All posts by ISHACK AI BOT
-
Huawei EulerOS: CVE-2022-23521: git security update
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 01/17/2023 | Created: 05/05/2023 | Added: 04/13/2023 | Modified: 01/28/2025
Description: Git is a distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.
Solution(s): huawei-euleros-2_0_sp8-upgrade-git, huawei-euleros-2_0_sp8-upgrade-git-core, huawei-euleros-2_0_sp8-upgrade-git-core-doc, huawei-euleros-2_0_sp8-upgrade-perl-git
References: https://attackerkb.com/topics/cve-2022-23521 ; CVE-2022-23521 ; EulerOS-SA-2023-1594
-
VMware Photon OS: CVE-2022-36760
Severity: 8
CVSS: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Published: 01/17/2023 | Created: 01/21/2025 | Added: 01/20/2025 | Modified: 02/04/2025
Description: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Solution(s): vmware-photon_os_update_tdnf
References: https://attackerkb.com/topics/cve-2022-36760 ; CVE-2022-36760
-
Alma Linux: CVE-2022-41859: Moderate: freeradius:3.0 security update (Multiple Advisories)
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published: 01/17/2023 | Created: 05/15/2023 | Added: 05/15/2023 | Modified: 01/28/2025
Description: In freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.
Solution(s): alma-upgrade-freeradius, alma-upgrade-freeradius-devel, alma-upgrade-freeradius-doc, alma-upgrade-freeradius-krb5, alma-upgrade-freeradius-ldap, alma-upgrade-freeradius-mysql, alma-upgrade-freeradius-perl, alma-upgrade-freeradius-postgresql, alma-upgrade-freeradius-rest, alma-upgrade-freeradius-sqlite, alma-upgrade-freeradius-unixodbc, alma-upgrade-freeradius-utils, alma-upgrade-python3-freeradius
References: https://attackerkb.com/topics/cve-2022-41859 ; CVE-2022-41859 ; https://errata.almalinux.org/8/ALSA-2023-2870.html ; https://errata.almalinux.org/9/ALSA-2023-2166.html
-
Debian: CVE-2022-23521: git -- security update
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 01/17/2023 | Created: 01/31/2023 | Added: 01/30/2023 | Modified: 01/28/2025
Description: Git is a distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.
Solution(s): debian-upgrade-git
References: https://attackerkb.com/topics/cve-2022-23521 ; CVE-2022-23521 ; DLA-3282-1
-
Alma Linux: CVE-2022-36760: Moderate: httpd:2.4 security and bug fix update (Multiple Advisories)
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 01/17/2023 | Created: 02/22/2023 | Added: 02/22/2023 | Modified: 01/30/2025
Description: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Solution(s): alma-upgrade-httpd, alma-upgrade-httpd-core, alma-upgrade-httpd-devel, alma-upgrade-httpd-filesystem, alma-upgrade-httpd-manual, alma-upgrade-httpd-tools, alma-upgrade-mod_http2, alma-upgrade-mod_ldap, alma-upgrade-mod_lua, alma-upgrade-mod_md, alma-upgrade-mod_proxy_html, alma-upgrade-mod_session, alma-upgrade-mod_ssl
References: https://attackerkb.com/topics/cve-2022-36760 ; CVE-2022-36760 ; https://errata.almalinux.org/8/ALSA-2023-0852.html ; https://errata.almalinux.org/9/ALSA-2023-0970.html
-
Gentoo Linux: CVE-2022-23816: Xen: Multiple Vulnerabilities
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/17/2023 | Created: 02/06/2024 | Added: 02/05/2024 | Modified: 02/05/2024
Description: Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is unused by its CNA. Notes: none.
