The newest upstream commit Security fixes for CVE-2022-1381, CVE-2022-1420
Archive for April, 2022
Fix CVE-2022-29536
zgrep applied to a crafted file name with two or more newlines can no longer overwrite an arbitrary, attacker-selected file. Reproducer:
$ touch foo.gz
$ echo foo | gzip > "$(printf '|\n;e touch pwned\n#.gz')"
$ zgrep foo *.gz
(the unfixed version of zgrep creates the file called pwned; the reproducer relies on GNU sed's `e` command, which runs the rest of its line as a shell command, so on a sed without `e` the same name still corrupts the sed script but does not execute anything)
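To make the failure mode above concrete, here is an added illustration written for this page; it is not gzip's zgrep source. zgrep labels each match by splicing the file name into a sed program of the form s|^|NAME:|, after an escaping step. The constructed escaper below only handles a single newline (sed's $!N appends just one following line), so a name with two or more newlines reaches the program text unescaped and its second line is parsed as a sed command. The crafted name injects a harmless p instead of GNU sed's e, so the effect shows up as duplicated output rather than a written file. The fixed escaper loops until the whole name is in the pattern space before escaping. The names one_nl and two_nl are constructed inputs.

```shell
#!/bin/sh
# Added example, not gzip's zgrep code. Shows why a file name that is
# spliced into a sed program must have every newline escaped, and how an
# escaper that joins only one following line is bypassed by two newlines.

# Vulnerable escaper (constructed to mirror the advisory): "$!N" appends
# only the next line, so the "$s" escaping commands run only when the
# name contains at most one newline. With more, the first lines are
# printed unescaped.
escape_vuln() {
  printf '%s\n' "$1" | sed '
    $!N
    $s/[&\\|]/\\&/g
    $s/\n/\\&/g
  '
}

# Fixed escaper: loop until the whole name is in the pattern space, then
# escape & | \ and turn each newline into backslash-newline, which sed
# accepts inside an s/// replacement.
escape_fixed() {
  printf '%s\n' "$1" | sed '
    :a
    $!{
      N
      ba
    }
    s/[&\\|]/\\&/g
    s/\n/\\&/g
  '
}

# Prefix each input line with "NAME:", zgrep-style. The input is a
# constructed one-line stream so the result is easy to compare.
label_vuln()  { printf 'hello\n' | sed "s|^|$(escape_vuln "$1"):|"; }
label_fixed() { printf 'hello\n' | sed "s|^|$(escape_fixed "$1"):|"; }

# Constructed names. one_nl is handled correctly by both escapers.
# two_nl follows the advisory's pattern: line 1 closes the s command
# early, line 2 becomes a new sed command (here "p", print), line 3
# starts with "#" so the trailing ":|" is commented out.
one_nl=$(printf 'a|b\nc')
two_nl=$(printf '|\np\n#.gz')

label_vuln "$one_nl"    # a|b<newline>c:hello   (one newline: escaped correctly)
label_vuln "$two_nl"    # hello<newline>hello   (injected p ran, label lost)
label_fixed "$two_nl"   # |<newline>p<newline>#.gz:hello   (name stays data)
```

The general lesson is the one the advisory points at: a file name is attacker-controlled data, and any place it is concatenated into a sed, awk or shell program text needs an escaper that is complete for every byte the program's parser treats specially, including newline. Where possible, pass the name out of band (for example via an environment variable read with awk's ENVIRON) instead of building program text from it.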
This month’s People of WordPress feature shares the story of developer and e-commerce builder Meher Bala.
RedHat: RHSA-2022-1646:01 Important: Red Hat OpenStack Platform 16.1
An update for python-twisted is now available for Red Hat OpenStack Platform 16.1 (Train). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
RedHat: RHSA-2022-1645:01 Important: Red Hat OpenStack Platform 16.2
An update for python-twisted is now available for Red Hat OpenStack Platform 16.2 (Train). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
Security fixes for CVE-2022-1227, CVE-2022-21698, CVE-2022-27191, CVE-2022-27649
Security fix for CVE-2021-28021, CVE-2021-42715, CVE-2021-42716, and CVE-2022-28041
Ubuntu 5398-1: Simple DirectMedia Layer vulnerability
SDL (Simple DirectMedia Layer) could be made to crash or run programs if it opened a specially crafted file.
Several security issues were fixed in curl.
Ubuntu 5396-1: Ghostscript vulnerability
Ghostscript could be made to crash, access files, or run programs if it opened a specially crafted file.
Ubuntu 5395-1: networkd-dispatcher vulnerabilities
Several security issues were fixed in networkd-dispatcher.
RedHat: RHSA-2022-1642:01 Important: zlib security update
An update for zlib is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability
Several security issues were fixed in Mutt.
Ubuntu 5394-1: WebKitGTK vulnerabilities
Several security issues were fixed in WebKitGTK.
nginx could be made to redirect network traffic.
Security fix for CVE-2022-28041, CVE-2022-28042, CVE-2022-28048
Rebuild for CVE-2022-27191
Ubuntu 5393-1: Thunderbird vulnerabilities
Several security issues were fixed in Thunderbird.
Several security issues were fixed in fribidi.
In the April 2022 survey we received responses from 1,160,964,134 sites across 271,960,629 unique domains and 11,974,636 web-facing computers. This reflects a loss of 8.66 million sites and 217,000 domains, but a gain of 97,400 computers.
Amongst the top ten vendors, nginx gained the largest number of domains and computers this month, maintaining its lead in both of these metrics. Its net growth of 537,000 domains has taken its total up to 73.8 million domains and increased its market share in this metric to 27.1%. Coupled with a net loss of 573,000 domains powered by Apache, this has culminated in nginx’s market share lead over Apache being extended from 3.63 percentage points to 4.04.
The number of web-facing computers running nginx grew by 80,200 (+1.78%), pushing its market share up to 38.3% while Apache’s fell to 29.0%. nginx also continues to have the largest market share of sites (31.1%), despite losing more than half a million this month.
Within the top million websites, Cloudflare made the largest gain of 3,350 sites as it continues to edge its way up towards the leaders. Apache is currently still in the lead with 229,000 sites in the top million, but lost 1,700 this month; and nginx is in second place with 218,000 sites after losing 2,250. Cloudflare now has 199,000 sites and looks set to overtake both nginx and Apache by the end of the year if it maintains this pace of growth. Amongst all websites, Cloudflare lost 38,400 sites but gained 115,000 domains.
OpenResty was the major vendor that gained most sites this month, increasing its total by 1.47 million to 93.0 million (+1.61%), and it also gained 6,890 web-facing computers.
While most of the top vendors lost active sites this month, Pepyaka made a significant gain of 1.22 million active sites (+27.6%). This server is predominantly used by the Wix web development platform, which switched from using nginx in 2018. It is currently the 8th most commonly used web server by active sites, and 11th by sites. Similarities in the version numbering since 2018 suggest Pepyaka is likely based on mainline releases of nginx.
Further down the field, GHS gained 1.08 million (+36.7%) sites and 554,000 (+35.5%) domains. GHS (Google Host Server) is one of Google’s proprietary web servers, which can be used by sites registered through Google Domains. It is also still used to redirect traffic from googlepages.com sites that were created with Google Page Creator. When this website creation service shut down in 2009, existing pages were migrated to Google Sites, which hosts user content in subdirectories under the sites.google.com hostname.
Vendor news
- Apache Tomcat 8.5.78, 9.0.62, 10.0.20 and 10.1.0-M14 (alpha) were released on 1 April 2022. Amongst other changes, all of these releases include a mitigation for a Spring Framework vulnerability (CVE-2022-22965) that could make some Tomcat servers vulnerable to remote code execution attacks.
- Tomcat Native 1.2.32 was released on 22 March 2022. This is an optional component for use with Apache Tomcat that can provide better performance and compatibility by allowing Tomcat to use certain native resources.
- njs 0.7.3 was released on 12 April 2022. This is the JavaScript-based scripting language that can be used to extend the functionality of nginx, and the latest version now allows the host environment to control how imported modules are loaded.
- OpenResty 1.21.4.1 RC3 was released on 18 April 2022. This includes some bugfixes and uses a newer version of the LuaJIT 2 compiler.
- Microsoft Azure now offers a bring your own IP address (BYOIP) feature with Custom IP Prefix that lets customers bring their own public IPv4 address ranges to Azure in all public regions. These ranges can then be associated with Azure resources, interact with private addresses and VNETs within Azure’s networks, and reach external destinations via Microsoft’s Wide Area Network.
- Cloudflare’s Magic Transit DDoS mitigation solution now offers a new mode (On Demand + Flow-based Monitoring) that integrates Kentik Protect to automatically detect attacks.
- Finally, have you noticed fewer CAPTCHAs on the web? Cloudflare has reduced the number of CAPTCHAs it serves by 91% over the past year, and now plans to stop using them altogether.
Developer | March 2022 | Percent | April 2022 | Percent | Change |
---|---|---|---|---|---|
nginx | 361,976,272 | 30.95% | 361,438,143 | 31.13% | 0.18 |
Apache | 272,919,651 | 23.33% | 268,005,916 | 23.08% | -0.25 |
OpenResty | 91,479,385 | 7.82% | 92,950,864 | 8.01% | 0.19 |
Cloudflare | 63,739,599 | 5.45% | 63,701,232 | 5.49% | 0.04 |
Debian: DSA-5125-1: chromium security update
Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.
RedHat: RHSA-2022-1628:01 Important: web-admin-build security update
Updated web-admin-build packages are now available for Red Hat Gluster Storage 3.5 Web Administration on Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
Based on extensive feedback collected across various channels, we are implementing the following updates to Jupiter within v102. Starting in 102.0.11, you’ll see a few major features arrive to Jupiter WHM that should restore or otherwise iterate on the features many of you have pointed to as core concerns. Unless otherwise noted below, these updates will arrive on the v102 tier and through EDGE, CURRENT, and RELEASE as typical builds do. Watch our
The post Jupiter Improvements in v102 first appeared on cPanel Blog.
RedHat: RHSA-2022-1420:01 Important: OpenShift Container Platform 3.11.665
Red Hat OpenShift Container Platform release 3.11.665 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
RedHat: RHSA-2022-1626:01 Low: Red Hat AMQ Broker 7.8.6 release and
Red Hat AMQ Broker 7.8.6 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from
RedHat: RHSA-2022-1619:01 Important: kpatch-patch security update
An update is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
RedHat: RHSA-2022-1627:01 Low: Red Hat AMQ Broker 7.9.4 release and
Red Hat AMQ Broker 7.9.4 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from
RedHat: RHSA-2022-1599:01 Important: convert2rhel security update
A security update for convert2rhel is now available for supported conversions of CentOS Linux 8 and Oracle Linux 8 to Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact
RedHat: RHSA-2022-1550:01 Important: kernel security and bug fix update
An update for kernel is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability