UTSA-2022:20006 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: OpenEXR security update

A flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability.(CVE-2021-20298) A flaw was found in OpenEXR's hufDecode functionality. This flaw allows an attacker who can pass a crafted file to be processed by OpenEXR, to trigger an undefined right shift error. The highest threat from this vulnerability is to system availability.(CVE-2021-20304) OpenEXR-devel-2.2.0-28.uel20.x86_64.rpm OpenEXR-libs-2.2.0-28.uel20.x86_64.rpm OpenEXR-2.2.0-28.uel20.x86_64.rpm OpenEXR-devel-2.2.0-28.uel20.aarch64.rpm OpenEXR-libs-2.2.0-28.uel20.aarch64.rpm OpenEXR-2.2.0-28.uel20.aarch64.rpm UTSA-2022:20012 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python-bleach security update

fix cve/bug or enhancement python3-bleach-5.0.1-1.uel20.noarch.rpm python-bleach-help-5.0.1-1.uel20.noarch.rpm UTSA-2022:20015 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: postgresql-jdbc security update

PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.(CVE-2022-31197) postgresql-jdbc-javadoc-42.4.1-1.uel20.noarch.rpm postgresql-jdbc-help-42.4.1-1.uel20.noarch.rpm postgresql-jdbc-42.4.1-1.uel20.noarch.rpm UTSA-2022:20018 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rsync security update

An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).(CVE-2022-29154) rsync-3.1.3-9.uel20.x86_64.rpm rsync-3.1.3-9.uel20.aarch64.rpm rsync-help-3.1.3-9.uel20.noarch.rpm UTSA-2022:20024 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rubygem-yajl-ruby security update

yajl-ruby is a C binding to the YAJL JSON parsing and generation library. The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs. The reallocation logic at `yajl_buf.c#L64` may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk. These integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer. Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption. This vulnerability mostly impacts process availability. Maintainers believe exploitation for arbitrary code execution is unlikely. A patch is available and anticipated to be part of yajl-ruby version 1.4.2. As a workaround, avoid passing large inputs to YAJL.(CVE-2022-24795) rubygem-yajl-ruby-1.4.3-1.uel20.x86_64.rpm rubygem-yajl-ruby-1.4.3-1.uel20.aarch64.rpm rubygem-yajl-ruby-help-1.4.3-1.uel20.noarch.rpm UTSA-2022:20025 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-lxml security update

NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.(CVE-2022-2309) python2-lxml-4.5.2-8.uel20.x86_64.rpm python3-lxml-4.5.2-8.uel20.x86_64.rpm python-lxml-help-4.5.2-8.uel20.noarch.rpm python3-lxml-4.5.2-8.uel20.aarch64.rpm python2-lxml-4.5.2-8.uel20.aarch64.rpm UTSA-2022:20026 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: mod_wsgi security update

A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.(CVE-2022-2255) python3-mod_wsgi-4.6.4-3.uel20.x86_64.rpm python3-mod_wsgi-4.6.4-3.uel20.aarch64.rpm UTSA-2022:20029 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: gdm security update

A flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessing their session without authentication. This is similar to CVE-2017-12164, but requires more difficult conditions to exploit.(CVE-2020-27837) gdm-3.38.2.1-1.uel20.x86_64.rpm gdm-devel-3.38.2.1-1.uel20.x86_64.rpm gdm-3.38.2.1-1.uel20.aarch64.rpm gdm-devel-3.38.2.1-1.uel20.aarch64.rpm UTSA-2022:20030 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libdwarf security update

fix cve/bug or enhancement libdwarf-devel-20210528-1.uel20.x86_64.rpm libdwarf-20210528-1.uel20.x86_64.rpm libdwarf-tools-20210528-1.uel20.x86_64.rpm libdwarf-tools-20210528-1.uel20.aarch64.rpm libdwarf-20210528-1.uel20.aarch64.rpm libdwarf-devel-20210528-1.uel20.aarch64.rpm libdwarf-help-20210528-1.uel20.noarch.rpm UTSA-2022:20031 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: eclipse security update

In versions 4.18 and earlier of the Eclipse Platform, the Help Subsystem does not authenticate active help requests to the local help web server, allowing an unauthenticated local attacker to issue active help commands to the associated Eclipse Platform process or Eclipse Rich Client Platform process.(CVE-2020-27225) eclipse-tests-4.11-4.uel20.x86_64.rpm eclipse-swt-4.11-4.uel20.x86_64.rpm eclipse-platform-4.11-4.uel20.x86_64.rpm eclipse-pde-4.11-4.uel20.x86_64.rpm eclipse-equinox-osgi-4.11-4.uel20.x86_64.rpm eclipse-tests-4.11-4.uel20.aarch64.rpm eclipse-swt-4.11-4.uel20.aarch64.rpm eclipse-platform-4.11-4.uel20.aarch64.rpm eclipse-pde-4.11-4.uel20.aarch64.rpm eclipse-p2-discovery-4.11-4.uel20.noarch.rpm eclipse-jdt-4.11-4.uel20.noarch.rpm eclipse-equinox-osgi-4.11-4.uel20.aarch64.rpm eclipse-contributor-tools-4.11-4.uel20.x86_64.rpm eclipse-contributor-tools-4.11-4.uel20.aarch64.rpm UTSA-2022:20032 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libproxy security update

url::recvline in url.cpp in libproxy 0.4.x through 0.4.15 allows a remote HTTP server to trigger uncontrolled recursion via a response composed of an infinite stream that lacks a newline character. This leads to stack exhaustion.(CVE-2020-25219) libproxy-0.4.15-18.uel20.01.x86_64.rpm libproxy-webkitgtk4-0.4.15-18.uel20.01.x86_64.rpm libproxy-devel-0.4.15-18.uel20.01.x86_64.rpm libproxy-webkitgtk4-0.4.15-18.uel20.01.aarch64.rpm libproxy-0.4.15-18.uel20.01.aarch64.rpm python2-libproxy-0.4.15-18.uel20.01.noarch.rpm python3-libproxy-0.4.15-18.uel20.01.noarch.rpm libproxy-devel-0.4.15-18.uel20.01.aarch64.rpm libproxy-help-0.4.15-18.uel20.01.noarch.rpm UTSA-2022:20033 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: bison security update

GNU Bison before 3.7.1 has a use-after-free in _obstack_free in lib/obstack.c (called from gram_lex) when a '\0' byte is encountered. NOTE: there is a risk only if Bison is used with untrusted input, and the observed bug happens to cause unsafe behavior with a specific compiler/architecture. The bug report was intended to show that a crash may occur in Bison itself, not that a crash may occur in code that is generated by Bison.(CVE-2020-24240) bison-3.6.4-3.uel20.x86_64.rpm bison-lang-3.6.4-3.uel20.x86_64.rpm bison-devel-3.6.4-3.uel20.x86_64.rpm bison-lang-3.6.4-3.uel20.aarch64.rpm bison-devel-3.6.4-3.uel20.aarch64.rpm bison-3.6.4-3.uel20.aarch64.rpm bison-help-3.6.4-3.uel20.noarch.rpm UTSA-2022:20043 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: GraphicsMagick security update

fix cve/bug or enhancement GraphicsMagick-1.3.30-10.uel20.x86_64.rpm GraphicsMagick-perl-1.3.30-10.uel20.x86_64.rpm GraphicsMagick-c++-1.3.30-10.uel20.x86_64.rpm GraphicsMagick-devel-1.3.30-10.uel20.x86_64.rpm GraphicsMagick-c++-devel-1.3.30-10.uel20.x86_64.rpm GraphicsMagick-c++-devel-1.3.30-10.uel20.aarch64.rpm GraphicsMagick-devel-1.3.30-10.uel20.aarch64.rpm GraphicsMagick-perl-1.3.30-10.uel20.aarch64.rpm GraphicsMagick-1.3.30-10.uel20.aarch64.rpm GraphicsMagick-c++-1.3.30-10.uel20.aarch64.rpm GraphicsMagick-help-1.3.30-10.uel20.noarch.rpm UTSA-2022:20048 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: mc security update

An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects to the server without the ability to verify its authenticity.(CVE-2021-36370) mc-4.8.28-1.uel20.x86_64.rpm mc-4.8.28-1.uel20.aarch64.rpm mc-help-4.8.28-1.uel20.noarch.rpm UTSA-2022:20051 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: raptor2 security update

A malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common.(CVE-2020-25713) raptor2-devel-2.0.15-19.uel20.x86_64.rpm raptor2-help-2.0.15-19.uel20.x86_64.rpm raptor2-2.0.15-19.uel20.x86_64.rpm raptor2-help-2.0.15-19.uel20.aarch64.rpm raptor2-devel-2.0.15-19.uel20.aarch64.rpm raptor2-2.0.15-19.uel20.aarch64.rpm UTSA-2022:20052 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: evolution-data-server security update

evolution-data-server (eds) through 3.36.3 has a STARTTLS buffering issue that affects SMTP and POP3. When a server sends a "begin TLS" response, eds reads additional data and evaluates it in a TLS context, aka "response injection."(CVE-2020-14928) evolution-data-server-devel-3.30.1-5.uel20.x86_64.rpm evolution-data-server-3.30.1-5.uel20.x86_64.rpm evolution-data-server-perl-3.30.1-5.uel20.x86_64.rpm evolution-data-server-3.30.1-5.uel20.aarch64.rpm evolution-data-server-doc-3.30.1-5.uel20.noarch.rpm evolution-data-server-perl-3.30.1-5.uel20.aarch64.rpm evolution-data-server-langpacks-3.30.1-5.uel20.noarch.rpm evolution-data-server-devel-3.30.1-5.uel20.aarch64.rpm UTSA-2022:20053 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: targetcli security update

Open-iSCSI targetcli-fb through 2.1.52 has weak permissions for /etc/target (and for the backup directory and backup files).(CVE-2020-13867) targetcli-2.1.54-1.uel20.noarch.rpm targetcli-help-2.1.54-1.uel20.noarch.rpm UTSA-2022:20054 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: gupnp security update

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.(CVE-2020-12695) An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.x before 1.2.5. It allows DNS rebinding. A remote web server can exploit this vulnerability to trick a victim's browser into triggering actions against local UPnP services implemented using this library. Depending on the affected service, this could be used for data exfiltration, data tempering, etc.(CVE-2021-33516) gupnp-devel-1.2.4-1.uel20.x86_64.rpm gupnp-1.2.4-1.uel20.x86_64.rpm gupnp-help-1.2.4-1.uel20.noarch.rpm gupnp-1.2.4-1.uel20.aarch64.rpm gupnp-devel-1.2.4-1.uel20.aarch64.rpm UTSA-2022:20055 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: linux-firmware security update

Improper buffer restriction in some Intel(R) Wireless Bluetooth(R) products before version 21.110 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.(CVE-2020-12321) linux-firmware-20211027-1.uel20.noarch.rpm UTSA-2022:20057 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: mod_fcgid security update

A security Bypass vulnerability exists in the FcgidPassHeader Proxy in mod_fcgid through 2016-07-07.(CVE-2016-1000104) mod_fcgid-2.3.9-20.uel20.x86_64.rpm mod_fcgid-help-2.3.9-20.uel20.x86_64.rpm mod_fcgid-help-2.3.9-20.uel20.aarch64.rpm mod_fcgid-2.3.9-20.uel20.aarch64.rpm UTSA-2022:20058 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rubygem-rack security update

A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.(CVE-2020-8184) rubygem-rack-help-2.2.3.1-1.uel20.noarch.rpm rubygem-rack-2.2.3.1-1.uel20.noarch.rpm UTSA-2022:20059 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python-ldap security update

fix cve/bug or enhancement python3-ldap-3.1.0-4.uel20.x86_64.rpm python3-ldap-3.1.0-4.uel20.aarch64.rpm python-ldap-help-3.1.0-4.uel20.noarch.rpm UTSA-2022:20061 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: gstreamer1-plugins-good security update

DOS / potential heap overwrite in qtdemux using zlib decompression. Integer overflow in qtdemux element in qtdemux_inflate function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite.(CVE-2022-2122) DOS / potential heap overwrite in mkv demuxing using HEADERSTRIP decompression. Integer overflow in matroskaparse element in gst_matroska_decompress_data function which causes a heap overflow. Due to restrictions on chunk sizes in the matroskademux element, the overflow can't be triggered, however the matroskaparse element has no size checks.(CVE-2022-1925) DOS / potential heap overwrite in mkv demuxing using lzo decompression. Integer overflow in matroskademux element in lzo decompression function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.(CVE-2022-1924) DOS / potential heap overwrite in mkv demuxing using bzip decompression. Integer overflow in matroskademux element in bzip decompression function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.(CVE-2022-1923) DOS / potential heap overwrite in mkv demuxing using zlib decompression. Integer overflow in matroskademux element in gst_matroska_decompress_data function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.(CVE-2022-1922) Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files. Potential for arbitrary code execution through heap overwrite.(CVE-2022-1921) Integer overflow in matroskademux element in gst_matroska_demux_add_wvpk_header function which allows a heap overwrite while parsing matroska files. Potential for arbitrary code execution through heap overwrite.(CVE-2022-1920) gstreamer1-plugins-good-gtk-1.16.2-3.uel20.x86_64.rpm gstreamer1-plugins-good-1.16.2-3.uel20.x86_64.rpm gstreamer1-plugins-good-help-1.16.2-3.uel20.noarch.rpm gstreamer1-plugins-good-gtk-1.16.2-3.uel20.aarch64.rpm gstreamer1-plugins-good-1.16.2-3.uel20.aarch64.rpm UTSA-2022:20063 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python-bottle security update

Bottle before 0.12.20 mishandles errors during early request binding.(CVE-2022-31799) python2-bottle-0.12.13-9.uel20.noarch.rpm python3-bottle-0.12.13-9.uel20.noarch.rpm UTSA-2022:20070 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: nodejs-hawk security update

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`.(CVE-2022-29167) nodejs-hawk-4.1.2-2.uel20.noarch.rpm UTSA-2022:20074 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libinput security update

A format string vulnerability was found in libinput(CVE-2022-1215) libinput-1.15.6-3.uel20.x86_64.rpm libinput-devel-1.15.6-3.uel20.x86_64.rpm libinput-help-1.15.6-3.uel20.x86_64.rpm libinput-utils-1.15.6-3.uel20.x86_64.rpm libinput-devel-1.15.6-3.uel20.aarch64.rpm libinput-utils-1.15.6-3.uel20.aarch64.rpm libinput-1.15.6-3.uel20.aarch64.rpm libinput-help-1.15.6-3.uel20.aarch64.rpm UTSA-2022:20076 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: nodejs-minimist security update

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).(CVE-2021-44906) nodejs-minimist-1.2.6-1.uel20.noarch.rpm UTSA-2022:20077 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: tcl security update

** DISPUTED ** In Tcl 8.6.11, a format string vulnerability in nmakehlp.c might allow code execution via a crafted file. NOTE: multiple third parties dispute the significance of this finding.(CVE-2021-35331) tcl-8.6.10-4.uel20.x86_64.rpm tcl-devel-8.6.10-4.uel20.x86_64.rpm tcl-devel-8.6.10-4.uel20.aarch64.rpm tcl-help-8.6.10-4.uel20.noarch.rpm tcl-8.6.10-4.uel20.aarch64.rpm UTSA-2022:20078 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: redis6 security update

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer could be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result with remote code execution. The problem is fixed in version 6.2.3 and 6.0.13. An additional workaround to mitigate the problem without patching the redis-server executable is to use ACL configuration to prevent clients from using the `STRALGO LCS` command.(CVE-2021-29477) Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules.(CVE-2022-24736) Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. The Lua script execution environment in Redis provides some measures that prevent a script from creating side effects that persist and can affect the execution of the same, or different script, at a later time. Several weaknesses of these measures have been publicly known for a long time, but they had no security impact as the Redis security model did not endorse the concept of users or privileges. With the introduction of ACLs in Redis 6.0, these weaknesses can be exploited by a less privileged users to inject Lua code that will execute at a later time, when a privileged user executes a Lua script. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules.(CVE-2022-24735) Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14.(CVE-2021-32672) redis6-6.2.7-1.uel20.x86_64.rpm redis6-devel-6.2.7-1.uel20.x86_64.rpm redis6-6.2.7-1.uel20.aarch64.rpm redis6-doc-6.2.7-1.uel20.noarch.rpm redis6-devel-6.2.7-1.uel20.aarch64.rpm UTSA-2022:20083 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: flac security update

In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-156076070(CVE-2020-0499) flac-devel-1.3.3-6.uel20.x86_64.rpm flac-1.3.3-6.uel20.x86_64.rpm xmms-flac-1.3.3-6.uel20.x86_64.rpm flac-help-1.3.3-6.uel20.x86_64.rpm flac-help-1.3.3-6.uel20.aarch64.rpm flac-1.3.3-6.uel20.aarch64.rpm xmms-flac-1.3.3-6.uel20.aarch64.rpm flac-devel-1.3.3-6.uel20.aarch64.rpm UTSA-2022:20084 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: speex security update

A Divide by Zero vulnerability in the function static int read_samples of Speex v1.2 allows attackers to cause a denial of service (DoS) via a crafted WAV file.(CVE-2020-23903) speex-devel-1.2.0-5.uel20.x86_64.rpm speex-1.2.0-5.uel20.x86_64.rpm speex-1.2.0-5.uel20.aarch64.rpm speex-devel-1.2.0-5.uel20.aarch64.rpm speex-help-1.2.0-5.uel20.noarch.rpm UTSA-2022:20088 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libsndfile security update

An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. An attacker who is able to submit a specially crafted file (via tricking a user to open or otherwise) to an application linked with libsndfile and using the FLAC codec, could trigger an out-of-bounds read that would most likely cause a crash but could potentially leak memory information that could be used in further exploitation of other flaws.(CVE-2021-4156) libsndfile-1.0.28-20.uel20.x86_64.rpm libsndfile-devel-1.0.28-20.uel20.x86_64.rpm libsndfile-utils-1.0.28-20.uel20.x86_64.rpm libsndfile-utils-1.0.28-20.uel20.aarch64.rpm libsndfile-utils-help-1.0.28-20.uel20.noarch.rpm libsndfile-devel-1.0.28-20.uel20.aarch64.rpm libsndfile-1.0.28-20.uel20.aarch64.rpm UTSA-2022:20091 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: google-gson security update

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.(CVE-2022-25647) google-gson-2.8.2-4.uel20.noarch.rpm UTSA-2022:20097 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: nekohtml security update

org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.(CVE-2022-24839) nekohtml-1.9.22-9.uel20.noarch.rpm UTSA-2022:20098 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rubygem-nokogiri security update

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.(CVE-2022-24836) rubygem-nokogiri-doc-1.10.5-5.uel20.x86_64.rpm rubygem-nokogiri-1.10.5-5.uel20.x86_64.rpm rubygem-nokogiri-doc-1.10.5-5.uel20.aarch64.rpm rubygem-nokogiri-1.10.5-5.uel20.aarch64.rpm UTSA-2022:20099 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-waitress security update

Waitress is a Web Server Gateway Interface server for Python 2 and 3. When using Waitress versions 2.1.0 and prior behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends. This would allow requests to be smuggled via the front-end proxy to waitress and later behavior. There are two classes of vulnerability that may lead to request smuggling that are addressed by this advisory: The use of Python's `int()` to parse strings into integers, leading to `+10` to be parsed as `10`, or `0x01` to be parsed as `1`, where as the standard specifies that the string should contain only digits or hex digits; and Waitress does not support chunk extensions, however it was discarding them without validating that they did not contain illegal characters. This vulnerability has been patched in Waitress 2.1.1. A workaround is available. When deploying a proxy in front of waitress, turning on any and all functionality to make sure that the request matches the RFC7230 standard. Certain proxy servers may not have this functionality though and users are encouraged to upgrade to the latest version of waitress instead.(CVE-2022-24761) python3-waitress-1.1.0-5.uel20.noarch.rpm python2-waitress-1.1.0-5.uel20.noarch.rpm UTSA-2022:20103 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: xerces-j2 security update

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.(CVE-2022-23437) xerces-j2-help-2.12.2-1.uel20.noarch.rpm xerces-j2-2.12.2-1.uel20.noarch.rpm UTSA-2022:20104 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: log4j12 security update

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.(CVE-2022-23305) CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.(CVE-2022-23307) JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.(CVE-2022-23302) JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.(CVE-2021-4104) log4j12-help-1.2.17-25.uel20.noarch.rpm log4j12-1.2.17-25.uel20.noarch.rpm UTSA-2022:20106 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: mutt security update

Buffer Overflow in uudecoder in Mutt affecting all versions starting from 0.94.13 before 2.2.3 allows read past end of input line(CVE-2022-1328) mutt-2.1.3-2.uel20.x86_64.rpm mutt-help-2.1.3-2.uel20.noarch.rpm mutt-2.1.3-2.uel20.aarch64.rpm UTSA-2022:20110 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: opensc security update

Stack buffer overflow issues were found in Opensc before version 0.22.0 in various places that could potentially crash programs using the library.(CVE-2021-42782) A use after return issue was found in Opensc before version 0.22.0 in insert_pin function that could potentially crash programs using the library.(CVE-2021-42780) A heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo.(CVE-2021-42778) opensc-0.20.0-10.uel20.x86_64.rpm opensc-help-0.20.0-10.uel20.noarch.rpm opensc-0.20.0-10.uel20.aarch64.rpm UTSA-2022:20112 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: ffmpeg security update

libavcodec/dnxhddec.c in FFmpeg 4.4 does not check the return value of the init_vlc function, a similar issue to CVE-2013-0868.(CVE-2021-38114) track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bounds write because of incorrect extradata packing.(CVE-2020-35964) libavdevice-4.2.4-4.uel20.x86_64.rpm ffmpeg-libs-4.2.4-4.uel20.x86_64.rpm ffmpeg-devel-4.2.4-4.uel20.x86_64.rpm ffmpeg-4.2.4-4.uel20.x86_64.rpm ffmpeg-devel-4.2.4-4.uel20.aarch64.rpm ffmpeg-libs-4.2.4-4.uel20.aarch64.rpm libavdevice-4.2.4-4.uel20.aarch64.rpm ffmpeg-4.2.4-4.uel20.aarch64.rpm UTSA-2022:20113 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: jdom2 security update

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.(CVE-2021-33813) jdom2-help-2.0.6-16.uel20.noarch.rpm jdom2-2.0.6-16.uel20.noarch.rpm UTSA-2022:20118 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: f2fs-tools security update

An exploitable code execution vulnerability exists in the fsck_chk_orphan_node functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause a heap buffer overflow resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability.(CVE-2020-6108) An exploitable information disclosure vulnerability exists in the dev_read functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause an uninitialized read resulting in an information disclosure. An attacker can provide a malicious file to trigger this vulnerability.(CVE-2020-6107) An exploitable information disclosure vulnerability exists in the init_node_manager functionality of F2fs-Tools F2fs.Fsck 1.12 and 1.13. A specially crafted filesystem can be used to disclose information. An attacker can provide a malicious file to trigger this vulnerability.(CVE-2020-6106) An exploitable code execution vulnerability exists in the multiple devices functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause Information overwrite resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability.(CVE-2020-6105) An exploitable information disclosure vulnerability exists in the get_dnode_of_data functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause information disclosure resulting in a information disclosure. An attacker can provide a malicious file to trigger this vulnerability.(CVE-2020-6104) f2fs-tools-1.14.0-1.uel20.x86_64.rpm f2fs-tools-devel-1.14.0-1.uel20.x86_64.rpm f2fs-tools-devel-1.14.0-1.uel20.aarch64.rpm f2fs-tools-1.14.0-1.uel20.aarch64.rpm UTSA-2022:20119 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: htslib security update

HTSlib through 1.10.2 allows out-of-bounds write access in vcf_parse_format (called from vcf_parse and vcf_read).(CVE-2020-36403) htslib-1.11-1.uel20.x86_64.rpm htslib-tools-1.11-1.uel20.x86_64.rpm htslib-devel-1.11-1.uel20.x86_64.rpm htslib-devel-1.11-1.uel20.aarch64.rpm htslib-tools-1.11-1.uel20.aarch64.rpm htslib-1.11-1.uel20.aarch64.rpm UTSA-2022:20120 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python-reportlab security update

All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject <img src="http://127.0.0.1:5000" valign="top"/> 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF(CVE-2020-28463) python3-reportlab-3.6.10-1.uel20.x86_64.rpm python3-reportlab-3.6.10-1.uel20.aarch64.rpm python-reportlab-help-3.6.10-1.uel20.noarch.rpm UTSA-2022:20121 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: m2crypto security update

A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext. The highest threat from this vulnerability is to confidentiality.(CVE-2020-25657) python3-m2crypto-0.30.1-5.uel20.x86_64.rpm m2crypto-0.30.1-5.uel20.x86_64.rpm python3-m2crypto-0.30.1-5.uel20.aarch64.rpm m2crypto-0.30.1-5.uel20.aarch64.rpm UTSA-2022:20128 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: xmlgraphics-commons security update

Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later.(CVE-2020-11988) xmlgraphics-commons-2.2-4.uel20.noarch.rpm UTSA-2022:20131 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: jackson-databind security update

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.(CVE-2019-17531) jackson-databind-javadoc-2.9.8-8.uel20.noarch.rpm jackson-databind-2.9.8-8.uel20.noarch.rpm UTSA-2022:20136 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: derby security update

In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.(CVE-2018-1313) derby-javadoc-10.13.1.1-3.uel20.noarch.rpm derby-10.13.1.1-3.uel20.noarch.rpm UTSA-2022:20137 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: xerces-c security update

The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.(CVE-2018-1311) xerces-c-devel-3.2.2-3.uel20.x86_64.rpm xerces-c-3.2.2-3.uel20.x86_64.rpm xerces-c-3.2.2-3.uel20.aarch64.rpm xerces-c-help-3.2.2-3.uel20.noarch.rpm xerces-c-devel-3.2.2-3.uel20.aarch64.rpm UTSA-2022:20139 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: perl-DBI security update

An issue was discovered in the DBI module through 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). NOTE: this issue exists because of an incomplete fix for CVE-2014-10401.(CVE-2014-10402) perl-DBI-1.643-2.uel20.x86_64.rpm perl-DBI-1.643-2.uel20.aarch64.rpm perl-DBI-help-1.643-2.uel20.noarch.rpm UTSA-2022:20140 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: eclipse-ecf security update

The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain.(CVE-2014-0363) eclipse-ecf-runtime-3.14.4-2.uel20.noarch.rpm eclipse-ecf-core-3.14.4-2.uel20.noarch.rpm eclipse-ecf-sdk-3.14.4-2.uel20.noarch.rpm UTSA-2022:20143 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python-paramiko security update

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.(CVE-2022-24302) python3-paramiko-2.7.2-2.uel20.noarch.rpm python-paramiko-help-2.7.2-2.uel20.noarch.rpm UTSA-2022:20144 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: openvpn security update

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.(CVE-2022-0547) openvpn-2.4.8-8.uel20.x86_64.rpm openvpn-devel-2.4.8-8.uel20.x86_64.rpm openvpn-devel-2.4.8-8.uel20.aarch64.rpm openvpn-2.4.8-8.uel20.aarch64.rpm openvpn-help-2.4.8-8.uel20.noarch.rpm UTSA-2022:20145 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: wireshark security update

Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file(CVE-2021-4185) Crash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file(CVE-2021-4181) Excessive memory consumption in MS-WSP dissector in Wireshark 3.4.0 to 3.4.4 and 3.2.0 to 3.2.12 allows denial of service via packet injection or crafted capture file(CVE-2021-22207) Improper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 could allow remote code execution via via packet injection or crafted capture file.(CVE-2021-22191) wireshark-help-2.6.2-21.uel20.x86_64.rpm wireshark-2.6.2-21.uel20.x86_64.rpm wireshark-devel-2.6.2-21.uel20.x86_64.rpm wireshark-2.6.2-21.uel20.aarch64.rpm wireshark-devel-2.6.2-21.uel20.aarch64.rpm wireshark-help-2.6.2-21.uel20.aarch64.rpm UTSA-2022:20150 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: gstreamer1-plugins-base security update

GStreamer before 1.18.4 may perform an out-of-bounds read when handling certain ID3v2 tags.(CVE-2021-3522) gstreamer1-plugins-base-1.16.2-2.uel20.x86_64.rpm gstreamer1-plugins-base-devel-1.16.2-2.uel20.x86_64.rpm gstreamer1-plugins-base-devel-1.16.2-2.uel20.aarch64.rpm gstreamer1-plugins-base-1.16.2-2.uel20.aarch64.rpm gstreamer1-plugins-base-help-1.16.2-2.uel20.noarch.rpm UTSA-2022:20153 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: festival security update

festival_server in Centre for Speech Technology Research (CSTR) Festival, probably 2.0.95-beta and earlier, places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory.(CVE-2010-3996) festival-1.96-44.uel20.x86_64.rpm festival-devel-1.96-44.uel20.x86_64.rpm festival-devel-1.96-44.uel20.aarch64.rpm festival-1.96-44.uel20.aarch64.rpm festival-help-1.96-44.uel20.noarch.rpm UTSA-2022:20158 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: nodejs-fstream security update

fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.(CVE-2019-13173) nodejs-fstream-1.0.12-1.uel20.noarch.rpm UTSA-2022:20159 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: zsh security update

In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion.(CVE-2021-45444) zsh-5.7.1-6.uel20.x86_64.rpm zsh-5.7.1-6.uel20.aarch64.rpm zsh-help-5.7.1-6.uel20.noarch.rpm UTSA-2022:20162 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: cyrus-sasl security update

In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.(CVE-2022-24407) cyrus-sasl-lib-2.1.27-14.uel20.x86_64.rpm cyrus-sasl-ldap-2.1.27-14.uel20.x86_64.rpm cyrus-sasl-2.1.27-14.uel20.x86_64.rpm cyrus-sasl-gssapi-2.1.27-14.uel20.x86_64.rpm cyrus-sasl-ntlm-2.1.27-14.uel20.x86_64.rpm cyrus-sasl-sql-2.1.27-14.uel20.x86_64.rpm cyrus-sasl-gs2-2.1.27-14.uel20.x86_64.rpm cyrus-sasl-md5-2.1.27-14.uel20.x86_64.rpm cyrus-sasl-devel-2.1.27-14.uel20.x86_64.rpm cyrus-sasl-plain-2.1.27-14.uel20.x86_64.rpm cyrus-sasl-scram-2.1.27-14.uel20.x86_64.rpm cyrus-sasl-2.1.27-14.uel20.aarch64.rpm cyrus-sasl-plain-2.1.27-14.uel20.aarch64.rpm cyrus-sasl-sql-2.1.27-14.uel20.aarch64.rpm cyrus-sasl-ldap-2.1.27-14.uel20.aarch64.rpm cyrus-sasl-help-2.1.27-14.uel20.noarch.rpm cyrus-sasl-devel-2.1.27-14.uel20.aarch64.rpm cyrus-sasl-scram-2.1.27-14.uel20.aarch64.rpm cyrus-sasl-md5-2.1.27-14.uel20.aarch64.rpm cyrus-sasl-lib-2.1.27-14.uel20.aarch64.rpm cyrus-sasl-gssapi-2.1.27-14.uel20.aarch64.rpm cyrus-sasl-ntlm-2.1.27-14.uel20.aarch64.rpm cyrus-sasl-gs2-2.1.27-14.uel20.aarch64.rpm UTSA-2022:20163 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: xterm security update

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.(CVE-2022-24130) xterm-help-334-6.uel20.x86_64.rpm xterm-334-6.uel20.x86_64.rpm xterm-334-6.uel20.aarch64.rpm xterm-help-334-6.uel20.aarch64.rpm UTSA-2022:20165 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: ghostscript security update

A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2021-3781) ghostscript-devel-9.52-7.uel20.x86_64.rpm ghostscript-9.52-7.uel20.x86_64.rpm ghostscript-tools-dvipdf-9.52-7.uel20.x86_64.rpm ghostscript-9.52-7.uel20.aarch64.rpm ghostscript-help-9.52-7.uel20.noarch.rpm ghostscript-devel-9.52-7.uel20.aarch64.rpm ghostscript-tools-dvipdf-9.52-7.uel20.aarch64.rpm UTSA-2022:20167 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: nodejs-jison security update

Insufficient input validation in npm package `jison` <= 0.4.18 may lead to OS command injection attacks.(CVE-2020-8178) nodejs-jison-0.4.18-2.uel20.noarch.rpm UTSA-2022:20169 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rubygem-websocket-extensions security update

websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.(CVE-2020-7663) rubygem-websocket-extensions-doc-0.1.2-2.uel20.noarch.rpm rubygem-websocket-extensions-0.1.2-2.uel20.noarch.rpm UTSA-2022:20170 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-py security update

A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.(CVE-2020-29651) python2-py-1.5.4-5.uel20.noarch.rpm python3-py-1.5.4-5.uel20.noarch.rpm python-py-help-1.5.4-5.uel20.noarch.rpm UTSA-2022:20171 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: nodejs-getobject security update

Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.(CVE-2020-28282) nodejs-getobject-0.1.0-2.uel20.noarch.rpm UTSA-2022:20172 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: mysql-connector-java security update

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).(CVE-2019-2692) mysql-connector-java-8.0.16-1.uel20.noarch.rpm UTSA-2022:20173 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: xmlrpc security update

An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.(CVE-2019-17570) xmlrpc-server-3.1.3-2.uel20.noarch.rpm xmlrpc-javadoc-3.1.3-2.uel20.noarch.rpm xmlrpc-common-3.1.3-2.uel20.noarch.rpm xmlrpc-client-3.1.3-2.uel20.noarch.rpm UTSA-2022:20174 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: rubygem-rubyzip security update

In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption).(CVE-2019-16892) rubygem-rubyzip-doc-2.0.0-1.uel20.noarch.rpm rubygem-rubyzip-2.0.0-1.uel20.noarch.rpm UTSA-2022:20175 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: evince security update

The tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend in GNOME Evince through 3.32.0 did not handle errors from TIFFReadRGBAImageOriented(), leading to uninitialized memory use when processing certain TIFF image files.(CVE-2019-11459) evince-3.30.1-4.uel20.x86_64.rpm evince-help-3.30.1-4.uel20.x86_64.rpm evince-devel-3.30.1-4.uel20.x86_64.rpm evince-help-3.30.1-4.uel20.aarch64.rpm evince-devel-3.30.1-4.uel20.aarch64.rpm evince-3.30.1-4.uel20.aarch64.rpm UTSA-2022:20180 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: cfitsio security update

In the ffghtb function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.(CVE-2018-3849) In the ffghbn function in NASA CFITSIO 3.42, specially crafted images parsed via the library can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can deliver an FIT image to trigger this vulnerability and potentially gain code execution.(CVE-2018-3848) cfitsio-3.490-1.uel20.x86_64.rpm fpack-3.490-1.uel20.x86_64.rpm cfitsio-devel-3.490-1.uel20.x86_64.rpm cfitsio-devel-3.490-1.uel20.aarch64.rpm cfitsio-help-3.490-1.uel20.noarch.rpm fpack-3.490-1.uel20.aarch64.rpm cfitsio-3.490-1.uel20.aarch64.rpm UTSA-2022:20185 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: xstream security update

XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.(CVE-2021-43859) xstream-javadoc-1.4.18-2.uel20.noarch.rpm xstream-parent-1.4.18-2.uel20.noarch.rpm xstream-benchmark-1.4.18-2.uel20.noarch.rpm xstream-hibernate-1.4.18-2.uel20.noarch.rpm xstream-1.4.18-2.uel20.noarch.rpm UTSA-2022:20186 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: freetds security update

FreeTDS through 1.1.11 has a Buffer Overflow.(CVE-2019-13508) freetds-devel-1.00.38-8.uel20.x86_64.rpm freetds-1.00.38-8.uel20.x86_64.rpm freetds-1.00.38-8.uel20.aarch64.rpm freetds-devel-1.00.38-8.uel20.aarch64.rpm freetds-help-1.00.38-8.uel20.noarch.rpm UTSA-2022:20189 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: uriparser security update

An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax.(CVE-2021-46142) An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriFreeUriMembers and uriMakeOwner.(CVE-2021-46141) uriparser-devel-0.9.6-1.uel20.x86_64.rpm uriparser-0.9.6-1.uel20.x86_64.rpm uriparser-help-0.9.6-1.uel20.noarch.rpm uriparser-0.9.6-1.uel20.aarch64.rpm uriparser-devel-0.9.6-1.uel20.aarch64.rpm UTSA-2022:20190 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: hibernate3 security update

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.(CVE-2019-14900) hibernate3-help-3.6.10-25.uel20.noarch.rpm hibernate3-envers-3.6.10-25.uel20.noarch.rpm hibernate3-ehcache-3.6.10-25.uel20.noarch.rpm hibernate3-entitymanager-3.6.10-25.uel20.noarch.rpm hibernate3-proxool-3.6.10-25.uel20.noarch.rpm hibernate3-3.6.10-25.uel20.noarch.rpm hibernate3-testing-3.6.10-25.uel20.noarch.rpm hibernate3-c3p0-3.6.10-25.uel20.noarch.rpm UTSA-2022:20192 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: qt5-qtsvg security update

Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an out-of-bounds write in QtPrivate::QCommonArrayOps<QPainterPath::Element>::growAppend (called from QPainterPath::addPath and QPathClipper::intersect).(CVE-2021-45930) qt5-qtsvg-devel-5.11.1-7.uel20.x86_64.rpm qt5-qtsvg-5.11.1-7.uel20.x86_64.rpm qt5-qtsvg-devel-5.11.1-7.uel20.aarch64.rpm qt5-qtsvg-5.11.1-7.uel20.aarch64.rpm UTSA-2022:20198 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: sphinx security update

SphinxSearch in Sphinx Technologies Sphinx through 3.1.1 allows directory traversal (in conjunction with CVE-2019-14511) because the mysql client can be used for CALL SNIPPETS and load_file operations on a full pathname (e.g., a file in the /etc directory). NOTE: this is unrelated to CMUSphinx.(CVE-2020-29050) sphinx-2.2.11-2.uel20.x86_64.rpm libsphinxclient-2.2.11-2.uel20.x86_64.rpm libsphinxclient-devel-2.2.11-2.uel20.x86_64.rpm sphinx-php-2.2.11-2.uel20.x86_64.rpm sphinx-java-2.2.11-2.uel20.x86_64.rpm sphinx-help-2.2.11-2.uel20.noarch.rpm sphinx-php-2.2.11-2.uel20.aarch64.rpm sphinx-2.2.11-2.uel20.aarch64.rpm libsphinxclient-devel-2.2.11-2.uel20.aarch64.rpm libsphinxclient-2.2.11-2.uel20.aarch64.rpm sphinx-java-2.2.11-2.uel20.aarch64.rpm UTSA-2022:20204 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: keepalived security update

In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property(CVE-2021-44225) keepalived-2.0.20-19.uel20.x86_64.rpm keepalived-help-2.0.20-19.uel20.noarch.rpm keepalived-2.0.20-19.uel20.aarch64.rpm UTSA-2022:20205 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rubygem-bundler security update

`Bundler` is a package for managing application dependencies in Ruby. In `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that use the `git` option with invalid, but seemingly harmless, values with a leading dash, this can be false. To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as `git clone`. These commands are being constructed using user input (e.g. the repository URL). When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. Since this value comes from the `Gemfile` file, it can contain any character, including a leading dash. To exploit this vulnerability, an attacker has to craft a directory containing a `Gemfile` file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of `-u./payload`. This URL will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such as `bundle lock`, inside. This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, the exploitability is very low, because it requires a lot of user interaction. Bundler 2.2.33 has patched this problem by inserting `--` as an argument before any positional arguments to those Git commands that were affected by this issue. Regardless of whether users can upgrade or not, they should review any untrustred `Gemfile`'s before running any `bundler` commands that may read them, since they can contain arbitrary ruby code.(CVE-2021-43809) rubygem-bundler-help-2.2.33-1.uel20.noarch.rpm rubygem-bundler-2.2.33-1.uel20.noarch.rpm UTSA-2022:20207 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: openblas security update

An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.(CVE-2021-4048) openblas-0.3.10-3.uel20.x86_64.rpm openblas-devel-0.3.10-3.uel20.x86_64.rpm openblas-devel-0.3.10-3.uel20.aarch64.rpm openblas-0.3.10-3.uel20.aarch64.rpm UTSA-2022:20209 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: mailman security update

In GNU Mailman before 2.1.38, a list member or moderator can get a CSRF token and craft an admin request (using that token) to set a new admin password or make other changes.(CVE-2021-44227) mailman-2.1.36-2.uel20.x86_64.rpm mailman-2.1.36-2.uel20.aarch64.rpm UTSA-2022:20212 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: redis5 security update

Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the ziplist data structure used by all versions of Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves modifying the default ziplist configuration parameters (hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value) to a very large value, and then constructing specially crafted commands to create very large ziplists. The problem is fixed in Redis versions 6.2.6, 6.0.16, 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the above configuration parameters. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.(CVE-2021-32628) Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.(CVE-2021-32626) redis5-5.0.14-2.uel20.x86_64.rpm redis5-devel-5.0.14-2.uel20.x86_64.rpm redis5-doc-5.0.14-2.uel20.noarch.rpm redis5-5.0.14-2.uel20.aarch64.rpm redis5-devel-5.0.14-2.uel20.aarch64.rpm UTSA-2022:20214 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: apache-mina security update

In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater.(CVE-2021-41973) apache-mina-mina-filter-compression-2.0.21-2.uel20.noarch.rpm apache-mina-javadoc-2.0.21-2.uel20.noarch.rpm apache-mina-mina-http-2.0.21-2.uel20.noarch.rpm apache-mina-2.0.21-2.uel20.noarch.rpm apache-mina-mina-statemachine-2.0.21-2.uel20.noarch.rpm apache-mina-mina-core-2.0.21-2.uel20.noarch.rpm UTSA-2022:20218 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: tinyxml security update

TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in tinyxmlparser.cpp via the TIXML_UTF_LEAD_0 case. It can be triggered by a crafted XML message and leads to a denial of service.(CVE-2021-42260) tinyxml-2.6.2-22.uel20.x86_64.rpm tinyxml-devel-2.6.2-22.uel20.x86_64.rpm tinyxml-devel-2.6.2-22.uel20.aarch64.rpm tinyxml-2.6.2-22.uel20.aarch64.rpm UTSA-2022:20222 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: squashfs-tools security update

squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.(CVE-2021-41072) squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.(CVE-2021-40153) squashfs-tools-4.4-5.uel20.x86_64.rpm squashfs-tools-4.4-5.uel20.aarch64.rpm UTSA-2022:20224 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: SDL security update

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c.(CVE-2019-7575) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c.(CVE-2019-7574) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.(CVE-2019-7572) SDL-1.2.15-39.uel20.x86_64.rpm SDL-devel-1.2.15-39.uel20.x86_64.rpm SDL-help-1.2.15-39.uel20.x86_64.rpm SDL-1.2.15-39.uel20.aarch64.rpm SDL-help-1.2.15-39.uel20.aarch64.rpm SDL-devel-1.2.15-39.uel20.aarch64.rpm UTSA-2022:20227 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: rubygem-excon security update

In RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult to purposefully exploit this.(CVE-2019-16779) rubygem-excon-help-0.62.0-3.uel20.noarch.rpm rubygem-excon-0.62.0-3.uel20.noarch.rpm UTSA-2022:20229 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: storm security update

An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4(CVE-2021-40865) A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.(CVE-2021-38294) storm-1.2.4-1.uel20.x86_64.rpm storm-1.2.4-1.uel20.aarch64.rpm UTSA-2022:20234 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: fetchmail security update

Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.(CVE-2021-39272) fetchmail-6.4.22-1.uel20.x86_64.rpm fetchmail-6.4.22-1.uel20.aarch64.rpm fetchmail-help-6.4.22-1.uel20.noarch.rpm UTSA-2022:20237 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: lynx security update

Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which allows remote attackers to discover cleartext credentials because they may appear in SNI data.(CVE-2021-38165) lynx-2.8.9-6.uel20.x86_64.rpm lynx-2.8.9-6.uel20.aarch64.rpm lynx-help-2.8.9-6.uel20.noarch.rpm UTSA-2022:20239 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: jsoup security update

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.(CVE-2021-37714) jsoup-1.14.2-1.uel20.noarch.rpm UTSA-2022:20245 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: hivex security update

A flaw was found in the hivex library. This flaw allows an attacker to input a specially crafted Windows Registry (hive) file, which would cause hivex to recursively call the _get_children() function, leading to a stack overflow. The highest threat from this vulnerability is to system availability.(CVE-2021-3622) hivex-1.3.17-4.uel20.x86_64.rpm python2-hivex-1.3.17-4.uel20.x86_64.rpm ocaml-hivex-1.3.17-4.uel20.x86_64.rpm ocaml-hivex-devel-1.3.17-4.uel20.x86_64.rpm perl-hivex-1.3.17-4.uel20.x86_64.rpm hivex-devel-1.3.17-4.uel20.x86_64.rpm python3-hivex-1.3.17-4.uel20.x86_64.rpm ruby-hivex-1.3.17-4.uel20.x86_64.rpm python3-hivex-1.3.17-4.uel20.aarch64.rpm perl-hivex-1.3.17-4.uel20.aarch64.rpm python2-hivex-1.3.17-4.uel20.aarch64.rpm hivex-1.3.17-4.uel20.aarch64.rpm ocaml-hivex-1.3.17-4.uel20.aarch64.rpm hivex-help-1.3.17-4.uel20.noarch.rpm hivex-devel-1.3.17-4.uel20.aarch64.rpm ruby-hivex-1.3.17-4.uel20.aarch64.rpm ocaml-hivex-devel-1.3.17-4.uel20.aarch64.rpm UTSA-2022:20246 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: apache-commons-compress security update

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.(CVE-2021-36090) When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.(CVE-2021-35517) When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.(CVE-2021-35516) When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.(CVE-2021-35515) apache-commons-compress-help-1.21-1.uel20.noarch.rpm apache-commons-compress-1.21-1.uel20.noarch.rpm UTSA-2022:20249 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: linuxptp security update

A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. This flaw affects linuxptp versions before 3.1.1, before 2.0.1, before 1.9.3, before 1.8.1, before 1.7.1, before 1.6.1 and before 1.5.1.(CVE-2021-3570) linuxptp-2.0-5.uel20.x86_64.rpm linuxptp-help-2.0-5.uel20.noarch.rpm linuxptp-2.0-5.uel20.aarch64.rpm UTSA-2022:20250 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: tpm2-tools security update

A flaw was found in tpm2-tools in versions before 5.1.1 and before 4.3.2. tpm2_import used a fixed AES key for the inner wrapper, potentially allowing a MITM attacker to unwrap the inner portion and reveal the key being imported. The highest threat from this vulnerability is to data confidentiality.(CVE-2021-3565) tpm2-tools-5.0-3.uel20.x86_64.rpm tpm2-tools-5.0-3.uel20.aarch64.rpm tpm2-tools-help-5.0-3.uel20.noarch.rpm UTSA-2022:20254 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rubygem-addressable security update

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.(CVE-2021-32740) rubygem-addressable-doc-2.5.2-2.uel20.noarch.rpm rubygem-addressable-2.5.2-2.uel20.noarch.rpm UTSA-2022:20258 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: gstreamer1-plugins-bad-free security update

A flaw was found in the gstreamer h264 component of gst-plugins-bad before v1.18.1 where when parsing a h264 header, an attacker could cause the stack to be smashed, memory corruption and possibly code execution.(CVE-2021-3185) gstreamer1-plugins-bad-free-devel-1.16.2-2.uel20.x86_64.rpm gstreamer1-plugins-bad-free-1.16.2-2.uel20.x86_64.rpm gstreamer1-plugins-bad-free-devel-1.16.2-2.uel20.aarch64.rpm gstreamer1-plugins-bad-free-1.16.2-2.uel20.aarch64.rpm UTSA-2022:20261 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rubygem-puma security update

Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.(CVE-2021-29509) rubygem-puma-3.12.6-2.uel20.x86_64.rpm rubygem-puma-doc-3.12.6-2.uel20.noarch.rpm rubygem-puma-3.12.6-2.uel20.aarch64.rpm UTSA-2022:20263 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: gnome-autoar security update

autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241.(CVE-2021-28650) gnome-autoar-0.2.3-6.uel20.x86_64.rpm gnome-autoar-devel-0.2.3-6.uel20.x86_64.rpm gnome-autoar-devel-0.2.3-6.uel20.aarch64.rpm gnome-autoar-0.2.3-6.uel20.aarch64.rpm UTSA-2022:20264 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: jersey security update

Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.(CVE-2021-28168) jersey-javadoc-2.28-2.uel20.noarch.rpm jersey-2.28-2.uel20.noarch.rpm jersey-test-framework-2.28-2.uel20.noarch.rpm UTSA-2022:20265 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: jasper security update

A Divide-by-zero vulnerability exists in JasPer Image Coding Toolkit 2.0 in jasper/src/libjasper/jpc/jpc_enc.c(CVE-2021-27845) jasper-2.0.14-10.uel20.x86_64.rpm jasper-utils-2.0.14-10.uel20.x86_64.rpm jasper-devel-2.0.14-10.uel20.x86_64.rpm jasper-help-2.0.14-10.uel20.x86_64.rpm jasper-2.0.14-10.uel20.aarch64.rpm jasper-utils-2.0.14-10.uel20.aarch64.rpm jasper-help-2.0.14-10.uel20.aarch64.rpm jasper-devel-2.0.14-10.uel20.aarch64.rpm UTSA-2022:20269 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: xmlbeans security update

The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.(CVE-2021-23926) xmlbeans-javadoc-2.6.0-2.uel20.noarch.rpm xmlbeans-2.6.0-2.uel20.noarch.rpm xmlbeans-manual-2.6.0-2.uel20.noarch.rpm xmlbeans-scripts-2.6.0-2.uel20.noarch.rpm UTSA-2022:20271 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: nodejs-handlebars security update

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.(CVE-2021-23383) nodejs-handlebars-4.0.13-2.uel20.noarch.rpm UTSA-2022:20272 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: nodejs-hosted-git-info security update

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.(CVE-2021-23362) nodejs-hosted-git-info-2.1.4-2.uel20.noarch.rpm UTSA-2022:20273 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: nodejs-underscore security update

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.(CVE-2021-23358) nodejs-underscore-1.9.1-2.uel20.noarch.rpm js-underscore-1.9.1-2.uel20.noarch.rpm UTSA-2022:20274 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: nodejs-path-parse security update

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.(CVE-2021-23343) nodejs-path-parse-1.0.7-1.uel20.noarch.rpm UTSA-2022:20276 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rubygem-actionpack security update

The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.(CVE-2021-22904) rubygem-actionpack-doc-5.2.4.4-3.uel20.noarch.rpm rubygem-actionpack-5.2.4.4-3.uel20.noarch.rpm UTSA-2022:20279 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: spice security update

A flaw was found in spice in versions before 0.14.92. A DoS tool might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection.(CVE-2021-20201) spice-server-devel-0.14.3-3.uel20.x86_64.rpm spice-server-0.14.3-3.uel20.x86_64.rpm spice-help-0.14.3-3.uel20.noarch.rpm spice-server-devel-0.14.3-3.uel20.aarch64.rpm spice-server-0.14.3-3.uel20.aarch64.rpm UTSA-2022:20281 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: babel security update

fix cve/bug or enhancement python2-babel-2.8.0-3.uel20.noarch.rpm python3-babel-2.8.0-3.uel20.noarch.rpm babel-help-2.8.0-3.uel20.noarch.rpm babel-2.8.0-3.uel20.noarch.rpm UTSA-2022:20282 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Low

Low: guava security update

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.(CVE-2020-8908) guava-testlib-25.0-5.uel20.noarch.rpm guava-help-25.0-5.uel20.noarch.rpm guava-25.0-5.uel20.noarch.rpm UTSA-2022:20283 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: rubygem-rails security update

A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.(CVE-2020-8165) A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.(CVE-2020-8162) rubygem-rails-5.2.4.4-1.uel20.noarch.rpm rubygem-rails-doc-5.2.4.4-1.uel20.noarch.rpm UTSA-2022:20284 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rubygem-activeresource security update

There is a possible information disclosure issue in Active Resource <v5.1.1 that could allow an attacker to create specially crafted requests to access data in an unexpected way and possibly leak information.(CVE-2020-8151) rubygem-activeresource-5.0.0-2.uel20.noarch.rpm rubygem-activeresource-doc-5.0.0-2.uel20.noarch.rpm UTSA-2022:20286 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: mojarra security update

Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter.(CVE-2020-6950) mojarra-2.2.13-2.uel20.noarch.rpm mojarra-javadoc-2.2.13-2.uel20.noarch.rpm UTSA-2022:20287 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libass security update

libass 0.15.x before 0.15.1 has a heap-based buffer overflow in decode_chars (called from decode_font and process_text) because the wrong integer data type is used for subtraction.(CVE-2020-36430) libass-0.15.0-2.uel20.x86_64.rpm libass-devel-0.15.0-2.uel20.x86_64.rpm libass-help-0.15.0-2.uel20.noarch.rpm libass-0.15.0-2.uel20.aarch64.rpm libass-devel-0.15.0-2.uel20.aarch64.rpm UTSA-2022:20289 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: wavpack security update

WavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples in pack_utils.c because of an integer overflow in a malloc argument. NOTE: some third-parties claim that there are later "unofficial" releases through 5.3.2, which are also affected.(CVE-2020-35738) wavpack-5.3.0-2.uel20.x86_64.rpm wavpack-devel-5.3.0-2.uel20.x86_64.rpm wavpack-5.3.0-2.uel20.aarch64.rpm wavpack-devel-5.3.0-2.uel20.aarch64.rpm wavpack-help-5.3.0-2.uel20.noarch.rpm UTSA-2022:20293 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: jackson-dataformats-binary security update

This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.(CVE-2020-28491) jackson-dataformats-binary-2.9.4-6.uel20.noarch.rpm UTSA-2022:20295 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libmaxminddb security update

libmaxminddb before 1.4.3 has a heap-based buffer over-read in dump_entry_data_list in maxminddb.c.(CVE-2020-28241) libmaxminddb-1.2.0-8.uel20.x86_64.rpm libmaxminddb-help-1.2.0-8.uel20.x86_64.rpm libmaxminddb-devel-1.2.0-8.uel20.x86_64.rpm libmaxminddb-1.2.0-8.uel20.aarch64.rpm libmaxminddb-help-1.2.0-8.uel20.aarch64.rpm libmaxminddb-devel-1.2.0-8.uel20.aarch64.rpm UTSA-2022:20298 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: xdg-utils security update

A flaw was found in the xdg-email component of xdg-utils-1.1.0-rc1 and newer. When handling mailto: URIs, xdg-email allows attachments to be discreetly added via the URI when being passed to Thunderbird. An attacker could potentially send a victim a URI that automatically attaches a sensitive file to a new email. If a victim user does not notice that an attachment was added and sends the email, this could result in sensitive information disclosure. It has been confirmed that the code behind this issue is in xdg-email and not in Thunderbird.(CVE-2020-27748) xdg-utils-1.1.3-5.uel20.noarch.rpm xdg-utils-help-1.1.3-5.uel20.noarch.rpm UTSA-2022:20300 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: spice-vdagent security update

A race condition vulnerability was found in the way the spice-vdagentd daemon handled new client connections. This flaw may allow an unprivileged local guest user to become the active agent for spice-vdagentd, possibly resulting in a denial of service or information leakage from the host. The highest threat from this vulnerability is to data confidentiality as well as system availability. This flaw affects spice-vdagent versions 0.20 and prior.(CVE-2020-25653) A flaw was found in the spice-vdagentd daemon, where it did not properly handle client connections that can be established via the UNIX domain socket in `/run/spice-vdagentd/spice-vdagent-sock`. Any unprivileged local guest user could use this flaw to prevent legitimate agents from connecting to the spice-vdagentd daemon, resulting in a denial of service. The highest threat from this vulnerability is to system availability. This flaw affects spice-vdagent versions 0.20 and prior.(CVE-2020-25652) A flaw was found in the SPICE file transfer protocol. File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Active file transfers from other users could also be interrupted, resulting in a denial of service. The highest threat from this vulnerability is to data confidentiality as well as system availability. This flaw affects spice-vdagent versions 0.20 and prior.(CVE-2020-25651) A flaw was found in the way the spice-vdagentd daemon handled file transfers from the host system to the virtual machine. Any unprivileged local guest user with access to the UNIX domain socket path `/run/spice-vdagentd/spice-vdagent-sock` could use this flaw to perform a memory denial of service for spice-vdagentd or even other processes in the VM system. The highest threat from this vulnerability is to system availability. This flaw affects spice-vdagent versions 0.20 and previous versions.(CVE-2020-25650) spice-vdagent-0.20.0-2.uel20.x86_64.rpm spice-vdagent-0.20.0-2.uel20.aarch64.rpm spice-vdagent-help-0.20.0-2.uel20.noarch.rpm UTSA-2022:20301 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: icu security update

International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp.(CVE-2020-21913) libicu-62.1-6.uel20.x86_64.rpm icu-62.1-6.uel20.x86_64.rpm libicu-devel-62.1-6.uel20.x86_64.rpm icu-help-62.1-6.uel20.noarch.rpm libicu-devel-62.1-6.uel20.aarch64.rpm libicu-62.1-6.uel20.aarch64.rpm icu-62.1-6.uel20.aarch64.rpm UTSA-2022:20304 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: junit security update

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.(CVE-2020-15250) junit-help-4.12-13.uel20.noarch.rpm junit-4.12-13.uel20.noarch.rpm UTSA-2022:20307 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: PyYAML security update

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.(CVE-2020-14343) python2-pyyaml-5.3.1-4.uel20.x86_64.rpm python3-pyyaml-5.3.1-4.uel20.x86_64.rpm python3-pyyaml-5.3.1-4.uel20.aarch64.rpm python2-pyyaml-5.3.1-4.uel20.aarch64.rpm UTSA-2022:20309 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: rubygem-kramdown security update

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.(CVE-2020-14001) rubygem-kramdown-help-2.1.0-3.uel20.noarch.rpm rubygem-kramdown-2.1.0-3.uel20.noarch.rpm UTSA-2022:20310 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libEMF security update

ScaleViewPortExtEx in libemf.cpp in libEMF (aka ECMA-234 Metafile Library) 1.0.12 allows an integer overflow and denial of service via a crafted EMF file.(CVE-2020-13999) libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows a use-after-free.(CVE-2020-11866) libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows out-of-bounds memory access.(CVE-2020-11865) libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of service (issue 2 of 2).(CVE-2020-11864) libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows denial of service (issue 1 of 2).(CVE-2020-11863) libEMF-help-1.0.13-1.uel20.x86_64.rpm libEMF-1.0.13-1.uel20.x86_64.rpm libEMF-devel-1.0.13-1.uel20.x86_64.rpm libEMF-help-1.0.13-1.uel20.aarch64.rpm libEMF-1.0.13-1.uel20.aarch64.rpm libEMF-devel-1.0.13-1.uel20.aarch64.rpm UTSA-2022:20311 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: velocity-tools security update

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.(CVE-2020-13959) velocity-tools-javadoc-2.0-2.uel20.noarch.rpm velocity-tools-2.0-2.uel20.noarch.rpm UTSA-2022:20313 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libupnp security update

Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.(CVE-2020-13848) libupnp-1.8.4-3.uel20.x86_64.rpm libupnp-devel-1.8.4-3.uel20.x86_64.rpm libupnp-1.8.4-3.uel20.aarch64.rpm libupnp-devel-1.8.4-3.uel20.aarch64.rpm UTSA-2022:20317 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: gssproxy security update

** DISPUTED ** gssproxy (aka gss-proxy) before 0.8.3 does not unlock cond_mutex before pthread exit in gp_worker_main() in gp_workers.c. NOTE: An upstream comment states "We are already on a shutdown path when running the code in question, so a DoS there doesn't make any sense, and there has been no additional information provided us (as upstream) to indicate why this would be a problem."(CVE-2020-12658) gssproxy-help-0.8.3-1.uel20.x86_64.rpm gssproxy-0.8.3-1.uel20.x86_64.rpm gssproxy-help-0.8.3-1.uel20.aarch64.rpm gssproxy-0.8.3-1.uel20.aarch64.rpm UTSA-2022:20320 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Low

Low: file-roller security update

fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location.(CVE-2020-11736) file-roller-3.30.1-3.uel20.x86_64.rpm file-roller-nautilus-3.30.1-3.uel20.x86_64.rpm file-roller-3.30.1-3.uel20.aarch64.rpm file-roller-nautilus-3.30.1-3.uel20.aarch64.rpm UTSA-2022:20321 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: python-sqlalchemy security update

SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.(CVE-2019-7548) SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.(CVE-2019-7164) python3-sqlalchemy-1.2.19-3.uel20.x86_64.rpm python2-sqlalchemy-1.2.19-3.uel20.x86_64.rpm python3-sqlalchemy-1.2.19-3.uel20.aarch64.rpm python2-sqlalchemy-1.2.19-3.uel20.aarch64.rpm python-sqlalchemy-help-1.2.19-3.uel20.noarch.rpm UTSA-2022:20322 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: gnome-shell security update

It was discovered that the gnome-shell lock screen since version 3.15.91 did not properly restrict all contextual actions. An attacker with physical access to a locked workstation could invoke certain keyboard shortcuts, and potentially other actions.(CVE-2019-3820) gnome-shell-3.30.1-10.uel20.x86_64.rpm gnome-shell-3.30.1-10.uel20.aarch64.rpm gnome-shell-help-3.30.1-10.uel20.noarch.rpm UTSA-2022:20324 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: aspell security update

objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acommon::ObjStack::dup_top (called from acommon::StringMap::add and acommon::Config::lookup_list).(CVE-2019-25051) libaspell.a in GNU Aspell before 0.60.8 has a buffer over-read for a string ending with a single '\0' byte, if the encoding is set to ucs-2 or ucs-4 outside of the application, as demonstrated by the ASPELL_CONF environment variable.(CVE-2019-20433) aspell-0.60.6.1-29.uel20.x86_64.rpm aspell-help-0.60.6.1-29.uel20.x86_64.rpm aspell-devel-0.60.6.1-29.uel20.x86_64.rpm aspell-0.60.6.1-29.uel20.aarch64.rpm aspell-devel-0.60.6.1-29.uel20.aarch64.rpm aspell-help-0.60.6.1-29.uel20.aarch64.rpm UTSA-2022:20325 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-psutil security update

psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object.(CVE-2019-18874) python2-psutil-5.4.3-9.uel20.x86_64.rpm python3-psutil-5.4.3-9.uel20.x86_64.rpm python2-psutil-5.4.3-9.uel20.aarch64.rpm python3-psutil-5.4.3-9.uel20.aarch64.rpm UTSA-2022:20330 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: memcached security update

memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c.(CVE-2019-15026) memcached-selinux-1.5.10-6.uel20.x86_64.rpm memcached-devel-1.5.10-6.uel20.x86_64.rpm memcached-1.5.10-6.uel20.x86_64.rpm memcached-help-1.5.10-6.uel20.noarch.rpm memcached-devel-1.5.10-6.uel20.aarch64.rpm memcached-1.5.10-6.uel20.aarch64.rpm memcached-selinux-1.5.10-6.uel20.aarch64.rpm UTSA-2022:20331 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: kf5-kconfig security update

In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.(CVE-2019-14744) kf5-kconfig-5.55.0-3.uel20.x86_64.rpm kf5-kconfig-core-5.55.0-3.uel20.x86_64.rpm kf5-kconfig-gui-5.55.0-3.uel20.x86_64.rpm kf5-kconfig-devel-5.55.0-3.uel20.x86_64.rpm kf5-kconfig-gui-5.55.0-3.uel20.aarch64.rpm kf5-kconfig-5.55.0-3.uel20.aarch64.rpm kf5-kconfig-devel-5.55.0-3.uel20.aarch64.rpm kf5-kconfig-core-5.55.0-3.uel20.aarch64.rpm UTSA-2022:20333 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: jackson security update

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.(CVE-2019-10172) jackson-help-1.9.11-16.uel20.noarch.rpm jackson-1.9.11-16.uel20.noarch.rpm UTSA-2022:20334 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: audiofile security update

Integer overflow in modules/MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.(CVE-2017-6839) Integer overflow in sfcommands/sfconvert.c in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.(CVE-2017-6838) Heap-based buffer overflow in the decodeBlockWAVE function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6, 0.3.5, 0.3.4, 0.3.3, 0.3.2, 0.3.1, 0.3.0 and 0.2.7 allows remote attackers to cause a denial of service (crash) via a crafted file.(CVE-2017-6831) The decodeSample function in IMA.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via a crafted file.(CVE-2017-6829) Heap-based buffer overflow in the readValue function in FileHandle.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have unspecified impact via a crafted WAV file.(CVE-2017-6828) audiofile-0.3.6-25.uel20.x86_64.rpm audiofile-devel-0.3.6-25.uel20.x86_64.rpm audiofile-devel-0.3.6-25.uel20.aarch64.rpm audiofile-0.3.6-25.uel20.aarch64.rpm audiofile-help-0.3.6-25.uel20.noarch.rpm UTSA-2022:20335 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: libpng12 security update

Unspecified vulnerability in libpng before 1.6.20, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01, allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 23265085.(CVE-2016-3751) Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.(CVE-2015-8126) Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495.(CVE-2015-0973) Heap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16, when running on 64-bit systems, might allow context-dependent attackers to execute arbitrary code via a "very wide interlaced" PNG image.(CVE-2014-9495) Multiple integer overflows in libpng before 1.5.14rc03 allow remote attackers to cause a denial of service (crash) via a crafted image to the (1) png_set_sPLT or (2) png_set_text_2 function, which triggers a heap-based buffer overflow.(CVE-2013-7354) Integer overflow in the png_set_unknown_chunks function in libpng/pngset.c in libpng before 1.5.14beta08 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a crafted image, which triggers a heap-based buffer overflow.(CVE-2013-7353) The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via (1) a PLTE chunk of zero bytes or (2) a NULL palette, related to pngrtran.c and pngset.c.(CVE-2013-6954) Integer signedness error in the png_inflate function in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026.(CVE-2011-3045) Multiple off-by-one errors in libpng before 1.2.32beta01, and 1.4 before 1.4.0beta34, allow context-dependent attackers to cause a denial of service (crash) or have unspecified other impact via a PNG image with crafted zTXt chunks, related to (1) the png_push_read_zTXt function in pngread.c, and possibly related to (2) pngtest.c.(CVE-2008-3964) libpng12-1.2.57-12.uel20.x86_64.rpm libpng12-devel-1.2.57-12.uel20.x86_64.rpm libpng12-1.2.57-12.uel20.aarch64.rpm libpng12-devel-1.2.57-12.uel20.aarch64.rpm UTSA-2022:20336 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: gstreamer-plugins-good security update

The gst_aac_parse_sink_setcaps function in gst/audioparsers/gstaacparse.c in gst-plugins-good in GStreamer before 1.10.3 allows remote attackers to cause a denial of service (invalid memory read and crash) via a crafted audio file.(CVE-2016-10198) gstreamer-plugins-good-0.10.31-24.uel20.x86_64.rpm gstreamer-plugins-good-0.10.31-24.uel20.aarch64.rpm UTSA-2022:20337 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: vorbis-tools security update

oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file.(CVE-2014-9640) vorbis-tools-1.4.0-31.uel20.x86_64.rpm vorbis-tools-help-1.4.0-31.uel20.noarch.rpm vorbis-tools-1.4.0-31.uel20.aarch64.rpm UTSA-2022:20340 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: nodejs-jsonpointer security update

This affects the package jsonpointer before 5.0.0. A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.(CVE-2021-23807) nodejs-jsonpointer-5.0.0-1.uel20.noarch.rpm UTBA-2022:20342 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

lightdm bugfix

解决救援模式segfault问题(BZ-84637) lightdm-qt5-devel-1.30.0-11.up2.uel20.01.x86_64.rpm lightdm-qt5-1.30.0-11.up2.uel20.01.x86_64.rpm lightdm-1.30.0-11.up2.uel20.01.x86_64.rpm lightdm-gobject-devel-1.30.0-11.up2.uel20.01.x86_64.rpm lightdm-gobject-1.30.0-11.up2.uel20.01.x86_64.rpm lightdm-gobject-devel-1.30.0-11.up2.uel20.01.aarch64.rpm lightdm-gobject-1.30.0-11.up2.uel20.01.aarch64.rpm lightdm-qt5-1.30.0-11.up2.uel20.01.aarch64.rpm lightdm-qt5-devel-1.30.0-11.up2.uel20.01.aarch64.rpm lightdm-1.30.0-11.up2.uel20.01.aarch64.rpm UTBA-2022:20349 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

liburing/fio bugfix

解决io_uring测试segfault问题(BZ-129697) liburing-1.0.7-3.0.1.uel20.x86_64.rpm liburing-1.0.7-3.0.1.uel20.aarch64.rpm fio-3.22-1.0.1.uel20.01.x86_64.rpm fio-help-3.22-1.0.1.uel20.01.x86_64.rpm fio-help-3.22-1.0.1.uel20.01.aarch64.rpm fio-3.22-1.0.1.uel20.01.aarch64.rpm UTBA-2022:20352 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

podman/ima-evm-utils bugfix

解决安装依赖问题(BZ-149361) podman-0.10.1-8.up1.uel20.x86_64.rpm podman-help-0.10.1-8.up1.uel20.x86_64.rpm python3-podman-0.10.1-8.up1.uel20.noarch.rpm podman-help-0.10.1-8.up1.uel20.aarch64.rpm podman-0.10.1-8.up1.uel20.aarch64.rpm python3-pypodman-0.10.1-8.up1.uel20.noarch.rpm podman-docker-0.10.1-8.up1.uel20.noarch.rpm ima-evm-utils-libs-1.3.2-12.uel20.9.x86_64.rpm ima-evm-utils-1.3.2-12.uel20.9.x86_64.rpm ima-evm-utils-devel-1.3.2-12.uel20.9.x86_64.rpm ima-evm-utils-help-1.3.2-12.uel20.9.noarch.rpm ima-evm-utils-libs-1.3.2-12.uel20.9.aarch64.rpm ima-evm-utils-1.3.2-12.uel20.9.aarch64.rpm ima-evm-utils-devel-1.3.2-12.uel20.9.aarch64.rpm UTBA-2022:20358 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

gparted bugfix

解决分区编辑器多个菜单的选项之间有明显的空白问题(BZ-141329) gparted-1.2.0-1.uel20.04.x86_64.rpm gparted-help-1.2.0-1.uel20.04.x86_64.rpm gparted-help-1.2.0-1.uel20.04.aarch64.rpm gparted-1.2.0-1.uel20.04.aarch64.rpm UTBA-2022:20359 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

google-noto-fonts\atune bugfix

修改产品标识(BZ-139685) google-noto-sans-deseret-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-lycian-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-lydian-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-ogham-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-phoenician-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-tagbanwa-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-hatran-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-old-south-arabian-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-old-italic-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-inscriptional-pahlavi-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-imperial-aramaic-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-nabataean-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-inscriptional-parthian-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-old-permic-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-tagalog-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-mro-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-bassa-vah-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-buginese-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-hanunoo-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-old-north-arabian-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-rejang-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-sora-sompeng-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-ugaritic-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-pau-cin-hau-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-runic-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-gothic-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-samaritan-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-buhid-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-carian-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-lisu-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-limbu-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-old-persian-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-shavian-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-caucasian-albanian-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-cypriot-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-old-turkic-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-batak-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-fonts-common-20181223-1.up1.uel20.noarch.rpm google-noto-sans-ol-chiki-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-palmyrene-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-meetei-mayek-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-takri-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-multani-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-osmanya-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-new-tai-lue-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-kayah-li-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-pahawh-hmong-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-duployan-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-osage-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-elbasan-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-khudawadi-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-ahom-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-tai-le-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-mahajani-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-sundanese-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-avestan-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-tifinagh-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-lepcha-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-kharoshthi-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-warang-citi-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-syloti-nagri-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-mandaic-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-miao-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-mende-kikakui-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-tai-viet-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-psalter-pahlavi-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-meroitic-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-phags-pa-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-saurashtra-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-nko-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-brahmi-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-glagolitic-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-adlam-unjoined-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-sharada-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-khojki-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-modi-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-manichaean-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-syriac-estrangela-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-syriac-eastern-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-coptic-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-tai-tham-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-thaana-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-balinese-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-syriac-western-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-old-hungarian-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-linear-a-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-chakma-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-lao-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-hebrew-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-linear-b-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-lao-ui-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-armenian-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-myanmar-ui-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-kufi-arabic-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-devanagari-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-sinhala-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-tamil-ui-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-hebrew-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-tibetan-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-georgian-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-bengali-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-kannada-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-thai-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-ethiopic-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-thaana-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-syriac-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-display-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-bengali-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-myanmar-ui-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-arabic-ui-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-armenian-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-display-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-symbols-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-tamil-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-kannada-ui-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-sinhala-ui-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-armenian-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-khmer-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-lao-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-myanmar-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-lao-ui-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-malayalam-ui-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-khmer-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-khmer-ui-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-tibetan-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-thai-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-display-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-display-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-khmer-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-cuneiform-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-tamil-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-lao-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-thai-ui-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-tamil-slanted-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-tamil-slanted-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-mono-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-malayalam-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-bhaiksuki-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-lao-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-grantha-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-canadian-aboriginal-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-devanagari-ui-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-ethiopic-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-devanagari-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-symbols2-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-gurmukhi-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-tamil-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-oriya-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-khmer-ui-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-ethiopic-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-hebrew-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-gurmukhi-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-music-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-adlam-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-tirhuta-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-bengali-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-kannada-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-devanagari-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-mongolian-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-myanmar-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-arabic-ui-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-marchen-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-naskh-arabic-ui-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-nastaliq-urdu-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-malayalam-ui-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-gujarati-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-tamil-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-cham-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-gujarati-ui-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-malayalam-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-gujarati-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-tamil-ui-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-symbols-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-bengali-ui-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-math-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-tibetan-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-bengali-ui-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-kannada-ui-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-canadian-aboriginal-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-cherokee-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-kaithi-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-telugu-ui-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-naskh-arabic-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-georgian-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-thai-ui-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-bamum-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-gurmukhi-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-cham-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-anatolian-hieroglyphs-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-myanmar-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-telugu-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-arabic-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-oriya-ui-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-gujarati-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-khmer-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-myanmar-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-telugu-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-georgian-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-thai-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-kannada-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-sinhala-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-vai-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-georgian-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-yi-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-javanese-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-gurmukhi-ui-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-malayalam-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-mono-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-armenian-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-arabic-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-kannada-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-hebrew-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-devanagari-ui-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-sinhala-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-cherokee-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-egyptian-hieroglyphs-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-ethiopic-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-thai-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-sinhala-vf-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-sans-newa-fonts-20181223-1.up1.uel20.noarch.rpm google-noto-serif-fonts-20181223-1.up1.uel20.noarch.rpm UTBA-2022:20361 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

netdata/autotrace bugfix

解决安装依赖问题(BZ-137513) netdata-freeipmi-1.31.0-3.uel20.x86_64.rpm netdata-1.31.0-3.uel20.x86_64.rpm netdata-1.31.0-3.uel20.aarch64.rpm netdata-conf-1.31.0-3.uel20.noarch.rpm netdata-data-1.31.0-3.uel20.noarch.rpm netdata-freeipmi-1.31.0-3.uel20.aarch64.rpm autotrace-0.31.1-53.up1.uel20.x86_64.rpm autotrace-devel-0.31.1-53.up1.uel20.x86_64.rpm autotrace-help-0.31.1-53.up1.uel20.noarch.rpm autotrace-devel-0.31.1-53.up1.uel20.aarch64.rpm autotrace-0.31.1-53.up1.uel20.aarch64.rpm UTSA-2022:20365 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: virglrenderer security update

An out-of-bounds write issue was found in the VirGL virtual OpenGL renderer (virglrenderer). This flaw allows a malicious guest to create a specially crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl, leading to a denial of service or possible code execution.(CVE-2022-0135) virglrenderer-0.7.0-5.uel20.x86_64.rpm virglrenderer-devel-0.7.0-5.uel20.x86_64.rpm virglrenderer-0.7.0-5.uel20.aarch64.rpm virglrenderer-devel-0.7.0-5.uel20.aarch64.rpm UTSA-2022:20367 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: intel-sgx-ssl security update

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).(CVE-2022-2068) The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).(CVE-2022-0778) The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).(CVE-2022-1292) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).(CVE-2022-2097) intel-sgx-ssl-devel-2.10-4.uel20.x86_64.rpm intel-sgx-ssl-2.10-4.uel20.x86_64.rpm UTSA-2022:20379 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libjpeg-turbo security update