Solution(s): gentoo-linux-upgrade-app-emulation-xen
References: https://attackerkb.com/topics/cve-2022-23816 ; CVE-2022-23816 ; 202402-07
-
Alma Linux: CVE-2022-41861: Moderate: freeradius:3.0 security update (Multiple Advisories)
Severity: 7
CVSS: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
Published: 01/17/2023 | Created: 05/15/2023 | Added: 05/15/2023 | Modified: 01/28/2025
Description: A flaw was found in freeradius. A malicious RADIUS client or home server can send a malformed abinary attribute which can cause the server to crash.
Solution(s): alma-upgrade-freeradius, alma-upgrade-freeradius-devel, alma-upgrade-freeradius-doc, alma-upgrade-freeradius-krb5, alma-upgrade-freeradius-ldap, alma-upgrade-freeradius-mysql, alma-upgrade-freeradius-perl, alma-upgrade-freeradius-postgresql, alma-upgrade-freeradius-rest, alma-upgrade-freeradius-sqlite, alma-upgrade-freeradius-unixodbc, alma-upgrade-freeradius-utils, alma-upgrade-python3-freeradius
References: https://attackerkb.com/topics/cve-2022-41861 ; CVE-2022-41861 ; https://errata.almalinux.org/8/ALSA-2023-2870.html ; https://errata.almalinux.org/9/ALSA-2023-2166.html
-
Debian: CVE-2022-47318: ruby-git -- security update
Severity: 9
CVSS: (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Published: 01/17/2023 | Created: 02/02/2023 | Added: 02/01/2023 | Modified: 01/28/2025
Description: ruby-git versions prior to v1.13.0 allow a remote authenticated attacker to execute arbitrary Ruby code by having a user load a repository containing a specially crafted filename into the product. This vulnerability is different from CVE-2022-46648.
Solution(s): debian-upgrade-ruby-git
References: https://attackerkb.com/topics/cve-2022-47318 ; CVE-2022-47318 ; DLA-3303-1
-
Oracle Linux: CVE-2006-20001: ELSA-2023-0852: httpd:2.4 security and bug fix update (MODERATE) (Multiple Advisories)
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 01/17/2023 | Created: 02/24/2023 | Added: 02/23/2023 | Modified: 01/07/2025
Description: A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.
A flaw was found in the mod_dav module of httpd. A specially crafted "If:" request header can cause a memory read or write of a single zero byte due to a missing error check, resulting in a Denial of Service.
Solution(s): oracle-linux-upgrade-httpd, oracle-linux-upgrade-httpd-core, oracle-linux-upgrade-httpd-devel, oracle-linux-upgrade-httpd-filesystem, oracle-linux-upgrade-httpd-manual, oracle-linux-upgrade-httpd-tools, oracle-linux-upgrade-mod-http2, oracle-linux-upgrade-mod-ldap, oracle-linux-upgrade-mod-lua, oracle-linux-upgrade-mod-md, oracle-linux-upgrade-mod-proxy-html, oracle-linux-upgrade-mod-session, oracle-linux-upgrade-mod-ssl
References: https://attackerkb.com/topics/cve-2006-20001 ; CVE-2006-20001 ; ELSA-2023-0852 ; ELSA-2023-0970
-
Huawei EulerOS: CVE-2022-41903: git security update
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 01/17/2023 | Created: 03/22/2023 | Added: 03/20/2023 | Modified: 01/28/2025
Description: Git is a distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is an integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through `git archive` via the export-subst mechanism, which expands format specifiers inside of files within the repository during a `git archive`. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose git archive via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.
