Heap buffer overflow in ANGLE. Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on 2022-01-17
  • [1270593] High CVE-2022-0455: Inappropriate implementation in Full Screen Mode. Reported by Irvan Kurniawan (sourc7) on 2021-11-16
  • [1289523] High CVE-2022-0456: Use after free in Web Search. Reported by Zhihua Yao of KunLun Lab on 2022-01-21
  • [1274445] High CVE-2022-0457: Type Confusion in V8. Reported by rax of the Group0x58 on 2021-11-29
  • [1267060] High CVE-2022-0458: Use after free in Thumbnail Tab Strip. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-11-05
  • [1244205] High CVE-2022-0459: Use after free in Screen Capture. Reported by raven (@raid_akame) on 2021-08-28
  • [1250227] Medium CVE-2022-0460: Use after free in Window Dialog. Reported by 0x74960 on 2021-09-16
  • [1256823] Medium CVE-2022-0461: Policy bypass in COOP. Reported by NDevTK on 2021-10-05
  • [1270470] Medium CVE-2022-0462: Inappropriate implementation in Scroll. Reported by Youssef Sammouda on 2021-11-16
  • [1268240] Medium CVE-2022-0463: Use after free in Accessibility. Reported by Zhihua Yao of KunLun Lab on 2021-11-09
  • [1270095] Medium CVE-2022-0464: Use after free in Accessibility. Reported by Zhihua Yao of KunLun Lab on 2021-11-14
  • [1281941] Medium CVE-2022-0465: Use after free in Extensions. Reported by Samet Bekmezci @sametbekmezci on 2021-12-22
  • [1115460] Medium CVE-2022-0466: Inappropriate implementation in Extensions Platform. Reported by David Erceg on 2020-08-12
  • [1239496] Medium CVE-2022-0467: Inappropriate implementation in Pointer Lock. Reported by Alesandro Ortiz on 2021-08-13
  • [1252716] Medium CVE-2022-0468: Use after free in Payments. Reported by Krace on 2021-09-24
  • [1279531] Medium CVE-2022-0469: Use after free in Cast. Reported by Thomas Orlita on 2021-12-14
  • [1269225] Low CVE-2022-0470: Out of bounds memory access in V8. Reported by Looben Yang on 2021-11-11
CVE-2022-0452 CVE-2022-0453 CVE-2022-0454 CVE-2022-0455 CVE-2022-0456 CVE-2022-0457 CVE-2022-0458 CVE-2022-0459 CVE-2022-0460 CVE-2022-0461 CVE-2022-0462 CVE-2022-0463 CVE-2022-0464 CVE-2022-0465 CVE-2022-0466 CVE-2022-0467 CVE-2022-0468 CVE-2022-0469 CVE-2022-0470 https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html 2022-02-01 2022-02-02
h2o -- uninitialised memory access in HTTP3 h2o-devel 2.3.0.d.20220131

Emil Lerner reports:

When receiving QUIC frames in certain order, HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. When h2o is used as a reverse proxy, an attacker can abuse this vulnerability to send internal state of h2o to backend servers controlled by the attacker or third party. Also, if there is an HTTP endpoint that reflects the traffic sent from the client, an attacker can use that reflector to obtain internal state of h2o.

This internal state includes traffic of other connections in unencrypted form and TLS session tickets.

This vulnerability exists in h2o server with HTTP/3 support, between commit 93af138 and d1f0f65. None of the released versions of h2o are affected by this vulnerability.

CVE-2021-43848 https://github.com/h2o/h2o/security/advisories/GHSA-f9xw-j925-m4m4 2021-01-31 2022-02-02
FreeBSD -- vt console buffer overflow FreeBSD 13.013.0_6 12.212.2_12

Problem Description:

Under certain conditions involving use of the highlight buffer while text is scrolling on the console, console data may overwrite data structures associated with the system console or other kernel memory.

Impact:

Users with access to the system console may be able to cause system misbehaviour.