A crafted input file could cause a null pointer dereference in jcopy_sample_rows() when processed by libjpeg-turbo.(CVE-2020-35538) libjpeg-turbo-2.0.5-3.up1.uel20.x86_64.rpm libjpeg-turbo-devel-2.0.5-3.up1.uel20.x86_64.rpm libjpeg-turbo-devel-2.0.5-3.up1.uel20.aarch64.rpm libjpeg-turbo-help-2.0.5-3.up1.uel20.noarch.rpm libjpeg-turbo-2.0.5-3.up1.uel20.aarch64.rpm UTSA-2022:20380 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: fribidi security update

A segmentation fault (SEGV) flaw was found in the Fribidi package and affects the fribidi_remove_bidi_marks() function of the lib/fribidi.c file. This flaw allows an attacker to pass a specially crafted file to Fribidi, leading to a crash and causing a denial of service.(CVE-2022-25310) A heap-based buffer overflow flaw was found in the Fribidi package and affects the fribidi_cap_rtl_to_unicode() function of the fribidi-char-sets-cap-rtl.c file. This flaw allows an attacker to pass a specially crafted file to the Fribidi application with the '--caprtl' option, leading to a crash and causing a denial of service.(CVE-2022-25309) A stack-based buffer overflow flaw was found in the Fribidi package. This flaw allows an attacker to pass a specially crafted file to the Fribidi application, which leads to a possible memory leak or a denial of service.(CVE-2022-25308) fribidi-1.0.10-2.uel20.x86_64.rpm fribidi-devel-1.0.10-2.uel20.x86_64.rpm fribidi-1.0.10-2.uel20.aarch64.rpm fribidi-devel-1.0.10-2.uel20.aarch64.rpm UTSA-2022:20382 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: wayland security update

fix cve/bug or enhancement wayland-1.17.0-3.uel20.x86_64.rpm wayland-devel-1.17.0-3.uel20.x86_64.rpm wayland-devel-1.17.0-3.uel20.aarch64.rpm wayland-help-1.17.0-3.uel20.noarch.rpm wayland-1.17.0-3.uel20.aarch64.rpm UTSA-2022:20384 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-pip security update

Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.(CVE-2020-14422) An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.(CVE-2021-33503) python3-pip-20.2.2-6.uel20.noarch.rpm python-pip-help-20.2.2-6.uel20.noarch.rpm python2-pip-20.2.2-6.uel20.noarch.rpm python-pip-wheel-20.2.2-6.uel20.noarch.rpm UTSA-2022:20398 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: dovecot security update

An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.(CVE-2022-30550) dovecot-2.3.15-5.uel20.x86_64.rpm dovecot-help-2.3.15-5.uel20.x86_64.rpm dovecot-devel-2.3.15-5.uel20.x86_64.rpm dovecot-2.3.15-5.uel20.aarch64.rpm dovecot-devel-2.3.15-5.uel20.aarch64.rpm dovecot-help-2.3.15-5.uel20.aarch64.rpm UTSA-2022:20400 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: xalan-j2 security update

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.(CVE-2022-34169) xalan-j2-2.7.1-39.uel20.noarch.rpm xalan-j2-xsltc-2.7.1-39.uel20.noarch.rpm UTSA-2022:20409 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: bcel security update

fix cve/bug or enhancement bcel-6.2-5.uel20.noarch.rpm UTSA-2022:20414 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: lighttpd security update

In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. It leads to null pointer dereference which crashes the server. It could be used by an external attacker to cause denial of service condition.(CVE-2022-37797) lighttpd-1.4.67-1.uel20.x86_64.rpm lighttpd-mod_authn_gssapi-1.4.67-1.uel20.x86_64.rpm lighttpd-fastcgi-1.4.67-1.uel20.x86_64.rpm lighttpd-mod_authn_pam-1.4.67-1.uel20.x86_64.rpm lighttpd-mod_mysql_vhost-1.4.67-1.uel20.x86_64.rpm lighttpd-mod_authn_mysql-1.4.67-1.uel20.x86_64.rpm lighttpd-mod_authn_gssapi-1.4.67-1.uel20.aarch64.rpm lighttpd-filesystem-1.4.67-1.uel20.noarch.rpm lighttpd-mod_authn_mysql-1.4.67-1.uel20.aarch64.rpm lighttpd-1.4.67-1.uel20.aarch64.rpm lighttpd-mod_mysql_vhost-1.4.67-1.uel20.aarch64.rpm lighttpd-fastcgi-1.4.67-1.uel20.aarch64.rpm lighttpd-mod_authn_pam-1.4.67-1.uel20.aarch64.rpm UTSA-2022:20416 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: mod_security_crs security update

fix cve/bug or enhancement mod_security_crs-3.2.2-1.uel20.noarch.rpm UTSA-2022:20417 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: squid security update

fix cve/bug or enhancement squid-4.9-13.uel20.x86_64.rpm squid-4.9-13.uel20.aarch64.rpm UTSA-2022:20420 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: strongswan security update

strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data.(CVE-2022-40617) strongswan-5.7.2-10.uel20.x86_64.rpm strongswan-help-5.7.2-10.uel20.noarch.rpm strongswan-5.7.2-10.uel20.aarch64.rpm UTSA-2022:20431 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libexif security update

In exif_data_load_data_content of exif-data.c, there is a possible UBSAN abort due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-146428941(CVE-2020-0198) In exif_data_load_data_thumbnail of exif-data.c, there is a possible denial of service due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145075076(CVE-2020-0181) In exif_data_save_data_entry of exif-data.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-148705132(CVE-2020-0093) In libexif, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege in the media content provider with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112537774(CVE-2019-9278) libexif-0.6.21-25.uel20.x86_64.rpm libexif-devel-0.6.21-25.uel20.x86_64.rpm libexif-0.6.21-25.uel20.aarch64.rpm libexif-devel-0.6.21-25.uel20.aarch64.rpm libexif-help-0.6.21-25.uel20.noarch.rpm UTSA-2022:20432 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: firefox security update

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.(CVE-2022-40674) firefox-79.0-9.up1.uel20.x86_64.rpm firefox-79.0-9.up1.uel20.aarch64.rpm UTSA-2022:20434 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: protobuf security update

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.(CVE-2022-3171) protobuf-compiler-3.14.0-6.uel20.x86_64.rpm protobuf-lite-3.14.0-6.uel20.x86_64.rpm protobuf-devel-3.14.0-6.uel20.x86_64.rpm protobuf-3.14.0-6.uel20.x86_64.rpm protobuf-lite-devel-3.14.0-6.uel20.x86_64.rpm protobuf-3.14.0-6.uel20.aarch64.rpm python3-protobuf-3.14.0-6.uel20.noarch.rpm protobuf-devel-3.14.0-6.uel20.aarch64.rpm protobuf-lite-devel-3.14.0-6.uel20.aarch64.rpm protobuf-lite-3.14.0-6.uel20.aarch64.rpm protobuf-bom-3.14.0-6.uel20.noarch.rpm protobuf-java-3.14.0-6.uel20.noarch.rpm protobuf-compiler-3.14.0-6.uel20.aarch64.rpm protobuf-javadoc-3.14.0-6.uel20.noarch.rpm protobuf-parent-3.14.0-6.uel20.noarch.rpm protobuf-java-util-3.14.0-6.uel20.noarch.rpm protobuf-javalite-3.14.0-6.uel20.noarch.rpm UTSA-2022:20437 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: lighttpd security update

A resource leak in gw_backend.c in lighttpd 1.4.56 through 1.4.66 could lead to a denial of service (connection-slot exhaustion) after a large amount of anomalous TCP behavior by clients. It is related to RDHUP mishandling in certain HTTP/1.1 chunked situations. Use of mod_fastcgi is, for example, affected. This is fixed in 1.4.67.(CVE-2022-41556) lighttpd-1.4.67-1.uel20.x86_64.rpm lighttpd-mod_authn_gssapi-1.4.67-1.uel20.x86_64.rpm lighttpd-fastcgi-1.4.67-1.uel20.x86_64.rpm lighttpd-mod_authn_pam-1.4.67-1.uel20.x86_64.rpm lighttpd-mod_mysql_vhost-1.4.67-1.uel20.x86_64.rpm lighttpd-mod_authn_mysql-1.4.67-1.uel20.x86_64.rpm lighttpd-mod_authn_gssapi-1.4.67-1.uel20.aarch64.rpm lighttpd-filesystem-1.4.67-1.uel20.noarch.rpm lighttpd-mod_authn_mysql-1.4.67-1.uel20.aarch64.rpm lighttpd-1.4.67-1.uel20.aarch64.rpm lighttpd-mod_mysql_vhost-1.4.67-1.uel20.aarch64.rpm lighttpd-fastcgi-1.4.67-1.uel20.aarch64.rpm lighttpd-mod_authn_pam-1.4.67-1.uel20.aarch64.rpm UTSA-2022:20440 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: uboot-tools security update

nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a failed length check, leading to a buffer overflow. NOTE: this issue exists because of an incorrect fix for CVE-2019-14196.(CVE-2022-30767) uboot-tools-2020.07-7.uel20.x86_64.rpm uboot-images-armv8-2020.07-7.uel20.noarch.rpm uboot-tools-help-2020.07-7.uel20.noarch.rpm uboot-tools-2020.07-7.uel20.aarch64.rpm uboot-images-elf-2020.07-7.uel20.aarch64.rpm UTSA-2022:20442 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: python-joblib security update

The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the pre_dispatch flag in Parallel() class due to the eval() statement.(CVE-2022-21797) python3-joblib-0.14.0-4.uel20.noarch.rpm UTSA-2022:20446 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: mariadb-connector-c security update

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).(CVE-2022-37434) mariadb-connector-c-devel-3.0.6-9.uel20.x86_64.rpm mariadb-connector-c-3.0.6-9.uel20.x86_64.rpm mariadb-connector-c-devel-3.0.6-9.uel20.aarch64.rpm mariadb-connector-c-3.0.6-9.uel20.aarch64.rpm UTSA-2022:20449 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: apache-sshd security update

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.(CVE-2022-45047) apache-sshd-javadoc-2.9.2-1.uel20.noarch.rpm apache-sshd-2.9.2-1.uel20.noarch.rpm UTSA-2022:20455 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: ntfs-3g security update

A buffer overflow was discovered in NTFS-3G before 2022.10.3. Crafted metadata in an NTFS image can cause code execution. A local attacker can exploit this if the ntfs-3g binary is setuid root. A physically proximate attacker can exploit this if NTFS-3G software is configured to execute upon attachment of an external storage device.(CVE-2022-40284) ntfs-3g-devel-2022.5.17-2.uel20.x86_64.rpm ntfs-3g-2022.5.17-2.uel20.x86_64.rpm ntfs-3g-help-2022.5.17-2.uel20.x86_64.rpm ntfs-3g-2022.5.17-2.uel20.aarch64.rpm ntfs-3g-help-2022.5.17-2.uel20.aarch64.rpm ntfs-3g-devel-2022.5.17-2.uel20.aarch64.rpm UTSA-2022:20460 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: pixman security update

In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.(CVE-2022-44638) pixman-devel-0.40.0-2.uel20.x86_64.rpm pixman-0.40.0-2.uel20.x86_64.rpm pixman-devel-0.40.0-2.uel20.aarch64.rpm pixman-0.40.0-2.uel20.aarch64.rpm UTSA-2022:20462 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: exiv2 security update

A vulnerability was found in Exiv2. It has been classified as critical. Affected is the function QuickTimeVideo::userDataDecoder of the file quicktimevideo.cpp of the component QuickTime Video Handler. The manipulation leads to integer overflow. It is possible to launch the attack remotely. The name of the patch is bf4f28b727bdedbd7c88179c30d360e54568a62e. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-212496.(CVE-2022-3756) A vulnerability was found in Exiv2 and classified as problematic. This issue affects the function QuickTimeVideo::userDataDecoder of the file quicktimevideo.cpp of the component QuickTime Video Handler. The manipulation leads to null pointer dereference. The attack may be initiated remotely. The name of the patch is 6bb956ad808590ce2321b9ddf6772974da27c4ca. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212495.(CVE-2022-3755) exiv2-devel-0.27.5-2.uel20.x86_64.rpm exiv2-0.27.5-2.uel20.x86_64.rpm exiv2-devel-0.27.5-2.uel20.aarch64.rpm exiv2-help-0.27.5-2.uel20.noarch.rpm exiv2-0.27.5-2.uel20.aarch64.rpm UTSA-2022:20463 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: deltarpm security update

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).(CVE-2022-37434) python3-deltarpm-3.6.2-5.uel20.x86_64.rpm drpmsync-3.6.2-5.uel20.x86_64.rpm python2-deltarpm-3.6.2-5.uel20.x86_64.rpm deltarpm-3.6.2-5.uel20.x86_64.rpm python3-deltarpm-3.6.2-5.uel20.aarch64.rpm deltarpm-help-3.6.2-5.uel20.noarch.rpm drpmsync-3.6.2-5.uel20.aarch64.rpm python2-deltarpm-3.6.2-5.uel20.aarch64.rpm deltarpm-3.6.2-5.uel20.aarch64.rpm UTSA-2022:20464 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libconfuse security update

cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer over-read.(CVE-2022-40320) libconfuse-3.3-2.uel20.x86_64.rpm libconfuse-devel-3.3-2.uel20.x86_64.rpm libconfuse-3.3-2.uel20.aarch64.rpm libconfuse-devel-3.3-2.uel20.aarch64.rpm UTSA-2022:20479 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: qemu security update

An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition.(CVE-2022-4144) qemu-4.1.0-76.up2.uel20.x86_64.rpm qemu-img-4.1.0-76.up2.uel20.x86_64.rpm qemu-guest-agent-4.1.0-76.up2.uel20.x86_64.rpm qemu-seabios-4.1.0-76.up2.uel20.x86_64.rpm qemu-block-curl-4.1.0-76.up2.uel20.x86_64.rpm qemu-block-rbd-4.1.0-76.up2.uel20.x86_64.rpm qemu-block-ssh-4.1.0-76.up2.uel20.x86_64.rpm qemu-block-iscsi-4.1.0-76.up2.uel20.x86_64.rpm qemu-4.1.0-76.up2.uel20.aarch64.rpm qemu-guest-agent-4.1.0-76.up2.uel20.aarch64.rpm qemu-img-4.1.0-76.up2.uel20.aarch64.rpm qemu-block-ssh-4.1.0-76.up2.uel20.aarch64.rpm qemu-block-rbd-4.1.0-76.up2.uel20.aarch64.rpm qemu-block-curl-4.1.0-76.up2.uel20.aarch64.rpm qemu-block-iscsi-4.1.0-76.up2.uel20.aarch64.rpm qemu-help-4.1.0-76.up2.uel20.noarch.rpm UTSA-2022:20481 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: proftpd security update

mod_radius in ProFTPD before 1.3.7c allows memory disclosure to RADIUS servers because it copies blocks of 16 characters.(CVE-2021-46854) proftpd-1.3.7a-2.uel20.x86_64.rpm proftpd-mysql-1.3.7a-2.uel20.x86_64.rpm proftpd-sqlite-1.3.7a-2.uel20.x86_64.rpm proftpd-postgresql-1.3.7a-2.uel20.x86_64.rpm proftpd-devel-1.3.7a-2.uel20.x86_64.rpm proftpd-utils-1.3.7a-2.uel20.x86_64.rpm proftpd-ldap-1.3.7a-2.uel20.x86_64.rpm proftpd-1.3.7a-2.uel20.aarch64.rpm proftpd-devel-1.3.7a-2.uel20.aarch64.rpm proftpd-utils-1.3.7a-2.uel20.aarch64.rpm proftpd-postgresql-1.3.7a-2.uel20.aarch64.rpm proftpd-sqlite-1.3.7a-2.uel20.aarch64.rpm proftpd-mysql-1.3.7a-2.uel20.aarch64.rpm proftpd-ldap-1.3.7a-2.uel20.aarch64.rpm UTSA-2022:20482 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: libtar security update

After tar_close(), libtar.c releases the memory pointed to by pointer t. After tar_close() is called in the list() function, it continues to use pointer t: free_longlink_longname(t->th_buf) . As a result, the released memory is used (use-after-free).(CVE-2021-33640) libtar-help-1.2.20-20.uel20.x86_64.rpm libtar-devel-1.2.20-20.uel20.x86_64.rpm libtar-1.2.20-20.uel20.x86_64.rpm libtar-help-1.2.20-20.uel20.aarch64.rpm libtar-devel-1.2.20-20.uel20.aarch64.rpm libtar-1.2.20-20.uel20.aarch64.rpm UTSA-2022:20483 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: freerdp security update

FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP may attempt integer addition on too narrow types leads to allocation of a buffer too small holding the data written. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server. This issue has been addressed in version 2.9.0 and all users are advised to upgrade. Users unable to upgrade should not use the `/usb` redirection switch.(CVE-2022-39320) FreeRDP is a free remote desktop protocol library and clients. Affected versions of FreeRDP are missing a range check for input offset index in ZGFX decoder. A malicious server can trick a FreeRDP based client to read out of bound data and try to decode it. This issue has been addressed in version 2.9.0. There are no known workarounds for this issue.(CVE-2022-39317) freerdp-2.8.1-3.uel20.x86_64.rpm freerdp-devel-2.8.1-3.uel20.x86_64.rpm libwinpr-devel-2.8.1-3.uel20.x86_64.rpm libwinpr-2.8.1-3.uel20.x86_64.rpm freerdp-help-2.8.1-3.uel20.x86_64.rpm libwinpr-devel-2.8.1-3.uel20.aarch64.rpm freerdp-help-2.8.1-3.uel20.aarch64.rpm libwinpr-2.8.1-3.uel20.aarch64.rpm freerdp-devel-2.8.1-3.uel20.aarch64.rpm freerdp-2.8.1-3.uel20.aarch64.rpm UTSA-2022:20485 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Low

Low: kubernetes security update

A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack.(CVE-2021-25740) kubernetes-help-1.20.2-16.uel20.x86_64.rpm kubernetes-kubelet-1.20.2-16.uel20.x86_64.rpm kubernetes-node-1.20.2-16.uel20.x86_64.rpm kubernetes-kubeadm-1.20.2-16.uel20.x86_64.rpm kubernetes-client-1.20.2-16.uel20.x86_64.rpm kubernetes-master-1.20.2-16.uel20.x86_64.rpm kubernetes-1.20.2-16.uel20.x86_64.rpm kubernetes-node-1.20.2-16.uel20.aarch64.rpm kubernetes-1.20.2-16.uel20.aarch64.rpm kubernetes-client-1.20.2-16.uel20.aarch64.rpm kubernetes-kubelet-1.20.2-16.uel20.aarch64.rpm kubernetes-help-1.20.2-16.uel20.aarch64.rpm kubernetes-master-1.20.2-16.uel20.aarch64.rpm kubernetes-kubeadm-1.20.2-16.uel20.aarch64.rpm UTSA-2022:20487 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: mongodb security update

A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects: MongoDB Inc. MongoDB Server v4.4 versions prior to 4.4.0-rc7; v4.2 versions prior to 4.2.8; v4.0 versions prior to 4.0.19.(CVE-2020-7923) mongodb-4.0.23-1.uel20.x86_64.rpm mongodb-test-4.0.23-1.uel20.x86_64.rpm mongodb-server-4.0.23-1.uel20.x86_64.rpm mongodb-test-4.0.23-1.uel20.aarch64.rpm mongodb-4.0.23-1.uel20.aarch64.rpm mongodb-help-4.0.23-1.uel20.noarch.rpm mongodb-server-4.0.23-1.uel20.aarch64.rpm UTSA-2023:20001 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python-setuptools security update

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.(CVE-2022-40897) python2-setuptools-44.1.1-2.uel20.noarch.rpm python-setuptools-help-44.1.1-2.uel20.noarch.rpm python-setuptools-44.1.1-2.uel20.noarch.rpm python3-setuptools-44.1.1-2.uel20.noarch.rpm UTSA-2023:20004 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: byacc security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2021-33642) ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2021-33641) byacc-1.9.20200330-2.uel20.x86_64.rpm byacc-help-1.9.20200330-2.uel20.noarch.rpm byacc-1.9.20200330-2.uel20.aarch64.rpm UTSA-2023:20018 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: freeradius security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2022-41861) ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2022-41860) freeradius-krb5-3.0.15-25.uel20.x86_64.rpm python2-freeradius-3.0.15-25.uel20.x86_64.rpm freeradius-perl-3.0.15-25.uel20.x86_64.rpm freeradius-mysql-3.0.15-25.uel20.x86_64.rpm freeradius-ldap-3.0.15-25.uel20.x86_64.rpm freeradius-3.0.15-25.uel20.x86_64.rpm freeradius-sqlite-3.0.15-25.uel20.x86_64.rpm freeradius-postgresql-3.0.15-25.uel20.x86_64.rpm freeradius-utils-3.0.15-25.uel20.x86_64.rpm freeradius-devel-3.0.15-25.uel20.x86_64.rpm freeradius-help-3.0.15-25.uel20.x86_64.rpm freeradius-3.0.15-25.uel20.aarch64.rpm freeradius-postgresql-3.0.15-25.uel20.aarch64.rpm freeradius-sqlite-3.0.15-25.uel20.aarch64.rpm freeradius-mysql-3.0.15-25.uel20.aarch64.rpm freeradius-devel-3.0.15-25.uel20.aarch64.rpm freeradius-krb5-3.0.15-25.uel20.aarch64.rpm freeradius-perl-3.0.15-25.uel20.aarch64.rpm python2-freeradius-3.0.15-25.uel20.aarch64.rpm freeradius-help-3.0.15-25.uel20.aarch64.rpm freeradius-utils-3.0.15-25.uel20.aarch64.rpm freeradius-ldap-3.0.15-25.uel20.aarch64.rpm UTSA-2023:20010 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: net-snmp security update

handle_ipv6IpForwarding in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.4.3 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.(CVE-2022-44793) handle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP 5.8 through 5.9.3 has a NULL Pointer Exception bug that can be used by a remote attacker (who has write access) to cause the instance to crash via a crafted UDP packet, resulting in Denial of Service.(CVE-2022-44792) net-snmp-perl-5.9-8.up1.uel20.x86_64.rpm python3-net-snmp-5.9-8.up1.uel20.x86_64.rpm net-snmp-5.9-8.up1.uel20.x86_64.rpm net-snmp-devel-5.9-8.up1.uel20.x86_64.rpm net-snmp-gui-5.9-8.up1.uel20.x86_64.rpm net-snmp-libs-5.9-8.up1.uel20.x86_64.rpm net-snmp-5.9-8.up1.uel20.aarch64.rpm net-snmp-perl-5.9-8.up1.uel20.aarch64.rpm net-snmp-libs-5.9-8.up1.uel20.aarch64.rpm net-snmp-devel-5.9-8.up1.uel20.aarch64.rpm net-snmp-gui-5.9-8.up1.uel20.aarch64.rpm python3-net-snmp-5.9-8.up1.uel20.aarch64.rpm net-snmp-help-5.9-8.up1.uel20.noarch.rpm UTSA-2023:20014 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: linux-firmware security update

Integer overflow in the firmware for some Intel(R) Graphics Drivers for Windows * before version 26.20.100.7212 and before Linux kernel version 5.5 may allow a privileged user to potentially enable an escalation of privilege via local access.(CVE-2020-12362) linux-firmware-20211027-1.uel20.noarch.rpm UTSA-2023:20017 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: opusfile security update

A null pointer dereference issue was discovered in functions op_get_data and op_open1 in opusfile.c in xiph opusfile 0.9 thru 0.12 allows attackers to cause denial of service or other unspecified impacts.(CVE-2022-47021) opusfile-0.11-7.uel20.x86_64.rpm opusfile-devel-0.11-7.uel20.x86_64.rpm opusfile-devel-0.11-7.uel20.aarch64.rpm opusfile-0.11-7.uel20.aarch64.rpm UTSA-2023:20018 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: pkgconf security update

In pkgconf through 1.9.3, variable duplication can cause unbounded string expansion due to incorrect checks in libpkgconf/tuple.c:pkgconf_tuple_parse. For example, a .pc file containing a few hundred bytes can expand to one billion bytes.(CVE-2023-24056) pkgconf-1.7.3-2.uel20.x86_64.rpm pkgconf-devel-1.7.3-2.uel20.x86_64.rpm pkgconf-devel-1.7.3-2.uel20.aarch64.rpm pkgconf-1.7.3-2.uel20.aarch64.rpm pkgconf-help-1.7.3-2.uel20.noarch.rpm UTSA-2023:20020 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: SDL2 security update

A potential memory leak issue was discovered in SDL2 in GLES_CreateTexture() function in SDL_render_gles.c. The vulnerability allows an attacker to cause a denial of service attack. The vulnerability affects SDL2 v2.0.4 and above. SDL-1.x are not affected.(CVE-2022-4743) SDL2-2.0.12-2.uel20.x86_64.rpm SDL2-devel-2.0.12-2.uel20.x86_64.rpm SDL2-2.0.12-2.uel20.aarch64.rpm SDL2-devel-2.0.12-2.uel20.aarch64.rpm UTSA-2023:20024 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rubygem-activesupport security update

A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.(CVE-2023-22796) rubygem-activesupport-doc-5.2.4.4-2.uel20.noarch.rpm rubygem-activesupport-5.2.4.4-2.uel20.noarch.rpm UTSA-2023:20027 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rubygem-globalid security update

A ReDoS based DoS vulnerability in the GlobalID <1.0.1 which could allow an attacker supplying a carefully crafted input can cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately.(CVE-2023-22799) rubygem-globalid-doc-0.4.2-4.uel20.noarch.rpm rubygem-globalid-0.4.2-4.uel20.noarch.rpm UTSA-2023:20028 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: haproxy security update

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.(CVE-2023-25725) ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-0056) haproxy-2.2.16-4.uel20.x86_64.rpm haproxy-help-2.2.16-4.uel20.noarch.rpm haproxy-2.2.16-4.uel20.aarch64.rpm UTSA-2023:20030 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: apr-util security update

Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions.(CVE-2022-25147) apr-util-pgsql-1.6.1-15.uel20.x86_64.rpm apr-util-1.6.1-15.uel20.x86_64.rpm apr-util-devel-1.6.1-15.uel20.x86_64.rpm apr-util-odbc-1.6.1-15.uel20.x86_64.rpm apr-util-pgsql-1.6.1-15.uel20.aarch64.rpm apr-util-devel-1.6.1-15.uel20.aarch64.rpm apr-util-1.6.1-15.uel20.aarch64.rpm apr-util-odbc-1.6.1-15.uel20.aarch64.rpm UTSA-2023:20031 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libtiff security update

LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3609, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.(CVE-2023-0804) LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3516, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.(CVE-2023-0803) LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3724, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.(CVE-2023-0802) LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6778, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.(CVE-2023-0801) LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3502, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.(CVE-2023-0800) LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3701, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.(CVE-2023-0799) LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3400, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.(CVE-2023-0798) LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6921, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.(CVE-2023-0797) LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3592, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.(CVE-2023-0796) LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3488, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.(CVE-2023-0795) libtiff-4.3.0-10.uel20.x86_64.rpm libtiff-devel-4.3.0-10.uel20.x86_64.rpm libtiff-devel-4.3.0-10.uel20.aarch64.rpm libtiff-4.3.0-10.uel20.aarch64.rpm libtiff-help-4.3.0-10.uel20.noarch.rpm UTSA-2023:20035 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python-cryptography security update

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.(CVE-2023-23931) python2-cryptography-3.3.1-3.uel20.x86_64.rpm python3-cryptography-3.3.1-3.uel20.x86_64.rpm python3-cryptography-3.3.1-3.uel20.aarch64.rpm python2-cryptography-3.3.1-3.uel20.aarch64.rpm python-cryptography-help-3.3.1-3.uel20.noarch.rpm UTSA-2023:20036 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: edk2 security update

A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API most likely leading to a crash. The unavailability of an algorithm can be caused by using FIPS enabled configuration of providers or more commonly by not loading the legacy provider. PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions however third party applications would be affected if they call these functions to verify signatures on untrusted data.(CVE-2023-0401) There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.(CVE-2023-0286) The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected.(CVE-2023-0215) The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.(CVE-2022-4450) edk2-ovmf-202002-15.up1.uel20.noarch.rpm edk2-devel-202002-15.up1.uel20.x86_64.rpm edk2-devel-202002-15.up1.uel20.aarch64.rpm edk2-aarch64-202002-15.up1.uel20.noarch.rpm edk2-help-202002-15.up1.uel20.noarch.rpm python3-edk2-devel-202002-15.up1.uel20.noarch.rpm UTSA-2023:20039 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: nodejs security update

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.(CVE-2023-0286) The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected.(CVE-2023-0215) The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.(CVE-2022-4450) A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.(CVE-2022-4304) npm-6.14.16-1.12.22.11.3.uel20.x86_64.rpm nodejs-12.22.11-3.uel20.x86_64.rpm nodejs-libs-12.22.11-3.uel20.x86_64.rpm v8-devel-7.8.279.23-1.12.22.11.3.uel20.x86_64.rpm nodejs-devel-12.22.11-3.uel20.x86_64.rpm nodejs-full-i18n-12.22.11-3.uel20.x86_64.rpm npm-6.14.16-1.12.22.11.3.uel20.aarch64.rpm nodejs-docs-12.22.11-3.uel20.noarch.rpm nodejs-12.22.11-3.uel20.aarch64.rpm nodejs-devel-12.22.11-3.uel20.aarch64.rpm v8-devel-7.8.279.23-1.12.22.11.3.uel20.aarch64.rpm nodejs-libs-12.22.11-3.uel20.aarch64.rpm nodejs-full-i18n-12.22.11-3.uel20.aarch64.rpm UTSA-2023:20044 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: harfbuzz security update

hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.(CVE-2023-25193) harfbuzz-2.8.1-4.uel20.x86_64.rpm harfbuzz-devel-2.8.1-4.uel20.x86_64.rpm harfbuzz-help-2.8.1-4.uel20.noarch.rpm harfbuzz-2.8.1-4.uel20.aarch64.rpm harfbuzz-devel-2.8.1-4.uel20.aarch64.rpm UTSA-2023:20045 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libxpm security update

A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.(CVE-2022-4883) A flaw was found in libXpm. This issue occurs when parsing a file with a comment not closed; the end-of-file condition will not be detected, leading to an infinite loop and resulting in a Denial of Service in the application linked to the library.(CVE-2022-46285) A flaw was found in libXpm. When processing a file with width of 0 and a very large height, some parser functions will be called repeatedly and can lead to an infinite loop, resulting in a Denial of Service in the application linked to the library.(CVE-2022-44617) libXpm-3.5.13-2.uel20.x86_64.rpm libXpm-devel-3.5.13-2.uel20.x86_64.rpm libXpm-devel-3.5.13-2.uel20.aarch64.rpm libXpm-3.5.13-2.uel20.aarch64.rpm libXpm-help-3.5.13-2.uel20.noarch.rpm UTSA-2023:20046 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: leptonica security update

An issue in the Leptonica linked library (v1.79.0) allows attackers to cause an arithmetic exception leading to a Denial of Service (DoS) via a crafted JPEG file.(CVE-2022-38266) leptonica-tools-1.79.0-3.uel20.x86_64.rpm leptonica-1.79.0-3.uel20.x86_64.rpm leptonica-devel-1.79.0-3.uel20.x86_64.rpm leptonica-1.79.0-3.uel20.aarch64.rpm leptonica-devel-1.79.0-3.uel20.aarch64.rpm leptonica-tools-1.79.0-3.uel20.aarch64.rpm UTSA-2023:20047 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: pesign security update

A flaw was found in pesign. The pesign package provides a systemd service used to start the pesign daemon. This service unit runs a script to set ACLs for /etc/pki/pesign and /run/pesign directories to grant access privileges to users in the 'pesign' group. However, the script doesn't check for symbolic links. This could allow an attacker to gain access to privileged files and directories via a path traversal attack.(CVE-2022-3560) pesign-0.113-5.uel20.x86_64.rpm pesign-help-0.113-5.uel20.x86_64.rpm pesign-help-0.113-5.uel20.aarch64.rpm pesign-0.113-5.uel20.aarch64.rpm UTSA-2023:20048 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: apr security update

Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0.(CVE-2022-24963) apr-devel-1.7.0-5.uel20.x86_64.rpm apr-1.7.0-5.uel20.x86_64.rpm apr-devel-1.7.0-5.uel20.aarch64.rpm apr-help-1.7.0-5.uel20.noarch.rpm apr-1.7.0-5.uel20.aarch64.rpm UTSA-2023:20052 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: tpm2-tss security update

tpm2-tss is an open source software implementation of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2 Software Stack (TSS2). In affected versions `Tss2_RC_SetHandler` and `Tss2_RC_Decode` both index into `layer_handler` with an 8 bit layer number, but the array only has `TPM2_ERROR_TSS2_RC_LAYER_COUNT` entries, so trying to add a handler for higher-numbered layers or decode a response code with such a layer number reads/writes past the end of the buffer. This Buffer overrun, could result in arbitrary code execution. An example attack would be a MiTM bus attack that returns 0xFFFFFFFF for the RC. Given the common use case of TPM modules an attacker must have local access to the target machine with local system privileges which allows access to the TPM system. Usually TPM access requires administrative privilege.(CVE-2023-22745) tpm2-tss-help-3.0.3-2.uel20.noarch.rpm UTSA-2023:20059 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libX11 security update

A vulnerability was found in X.org libX11 and classified as problematic. This issue affects the function _XFreeX11XCBStructure of the file xcb_disp.c. The manipulation of the argument dpy leads to memory leak. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211055.(CVE-2022-3555) A vulnerability has been found in X.org libX11 and classified as problematic. This vulnerability affects the function _XimRegisterIMInstantiateCallback of the file modules/im/ximcp/imsClbk.c. The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211054 is the identifier assigned to this vulnerability.(CVE-2022-3554) libX11-1.6.9-6.uel20.x86_64.rpm libX11-devel-1.6.9-6.uel20.x86_64.rpm libX11-1.6.9-6.uel20.aarch64.rpm libX11-help-1.6.9-6.uel20.noarch.rpm libX11-devel-1.6.9-6.uel20.aarch64.rpm UTSA-2023:20060 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: apache-commons-fileupload security update

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.(CVE-2023-24998) apache-commons-fileupload-help-1.4-2.uel20.noarch.rpm apache-commons-fileupload-1.4-2.uel20.noarch.rpm UTSA-2023:20061 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: snakeyaml security update

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.(CVE-2022-41854) Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.(CVE-2022-38752) Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38751) Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38750) Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.(CVE-2022-38749) The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.(CVE-2022-25857) snakeyaml-javadoc-1.32-1.uel20.noarch.rpm snakeyaml-1.32-1.uel20.noarch.rpm UTSA-2023:20062 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: qt5-qtbase security update

Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).(CVE-2021-38593) qt5-qtbase-devel-5.11.1-13.up6.uel20.x86_64.rpm qt5-qtbase-5.11.1-13.up6.uel20.x86_64.rpm qt5-qtbase-odbc-5.11.1-13.up6.uel20.x86_64.rpm qt5-qtbase-mysql-5.11.1-13.up6.uel20.x86_64.rpm qt5-qtbase-postgresql-5.11.1-13.up6.uel20.x86_64.rpm qt5-qtbase-gui-5.11.1-13.up6.uel20.x86_64.rpm qt5-qtbase-odbc-5.11.1-13.up6.uel20.aarch64.rpm qt5-qtbase-5.11.1-13.up6.uel20.aarch64.rpm qt5-qtbase-common-5.11.1-13.up6.uel20.noarch.rpm qt5-qtbase-devel-5.11.1-13.up6.uel20.aarch64.rpm qt5-qtbase-postgresql-5.11.1-13.up6.uel20.aarch64.rpm qt5-qtbase-gui-5.11.1-13.up6.uel20.aarch64.rpm qt5-qtbase-mysql-5.11.1-13.up6.uel20.aarch64.rpm UTSA-2023:20064 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python3 security update

An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.(CVE-2023-24329) python3-devel-3.7.9-33.up1.uel20.x86_64.rpm python3-3.7.9-33.up1.uel20.x86_64.rpm python3-debug-3.7.9-33.up1.uel20.x86_64.rpm python3-devel-3.7.9-33.up1.uel20.aarch64.rpm python3-3.7.9-33.up1.uel20.aarch64.rpm python3-debug-3.7.9-33.up1.uel20.aarch64.rpm python3-help-3.7.9-33.up1.uel20.noarch.rpm UTSA-2023:20067 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libfastjson security update

json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.(CVE-2020-12762) libfastjson-devel-0.99.9-3.uel20.01.x86_64.rpm libfastjson-0.99.9-3.uel20.01.x86_64.rpm libfastjson-devel-0.99.9-3.uel20.01.aarch64.rpm libfastjson-0.99.9-3.uel20.01.aarch64.rpm UTSA-2023:20068 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: emacs security update

org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters.(CVE-2023-28617) emacs-27.1-9.uel20.x86_64.rpm emacs-devel-27.1-9.uel20.x86_64.rpm emacs-common-27.1-9.uel20.x86_64.rpm emacs-lucid-27.1-9.uel20.x86_64.rpm emacs-nox-27.1-9.uel20.x86_64.rpm emacs-common-27.1-9.uel20.aarch64.rpm emacs-27.1-9.uel20.aarch64.rpm emacs-lucid-27.1-9.uel20.aarch64.rpm emacs-nox-27.1-9.uel20.aarch64.rpm emacs-terminal-27.1-9.uel20.noarch.rpm emacs-devel-27.1-9.uel20.aarch64.rpm emacs-filesystem-27.1-9.uel20.noarch.rpm emacs-help-27.1-9.uel20.noarch.rpm UTSA-2023:20071 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: liblouis security update

Buffer Overflow vulnerability found in Liblouis Lou_Trace v.3.24.0 allows a remote attacker to cause a denial of service via the resolveSubtable function at compileTranslationTabel.c.(CVE-2023-26769) liblouis-devel-3.7.0-4.uel20.x86_64.rpm liblouis-3.7.0-4.uel20.x86_64.rpm liblouis-utils-3.7.0-4.uel20.x86_64.rpm python3-louis-3.7.0-4.uel20.noarch.rpm liblouis-devel-3.7.0-4.uel20.aarch64.rpm liblouis-utils-3.7.0-4.uel20.aarch64.rpm python2-louis-3.7.0-4.uel20.noarch.rpm liblouis-3.7.0-4.uel20.aarch64.rpm liblouis-help-3.7.0-4.uel20.noarch.rpm UTSA-2023:20073 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: dnsmasq security update

An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.(CVE-2023-28450) dnsmasq-help-2.82-12.uel20.x86_64.rpm dnsmasq-2.82-12.uel20.x86_64.rpm dnsmasq-help-2.82-12.uel20.aarch64.rpm dnsmasq-2.82-12.uel20.aarch64.rpm UTSA-2023:20074 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: json-smart security update

[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.(CVE-2023-1370) json-smart-javadoc-2.2-2.uel20.noarch.rpm json-smart-2.2-2.uel20.noarch.rpm UTSA-2023:20077 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: undertow security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-1108) undertow-1.4.0-5.uel20.noarch.rpm undertow-javadoc-1.4.0-5.uel20.noarch.rpm UTSA-2023:20078 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: poppler security update

A logic error in the Hints::Hints function of Poppler v22.03.0 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.(CVE-2022-27337) poppler-glib-0.90.0-2.uel20.x86_64.rpm poppler-utils-0.90.0-2.uel20.x86_64.rpm poppler-cpp-0.90.0-2.uel20.x86_64.rpm poppler-qt5-0.90.0-2.uel20.x86_64.rpm poppler-0.90.0-2.uel20.x86_64.rpm poppler-glib-devel-0.90.0-2.uel20.x86_64.rpm poppler-cpp-devel-0.90.0-2.uel20.x86_64.rpm poppler-qt5-devel-0.90.0-2.uel20.x86_64.rpm poppler-devel-0.90.0-2.uel20.x86_64.rpm poppler-0.90.0-2.uel20.aarch64.rpm poppler-qt5-devel-0.90.0-2.uel20.aarch64.rpm poppler-cpp-0.90.0-2.uel20.aarch64.rpm poppler-qt5-0.90.0-2.uel20.aarch64.rpm poppler-utils-0.90.0-2.uel20.aarch64.rpm poppler-glib-0.90.0-2.uel20.aarch64.rpm poppler-devel-0.90.0-2.uel20.aarch64.rpm poppler-glib-devel-0.90.0-2.uel20.aarch64.rpm poppler-cpp-devel-0.90.0-2.uel20.aarch64.rpm poppler-help-0.90.0-2.uel20.noarch.rpm poppler-glib-doc-0.90.0-2.uel20.noarch.rpm UTSA-2023:20081 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libmicrohttpd security update

GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) due to improper parsing of a multipart/form-data boundary in the postprocessor.c MHD_create_post_processor() method. This allows an attacker to remotely send a malicious HTTP POST packet that includes one or more '\0' bytes in a multipart/form-data boundary field, which - assuming a specific heap layout - will result in an out-of-bounds read and a crash in the find_boundary() function.(CVE-2023-27371) libmicrohttpd-0.9.59-8.up1.uel20.x86_64.rpm libmicrohttpd-devel-0.9.59-8.up1.uel20.x86_64.rpm libmicrohttpd-help-0.9.59-8.up1.uel20.noarch.rpm libmicrohttpd-0.9.59-8.up1.uel20.aarch64.rpm libmicrohttpd-devel-0.9.59-8.up1.uel20.aarch64.rpm UTSA-2023:20082 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: redis security update

Redis is an in-memory database that persists on disk. Authenticated users can use string matching commands (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. The problem is fixed in Redis versions 6.0.18, 6.2.11, 7.0.9.(CVE-2022-36021) redis-4.0.11-17.uel20.x86_64.rpm redis-4.0.11-17.uel20.aarch64.rpm UTSA-2023:20083 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: glusterfs security update

In Gluster GlusterFS 11.0, there is an xlators/mount/fuse/src/fuse-bridge.c notify stack-based buffer over-read.(CVE-2023-26253) glusterfs-7.0-10.uel20.x86_64.rpm glusterfs-devel-7.0-10.uel20.x86_64.rpm glusterfs-help-7.0-10.uel20.x86_64.rpm python3-gluster-7.0-10.uel20.x86_64.rpm glusterfs-7.0-10.uel20.aarch64.rpm python3-gluster-7.0-10.uel20.aarch64.rpm glusterfs-devel-7.0-10.uel20.aarch64.rpm glusterfs-resource-agents-7.0-10.uel20.noarch.rpm glusterfs-help-7.0-10.uel20.aarch64.rpm UTSA-2023:20084 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: clamav security update

On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process.(CVE-2023-20052) On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the HFS+ partition file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to execute arbitrary code. This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write. An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition. For a description of this vulnerability, see the ClamAV blog ["https://blog.clamav.net/"].(CVE-2023-20032) clamd-0.103.8-1.uel20.x86_64.rpm clamav-devel-0.103.8-1.uel20.x86_64.rpm clamav-0.103.8-1.uel20.x86_64.rpm clamav-milter-0.103.8-1.uel20.x86_64.rpm clamav-help-0.103.8-1.uel20.x86_64.rpm clamav-update-0.103.8-1.uel20.x86_64.rpm clamav-0.103.8-1.uel20.aarch64.rpm clamav-update-0.103.8-1.uel20.aarch64.rpm clamav-milter-0.103.8-1.uel20.aarch64.rpm clamd-0.103.8-1.uel20.aarch64.rpm clamav-help-0.103.8-1.uel20.aarch64.rpm clamav-devel-0.103.8-1.uel20.aarch64.rpm clamav-data-0.103.8-1.uel20.noarch.rpm clamav-filesystem-0.103.8-1.uel20.noarch.rpm UTSA-2023:20087 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: future security update

An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.(CVE-2022-40899) python2-future-0.16.0-12.uel20.noarch.rpm python3-future-0.16.0-12.uel20.noarch.rpm UTSA-2023:20088 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: hyperscan security update

Improper buffer restrictions in the Hyperscan library maintained by Intel(R) all versions downloaded before 04/29/2022 may allow an unauthenticated user to potentially enable escalation of privilege via network access.(CVE-2022-29486) hyperscan-5.2.1-3.uel20.x86_64.rpm hyperscan-devel-5.2.1-3.uel20.x86_64.rpm hyperscan-devel-5.2.1-3.uel20.aarch64.rpm hyperscan-5.2.1-3.uel20.aarch64.rpm UTSA-2023:20089 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: dmidecode security update

Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible.(CVE-2023-30630) dmidecode-3.3-4.uel20.06.x86_64.rpm dmidecode-3.3-4.uel20.06.aarch64.rpm UTSA-2023:20090 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: protobuf-c security update

protobuf-c before 1.4.1 has an unsigned integer overflow in parse_required_member.(CVE-2022-48468) protobuf-c-1.3.2-5.uel20.x86_64.rpm protobuf-c-devel-1.3.2-5.uel20.x86_64.rpm protobuf-c-1.3.2-5.uel20.aarch64.rpm protobuf-c-devel-1.3.2-5.uel20.aarch64.rpm UTSA-2023:20092 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: avahi security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-1981) avahi-gobject-0.8-9.uel20.x86_64.rpm avahi-compat-libdns_sd-0.8-9.uel20.x86_64.rpm avahi-ui-0.8-9.uel20.x86_64.rpm avahi-dnsconfd-0.8-9.uel20.x86_64.rpm avahi-ui-devel-0.8-9.uel20.x86_64.rpm avahi-qt5-0.8-9.uel20.x86_64.rpm avahi-qt5-devel-0.8-9.uel20.x86_64.rpm avahi-compat-howl-0.8-9.uel20.x86_64.rpm avahi-devel-0.8-9.uel20.x86_64.rpm avahi-compat-libdns_sd-devel-0.8-9.uel20.x86_64.rpm avahi-gobject-devel-0.8-9.uel20.x86_64.rpm avahi-ui-gtk3-0.8-9.uel20.x86_64.rpm avahi-glib-0.8-9.uel20.x86_64.rpm avahi-tools-0.8-9.uel20.x86_64.rpm avahi-libs-0.8-9.uel20.x86_64.rpm avahi-glib-devel-0.8-9.uel20.x86_64.rpm avahi-autoipd-0.8-9.uel20.x86_64.rpm avahi-0.8-9.uel20.x86_64.rpm avahi-compat-howl-devel-0.8-9.uel20.x86_64.rpm avahi-tools-0.8-9.uel20.aarch64.rpm avahi-ui-0.8-9.uel20.aarch64.rpm avahi-dnsconfd-0.8-9.uel20.aarch64.rpm avahi-libs-0.8-9.uel20.aarch64.rpm avahi-glib-devel-0.8-9.uel20.aarch64.rpm avahi-qt5-0.8-9.uel20.aarch64.rpm avahi-compat-libdns_sd-0.8-9.uel20.aarch64.rpm avahi-compat-howl-0.8-9.uel20.aarch64.rpm avahi-glib-0.8-9.uel20.aarch64.rpm avahi-ui-gtk3-0.8-9.uel20.aarch64.rpm avahi-gobject-devel-0.8-9.uel20.aarch64.rpm avahi-autoipd-0.8-9.uel20.aarch64.rpm avahi-ui-devel-0.8-9.uel20.aarch64.rpm avahi-help-0.8-9.uel20.noarch.rpm avahi-devel-0.8-9.uel20.aarch64.rpm avahi-gobject-0.8-9.uel20.aarch64.rpm avahi-0.8-9.uel20.aarch64.rpm avahi-compat-libdns_sd-devel-0.8-9.uel20.aarch64.rpm avahi-compat-howl-devel-0.8-9.uel20.aarch64.rpm avahi-qt5-devel-0.8-9.uel20.aarch64.rpm UTSA-2023:20094 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: golang security update

Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.(CVE-2023-24538) Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.(CVE-2023-24537) Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.(CVE-2023-24536) HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.(CVE-2023-24534) golang-1.15.7-26.up1.uel20.x86_64.rpm golang-devel-1.15.7-26.up1.uel20.noarch.rpm golang-1.15.7-26.up1.uel20.aarch64.rpm UTSA-2023:20095 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: ruby security update

A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.(CVE-2023-28755) A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.(CVE-2023-28756) rubygem-io-console-0.4.6-119.uel20.x86_64.rpm rubygem-bigdecimal-1.3.4-119.uel20.x86_64.rpm rubygem-json-2.1.0-119.uel20.x86_64.rpm rubygem-psych-3.0.2-119.uel20.x86_64.rpm ruby-2.5.8-119.uel20.x86_64.rpm rubygem-openssl-2.1.2-119.uel20.x86_64.rpm ruby-devel-2.5.8-119.uel20.x86_64.rpm rubygem-minitest-5.10.3-119.uel20.noarch.rpm rubygem-test-unit-3.2.7-119.uel20.noarch.rpm rubygems-2.7.6-119.uel20.noarch.rpm ruby-help-2.5.8-119.uel20.noarch.rpm rubygem-net-telnet-0.1.1-119.uel20.noarch.rpm ruby-devel-2.5.8-119.uel20.aarch64.rpm rubygem-power_assert-1.1.1-119.uel20.noarch.rpm ruby-2.5.8-119.uel20.aarch64.rpm rubygem-did_you_mean-1.2.0-119.uel20.noarch.rpm rubygem-openssl-2.1.2-119.uel20.aarch64.rpm ruby-irb-2.5.8-119.uel20.noarch.rpm rubygem-xmlrpc-0.3.0-119.uel20.noarch.rpm rubygem-psych-3.0.2-119.uel20.aarch64.rpm rubygem-io-console-0.4.6-119.uel20.aarch64.rpm rubygem-rake-12.3.0-119.uel20.noarch.rpm rubygems-devel-2.7.6-119.uel20.noarch.rpm rubygem-rdoc-6.0.1.1-119.uel20.noarch.rpm rubygem-bigdecimal-1.3.4-119.uel20.aarch64.rpm rubygem-json-2.1.0-119.uel20.aarch64.rpm UTSA-2023:20096 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: nasm security update

NASM v2.16 was discovered to contain a heap buffer overflow in the component quote_for_pmake() asm/nasm.c:856(CVE-2022-44370) nasm-2.15.03-6.uel20.x86_64.rpm nasm-help-2.15.03-6.uel20.noarch.rpm nasm-2.15.03-6.uel20.aarch64.rpm UTSA-2023:20097 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: xorg-x11-server security update

A flaw was found in X.Org Server Overlay Window. A Use-After-Free may lead to local privilege escalation. If a client explicitly destroys the compositor overlay window (aka COW), the Xserver would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later.(CVE-2023-1393) xorg-x11-server-1.20.8-18.up4.uel20.x86_64.rpm xorg-x11-server-Xephyr-1.20.8-18.up4.uel20.x86_64.rpm xorg-x11-server-devel-1.20.8-18.up4.uel20.x86_64.rpm xorg-x11-server-1.20.8-18.up4.uel20.aarch64.rpm xorg-x11-server-devel-1.20.8-18.up4.uel20.aarch64.rpm xorg-x11-server-help-1.20.8-18.up4.uel20.noarch.rpm xorg-x11-server-Xephyr-1.20.8-18.up4.uel20.aarch64.rpm UTSA-2023:20099 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: httpd security update

Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured.(CVE-2019-17567) httpd-2.4.43-22.up1.uel20.x86_64.rpm httpd-tools-2.4.43-22.up1.uel20.x86_64.rpm mod_ldap-2.4.43-22.up1.uel20.x86_64.rpm mod_ssl-2.4.43-22.up1.uel20.x86_64.rpm httpd-devel-2.4.43-22.up1.uel20.x86_64.rpm mod_session-2.4.43-22.up1.uel20.x86_64.rpm mod_md-2.4.43-22.up1.uel20.x86_64.rpm mod_proxy_html-2.4.43-22.up1.uel20.x86_64.rpm httpd-help-2.4.43-22.up1.uel20.noarch.rpm httpd-2.4.43-22.up1.uel20.aarch64.rpm mod_proxy_html-2.4.43-22.up1.uel20.aarch64.rpm httpd-filesystem-2.4.43-22.up1.uel20.noarch.rpm httpd-devel-2.4.43-22.up1.uel20.aarch64.rpm mod_ldap-2.4.43-22.up1.uel20.aarch64.rpm mod_md-2.4.43-22.up1.uel20.aarch64.rpm mod_session-2.4.43-22.up1.uel20.aarch64.rpm httpd-tools-2.4.43-22.up1.uel20.aarch64.rpm mod_ssl-2.4.43-22.up1.uel20.aarch64.rpm UTSA-2023:20101 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: vim security update

Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.(CVE-2023-2426) vim-common-9.0-13.uel20.01.x86_64.rpm vim-enhanced-9.0-13.uel20.01.x86_64.rpm vim-X11-9.0-13.uel20.01.x86_64.rpm vim-minimal-9.0-13.uel20.01.x86_64.rpm vim-common-9.0-13.uel20.01.aarch64.rpm vim-X11-9.0-13.uel20.01.aarch64.rpm vim-filesystem-9.0-13.uel20.01.noarch.rpm vim-enhanced-9.0-13.uel20.01.aarch64.rpm vim-minimal-9.0-13.uel20.01.aarch64.rpm UTSA-2023:20103 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: git security update

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.(CVE-2023-29007) In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\` (and since `C:\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1. This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a `C:\mingw64` folder and leave it empty. Users who have administrative rights may remove the permission to create folders in `C:\`.(CVE-2023-25815) Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists.(CVE-2023-25652) git-2.27.0-17.uel20.x86_64.rpm git-daemon-2.27.0-17.uel20.x86_64.rpm perl-Git-SVN-2.27.0-17.uel20.noarch.rpm git-daemon-2.27.0-17.uel20.aarch64.rpm git-gui-2.27.0-17.uel20.noarch.rpm git-2.27.0-17.uel20.aarch64.rpm git-help-2.27.0-17.uel20.noarch.rpm git-email-2.27.0-17.uel20.noarch.rpm git-svn-2.27.0-17.uel20.noarch.rpm gitk-2.27.0-17.uel20.noarch.rpm git-web-2.27.0-17.uel20.noarch.rpm perl-Git-2.27.0-17.uel20.noarch.rpm UTSA-2023:20107 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Low

Low: shadow security update

In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.(CVE-2023-29383) shadow-4.8.1-6.uel20.x86_64.rpm shadow-help-4.8.1-6.uel20.noarch.rpm shadow-4.8.1-6.uel20.aarch64.rpm UTSA-2023:20108 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: screen security update

socket.c in GNU Screen through 4.9.0, when installed setuid or setgid (the default on platforms such as Arch Linux and FreeBSD), allows local users to send a privileged SIGHUP signal to any PID, causing a denial of service or disruption of the target process.(CVE-2023-24626) screen-4.8.0-6.uel20.x86_64.rpm screen-help-4.8.0-6.uel20.noarch.rpm screen-4.8.0-6.uel20.aarch64.rpm UTSA-2023:20109 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: bluez security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-27349) bluez-5.54-12.uel20.x86_64.rpm bluez-cups-5.54-12.uel20.x86_64.rpm bluez-devel-5.54-12.uel20.x86_64.rpm bluez-libs-5.54-12.uel20.x86_64.rpm bluez-cups-5.54-12.uel20.aarch64.rpm bluez-devel-5.54-12.uel20.aarch64.rpm bluez-5.54-12.uel20.aarch64.rpm bluez-libs-5.54-12.uel20.aarch64.rpm bluez-help-5.54-12.uel20.noarch.rpm UTSA-2023:20112 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: ImageMagick security update

A heap-based buffer overflow issue was discovered in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c. An attacker could pass specially crafted file to convert, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.(CVE-2023-1906) A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp," resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.(CVE-2023-1289) ImageMagick-c++-devel-6.9.12.86-1.uel20.x86_64.rpm ImageMagick-6.9.12.86-1.uel20.x86_64.rpm ImageMagick-perl-6.9.12.86-1.uel20.x86_64.rpm ImageMagick-devel-6.9.12.86-1.uel20.x86_64.rpm ImageMagick-help-6.9.12.86-1.uel20.x86_64.rpm ImageMagick-c++-6.9.12.86-1.uel20.x86_64.rpm ImageMagick-6.9.12.86-1.uel20.aarch64.rpm ImageMagick-help-6.9.12.86-1.uel20.aarch64.rpm ImageMagick-c++-6.9.12.86-1.uel20.aarch64.rpm ImageMagick-devel-6.9.12.86-1.uel20.aarch64.rpm ImageMagick-perl-6.9.12.86-1.uel20.aarch64.rpm ImageMagick-c++-devel-6.9.12.86-1.uel20.aarch64.rpm UTSA-2023:20113 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: tomcat security update

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.(CVE-2023-28708) tomcat-9.0.10-28.up1.uel20.noarch.rpm tomcat-jsvc-9.0.10-28.up1.uel20.noarch.rpm tomcat-embed-9.0.10-28.up1.uel20.noarch.rpm tomcat-help-9.0.10-28.up1.uel20.noarch.rpm UTSA-2023:20119 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: cups security update

OpenPrinting CUPS is an open source printing system. In versions 2.4.2 and prior, a heap buffer overflow vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow vulnerability in the function `format_log_line` could allow remote attackers to cause a DoS on the affected system. Exploitation of the vulnerability can be triggered when the configuration file `cupsd.conf` sets the value of `loglevel `to `DEBUG`. No known patches or workarounds exist at time of publication.(CVE-2023-32324) cups-devel-2.2.13-15.up4.uel20.x86_64.rpm cups-libs-2.2.13-15.up4.uel20.x86_64.rpm cups-2.2.13-15.up4.uel20.x86_64.rpm cups-2.2.13-15.up4.uel20.aarch64.rpm cups-libs-2.2.13-15.up4.uel20.aarch64.rpm cups-help-2.2.13-15.up4.uel20.noarch.rpm cups-devel-2.2.13-15.up4.uel20.aarch64.rpm UTSA-2023:20120 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: ImageMagick security update

A vulnerability was found in ImageMagick. This security flaw ouccers as an undefined behaviors of casting double to size_t in svg, mvg and other coders (recurring bugs of CVE-2022-32546).(CVE-2023-34151) ImageMagick-6.9.12.86-2.uel20.x86_64.rpm ImageMagick-help-6.9.12.86-2.uel20.x86_64.rpm ImageMagick-perl-6.9.12.86-2.uel20.x86_64.rpm ImageMagick-c++-devel-6.9.12.86-2.uel20.x86_64.rpm ImageMagick-c++-6.9.12.86-2.uel20.x86_64.rpm ImageMagick-devel-6.9.12.86-2.uel20.x86_64.rpm ImageMagick-6.9.12.86-2.uel20.aarch64.rpm ImageMagick-help-6.9.12.86-2.uel20.aarch64.rpm ImageMagick-c++-6.9.12.86-2.uel20.aarch64.rpm ImageMagick-devel-6.9.12.86-2.uel20.aarch64.rpm ImageMagick-perl-6.9.12.86-2.uel20.aarch64.rpm ImageMagick-c++-devel-6.9.12.86-2.uel20.aarch64.rpm UTSA-2023:20121 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: wireshark security update

VMS TCPIPtrace file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file(CVE-2023-2856) wireshark-help-2.6.2-22.uel20.x86_64.rpm wireshark-devel-2.6.2-22.uel20.x86_64.rpm wireshark-2.6.2-22.uel20.x86_64.rpm wireshark-devel-2.6.2-22.uel20.aarch64.rpm wireshark-2.6.2-22.uel20.aarch64.rpm wireshark-help-2.6.2-22.uel20.aarch64.rpm UTSA-2023:20122 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python-requests security update

Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0. (CVE-2023-32681) python3-requests-2.24.0-2.up1.uel20.noarch.rpm python-requests-help-2.24.0-2.up1.uel20.noarch.rpm python2-requests-2.24.0-2.up1.uel20.noarch.rpm UTSA-2023:20123 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: c-ares security update

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.(CVE-2023-31147) c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1. (CVE-2023-31130) c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1. (CVE-2023-31124) c-ares-devel-1.16.1-7.uel20.x86_64.rpm c-ares-1.16.1-7.uel20.x86_64.rpm c-ares-1.16.1-7.uel20.aarch64.rpm c-ares-devel-1.16.1-7.uel20.aarch64.rpm c-ares-help-1.16.1-7.uel20.noarch.rpm UTSA-2023:20124 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: libwebp security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-1999) libwebp-tools-1.1.0-3.uel20.x86_64.rpm libwebp-devel-1.1.0-3.uel20.x86_64.rpm libwebp-java-1.1.0-3.uel20.x86_64.rpm libwebp-1.1.0-3.uel20.x86_64.rpm libwebp-java-1.1.0-3.uel20.aarch64.rpm libwebp-devel-1.1.0-3.uel20.aarch64.rpm libwebp-1.1.0-3.uel20.aarch64.rpm libwebp-tools-1.1.0-3.uel20.aarch64.rpm libwebp-help-1.1.0-3.uel20.noarch.rpm UTSA-2023:20125 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: webkit2gtk3 security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-28204) webkit2gtk3-devel-2.22.2-12.uel20.x86_64.rpm webkit2gtk3-2.22.2-12.uel20.x86_64.rpm webkit2gtk3-jsc-2.22.2-12.uel20.x86_64.rpm webkit2gtk3-jsc-devel-2.22.2-12.uel20.x86_64.rpm webkit2gtk3-devel-2.22.2-12.uel20.aarch64.rpm webkit2gtk3-2.22.2-12.uel20.aarch64.rpm webkit2gtk3-jsc-devel-2.22.2-12.uel20.aarch64.rpm webkit2gtk3-help-2.22.2-12.uel20.noarch.rpm webkit2gtk3-jsc-2.22.2-12.uel20.aarch64.rpm UTSA-2023:20126 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: ImageMagick security update

A heap-based buffer overflow vulnerability was found in the ImageMagick package that can lead to the application crashing.(CVE-2023-2157) ImageMagick-c++-devel-6.9.12.86-1.uel20.x86_64.rpm ImageMagick-6.9.12.86-1.uel20.x86_64.rpm ImageMagick-perl-6.9.12.86-1.uel20.x86_64.rpm ImageMagick-devel-6.9.12.86-1.uel20.x86_64.rpm ImageMagick-help-6.9.12.86-1.uel20.x86_64.rpm ImageMagick-c++-6.9.12.86-1.uel20.x86_64.rpm ImageMagick-6.9.12.86-1.uel20.aarch64.rpm ImageMagick-help-6.9.12.86-1.uel20.aarch64.rpm ImageMagick-c++-6.9.12.86-1.uel20.aarch64.rpm ImageMagick-devel-6.9.12.86-1.uel20.aarch64.rpm ImageMagick-perl-6.9.12.86-1.uel20.aarch64.rpm ImageMagick-c++-devel-6.9.12.86-1.uel20.aarch64.rpm UTSA-2023:20127 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: curl security update

An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`.(CVE-2023-28321) An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.(CVE-2023-28322) curl-help-7.71.1-27.up3.uel20.x86_64.rpm curl-7.71.1-27.up3.uel20.x86_64.rpm libcurl-7.71.1-27.up3.uel20.x86_64.rpm libcurl-devel-7.71.1-27.up3.uel20.x86_64.rpm libcurl-devel-7.71.1-27.up3.uel20.aarch64.rpm libcurl-7.71.1-27.up3.uel20.aarch64.rpm curl-help-7.71.1-27.up3.uel20.aarch64.rpm curl-7.71.1-27.up3.uel20.aarch64.rpm UTSA-2023:20128 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libtiff security update

A NULL pointer dereference flaw was found in Libtiff's LZWDecode() function in the libtiff/tif_lzw.c file. This flaw allows a local attacker to craft specific input data that can cause the program to dereference a NULL pointer when decompressing a TIFF format file, resulting in a program crash or denial of service.(CVE-2023-2731) libtiff-4.3.0-11.uel20.x86_64.rpm libtiff-devel-4.3.0-11.uel20.x86_64.rpm libtiff-devel-4.3.0-11.uel20.aarch64.rpm libtiff-4.3.0-11.uel20.aarch64.rpm libtiff-help-4.3.0-11.uel20.noarch.rpm UTSA-2023:20129 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: libcap security update

A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.(CVE-2023-2603) libcap-2.32-6.uel20.x86_64.rpm libcap-devel-2.32-6.uel20.x86_64.rpm libcap-devel-2.32-6.uel20.aarch64.rpm libcap-2.32-6.uel20.aarch64.rpm libcap-help-2.32-6.uel20.noarch.rpm UTSA-2023:20130 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libssh security update

A vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the`pki_verify_data_signature` function in memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the return value `rc,` which is initialized to SSH_ERROR and later rewritten to save the return value of the function call `pki_key_check_hash_compatible.` The value of the variable is not changed between this point and the cryptographic verification. Therefore any error between them calls `goto error` returning SSH_OK.(CVE-2023-2283) A NULL pointer dereference was found In libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a denial of service.(CVE-2023-1667) libssh-devel-0.9.6-3.uel20.05.x86_64.rpm libssh-0.9.6-3.uel20.05.x86_64.rpm libssh-devel-0.9.6-3.uel20.05.aarch64.rpm libssh-0.9.6-3.uel20.05.aarch64.rpm libssh-help-0.9.6-3.uel20.05.noarch.rpm UTSA-2023:20131 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: cloud-init security update

Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.(CVE-2023-1786) cloud-init-19.4-13.up4.uel20.02.noarch.rpm cloud-init-help-19.4-13.up4.uel20.02.noarch.rpm UTSA-2023:20132 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: ntp security update

praecis_parse in ntpd/refclock_palisade.c in NTP 4.2.8p15 has an out-of-bounds write. Any attack method would be complex, e.g., with a manipulated GPS receiver.(CVE-2023-26555) ntp-4.2.8p14-8.uel20.x86_64.rpm ntp-4.2.8p14-8.uel20.aarch64.rpm ntp-help-4.2.8p14-8.uel20.noarch.rpm ntp-perl-4.2.8p14-8.uel20.noarch.rpm UTSA-2023:20133 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libtiff security update

A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones. (CVE-2023-3316) libtiff-devel-4.3.0-13.uel20.x86_64.rpm libtiff-4.3.0-13.uel20.x86_64.rpm libtiff-devel-4.3.0-13.uel20.aarch64.rpm libtiff-4.3.0-13.uel20.aarch64.rpm libtiff-help-4.3.0-13.uel20.noarch.rpm UTSA-2023:20134 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: libX11 security update

A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.(CVE-2023-3138) libX11-1.6.9-7.uel20.x86_64.rpm libX11-devel-1.6.9-7.uel20.x86_64.rpm libX11-help-1.6.9-7.uel20.noarch.rpm libX11-1.6.9-7.uel20.aarch64.rpm libX11-devel-1.6.9-7.uel20.aarch64.rpm UTSA-2023:20135 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libtiff security update

loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image.(CVE-2023-26965) libtiff-4.3.0-12.uel20.x86_64.rpm libtiff-devel-4.3.0-12.uel20.x86_64.rpm libtiff-4.3.0-12.uel20.aarch64.rpm libtiff-help-4.3.0-12.uel20.noarch.rpm libtiff-devel-4.3.0-12.uel20.aarch64.rpm UTSA-2023:20136 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: ImageMagick security update

A stack-based buffer overflow issue was found in ImageMagick's coders/tiff.c. This flaw allows an attacker to trick the user into opening a specially crafted malicious tiff file, causing an application to crash, resulting in a denial of service.(CVE-2023-3195) ImageMagick-6.9.12.86-2.uel20.x86_64.rpm ImageMagick-help-6.9.12.86-2.uel20.x86_64.rpm ImageMagick-perl-6.9.12.86-2.uel20.x86_64.rpm ImageMagick-c++-devel-6.9.12.86-2.uel20.x86_64.rpm ImageMagick-c++-6.9.12.86-2.uel20.x86_64.rpm ImageMagick-devel-6.9.12.86-2.uel20.x86_64.rpm ImageMagick-6.9.12.86-2.uel20.aarch64.rpm ImageMagick-help-6.9.12.86-2.uel20.aarch64.rpm ImageMagick-c++-6.9.12.86-2.uel20.aarch64.rpm ImageMagick-devel-6.9.12.86-2.uel20.aarch64.rpm ImageMagick-perl-6.9.12.86-2.uel20.aarch64.rpm ImageMagick-c++-devel-6.9.12.86-2.uel20.aarch64.rpm UTSA-2023:20137 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: dbus security update

D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.(CVE-2023-34969) dbus-1.12.16-21.uel20.09.x86_64.rpm dbus-daemon-1.12.16-21.uel20.09.x86_64.rpm dbus-devel-1.12.16-21.uel20.09.x86_64.rpm dbus-x11-1.12.16-21.uel20.09.x86_64.rpm dbus-tools-1.12.16-21.uel20.09.x86_64.rpm dbus-libs-1.12.16-21.uel20.09.x86_64.rpm dbus-daemon-1.12.16-21.uel20.09.aarch64.rpm dbus-common-1.12.16-21.uel20.09.noarch.rpm dbus-1.12.16-21.uel20.09.aarch64.rpm dbus-devel-1.12.16-21.uel20.09.aarch64.rpm dbus-tools-1.12.16-21.uel20.09.aarch64.rpm dbus-help-1.12.16-21.uel20.09.noarch.rpm dbus-x11-1.12.16-21.uel20.09.aarch64.rpm dbus-libs-1.12.16-21.uel20.09.aarch64.rpm UTSA-2023:20138 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: wireshark security update

Due to failure in validating the length provided by an attacker-crafted MSMMS packet, Wireshark version 4.0.5 and prior, in an unusual configuration, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark(CVE-2023-0667) wireshark-3.6.14-1.uel20.x86_64.rpm wireshark-devel-3.6.14-1.uel20.x86_64.rpm wireshark-help-3.6.14-1.uel20.x86_64.rpm wireshark-devel-3.6.14-1.uel20.aarch64.rpm wireshark-3.6.14-1.uel20.aarch64.rpm wireshark-help-3.6.14-1.uel20.aarch64.rpm UTSA-2023:20139 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: openssl security update

Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service. An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods. When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*). With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms. Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data. Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low. In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature. The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.(CVE-2023-2650) openssl-devel-1.1.1k-9.uel20.16.aarch64.rpm openssl-libs-1.1.1k-9.uel20.16.aarch64.rpm openssl-1.1.1k-9.uel20.16.aarch64.rpm openssl-help-1.1.1k-9.uel20.16.noarch.rpm openssl-1.1.1k-9.uel20.16.x86_64.rpm openssl-devel-1.1.1k-9.uel20.16.x86_64.rpm openssl-libs-1.1.1k-9.uel20.16.x86_64.rpm UTSA-2023:20140 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: openldap security update

A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.(CVE-2023-2953) openldap-servers-2.4.50-8.up1.uel20.01.aarch64.rpm openldap-clients-2.4.50-8.up1.uel20.01.aarch64.rpm openldap-2.4.50-8.up1.uel20.01.aarch64.rpm openldap-devel-2.4.50-8.up1.uel20.01.aarch64.rpm openldap-servers-2.4.50-8.up1.uel20.01.x86_64.rpm openldap-devel-2.4.50-8.up1.uel20.01.x86_64.rpm openldap-clients-2.4.50-8.up1.uel20.01.x86_64.rpm openldap-help-2.4.50-8.up1.uel20.01.noarch.rpm openldap-2.4.50-8.up1.uel20.01.x86_64.rpm UTSA-2023:20141 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: postgresql-jdbc security update

pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.(CVE-2022-41946) postgresql-jdbc-javadoc-42.4.1-2.uel20.noarch.rpm postgresql-jdbc-42.4.1-2.uel20.noarch.rpm postgresql-jdbc-help-42.4.1-2.uel20.noarch.rpm UTSA-2023:20142 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python-tornado security update

Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.(CVE-2023-28370) python2-tornado-5.0.2-8.uel20.x86_64.rpm python3-tornado-5.0.2-8.uel20.x86_64.rpm python2-tornado-5.0.2-8.uel20.aarch64.rpm python3-tornado-5.0.2-8.uel20.aarch64.rpm UTSA-2023:20143 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: LibRaw security update

A flaw was found in LibRaw. A heap-buffer-overflow in raw2image_ex() caused by a maliciously crafted file may lead to an application crash.(CVE-2023-1729) LibRaw-0.20.2-5.uel20.x86_64.rpm LibRaw-0.20.2-5.uel20.aarch64.rpm UTSA-2023:20144 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: php security update

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.(CVE-2022-31629) In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress "quines" gzip files, resulting in an infinite loop.(CVE-2022-31628) php-xml-8.0.28-1.up2.uel20.x86_64.rpm php-mysqlnd-8.0.28-1.up2.uel20.x86_64.rpm php-dbg-8.0.28-1.up2.uel20.x86_64.rpm php-pdo-8.0.28-1.up2.uel20.x86_64.rpm php-embedded-8.0.28-1.up2.uel20.x86_64.rpm php-tidy-8.0.28-1.up2.uel20.x86_64.rpm php-mbstring-8.0.28-1.up2.uel20.x86_64.rpm php-gmp-8.0.28-1.up2.uel20.x86_64.rpm php-opcache-8.0.28-1.up2.uel20.x86_64.rpm php-devel-8.0.28-1.up2.uel20.x86_64.rpm php-gd-8.0.28-1.up2.uel20.x86_64.rpm php-process-8.0.28-1.up2.uel20.x86_64.rpm php-odbc-8.0.28-1.up2.uel20.x86_64.rpm php-fpm-8.0.28-1.up2.uel20.x86_64.rpm php-snmp-8.0.28-1.up2.uel20.x86_64.rpm php-bcmath-8.0.28-1.up2.uel20.x86_64.rpm php-ffi-8.0.28-1.up2.uel20.x86_64.rpm php-ldap-8.0.28-1.up2.uel20.x86_64.rpm php-sodium-8.0.28-1.up2.uel20.x86_64.rpm php-soap-8.0.28-1.up2.uel20.x86_64.rpm php-intl-8.0.28-1.up2.uel20.x86_64.rpm php-enchant-8.0.28-1.up2.uel20.x86_64.rpm php-8.0.28-1.up2.uel20.x86_64.rpm php-pgsql-8.0.28-1.up2.uel20.x86_64.rpm php-help-8.0.28-1.up2.uel20.x86_64.rpm php-dba-8.0.28-1.up2.uel20.x86_64.rpm php-common-8.0.28-1.up2.uel20.x86_64.rpm php-cli-8.0.28-1.up2.uel20.x86_64.rpm php-devel-8.0.28-1.up2.uel20.aarch64.rpm php-soap-8.0.28-1.up2.uel20.aarch64.rpm php-pdo-8.0.28-1.up2.uel20.aarch64.rpm php-mbstring-8.0.28-1.up2.uel20.aarch64.rpm php-ldap-8.0.28-1.up2.uel20.aarch64.rpm php-dbg-8.0.28-1.up2.uel20.aarch64.rpm php-odbc-8.0.28-1.up2.uel20.aarch64.rpm php-snmp-8.0.28-1.up2.uel20.aarch64.rpm php-intl-8.0.28-1.up2.uel20.aarch64.rpm php-ffi-8.0.28-1.up2.uel20.aarch64.rpm php-8.0.28-1.up2.uel20.aarch64.rpm php-opcache-8.0.28-1.up2.uel20.aarch64.rpm php-cli-8.0.28-1.up2.uel20.aarch64.rpm php-dba-8.0.28-1.up2.uel20.aarch64.rpm php-gmp-8.0.28-1.up2.uel20.aarch64.rpm php-mysqlnd-8.0.28-1.up2.uel20.aarch64.rpm php-xml-8.0.28-1.up2.uel20.aarch64.rpm php-bcmath-8.0.28-1.up2.uel20.aarch64.rpm php-gd-8.0.28-1.up2.uel20.aarch64.rpm php-sodium-8.0.28-1.up2.uel20.aarch64.rpm php-embedded-8.0.28-1.up2.uel20.aarch64.rpm php-help-8.0.28-1.up2.uel20.aarch64.rpm php-fpm-8.0.28-1.up2.uel20.aarch64.rpm php-common-8.0.28-1.up2.uel20.aarch64.rpm php-process-8.0.28-1.up2.uel20.aarch64.rpm php-tidy-8.0.28-1.up2.uel20.aarch64.rpm php-enchant-8.0.28-1.up2.uel20.aarch64.rpm php-pgsql-8.0.28-1.up2.uel20.aarch64.rpm UTSA-2023:20145 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: qemu security update

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition.(CVE-2022-1050) qemu-img-4.1.0-77.up2.uel20.x86_64.rpm qemu-img-4.1.0-77.up2.uel20.aarch64.rpm UTSA-2023:20146 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: nghttp2 security update

Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if connection is already marked for not sending more requests due to `GOAWAY` frame. The clean-up code is right after the return statement, causing memory leak. Denial of service through memory exhaustion. This vulnerability was patched in versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.(CVE-2023-35945) nghttp2-1.41.0-5.uel20.4.x86_64.rpm libnghttp2-devel-1.41.0-5.uel20.4.x86_64.rpm libnghttp2-1.41.0-5.uel20.4.x86_64.rpm nghttp2-1.41.0-5.uel20.4.aarch64.rpm libnghttp2-devel-1.41.0-5.uel20.4.aarch64.rpm libnghttp2-1.41.0-5.uel20.4.aarch64.rpm nghttp2-help-1.41.0-5.uel20.4.noarch.rpm UTSA-2023:20147 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: scipy security update

A refcounting issue which leads to potential memory leak was discovered in scipy commit 8627df31ab in Py_FindObjects() function.(CVE-2023-25399) python2-scipy-1.2.2-4.uel20.x86_64.rpm python3-scipy-1.2.2-4.uel20.x86_64.rpm python2-scipy-1.2.2-4.uel20.aarch64.rpm python3-scipy-1.2.2-4.uel20.aarch64.rpm UTSA-2023:20148 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: libtiff security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-3576) libtiff-devel-4.3.0-15.uel20.x86_64.rpm libtiff-4.3.0-15.uel20.x86_64.rpm libtiff-4.3.0-15.uel20.aarch64.rpm libtiff-help-4.3.0-15.uel20.noarch.rpm libtiff-devel-4.3.0-15.uel20.aarch64.rpm UTSA-2023:20149 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: syslinux security update

The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.(CVE-2016-9842) inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.(CVE-2016-9841) inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.(CVE-2016-9840) The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.(CVE-2016-9843) syslinux-extlinux-6.04-12.uel20.x86_64.rpm syslinux-perl-6.04-12.uel20.x86_64.rpm syslinux-6.04-12.uel20.x86_64.rpm syslinux-extlinux-nonlinux-6.04-12.uel20.noarch.rpm syslinux-efi64-6.04-12.uel20.x86_64.rpm syslinux-devel-6.04-12.uel20.x86_64.rpm syslinux-tftpboot-6.04-12.uel20.noarch.rpm syslinux-nonlinux-6.04-12.uel20.noarch.rpm UTSA-2023:20150 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: ruby security update

A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.(CVE-2023-36617) rubygem-openssl-2.1.2-120.uel20.x86_64.rpm rubygem-bigdecimal-1.3.4-120.uel20.x86_64.rpm rubygem-json-2.1.0-120.uel20.x86_64.rpm ruby-devel-2.5.8-120.uel20.x86_64.rpm ruby-2.5.8-120.uel20.x86_64.rpm rubygem-io-console-0.4.6-120.uel20.x86_64.rpm rubygem-psych-3.0.2-120.uel20.x86_64.rpm rubygem-openssl-2.1.2-120.uel20.aarch64.rpm rubygem-power_assert-1.1.1-120.uel20.noarch.rpm rubygem-net-telnet-0.1.1-120.uel20.noarch.rpm rubygem-json-2.1.0-120.uel20.aarch64.rpm ruby-devel-2.5.8-120.uel20.aarch64.rpm rubygem-bigdecimal-1.3.4-120.uel20.aarch64.rpm rubygem-test-unit-3.2.7-120.uel20.noarch.rpm ruby-2.5.8-120.uel20.aarch64.rpm rubygem-rake-12.3.0-120.uel20.noarch.rpm ruby-help-2.5.8-120.uel20.noarch.rpm rubygem-did_you_mean-1.2.0-120.uel20.noarch.rpm rubygem-psych-3.0.2-120.uel20.aarch64.rpm rubygems-2.7.6-120.uel20.noarch.rpm rubygems-devel-2.7.6-120.uel20.noarch.rpm rubygem-xmlrpc-0.3.0-120.uel20.noarch.rpm rubygem-rdoc-6.0.1.1-120.uel20.noarch.rpm rubygem-minitest-5.10.3-120.uel20.noarch.rpm rubygem-io-console-0.4.6-120.uel20.aarch64.rpm ruby-irb-2.5.8-120.uel20.noarch.rpm UTSA-2023:20151 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: gnuplot security update

gnuplot v5.5 was discovered to contain a buffer overflow via the function plotrequest().(CVE-2020-25969) gnuplot-5.0.6-13.uel20.x86_64.rpm gnuplot-help-5.0.6-13.uel20.noarch.rpm gnuplot-5.0.6-13.uel20.aarch64.rpm UTSA-2023:20152 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: perl-CPAN security update

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.(CVE-2023-31484) perl-CPAN-2.27-4.uel20.noarch.rpm perl-CPAN-help-2.27-4.uel20.noarch.rpm UTSA-2023:20153 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: kubernetes security update

Users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the `kubernetes.io/enforce-mountable-secrets` annotation are used together with ephemeral containers. (CVE-2023-2728) Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers. (CVE-2023-2727) Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.(CVE-2022-3294) Users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group without authorization. Clusters are impacted by this vulnerability if all of the following are true: 1. There are 2+ CustomResourceDefinitions sharing the same API group 2. Users have cluster-wide list or watch authorization on one of those custom resources. 3. The same users are not authorized to read another custom resource in the same API group.(CVE-2022-3162) kubernetes-help-1.20.2-20.uel20.x86_64.rpm kubernetes-node-1.20.2-20.uel20.x86_64.rpm kubernetes-master-1.20.2-20.uel20.x86_64.rpm kubernetes-kubeadm-1.20.2-20.uel20.x86_64.rpm kubernetes-kubelet-1.20.2-20.uel20.x86_64.rpm kubernetes-client-1.20.2-20.uel20.x86_64.rpm kubernetes-1.20.2-20.uel20.x86_64.rpm kubernetes-master-1.20.2-20.uel20.aarch64.rpm kubernetes-kubelet-1.20.2-20.uel20.aarch64.rpm kubernetes-1.20.2-20.uel20.aarch64.rpm kubernetes-client-1.20.2-20.uel20.aarch64.rpm kubernetes-kubeadm-1.20.2-20.uel20.aarch64.rpm kubernetes-help-1.20.2-20.uel20.aarch64.rpm kubernetes-node-1.20.2-20.uel20.aarch64.rpm UTSA-2023:20154 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: texlive-base security update

LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.(CVE-2023-32700) texlive-tie-20180414-32.uel20.up1.x86_64.rpm texlive-ctie-20180414-32.uel20.up1.x86_64.rpm texlive-dvidvi-20180414-32.uel20.up1.x86_64.rpm texlive-synctex-20180414-32.uel20.up1.x86_64.rpm texlive-patgen-20180414-32.uel20.up1.x86_64.rpm texlive-gsftopk-20180414-32.uel20.up1.x86_64.rpm texlive-dvipos-20180414-32.uel20.up1.x86_64.rpm texlive-pstools-20180414-32.uel20.up1.x86_64.rpm texlive-detex-20180414-32.uel20.up1.x86_64.rpm texlive-dvicopy-20180414-32.uel20.up1.x86_64.rpm texlive-texware-20180414-32.uel20.up1.x86_64.rpm texlive-lacheck-20180414-32.uel20.up1.x86_64.rpm texlive-dtl-20180414-32.uel20.up1.x86_64.rpm texlive-dvi2tty-20180414-32.uel20.up1.x86_64.rpm texlive-afm2pl-20180414-32.uel20.up1.x86_64.rpm texlive-web-20180414-32.uel20.up1.x86_64.rpm texlive-musixtnt-20180414-32.uel20.up1.x86_64.rpm texlive-seetexk-20180414-32.uel20.up1.x86_64.rpm texlive-vlna-20180414-32.uel20.up1.x86_64.rpm texlive-cjkutils-20180414-32.uel20.up1.x86_64.rpm texlive-bibtexu-20180414-32.uel20.up1.x86_64.rpm texlive-ps2pk-20180414-32.uel20.up1.x86_64.rpm texlive-fontware-20180414-32.uel20.up1.x86_64.rpm texlive-mfware-20180414-32.uel20.up1.x86_64.rpm texlive-dviljk-20180414-32.uel20.up1.x86_64.rpm texlive-lib-devel-20180414-32.uel20.up1.x86_64.rpm texlive-bibtex8-20180414-32.uel20.up1.x86_64.rpm texlive-tex-20180414-32.uel20.up1.x86_64.rpm texlive-autosp-20180414-32.uel20.up1.x86_64.rpm texlive-dvipng-20180414-32.uel20.up1.x86_64.rpm texlive-chktex-20180414-32.uel20.up1.x86_64.rpm texlive-makeindex-20180414-32.uel20.up1.x86_64.rpm texlive-aleph-20180414-32.uel20.up1.x86_64.rpm texlive-cweb-20180414-32.uel20.up1.x86_64.rpm texlive-omegaware-20180414-32.uel20.up1.x86_64.rpm texlive-m-tx-20180414-32.uel20.up1.x86_64.rpm texlive-metafont-20180414-32.uel20.up1.x86_64.rpm texlive-bibtex-20180414-32.uel20.up1.x86_64.rpm texlive-xdvi-20180414-32.uel20.up1.x86_64.rpm texlive-axodraw2-20180414-32.uel20.up1.x86_64.rpm texlive-mflua-20180414-32.uel20.up1.x86_64.rpm texlive-lib-20180414-32.uel20.up1.x86_64.rpm texlive-ttfutils-20180414-32.uel20.up1.x86_64.rpm texlive-dvips-20180414-32.uel20.up1.x86_64.rpm texlive-pdftools-20180414-32.uel20.up1.x86_64.rpm texlive-pmx-20180414-32.uel20.up1.x86_64.rpm texlive-kpathsea-20180414-32.uel20.up1.x86_64.rpm texlive-ptex-20180414-32.uel20.up1.x86_64.rpm texlive-uptex-20180414-32.uel20.up1.x86_64.rpm texlive-dvipdfmx-20180414-32.uel20.up1.x86_64.rpm texlive-lcdftypetools-20180414-32.uel20.up1.x86_64.rpm texlive-xetex-20180414-32.uel20.up1.x86_64.rpm texlive-dvisvgm-20180414-32.uel20.up1.x86_64.rpm texlive-pdftex-20180414-32.uel20.up1.x86_64.rpm texlive-metapost-20180414-32.uel20.up1.x86_64.rpm texlive-velthuis-20180414-32.uel20.up1.x86_64.rpm texlive-luatex-20180414-32.uel20.up1.x86_64.rpm texlive-tex4ht-20180414-32.uel20.up1.x86_64.rpm texlive-base-20180414-32.uel20.up1.x86_64.rpm texlive-gregoriotex-20180414-32.uel20.up1.x86_64.rpm texlive-typeoutfileinfo-20180414-32.uel20.up1.noarch.rpm texlive-latex-papersize-20180414-32.uel20.up1.noarch.rpm texlive-latexfileversion-20180414-32.uel20.up1.noarch.rpm texlive-wordcount-20180414-32.uel20.up1.noarch.rpm texlive-texloganalyser-20180414-32.uel20.up1.noarch.rpm texlive-dviinfox-20180414-32.uel20.up1.noarch.rpm texlive-convbkmk-20180414-32.uel20.up1.noarch.rpm texlive-texdirflatten-20180414-32.uel20.up1.noarch.rpm texlive-pdfbook2-20180414-32.uel20.up1.noarch.rpm texlive-texliveonfly-20180414-32.uel20.up1.noarch.rpm texlive-texfot-20180414-32.uel20.up1.noarch.rpm texlive-latexpand-20180414-32.uel20.up1.noarch.rpm texlive-purifyeps-20180414-32.uel20.up1.noarch.rpm texlive-texdiff-20180414-32.uel20.up1.noarch.rpm texlive-findhyph-20180414-32.uel20.up1.noarch.rpm texlive-pdfxup-20180414-32.uel20.up1.noarch.rpm texlive-yplan-20180414-32.uel20.up1.noarch.rpm texlive-pkfix-20180414-32.uel20.up1.noarch.rpm texlive-epstopdf-20180414-32.uel20.up1.noarch.rpm texlive-ctan-o-mat-20180414-32.uel20.up1.noarch.rpm texlive-dviasm-20180414-32.uel20.up1.noarch.rpm texlive-texlive-scripts-20180414-32.uel20.up1.noarch.rpm texlive-pax-20180414-32.uel20.up1.noarch.rpm texlive-vpe-20180414-32.uel20.up1.noarch.rpm texlive-adhocfilelist-20180414-32.uel20.up1.noarch.rpm texlive-pdfcrop-20180414-32.uel20.up1.noarch.rpm texlive-ptex2pdf-20180414-32.uel20.up1.noarch.rpm texlive-mltex-20180414-32.uel20.up1.noarch.rpm texlive-ltxfileinfo-20180414-32.uel20.up1.noarch.rpm texlive-bundledoc-20180414-32.uel20.up1.noarch.rpm texlive-texconfig-20180414-32.uel20.up1.noarch.rpm texlive-dtxgen-20180414-32.uel20.up1.noarch.rpm texlive-match_parens-20180414-32.uel20.up1.noarch.rpm texlive-tie-20180414-32.uel20.up1.aarch64.rpm texlive-ctie-20180414-32.uel20.up1.aarch64.rpm texlive-detex-20180414-32.uel20.up1.aarch64.rpm texlive-lacheck-20180414-32.uel20.up1.aarch64.rpm texlive-dvipos-20180414-32.uel20.up1.aarch64.rpm texlive-dvidvi-20180414-32.uel20.up1.aarch64.rpm texlive-patgen-20180414-32.uel20.up1.aarch64.rpm texlive-synctex-20180414-32.uel20.up1.aarch64.rpm texlive-ctanify-20180414-32.uel20.up1.noarch.rpm texlive-gsftopk-20180414-32.uel20.up1.aarch64.rpm texlive-cslatex-20180414-32.uel20.up1.noarch.rpm texlive-dosepsbin-20180414-32.uel20.up1.noarch.rpm texlive-tpic2pdftex-20180414-32.uel20.up1.noarch.rpm texlive-glyphlist-20180414-32.uel20.up1.noarch.rpm texlive-de-macro-20180414-32.uel20.up1.noarch.rpm texlive-thumbpdf-20180414-32.uel20.up1.noarch.rpm texlive-installfont-20180414-32.uel20.up1.noarch.rpm texlive-texdoctk-20180414-32.uel20.up1.noarch.rpm texlive-fig4latex-20180414-32.uel20.up1.noarch.rpm texlive-latex-git-log-20180414-32.uel20.up1.noarch.rpm texlive-ebong-20180414-32.uel20.up1.noarch.rpm texlive-a2ping-20180414-32.uel20.up1.noarch.rpm texlive-pstools-20180414-32.uel20.up1.aarch64.rpm texlive-mkgrkindex-20180414-32.uel20.up1.noarch.rpm texlive-jfmutil-20180414-32.uel20.up1.noarch.rpm texlive-mkjobtexmf-20180414-32.uel20.up1.noarch.rpm texlive-afm2pl-20180414-32.uel20.up1.aarch64.rpm texlive-dvicopy-20180414-32.uel20.up1.aarch64.rpm texlive-texware-20180414-32.uel20.up1.aarch64.rpm texlive-dvi2tty-20180414-32.uel20.up1.aarch64.rpm texlive-pdflatexpicscale-20180414-32.uel20.up1.noarch.rpm texlive-dtl-20180414-32.uel20.up1.aarch64.rpm texlive-mex-20180414-32.uel20.up1.noarch.rpm texlive-mptopdf-20180414-32.uel20.up1.noarch.rpm texlive-tex4ebook-20180414-32.uel20.up1.noarch.rpm texlive-xmltex-20180414-32.uel20.up1.noarch.rpm texlive-listings-ext-20180414-32.uel20.up1.noarch.rpm texlive-fontools-20180414-32.uel20.up1.noarch.rpm texlive-sty2dtx-20180414-32.uel20.up1.noarch.rpm texlive-musixtnt-20180414-32.uel20.up1.aarch64.rpm texlive-authorindex-20180414-32.uel20.up1.noarch.rpm texlive-accfonts-20180414-32.uel20.up1.noarch.rpm texlive-cachepic-20180414-32.uel20.up1.noarch.rpm texlive-texdef-20180414-32.uel20.up1.noarch.rpm texlive-web-20180414-32.uel20.up1.aarch64.rpm texlive-vlna-20180414-32.uel20.up1.aarch64.rpm texlive-crossrefware-20180414-32.uel20.up1.noarch.rpm texlive-mkpic-20180414-32.uel20.up1.noarch.rpm texlive-bibtexu-20180414-32.uel20.up1.aarch64.rpm texlive-lib-devel-20180414-32.uel20.up1.aarch64.rpm texlive-bibtex-20180414-32.uel20.up1.aarch64.rpm texlive-cjkutils-20180414-32.uel20.up1.aarch64.rpm texlive-omegaware-20180414-32.uel20.up1.aarch64.rpm texlive-texsis-20180414-32.uel20.up1.noarch.rpm texlive-make4ht-20180414-32.uel20.up1.noarch.rpm texlive-jadetex-20180414-32.uel20.up1.noarch.rpm texlive-makedtx-20180414-32.uel20.up1.noarch.rpm texlive-latexdiff-20180414-32.uel20.up1.noarch.rpm texlive-pdftex-20180414-32.uel20.up1.aarch64.rpm texlive-cweb-20180414-32.uel20.up1.aarch64.rpm texlive-texlive.infra-20180414-32.uel20.up1.noarch.rpm texlive-musixtex-20180414-32.uel20.up1.noarch.rpm texlive-glossaries-20180414-32.uel20.up1.noarch.rpm texlive-fontware-20180414-32.uel20.up1.aarch64.rpm texlive-splitindex-20180414-32.uel20.up1.noarch.rpm texlive-pkfix-helper-20180414-32.uel20.up1.noarch.rpm texlive-kotex-utils-20180414-32.uel20.up1.noarch.rpm texlive-mf2pt1-20180414-32.uel20.up1.noarch.rpm texlive-texlive-en-20180414-32.uel20.up1.noarch.rpm texlive-tex-20180414-32.uel20.up1.aarch64.rpm texlive-chktex-20180414-32.uel20.up1.aarch64.rpm texlive-multibibliography-20180414-32.uel20.up1.noarch.rpm texlive-mflua-20180414-32.uel20.up1.aarch64.rpm texlive-pst2pdf-20180414-32.uel20.up1.noarch.rpm texlive-mfware-20180414-32.uel20.up1.aarch64.rpm texlive-l3build-20180414-32.uel20.up1.noarch.rpm texlive-autosp-20180414-32.uel20.up1.aarch64.rpm texlive-perltex-20180414-32.uel20.up1.noarch.rpm texlive-mathspic-20180414-32.uel20.up1.noarch.rpm texlive-pmxchords-20180414-32.uel20.up1.noarch.rpm texlive-urlbst-20180414-32.uel20.up1.noarch.rpm texlive-epspdf-20180414-32.uel20.up1.noarch.rpm texlive-texosquery-20180414-32.uel20.up1.noarch.rpm texlive-pygmentex-20180414-32.uel20.up1.noarch.rpm texlive-checklistings-20180414-32.uel20.up1.noarch.rpm texlive-m-tx-20180414-32.uel20.up1.aarch64.rpm texlive-ps2pk-20180414-32.uel20.up1.aarch64.rpm texlive-listbib-20180414-32.uel20.up1.noarch.rpm texlive-svn-multi-20180414-32.uel20.up1.noarch.rpm texlive-dvisvgm-20180414-32.uel20.up1.aarch64.rpm texlive-bibtex8-20180414-32.uel20.up1.aarch64.rpm texlive-latex2man-20180414-32.uel20.up1.noarch.rpm texlive-dvipng-20180414-32.uel20.up1.aarch64.rpm texlive-tetex-20180414-32.uel20.up1.noarch.rpm texlive-context-20180414-32.uel20.up1.noarch.rpm texlive-tex4ht-20180414-32.uel20.up1.aarch64.rpm texlive-dvips-20180414-32.uel20.up1.aarch64.rpm texlive-texdoc-20180414-32.uel20.up1.noarch.rpm texlive-ltximg-20180414-32.uel20.up1.noarch.rpm texlive-checkcites-20180414-32.uel20.up1.noarch.rpm texlive-ptex-fontmaps-20180414-32.uel20.up1.noarch.rpm texlive-pdfjam-20180414-32.uel20.up1.noarch.rpm texlive-seetexk-20180414-32.uel20.up1.aarch64.rpm texlive-fragmaster-20180414-32.uel20.up1.noarch.rpm texlive-bibexport-20180414-32.uel20.up1.noarch.rpm texlive-dviljk-20180414-32.uel20.up1.aarch64.rpm texlive-lollipop-20180414-32.uel20.up1.noarch.rpm texlive-pfarrei-20180414-32.uel20.up1.noarch.rpm texlive-aleph-20180414-32.uel20.up1.aarch64.rpm texlive-axodraw2-20180414-32.uel20.up1.aarch64.rpm texlive-srcredact-20180414-32.uel20.up1.noarch.rpm texlive-makeindex-20180414-32.uel20.up1.aarch64.rpm texlive-texcount-20180414-32.uel20.up1.noarch.rpm texlive-amstex-20180414-32.uel20.up1.noarch.rpm texlive-ttfutils-20180414-32.uel20.up1.aarch64.rpm texlive-velthuis-20180414-32.uel20.up1.aarch64.rpm texlive-kpathsea-20180414-32.uel20.up1.aarch64.rpm texlive-metafont-20180414-32.uel20.up1.aarch64.rpm texlive-pst-pdf-20180414-32.uel20.up1.noarch.rpm texlive-ptex-20180414-32.uel20.up1.aarch64.rpm texlive-bib2gls-20180414-32.uel20.up1.noarch.rpm texlive-getmap-20180414-32.uel20.up1.noarch.rpm texlive-lua2dox-20180414-32.uel20.up1.noarch.rpm texlive-pmx-20180414-32.uel20.up1.aarch64.rpm texlive-lyluatex-svn47584-32.uel20.up1.noarch.rpm texlive-oberdiek-20180414-32.uel20.up1.noarch.rpm texlive-eplain-20180414-32.uel20.up1.noarch.rpm texlive-uptex-20180414-32.uel20.up1.aarch64.rpm texlive-pythontex-20180414-32.uel20.up1.noarch.rpm texlive-luatex-20180414-32.uel20.up1.aarch64.rpm texlive-luaotfload-20180414-32.uel20.up1.noarch.rpm texlive-xetex-20180414-32.uel20.up1.aarch64.rpm texlive-arara-20180414-32.uel20.up1.noarch.rpm texlive-lilyglyphs-20180414-32.uel20.up1.noarch.rpm texlive-dvipdfmx-20180414-32.uel20.up1.aarch64.rpm texlive-diadia-20180414-32.uel20.up1.noarch.rpm texlive-lcdftypetools-20180414-32.uel20.up1.aarch64.rpm texlive-ulqda-20180414-32.uel20.up1.noarch.rpm texlive-petri-nets-20180414-32.uel20.up1.noarch.rpm texlive-csplain-20180414-32.uel20.up1.noarch.rpm texlive-lib-20180414-32.uel20.up1.aarch64.rpm texlive-xdvi-20180414-32.uel20.up1.aarch64.rpm texlive-cyrillic-20180414-32.uel20.up1.noarch.rpm texlive-pdftools-20180414-32.uel20.up1.aarch64.rpm texlive-pedigree-perl-20180414-32.uel20.up1.noarch.rpm texlive-gregoriotex-20180414-32.uel20.up1.aarch64.rpm texlive-lwarp-20180414-32.uel20.up1.noarch.rpm texlive-fontinst-20180414-32.uel20.up1.noarch.rpm texlive-rubik-20180414-32.uel20.up1.noarch.rpm texlive-latex-20180414-32.uel20.up1.noarch.rpm texlive-latex2nemeth-20180414-32.uel20.up1.noarch.rpm texlive-metapost-20180414-32.uel20.up1.aarch64.rpm texlive-base-20180414-32.uel20.up1.aarch64.rpm UTSA-2023:20155 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: libtiff security update

A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service.(CVE-2023-2908) libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian.(CVE-2023-26966) libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV.(CVE-2023-25433) libtiff-4.3.0-14.uel20.x86_64.rpm libtiff-devel-4.3.0-14.uel20.x86_64.rpm libtiff-help-4.3.0-14.uel20.noarch.rpm libtiff-4.3.0-14.uel20.aarch64.rpm libtiff-devel-4.3.0-14.uel20.aarch64.rpm UTSA-2023:20156 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: perl-HTTP-Tiny security update

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.(CVE-2023-31486) perl-HTTP-Tiny-help-0.076-4.uel20.noarch.rpm perl-HTTP-Tiny-0.076-4.uel20.noarch.rpm UTSA-2023:20157 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: gdk-pixbuf2 security update

GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability when decoding the lzw compressed stream of image data in GIF files with lzw minimum code size equals to 12.(CVE-2021-44648) gdk-pixbuf2-2.40.0-5.uel20.x86_64.rpm gdk-pixbuf2-devel-2.40.0-5.uel20.x86_64.rpm gdk-pixbuf2-devel-2.40.0-5.uel20.aarch64.rpm gdk-pixbuf2-2.40.0-5.uel20.aarch64.rpm gdk-pixbuf2-help-2.40.0-5.uel20.noarch.rpm UTSA-2023:20158 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: cups security update

OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to the logging service AFTER the connection has been closed, when it should have logged the data right before. This is a use-after-free bug that impacts the entire cupsd process. The exact cause of this issue is the function `httpClose(con->http)` being called in `scheduler/client.c`. The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient` if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address (HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`. Version 2.4.6 has a patch for this issue.(CVE-2023-34241) cups-2.2.13-17.up4.uel20.x86_64.rpm cups-devel-2.2.13-17.up4.uel20.x86_64.rpm cups-libs-2.2.13-17.up4.uel20.x86_64.rpm cups-2.2.13-17.up4.uel20.aarch64.rpm cups-help-2.2.13-17.up4.uel20.noarch.rpm cups-libs-2.2.13-17.up4.uel20.aarch64.rpm cups-devel-2.2.13-17.up4.uel20.aarch64.rpm UTSA-2023:20159 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: perl security update

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.(CVE-2023-31486) perl-5.28.3-9.uel20.x86_64.rpm perl-devel-5.28.3-9.uel20.x86_64.rpm perl-libs-5.28.3-9.uel20.x86_64.rpm perl-5.28.3-9.uel20.aarch64.rpm perl-devel-5.28.3-9.uel20.aarch64.rpm perl-libs-5.28.3-9.uel20.aarch64.rpm perl-help-5.28.3-9.uel20.noarch.rpm UTSA-2023:20160 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: bind security update

Every `named` instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the `max-cache-size` statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit. It has been discovered that the effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.(CVE-2023-2828) bind-devel-9.11.21-16.uel20.x86_64.rpm bind-9.11.21-16.uel20.x86_64.rpm bind-utils-9.11.21-16.uel20.x86_64.rpm bind-export-devel-9.11.21-16.uel20.x86_64.rpm bind-pkcs11-9.11.21-16.uel20.x86_64.rpm bind-libs-9.11.21-16.uel20.x86_64.rpm bind-export-libs-9.11.21-16.uel20.x86_64.rpm bind-chroot-9.11.21-16.uel20.x86_64.rpm bind-libs-lite-9.11.21-16.uel20.x86_64.rpm bind-pkcs11-devel-9.11.21-16.uel20.x86_64.rpm bind-9.11.21-16.uel20.aarch64.rpm bind-devel-9.11.21-16.uel20.aarch64.rpm bind-utils-9.11.21-16.uel20.aarch64.rpm bind-export-devel-9.11.21-16.uel20.aarch64.rpm bind-export-libs-9.11.21-16.uel20.aarch64.rpm bind-chroot-9.11.21-16.uel20.aarch64.rpm python3-bind-9.11.21-16.uel20.noarch.rpm bind-pkcs11-9.11.21-16.uel20.aarch64.rpm bind-libs-9.11.21-16.uel20.aarch64.rpm bind-libs-lite-9.11.21-16.uel20.aarch64.rpm bind-pkcs11-devel-9.11.21-16.uel20.aarch64.rpm UTSA-2023:20161 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: golang security update

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.(CVE-2023-29405) The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.(CVE-2023-29404) On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.(CVE-2023-29403) The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).(CVE-2023-29402) golang-1.15.7-29.up1.uel20.x86_64.rpm golang-1.15.7-29.up1.uel20.aarch64.rpm golang-devel-1.15.7-29.up1.uel20.noarch.rpm UTSA-2023:20162 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: librabbitmq security update

An issue was discovered in the C AMQP client library (aka rabbitmq-c) through 0.13.0 for RabbitMQ. Credentials can only be entered on the command line (e.g., for amqp-publish or amqp-consume) and are thus visible to local attackers by listing a process and its arguments.(CVE-2023-35789) librabbitmq-0.9.0-7.uel20.x86_64.rpm librabbitmq-help-0.9.0-7.uel20.x86_64.rpm librabbitmq-devel-0.9.0-7.uel20.x86_64.rpm librabbitmq-0.9.0-7.uel20.aarch64.rpm librabbitmq-devel-0.9.0-7.uel20.aarch64.rpm librabbitmq-help-0.9.0-7.uel20.aarch64.rpm UTSA-2023:20163 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: snappy-java security update

snappy-java is a fast compressor/decompressor for Java. Due to use of an unchecked chunk length, an unrecoverable fatal error can occur in versions prior to 1.1.10.1. The code in the function hasNextChunk in the fileSnappyInputStream.java checks if a given stream has more chunks to read. It does that by attempting to read 4 bytes. If it wasn’t possible to read the 4 bytes, the function returns false. Otherwise, if 4 bytes were available, the code treats them as the length of the next chunk. In the case that the `compressed` variable is null, a byte array is allocated with the size given by the input data. Since the code doesn’t test the legality of the `chunkSize` variable, it is possible to pass a negative number (such as 0xFFFFFFFF which is -1), which will cause the code to raise a `java.lang.NegativeArraySizeException` exception. A worse case would happen when passing a huge positive value (such as 0x7FFFFFFF), which would raise the fatal `java.lang.OutOfMemoryError` error. Version 1.1.10.1 contains a patch for this issue.(CVE-2023-34455) snappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer overflow may occur in versions prior to 1.1.10.1, causing an unrecoverable fatal error. The function `compress(char[] input)` in the file `Snappy.java` receives an array of characters and compresses it. It does so by multiplying the length by 2 and passing it to the rawCompress` function. Since the length is not tested, the multiplication by two can cause an integer overflow and become negative. The rawCompress function then uses the received length and passes it to the natively compiled maxCompressedLength function, using the returned value to allocate a byte array. Since the maxCompressedLength function treats the length as an unsigned integer, it doesn’t care that it is negative, and it returns a valid value, which is casted to a signed integer by the Java engine. If the result is negative, a `java.lang.NegativeArraySizeException` exception will be raised while trying to allocate the array `buf`. On the other side, if the result is positive, the `buf` array will successfully be allocated, but its size might be too small to use for the compression, causing a fatal Access Violation error. The same issue exists also when using the `compress` functions that receive double, float, int, long and short, each using a different multiplier that may cause the same issue. The issue most likely won’t occur when using a byte array, since creating a byte array of size 0x80000000 (or any other negative value) is impossible in the first place. Version 1.1.10.1 contains a patch for this issue.(CVE-2023-34454) snappy-java-1.1.2.4-2.uel20.x86_64.rpm snappy-java-javadoc-1.1.2.4-2.uel20.noarch.rpm snappy-java-1.1.2.4-2.uel20.aarch64.rpm UTSA-2023:20164 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: bouncycastle security update

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.(CVE-2023-33201) bouncycastle-1.67-2.uel20.noarch.rpm UTSA-2023:20165 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: kubernetes security update

A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.(CVE-2023-2431) kubernetes-master-1.20.2-17.uel20.x86_64.rpm kubernetes-client-1.20.2-17.uel20.x86_64.rpm kubernetes-help-1.20.2-17.uel20.x86_64.rpm kubernetes-kubelet-1.20.2-17.uel20.x86_64.rpm kubernetes-1.20.2-17.uel20.x86_64.rpm kubernetes-node-1.20.2-17.uel20.x86_64.rpm kubernetes-kubeadm-1.20.2-17.uel20.x86_64.rpm kubernetes-client-1.20.2-17.uel20.aarch64.rpm kubernetes-help-1.20.2-17.uel20.aarch64.rpm kubernetes-node-1.20.2-17.uel20.aarch64.rpm kubernetes-1.20.2-17.uel20.aarch64.rpm kubernetes-master-1.20.2-17.uel20.aarch64.rpm kubernetes-kubeadm-1.20.2-17.uel20.aarch64.rpm kubernetes-kubelet-1.20.2-17.uel20.aarch64.rpm UTSA-2023:20166 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: tang security update

A race condition exists in the Tang server functionality for key generation and key rotation. This flaw results in a small time window where Tang private keys become readable by other processes on the same host.(CVE-2023-1672) tang-7-4.uel20.x86_64.rpm tang-7-4.uel20.aarch64.rpm tang-help-7-4.uel20.noarch.rpm UTSA-2023:20167 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: guava20 security update

Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows. (CVE-2023-2976) guava20-help-20.0-11.uel20.noarch.rpm guava20-20.0-11.uel20.noarch.rpm UTSA-2023:20168 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: guava security update

Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows. (CVE-2023-2976) guava-help-25.0-6.uel20.noarch.rpm guava-25.0-6.uel20.noarch.rpm guava-testlib-25.0-6.uel20.noarch.rpm UTSA-2023:20169 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: qt5-qtbase security update

An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.(CVE-2023-32763) An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.(CVE-2023-32762) qt5-qtbase-devel-5.11.1-15.up7.uel20.x86_64.rpm qt5-qtbase-5.11.1-15.up7.uel20.x86_64.rpm qt5-qtbase-mysql-5.11.1-15.up7.uel20.x86_64.rpm qt5-qtbase-gui-5.11.1-15.up7.uel20.x86_64.rpm qt5-qtbase-postgresql-5.11.1-15.up7.uel20.x86_64.rpm qt5-qtbase-odbc-5.11.1-15.up7.uel20.x86_64.rpm qt5-qtbase-devel-5.11.1-15.up7.uel20.aarch64.rpm qt5-qtbase-5.11.1-15.up7.uel20.aarch64.rpm qt5-qtbase-gui-5.11.1-15.up7.uel20.aarch64.rpm qt5-qtbase-postgresql-5.11.1-15.up7.uel20.aarch64.rpm qt5-qtbase-common-5.11.1-15.up7.uel20.noarch.rpm qt5-qtbase-odbc-5.11.1-15.up7.uel20.aarch64.rpm qt5-qtbase-mysql-5.11.1-15.up7.uel20.aarch64.rpm UTSA-2023:20170 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: ncurses security update

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.(CVE-2023-29491) ncurses-6.2-4.uel20.01.x86_64.rpm ncurses-libs-6.2-4.uel20.01.x86_64.rpm ncurses-help-6.2-4.uel20.01.x86_64.rpm ncurses-devel-6.2-4.uel20.01.x86_64.rpm ncurses-6.2-4.uel20.01.aarch64.rpm ncurses-help-6.2-4.uel20.01.aarch64.rpm ncurses-libs-6.2-4.uel20.01.aarch64.rpm ncurses-devel-6.2-4.uel20.01.aarch64.rpm ncurses-base-6.2-4.uel20.01.noarch.rpm UTSA-2023:20171 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: edk2 security update

A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.(CVE-2022-4304) edk2-devel-202002-16.up2.uel20.x86_64.rpm edk2-ovmf-202002-16.up2.uel20.noarch.rpm python3-edk2-devel-202002-16.up2.uel20.noarch.rpm edk2-help-202002-16.up2.uel20.noarch.rpm edk2-devel-202002-16.up2.uel20.aarch64.rpm edk2-aarch64-202002-16.up2.uel20.noarch.rpm UTSA-2023:20172 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: openssl security update

Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.(CVE-2023-3817) openssl-devel-1.1.1k-9.uel20.18.x86_64.rpm openssl-libs-1.1.1k-9.uel20.18.x86_64.rpm openssl-1.1.1k-9.uel20.18.x86_64.rpm openssl-help-1.1.1k-9.uel20.18.noarch.rpm openssl-devel-1.1.1k-9.uel20.18.aarch64.rpm openssl-libs-1.1.1k-9.uel20.18.aarch64.rpm openssl-1.1.1k-9.uel20.18.aarch64.rpm UTSA-2023:20173 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: amanda security update

AMANDA (Advanced Maryland Automatic Network Disk Archiver) before tag-community-3.5.4 mishandles argument checking for runtar.c, a different vulnerability than CVE-2022-37705.(CVE-2023-30577) amanda-3.5.4-1.uel20.x86_64.rpm amanda-3.5.4-1.uel20.aarch64.rpm amanda-help-3.5.4-1.uel20.noarch.rpm UTSA-2023:20174 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: pcre2 security update

Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.(CVE-2022-41409) pcre2-10.35-5.uel20.01.x86_64.rpm pcre2-devel-10.35-5.uel20.01.x86_64.rpm pcre2-help-10.35-5.uel20.01.noarch.rpm pcre2-devel-10.35-5.uel20.01.aarch64.rpm pcre2-10.35-5.uel20.01.aarch64.rpm UTSA-2023:20175 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: python-certifi security update

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.(CVE-2023-37920) Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.(CVE-2022-23491) python3-certifi-2023.7.22-1.uel20.noarch.rpm python-certifi-help-2023.7.22-1.uel20.noarch.rpm UTSA-2023:20176 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: doxygen security update

Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.(CVE-2020-23064) doxygen-doxywizard-1.8.17-8.uel20.x86_64.rpm doxygen-1.8.17-8.uel20.x86_64.rpm doxygen-doxywizard-1.8.17-8.uel20.aarch64.rpm doxygen-1.8.17-8.uel20.aarch64.rpm UTSA-2023:20178 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: libtiff security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-38289) ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-38288) libtiff-4.3.0-16.uel20.x86_64.rpm libtiff-devel-4.3.0-16.uel20.x86_64.rpm libtiff-help-4.3.0-16.uel20.noarch.rpm libtiff-4.3.0-16.uel20.aarch64.rpm libtiff-devel-4.3.0-16.uel20.aarch64.rpm UTSA-2023:20179 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: firefox security update

storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22827) nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22826) lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22825) defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22824) build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22823) addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.(CVE-2022-22822) In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.(CVE-2021-46143) In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).(CVE-2021-45960) firefox-79.0-12.up1.uel20.x86_64.rpm firefox-79.0-12.up1.uel20.aarch64.rpm UTSA-2023:20180 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: golang security update

The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.(CVE-2023-29406) golang-1.15.7-31.up1.uel20.x86_64.rpm golang-devel-1.15.7-31.up1.uel20.noarch.rpm golang-1.15.7-31.up1.uel20.aarch64.rpm UTSA-2023:20181 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: openssh security update

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.(CVE-2023-38408) openssh-8.2p1-20.up1.uel20.04.x86_64.rpm openssh-clients-8.2p1-20.up1.uel20.04.x86_64.rpm openssh-ldap-8.2p1-20.up1.uel20.04.x86_64.rpm openssh-server-8.2p1-20.up1.uel20.04.x86_64.rpm openssh-askpass-8.2p1-20.up1.uel20.04.x86_64.rpm pam_ssh_agent_auth-0.10.3-9.20.04.uel20.x86_64.rpm openssh-keycat-8.2p1-20.up1.uel20.04.x86_64.rpm openssh-cavs-8.2p1-20.up1.uel20.04.x86_64.rpm openssh-askpass-8.2p1-20.up1.uel20.04.aarch64.rpm openssh-keycat-8.2p1-20.up1.uel20.04.aarch64.rpm openssh-cavs-8.2p1-20.up1.uel20.04.aarch64.rpm openssh-clients-8.2p1-20.up1.uel20.04.aarch64.rpm openssh-server-8.2p1-20.up1.uel20.04.aarch64.rpm openssh-8.2p1-20.up1.uel20.04.aarch64.rpm openssh-help-8.2p1-20.up1.uel20.04.noarch.rpm openssh-ldap-8.2p1-20.up1.uel20.04.aarch64.rpm pam_ssh_agent_auth-0.10.3-9.20.04.uel20.aarch64.rpm UTSA-2023:20182 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: samba security update

A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.(CVE-2023-34967) An infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition.(CVE-2023-34966) An out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to check the lan manager response length. When Winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in Winbind, possibly resulting in a crash.(CVE-2022-2127) samba-winbind-krb5-locator-4.11.12-30.uel20.x86_64.rpm samba-krb5-printing-4.11.12-30.uel20.x86_64.rpm libwbclient-devel-4.11.12-30.uel20.x86_64.rpm samba-vfs-glusterfs-4.11.12-30.uel20.x86_64.rpm samba-winbind-modules-4.11.12-30.uel20.x86_64.rpm libwbclient-4.11.12-30.uel20.x86_64.rpm libsmbclient-devel-4.11.12-30.uel20.x86_64.rpm samba-winbind-clients-4.11.12-30.uel20.x86_64.rpm libsmbclient-4.11.12-30.uel20.x86_64.rpm samba-dc-bind-dlz-4.11.12-30.uel20.x86_64.rpm samba-libs-4.11.12-30.uel20.x86_64.rpm samba-common-4.11.12-30.uel20.x86_64.rpm samba-help-4.11.12-30.uel20.x86_64.rpm samba-common-tools-4.11.12-30.uel20.x86_64.rpm samba-devel-4.11.12-30.uel20.x86_64.rpm samba-winbind-4.11.12-30.uel20.x86_64.rpm samba-dc-4.11.12-30.uel20.x86_64.rpm python3-samba-dc-4.11.12-30.uel20.x86_64.rpm ctdb-tests-4.11.12-30.uel20.x86_64.rpm samba-client-4.11.12-30.uel20.x86_64.rpm python3-samba-4.11.12-30.uel20.x86_64.rpm python3-samba-test-4.11.12-30.uel20.x86_64.rpm samba-4.11.12-30.uel20.x86_64.rpm samba-dc-provision-4.11.12-30.uel20.x86_64.rpm samba-test-4.11.12-30.uel20.x86_64.rpm ctdb-4.11.12-30.uel20.x86_64.rpm ctdb-4.11.12-30.uel20.aarch64.rpm samba-krb5-printing-4.11.12-30.uel20.aarch64.rpm samba-dc-bind-dlz-4.11.12-30.uel20.aarch64.rpm python3-samba-dc-4.11.12-30.uel20.aarch64.rpm samba-dc-provision-4.11.12-30.uel20.aarch64.rpm samba-4.11.12-30.uel20.aarch64.rpm libwbclient-4.11.12-30.uel20.aarch64.rpm libwbclient-devel-4.11.12-30.uel20.aarch64.rpm samba-common-tools-4.11.12-30.uel20.aarch64.rpm samba-winbind-4.11.12-30.uel20.aarch64.rpm libsmbclient-4.11.12-30.uel20.aarch64.rpm ctdb-tests-4.11.12-30.uel20.aarch64.rpm python3-samba-4.11.12-30.uel20.aarch64.rpm libsmbclient-devel-4.11.12-30.uel20.aarch64.rpm samba-test-4.11.12-30.uel20.aarch64.rpm python3-samba-test-4.11.12-30.uel20.aarch64.rpm samba-common-4.11.12-30.uel20.aarch64.rpm samba-winbind-modules-4.11.12-30.uel20.aarch64.rpm samba-winbind-krb5-locator-4.11.12-30.uel20.aarch64.rpm samba-pidl-4.11.12-30.uel20.noarch.rpm samba-devel-4.11.12-30.uel20.aarch64.rpm samba-dc-4.11.12-30.uel20.aarch64.rpm samba-winbind-clients-4.11.12-30.uel20.aarch64.rpm samba-client-4.11.12-30.uel20.aarch64.rpm samba-help-4.11.12-30.uel20.aarch64.rpm samba-libs-4.11.12-30.uel20.aarch64.rpm UTSA-2023:20183 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: openssl security update

Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulernable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.(CVE-2023-3446) openssl-1.1.1k-9.uel20.17.x86_64.rpm openssl-devel-1.1.1k-9.uel20.17.x86_64.rpm openssl-libs-1.1.1k-9.uel20.17.x86_64.rpm openssl-help-1.1.1k-9.uel20.17.noarch.rpm openssl-libs-1.1.1k-9.uel20.17.aarch64.rpm openssl-devel-1.1.1k-9.uel20.17.aarch64.rpm openssl-1.1.1k-9.uel20.17.aarch64.rpm UTSA-2023:20184 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: curl security update

libcurl can be told to save cookie, HSTS and/or alt-svc data to files. When doing this, it called `stat()` followed by `fopen()` in a way that made it vulnerable to a TOCTOU race condition problem. By exploiting this flaw, an attacker could trick the victim to create or overwrite protected files holding this data in ways it was not intended to. (CVE-2023-32001) libcurl-7.71.1-30.up3.uel20.01.x86_64.rpm libcurl-devel-7.71.1-30.up3.uel20.01.x86_64.rpm curl-7.71.1-30.up3.uel20.01.x86_64.rpm curl-help-7.71.1-30.up3.uel20.01.noarch.rpm curl-7.71.1-30.up3.uel20.01.aarch64.rpm libcurl-7.71.1-30.up3.uel20.01.aarch64.rpm libcurl-devel-7.71.1-30.up3.uel20.01.aarch64.rpm UTSA-2023:20185 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: iperf3 security update

iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field.(CVE-2023-38403) iperf3-devel-3.6-6.uel20.x86_64.rpm iperf3-3.6-6.uel20.x86_64.rpm iperf3-help-3.6-6.uel20.noarch.rpm iperf3-3.6-6.uel20.aarch64.rpm iperf3-devel-3.6-6.uel20.aarch64.rpm UTSA-2023:20186 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: wireshark security update

Kafka dissector crash in Wireshark 4.0.0 to 4.0.6 and 3.6.0 to 3.6.14 allows denial of service via packet injection or crafted capture file(CVE-2023-3648) wireshark-devel-3.6.14-2.uel20.x86_64.rpm wireshark-3.6.14-2.uel20.x86_64.rpm wireshark-help-3.6.14-2.uel20.x86_64.rpm wireshark-devel-3.6.14-2.uel20.aarch64.rpm wireshark-3.6.14-2.uel20.aarch64.rpm wireshark-help-3.6.14-2.uel20.aarch64.rpm UTSA-2023:20187 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: redis security update

Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.(CVE-2022-24834) redis-4.0.11-19.uel20.x86_64.rpm redis-4.0.11-19.uel20.aarch64.rpm UTSA-2023:20188 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: python-django security update

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.(CVE-2023-36053) In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.(CVE-2023-31047) An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.(CVE-2023-24580) In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.(CVE-2023-23969) A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.(CVE-2022-28347) An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.(CVE-2022-28346) An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.(CVE-2022-23833) The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.(CVE-2022-22818) Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.(CVE-2021-45452) An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.(CVE-2021-45116) An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.(CVE-2021-45115) python3-Django-2.2.27-6.uel20.noarch.rpm python-django-help-2.2.27-6.uel20.noarch.rpm UTSA-2023:20189 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: qemu security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-2861) A flaw was found in the QEMU Guest Agent service for Windows. A local unprivileged user may be able to manipulate the QEMU Guest Agent's Windows installer via repair custom actions to elevate their privileges on the system.(CVE-2023-0664) qemu-4.1.0-78.up3.uel20.x86_64.rpm qemu-guest-agent-4.1.0-78.up3.uel20.x86_64.rpm qemu-img-4.1.0-78.up3.uel20.x86_64.rpm qemu-block-curl-4.1.0-78.up3.uel20.x86_64.rpm qemu-block-ssh-4.1.0-78.up3.uel20.x86_64.rpm qemu-block-iscsi-4.1.0-78.up3.uel20.x86_64.rpm qemu-seabios-4.1.0-78.up3.uel20.x86_64.rpm qemu-block-rbd-4.1.0-78.up3.uel20.x86_64.rpm qemu-4.1.0-78.up3.uel20.aarch64.rpm qemu-block-rbd-4.1.0-78.up3.uel20.aarch64.rpm qemu-guest-agent-4.1.0-78.up3.uel20.aarch64.rpm qemu-help-4.1.0-78.up3.uel20.noarch.rpm qemu-block-iscsi-4.1.0-78.up3.uel20.aarch64.rpm qemu-block-curl-4.1.0-78.up3.uel20.aarch64.rpm qemu-img-4.1.0-78.up3.uel20.aarch64.rpm qemu-block-ssh-4.1.0-78.up3.uel20.aarch64.rpm UTSA-2023:20190 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: ImageMagick security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-3428) ImageMagick-6.9.12.86-3.uel20.x86_64.rpm ImageMagick-help-6.9.12.86-3.uel20.x86_64.rpm ImageMagick-c++-6.9.12.86-3.uel20.x86_64.rpm ImageMagick-c++-devel-6.9.12.86-3.uel20.x86_64.rpm ImageMagick-devel-6.9.12.86-3.uel20.x86_64.rpm ImageMagick-perl-6.9.12.86-3.uel20.x86_64.rpm ImageMagick-6.9.12.86-3.uel20.aarch64.rpm ImageMagick-help-6.9.12.86-3.uel20.aarch64.rpm ImageMagick-c++-6.9.12.86-3.uel20.aarch64.rpm ImageMagick-perl-6.9.12.86-3.uel20.aarch64.rpm ImageMagick-devel-6.9.12.86-3.uel20.aarch64.rpm ImageMagick-c++-devel-6.9.12.86-3.uel20.aarch64.rpm UTSA-2023:20191 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-reportlab security update

Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.(CVE-2023-33733) python3-reportlab-3.6.10-2.uel20.x86_64.rpm python3-reportlab-3.6.10-2.uel20.aarch64.rpm python-reportlab-help-3.6.10-2.uel20.noarch.rpm UTSA-2023:20192 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: openjdk-latest security update

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-22049) Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22045) Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).(CVE-2023-22044) Vulnerability in Oracle Java SE (component: JavaFX). The supported version that is affected is Oracle Java SE: 8u371. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).(CVE-2023-22043) Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-22041) Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-22036) Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).(CVE-2023-22006) Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21968) Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).(CVE-2023-21967) Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).(CVE-2023-21954) Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21939) Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21938) Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21937) Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).(CVE-2023-21930) Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21843) Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2023-21835) Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf; Oracle GraalVM Enterprise Edition: 20.3.8 and 21.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2023-21830) An issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.(CVE-2022-40433) Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.3.1; Oracle GraalVM Enterprise Edition: 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).(CVE-2022-21549) java-latest-openjdk-javadoc-20.0.2.9-2.rolling.up1.uel20.x86_64.rpm java-latest-openjdk-headless-20.0.2.9-2.rolling.up1.uel20.x86_64.rpm java-latest-openjdk-demo-20.0.2.9-2.rolling.up1.uel20.x86_64.rpm java-latest-openjdk-javadoc-zip-20.0.2.9-2.rolling.up1.uel20.x86_64.rpm java-latest-openjdk-devel-20.0.2.9-2.rolling.up1.uel20.x86_64.rpm java-latest-openjdk-20.0.2.9-2.rolling.up1.uel20.x86_64.rpm java-latest-openjdk-jmods-20.0.2.9-2.rolling.up1.uel20.x86_64.rpm java-latest-openjdk-javadoc-20.0.2.9-2.rolling.up1.uel20.aarch64.rpm java-latest-openjdk-headless-20.0.2.9-2.rolling.up1.uel20.aarch64.rpm java-latest-openjdk-demo-20.0.2.9-2.rolling.up1.uel20.aarch64.rpm java-latest-openjdk-devel-20.0.2.9-2.rolling.up1.uel20.aarch64.rpm java-latest-openjdk-javadoc-zip-20.0.2.9-2.rolling.up1.uel20.aarch64.rpm java-latest-openjdk-jmods-20.0.2.9-2.rolling.up1.uel20.aarch64.rpm java-latest-openjdk-20.0.2.9-2.rolling.up1.uel20.aarch64.rpm UTSA-2023:20193 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: binutils security update

An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function compare_symbols.(CVE-2022-47696) An issue was discovered function make_tempdir, and make_tempname in bucomm.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.(CVE-2022-47008) binutils-2.34-25.up1.uel20.x86_64.rpm binutils-help-2.34-25.up1.uel20.x86_64.rpm binutils-devel-2.34-25.up1.uel20.x86_64.rpm binutils-help-2.34-25.up1.uel20.aarch64.rpm binutils-devel-2.34-25.up1.uel20.aarch64.rpm binutils-2.34-25.up1.uel20.aarch64.rpm UTSA-2023:20194 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: file security update

File before 5.43 has an stack-based buffer over-read in file_copystr in funcs.c. NOTE: "File" is the name of an Open Source project.(CVE-2022-48554) file-5.39-7.uel20.01.x86_64.rpm file-devel-5.39-7.uel20.01.x86_64.rpm file-help-5.39-7.uel20.01.x86_64.rpm file-libs-5.39-7.uel20.01.x86_64.rpm file-devel-5.39-7.uel20.01.aarch64.rpm file-5.39-7.uel20.01.aarch64.rpm python3-magic-5.39-7.uel20.01.noarch.rpm file-help-5.39-7.uel20.01.aarch64.rpm file-libs-5.39-7.uel20.01.aarch64.rpm python2-magic-5.39-7.uel20.01.noarch.rpm UTSA-2023:20195 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: binutils security update

GNU Binutils before 2.40 was discovered to contain an excessive memory consumption vulnerability via the function bfd_dwarf2_find_nearest_line_with_alt at dwarf2.c. The attacker could supply a crafted ELF file and cause a DNS attack.(CVE-2022-48064) binutils-devel-2.34-27.up1.uel20.x86_64.rpm binutils-help-2.34-27.up1.uel20.x86_64.rpm binutils-2.34-27.up1.uel20.x86_64.rpm binutils-2.34-27.up1.uel20.aarch64.rpm binutils-devel-2.34-27.up1.uel20.aarch64.rpm binutils-help-2.34-27.up1.uel20.aarch64.rpm UTSA-2023:20196 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: nodejs security update

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.(CVE-2023-32559) The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.(CVE-2023-32002) The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.(CVE-2023-32006) ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-30590) ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-30581) The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and, v20 (CVE-2023-30589) An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.(CVE-2023-23920) A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.(CVE-2023-23918) This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. (CVE-2022-25881) The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.(CVE-2022-35256) The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).(CVE-2022-32215) The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).(CVE-2022-32214) The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).(CVE-2022-32213) A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.(CVE-2022-32212) npm-6.14.16-1.12.22.11.4.uel20.x86_64.rpm nodejs-libs-12.22.11-4.uel20.x86_64.rpm nodejs-12.22.11-4.uel20.x86_64.rpm nodejs-devel-12.22.11-4.uel20.x86_64.rpm nodejs-full-i18n-12.22.11-4.uel20.x86_64.rpm v8-devel-7.8.279.23-1.12.22.11.4.uel20.x86_64.rpm npm-6.14.16-1.12.22.11.4.uel20.aarch64.rpm nodejs-docs-12.22.11-4.uel20.noarch.rpm nodejs-devel-12.22.11-4.uel20.aarch64.rpm nodejs-full-i18n-12.22.11-4.uel20.aarch64.rpm nodejs-libs-12.22.11-4.uel20.aarch64.rpm nodejs-12.22.11-4.uel20.aarch64.rpm v8-devel-7.8.279.23-1.12.22.11.4.uel20.aarch64.rpm UTSA-2023:20197 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: clamav security update

A vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for completion when a file is decompressed, which may result in a loop condition that could cause the affected software to stop responding. An attacker could exploit this vulnerability by submitting a crafted HFS+ filesystem image to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to stop responding, resulting in a DoS condition on the affected software and consuming available system resources. For a description of this vulnerability, see the ClamAV blog .(CVE-2023-20197) clamav-0.103.9-1.uel20.x86_64.rpm clamav-update-0.103.9-1.uel20.x86_64.rpm clamav-help-0.103.9-1.uel20.x86_64.rpm clamav-devel-0.103.9-1.uel20.x86_64.rpm clamav-milter-0.103.9-1.uel20.x86_64.rpm clamd-0.103.9-1.uel20.x86_64.rpm clamav-0.103.9-1.uel20.aarch64.rpm clamav-update-0.103.9-1.uel20.aarch64.rpm clamav-milter-0.103.9-1.uel20.aarch64.rpm clamav-devel-0.103.9-1.uel20.aarch64.rpm clamav-filesystem-0.103.9-1.uel20.noarch.rpm clamd-0.103.9-1.uel20.aarch64.rpm clamav-data-0.103.9-1.uel20.noarch.rpm clamav-help-0.103.9-1.uel20.aarch64.rpm UTSA-2023:20198 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: golang security update

Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.(CVE-2023-29409) golang-1.15.7-32.up1.uel20.x86_64.rpm golang-1.15.7-32.up1.uel20.aarch64.rpm golang-devel-1.15.7-32.up1.uel20.noarch.rpm UTSA-2023:20199 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: qpdf security update

An issue was discovered in QPDF version 10.0.4, allows remote attackers to execute arbitrary code via crafted .pdf file to Pl_ASCII85Decoder::write parameter in libqpdf.(CVE-2021-25786) qpdf-8.4.2-4.uel20.x86_64.rpm qpdf-devel-8.4.2-4.uel20.x86_64.rpm qpdf-devel-8.4.2-4.uel20.aarch64.rpm qpdf-8.4.2-4.uel20.aarch64.rpm qpdf-help-8.4.2-4.uel20.noarch.rpm UTSA-2023:20200 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: haproxy security update

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.(CVE-2023-40225) haproxy-2.2.16-5.uel20.x86_64.rpm haproxy-help-2.2.16-5.uel20.noarch.rpm haproxy-2.2.16-5.uel20.aarch64.rpm UTSA-2023:20201 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libreswan security update

An issue was discovered in Libreswan 3.x and 4.x before 4.12. When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a NULL pointer dereference on the deleted state causes the pluto daemon to crash and restart.(CVE-2023-38712) An issue was discovered in Libreswan before 4.12. When an IKEv1 Quick Mode connection configured with ID_IPV4_ADDR or ID_IPV6_ADDR receives an IDcr payload with ID_FQDN, a NULL pointer dereference causes a crash and restart of the pluto daemon. NOTE: the earliest affected version is 4.6.(CVE-2023-38711) An issue was discovered in Libreswan before 4.12. When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart. NOTE: the earliest affected version is 3.20.(CVE-2023-38710) libreswan-4.12-1.uel20.x86_64.rpm libreswan-help-4.12-1.uel20.x86_64.rpm libreswan-4.12-1.uel20.aarch64.rpm libreswan-help-4.12-1.uel20.aarch64.rpm UTSA-2023:20202 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: php security update

In PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.  (CVE-2023-3824) In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such as ImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.  (CVE-2023-3823) In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space. (CVE-2023-0662) In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.(CVE-2023-0567) In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification. (CVE-2023-0568) In PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.(CVE-2022-31630) php-pdo-8.0.30-1.uel20.x86_64.rpm php-devel-8.0.30-1.uel20.x86_64.rpm php-intl-8.0.30-1.uel20.x86_64.rpm php-cli-8.0.30-1.uel20.x86_64.rpm php-soap-8.0.30-1.uel20.x86_64.rpm php-help-8.0.30-1.uel20.x86_64.rpm php-mbstring-8.0.30-1.uel20.x86_64.rpm php-opcache-8.0.30-1.uel20.x86_64.rpm php-dbg-8.0.30-1.uel20.x86_64.rpm php-pgsql-8.0.30-1.uel20.x86_64.rpm php-xml-8.0.30-1.uel20.x86_64.rpm php-gd-8.0.30-1.uel20.x86_64.rpm php-8.0.30-1.uel20.x86_64.rpm php-process-8.0.30-1.uel20.x86_64.rpm php-ldap-8.0.30-1.uel20.x86_64.rpm php-fpm-8.0.30-1.uel20.x86_64.rpm php-odbc-8.0.30-1.uel20.x86_64.rpm php-bcmath-8.0.30-1.uel20.x86_64.rpm php-common-8.0.30-1.uel20.x86_64.rpm php-sodium-8.0.30-1.uel20.x86_64.rpm php-ffi-8.0.30-1.uel20.x86_64.rpm php-mysqlnd-8.0.30-1.uel20.x86_64.rpm php-gmp-8.0.30-1.uel20.x86_64.rpm php-embedded-8.0.30-1.uel20.x86_64.rpm php-snmp-8.0.30-1.uel20.x86_64.rpm php-dba-8.0.30-1.uel20.x86_64.rpm php-enchant-8.0.30-1.uel20.x86_64.rpm php-tidy-8.0.30-1.uel20.x86_64.rpm php-common-8.0.30-1.uel20.aarch64.rpm php-8.0.30-1.uel20.aarch64.rpm php-dbg-8.0.30-1.uel20.aarch64.rpm php-cli-8.0.30-1.uel20.aarch64.rpm php-opcache-8.0.30-1.uel20.aarch64.rpm php-ffi-8.0.30-1.uel20.aarch64.rpm php-ldap-8.0.30-1.uel20.aarch64.rpm php-mysqlnd-8.0.30-1.uel20.aarch64.rpm php-dba-8.0.30-1.uel20.aarch64.rpm php-intl-8.0.30-1.uel20.aarch64.rpm php-xml-8.0.30-1.uel20.aarch64.rpm php-enchant-8.0.30-1.uel20.aarch64.rpm php-gd-8.0.30-1.uel20.aarch64.rpm php-sodium-8.0.30-1.uel20.aarch64.rpm php-tidy-8.0.30-1.uel20.aarch64.rpm php-embedded-8.0.30-1.uel20.aarch64.rpm php-gmp-8.0.30-1.uel20.aarch64.rpm php-devel-8.0.30-1.uel20.aarch64.rpm php-fpm-8.0.30-1.uel20.aarch64.rpm php-pgsql-8.0.30-1.uel20.aarch64.rpm php-mbstring-8.0.30-1.uel20.aarch64.rpm php-process-8.0.30-1.uel20.aarch64.rpm php-help-8.0.30-1.uel20.aarch64.rpm php-bcmath-8.0.30-1.uel20.aarch64.rpm php-pdo-8.0.30-1.uel20.aarch64.rpm php-snmp-8.0.30-1.uel20.aarch64.rpm php-odbc-8.0.30-1.uel20.aarch64.rpm php-soap-8.0.30-1.uel20.aarch64.rpm UTSA-2023:20203 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Low

Low: ImageMagick security update

ImageMagick before 6.9.12-91 allows attackers to cause a denial of service (memory consumption) in Magick::Draw.(CVE-2023-39978) ImageMagick-help-6.9.12.86-4.uel20.x86_64.rpm ImageMagick-c++-devel-6.9.12.86-4.uel20.x86_64.rpm ImageMagick-perl-6.9.12.86-4.uel20.x86_64.rpm ImageMagick-devel-6.9.12.86-4.uel20.x86_64.rpm ImageMagick-6.9.12.86-4.uel20.x86_64.rpm ImageMagick-c++-6.9.12.86-4.uel20.x86_64.rpm ImageMagick-6.9.12.86-4.uel20.aarch64.rpm ImageMagick-perl-6.9.12.86-4.uel20.aarch64.rpm ImageMagick-devel-6.9.12.86-4.uel20.aarch64.rpm ImageMagick-help-6.9.12.86-4.uel20.aarch64.rpm ImageMagick-c++-devel-6.9.12.86-4.uel20.aarch64.rpm ImageMagick-c++-6.9.12.86-4.uel20.aarch64.rpm UTSA-2023:20204 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: krb5 security update

lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.(CVE-2023-36054) krb5-devel-1.18.2-8.uel20.x86_64.rpm krb5-server-1.18.2-8.uel20.x86_64.rpm krb5-1.18.2-8.uel20.x86_64.rpm krb5-client-1.18.2-8.uel20.x86_64.rpm krb5-libs-1.18.2-8.uel20.x86_64.rpm krb5-server-1.18.2-8.uel20.aarch64.rpm krb5-libs-1.18.2-8.uel20.aarch64.rpm krb5-devel-1.18.2-8.uel20.aarch64.rpm krb5-1.18.2-8.uel20.aarch64.rpm krb5-client-1.18.2-8.uel20.aarch64.rpm krb5-help-1.18.2-8.uel20.noarch.rpm UTSA-2023:20205 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: procps-ng security update

Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.(CVE-2023-4016) procps-ng-3.3.16-19.uel20.01.x86_64.rpm procps-ng-devel-3.3.16-19.uel20.01.x86_64.rpm procps-ng-help-3.3.16-19.uel20.01.noarch.rpm procps-ng-devel-3.3.16-19.uel20.01.aarch64.rpm procps-ng-i18n-3.3.16-19.uel20.01.noarch.rpm procps-ng-3.3.16-19.uel20.01.aarch64.rpm UTSA-2023:20206 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: qemu security update

A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.(CVE-2023-3180) qemu-block-rbd-4.1.0-79.up3.uel20.x86_64.rpm qemu-block-curl-4.1.0-79.up3.uel20.x86_64.rpm qemu-4.1.0-79.up3.uel20.x86_64.rpm qemu-block-ssh-4.1.0-79.up3.uel20.x86_64.rpm qemu-seabios-4.1.0-79.up3.uel20.x86_64.rpm qemu-block-iscsi-4.1.0-79.up3.uel20.x86_64.rpm qemu-img-4.1.0-79.up3.uel20.x86_64.rpm qemu-guest-agent-4.1.0-79.up3.uel20.x86_64.rpm qemu-4.1.0-79.up3.uel20.aarch64.rpm qemu-guest-agent-4.1.0-79.up3.uel20.aarch64.rpm qemu-img-4.1.0-79.up3.uel20.aarch64.rpm qemu-block-curl-4.1.0-79.up3.uel20.aarch64.rpm qemu-block-rbd-4.1.0-79.up3.uel20.aarch64.rpm qemu-block-ssh-4.1.0-79.up3.uel20.aarch64.rpm qemu-block-iscsi-4.1.0-79.up3.uel20.aarch64.rpm qemu-help-4.1.0-79.up3.uel20.noarch.rpm UTSA-2023:20207 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: ghostscript security update

A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs.(CVE-2023-38559) ghostscript-9.52-8.uel20.x86_64.rpm ghostscript-tools-dvipdf-9.52-8.uel20.x86_64.rpm ghostscript-devel-9.52-8.uel20.x86_64.rpm ghostscript-9.52-8.uel20.aarch64.rpm ghostscript-help-9.52-8.uel20.noarch.rpm ghostscript-devel-9.52-8.uel20.aarch64.rpm ghostscript-tools-dvipdf-9.52-8.uel20.aarch64.rpm UTSA-2023:20208 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: yasm security update

Yasm v1.3.0.78 was found prone to NULL Pointer Dereference in /libyasm/intnum.c and /elf/elf.c, which allows the attacker to cause a denial of service via a crafted file.(CVE-2023-37732) yasm-1.3.0-10.uel20.x86_64.rpm yasm-devel-1.3.0-10.uel20.x86_64.rpm yasm-devel-1.3.0-10.uel20.aarch64.rpm yasm-1.3.0-10.uel20.aarch64.rpm yasm-help-1.3.0-10.uel20.noarch.rpm UTSA-2023:20209 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libtiff security update

A flaw was found in libtiff. A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service.(CVE-2023-3618) libtiff-devel-4.3.0-17.uel20.x86_64.rpm libtiff-4.3.0-17.uel20.x86_64.rpm libtiff-4.3.0-17.uel20.aarch64.rpm libtiff-help-4.3.0-17.uel20.noarch.rpm libtiff-devel-4.3.0-17.uel20.aarch64.rpm UTSA-2023:20210 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: xerces-j2 security update

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).(CVE-2018-2799) xerces-j2-help-2.12.2-1.uel20.noarch.rpm xerces-j2-2.12.2-1.uel20.noarch.rpm UTSA-2023:20211 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: qt security update

In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.(CVE-2023-32573) qt-4.8.7-51.uel20.x86_64.rpm qt-devel-4.8.7-51.uel20.x86_64.rpm qt-4.8.7-51.uel20.aarch64.rpm qt-devel-4.8.7-51.uel20.aarch64.rpm UTSA-2023:20212 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-werkzeug security update

Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.(CVE-2023-25577) Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.(CVE-2023-23934) python3-werkzeug-doc-1.0.1-2.up1.uel20.noarch.rpm python3-werkzeug-1.0.1-2.up1.uel20.noarch.rpm python2-werkzeug-1.0.1-2.up1.uel20.noarch.rpm UTSA-2023:20213 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: snappy-java security update

snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.(CVE-2023-43642) snappy-java-1.1.2.4-3.uel20.x86_64.rpm snappy-java-javadoc-1.1.2.4-3.uel20.noarch.rpm snappy-java-1.1.2.4-3.uel20.aarch64.rpm UTSA-2023:20214 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: lcr security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2021-33634) lcr-2.0.9-7.uel20.x86_64.rpm lcr-devel-2.0.9-7.uel20.x86_64.rpm lcr-2.0.9-7.uel20.aarch64.rpm lcr-devel-2.0.9-7.uel20.aarch64.rpm UTSA-2023:20215 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: cups security update

Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023. (CVE-2023-4504) cups-2.2.13-19.up4.uel20.x86_64.rpm cups-devel-2.2.13-19.up4.uel20.x86_64.rpm cups-libs-2.2.13-19.up4.uel20.x86_64.rpm cups-2.2.13-19.up4.uel20.aarch64.rpm cups-help-2.2.13-19.up4.uel20.noarch.rpm cups-devel-2.2.13-19.up4.uel20.aarch64.rpm cups-libs-2.2.13-19.up4.uel20.aarch64.rpm UTSA-2023:20216 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libwebp security update

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)(CVE-2023-4863) libwebp-1.1.0-4.uel20.x86_64.rpm libwebp-java-1.1.0-4.uel20.x86_64.rpm libwebp-devel-1.1.0-4.uel20.x86_64.rpm libwebp-tools-1.1.0-4.uel20.x86_64.rpm libwebp-tools-1.1.0-4.uel20.aarch64.rpm libwebp-1.1.0-4.uel20.aarch64.rpm libwebp-devel-1.1.0-4.uel20.aarch64.rpm libwebp-java-1.1.0-4.uel20.aarch64.rpm libwebp-help-1.1.0-4.uel20.noarch.rpm UTSA-2023:20217 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: grpc security update

Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Java, and Go are NOT affected. (CVE-2023-4785) grpc-devel-1.31.0-8.uel20.x86_64.rpm grpc-1.31.0-8.uel20.x86_64.rpm python3-grpcio-1.31.0-8.uel20.x86_64.rpm grpc-devel-1.31.0-8.uel20.aarch64.rpm python3-grpcio-1.31.0-8.uel20.aarch64.rpm grpc-1.31.0-8.uel20.aarch64.rpm UTSA-2023:20218 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: glibc security update

A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.(CVE-2023-4813) glibc-common-2.28-95.uel20.01.x86_64.rpm glibc-benchtests-2.28-95.uel20.01.x86_64.rpm glibc-nss-devel-2.28-95.uel20.01.x86_64.rpm glibc-devel-2.28-95.uel20.01.x86_64.rpm glibc-all-langpacks-2.28-95.uel20.01.x86_64.rpm glibc-locale-source-2.28-95.uel20.01.x86_64.rpm glibc-2.28-95.uel20.01.x86_64.rpm libnsl-2.28-95.uel20.01.x86_64.rpm nscd-2.28-95.uel20.01.x86_64.rpm nss_modules-2.28-95.uel20.01.x86_64.rpm glibc-debugutils-2.28-95.uel20.01.x86_64.rpm glibc-debugutils-2.28-95.uel20.01.aarch64.rpm glibc-2.28-95.uel20.01.aarch64.rpm glibc-help-2.28-95.uel20.01.noarch.rpm nscd-2.28-95.uel20.01.aarch64.rpm glibc-benchtests-2.28-95.uel20.01.aarch64.rpm libnsl-2.28-95.uel20.01.aarch64.rpm nss_modules-2.28-95.uel20.01.aarch64.rpm glibc-nss-devel-2.28-95.uel20.01.aarch64.rpm glibc-common-2.28-95.uel20.01.aarch64.rpm glibc-locale-source-2.28-95.uel20.01.aarch64.rpm glibc-devel-2.28-95.uel20.01.aarch64.rpm glibc-all-langpacks-2.28-95.uel20.01.aarch64.rpm UTSA-2023:20219 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: rubygem-railties security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-38037) rubygem-railties-doc-5.2.4.4-5.uel20.noarch.rpm rubygem-railties-5.2.4.4-5.uel20.noarch.rpm UTSA-2023:20220 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: mutt security update

Null pointer dereference when composing from a specially crafted draft message in Mutt >1.5.2 <2.2.12(CVE-2023-4875) Null pointer dereference when viewing a specially crafted email in Mutt >1.5.2 <2.2.12(CVE-2023-4874) mutt-2.2.12-1.uel20.x86_64.rpm mutt-2.2.12-1.uel20.aarch64.rpm mutt-help-2.2.12-1.uel20.noarch.rpm UTSA-2023:20221 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: pmix security update

OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0.(CVE-2023-41915) pmix-4.2.6-1.uel20.x86_64.rpm pmix-tools-4.2.6-1.uel20.x86_64.rpm pmix-devel-4.2.6-1.uel20.x86_64.rpm pmix-devel-4.2.6-1.uel20.aarch64.rpm pmix-4.2.6-1.uel20.aarch64.rpm pmix-tools-4.2.6-1.uel20.aarch64.rpm UTSA-2023:20222 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: vim security update

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873.(CVE-2023-4781) Use After Free in GitHub repository vim/vim prior to 9.0.1858.(CVE-2023-4752) Use After Free in GitHub repository vim/vim prior to 9.0.1857.(CVE-2023-4750) Use After Free in GitHub repository vim/vim prior to 9.0.1840.(CVE-2023-4733) Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848.(CVE-2023-4738) Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833.(CVE-2023-4736) Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847.(CVE-2023-4735) Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846.(CVE-2023-4734) vim-common-9.0-15.uel20.01.x86_64.rpm vim-X11-9.0-15.uel20.01.x86_64.rpm vim-enhanced-9.0-15.uel20.01.x86_64.rpm vim-minimal-9.0-15.uel20.01.x86_64.rpm vim-common-9.0-15.uel20.01.aarch64.rpm vim-X11-9.0-15.uel20.01.aarch64.rpm vim-minimal-9.0-15.uel20.01.aarch64.rpm vim-enhanced-9.0-15.uel20.01.aarch64.rpm vim-filesystem-9.0-15.uel20.01.noarch.rpm UTSA-2023:20223 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: python-django security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-41164) python3-Django-2.2.27-7.uel20.noarch.rpm python-django-help-2.2.27-7.uel20.noarch.rpm UTSA-2023:20224 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: libtommath security update

Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS).(CVE-2023-36328) libtommath-devel-1.1.0-4.uel20.x86_64.rpm libtommath-help-1.1.0-4.uel20.x86_64.rpm libtommath-1.1.0-4.uel20.x86_64.rpm libtommath-help-1.1.0-4.uel20.aarch64.rpm libtommath-1.1.0-4.uel20.aarch64.rpm libtommath-devel-1.1.0-4.uel20.aarch64.rpm UTSA-2023:20225 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: freerdp security update

FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions there is a Global-Buffer-Overflow in the ncrush_decompress function. Feeding crafted input into this function can trigger the overflow which has only been shown to cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.(CVE-2023-40589) FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Write in the `progressive_decompress` function. This issue is likely down to incorrect calculations of the `nXSrc` and `nYSrc` variables. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. there are no known workarounds for this vulnerability.(CVE-2023-40569) FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Write in the `clear_decompress_bands_data` function in which there is no offset validation. Abuse of this vulnerability may lead to an out of bounds write. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. there are no known workarounds for this vulnerability.(CVE-2023-40567) FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Read in the `general_LumaToYUV444` function. This Out-Of-Bounds Read occurs because processing is done on the `in` variable without checking if it contains data of sufficient length. Insufficient data for the `in` variable may cause errors or crashes. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.(CVE-2023-40188) FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an IntegerOverflow leading to Out-Of-Bound Write Vulnerability in the `gdi_CreateSurface` function. This issue affects FreeRDP based clients only. FreeRDP proxies are not affected as image decoding is not done by a proxy. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.(CVE-2023-40186) FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Integer-Underflow leading to Out-Of-Bound Read in the `zgfx_decompress_segment` function. In the context of `CopyMemory`, it's possible to read data beyond the transmitted packet range and likely cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this issue.(CVE-2023-40181) FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a missing offset validation may lead to an Out Of Bound Read in the function `gdi_multi_opaque_rect`. In particular there is no code to validate if the value `multi_opaque_rect->numRectangles` is less than 45. Looping through `multi_opaque_rect->`numRectangles without proper boundary checks can lead to Out-of-Bounds Read errors which will likely lead to a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. (CVE-2023-39356) FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an Out-Of-Bounds Read in the `nsc_rle_decompress_data` function. The Out-Of-Bounds Read occurs because it processes `context->Planes` without checking if it contains data of sufficient length. Should an attacker be able to leverage this vulnerability they may be able to cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-39354) FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to a missing offset validation leading to Out Of Bound Read. In the `libfreerdp/codec/rfx.c` file there is no offset validation in `tile->quantIdxY`, `tile->quantIdxCb`, and `tile->quantIdxCr`. As a result crafted input can lead to an out of bounds read access which in turn will cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-39353) FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions are subject to an invalid offset validation leading to Out Of Bound Write. This can be triggered when the values `rect->left` and `rect->top` are exactly equal to `surface->width` and `surface->height`. eg. `rect->left` == `surface->width` && `rect->top` == `surface->height`. In practice this should cause a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. (CVE-2023-39352) FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. Affected versions of FreeRDP are subject to a Null Pointer Dereference leading a crash in the RemoteFX (rfx) handling. Inside the `rfx_process_message_tileset` function, the program allocates tiles using `rfx_allocate_tiles` for the number of numTiles. If the initialization process of tiles is not completed for various reasons, tiles will have a NULL pointer. Which may be accessed in further processing and would cause a program crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-39351) FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. This issue affects Clients only. Integer underflow leading to DOS (e.g. abort due to `WINPR_ASSERT` with default compilation flags). When an insufficient blockLen is provided, and proper length validation is not performed, an Integer Underflow occurs, leading to a Denial of Service (DOS) vulnerability. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability. (CVE-2023-39350) freerdp-2.11.1-1.uel20.x86_64.rpm freerdp-devel-2.11.1-1.uel20.x86_64.rpm libwinpr-devel-2.11.1-1.uel20.x86_64.rpm libwinpr-2.11.1-1.uel20.x86_64.rpm freerdp-help-2.11.1-1.uel20.x86_64.rpm freerdp-2.11.1-1.uel20.aarch64.rpm freerdp-devel-2.11.1-1.uel20.aarch64.rpm freerdp-help-2.11.1-1.uel20.aarch64.rpm libwinpr-2.11.1-1.uel20.aarch64.rpm libwinpr-devel-2.11.1-1.uel20.aarch64.rpm UTSA-2023:20226 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: shadow security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-4641) shadow-4.8.1-8.uel20.x86_64.rpm shadow-4.8.1-8.uel20.aarch64.rpm shadow-help-4.8.1-8.uel20.noarch.rpm UTSA-2023:20227 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: qemu security update

An issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers to execute arbitrary code, escalate privileges, and cause a denial of service (DoS).(CVE-2020-24165) A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.(CVE-2023-3354) hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space.(CVE-2020-13791) qemu-4.1.0-80.up3.uel20.x86_64.rpm qemu-guest-agent-4.1.0-80.up3.uel20.x86_64.rpm qemu-block-ssh-4.1.0-80.up3.uel20.x86_64.rpm qemu-block-curl-4.1.0-80.up3.uel20.x86_64.rpm qemu-block-iscsi-4.1.0-80.up3.uel20.x86_64.rpm qemu-block-rbd-4.1.0-80.up3.uel20.x86_64.rpm qemu-img-4.1.0-80.up3.uel20.x86_64.rpm qemu-seabios-4.1.0-80.up3.uel20.x86_64.rpm qemu-help-4.1.0-80.up3.uel20.noarch.rpm qemu-block-rbd-4.1.0-80.up3.uel20.aarch64.rpm qemu-block-iscsi-4.1.0-80.up3.uel20.aarch64.rpm qemu-block-ssh-4.1.0-80.up3.uel20.aarch64.rpm qemu-4.1.0-80.up3.uel20.aarch64.rpm qemu-img-4.1.0-80.up3.uel20.aarch64.rpm qemu-block-curl-4.1.0-80.up3.uel20.aarch64.rpm qemu-guest-agent-4.1.0-80.up3.uel20.aarch64.rpm UTSA-2023:20228 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: tomcat security update

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application.(CVE-2023-41080) tomcat-embed-9.0.10-29.up1.uel20.noarch.rpm tomcat-jsvc-9.0.10-29.up1.uel20.noarch.rpm tomcat-help-9.0.10-29.up1.uel20.noarch.rpm tomcat-9.0.10-29.up1.uel20.noarch.rpm UTSA-2023:20229 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: giflib security update

giflib v5.2.1 was discovered to contain a segmentation fault via the component getarg.c.(CVE-2023-39742) giflib-devel-5.2.1-4.uel20.x86_64.rpm giflib-5.2.1-4.uel20.x86_64.rpm giflib-utils-5.2.1-4.uel20.x86_64.rpm giflib-utils-5.2.1-4.uel20.aarch64.rpm giflib-help-5.2.1-4.uel20.noarch.rpm giflib-5.2.1-4.uel20.aarch64.rpm giflib-devel-5.2.1-4.uel20.aarch64.rpm UTSA-2023:20230 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: wireshark security update

Due to a failure in validating the length provided by an attacker-crafted CP2179 packet, Wireshark versions 2.0.0 through 4.0.7 is susceptible to a divide by zero allowing for a denial of service attack. (CVE-2023-2906) BT SDP dissector memory leak in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via packet injection or crafted capture file(CVE-2023-4513) BT SDP dissector infinite loop in Wireshark 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows denial of service via packet injection or crafted capture file(CVE-2023-4511) iSCSI dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of service via packet injection or crafted capture file(CVE-2023-3649) wireshark-devel-3.6.14-3.uel20.x86_64.rpm wireshark-3.6.14-3.uel20.x86_64.rpm wireshark-help-3.6.14-3.uel20.x86_64.rpm wireshark-devel-3.6.14-3.uel20.aarch64.rpm wireshark-3.6.14-3.uel20.aarch64.rpm wireshark-help-3.6.14-3.uel20.aarch64.rpm UTSA-2023:20231 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libtiff security update

An issue was discovered in function TIFFReadDirectory libtiff before 4.4.0 allows attackers to cause a denial of service via crafted TIFF file.(CVE-2022-40090) libtiff-4.3.0-18.uel20.x86_64.rpm libtiff-devel-4.3.0-18.uel20.x86_64.rpm libtiff-4.3.0-18.uel20.aarch64.rpm libtiff-help-4.3.0-18.uel20.noarch.rpm libtiff-devel-4.3.0-18.uel20.aarch64.rpm UTSA-2023:20232 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: binutils security update

Heap-based Buffer Overflow in function bfd_getl32 in Binutils objdump 3.37.(CVE-2021-46174) binutils-2.34-26.up1.uel20.x86_64.rpm binutils-devel-2.34-26.up1.uel20.x86_64.rpm binutils-help-2.34-26.up1.uel20.x86_64.rpm binutils-2.34-26.up1.uel20.aarch64.rpm binutils-devel-2.34-26.up1.uel20.aarch64.rpm binutils-help-2.34-26.up1.uel20.aarch64.rpm UTSA-2023:20233 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python3 security update

An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)(CVE-2023-40217) python3-devel-3.7.9-37.up2.uel20.x86_64.rpm python3-3.7.9-37.up2.uel20.x86_64.rpm python3-debug-3.7.9-37.up2.uel20.x86_64.rpm python3-devel-3.7.9-37.up2.uel20.aarch64.rpm python3-3.7.9-37.up2.uel20.aarch64.rpm python3-debug-3.7.9-37.up2.uel20.aarch64.rpm python3-help-3.7.9-37.up2.uel20.noarch.rpm UTSA-2023:20234 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: rubygem-activesupport security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-38037) rubygem-activesupport-doc-5.2.4.4-3.uel20.noarch.rpm rubygem-activesupport-5.2.4.4-3.uel20.noarch.rpm UTSA-2023:20235 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: python3 security update

An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.(CVE-2022-48566) An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.(CVE-2022-48565) python3-3.7.9-35.up2.uel20.x86_64.rpm python3-debug-3.7.9-35.up2.uel20.x86_64.rpm python3-devel-3.7.9-35.up2.uel20.x86_64.rpm python3-3.7.9-35.up2.uel20.aarch64.rpm python3-devel-3.7.9-35.up2.uel20.aarch64.rpm python3-help-3.7.9-35.up2.uel20.noarch.rpm python3-debug-3.7.9-35.up2.uel20.aarch64.rpm UTSA-2023:20236 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: busybox security update

There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.(CVE-2022-48174) busybox-petitboot-1.31.1-19.uel20.x86_64.rpm busybox-1.31.1-19.uel20.x86_64.rpm busybox-help-1.31.1-19.uel20.x86_64.rpm busybox-1.31.1-19.uel20.aarch64.rpm busybox-petitboot-1.31.1-19.uel20.aarch64.rpm busybox-help-1.31.1-19.uel20.aarch64.rpm UTSA-2023:20237 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: batik security update

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data and send it directly as parameter to a URL. (CVE-2022-44730) Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later. (CVE-2022-44729) Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.(CVE-2022-40146) Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.(CVE-2022-38648) Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.(CVE-2022-38398) batik-1.17-1.uel20.noarch.rpm batik-help-1.17-1.uel20.noarch.rpm UTSA-2023:20238 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: poppler security update

An issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.(CVE-2022-38349) A reachable Object::getString assertion in Poppler 22.07.0 allows attackers to cause a denial of service due to a failure in markObject.(CVE-2022-37052) An issue was discovered in Poppler 22.07.0. There is a reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file.(CVE-2022-37051) In Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.c callows attackers to cause a denial-of-service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662.(CVE-2022-37050) Uncontrolled Recursion in pdfinfo, and pdftops in poppler 0.89.0 allows remote attackers to cause a denial of service via crafted input.(CVE-2020-23804) poppler-utils-0.90.0-4.uel20.x86_64.rpm poppler-glib-0.90.0-4.uel20.x86_64.rpm poppler-qt5-devel-0.90.0-4.uel20.x86_64.rpm poppler-glib-devel-0.90.0-4.uel20.x86_64.rpm poppler-cpp-devel-0.90.0-4.uel20.x86_64.rpm poppler-cpp-0.90.0-4.uel20.x86_64.rpm poppler-qt5-0.90.0-4.uel20.x86_64.rpm poppler-devel-0.90.0-4.uel20.x86_64.rpm poppler-0.90.0-4.uel20.x86_64.rpm poppler-glib-0.90.0-4.uel20.aarch64.rpm poppler-cpp-devel-0.90.0-4.uel20.aarch64.rpm poppler-cpp-0.90.0-4.uel20.aarch64.rpm poppler-qt5-devel-0.90.0-4.uel20.aarch64.rpm poppler-qt5-0.90.0-4.uel20.aarch64.rpm poppler-help-0.90.0-4.uel20.noarch.rpm poppler-devel-0.90.0-4.uel20.aarch64.rpm poppler-glib-doc-0.90.0-4.uel20.noarch.rpm poppler-utils-0.90.0-4.uel20.aarch64.rpm poppler-0.90.0-4.uel20.aarch64.rpm poppler-glib-devel-0.90.0-4.uel20.aarch64.rpm UTSA-2023:20239 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: json-c security update

An issue was discovered in json-c from 20200420 (post 0.14 unreleased code) through 0.15-20200726. A stack-buffer-overflow exists in the auxiliary sample program json_parse which is located in the function parseit.(CVE-2021-32292) json-c-0.15-6.uel20.01.x86_64.rpm json-c-devel-0.15-6.uel20.01.x86_64.rpm json-c-0.15-6.uel20.01.aarch64.rpm json-c-devel-0.15-6.uel20.01.aarch64.rpm json-c-help-0.15-6.uel20.01.noarch.rpm UTSA-2023:20240 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: flac security update

Buffer Overflow vulnerability in function bitwriter_grow_ in flac before 1.4.0 allows remote attackers to run arbitrary code via crafted input to the encoder.(CVE-2020-22219) flac-devel-1.3.3-7.uel20.x86_64.rpm flac-1.3.3-7.uel20.x86_64.rpm xmms-flac-1.3.3-7.uel20.x86_64.rpm flac-help-1.3.3-7.uel20.x86_64.rpm flac-help-1.3.3-7.uel20.aarch64.rpm xmms-flac-1.3.3-7.uel20.aarch64.rpm flac-devel-1.3.3-7.uel20.aarch64.rpm flac-1.3.3-7.uel20.aarch64.rpm UTSA-2023:20241 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: nasm security update

A Segmentation Fault issue discovered in in ieee_segment function in outieee.c in nasm 2.14.03 and 2.15 allows remote attackers to cause a denial of service via crafted assembly file.(CVE-2020-21528) nasm-2.15.03-7.uel20.x86_64.rpm nasm-2.15.03-7.uel20.aarch64.rpm nasm-help-2.15.03-7.uel20.noarch.rpm UTSA-2023:20242 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libpq security update

** DISPUTED ** An issue was discovered in PostgreSQL 12.2 allows attackers to cause a denial of service via repeatedly sending SIGHUP signals. NOTE: this is disputed by the vendor because untrusted users cannot send SIGHUP signals; they can only be sent by a PostgreSQL superuser, a user with pg_reload_conf access, or a user with sufficient privileges at the OS level (the postgres account or the root account).(CVE-2020-21469) A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.(CVE-2023-39418) IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.(CVE-2023-39417) libpq-13.12-1.uel20.x86_64.rpm libpq-devel-13.12-1.uel20.x86_64.rpm libpq-devel-13.12-1.uel20.aarch64.rpm libpq-13.12-1.uel20.aarch64.rpm UTSA-2023:20243 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: mdadm security update

Uncontrolled resource consumption in some Intel(R) SSD Tools software before version mdadm-4.2-rc2 may allow a priviledged user to potentially enable denial of service via local access.(CVE-2023-28938) Buffer overflow in some Intel(R) SSD Tools software before version mdadm-4.2-rc2 may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2023-28736) mdadm-4.1-rc2.0.16.uel20.x86_64.rpm mdadm-4.1-rc2.0.16.uel20.aarch64.rpm mdadm-help-4.1-rc2.0.16.uel20.noarch.rpm UTSA-2023:20244 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: indent security update

GNU indent 2.2.13 has a heap-based buffer overflow in search_brace in indent.c via a crafted file.(CVE-2023-40305) indent-2.2.11-29.uel20.x86_64.rpm indent-help-2.2.11-29.uel20.noarch.rpm indent-2.2.11-29.uel20.aarch64.rpm UTSA-2023:20245 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: hyperscan security update

Insufficient control flow management in the Hyperscan Library maintained by Intel(R) before version 5.4.1 may allow an authenticated user to potentially enable denial of service via local access.(CVE-2023-28711) hyperscan-5.4.2-1.uel20.x86_64.rpm hyperscan-devel-5.4.2-1.uel20.x86_64.rpm hyperscan-devel-5.4.2-1.uel20.aarch64.rpm hyperscan-5.4.2-1.uel20.aarch64.rpm UTSA-2023:20246 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: microcode_ctl security update

Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2022-40982) Improper isolation of shared resources in some Intel(R) Processors when using Intel(R) Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access.(CVE-2022-38090) Incorrect default permissions in some memory controller configurations for some Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions which may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2022-33196) microcode_ctl-20220809-220230808.1.0.1.uel20.01.x86_64.rpm UTSA-2023:20247 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: gawk security update

A heap out-of-bounds read flaw was found in builtin.c in the gawk package. This issue may lead to a crash and could be used to read sensitive information.(CVE-2023-4156) gawk-lang-5.0.1-5.uel20.01.x86_64.rpm gawk-5.0.1-5.uel20.01.x86_64.rpm gawk-devel-5.0.1-5.uel20.01.x86_64.rpm gawk-help-5.0.1-5.uel20.01.noarch.rpm gawk-5.0.1-5.uel20.01.aarch64.rpm gawk-devel-5.0.1-5.uel20.01.aarch64.rpm gawk-lang-5.0.1-5.uel20.01.aarch64.rpm UTSA-2023:20248 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: qt5-qtbase security update

In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.(CVE-2023-37369) qt5-qtbase-devel-5.11.1-16.up7.uel20.x86_64.rpm qt5-qtbase-5.11.1-16.up7.uel20.x86_64.rpm qt5-qtbase-gui-5.11.1-16.up7.uel20.x86_64.rpm qt5-qtbase-mysql-5.11.1-16.up7.uel20.x86_64.rpm qt5-qtbase-odbc-5.11.1-16.up7.uel20.x86_64.rpm qt5-qtbase-postgresql-5.11.1-16.up7.uel20.x86_64.rpm qt5-qtbase-devel-5.11.1-16.up7.uel20.aarch64.rpm qt5-qtbase-gui-5.11.1-16.up7.uel20.aarch64.rpm qt5-qtbase-5.11.1-16.up7.uel20.aarch64.rpm qt5-qtbase-common-5.11.1-16.up7.uel20.noarch.rpm qt5-qtbase-postgresql-5.11.1-16.up7.uel20.aarch64.rpm qt5-qtbase-odbc-5.11.1-16.up7.uel20.aarch64.rpm qt5-qtbase-mysql-5.11.1-16.up7.uel20.aarch64.rpm UTSA-2023:20249 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: gdb security update

GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a stack overflow via the function ada_decode at /gdb/ada-lang.c.(CVE-2023-39128) gdb-headless-9.2-5.uel20.01.x86_64.rpm gdb-gdbserver-9.2-5.uel20.01.x86_64.rpm gdb-9.2-5.uel20.01.x86_64.rpm gdb-headless-9.2-5.uel20.01.aarch64.rpm gdb-9.2-5.uel20.01.aarch64.rpm gdb-gdbserver-9.2-5.uel20.01.aarch64.rpm gdb-help-9.2-5.uel20.01.noarch.rpm UTSA-2023:20250 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: librsvg2 security update

A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.(CVE-2023-38633) librsvg2-devel-2.50.5-2.uel20.x86_64.rpm librsvg2-tools-2.50.5-2.uel20.x86_64.rpm librsvg2-2.50.5-2.uel20.x86_64.rpm librsvg2-tools-2.50.5-2.uel20.aarch64.rpm librsvg2-devel-2.50.5-2.uel20.aarch64.rpm librsvg2-2.50.5-2.uel20.aarch64.rpm librsvg2-help-2.50.5-2.uel20.noarch.rpm UTSA-2023:20251 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: opensc security update

A vulnerbility was found in OpenSC. This security flaw cause a buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The attacker can supply a smart card package with malformed ASN1 context. The cardos_have_verifyrc_package function scans the ASN1 buffer for 2 tags, where remaining length is wrongly caculated due to moved starting pointer. This leads to possible heap-based buffer oob read. In cases where ASAN is enabled while compiling this causes a crash. Further info leak or more damage is possible.(CVE-2023-2977) opensc-0.20.0-11.uel20.x86_64.rpm opensc-0.20.0-11.uel20.aarch64.rpm opensc-help-0.20.0-11.uel20.noarch.rpm UTSA-2023:20252 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: ghostscript security update

In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written.(CVE-2023-28879) ghostscript-devel-9.52-10.uel20.x86_64.rpm ghostscript-9.52-10.uel20.x86_64.rpm ghostscript-tools-dvipdf-9.52-10.uel20.x86_64.rpm ghostscript-help-9.52-10.uel20.noarch.rpm ghostscript-9.52-10.uel20.aarch64.rpm ghostscript-devel-9.52-10.uel20.aarch64.rpm ghostscript-tools-dvipdf-9.52-10.uel20.aarch64.rpm UTSA-2023:20253 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: ctags security update

A flaw was found in Exuberant Ctags in the way it handles the "-o" option. This option specifies the tag filename. A crafted tag filename specified in the command line or in the configuration file results in arbitrary command execution because the externalSortTags() in sort.c calls the system(3) function in an unsafe way.(CVE-2022-4515) ctags-5.8-28.uel20.x86_64.rpm ctags-5.8-28.uel20.aarch64.rpm ctags-help-5.8-28.uel20.noarch.rpm UTSA-2023:20254 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-mako security update

Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.(CVE-2022-40023) python3-mako-1.0.6-14.uel20.noarch.rpm python2-mako-1.0.6-14.uel20.noarch.rpm python-mako-help-1.0.6-14.uel20.noarch.rpm UTSA-2023:20255 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libxpm security update

A vulnerability was found in libXpm where a vulnerability exists due to a boundary condition, a local user can trigger an out-of-bounds read error and read contents of memory on the system.(CVE-2023-43789) libXpm-3.5.13-3.uel20.x86_64.rpm libXpm-devel-3.5.13-3.uel20.x86_64.rpm libXpm-3.5.13-3.uel20.aarch64.rpm libXpm-help-3.5.13-3.uel20.noarch.rpm libXpm-devel-3.5.13-3.uel20.aarch64.rpm UTSA-2023:20256 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libx11 security update

A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.(CVE-2023-43787) A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.(CVE-2023-43786) A vulnerability was found in libX11 due to a boundary condition within the _XkbReadKeySyms() function. This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on the system.(CVE-2023-43785) libX11-1.6.9-8.uel20.x86_64.rpm libX11-devel-1.6.9-8.uel20.x86_64.rpm libX11-1.6.9-8.uel20.aarch64.rpm libX11-help-1.6.9-8.uel20.noarch.rpm libX11-devel-1.6.9-8.uel20.aarch64.rpm UTSA-2023:20257 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: vim security update

Use After Free in GitHub repository vim/vim prior to v9.0.2010.(CVE-2023-5535) NULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960.(CVE-2023-5441) vim-common-9.0-17.uel20.01.x86_64.rpm vim-X11-9.0-17.uel20.01.x86_64.rpm vim-enhanced-9.0-17.uel20.01.x86_64.rpm vim-minimal-9.0-17.uel20.01.x86_64.rpm vim-common-9.0-17.uel20.01.aarch64.rpm vim-X11-9.0-17.uel20.01.aarch64.rpm vim-minimal-9.0-17.uel20.01.aarch64.rpm vim-filesystem-9.0-17.uel20.01.noarch.rpm vim-enhanced-9.0-17.uel20.01.aarch64.rpm UTSA-2023:20258 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: samba security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-4091) ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-42669) samba-help-4.11.12-31.uel20.x86_64.rpm python3-samba-test-4.11.12-31.uel20.x86_64.rpm samba-dc-provision-4.11.12-31.uel20.x86_64.rpm samba-common-tools-4.11.12-31.uel20.x86_64.rpm samba-krb5-printing-4.11.12-31.uel20.x86_64.rpm samba-dc-bind-dlz-4.11.12-31.uel20.x86_64.rpm ctdb-4.11.12-31.uel20.x86_64.rpm samba-winbind-krb5-locator-4.11.12-31.uel20.x86_64.rpm libwbclient-devel-4.11.12-31.uel20.x86_64.rpm python3-samba-4.11.12-31.uel20.x86_64.rpm ctdb-tests-4.11.12-31.uel20.x86_64.rpm samba-client-4.11.12-31.uel20.x86_64.rpm libsmbclient-devel-4.11.12-31.uel20.x86_64.rpm samba-dc-4.11.12-31.uel20.x86_64.rpm libsmbclient-4.11.12-31.uel20.x86_64.rpm samba-devel-4.11.12-31.uel20.x86_64.rpm samba-winbind-4.11.12-31.uel20.x86_64.rpm samba-common-4.11.12-31.uel20.x86_64.rpm samba-libs-4.11.12-31.uel20.x86_64.rpm samba-winbind-clients-4.11.12-31.uel20.x86_64.rpm samba-winbind-modules-4.11.12-31.uel20.x86_64.rpm libwbclient-4.11.12-31.uel20.x86_64.rpm python3-samba-dc-4.11.12-31.uel20.x86_64.rpm samba-vfs-glusterfs-4.11.12-31.uel20.x86_64.rpm samba-4.11.12-31.uel20.x86_64.rpm samba-test-4.11.12-31.uel20.x86_64.rpm samba-winbind-krb5-locator-4.11.12-31.uel20.aarch64.rpm samba-test-4.11.12-31.uel20.aarch64.rpm samba-dc-4.11.12-31.uel20.aarch64.rpm samba-dc-bind-dlz-4.11.12-31.uel20.aarch64.rpm samba-devel-4.11.12-31.uel20.aarch64.rpm samba-libs-4.11.12-31.uel20.aarch64.rpm ctdb-tests-4.11.12-31.uel20.aarch64.rpm samba-help-4.11.12-31.uel20.aarch64.rpm samba-dc-provision-4.11.12-31.uel20.aarch64.rpm samba-4.11.12-31.uel20.aarch64.rpm samba-winbind-4.11.12-31.uel20.aarch64.rpm samba-winbind-clients-4.11.12-31.uel20.aarch64.rpm libsmbclient-devel-4.11.12-31.uel20.aarch64.rpm samba-winbind-modules-4.11.12-31.uel20.aarch64.rpm samba-pidl-4.11.12-31.uel20.noarch.rpm samba-common-4.11.12-31.uel20.aarch64.rpm samba-common-tools-4.11.12-31.uel20.aarch64.rpm samba-krb5-printing-4.11.12-31.uel20.aarch64.rpm libwbclient-4.11.12-31.uel20.aarch64.rpm samba-client-4.11.12-31.uel20.aarch64.rpm python3-samba-dc-4.11.12-31.uel20.aarch64.rpm libwbclient-devel-4.11.12-31.uel20.aarch64.rpm libsmbclient-4.11.12-31.uel20.aarch64.rpm python3-samba-test-4.11.12-31.uel20.aarch64.rpm python3-samba-4.11.12-31.uel20.aarch64.rpm ctdb-4.11.12-31.uel20.aarch64.rpm UTSA-2023:20259 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: curl security update

This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates en easy handle called [curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html). If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as `none` (using the four ASCII letters, no quotes). Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named `none` - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course. (CVE-2023-38546) This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long host name to the target buffer instead of copying just the resolved address there. The target buffer being a heap based buffer, and the host name coming from the URL that curl has been told to operate with. (CVE-2023-38545) libcurl-7.71.1-31.up3.uel20.03.x86_64.rpm curl-7.71.1-31.up3.uel20.03.x86_64.rpm libcurl-devel-7.71.1-31.up3.uel20.03.x86_64.rpm curl-help-7.71.1-31.up3.uel20.03.noarch.rpm libcurl-7.71.1-31.up3.uel20.03.aarch64.rpm libcurl-devel-7.71.1-31.up3.uel20.03.aarch64.rpm curl-7.71.1-31.up3.uel20.03.aarch64.rpm UTSA-2023:20260 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: golang security update

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.(CVE-2023-39323) golang-1.15.7-35.uel20.x86_64.rpm golang-devel-1.15.7-35.uel20.noarch.rpm golang-1.15.7-35.uel20.aarch64.rpm UTSA-2023:20261 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: wireshark security update

RTPS dissector memory leak in Wireshark 4.0.0 to 4.0.8 and 3.6.0 to 3.6.16 allows denial of service via packet injection or crafted capture file(CVE-2023-5371) wireshark-3.6.14-4.uel20.x86_64.rpm wireshark-help-3.6.14-4.uel20.x86_64.rpm wireshark-devel-3.6.14-4.uel20.x86_64.rpm wireshark-devel-3.6.14-4.uel20.aarch64.rpm wireshark-3.6.14-4.uel20.aarch64.rpm wireshark-help-3.6.14-4.uel20.aarch64.rpm UTSA-2023:20262 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: grub2 security update

An out-of-bounds read flaw was found on grub2's NTFS filesystem driver. This issue may allow a physically present attacker to present a specially crafted NTFS file system image to read arbitrary memory locations. A successful attack allows sensitive data cached in memory or EFI variable values to be leaked, presenting a high Confidentiality risk.(CVE-2023-4693) An out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved.(CVE-2023-4692) grub2-efi-ia32-2.04-36.up7.uel20.16.x86_64.rpm grub2-efi-x64-modules-2.04-36.up7.uel20.16.noarch.rpm grub2-pc-modules-2.04-36.up7.uel20.16.noarch.rpm grub2-tools-minimal-2.04-36.up7.uel20.16.x86_64.rpm grub2-pc-2.04-36.up7.uel20.16.x86_64.rpm grub2-tools-2.04-36.up7.uel20.16.x86_64.rpm grub2-efi-ia32-cdboot-2.04-36.up7.uel20.16.x86_64.rpm grub2-common-2.04-36.up7.uel20.16.x86_64.rpm grub2-efi-ia32-modules-2.04-36.up7.uel20.16.noarch.rpm grub2-tools-efi-2.04-36.up7.uel20.16.x86_64.rpm grub2-efi-x64-2.04-36.up7.uel20.16.x86_64.rpm grub2-tools-extra-2.04-36.up7.uel20.16.x86_64.rpm grub2-efi-x64-cdboot-2.04-36.up7.uel20.16.x86_64.rpm grub2-efi-aa64-modules-2.04-36.up7.uel20.16.noarch.rpm grub2-common-2.04-36.up7.uel20.16.aarch64.rpm grub2-tools-2.04-36.up7.uel20.16.aarch64.rpm grub2-efi-aa64-2.04-36.up7.uel20.16.aarch64.rpm grub2-tools-extra-2.04-36.up7.uel20.16.aarch64.rpm grub2-tools-minimal-2.04-36.up7.uel20.16.aarch64.rpm grub2-help-2.04-36.up7.uel20.16.noarch.rpm grub2-efi-aa64-cdboot-2.04-36.up7.uel20.16.aarch64.rpm UTSA-2023:20263 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: python-django security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-43665) python3-Django-2.2.27-8.uel20.noarch.rpm python-django-help-2.2.27-8.uel20.noarch.rpm UTSA-2023:20264 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: openvswitch security update

A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses.(CVE-2023-5366) openvswitch-2.12.4-6.uel20.x86_64.rpm openvswitch-devel-2.12.4-6.uel20.x86_64.rpm python3-openvswitch-2.12.4-6.uel20.x86_64.rpm openvswitch-help-2.12.4-6.uel20.x86_64.rpm openvswitch-2.12.4-6.uel20.aarch64.rpm python3-openvswitch-2.12.4-6.uel20.aarch64.rpm openvswitch-devel-2.12.4-6.uel20.aarch64.rpm openvswitch-help-2.12.4-6.uel20.aarch64.rpm UTSA-2023:20265 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: vim security update

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969.(CVE-2023-5344) vim-common-9.0-16.uel20.01.x86_64.rpm vim-X11-9.0-16.uel20.01.x86_64.rpm vim-enhanced-9.0-16.uel20.01.x86_64.rpm vim-minimal-9.0-16.uel20.01.x86_64.rpm vim-filesystem-9.0-16.uel20.01.noarch.rpm vim-minimal-9.0-16.uel20.01.aarch64.rpm vim-common-9.0-16.uel20.01.aarch64.rpm vim-X11-9.0-16.uel20.01.aarch64.rpm vim-enhanced-9.0-16.uel20.01.aarch64.rpm UTSA-2023:20266 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-urllib3 security update

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.(CVE-2023-43804) python2-urllib3-1.25.9-9.uel20.noarch.rpm python3-urllib3-1.25.9-9.uel20.noarch.rpm UTSA-2023:20267 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libvpx security update

VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding.(CVE-2023-44488) Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)(CVE-2023-5217) libvpx-devel-1.7.0-10.uel20.x86_64.rpm libvpx-1.7.0-10.uel20.x86_64.rpm libvpx-devel-1.7.0-10.uel20.aarch64.rpm libvpx-1.7.0-10.uel20.aarch64.rpm UTSA-2023:20268 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: gstreamer1-plugins-bad-free security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-40476) ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-40475) ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-40474) gstreamer1-plugins-bad-free-devel-1.16.2-3.uel20.x86_64.rpm gstreamer1-plugins-bad-free-1.16.2-3.uel20.x86_64.rpm gstreamer1-plugins-bad-free-1.16.2-3.uel20.aarch64.rpm gstreamer1-plugins-bad-free-devel-1.16.2-3.uel20.aarch64.rpm UTSA-2023:20269 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: glibc security update

A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.(CVE-2023-5156) A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.(CVE-2023-4806) glibc-2.28-97.uel20.01.x86_64.rpm glibc-compat-2.17-2.28-97.uel20.01.x86_64.rpm nss_modules-2.28-97.uel20.01.x86_64.rpm nscd-2.28-97.uel20.01.x86_64.rpm glibc-devel-2.28-97.uel20.01.x86_64.rpm glibc-nss-devel-2.28-97.uel20.01.x86_64.rpm libnsl-2.28-97.uel20.01.x86_64.rpm glibc-benchtests-2.28-97.uel20.01.x86_64.rpm glibc-all-langpacks-2.28-97.uel20.01.x86_64.rpm glibc-locale-source-2.28-97.uel20.01.x86_64.rpm glibc-debugutils-2.28-97.uel20.01.x86_64.rpm glibc-common-2.28-97.uel20.01.x86_64.rpm glibc-all-langpacks-2.28-97.uel20.01.aarch64.rpm glibc-2.28-97.uel20.01.aarch64.rpm glibc-locale-source-2.28-97.uel20.01.aarch64.rpm glibc-devel-2.28-97.uel20.01.aarch64.rpm glibc-benchtests-2.28-97.uel20.01.aarch64.rpm glibc-common-2.28-97.uel20.01.aarch64.rpm libnsl-2.28-97.uel20.01.aarch64.rpm nss_modules-2.28-97.uel20.01.aarch64.rpm glibc-nss-devel-2.28-97.uel20.01.aarch64.rpm nscd-2.28-97.uel20.01.aarch64.rpm glibc-debugutils-2.28-97.uel20.01.aarch64.rpm glibc-compat-2.17-2.28-97.uel20.01.aarch64.rpm glibc-help-2.28-97.uel20.01.noarch.rpm UTSA-2023:20270 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: bind security update

The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.(CVE-2023-3341) bind-9.11.21-18.uel20.x86_64.rpm bind-export-libs-9.11.21-18.uel20.x86_64.rpm bind-pkcs11-9.11.21-18.uel20.x86_64.rpm bind-export-devel-9.11.21-18.uel20.x86_64.rpm bind-devel-9.11.21-18.uel20.x86_64.rpm bind-utils-9.11.21-18.uel20.x86_64.rpm bind-libs-9.11.21-18.uel20.x86_64.rpm bind-chroot-9.11.21-18.uel20.x86_64.rpm bind-pkcs11-devel-9.11.21-18.uel20.x86_64.rpm bind-libs-lite-9.11.21-18.uel20.x86_64.rpm bind-devel-9.11.21-18.uel20.aarch64.rpm bind-9.11.21-18.uel20.aarch64.rpm bind-export-devel-9.11.21-18.uel20.aarch64.rpm bind-libs-9.11.21-18.uel20.aarch64.rpm bind-pkcs11-9.11.21-18.uel20.aarch64.rpm bind-utils-9.11.21-18.uel20.aarch64.rpm bind-chroot-9.11.21-18.uel20.aarch64.rpm python3-bind-9.11.21-18.uel20.noarch.rpm bind-export-libs-9.11.21-18.uel20.aarch64.rpm bind-libs-lite-9.11.21-18.uel20.aarch64.rpm bind-pkcs11-devel-9.11.21-18.uel20.aarch64.rpm UTSA-2023:20271 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: golang security update

The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.(CVE-2023-39319) The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.(CVE-2023-39318) golang-1.15.7-34.uel20.x86_64.rpm golang-1.15.7-34.uel20.aarch64.rpm golang-devel-1.15.7-34.uel20.noarch.rpm UTSA-2023:20272 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: ghostscript security update

In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server).(CVE-2023-43115) ghostscript-9.52-11.uel20.x86_64.rpm ghostscript-tools-dvipdf-9.52-11.uel20.x86_64.rpm ghostscript-devel-9.52-11.uel20.x86_64.rpm ghostscript-9.52-11.uel20.aarch64.rpm ghostscript-tools-dvipdf-9.52-11.uel20.aarch64.rpm ghostscript-devel-9.52-11.uel20.aarch64.rpm ghostscript-help-9.52-11.uel20.noarch.rpm UTSA-2023:20273 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: djvulibre security update

An issue was discovered IW44EncodeCodec.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero.(CVE-2021-46312) An issue was discovered IW44Image.cpp in djvulibre 3.5.28 in allows attackers to cause a denial of service via divide by zero.(CVE-2021-46310) djvulibre-devel-3.5.27-20.uel20.x86_64.rpm djvulibre-3.5.27-20.uel20.x86_64.rpm djvulibre-help-3.5.27-20.uel20.x86_64.rpm djvulibre-help-3.5.27-20.uel20.aarch64.rpm djvulibre-devel-3.5.27-20.uel20.aarch64.rpm djvulibre-3.5.27-20.uel20.aarch64.rpm UTSA-2023:20274 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: zziplib security update

An issue was discovered in function zzip_disk_entry_to_file_header in mmapped.c in zziplib 0.13.69, which will lead to a denial-of-service.(CVE-2020-18770) zziplib-0.13.69-9.uel20.x86_64.rpm zziplib-devel-0.13.69-9.uel20.x86_64.rpm zziplib-0.13.69-9.uel20.aarch64.rpm zziplib-devel-0.13.69-9.uel20.aarch64.rpm zziplib-help-0.13.69-9.uel20.noarch.rpm UTSA-2023:20275 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: exempi security update

Buffer Overflow vulnerability in WEBP_Support.cpp in exempi 2.5.0 and earlier allows remote attackers to cause a denial of service via opening of crafted webp file.(CVE-2020-18652) Buffer Overflow vulnerability in function ID3_Support::ID3v2Frame::getFrameValue in exempi 2.5.0 and earlier allows remote attackers to cause a denial of service via opening of crafted audio file with ID3V2 frame.(CVE-2020-18651) XMP Toolkit version 2020.1 (and earlier) is affected by a null pointer dereference vulnerability that could result in leaking data from certain memory locations and causing a local denial of service in the context of the current user. User interaction is required to exploit this vulnerability in that the victim will need to open a specially crafted MXF file.(CVE-2021-40732) exempi-devel-2.4.5-5.uel20.x86_64.rpm exempi-2.4.5-5.uel20.x86_64.rpm exempi-help-2.4.5-5.uel20.x86_64.rpm exempi-2.4.5-5.uel20.aarch64.rpm exempi-devel-2.4.5-5.uel20.aarch64.rpm exempi-help-2.4.5-5.uel20.aarch64.rpm UTSA-2023:20276 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: avahi security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-38470) avahi-glib-devel-0.8-10.uel20.x86_64.rpm avahi-compat-libdns_sd-devel-0.8-10.uel20.x86_64.rpm avahi-libs-0.8-10.uel20.x86_64.rpm avahi-0.8-10.uel20.x86_64.rpm avahi-dnsconfd-0.8-10.uel20.x86_64.rpm avahi-compat-howl-0.8-10.uel20.x86_64.rpm avahi-qt5-0.8-10.uel20.x86_64.rpm avahi-compat-howl-devel-0.8-10.uel20.x86_64.rpm avahi-tools-0.8-10.uel20.x86_64.rpm avahi-ui-0.8-10.uel20.x86_64.rpm avahi-gobject-devel-0.8-10.uel20.x86_64.rpm avahi-compat-libdns_sd-0.8-10.uel20.x86_64.rpm avahi-gobject-0.8-10.uel20.x86_64.rpm avahi-glib-0.8-10.uel20.x86_64.rpm avahi-autoipd-0.8-10.uel20.x86_64.rpm avahi-ui-gtk3-0.8-10.uel20.x86_64.rpm avahi-qt5-devel-0.8-10.uel20.x86_64.rpm avahi-ui-devel-0.8-10.uel20.x86_64.rpm avahi-devel-0.8-10.uel20.x86_64.rpm avahi-tools-0.8-10.uel20.aarch64.rpm avahi-ui-0.8-10.uel20.aarch64.rpm avahi-compat-libdns_sd-0.8-10.uel20.aarch64.rpm avahi-compat-howl-devel-0.8-10.uel20.aarch64.rpm avahi-help-0.8-10.uel20.noarch.rpm avahi-gobject-0.8-10.uel20.aarch64.rpm avahi-compat-howl-0.8-10.uel20.aarch64.rpm avahi-devel-0.8-10.uel20.aarch64.rpm avahi-libs-0.8-10.uel20.aarch64.rpm avahi-dnsconfd-0.8-10.uel20.aarch64.rpm avahi-0.8-10.uel20.aarch64.rpm avahi-gobject-devel-0.8-10.uel20.aarch64.rpm avahi-autoipd-0.8-10.uel20.aarch64.rpm avahi-compat-libdns_sd-devel-0.8-10.uel20.aarch64.rpm avahi-glib-0.8-10.uel20.aarch64.rpm avahi-qt5-0.8-10.uel20.aarch64.rpm avahi-qt5-devel-0.8-10.uel20.aarch64.rpm avahi-ui-gtk3-0.8-10.uel20.aarch64.rpm avahi-ui-devel-0.8-10.uel20.aarch64.rpm avahi-glib-devel-0.8-10.uel20.aarch64.rpm UTSA-2023:20277 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: activemq security update

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue. (CVE-2023-46604) activemq-5.15.16-1.uel20.x86_64.rpm activemq-5.15.16-1.uel20.aarch64.rpm UTSA-2023:20278 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: squid security update

Squid is vulnerable to a Denial of Service, where a remote attacker can perform buffer overflow attack by writing up to 2 MB of arbitrary data to heap memory when Squid is configured to accept HTTP Digest Authentication.(CVE-2023-46847) SQUID is vulnerable to HTTP request smuggling, caused by chunked decoder lenience, allows a remote attacker to perform Request/Response smuggling past firewall and frontend security systems.(CVE-2023-46846) squid-4.9-14.uel20.x86_64.rpm squid-4.9-14.uel20.aarch64.rpm UTSA-2023:20279 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: traceroute security update

In buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper scripts do not properly parse command lines.(CVE-2023-46316) traceroute-2.1.2-2.uel20.x86_64.rpm traceroute-2.1.2-2.uel20.aarch64.rpm traceroute-help-2.1.2-2.uel20.noarch.rpm UTSA-2023:20280 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: httpd security update

When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue. (CVE-2023-45802) Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57. (CVE-2023-31122) mod_proxy_html-2.4.43-23.up1.uel20.x86_64.rpm mod_ssl-2.4.43-23.up1.uel20.x86_64.rpm httpd-2.4.43-23.up1.uel20.x86_64.rpm mod_md-2.4.43-23.up1.uel20.x86_64.rpm httpd-tools-2.4.43-23.up1.uel20.x86_64.rpm httpd-devel-2.4.43-23.up1.uel20.x86_64.rpm mod_session-2.4.43-23.up1.uel20.x86_64.rpm mod_ldap-2.4.43-23.up1.uel20.x86_64.rpm httpd-2.4.43-23.up1.uel20.aarch64.rpm httpd-tools-2.4.43-23.up1.uel20.aarch64.rpm mod_md-2.4.43-23.up1.uel20.aarch64.rpm mod_proxy_html-2.4.43-23.up1.uel20.aarch64.rpm mod_ldap-2.4.43-23.up1.uel20.aarch64.rpm httpd-help-2.4.43-23.up1.uel20.noarch.rpm httpd-filesystem-2.4.43-23.up1.uel20.noarch.rpm httpd-devel-2.4.43-23.up1.uel20.aarch64.rpm mod_session-2.4.43-23.up1.uel20.aarch64.rpm mod_ssl-2.4.43-23.up1.uel20.aarch64.rpm UTSA-2023:20281 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: nghttp2 security update

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.(CVE-2023-44487) nghttp2-1.41.0-5.uel20.5.x86_64.rpm libnghttp2-devel-1.41.0-5.uel20.5.x86_64.rpm libnghttp2-1.41.0-5.uel20.5.x86_64.rpm nghttp2-1.41.0-5.uel20.5.aarch64.rpm libnghttp2-devel-1.41.0-5.uel20.5.aarch64.rpm libnghttp2-1.41.0-5.uel20.5.aarch64.rpm nghttp2-help-1.41.0-5.uel20.5.noarch.rpm UTSA-2023:20282 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: nginx security update

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.(CVE-2023-44487) nginx-mod-devel-1.21.5-4.uel20.x86_64.rpm nginx-mod-http-image-filter-1.21.5-4.uel20.x86_64.rpm nginx-mod-http-perl-1.21.5-4.uel20.x86_64.rpm nginx-mod-mail-1.21.5-4.uel20.x86_64.rpm nginx-mod-stream-1.21.5-4.uel20.x86_64.rpm nginx-1.21.5-4.uel20.x86_64.rpm nginx-mod-http-xslt-filter-1.21.5-4.uel20.x86_64.rpm nginx-mod-stream-1.21.5-4.uel20.aarch64.rpm nginx-mod-http-perl-1.21.5-4.uel20.aarch64.rpm nginx-1.21.5-4.uel20.aarch64.rpm nginx-mod-http-image-filter-1.21.5-4.uel20.aarch64.rpm nginx-filesystem-1.21.5-4.uel20.noarch.rpm nginx-mod-devel-1.21.5-4.uel20.aarch64.rpm nginx-mod-mail-1.21.5-4.uel20.aarch64.rpm nginx-mod-http-xslt-filter-1.21.5-4.uel20.aarch64.rpm nginx-all-modules-1.21.5-4.uel20.noarch.rpm UTSA-2023:20283 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: zlib security update

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.(CVE-2023-45853) zlib-devel-1.2.11-23.uel20.03.x86_64.rpm zlib-1.2.11-23.uel20.03.x86_64.rpm minizip-devel-1.2.11-23.uel20.03.x86_64.rpm minizip-1.2.11-23.uel20.03.x86_64.rpm zlib-1.2.11-23.uel20.03.aarch64.rpm minizip-1.2.11-23.uel20.03.aarch64.rpm minizip-devel-1.2.11-23.uel20.03.aarch64.rpm zlib-help-1.2.11-23.uel20.03.noarch.rpm zlib-devel-1.2.11-23.uel20.03.aarch64.rpm UTSA-2023:20284 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: golang security update

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.(CVE-2023-39325) golang-1.15.7-36.uel20.x86_64.rpm golang-devel-1.15.7-36.uel20.noarch.rpm golang-1.15.7-36.uel20.aarch64.rpm UTSA-2023:20285 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: tomcat security update

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue. (CVE-2023-45648) tomcat-help-9.0.10-30.up1.uel20.noarch.rpm tomcat-jsvc-9.0.10-30.up1.uel20.noarch.rpm tomcat-9.0.10-30.up1.uel20.noarch.rpm tomcat-embed-9.0.10-30.up1.uel20.noarch.rpm UTSA-2023:20286 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libxml2 security update

libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."(CVE-2023-45322) python3-libxml2-2.9.10-38.uel20.x86_64.rpm libxml2-devel-2.9.10-38.uel20.x86_64.rpm libxml2-2.9.10-38.uel20.x86_64.rpm python2-libxml2-2.9.10-38.uel20.x86_64.rpm libxml2-devel-2.9.10-38.uel20.aarch64.rpm python2-libxml2-2.9.10-38.uel20.aarch64.rpm python3-libxml2-2.9.10-38.uel20.aarch64.rpm libxml2-2.9.10-38.uel20.aarch64.rpm libxml2-help-2.9.10-38.uel20.noarch.rpm UTSA-2023:20287 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: mariadb security update

A vulnerability was found in MariaDB. An OpenVAS port scan on ports 3306 and 4567 allows a malicious remote client to cause a denial of service.(CVE-2023-5157) MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of Service. It is possible for function spider_db_mbase::print_warnings to dereference a null pointer.(CVE-2022-47015) In MariaDB before 10.9.2, compress_write in extra/mariabackup/ds_compress.cc does not release data_mutex upon a stream write failure, which allows local users to trigger a deadlock.(CVE-2022-38791) The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).(CVE-2022-0778) MariaDB v10.7 was discovered to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.(CVE-2022-32091) MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort.(CVE-2022-32088) MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_args::walk_args.(CVE-2022-32087) MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_func_in::cleanup/Item::cleanup_processor.(CVE-2022-32085) MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component sub_select.(CVE-2022-32084) MariaDB v10.2 to v10.6.1 was discovered to contain a segmentation fault via the component Item_subselect::init_expr_cache_tracker.(CVE-2022-32083) With MariaDB running on Windows, when local clients connect to the server over named pipes, it's possible for an unprivileged user with an ability to run code on the server machine to intercept the named pipe connection and act as a man-in-the-middle, gaining access to all the data passed between the client and the server, and getting the ability to run SQL commands on behalf of the connected user. This occurs because of an incorrect security descriptor. This affects MariaDB Server before 10.1.48, 10.2.x before 10.2.35, 10.3.x before 10.3.26, 10.4.x before 10.4.16, and 10.5.x before 10.5.7. NOTE: this issue exists because certain details of the MariaDB CVE-2019-2503 fix did not comprehensively address attack variants against MariaDB. This situation is specific to MariaDB, and thus CVE-2020-28912 does NOT apply to other vendors that were originally affected by CVE-2019-2503.(CVE-2020-28912) Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).(CVE-2021-2144) mariadb-test-10.3.39-1.uel20.x86_64.rpm mariadb-server-10.3.39-1.uel20.x86_64.rpm mariadb-backup-10.3.39-1.uel20.x86_64.rpm mariadb-gssapi-server-10.3.39-1.uel20.x86_64.rpm mariadb-errmessage-10.3.39-1.uel20.x86_64.rpm mariadb-10.3.39-1.uel20.x86_64.rpm mariadb-cracklib-10.3.39-1.uel20.x86_64.rpm mariadb-embedded-10.3.39-1.uel20.x86_64.rpm mariadb-devel-10.3.39-1.uel20.x86_64.rpm mariadb-server-galera-10.3.39-1.uel20.x86_64.rpm mariadb-oqgraph-engine-10.3.39-1.uel20.x86_64.rpm mariadb-common-10.3.39-1.uel20.x86_64.rpm mariadb-embedded-devel-10.3.39-1.uel20.x86_64.rpm mariadb-test-10.3.39-1.uel20.aarch64.rpm mariadb-server-10.3.39-1.uel20.aarch64.rpm mariadb-devel-10.3.39-1.uel20.aarch64.rpm mariadb-embedded-10.3.39-1.uel20.aarch64.rpm mariadb-cracklib-10.3.39-1.uel20.aarch64.rpm mariadb-gssapi-server-10.3.39-1.uel20.aarch64.rpm mariadb-embedded-devel-10.3.39-1.uel20.aarch64.rpm mariadb-backup-10.3.39-1.uel20.aarch64.rpm mariadb-errmessage-10.3.39-1.uel20.aarch64.rpm mariadb-common-10.3.39-1.uel20.aarch64.rpm mariadb-oqgraph-engine-10.3.39-1.uel20.aarch64.rpm mariadb-10.3.39-1.uel20.aarch64.rpm mariadb-server-galera-10.3.39-1.uel20.aarch64.rpm UTSA-2023:20288 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: gcc security update

A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. (CVE-2023-4039) libitm-static-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libubsan-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libasan-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libobjc-7.3.0-2020033101.53.up2.uel20.x86_64.rpm gcc-objc-7.3.0-2020033101.53.up2.uel20.x86_64.rpm gcc-plugin-devel-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libquadmath-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libatomic-7.3.0-2020033101.53.up2.uel20.x86_64.rpm gcc-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libitm-devel-7.3.0-2020033101.53.up2.uel20.x86_64.rpm gcc-objc++-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libatomic-static-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libgomp-7.3.0-2020033101.53.up2.uel20.x86_64.rpm gcc-c++-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libstdc++-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libubsan-static-7.3.0-2020033101.53.up2.uel20.x86_64.rpm liblsan-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libstdc++-devel-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libitm-7.3.0-2020033101.53.up2.uel20.x86_64.rpm cpp-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libquadmath-static-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libasan-static-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libtsan-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libgfortran-static-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libquadmath-devel-7.3.0-2020033101.53.up2.uel20.x86_64.rpm gcc-gfortran-7.3.0-2020033101.53.up2.uel20.x86_64.rpm liblsan-static-7.3.0-2020033101.53.up2.uel20.x86_64.rpm gcc-gdb-plugin-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libstdc++-static-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libtsan-static-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libgfortran-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libgcc-7.3.0-2020033101.53.up2.uel20.x86_64.rpm libtsan-static-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libgomp-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libitm-devel-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libgfortran-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libitm-static-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libstdc++-devel-7.3.0-2020033101.53.up2.uel20.aarch64.rpm liblsan-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libasan-static-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libasan-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libatomic-7.3.0-2020033101.53.up2.uel20.aarch64.rpm gcc-gdb-plugin-7.3.0-2020033101.53.up2.uel20.aarch64.rpm gcc-gfortran-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libitm-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libatomic-static-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libstdc++-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libubsan-static-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libstdc++-static-7.3.0-2020033101.53.up2.uel20.aarch64.rpm liblsan-static-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libtsan-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libubsan-7.3.0-2020033101.53.up2.uel20.aarch64.rpm gcc-c++-7.3.0-2020033101.53.up2.uel20.aarch64.rpm gcc-plugin-devel-7.3.0-2020033101.53.up2.uel20.aarch64.rpm gcc-objc++-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libgcc-7.3.0-2020033101.53.up2.uel20.aarch64.rpm gcc-7.3.0-2020033101.53.up2.uel20.aarch64.rpm cpp-7.3.0-2020033101.53.up2.uel20.aarch64.rpm gcc-objc-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libobjc-7.3.0-2020033101.53.up2.uel20.aarch64.rpm libgfortran-static-7.3.0-2020033101.53.up2.uel20.aarch64.rpm UTSA-2023:20289 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: avahi security update

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function.(CVE-2023-38473) A vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function.(CVE-2023-38472) A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function.(CVE-2023-38471) A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record.(CVE-2023-38469) avahi-compat-libdns_sd-devel-0.8-11.uel20.x86_64.rpm avahi-qt5-0.8-11.uel20.x86_64.rpm avahi-glib-0.8-11.uel20.x86_64.rpm avahi-ui-devel-0.8-11.uel20.x86_64.rpm avahi-compat-howl-devel-0.8-11.uel20.x86_64.rpm avahi-ui-gtk3-0.8-11.uel20.x86_64.rpm avahi-compat-libdns_sd-0.8-11.uel20.x86_64.rpm avahi-autoipd-0.8-11.uel20.x86_64.rpm avahi-devel-0.8-11.uel20.x86_64.rpm avahi-libs-0.8-11.uel20.x86_64.rpm avahi-compat-howl-0.8-11.uel20.x86_64.rpm avahi-qt5-devel-0.8-11.uel20.x86_64.rpm avahi-gobject-0.8-11.uel20.x86_64.rpm avahi-glib-devel-0.8-11.uel20.x86_64.rpm avahi-tools-0.8-11.uel20.x86_64.rpm avahi-gobject-devel-0.8-11.uel20.x86_64.rpm avahi-ui-0.8-11.uel20.x86_64.rpm avahi-dnsconfd-0.8-11.uel20.x86_64.rpm avahi-0.8-11.uel20.x86_64.rpm avahi-devel-0.8-11.uel20.aarch64.rpm avahi-gobject-devel-0.8-11.uel20.aarch64.rpm avahi-glib-0.8-11.uel20.aarch64.rpm avahi-glib-devel-0.8-11.uel20.aarch64.rpm avahi-qt5-0.8-11.uel20.aarch64.rpm avahi-libs-0.8-11.uel20.aarch64.rpm avahi-help-0.8-11.uel20.noarch.rpm avahi-gobject-0.8-11.uel20.aarch64.rpm avahi-ui-gtk3-0.8-11.uel20.aarch64.rpm avahi-ui-0.8-11.uel20.aarch64.rpm avahi-dnsconfd-0.8-11.uel20.aarch64.rpm avahi-compat-libdns_sd-devel-0.8-11.uel20.aarch64.rpm avahi-compat-howl-0.8-11.uel20.aarch64.rpm avahi-compat-libdns_sd-0.8-11.uel20.aarch64.rpm avahi-0.8-11.uel20.aarch64.rpm avahi-autoipd-0.8-11.uel20.aarch64.rpm avahi-tools-0.8-11.uel20.aarch64.rpm avahi-compat-howl-devel-0.8-11.uel20.aarch64.rpm avahi-ui-devel-0.8-11.uel20.aarch64.rpm avahi-qt5-devel-0.8-11.uel20.aarch64.rpm UTSA-2023:20290 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libtiff security update

An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to TIFFOpen() API may allow a remote attacker to cause a denial of service via a craft input with size smaller than 379 KB.(CVE-2023-6277) libtiff-4.3.0-21.uel20.x86_64.rpm libtiff-devel-4.3.0-21.uel20.x86_64.rpm libtiff-4.3.0-21.uel20.aarch64.rpm libtiff-help-4.3.0-21.uel20.noarch.rpm libtiff-devel-4.3.0-21.uel20.aarch64.rpm UTSA-2023:20291 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: libtiff security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-6228) libtiff-devel-4.3.0-20.uel20.x86_64.rpm libtiff-4.3.0-20.uel20.x86_64.rpm libtiff-help-4.3.0-20.uel20.noarch.rpm libtiff-devel-4.3.0-20.uel20.aarch64.rpm libtiff-4.3.0-20.uel20.aarch64.rpm UTSA-2023:20292 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: wireshark security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-6175) wireshark-3.6.14-5.uel20.x86_64.rpm wireshark-devel-3.6.14-5.uel20.x86_64.rpm wireshark-help-3.6.14-5.uel20.x86_64.rpm wireshark-devel-3.6.14-5.uel20.aarch64.rpm wireshark-3.6.14-5.uel20.aarch64.rpm wireshark-help-3.6.14-5.uel20.aarch64.rpm UTSA-2023:20293 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: gnutls security update

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.(CVE-2023-5981) gnutls-help-3.6.16-6.uel20.5.x86_64.rpm gnutls-devel-3.6.16-6.uel20.5.x86_64.rpm gnutls-3.6.16-6.uel20.5.x86_64.rpm gnutls-devel-3.6.16-6.uel20.5.aarch64.rpm gnutls-help-3.6.16-6.uel20.5.aarch64.rpm gnutls-3.6.16-6.uel20.5.aarch64.rpm UTSA-2023:20294 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: microcode_ctl security update

Sequence of processor instructions leads to unexpected behavior for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege and/or information disclosure and/or denial of service via local access.(CVE-2023-23583) microcode_ctl-20220809-220231114.2.0.1.uel20.01.x86_64.rpm UTSA-2023:20295 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: squid security update

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1. Responses triggering this bug are possible to be received from any gopher server, even those without malicious intent. Gopher support has been removed in Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should reject all gopher URL requests.(CVE-2023-46728) squid-4.9-16.uel20.x86_64.rpm squid-4.9-16.uel20.aarch64.rpm UTSA-2023:20296 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: opensc security update

Several memory vulnerabilities were identified within the OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls cards. To take advantage of these flaws, an attacker must have physical access to the computer system and employ a custom-crafted USB device or smart card to manipulate responses to APDUs. This manipulation can potentially allow compromise key generation, certificate loading, and other card management operations during enrollment.(CVE-2023-40661) A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness.(CVE-2023-40660) opensc-0.20.0-13.uel20.x86_64.rpm opensc-help-0.20.0-13.uel20.noarch.rpm opensc-0.20.0-13.uel20.aarch64.rpm UTSA-2023:20297 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: sqlite-jdbc security update

SQLite JDBC is a library for accessing and creating SQLite database files in Java. Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL. This issue impacting versions 3.6.14.1 through 3.41.2.1 and has been fixed in version 3.41.2.2. (CVE-2023-32697) sqlite-jdbc-3.15.1-2.uel20.x86_64.rpm sqlite-jdbc-javadoc-3.15.1-2.uel20.noarch.rpm sqlite-jdbc-3.15.1-2.uel20.aarch64.rpm UTSA-2023:20298 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-pillow security update

An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument.(CVE-2023-44271) python3-pillow-tk-9.0.1-3.up1.uel20.x86_64.rpm python3-pillow-devel-9.0.1-3.up1.uel20.x86_64.rpm python3-pillow-qt-9.0.1-3.up1.uel20.x86_64.rpm python3-pillow-9.0.1-3.up1.uel20.x86_64.rpm python3-pillow-9.0.1-3.up1.uel20.aarch64.rpm python3-pillow-qt-9.0.1-3.up1.uel20.aarch64.rpm python3-pillow-devel-9.0.1-3.up1.uel20.aarch64.rpm python3-pillow-help-9.0.1-3.up1.uel20.noarch.rpm python3-pillow-tk-9.0.1-3.up1.uel20.aarch64.rpm UTSA-2023:20299 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: squid security update

Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.(CVE-2023-46724) squid-4.9-15.uel20.x86_64.rpm squid-4.9-15.uel20.aarch64.rpm UTSA-2023:20300 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: qt5-qtbase security update

An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.(CVE-2023-33285) qt5-qtbase-devel-5.11.1-18.up7.uel20.x86_64.rpm qt5-qtbase-mysql-5.11.1-18.up7.uel20.x86_64.rpm qt5-qtbase-gui-5.11.1-18.up7.uel20.x86_64.rpm qt5-qtbase-postgresql-5.11.1-18.up7.uel20.x86_64.rpm qt5-qtbase-5.11.1-18.up7.uel20.x86_64.rpm qt5-qtbase-odbc-5.11.1-18.up7.uel20.x86_64.rpm qt5-qtbase-devel-5.11.1-18.up7.uel20.aarch64.rpm qt5-qtbase-5.11.1-18.up7.uel20.aarch64.rpm qt5-qtbase-gui-5.11.1-18.up7.uel20.aarch64.rpm qt5-qtbase-common-5.11.1-18.up7.uel20.noarch.rpm qt5-qtbase-odbc-5.11.1-18.up7.uel20.aarch64.rpm qt5-qtbase-postgresql-5.11.1-18.up7.uel20.aarch64.rpm qt5-qtbase-mysql-5.11.1-18.up7.uel20.aarch64.rpm UTSA-2023:20301 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: vim security update

Vim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function `ga_grow_inner` in in the file `src/alloc.c` at line 748, which is freed in the file `src/ex_docmd.c` in the function `do_cmdline` at line 1010 and then used again in `src/cmdhist.c` at line 759. When using the `:history` command, it's possible that the provided argument overflows the accepted value. Causing an Integer Overflow and potentially later an use-after-free. This vulnerability has been patched in version 9.0.2068. (CVE-2023-46246) vim-common-9.0-18.uel20.01.x86_64.rpm vim-X11-9.0-18.uel20.01.x86_64.rpm vim-enhanced-9.0-18.uel20.01.x86_64.rpm vim-minimal-9.0-18.uel20.01.x86_64.rpm vim-filesystem-9.0-18.uel20.01.noarch.rpm vim-enhanced-9.0-18.uel20.01.aarch64.rpm vim-common-9.0-18.uel20.01.aarch64.rpm vim-minimal-9.0-18.uel20.01.aarch64.rpm vim-X11-9.0-18.uel20.01.aarch64.rpm UTSA-2023:20302 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: xorg-x11-server security update

A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed followed by another window being destroyed.(CVE-2023-5380) A out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service.(CVE-2023-5367) xorg-x11-server-1.20.8-22.up5.uel20.x86_64.rpm xorg-x11-server-devel-1.20.8-22.up5.uel20.x86_64.rpm xorg-x11-server-Xephyr-1.20.8-22.up5.uel20.x86_64.rpm xorg-x11-server-1.20.8-22.up5.uel20.aarch64.rpm xorg-x11-server-devel-1.20.8-22.up5.uel20.aarch64.rpm xorg-x11-server-help-1.20.8-22.up5.uel20.noarch.rpm xorg-x11-server-Xephyr-1.20.8-22.up5.uel20.aarch64.rpm UTSA-2023:20303 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python-urllib3 security update

urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body. (CVE-2023-45803) python2-urllib3-1.25.9-10.uel20.noarch.rpm python3-urllib3-1.25.9-10.uel20.noarch.rpm UTSA-2023:20304 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: poppler security update

An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial of service (DoS) via crafted .pdf file to FoFiType1C::cvtGlyph function.(CVE-2020-36023) poppler-cpp-devel-0.90.0-6.uel20.x86_64.rpm poppler-cpp-0.90.0-6.uel20.x86_64.rpm poppler-qt5-devel-0.90.0-6.uel20.x86_64.rpm poppler-devel-0.90.0-6.uel20.x86_64.rpm poppler-utils-0.90.0-6.uel20.x86_64.rpm poppler-qt5-0.90.0-6.uel20.x86_64.rpm poppler-glib-0.90.0-6.uel20.x86_64.rpm poppler-0.90.0-6.uel20.x86_64.rpm poppler-glib-devel-0.90.0-6.uel20.x86_64.rpm poppler-utils-0.90.0-6.uel20.aarch64.rpm poppler-help-0.90.0-6.uel20.noarch.rpm poppler-qt5-0.90.0-6.uel20.aarch64.rpm poppler-cpp-devel-0.90.0-6.uel20.aarch64.rpm poppler-cpp-0.90.0-6.uel20.aarch64.rpm poppler-glib-devel-0.90.0-6.uel20.aarch64.rpm poppler-0.90.0-6.uel20.aarch64.rpm poppler-devel-0.90.0-6.uel20.aarch64.rpm poppler-glib-0.90.0-6.uel20.aarch64.rpm poppler-qt5-devel-0.90.0-6.uel20.aarch64.rpm poppler-glib-doc-0.90.0-6.uel20.noarch.rpm UTSA-2023:20305 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: gdb security update

GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap buffer overflow via the function pe_as16() at /gdb/coff-pe-read.c.(CVE-2023-39130) GNU gdb (GDB) 13.0.50.20220805-git was discovered to contain a heap use after free via the function add_pe_exported_sym() at /gdb/coff-pe-read.c.(CVE-2023-39129) gdb-headless-9.2-7.uel20.01.x86_64.rpm gdb-9.2-7.uel20.01.x86_64.rpm gdb-gdbserver-9.2-7.uel20.01.x86_64.rpm gdb-headless-9.2-7.uel20.01.aarch64.rpm gdb-gdbserver-9.2-7.uel20.01.aarch64.rpm gdb-9.2-7.uel20.01.aarch64.rpm gdb-help-9.2-7.uel20.01.noarch.rpm UTSA-2023:20306 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: skopeo security update

Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.(CVE-2023-24537) HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.(CVE-2023-24534) skopeo-1.1.0-9.uel20.x86_64.rpm containers-common-1.1.0-9.uel20.x86_64.rpm skopeo-1.1.0-9.uel20.aarch64.rpm containers-common-1.1.0-9.uel20.aarch64.rpm UTSA-2023:20307 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: apache-commons-net security update

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.(CVE-2021-37533) apache-commons-net-help-3.6-7.uel20.noarch.rpm apache-commons-net-3.6-7.uel20.noarch.rpm UTSA-2023:20308 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: shadow security update

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees(CVE-2013-4235) shadow-4.8.1-9.uel20.x86_64.rpm shadow-4.8.1-9.uel20.aarch64.rpm shadow-help-4.8.1-9.uel20.noarch.rpm UTSA-2023:20309 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: bluez security update

Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.(CVE-2023-45866) bluez-5.54-13.uel20.x86_64.rpm bluez-libs-5.54-13.uel20.x86_64.rpm bluez-devel-5.54-13.uel20.x86_64.rpm bluez-cups-5.54-13.uel20.x86_64.rpm bluez-5.54-13.uel20.aarch64.rpm bluez-help-5.54-13.uel20.noarch.rpm bluez-libs-5.54-13.uel20.aarch64.rpm bluez-devel-5.54-13.uel20.aarch64.rpm bluez-cups-5.54-13.uel20.aarch64.rpm UTSA-2023:20310 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: golang security update

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).(CVE-2023-45285) A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.(CVE-2023-39326) golang-1.15.7-37.uel20.x86_64.rpm golang-1.15.7-37.uel20.aarch64.rpm golang-devel-1.15.7-37.uel20.noarch.rpm UTSA-2023:20311 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: strongswan security update

strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value that exceeds the internal buffer in charon-tkm's DH proxy. The earliest affected version is 5.3.0. An attack can occur via a crafted IKE_SA_INIT message.(CVE-2023-41913) strongswan-5.7.2-11.uel20.x86_64.rpm strongswan-help-5.7.2-11.uel20.noarch.rpm strongswan-5.7.2-11.uel20.aarch64.rpm UTSA-2023:20312 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: dde-control-center security update

fix cve/bug or enhancement dde-control-center-5.5.182-10.uel20.01.aarch64.rpm dde-control-center-devel-5.5.182-10.uel20.01.aarch64.rpm dde-control-center-devel-5.5.182-10.uel20.01.x86_64.rpm dde-control-center-5.5.182-10.uel20.01.x86_64.rpm UTSA-2023:20313 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: curl security update

When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use. (CVE-2023-46219) This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain. (CVE-2023-46218) libcurl-7.71.1-32.up3.uel20.03.x86_64.rpm libcurl-devel-7.71.1-32.up3.uel20.03.x86_64.rpm curl-7.71.1-32.up3.uel20.03.x86_64.rpm curl-help-7.71.1-32.up3.uel20.03.noarch.rpm libcurl-7.71.1-32.up3.uel20.03.aarch64.rpm curl-7.71.1-32.up3.uel20.03.aarch64.rpm libcurl-devel-7.71.1-32.up3.uel20.03.aarch64.rpm UTSA-2023:20314 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: squid security update

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Incorrect Check of Function Return Value bug Squid is vulnerable to a Denial of Service attack against its Helper process management. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-49286) Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-49285) squid-4.9-17.uel20.x86_64.rpm squid-4.9-17.uel20.aarch64.rpm UTSA-2023:20315 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: activemq security update

Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.  In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest. Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest is able to invoke through refection. And then, RCE is able to be achieved via jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11. 1 Call newRecording. 2 Call setConfiguration. And a webshell data hides in it. 3 Call startRecording. 4 Call copyTo method. The webshell will be written to a .jsp file. The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia. A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0. (CVE-2022-41678) activemq-5.16.7-1.uel20.x86_64.rpm activemq-5.16.7-1.uel20.aarch64.rpm UTSA-2023:20316 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: logback security update

A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. (CVE-2023-6481) A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. (CVE-2023-6378) logback-help-1.2.8-3.uel20.noarch.rpm logback-1.2.8-3.uel20.noarch.rpm logback-examples-1.2.8-3.uel20.noarch.rpm logback-access-1.2.8-3.uel20.noarch.rpm UTSA-2023:20317 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: haproxy security update

HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.(CVE-2023-45539) An information leak vulnerability was discovered in HAProxy 2.1, 2.2 before 2.2.27, 2.3, 2.4 before 2.4.21, 2.5 before 2.5.11, 2.6 before 2.6.8, 2.7 before 2.7.1. There are 5 bytes left uninitialized in the connection buffer when encoding the FCGI_BEGIN_REQUEST record. Sensitive data may be disclosed to configured FastCGI backends in an unexpected way.(CVE-2023-0836) haproxy-2.2.16-7.uel20.x86_64.rpm haproxy-2.2.16-7.uel20.aarch64.rpm haproxy-help-2.2.16-7.uel20.noarch.rpm UTSA-2023:20318 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: vim security update

Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.(CVE-2023-48706) Vim is an open source command line text editor. In affected versions when shifting lines in operator pending mode and using a very large value, it may be possible to overflow the size of integer. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `6bf131888` which has been included in version 9.0.2112. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48237) Vim is an open source command line text editor. When using the z= command, the user may overflow the count with values larger than MAX_INT. Impact is low, user interaction is required and a crash may not even happen in all situations. This vulnerability has been addressed in commit `73b2d379` which has been included in release version 9.0.2111. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48236) Vim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an overflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `060623e` which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48235) Vim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `58f9befca1` which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48234) Vim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `ac6378773` which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48233) Vim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit `25aabc2b` which has been included in release version 9.0.2106. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2023-48231) vim-common-9.0-19.uel20.01.x86_64.rpm vim-X11-9.0-19.uel20.01.x86_64.rpm vim-enhanced-9.0-19.uel20.01.x86_64.rpm vim-minimal-9.0-19.uel20.01.x86_64.rpm vim-common-9.0-19.uel20.01.aarch64.rpm vim-enhanced-9.0-19.uel20.01.aarch64.rpm vim-minimal-9.0-19.uel20.01.aarch64.rpm vim-X11-9.0-19.uel20.01.aarch64.rpm vim-filesystem-9.0-19.uel20.01.noarch.rpm UTSA-2023:20319 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: gimp security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-44444) ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-44442) gimp-2.10.6-10.uel20.x86_64.rpm gimp-devel-2.10.6-10.uel20.x86_64.rpm gimp-help-2.10.6-10.uel20.x86_64.rpm gimp-libs-2.10.6-10.uel20.x86_64.rpm gimp-libs-2.10.6-10.uel20.aarch64.rpm gimp-help-2.10.6-10.uel20.aarch64.rpm gimp-2.10.6-10.uel20.aarch64.rpm gimp-devel-2.10.6-10.uel20.aarch64.rpm UTSA-2023:20320 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-django security update

An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.(CVE-2023-46695) python3-Django-2.2.27-9.uel20.noarch.rpm python-django-help-2.2.27-9.uel20.noarch.rpm UTSA-2023:20321 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: optipng security update

OptiPNG v0.7.7 was discovered to contain a global buffer overflow via the 'buffer' variable at gifread.c.(CVE-2023-43907) optipng-0.7.8-1.uel20.x86_64.rpm optipng-0.7.8-1.uel20.aarch64.rpm UTSA-2023:20322 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: ceph security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-43040) python3-cephfs-12.2.8-23.up2.uel20.x86_64.rpm ceph-test-12.2.8-23.up2.uel20.x86_64.rpm rados-objclass-devel-12.2.8-23.up2.uel20.x86_64.rpm python3-rados-12.2.8-23.up2.uel20.x86_64.rpm libcephfs2-12.2.8-23.up2.uel20.x86_64.rpm python3-rbd-12.2.8-23.up2.uel20.x86_64.rpm rbd-nbd-12.2.8-23.up2.uel20.x86_64.rpm ceph-mgr-12.2.8-23.up2.uel20.x86_64.rpm ceph-fuse-12.2.8-23.up2.uel20.x86_64.rpm ceph-mds-12.2.8-23.up2.uel20.x86_64.rpm rbd-mirror-12.2.8-23.up2.uel20.x86_64.rpm librados2-12.2.8-23.up2.uel20.x86_64.rpm librgw-devel-12.2.8-23.up2.uel20.x86_64.rpm libradosstriper-devel-12.2.8-23.up2.uel20.x86_64.rpm rbd-fuse-12.2.8-23.up2.uel20.x86_64.rpm librados-devel-12.2.8-23.up2.uel20.x86_64.rpm ceph-resource-agents-12.2.8-23.up2.uel20.x86_64.rpm libradosstriper1-12.2.8-23.up2.uel20.x86_64.rpm python-cephfs-12.2.8-23.up2.uel20.x86_64.rpm python3-rgw-12.2.8-23.up2.uel20.x86_64.rpm ceph-mon-12.2.8-23.up2.uel20.x86_64.rpm ceph-base-12.2.8-23.up2.uel20.x86_64.rpm librbd-devel-12.2.8-23.up2.uel20.x86_64.rpm librgw2-12.2.8-23.up2.uel20.x86_64.rpm python3-ceph-argparse-12.2.8-23.up2.uel20.x86_64.rpm ceph-selinux-12.2.8-23.up2.uel20.x86_64.rpm python-rados-12.2.8-23.up2.uel20.x86_64.rpm python-ceph-compat-12.2.8-23.up2.uel20.x86_64.rpm ceph-12.2.8-23.up2.uel20.x86_64.rpm ceph-radosgw-12.2.8-23.up2.uel20.x86_64.rpm ceph-osd-12.2.8-23.up2.uel20.x86_64.rpm python-rgw-12.2.8-23.up2.uel20.x86_64.rpm libcephfs-devel-12.2.8-23.up2.uel20.x86_64.rpm python-rbd-12.2.8-23.up2.uel20.x86_64.rpm librbd1-12.2.8-23.up2.uel20.x86_64.rpm ceph-common-12.2.8-23.up2.uel20.x86_64.rpm ceph-test-12.2.8-23.up2.uel20.aarch64.rpm ceph-radosgw-12.2.8-23.up2.uel20.aarch64.rpm librados2-12.2.8-23.up2.uel20.aarch64.rpm ceph-base-12.2.8-23.up2.uel20.aarch64.rpm rbd-fuse-12.2.8-23.up2.uel20.aarch64.rpm python3-rados-12.2.8-23.up2.uel20.aarch64.rpm ceph-common-12.2.8-23.up2.uel20.aarch64.rpm libradosstriper-devel-12.2.8-23.up2.uel20.aarch64.rpm libcephfs2-12.2.8-23.up2.uel20.aarch64.rpm python-ceph-compat-12.2.8-23.up2.uel20.aarch64.rpm libcephfs-devel-12.2.8-23.up2.uel20.aarch64.rpm librgw2-12.2.8-23.up2.uel20.aarch64.rpm python3-rbd-12.2.8-23.up2.uel20.aarch64.rpm librbd-devel-12.2.8-23.up2.uel20.aarch64.rpm librgw-devel-12.2.8-23.up2.uel20.aarch64.rpm libradosstriper1-12.2.8-23.up2.uel20.aarch64.rpm rados-objclass-devel-12.2.8-23.up2.uel20.aarch64.rpm ceph-12.2.8-23.up2.uel20.aarch64.rpm ceph-mds-12.2.8-23.up2.uel20.aarch64.rpm python3-cephfs-12.2.8-23.up2.uel20.aarch64.rpm ceph-fuse-12.2.8-23.up2.uel20.aarch64.rpm python-rbd-12.2.8-23.up2.uel20.aarch64.rpm python3-ceph-argparse-12.2.8-23.up2.uel20.aarch64.rpm ceph-selinux-12.2.8-23.up2.uel20.aarch64.rpm rbd-nbd-12.2.8-23.up2.uel20.aarch64.rpm librados-devel-12.2.8-23.up2.uel20.aarch64.rpm python-rados-12.2.8-23.up2.uel20.aarch64.rpm python-cephfs-12.2.8-23.up2.uel20.aarch64.rpm ceph-mon-12.2.8-23.up2.uel20.aarch64.rpm ceph-osd-12.2.8-23.up2.uel20.aarch64.rpm rbd-mirror-12.2.8-23.up2.uel20.aarch64.rpm python-rgw-12.2.8-23.up2.uel20.aarch64.rpm librbd1-12.2.8-23.up2.uel20.aarch64.rpm python3-rgw-12.2.8-23.up2.uel20.aarch64.rpm ceph-resource-agents-12.2.8-23.up2.uel20.aarch64.rpm ceph-mgr-12.2.8-23.up2.uel20.aarch64.rpm UTSA-2023:20323 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: qt security update

