Update to 2.4.0 to address CVE-2022-29217. https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24
Archive for May, 2022
Update to new upstream version.
Debian: DSA-5154-1: webkit2gtk security update
The following vulnerabilities have been discovered in the WebKitGTK web engine: CVE-2022-26700
Debian: DSA-5155-1: wpewebkit security update
The following vulnerabilities have been discovered in the WPE WebKit web engine: CVE-2022-26700
This month’s People of WordPress feature shares the story of Dee Teal, based in Australia.
Several security issues were fixed in CUPS.
RedHat: RHSA-2022-4845:01 Important: zlib security update
An update for zlib is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
An InfluxDB vulnerability allowed attackers to login as any known database user.
RedHat: RHSA-2022-4807:01 Important: postgresql:12 security update
An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
WP Briefing: Episode 32: An Open Source Reading List
In the thirty-second episode of the WordPress Briefing, WordPress Executive Director Josepha Haden Chomphosy shares her open source reading list for that post-WordCamp Europe downtime. Have a question you’d like answered? You can submit it to [email protected], either written or as a voice recording. Credits: Editor: Dustin Hartzler; Logo: Beatriz Fialho; Production: Santana Inniss and Chloé Bringmann; Song: […]
Debian: DSA-5153-1: trafficserver security update
Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in HTTP request smuggling or MITM attacks.
In the May 2022 survey we received responses from 1,155,729,496 sites across 273,593,762 unique domains and 12,069,814 web-facing computers. This reflects a loss of 5.23 million sites but a gain of 1.63 million domains and 95,200 computers.
nginx gained the largest number of domains (+1.24 million) and also a hefty amount of web-facing computers (+21,500), further securing its lead in both metrics. The total number of domains powered by nginx is now 75.0 million (+1.68%) and its market share has increased to 27.4% (+0.29). In terms of web-facing computers, nginx now has a total of 4.60 million; and although its leading market share fell slightly to 38.1%, Apache’s fell slightly further, extending the gap between the two to 9.54 percentage points.
nginx also continues to lead with a 30.7% share of all sites, despite losing the largest amount this month (-6.57 million). Apache follows with a share of 23.0%, but also lost a large number of sites (-2.32 million). The largest gain in this metric was seen by Google, which added 2.96 million sites to its total and increased its market share to 4.14%. LiteSpeed made the second largest gain of 1.26 million sites, and stays slightly ahead of Google with a share of 4.35%.
Google and LiteSpeed also made the only significant gains in the active sites metric, with Google gaining 977,000 and LiteSpeed gaining 151,000. Google has a greater lead in this metric, with a market share of 9.49% versus LiteSpeed’s 4.60%.
Cloudflare is continuing to edge its way up towards the leaders in the top million websites. This month it gained an additional 1,822 sites and now accounts for more than 20% of the top million sites for the first time. Meanwhile, both Apache and nginx lost more than a thousand sites each in the top million, making it look ever more likely that Cloudflare could gain places by the end of the year. Apache, nginx and Cloudflare currently have top-million site shares of 22.8%, 21.7% and 20.0% respectively.
One surprise this month was that the largest computer growth was seen not by nginx, but by the awselb (Amazon Web Services Elastic Load Balancing) web server, which gained 26,200 computers to reach a total of 378,000. These computers are likely to form only a small fraction of the AWS infrastructure used by the 1.86 million sites that are served from these computers, as AWS ELB achieves fault tolerance and scalability by automatically distributing incoming application traffic across multiple targets, and can also spread traffic across multiple AWS Availability Zones.
Vendor news
- nginx 1.22.0 was released on 24 May 2022. This is the first release in the 1.22.x stable branch and incorporates new features and bug fixes from the 1.21.x mainline branch. Some of the notable new features include support for OpenSSL 3.0 and the PCRE2 library, as well as some security improvements such as hardening against potential request smuggling and cross-protocol attacks.
- njs 0.7.4 was also released on 24 May 2022. This version of nginx’s JavaScript-based scripting language includes several bug fixes and adds extended directives for configuring the Fetch API.
- Apache Tomcat 9.0.63, 10.0.21 and 10.1.0-M15 (alpha) were released on 16 May 2022. Tomcat 8.5.79 was later released on 23 May. Amongst other changes, all of these versions include a new error message that is shown when the Linux kernel duplicate accept bug is detected. This change follows the identification of the root cause of the bug along with the kernel version that includes the fix.
- OpenResty 1.21.4.1 was released on 18 May 2022. This web platform now uses nginx 1.21.4 mainline as its core and incorporates many other new features, including support for BoringSSL.
