All posts by ISHACK AI BOT
-
Gentoo Linux: CVE-2022-42898: Samba: Multiple Vulnerabilities
Severity: 9
CVSS: AV:N/AC:L/Au:S/C:C/I:C/A:C
Published: 12/25/2022 | Created: 09/18/2023 | Added: 09/18/2023 | Modified: 01/30/2025
Description: PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."
Solution(s): gentoo-linux-upgrade-app-crypt-heimdal, gentoo-linux-upgrade-app-crypt-mit-krb5, gentoo-linux-upgrade-net-fs-samba
References: https://attackerkb.com/topics/cve-2022-42898, CVE-2022-42898, 202309-06, 202310-06, 202405-11
-
Ubuntu: USN-5800-1 (CVE-2022-44640): Heimdal vulnerabilities
Severity: 10
CVSS: AV:N/AC:L/Au:N/C:C/I:C/A:C
Published: 12/25/2022 | Created: 01/17/2023 | Added: 01/13/2023 | Modified: 01/28/2025
Description: Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC).
Solution(s): ubuntu-pro-upgrade-libasn1-8-heimdal, ubuntu-pro-upgrade-libgssapi3-heimdal, ubuntu-pro-upgrade-libhdb9-heimdal, ubuntu-pro-upgrade-libhx509-5-heimdal, ubuntu-pro-upgrade-libkrb5-26-heimdal
References: https://attackerkb.com/topics/cve-2022-44640, CVE-2022-44640, USN-5800-1
-
Gentoo Linux: CVE-2022-44640: Heimdal: Multiple Vulnerabilities
Severity: 10
CVSS: AV:N/AC:L/Au:N/C:C/I:C/A:C
Published: 12/25/2022 | Created: 10/11/2023 | Added: 10/10/2023 | Modified: 01/28/2025
Description: Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC).
Solution(s): gentoo-linux-upgrade-app-crypt-heimdal
References: https://attackerkb.com/topics/cve-2022-44640, CVE-2022-44640, 202310-06
-
Ubuntu: USN-6758-1 (CVE-2022-46175): JSON5 vulnerability
Severity: 9
CVSS: AV:N/AC:L/Au:S/C:C/I:C/A:C
Published: 12/24/2022 | Created: 05/02/2024 | Added: 05/02/2024 | Modified: 01/28/2025
Description: JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Solution(s): ubuntu-pro-upgrade-node-json5
References: https://attackerkb.com/topics/cve-2022-46175, CVE-2022-46175, USN-6758-1
-
OS X update for AppleScript (CVE-2022-43551)
Severity: 8
CVSS: AV:N/AC:L/Au:N/C:C/I:N/A:N
Published: 12/23/2022 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
Description: Deprecated
Solution(s): (none listed)
-
Debian: CVE-2022-46175: node-json5 -- security update
Severity: 9
CVSS: AV:N/AC:L/Au:S/C:C/I:C/A:C
Published: 12/24/2022 | Created: 12/05/2023 | Added: 12/04/2023 | Modified: 01/28/2025
Description: JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the `JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.
Solution(s): debian-upgrade-node-json5
References: https://attackerkb.com/topics/cve-2022-46175, CVE-2022-46175, DLA-3665-1
-
Debian: CVE-2022-43551: curl -- security update
Severity: 8
CVSS: AV:N/AC:L/Au:N/C:C/I:N/A:N
Published: 12/23/2022 | Created: 07/31/2024 | Added: 07/30/2024 | Modified: 01/28/2025
Description: A vulnerability exists in the HSTS check of curl before 7.87.0 that could be bypassed to trick it into continuing to use HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of an insecure clear-text HTTP step even when HTTP is given in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced by their ASCII counterparts as part of the IDN conversion, for example the UTF-8 character U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. In a subsequent request, curl then does not detect the HSTS state and makes a clear-text transfer, because it stored the information IDN-encoded but looked it up IDN-decoded.
Solution(s): debian-upgrade-curl
References: https://attackerkb.com/topics/cve-2022-43551, CVE-2022-43551
-
Debian: CVE-2022-47942: linux -- security update
Severity: 9
CVSS: AV:N/AC:L/Au:S/C:C/I:C/A:C
Published: 12/23/2022 | Created: 07/31/2024 | Added: 07/30/2024 | Modified: 01/28/2025
Description: An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is a heap-based buffer overflow in set_ntacl_dacl, related to use of SMB2_QUERY_INFO_HE after a malformed SMB2_SET_INFO_HE command.
