As correcções de segurança
node-16.17.1-alt1
build Vitaly Lipatov,
2022-09-30
- new version 16.17.1 (with rpmrb script)
- set npm >= 8.15.0
- CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
- CVE-2022-32213: bypass via obs-fold mechanic (Medium)
- CVE-2022-35255: Weak randomness in WebCrypto keygen
- CVE-2022-35256: HTTP Request Smuggling - Incorrect Parsing of Header Fields (Medium)
php8.1-8.1.11-alt1 build Anton Farygin, 2022-09-30
- 8.1.10 -> 8.1.11 (fixes: CVE-2022-31628, CVE-2022-31629)
php8.0-8.0.24-alt1 build Anton Farygin, 2022-09-30
- 8.0.23 -> 8.0.24 (Fixes: CVE-2022-31629)
chromium-106.0.5249.61-alt1 build Alexey Gladkov, 2022-09-28
- New version (106.0.5249.61).
- Security fixes:
- CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools.
- CVE-2022-3304: Use after free in CSS.
- CVE-2022-3305: Use after free in Survey.
- CVE-2022-3306: Use after free in Survey.
- CVE-2022-3307: Use after free in Media.
- CVE-2022-3308: Insufficient policy enforcement in Developer Tools.
- CVE-2022-3309: Use after free in Assistant.
- CVE-2022-3310: Insufficient policy enforcement in Custom Tabs.
- CVE-2022-3311: Use after free in Import.
- CVE-2022-3312: Insufficient validation of untrusted input in VPN.
- CVE-2022-3313: Incorrect security UI in Full Screen.
- CVE-2022-3314: Use after free in Logging.
- CVE-2022-3315: Type confusion in Blink.
- CVE-2022-3316: Insufficient validation of untrusted input in Safe Browsing.
- CVE-2022-3317: Insufficient validation of untrusted input in Intents.
- CVE-2022-3318: Use after free in ChromeOS Notifications.
kernel-image-centos-5.14.0.168-alt1.el9 build Alexey Gladkov, 2022-09-27
- Updated to kernel-5.14.0-168.el9 (fixes: CVE-2022-20141, CVE-2022-3077):
+ ACPI: Improve fwnode serial multi-instantiate driver
+ assoc_array: Fix BUG_ON during garbage collect
+ Backport fscache/cachefiles rework for 9.2
+ BPF and XDP rebase to v5.17
+ drm/amdgpu: Only disable prefer_shadow on hawaii
+ drm/hyperv : Removing the restruction of VRAM allocation with PCI bar size
+ drm/nouveau/kms/nv140-: Disable interlacing
+ i2c: ismt: prevent memory corruption in ismt_access()
+ i40e: Fix kernel crash during module removal
+ ice: Allow operation with reduced device MSI-X
+ igmp: Add ip_mc_list lock in ip_check_mc_rcu
+ ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero
+ Merge tag 'kernel-5.14.0-162.3.1.el9'
+ nohz/full, sched/rt: Fix missed tick-reenabling bug in dequeue_task_rt()
+ NUMA related scheduler improvements
+ nvme-fc: fix the fc_appid_store return value
+ powerpc/mobility: Extend the NMI watchdog timer during the LPM
+ powerpc/perf: Optimize clearing the pending PMI and remove WARN_ON for PMI check in power_pmu_disable
+ rcu: Update RCU code base to v5.19 for 9.2 RT
+ Revert "net: macsec: update SCI upon MAC address change."
+ [s390]: [IBM 9.2 FEAT] Static PIE Support - kernel part
+ [s390]: RHEL9.0 - zfcp: fix missing auto port scan and thus missing target ports
+ sched/fair: Introduce SIS_UTIL to search idle CPU based on sum of util_avg
+ scsi: restore setting of scmd->scsi_done() in EH and reset ioctl paths
+ sysctl: returns -EINVAL when a negative value is passed to proc_doulongvec_minmax
+ x86/boot: Don't propagate uninitialized boot_params->cc_blob_address
expat-2.4.9-alt1 build Vladimir D. Seleznev, 2022-09-24
- Updated to 2.4.9 (fixes: CVE-2022-40674 Heap use-after-free vulnerability in
function doContent).
unbound-1.16.3-alt1 build Alexei Takaseev, 2022-09-22
- 1.16.3
- (Fixes CVE-2022-30698, CVE-2022-30699, CVE-2022-3204)
firefox-105.0-alt1 build Alexey Gladkov, 2022-09-21
- New release (105.0).
