pkexec: argv overflow results in local privilege esc.
Comment
Archive for January, 2022
171 results.
Fedora 35: flatpak-builder 2022-7e328bd66c
Jan26
on January 26, 2022
at 7:33 pm
Posted In: Uncategorized
This is a regression fix update, reverting non-backwards-compatible behaviour changes in the solution previously chosen for [CVE-2022-21682](https://github.co m/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx)
RedHat: RHSA-2022-0288:02 Important: httpd:2.4 security update
Jan26
on January 26, 2022
at 5:20 pm
Posted In: Uncategorized
An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
RedHat: RHSA-2022-0289:04 Important: parfait:0.5 security update
Jan26
on January 26, 2022
at 5:19 pm
Posted In: Uncategorized
An update for the parfait:0.5 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
Ubuntu 5193-2: X.Org X Server vulnerabilities
Jan26
on January 26, 2022
at 2:49 pm
Posted In: Uncategorized
Several security issues were fixed in X.Org X Server.
Debian: DSA-5062-1: nss security update
Jan25
on January 25, 2022
at 10:56 pm
Posted In: Uncategorized
Tavis Ormandy discovered that incorrect parsing of pkcs7 sequences in nss, the Mozilla Network Security Service library, may result in denial of service.
Debian: DSA-5060-1: webkit2gtk security update
Jan25
on January 25, 2022
at 8:51 pm
Posted In: Uncategorized
The following vulnerabilities have been discovered in the webkit2gtk web engine: CVE-2021-30934
Debian: DSA-5058-1: openjdk-17 security update
Jan25
on January 25, 2022
at 8:50 pm
Posted In: Uncategorized
Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, bypass of deserialization restrictions or information disclosure.
Debian: DSA-5061-1: wpewebkit security update
Jan25
on January 25, 2022
at 8:03 pm
Posted In: Uncategorized
The following vulnerabilities have been discovered in the wpewebkit web engine: CVE-2021-30934
Ubuntu 5252-2: PolicyKit vulnerability
Jan25
on January 25, 2022
at 7:47 pm
Posted In: Uncategorized
policykit-1 could be made to run programs as an administrator.
Ubuntu 5252-1: PolicyKit vulnerability
Jan25
on January 25, 2022
at 7:15 pm
Posted In: Uncategorized
policykit-1 could be made to run programs as an administrator.
Debian: DSA-5059-1: policykit-1 security update
Jan25
on January 25, 2022
at 6:46 pm
Posted In: Uncategorized
The Qualys Research Labs discovered a local privilege escalation in PolicyKit’s pkexec. Details can be found in the Qualys advisory at
RedHat: RHSA-2022-0236:04 Moderate: OpenShift Container Platform 3.11.570
Jan25
on January 25, 2022
at 5:18 pm
Posted In: Uncategorized
Red Hat OpenShift Container Platform release 3.11.570 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
RedHat: RHSA-2022-0258:02 Important: httpd:2.4 security update
Jan25
on January 25, 2022
at 5:18 pm
Posted In: Uncategorized
An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.2 Extended Update Support, and Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact
WordPress 5.9 is available thanks over 600 contributors who helped make it happen.
Bug fixes and incremental optimization improvements. —- Bugfix release including fix for CVE-2021-45290 and CVE-2021-45293.
Security fix for CVE-2022-21658, a TOCTOU race condition in std::fs::remove_dir_all. Privileged programs should be rebuilt if they use this function on paths that may be manipulated with lesser privileges. For more details, see the upstream [security advisory](https://blog.rust- lang.org/2022/01/20/cve-2022-21658.html).
Debian: DSA-5057-1: openjdk-11 security update
Jan24
on January 24, 2022
at 7:32 pm
Posted In: Uncategorized
Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, bypass of deserialization restrictions or information disclosure.
Ubuntu 5250-2: strongSwan vulnerability
Jan24
on January 24, 2022
at 7:30 pm
Posted In: Uncategorized
strongSwan could crash or allow unintended access to network services.
Debian: DSA-5056-1: strongswan security update
Jan24
on January 24, 2022
at 7:13 pm
Posted In: Uncategorized
Zhuowei Zhang discovered a bug in the EAP authentication client code of strongSwan, an IKE/IPsec suite, that may allow to bypass the client and in some scenarios even the server authentication, or could lead to a denial-of-service attack.
Ubuntu 5250-1: strongSwan vulnerability
Jan24
on January 24, 2022
at 6:53 pm
Posted In: Uncategorized
strongSwan could crash or allow unintended access to network services.
RedHat: RHSA-2022-0229:02 Moderate: OpenJDK 11.0.14 security update for
Jan24
on January 24, 2022
at 5:20 pm
Posted In: Uncategorized
The Red Hat Build of OpenJDK 11 (java-11-openjdk) is now available for Windows. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
RedHat: RHSA-2022-0166:03 Moderate: OpenJDK 17.0.2 security update for
Jan24
on January 24, 2022
at 5:19 pm
Posted In: Uncategorized
The Red Hat build of OpenJDK 17 (java-17-openjdk) is now available for portable Linux. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
Debian: DSA-5055-1: util-linux security update
Jan24
on January 24, 2022
at 12:29 pm
Posted In: Uncategorized
The Qualys Research Labs discovered two vulnerabilities in util-linux’s libmount. These flaws allow an unprivileged user to unmount other users’ filesystems that are either world-writable themselves or mounted in a world-writable directory (CVE-2021-3996), or to unmount FUSE filesystems
AIDE could be made to crash or run programs as an administrator if it opened a specially crafted file.
Security fix for CVE-2021-46059, CVE-2022-0158, CVE-2022-0156 —- Security fix for CVE-2021-4136, CVE-2021-4166, CVE-2021-4173, CVE-2021-4186, CVE-2021-4192, CVE-2021-4193
Debian: DSA-5054-1: chromium security update
Jan23
on January 23, 2022
at 4:51 pm
Posted In: Uncategorized
Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.
Fix CVE-2022-23132, CVE-2022-23133, CVE-2022-23134
Fedora 35: webkit2gtk3 2022-25a98f5d55
Jan23
on January 23, 2022
at 1:59 am
Posted In: Uncategorized
Update to 2.34.4: * Fix dire [“Safari Leaks”](https://safarileaks.com/) IndexedDB privacy violation. * Make audio tools (like mixers) display the actual name of the application producing sound, instead of a generic one. * Fix several crashes and rendering issues. * Additional security fixes: CVE-2021-30887, CVE-2021-30890, CVE-2021-30934, CVE-2021-30936, CVE-2021-30951,
Fix CVE-2022-23132, CVE-2022-23133, CVE-2022-23134