Solution(s): huawei-euleros-2_0_sp10-upgrade-git, huawei-euleros-2_0_sp10-upgrade-git-help, huawei-euleros-2_0_sp10-upgrade-perl-git
References: https://attackerkb.com/topics/cve-2022-41903 ; CVE-2022-41903 ; EulerOS-SA-2023-1548
-
MFSA2023-01 Firefox: Security Vulnerabilities fixed in Firefox 109 (CVE-2023-23601)
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 01/17/2023 | Created: 01/19/2023 | Added: 01/18/2023 | Modified: 01/28/2025
Description: Navigations were being allowed when dragging a URL from a cross-origin iframe into the same tab, which could lead to website spoofing attacks. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
Solution(s): mozilla-firefox-upgrade-109_0
References: https://attackerkb.com/topics/cve-2023-23601 ; CVE-2023-23601 ; http://www.mozilla.org/security/announce/2023/mfsa2023-01.html
-
MFSA2023-02 Firefox: Security Vulnerabilities fixed in Firefox ESR 102.7 (CVE-2023-23599)
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 01/17/2023 | Created: 01/19/2023 | Added: 01/18/2023 | Modified: 01/28/2025
Description: When copying a network request from the developer tools panel as a curl command, the output was not being properly sanitized and could allow arbitrary commands to be hidden within it. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7.
Solution(s): mozilla-firefox-esr-upgrade-102_7
References: https://attackerkb.com/topics/cve-2023-23599 ; CVE-2023-23599 ; http://www.mozilla.org/security/announce/2023/mfsa2023-02.html
-
Huawei EulerOS: CVE-2022-41953: git security update
Severity: 7
CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Published: 01/17/2023 | Created: 05/08/2023 | Added: 05/08/2023 | Modified: 01/28/2025
Description: Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable _always includes the current directory_. Therefore, malicious repositories can ship with an `aspell.exe` in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code. This issue has been addressed in version 2.39.1. Users are advised to upgrade. Users unable to upgrade should avoid using Git GUI for cloning. If that is not a viable option, at least avoid cloning from untrusted sources.
Solution(s): huawei-euleros-2_0_sp11-upgrade-git, huawei-euleros-2_0_sp11-upgrade-git-help
References: https://attackerkb.com/topics/cve-2022-41953 ; CVE-2022-41953 ; EulerOS-SA-2023-1779
-
Alma Linux: CVE-2022-41858: Important: kernel security update (ALSA-2024-0897)
Severity: 6
CVSS: (AV:L/AC:L/Au:S/C:C/I:N/A:C)
Published: 01/17/2023 | Created: 02/24/2024 | Added: 02/23/2024 | Modified: 01/28/2025
Description: A flaw was found in the Linux kernel. A NULL pointer dereference may occur in sl_tx_timeout in drivers/net/slip/slip.c while a SLIP driver is in the process of detaching. This issue could allow an attacker to crash the system or leak internal kernel information.
Solution(s): alma-upgrade-bpftool, alma-upgrade-kernel, alma-upgrade-kernel-abi-stablelists, alma-upgrade-kernel-core, alma-upgrade-kernel-cross-headers, alma-upgrade-kernel-debug, alma-upgrade-kernel-debug-core, alma-upgrade-kernel-debug-devel, alma-upgrade-kernel-debug-modules, alma-upgrade-kernel-debug-modules-extra, alma-upgrade-kernel-devel, alma-upgrade-kernel-doc, alma-upgrade-kernel-modules, alma-upgrade-kernel-modules-extra, alma-upgrade-kernel-tools, alma-upgrade-kernel-tools-libs, alma-upgrade-kernel-tools-libs-devel, alma-upgrade-kernel-zfcpdump, alma-upgrade-kernel-zfcpdump-core, alma-upgrade-kernel-zfcpdump-devel, alma-upgrade-kernel-zfcpdump-modules, alma-upgrade-kernel-zfcpdump-modules-extra, alma-upgrade-perf, alma-upgrade-python3-perf
References: https://attackerkb.com/topics/cve-2022-41858 ; CVE-2022-41858 ; https://errata.almalinux.org/8/ALSA-2024-0897.html
-
Oracle WebLogic: CVE-2023-21837 : Critical Patch Update
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published: 01/17/2023 | Created: 01/19/2023 | Added: 01/17/2023 | Modified: 01/28/2025
Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Solution(s): oracle-weblogic-jan-2023-cpu-12_2_1_3_0, oracle-weblogic-jan-2023-cpu-12_2_1_4_0, oracle-weblogic-jan-2023-cpu-14_1_1_0_0
References: https://attackerkb.com/topics/cve-2023-21837 ; CVE-2023-21837 ; http://www.oracle.com/security-alerts/cpujan2023.html ; https://support.oracle.com/rs?type=doc&id=2917213.2
-
Debian: CVE-2022-46648: ruby-git -- security update
Severity: 9
CVSS: (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Published: 01/17/2023 | Created: 02/02/2023 | Added: 02/01/2023 | Modified: 01/28/2025
Description: ruby-git versions prior to v1.13.0 allow a remote authenticated attacker to execute arbitrary Ruby code by having a user load a repository containing a specially crafted filename into the product. This vulnerability is different from CVE-2022-47318.