An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont{FromData], then it can cause the application to crash because of missing length checks.(CVE-2023-43114) In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.(CVE-2023-37369) An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.(CVE-2023-38197) An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.(CVE-2023-34410) qt-4.8.7-55.uel20.x86_64.rpm qt-devel-4.8.7-55.uel20.x86_64.rpm qt-4.8.7-55.uel20.aarch64.rpm qt-devel-4.8.7-55.uel20.aarch64.rpm UTSA-2023:20324 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: freeimage security update

Buffer Overflow vulnerability in function LoadRGB in PluginDDS.cpp in FreeImage 3.18.0 allows remote attackers to run arbitrary code and cause other impacts via crafted image file.(CVE-2020-21428) Buffer Overflow vulnerability in function LoadPixelDataRLE8 in PluginBMP.cpp in FreeImage 3.18.0 allows remote attackers to run arbitrary code and cause other impacts via crafted image file.(CVE-2020-21427) freeimage-devel-3.18.0-5.up2.uel20.x86_64.rpm freeimage-3.18.0-5.up2.uel20.x86_64.rpm freeimage-devel-3.18.0-5.up2.uel20.aarch64.rpm freeimage-3.18.0-5.up2.uel20.aarch64.rpm UTSA-2023:20325 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: sox security update

A heap buffer overflow vulnerability was found in sox, in the lsx_readbuf function at sox/src/formats_i.c:98:16. This flaw can lead to a denial of service, code execution, or information disclosure.(CVE-2023-34432) A floating point exception vulnerability was found in sox, in the read_samples function at sox/src/voc.c:334:18. This flaw can lead to a denial of service.(CVE-2023-32627) A floating point exception vulnerability was found in sox, in the lsx_aiffstartwrite function at sox/src/aiff.c:622:58. This flaw can lead to a denial of service.(CVE-2023-26590) A heap buffer overflow vulnerability was found in sox, in the startread function at sox/src/hcom.c:160:41. This flaw can lead to a denial of service, code execution, or information disclosure.(CVE-2023-34318) A floating point exception (divide-by-zero) issue was discovered in SoX in functon startread() of wav.c file. An attacker with a crafted wav file, could cause an application to crash.(CVE-2021-33844) A vulnerability was found in SoX, where a heap-buffer-overflow occurs in function lsx_read_w_buf() in formats_i.c file. The vulnerability is exploitable with a crafted file, that could cause an application to crash.(CVE-2021-23159) A floating point exception (divide-by-zero) issue was discovered in SoX in functon read_samples() of voc.c file. An attacker with a crafted file, could cause an application to crash.(CVE-2021-23210) A vulnerability was found in SoX, where a heap-buffer-overflow occurs in function startread() in hcom.c file. The vulnerability is exploitable with a crafted hcomn file, that could cause an application to crash.(CVE-2021-23172) sox-14.4.2.0-29.uel20.x86_64.rpm sox-devel-14.4.2.0-29.uel20.x86_64.rpm sox-14.4.2.0-29.uel20.aarch64.rpm sox-devel-14.4.2.0-29.uel20.aarch64.rpm sox-help-14.4.2.0-29.uel20.noarch.rpm UTSA-2023:20326 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: nodejs-tough-cookie security update

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.(CVE-2023-26136) nodejs-tough-cookie-2.3.2-3.uel20.noarch.rpm UTSA-2023:20327 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: qemu security update

A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.(CVE-2023-1544) qemu-block-curl-4.1.0-81.up5.uel20.x86_64.rpm qemu-img-4.1.0-81.up5.uel20.x86_64.rpm qemu-4.1.0-81.up5.uel20.x86_64.rpm qemu-block-rbd-4.1.0-81.up5.uel20.x86_64.rpm qemu-block-ssh-4.1.0-81.up5.uel20.x86_64.rpm qemu-seabios-4.1.0-81.up5.uel20.x86_64.rpm qemu-guest-agent-4.1.0-81.up5.uel20.x86_64.rpm qemu-block-iscsi-4.1.0-81.up5.uel20.x86_64.rpm qemu-4.1.0-81.up5.uel20.aarch64.rpm qemu-guest-agent-4.1.0-81.up5.uel20.aarch64.rpm qemu-block-curl-4.1.0-81.up5.uel20.aarch64.rpm qemu-block-ssh-4.1.0-81.up5.uel20.aarch64.rpm qemu-block-rbd-4.1.0-81.up5.uel20.aarch64.rpm qemu-help-4.1.0-81.up5.uel20.noarch.rpm qemu-img-4.1.0-81.up5.uel20.aarch64.rpm qemu-block-iscsi-4.1.0-81.up5.uel20.aarch64.rpm UTSA-2023:20328 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: xstream security update

XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.(CVE-2022-41966) Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.(CVE-2022-40151) xstream-parent-1.4.20-1.uel20.noarch.rpm xstream-benchmark-1.4.20-1.uel20.noarch.rpm xstream-hibernate-1.4.20-1.uel20.noarch.rpm xstream-1.4.20-1.uel20.noarch.rpm xstream-javadoc-1.4.20-1.uel20.noarch.rpm UTSA-2023:20329 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-pillow security update

Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).(CVE-2022-45198) python3-pillow-9.0.1-5.uel20.x86_64.rpm python3-pillow-tk-9.0.1-5.uel20.x86_64.rpm python3-pillow-qt-9.0.1-5.uel20.x86_64.rpm python3-pillow-devel-9.0.1-5.uel20.x86_64.rpm python3-pillow-9.0.1-5.uel20.aarch64.rpm python3-pillow-qt-9.0.1-5.uel20.aarch64.rpm python3-pillow-devel-9.0.1-5.uel20.aarch64.rpm python3-pillow-help-9.0.1-5.uel20.noarch.rpm python3-pillow-tk-9.0.1-5.uel20.aarch64.rpm UTSA-2023:20330 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: hsqldb security update

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.(CVE-2022-41853) hsqldb-demo-2.4.0-4.uel20.noarch.rpm hsqldb-lib-2.4.0-4.uel20.noarch.rpm hsqldb-javadoc-2.4.0-4.uel20.noarch.rpm hsqldb-manual-2.4.0-4.uel20.noarch.rpm hsqldb-2.4.0-4.uel20.noarch.rpm UTSA-2023:20331 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: liblouis security update

Liblouis through 3.21.0 has a buffer overflow in compilePassOpcode in compileTranslationTable.c (called, indirectly, by tools/lou_checktable.c).(CVE-2022-26981) liblouis-3.7.0-5.uel20.x86_64.rpm liblouis-devel-3.7.0-5.uel20.x86_64.rpm liblouis-utils-3.7.0-5.uel20.x86_64.rpm liblouis-3.7.0-5.uel20.aarch64.rpm liblouis-help-3.7.0-5.uel20.noarch.rpm python3-louis-3.7.0-5.uel20.noarch.rpm liblouis-devel-3.7.0-5.uel20.aarch64.rpm python2-louis-3.7.0-5.uel20.noarch.rpm liblouis-utils-3.7.0-5.uel20.aarch64.rpm UTSA-2023:20332 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: SDL security update

SDL (Simple DirectMedia Layer) through 2.0.12 has an Integer Overflow (and resultant SDL_memcpy heap corruption) in SDL_BlitCopy in video/SDL_blit_copy.c via a crafted .BMP file.(CVE-2020-14409) SDL-devel-1.2.15-39.uel20.x86_64.rpm SDL-1.2.15-39.uel20.x86_64.rpm SDL-help-1.2.15-39.uel20.x86_64.rpm SDL-devel-1.2.15-39.uel20.aarch64.rpm SDL-help-1.2.15-39.uel20.aarch64.rpm SDL-1.2.15-39.uel20.aarch64.rpm UTSA-2023:20333 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: arm-trusted-firmware security update

Trusted Firmware-A through 2.8 has an out-of-bounds read in the X.509 parser for parsing boot certificates. This affects downstream use of get_ext and auth_nvctr. Attackers might be able to trigger dangerous read side effects or obtain sensitive information about microarchitectural state.(CVE-2022-47630) arm-trusted-firmware-armv8-1.6-3.uel20.aarch64.rpm UTSA-2024:20001 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: libssh security update

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795) A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. The return values from these were not properly checked, which could cause low-memory situations failures, NULL dereferences, crashes, or usage of the uninitialized memory as an input for the KDF. In this case, non-matching keys will result in decryption/integrity failures, terminating the connection.(CVE-2023-6918) A flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter.(CVE-2023-6004) libssh-devel-0.9.6-8.uel20.x86_64.rpm libssh-0.9.6-8.uel20.x86_64.rpm libssh-devel-0.9.6-8.uel20.aarch64.rpm libssh-0.9.6-8.uel20.aarch64.rpm libssh-help-0.9.6-8.uel20.noarch.rpm UTSA-2024:20002 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: systemd security update

A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.(CVE-2023-7008) systemd-243-62.up9.uel20.03.x86_64.rpm systemd-libs-243-62.up9.uel20.03.x86_64.rpm systemd-journal-remote-243-62.up9.uel20.03.x86_64.rpm systemd-devel-243-62.up9.uel20.03.x86_64.rpm systemd-udev-243-62.up9.uel20.03.x86_64.rpm systemd-container-243-62.up9.uel20.03.x86_64.rpm systemd-udev-compat-243-62.up9.uel20.03.x86_64.rpm systemd-udev-243-62.up9.uel20.03.aarch64.rpm systemd-container-243-62.up9.uel20.03.aarch64.rpm systemd-devel-243-62.up9.uel20.03.aarch64.rpm systemd-libs-243-62.up9.uel20.03.aarch64.rpm systemd-journal-remote-243-62.up9.uel20.03.aarch64.rpm systemd-help-243-62.up9.uel20.03.noarch.rpm systemd-243-62.up9.uel20.03.aarch64.rpm systemd-udev-compat-243-62.up9.uel20.03.aarch64.rpm UTSA-2024:20003 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: bluez security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-50230) ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-50229) bluez-5.54-14.uel20.x86_64.rpm bluez-libs-5.54-14.uel20.x86_64.rpm bluez-cups-5.54-14.uel20.x86_64.rpm bluez-devel-5.54-14.uel20.x86_64.rpm bluez-libs-5.54-14.uel20.aarch64.rpm bluez-5.54-14.uel20.aarch64.rpm bluez-cups-5.54-14.uel20.aarch64.rpm bluez-help-5.54-14.uel20.noarch.rpm bluez-devel-5.54-14.uel20.aarch64.rpm UTSA-2024:20004 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: openssh security update

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.(CVE-2023-51385) openssh-askpass-8.2p1-22.up1.uel20.05.x86_64.rpm openssh-8.2p1-22.up1.uel20.05.x86_64.rpm pam_ssh_agent_auth-0.10.3-9.22.05.uel20.x86_64.rpm openssh-cavs-8.2p1-22.up1.uel20.05.x86_64.rpm openssh-clients-8.2p1-22.up1.uel20.05.x86_64.rpm openssh-keycat-8.2p1-22.up1.uel20.05.x86_64.rpm openssh-server-8.2p1-22.up1.uel20.05.x86_64.rpm openssh-ldap-8.2p1-22.up1.uel20.05.x86_64.rpm openssh-8.2p1-22.up1.uel20.05.aarch64.rpm openssh-clients-8.2p1-22.up1.uel20.05.aarch64.rpm openssh-ldap-8.2p1-22.up1.uel20.05.aarch64.rpm openssh-keycat-8.2p1-22.up1.uel20.05.aarch64.rpm openssh-help-8.2p1-22.up1.uel20.05.noarch.rpm openssh-askpass-8.2p1-22.up1.uel20.05.aarch64.rpm openssh-server-8.2p1-22.up1.uel20.05.aarch64.rpm openssh-cavs-8.2p1-22.up1.uel20.05.aarch64.rpm pam_ssh_agent_auth-0.10.3-9.22.05.uel20.aarch64.rpm UTSA-2024:20005 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: squid security update

Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives.(CVE-2023-50269) squid-4.9-18.uel20.x86_64.rpm squid-4.9-18.uel20.aarch64.rpm UTSA-2024:20006 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: gstreamer1-plugins-bad-free security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-37329) ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-44446) gstreamer1-plugins-bad-free-1.16.2-4.uel20.x86_64.rpm gstreamer1-plugins-bad-free-devel-1.16.2-4.uel20.x86_64.rpm gstreamer1-plugins-bad-free-devel-1.16.2-4.uel20.aarch64.rpm gstreamer1-plugins-bad-free-1.16.2-4.uel20.aarch64.rpm UTSA-2024:20007 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: gstreamer1-plugins-good security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-37327) gstreamer1-plugins-good-1.16.2-4.uel20.x86_64.rpm gstreamer1-plugins-good-gtk-1.16.2-4.uel20.x86_64.rpm gstreamer1-plugins-good-1.16.2-4.uel20.aarch64.rpm gstreamer1-plugins-good-help-1.16.2-4.uel20.noarch.rpm gstreamer1-plugins-good-gtk-1.16.2-4.uel20.aarch64.rpm UTSA-2024:20008 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: xorg-x11-server security update

A flaw was found in xorg-server. A specially crafted request to RRChangeProviderProperty or RRChangeOutputProperty can trigger an integer overflow which may lead to a disclosure of sensitive information.(CVE-2023-6478) A flaw was found in xorg-server. Querying or changing XKB button actions such as moving from a touchpad to a mouse can result in out-of-bounds memory reads and writes. This may allow local privilege escalation or possible remote code execution in cases where X11 forwarding is involved.(CVE-2023-6377) xorg-x11-server-1.20.8-24.up7.uel20.x86_64.rpm xorg-x11-server-Xephyr-1.20.8-24.up7.uel20.x86_64.rpm xorg-x11-server-devel-1.20.8-24.up7.uel20.x86_64.rpm xorg-x11-server-1.20.8-24.up7.uel20.aarch64.rpm xorg-x11-server-devel-1.20.8-24.up7.uel20.aarch64.rpm xorg-x11-server-Xephyr-1.20.8-24.up7.uel20.aarch64.rpm xorg-x11-server-help-1.20.8-24.up7.uel20.noarch.rpm UTSA-2024:20009 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: ncurses security update

NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().(CVE-2023-50495) ncurses-6.2-5.uel20.01.x86_64.rpm ncurses-libs-6.2-5.uel20.01.x86_64.rpm ncurses-help-6.2-5.uel20.01.x86_64.rpm ncurses-devel-6.2-5.uel20.01.x86_64.rpm ncurses-help-6.2-5.uel20.01.aarch64.rpm ncurses-base-6.2-5.uel20.01.noarch.rpm ncurses-libs-6.2-5.uel20.01.aarch64.rpm ncurses-devel-6.2-5.uel20.01.aarch64.rpm ncurses-6.2-5.uel20.01.aarch64.rpm UTSA-2024:20010 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: tar security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-39804) tar-1.32-3.uel20.05.x86_64.rpm tar-1.32-3.uel20.05.aarch64.rpm tar-help-1.32-3.uel20.05.noarch.rpm UTSA-2024:20011 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-cryptography security update

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.(CVE-2023-49083) python2-cryptography-3.3.1-5.uel20.x86_64.rpm python3-cryptography-3.3.1-5.uel20.x86_64.rpm python3-cryptography-3.3.1-5.uel20.aarch64.rpm python2-cryptography-3.3.1-5.uel20.aarch64.rpm python-cryptography-help-3.3.1-5.uel20.noarch.rpm UTSA-2024:20012 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: jgit security update

Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem. This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command. The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration. Setting git configuration option core.symlinks = false before checking out avoids the problem. The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/  and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . The JGit maintainers would like to thank RyotaK for finding and reporting this issue. (CVE-2023-4759) jgit-javadoc-5.11.0-3.uel20.noarch.rpm jgit-5.11.0-3.uel20.noarch.rpm UTSA-2024:20013 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libsass security update

Stack overflow vulnerability in ast_selectors.cpp: in function Sass::ComplexSelector::has_placeholder in libsass:3.6.5-8-g210218, which can be exploited by attackers to cause a denial of service (DoS).(CVE-2022-43358) Stack overflow vulnerability in ast_selectors.cpp in function Sass::CompoundSelector::has_real_parent_ref in libsass:3.6.5-8-g210218, which can be exploited by attackers to causea denial of service (DoS). Also affects the command line driver for libsass, sassc 3.6.2.(CVE-2022-43357) Stack Overflow vulnerability in libsass 3.6.5 via the CompoundSelector::has_real_parent_ref function.(CVE-2022-26592) libsass-3.6.4-2.uel20.x86_64.rpm libsass-devel-3.6.4-2.uel20.x86_64.rpm libsass-devel-3.6.4-2.uel20.aarch64.rpm libsass-3.6.4-2.uel20.aarch64.rpm UTSA-2024:20014 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-flask security update

Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met. 1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies. 2. The application sets `session.permanent = True` 3. The application does not access or modify the session at any point during a request. 4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default). 5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached. This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.(CVE-2023-30861) python3-flask-1.1.2-5.uel20.noarch.rpm python2-flask-1.1.2-5.uel20.noarch.rpm UTSA-2024:20015 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: mybatis security update

A SQL injection vulnerability in Mybatis plus below 3.5.3.1 allows remote attackers to execute arbitrary SQL commands via the tenant ID valuer.(CVE-2023-25330) mybatis-3.5.8-1.uel20.noarch.rpm mybatis-javadoc-3.5.8-1.uel20.noarch.rpm UTSA-2024:20016 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: containernetworking-plugins security update

Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.(CVE-2023-24538) Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.(CVE-2023-24537) Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.(CVE-2023-24536) HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.(CVE-2023-24534) containernetworking-plugins-unit-test-devel-0.8.6-6.gitad10b6f.uel20.x86_64.rpm containernetworking-plugins-0.8.6-6.gitad10b6f.uel20.x86_64.rpm containernetworking-plugins-unit-test-devel-0.8.6-6.gitad10b6f.uel20.aarch64.rpm containernetworking-plugins-0.8.6-6.gitad10b6f.uel20.aarch64.rpm containernetworking-plugins-devel-0.8.6-6.gitad10b6f.uel20.noarch.rpm UTSA-2024:20017 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: rubygem-puma security update

Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.(CVE-2022-23634) Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`.(CVE-2021-41136) rubygem-puma-3.12.6-3.uel20.x86_64.rpm rubygem-puma-doc-3.12.6-3.uel20.noarch.rpm rubygem-puma-3.12.6-3.uel20.aarch64.rpm UTSA-2024:20018 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: jettison security update

An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown. (CVE-2023-1436) Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.(CVE-2022-45693) A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.(CVE-2022-45685) Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.(CVE-2022-40150) Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.(CVE-2022-40149) jettison-javadoc-1.5.4-1.uel20.noarch.rpm jettison-1.5.4-1.uel20.noarch.rpm UTSA-2024:20019 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: tidy security update

An issue in HTACG HTML Tidy v5.7.28 allows attacker to execute arbitrary code via the -g option of the CleanNode() function in gdoc.c.(CVE-2021-33391) tidy-5.6.0-5.uel20.x86_64.rpm libtidy-devel-5.6.0-5.uel20.x86_64.rpm libtidy-5.6.0-5.uel20.x86_64.rpm libtidy-5.6.0-5.uel20.aarch64.rpm tidy-help-5.6.0-5.uel20.noarch.rpm tidy-5.6.0-5.uel20.aarch64.rpm libtidy-devel-5.6.0-5.uel20.aarch64.rpm UTSA-2024:20020 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libgit2 security update

libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack. Users are encouraged to upgrade to v1.4.5 or v1.5.1. Users unable to upgrade should ensure that all relevant certificates are manually checked.(CVE-2023-22742) libgit2-0.27.8-7.uel20.x86_64.rpm libgit2-devel-0.27.8-7.uel20.x86_64.rpm libgit2-devel-0.27.8-7.uel20.aarch64.rpm libgit2-0.27.8-7.uel20.aarch64.rpm UTSA-2024:20021 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-wheel security update

An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.(CVE-2022-40898) python-wheel-wheel-0.31.1-7.uel20.noarch.rpm python3-wheel-0.31.1-7.uel20.noarch.rpm python2-wheel-0.31.1-7.uel20.noarch.rpm UTSA-2024:20022 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: netty security update

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.(CVE-2022-41881) netty-4.1.13-18.uel20.x86_64.rpm netty-help-4.1.13-18.uel20.noarch.rpm netty-4.1.13-18.uel20.aarch64.rpm UTSA-2024:20023 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: freeradius security update

In freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.(CVE-2022-41859) freeradius-krb5-3.0.15-27.uel20.x86_64.rpm python2-freeradius-3.0.15-27.uel20.x86_64.rpm freeradius-perl-3.0.15-27.uel20.x86_64.rpm freeradius-help-3.0.15-27.uel20.x86_64.rpm freeradius-devel-3.0.15-27.uel20.x86_64.rpm freeradius-sqlite-3.0.15-27.uel20.x86_64.rpm freeradius-utils-3.0.15-27.uel20.x86_64.rpm freeradius-mysql-3.0.15-27.uel20.x86_64.rpm freeradius-3.0.15-27.uel20.x86_64.rpm freeradius-postgresql-3.0.15-27.uel20.x86_64.rpm freeradius-ldap-3.0.15-27.uel20.x86_64.rpm freeradius-postgresql-3.0.15-27.uel20.aarch64.rpm freeradius-perl-3.0.15-27.uel20.aarch64.rpm freeradius-ldap-3.0.15-27.uel20.aarch64.rpm freeradius-3.0.15-27.uel20.aarch64.rpm freeradius-devel-3.0.15-27.uel20.aarch64.rpm freeradius-utils-3.0.15-27.uel20.aarch64.rpm freeradius-krb5-3.0.15-27.uel20.aarch64.rpm freeradius-help-3.0.15-27.uel20.aarch64.rpm python2-freeradius-3.0.15-27.uel20.aarch64.rpm freeradius-mysql-3.0.15-27.uel20.aarch64.rpm freeradius-sqlite-3.0.15-27.uel20.aarch64.rpm UTSA-2024:20024 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: jackson-databind security update

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.(CVE-2022-42004) In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1(CVE-2022-42003) jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.(CVE-2020-36518) jackson-databind-javadoc-2.9.8-10.uel20.noarch.rpm jackson-databind-2.9.8-10.uel20.noarch.rpm UTSA-2024:20025 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: hsqldb1 security update

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.(CVE-2022-41853) hsqldb1-javadoc-1.8.1.3-3.uel20.noarch.rpm hsqldb1-1.8.1.3-3.uel20.noarch.rpm UTSA-2024:20026 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: hdf5 security update

An issue was discovered in HDF5 through 1.12.0. A heap-based buffer overflow exists in the function Decompress() located in decompress.c. It can be triggered by sending a crafted file to the gif2h5 binary. It allows an attacker to cause Denial of Service.(CVE-2020-10809) ReadCode() in decompress.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (invalid write access) via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file.(CVE-2018-17436) A heap-based buffer overflow in ReadGifImageDesc() in gifread.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service via a crafted HDF5 file. This issue was triggered while converting a GIF file to an HDF file.(CVE-2018-17433) hdf5-devel-1.12.1-4.uel20.x86_64.rpm hdf5-1.12.1-4.uel20.x86_64.rpm hdf5-mpich-devel-1.12.1-4.uel20.x86_64.rpm hdf5-openmpi-1.12.1-4.uel20.x86_64.rpm hdf5-openmpi-devel-1.12.1-4.uel20.x86_64.rpm hdf5-mpich-1.12.1-4.uel20.x86_64.rpm hdf5-mpich-static-1.12.1-4.uel20.x86_64.rpm hdf5-openmpi-static-1.12.1-4.uel20.x86_64.rpm hdf5-mpich-devel-1.12.1-4.uel20.aarch64.rpm hdf5-mpich-1.12.1-4.uel20.aarch64.rpm hdf5-openmpi-1.12.1-4.uel20.aarch64.rpm hdf5-devel-1.12.1-4.uel20.aarch64.rpm hdf5-openmpi-static-1.12.1-4.uel20.aarch64.rpm hdf5-mpich-static-1.12.1-4.uel20.aarch64.rpm hdf5-openmpi-devel-1.12.1-4.uel20.aarch64.rpm hdf5-1.12.1-4.uel20.aarch64.rpm UTSA-2024:20027 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: zeromq security update

In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients will not be able to exchange any message. Handshakes complete successfully, and messages are delivered to the library, but the server application never receives them. This is patched in version 4.3.3.(CVE-2020-15166) zeromq-devel-4.3.4-1.uel20.x86_64.rpm zeromq-4.3.4-1.uel20.x86_64.rpm zeromq-devel-4.3.4-1.uel20.aarch64.rpm zeromq-4.3.4-1.uel20.aarch64.rpm UTSA-2024:20028 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: squid security update

Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client Manager reports. Squid older than 5.0.5 have not been tested and should be assumed to be vulnerable. All Squid-5.x up to and including 5.9 are vulnerable. All Squid-6.x up to and including 6.5 are vulnerable. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. As a workaround, prevent access to Cache Manager using Squid's main access control: `http_access deny manager`.(CVE-2024-23638) squid-4.9-19.uel20.x86_64.rpm squid-4.9-19.uel20.aarch64.rpm UTSA-2024:20029 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: imagemagick security update

A heap use-after-free flaw was found in coders/bmp.c in ImageMagick.(CVE-2023-5341) ImageMagick-6.9.12.86-5.uel20.x86_64.rpm ImageMagick-help-6.9.12.86-5.uel20.x86_64.rpm ImageMagick-devel-6.9.12.86-5.uel20.x86_64.rpm ImageMagick-c++-devel-6.9.12.86-5.uel20.x86_64.rpm ImageMagick-perl-6.9.12.86-5.uel20.x86_64.rpm ImageMagick-c++-6.9.12.86-5.uel20.x86_64.rpm ImageMagick-6.9.12.86-5.uel20.aarch64.rpm ImageMagick-help-6.9.12.86-5.uel20.aarch64.rpm ImageMagick-perl-6.9.12.86-5.uel20.aarch64.rpm ImageMagick-c++-6.9.12.86-5.uel20.aarch64.rpm ImageMagick-c++-devel-6.9.12.86-5.uel20.aarch64.rpm ImageMagick-devel-6.9.12.86-5.uel20.aarch64.rpm UTSA-2024:20030 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: grafana security update

Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.(CVE-2022-32148) A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.(CVE-2023-39325) grafana-7.5.15-5.up1.uel20.x86_64.rpm grafana-7.5.15-5.up1.uel20.aarch64.rpm UTSA-2024:20031 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: tomcat security update

Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.(CVE-2024-21733) Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue. (CVE-2023-42795) The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur. (CVE-2023-28709) Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. (CVE-2023-24998) tomcat-help-9.0.10-31.up1.uel20.noarch.rpm tomcat-9.0.10-31.up1.uel20.noarch.rpm tomcat-jsvc-9.0.10-31.up1.uel20.noarch.rpm tomcat-embed-9.0.10-31.up1.uel20.noarch.rpm UTSA-2024:20032 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: apache-sshd security update

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795) apache-sshd-javadoc-2.9.2-3.uel20.noarch.rpm apache-sshd-2.9.2-3.uel20.noarch.rpm UTSA-2024:20033 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: xorg-x11-server security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2024-21886) ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2024-21885) A flaw was found in the X.Org server. The cursor code in both Xephyr and Xwayland uses the wrong type of private at creation. It uses the cursor bits type with the cursor as private, and when initiating the cursor, that overwrites the XSELINUX context.(CVE-2024-0409) A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.(CVE-2024-0408) An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.(CVE-2024-0229) A flaw was found in X.Org server. Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255, but the X.Org Server was only allocating space for the device's particular number of buttons, leading to a heap overflow if a bigger value was used.(CVE-2023-6816) xorg-x11-server-1.20.8-24.up8.uel20.x86_64.rpm xorg-x11-server-devel-1.20.8-24.up8.uel20.x86_64.rpm xorg-x11-server-Xephyr-1.20.8-24.up8.uel20.x86_64.rpm xorg-x11-server-1.20.8-24.up8.uel20.aarch64.rpm xorg-x11-server-devel-1.20.8-24.up8.uel20.aarch64.rpm xorg-x11-server-Xephyr-1.20.8-24.up8.uel20.aarch64.rpm xorg-x11-server-help-1.20.8-24.up8.uel20.noarch.rpm UTSA-2024:20034 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: gnutls security update

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.(CVE-2024-0553) gnutls-help-3.6.16-6.uel20.6.x86_64.rpm gnutls-devel-3.6.16-6.uel20.6.x86_64.rpm gnutls-3.6.16-6.uel20.6.x86_64.rpm gnutls-devel-3.6.16-6.uel20.6.aarch64.rpm gnutls-help-3.6.16-6.uel20.6.aarch64.rpm gnutls-3.6.16-6.uel20.6.aarch64.rpm UTSA-2024:20035 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: mongo-c-driver security update

When calling bson_utf8_validate on some inputs a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects All MongoDB C Driver versions prior to versions 1.25.0.(CVE-2023-0437) mongo-c-driver-help-1.13.1-7.uel20.x86_64.rpm mongo-c-driver-devel-1.13.1-7.uel20.x86_64.rpm mongo-c-driver-1.13.1-7.uel20.x86_64.rpm libbson-devel-1.13.1-7.uel20.x86_64.rpm libbson-1.13.1-7.uel20.x86_64.rpm mongo-c-driver-1.13.1-7.uel20.aarch64.rpm mongo-c-driver-help-1.13.1-7.uel20.aarch64.rpm mongo-c-driver-devel-1.13.1-7.uel20.aarch64.rpm libbson-devel-1.13.1-7.uel20.aarch64.rpm libbson-1.13.1-7.uel20.aarch64.rpm UTSA-2024:20036 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: rear security update

Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable initrd when using GRUB_RESCUE=y. This allows local attackers to gain access to system secrets otherwise only readable by root.(CVE-2024-23301) rear-2.4-3.uel20.01.x86_64.rpm rear-help-2.4-3.uel20.01.noarch.rpm UTSA-2024:20037 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: apache-sshd security update

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache MINA. In SFTP servers implemented using Apache MINA SSHD that use a RootedFileSystem, logged users may be able to discover "exists/does not exist" information about items outside the rooted tree via paths including parent navigation ("..") beyond the root, or involving symlinks. This issue affects Apache MINA: from 1.0 before 2.10. Users are recommended to upgrade to 2.10 (CVE-2023-35887) apache-sshd-javadoc-2.9.2-2.uel20.noarch.rpm apache-sshd-2.9.2-2.uel20.noarch.rpm UTSA-2024:20038 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: libexif security update

In exif_entry_get_value of exif-entry.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution if a third party app used this library to process remote image data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11 Android-8.0Android ID: A-159625731(CVE-2020-0452) libexif-devel-0.6.21-26.uel20.x86_64.rpm libexif-0.6.21-26.uel20.x86_64.rpm libexif-0.6.21-26.uel20.aarch64.rpm libexif-help-0.6.21-26.uel20.noarch.rpm libexif-devel-0.6.21-26.uel20.aarch64.rpm UTSA-2024:20039 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: mysql-connector-java security update

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).(CVE-2022-21363) Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).(CVE-2021-2471) mysql-connector-java-8.0.30-1.uel20.noarch.rpm UTSA-2024:20040 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: sqlite security update

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.(CVE-2023-7104) sqlite-devel-3.32.3-6.uel20.03.x86_64.rpm sqlite-3.32.3-6.uel20.03.x86_64.rpm sqlite-help-3.32.3-6.uel20.03.noarch.rpm sqlite-3.32.3-6.uel20.03.aarch64.rpm sqlite-devel-3.32.3-6.uel20.03.aarch64.rpm UTSA-2024:20041 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: sudo security update

Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit.(CVE-2023-42465) sudo-1.9.2-15.uel20.01.x86_64.rpm sudo-devel-1.9.2-15.uel20.01.x86_64.rpm sudo-1.9.2-15.uel20.01.aarch64.rpm sudo-help-1.9.2-15.uel20.01.noarch.rpm sudo-devel-1.9.2-15.uel20.01.aarch64.rpm UTSA-2024:20042 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: espeak-ng security update

Espeak-ng 1.52-dev was discovered to contain a Floating Point Exception via the function PeaksToHarmspect at wavegen.c.(CVE-2023-49994) Espeak-ng 1.52-dev was discovered to contain a Buffer Overflow via the function ReadClause at readclause.c.(CVE-2023-49993) Espeak-ng 1.52-dev was discovered to contain a Stack Buffer Overflow via the function RemoveEnding at dictionary.c.(CVE-2023-49992) Espeak-ng 1.52-dev was discovered to contain a Stack Buffer Underflow via the function CountVowelPosition at synthdata.c.(CVE-2023-49991) Espeak-ng 1.52-dev was discovered to contain a buffer-overflow via the function SetUpPhonemeTable at synthdata.c.(CVE-2023-49990) espeak-ng-devel-1.51-2.uel20.x86_64.rpm espeak-ng-1.51-2.uel20.x86_64.rpm espeak-ng-1.51-2.uel20.aarch64.rpm espeak-ng-help-1.51-2.uel20.noarch.rpm espeak-ng-devel-1.51-2.uel20.aarch64.rpm UTSA-2024:20043 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: ghostscript security update

An issue was discovered in the function gdev_prn_open_printer_seekable() in Artifex Ghostscript through 10.02.0 allows remote attackers to crash the application via a dangling pointer.(CVE-2023-46751) ghostscript-9.52-12.uel20.01.x86_64.rpm ghostscript-tools-dvipdf-9.52-12.uel20.01.x86_64.rpm ghostscript-devel-9.52-12.uel20.01.x86_64.rpm ghostscript-9.52-12.uel20.01.aarch64.rpm ghostscript-help-9.52-12.uel20.01.noarch.rpm ghostscript-tools-dvipdf-9.52-12.uel20.01.aarch64.rpm ghostscript-devel-9.52-12.uel20.01.aarch64.rpm UTSA-2024:20044 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: testng security update

A vulnerability was found in cbeust testng 7.5.0/7.6.0/7.6.1/7.7.0. It has been declared as critical. Affected by this vulnerability is the function testngXmlExistsInJar of the file testng-core/src/main/java/org/testng/JarFileUtils.java of the component XML File Parser. The manipulation leads to path traversal. The attack can be launched remotely. Upgrading to version 7.5.1 and 7.7.1 is able to address this issue. The patch is named 9150736cd2c123a6a3b60e6193630859f9f0422b. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-214027.(CVE-2022-4065) testng-javadoc-6.14.3-7.uel20.noarch.rpm testng-6.14.3-7.uel20.noarch.rpm UTSA-2024:20045 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: apache-mime4j security update

Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message. This can be exploited by an attacker to add unintended headers to MIME messages. (CVE-2024-21742) apache-mime4j-javadoc-0.8.1-2.uel20.noarch.rpm apache-mime4j-0.8.1-2.uel20.noarch.rpm UTSA-2024:20046 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: linux-sgx security update

A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection. (CVE-2022-4304) libsgx-dcap-quote-verify-devel-2.11.100-14.uel20.x86_64.rpm libsgx-dcap-ql-2.11.100-14.uel20.x86_64.rpm libsgx-ra-network-devel-2.11.100-14.uel20.x86_64.rpm libsgx-dcap-default-qpl-2.11.100-14.uel20.x86_64.rpm sgxsdk-2.11.100-14.uel20.x86_64.rpm libsgx-aesm-launch-plugin-2.11.100-14.uel20.x86_64.rpm sgx-aesm-service-2.11.100-14.uel20.x86_64.rpm libsgx-urts-2.11.100-14.uel20.x86_64.rpm libsgx-aesm-quote-ex-plugin-2.11.100-14.uel20.x86_64.rpm libsgx-ra-uefi-devel-2.11.100-14.uel20.x86_64.rpm sgx-dcap-pccs-2.11.100-14.uel20.x86_64.rpm libsgx-ae-pce-2.11.100-14.uel20.x86_64.rpm libsgx-epid-2.11.100-14.uel20.x86_64.rpm libsgx-aesm-ecdsa-plugin-2.11.100-14.uel20.x86_64.rpm libsgx-epid-devel-2.11.100-14.uel20.x86_64.rpm libsgx-uae-service-2.11.100-14.uel20.x86_64.rpm libsgx-enclave-common-2.11.100-14.uel20.x86_64.rpm libsgx-dcap-default-qpl-devel-2.11.100-14.uel20.x86_64.rpm libsgx-enclave-common-devel-2.11.100-14.uel20.x86_64.rpm sgx-pck-id-retrieval-tool-2.11.100-14.uel20.x86_64.rpm libsgx-ae-le-2.11.100-14.uel20.x86_64.rpm libsgx-aesm-pce-plugin-2.11.100-14.uel20.x86_64.rpm libsgx-ae-epid-2.11.100-14.uel20.x86_64.rpm libsgx-ra-network-2.11.100-14.uel20.x86_64.rpm libsgx-quote-ex-2.11.100-14.uel20.x86_64.rpm libsgx-qe3-logic-2.11.100-14.uel20.x86_64.rpm libsgx-ae-qe3-2.11.100-14.uel20.x86_64.rpm libsgx-ra-uefi-2.11.100-14.uel20.x86_64.rpm libsgx-aesm-epid-plugin-2.11.100-14.uel20.x86_64.rpm libsgx-dcap-quote-verify-2.11.100-14.uel20.x86_64.rpm libsgx-quote-ex-devel-2.11.100-14.uel20.x86_64.rpm libsgx-launch-devel-2.11.100-14.uel20.x86_64.rpm libsgx-pce-logic-2.11.100-14.uel20.x86_64.rpm libsgx-ae-qve-2.11.100-14.uel20.x86_64.rpm libsgx-dcap-ql-devel-2.11.100-14.uel20.x86_64.rpm libsgx-launch-2.11.100-14.uel20.x86_64.rpm sgx-ra-service-2.11.100-14.uel20.x86_64.rpm UTSA-2024:20047 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: fontforge security update

Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files.(CVE-2024-25082) Splinefont in FontForge through 20230101 allows command injection via crafted filenames.(CVE-2024-25081) fontforge-20200314-5.uel20.x86_64.rpm fontforge-devel-20200314-5.uel20.x86_64.rpm fontforge-20200314-5.uel20.aarch64.rpm fontforge-devel-20200314-5.uel20.aarch64.rpm fontforge-help-20200314-5.uel20.noarch.rpm UTSA-2024:20048 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: dde-daemon security update

fix cve/bug or enhancement dde-daemon-5.14.122-1.uel20.10.aarch64.rpm dde-daemon-5.14.122-1.uel20.10.x86_64.rpm UTSA-2024:20049 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: less security update

close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE.(CVE-2022-48624) less-590-2.uel20.02.x86_64.rpm less-help-590-2.uel20.02.noarch.rpm less-590-2.uel20.02.aarch64.rpm UTSA-2024:20050 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: squid security update

Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug ,Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2 (CVE-2024-25617) squid-4.9-20.uel20.x86_64.rpm squid-4.9-20.uel20.aarch64.rpm UTSA-2024:20051 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: freeglut security update

freeglut through 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddMenuEntry function.(CVE-2024-24259) freeglut 3.4.0 was discovered to contain a memory leak via the menuEntry variable in the glutAddSubMenu function.(CVE-2024-24258) freeglut-help-3.0.0-11.uel20.x86_64.rpm freeglut-3.0.0-11.uel20.x86_64.rpm freeglut-devel-3.0.0-11.uel20.x86_64.rpm freeglut-devel-3.0.0-11.uel20.aarch64.rpm freeglut-3.0.0-11.uel20.aarch64.rpm freeglut-help-3.0.0-11.uel20.aarch64.rpm UTSA-2024:20052 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: jss security update

A flaw was found in JSS, where it did not properly free up all memory. Over time, the wasted memory builds up in the server memory, saturating the server’s RAM. This flaw allows an attacker to force the invocation of an out-of-memory process, causing a denial of service.(CVE-2021-4213) jss-help-4.9.3-1.uel20.x86_64.rpm jss-4.9.3-1.uel20.x86_64.rpm jss-help-4.9.3-1.uel20.aarch64.rpm jss-4.9.3-1.uel20.aarch64.rpm UTSA-2024:20053 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: openvswitch security update

A flaw was found in Open vSwitch where multiple versions are vulnerable to crafted Geneve packets, which may result in a denial of service and invalid memory accesses. Triggering this issue requires that hardware offloading via the netlink path is enabled.(CVE-2023-3966) python3-openvswitch-2.12.4-9.uel20.x86_64.rpm openvswitch-2.12.4-9.uel20.x86_64.rpm openvswitch-devel-2.12.4-9.uel20.x86_64.rpm openvswitch-help-2.12.4-9.uel20.x86_64.rpm openvswitch-2.12.4-9.uel20.aarch64.rpm openvswitch-devel-2.12.4-9.uel20.aarch64.rpm python3-openvswitch-2.12.4-9.uel20.aarch64.rpm openvswitch-help-2.12.4-9.uel20.aarch64.rpm UTSA-2024:20054 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libuv security update

libuv is a multi-platform support library with a focus on asynchronous I/O. The `uv_getaddrinfo` function in `src/unix/getaddrinfo.c` (and its windows counterpart `src/win/getaddrinfo.c`), truncates hostnames to 256 characters before calling `getaddrinfo`. This behavior can be exploited to create addresses like `0x00007f000001`, which are considered valid by `getaddrinfo` and could allow an attacker to craft payloads that resolve to unintended IP addresses, bypassing developer checks. The vulnerability arises due to how the `hostname_ascii` variable (with a length of 256 bytes) is handled in `uv_getaddrinfo` and subsequently in `uv__idna_toascii`. When the hostname exceeds 256 characters, it gets truncated without a terminating null byte. As a result attackers may be able to access internal APIs or for websites (similar to MySpace) that allows users to have `username.example.com` pages. Internal services that crawl or cache these user pages can be exposed to SSRF attacks if a malicious user chooses a long vulnerable username. This issue has been addressed in release version 1.48.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-24806) libuv-1.42.0-2.uel20.x86_64.rpm libuv-devel-1.42.0-2.uel20.x86_64.rpm libuv-1.42.0-2.uel20.aarch64.rpm libuv-devel-1.42.0-2.uel20.aarch64.rpm libuv-help-1.42.0-2.uel20.noarch.rpm UTSA-2024:20055 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-django security update

An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.(CVE-2024-24680) python3-Django-2.2.27-10.uel20.noarch.rpm python-django-help-2.2.27-10.uel20.noarch.rpm UTSA-2024:20056 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: libgit2 security update

libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.(CVE-2024-24577) libgit2-devel-0.27.8-8.uel20.x86_64.rpm libgit2-0.27.8-8.uel20.x86_64.rpm libgit2-devel-0.27.8-8.uel20.aarch64.rpm libgit2-0.27.8-8.uel20.aarch64.rpm UTSA-2024:20057 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: rust security update

libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.(CVE-2024-24577) libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_revparse_single` can cause the function to enter an infinite loop, potentially causing a Denial of Service attack in the calling application. The revparse function in `src/libgit2/revparse.c` uses a loop to parse the user-provided spec string. There is an edge-case during parsing that allows a bad actor to force the loop conditions to access arbitrary memory. Potentially, this could also leak memory if the extracted rev spec is reflected back to the attacker. As such, libgit2 versions before 1.4.0 are not affected. Users should upgrade to version 1.6.5 or 1.7.2.(CVE-2024-24575) clippy-1.58.1-1.uel20.05.x86_64.rpm rust-help-1.58.1-1.uel20.05.x86_64.rpm cargo-1.58.1-1.uel20.05.x86_64.rpm rust-1.58.1-1.uel20.05.x86_64.rpm rust-std-static-1.58.1-1.uel20.05.x86_64.rpm rustfmt-1.58.1-1.uel20.05.x86_64.rpm rls-1.58.1-1.uel20.05.x86_64.rpm rust-analysis-1.58.1-1.uel20.05.x86_64.rpm clippy-1.58.1-1.uel20.05.aarch64.rpm rust-1.58.1-1.uel20.05.aarch64.rpm rust-gdb-1.58.1-1.uel20.05.noarch.rpm rust-debugger-common-1.58.1-1.uel20.05.noarch.rpm rust-help-1.58.1-1.uel20.05.aarch64.rpm rls-1.58.1-1.uel20.05.aarch64.rpm rust-src-1.58.1-1.uel20.05.noarch.rpm cargo-1.58.1-1.uel20.05.aarch64.rpm rustfmt-1.58.1-1.uel20.05.aarch64.rpm rust-lldb-1.58.1-1.uel20.05.noarch.rpm rust-std-static-1.58.1-1.uel20.05.aarch64.rpm rust-analysis-1.58.1-1.uel20.05.aarch64.rpm UTSA-2024:20058 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: qt5-qtbase security update

An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.(CVE-2023-51714) qt5-qtbase-devel-5.11.1-21.up7.uel20.x86_64.rpm qt5-qtbase-5.11.1-21.up7.uel20.x86_64.rpm qt5-qtbase-gui-5.11.1-21.up7.uel20.x86_64.rpm qt5-qtbase-mysql-5.11.1-21.up7.uel20.x86_64.rpm qt5-qtbase-odbc-5.11.1-21.up7.uel20.x86_64.rpm qt5-qtbase-postgresql-5.11.1-21.up7.uel20.x86_64.rpm qt5-qtbase-devel-5.11.1-21.up7.uel20.aarch64.rpm qt5-qtbase-5.11.1-21.up7.uel20.aarch64.rpm qt5-qtbase-gui-5.11.1-21.up7.uel20.aarch64.rpm qt5-qtbase-mysql-5.11.1-21.up7.uel20.aarch64.rpm qt5-qtbase-postgresql-5.11.1-21.up7.uel20.aarch64.rpm qt5-qtbase-common-5.11.1-21.up7.uel20.noarch.rpm qt5-qtbase-odbc-5.11.1-21.up7.uel20.aarch64.rpm UTSA-2024:20059 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: nodejs security update

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.(CVE-2023-44487) Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465) A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464) npm-6.14.16-1.12.22.11.8.uel20.x86_64.rpm nodejs-12.22.11-8.uel20.x86_64.rpm nodejs-libs-12.22.11-8.uel20.x86_64.rpm nodejs-devel-12.22.11-8.uel20.x86_64.rpm nodejs-full-i18n-12.22.11-8.uel20.x86_64.rpm v8-devel-7.8.279.23-1.12.22.11.8.uel20.x86_64.rpm npm-6.14.16-1.12.22.11.8.uel20.aarch64.rpm nodejs-docs-12.22.11-8.uel20.noarch.rpm nodejs-12.22.11-8.uel20.aarch64.rpm v8-devel-7.8.279.23-1.12.22.11.8.uel20.aarch64.rpm nodejs-libs-12.22.11-8.uel20.aarch64.rpm nodejs-devel-12.22.11-8.uel20.aarch64.rpm nodejs-full-i18n-12.22.11-8.uel20.aarch64.rpm UTSA-2024:20060 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libxml2 security update

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.(CVE-2024-25062) libxml2-2.9.10-39.uel20.x86_64.rpm python3-libxml2-2.9.10-39.uel20.x86_64.rpm python2-libxml2-2.9.10-39.uel20.x86_64.rpm libxml2-devel-2.9.10-39.uel20.x86_64.rpm libxml2-devel-2.9.10-39.uel20.aarch64.rpm libxml2-2.9.10-39.uel20.aarch64.rpm python3-libxml2-2.9.10-39.uel20.aarch64.rpm python2-libxml2-2.9.10-39.uel20.aarch64.rpm libxml2-help-2.9.10-39.uel20.noarch.rpm UTSA-2024:20061 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rubygem-actionpack security update

A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.(CVE-2023-22795) A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.(CVE-2023-22792) rubygem-actionpack-doc-5.2.4.4-4.uel20.noarch.rpm rubygem-actionpack-5.2.4.4-4.uel20.noarch.rpm UTSA-2024:20062 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: runc security update

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. (CVE-2024-21626) docker-runc-1.0.0.rc3-224.up1.uel20.x86_64.rpm docker-runc-1.0.0.rc3-224.up1.uel20.aarch64.rpm UTSA-2024:20063 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: graphviz security update

Graphviz 2.36 before 10.0.0 has an out-of-bounds read via a crafted config6a file. NOTE: exploitability may be uncommon because this file is typically owned by root.(CVE-2023-46045) graphviz-java-2.44.0-5.uel20.x86_64.rpm graphviz-devel-2.44.0-5.uel20.x86_64.rpm graphviz-ruby-2.44.0-5.uel20.x86_64.rpm graphviz-ocaml-2.44.0-5.uel20.x86_64.rpm graphviz-2.44.0-5.uel20.x86_64.rpm graphviz-perl-2.44.0-5.uel20.x86_64.rpm graphviz-docs-2.44.0-5.uel20.x86_64.rpm graphviz-python3-2.44.0-5.uel20.x86_64.rpm graphviz-lua-2.44.0-5.uel20.x86_64.rpm graphviz-tcl-2.44.0-5.uel20.x86_64.rpm graphviz-python2-2.44.0-5.uel20.x86_64.rpm graphviz-python2-2.44.0-5.uel20.aarch64.rpm graphviz-perl-2.44.0-5.uel20.aarch64.rpm graphviz-python3-2.44.0-5.uel20.aarch64.rpm graphviz-ocaml-2.44.0-5.uel20.aarch64.rpm graphviz-java-2.44.0-5.uel20.aarch64.rpm graphviz-ruby-2.44.0-5.uel20.aarch64.rpm graphviz-devel-2.44.0-5.uel20.aarch64.rpm graphviz-docs-2.44.0-5.uel20.aarch64.rpm graphviz-tcl-2.44.0-5.uel20.aarch64.rpm graphviz-lua-2.44.0-5.uel20.aarch64.rpm graphviz-2.44.0-5.uel20.aarch64.rpm UTSA-2024:20064 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: containerd security update

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.(CVE-2022-41723) A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.(CVE-2023-39325) containerd-stress-1.5.3-1.uel20.12.x86_64.rpm containerd-1.5.3-1.uel20.12.x86_64.rpm containerd-1.5.3-1.uel20.12.aarch64.rpm containerd-stress-1.5.3-1.uel20.12.aarch64.rpm UTSA-2024:20065 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: ncurses security update

ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.(CVE-2023-45918) ncurses-libs-6.2-5.uel20.02.x86_64.rpm ncurses-6.2-5.uel20.02.x86_64.rpm ncurses-devel-6.2-5.uel20.02.x86_64.rpm ncurses-help-6.2-5.uel20.02.x86_64.rpm ncurses-6.2-5.uel20.02.aarch64.rpm ncurses-help-6.2-5.uel20.02.aarch64.rpm ncurses-devel-6.2-5.uel20.02.aarch64.rpm ncurses-libs-6.2-5.uel20.02.aarch64.rpm ncurses-base-6.2-5.uel20.02.noarch.rpm UTSA-2024:20066 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: indent security update

A flaw was found in indent, a program for formatting C code. This issue may allow an attacker to trick a user into processing a specially crafted file to trigger a heap-based buffer overflow, causing the application to crash.(CVE-2024-0911) indent-2.2.11-30.uel20.x86_64.rpm indent-2.2.11-30.uel20.aarch64.rpm indent-help-2.2.11-30.uel20.noarch.rpm UTSA-2024:20067 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: jruby security update

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.(CVE-2023-28756) jruby-javadoc-1.7.22-4.uel20.noarch.rpm jruby-1.7.22-4.uel20.noarch.rpm jruby-devel-1.7.22-4.uel20.noarch.rpm UTSA-2024:20068 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: freerdp security update

FreeRDP is a set of free and open source remote desktop protocol library and clients. In affected versions an integer overflow in `freerdp_bitmap_planar_context_reset` leads to heap-buffer overflow. This affects FreeRDP based clients. FreeRDP based server implementations and proxy are not affected. A malicious server could prepare a `RDPGFX_RESET_GRAPHICS_PDU` to allocate too small buffers, possibly triggering later out of bound read/write. Data extraction over network is not possible, the buffers are used to display an image. This issue has been addressed in version 2.11.5 and 3.2.0. Users are advised to upgrade. there are no know workarounds for this vulnerability. (CVE-2024-22211) libwinpr-2.11.1-2.uel20.x86_64.rpm libwinpr-devel-2.11.1-2.uel20.x86_64.rpm freerdp-help-2.11.1-2.uel20.x86_64.rpm freerdp-2.11.1-2.uel20.x86_64.rpm freerdp-devel-2.11.1-2.uel20.x86_64.rpm freerdp-devel-2.11.1-2.uel20.aarch64.rpm libwinpr-2.11.1-2.uel20.aarch64.rpm freerdp-help-2.11.1-2.uel20.aarch64.rpm freerdp-2.11.1-2.uel20.aarch64.rpm libwinpr-devel-2.11.1-2.uel20.aarch64.rpm UTSA-2024:20069 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-pillow security update

Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).(CVE-2023-50447) python3-pillow-tk-9.0.1-6.uel20.x86_64.rpm python3-pillow-9.0.1-6.uel20.x86_64.rpm python3-pillow-devel-9.0.1-6.uel20.x86_64.rpm python3-pillow-qt-9.0.1-6.uel20.x86_64.rpm python3-pillow-9.0.1-6.uel20.aarch64.rpm python3-pillow-devel-9.0.1-6.uel20.aarch64.rpm python3-pillow-help-9.0.1-6.uel20.noarch.rpm python3-pillow-tk-9.0.1-6.uel20.aarch64.rpm python3-pillow-qt-9.0.1-6.uel20.aarch64.rpm UTSA-2024:20070 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: ansible security update

An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.(CVE-2024-0690) ansible-2.9.11-1.uel20.01.noarch.rpm ansible-doc-2.9.11-1.uel20.01.noarch.rpm UTSA-2024:20071 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: pam security update

linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.(CVE-2024-22365) pam-1.4.0-11.up6.uel20.x86_64.rpm pam-devel-1.4.0-11.up6.uel20.x86_64.rpm pam-help-1.4.0-11.up6.uel20.noarch.rpm pam-1.4.0-11.up6.uel20.aarch64.rpm pam-devel-1.4.0-11.up6.uel20.aarch64.rpm UTSA-2024:20072 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: erlang security update

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795) erlang-runtime_tools-21.3.3-2.uel20.01.x86_64.rpm erlang-ftp-21.3.3-2.uel20.01.x86_64.rpm erlang-jinterface-21.3.3-2.uel20.01.x86_64.rpm erlang-tools-21.3.3-2.uel20.01.x86_64.rpm erlang-tftp-21.3.3-2.uel20.01.x86_64.rpm erlang-compiler-21.3.3-2.uel20.01.x86_64.rpm erlang-megaco-21.3.3-2.uel20.01.x86_64.rpm erlang-wx-21.3.3-2.uel20.01.x86_64.rpm erlang-examples-21.3.3-2.uel20.01.x86_64.rpm erlang-parsetools-21.3.3-2.uel20.01.x86_64.rpm erlang-erl_docgen-21.3.3-2.uel20.01.x86_64.rpm erlang-inets-21.3.3-2.uel20.01.x86_64.rpm erlang-debugger-21.3.3-2.uel20.01.x86_64.rpm erlang-public_key-21.3.3-2.uel20.01.x86_64.rpm erlang-os_mon-21.3.3-2.uel20.01.x86_64.rpm erlang-21.3.3-2.uel20.01.x86_64.rpm erlang-ssh-21.3.3-2.uel20.01.x86_64.rpm erlang-snmp-21.3.3-2.uel20.01.x86_64.rpm erlang-diameter-21.3.3-2.uel20.01.x86_64.rpm erlang-eldap-21.3.3-2.uel20.01.x86_64.rpm erlang-mnesia-21.3.3-2.uel20.01.x86_64.rpm erlang-erts-21.3.3-2.uel20.01.x86_64.rpm erlang-et-21.3.3-2.uel20.01.x86_64.rpm erlang-kernel-21.3.3-2.uel20.01.x86_64.rpm erlang-crypto-21.3.3-2.uel20.01.x86_64.rpm erlang-edoc-21.3.3-2.uel20.01.x86_64.rpm erlang-erl_interface-21.3.3-2.uel20.01.x86_64.rpm erlang-hipe-21.3.3-2.uel20.01.x86_64.rpm erlang-stdlib-21.3.3-2.uel20.01.x86_64.rpm erlang-odbc-21.3.3-2.uel20.01.x86_64.rpm erlang-eunit-21.3.3-2.uel20.01.x86_64.rpm erlang-syntax_tools-21.3.3-2.uel20.01.x86_64.rpm erlang-reltool-21.3.3-2.uel20.01.x86_64.rpm erlang-otp_mibs-21.3.3-2.uel20.01.x86_64.rpm erlang-common_test-21.3.3-2.uel20.01.x86_64.rpm erlang-observer-21.3.3-2.uel20.01.x86_64.rpm erlang-asn1-21.3.3-2.uel20.01.x86_64.rpm erlang-xmerl-21.3.3-2.uel20.01.x86_64.rpm erlang-dialyzer-21.3.3-2.uel20.01.x86_64.rpm erlang-ssl-21.3.3-2.uel20.01.x86_64.rpm erlang-sasl-21.3.3-2.uel20.01.x86_64.rpm erlang-os_mon-21.3.3-2.uel20.01.aarch64.rpm erlang-inets-21.3.3-2.uel20.01.aarch64.rpm erlang-reltool-21.3.3-2.uel20.01.aarch64.rpm erlang-crypto-21.3.3-2.uel20.01.aarch64.rpm erlang-diameter-21.3.3-2.uel20.01.aarch64.rpm erlang-kernel-21.3.3-2.uel20.01.aarch64.rpm erlang-megaco-21.3.3-2.uel20.01.aarch64.rpm erlang-ftp-21.3.3-2.uel20.01.aarch64.rpm erlang-asn1-21.3.3-2.uel20.01.aarch64.rpm erlang-edoc-21.3.3-2.uel20.01.aarch64.rpm erlang-eunit-21.3.3-2.uel20.01.aarch64.rpm erlang-21.3.3-2.uel20.01.aarch64.rpm erlang-tftp-21.3.3-2.uel20.01.aarch64.rpm erlang-stdlib-21.3.3-2.uel20.01.aarch64.rpm erlang-observer-21.3.3-2.uel20.01.aarch64.rpm erlang-snmp-21.3.3-2.uel20.01.aarch64.rpm erlang-otp_mibs-21.3.3-2.uel20.01.aarch64.rpm erlang-erl_interface-21.3.3-2.uel20.01.aarch64.rpm erlang-parsetools-21.3.3-2.uel20.01.aarch64.rpm erlang-hipe-21.3.3-2.uel20.01.aarch64.rpm erlang-common_test-21.3.3-2.uel20.01.aarch64.rpm erlang-runtime_tools-21.3.3-2.uel20.01.aarch64.rpm erlang-ssh-21.3.3-2.uel20.01.aarch64.rpm erlang-erts-21.3.3-2.uel20.01.aarch64.rpm erlang-sasl-21.3.3-2.uel20.01.aarch64.rpm erlang-erl_docgen-21.3.3-2.uel20.01.aarch64.rpm erlang-eldap-21.3.3-2.uel20.01.aarch64.rpm erlang-wx-21.3.3-2.uel20.01.aarch64.rpm erlang-odbc-21.3.3-2.uel20.01.aarch64.rpm erlang-examples-21.3.3-2.uel20.01.aarch64.rpm erlang-syntax_tools-21.3.3-2.uel20.01.aarch64.rpm erlang-xmerl-21.3.3-2.uel20.01.aarch64.rpm erlang-ssl-21.3.3-2.uel20.01.aarch64.rpm erlang-mnesia-21.3.3-2.uel20.01.aarch64.rpm erlang-jinterface-21.3.3-2.uel20.01.aarch64.rpm erlang-et-21.3.3-2.uel20.01.aarch64.rpm erlang-dialyzer-21.3.3-2.uel20.01.aarch64.rpm erlang-debugger-21.3.3-2.uel20.01.aarch64.rpm erlang-tools-21.3.3-2.uel20.01.aarch64.rpm erlang-public_key-21.3.3-2.uel20.01.aarch64.rpm erlang-compiler-21.3.3-2.uel20.01.aarch64.rpm UTSA-2024:20073 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: deepin-system-monitor security update

fix cve/bug or enhancement deepin-system-monitor-5.9.31-1.uel20.01.aarch64.rpm deepin-system-monitor-5.9.31-1.uel20.01.x86_64.rpm UTSA-2024:20074 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python-jinja2 security update

Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. (CVE-2024-22195) python3-jinja2-2.11.2-6.uel20.noarch.rpm python-jinja2-help-2.11.2-6.uel20.noarch.rpm python2-jinja2-2.11.2-6.uel20.noarch.rpm UTSA-2024:20075 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python-paramiko security update

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795) python3-paramiko-2.11.0-2.uel20.noarch.rpm python-paramiko-help-2.11.0-2.uel20.noarch.rpm UTSA-2024:20076 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python-pycryptodome security update

PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.(CVE-2023-52323) python3-pycryptodome-3.19.1-1.uel20.x86_64.rpm python2-pycryptodome-3.19.1-1.uel20.x86_64.rpm python2-pycryptodome-3.19.1-1.uel20.aarch64.rpm python3-pycryptodome-3.19.1-1.uel20.aarch64.rpm UTSA-2024:20077 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python-pycryptodomex security update

PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.(CVE-2023-52323) python3-pycryptodomex-3.19.1-1.uel20.x86_64.rpm python3-pycryptodomex-3.19.1-1.uel20.aarch64.rpm python-pycryptodomex-help-3.19.1-1.uel20.noarch.rpm UTSA-2024:20078 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: proftpd security update

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795) make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte out-of-bounds read, and daemon crash, because of mishandling of quote/backslash semantics.(CVE-2023-51713) proftpd-postgresql-1.3.8b-2.uel20.x86_64.rpm proftpd-sqlite-1.3.8b-2.uel20.x86_64.rpm proftpd-utils-1.3.8b-2.uel20.x86_64.rpm proftpd-mysql-1.3.8b-2.uel20.x86_64.rpm proftpd-ldap-1.3.8b-2.uel20.x86_64.rpm proftpd-1.3.8b-2.uel20.x86_64.rpm proftpd-devel-1.3.8b-2.uel20.x86_64.rpm proftpd-devel-1.3.8b-2.uel20.aarch64.rpm proftpd-postgresql-1.3.8b-2.uel20.aarch64.rpm proftpd-1.3.8b-2.uel20.aarch64.rpm proftpd-utils-1.3.8b-2.uel20.aarch64.rpm proftpd-mysql-1.3.8b-2.uel20.aarch64.rpm proftpd-ldap-1.3.8b-2.uel20.aarch64.rpm proftpd-sqlite-1.3.8b-2.uel20.aarch64.rpm UTSA-2024:20079 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libpq security update

A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack.(CVE-2023-5870) A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory.(CVE-2023-5869) A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory.(CVE-2023-5868) libpq-13.13-1.uel20.x86_64.rpm libpq-devel-13.13-1.uel20.x86_64.rpm libpq-13.13-1.uel20.aarch64.rpm libpq-devel-13.13-1.uel20.aarch64.rpm UTSA-2024:20080 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: openssl security update

Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. (CVE-2023-5678) openssl-1.1.1k-9.uel20.20.x86_64.rpm openssl-devel-1.1.1k-9.uel20.20.x86_64.rpm openssl-libs-1.1.1k-9.uel20.20.x86_64.rpm openssl-help-1.1.1k-9.uel20.20.noarch.rpm openssl-devel-1.1.1k-9.uel20.20.aarch64.rpm openssl-libs-1.1.1k-9.uel20.20.aarch64.rpm openssl-1.1.1k-9.uel20.20.aarch64.rpm UTSA-2024:20081 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libsndfile security update

Multiple signed integers overflow in function au_read_header in src/au.c and in functions mat4_open and mat4_read_header in src/mat4.c in Libsndfile, allows an attacker to cause Denial of Service or other unspecified impacts.(CVE-2022-33065) libsndfile-1.0.28-21.uel20.x86_64.rpm libsndfile-utils-1.0.28-21.uel20.x86_64.rpm libsndfile-devel-1.0.28-21.uel20.x86_64.rpm libsndfile-devel-1.0.28-21.uel20.aarch64.rpm libsndfile-utils-help-1.0.28-21.uel20.noarch.rpm libsndfile-1.0.28-21.uel20.aarch64.rpm libsndfile-utils-1.0.28-21.uel20.aarch64.rpm UTSA-2024:20082 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Low

Low: yasm security update

yasm v1.3.0 was discovered to contain a memory leak via the function yasm_intnum_copy at /libyasm/intnum.c.(CVE-2023-31975) yasm-1.3.0-11.uel20.x86_64.rpm yasm-devel-1.3.0-11.uel20.x86_64.rpm yasm-1.3.0-11.uel20.aarch64.rpm yasm-devel-1.3.0-11.uel20.aarch64.rpm yasm-help-1.3.0-11.uel20.noarch.rpm UTSA-2024:20083 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: postgresql-jdbc security update

pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.(CVE-2024-1597) postgresql-jdbc-javadoc-42.4.1-3.uel20.noarch.rpm postgresql-jdbc-42.4.1-3.uel20.noarch.rpm postgresql-jdbc-help-42.4.1-3.uel20.noarch.rpm UTSA-2024:20084 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: unbound security update

A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged attacker to manipulate a running instance, potentially altering forwarders, allowing them to track all queries forwarded by the local resolver, and, in some cases, disrupting resolving altogether.(CVE-2024-1488) The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.(CVE-2023-50868) Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.(CVE-2023-50387) unbound-help-1.16.2-5.uel20.03.x86_64.rpm python3-unbound-1.16.2-5.uel20.03.x86_64.rpm unbound-1.16.2-5.uel20.03.x86_64.rpm unbound-libs-1.16.2-5.uel20.03.x86_64.rpm unbound-devel-1.16.2-5.uel20.03.x86_64.rpm unbound-1.16.2-5.uel20.03.aarch64.rpm unbound-libs-1.16.2-5.uel20.03.aarch64.rpm unbound-help-1.16.2-5.uel20.03.aarch64.rpm unbound-devel-1.16.2-5.uel20.03.aarch64.rpm python3-unbound-1.16.2-5.uel20.03.aarch64.rpm UTSA-2024:20085 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: varnish security update

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.(CVE-2023-44487) varnish-7.4.2-1.uel20.x86_64.rpm varnish-devel-7.4.2-1.uel20.x86_64.rpm varnish-help-7.4.2-1.uel20.noarch.rpm varnish-7.4.2-1.uel20.aarch64.rpm varnish-devel-7.4.2-1.uel20.aarch64.rpm UTSA-2024:20086 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: edk2 security update

Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulernable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.(CVE-2023-3446) Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service. An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods. When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*). With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms. Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data. Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low. In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature. The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.(CVE-2023-2650) The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.(CVE-2023-0466) Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465) A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464) Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.(CVE-2024-0727) edk2-devel-202002-17.uel20.01.x86_64.rpm edk2-ovmf-202002-17.uel20.01.noarch.rpm edk2-help-202002-17.uel20.01.noarch.rpm python3-edk2-devel-202002-17.uel20.01.noarch.rpm edk2-aarch64-202002-17.uel20.01.noarch.rpm edk2-devel-202002-17.uel20.01.aarch64.rpm UTSA-2024:20087 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: shim security update

Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulernable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.(CVE-2023-3446) Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service. An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods. When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*). With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms. Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data. Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low. In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature. The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication. In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.(CVE-2023-2650) Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465) A flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during the system's boot phase.(CVE-2023-40551) A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully.(CVE-2023-40547) shim-15-35.up1.uel20.02.x86_64.rpm shim-15-35.up1.uel20.02.aarch64.rpm UTSA-2024:20088 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: shim security update

A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464) shim-15-33.up1.uel20.x86_64.rpm shim-15-33.up1.uel20.aarch64.rpm UTSA-2024:20089 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: kernel-4.19 security update

In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access.(CVE-2024-23849) A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. (CVE-2024-1086) A flaw was found in the Netfilter subsystem in the Linux kernel. The issue is in the nft_byteorder_eval() function, where the code iterates through a loop and writes to the `dst` array. On each iteration, 8 bytes are written, but `dst` is an array of u32, so each element only has space for 4 bytes. That means every iteration overwrites part of the previous element corrupting this array of u32. This flaw allows a local user to cause a denial of service or potentially break NetFilter functionality.(CVE-2024-0607) An out-of-bounds memory read flaw was found in receive_encrypted_standard in fs/smb/client/smb2ops.c in the SMB Client sub-component in the Linux Kernel. This issue occurs due to integer underflow on the memcpy length, leading to a denial of service.(CVE-2024-0565) In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a use-after-free during a race condition between a nonblocking atomic commit and a driver unload.(CVE-2023-51043) In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free.(CVE-2023-51042) Transmit requests in Xen's virtual network protocol can consist of multiple parts. While not really useful, except for the initial part any of them may be of zero length, i.e. carry no data at all. Besides a certain initial portion of the to be transferred data, these parts are directly translated into what Linux calls SKB fragments. Such converted request parts can, when for a particular SKB they are all of length zero, lead to a de-reference of NULL in core networking code. (CVE-2023-46838) In the Linux kernel before 6.5.9, there is a NULL pointer dereference in send_acknowledge in net/nfc/nci/spi.c.(CVE-2023-46343) An issue was discovered in drivers/input/input.c in the Linux kernel before 5.17.10. An attacker can cause a denial of service (panic) because input_set_capability mishandles the situation in which an event code falls outside of a bitmap.(CVE-2022-48619) A vulnerability was found in vhost_new_msg in drivers/vhost/vhost.c in the Linux kernel, which does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This issue can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.(CVE-2024-0340) An out-of-bounds access vulnerability involving netfilter was reported and fixed as: f1082dd31fe4 (netfilter: nf_tables: Reject tables of unsupported family); While creating a new netfilter table, lack of a safeguard against invalid nf_tables family (pf) values within `nf_tables_newtable` function enables an attacker to achieve out-of-bounds access.(CVE-2023-6040) kernel-devel-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm kernel-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm python2-perf-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm kernel-tools-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm bpftool-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm perf-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm kernel-btf-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm python3-perf-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm python2-perf-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm kernel-btf-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm bpftool-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm kernel-tools-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm kernel-devel-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm kernel-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm perf-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm python3-perf-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm UTSA-2024:20090 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: edk2 security update

EDK2's Network Package is susceptible to a buffer overflow vulnerability when handling Server ID option from a DHCPv6 proxy Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability. (CVE-2023-45235) EDK2's Network Package is susceptible to a buffer overflow vulnerability when processing DNS Servers option from a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability. (CVE-2023-45234) EDK2's Network Package is susceptible to an infinite lop vulnerability when parsing a PadN option in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability. (CVE-2023-45233) EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability. (CVE-2023-45232) EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing  Neighbor Discovery Redirect message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.(CVE-2023-45231) EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability. (CVE-2023-45230) EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.(CVE-2023-45229) EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger a integer overflow to buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability. (CVE-2022-36765) EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability. (CVE-2022-36764) EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability. (CVE-2022-36763) edk2-ovmf-202002-19.uel20.01.noarch.rpm edk2-devel-202002-19.uel20.01.x86_64.rpm python3-edk2-devel-202002-19.uel20.01.noarch.rpm edk2-devel-202002-19.uel20.01.aarch64.rpm edk2-help-202002-19.uel20.01.noarch.rpm edk2-aarch64-202002-19.uel20.01.noarch.rpm UTSA-2024:20091 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: wireshark security update

IEEE 1609.2 dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3.6.0 to 3.6.19 allows denial of service via packet injection or crafted capture file(CVE-2024-0209) GVCP dissector crash in Wireshark 4.2.0, 4.0.0 to 4.0.11, and 3.6.0 to 3.6.19 allows denial of service via packet injection or crafted capture file(VE-2024-0208) wireshark-devel-3.6.14-6.uel20.x86_64.rpm wireshark-3.6.14-6.uel20.x86_64.rpm wireshark-help-3.6.14-6.uel20.x86_64.rpm wireshark-devel-3.6.14-6.uel20.aarch64.rpm wireshark-3.6.14-6.uel20.aarch64.rpm wireshark-help-3.6.14-6.uel20.aarch64.rpm UTSA-2024:20092 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: firefox security update

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.(CVE-2023-7104) Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)(CVE-2023-5217) Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)(CVE-2023-4863) firefox-79.0-15.uel20.01.x86_64.rpm firefox-79.0-15.uel20.01.aarch64.rpm UTSA-2024:20093 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: glusterfs security update

In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free.(CVE-2022-48340) glusterfs-7.0-12.uel20.x86_64.rpm glusterfs-devel-7.0-12.uel20.x86_64.rpm python3-gluster-7.0-12.uel20.x86_64.rpm glusterfs-help-7.0-12.uel20.x86_64.rpm glusterfs-resource-agents-7.0-12.uel20.noarch.rpm glusterfs-7.0-12.uel20.aarch64.rpm glusterfs-help-7.0-12.uel20.aarch64.rpm glusterfs-devel-7.0-12.uel20.aarch64.rpm python3-gluster-7.0-12.uel20.aarch64.rpm UTSA-2024:20094 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: python-django security update

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.(CVE-2024-27351) python3-Django-2.2.27-11.uel20.noarch.rpm python-django-help-2.2.27-11.uel20.noarch.rpm UTSA-2024:20095 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: glade security update

plugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 3.39.x before 3.40.0 mishandles widget rebuilding for GladeGtkBox, leading to a denial of service (application crash).(CVE-2020-36774) glade-3.36.0-3.uel20.x86_64.rpm glade-libs-3.36.0-3.uel20.x86_64.rpm glade-devel-3.36.0-3.uel20.x86_64.rpm glade-3.36.0-3.uel20.aarch64.rpm glade-libs-3.36.0-3.uel20.aarch64.rpm glade-devel-3.36.0-3.uel20.aarch64.rpm glade-help-3.36.0-3.uel20.noarch.rpm UTSA-2024:20096 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Low

Low: grub2 security update

A flaw was found in the grub2-set-bootflag utility of grub2. After the fix of CVE-2019-14865, grub2-set-bootflag will create a temporary file with the new grubenv content and rename it to the original grubenv file. If the program is killed before the rename operation, the temporary file will not be removed and may fill the filesystem when invoked multiple times, resulting in a filesystem out of free inodes or blocks.(CVE-2024-1048) grub2-efi-aa64-modules-2.04-38.up7.uel20.01.noarch.rpm grub2-common-2.04-38.up7.uel20.01.aarch64.rpm grub2-efi-aa64-2.04-38.up7.uel20.01.aarch64.rpm grub2-efi-aa64-cdboot-2.04-38.up7.uel20.01.aarch64.rpm grub2-tools-extra-2.04-38.up7.uel20.01.aarch64.rpm grub2-tools-2.04-38.up7.uel20.01.aarch64.rpm grub2-tools-minimal-2.04-38.up7.uel20.01.aarch64.rpm grub2-tools-2.04-38.up7.uel20.01.x86_64.rpm grub2-efi-x64-2.04-38.up7.uel20.01.x86_64.rpm grub2-efi-ia32-2.04-38.up7.uel20.01.x86_64.rpm grub2-tools-efi-2.04-38.up7.uel20.01.x86_64.rpm grub2-efi-ia32-modules-2.04-38.up7.uel20.01.noarch.rpm grub2-pc-modules-2.04-38.up7.uel20.01.noarch.rpm grub2-efi-x64-cdboot-2.04-38.up7.uel20.01.x86_64.rpm grub2-tools-extra-2.04-38.up7.uel20.01.x86_64.rpm grub2-help-2.04-38.up7.uel20.01.noarch.rpm grub2-pc-2.04-38.up7.uel20.01.x86_64.rpm grub2-tools-minimal-2.04-38.up7.uel20.01.x86_64.rpm grub2-efi-ia32-cdboot-2.04-38.up7.uel20.01.x86_64.rpm grub2-efi-x64-modules-2.04-38.up7.uel20.01.noarch.rpm grub2-common-2.04-38.up7.uel20.01.x86_64.rpm UTSA-2024:20097 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: openssl security update

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.(CVE-2024-0727) openssl-1.1.1k-9.uel20.22.x86_64.rpm openssl-devel-1.1.1k-9.uel20.22.x86_64.rpm openssl-libs-1.1.1k-9.uel20.22.x86_64.rpm openssl-help-1.1.1k-9.uel20.22.noarch.rpm openssl-1.1.1k-9.uel20.22.aarch64.rpm openssl-devel-1.1.1k-9.uel20.22.aarch64.rpm openssl-libs-1.1.1k-9.uel20.22.aarch64.rpm UTSA-2024:20098 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: arm-trusted-firmware security update

Trusted Firmware-A (TF-A) before 2.10 has a potential read out-of-bounds in the SDEI service. The input parameter passed in register x1 is not validated well enough in the function sdei_interrupt_bind. The parameter is passed to a call to plat_ic_get_interrupt_type. It can be any arbitrary value passing checks in the function plat_ic_is_sgi. A compromised Normal World (Linux kernel) can enable a root-privileged attacker to issue arbitrary SMC calls. Using this primitive, he can control the content of registers x0 through x6, which are used to send parameters to TF-A. Out-of-bounds addresses can be read in the context of TF-A (EL3). Because the read value is never returned to non-secure memory or in registers, no leak is possible. An attacker can still crash TF-A, however.(CVE-2023-49100) arm-trusted-firmware-armv8-1.6-4.uel20.aarch64.rpm UTSA-2024:20099 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: json-path security update

json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.(CVE-2023-51074) json-path-2.1.0-2.uel20.noarch.rpm json-path-javadoc-2.1.0-2.uel20.noarch.rpm UTSA-2024:20100 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: jsoup security update

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)(CVE-2022-36033) jsoup-1.14.2-2.uel20.noarch.rpm UTSA-2024:20101 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: xorg-x11-server security update

A use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently, ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.(CVE-2024-31083) A heap-based buffer over-read vulnerability was found in the X.org server's ProcAppleDRICreatePixmap() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.(CVE-2024-31082) A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.(CVE-2024-31081) A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.(CVE-2024-31080) xorg-x11-server-1.20.8-26.up8.uel20.x86_64.rpm xorg-x11-server-devel-1.20.8-26.up8.uel20.x86_64.rpm xorg-x11-server-Xephyr-1.20.8-26.up8.uel20.x86_64.rpm xorg-x11-server-1.20.8-26.up8.uel20.aarch64.rpm xorg-x11-server-devel-1.20.8-26.up8.uel20.aarch64.rpm xorg-x11-server-Xephyr-1.20.8-26.up8.uel20.aarch64.rpm xorg-x11-server-help-1.20.8-26.up8.uel20.noarch.rpm UTSA-2024:20102 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: nghttp2 security update

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.(CVE-2024-28182) nghttp2-1.41.0-5.uel20.6.x86_64.rpm libnghttp2-1.41.0-5.uel20.6.x86_64.rpm libnghttp2-devel-1.41.0-5.uel20.6.x86_64.rpm nghttp2-1.41.0-5.uel20.6.aarch64.rpm libnghttp2-devel-1.41.0-5.uel20.6.aarch64.rpm nghttp2-help-1.41.0-5.uel20.6.noarch.rpm libnghttp2-1.41.0-5.uel20.6.aarch64.rpm UTSA-2024:20103 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: mod_http2 security update

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.(CVE-2024-27316) mod_http2-1.15.13-2.uel20.x86_64.rpm mod_http2-help-1.15.13-2.uel20.noarch.rpm mod_http2-1.15.13-2.uel20.aarch64.rpm UTSA-2024:20104 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: iperf3 security update

A flaw was found in iperf, a utility for testing network performance using TCP, UDP, and SCTP. A malicious or malfunctioning client can send less than the expected amount of data to the iperf server, which can cause the server to hang indefinitely waiting for the remainder or until the connection gets closed. This will prevent other connections to the server, leading to a denial of service.(CVE-2023-7250) iperf3-3.16-1.uel20.x86_64.rpm iperf3-devel-3.16-1.uel20.x86_64.rpm iperf3-3.16-1.uel20.aarch64.rpm iperf3-help-3.16-1.uel20.noarch.rpm iperf3-devel-3.16-1.uel20.aarch64.rpm UTSA-2024:20105 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: util-linux security update

wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.(CVE-2024-28085) util-linux-2.35.2-12.up4.uel20.09.x86_64.rpm libblkid-2.35.2-12.up4.uel20.09.x86_64.rpm libmount-2.35.2-12.up4.uel20.09.x86_64.rpm python-libmount-2.35.2-12.up4.uel20.09.x86_64.rpm libfdisk-2.35.2-12.up4.uel20.09.x86_64.rpm libuuid-2.35.2-12.up4.uel20.09.x86_64.rpm uuidd-2.35.2-12.up4.uel20.09.x86_64.rpm util-linux-devel-2.35.2-12.up4.uel20.09.x86_64.rpm util-linux-user-2.35.2-12.up4.uel20.09.x86_64.rpm util-linux-help-2.35.2-12.up4.uel20.09.x86_64.rpm libsmartcols-2.35.2-12.up4.uel20.09.x86_64.rpm util-linux-2.35.2-12.up4.uel20.09.aarch64.rpm libfdisk-2.35.2-12.up4.uel20.09.aarch64.rpm python-libmount-2.35.2-12.up4.uel20.09.aarch64.rpm libsmartcols-2.35.2-12.up4.uel20.09.aarch64.rpm uuidd-2.35.2-12.up4.uel20.09.aarch64.rpm libblkid-2.35.2-12.up4.uel20.09.aarch64.rpm util-linux-help-2.35.2-12.up4.uel20.09.aarch64.rpm util-linux-user-2.35.2-12.up4.uel20.09.aarch64.rpm libuuid-2.35.2-12.up4.uel20.09.aarch64.rpm libmount-2.35.2-12.up4.uel20.09.aarch64.rpm util-linux-devel-2.35.2-12.up4.uel20.09.aarch64.rpm UTSA-2024:20106 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: curl security update

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.(CVE-2024-2398) libcurl-7.71.1-33.up3.uel20.03.x86_64.rpm curl-7.71.1-33.up3.uel20.03.x86_64.rpm libcurl-devel-7.71.1-33.up3.uel20.03.x86_64.rpm curl-7.71.1-33.up3.uel20.03.aarch64.rpm libcurl-7.71.1-33.up3.uel20.03.aarch64.rpm libcurl-devel-7.71.1-33.up3.uel20.03.aarch64.rpm curl-help-7.71.1-33.up3.uel20.03.noarch.rpm UTSA-2024:20107 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: golang security update

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.(CVE-2024-24784) golang-1.15.7-41.uel20.x86_64.rpm golang-devel-1.15.7-41.uel20.noarch.rpm golang-1.15.7-41.uel20.aarch64.rpm golang-help-1.15.7-41.uel20.noarch.rpm UTSA-2024:20108 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: tigervnc security update

A heap buffer overflow flaw was found in the DisableDevice function in the X.Org server. This issue may lead to an application crash or, in some circumstances, remote code execution in SSH X11 forwarding environments.(CVE-2024-21886) A flaw was found in X.Org server. In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. This can trigger a heap buffer overflow condition, which may lead to an application crash or remote code execution in SSH X11 forwarding environments.(CVE-2024-21885) A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed followed by another window being destroyed.(CVE-2023-5380) A out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service.(CVE-2023-5367) tigervnc-server-minimal-1.10.1-8.uel20.01.x86_64.rpm tigervnc-server-module-1.10.1-8.uel20.01.x86_64.rpm tigervnc-1.10.1-8.uel20.01.x86_64.rpm tigervnc-server-1.10.1-8.uel20.01.x86_64.rpm tigervnc-1.10.1-8.uel20.01.aarch64.rpm tigervnc-server-minimal-1.10.1-8.uel20.01.aarch64.rpm tigervnc-server-1.10.1-8.uel20.01.aarch64.rpm tigervnc-server-module-1.10.1-8.uel20.01.aarch64.rpm tigervnc-server-applet-1.10.1-8.uel20.01.noarch.rpm tigervnc-help-1.10.1-8.uel20.01.noarch.rpm UTSA-2024:20109 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: mod_security security update

In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.(CVE-2022-48279) mod_security-2.9.5-2.up1.uel20.x86_64.rpm mod_security-2.9.5-2.up1.uel20.aarch64.rpm UTSA-2024:20110 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: telnet security update

telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a "telnet/tcp server failing (looping), service terminated" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.(CVE-2022-39028) telnet-0.17-78.uel20.x86_64.rpm telnet-help-0.17-78.uel20.x86_64.rpm telnet-help-0.17-78.uel20.aarch64.rpm telnet-0.17-78.uel20.aarch64.rpm UTSA-2024:20111 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: ruby security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2024-27280) ruby-2.5.8-121.uel20.x86_64.rpm rubygem-json-2.1.0-121.uel20.x86_64.rpm ruby-devel-2.5.8-121.uel20.x86_64.rpm rubygem-bigdecimal-1.3.4-121.uel20.x86_64.rpm rubygem-psych-3.0.2-121.uel20.x86_64.rpm rubygem-io-console-0.4.6-121.uel20.x86_64.rpm rubygem-openssl-2.1.2-121.uel20.x86_64.rpm ruby-help-2.5.8-121.uel20.noarch.rpm ruby-2.5.8-121.uel20.aarch64.rpm rubygem-xmlrpc-0.3.0-121.uel20.noarch.rpm ruby-devel-2.5.8-121.uel20.aarch64.rpm rubygems-devel-2.7.6-121.uel20.noarch.rpm rubygem-test-unit-3.2.7-121.uel20.noarch.rpm rubygems-2.7.6-121.uel20.noarch.rpm rubygem-io-console-0.4.6-121.uel20.aarch64.rpm rubygem-did_you_mean-1.2.0-121.uel20.noarch.rpm rubygem-psych-3.0.2-121.uel20.aarch64.rpm rubygem-bigdecimal-1.3.4-121.uel20.aarch64.rpm rubygem-rdoc-6.0.1.1-121.uel20.noarch.rpm ruby-irb-2.5.8-121.uel20.noarch.rpm rubygem-power_assert-1.1.1-121.uel20.noarch.rpm rubygem-json-2.1.0-121.uel20.aarch64.rpm rubygem-rake-12.3.0-121.uel20.noarch.rpm rubygem-net-telnet-0.1.1-121.uel20.noarch.rpm rubygem-minitest-5.10.3-121.uel20.noarch.rpm rubygem-openssl-2.1.2-121.uel20.aarch64.rpm UTSA-2024:20112 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: jpegoptim security update

JPEGOPTIM v1.4.7 was discovered to contain a segmentation violation which is caused by a READ memory access at jpegoptim.c.(CVE-2022-32325) jpegoptim-1.5.5-1.uel20.x86_64.rpm jpegoptim-1.5.5-1.uel20.aarch64.rpm UTSA-2024:20113 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rubygem-tzinfo security update

TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of `tzinfo/definition` within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to `TZInfo::Timezone.get` by ensuring it matches the regular expression `\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z`.(CVE-2022-31163) rubygem-tzinfo-doc-1.2.5-3.uel20.noarch.rpm rubygem-tzinfo-1.2.5-3.uel20.noarch.rpm UTSA-2024:20114 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: openvswitch security update

An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2022-2639) openvswitch-2.12.4-10.uel20.x86_64.rpm openvswitch-devel-2.12.4-10.uel20.x86_64.rpm python3-openvswitch-2.12.4-10.uel20.x86_64.rpm openvswitch-help-2.12.4-10.uel20.x86_64.rpm openvswitch-2.12.4-10.uel20.aarch64.rpm python3-openvswitch-2.12.4-10.uel20.aarch64.rpm openvswitch-help-2.12.4-10.uel20.aarch64.rpm openvswitch-devel-2.12.4-10.uel20.aarch64.rpm UTSA-2024:20115 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: nodejs-qs security update

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).(CVE-2022-24999) nodejs-qs-6.5.1-2.uel20.noarch.rpm UTSA-2024:20116 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libgsasl security update

GNU SASL libgsasl server-side read-out-of-bounds with malicious authenticated GSS-API client(CVE-2022-2469) libgsasl-1.8.0-17.uel20.x86_64.rpm libgsasl-devel-1.8.0-17.uel20.x86_64.rpm libgsasl-1.8.0-17.uel20.aarch64.rpm libgsasl-devel-1.8.0-17.uel20.aarch64.rpm UTSA-2024:20117 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libdwarf security update

A double-free vulnerability was found in libdwarf. In a multiply-corrupted DWARF object, libdwarf may try to dealloc(free) an allocation twice, potentially causing unpredictable and various results.(CVE-2024-2002) libdwarf-devel-0.9.1-1.uel20.x86_64.rpm libdwarf-tools-0.9.1-1.uel20.x86_64.rpm libdwarf-0.9.1-1.uel20.x86_64.rpm libdwarf-devel-0.9.1-1.uel20.aarch64.rpm libdwarf-help-0.9.1-1.uel20.noarch.rpm libdwarf-tools-0.9.1-1.uel20.aarch64.rpm libdwarf-0.9.1-1.uel20.aarch64.rpm UTSA-2024:20118 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: microcode_ctl security update

Protection mechanism failure of bus lock regulator for some Intel(R) Processors may allow an unauthenticated user to potentially enable denial of service via network access.(CVE-2023-39368) Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.(CVE-2023-38575) microcode_ctl-20240312-1.uel20.01.x86_64.rpm UTSA-2024:20119 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: libreswan security update

The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured secret. When such a connection is automatically added on startup using the auto= keyword, it can cause repeated crashes leading to a Denial of Service.(CVE-2024-2357) libreswan-4.14-1.uel20.x86_64.rpm libreswan-help-4.14-1.uel20.x86_64.rpm libreswan-4.14-1.uel20.aarch64.rpm libreswan-help-4.14-1.uel20.aarch64.rpm UTSA-2024:20120 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: golang security update

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.(CVE-2024-24785) Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.(CVE-2024-24783) When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.(CVE-2023-45290) When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.(CVE-2023-45289) golang-1.15.7-39.uel20.x86_64.rpm golang-devel-1.15.7-39.uel20.noarch.rpm golang-1.15.7-39.uel20.aarch64.rpm golang-help-1.15.7-39.uel20.noarch.rpm UTSA-2024:20121 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: c-ares security update

c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.(CVE-2024-25629) c-ares-1.16.1-8.uel20.01.x86_64.rpm c-ares-devel-1.16.1-8.uel20.01.x86_64.rpm c-ares-devel-1.16.1-8.uel20.01.aarch64.rpm c-ares-1.16.1-8.uel20.01.aarch64.rpm c-ares-help-1.16.1-8.uel20.01.noarch.rpm UTSA-2024:20122 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: kernel-4.19 security update

In the Linux kernel, the following vulnerability has been resolved: net: qualcomm: rmnet: fix global oob in rmnet_policy The variable rmnet_link_ops assign a *bigger* maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. See bug trace below: ================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline] BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 Read of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207 CPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G N 6.1.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x172/0x475 mm/kasan/report.c:395 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495 validate_nla lib/nlattr.c:386 [inline] __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 __nla_parse+0x3e/0x50 lib/nlattr.c:697 nla_parse_nested_deprecated include/net/netlink.h:1248 [inline] __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594 rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0x154/0x190 net/socket.c:734 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdcf2072359 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359 RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003 RBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000 </TASK> The buggy address belongs to the variable: rmnet_policy+0x30/0xe0 The buggy address belongs to the physical page: page:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243 flags: 0x200000000001000(reserved|node=0|zone=2) raw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07 ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9 >ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 ^ ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 According to the comment of `nla_parse_nested_deprecated`, the maxtype should be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here.(CVE-2024-26597) In the Linux kernel, the following vulnerability has been resolved: EDAC/thunderx: Fix possible out-of-bounds string access Enabling -Wstringop-overflow globally exposes a warning for a common bug in the usage of strncat(): drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr': drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=] 1136 | strncat(msg, other, OCX_MESSAGE_SIZE); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ... 1145 | strncat(msg, other, OCX_MESSAGE_SIZE); ... 1150 | strncat(msg, other, OCX_MESSAGE_SIZE); ... Apparently the author of this driver expected strncat() to behave the way that strlcat() does, which uses the size of the destination buffer as its third argument rather than the length of the source buffer. The result is that there is no check on the size of the allocated buffer. Change it to strlcat(). [ bp: Trim compiler output, fixup commit message. ](CVE-2023-52464) In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/memhp: Fix access beyond end of drmem array dlpar_memory_remove_by_index() may access beyond the bounds of the drmem lmb array when the LMB lookup fails to match an entry with the given DRC index. When the search fails, the cursor is left pointing to &drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the last valid entry in the array. The debug message at the end of the function then dereferences this pointer: pr_debug("Failed to hot-remove memory at %llx\n", lmb->base_addr); This was found by inspection and confirmed with KASAN: pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234 ================================================================== BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658 Read of size 8 at addr c000000364e97fd0 by task bash/949 dump_stack_lvl+0xa4/0xfc (unreliable) print_report+0x214/0x63c kasan_report+0x140/0x2e0 __asan_load8+0xa8/0xe0 dlpar_memory+0x298/0x1658 handle_dlpar_errorlog+0x130/0x1d0 dlpar_store+0x18c/0x3e0 kobj_attr_store+0x68/0xa0 sysfs_kf_write+0xc4/0x110 kernfs_fop_write_iter+0x26c/0x390 vfs_write+0x2d4/0x4e0 ksys_write+0xac/0x1a0 system_call_exception+0x268/0x530 system_call_vectored_common+0x15c/0x2ec Allocated by task 1: kasan_save_stack+0x48/0x80 kasan_set_track+0x34/0x50 kasan_save_alloc_info+0x34/0x50 __kasan_kmalloc+0xd0/0x120 __kmalloc+0x8c/0x320 kmalloc_array.constprop.0+0x48/0x5c drmem_init+0x2a0/0x41c do_one_initcall+0xe0/0x5c0 kernel_init_freeable+0x4ec/0x5a0 kernel_init+0x30/0x1e0 ret_from_kernel_user_thread+0x14/0x1c The buggy address belongs to the object at c000000364e80000 which belongs to the cache kmalloc-128k of size 131072 The buggy address is located 0 bytes to the right of allocated 98256-byte region [c000000364e80000, c000000364e97fd0) ================================================================== pseries-hotplug-mem: Failed to hot-remove memory at 0 Log failed lookups with a separate message and dereference the cursor only when it points to a valid entry.(CVE-2023-52451) In the Linux kernel, the following vulnerability has been resolved: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier If both ftl.ko and gluebi.ko are loaded, the notifier of ftl triggers NULL pointer dereference when trying to access ‘gluebi->desc’ in gluebi_read(). ubi_gluebi_init ubi_register_volume_notifier ubi_enumerate_volumes ubi_notify_all gluebi_notify nb->notifier_call() gluebi_create mtd_device_register mtd_device_parse_register add_mtd_device blktrans_notify_add not->add() ftl_add_mtd tr->add_mtd() scan_header mtd_read mtd_read_oob mtd_read_oob_std gluebi_read mtd->read() gluebi->desc - NULL Detailed reproduction information available at the Link [1], In the normal case, obtain gluebi->desc in the gluebi_get_device(), and access gluebi->desc in the gluebi_read(). However, gluebi_get_device() is not executed in advance in the ftl_add_mtd() process, which leads to NULL pointer dereference. The solution for the gluebi module is to run jffs2 on the UBI volume without considering working with ftl or mtdblock [2]. Therefore, this problem can be avoided by preventing gluebi from creating the mtdblock device after creating mtd partition of the type MTD_UBIVOLUME.(CVE-2023-52449) In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix use after free on context disconnection Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. However, that might happen before the usb hub_event handler is able to notify the driver. This patch adds a sanity check before the invalid read reported by syzbot, within the context disconnection call stack.(CVE-2023-52445) In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid dirent corruption As Al reported in link[1]: f2fs_rename() ... if (old_dir != new_dir && !whiteout) f2fs_set_link(old_inode, old_dir_entry, old_dir_page, new_dir); else f2fs_put_page(old_dir_page, 0); You want correct inumber in the ".." link. And cross-directory rename does move the source to new parent, even if you'd been asked to leave a whiteout in the old place. [1] https://lore.kernel.org/all/20231017055040.GN800259@ZenIV/ With below testcase, it may cause dirent corruption, due to it missed to call f2fs_set_link() to update ".." link to new directory. - mkdir -p dir/foo - renameat2 -w dir/foo bar [ASSERT] (__chk_dots_dentries:1421) --> Bad inode number[0x4] for '..', parent parent ino is [0x3] [FSCK] other corrupted bugs [Fail](CVE-2023-52444) In the Linux kernel, the following vulnerability has been resolved: apparmor: avoid crash when parsed profile name is empty When processing a packed profile in unpack_profile() described like "profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}" a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then passed to aa_splitn_fqname(). aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace. Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later aa_alloc_profile() crashes as the new profile name is NULL now. general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 RIP: 0010:strlen+0x1e/0xa0 Call Trace: <TASK> ? strlen+0x1e/0xa0 aa_policy_init+0x1bb/0x230 aa_alloc_profile+0xb1/0x480 unpack_profile+0x3bc/0x4960 aa_unpack+0x309/0x15e0 aa_replace_profiles+0x213/0x33c0 policy_update+0x261/0x370 profile_replace+0x20e/0x2a0 vfs_write+0x2af/0xe00 ksys_write+0x126/0x250 do_syscall_64+0x46/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 </TASK> ---[ end trace 0000000000000000 ]--- RIP: 0010:strlen+0x1e/0xa0 It seems such behaviour of aa_splitn_fqname() is expected and checked in other places where it is called (e.g. aa_remove_profiles). Well, there is an explicit comment "a ns name without a following profile is allowed" inside. AFAICS, nothing can prevent unpacked "name" to be in form like ":samba-dcerpcd" - it is passed from userspace. Deny the whole profile set replacement in such case and inform user with EPROTO and an explaining message. Found by Linux Verification Center (linuxtesting.org).(CVE-2023-52443) In the Linux kernel, the following vulnerability has been resolved: uio: Fix use-after-free in uio_open core-1 core-2 ------------------------------------------------------- uio_unregister_device uio_open idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release get_device(&idev->dev) kfree(idev) uio_free_minor(minor) uio_release put_device(&idev->dev) kfree(idev) ------------------------------------------------------- In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then: 1. After core-1 kfree idev, the core-2 will do use-after-free for idev. 2. When core-2 do uio_release and put_device, the idev will be double freed. To address this issue, we can get idev atomic & inc idev reference with minor_lock.(CVE-2023-52439) In the Linux kernel, the following vulnerability has been resolved: f2fs: explicitly null-terminate the xattr list When setting an xattr, explicitly null-terminate the xattr list. This eliminates the fragile assumption that the unused xattr space is always zeroed.(CVE-2023-52436) A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local user to cause an information leak problem while freeing the old quota file names before a potential failure, leading to a use-after-free.(CVE-2024-0775) Rejected reason: Do not use this CVE as it is duplicate of CVE-2023-6932(CVE-2024-0584) Integer Overflow or Wraparound vulnerability in openEuler kernel on Linux (filesystem modules) allows Forced Integer Overflow.This issue affects openEuler kernel: from 4.19.90 before 4.19.90-2401.3, from 5.10.0-60.18.0 before 5.10.0-183.0.0. (CVE-2021-33631) A use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation. A race condition can be exploited to cause a timer be mistakenly registered on a RCU read locked object which is freed by another thread. We recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1. (CVE-2023-6932) kernel-devel-4.19.90-2305.1.0.0199.79.uel20.aarch64.rpm kernel-btf-4.19.90-2305.1.0.0199.79.uel20.aarch64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.79.uel20.aarch64.rpm python2-perf-4.19.90-2305.1.0.0199.79.uel20.aarch64.rpm python3-perf-4.19.90-2305.1.0.0199.79.uel20.aarch64.rpm perf-4.19.90-2305.1.0.0199.79.uel20.aarch64.rpm kernel-4.19.90-2305.1.0.0199.79.uel20.aarch64.rpm bpftool-4.19.90-2305.1.0.0199.79.uel20.aarch64.rpm kernel-tools-4.19.90-2305.1.0.0199.79.uel20.aarch64.rpm kernel-btf-4.19.90-2305.1.0.0199.79.uel20.x86_64.rpm kernel-tools-4.19.90-2305.1.0.0199.79.uel20.x86_64.rpm kernel-devel-4.19.90-2305.1.0.0199.79.uel20.x86_64.rpm perf-4.19.90-2305.1.0.0199.79.uel20.x86_64.rpm python3-perf-4.19.90-2305.1.0.0199.79.uel20.x86_64.rpm kernel-4.19.90-2305.1.0.0199.79.uel20.x86_64.rpm python2-perf-4.19.90-2305.1.0.0199.79.uel20.x86_64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.79.uel20.x86_64.rpm bpftool-4.19.90-2305.1.0.0199.79.uel20.x86_64.rpm UTSA-2024:20123 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: openssh security update

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795) openssh-askpass-8.2p1-29.up2.uel20.07.x86_64.rpm openssh-server-8.2p1-29.up2.uel20.07.x86_64.rpm openssh-clients-8.2p1-29.up2.uel20.07.x86_64.rpm openssh-ldap-8.2p1-29.up2.uel20.07.x86_64.rpm openssh-8.2p1-29.up2.uel20.07.x86_64.rpm openssh-keycat-8.2p1-29.up2.uel20.07.x86_64.rpm openssh-cavs-8.2p1-29.up2.uel20.07.x86_64.rpm pam_ssh_agent_auth-0.10.3-9.29.06.uel20.x86_64.rpm openssh-help-8.2p1-29.up2.uel20.07.noarch.rpm openssh-8.2p1-29.up2.uel20.07.aarch64.rpm openssh-keycat-8.2p1-29.up2.uel20.07.aarch64.rpm openssh-clients-8.2p1-29.up2.uel20.07.aarch64.rpm openssh-askpass-8.2p1-29.up2.uel20.07.aarch64.rpm openssh-server-8.2p1-29.up2.uel20.07.aarch64.rpm openssh-cavs-8.2p1-29.up2.uel20.07.aarch64.rpm pam_ssh_agent_auth-0.10.3-9.29.06.uel20.aarch64.rpm openssh-ldap-8.2p1-29.up2.uel20.07.aarch64.rpm UTSA-2024:20124 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: gstreamer1-plugins-base security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-37328) gstreamer1-plugins-base-1.16.2-3.uel20.x86_64.rpm gstreamer1-plugins-base-devel-1.16.2-3.uel20.x86_64.rpm gstreamer1-plugins-base-1.16.2-3.uel20.aarch64.rpm gstreamer1-plugins-base-devel-1.16.2-3.uel20.aarch64.rpm gstreamer1-plugins-base-help-1.16.2-3.uel20.noarch.rpm UTSA-2024:20125 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: qemu security update

A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.(CVE-2023-3019) A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free.(CVE-2023-0330) qemu-4.1.0-82.up6.uel20.x86_64.rpm qemu-guest-agent-4.1.0-82.up6.uel20.x86_64.rpm qemu-block-curl-4.1.0-82.up6.uel20.x86_64.rpm qemu-seabios-4.1.0-82.up6.uel20.x86_64.rpm qemu-block-ssh-4.1.0-82.up6.uel20.x86_64.rpm qemu-block-iscsi-4.1.0-82.up6.uel20.x86_64.rpm qemu-img-4.1.0-82.up6.uel20.x86_64.rpm qemu-block-rbd-4.1.0-82.up6.uel20.x86_64.rpm qemu-help-4.1.0-82.up6.uel20.noarch.rpm qemu-block-curl-4.1.0-82.up6.uel20.aarch64.rpm qemu-block-ssh-4.1.0-82.up6.uel20.aarch64.rpm qemu-block-rbd-4.1.0-82.up6.uel20.aarch64.rpm qemu-guest-agent-4.1.0-82.up6.uel20.aarch64.rpm qemu-block-iscsi-4.1.0-82.up6.uel20.aarch64.rpm qemu-img-4.1.0-82.up6.uel20.aarch64.rpm qemu-4.1.0-82.up6.uel20.aarch64.rpm UTSA-2024:20126 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libxml2 security update

NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.(CVE-2022-2309) libxml2-2.9.10-40.uel20.x86_64.rpm python2-libxml2-2.9.10-40.uel20.x86_64.rpm python3-libxml2-2.9.10-40.uel20.x86_64.rpm libxml2-devel-2.9.10-40.uel20.x86_64.rpm libxml2-devel-2.9.10-40.uel20.aarch64.rpm libxml2-help-2.9.10-40.uel20.noarch.rpm python2-libxml2-2.9.10-40.uel20.aarch64.rpm libxml2-2.9.10-40.uel20.aarch64.rpm python3-libxml2-2.9.10-40.uel20.aarch64.rpm UTSA-2024:20127 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: fdupes security update

In deletefiles in FDUPES before 2.2.0, a TOCTOU race condition allows arbitrary file deletion via a symlink.(CVE-2022-48682) fdupes-2.3.0-1.uel20.x86_64.rpm fdupes-2.3.0-1.uel20.aarch64.rpm fdupes-help-2.3.0-1.uel20.noarch.rpm UTSA-2024:20128 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: freerdp security update

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.5.1, a malicious server can crash the FreeRDP client by sending invalid huge allocation size. Version 3.5.1 contains a patch for the issue. No known workarounds are available.(CVE-2024-32660) FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read if `((nWidth == 0) and (nHeight == 0))`. Version 3.5.1 contains a patch for the issue. No known workarounds are available.(CVE-2024-32659) FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read. Version 3.5.1 contains a patch for the issue. No known workarounds are available.(CVE-2024-32658) FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based based clients using `/bpp:32` legacy `GDI` drawing path with a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, use modern drawing paths (e.g. `/rfx` or `/gfx` options). The workaround requires server side support.(CVE-2024-32460) FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients and servers that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. No known workarounds are available.(CVE-2024-32459) FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, use `/gfx` or `/rfx` modes (on by default, require server side support).(CVE-2024-32458) FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, deactivate `/gfx` (on by default, set `/bpp` or `/rfx` options instead.(CVE-2024-32041) FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 and have connections to servers using the `NSC` codec are vulnerable to integer underflow. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, do not use the NSC codec (e.g. use `-nsc`).(CVE-2024-32040) FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients using a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to integer overflow and out-of-bounds write. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, do not use `/gfx` options (e.g. deactivate with `/bpp:32` or `/rfx` as it is on by default).(CVE-2024-32039) freerdp-2.11.7-1.uel20.x86_64.rpm libwinpr-2.11.7-1.uel20.x86_64.rpm freerdp-devel-2.11.7-1.uel20.x86_64.rpm libwinpr-devel-2.11.7-1.uel20.x86_64.rpm freerdp-help-2.11.7-1.uel20.x86_64.rpm freerdp-devel-2.11.7-1.uel20.aarch64.rpm libwinpr-devel-2.11.7-1.uel20.aarch64.rpm freerdp-2.11.7-1.uel20.aarch64.rpm freerdp-help-2.11.7-1.uel20.aarch64.rpm libwinpr-2.11.7-1.uel20.aarch64.rpm UTSA-2024:20129 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: flatpak security update

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6.(CVE-2024-32462) flatpak-1.0.3-12.uel20.x86_64.rpm flatpak-devel-1.0.3-12.uel20.x86_64.rpm flatpak-devel-1.0.3-12.uel20.aarch64.rpm flatpak-help-1.0.3-12.uel20.noarch.rpm flatpak-1.0.3-12.uel20.aarch64.rpm UTSA-2024:20130 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: sssd security update

A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.(CVE-2023-3758) python3-sssd-2.2.2-16.uel20.01.x86_64.rpm python2-sssd-2.2.2-16.uel20.01.x86_64.rpm sssd-2.2.2-16.uel20.01.x86_64.rpm sssd-devel-2.2.2-16.uel20.01.x86_64.rpm sssd-devel-2.2.2-16.uel20.01.aarch64.rpm python2-sssd-2.2.2-16.uel20.01.aarch64.rpm sssd-help-2.2.2-16.uel20.01.noarch.rpm python3-sssd-2.2.2-16.uel20.01.aarch64.rpm sssd-2.2.2-16.uel20.01.aarch64.rpm UTSA-2024:20131 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: less security update

less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.(CVE-2024-32487) less-590-2.uel20.03.x86_64.rpm less-help-590-2.uel20.03.noarch.rpm less-590-2.uel20.03.aarch64.rpm UTSA-2024:20132 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: libreswan security update

The Libreswan Project was notified of an issue causing libreswan to restart when using IKEv1 without specifying an esp= line. When the peer requests AES-GMAC, libreswan's default proposal handler causes an assertion failure and crashes and restarts. IKEv2 connections are not affected.(CVE-2024-3652) libreswan-help-4.15-1.uel20.x86_64.rpm libreswan-4.15-1.uel20.x86_64.rpm libreswan-help-4.15-1.uel20.aarch64.rpm libreswan-4.15-1.uel20.aarch64.rpm UTSA-2024:20133 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: qemu security update

A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host.(CVE-2024-3446) ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2024-3447) qemu-4.1.0-83.up6.uel20.x86_64.rpm qemu-img-4.1.0-83.up6.uel20.x86_64.rpm qemu-block-ssh-4.1.0-83.up6.uel20.x86_64.rpm qemu-block-rbd-4.1.0-83.up6.uel20.x86_64.rpm qemu-block-iscsi-4.1.0-83.up6.uel20.x86_64.rpm qemu-block-curl-4.1.0-83.up6.uel20.x86_64.rpm qemu-guest-agent-4.1.0-83.up6.uel20.x86_64.rpm qemu-seabios-4.1.0-83.up6.uel20.x86_64.rpm qemu-block-curl-4.1.0-83.up6.uel20.aarch64.rpm qemu-guest-agent-4.1.0-83.up6.uel20.aarch64.rpm qemu-img-4.1.0-83.up6.uel20.aarch64.rpm qemu-block-ssh-4.1.0-83.up6.uel20.aarch64.rpm qemu-block-rbd-4.1.0-83.up6.uel20.aarch64.rpm qemu-help-4.1.0-83.up6.uel20.noarch.rpm qemu-block-iscsi-4.1.0-83.up6.uel20.aarch64.rpm qemu-4.1.0-83.up6.uel20.aarch64.rpm UTSA-2024:20134 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: kernel-4.19 security update

In the Linux kernel, the following vulnerability has been resolved: llc: call sock_orphan() at release time syzbot reported an interesting trace [1] caused by a stale sk->sk_wq pointer in a closed llc socket. In commit ff7b11aa481f ("net: socket: set sock->sk to NULL after calling proto_ops::release()") Eric Biggers hinted that some protocols are missing a sock_orphan(), we need to perform a full audit. In net-next, I plan to clear sock->sk from sock_orphan() and amend Eric patch to add a warning. [1] BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline] BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline] BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline] BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468 Read of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27 CPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc4/0x620 mm/kasan/report.c:488 kasan_report+0xda/0x110 mm/kasan/report.c:601 list_empty include/linux/list.h:373 [inline] waitqueue_active include/linux/wait.h:127 [inline] sock_def_write_space_wfree net/core/sock.c:3384 [inline] sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468 skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080 skb_release_all net/core/skbuff.c:1092 [inline] napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404 e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970 e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline] e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801 __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576 napi_poll net/core/dev.c:6645 [inline] net_rx_action+0x956/0xe90 net/core/dev.c:6778 __do_softirq+0x21a/0x8de kernel/softirq.c:553 run_ksoftirqd kernel/softirq.c:921 [inline] run_ksoftirqd+0x31/0x60 kernel/softirq.c:913 smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164 kthread+0x2c6/0x3a0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242 </TASK> Allocated by task 5167: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:314 [inline] __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3813 [inline] slab_alloc_node mm/slub.c:3860 [inline] kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879 alloc_inode_sb include/linux/fs.h:3019 [inline] sock_alloc_inode+0x25/0x1c0 net/socket.c:308 alloc_inode+0x5d/0x220 fs/inode.c:260 new_inode_pseudo+0x16/0x80 fs/inode.c:1005 sock_alloc+0x40/0x270 net/socket.c:634 __sock_create+0xbc/0x800 net/socket.c:1535 sock_create net/socket.c:1622 [inline] __sys_socket_create net/socket.c:1659 [inline] __sys_socket+0x14c/0x260 net/socket.c:1706 __do_sys_socket net/socket.c:1720 [inline] __se_sys_socket net/socket.c:1718 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1718 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Freed by task 0: kasan_save_stack+0x33/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640 poison_slab_object mm/kasan/common.c:241 [inline] __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2121 [inlin ---truncated---(CVE-2024-26625) In the Linux kernel, the following vulnerability has been resolved: binder: signal epoll threads of self-work In (e)poll mode, threads often depend on I/O events to determine when data is ready for consumption. Within binder, a thread may initiate a command via BINDER_WRITE_READ without a read buffer and then make use of epoll_wait() or similar to consume any responses afterwards. It is then crucial that epoll threads are signaled via wakeup when they queue their own work. Otherwise, they risk waiting indefinitely for an event leaving their work unhandled. What is worse, subsequent commands won't trigger a wakeup either as the thread has pending work.(CVE-2024-26606) In the Linux kernel, the following vulnerability has been resolved: sched/membarrier: reduce the ability to hammer on sys_membarrier On some systems, sys_membarrier can be very expensive, causing overall slowdowns for everything. So put a lock on the path in order to serialize the accesses to prevent the ability for this to be called at too high of a frequency and saturate the machine.(CVE-2024-26602) In the Linux kernel, the following vulnerability has been resolved: phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP If the external phy working together with phy-omap-usb2 does not implement send_srp(), we may still attempt to call it. This can happen on an idle Ethernet gadget triggering a wakeup for example: configfs-gadget.g1 gadget.0: ECM Suspend configfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup ... Unable to handle kernel NULL pointer dereference at virtual address 00000000 when execute ... PC is at 0x0 LR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc] ... musb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core] usb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether] eth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c dev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4 sch_direct_xmit from __dev_queue_xmit+0x334/0xd88 __dev_queue_xmit from arp_solicit+0xf0/0x268 arp_solicit from neigh_probe+0x54/0x7c neigh_probe from __neigh_event_send+0x22c/0x47c __neigh_event_send from neigh_resolve_output+0x14c/0x1c0 neigh_resolve_output from ip_finish_output2+0x1c8/0x628 ip_finish_output2 from ip_send_skb+0x40/0xd8 ip_send_skb from udp_send_skb+0x124/0x340 udp_send_skb from udp_sendmsg+0x780/0x984 udp_sendmsg from __sys_sendto+0xd8/0x158 __sys_sendto from ret_fast_syscall+0x0/0x58 Let's fix the issue by checking for send_srp() and set_vbus() before calling them. For USB peripheral only cases these both could be NULL.(CVE-2024-26600) In the Linux kernel, the following vulnerability has been resolved: powerpc/mm: Fix null-pointer dereference in pgtable_cache_add kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Ensure the allocation was successful by checking the pointer validity.(CVE-2023-52607) In the Linux kernel, the following vulnerability has been resolved: powerpc/lib: Validate size for vector operations Some of the fp/vmx code in sstep.c assume a certain maximum size for the instructions being emulated. The size of those operations however is determined separately in analyse_instr(). Add a check to validate the assumption on the maximum size of the operations, so as to prevent any unintended kernel stack corruption.(CVE-2023-52606) In the Linux kernel, the following vulnerability has been resolved: FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree Syzkaller reported the following issue: UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6 index 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]') CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:217 [inline] __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348 dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867 dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834 dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331 dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline] dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402 txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534 txUpdateMap+0x342/0x9e0 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline] jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732 kthread+0x2d3/0x370 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 </TASK> ================================================================================ Kernel panic - not syncing: UBSAN: panic_on_warn set ... CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106 panic+0x30f/0x770 kernel/panic.c:340 check_panic_on_warn+0x82/0xa0 kernel/panic.c:236 ubsan_epilogue lib/ubsan.c:223 [inline] __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348 dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867 dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834 dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331 dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline] dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402 txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534 txUpdateMap+0x342/0x9e0 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline] jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732 kthread+0x2d3/0x370 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 </TASK> Kernel Offset: disabled Rebooting in 86400 seconds.. The issue is caused when the value of lp becomes greater than CTLTREESIZE which is the max size of stree. Adding a simple check solves this issue. Dave: As the function returns a void, good error handling would require a more intrusive code reorganization, so I modified Osama's patch at use WARN_ON_ONCE for lack of a cleaner option. The patch is tested via syzbot.(CVE-2023-52604) In the Linux kernel, the following vulnerability has been resolved: s390/ptrace: handle setting of fpc register correctly If the content of the floating point control (fpc) register of a traced process is modified with the ptrace interface the new value is tested for validity by temporarily loading it into the fpc register. This may lead to corruption of the fpc register of the tracing process: if an interrupt happens while the value is temporarily loaded into the fpc register, and within interrupt context floating point or vector registers are used, the current fp/vx registers are saved with save_fpu_regs() assuming they belong to user space and will be loaded into fp/vx registers when returning to user space. test_fp_ctl() restores the original user space fpc register value, however it will be discarded, when returning to user space. In result the tracer will incorrectly continue to run with the value that was supposed to be used for the traced process. Fix this by saving fpu register contents with save_fpu_regs() before using test_fp_ctl().(CVE-2023-52598) In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add mutex lock in control vblank irq Add a mutex lock to control vblank irq to synchronize vblank enable/disable operations happening from different threads to prevent race conditions while registering/unregistering the vblank irq callback. v4: -Removed vblank_ctl_lock from dpu_encoder_virt, so it is only a parameter of dpu_encoder_phys. -Switch from atomic refcnt to a simple int counter as mutex has now been added v3: Mistakenly did not change wording in last version. It is done now. v2: Slightly changed wording of commit message Patchwork: https://patchwork.freedesktop.org/patch/571854/(CVE-2023-52586) In the Linux kernel, the following vulnerability has been resolved: ceph: fix deadlock or deadcode of misusing dget() The lock order is incorrect between denty and its parent, we should always make sure that the parent get the lock first. But since this deadcode is never used and the parent dir will always be set from the callers, let's just remove it.(CVE-2023-52583) In the Linux kernel, the following vulnerability has been resolved: net: bridge: use DEV_STATS_INC() syzbot/KCSAN reported data-races in br_handle_frame_finish() [1] This function can run from multiple cpus without mutual exclusion. Adopt SMP safe DEV_STATS_INC() to update dev->stats fields. Handles updates to dev->stats.tx_dropped while we are at it. [1] BUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1: br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189 br_nf_hook_thresh+0x1ed/0x220 br_nf_pre_routing_finish_ipv6+0x50f/0x540 NF_HOOK include/linux/netfilter.h:304 [inline] br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178 br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508 nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline] nf_hook_bridge_pre net/bridge/br_input.c:272 [inline] br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417 __netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417 __netif_receive_skb_one_core net/core/dev.c:5521 [inline] __netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637 process_backlog+0x21f/0x380 net/core/dev.c:5965 __napi_poll+0x60/0x3b0 net/core/dev.c:6527 napi_poll net/core/dev.c:6594 [inline] net_rx_action+0x32b/0x750 net/core/dev.c:6727 __do_softirq+0xc1/0x265 kernel/softirq.c:553 run_ksoftirqd+0x17/0x20 kernel/softirq.c:921 smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164 kthread+0x1d7/0x210 kernel/kthread.c:388 ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0: br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189 br_nf_hook_thresh+0x1ed/0x220 br_nf_pre_routing_finish_ipv6+0x50f/0x540 NF_HOOK include/linux/netfilter.h:304 [inline] br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178 br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508 nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline] nf_hook_bridge_pre net/bridge/br_input.c:272 [inline] br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417 __netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417 __netif_receive_skb_one_core net/core/dev.c:5521 [inline] __netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637 process_backlog+0x21f/0x380 net/core/dev.c:5965 __napi_poll+0x60/0x3b0 net/core/dev.c:6527 napi_poll net/core/dev.c:6594 [inline] net_rx_action+0x32b/0x750 net/core/dev.c:6727 __do_softirq+0xc1/0x265 kernel/softirq.c:553 do_softirq+0x5e/0x90 kernel/softirq.c:454 __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline] _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [inline] batadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356 batadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703 worker_thread+0x525/0x730 kernel/workqueue.c:2784 kthread+0x1d7/0x210 kernel/kthread.c:388 ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 value changed: 0x00000000000d7190 -> 0x00000000000d7191 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0(CVE-2023-52578) In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() In nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the reference count of bh when the call to nilfs_dat_translate() fails. If the reference count hits 0 and its owner page gets unlocked, bh may be freed. However, bh->b_page is dereferenced to put the page after that, which may result in a use-after-free bug. This patch moves the release operation after unlocking and putting the page. NOTE: The function in question is only called in GC, and in combination with current userland tools, address translation using DAT does not occur in that function, so the code path that causes this issue will not be executed. However, it is possible to run that code path by intentionally modifying the userland GC library or by calling the GC ioctl directly. [konishi.ryusuke@gmail.com: NOTE added to the commit log](CVE-2023-52566) In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add() but returns 0 due to KRACK protection (identical key reinstall), ieee80211_gtk_rekey_add() will still return a pointer into the key, in a potential use-after-free. This normally doesn't happen since it's only called by iwlwifi in case of WoWLAN rekey offload which has its own KRACK protection, but still better to fix, do that by returning an error code and converting that to success on the cfg80211 boundary only, leaving the error for bad callers of ieee80211_gtk_rekey_add().(CVE-2023-52530) In the Linux kernel, the following vulnerability has been resolved: net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg syzbot reported the following uninit-value access issue: ===================================================== BUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline] BUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482 CPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x21c/0x280 lib/dump_stack.c:118 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline] smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482 usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737 usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374 really_probe+0xf20/0x20b0 drivers/base/dd.c:529 driver_probe_device+0x293/0x390 drivers/base/dd.c:701 __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807 bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431 __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873 device_initial_probe+0x4a/0x60 drivers/base/dd.c:920 bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491 device_add+0x3b0e/0x40d0 drivers/base/core.c:2680 usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032 usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241 usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272 really_probe+0xf20/0x20b0 drivers/base/dd.c:529 driver_probe_device+0x293/0x390 drivers/base/dd.c:701 __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807 bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431 __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873 device_initial_probe+0x4a/0x60 drivers/base/dd.c:920 bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491 device_add+0x3b0e/0x40d0 drivers/base/core.c:2680 usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554 hub_port_connect drivers/usb/core/hub.c:5208 [inline] hub_port_connect_change drivers/usb/core/hub.c:5348 [inline] port_event drivers/usb/core/hub.c:5494 [inline] hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576 process_one_work+0x1688/0x2140 kernel/workqueue.c:2269 worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415 kthread+0x551/0x590 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293 Local variable ----buf.i87@smsc75xx_bind created at: __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline] smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline] smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482 __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline] smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline] smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482 This issue is caused because usbnet_read_cmd() reads less bytes than requested (zero byte in the reproducer). In this case, 'buf' is not properly filled. This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads less bytes than requested.(CVE-2023-52528) In the Linux kernel, the following vulnerability has been resolved: net: fix possible store tearing in neigh_periodic_work() While looking at a related syzbot report involving neigh_periodic_work(), I found that I forgot to add an annotation when deleting an RCU protected item from a list. Readers use rcu_deference(*np), we need to use either rcu_assign_pointer() or WRITE_ONCE() on writer side to prevent store tearing. I use rcu_assign_pointer() to have lockdep support, this was the choice made in neigh_flush_dev().(CVE-2023-52522) In the Linux kernel, the following vulnerability has been resolved: RDMA/srp: Do not call scsi_done() from srp_abort() After scmd_eh_abort_handler() has called the SCSI LLD eh_abort_handler callback, it performs one of the following actions: * Call scsi_queue_insert(). * Call scsi_finish_command(). * Call scsi_eh_scmd_add(). Hence, SCSI abort handlers must not call scsi_done(). Otherwise all the above actions would trigger a use-after-free. Hence remove the scsi_done() call from srp_abort(). Keep the srp_free_req() call before returning SUCCESS because we may not see the command again if SUCCESS is returned.(CVE-2023-52515) In the Linux kernel, the following vulnerability has been resolved: ieee802154: ca8210: Fix a potential UAF in ca8210_probe If of_clk_add_provider() fails in ca8210_register_ext_clock(), it calls clk_unregister() to release priv->clk and returns an error. However, the caller ca8210_probe() then calls ca8210_remove(), where priv->clk is freed again in ca8210_unregister_ext_clock(). In this case, a use-after-free may happen in the second time we call clk_unregister(). Fix this by removing the first clk_unregister(). Also, priv->clk could be an error code on failure of clk_register_fixed_rate(). Use IS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().(CVE-2023-52510) In the Linux kernel, the following vulnerability has been resolved: nfc: nci: assert requested protocol is valid The protocol is used in a bit mask to determine if the protocol is supported. Assert the provided protocol is less than the maximum defined so it doesn't potentially perform a shift-out-of-bounds and provide a clearer error for undefined protocols vs unsupported ones.(CVE-2023-52507) In the Linux kernel, the following vulnerability has been resolved: x86/alternatives: Disable KASAN in apply_alternatives() Fei has reported that KASAN triggers during apply_alternatives() on a 5-level paging machine: BUG: KASAN: out-of-bounds in rcu_is_watching() Read of size 4 at addr ff110003ee6419a0 by task swapper/0/0 ... __asan_load4() rcu_is_watching() trace_hardirqs_on() text_poke_early() apply_alternatives() ... On machines with 5-level paging, cpu_feature_enabled(X86_FEATURE_LA57) gets patched. It includes KASAN code, where KASAN_SHADOW_START depends on __VIRTUAL_MASK_SHIFT, which is defined with cpu_feature_enabled(). KASAN gets confused when apply_alternatives() patches the KASAN_SHADOW_START users. A test patch that makes KASAN_SHADOW_START static, by replacing __VIRTUAL_MASK_SHIFT with 56, works around the issue. Fix it for real by disabling KASAN while the kernel is patching alternatives. [ mingo: updated the changelog ](CVE-2023-52504) In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn() Sili Luo reported a race in nfc_llcp_sock_get(), leading to UAF. Getting a reference on the socket found in a lookup while holding a lock should happen before releasing the lock. nfc_llcp_sock_get_sn() has a similar problem. Finally nfc_llcp_recv_snl() needs to make sure the socket found by nfc_llcp_sock_from_sn() does not disappear.(CVE-2023-52502) In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command Tags allocated for OPC_INB_SET_CONTROLLER_CONFIG command need to be freed when we receive the response.(CVE-2023-52500) In the Linux kernel, the following vulnerability has been resolved: drm: Don't unref the same fb many times by mistake due to deadlock handling If we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl() we proceed to unref the fb and then retry the whole thing from the top. But we forget to reset the fb pointer back to NULL, and so if we then get another error during the retry, before the fb lookup, we proceed the unref the same fb again without having gotten another reference. The end result is that the fb will (eventually) end up being freed while it's still in use. Reset fb to NULL once we've unreffed it to avoid doing it again until we've done another fb lookup. This turned out to be pretty easy to hit on a DG2 when doing async flips (and CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y). The first symptom I saw that drm_closefb() simply got stuck in a busy loop while walking the framebuffer list. Fortunately I was able to convince it to oops instead, and from there it was easier to track down the culprit.(CVE-2023-52486) In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect hidpp_connect_event() has *four* time-of-check vs time-of-use (TOCTOU) races when it races with itself. hidpp_connect_event() primarily runs from a workqueue but it also runs on probe() and if a "device-connected" packet is received by the hw when the thread running hidpp_connect_event() from probe() is waiting on the hw, then a second thread running hidpp_connect_event() will be started from the workqueue. This opens the following races (note the below code is simplified): 1. Retrieving + printing the protocol (harmless race): if (!hidpp->protocol_major) { hidpp_root_get_protocol_version() hidpp->protocol_major = response.rap.params[0]; } We can actually see this race hit in the dmesg in the abrt output attached to rhbz#2227968: [ 3064.624215] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected. [ 3064.658184] logitech-hidpp-device 0003:046D:4071.0049: HID++ 4.5 device connected. Testing with extra logging added has shown that after this the 2 threads take turn grabbing the hw access mutex (send_mutex) so they ping-pong through all the other TOCTOU cases managing to hit all of them: 2. Updating the name to the HIDPP name (harmless race): if (hidpp->name == hdev->name) { ... hidpp->name = new_name; } 3. Initializing the power_supply class for the battery (problematic!): hidpp_initialize_battery() { if (hidpp->battery.ps) return 0; probe_battery(); /* Blocks, threads take turns executing this */ hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); } 4. Creating delayed input_device (potentially problematic): if (hidpp->delayed_input) return; hidpp->delayed_input = hidpp_allocate_input(hdev); The really big problem here is 3. Hitting the race leads to the following sequence: hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); ... hidpp->battery.desc.properties = devm_kmemdup(dev, hidpp_battery_props, cnt, GFP_KERNEL); hidpp->battery.ps = devm_power_supply_register(&hidpp->hid_dev->dev, &hidpp->battery.desc, cfg); So now we have registered 2 power supplies for the same battery, which looks a bit weird from userspace's pov but this is not even the really big problem. Notice how: 1. This is all devm-maganaged 2. The hidpp->battery.desc struct is shared between the 2 power supplies 3. hidpp->battery.desc.properties points to the result from the second devm_kmemdup() This causes a use after free scenario on USB disconnect of the receiver: 1. The last registered power supply class device gets unregistered 2. The memory from the last devm_kmemdup() call gets freed, hidpp->battery.desc.properties now points to freed memory 3. The first registered power supply class device gets unregistered, this involves sending a remove uevent to userspace which invokes power_supply_uevent() to fill the uevent data 4. power_supply_uevent() uses hidpp->battery.desc.properties which now points to freed memory leading to backtraces like this one: Sep 22 20:01:35 eric kernel: BUG: unable to handle page fault for address: ffffb2140e017f08 ... Sep 22 20:01:35 eric kernel: Workqueue: usb_hub_wq hub_event Sep 22 20:01:35 eric kernel: RIP: 0010:power_supply_uevent+0xee/0x1d0 ... Sep 22 20:01:35 eric kernel: ? asm_exc_page_fault+0x26/0x30 Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0xee/0x1d0 Sep 22 20:01:35 eric kernel: ? power_supply_uevent+0x10d/0x1d0 Sep 22 20:01:35 eric kernel: dev_uevent+0x10f/0x2d0 Sep 22 20:01:35 eric kernel: kobject_uevent_env+0x291/0x680 Sep 22 20:01:35 eric kernel: ---truncated---(CVE-2023-52478) In the Linux kernel, the following vulnerability has been resolved: usb: hub: Guard against accesses to uninitialized BOS descriptors Many functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h access fields inside udev->bos without checking if it was allocated and initialized. If usb_get_bos_descriptor() fails for whatever reason, udev->bos will be NULL and those accesses will result in a crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 <HASH:1f9e 1> Hardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021 Workqueue: usb_hub_wq hub_event RIP: 0010:hub_port_reset+0x193/0x788 Code: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9 RSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310 RDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840 RBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0 Call Trace: hub_event+0x73f/0x156e ? hub_activate+0x5b7/0x68f process_one_work+0x1a2/0x487 worker_thread+0x11a/0x288 kthread+0x13a/0x152 ? process_one_work+0x487/0x487 ? kthread_associate_blkcg+0x70/0x70 ret_from_fork+0x1f/0x30 Fall back to a default behavior if the BOS descriptor isn't accessible and skip all the functionalities that depend on it: LPM support checks, Super Speed capabilitiy checks, U1/U2 states setup.(CVE-2023-52477) In the Linux kernel, the following vulnerability has been resolved: perf/x86/lbr: Filter vsyscall addresses We found that a panic can occur when a vsyscall is made while LBR sampling is active. If the vsyscall is interrupted (NMI) for perf sampling, this call sequence can occur (most recent at top): __insn_get_emulate_prefix() insn_get_emulate_prefix() insn_get_prefixes() insn_get_opcode() decode_branch_type() get_branch_type() intel_pmu_lbr_filter() intel_pmu_handle_irq() perf_event_nmi_handler() Within __insn_get_emulate_prefix() at frame 0, a macro is called: peek_nbyte_next(insn_byte_t, insn, i) Within this macro, this dereference occurs: (insn)->next_byte Inspecting registers at this point, the value of the next_byte field is the address of the vsyscall made, for example the location of the vsyscall version of gettimeofday() at 0xffffffffff600000. The access to an address in the vsyscall region will trigger an oops due to an unhandled page fault. To fix the bug, filtering for vsyscalls can be done when determining the branch type. This patch will return a "none" branch if a kernel address if found to lie in the vsyscall region.(CVE-2023-52476) In the Linux kernel, the following vulnerability has been resolved: Input: powermate - fix use-after-free in powermate_config_complete syzbot has found a use-after-free bug [1] in the powermate driver. This happens when the device is disconnected, which leads to a memory free from the powermate_device struct. When an asynchronous control message completes after the kfree and its callback is invoked, the lock does not exist anymore and hence the bug. Use usb_kill_urb() on pm->config to cancel any in-progress requests upon device disconnection. [1] https://syzkaller.appspot.com/bug?extid=0434ac83f907a1dbdd1e(CVE-2023-52475) In the Linux kernel, the following vulnerability has been resolved: drivers/amd/pm: fix a use-after-free in kv_parse_power_table When ps allocated by kzalloc equals to NULL, kv_parse_power_table frees adev->pm.dpm.ps that allocated before. However, after the control flow goes through the following call chains: kv_parse_power_table |-> kv_dpm_init |-> kv_dpm_sw_init |-> kv_dpm_fini The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its first free in kv_parse_power_table and causes a use-after-free bug.(CVE-2023-52469) In the Linux kernel, the following vulnerability has been resolved: crypto: qcom-rng - ensure buffer for generate is completely filled The generate function in struct rng_alg expects that the destination buffer is completely filled if the function returns 0. qcom_rng_read() can run into a situation where the buffer is partially filled with randomness and the remaining part of the buffer is zeroed since qcom_rng_generate() doesn't check the return value. This issue can be reproduced by running the following from libkcapi: kcapi-rng -b 9000000 > OUTFILE The generated OUTFILE will have three huge sections that contain all zeros, and this is caused by the code where the test 'val & PRNG_STATUS_DATA_AVAIL' fails. Let's fix this issue by ensuring that qcom_rng_read() always returns with a full buffer if the function returns success. Let's also have qcom_rng_generate() return the correct value. Here's some statistics from the ent project (https://www.fourmilab.ch/random/) that shows information about the quality of the generated numbers: $ ent -c qcom-random-before Value Char Occurrences Fraction 0 606748 0.067416 1 33104 0.003678 2 33001 0.003667 ... 253 � 32883 0.003654 254 � 33035 0.003671 255 � 33239 0.003693 Total: 9000000 1.000000 Entropy = 7.811590 bits per byte. Optimum compression would reduce the size of this 9000000 byte file by 2 percent. Chi square distribution for 9000000 samples is 9329962.81, and randomly would exceed this value less than 0.01 percent of the times. Arithmetic mean value of data bytes is 119.3731 (127.5 = random). Monte Carlo value for Pi is 3.197293333 (error 1.77 percent). Serial correlation coefficient is 0.159130 (totally uncorrelated = 0.0). Without this patch, the results of the chi-square test is 0.01%, and the numbers are certainly not random according to ent's project page. The results improve with this patch: $ ent -c qcom-random-after Value Char Occurrences Fraction 0 35432 0.003937 1 35127 0.003903 2 35424 0.003936 ... 253 � 35201 0.003911 254 � 34835 0.003871 255 � 35368 0.003930 Total: 9000000 1.000000 Entropy = 7.999979 bits per byte. Optimum compression would reduce the size of this 9000000 byte file by 0 percent. Chi square distribution for 9000000 samples is 258.77, and randomly would exceed this value 42.24 percent of the times. Arithmetic mean value of data bytes is 127.5006 (127.5 = random). Monte Carlo value for Pi is 3.141277333 (error 0.01 percent). Serial correlation coefficient is 0.000468 (totally uncorrelated = 0.0). This change was tested on a Nexus 5 phone (msm8974 SoC).(CVE-2022-48629) In the Linux kernel, the following vulnerability has been resolved: vt: fix memory overlapping when deleting chars in the buffer A memory overlapping copy occurs when deleting a long line. This memory overlapping copy can cause data corruption when scr_memcpyw is optimized to memcpy because memcpy does not ensure its behavior if the destination buffer overlaps with the source buffer. The line buffer is not always broken, because the memcpy utilizes the hardware acceleration, whose result is not deterministic. Fix this problem by using replacing the scr_memcpyw with scr_memmovew.(CVE-2022-48627) In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Clear all QP fields if creation failed rxe_qp_do_cleanup() relies on valid pointer values in QP for the properly created ones, but in case rxe_qp_from_init() failed it was filled with garbage and caused tot the following error. refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 12560 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28 Modules linked in: CPU: 1 PID: 12560 Comm: syz-executor.4 Not tainted 5.12.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0 lib/refcount.c:28 Code: e9 db fe ff ff 48 89 df e8 2c c2 ea fd e9 8a fe ff ff e8 72 6a a7 fd 48 c7 c7 e0 b2 c1 89 c6 05 dc 3a e6 09 01 e8 ee 74 fb 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55 RSP: 0018:ffffc900097ceba8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000040000 RSI: ffffffff815bb075 RDI: fffff520012f9d67 RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815b4eae R11: 0000000000000000 R12: ffff8880322a4800 R13: ffff8880322a4940 R14: ffff888033044e00 R15: 0000000000000000 FS: 00007f6eb2be3700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdbe5d41000 CR3: 000000001d181000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __refcount_sub_and_test include/linux/refcount.h:283 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] kref_put include/linux/kref.h:64 [inline] rxe_qp_do_cleanup+0x96f/0xaf0 drivers/infiniband/sw/rxe/rxe_qp.c:805 execute_in_process_context+0x37/0x150 kernel/workqueue.c:3327 rxe_elem_release+0x9f/0x180 drivers/infiniband/sw/rxe/rxe_pool.c:391 kref_put include/linux/kref.h:65 [inline] rxe_create_qp+0x2cd/0x310 drivers/infiniband/sw/rxe/rxe_verbs.c:425 _ib_create_qp drivers/infiniband/core/core_priv.h:331 [inline] ib_create_named_qp+0x2ad/0x1370 drivers/infiniband/core/verbs.c:1231 ib_create_qp include/rdma/ib_verbs.h:3644 [inline] create_mad_qp+0x177/0x2d0 drivers/infiniband/core/mad.c:2920 ib_mad_port_open drivers/infiniband/core/mad.c:3001 [inline] ib_mad_init_device+0xd6f/0x1400 drivers/infiniband/core/mad.c:3092 add_client_context+0x405/0x5e0 drivers/infiniband/core/device.c:717 enable_device_and_get+0x1cd/0x3b0 drivers/infiniband/core/device.c:1331 ib_register_device drivers/infiniband/core/device.c:1413 [inline] ib_register_device+0x7c7/0xa50 drivers/infiniband/core/device.c:1365 rxe_register_device+0x3d5/0x4a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1147 rxe_add+0x12fe/0x16d0 drivers/infiniband/sw/rxe/rxe.c:247 rxe_net_add+0x8c/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:503 rxe_newlink drivers/infiniband/sw/rxe/rxe.c:269 [inline] rxe_newlink+0xb7/0xe0 drivers/infiniband/sw/rxe/rxe.c:250 nldev_newlink+0x30e/0x550 drivers/infiniband/core/nldev.c:1555 rdma_nl_rcv_msg+0x36d/0x690 drivers/infiniband/core/netlink.c:195 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0x2ee/0x430 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0 ---truncated---(CVE-2021-47078) In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Add pointer checks in qedf_update_link_speed() The following trace was observed: [ 14.042059] Call Trace: [ 14.042061] <IRQ> [ 14.042068] qedf_link_update+0x144/0x1f0 [qedf] [ 14.042117] qed_link_update+0x5c/0x80 [qed] [ 14.042135] qed_mcp_handle_link_change+0x2d2/0x410 [qed] [ 14.042155] ? qed_set_ptt+0x70/0x80 [qed] [ 14.042170] ? qed_set_ptt+0x70/0x80 [qed] [ 14.042186] ? qed_rd+0x13/0x40 [qed] [ 14.042205] qed_mcp_handle_events+0x437/0x690 [qed] [ 14.042221] ? qed_set_ptt+0x70/0x80 [qed] [ 14.042239] qed_int_sp_dpc+0x3a6/0x3e0 [qed] [ 14.042245] tasklet_action_common.isra.14+0x5a/0x100 [ 14.042250] __do_softirq+0xe4/0x2f8 [ 14.042253] irq_exit+0xf7/0x100 [ 14.042255] do_IRQ+0x7f/0xd0 [ 14.042257] common_interrupt+0xf/0xf [ 14.042259] </IRQ> API qedf_link_update() is getting called from QED but by that time shost_data is not initialised. This results in a NULL pointer dereference when we try to dereference shost_data while updating supported_speeds. Add a NULL pointer check before dereferencing shost_data.(CVE-2021-47077) In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Return CQE error if invalid lkey was supplied RXE is missing update of WQE status in LOCAL_WRITE failures. This caused the following kernel panic if someone sent an atomic operation with an explicitly wrong lkey. [leonro@vm ~]$ mkt test test_atomic_invalid_lkey (tests.test_atomic.AtomicTest) ... WARNING: CPU: 5 PID: 263 at drivers/infiniband/sw/rxe/rxe_comp.c:740 rxe_completer+0x1a6d/0x2e30 [rdma_rxe] Modules linked in: crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel rdma_ucm rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core ptp pps_core CPU: 5 PID: 263 Comm: python3 Not tainted 5.13.0-rc1+ #2936 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:rxe_completer+0x1a6d/0x2e30 [rdma_rxe] Code: 03 0f 8e 65 0e 00 00 3b 93 10 06 00 00 0f 84 82 0a 00 00 4c 89 ff 4c 89 44 24 38 e8 2d 74 a9 e1 4c 8b 44 24 38 e9 1c f5 ff ff <0f> 0b e9 0c e8 ff ff b8 05 00 00 00 41 bf 05 00 00 00 e9 ab e7 ff RSP: 0018:ffff8880158af090 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888016a78000 RCX: ffffffffa0cf1652 RDX: 1ffff9200004b442 RSI: 0000000000000004 RDI: ffffc9000025a210 RBP: dffffc0000000000 R08: 00000000ffffffea R09: ffff88801617740b R10: ffffed1002c2ee81 R11: 0000000000000007 R12: ffff88800f3b63e8 R13: ffff888016a78008 R14: ffffc9000025a180 R15: 000000000000000c FS: 00007f88b622a740(0000) GS:ffff88806d540000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f88b5a1fa10 CR3: 000000000d848004 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: rxe_do_task+0x130/0x230 [rdma_rxe] rxe_rcv+0xb11/0x1df0 [rdma_rxe] rxe_loopback+0x157/0x1e0 [rdma_rxe] rxe_responder+0x5532/0x7620 [rdma_rxe] rxe_do_task+0x130/0x230 [rdma_rxe] rxe_rcv+0x9c8/0x1df0 [rdma_rxe] rxe_loopback+0x157/0x1e0 [rdma_rxe] rxe_requester+0x1efd/0x58c0 [rdma_rxe] rxe_do_task+0x130/0x230 [rdma_rxe] rxe_post_send+0x998/0x1860 [rdma_rxe] ib_uverbs_post_send+0xd5f/0x1220 [ib_uverbs] ib_uverbs_write+0x847/0xc80 [ib_uverbs] vfs_write+0x1c5/0x840 ksys_write+0x176/0x1d0 do_syscall_64+0x3f/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae(CVE-2021-47076) In the Linux kernel, the following vulnerability has been resolved: nvme-loop: fix memory leak in nvme_loop_create_ctrl() When creating loop ctrl in nvme_loop_create_ctrl(), if nvme_init_ctrl() fails, the loop ctrl should be freed before jumping to the "out" label.(CVE-2021-47074) In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-smbios-wmi: Fix oops on rmmod dell_smbios init_dell_smbios_wmi() only registers the dell_smbios_wmi_driver on systems where the Dell WMI interface is supported. While exit_dell_smbios_wmi() unregisters it unconditionally, this leads to the following oops: [ 175.722921] ------------[ cut here ]------------ [ 175.722925] Unexpected driver unregister! [ 175.722939] WARNING: CPU: 1 PID: 3630 at drivers/base/driver.c:194 driver_unregister+0x38/0x40 ... [ 175.723089] Call Trace: [ 175.723094] cleanup_module+0x5/0xedd [dell_smbios] ... [ 175.723148] ---[ end trace 064c34e1ad49509d ]--- Make the unregister happen on the same condition the register happens to fix this.(CVE-2021-47073) In the Linux kernel, the following vulnerability has been resolved: drm: bridge/panel: Cleanup connector on bridge detach If we don't call drm_connector_cleanup() manually in panel_bridge_detach(), the connector will be cleaned up with the other DRM objects in the call to drm_mode_config_cleanup(). However, since our drm_connector is devm-allocated, by the time drm_mode_config_cleanup() will be called, our connector will be long gone. Therefore, the connector must be cleaned up when the bridge is detached to avoid use-after-free conditions. v2: Cleanup connector only if it was created v3: Add FIXME v4: (Use connector->dev) directly in if() block(CVE-2021-47063) In the Linux kernel, the following vulnerability has been resolved: crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init ADF_STATUS_PF_RUNNING is (only) used and checked by adf_vf2pf_shutdown() before calling adf_iov_putmsg()->mutex_lock(vf2pf_lock), however the vf2pf_lock is initialized in adf_dev_init(), which can fail and when it fail, the vf2pf_lock is either not initialized or destroyed, a subsequent use of vf2pf_lock will cause issue. To fix this issue, only set this flag if adf_dev_init() returns 0. [ 7.178404] BUG: KASAN: user-memory-access in __mutex_lock.isra.0+0x1ac/0x7c0 [ 7.180345] Call Trace: [ 7.182576] mutex_lock+0xc9/0xd0 [ 7.183257] adf_iov_putmsg+0x118/0x1a0 [intel_qat] [ 7.183541] adf_vf2pf_shutdown+0x4d/0x7b [intel_qat] [ 7.183834] adf_dev_shutdown+0x172/0x2b0 [intel_qat] [ 7.184127] adf_probe+0x5e9/0x600 [qat_dh895xccvf](CVE-2021-47056) In the Linux kernel, the following vulnerability has been resolved: bus: qcom: Put child node before return Put child node before return to fix potential reference count leak. Generally, the reference count of child is incremented and decremented automatically in the macro for_each_available_child_of_node() and should be decremented manually if the loop is broken in loop body.(CVE-2021-47054) In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Use after free in __vmbus_open() The "open_info" variable is added to the &vmbus_connection.chn_msg_list, but the error handling frees "open_info" without removing it from the list. This will result in a use after free. First remove it from the list, and then free it.(CVE-2021-47049) In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix pte update for kernel memory on radix When adding a PTE a ptesync is needed to order the update of the PTE with subsequent accesses otherwise a spurious fault may be raised. radix__set_pte_at() does not do this for performance gains. For non-kernel memory this is not an issue as any faults of this kind are corrected by the page fault handler. For kernel memory these faults are not handled. The current solution is that there is a ptesync in flush_cache_vmap() which should be called when mapping from the vmalloc region. However, map_kernel_page() does not call flush_cache_vmap(). This is troublesome in particular for code patching with Strict RWX on radix. In do_patch_instruction() the page frame that contains the instruction to be patched is mapped and then immediately patched. With no ordering or synchronization between setting up the PTE and writing to the page it is possible for faults. As the code patching is done using __put_user_asm_goto() the resulting fault is obscured - but using a normal store instead it can be seen: BUG: Unable to handle kernel data access on write at 0xc008000008f24a3c Faulting instruction address: 0xc00000000008bd74 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV Modules linked in: nop_module(PO+) [last unloaded: nop_module] CPU: 4 PID: 757 Comm: sh Tainted: P O 5.10.0-rc5-01361-ge3c1b78c8440-dirty #43 NIP: c00000000008bd74 LR: c00000000008bd50 CTR: c000000000025810 REGS: c000000016f634a0 TRAP: 0300 Tainted: P O (5.10.0-rc5-01361-ge3c1b78c8440-dirty) MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 44002884 XER: 00000000 CFAR: c00000000007c68c DAR: c008000008f24a3c DSISR: 42000000 IRQMASK: 1 This results in the kind of issue reported here: https://lore.kernel.org/linuxppc-dev/15AC5B0E-A221-4B8C-9039-FA96B8EF7C88@lca.pw/ Chris Riedl suggested a reliable way to reproduce the issue: $ mount -t debugfs none /sys/kernel/debug $ (while true; do echo function > /sys/kernel/debug/tracing/current_tracer ; echo nop > /sys/kernel/debug/tracing/current_tracer ; done) & Turning ftrace on and off does a large amount of code patching which in usually less then 5min will crash giving a trace like: ftrace-powerpc: (____ptrval____): replaced (4b473b11) != old (60000000) ------------[ ftrace bug ]------------ ftrace failed to modify [<c000000000bf8e5c>] napi_busy_loop+0xc/0x390 actual: 11:3b:47:4b Setting ftrace call site to call ftrace function ftrace record flags: 80000001 (1) expected tramp: c00000000006c96c ------------[ cut here ]------------ WARNING: CPU: 4 PID: 809 at kernel/trace/ftrace.c:2065 ftrace_bug+0x28c/0x2e8 Modules linked in: nop_module(PO-) [last unloaded: nop_module] CPU: 4 PID: 809 Comm: sh Tainted: P O 5.10.0-rc5-01360-gf878ccaf250a #1 NIP: c00000000024f334 LR: c00000000024f330 CTR: c0000000001a5af0 REGS: c000000004c8b760 TRAP: 0700 Tainted: P O (5.10.0-rc5-01360-gf878ccaf250a) MSR: 900000000282b033 <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 28008848 XER: 20040000 CFAR: c0000000001a9c98 IRQMASK: 0 GPR00: c00000000024f330 c000000004c8b9f0 c000000002770600 0000000000000022 GPR04: 00000000ffff7fff c000000004c8b6d0 0000000000000027 c0000007fe9bcdd8 GPR08: 0000000000000023 ffffffffffffffd8 0000000000000027 c000000002613118 GPR12: 0000000000008000 c0000007fffdca00 0000000000000000 0000000000000000 GPR16: 0000000023ec37c5 0000000000000000 0000000000000000 0000000000000008 GPR20: c000000004c8bc90 c0000000027a2d20 c000000004c8bcd0 c000000002612fe8 GPR24: 0000000000000038 0000000000000030 0000000000000028 0000000000000020 GPR28: c000000000ff1b68 c000000000bf8e5c c00000000312f700 c000000000fbb9b0 NIP ftrace_bug+0x28c/0x2e8 LR ftrace_bug+0x288/0x2e8 Call T ---truncated---(CVE-2021-47034) In the Linux kernel, the following vulnerability has been resolved: soundwire: stream: fix memory leak in stream config error path When stream config is failed, master runtime will release all slave runtime in the slave_rt_list, but slave runtime is not added to the list at this time. This patch frees slave runtime in the config error path to fix the memory leak.(CVE-2021-47020) In the Linux kernel, the following vulnerability has been resolved: net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..). If some error happens in emac_tx_fill_tpd(), the skb will be freed via dev_kfree_skb(skb) in error branch of emac_tx_fill_tpd(). But the freed skb is still used via skb->len by netdev_sent_queue(,skb->len). As i observed that emac_tx_fill_tpd() haven't modified the value of skb->len, thus my patch assigns skb->len to 'len' before the possible free and use 'len' instead of skb->len later.(CVE-2021-47013) In the Linux kernel, the following vulnerability has been resolved: ARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook The commit 1879445dfa7b ("perf/core: Set event's default ::overflow_handler()") set a default event->overflow_handler in perf_event_alloc(), and replace the check event->overflow_handler with is_default_overflow_handler(), but one is missing. Currently, the bp->overflow_handler can not be NULL. As a result, enable_single_step() is always not invoked. Comments from Zhen Lei: https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210207105934.2001-1-thunder.leizhen@huawei.com/(CVE-2021-47006) In the Linux kernel, the following vulnerability has been resolved: ethernet:enic: Fix a use after free bug in enic_hard_start_xmit In enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside enic_queue_wq_skb, if some error happens, the skb will be freed by dev_kfree_skb(skb). But the freed skb is still used in skb_tx_timestamp(skb). My patch makes enic_queue_wq_skb() return error and goto spin_unlock() incase of error. The solution is provided by Govind. See https://lkml.org/lkml/2021/4/30/961.(CVE-2021-46998) In the Linux kernel, the following vulnerability has been resolved: hfsplus: prevent corruption in shrinking truncate I believe there are some issues introduced by commit 31651c607151 ("hfsplus: avoid deadlock on file truncation") HFS+ has extent records which always contains 8 extents. In case the first extent record in catalog file gets full, new ones are allocated from extents overflow file. In case shrinking truncate happens to middle of an extent record which locates in extents overflow file, the logic in hfsplus_file_truncate() was changed so that call to hfs_brec_remove() is not guarded any more. Right action would be just freeing the extents that exceed the new size inside extent record by calling hfsplus_free_extents(), and then check if the whole extent record should be removed. However since the guard (blk_cnt > start) is now after the call to hfs_brec_remove(), this has unfortunate effect that the last matching extent record is removed unconditionally. To reproduce this issue, create a file which has at least 10 extents, and then perform shrinking truncate into middle of the last extent record, so that the number of remaining extents is not under or divisible by 8. This causes the last extent record (8 extents) to be removed totally instead of truncating into middle of it. Thus this causes corruption, and lost data. Fix for this is simply checking if the new truncated end is below the start of this extent record, making it safe to remove the full extent record. However call to hfs_brec_remove() can't be moved to it's previous place since we're dropping ->tree_lock and it can cause a race condition and the cached info being invalidated possibly corrupting the node data. Another issue is related to this one. When entering into the block (blk_cnt > start) we are not holding the ->tree_lock. We break out from the loop not holding the lock, but hfs_find_exit() does unlock it. Not sure if it's possible for someone else to take the lock under our feet, but it can cause hard to debug errors and premature unlocking. Even if there's no real risk of it, the locking should still always be kept in balance. Thus taking the lock now just before the check.(CVE-2021-46989) In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix stack OOB read while fragmenting IPv4 packets running openvswitch on kernels built with KASAN, it's possible to see the following splat while testing fragmentation of IPv4 packets: BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60 Read of size 1 at addr ffff888112fc713c by task handler2/1367 CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 Call Trace: dump_stack+0x92/0xc1 print_address_description.constprop.7+0x1a/0x150 kasan_report.cold.13+0x7f/0x111 ip_do_fragment+0x1b03/0x1f60 ovs_fragment+0x5bf/0x840 [openvswitch] do_execute_actions+0x1bd5/0x2400 [openvswitch] ovs_execute_actions+0xc8/0x3d0 [openvswitch] ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch] genl_family_rcv_msg_doit.isra.15+0x227/0x2d0 genl_rcv_msg+0x287/0x490 netlink_rcv_skb+0x120/0x380 genl_rcv+0x24/0x40 netlink_unicast+0x439/0x630 netlink_sendmsg+0x719/0xbf0 sock_sendmsg+0xe2/0x110 ____sys_sendmsg+0x5ba/0x890 ___sys_sendmsg+0xe9/0x160 __sys_sendmsg+0xd3/0x170 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f957079db07 Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48 RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07 RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019 RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0 The buggy address belongs to the page: page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7 flags: 0x17ffffc0000000() raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame: ovs_fragment+0x0/0x840 [openvswitch] this frame has 2 objects: [32, 144) 'ovs_dst' [192, 424) 'ovs_rt' Memory state around the buggy address: ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 >ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 ^ ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 for IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then, in the following call graph: ip_do_fragment() ip_skb_dst_mtu() ip_dst_mtu_maybe_forward() ip_mtu_locked() the pointer to struct dst_entry is used as pointer to struct rtable: this turns the access to struct members like rt_mtu_locked into an OOB read in the stack. Fix this changing the temporary variable used for IPv4 packets in ovs_fragment(), similarly to what is done for IPv6 few lines below.(CVE-2021-46955) In the Linux kernel, the following vulnerability has been resolved: NFS: fs_context: validate UDP retrans to prevent shift out-of-bounds Fix shift out-of-bounds in xprt_calc_majortimeo(). This is caused by a garbage timeout (retrans) mount option being passed to nfs mount, in this case from syzkaller. If the protocol is XPRT_TRANSPORT_UDP, then 'retrans' is a shift value for a 64-bit long integer, so 'retrans' cannot be >= 64. If it is >= 64, fail the mount and return an error.(CVE-2021-46952) In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: core: Do core softreset when switch mode According to the programming guide, to switch mode for DRD controller, the driver needs to do the following. To switch from device to host: 1. Reset controller with GCTL.CoreSoftReset 2. Set GCTL.PrtCapDir(host mode) 3. Reset the host with USBCMD.HCRESET 4. Then follow up with the initializing host registers sequence To switch from host to device: 1. Reset controller with GCTL.CoreSoftReset 2. Set GCTL.PrtCapDir(device mode) 3. Reset the device with DCTL.CSftRst 4. Then follow up with the initializing registers sequence Currently we're missing step 1) to do GCTL.CoreSoftReset and step 3) of switching from host to device. John Stult reported a lockup issue seen with HiKey960 platform without these steps[1]. Similar issue is observed with Ferry's testing platform[2]. So, apply the required steps along with some fixes to Yu Chen's and John Stultz's version. The main fixes to their versions are the missing wait for clocks synchronization before clearing GCTL.CoreSoftReset and only apply DCTL.CSftRst when switching from host to device. [1] https://lore.kernel.org/linux-usb/20210108015115.27920-1-john.stultz@linaro.org/ [2] https://lore.kernel.org/linux-usb/0ba7a6ba-e6a7-9cd4-0695-64fc927e01f1@gmail.com/(CVE-2021-46941) In the Linux kernel, the following vulnerability has been resolved: binder: fix async_free_space accounting for empty parcels In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space") fixed a kernel structure visibility issue. As part of that patch, sizeof(void *) was used as the buffer size for 0-length data payloads so the driver could detect abusive clients sending 0-length asynchronous transactions to a server by enforcing limits on async_free_size. Unfortunately, on the "free" side, the accounting of async_free_space did not add the sizeof(void *) back. The result was that up to 8-bytes of async_free_space were leaked on every async transaction of 8-bytes or less. These small transactions are uncommon, so this accounting issue has gone undetected for several years. The fix is to use "buffer_size" (the allocated buffer size) instead of "size" (the logical buffer size) when updating the async_free_space during the free operation. These are the same except for this corner case of asynchronous transactions with payloads < 8 bytes.(CVE-2021-46935) In the Linux kernel, the following vulnerability has been resolved: i2c: validate user data in compat ioctl Wrong user data may cause warning in i2c_transfer(), ex: zero msgs. Userspace should not be able to trigger warnings, so this patch adds validation checks for user data in compact ioctl to prevent reported warnings(CVE-2021-46934) In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear. ffs_data_clear is indirectly called from both ffs_fs_kill_sb and ffs_ep0_release, so it ends up being called twice when userland closes ep0 and then unmounts f_fs. If userland provided an eventfd along with function's USB descriptors, it ends up calling eventfd_ctx_put as many times, causing a refcount underflow. NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls. Also, set epfiles to NULL right after de-allocating it, for readability. For completeness, ffs_data_clear actually ends up being called thrice, the last call being before the whole ffs structure gets freed, so when this specific sequence happens there is a second underflow happening (but not being reported): /sys/kernel/debug/tracing# modprobe usb_f_fs /sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter /sys/kernel/debug/tracing# echo function > current_tracer /sys/kernel/debug/tracing# echo 1 > tracing_on (setup gadget, run and kill function userland process, teardown gadget) /sys/kernel/debug/tracing# echo 0 > tracing_on /sys/kernel/debug/tracing# cat trace smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_put Warning output corresponding to above trace: [ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c [ 1946.293094] refcount_t: underflow; use-after-free. [ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E) [ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1 [ 1946.417950] Hardware name: BCM2835 [ 1946.425442] Backtrace: [ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24) [ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c [ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30) [ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154) [ 1946.482067] r5:c04a948c r4:c0a71dc8 [ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4) [ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04 [ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c) [ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0 [ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74) [ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs]) [ 1946.582664] r5:c3b84c00 r4:c2695b00 [ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs]) [ 1946.609608] r5:bf54d014 r4:c2695b00 [ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs]) [ 1946.636217] r7:c0dfcb ---truncated---(CVE-2021-46933) In the Linux kernel, the following vulnerability has been resolved: Input: appletouch - initialize work before device registration Syzbot has reported warning in __flush_work(). This warning is caused by work->func == NULL, which means missing work initialization. This may happen, since input_dev->close() calls cancel_work_sync(&dev->work), but dev->work initalization happens _after_ input_register_device() call. So this patch moves dev->work initialization before registering input device(CVE-2021-46932) In the Linux kernel, the following vulnerability has been resolved: parisc: Clear stale IIR value on instruction access rights trap When a trap 7 (Instruction access rights) occurs, this means the CPU couldn't execute an instruction due to missing execute permissions on the memory region. In this case it seems the CPU didn't even fetched the instruction from memory and thus did not store it in the cr19 (IIR) register before calling the trap handler. So, the trap handler will find some random old stale value in cr19. This patch simply overwrites the stale IIR value with a constant magic "bad food" value (0xbaadf00d), in the hope people don't start to try to understand the various random IIR values in trap 7 dumps.(CVE-2021-46928) In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues and eventually fails, but the pointer was set already. This patch changes the logic so that the information provided to the caller is set when a controller is found.(CVE-2021-46926) In the Linux kernel, the following vulnerability has been resolved: NFC: st21nfca: Fix memory leak in device probe and remove 'phy->pending_skb' is alloced when device probe, but forgot to free in the error handling path and remove path, this cause memory leak as follows: unreferenced object 0xffff88800bc06800 (size 512): comm "8", pid 11775, jiffies 4295159829 (age 9.032s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000d66c09ce>] __kmalloc_node_track_caller+0x1ed/0x450 [<00000000c93382b3>] kmalloc_reserve+0x37/0xd0 [<000000005fea522c>] __alloc_skb+0x124/0x380 [<0000000019f29f9a>] st21nfca_hci_i2c_probe+0x170/0x8f2 Fix it by freeing 'pending_skb' in error and remove.(CVE-2021-46924) In the Linux kernel, the following vulnerability has been resolved: ARM: footbridge: fix PCI interrupt mapping Since commit 30fdfb929e82 ("PCI: Add a call to pci_assign_irq() in pci_device_probe()"), the PCI code will call the IRQ mapping function whenever a PCI driver is probed. If these are marked as __init, this causes an oops if a PCI driver is loaded or bound after the kernel has initialised.(CVE-2021-46909) In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: fix info leak in hid_submit_ctrl In hid_submit_ctrl(), the way of calculating the report length doesn't take into account that report->size can be zero. When running the syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to calculate transfer_buffer_length as 16384. When this urb is passed to the usb core layer, KMSAN reports an info leak of 16384 bytes. To fix this, first modify hid_report_len() to account for the zero report size case by using DIV_ROUND_UP for the division. Then, call it from hid_submit_ctrl().(CVE-2021-46906) In the Linux kernel, the following vulnerability has been resolved: net: hso: fix null-ptr-deref during tty device unregistration Multiple ttys try to claim the same the minor number causing a double unregistration of the same device. The first unregistration succeeds but the next one results in a null-ptr-deref. The get_free_serial_index() function returns an available minor number but doesn't assign it immediately. The assignment is done by the caller later. But before this assignment, calls to get_free_serial_index() would return the same minor number. Fix this by modifying get_free_serial_index to assign the minor number immediately after one is found to be and rename it to obtain_minor() to better reflect what it does. Similary, rename set_serial_by_index() to release_minor() and modify it to free up the minor number of the given hso_serial. Every obtain_minor() should have corresponding release_minor() call.(CVE-2021-46904) In the Linux kernel, the following vulnerability has been resolved: i2c: cadence: fix reference leak when pm_runtime_get_sync fails The PM reference count is not expected to be incremented on return in functions cdns_i2c_master_xfer and cdns_reg_slave. However, pm_runtime_get_sync will increment pm usage counter even failed. Forgetting to putting operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep usage counter balanced.(CVE-2020-36784) In the Linux kernel, the following vulnerability has been resolved: i2c: img-scb: fix reference leak when pm_runtime_get_sync fails The PM reference count is not expected to be incremented on return in functions img_i2c_xfer and img_i2c_init. However, pm_runtime_get_sync will increment the PM reference count even failed. Forgetting to putting operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep usage counter balanced.(CVE-2020-36783) In the Linux kernel, the following vulnerability has been resolved: i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails The PM reference count is not expected to be incremented on return in lpi2c_imx_master_enable. However, pm_runtime_get_sync will increment the PM reference count even failed. Forgetting to putting operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep usage counter balanced.(CVE-2020-36782) In the Linux kernel, the following vulnerability has been resolved: i2c: sprd: fix reference leak when pm_runtime_get_sync fails The PM reference count is not expected to be incremented on return in sprd_i2c_master_xfer() and sprd_i2c_remove(). However, pm_runtime_get_sync will increment the PM reference count even failed. Forgetting to putting operation will result in a reference leak here. Replace it with pm_runtime_resume_and_get to keep usage counter balanced.(CVE-2020-36780) In the Linux kernel, the following vulnerability has been resolved: media: dvbdev: Fix memory leak in dvb_media_device_free() dvb_media_device_free() is leaking memory. Free `dvbdev->adapter->conn` before setting it to NULL, as documented in include/media/media-device.h: "The media_entity instance itself must be freed explicitly by the driver if required."(CVE-2020-36777) In the Linux kernel, the following vulnerability has been resolved: i2c: Fix a potential use after free Free the adap structure only after we are done using it. This patch just moves the put_device() down a bit to avoid the use after free. [wsa: added comment to the code, added Fixes tag](CVE-2019-25162) In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache There is a potential UAF scenario in the case of an LPI translation cache hit racing with an operation that invalidates the cache, such as a DISCARD ITS command. The root of the problem is that vgic_its_check_cache() does not elevate the refcount on the vgic_irq before dropping the lock that serializes refcount changes. Have vgic_its_check_cache() raise the refcount on the returned vgic_irq and add the corresponding decrement after queueing the interrupt.(CVE-2024-26598) In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path When calling mlxsw_sp_acl_tcam_region_destroy() from an error path after failing to attach the region to an ACL group, we hit a NULL pointer dereference upon 'region->group->tcam' [1]. Fix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam(). [1] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] RIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0 [...] Call Trace: mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b(CVE-2024-26595) In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix stack corruption When tc filters are first added to a net device, the corresponding local port gets bound to an ACL group in the device. The group contains a list of ACLs. In turn, each ACL points to a different TCAM region where the filters are stored. During forwarding, the ACLs are sequentially evaluated until a match is found. One reason to place filters in different regions is when they are added with decreasing priorities and in an alternating order so that two consecutive filters can never fit in the same region because of their key usage. In Spectrum-2 and newer ASICs the firmware started to report that the maximum number of ACLs in a group is more than 16, but the layout of the register that configures ACL groups (PAGT) was not updated to account for that. It is therefore possible to hit stack corruption [1] in the rare case where more than 16 ACLs in a group are required. Fix by limiting the maximum ACL group size to the minimum between what the firmware reports and the maximum ACLs that fit in the PAGT register. Add a test case to make sure the machine does not crash when this condition is hit. [1] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120 [...] dump_stack_lvl+0x36/0x50 panic+0x305/0x330 __stack_chk_fail+0x15/0x20 mlxsw_sp_acl_tcam_group_update+0x116/0x120 mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110 mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b(CVE-2024-26586) A vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.(CVE-2024-1151) In the Linux kernel, the following vulnerability has been resolved: net: prevent mss overflow in skb_segment() Once again syzbot is able to crash the kernel in skb_segment() [1] GSO_BY_FRAGS is a forbidden value, but unfortunately the following computation in skb_segment() can reach it quite easily : mss = mss * partial_segs; 65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to a bad final result. Make sure to limit segmentation so that the new mss value is smaller than GSO_BY_FRAGS. [1] general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551 Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00 RSP: 0018:ffffc900043473d0 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597 RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070 RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0 R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046 FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> udp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109 ipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120 skb_mac_gso_segment+0x290/0x610 net/core/gso.c:53 __skb_gso_segment+0x339/0x710 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626 __dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338 dev_queue_xmit include/linux/netdevice.h:3134 [inline] packet_xmit+0x257/0x380 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0xd5/0x180 net/socket.c:745 __sys_sendto+0x255/0x340 net/socket.c:2190 __do_sys_sendto net/socket.c:2202 [inline] __se_sys_sendto net/socket.c:2198 [inline] __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b RIP: 0033:0x7f8692032aa9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9 RDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003 RBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480 R13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551 Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00 RSP: 0018:ffffc900043473d0 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597 RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070 RBP: ffffc90004347578 R0 ---truncated---(CVE-2023-52435) NULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C. This issue affects Linux kernel: v2.6.12-rc2. (CVE-2024-22099) A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.(CVE-2023-6270) kernel-devel-4.19.90-2305.1.0.0199.80.uel20.x86_64.rpm perf-4.19.90-2305.1.0.0199.80.uel20.x86_64.rpm python3-perf-4.19.90-2305.1.0.0199.80.uel20.x86_64.rpm kernel-4.19.90-2305.1.0.0199.80.uel20.x86_64.rpm bpftool-4.19.90-2305.1.0.0199.80.uel20.x86_64.rpm python2-perf-4.19.90-2305.1.0.0199.80.uel20.x86_64.rpm kernel-tools-4.19.90-2305.1.0.0199.80.uel20.x86_64.rpm kernel-btf-4.19.90-2305.1.0.0199.80.uel20.x86_64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.80.uel20.x86_64.rpm kernel-devel-4.19.90-2305.1.0.0199.80.uel20.aarch64.rpm kernel-4.19.90-2305.1.0.0199.80.uel20.aarch64.rpm kernel-btf-4.19.90-2305.1.0.0199.80.uel20.aarch64.rpm python3-perf-4.19.90-2305.1.0.0199.80.uel20.aarch64.rpm bpftool-4.19.90-2305.1.0.0199.80.uel20.aarch64.rpm kernel-tools-4.19.90-2305.1.0.0199.80.uel20.aarch64.rpm perf-4.19.90-2305.1.0.0199.80.uel20.aarch64.rpm python2-perf-4.19.90-2305.1.0.0199.80.uel20.aarch64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.80.uel20.aarch64.rpm UTSA-2024:20135 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: systemd security update