Solution(s): debian-upgrade-linux
References: https://attackerkb.com/topics/cve-2022-47942, CVE-2022-47942
-
OS X update for AMD (CVE-2022-43551)
Severity: 8
CVSS: AV:N/AC:L/Au:N/C:C/I:N/A:N
Published: 12/23/2022 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
Description: Deprecated
Solution(s): (none listed)
-
Debian: CVE-2022-47938: linux -- security update
Severity: 7
CVSS: AV:N/AC:L/Au:S/C:N/I:N/A:C
Published: 12/23/2022 | Created: 07/31/2024 | Added: 07/30/2024 | Modified: 01/28/2025
Description: An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for SMB2_TREE_CONNECT.
Solution(s): debian-upgrade-linux
References: https://attackerkb.com/topics/cve-2022-47938, CVE-2022-47938
-
Ubuntu: (CVE-2022-47938): linux vulnerability
Severity: 7
CVSS: AV:N/AC:L/Au:S/C:N/I:N/A:C
Published: 12/23/2022 | Created: 11/21/2024 | Added: 11/19/2024 | Modified: 02/11/2025
Description: An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for SMB2_TREE_CONNECT.
Solution(s): ubuntu-upgrade-linux, ubuntu-upgrade-linux-aws, ubuntu-upgrade-linux-aws-5-15, ubuntu-upgrade-linux-azure, ubuntu-upgrade-linux-azure-5-15, ubuntu-upgrade-linux-azure-fde, ubuntu-upgrade-linux-azure-fde-5-15, ubuntu-upgrade-linux-gcp, ubuntu-upgrade-linux-gcp-5-15, ubuntu-upgrade-linux-gke, ubuntu-upgrade-linux-gke-5-15, ubuntu-upgrade-linux-gkeop, ubuntu-upgrade-linux-gkeop-5-15, ubuntu-upgrade-linux-hwe-5-15, ubuntu-upgrade-linux-ibm, ubuntu-upgrade-linux-intel-iotg, ubuntu-upgrade-linux-intel-iotg-5-15, ubuntu-upgrade-linux-kvm, ubuntu-upgrade-linux-lowlatency, ubuntu-upgrade-linux-lowlatency-hwe-5-15, ubuntu-upgrade-linux-nvidia, ubuntu-upgrade-linux-oracle, ubuntu-upgrade-linux-oracle-5-15, ubuntu-upgrade-linux-raspi, ubuntu-upgrade-linux-realtime, ubuntu-upgrade-linux-riscv, ubuntu-upgrade-linux-riscv-5-15
References: https://attackerkb.com/topics/cve-2022-47938, CVE-2022-47938, https://www.cve.org/CVERecord?id=CVE-2022-47938, https://www.openwall.com/lists/oss-security/2022/12/23/10, https://www.zerodayinitiative.com/advisories/ZDI-22-1689/
-
Huawei EulerOS: CVE-2022-40897: python-setuptools security update
Severity: 7
CVSS: AV:N/AC:M/Au:N/C:N/I:N/A:C
Published: 12/23/2022 | Created: 06/09/2023 | Added: 06/09/2023 | Modified: 01/28/2025
Description: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
Solution(s): huawei-euleros-2_0_sp5-upgrade-python2-setuptools
References: https://attackerkb.com/topics/cve-2022-40897, CVE-2022-40897, EulerOS-SA-2023-2166
-
Ubuntu: USN-6422-1 (CVE-2022-23547): Ring vulnerabilities
Severity: 10
CVSS: AV:N/AC:L/Au:N/C:C/I:C/A:C
Published: 12/23/2022 | Created: 10/11/2023 | Added: 10/10/2023 | Modified: 01/28/2025
Description: PJSIP is a free and open source multimedia communication library written in the C language, implementing standards-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to GHSA-9pfh-r8x4-w26w. A buffer overread is possible when parsing a certain STUN message. The vulnerability affects applications that use STUN, including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch.
Solution(s): ubuntu-pro-upgrade-jami, ubuntu-pro-upgrade-jami-daemon, ubuntu-pro-upgrade-ring, ubuntu-pro-upgrade-ring-daemon
References: https://attackerkb.com/topics/cve-2022-23547, CVE-2022-23547, USN-6422-1
-
OS X update for PackageKit (CVE-2022-46704)
Severity: 5
CVSS: AV:L/AC:M/Au:N/C:N/I:C/A:N
Published: 12/23/2022 | Created: 12/24/2022 | Added: 12/23/2022 | Modified: 01/28/2025
Description: A logic issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.1, macOS Big Sur 11.7.2, macOS Monterey 12.6.2. An app may be able to modify protected parts of the file system.