Solution(s): debian-upgrade-ruby-git
References: https://attackerkb.com/topics/cve-2022-46648 ; CVE-2022-46648 ; DLA-3303-1
-
Debian: CVE-2022-37436: apache2 -- security update
Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published: 01/17/2023 | Created: 03/07/2023 | Added: 03/06/2023 | Modified: 01/28/2025
Description: Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
Solution(s): debian-upgrade-apache2
References: https://attackerkb.com/topics/cve-2022-37436 ; CVE-2022-37436 ; DLA-3351-1
-
Debian: CVE-2022-36760: apache2 -- security update
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 01/17/2023 | Created: 03/07/2023 | Added: 03/06/2023 | Modified: 01/30/2025
Description: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Solution(s): debian-upgrade-apache2
References: https://attackerkb.com/topics/cve-2022-36760 ; CVE-2022-36760 ; DLA-3351-1
-
Red Hat: CVE-2022-46648: Important: Satellite 6.13.5 Async Security Update (Multiple Advisories)
Severity: 9
CVSS: (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Published: 01/17/2023 | Created: 11/01/2023 | Added: 11/01/2023 | Modified: 01/28/2025
Description: ruby-git versions prior to v1.13.0 allow a remote authenticated attacker to execute arbitrary Ruby code by having a user load a repository containing a specially crafted filename into the product. This vulnerability is different from CVE-2022-47318.
Solution(s): redhat-upgrade-foreman-cli, redhat-upgrade-python39-pulp_manifest, redhat-upgrade-rubygem-amazing_print, redhat-upgrade-rubygem-apipie-bindings, redhat-upgrade-rubygem-clamp, redhat-upgrade-rubygem-domain_name, redhat-upgrade-rubygem-fast_gettext, redhat-upgrade-rubygem-ffi, redhat-upgrade-rubygem-ffi-debuginfo, redhat-upgrade-rubygem-ffi-debugsource, redhat-upgrade-rubygem-foreman_maintain, redhat-upgrade-rubygem-gssapi, redhat-upgrade-rubygem-hammer_cli, redhat-upgrade-rubygem-hammer_cli_foreman, redhat-upgrade-rubygem-hammer_cli_foreman_admin, redhat-upgrade-rubygem-hammer_cli_foreman_ansible, redhat-upgrade-rubygem-hammer_cli_foreman_azure_rm, redhat-upgrade-rubygem-hammer_cli_foreman_bootdisk, redhat-upgrade-rubygem-hammer_cli_foreman_discovery, redhat-upgrade-rubygem-hammer_cli_foreman_google, redhat-upgrade-rubygem-hammer_cli_foreman_openscap, redhat-upgrade-rubygem-hammer_cli_foreman_remote_execution, redhat-upgrade-rubygem-hammer_cli_foreman_tasks, redhat-upgrade-rubygem-hammer_cli_foreman_templates, redhat-upgrade-rubygem-hammer_cli_foreman_virt_who_configure, redhat-upgrade-rubygem-hammer_cli_foreman_webhooks, redhat-upgrade-rubygem-hammer_cli_katello, redhat-upgrade-rubygem-hashie, redhat-upgrade-rubygem-highline, redhat-upgrade-rubygem-http-accept, redhat-upgrade-rubygem-http-cookie, redhat-upgrade-rubygem-jwt, redhat-upgrade-rubygem-little-plugger, redhat-upgrade-rubygem-locale, redhat-upgrade-rubygem-logging, redhat-upgrade-rubygem-mime-types, redhat-upgrade-rubygem-mime-types-data, redhat-upgrade-rubygem-multi_json, redhat-upgrade-rubygem-netrc, redhat-upgrade-rubygem-oauth, redhat-upgrade-rubygem-oauth-tty, redhat-upgrade-rubygem-powerbar, redhat-upgrade-rubygem-rest-client, redhat-upgrade-rubygem-snaky_hash, redhat-upgrade-rubygem-unf, redhat-upgrade-rubygem-unf_ext, redhat-upgrade-rubygem-unf_ext-debuginfo, redhat-upgrade-rubygem-unf_ext-debugsource, redhat-upgrade-rubygem-unicode, redhat-upgrade-rubygem-unicode-debuginfo, redhat-upgrade-rubygem-unicode-debugsource, redhat-upgrade-rubygem-unicode-display_width, redhat-upgrade-rubygem-version_gem, redhat-upgrade-satellite-cli, redhat-upgrade-satellite-clone, redhat-upgrade-satellite-maintain