CVE-2021-29632 SA-22:01.vt 2022-01-11 2022-02-02
samba -- Multiple Vulnerabilities samba413 4.13.17 samba414 4.14.12 samba415 4.15.5

The Samba Team reports:

  • CVE-2021-43566: Malicious client using an SMB1 or NFS race to allow a directory to be created in an area of the server file system not exported under the share definition.
  • CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share.
  • CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution.
  • CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services.
CVE-2021-43566 CVE-2021-44141 CVE-2021-44142 CVE-2022-0336 https://www.samba.org/samba/security/CVE-2021-43566.html https://www.samba.org/samba/security/CVE-2021-44141.html https://www.samba.org/samba/security/CVE-2021-44142.html https://www.samba.org/samba/security/CVE-2022-0336.html 2022-01-31 2022-02-01
Rust -- Race condition enabling symlink following rust 1.58.1 rust-nightly 1.60.0.20220202

The Rust Security Response WG was notified that the std::fs::remove_dir_all standard library function is vulnerable to a race condition enabling symlink following (CWE-363). An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete.

CVE-2022-21658 https://blog.rust-lang.org/2022/01/20/cve-2022-21658.html 2022-01-20 2022-01-31 2022-02-03
varnish -- Request Smuggling Vulnerability varnish6 6.6.2 varnish4 4.1.11r6

Varnish Cache Project reports:

A request smuggling attack can be performed on HTTP/1 connections on Varnish Cache servers. The smuggled request would be treated as an additional request by the Varnish server, go through normal VCL processing, and injected as a spurious response on the client connection.

CVE-2022-23959 https://varnish-cache.org/security/VSV00008.html https://docs.varnish-software.com/security/VSV00008/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23959 2022-01-25 2022-01-29
OpenEXR -- Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute openexr 3.1.4

Cary Phillips reports:

[OpenEXR Version 3.1.4 is a] patch release that [...] addresses one public security vulnerability: CVE-2021-45942 Heap-buffer-overflow in Imf_3_1::LineCompositeTask::execute [and several] specific OSS-fuzz issues [...].

CVE-2021-45942 https://github.com/AcademySoftwareFoundation/openexr/blob/v3.1.4/CHANGES.md#version-314-january-26-2022 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41999 https://github.com/AcademySoftwareFoundation/openexr/pull/1209 2021-11-26 2022-01-28
OpenSSL -- BN_mod_exp incorrect results on MIPS openssl 1.1.1m,1 openssl-devel 3.0.1 openssl-quictls 3.0.1

The OpenSSL project reports:

BN_mod_exp may produce incorrect results on MIPS (Moderate)

There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701.

CVE-2021-4160 https://www.openssl.org/news/secadv/20220128.txt 2022-01-28 2022-01-28
mustache - Possible Remote Code Execution phpmustache 2.14.1

huntr.dev reports:

In Mustache.php v2.0.0 through v2.14.0, Sections tag can lead to arbitrary php code execution even if strict_callables is true when section value is controllable.

CVE-2022-0323 https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0323 2022-01-20 2022-01-27
polkit -- Local Privilege Escalation polkit 0.120_1

Qualys reports:

We discovered a Local Privilege Escalation (from any user to root) in polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution.

CVE-2021-4034 https://seclists.org/oss-sec/2022/q1/80 ports/261482 2022-01-25 2022-01-26
strongswan - Incorrect Handling of Early EAP-Success Messages strongswan 5.9.5

Strongswan Release Notes reports:

Fixed a vulnerability in the EAP client implementation that was caused by incorrectly handling early EAP-Success messages. It may allow to bypass the client and in some scenarios even the server authentication, or could lead to a denial-of-service attack. This vulnerability has been registered as CVE-2021-45079.

CVE-2021-45079 https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-(cve-2021-45079).html 2021-12-16 2022-01-25
strongswan - denial-of-service vulnerability in the gmp plugin/denial-of-service vulnerability in the in-memory certificate cache strongswan 5.9.4

Strongswan Release Notes reports:

Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990.

Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991.

CVE-2021-41990 CVE-2021-41991 https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-(cve-2021-41990).html https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-(cve-2021-41991).html 2021-10-04 2022-01-25
aide -- heap-based buffer overflow aide 0.17.4

David Bouman reports:

AIDE before 0.17.4 allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow.

Aide uses a fixed size (16k bytes) for the return buffer in encode_base64/decode_base64 functions. This results in a segfault if aide processes a file with too large extended attribute value or ACL.

CVE-2021-45417 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45417 2022-01-15 2022-01-23
chromium -- multiple vulnerabilities chromium 97.0.4692.99

Chrome Releases reports:

This release contains 26 security fixes, including:

  • [1284367] Critical CVE-2022-0289: Use after free in Safe browsing. Reported by Sergei Glazunov of Google Project Zero on 2022-01-05
  • [1260134][1260007] High CVE-2022-0290: Use after free in Site isolation. Reported by Brendon Tiszka and Sergei Glazunov of Google Project Zero on 2021-10-15
  • [1281084] High CVE-2022-0291: Inappropriate implementation in Storage. Reported by Anonymous on 2021-12-19
  • [1270358] High CVE-2022-0292: Inappropriate implementation in Fenced Frames. Reported by Brendon Tiszka on 2021-11-16
  • [1283371] High CVE-2022-0293: Use after free in Web packaging. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-30
  • [1273017] High CVE-2022-0294: Inappropriate implementation in Push messaging. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-11-23
  • [1278180] High CVE-2022-0295: Use after free in Omnibox. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-09
  • [1283375] High CVE-2022-0296: Use after free in Printing. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-30
  • [1274316] High CVE-2022-0297: Use after free in Vulkan. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-11-28
  • [1212957] High CVE-2022-0298: Use after free in Scheduling. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-25
  • [1275438] High CVE-2022-0300: Use after free in Text Input Method Editor. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-01
  • [1276331] High CVE-2022-0301: Heap buffer overflow in DevTools. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-12-03
  • [1278613] High CVE-2022-0302: Use after free in Omnibox. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-10
  • [1281979] High CVE-2022-0303: Race in GPU Watchdog. Reported by Yigit Can YILMAZ (@yilmazcanyigit) on 2021-12-22
  • [1282118] High CVE-2022-0304: Use after free in Bookmarks. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-22
  • [1282354] High CVE-2022-0305: Inappropriate implementation in Service Worker API. Reported by @uwu7586 on 2021-12-23
  • [1283198] High CVE-2022-0306: Heap buffer overflow in PDFium. Reported by Sergei Glazunov of Google Project Zero on 2021-12-29
  • [1281881] Medium CVE-2022-0307: Use after free in Optimization Guide. Reported by Samet Bekmezci @sametbekmezci on 2021-12-21
  • [1282480] Medium CVE-2022-0308: Use after free in Data Transfer. Reported by @ginggilBesel on 2021-12-24
  • [1240472] Medium CVE-2022-0309: Inappropriate implementation in Autofill. Reported by Alesandro Ortiz on 2021-08-17
  • [1283805] Medium CVE-2022-0310: Heap buffer overflow in Task Manager. Reported by Samet Bekmezci @sametbekmezci on 2022-01-03
  • [1283807] Medium CVE-2022-0311: Heap buffer overflow in Task Manager. Reported by Samet Bekmezci @sametbekmezci on 2022-01-03
CVE-2022-0289 CVE-2022-0290 CVE-2022-0291 CVE-2022-0292 CVE-2022-0293 CVE-2022-0294 CVE-2022-0295 CVE-2022-0296 CVE-2022-0297 CVE-2022-0298 CVE-2022-0300 CVE-2022-0301 CVE-2022-0302 CVE-2022-0303 CVE-2022-0304 CVE-2022-0305 CVE-2022-0306 CVE-2022-0307 CVE-2022-0308 CVE-2022-0309 CVE-2022-0310 CVE-2022-0311 https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop_19.html 2022-01-19 2022-01-20
MySQL -- Multiple vulnerabilities mysql-connector-odbc 8.0.28 mysql-connector-c++ 8.0.28 mysql-connector-java 8.0.28 mysql-connector-java51 8.0.28 mysql-server55 5.5.63 mysql-server56 5.6.52 mysql-server57 5.7.37 mysql-server80 8.0.27

Oracle reports:

This Critical Patch Update contains 78 new security patches for Oracle MySQL. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle MySQL is 7.4

CVE-2021-22946 CVE-2021-3712 CVE-2022-21278 CVE-2022-21351 CVE-2022-21363 CVE-2022-21358 CVE-2022-21352 CVE-2022-21367 CVE-2022-21301 CVE-2022-21378 CVE-2022-21302 CVE-2022-21254 CVE-2022-21348 CVE-2022-21270 CVE-2022-21256 CVE-2022-21379 CVE-2022-21362 CVE-2022-21374 CVE-2022-21253 CVE-2022-21264 CVE-2022-21297 CVE-2022-21339 CVE-2022-21342 CVE-2022-21370 CVE-2022-21304 CVE-2022-21344 CVE-2022-21303 CVE-2022-21368 CVE-2022-21245 CVE-2022-21265 CVE-2022-21249 CVE-2022-21372 https://www.oracle.com/security-alerts/cpujan2022.html#AppendixMSQL 2022-01-18 2022-01-19
Prosody XMPP server advisory 2022-01-13 prosody 0.11.12

The Prosody teaM reports:

It was discovered that an internal Prosody library to load XML based on does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).