- Security fixes:
+ CVE-2022-40959: Bypassing FeaturePolicy restrictions on transient pages
+ CVE-2022-40960: Data-race when parsing non-UTF-8 URLs in threads
+ CVE-2022-40958: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix
+ CVE-2022-40961: Stack-buffer overflow when initializing Graphics
+ CVE-2022-40956: Content-Security-Policy base-uri bypass
+ CVE-2022-40957: Incoherent instruction cache when building WASM on ARM64
+ CVE-2022-40962: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3
enlightenment-0.25.4-alt1 build Yuri N. Sedunov, 2022-09-20
- 0.25.4 (fixed CVE-2022-37706)
pdns-4.6.3-alt1 build Alexey Shabalin, 2022-09-15
- 4.6.3 (Fixes: CVE-2020-17482, CVE-2020-17482, CVE-2020-24696, CVE-2020-24697, CVE-2020-24698,
CVE-2021-36754, CVE-2022-27227)
- Removed random, lua, mydns, opendbx backends.
vim-9.0.0463-alt1 build Alexander Danilov, 2022-09-14
- Updated to 9.0.0463 (fixes CVE-2022-2816, CVE-2022-2817, CVE-2022-2819,
CVE-2022-2874, CVE-2022-2889, CVE-2022-2923, CVE-2022-2946, CVE-2022-3099,
CVE-2022-3037, CVE-2022-3016, CVE-2022-2982, CVE-2022-2980, CVE-2022-2862,
CVE-2022-2849, CVE-2022-2845, CVE-2022-3153, CVE-2022-3134, CVE-2021-3984,
CVE-2021-4019, CVE-2022-1927).
glpi-10.0.3-alt1 build Pavel Zilke, 2022-09-14
- New version 10.0.3
- This release fixes several critical security issues that has been recently discovered. Update is strongly recommended!
- Security fixes:
+ CVE-2022-35945 : XSS through registration API
+ CVE-2022-31143 : Leak of sensitive information through login page error
+ CVE-2022-31187 : Stored XSS through global search (CVE-2022-31187)
+ CVE-2022-35914 : [critical] Command injection using a third-party library script
+ CVE-2022-35946 : SQL injection through plugin controller
+ CVE-2022-35947 : [critical] Authentication via SQL injection
+ CVE-2022-36112 : Blind Server-Side Request Forgery (SSRF) in RSS feeds and planning
golang-1.18.6-alt1 build Alexey Shabalin, 2022-09-14
- New version (1.18.6) (Fixes: CVE-2022-27664).
docker-engine-20.10.18-alt1 build Vladimir Didenko, 2022-09-12
- 20.10.18 (Fixes: CVE-2022-36109)
samba-4.16.4-alt2 build Evgeny Sinelnikov, 2022-09-08
- Add support (Heimdal only) of "ignore requester sid" global option for the
correct operation of trust relationships with oldest versions of MS AD without
KB5008380 Authentication updates (CVE-2021-42287).
zoneminder-1.36.25-alt1 build Anton Farygin, 2022-09-07
- 1.36.12 -> 1.36.25 (Fixes: CVE-2022-29806)
sofia-sip-1.13.8-alt1 build Anton Farygin, 2022-09-06
- 1.13.8 (Fixes: CVE-2022-31001)
kernel-image-centos-5.14.0.162-alt1.el9 build Alexey Gladkov, 2022-09-06
- Updated to kernel-5.14.0-162.el9 (fixes: CVE-2022-2585):
+ Fix: posix cpu timer use-after-free
+ Revert "ixgbevf: Add support for new mailbox communication between PF and VF"
thunderbird-102.2.1-alt1 build Pavel Vasenkov, 2022-09-06
- New version.