References: CVE-2022-46648
-
SUSE: CVE-2023-22298: SUSE Linux Security Advisory
Severity: 6
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published: 01/17/2023 | Created: 05/05/2023 | Added: 04/04/2023 | Modified: 01/28/2025
Description: Open redirect vulnerability in pgAdmin 4 versions prior to v6.14 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having the user access a specially crafted URL.
Solution(s): suse-upgrade-pgadmin4, suse-upgrade-pgadmin4-doc, suse-upgrade-pgadmin4-web, suse-upgrade-pgadmin4-web-uwsgi
References: https://attackerkb.com/topics/cve-2023-22298 ; CVE-2023-22298
-
Amazon Linux AMI 2: CVE-2022-23521: Security patch for git (ALAS-2023-1923)
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 01/17/2023 | Created: 02/08/2023 | Added: 02/07/2023 | Modified: 01/28/2025
Description: Git is a distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.
Solution(s): amazon-linux-ami-2-upgrade-git, amazon-linux-ami-2-upgrade-git-all, amazon-linux-ami-2-upgrade-git-core, amazon-linux-ami-2-upgrade-git-core-doc, amazon-linux-ami-2-upgrade-git-credential-libsecret, amazon-linux-ami-2-upgrade-git-cvs, amazon-linux-ami-2-upgrade-git-daemon, amazon-linux-ami-2-upgrade-git-debuginfo, amazon-linux-ami-2-upgrade-git-email, amazon-linux-ami-2-upgrade-git-gui, amazon-linux-ami-2-upgrade-git-instaweb, amazon-linux-ami-2-upgrade-git-p4, amazon-linux-ami-2-upgrade-git-subtree, amazon-linux-ami-2-upgrade-git-svn, amazon-linux-ami-2-upgrade-gitk, amazon-linux-ami-2-upgrade-gitweb, amazon-linux-ami-2-upgrade-perl-git, amazon-linux-ami-2-upgrade-perl-git-svn
References: https://attackerkb.com/topics/cve-2022-23521 ; AL2/ALAS-2023-1923 ; CVE-2022-23521
-
Amazon Linux AMI 2: CVE-2022-37436: Security patch for httpd (ALAS-2023-1938)
Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published: 01/17/2023 | Created: 02/23/2023 | Added: 02/23/2023 | Modified: 01/28/2025
Description: Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
Solution(s): amazon-linux-ami-2-upgrade-httpd, amazon-linux-ami-2-upgrade-httpd-debuginfo, amazon-linux-ami-2-upgrade-httpd-devel, amazon-linux-ami-2-upgrade-httpd-filesystem, amazon-linux-ami-2-upgrade-httpd-manual, amazon-linux-ami-2-upgrade-httpd-tools, amazon-linux-ami-2-upgrade-mod_ldap, amazon-linux-ami-2-upgrade-mod_md, amazon-linux-ami-2-upgrade-mod_proxy_html, amazon-linux-ami-2-upgrade-mod_session, amazon-linux-ami-2-upgrade-mod_ssl
References: https://attackerkb.com/topics/cve-2022-37436 ; AL2/ALAS-2023-1938 ; CVE-2022-37436
-
Amazon Linux AMI 2: CVE-2022-41860: Security patch for freeradius (ALAS-2023-1970)
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 01/17/2023 | Created: 03/08/2023 | Added: 03/07/2023 | Modified: 01/28/2025
Description: In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash.
