As correcções de segurança
kernel-image-centos-5.14.0.120-alt1.el9
build Alexey Gladkov,
2022-06-27
- Updated to kernel-5.14.0-120.el9 (fixes: CVE-2022-1998, CVE-2022-2078):
+ block: update with 5.18 for rhel 9.1
+ fanotify: Fix stale file descriptor in copy_event_to_user()
+ netfilter: nf_tables: sanitize nft_set_desc_concat_parse()
+ ntb: update from upstream v5.17
+ redhat: spec: trigger dracut when modules are installed separately
+ [s390] s390/zcrypt: Add admask to zcdn
+ scsi: mpi3mr: Add bsg device support
+ tcp: Don't acquire inet_listen_hashbucket::lock with disabled BH.
+ vmxnet3: Update network driver for RHEL 9.1
chromium-103.0.5060.53-alt1 build Alexey Gladkov, 2022-06-25
- New version (103.0.5060.53).
- Security fixes:
- CVE-2022-2156: Use after free in Base.
- CVE-2022-2157: Use after free in Interest groups.
- CVE-2022-2158: Type Confusion in V8.
- CVE-2022-2160: Insufficient policy enforcement in DevTools.
- CVE-2022-2161: Use after free in WebApp Provider.
- CVE-2022-2162: Insufficient policy enforcement in File System API.
- CVE-2022-2163: Use after free in Cast UI and Toolbar.
- CVE-2022-2164: Inappropriate implementation in Extensions API.
- CVE-2022-2165: Insufficient data validation in URL formatting.
mediawiki-1.37.2-alt1 build Vitaly Lipatov, 2022-06-24
- new version 1.37.2 (with rpmrb script)
- (T297571, CVE-2022-28201) (T297731, CVE-2022-28203)
- (T297754, CVE-2022-28204) (T297543, CVE-2022-28202)
openssl1.1-1.1.1p-alt1 build Gleb F-Malinovskiy, 2022-06-22
- Updated to 1.1.1p (fixes CVE-2022-1292, CVE-2022-2068).
openscad-2021.01-alt4 build Anton Midyukov, 2022-06-20
- Fixes:
+ CVE-2022-0496 Out-of-bounds memory access in DXF loader (path
identification)
+ CVE-2022-0497 Out-of-bounds memory access in comment parser
+ Fix build issue with overloaded join().
- cleanup spec
dropbear-2022.82-alt1 build Vitaly Chikunov, 2022-06-19
- Update to DROPBEAR_2022.82 (2022-04-01). (Fixes: CVE-2018-15599,
CVE-2018-5399, CVE-2018-20685, CVE-2019-12953, CVE-2020-15833,
CVE-2020-36254).
- Disable DSS keys.
- Allow password auth.
- Undo authkey_fp patch (as it does not apply to the new codebase).
- Use bundled libtom{crypt,math} maintained by the authors of Dropbear.
- Doc and client packages are merged into main package.
- Add systemd services.
- Correct sftp-server path (to openssh-server binary).
apache2-2.4.54-alt1 build Anton Farygin, 2022-06-19
- 2.4.54 (Fixes: CVE-2022-31813, CVE-2022-30556, CVE-2022-30522, CVE-2022-29404,
CVE-2022-28615, CVE-2022-28614, CVE-2022-28330, CVE-2022-26377)
kernel-image-un-def-5.17.15-alt2 build Vitaly Chikunov, 2022-06-18
- Pick fixes of Intel-specific processor MMIO stale-data vulnerabilities.
(Fixes: CVE-2022-21166, CVE-2022-21125, CVE-2022-21123).
tor-0.4.7.8-alt1 build Hihin Ruslan, 2022-06-18
- Update version
- CVE-2021-3838
python-2.7.18-alt10 build Vladimir D. Seleznev, 2022-06-17
- Secutiry update (fixed: CVE-2015-20107).
- Fixed Url field.
kernel-image-centos-5.14.0.114-alt1.el9 build Alexey Gladkov, 2022-06-17
- Updated to kernel-5.14.0-114.el9 (fixes: CVE-2022-1729):
+ block: ignore RWF_HIPRI hint for sync dio
+ lpfc cs9 (rhel9.1) update
+ perf: Fix sys_perf_event_open() race against self
+ redhat/configs: Drop outdated CRYPTO_ECDH and unify CRYPTO_USER configs
+ [s390] Upgrade the zfcp driver to latest from upstream, e.g. kernel 5.18
+ Update ext4 and jbd2 to upstream v5.17
php7-7.4.30-alt1 build Anton Farygin, 2022-06-16
- 7.4.28 -> 7.4.30 (Fixes: CVE-2022-31626, CVE-2022-31625)
php8.0-8.0.20-alt1 build Anton Farygin, 2022-06-16
- 8.0.19 -> 8.0.20 (Fixes: CVE-2022-31626, CVE-2022-31625)
php8.1-8.1.7-alt1 build Anton Farygin, 2022-06-16
- 8.1.6 -> 8.1.7 (Fixes: CVE-2022-31626, CVE-2022-31625)
libexo-4.17.2-alt1 build Mikhail Efremov, 2022-06-14
- Updated Url tag.