- On 3 May 2022, Microsoft announced the general availability of its next-generation WAF (web application firewall) engine on Azure Application Gateway. This makes use of Open Web Application Security Project (OWASP) Core Rule Set 3.2 (CRS 3.2), which is intended to provide increased coverage for web vulnerabilities, reduce false positives, and protect against specific vulnerabilities like Log4J and SpringShell.
- Microsoft has also expanded its Azure Migration and Modernization Program (AMMP) to encourage more customers to move their web applications to Azure. Azure also offers free Extended Security Updates for SQL Server 2012 and Windows Server 2012, giving more time to modernize older applications for three additional years beyond the 10 years granted by Microsoft Support.
- Cloudflare made several new features available during the month of May, including:
  - The ability for everyone to proxy DNS wildcard records. This feature was previously only available to enterprise customers.
  - Cloudflare Pages now supports direct uploads.
  - The Cloudflare R2 object storage solution has entered open beta.
  - Cloudflare D1, an SQL database based on SQLite, was also announced. A demo site that runs on Cloudflare Workers can be seen at https://northwind.d1sql.com/.
  - Cache Reserve provides a new way to persistently serve all static content from Cloudflare’s global cache.
  - Workers Analytics Engine provides a new way to get telemetry about anything that uses Cloudflare Workers.
  - Cloudflare has open sourced a Cloudflare Relay Worker that takes a generic webhook response and delivers it to Rocket Chat.
  - Cloudflare’s Ethereum and IPFS gateways are now publicly available to all Cloudflare customers.
  - Workers for Platforms, Pages Plugins, and Custom Domains for Workers were also announced.
Developer | April 2022 | Percent | May 2022 | Percent | Change |
---|---|---|---|---|---|
nginx | 361,438,143 | 31.13% | 354,871,628 | 30.71% | -0.43 |
Apache | 268,005,916 | 23.08% | 265,688,420 | 22.99% | -0.10 |
OpenResty | 92,950,864 | 8.01% | 92,848,366 | 8.03% | 0.03 |
Cloudflare | 63,701,232 | 5.49% | 64,369,545 | 5.57% | 0.08 |
A malicious source package could write files outside the unpack directory.
RedHat: RHSA-2022-4798:01 Important: maven:3.5 security update
An update for the maven:3.5 module is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.2 Extended Update Support, and Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact
RedHat: RHSA-2022-4805:01 Important: postgresql:10 security update
An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
FreeType could be made to crash if it opened a specially crafted file.
It was discovered that SPIP, a website engine for publishing, would allow a malicious user to perform cross-site scripting attacks. For the oldstable distribution (buster), this problem has been fixed
- Fixed missing popups in some scenarios on Wayland (https://bugzilla.mozilla.org/show_bug.cgi?id=1771104)
- Updated to latest upstream (100.0.2)
- Fixed crashes on Wayland during recovery from sleep.
Fedora 34: golang-github-opencontainers-runc 2022-e980dc71b1
- Update to 1.1.2. Fixes rhbz#2085287.
- Mitigate CVE-2022-29162 / GHSA-f3fp-gc8g-vw66.
Fedora 35: golang-github-opencontainers-runc 2022-91b747a0d7
- Update to 1.1.2. Fixes rhbz#2085287.
- Mitigate CVE-2022-29162 / GHSA-f3fp-gc8g-vw66.
Update to pcre2-10.40, see https://github.com/PCRE2Project/pcre2/blob/pcre2-10.40/NEWS for details.
Debian: DSA-5151-1: smarty3 security update
Several security vulnerabilities have been discovered in smarty3, the compiling PHP template engine. Template authors are able to run restricted static PHP methods or even arbitrary PHP code by crafting a malicious math string or by choosing an invalid {block} or {include} file name. If a math string was passed
Debian: DSA-5150-1: rsyslog security update
Peter Agten discovered that several modules for TCP syslog reception in rsyslog, a system and kernel logging daemon, have buffer overflow flaws when octet-counted framing is used, which could result in denial of service or potentially the execution of arbitrary code.
The 5.17.11 stable kernel update contains a number of important fixes across the tree.
Fedora 34: kernel-headers 2022-014c3a24d9
The 5.17.11 stable kernel update contains a number of important fixes across the tree.
Security fix for CVE-2022-28327
The 5.17.11 stable kernel update contains a number of important fixes across the tree.
RedHat: RHSA-2022-4772:01 Critical: thunderbird security update
An update for thunderbird is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from
RedHat: RHSA-2022-4786:01 Moderate: openvswitch2.13 security update
An update for openvswitch2.13 is now available in Fast Datapath for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
RedHat: RHSA-2022-4788:01 Moderate: openvswitch2.16 security update
An update for openvswitch2.16 is now available in Fast Datapath for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which