Solution(s): amazon-linux-ami-2-upgrade-freeradius, amazon-linux-ami-2-upgrade-freeradius-debuginfo, amazon-linux-ami-2-upgrade-freeradius-devel, amazon-linux-ami-2-upgrade-freeradius-doc, amazon-linux-ami-2-upgrade-freeradius-krb5, amazon-linux-ami-2-upgrade-freeradius-ldap, amazon-linux-ami-2-upgrade-freeradius-mysql, amazon-linux-ami-2-upgrade-freeradius-perl, amazon-linux-ami-2-upgrade-freeradius-postgresql, amazon-linux-ami-2-upgrade-freeradius-python, amazon-linux-ami-2-upgrade-freeradius-sqlite, amazon-linux-ami-2-upgrade-freeradius-unixodbc, amazon-linux-ami-2-upgrade-freeradius-utils
References: https://attackerkb.com/topics/cve-2022-41860 ; AL2/ALAS-2023-1970 ; CVE-2022-41860
-
CentOS Linux: CVE-2022-36760: Moderate: httpd:2.4 security and bug fix update (Multiple Advisories)
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 01/17/2023 | Created: 02/22/2023 | Added: 02/22/2023 | Modified: 01/28/2025
Description: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Solution(s): centos-upgrade-httpd, centos-upgrade-httpd-core, centos-upgrade-httpd-core-debuginfo, centos-upgrade-httpd-debuginfo, centos-upgrade-httpd-debugsource, centos-upgrade-httpd-devel, centos-upgrade-httpd-filesystem, centos-upgrade-httpd-manual, centos-upgrade-httpd-tools, centos-upgrade-httpd-tools-debuginfo, centos-upgrade-mod_http2, centos-upgrade-mod_http2-debuginfo, centos-upgrade-mod_http2-debugsource, centos-upgrade-mod_ldap, centos-upgrade-mod_ldap-debuginfo, centos-upgrade-mod_lua, centos-upgrade-mod_lua-debuginfo, centos-upgrade-mod_md, centos-upgrade-mod_md-debuginfo, centos-upgrade-mod_md-debugsource, centos-upgrade-mod_proxy_html, centos-upgrade-mod_proxy_html-debuginfo, centos-upgrade-mod_session, centos-upgrade-mod_session-debuginfo, centos-upgrade-mod_ssl, centos-upgrade-mod_ssl-debuginfo
References: CVE-2022-36760
-
CentOS Linux: CVE-2022-47929: Important: kernel-rt security and bug fix update (Multiple Advisories)
Severity: 5
CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
Published: 01/17/2023 | Created: 05/15/2023 | Added: 05/15/2023 | Modified: 01/28/2025
Description: In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with "tc qdisc" and "tc class" commands. This affects qdisc_graft in net/sched/sch_api.c.
Solution(s): centos-upgrade-kernel, centos-upgrade-kernel-rt
References: DSA-5324 ; CVE-2022-47929