- Updated to 4.17.2 (fixes: CVE-2022-32278).
kernel-image-centos-5.14.0.111-alt1.el9 build Alexey Gladkov, 2022-06-14
- Updated to kernel-5.14.0-111.el9 (fixes: CVE-2022-1966):
+ Add pinctrl support for ADL-N
+ block, loop: support partitions without scanning
+ [Intel 9.1 FEAT] [RPL-P] perf: PerfMon support
+ ipv4: do not use per netns icmp sockets
+ netfilter: nf_tables: disallow non-stateful expression in sets earlier
+ remoteproc: updates
+ scsi: fnic: Finish scsi_cmnd before dropping the spinlock
+ turbostat: fix PC6 displaying on some systems
golang-1.18.3-alt1 build Alexey Shabalin, 2022-06-12
- New version (1.18.3) (Fixes: CVE-2022-30580, CVE-2022-30634, CVE-2022-30629, CVE-2022-29804).
containerd-1.6.6-alt1 build Vladimir Didenko, 2022-06-08
- 1.6.6 (Fixes: CVE-2022-31030)
qemu-7.0.0-alt1 build Alexey Shabalin, 2022-06-07
- 7.0.0.
- Split out qemu-virtiofsd subpackage.
- Backport patches from upstream for fix virtio-scsi.
- Fixes for the following security vulnerabilities:
+ CVE-2021-3507 hw/block/fdc: Prevent end-of-track overrun
+ CVE-2021-4206 ui/cursor: fix integer overflow in cursor_alloc
+ CVE-2021-4207 display/qxl-render: fix race condition in qxl_cursor
+ CVE-2021-3611 hw/audio/intel-hda: Restrict DMA engine to memories
+ CVE-2022-26353 virtio-net: fix map leaking on error during receive
+ CVE-2022-26354 vhost-vsock: detach the virqueue element in case of error
+ CVE-2021-3929 hw/nvme: fix
kernel-image-centos-5.14.0.106-alt1.el9 build Alexey Gladkov, 2022-06-07
- Updated to kernel-5.14.0-106.el9 (fixes: CVE-2022-24448):
+ clk: qcom: rpmhcc: add sc8280xp support to the RPMh clock controller
+ Documentation: add description for net.core.gro_normal_batch
+ Documentation/sysctl: document max_rcu_stall_to_panic
+ drivers/char: fix unused variable warning in mem.c
+ Fixes for nfs_atomic_open()
+ mm, compaction: fast_find_migrateblock() should return pfn in the target zone
+ PTP: backport fixes from upstream
+ [RHEL 9.1.0] IDXD fixes
+ [s390] Upgrade the qeth driver to latest from upstream
vim-8.2.5062-alt1 build Alexander Danilov, 2022-06-06
- Updated to 8.2.5062 (fixes CVE-2022-1898).
rsyslog-8.2204.1-alt1 build Alexey Shabalin, 2022-06-06
- 8.2204.1 (Fixes: CVE-2022-24903)
firefox-esr-91.10.0-alt1 build Pavel Vasenkov, 2022-06-03
- New ESR version.
- Security fixes:
+ CVE-2022-31736 Cross-Origin resource's length leaked
+ CVE-2022-31737 Heap buffer overflow in WebGL
+ CVE-2022-31738 Browser window spoof using fullscreen mode
+ CVE-2022-31739 Attacker-influenced path traversal when saving downloaded files
+ CVE-2022-31740 Register allocation problem in WASM on arm64
+ CVE-2022-31741 Uninitialized variable leads to invalid memory read
+ CVE-2022-31742 Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
+ CVE-2022-31747 Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10
thunderbird-91.10.0-alt1 build Pavel Vasenkov, 2022-06-03
- New version.
- Security fixes:
+ CVE-2022-31736 Cross-Origin resource's length leaked
+ CVE-2022-31737 Heap buffer overflow in WebGL
+ CVE-2022-31738 Browser window spoof using fullscreen mode
+ CVE-2022-31739 Attacker-influenced path traversal when saving downloaded files
+ CVE-2022-31740 Register allocation problem in WASM on arm64
+ CVE-2022-31741 Uninitialized variable leads to invalid memory read
+ CVE-2022-1834 Braille space character caused incorrect sender email to be shown for a digitally signed email
+ CVE-2022-31742 Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
+ CVE-2022-31747 Memory safety bugs fixed in Thunderbird 91.10
firefox-101.0-alt1 build Alexey Gladkov, 2022-06-01
- New release (101.0).
- Use internal cbindgen again.
- Security fixes:
+ CVE-2022-31736: Cross-Origin resource's length leaked
+ CVE-2022-31737: Heap buffer overflow in WebGL
+ CVE-2022-31738: Browser window spoof using fullscreen mode
+ CVE-2022-31739: Attacker-influenced path traversal when saving downloaded files
+ CVE-2022-31740: Register allocation problem in WASM on arm64
+ CVE-2022-31741: Uninitialized variable leads to invalid memory read
+ CVE-2022-31742: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information
+ CVE-2022-31743: HTML Parsing incorrectly ended HTML comments prematurely
+ CVE-2022-31744: CSP bypass enabling stylesheet injection
+ CVE-2022-31745: Incorrect Assertion caused by unoptimized array shift operations
+ CVE-2022-1919: Memory Corruption when manipulating webp images
+ CVE-2022-31747: Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10
+ CVE-2022-31748: Memory safety bugs fixed in Firefox 101
projeto & código: Vladimir Lettiev aka crux © 2004-2005,
Andrew Avramenko aka liks © 2007-2008
mantenedor atual: Michael Shigorin
mantenedor da tradução: Fernando Martini aka fmartini © 2009
mantenedor atual: Michael Shigorin
mantenedor da tradução: Fernando Martini aka fmartini © 2009