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.(CVE-2023-50868) systemd-libs-243-62.up9.uel20.08.x86_64.rpm systemd-243-62.up9.uel20.08.x86_64.rpm systemd-devel-243-62.up9.uel20.08.x86_64.rpm systemd-container-243-62.up9.uel20.08.x86_64.rpm systemd-udev-243-62.up9.uel20.08.x86_64.rpm systemd-journal-remote-243-62.up9.uel20.08.x86_64.rpm systemd-udev-compat-243-62.up9.uel20.08.x86_64.rpm systemd-container-243-62.up9.uel20.08.aarch64.rpm systemd-libs-243-62.up9.uel20.08.aarch64.rpm systemd-help-243-62.up9.uel20.08.noarch.rpm systemd-243-62.up9.uel20.08.aarch64.rpm systemd-journal-remote-243-62.up9.uel20.08.aarch64.rpm systemd-udev-compat-243-62.up9.uel20.08.aarch64.rpm systemd-devel-243-62.up9.uel20.08.aarch64.rpm systemd-udev-243-62.up9.uel20.08.aarch64.rpm UTSA-2024:20136 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: systemd security update

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.(CVE-2023-50387) systemd-container-243-62.up9.uel20.07.x86_64.rpm systemd-243-62.up9.uel20.07.x86_64.rpm systemd-libs-243-62.up9.uel20.07.x86_64.rpm systemd-devel-243-62.up9.uel20.07.x86_64.rpm systemd-udev-243-62.up9.uel20.07.x86_64.rpm systemd-udev-compat-243-62.up9.uel20.07.x86_64.rpm systemd-journal-remote-243-62.up9.uel20.07.x86_64.rpm systemd-243-62.up9.uel20.07.aarch64.rpm systemd-udev-243-62.up9.uel20.07.aarch64.rpm systemd-libs-243-62.up9.uel20.07.aarch64.rpm systemd-devel-243-62.up9.uel20.07.aarch64.rpm systemd-journal-remote-243-62.up9.uel20.07.aarch64.rpm systemd-udev-compat-243-62.up9.uel20.07.aarch64.rpm systemd-help-243-62.up9.uel20.07.noarch.rpm systemd-container-243-62.up9.uel20.07.aarch64.rpm UTSA-2024:20137 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: qt5-qtbase security update

Qt 6 through 6.6 was discovered to contain a NULL pointer dereference via the function QXcbConnection::initializeAllAtoms(). NOTE: this is disputed because it is not expected that an X application should continue to run when there is arbitrary anomalous behavior from the X server.(CVE-2023-45935) qt5-qtbase-devel-5.11.1-22.up7.uel20.x86_64.rpm qt5-qtbase-5.11.1-22.up7.uel20.x86_64.rpm qt5-qtbase-gui-5.11.1-22.up7.uel20.x86_64.rpm qt5-qtbase-mysql-5.11.1-22.up7.uel20.x86_64.rpm qt5-qtbase-odbc-5.11.1-22.up7.uel20.x86_64.rpm qt5-qtbase-postgresql-5.11.1-22.up7.uel20.x86_64.rpm qt5-qtbase-devel-5.11.1-22.up7.uel20.aarch64.rpm qt5-qtbase-5.11.1-22.up7.uel20.aarch64.rpm qt5-qtbase-gui-5.11.1-22.up7.uel20.aarch64.rpm qt5-qtbase-odbc-5.11.1-22.up7.uel20.aarch64.rpm qt5-qtbase-mysql-5.11.1-22.up7.uel20.aarch64.rpm qt5-qtbase-common-5.11.1-22.up7.uel20.noarch.rpm qt5-qtbase-postgresql-5.11.1-22.up7.uel20.aarch64.rpm UTSA-2024:20138 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python-pymongo security update

Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could force the parser to deserialize unmanaged memory. The parser tries to interpret bytes next to buffer and throws an exception with string. If the following bytes are not printable UTF-8 the parser throws an exception with a single byte.(CVE-2024-21506) python3-pymongo-3.9.0-6.uel20.x86_64.rpm python2-bson-3.9.0-6.uel20.x86_64.rpm python2-pymongo-gridfs-3.9.0-6.uel20.x86_64.rpm python2-pymongo-3.9.0-6.uel20.x86_64.rpm python3-pymongo-gridfs-3.9.0-6.uel20.x86_64.rpm python3-bson-3.9.0-6.uel20.x86_64.rpm python2-pymongo-3.9.0-6.uel20.aarch64.rpm python3-bson-3.9.0-6.uel20.aarch64.rpm python2-bson-3.9.0-6.uel20.aarch64.rpm python3-pymongo-3.9.0-6.uel20.aarch64.rpm python3-pymongo-gridfs-3.9.0-6.uel20.aarch64.rpm python-pymongo-help-3.9.0-6.uel20.noarch.rpm python2-pymongo-gridfs-3.9.0-6.uel20.aarch64.rpm UTSA-2024:20139 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: tigervnc security update

A use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently, ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request.(CVE-2024-31083) A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.(CVE-2024-31081) A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.(CVE-2024-31080) tigervnc-1.10.1-8.uel20.02.x86_64.rpm tigervnc-server-module-1.10.1-8.uel20.02.x86_64.rpm tigervnc-server-minimal-1.10.1-8.uel20.02.x86_64.rpm tigervnc-server-1.10.1-8.uel20.02.x86_64.rpm tigervnc-1.10.1-8.uel20.02.aarch64.rpm tigervnc-server-minimal-1.10.1-8.uel20.02.aarch64.rpm tigervnc-server-1.10.1-8.uel20.02.aarch64.rpm tigervnc-server-module-1.10.1-8.uel20.02.aarch64.rpm tigervnc-server-applet-1.10.1-8.uel20.02.noarch.rpm tigervnc-help-1.10.1-8.uel20.02.noarch.rpm UTSA-2024:20140 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: golang security update

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.(CVE-2023-45288) golang-1.15.7-43.uel20.x86_64.rpm golang-devel-1.15.7-43.uel20.noarch.rpm golang-1.15.7-43.uel20.aarch64.rpm golang-help-1.15.7-43.uel20.noarch.rpm UTSA-2024:20141 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python-pillow security update

In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.(CVE-2024-28219) python3-pillow-9.0.1-7.uel20.x86_64.rpm python3-pillow-tk-9.0.1-7.uel20.x86_64.rpm python3-pillow-qt-9.0.1-7.uel20.x86_64.rpm python3-pillow-devel-9.0.1-7.uel20.x86_64.rpm python3-pillow-qt-9.0.1-7.uel20.aarch64.rpm python3-pillow-help-9.0.1-7.uel20.noarch.rpm python3-pillow-tk-9.0.1-7.uel20.aarch64.rpm python3-pillow-9.0.1-7.uel20.aarch64.rpm python3-pillow-devel-9.0.1-7.uel20.aarch64.rpm UTSA-2024:20142 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: llvm security update

LLVM 15.0.0 has a NULL pointer dereference in the parseOneMetadata() function via a crafted pdflatex.fmt file (or perhaps a crafted .o file) to llvm-lto. NOTE: this is disputed because the relationship between pdflatex.fmt and any LLVM language front end is not explained, and because a crash of the llvm-lto application should be categorized as a usability problem.(CVE-2023-46049) llvm-12.0.1-7.uel20.01.x86_64.rpm llvm-devel-12.0.1-7.uel20.01.x86_64.rpm llvm-libs-12.0.1-7.uel20.01.x86_64.rpm llvm-devel-12.0.1-7.uel20.01.aarch64.rpm llvm-help-12.0.1-7.uel20.01.noarch.rpm llvm-12.0.1-7.uel20.01.aarch64.rpm llvm-libs-12.0.1-7.uel20.01.aarch64.rpm UTSA-2024:20143 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: emacs security update

In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23.(CVE-2024-30205) In Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments.(CVE-2024-30204) In Emacs before 29.3, Gnus treats inline MIME contents as trusted.(CVE-2024-30203) In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23.(CVE-2024-30202) emacs-devel-27.1-11.uel20.x86_64.rpm emacs-27.1-11.uel20.x86_64.rpm emacs-common-27.1-11.uel20.x86_64.rpm emacs-nox-27.1-11.uel20.x86_64.rpm emacs-lucid-27.1-11.uel20.x86_64.rpm emacs-common-27.1-11.uel20.aarch64.rpm emacs-27.1-11.uel20.aarch64.rpm emacs-lucid-27.1-11.uel20.aarch64.rpm emacs-nox-27.1-11.uel20.aarch64.rpm emacs-devel-27.1-11.uel20.aarch64.rpm emacs-help-27.1-11.uel20.noarch.rpm emacs-terminal-27.1-11.uel20.noarch.rpm emacs-filesystem-27.1-11.uel20.noarch.rpm UTSA-2024:20144 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: varnish security update

Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 LTS), and Varnish Enterprise 6 before 6.0.12r6, allows credits exhaustion for an HTTP/2 connection control flow window, aka a Broke Window Attack.(CVE-2024-30156) varnish-7.4.3-1.uel20.x86_64.rpm varnish-devel-7.4.3-1.uel20.x86_64.rpm varnish-7.4.3-1.uel20.aarch64.rpm varnish-devel-7.4.3-1.uel20.aarch64.rpm varnish-help-7.4.3-1.uel20.noarch.rpm UTSA-2024:20145 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: wireshark security update

Due to failure in validating the length provided by an attacker-crafted RTPS packet, Wireshark version 4.0.5 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark.(CVE-2023-0666) wireshark-devel-3.6.14-7.uel20.x86_64.rpm wireshark-3.6.14-7.uel20.x86_64.rpm wireshark-help-3.6.14-7.uel20.x86_64.rpm wireshark-devel-3.6.14-7.uel20.aarch64.rpm wireshark-3.6.14-7.uel20.aarch64.rpm wireshark-help-3.6.14-7.uel20.aarch64.rpm UTSA-2024:20146 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: ruby security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2024-27281) rubygem-io-console-0.4.6-122.uel20.x86_64.rpm rubygem-psych-3.0.2-122.uel20.x86_64.rpm rubygem-bigdecimal-1.3.4-122.uel20.x86_64.rpm rubygem-json-2.1.0-122.uel20.x86_64.rpm rubygem-openssl-2.1.2-122.uel20.x86_64.rpm ruby-2.5.8-122.uel20.x86_64.rpm ruby-devel-2.5.8-122.uel20.x86_64.rpm ruby-help-2.5.8-122.uel20.noarch.rpm ruby-2.5.8-122.uel20.aarch64.rpm rubygems-2.7.6-122.uel20.noarch.rpm rubygem-rdoc-6.0.1.1-122.uel20.noarch.rpm rubygem-rake-12.3.0-122.uel20.noarch.rpm rubygem-io-console-0.4.6-122.uel20.aarch64.rpm rubygem-json-2.1.0-122.uel20.aarch64.rpm rubygem-psych-3.0.2-122.uel20.aarch64.rpm rubygem-openssl-2.1.2-122.uel20.aarch64.rpm rubygem-test-unit-3.2.7-122.uel20.noarch.rpm rubygem-xmlrpc-0.3.0-122.uel20.noarch.rpm ruby-devel-2.5.8-122.uel20.aarch64.rpm rubygem-did_you_mean-1.2.0-122.uel20.noarch.rpm rubygem-minitest-5.10.3-122.uel20.noarch.rpm rubygem-bigdecimal-1.3.4-122.uel20.aarch64.rpm rubygems-devel-2.7.6-122.uel20.noarch.rpm rubygem-power_assert-1.1.1-122.uel20.noarch.rpm rubygem-net-telnet-0.1.1-122.uel20.noarch.rpm ruby-irb-2.5.8-122.uel20.noarch.rpm UTSA-2024:20147 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: gnutls security update

A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.(CVE-2024-28834) gnutls-devel-3.6.16-6.uel20.7.x86_64.rpm gnutls-help-3.6.16-6.uel20.7.x86_64.rpm gnutls-3.6.16-6.uel20.7.x86_64.rpm gnutls-devel-3.6.16-6.uel20.7.aarch64.rpm gnutls-3.6.16-6.uel20.7.aarch64.rpm gnutls-help-3.6.16-6.uel20.7.aarch64.rpm UTSA-2024:20148 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libvirt security update

A flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length to the g_new0 function results in a crash due to the negative length being treated as a huge positive number. This flaw allows a local, unprivileged user to perform a denial of service attack by causing the libvirt daemon to crash.(CVE-2024-2494) An off-by-one error flaw was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `names` array. This issue can be reproduced by sending specially crafted data to the libvirt daemon, allowing an unprivileged client to perform a denial of service attack by causing the libvirt daemon to crash.(CVE-2024-1441) libvirt-client-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-driver-qemu-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-mpath-6.2.0-24.up1.uel20.x86_64.rpm libvirt-nss-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-config-nwfilter-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-logical-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-driver-secret-6.2.0-24.up1.uel20.x86_64.rpm libvirt-libs-6.2.0-24.up1.uel20.x86_64.rpm libvirt-6.2.0-24.up1.uel20.x86_64.rpm libvirt-docs-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-core-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-kvm-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-iscsi-6.2.0-24.up1.uel20.x86_64.rpm libvirt-wireshark-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-6.2.0-24.up1.uel20.x86_64.rpm libvirt-bash-completion-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-iscsi-direct-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-rbd-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-gluster-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-disk-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-driver-nwfilter-6.2.0-24.up1.uel20.x86_64.rpm libvirt-admin-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-driver-interface-6.2.0-24.up1.uel20.x86_64.rpm libvirt-devel-6.2.0-24.up1.uel20.x86_64.rpm libvirt-lock-sanlock-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-driver-nodedev-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-qemu-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-scsi-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-config-network-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-driver-network-6.2.0-24.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-disk-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-driver-secret-6.2.0-24.up1.uel20.aarch64.rpm libvirt-nss-6.2.0-24.up1.uel20.aarch64.rpm libvirt-devel-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-6.2.0-24.up1.uel20.aarch64.rpm libvirt-libs-6.2.0-24.up1.uel20.aarch64.rpm libvirt-client-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-gluster-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-core-6.2.0-24.up1.uel20.aarch64.rpm libvirt-bash-completion-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-logical-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-config-network-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-driver-qemu-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-driver-nodedev-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-rbd-6.2.0-24.up1.uel20.aarch64.rpm libvirt-docs-6.2.0-24.up1.uel20.aarch64.rpm libvirt-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-driver-network-6.2.0-24.up1.uel20.aarch64.rpm libvirt-wireshark-6.2.0-24.up1.uel20.aarch64.rpm libvirt-lock-sanlock-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-kvm-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-driver-nwfilter-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-scsi-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-config-nwfilter-6.2.0-24.up1.uel20.aarch64.rpm libvirt-admin-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-iscsi-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-iscsi-direct-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-qemu-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-mpath-6.2.0-24.up1.uel20.aarch64.rpm libvirt-daemon-driver-interface-6.2.0-24.up1.uel20.aarch64.rpm UTSA-2024:20149 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: jose security update

latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.(CVE-2023-50967) jose-10-6.uel20.x86_64.rpm jose-devel-10-6.uel20.x86_64.rpm jose-help-10-6.uel20.x86_64.rpm jose-help-10-6.uel20.aarch64.rpm jose-devel-10-6.uel20.aarch64.rpm jose-10-6.uel20.aarch64.rpm UTSA-2024:20150 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: expat security update

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).(CVE-2024-28757) libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.(CVE-2023-52426) expat-devel-2.2.9-11.uel20.x86_64.rpm expat-2.2.9-11.uel20.x86_64.rpm expat-help-2.2.9-11.uel20.noarch.rpm expat-2.2.9-11.uel20.aarch64.rpm expat-devel-2.2.9-11.uel20.aarch64.rpm UTSA-2024:20151 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: mozjs78 security update

A mishandled security check when creating a WebSocket in a WebWorker caused the Content Security Policy connect-src header to be ignored. This could lead to connections to restricted origins from inside WebWorkers. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.(CVE-2023-23602) Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab which could lead to website spoofing attacks. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.(CVE-2023-23601) When copying a network request from the developer tools panel as a curl command the output was not being properly sanitized and could allow arbitrary commands to be hidden within. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.(CVE-2023-23599) mozjs78-help-78.4.0-3.up1.uel20.01.x86_64.rpm mozjs78-78.4.0-3.up1.uel20.01.x86_64.rpm mozjs78-devel-78.4.0-3.up1.uel20.01.x86_64.rpm mozjs78-devel-78.4.0-3.up1.uel20.01.aarch64.rpm mozjs78-78.4.0-3.up1.uel20.01.aarch64.rpm mozjs78-help-78.4.0-3.up1.uel20.01.aarch64.rpm UTSA-2024:20152 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: rubygem-rack security update

Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.(CVE-2024-25126) rubygem-rack-help-2.2.3.1-5.uel20.01.noarch.rpm rubygem-rack-2.2.3.1-5.uel20.01.noarch.rpm UTSA-2024:20153 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: ghostscript security update

Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature).(CVE-2020-36773) ghostscript-9.52-13.uel20.01.x86_64.rpm ghostscript-tools-dvipdf-9.52-13.uel20.01.x86_64.rpm ghostscript-devel-9.52-13.uel20.01.x86_64.rpm ghostscript-help-9.52-13.uel20.01.noarch.rpm ghostscript-9.52-13.uel20.01.aarch64.rpm ghostscript-tools-dvipdf-9.52-13.uel20.01.aarch64.rpm ghostscript-devel-9.52-13.uel20.01.aarch64.rpm UTSA-2024:20154 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libssh2 security update

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795) libssh2-devel-1.9.0-8.uel20.x86_64.rpm libssh2-1.9.0-8.uel20.x86_64.rpm libssh2-devel-1.9.0-8.uel20.aarch64.rpm libssh2-help-1.9.0-8.uel20.noarch.rpm libssh2-1.9.0-8.uel20.aarch64.rpm UTSA-2024:20155 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: postgresql security update

Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.(CVE-2023-2455) schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.(CVE-2023-2454) postgresql-contrib-10.23-1.uel20.01.x86_64.rpm postgresql-server-devel-10.23-1.uel20.01.x86_64.rpm postgresql-help-10.23-1.uel20.01.x86_64.rpm postgresql-test-10.23-1.uel20.01.x86_64.rpm postgresql-pltcl-10.23-1.uel20.01.x86_64.rpm postgresql-plpython3-10.23-1.uel20.01.x86_64.rpm postgresql-10.23-1.uel20.01.x86_64.rpm postgresql-plperl-10.23-1.uel20.01.x86_64.rpm postgresql-server-10.23-1.uel20.01.x86_64.rpm postgresql-test-rpm-macros-10.23-1.uel20.01.x86_64.rpm postgresql-static-10.23-1.uel20.01.x86_64.rpm postgresql-test-10.23-1.uel20.01.aarch64.rpm postgresql-static-10.23-1.uel20.01.aarch64.rpm postgresql-server-devel-10.23-1.uel20.01.aarch64.rpm postgresql-test-rpm-macros-10.23-1.uel20.01.aarch64.rpm postgresql-plperl-10.23-1.uel20.01.aarch64.rpm postgresql-plpython3-10.23-1.uel20.01.aarch64.rpm postgresql-pltcl-10.23-1.uel20.01.aarch64.rpm postgresql-contrib-10.23-1.uel20.01.aarch64.rpm postgresql-server-10.23-1.uel20.01.aarch64.rpm postgresql-help-10.23-1.uel20.01.aarch64.rpm postgresql-10.23-1.uel20.01.aarch64.rpm UTSA-2024:20156 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: git security update

Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.(CVE-2024-32465) Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.(CVE-2024-32021) Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a "proper" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.(CVE-2024-32020) Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.(CVE-2024-32004) Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.(CVE-2024-32002) git-2.27.0-20.uel20.x86_64.rpm git-daemon-2.27.0-20.uel20.x86_64.rpm git-web-2.27.0-20.uel20.noarch.rpm git-help-2.27.0-20.uel20.noarch.rpm git-gui-2.27.0-20.uel20.noarch.rpm git-email-2.27.0-20.uel20.noarch.rpm git-svn-2.27.0-20.uel20.noarch.rpm git-2.27.0-20.uel20.aarch64.rpm perl-Git-SVN-2.27.0-20.uel20.noarch.rpm perl-Git-2.27.0-20.uel20.noarch.rpm git-daemon-2.27.0-20.uel20.aarch64.rpm gitk-2.27.0-20.uel20.noarch.rpm UTSA-2024:20157 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-sqlparse security update

Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError. (CVE-2024-4340) python3-sqlparse-0.3.1-3.uel20.noarch.rpm python-sqlparse-help-0.3.1-3.uel20.noarch.rpm UTSA-2024:20158 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: freerdp security update

FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to a possible `NULL` access and crash. Version 3.5.1 contains a patch for the issue. No known workarounds are available.(CVE-2024-32661) libwinpr-devel-2.11.7-2.uel20.x86_64.rpm libwinpr-2.11.7-2.uel20.x86_64.rpm freerdp-devel-2.11.7-2.uel20.x86_64.rpm freerdp-help-2.11.7-2.uel20.x86_64.rpm freerdp-2.11.7-2.uel20.x86_64.rpm freerdp-2.11.7-2.uel20.aarch64.rpm freerdp-devel-2.11.7-2.uel20.aarch64.rpm libwinpr-2.11.7-2.uel20.aarch64.rpm libwinpr-devel-2.11.7-2.uel20.aarch64.rpm freerdp-help-2.11.7-2.uel20.aarch64.rpm UTSA-2024:20159 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: libyaml security update

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: The maintainer identified an error in the libyaml fuzzers. It is not possible to reproduce nor exploit the issue.(CVE-2024-3205) libyaml-0.2.5-3.uel20.02.x86_64.rpm libyaml-devel-0.2.5-3.uel20.02.x86_64.rpm libyaml-0.2.5-3.uel20.02.aarch64.rpm libyaml-devel-0.2.5-3.uel20.02.aarch64.rpm libyaml-help-0.2.5-3.uel20.02.noarch.rpm UTSA-2024:20160 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: podman security update

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.(CVE-2022-32149) podman-help-3.4.4-2.uel20.x86_64.rpm podman-3.4.4-2.uel20.x86_64.rpm podman-gvproxy-3.4.4-2.uel20.x86_64.rpm podman-remote-3.4.4-2.uel20.x86_64.rpm podman-plugins-3.4.4-2.uel20.x86_64.rpm podman-3.4.4-2.uel20.aarch64.rpm podman-help-3.4.4-2.uel20.aarch64.rpm podman-docker-3.4.4-2.uel20.noarch.rpm podman-plugins-3.4.4-2.uel20.aarch64.rpm podman-gvproxy-3.4.4-2.uel20.aarch64.rpm podman-remote-3.4.4-2.uel20.aarch64.rpm UTSA-2024:20161 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: expat security update

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.(CVE-2023-52425) expat-2.2.9-12.uel20.x86_64.rpm expat-devel-2.2.9-12.uel20.x86_64.rpm expat-2.2.9-12.uel20.aarch64.rpm expat-devel-2.2.9-12.uel20.aarch64.rpm expat-help-2.2.9-12.uel20.noarch.rpm UTSA-2024:20162 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: giflib security update

A memory leak (out-of-memory) in gif2rgb in util/gif2rgb.c in giflib 5.1.4 allows remote attackers trigger an out of memory exception or denial of service via a gif format file.(CVE-2021-40633) giflib-devel-5.2.1-5.uel20.x86_64.rpm giflib-5.2.1-5.uel20.x86_64.rpm giflib-utils-5.2.1-5.uel20.x86_64.rpm giflib-5.2.1-5.uel20.aarch64.rpm giflib-utils-5.2.1-5.uel20.aarch64.rpm giflib-help-5.2.1-5.uel20.noarch.rpm giflib-devel-5.2.1-5.uel20.aarch64.rpm UTSA-2024:20163 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: infinispan security update

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.(CVE-2019-10174) infinispan-help-8.2.4-13.uel20.noarch.rpm infinispan-8.2.4-13.uel20.noarch.rpm UTSA-2024:20164 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: uharden security update

fix cve/bug or enhancement uharden-dbus-1.1.1-25.uel20.aarch64.rpm uharden-dbus-1.1.1-25.uel20.x86_64.rpm UTSA-2024:20165 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: mozjs78 security update

In the <code>nsTArray_Impl::ReplaceElementsAt()</code> function, an integer overflow could have occurred when the number of elements to replace was too large for the container. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.(CVE-2022-34481) Ports that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.(CVE-2021-29946) mozjs78-devel-78.4.0-3.up1.uel20.02.x86_64.rpm mozjs78-78.4.0-3.up1.uel20.02.x86_64.rpm mozjs78-help-78.4.0-3.up1.uel20.02.x86_64.rpm mozjs78-devel-78.4.0-3.up1.uel20.02.aarch64.rpm mozjs78-help-78.4.0-3.up1.uel20.02.aarch64.rpm mozjs78-78.4.0-3.up1.uel20.02.aarch64.rpm UTSA-2024:20166 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: three-eight-nine-ds-base security update

A flaw was found in 389-ds-base. A specially-crafted LDAP query can potentially cause a failure on the directory server, leading to a denial of service(CVE-2024-3657) 389-ds-base-devel-1.4.4.4-1.2.up2.uel20.x86_64.rpm 389-ds-base-1.4.4.4-1.2.up2.uel20.x86_64.rpm 389-ds-base-libs-1.4.4.4-1.2.up2.uel20.x86_64.rpm 389-ds-base-snmp-1.4.4.4-1.2.up2.uel20.x86_64.rpm python3-lib389-1.4.4.4-1.2.up2.uel20.noarch.rpm 389-ds-base-1.4.4.4-1.2.up2.uel20.aarch64.rpm 389-ds-base-snmp-1.4.4.4-1.2.up2.uel20.aarch64.rpm 389-ds-base-devel-1.4.4.4-1.2.up2.uel20.aarch64.rpm cockpit-389-ds-1.4.4.4-1.2.up2.uel20.noarch.rpm 389-ds-base-libs-1.4.4.4-1.2.up2.uel20.aarch64.rpm UTSA-2024:20167 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: qemu security update

A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot.(CVE-2023-5088) qemu-guest-agent-4.1.0-83.up7.uel20.x86_64.rpm qemu-4.1.0-83.up7.uel20.x86_64.rpm qemu-img-4.1.0-83.up7.uel20.x86_64.rpm qemu-block-iscsi-4.1.0-83.up7.uel20.x86_64.rpm qemu-seabios-4.1.0-83.up7.uel20.x86_64.rpm qemu-block-ssh-4.1.0-83.up7.uel20.x86_64.rpm qemu-block-curl-4.1.0-83.up7.uel20.x86_64.rpm qemu-block-rbd-4.1.0-83.up7.uel20.x86_64.rpm qemu-4.1.0-83.up7.uel20.aarch64.rpm qemu-guest-agent-4.1.0-83.up7.uel20.aarch64.rpm qemu-block-curl-4.1.0-83.up7.uel20.aarch64.rpm qemu-help-4.1.0-83.up7.uel20.noarch.rpm qemu-block-ssh-4.1.0-83.up7.uel20.aarch64.rpm qemu-img-4.1.0-83.up7.uel20.aarch64.rpm qemu-block-rbd-4.1.0-83.up7.uel20.aarch64.rpm qemu-block-iscsi-4.1.0-83.up7.uel20.aarch64.rpm UTSA-2024:20168 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: microcode_ctl security update

Hardware logic contains race conditions in some Intel(R) Processors may allow an authenticated user to potentially enable partial information disclosure via local access.(CVE-2023-45733) Improper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2023-45745) Sequence of processor instructions leads to unexpected behavior in Intel(R) Core(TM) Ultra Processors may allow an authenticated user to potentially enable denial of service via local access.(CVE-2023-46103) Improper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2023-47855) microcode_ctl-20240531-1.uel20.01.x86_64.rpm UTSA-2024:20169 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libarchive security update

Windows Libarchive Remote Code Execution Vulnerability(CVE-2024-20696) libarchive-3.5.3-3.uel20.02.x86_64.rpm libarchive-devel-3.5.3-3.uel20.02.x86_64.rpm libarchive-help-3.5.3-3.uel20.02.noarch.rpm libarchive-devel-3.5.3-3.uel20.02.aarch64.rpm libarchive-3.5.3-3.uel20.02.aarch64.rpm UTSA-2024:20170 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libndp security update

A vulnerability was found in libndp. This flaw allows a local malicious user to cause a buffer overflow in NetworkManager, triggered by sending a malformed IPv6 router advertisement packet. This issue occurred as libndp was not correctly validating the route length information.(CVE-2024-5564) libndp-help-1.7-6.uel20.02.x86_64.rpm libndp-1.7-6.uel20.02.x86_64.rpm libndp-devel-1.7-6.uel20.02.x86_64.rpm libndp-1.7-6.uel20.02.aarch64.rpm libndp-help-1.7-6.uel20.02.aarch64.rpm libndp-devel-1.7-6.uel20.02.aarch64.rpm UTSA-2024:20171 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: mozjs78 security update

Certain network request objects were freed too early when releasing a network request handle. This could have lead to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.(CVE-2022-22740) A local attacker can trick the Mozilla Maintenance Service into applying an unsigned update file by pointing the service at an update file on a malicious SMB server. The update file can be replaced after the signature check, before the use, because the write-lock requested by the service does not work on a SMB server. *Note: This attack requires local system access and only affects Windows. Other operating systems are not affected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10. (CVE-2023-29532) mozjs78-devel-78.4.0-3.up1.uel20.03.x86_64.rpm mozjs78-78.4.0-3.up1.uel20.03.x86_64.rpm mozjs78-help-78.4.0-3.up1.uel20.03.x86_64.rpm mozjs78-devel-78.4.0-3.up1.uel20.03.aarch64.rpm mozjs78-help-78.4.0-3.up1.uel20.03.aarch64.rpm mozjs78-78.4.0-3.up1.uel20.03.aarch64.rpm UTSA-2024:20175 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: kernel-4.19 security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-52340) A flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure.(CVE-2023-39194) kernel-devel-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm kernel-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm python2-perf-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm kernel-tools-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm bpftool-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm perf-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm kernel-btf-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm python3-perf-4.19.90-2305.1.0.0199.78.uel20.aarch64.rpm python2-perf-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm kernel-btf-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm bpftool-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm kernel-tools-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm kernel-devel-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm kernel-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm perf-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm python3-perf-4.19.90-2305.1.0.0199.78.uel20.x86_64.rpm UTSA-2024:20178 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: kernel-4.19 security update

An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.(CVE-2023-6610) bt_sock_recvmsg in net/bluetooth/af_bluetooth.c in the Linux kernel through 6.6.8 has a use-after-free because of a bt_sock_ioctl race condition.(CVE-2023-51779) An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).(CVE-2023-6121) A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.(CVE-2023-39198) An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.(CVE-2023-39197) A flaw was found in the IPv4 Resource Reservation Protocol (RSVP) classifier in the Linux kernel. The xprt pointer may go beyond the linear part of the skb, leading to an out-of-bounds read in the `rsvp_classify` function. This issue may allow a local user to crash the system and cause a denial of service.(CVE-2023-42755) A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec. (CVE-2023-4207) An issue was discovered in the Linux kernel through 6.3.8. A use-after-free was found in ravb_remove in drivers/net/ethernet/renesas/ravb_main.c.(CVE-2023-35827) An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating fops.(CVE-2022-45884) kernel-devel-4.19.90-2305.1.0.0199.67.uel20.aarch64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.67.uel20.aarch64.rpm perf-4.19.90-2305.1.0.0199.67.uel20.aarch64.rpm kernel-tools-4.19.90-2305.1.0.0199.67.uel20.aarch64.rpm python2-perf-4.19.90-2305.1.0.0199.67.uel20.aarch64.rpm bpftool-4.19.90-2305.1.0.0199.67.uel20.aarch64.rpm kernel-4.19.90-2305.1.0.0199.67.uel20.aarch64.rpm kernel-btf-4.19.90-2305.1.0.0199.67.uel20.aarch64.rpm python3-perf-4.19.90-2305.1.0.0199.67.uel20.aarch64.rpm kernel-devel-4.19.90-2305.1.0.0199.67.uel20.x86_64.rpm kernel-4.19.90-2305.1.0.0199.67.uel20.x86_64.rpm kernel-tools-4.19.90-2305.1.0.0199.67.uel20.x86_64.rpm python2-perf-4.19.90-2305.1.0.0199.67.uel20.x86_64.rpm bpftool-4.19.90-2305.1.0.0199.67.uel20.x86_64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.67.uel20.x86_64.rpm kernel-btf-4.19.90-2305.1.0.0199.67.uel20.x86_64.rpm perf-4.19.90-2305.1.0.0199.67.uel20.x86_64.rpm python3-perf-4.19.90-2305.1.0.0199.67.uel20.x86_64.rpm UTSA-2024:20183 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: kernel-4.19 security update

A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation. If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free. We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f. (CVE-2023-4623) A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation. The unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free. We recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c. (CVE-2023-4622) A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81. (CVE-2023-4208) A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8. (CVE-2023-4206) Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.(CVE-2022-40982) An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvb_net.c has a .disconnect versus dvb_device_open race condition that leads to a use-after-free.(CVE-2022-45886) kernel-devel-4.19.90-2305.1.0.0199.65.uel20.aarch64.rpm kernel-4.19.90-2305.1.0.0199.65.uel20.aarch64.rpm python3-perf-4.19.90-2305.1.0.0199.65.uel20.aarch64.rpm kernel-tools-4.19.90-2305.1.0.0199.65.uel20.aarch64.rpm bpftool-4.19.90-2305.1.0.0199.65.uel20.aarch64.rpm perf-4.19.90-2305.1.0.0199.65.uel20.aarch64.rpm kernel-btf-4.19.90-2305.1.0.0199.65.uel20.aarch64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.65.uel20.aarch64.rpm python2-perf-4.19.90-2305.1.0.0199.65.uel20.aarch64.rpm kernel-devel-4.19.90-2305.1.0.0199.65.uel20.x86_64.rpm kernel-4.19.90-2305.1.0.0199.65.uel20.x86_64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.65.uel20.x86_64.rpm python3-perf-4.19.90-2305.1.0.0199.65.uel20.x86_64.rpm kernel-tools-4.19.90-2305.1.0.0199.65.uel20.x86_64.rpm perf-4.19.90-2305.1.0.0199.65.uel20.x86_64.rpm kernel-btf-4.19.90-2305.1.0.0199.65.uel20.x86_64.rpm bpftool-4.19.90-2305.1.0.0199.65.uel20.x86_64.rpm python2-perf-4.19.90-2305.1.0.0199.65.uel20.x86_64.rpm UTSA-2024:20184 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: kernel-4.19 security update

A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup.(CVE-2023-4459) A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a kernel information leak problem.(CVE-2023-4387) A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap.c in the journaling file system (JFS) in the Linux Kernel. This issue may allow a local attacker to crash the system due to a missing sanity check.(CVE-2023-4385) An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled.(CVE-2023-40283) A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid"), - 66b2c338adce ("tap: tap_open(): correctly initialize socket uid"), pass "inode->i_uid" to sock_init_data_uid() as the last parameter and that turns out to not be accurate.(CVE-2023-4194) Rejected reason: ** REJECT ** DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. Reason: This record is a duplicate of CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. Notes: All CVE users should reference CVE-2023-4206, CVE-2023-4207, CVE-2023-4208 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.(CVE-2023-4128) The fix for XSA-423 added logic to Linux'es netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didn't account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area that's specially dealt with to keep all (possible) headers together. Such an unusual packet would therefore trigger a buffer overrun in the driver. (CVE-2023-34319) A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.(CVE-2023-3772) A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%.(CVE-2023-1206) kernel-devel-4.19.90-2305.1.0.0199.64.uel20.aarch64.rpm kernel-4.19.90-2305.1.0.0199.64.uel20.aarch64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.64.uel20.aarch64.rpm kernel-btf-4.19.90-2305.1.0.0199.64.uel20.aarch64.rpm perf-4.19.90-2305.1.0.0199.64.uel20.aarch64.rpm bpftool-4.19.90-2305.1.0.0199.64.uel20.aarch64.rpm python2-perf-4.19.90-2305.1.0.0199.64.uel20.aarch64.rpm python3-perf-4.19.90-2305.1.0.0199.64.uel20.aarch64.rpm kernel-tools-4.19.90-2305.1.0.0199.64.uel20.aarch64.rpm kernel-devel-4.19.90-2305.1.0.0199.64.uel20.x86_64.rpm perf-4.19.90-2305.1.0.0199.64.uel20.x86_64.rpm kernel-btf-4.19.90-2305.1.0.0199.64.uel20.x86_64.rpm bpftool-4.19.90-2305.1.0.0199.64.uel20.x86_64.rpm kernel-4.19.90-2305.1.0.0199.64.uel20.x86_64.rpm python2-perf-4.19.90-2305.1.0.0199.64.uel20.x86_64.rpm kernel-tools-4.19.90-2305.1.0.0199.64.uel20.x86_64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.64.uel20.x86_64.rpm python3-perf-4.19.90-2305.1.0.0199.64.uel20.x86_64.rpm UTSA-2024:20185 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: kernel-4.19 security update

A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.(CVE-2023-4132) A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to impact a kernel information leak issue.(CVE-2023-3863) kernel-devel-4.19.90-2305.1.0.0199.63.uel20.aarch64.rpm kernel-4.19.90-2305.1.0.0199.63.uel20.aarch64.rpm python3-perf-4.19.90-2305.1.0.0199.63.uel20.aarch64.rpm kernel-btf-4.19.90-2305.1.0.0199.63.uel20.aarch64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.63.uel20.aarch64.rpm bpftool-4.19.90-2305.1.0.0199.63.uel20.aarch64.rpm perf-4.19.90-2305.1.0.0199.63.uel20.aarch64.rpm kernel-tools-4.19.90-2305.1.0.0199.63.uel20.aarch64.rpm python2-perf-4.19.90-2305.1.0.0199.63.uel20.aarch64.rpm kernel-devel-4.19.90-2305.1.0.0199.63.uel20.x86_64.rpm kernel-4.19.90-2305.1.0.0199.63.uel20.x86_64.rpm kernel-btf-4.19.90-2305.1.0.0199.63.uel20.x86_64.rpm python3-perf-4.19.90-2305.1.0.0199.63.uel20.x86_64.rpm bpftool-4.19.90-2305.1.0.0199.63.uel20.x86_64.rpm perf-4.19.90-2305.1.0.0199.63.uel20.x86_64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.63.uel20.x86_64.rpm kernel-tools-4.19.90-2305.1.0.0199.63.uel20.x86_64.rpm python2-perf-4.19.90-2305.1.0.0199.63.uel20.x86_64.rpm UTSA-2024:20188 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: kernel-4.19 security update

An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in renesas_usb3_remove in drivers/usb/gadget/udc/renesas_usb3.c.(CVE-2023-35828) An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in dm1105_remove in drivers/media/pci/dm1105/dm1105.c.(CVE-2023-35824) An issue was discovered in the Linux kernel before 6.3.2. A use-after-free was found in saa7134_finidev in drivers/media/pci/saa7134/saa7134-core.c.(CVE-2023-35823) An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.(CVE-2023-35788) A null pointer dereference was found in the Linux kernel's Integrated Sensor Hub (ISH) driver. This issue could allow a local user to crash the system.(CVE-2023-3358) An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.(CVE-2023-3268) An issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks check of the return value of kzalloc() and will cause the NULL Pointer Dereference.(CVE-2023-3220) kernel-devel-4.19.90-2305.1.0.0199.60.uel20.aarch64.rpm python2-perf-4.19.90-2305.1.0.0199.60.uel20.aarch64.rpm python3-perf-4.19.90-2305.1.0.0199.60.uel20.aarch64.rpm kernel-tools-4.19.90-2305.1.0.0199.60.uel20.aarch64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.60.uel20.aarch64.rpm perf-4.19.90-2305.1.0.0199.60.uel20.aarch64.rpm kernel-4.19.90-2305.1.0.0199.60.uel20.aarch64.rpm kernel-btf-4.19.90-2305.1.0.0199.60.uel20.aarch64.rpm bpftool-4.19.90-2305.1.0.0199.60.uel20.aarch64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.60.uel20.x86_64.rpm python2-perf-4.19.90-2305.1.0.0199.60.uel20.x86_64.rpm python3-perf-4.19.90-2305.1.0.0199.60.uel20.x86_64.rpm kernel-tools-4.19.90-2305.1.0.0199.60.uel20.x86_64.rpm kernel-devel-4.19.90-2305.1.0.0199.60.uel20.x86_64.rpm bpftool-4.19.90-2305.1.0.0199.60.uel20.x86_64.rpm kernel-btf-4.19.90-2305.1.0.0199.60.uel20.x86_64.rpm perf-4.19.90-2305.1.0.0199.60.uel20.x86_64.rpm kernel-4.19.90-2305.1.0.0199.60.uel20.x86_64.rpm UTSA-2024:20189 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: kernel-4.19 security update

qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.(CVE-2023-31436) Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-33203. Reason: This candidate is a reservation duplicate of CVE-2023-33203. Notes: All CVE users should reference CVE-2023-33203 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.(CVE-2023-2483) A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.(CVE-2023-2269) Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it was the duplicate of CVE-2023-31436.(CVE-2023-2248) A null pointer dereference issue was found in the sctp network protocol in net/sctp/stream_sched.c in Linux Kernel. If stream_in allocation is failed, stream_out is freed which would further be accessed. A local user could use this flaw to crash the system or potentially cause a denial of service.(CVE-2023-2177) A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege.(CVE-2023-2176) The specific flaw exists within the DPT I2O Controller driver. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel.(CVE-2023-2007) kernel-devel-4.19.90-2305.1.0.0199.56.uel20.x86_64.rpm kernel-4.19.90-2305.1.0.0199.56.uel20.x86_64.rpm bpftool-4.19.90-2305.1.0.0199.56.uel20.x86_64.rpm kernel-btf-4.19.90-2305.1.0.0199.56.uel20.x86_64.rpm perf-4.19.90-2305.1.0.0199.56.uel20.x86_64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.56.uel20.x86_64.rpm python3-perf-4.19.90-2305.1.0.0199.56.uel20.x86_64.rpm kernel-tools-4.19.90-2305.1.0.0199.56.uel20.x86_64.rpm python2-perf-4.19.90-2305.1.0.0199.56.uel20.x86_64.rpm kernel-devel-4.19.90-2305.1.0.0199.56.uel20.aarch64.rpm kernel-tools-devel-4.19.90-2305.1.0.0199.56.uel20.aarch64.rpm python3-perf-4.19.90-2305.1.0.0199.56.uel20.aarch64.rpm kernel-tools-4.19.90-2305.1.0.0199.56.uel20.aarch64.rpm kernel-4.19.90-2305.1.0.0199.56.uel20.aarch64.rpm perf-4.19.90-2305.1.0.0199.56.uel20.aarch64.rpm bpftool-4.19.90-2305.1.0.0199.56.uel20.aarch64.rpm kernel-btf-4.19.90-2305.1.0.0199.56.uel20.aarch64.rpm python2-perf-4.19.90-2305.1.0.0199.56.uel20.aarch64.rpm UTSA-2024:20190 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: mozjs78 security update

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.(CVE-2022-25235) In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).(CVE-2021-45960) mozjs78-devel-78.4.0-3.up1.uel20.04.x86_64.rpm mozjs78-78.4.0-3.up1.uel20.04.x86_64.rpm mozjs78-help-78.4.0-3.up1.uel20.04.x86_64.rpm mozjs78-devel-78.4.0-3.up1.uel20.04.aarch64.rpm mozjs78-78.4.0-3.up1.uel20.04.aarch64.rpm mozjs78-help-78.4.0-3.up1.uel20.04.aarch64.rpm UTSA-2024:20191 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: emacs security update

In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.(CVE-2024-39331) emacs-lucid-27.1-14.uel20.x86_64.rpm emacs-nox-27.1-14.uel20.x86_64.rpm emacs-27.1-14.uel20.x86_64.rpm emacs-common-27.1-14.uel20.x86_64.rpm emacs-devel-27.1-14.uel20.x86_64.rpm emacs-help-27.1-14.uel20.noarch.rpm emacs-devel-27.1-14.uel20.aarch64.rpm emacs-nox-27.1-14.uel20.aarch64.rpm emacs-filesystem-27.1-14.uel20.noarch.rpm emacs-common-27.1-14.uel20.aarch64.rpm emacs-27.1-14.uel20.aarch64.rpm emacs-lucid-27.1-14.uel20.aarch64.rpm emacs-terminal-27.1-14.uel20.noarch.rpm UTSA-2024:20192 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: poppler security update

A flaw was found in the Poppler's Pdfinfo utility. This issue occurs when using -dests parameter with pdfinfo utility. By using certain malformed input files, an attacker could cause the utility to crash, leading to a denial of service.(CVE-2024-6239) poppler-cpp-devel-0.90.0-6.uel20.03.x86_64.rpm poppler-glib-0.90.0-6.uel20.03.x86_64.rpm poppler-cpp-0.90.0-6.uel20.03.x86_64.rpm poppler-devel-0.90.0-6.uel20.03.x86_64.rpm poppler-qt5-devel-0.90.0-6.uel20.03.x86_64.rpm poppler-glib-devel-0.90.0-6.uel20.03.x86_64.rpm poppler-utils-0.90.0-6.uel20.03.x86_64.rpm poppler-qt5-0.90.0-6.uel20.03.x86_64.rpm poppler-0.90.0-6.uel20.03.x86_64.rpm poppler-0.90.0-6.uel20.03.aarch64.rpm poppler-glib-devel-0.90.0-6.uel20.03.aarch64.rpm poppler-glib-doc-0.90.0-6.uel20.03.noarch.rpm poppler-qt5-devel-0.90.0-6.uel20.03.aarch64.rpm poppler-cpp-0.90.0-6.uel20.03.aarch64.rpm poppler-glib-0.90.0-6.uel20.03.aarch64.rpm poppler-qt5-0.90.0-6.uel20.03.aarch64.rpm poppler-help-0.90.0-6.uel20.03.noarch.rpm poppler-devel-0.90.0-6.uel20.03.aarch64.rpm poppler-cpp-devel-0.90.0-6.uel20.03.aarch64.rpm poppler-utils-0.90.0-6.uel20.03.aarch64.rpm UTSA-2024:20193 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: edk2 security update

EDK2 contains a vulnerability when S3 sleep is activated where an Attacker may cause a Division-By-Zero due to a UNIT32 overflow via local access. A successful exploit of this vulnerability may lead to a loss of Availability.(CVE-2024-1298) edk2-devel-202002-22.uel20.05.aarch64.rpm edk2-aarch64-202002-22.uel20.05.noarch.rpm edk2-ovmf-202002-22.uel20.05.noarch.rpm edk2-devel-202002-22.uel20.05.x86_64.rpm python3-edk2-devel-202002-22.uel20.05.noarch.rpm edk2-help-202002-22.uel20.05.noarch.rpm UTSA-2024:20194 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: openssl security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2024-4741) openssl-1.1.1k-9.uel20.22.03.x86_64.rpm openssl-libs-1.1.1k-9.uel20.22.03.x86_64.rpm openssl-devel-1.1.1k-9.uel20.22.03.x86_64.rpm openssl-help-1.1.1k-9.uel20.22.03.noarch.rpm openssl-devel-1.1.1k-9.uel20.22.03.aarch64.rpm openssl-libs-1.1.1k-9.uel20.22.03.aarch64.rpm openssl-1.1.1k-9.uel20.22.03.aarch64.rpm UTSA-2024:20195 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: uriparser security update

An issue was discovered in uriparser through 0.9.7. ComposeQueryEngine in UriQuery.c has an integer overflow via long keys or values, with a resultant buffer overflow.(CVE-2024-34402) An issue was discovered in uriparser through 0.9.7. ComposeQueryMallocExMm in UriQuery.c has an integer overflow via a long string.(CVE-2024-34403) uriparser-devel-0.9.6-2.uel20.x86_64.rpm uriparser-0.9.6-2.uel20.x86_64.rpm uriparser-help-0.9.6-2.uel20.noarch.rpm uriparser-devel-0.9.6-2.uel20.aarch64.rpm uriparser-0.9.6-2.uel20.aarch64.rpm UTSA-2024:20196 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libvirt security update

A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being "freed" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it.(CVE-2024-4418) libvirt-daemon-driver-interface-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-driver-network-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-driver-secret-6.2.0-25.up1.uel20.x86_64.rpm libvirt-client-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-core-6.2.0-25.up1.uel20.x86_64.rpm libvirt-libs-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-driver-nwfilter-6.2.0-25.up1.uel20.x86_64.rpm libvirt-admin-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-logical-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-rbd-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-kvm-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-disk-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-mpath-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-config-nwfilter-6.2.0-25.up1.uel20.x86_64.rpm libvirt-lock-sanlock-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-iscsi-direct-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-iscsi-6.2.0-25.up1.uel20.x86_64.rpm libvirt-wireshark-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-driver-nodedev-6.2.0-25.up1.uel20.x86_64.rpm libvirt-nss-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-6.2.0-25.up1.uel20.x86_64.rpm libvirt-bash-completion-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-qemu-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-gluster-6.2.0-25.up1.uel20.x86_64.rpm libvirt-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-driver-storage-scsi-6.2.0-25.up1.uel20.x86_64.rpm libvirt-docs-6.2.0-25.up1.uel20.x86_64.rpm libvirt-devel-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-driver-qemu-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-config-network-6.2.0-25.up1.uel20.x86_64.rpm libvirt-daemon-driver-nwfilter-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-driver-interface-6.2.0-25.up1.uel20.aarch64.rpm libvirt-libs-6.2.0-25.up1.uel20.aarch64.rpm libvirt-client-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-driver-qemu-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-driver-nodedev-6.2.0-25.up1.uel20.aarch64.rpm libvirt-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-driver-network-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-kvm-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-gluster-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-mpath-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-driver-secret-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-iscsi-direct-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-core-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-iscsi-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-rbd-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-scsi-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-config-nwfilter-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-disk-6.2.0-25.up1.uel20.aarch64.rpm libvirt-wireshark-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-driver-storage-logical-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-config-network-6.2.0-25.up1.uel20.aarch64.rpm libvirt-admin-6.2.0-25.up1.uel20.aarch64.rpm libvirt-nss-6.2.0-25.up1.uel20.aarch64.rpm libvirt-daemon-qemu-6.2.0-25.up1.uel20.aarch64.rpm libvirt-bash-completion-6.2.0-25.up1.uel20.aarch64.rpm libvirt-docs-6.2.0-25.up1.uel20.aarch64.rpm libvirt-lock-sanlock-6.2.0-25.up1.uel20.aarch64.rpm libvirt-devel-6.2.0-25.up1.uel20.aarch64.rpm UTSA-2024:20197 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: ffmpeg security update

Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavutil/imgutils.c:353:9 in image_copy_plane.(CVE-2023-51793) A null pointer dereference issue was discovered in 'FFmpeg' in decode_main_header() function of libavformat/nutdec.c file. The flaw occurs because the function lacks check of the return value of avformat_new_stream() and triggers the null pointer dereference error, causing an application to crash.(CVE-2022-3341) An issue was discovered in the FFmpeg package, where vp3_decode_frame in libavcodec/vp3.c lacks check of the return value of av_malloc() and will cause a null pointer dereference, impacting availability.(CVE-2022-3109) adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 does not check the init_get_bits return value, which is a necessary step because the second argument to init_get_bits can be crafted.(CVE-2021-38171) ffmpeg-libs-4.2.4-12.uel20.x86_64.rpm ffmpeg-4.2.4-12.uel20.x86_64.rpm ffmpeg-devel-4.2.4-12.uel20.x86_64.rpm libavdevice-4.2.4-12.uel20.x86_64.rpm ffmpeg-libs-4.2.4-12.uel20.aarch64.rpm ffmpeg-4.2.4-12.uel20.aarch64.rpm ffmpeg-devel-4.2.4-12.uel20.aarch64.rpm libavdevice-4.2.4-12.uel20.aarch64.rpm UTSA-2024:20198 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: ffmpeg security update

Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via a floating point exception (FPE) error at libavfilter/vf_minterpolate.c:1078:60 in interpolate.(CVE-2023-51798) ffmpeg-libs-4.2.4-8.uel20.x86_64.rpm ffmpeg-4.2.4-8.uel20.x86_64.rpm libavdevice-4.2.4-8.uel20.x86_64.rpm ffmpeg-devel-4.2.4-8.uel20.x86_64.rpm ffmpeg-devel-4.2.4-8.uel20.aarch64.rpm ffmpeg-libs-4.2.4-8.uel20.aarch64.rpm libavdevice-4.2.4-8.uel20.aarch64.rpm ffmpeg-4.2.4-8.uel20.aarch64.rpm UTSA-2024:20199 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rust security update

Cargo is a package manager for the rust programming language. After a package is downloaded, Cargo extracts its source code in the ~/.cargo folder on disk, making it available to the Rust projects it builds. To record when an extraction is successful, Cargo writes "ok" to the .cargo-ok file at the root of the extracted source code once it extracted all the files. It was discovered that Cargo allowed packages to contain a .cargo-ok symbolic link, which Cargo would extract. Then, when Cargo attempted to write "ok" into .cargo-ok, it would actually replace the first two bytes of the file the symlink pointed to with ok. This would allow an attacker to corrupt one file on the machine using Cargo to extract the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain. Mitigations We recommend users of alternate registries to exercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to exercise care in choosing their dependencies though, as remote code execution is allowed by design there as well.(CVE-2022-36113) Cargo is a package manager for the rust programming language. It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size (also known as a "zip bomb"), exhausting the disk space on the machine using Cargo to download the package. Note that by design Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros. The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it. Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain. We recommend users of alternate registries to excercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to excercise care in choosing their dependencies though, as the same concerns about build scripts and procedural macros apply here.(CVE-2022-36114) clippy-1.58.1-1.uel20.06.x86_64.rpm rust-help-1.58.1-1.uel20.06.x86_64.rpm rls-1.58.1-1.uel20.06.x86_64.rpm cargo-1.58.1-1.uel20.06.x86_64.rpm rustfmt-1.58.1-1.uel20.06.x86_64.rpm rust-analysis-1.58.1-1.uel20.06.x86_64.rpm rust-1.58.1-1.uel20.06.x86_64.rpm rust-std-static-1.58.1-1.uel20.06.x86_64.rpm rust-lldb-1.58.1-1.uel20.06.noarch.rpm rust-src-1.58.1-1.uel20.06.noarch.rpm rust-help-1.58.1-1.uel20.06.aarch64.rpm rust-std-static-1.58.1-1.uel20.06.aarch64.rpm rust-analysis-1.58.1-1.uel20.06.aarch64.rpm rls-1.58.1-1.uel20.06.aarch64.rpm cargo-1.58.1-1.uel20.06.aarch64.rpm rustfmt-1.58.1-1.uel20.06.aarch64.rpm rust-debugger-common-1.58.1-1.uel20.06.noarch.rpm rust-1.58.1-1.uel20.06.aarch64.rpm clippy-1.58.1-1.uel20.06.aarch64.rpm rust-gdb-1.58.1-1.uel20.06.noarch.rpm UTSA-2024:20200 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rubygem-rack security update

A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.(CVE-2022-44572) rubygem-rack-help-2.2.3.1-3.uel20.noarch.rpm rubygem-rack-2.2.3.1-3.uel20.noarch.rpm UTSA-2024:20201 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: gdk-pixbuf2 security update

In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c.(CVE-2022-48622) gdk-pixbuf2-2.40.0-5.uel20.01.x86_64.rpm gdk-pixbuf2-devel-2.40.0-5.uel20.01.x86_64.rpm gdk-pixbuf2-devel-2.40.0-5.uel20.01.aarch64.rpm gdk-pixbuf2-2.40.0-5.uel20.01.aarch64.rpm gdk-pixbuf2-help-2.40.0-5.uel20.01.noarch.rpm UTSA-2024:20202 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: gtk2 security update

A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory.(CVE-2024-6655) gtk2-help-2.24.32-11.uel20.x86_64.rpm gtk2-immodule-xim-2.24.32-11.uel20.x86_64.rpm gtk2-2.24.32-11.uel20.x86_64.rpm gtk2-devel-2.24.32-11.uel20.x86_64.rpm gtk2-help-2.24.32-11.uel20.aarch64.rpm gtk2-devel-2.24.32-11.uel20.aarch64.rpm gtk2-2.24.32-11.uel20.aarch64.rpm gtk2-immodule-xim-2.24.32-11.uel20.aarch64.rpm UTSA-2024:20203 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: gtk3 security update

A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory.(CVE-2024-6655) gtk3-devel-3.24.21-6.uel20.x86_64.rpm gtk3-help-3.24.21-6.uel20.x86_64.rpm gtk3-3.24.21-6.uel20.x86_64.rpm gtk3-immodule-xim-3.24.21-6.uel20.x86_64.rpm gtk3-devel-3.24.21-6.uel20.aarch64.rpm gtk3-help-3.24.21-6.uel20.aarch64.rpm gtk3-immodule-xim-3.24.21-6.uel20.aarch64.rpm gtk3-3.24.21-6.uel20.aarch64.rpm UTSA-2024:20204 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rapidjson security update

Tencent RapidJSON is vulnerable to privilege escalation due to an integer underflow in the `GenericReader::ParseNumber()` function of `include/rapidjson/reader.h` when parsing JSON text from a stream. An attacker needs to send the victim a crafted file which needs to be opened; this triggers the integer underflow vulnerability (when the file is parsed), leading to elevation of privilege.(CVE-2024-38517) rapidjson-help-1.1.0-12.uel20.noarch.rpm rapidjson-devel-1.1.0-12.uel20.noarch.rpm UTSA-2024:20205 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: edk2 security update

Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available.(CVE-2024-5535) edk2-devel-202002-23.uel20.06.aarch64.rpm edk2-aarch64-202002-23.uel20.06.noarch.rpm edk2-devel-202002-23.uel20.06.x86_64.rpm python3-edk2-devel-202002-23.uel20.06.noarch.rpm edk2-ovmf-202002-23.uel20.06.noarch.rpm edk2-help-202002-23.uel20.06.noarch.rpm UTSA-2024:20206 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: httpd security update

