Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Fedora
(Fedoraproject)| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-09-27 | CVE-2023-42822 | xrdp is an open source remote desktop protocol server. Access to the font glyphs in xrdp_painter.c is not bounds-checked . Since some of this data is controllable by the user, this can result in an out-of-bounds read within the xrdp executable. The vulnerability allows an out-of-bounds read within a potentially privileged process. On non-Debian platforms, xrdp tends to run as root. Potentially an out-of-bounds write can follow the out-of-bounds read. There is no denial-of-service impact,... | Fedora, Xrdp | 6.5 | ||
| 2023-09-29 | CVE-2023-43655 | Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the... | Fedora, Composer | 8.8 | ||
| 2023-10-23 | CVE-2023-31122 | Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server: through 2.4.57. | Http_server, Fedora | 7.5 | ||
| 2023-10-17 | CVE-2023-39456 | Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames.This issue affects Apache Traffic Server: from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 9.2.3, which fixes the issue. | Traffic_server, Fedora | 7.5 | ||
| 2023-10-17 | CVE-2023-41752 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server.This issue affects Apache Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 8.1.9 or 9.2.3, which fixes the issue. | Traffic_server, Fedora | 7.5 | ||
| 2023-10-17 | CVE-2023-45803 | urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in... | Fedora, Urllib3 | 4.2 | ||
| 2023-10-18 | CVE-2023-38545 | This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only. Due to this bug, the local variable that means "let the host resolve the name"... | Fedora, Libcurl, Windows_10_1809, Windows_10_21h2, Windows_10_22h2, Windows_11_21h2, Windows_11_22h2, Windows_11_23h2, Windows_server_2019, Windows_server_2022, Active_iq_unified_manager, Oncommand_insight, Oncommand_workflow_automation | 9.8 | ||
| 2023-10-31 | CVE-2023-43796 | Synapse is an open-source Matrix homeserver Prior to versions 1.95.1 and 1.96.0rc1, cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. System administrators are encouraged to upgrade to Synapse 1.95.1 or 1.96.0rc1 to receive a patch. As a workaround, the `federation_domain_whitelist` can be used to limit federation traffic with a homeserver. | Fedora, Synapse | 5.3 | ||
| 2023-12-07 | CVE-2023-46218 | This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case... | Fedora, Curl | 6.5 | ||
| 2023-12-11 | CVE-2023-6185 | Improper Input Validation vulnerability in GStreamer integration of The Document Foundation LibreOffice allows an attacker to execute arbitrary GStreamer plugins. In affected versions the filename of the embedded video is not sufficiently escaped when passed to GStreamer enabling an attacker to run arbitrary gstreamer plugins depending on what plugins are installed on the target system. | Debian_linux, Fedora, Libreoffice | 8.8 |