CVE-2022-0217 https://prosody.im/security/advisory_20220113/ 2022-01-10 2022-01-14
WordPress -- Multiple Vulnerabilities wordpress 5.8.3,1

The WordPress project reports:

  • Issue with stored XSS through post slugs
  • Issue with Object injection in some multisite installations
  • SQL injection vulnerability in WP_Query
  • SQL injection vulnerability in WP_Meta_Query
https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/ 2022-01-06 2022-01-13
clamav -- invalid pointer read that may cause a crash clamav 0.104.2,1 clamav-lts 0.103.5,1

Laurent Delosieres reports:

Fix for invalid pointer read that may cause a crash. This issue affects 0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json option) is enabled.

CVE-2022-20698 https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html 2022-01-12 2022-01-12
jenkins -- multiple vulnerabilities jenkins 2.330 jenkins-lts 2.319.2

Jenkins Security Advisory:

Description

(Medium) SECURITY-2558 / CVE-2022-20612

CSRF vulnerability in build triggers

CVE-2022-20612 https://www.jenkins.io/security/advisory/2022-01-12/ 2022-01-12 2022-01-12
Gitlab -- Multiple Vulnerabilities gitlab-ce 14.6.014.6.2 14.5.014.5.3 7.714.4.5

Gitlab reports:

Arbitrary file read via group import feature

Stored XSS in notes

Lack of state parameter on GitHub import project OAuth

Vulnerability related fields are available to unauthorized users on GraphQL API

Deleting packages may cause table locks

IP restriction bypass via GraphQL

Repository content spoofing using Git replacement references

Users can import members from projects that they are not a maintainer on through API

Possibility to direct user to malicious site through Slack integration

Bypassing file size limits to the NPM package repository

User with expired password can still access sensitive information

Incorrect port validation allows access to services on ports 80 and 443 if GitLab is configured to run on another port

CVE-2021-39946 CVE-2022-0154 CVE-2022-0152 CVE-2022-0151 CVE-2022-0172 CVE-2022-0090 CVE-2022-0125 CVE-2022-0124 CVE-2021-39942 CVE-2022-0093 CVE-2021-39927 https://about.gitlab.com/releases/2022/01/11/security-release-gitlab-14-6-2-released/ 2022-01-11 2022-01-12
uriparser -- Multiple vulnerabilities uriparser 0.9.6

Upstream project reports:

Fix a bug affecting both uriNormalizeSyntax* and uriMakeOwner* functions where the text range in .hostText would not be duped using malloc but remain unchanged (and hence "not owned") for URIs with an IPv4 or IPv6 address hostname; depending on how an application uses uriparser, this could lead the application into a use-after-free situation. As the second half, fix uriFreeUriMembers* functions that would not free .hostText memory for URIs with an IPv4 or IPv6 address host; also, calling uriFreeUriMembers* multiple times on a URI of this very nature would result in trying to free pointers to stack (rather than heap) memory. Fix functions uriNormalizeSyntax* for out-of-memory situations (i.e. malloc returning NULL) for URIs containing empty segments (any of user info, host text, query, or fragment) where previously pointers to stack (rather than heap) memory were freed.

CVE-2021-46141 CVE-2021-46142 https://github.com/uriparser/uriparser/blob/uriparser-0.9.6/ChangeLog 2022-01-06 2022-01-09
Django -- multiple vulnerabilities py37-django22 py38-django22 py39-django22 2.2.26 py37-django32 py38-django32 py39-django32 3.2.11 py37-django40 py38-django40 py39-django40 4.0.1

Django Release reports:

CVE-2021-45115: Denial-of-service possibility in UserAttributeSimilarityValidator.

CVE-2021-45116: Potential information disclosure in dictsort template filter.

CVE-2021-45452: Potential directory-traversal via Storage.save().