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers.   "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.(CVE-2024-39884) Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.(CVE-2024-39573) null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.(CVE-2024-38477) Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.(CVE-2024-38473) Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.(CVE-2024-38474) Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.(CVE-2024-38475) mod_proxy_html-2.4.43-25.up1.uel20.x86_64.rpm mod_ldap-2.4.43-25.up1.uel20.x86_64.rpm httpd-2.4.43-25.up1.uel20.x86_64.rpm httpd-devel-2.4.43-25.up1.uel20.x86_64.rpm mod_md-2.4.43-25.up1.uel20.x86_64.rpm mod_session-2.4.43-25.up1.uel20.x86_64.rpm mod_ssl-2.4.43-25.up1.uel20.x86_64.rpm httpd-tools-2.4.43-25.up1.uel20.x86_64.rpm httpd-2.4.43-25.up1.uel20.aarch64.rpm mod_ssl-2.4.43-25.up1.uel20.aarch64.rpm mod_proxy_html-2.4.43-25.up1.uel20.aarch64.rpm httpd-help-2.4.43-25.up1.uel20.noarch.rpm mod_ldap-2.4.43-25.up1.uel20.aarch64.rpm httpd-tools-2.4.43-25.up1.uel20.aarch64.rpm httpd-devel-2.4.43-25.up1.uel20.aarch64.rpm mod_session-2.4.43-25.up1.uel20.aarch64.rpm httpd-filesystem-2.4.43-25.up1.uel20.noarch.rpm mod_md-2.4.43-25.up1.uel20.aarch64.rpm UTSA-2024:20207 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Low

Low: cockpit security update

A flaw was found in the cockpit package. This flaw allows an authenticated user to kill any process when enabling the pam_env's user_readenv option, which leads to a denial of service (DoS) attack.(CVE-2024-6126) cockpit-ws-310.4-1.uel20.02.x86_64.rpm cockpit-bridge-310.4-1.uel20.02.x86_64.rpm cockpit-310.4-1.uel20.02.x86_64.rpm cockpit-system-310.4-1.uel20.02.noarch.rpm cockpit-ws-310.4-1.uel20.02.aarch64.rpm cockpit-bridge-310.4-1.uel20.02.aarch64.rpm cockpit-310.4-1.uel20.02.aarch64.rpm cockpit-doc-310.4-1.uel20.02.noarch.rpm UTSA-2024:20208 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: qemu security update

A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file.(CVE-2024-4467) qemu-4.1.0-85.up8.uel20.x86_64.rpm qemu-img-4.1.0-85.up8.uel20.x86_64.rpm qemu-guest-agent-4.1.0-85.up8.uel20.x86_64.rpm qemu-block-curl-4.1.0-85.up8.uel20.x86_64.rpm qemu-seabios-4.1.0-85.up8.uel20.x86_64.rpm qemu-block-ssh-4.1.0-85.up8.uel20.x86_64.rpm qemu-block-iscsi-4.1.0-85.up8.uel20.x86_64.rpm qemu-block-rbd-4.1.0-85.up8.uel20.x86_64.rpm qemu-block-curl-4.1.0-85.up8.uel20.aarch64.rpm qemu-block-ssh-4.1.0-85.up8.uel20.aarch64.rpm qemu-img-4.1.0-85.up8.uel20.aarch64.rpm qemu-4.1.0-85.up8.uel20.aarch64.rpm qemu-block-rbd-4.1.0-85.up8.uel20.aarch64.rpm qemu-block-iscsi-4.1.0-85.up8.uel20.aarch64.rpm qemu-guest-agent-4.1.0-85.up8.uel20.aarch64.rpm qemu-help-4.1.0-85.up8.uel20.noarch.rpm UTSA-2024:20209 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: openssl security update

Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available.(CVE-2024-5535) openssl-1.1.1k-9.uel20.22.04.x86_64.rpm openssl-devel-1.1.1k-9.uel20.22.04.x86_64.rpm openssl-libs-1.1.1k-9.uel20.22.04.x86_64.rpm openssl-help-1.1.1k-9.uel20.22.04.noarch.rpm openssl-libs-1.1.1k-9.uel20.22.04.aarch64.rpm openssl-1.1.1k-9.uel20.22.04.aarch64.rpm openssl-devel-1.1.1k-9.uel20.22.04.aarch64.rpm UTSA-2024:20210 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: squid security update

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to an Out-of-bounds Write error when assigning ESI variables, Squid is susceptible to a Memory Corruption error. This error can lead to a Denial of Service attack.(CVE-2024-37894) squid-4.9-21.uel20.x86_64.rpm squid-4.9-21.uel20.aarch64.rpm UTSA-2024:20211 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: rubygem-activesupport security update

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.(CVE-2022-23633) rubygem-activesupport-doc-5.2.4.4-4.uel20.noarch.rpm rubygem-activesupport-5.2.4.4-4.uel20.noarch.rpm UTSA-2024:20212 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-pip security update

urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not user the `Proxy-Authorization` header as mitigations.(CVE-2024-37891) urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body. (CVE-2023-45803) urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.(CVE-2023-43804) python3-pip-20.2.2-9.uel20.noarch.rpm python2-pip-20.2.2-9.uel20.noarch.rpm python-pip-help-20.2.2-9.uel20.noarch.rpm python-pip-wheel-20.2.2-9.uel20.noarch.rpm UTSA-2024:20213 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: deepin-image-editor security update

fix cve/bug or enhancement libimagevisualresult-devel-1.0.34-1.uel20.04.aarch64.rpm libimageviewer-1.0.34-1.uel20.04.aarch64.rpm libimageviewer-devel-1.0.34-1.uel20.04.aarch64.rpm deepin-image-editor-1.0.34-1.uel20.04.aarch64.rpm libimagevisualresult-1.0.34-1.uel20.04.aarch64.rpm libimagevisualresult-devel-1.0.34-1.uel20.04.x86_64.rpm libimageviewer-devel-1.0.34-1.uel20.04.x86_64.rpm deepin-image-editor-1.0.34-1.uel20.04.x86_64.rpm libimageviewer-1.0.34-1.uel20.04.x86_64.rpm libimagevisualresult-1.0.34-1.uel20.04.x86_64.rpm UTSA-2024:20214 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: golang security update

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.(CVE-2024-24789) golang-1.15.7-45.uel20.01.x86_64.rpm golang-help-1.15.7-45.uel20.01.noarch.rpm golang-devel-1.15.7-45.uel20.01.noarch.rpm golang-1.15.7-45.uel20.01.aarch64.rpm UTSA-2024:20215 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: wget security update

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.(CVE-2024-38428) wget-1.20.3-4.up2.uel20.x86_64.rpm wget-help-1.20.3-4.up2.uel20.x86_64.rpm wget-help-1.20.3-4.up2.uel20.aarch64.rpm wget-1.20.3-4.up2.uel20.aarch64.rpm UTSA-2024:20216 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: ntfs-3g security update

NTFS-3G before 75dcdc2 has a use-after-free in ntfs_uppercase_mbs in libntfs-3g/unistr.c. NOTE: discussion suggests that exploitation would be challenging.(CVE-2023-52890) ntfs-3g-devel-2022.5.17-3.uel20.x86_64.rpm ntfs-3g-2022.5.17-3.uel20.x86_64.rpm ntfs-3g-help-2022.5.17-3.uel20.x86_64.rpm ntfs-3g-devel-2022.5.17-3.uel20.aarch64.rpm ntfs-3g-help-2022.5.17-3.uel20.aarch64.rpm ntfs-3g-2022.5.17-3.uel20.aarch64.rpm UTSA-2024:20217 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: nano security update

A vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file. If Nano is killed while editing, a file it saves to an emergency file with the permissions of the running user provides a window of opportunity for attackers to escalate privileges through a malicious symlink.(CVE-2024-5742) nano-8.0-1.uel20.x86_64.rpm nano-8.0-1.uel20.aarch64.rpm nano-help-8.0-1.uel20.noarch.rpm UTSA-2024:20218 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: cups security update

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target. Given that cupsd is often running as root, this can result in the change of permission of any user or system files to be world writable. Given the aforementioned Ubuntu AppArmor context, on such systems this vulnerability is limited to those files modifiable by the cupsd process. In that specific case it was found to be possible to turn the configuration of the Listen argument into full control over the cupsd.conf and cups-files.conf configuration files. By later setting the User and Group arguments in cups-files.conf, and printing with a printer configured by PPD with a `FoomaticRIPCommandLine` argument, arbitrary user and group (not root) command execution could be achieved, which can further be used on Ubuntu systems to achieve full root command execution. Commit ff1f8a623e090dee8a8aadf12a6a4b25efac143d contains a patch for the issue. (CVE-2024-35235) cups-2.2.13-20.up4.uel20.x86_64.rpm cups-devel-2.2.13-20.up4.uel20.x86_64.rpm cups-libs-2.2.13-20.up4.uel20.x86_64.rpm cups-2.2.13-20.up4.uel20.aarch64.rpm cups-libs-2.2.13-20.up4.uel20.aarch64.rpm cups-help-2.2.13-20.up4.uel20.noarch.rpm cups-devel-2.2.13-20.up4.uel20.aarch64.rpm UTSA-2024:20219 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: python-lxml security update

An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.(CVE-2024-37388) python2-lxml-4.5.2-9.uel20.x86_64.rpm python3-lxml-4.5.2-9.uel20.x86_64.rpm python3-lxml-4.5.2-9.uel20.aarch64.rpm python2-lxml-4.5.2-9.uel20.aarch64.rpm python-lxml-help-4.5.2-9.uel20.noarch.rpm UTSA-2024:20220 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: php security update

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.(CVE-2024-5458) php-8.0.30-4.uel20.x86_64.rpm php-soap-8.0.30-4.uel20.x86_64.rpm php-devel-8.0.30-4.uel20.x86_64.rpm php-gd-8.0.30-4.uel20.x86_64.rpm php-bcmath-8.0.30-4.uel20.x86_64.rpm php-opcache-8.0.30-4.uel20.x86_64.rpm php-ldap-8.0.30-4.uel20.x86_64.rpm php-process-8.0.30-4.uel20.x86_64.rpm php-gmp-8.0.30-4.uel20.x86_64.rpm php-dbg-8.0.30-4.uel20.x86_64.rpm php-cli-8.0.30-4.uel20.x86_64.rpm php-pdo-8.0.30-4.uel20.x86_64.rpm php-embedded-8.0.30-4.uel20.x86_64.rpm php-fpm-8.0.30-4.uel20.x86_64.rpm php-mbstring-8.0.30-4.uel20.x86_64.rpm php-pgsql-8.0.30-4.uel20.x86_64.rpm php-odbc-8.0.30-4.uel20.x86_64.rpm php-snmp-8.0.30-4.uel20.x86_64.rpm php-dba-8.0.30-4.uel20.x86_64.rpm php-xml-8.0.30-4.uel20.x86_64.rpm php-mysqlnd-8.0.30-4.uel20.x86_64.rpm php-help-8.0.30-4.uel20.x86_64.rpm php-tidy-8.0.30-4.uel20.x86_64.rpm php-ffi-8.0.30-4.uel20.x86_64.rpm php-intl-8.0.30-4.uel20.x86_64.rpm php-sodium-8.0.30-4.uel20.x86_64.rpm php-enchant-8.0.30-4.uel20.x86_64.rpm php-common-8.0.30-4.uel20.x86_64.rpm php-fpm-8.0.30-4.uel20.aarch64.rpm php-cli-8.0.30-4.uel20.aarch64.rpm php-process-8.0.30-4.uel20.aarch64.rpm php-mysqlnd-8.0.30-4.uel20.aarch64.rpm php-intl-8.0.30-4.uel20.aarch64.rpm php-8.0.30-4.uel20.aarch64.rpm php-common-8.0.30-4.uel20.aarch64.rpm php-enchant-8.0.30-4.uel20.aarch64.rpm php-pgsql-8.0.30-4.uel20.aarch64.rpm php-ldap-8.0.30-4.uel20.aarch64.rpm php-soap-8.0.30-4.uel20.aarch64.rpm php-dba-8.0.30-4.uel20.aarch64.rpm php-xml-8.0.30-4.uel20.aarch64.rpm php-odbc-8.0.30-4.uel20.aarch64.rpm php-sodium-8.0.30-4.uel20.aarch64.rpm php-devel-8.0.30-4.uel20.aarch64.rpm php-gmp-8.0.30-4.uel20.aarch64.rpm php-mbstring-8.0.30-4.uel20.aarch64.rpm php-dbg-8.0.30-4.uel20.aarch64.rpm php-pdo-8.0.30-4.uel20.aarch64.rpm php-embedded-8.0.30-4.uel20.aarch64.rpm php-gd-8.0.30-4.uel20.aarch64.rpm php-tidy-8.0.30-4.uel20.aarch64.rpm php-opcache-8.0.30-4.uel20.aarch64.rpm php-snmp-8.0.30-4.uel20.aarch64.rpm php-help-8.0.30-4.uel20.aarch64.rpm php-bcmath-8.0.30-4.uel20.aarch64.rpm php-ffi-8.0.30-4.uel20.aarch64.rpm UTSA-2024:20221 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: python-scikit-learn security update

A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words_` attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the `stop_words_` attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer.(CVE-2024-5206) python3-scikit-learn-0.20.4-5.uel20.x86_64.rpm python3-scikit-learn-0.20.4-5.uel20.aarch64.rpm UTSA-2024:20222 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libvpx security update

There exists interger overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond(CVE-2024-5197) libvpx-devel-1.7.0-11.uel20.x86_64.rpm libvpx-1.7.0-11.uel20.x86_64.rpm libvpx-1.7.0-11.uel20.aarch64.rpm libvpx-devel-1.7.0-11.uel20.aarch64.rpm UTSA-2024:20223 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: ruby security update

Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab.(CVE-2024-35221) rubygem-io-console-0.4.6-125.uel20.x86_64.rpm rubygem-bigdecimal-1.3.4-125.uel20.x86_64.rpm rubygem-json-2.1.0-125.uel20.x86_64.rpm rubygem-psych-3.0.2-125.uel20.x86_64.rpm ruby-2.5.8-125.uel20.x86_64.rpm ruby-devel-2.5.8-125.uel20.x86_64.rpm rubygem-openssl-2.1.2-125.uel20.x86_64.rpm ruby-help-2.5.8-125.uel20.noarch.rpm rubygem-did_you_mean-1.2.0-125.uel20.noarch.rpm rubygem-net-telnet-0.1.1-125.uel20.noarch.rpm rubygem-json-2.1.0-125.uel20.aarch64.rpm rubygem-rake-12.3.0-125.uel20.noarch.rpm ruby-irb-2.5.8-125.uel20.noarch.rpm rubygem-psych-3.0.2-125.uel20.aarch64.rpm rubygem-bigdecimal-1.3.4-125.uel20.aarch64.rpm rubygem-io-console-0.4.6-125.uel20.aarch64.rpm rubygem-power_assert-1.1.1-125.uel20.noarch.rpm rubygems-devel-2.7.6-125.uel20.noarch.rpm rubygem-xmlrpc-0.3.0-125.uel20.noarch.rpm ruby-2.5.8-125.uel20.aarch64.rpm rubygem-minitest-5.10.3-125.uel20.noarch.rpm rubygem-rdoc-6.0.1.1-125.uel20.noarch.rpm ruby-devel-2.5.8-125.uel20.aarch64.rpm rubygem-openssl-2.1.2-125.uel20.aarch64.rpm rubygems-2.7.6-125.uel20.noarch.rpm rubygem-test-unit-3.2.7-125.uel20.noarch.rpm UTSA-2024:20224 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: libldb security update

MaxQueryDuration not honoured in Samba AD DC LDAP(CVE-2021-3670) A flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP message values freed by a preceding database module, resulting in a use-after-free issue. This issue is only possible when modifying certain privileged attributes, such as userAccountControl.(CVE-2022-32746) libldb-2.0.12-5.uel20.x86_64.rpm python3-ldb-2.0.12-5.uel20.x86_64.rpm python3-ldb-devel-2.0.12-5.uel20.x86_64.rpm libldb-devel-2.0.12-5.uel20.x86_64.rpm python-ldb-devel-common-2.0.12-5.uel20.x86_64.rpm libldb-2.0.12-5.uel20.aarch64.rpm python-ldb-devel-common-2.0.12-5.uel20.aarch64.rpm python3-ldb-2.0.12-5.uel20.aarch64.rpm libldb-devel-2.0.12-5.uel20.aarch64.rpm python3-ldb-devel-2.0.12-5.uel20.aarch64.rpm libldb-help-2.0.12-5.uel20.noarch.rpm UTSA-2024:20225 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: wireshark security update

Memory handling issue in editcap could cause denial of service via crafted capture file(CVE-2024-4853) Use after free issue in editcap could cause denial of service via crafted capture file(CVE-2024-4855) MONGO and ZigBee TLV dissector infinite loops in Wireshark 4.2.0 to 4.2.4, 4.0.0 to 4.0.14, and 3.6.0 to 3.6.22 allow denial of service via packet injection or crafted capture file(CVE-2024-4854) wireshark-help-3.6.14-8.uel20.x86_64.rpm wireshark-3.6.14-8.uel20.x86_64.rpm wireshark-devel-3.6.14-8.uel20.x86_64.rpm wireshark-3.6.14-8.uel20.aarch64.rpm wireshark-devel-3.6.14-8.uel20.aarch64.rpm wireshark-help-3.6.14-8.uel20.aarch64.rpm UTSA-2024:20226 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: glib2 security update

An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.(CVE-2024-34397) glib2-devel-2.68.4-6.uel20.03.aarch64.rpm glib2-2.68.4-6.uel20.03.aarch64.rpm glib2-devel-2.68.4-6.uel20.03.x86_64.rpm glib2-help-2.68.4-6.uel20.03.noarch.rpm glib2-2.68.4-6.uel20.03.x86_64.rpm UTSA-2024:20227 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: ffmpeg security update

Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the set_encoder_id function in /fftools/ffmpeg_enc.c component.(CVE-2023-50010) libavcodec/pthread_frame.c in FFmpeg before 5.1.2, as used in VLC and other products, leaves stale hwaccel state in worker threads, which allows attackers to trigger a use-after-free and execute arbitrary code in some circumstances (e.g., hardware re-initialization upon a mid-video SPS change when Direct3D11 is used).(CVE-2022-48434) libavdevice-4.2.4-17.uel20.x86_64.rpm ffmpeg-libs-4.2.4-17.uel20.x86_64.rpm ffmpeg-devel-4.2.4-17.uel20.x86_64.rpm ffmpeg-4.2.4-17.uel20.x86_64.rpm ffmpeg-libs-4.2.4-17.uel20.aarch64.rpm libavdevice-4.2.4-17.uel20.aarch64.rpm ffmpeg-devel-4.2.4-17.uel20.aarch64.rpm ffmpeg-4.2.4-17.uel20.aarch64.rpm UTSA-2024:20228 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: rubygem-actionview security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-23913) rubygem-actionview-doc-5.2.4.4-2.uel20.noarch.rpm rubygem-actionview-5.2.4.4-2.uel20.noarch.rpm UTSA-2024:20229 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 None

None: rubygem-activesupport security update

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2023-28120) rubygem-activesupport-doc-5.2.4.4-5.uel20.noarch.rpm rubygem-activesupport-5.2.4.4-5.uel20.noarch.rpm UTSA-2024:20230 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: wpa_supplicant security update

The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.(CVE-2023-52160) wpa_supplicant-help-2.6-30.up2.uel20.x86_64.rpm wpa_supplicant-2.6-30.up2.uel20.x86_64.rpm wpa_supplicant-gui-2.6-30.up2.uel20.x86_64.rpm wpa_supplicant-2.6-30.up2.uel20.aarch64.rpm wpa_supplicant-help-2.6-30.up2.uel20.aarch64.rpm wpa_supplicant-gui-2.6-30.up2.uel20.aarch64.rpm UTSA-2024:20231 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: busybox security update

A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.(CVE-2023-42363) A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.(CVE-2023-42365) A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.(CVE-2023-42366) A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.(CVE-2023-42364) busybox-petitboot-1.31.1-20.uel20.x86_64.rpm busybox-help-1.31.1-20.uel20.x86_64.rpm busybox-1.31.1-20.uel20.x86_64.rpm busybox-petitboot-1.31.1-20.uel20.aarch64.rpm busybox-1.31.1-20.uel20.aarch64.rpm busybox-help-1.31.1-20.uel20.aarch64.rpm UTSA-2024:20232 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: nasm security update

A stack-use-after-scope issue discovered in expand_mmac_params function in preproc.c in nasm before 2.15.04 allows remote attackers to cause a denial of service via crafted asm file.(CVE-2020-21686) Buffer Overflow vulnerability in scan function in stdscan.c in nasm 2.15rc0 allows remote attackers to cause a denial of service via crafted asm file.(CVE-2020-21687) Buffer Overflow vulnerability in hash_findi function in hashtbl.c in nasm 2.15rc0 allows remote attackers to cause a denial of service via crafted asm file.(CVE-2020-21685) nasm-2.15.05-1.uel20.x86_64.rpm nasm-help-2.15.05-1.uel20.noarch.rpm nasm-2.15.05-1.uel20.aarch64.rpm UTSA-2024:20233 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: ffmpeg security update

Integer overflow vulnerability in av_timecode_make_string in libavutil/timecode.c in FFmpeg version 4.3.2, allows local attackers to cause a denial of service (DoS) via crafted .mov file.(CVE-2021-28429) ffmpeg-devel-4.2.4-13.uel20.x86_64.rpm ffmpeg-libs-4.2.4-13.uel20.x86_64.rpm ffmpeg-4.2.4-13.uel20.x86_64.rpm libavdevice-4.2.4-13.uel20.x86_64.rpm ffmpeg-libs-4.2.4-13.uel20.aarch64.rpm libavdevice-4.2.4-13.uel20.aarch64.rpm ffmpeg-4.2.4-13.uel20.aarch64.rpm ffmpeg-devel-4.2.4-13.uel20.aarch64.rpm UTSA-2024:20234 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Moderate

Moderate: samba security update

An information leak vulnerability was discovered in Samba's LDAP server. Due to missing access control checks, an authenticated but unprivileged attacker could discover the names and preserved attributes of deleted objects in the LDAP store.(CVE-2018-14628) samba-winbind-krb5-locator-4.11.12-35.up1.uel20.x86_64.rpm samba-krb5-printing-4.11.12-35.up1.uel20.x86_64.rpm libwbclient-devel-4.11.12-35.up1.uel20.x86_64.rpm samba-vfs-glusterfs-4.11.12-35.up1.uel20.x86_64.rpm samba-winbind-modules-4.11.12-35.up1.uel20.x86_64.rpm samba-winbind-clients-4.11.12-35.up1.uel20.x86_64.rpm libwbclient-4.11.12-35.up1.uel20.x86_64.rpm libsmbclient-devel-4.11.12-35.up1.uel20.x86_64.rpm libsmbclient-4.11.12-35.up1.uel20.x86_64.rpm samba-dc-bind-dlz-4.11.12-35.up1.uel20.x86_64.rpm samba-libs-4.11.12-35.up1.uel20.x86_64.rpm samba-common-4.11.12-35.up1.uel20.x86_64.rpm samba-help-4.11.12-35.up1.uel20.x86_64.rpm samba-common-tools-4.11.12-35.up1.uel20.x86_64.rpm samba-devel-4.11.12-35.up1.uel20.x86_64.rpm samba-winbind-4.11.12-35.up1.uel20.x86_64.rpm samba-dc-4.11.12-35.up1.uel20.x86_64.rpm python3-samba-dc-4.11.12-35.up1.uel20.x86_64.rpm samba-client-4.11.12-35.up1.uel20.x86_64.rpm samba-4.11.12-35.up1.uel20.x86_64.rpm ctdb-4.11.12-35.up1.uel20.x86_64.rpm ctdb-tests-4.11.12-35.up1.uel20.x86_64.rpm samba-test-4.11.12-35.up1.uel20.x86_64.rpm python3-samba-4.11.12-35.up1.uel20.x86_64.rpm samba-dc-provision-4.11.12-35.up1.uel20.x86_64.rpm python3-samba-test-4.11.12-35.up1.uel20.x86_64.rpm libsmbclient-devel-4.11.12-35.up1.uel20.aarch64.rpm samba-krb5-printing-4.11.12-35.up1.uel20.aarch64.rpm samba-client-4.11.12-35.up1.uel20.aarch64.rpm python3-samba-4.11.12-35.up1.uel20.aarch64.rpm samba-winbind-modules-4.11.12-35.up1.uel20.aarch64.rpm samba-dc-bind-dlz-4.11.12-35.up1.uel20.aarch64.rpm ctdb-4.11.12-35.up1.uel20.aarch64.rpm samba-winbind-4.11.12-35.up1.uel20.aarch64.rpm samba-winbind-clients-4.11.12-35.up1.uel20.aarch64.rpm samba-devel-4.11.12-35.up1.uel20.aarch64.rpm libwbclient-4.11.12-35.up1.uel20.aarch64.rpm samba-dc-4.11.12-35.up1.uel20.aarch64.rpm ctdb-tests-4.11.12-35.up1.uel20.aarch64.rpm libwbclient-devel-4.11.12-35.up1.uel20.aarch64.rpm samba-test-4.11.12-35.up1.uel20.aarch64.rpm samba-help-4.11.12-35.up1.uel20.aarch64.rpm samba-pidl-4.11.12-35.up1.uel20.noarch.rpm samba-common-4.11.12-35.up1.uel20.aarch64.rpm samba-libs-4.11.12-35.up1.uel20.aarch64.rpm samba-dc-provision-4.11.12-35.up1.uel20.aarch64.rpm libsmbclient-4.11.12-35.up1.uel20.aarch64.rpm samba-4.11.12-35.up1.uel20.aarch64.rpm samba-common-tools-4.11.12-35.up1.uel20.aarch64.rpm samba-winbind-krb5-locator-4.11.12-35.up1.uel20.aarch64.rpm python3-samba-dc-4.11.12-35.up1.uel20.aarch64.rpm python3-samba-test-4.11.12-35.up1.uel20.aarch64.rpm UTSA-2024:20235 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: tomcat security update

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.(CVE-2020-9484) tomcat-help-9.0.10-31.up1.uel20.noarch.rpm tomcat-9.0.10-31.up1.uel20.noarch.rpm tomcat-jsvc-9.0.10-31.up1.uel20.noarch.rpm tomcat-embed-9.0.10-31.up1.uel20.noarch.rpm UTSA-2024:20236 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: python-setuptools security update

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.(CVE-2024-6345) python-setuptools-help-44.1.1-3.uel20.noarch.rpm python3-setuptools-44.1.1-3.uel20.noarch.rpm python2-setuptools-44.1.1-3.uel20.noarch.rpm python-setuptools-44.1.1-3.uel20.noarch.rpm UTSA-2024:20237 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: expat security update

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.(CVE-2024-45490) expat-devel-2.2.9-13.uel20.x86_64.rpm expat-2.2.9-13.uel20.x86_64.rpm expat-2.2.9-13.uel20.aarch64.rpm expat-devel-2.2.9-13.uel20.aarch64.rpm expat-help-2.2.9-13.uel20.noarch.rpm UTSA-2024:20238 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: xmlrpc-c security update

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.(CVE-2024-45490) An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).(CVE-2024-45491) xmlrpc-c-1.51.06-2.uel20.x86_64.rpm xmlrpc-c-devel-1.51.06-2.uel20.x86_64.rpm xmlrpc-c-1.51.06-2.uel20.aarch64.rpm xmlrpc-c-devel-1.51.06-2.uel20.aarch64.rpm xmlrpc-c-help-1.51.06-2.uel20.noarch.rpm UTSA-2024:20239 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: expat security update

An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).(CVE-2024-45491) An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).(CVE-2024-45492) expat-2.2.9-14.uel20.x86_64.rpm expat-devel-2.2.9-14.uel20.x86_64.rpm expat-2.2.9-14.uel20.aarch64.rpm expat-help-2.2.9-14.uel20.noarch.rpm expat-devel-2.2.9-14.uel20.aarch64.rpm UTSA-2024:20240 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: flatpak security update

Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app using persistent directories could access and write files outside of what it would otherwise have access to, which is an attack on integrity and confidentiality. When `persistent=subdir` is used in the application permissions (represented as `--persist=subdir` in the command-line interface), that means that an application which otherwise doesn't have access to the real user home directory will see an empty home directory with a writeable subdirectory `subdir`. Behind the scenes, this directory is actually a bind mount and the data is stored in the per-application directory as `~/.var/app/$APPID/subdir`. This allows existing apps that are not aware of the per-application directory to still work as intended without general home directory access. However, the application does have write access to the application directory `~/.var/app/$APPID` where this directory is stored. If the source directory for the `persistent`/`--persist` option is replaced by a symlink, then the next time the application is started, the bind mount will follow the symlink and mount whatever it points to into the sandbox. Partial protection against this vulnerability can be provided by patching Flatpak using the patches in commits ceec2ffc and 98f79773. However, this leaves a race condition that could be exploited by two instances of a malicious app running in parallel. Closing the race condition requires updating or patching the version of bubblewrap that is used by Flatpak to add the new `--bind-fd` option using the patch and then patching Flatpak to use it. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=bwrap` (1.15.x) or `--with-system-bubblewrap=bwrap` (1.14.x or older), or a similar option, then the version of bubblewrap that needs to be patched is a system copy that is distributed separately, typically `/usr/bin/bwrap`. This configuration is the one that is typically used in Linux distributions. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=` (1.15.x) or with `--without-system-bubblewrap` (1.14.x or older), then it is the bundled version of bubblewrap that is included with Flatpak that must be patched. This is typically installed as `/usr/libexec/flatpak-bwrap`. This configuration is the default when building from source code. For the 1.14.x stable branch, these changes are included in Flatpak 1.14.10. The bundled version of bubblewrap included in this release has been updated to 0.6.3. For the 1.15.x development branch, these changes are included in Flatpak 1.15.10. The bundled version of bubblewrap in this release is a Meson "wrap" subproject, which has been updated to 0.10.0. The 1.12.x and 1.10.x branches will not be updated for this vulnerability. Long-term support OS distributions should backport the individual changes into their versions of Flatpak and bubblewrap, or update to newer versions if their stability policy allows it. As a workaround, avoid using applications using the `persistent` (`--persist`) permission.(CVE-2024-42472) flatpak-devel-1.0.3-13.uel20.x86_64.rpm flatpak-1.0.3-13.uel20.x86_64.rpm flatpak-1.0.3-13.uel20.aarch64.rpm flatpak-help-1.0.3-13.uel20.noarch.rpm flatpak-devel-1.0.3-13.uel20.aarch64.rpm UTSA-2024:20241 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: microcode_ctl security update

Incorrect behavior order in transition between executive monitor and SMI transfer monitor (STM) in some Intel(R) Processor may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2024-24853) Mirrored regions with different values in 3rd Generation Intel(R) Xeon(R) Scalable Processors may allow a privileged user to potentially enable denial of service via local access.(CVE-2024-25939) Protection mechanism failure in some 3rd, 4th, and 5th Generation Intel(R) Xeon(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2024-24980) Improper isolation in the Intel(R) Core(TM) Ultra Processor stream cache mechanism may allow an authenticated user to potentially enable escalation of privilege via local access.(CVE-2023-42667) Improper isolation in some Intel(R) Processors stream cache mechanism may allow an authenticated user to potentially enable escalation of privilege via local access.(CVE-2023-49141) microcode_ctl-20240813-1.uel20.01.x86_64.rpm UTSA-2024:20242 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: ruby security update

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected. The REXML gem 3.3.6 or later include the patch to fix the vulnerability.(CVE-2024-43398) REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities. Users are advised to upgrade. Users unable to upgrade should avoid parsing untrusted XML strings.(CVE-2024-39908) REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.(CVE-2024-41946) REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.(CVE-2024-41123) rubygem-json-2.1.0-129.uel20.x86_64.rpm ruby-2.5.8-129.uel20.x86_64.rpm rubygem-bigdecimal-1.3.4-129.uel20.x86_64.rpm rubygem-openssl-2.1.2-129.uel20.x86_64.rpm ruby-devel-2.5.8-129.uel20.x86_64.rpm rubygem-io-console-0.4.6-129.uel20.x86_64.rpm rubygem-psych-3.0.2-129.uel20.x86_64.rpm ruby-help-2.5.8-129.uel20.noarch.rpm rubygem-power_assert-1.1.1-129.uel20.noarch.rpm rubygem-minitest-5.10.3-129.uel20.noarch.rpm rubygem-net-telnet-0.1.1-129.uel20.noarch.rpm rubygem-io-console-0.4.6-129.uel20.aarch64.rpm rubygem-rake-12.3.0-129.uel20.noarch.rpm rubygem-openssl-2.1.2-129.uel20.aarch64.rpm ruby-2.5.8-129.uel20.aarch64.rpm ruby-devel-2.5.8-129.uel20.aarch64.rpm rubygems-devel-2.7.6-129.uel20.noarch.rpm rubygems-2.7.6-129.uel20.noarch.rpm rubygem-psych-3.0.2-129.uel20.aarch64.rpm rubygem-test-unit-3.2.7-129.uel20.noarch.rpm rubygem-json-2.1.0-129.uel20.aarch64.rpm rubygem-bigdecimal-1.3.4-129.uel20.aarch64.rpm rubygem-did_you_mean-1.2.0-129.uel20.noarch.rpm ruby-irb-2.5.8-129.uel20.noarch.rpm rubygem-rdoc-6.0.1.1-129.uel20.noarch.rpm rubygem-xmlrpc-0.3.0-129.uel20.noarch.rpm UTSA-2024:20243 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: dovecot security update

Very large headers can cause resource exhaustion when parsing message. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to message-header-parser, it starts building up "full_value" buffer out of the smaller chunks. The full_value buffer has no size limit, so large headers can cause large memory usage. It doesn't matter whether it's a single long header line, or a single header split into multiple lines. This bug exists in all Dovecot versions. Incoming mails typically have some size limits set by MTA, so even largest possible header size may still fit into Dovecot's vsz_limit. So attackers probably can't DoS a victim user this way. A user could APPEND larger mails though, allowing them to DoS themselves (although maybe cause some memory issues for the backend in general). One can implement restrictions on headers on MTA component preceding Dovecot. No publicly available exploits are known.(CVE-2024-23185) Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known.(CVE-2024-23184) dovecot-2.3.15-6.uel20.x86_64.rpm dovecot-devel-2.3.15-6.uel20.x86_64.rpm dovecot-help-2.3.15-6.uel20.x86_64.rpm dovecot-help-2.3.15-6.uel20.aarch64.rpm dovecot-devel-2.3.15-6.uel20.aarch64.rpm dovecot-2.3.15-6.uel20.aarch64.rpm UTSA-2024:20244 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: webkit2gtk3 security update

Use after free in ANGLE in Google Chrome prior to 124.0.6367.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)(CVE-2024-4558) An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, Safari 17.6, iOS 17.6 and iPadOS 17.6, watchOS 10.6, tvOS 17.6, visionOS 1.3, macOS Sonoma 14.6. Processing maliciously crafted web content may lead to an unexpected process crash.(CVE-2024-40779) An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, Safari 17.6, iOS 17.6 and iPadOS 17.6, watchOS 10.6, tvOS 17.6, visionOS 1.3, macOS Sonoma 14.6. Processing maliciously crafted web content may lead to an unexpected process crash.(CVE-2024-40780) webkit2gtk3-2.22.2-13.up1.uel20.x86_64.rpm webkit2gtk3-devel-2.22.2-13.up1.uel20.x86_64.rpm webkit2gtk3-jsc-2.22.2-13.up1.uel20.x86_64.rpm webkit2gtk3-jsc-devel-2.22.2-13.up1.uel20.x86_64.rpm webkit2gtk3-devel-2.22.2-13.up1.uel20.aarch64.rpm webkit2gtk3-jsc-devel-2.22.2-13.up1.uel20.aarch64.rpm webkit2gtk3-help-2.22.2-13.up1.uel20.noarch.rpm webkit2gtk3-2.22.2-13.up1.uel20.aarch64.rpm webkit2gtk3-jsc-2.22.2-13.up1.uel20.aarch64.rpm UTSA-2024:20245 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: wireshark security update

NTLMSSP dissector crash in Wireshark 4.2.0 to 4.0.6 and 4.0.0 to 4.0.16 allows denial of service via packet injection or crafted capture file(CVE-2024-8250) wireshark-3.6.14-9.uel20.x86_64.rpm wireshark-devel-3.6.14-9.uel20.x86_64.rpm wireshark-help-3.6.14-9.uel20.x86_64.rpm wireshark-3.6.14-9.uel20.aarch64.rpm wireshark-devel-3.6.14-9.uel20.aarch64.rpm wireshark-help-3.6.14-9.uel20.aarch64.rpm UTSA-2024:20246 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libtiff security update

A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.(CVE-2024-7006) libtiff-4.3.0-24.uel20.x86_64.rpm libtiff-devel-4.3.0-24.uel20.x86_64.rpm libtiff-devel-4.3.0-24.uel20.aarch64.rpm libtiff-help-4.3.0-24.uel20.noarch.rpm libtiff-4.3.0-24.uel20.aarch64.rpm UTSA-2024:20247 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: linux-firmware security update

Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution.(CVE-2023-31315) linux-firmware-20240811-1.uel20.noarch.rpm linux-firmware-iwlwifi-20240811-1.uel20.noarch.rpm linux-firmware-ath-20240811-1.uel20.noarch.rpm linux-firmware-libertas-20240811-1.uel20.noarch.rpm linux-firmware-mediatek-20240811-1.uel20.noarch.rpm linux-firmware-netronome-20240811-1.uel20.noarch.rpm linux-firmware-ti-connectivity-20240811-1.uel20.noarch.rpm linux-firmware-cypress-20240811-1.uel20.noarch.rpm linux-firmware-mrvl-20240811-1.uel20.noarch.rpm UTSA-2024:20248 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: postgresql-13 security update

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.(CVE-2024-7348) postgresql-13-docs-13.16-1.01.uel20.x86_64.rpm postgresql-13-server-devel-13.16-1.01.uel20.x86_64.rpm postgresql-13-llvmjit-13.16-1.01.uel20.x86_64.rpm postgresql-13-contrib-13.16-1.01.uel20.x86_64.rpm postgresql-13-test-13.16-1.01.uel20.x86_64.rpm postgresql-13-13.16-1.01.uel20.x86_64.rpm postgresql-13-server-13.16-1.01.uel20.x86_64.rpm postgresql-13-private-libs-13.16-1.01.uel20.x86_64.rpm postgresql-13-pltcl-13.16-1.01.uel20.x86_64.rpm postgresql-13-plpython3-13.16-1.01.uel20.x86_64.rpm postgresql-13-private-devel-13.16-1.01.uel20.x86_64.rpm postgresql-13-plperl-13.16-1.01.uel20.x86_64.rpm postgresql-13-static-13.16-1.01.uel20.x86_64.rpm postgresql-13-contrib-13.16-1.01.uel20.aarch64.rpm postgresql-13-test-13.16-1.01.uel20.aarch64.rpm postgresql-13-pltcl-13.16-1.01.uel20.aarch64.rpm postgresql-13-plperl-13.16-1.01.uel20.aarch64.rpm postgresql-13-server-13.16-1.01.uel20.aarch64.rpm postgresql-13-llvmjit-13.16-1.01.uel20.aarch64.rpm postgresql-13-test-rpm-macros-13.16-1.01.uel20.noarch.rpm postgresql-13-13.16-1.01.uel20.aarch64.rpm postgresql-13-plpython3-13.16-1.01.uel20.aarch64.rpm postgresql-13-static-13.16-1.01.uel20.aarch64.rpm postgresql-13-private-libs-13.16-1.01.uel20.aarch64.rpm postgresql-13-server-devel-13.16-1.01.uel20.aarch64.rpm postgresql-13-docs-13.16-1.01.uel20.aarch64.rpm postgresql-13-private-devel-13.16-1.01.uel20.aarch64.rpm UTSA-2024:20249 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: wpa_supplicant security update

An issue was discovered in Ubuntu wpa_supplicant that resulted in loading of arbitrary shared objects, which allows a local unprivileged attacker to escalate privileges to the user that wpa_supplicant runs as (usually root). Membership in the netdev group or access to the dbus interface of wpa_supplicant allow an unprivileged user to specify an arbitrary path to a module to be loaded by the wpa_supplicant process; other escalation paths might exist.(CVE-2024-5290) wpa_supplicant-gui-2.6-30.up3.uel20.x86_64.rpm wpa_supplicant-help-2.6-30.up3.uel20.x86_64.rpm wpa_supplicant-2.6-30.up3.uel20.x86_64.rpm wpa_supplicant-2.6-30.up3.uel20.aarch64.rpm wpa_supplicant-help-2.6-30.up3.uel20.aarch64.rpm wpa_supplicant-gui-2.6-30.up3.uel20.aarch64.rpm UTSA-2024:20250 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: qemu security update

A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline.(CVE-2024-7409) qemu-4.1.0-86.uel20.x86_64.rpm qemu-img-4.1.0-86.uel20.x86_64.rpm qemu-block-rbd-4.1.0-86.uel20.x86_64.rpm qemu-block-ssh-4.1.0-86.uel20.x86_64.rpm qemu-seabios-4.1.0-86.uel20.x86_64.rpm qemu-guest-agent-4.1.0-86.uel20.x86_64.rpm qemu-block-curl-4.1.0-86.uel20.x86_64.rpm qemu-block-iscsi-4.1.0-86.uel20.x86_64.rpm qemu-4.1.0-86.uel20.aarch64.rpm qemu-guest-agent-4.1.0-86.uel20.aarch64.rpm qemu-img-4.1.0-86.uel20.aarch64.rpm qemu-block-curl-4.1.0-86.uel20.aarch64.rpm qemu-help-4.1.0-86.uel20.noarch.rpm qemu-block-iscsi-4.1.0-86.uel20.aarch64.rpm qemu-block-ssh-4.1.0-86.uel20.aarch64.rpm qemu-block-rbd-4.1.0-86.uel20.aarch64.rpm UTSA-2024:20251 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: bind security update

If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1.(CVE-2024-1975) Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1.(CVE-2024-1737) The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.(CVE-2023-50868) bind-chroot-9.11.21-19.uel20.x86_64.rpm bind-pkcs11-devel-9.11.21-19.uel20.x86_64.rpm bind-libs-9.11.21-19.uel20.x86_64.rpm bind-utils-9.11.21-19.uel20.x86_64.rpm bind-export-devel-9.11.21-19.uel20.x86_64.rpm bind-devel-9.11.21-19.uel20.x86_64.rpm bind-pkcs11-9.11.21-19.uel20.x86_64.rpm bind-export-libs-9.11.21-19.uel20.x86_64.rpm bind-libs-lite-9.11.21-19.uel20.x86_64.rpm bind-9.11.21-19.uel20.x86_64.rpm bind-9.11.21-19.uel20.aarch64.rpm bind-pkcs11-9.11.21-19.uel20.aarch64.rpm bind-utils-9.11.21-19.uel20.aarch64.rpm bind-libs-lite-9.11.21-19.uel20.aarch64.rpm python3-bind-9.11.21-19.uel20.noarch.rpm bind-chroot-9.11.21-19.uel20.aarch64.rpm bind-devel-9.11.21-19.uel20.aarch64.rpm bind-libs-9.11.21-19.uel20.aarch64.rpm bind-export-libs-9.11.21-19.uel20.aarch64.rpm bind-export-devel-9.11.21-19.uel20.aarch64.rpm bind-pkcs11-devel-9.11.21-19.uel20.aarch64.rpm UTSA-2024:20252 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: golang security update

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.(CVE-2024-24791) golang-1.15.7-46.uel20.01.x86_64.rpm golang-devel-1.15.7-46.uel20.01.noarch.rpm golang-1.15.7-46.uel20.01.aarch64.rpm golang-help-1.15.7-46.uel20.01.noarch.rpm UTSA-2024:20253 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: httpd security update

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.(CVE-2024-38476) mod_proxy_html-2.4.43-25.up1.uel20.x86_64.rpm mod_ldap-2.4.43-25.up1.uel20.x86_64.rpm httpd-2.4.43-25.up1.uel20.x86_64.rpm httpd-devel-2.4.43-25.up1.uel20.x86_64.rpm mod_md-2.4.43-25.up1.uel20.x86_64.rpm mod_session-2.4.43-25.up1.uel20.x86_64.rpm mod_ssl-2.4.43-25.up1.uel20.x86_64.rpm httpd-tools-2.4.43-25.up1.uel20.x86_64.rpm httpd-2.4.43-25.up1.uel20.aarch64.rpm mod_ssl-2.4.43-25.up1.uel20.aarch64.rpm mod_proxy_html-2.4.43-25.up1.uel20.aarch64.rpm httpd-help-2.4.43-25.up1.uel20.noarch.rpm mod_ldap-2.4.43-25.up1.uel20.aarch64.rpm httpd-tools-2.4.43-25.up1.uel20.aarch64.rpm httpd-devel-2.4.43-25.up1.uel20.aarch64.rpm mod_session-2.4.43-25.up1.uel20.aarch64.rpm httpd-filesystem-2.4.43-25.up1.uel20.noarch.rpm mod_md-2.4.43-25.up1.uel20.aarch64.rpm UTSA-2024:20254 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: syslinux security update

The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-by-one error by some sources.(CVE-2011-2501) Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image.(CVE-2011-2690) The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.(CVE-2011-2691) The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory.(CVE-2011-2692) Integer signedness error in the png_inflate function in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026.(CVE-2011-3045) The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure that is not properly handled, leading to a heap-based buffer overflow.(CVE-2011-3048) The png_push_read_zTXt function in pngpread.c in libpng 1.0.x before 1.0.58, 1.2.x before 1.2.48, 1.4.x before 1.4.10, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (out-of-bounds read) via a large avail_in field value in a PNG image.(CVE-2012-3425) The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read.(CVE-2015-7981) Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.(CVE-2015-8126) Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, 1.1.x and 1.2.x before 1.2.55, 1.3.x, 1.4.x before 1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8126.(CVE-2015-8472) Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read.(CVE-2015-8540) The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.(CVE-2016-10087) libpng before 1.6.32 does not properly check the length of chunks against the user limit.(CVE-2017-12652) syslinux-extlinux-6.04-14.uel20.01.x86_64.rpm syslinux-tftpboot-6.04-14.uel20.01.noarch.rpm syslinux-extlinux-nonlinux-6.04-14.uel20.01.noarch.rpm syslinux-efi64-6.04-14.uel20.01.x86_64.rpm syslinux-6.04-14.uel20.01.x86_64.rpm syslinux-devel-6.04-14.uel20.01.x86_64.rpm syslinux-perl-6.04-14.uel20.01.x86_64.rpm syslinux-nonlinux-6.04-14.uel20.01.noarch.rpm UTSA-2025:20001 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: iperf3 security update

iperf v3.17.1 was discovered to contain a segmentation violation via the iperf_exchange_parameters() function.(CVE-2024-53580) iperf3-3.18-1.uel20.x86_64.rpm iperf3-devel-3.18-1.uel20.x86_64.rpm iperf3-3.18-1.uel20.aarch64.rpm iperf3-devel-3.18-1.uel20.aarch64.rpm iperf3-help-3.18-1.uel20.noarch.rpm UTSA-2025:20002 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: libsoup security update

GNOME libsoup before 3.6.1 has an infinite loop, and memory consumption. during the reading of certain patterns of WebSocket data from clients.(CVE-2024-52532) GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. Input received over the network cannot trigger this.(CVE-2024-52531) GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header.(CVE-2024-52530) libsoup-2.71.0-4.uel20.x86_64.rpm libsoup-devel-2.71.0-4.uel20.x86_64.rpm libsoup-devel-2.71.0-4.uel20.aarch64.rpm libsoup-help-2.71.0-4.uel20.noarch.rpm libsoup-2.71.0-4.uel20.aarch64.rpm UTSA-2025:20003 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: tuned security update

A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local privilege escalation.(CVE-2024-52336) A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick the administrator. The quotes '' are usually used in TuneD logs citing raw user input, so there will always be the ' character ending the spoofed input, and the administrator can easily overlook this. This logged string is later used in logging and in the output of utilities, for example, `tuned-adm get_instances` or other third-party programs that use Tuned's D-Bus interface for such operations.(CVE-2024-52337) tuned-2.24.1-1.uel20.noarch.rpm tuned-profiles-devel-2.24.1-1.uel20.noarch.rpm tuned-help-2.24.1-1.uel20.noarch.rpm UTSA-2025:20004 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: proftpd security update

In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql.(CVE-2024-48651) proftpd-1.3.8b-3.uel20.x86_64.rpm proftpd-mysql-1.3.8b-3.uel20.x86_64.rpm proftpd-utils-1.3.8b-3.uel20.x86_64.rpm proftpd-postgresql-1.3.8b-3.uel20.x86_64.rpm proftpd-devel-1.3.8b-3.uel20.x86_64.rpm proftpd-ldap-1.3.8b-3.uel20.x86_64.rpm proftpd-sqlite-1.3.8b-3.uel20.x86_64.rpm proftpd-devel-1.3.8b-3.uel20.aarch64.rpm proftpd-utils-1.3.8b-3.uel20.aarch64.rpm proftpd-mysql-1.3.8b-3.uel20.aarch64.rpm proftpd-1.3.8b-3.uel20.aarch64.rpm proftpd-sqlite-1.3.8b-3.uel20.aarch64.rpm proftpd-ldap-1.3.8b-3.uel20.aarch64.rpm proftpd-postgresql-1.3.8b-3.uel20.aarch64.rpm UTSA-2025:20005 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: gstreamer1-plugins-good security update

GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been identified in the gst_wavparse_smpl_chunk function within gstwavparse.c. This function attempts to read 4 bytes from the data + 12 offset without checking if the size of the data buffer is sufficient. If the buffer is too small, the function reads beyond its bounds. This vulnerability may result in reading 4 bytes out of the boundaries of the data buffer. This vulnerability is fixed in 1.24.10.(CVE-2024-47777) GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been found in the parse_ds64 function within gstwavparse.c. The parse_ds64 function does not check that the buffer buf contains sufficient data before attempting to read from it, doing multiple GST_READ_UINT32_LE operations without performing boundary checks. This can lead to an OOB-read when buf is smaller than expected. This vulnerability allows reading beyond the bounds of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data. This vulnerability is fixed in 1.24.10.(CVE-2024-47775) GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been identified in the gst_avi_subtitle_parse_gab2_chunk function within gstavisubtitle.c. The function reads the name_length value directly from the input file without checking it properly. Then, the a condition, does not properly handle cases where name_length is greater than 0xFFFFFFFF - 17, causing an integer overflow. In such scenario, the function attempts to access memory beyond the buffer leading to an OOB-read. This vulnerability is fixed in 1.24.10.(CVE-2024-47774) GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been discovered in qtdemux_parse_container function within qtdemux.c. In the parent function qtdemux_parse_node, the value of length is not well checked. So, if length is big enough, it causes the pointer end to point beyond the boundaries of buffer. Subsequently, in the qtdemux_parse_container function, the while loop can trigger an OOB-read, accessing memory beyond the bounds of buf. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10.(CVE-2024-47543) GStreamer is a library for constructing graphs of media-handling components. An out-of-bounds write vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c. The vulnerability arises due to a discrepancy between the size of memory allocated to the storage array and the loop condition i * 2 < ccpair_size. Specifically, when ccpair_size is even, the allocated size in storage does not match the loop's expected bounds, resulting in an out-of-bounds write. This bug allows for the overwriting of up to 3 bytes beyond the allocated bounds of the storage array. This vulnerability is fixed in 1.24.10.(CVE-2024-47539) GStreamer is a library for constructing graphs of media-handling components. An Use-After-Free read vulnerability has been discovered affecting the processing of CodecPrivate elements in Matroska streams. In the GST_MATROSKA_ID_CODECPRIVATE case within the gst_matroska_demux_parse_stream function, a data chunk is allocated using gst_ebml_read_binary. Later, the allocated memory is freed in the gst_matroska_track_free function, by the call to g_free (track->codec_priv). Finally, the freed memory is accessed in the caps_serialize function through gst_value_serialize_buffer. The freed memory will be accessed in the gst_value_serialize_buffer function. This results in a UAF read vulnerability, as the function tries to process memory that has already been freed. This vulnerability is fixed in 1.24.10.(CVE-2024-47834) GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been discovered in gst_wavparse_adtl_chunk within gstwavparse.c. This vulnerability arises due to insufficient validation of the size parameter, which can exceed the bounds of the data buffer. As a result, an OOB read occurs in the following while loop. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10.(CVE-2024-47778) GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been discovered in gst_wavparse_cue_chunk within gstwavparse.c. The vulnerability happens due to a discrepancy between the size of the data buffer and the size value provided to the function. This mismatch causes the comparison if (size < 4 + ncues * 24) to fail in some cases, allowing the subsequent loop to access beyond the bounds of the data buffer. The root cause of this discrepancy stems from a miscalculation when clipping the chunk size based on upstream data size. This vulnerability allows reading beyond the bounds of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data. This vulnerability is fixed in 1.24.10.(CVE-2024-47776) GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been identified in `gst_gdk_pixbuf_dec_flush` within `gstgdkpixbufdec.c`. This function invokes `memcpy`, using `out_pix` as the destination address. `out_pix` is expected to point to the frame 0 from the frame structure, which is read from the input file. However, in certain situations, it can points to a NULL frame, causing the subsequent call to `memcpy` to attempt writing to the null address (0x00), leading to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.(CVE-2024-47613) GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_parse_blockgroup_or_simpleblock function within matroska-demux.c. This function does not properly check the validity of the GstBuffer *sub pointer before performing dereferences. As a result, null pointer dereferences may occur. This vulnerability is fixed in 1.24.10.(CVE-2024-47601) GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in extract_cc_from_data function within qtdemux.c. In the FOURCC_c708 case, the subtraction atom_length - 8 may result in an underflow if atom_length is less than 8. When that subtraction underflows, *cclen ends up being a large number, and then cclen is passed to g_memdup2 leading to an out-of-bounds (OOB) read. This vulnerability is fixed in 1.24.10.(CVE-2024-47546) GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10.(CVE-2024-47540) GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10.(CVE-2024-47606) GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. This function does not properly check the validity of the stream->codec_priv pointer in the following code. If stream->codec_priv is NULL, the call to GST_READ_UINT16_LE will attempt to dereference a null pointer, leading to a crash of the application. This vulnerability is fixed in 1.24.10.(CVE-2024-47602) GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been detected in the function qtdemux_parse_samples within qtdemux.c. This issue arises when the function qtdemux_parse_samples reads data beyond the boundaries of the stream->stco buffer. The following code snippet shows the call to qt_atom_parser_get_offset_unchecked, which leads to the OOB-read when parsing the provided GHSL-2024-245_crash1.mp4 file. This issue may lead to read up to 8 bytes out-of-bounds. This vulnerability is fixed in 1.24.10.(CVE-2024-47597) GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been discovered in the qtdemux_parse_svq3_stsd_data function within qtdemux.c. In the FOURCC_SMI_ case, seqh_size is read from the input file without proper validation. If seqh_size is greater than the remaining size of the data buffer, it can lead to an OOB-read in the following call to gst_buffer_fill, which internally uses memcpy. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10.(CVE-2024-47596) GStreamer is a library for constructing graphs of media-handling components. The program attempts to reallocate the memory pointed to by stream->samples to accommodate stream->n_samples + samples_count elements of type QtDemuxSample. The problem is that samples_count is read from the input file. And if this value is big enough, this can lead to an integer overflow during the addition. As a consequence, g_try_renew might allocate memory for a significantly smaller number of elements than intended. Following this, the program iterates through samples_count elements and attempts to write samples_count number of elements, potentially exceeding the actual allocated memory size and causing an OOB-write. This vulnerability is fixed in 1.24.10.(CVE-2024-47537) gstreamer1-plugins-good-1.16.2-7.uel20.x86_64.rpm gstreamer1-plugins-good-gtk-1.16.2-7.uel20.x86_64.rpm gstreamer1-plugins-good-1.16.2-7.uel20.aarch64.rpm gstreamer1-plugins-good-help-1.16.2-7.uel20.noarch.rpm gstreamer1-plugins-good-gtk-1.16.2-7.uel20.aarch64.rpm UTSA-2025:20006 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: gstreamer1-plugins-base security update

GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference has been discovered in the id3v2_read_synch_uint function, located in id3v2.c. If id3v2_read_synch_uint is called with a null work->hdr.frame_data, the pointer guint8 *data is accessed without validation, resulting in a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.(CVE-2024-47542) GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been detected in the parse_lrc function within gstsubparse.c. The parse_lrc function calls strchr() to find the character ']' in the string line. The pointer returned by this call is then passed to g_strdup(). However, if the string line does not contain the character ']', strchr() returns NULL, and a call to g_strdup(start + 1) leads to a null pointer dereference. This vulnerability is fixed in 1.24.10.(CVE-2024-47835) GStreamer is a library for constructing graphs of media-handling components. stack-buffer overflow has been detected in the gst_opus_dec_parse_header function within `gstopusdec.c'. The pos array is a stack-allocated buffer of size 64. If n_channels exceeds 64, the for loop will write beyond the boundaries of the pos array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This bug allows to overwrite the EIP address allocated in the stack. This vulnerability is fixed in 1.24.10.(CVE-2024-47607) GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been detected in the format_channel_mask function in gst-discoverer.c. The vulnerability affects the local array position, which is defined with a fixed size of 64 elements. However, the function gst_discoverer_audio_info_get_channels may return a guint channels value greater than 64. This causes the for loop to attempt access beyond the bounds of the position array, resulting in an OOB-read when an index greater than 63 is used. This vulnerability can result in reading unintended bytes from the stack. Additionally, the dereference of value->value_nick after the OOB-read can lead to further memory corruption or undefined behavior. This vulnerability is fixed in 1.24.10.(CVE-2024-47600) GStreamer is a library for constructing graphs of media-handling components. An OOB-Write has been detected in the function gst_parse_vorbis_setup_packet within vorbis_parse.c. The integer size is read from the input file without proper validation. As a result, size can exceed the fixed size of the pad->vorbis_mode_sizes array (which size is 256). When this happens, the for loop overwrites the entire pad structure with 0s and 1s, affecting adjacent memory as well. This OOB-write can overwrite up to 380 bytes of memory beyond the boundaries of the pad->vorbis_mode_sizes array. This vulnerability is fixed in 1.24.10.(CVE-2024-47615) GStreamer is a library for constructing graphs of media-handling components. An OOB-write vulnerability has been identified in the gst_ssa_parse_remove_override_codes function of the gstssaparse.c file. This function is responsible for parsing and removing SSA (SubStation Alpha) style override codes, which are enclosed in curly brackets ({}). The issue arises when a closing curly bracket "}" appears before an opening curly bracket "{" in the input string. In this case, memmove() incorrectly duplicates a substring. With each successive loop iteration, the size passed to memmove() becomes progressively larger (strlen(end+1)), leading to a write beyond the allocated memory bounds. This vulnerability is fixed in 1.24.10.(CVE-2024-47541) GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the `vorbis_handle_identification_packet` function within `gstvorbisdec.c`. The position array is a stack-allocated buffer of size 64. If vd->vi.channels exceeds 64, the for loop will write beyond the boundaries of the position array. The value written will always be `GST_AUDIO_CHANNEL_POSITION_NONE`. This vulnerability allows someone to overwrite the EIP address allocated in the stack. Additionally, this bug can overwrite the `GstAudioInfo` info structure. This vulnerability is fixed in 1.24.10.(CVE-2024-47538) gstreamer1-plugins-base-1.16.2-6.uel20.x86_64.rpm gstreamer1-plugins-base-devel-1.16.2-6.uel20.x86_64.rpm gstreamer1-plugins-base-help-1.16.2-6.uel20.noarch.rpm gstreamer1-plugins-base-1.16.2-6.uel20.aarch64.rpm gstreamer1-plugins-base-devel-1.16.2-6.uel20.aarch64.rpm UTSA-2025:20007 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: xstream security update

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.(CVE-2024-47072) xstream-1.4.20-2.uel20.noarch.rpm xstream-hibernate-1.4.20-2.uel20.noarch.rpm xstream-javadoc-1.4.20-2.uel20.noarch.rpm xstream-benchmark-1.4.20-2.uel20.noarch.rpm xstream-parent-1.4.20-2.uel20.noarch.rpm UTSA-2025:20008 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: ghostscript security update

An issue was discovered in base/gsdevice.c in Artifex Ghostscript before 10.04.0. An integer overflow when parsing the filename format string (for the output filename) results in path truncation, and possible path traversal and code execution.(CVE-2024-46953) An issue was discovered in psi/zfile.c in Artifex Ghostscript before 10.04.0. Out-of-bounds data access in filenameforall can lead to arbitrary code execution.(CVE-2024-46956) An issue was discovered in psi/zcolor.c in Artifex Ghostscript before 10.04.0. There is an out-of-bounds read when reading color in Indexed color space.(CVE-2024-46955) An issue was discovered in psi/zcolor.c in Artifex Ghostscript before 10.04.0. An unchecked Implementation pointer in Pattern color space could lead to arbitrary code execution.(CVE-2024-46951) An issue was discovered in Artifex Ghostscript before 10.03.1. contrib/opvp/gdevopvp.c allows arbitrary code execution via a custom Driver library, exploitable via a crafted PostScript document. This occurs because the Driver parameter for opvp (and oprp) devices can have an arbitrary name for a dynamic library; this library is then loaded.(CVE-2024-33871) ghostscript-9.52-20.uel20.01.x86_64.rpm ghostscript-devel-9.52-20.uel20.01.x86_64.rpm ghostscript-tools-dvipdf-9.52-20.uel20.01.x86_64.rpm ghostscript-9.52-20.uel20.01.aarch64.rpm ghostscript-devel-9.52-20.uel20.01.aarch64.rpm ghostscript-help-9.52-20.uel20.01.noarch.rpm ghostscript-tools-dvipdf-9.52-20.uel20.01.aarch64.rpm UTSA-2025:20009 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: ffmpeg security update

FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c.(CVE-2024-35368) An integer overflow in the component /libavformat/westwood_vqa.c of FFmpeg n6.1.1 allows attackers to cause a denial of service in the application via a crafted VQA file.(CVE-2024-36616) ffmpeg-libs-4.2.4-19.uel20.02.x86_64.rpm ffmpeg-4.2.4-19.uel20.02.x86_64.rpm ffmpeg-devel-4.2.4-19.uel20.02.x86_64.rpm libavdevice-4.2.4-19.uel20.02.x86_64.rpm ffmpeg-libs-4.2.4-19.uel20.02.aarch64.rpm ffmpeg-devel-4.2.4-19.uel20.02.aarch64.rpm ffmpeg-4.2.4-19.uel20.02.aarch64.rpm libavdevice-4.2.4-19.uel20.02.aarch64.rpm UTSA-2025:20010 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: ffmpeg security update

FFmpeg n6.1.1 has an Out-of-bounds Read via libavcodec/ppc/vp8dsp_altivec.c, static const vec_s8 h_subpel_filters_outer(CVE-2024-35367) FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the parse_options function of sbgdec.c within the libavformat module. When parsing certain options, the software does not adequately validate the input. This allows for negative duration values to be accepted without proper bounds checking.(CVE-2024-35366) ffmpeg-libs-4.2.4-19.uel20.01.x86_64.rpm ffmpeg-devel-4.2.4-19.uel20.01.x86_64.rpm ffmpeg-4.2.4-19.uel20.01.x86_64.rpm libavdevice-4.2.4-19.uel20.01.x86_64.rpm ffmpeg-4.2.4-19.uel20.01.aarch64.rpm ffmpeg-devel-4.2.4-19.uel20.01.aarch64.rpm ffmpeg-libs-4.2.4-19.uel20.01.aarch64.rpm libavdevice-4.2.4-19.uel20.01.aarch64.rpm UTSA-2025:20011 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: redis6 security update

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-31449) redis6-6.2.7-2.uel20.01.x86_64.rpm redis6-devel-6.2.7-2.uel20.01.x86_64.rpm redis6-6.2.7-2.uel20.01.aarch64.rpm redis6-doc-6.2.7-2.uel20.01.noarch.rpm redis6-devel-6.2.7-2.uel20.01.aarch64.rpm UTSA-2025:20012 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: microcode_ctl security update

Improper conditions check in some Intel(R) Xeon(R) processor memory controller configurations when using Intel(R) SGX may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2024-23918) Incorrect default permissions in some Intel(R) Xeon(R) processor memory controller configurations when using Intel(R) SGX may allow a privileged user to potentially enable escalation of privilege via local access.(CVE-2024-21820) ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2024-24968) ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2024-23984) Improper finite state machines (FSMs) in the hardware logic in some 4th and 5th Generation Intel(R) Xeon(R) Processors may allow an authorized user to potentially enable denial of service via local access.(CVE-2024-21853) microcode_ctl-20241112-1.uel20.01.x86_64.rpm UTSA-2025:20013 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: tomcat security update

Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.(CVE-2024-54677) Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.(CVE-2024-50379) tomcat-9.0.96-4.up1.uel20.noarch.rpm tomcat-jsvc-9.0.96-4.up1.uel20.noarch.rpm tomcat-embed-9.0.96-4.up1.uel20.noarch.rpm tomcat-help-9.0.96-4.up1.uel20.noarch.rpm UTSA-2025:20014 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: apache-mina security update

The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks. This issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4. It's also important to note that an application using MINA core library will only be affected if the IoBuffer#getObject() method is called, and this specific method is potentially called when adding a ProtocolCodecFilter instance using the ObjectSerializationCodecFactory class in the filter chain. If your application is specifically using those classes, you have to upgrade to the latest version of MINA core library. Upgrading will  not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods: /**      * Accept class names where the supplied ClassNameMatcher matches for * deserialization, unless they are otherwise rejected. * * @param classNameMatcher the matcher to use */ public void accept(ClassNameMatcher classNameMatcher) /** * Accept class names that match the supplied pattern for * deserialization, unless they are otherwise rejected. * * @param pattern standard Java regexp */ public void accept(Pattern pattern) /** * Accept the wildcard specified classes for deserialization, * unless they are otherwise rejected. * * @param patterns Wildcard file name patterns as defined by * {@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch} */ public void accept(String... patterns) By default, the decoder will reject *all* classes that will be present in the incoming data. Note: The FtpServer, SSHd and Vysper sub-project are not affected by this issue.(CVE-2024-52046) apache-mina-javadoc-2.0.27-1.uel20.noarch.rpm apache-mina-mina-http-2.0.27-1.uel20.noarch.rpm apache-mina-2.0.27-1.uel20.noarch.rpm apache-mina-mina-filter-compression-2.0.27-1.uel20.noarch.rpm apache-mina-mina-core-2.0.27-1.uel20.noarch.rpm apache-mina-mina-statemachine-2.0.27-1.uel20.noarch.rpm UTSA-2025:20015 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: pam security update

A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.(CVE-2024-10963) pam-1.4.0-12.up1.uel20.x86_64.rpm pam-devel-1.4.0-12.up1.uel20.x86_64.rpm pam-devel-1.4.0-12.up1.uel20.aarch64.rpm pam-1.4.0-12.up1.uel20.aarch64.rpm pam-help-1.4.0-12.up1.uel20.noarch.rpm UTSA-2025:20016 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: deepin-log-viewer security update

fix cve/bug or enhancement deepin-log-viewer-6.1.18-1.uel20.05.aarch64.rpm deepin-log-viewer-plugin-devel-6.1.18-1.uel20.05.aarch64.rpm deepin-log-viewer-plugin-6.1.18-1.uel20.05.aarch64.rpm deepin-log-viewer-6.1.18-1.uel20.05.x86_64.rpm deepin-log-viewer-plugin-6.1.18-1.uel20.05.x86_64.rpm deepin-log-viewer-plugin-devel-6.1.18-1.uel20.05.x86_64.rpm UTSA-2025:20017 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: efl security update

fix cve/bug or enhancement efl-devel-1.23.3-1.up2.uel20.x86_64.rpm efl-1.23.3-1.up2.uel20.x86_64.rpm efl-devel-1.23.3-1.up2.uel20.aarch64.rpm efl-1.23.3-1.up2.uel20.aarch64.rpm UTSA-2025:20018 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: dde-daemon security update

fix cve/bug or enhancement dde-daemon-5.14.122-1.uel20.12.aarch64.rpm dde-daemon-5.14.122-1.uel20.12.x86_64.rpm UTSA-2025:20019 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: socat security update

readline.sh in socat before1.8.0.2 relies on the /tmp/$USER/stderr2 file.(CVE-2024-54661) socat-1.7.3.2-8.up2.uel20.x86_64.rpm socat-1.7.3.2-8.up2.uel20.aarch64.rpm socat-help-1.7.3.2-8.up2.uel20.noarch.rpm UTSA-2025:20020 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: cups-filters security update

CUPS is a standards-based, open-source printing system, and `libppd` can be used for legacy PPD file support. The `libppd` function `ppdCreatePPDFromIPP2` does not sanitize IPP attributes when creating the PPD buffer. When used in combination with other functions such as `cfGetPrinterAttributes5`, can result in user controlled input and ultimately code execution via Foomatic. This vulnerability can be part of an exploit chain leading to remote code execution (RCE), as described in CVE-2024-47176.(CVE-2024-47175) cups-filters-1.26.1-4.uel20.04.x86_64.rpm cups-filters-devel-1.26.1-4.uel20.04.x86_64.rpm cups-filters-1.26.1-4.uel20.04.aarch64.rpm cups-filters-help-1.26.1-4.uel20.04.noarch.rpm cups-filters-devel-1.26.1-4.uel20.04.aarch64.rpm UTSA-2025:20021 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: squid security update

Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks by a trusted server against all clients using the proxy. This bug is fixed in the default build configuration of Squid version 6.10.(CVE-2024-45802) squid-4.9-23.uel20.x86_64.rpm squid-4.9-23.uel20.aarch64.rpm UTSA-2025:20022 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: undertow security update

A flaw was found in Undertow. An HTTP request header value from a previous stream may be incorrectly reused for a request associated with a subsequent stream on the same HTTP/2 connection. This issue can potentially lead to information leakage between requests.(CVE-2024-4109) undertow-javadoc-1.4.0-8.uel20.noarch.rpm undertow-1.4.0-8.uel20.noarch.rpm UTSA-2025:20023 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: redis5 security update

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-31449) redis5-5.0.14-3.uel20.x86_64.rpm redis5-devel-5.0.14-3.uel20.x86_64.rpm redis5-doc-5.0.14-3.uel20.noarch.rpm redis5-5.0.14-3.uel20.aarch64.rpm redis5-devel-5.0.14-3.uel20.aarch64.rpm UTSA-2025:20024 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: dhcp security update

If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1.(CVE-2024-1975) Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1.(CVE-2024-1737) dhcp-devel-4.4.2-9.uel20.02.x86_64.rpm dhcp-4.4.2-9.uel20.02.x86_64.rpm dhcp-help-4.4.2-9.uel20.02.noarch.rpm dhcp-4.4.2-9.uel20.02.aarch64.rpm dhcp-devel-4.4.2-9.uel20.02.aarch64.rpm UTSA-2025:20025 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: python-django security update

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.(CVE-2024-42005) An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.(CVE-2024-41991) An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.(CVE-2024-41990) An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.(CVE-2024-41989) An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.(CVE-2024-39614) An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)(CVE-2024-39330) An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.(CVE-2024-39329) An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.(CVE-2024-38875) python3-Django-2.2.27-12.uel20.noarch.rpm python-django-help-2.2.27-12.uel20.noarch.rpm UTSA-2025:20026 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: tomcat security update

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue. (CVE-2024-34750) Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue. (CVE-2024-24549) Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue. (CVE-2024-23672) Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue. (CVE-2023-46589) The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.(CVE-2023-44487) The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.(CVE-2021-43980) If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.(CVE-2022-25762) tomcat-9.0.96-1.up1.uel20.noarch.rpm tomcat-help-9.0.96-1.up1.uel20.noarch.rpm tomcat-embed-9.0.96-1.up1.uel20.noarch.rpm tomcat-jsvc-9.0.96-1.up1.uel20.noarch.rpm UTSA-2025:20027 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: motif security update

A flaw was found in libXpm. This issue occurs when parsing a file with a comment not closed; the end-of-file condition will not be detected, leading to an infinite loop and resulting in a Denial of Service in the application linked to the library.(CVE-2022-46285) A flaw was found in libXpm. When processing a file with width of 0 and a very large height, some parser functions will be called repeatedly and can lead to an infinite loop, resulting in a Denial of Service in the application linked to the library.(CVE-2022-44617) motif-devel-2.3.4-21.uel20.x86_64.rpm motif-2.3.4-21.uel20.x86_64.rpm motif-help-2.3.4-21.uel20.x86_64.rpm motif-help-2.3.4-21.uel20.aarch64.rpm motif-devel-2.3.4-21.uel20.aarch64.rpm motif-2.3.4-21.uel20.aarch64.rpm UTSA-2025:20028 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Critical

Critical: ca-certificates security update

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.(CVE-2023-37920) ca-certificates-2024.2.69_v8.0.303-80.0.uel20.noarch.rpm UTSA-2025:20029 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: krb5 security update

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.(CVE-2024-26461) Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.(CVE-2024-26458) krb5-devel-1.18.2-13.uel20.x86_64.rpm krb5-libs-1.18.2-13.uel20.x86_64.rpm krb5-server-1.18.2-13.uel20.x86_64.rpm krb5-1.18.2-13.uel20.x86_64.rpm krb5-client-1.18.2-13.uel20.x86_64.rpm krb5-devel-1.18.2-13.uel20.aarch64.rpm krb5-help-1.18.2-13.uel20.noarch.rpm krb5-server-1.18.2-13.uel20.aarch64.rpm krb5-1.18.2-13.uel20.aarch64.rpm krb5-client-1.18.2-13.uel20.aarch64.rpm krb5-libs-1.18.2-13.uel20.aarch64.rpm UTSA-2025:20030 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: xorg-x11-server security update

A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue occurs in Xvfb with a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode). If the pointer is warped from a screen 1 to a screen 0, a use-after-free issue may be triggered during shutdown or reset of the Xvfb server, allowing for possible escalation of privileges or denial of service.(CVE-2023-5574) xorg-x11-server-1.20.8-26.up13.uel20.x86_64.rpm xorg-x11-server-Xephyr-1.20.8-26.up13.uel20.x86_64.rpm xorg-x11-server-devel-1.20.8-26.up13.uel20.x86_64.rpm xorg-x11-server-1.20.8-26.up13.uel20.aarch64.rpm xorg-x11-server-help-1.20.8-26.up13.uel20.noarch.rpm xorg-x11-server-Xephyr-1.20.8-26.up13.uel20.aarch64.rpm xorg-x11-server-devel-1.20.8-26.up13.uel20.aarch64.rpm UTSA-2025:20031 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: ruby security update

Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.(CVE-2021-41817) rubygem-openssl-2.1.2-132.uel20.x86_64.rpm rubygem-json-2.1.0-132.uel20.x86_64.rpm ruby-devel-2.5.8-132.uel20.x86_64.rpm ruby-2.5.8-132.uel20.x86_64.rpm rubygem-io-console-0.4.6-132.uel20.x86_64.rpm rubygem-bigdecimal-1.3.4-132.uel20.x86_64.rpm rubygem-psych-3.0.2-132.uel20.x86_64.rpm rubygem-openssl-2.1.2-132.uel20.aarch64.rpm rubygem-test-unit-3.2.7-132.uel20.noarch.rpm rubygem-rake-12.3.0-132.uel20.noarch.rpm rubygem-io-console-0.4.6-132.uel20.aarch64.rpm ruby-devel-2.5.8-132.uel20.aarch64.rpm ruby-help-2.5.8-132.uel20.noarch.rpm rubygem-rdoc-6.0.1.1-132.uel20.noarch.rpm rubygem-net-telnet-0.1.1-132.uel20.noarch.rpm ruby-irb-2.5.8-132.uel20.noarch.rpm rubygems-2.7.6-132.uel20.noarch.rpm rubygem-psych-3.0.2-132.uel20.aarch64.rpm rubygem-minitest-5.10.3-132.uel20.noarch.rpm rubygem-xmlrpc-0.3.0-132.uel20.noarch.rpm rubygem-json-2.1.0-132.uel20.aarch64.rpm ruby-2.5.8-132.uel20.aarch64.rpm rubygem-bigdecimal-1.3.4-132.uel20.aarch64.rpm rubygem-did_you_mean-1.2.0-132.uel20.noarch.rpm rubygem-power_assert-1.1.1-132.uel20.noarch.rpm rubygems-devel-2.7.6-132.uel20.noarch.rpm UTSA-2025:20032 Copyright (C) 2022 UnionTech Software Technology Co., Ltd UnionTech OS Server 20 Important

Important: vorbis-tools security update

Buffer Overflow vulnerability in Vorbis-tools v.1.4.2 allows a local attacker to execute arbitrary code and cause a denial of service during the conversion of wav files to ogg files.(CVE-2023-43361) vorbis-tools-1.4.0-33.uel20.x86_64.rpm vorbis-tools-1.4.0-33.uel20.aarch64.rpm vorbis-tools-help-1.4.0-33.uel20.noarch.rpm