Ike.ninja

Add patch to bump W_MAX_BYTES to 8.

A X-Frame-Options bypass was discovered in Firefox.

Joomla 3.9.20 is now available. This is a security release for the 3.x series of Joomla which addresses 6 security vulnerabilities and contains over 25 bug fixes and improvements.

• Project: Joomla!
• SubProject: CMS
• Impact: Low
• Severity: Low
• Versions: 3.0.0-3.9.19
• Exploit type: XSS
• Reported Date: 2020-Jun-08
• Fixed Date: 2020-July-14
• CVE Number: CVE-2020-15696

Description

Lack of input filtering and escaping allows XSS attacks in mod_random_image

Affected Installs

Joomla! CMS versions 3.0.0 – 3.9.19

Solution

Upgrade to version 3.9.20

Contact

The JSST at the Joomla! Security Centre.

• Project: Joomla!
• SubProject: CMS
• Impact: Low
• Severity: Low
• Versions: 3.9.0-3.9.19
• Exploit type: CSRF
• Reported Date: 2020-May-07
• Fixed Date: 2020-July-14
• CVE Number: CVE-2020-15695

Description

A missing token check in the remove request section of com_privacy causes a CSRF vulnerability.

Affected Installs

Joomla! CMS versions 3.9.0 – 3.9.19

Solution

Upgrade to version 3.9.20

Contact

The JSST at the Joomla! Security Centre.

• Project: Joomla!
• SubProject: CMS
• Impact: Low
• Severity: Low
• Versions: 3.7.0-3.9.19
• Exploit type: CSRF
• Reported Date: 2020-May-07
• Fixed Date: 2020-July-14
• CVE Number: CVE-2020-XXXXX

Description

A missing token check in the ajax_install endpoint com_installer causes a CSRF vulnerability.

Affected Installs

Joomla! CMS versions 3.7.0 – 3.9.19

Solution

Upgrade to version 3.9.20

Contact

The JSST at the Joomla! Security Centre.

An update for thunderbird is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

Add podofo_maxbytes.patch

An update for dovecot is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

An update is now available for Red Hat OpenShift Container Platform 4.5. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

The previous update for chromium released as DSA 4714-2 contained a flaw in the service worker implementation. This problem causes the browser to crash when a connection error occurs. Updated chromium packages are now available that correct this issue.

Add podofo_maxbytes.patch

The current coronavirus pandemic has resulted in the closure of many pubs, restaurants, and brick-and-mortar retail stores. Many purchases that would previously have been made in person now take place online. In research commissioned by Visa
, 89% of Britons have shopped online since the UK’s lockdown restrictions began, with 31% buying items online for the first time during this period. This increase in online shopping activity benefits criminal groups in that: smaller businesses newly reliant on online transactions provide attackers with a stream of inadequately-defended shopping sites to exploit, and buyers are far more likely to be driven to these compromised shops or to fake shops compared to before the pandemic.

JavaScript skimmers run on compromised shopping sites. When shoppers enter their payment details, the skimmer secretly sends a copy to the attacker – potentially even if the customer does not complete the transaction. Even the most careful of users can be victims of these attacks, as they appear on compromised but otherwise well-intentioned shops with no visual indication of their presence.

Fake shops are another threat. Shoppers seeking bargains may unknowingly find themselves on a fake shop which claims to offers the products they want at a highly discounted price, but the victim will subsequently only receive counterfeit goods, no goods at all, or have the transaction aborted after entering credentials which is equivalent to a phishing attack.

Fake shops also take advantage of the pandemic by offering goods in high demand due to coronavirus, such as N95 masks. The FBI has released a Public Service Announcement about an increase in online shopping scams involving the sale of counterfeit healthcare products such as Personal Protective Equipment (PPE). To date, Netcraft has blocked over a thousand such coronavirus-themed fake shops, 80,000 other fake shops selling all sorts of counterfeit goods, and around 3,500 compromised shops hosting JavaScript skimmers.

The Netcraft browser extension and mobile apps provide protection against fake shops as well as legitimate shopping sites that have been compromised with JavaScript skimmers. When an extension or app user visits one of these dangerous shops, Netcraft will block access to the shop and alert them:

Update to 2.28.3: * Fix kinetic scrolling with async scrolling. * Fix web process hangs on large GitHub pages. * Bubblewrap sandbox should not attempt to bind empty paths. * Fix threading issues in the media player. * Fix several crashes and rendering issues. * Security fixes: CVE-2020-9802, CVE-2020-9803, CVE-2020-9805, CVE-2020-9806, CVE-2020-9807, CVE-2020-9843, CVE-2020-9850,

This update applies a proposed fix for CVE-2018-12983.