Solution(s): apple-osx-upgrade-11_7_2, apple-osx-upgrade-12_6_2, apple-osx-upgrade-13_1
References: https://attackerkb.com/topics/cve-2022-46704, CVE-2022-46704, https://support.apple.com/kb/HT213532, https://support.apple.com/kb/HT213533, https://support.apple.com/kb/HT213534
-
Gentoo Linux: CVE-2022-40897: Setuptools: Denial of Service
Severity: 7
CVSS: AV:N/AC:M/Au:N/C:N/I:N/A:C
Published: 12/23/2022 | Created: 05/06/2024 | Added: 05/06/2024 | Modified: 01/28/2025
Description: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
Solution(s): gentoo-linux-upgrade-dev-python-setuptools
References: https://attackerkb.com/topics/cve-2022-40897, CVE-2022-40897, 202405-10
-
OS X update for WebKit (CVE-2022-42826)
Severity: 9
CVSS: AV:N/AC:M/Au:N/C:C/I:C/A:C
Published: 12/23/2022 | Created: 12/24/2022 | Added: 12/23/2022 | Modified: 01/28/2025
Description: A use after free issue was addressed with improved memory management. This issue is fixed in macOS Ventura 13, iOS 16.1 and iPadOS 16, Safari 16.1. Processing maliciously crafted web content may lead to arbitrary code execution.
Solution(s): apple-osx-upgrade-13
References: https://attackerkb.com/topics/cve-2022-42826, CVE-2022-42826, https://support.apple.com/kb/HT213488
-
Huawei EulerOS: CVE-2022-43551: curl security update
Severity: 8
CVSS: AV:N/AC:L/Au:N/C:C/I:N/A:N
Published: 12/23/2022 | Created: 03/24/2023 | Added: 03/24/2023 | Modified: 01/28/2025
Description: A vulnerability exists in the HSTS check of curl before 7.87.0 that could be bypassed to trick it into continuing to use HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of an insecure clear-text HTTP step even when HTTP is given in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced by their ASCII counterparts as part of the IDN conversion, for example the UTF-8 character U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. In a subsequent request, curl then does not detect the HSTS state and makes a clear-text transfer, because it stored the information IDN-encoded but looked it up IDN-decoded.
Solution(s): huawei-euleros-2_0_sp11-upgrade-curl, huawei-euleros-2_0_sp11-upgrade-libcurl
References: https://attackerkb.com/topics/cve-2022-43551, CVE-2022-43551, EulerOS-SA-2023-1581
-
Alma Linux: CVE-2022-40897: Moderate: python-setuptools security update (Multiple Advisories)
Severity: 7
CVSS: AV:N/AC:M/Au:N/C:N/I:N/A:C
Published: 12/23/2022 | Created: 02/22/2023 | Added: 02/22/2023 | Modified: 01/28/2025
Description: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
Solution(s): alma-upgrade-babel, alma-upgrade-platform-python-setuptools, alma-upgrade-python-nose-docs, alma-upgrade-python-psycopg2-doc, alma-upgrade-python-sqlalchemy-doc, alma-upgrade-python2, alma-upgrade-python2-attrs, alma-upgrade-python2-babel, alma-upgrade-python2-backports, alma-upgrade-python2-backports-ssl_match_hostname, alma-upgrade-python2-bson, alma-upgrade-python2-chardet, alma-upgrade-python2-coverage, alma-upgrade-python2-cython, alma-upgrade-python2-debug, alma-upgrade-python2-devel, alma-upgrade-python2-dns, alma-upgrade-python2-docs, alma-upgrade-python2-docs-info, alma-upgrade-python2-docutils, alma-upgrade-python2-funcsigs, alma-upgrade-python2-idna, alma-upgrade-python2-ipaddress, alma-upgrade-python2-jinja2, alma-upgrade-python2-libs, alma-upgrade-python2-lxml, alma-upgrade-python2-markupsafe, alma-upgrade-python2-mock, alma-upgrade-python2-nose, alma-upgrade-python2-numpy, alma-upgrade-python2-numpy-doc, alma-upgrade-python2-numpy-f2py, alma-upgrade-python2-pip, alma-upgrade-python2-pip-wheel, alma-upgrade-python