- Security fixes:
+ CVE-2022-3033 Leaking of sensitive information when composing a response to an HTML email with a META refresh tag
+ CVE-2022-3032 Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked
+ CVE-2022-3034 An iframe element in an HTML email could trigger a network request
+ CVE-2022-36059 Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack
chromium-105.0.5195.102-alt1 build Alexey Gladkov, 2022-09-05
- New version (105.0.5195.102).
- Security fixes:
- CVE-2022-3075: Insufficient data validation in Mojo.
gem-rails-6.1.6.1-alt1 build Pavel Skrylev, 2022-09-01
- ^ 6.1.4.1 -> 6.1.6.1
- ! CVEs
+ CVE-2022-32224
+ CVE-2022-27777
+ CVE-2022-21831
+ CVE-2022-23633
+ CVE-2022-23633
+ CVE-2021-44528
chromium-105.0.5195.52-alt1 build Alexey Gladkov, 2022-09-01
- New version (105.0.5195.52).
- Security fixes:
- CVE-2022-3038: Use after free in Network Service.
- CVE-2022-3039: Use after free in WebSQL.
- CVE-2022-3040: Use after free in Layout.
- CVE-2022-3041: Use after free in WebSQL.
- CVE-2022-3042: Use after free in PhoneHub.
- CVE-2022-3043: Heap buffer overflow in Screen Capture.
- CVE-2022-3044: Inappropriate implementation in Site Isolation.
- CVE-2022-3045: Insufficient validation of untrusted input in V8.
- CVE-2022-3046: Use after free in Browser Tag.
- CVE-2022-3047: Insufficient policy enforcement in Extensions API.
- CVE-2022-3048: Inappropriate implementation in Chrome OS lockscreen.
- CVE-2022-3049: Use after free in SplitScreen.
- CVE-2022-3050: Heap buffer overflow in WebUI.
- CVE-2022-3051: Heap buffer overflow in Exosphere.
- CVE-2022-3052: Heap buffer overflow in Window Manager.
- CVE-2022-3053: Inappropriate implementation in Pointer Lock.
- CVE-2022-3054: Insufficient policy enforcement in DevTools.
- CVE-2022-3055: Use after free in Passwords.
- CVE-2022-3056: Insufficient policy enforcement in Content Security Policy.
- CVE-2022-3057: Inappropriate implementation in iframe Sandbox.
- CVE-2022-3058: Use after free in Sign-In Flow.
- CVE-2022-3071: Use after free in Tab Strip.
cifs-utils-6.15-alt1 build Evgeny Sinelnikov, 2022-08-31
- Update to stable release 6.15 (Samba#15025, Samba#15026)
- mount.cifs: fix length check for ip option parsing (fixes: CVE-2022-27239)
- mount.cifs: fix verbose messages on option parsing (fixes: CVE-2022-29869)
curl-7.85.0-alt1 build Anton Farygin, 2022-08-31
- 7.84.0 -> 7.85.0
- Fixes:
* CVE-2022-35252: control code in cookie denial of service
kernel-image-centos-5.14.0.160-alt1.el9 build Alexey Gladkov, 2022-08-26
- Updated to kernel-5.14.0-160.el9 (fixes: CVE-2022-1679, CVE-2022-26373):
+ ath9k: fix use-after-free in ath9k_hif_usb_rx_cb
+ Chelsio FCoE Initiator Driver (csiostor) update to upstream 5.19-rc4
+ iavf: Fix VLAN_V2 addition/rejection
+ net: qcom/emac: Fix improper merge resolution in device_get_mac_address
+ nvme-fc: restart admin queue if the caller needs to restart queue
+ Pull updated changes for gve driver from upstream
+ x86/speculation: Post-barrier Return Stack Buffer Predictions (CVE-2022-26373)
projeto & código: Vladimir Lettiev aka crux © 2004-2005,
Andrew Avramenko aka liks © 2007-2008
mantenedor atual: Michael Shigorin
mantenedor da tradução: Fernando Martini aka fmartini © 2009
mantenedor atual: Michael Shigorin
mantenedor da tradução: Fernando Martini aka fmartini © 2009