CVE-2021-45115 CVE-2021-45116 CVE-2021-45452 https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ 2021-12-20 2022-01-06
routinator -- multiple vulnerabilities routinator 0.10.1

nlnetlabs reports:

Release 0.10.2 contains fixes for the following issues:

  • Medium CVE-2021-43172: Infinite length chain of RRDP repositories. Credit: Koen van Hove. Date: 2021-11-09
  • Medium CVE-2021-43173: Hanging RRDP request. Credit: Koen van Hove. Date: 2021-11-09
  • Medium CVE-2021-43174: gzip transfer encoding caused out-of-memory crash. Credit Koen van Hove. Date: 2021-11-09
CVE-2021-43172 CVE-2021-43173 CVE-2021-43174 https://nlnetlabs.nl/projects/rpki/security-advisories/ 2021-11-09 2022-01-05
chromium -- multiple vulnerabilities chromium 97.0.4692.71

Chrome Releases reports:

This release contains 37 security fixes, including:

  • [$TBD][1275020] Critical CVE-2022-0096: Use after free in Storage. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-11-30
  • [1117173] High CVE-2022-0097: Inappropriate implementation in DevTools. Reported by David Erceg on 2020-08-17
  • [1273609] High CVE-2022-0098: Use after free in Screen Capture. Reported by @ginggilBesel on 2021-11-24
  • [1245629] High CVE-2022-0099: Use after free in Sign-in. Reported by Rox on 2021-09-01
  • [1238209] High CVE-2022-0100: Heap buffer overflow in Media streams API. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-08-10
  • [1249426] High CVE-2022-0101: Heap buffer overflow in Bookmarks. Reported by raven (@raid_akame) on 2021-09-14
  • [1260129] High CVE-2022-0102: Type Confusion in V8 . Reported by Brendon Tiszka on 2021-10-14
  • [1272266] High CVE-2022-0103: Use after free in SwiftShader. Reported by Abraruddin Khan and Omair on 2021-11-21
  • [1273661] High CVE-2022-0104: Heap buffer overflow in ANGLE. Reported by Abraruddin Khan and Omair on 2021-11-25
  • [1274376] High CVE-2022-0105: Use after free in PDF. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-11-28
  • [1278960] High CVE-2022-0106: Use after free in Autofill. Reported by Khalil Zhani on 2021-12-10
  • [1248438] Medium CVE-2022-0107: Use after free in File Manager API. Reported by raven (@raid_akame) on 2021-09-10
  • [1248444] Medium CVE-2022-0108: Inappropriate implementation in Navigation. Reported by Luan Herrera (@lbherrera_) on 2021-09-10
  • [1261689] Medium CVE-2022-0109: Inappropriate implementation in Autofill. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2021-10-20
  • [1237310] Medium CVE-2022-0110: Incorrect security UI in Autofill. Reported by Alesandro Ortiz on 2021-08-06
  • [1241188] Medium CVE-2022-0111: Inappropriate implementation in Navigation. Reported by garygreen on 2021-08-18
  • [1255713] Medium CVE-2022-0112: Incorrect security UI in Browser UI. Reported by Thomas Orlita on 2021-10-04
  • [1039885] Medium CVE-2022-0113: Inappropriate implementation in Blink. Reported by Luan Herrera (@lbherrera_) on 2020-01-07
  • [1267627] Medium CVE-2022-0114: Out of bounds memory access in Web Serial. Reported by Looben Yang on 2021-11-06
  • [1268903] Medium CVE-2022-0115: Uninitialized Use in File API. Reported by Mark Brand of Google Project Zero on 2021-11-10
  • [1272250] Medium CVE-2022-0116: Inappropriate implementation in Compositing. Reported by Irvan Kurniawan (sourc7) on 2021-11-20
  • [1115847] Low CVE-2022-0117: Policy bypass in Service Workers. Reported by Dongsung Kim (@kid1ng) on 2020-08-13
  • [1238631] Low CVE-2022-0118: Inappropriate implementation in WebShare. Reported by Alesandro Ortiz on 2021-08-11
  • [1262953] Low CVE-2022-0120: Inappropriate implementation in Passwords. Reported by CHAKRAVARTHI (Ruler96) on 2021-10-25
CVE-2022-0096 CVE-2022-0097 CVE-2022-0098 CVE-2022-0099 CVE-2022-0100 CVE-2022-0101 CVE-2022-0102 CVE-2022-0103 CVE-2022-0104 CVE-2022-0105 CVE-2022-0106 CVE-2022-0107 CVE-2022-0108 CVE-2022-0109 CVE-2022-0110 CVE-2022-0111 CVE-2022-0112 CVE-2022-0113 CVE-2022-0114 CVE-2022-0115 CVE-2022-0116 CVE-2022-0117 CVE-2022-0118 CVE-2022-0120 https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html 2022-01-04 2022-01-05