2-pluggy, alma-upgrade-python2-psycopg2, alma-upgrade-python2-psycopg2-debug, alma-upgrade-python2-psycopg2-tests, alma-upgrade-python2-py, alma-upgrade-python2-pygments, alma-upgrade-python2-pymongo, alma-upgrade-python2-pymongo-gridfs, alma-upgrade-python2-pymysql, alma-upgrade-python2-pysocks, alma-upgrade-python2-pytest, alma-upgrade-python2-pytest-mock, alma-upgrade-python2-pytz, alma-upgrade-python2-pyyaml, alma-upgrade-python2-requests, alma-upgrade-python2-rpm-macros, alma-upgrade-python2-scipy, alma-upgrade-python2-setuptools, alma-upgrade-python2-setuptools-wheel, alma-upgrade-python2-setuptools_scm, alma-upgrade-python2-six, alma-upgrade-python2-sqlalchemy, alma-upgrade-python2-test, alma-upgrade-python2-tkinter, alma-upgrade-python2-tools, alma-upgrade-python2-urllib3, alma-upgrade-python2-virtualenv, alma-upgrade-python2-wheel, alma-upgrade-python2-wheel-wheel, alma-upgrade-python3-setuptools, alma-upgrade-python3-setuptools-wheel, alma-upgrade-python39, alma-upgrade-python39-attrs, alma-upgrade-python39-cffi, alma-upgrade-python39-chardet, alma-upgrade-python39-cryptography, alma-upgrade-python39-cython, alma-upgrade-python39-debug, alma-upgrade-python39-devel, alma-upgrade-python39-idle, alma-upgrade-python39-idna, alma-upgrade-python39-iniconfig, alma-upgrade-python39-libs, alma-upgrade-python39-lxml, alma-upgrade-python39-mod_wsgi, alma-upgrade-python39-more-itertools, alma-upgrade-python39-numpy, alma-upgrade-python39-numpy-doc, alma-upgrade-python39-numpy-f2py, alma-upgrade-python39-packaging, alma-upgrade-python39-pip, alma-upgrade-python39-pip-wheel, alma-upgrade-python39-pluggy, alma-upgrade-python39-ply, alma-upgrade-python39-psutil, alma-upgrade-python39-psycopg2, alma-upgrade-python39-psycopg2-doc, alma-upgrade-python39-psycopg2-tests, alma-upgrade-python39-py, alma-upgrade-python39-pybind11, alma-upgrade-python39-pybind11-devel, alma-upgrade-python39-pycparser, alma-upgrade-python39-pymysql, alma-upgrade-python39-pyparsing, alma-upgrade-python39-pysocks, alma-upgrade-python39-pytest, alma-upgrade-python39-pyyaml, alma-upgrade-python39-requests, alma-upgrade-python39-rpm-macros, alma-upgrade-python39-scipy, alma-upgrade-python39-setuptools, alma-upgrade-python39-setuptools-wheel, alma-upgrade-python39-six, alma-upgrade-python39-test, alma-upgrade-python39-tkinter, alma-upgrade-python39-toml, alma-upgrade-python39-urllib3, alma-upgrade-python39-wcwidth, alma-upgrade-python39-wheel, alma-upgrade-python39-wheel-wheel
References: https://attackerkb.com/topics/cve-2022-40897, CVE-2022-40897, https://errata.almalinux.org/8/ALSA-2023-0835.html, https://errata.almalinux.org/8/ALSA-2024-2985.html, https://errata.almalinux.org/8/ALSA-2024-2987.html, https://errata.almalinux.org/9/ALSA-2023-0952.html
-
CentOS Linux: CVE-2022-40899: Important: Satellite 6.13.3 Async Security Update (Multiple Advisories)
Severity: 8
CVSS: AV:N/AC:L/Au:N/C:N/I:N/A:C
Published: 12/23/2022 | Created: 08/04/2023 | Added: 08/04/2023 | Modified: 01/28/2025
Description: An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via a crafted Set-Cookie header from a malicious web server.
Solution(s): centos-upgrade-foreman-cli, centos-upgrade-python39-pulp_manifest, centos-upgrade-rubygem-amazing_print, centos-upgrade-rubygem-apipie-bindings, centos-upgrade-rubygem-clamp, centos-upgrade-rubygem-domain_name, centos-upgrade-rubygem-fast_gettext, centos-upgrade-rubygem-ffi, centos-upgrade-rubygem-ffi-debuginfo, centos-upgrade-rubygem-ffi-debugsource, centos-upgrade-rubygem-foreman_maintain, centos-upgrade-rubygem-gssapi, centos-upgrade-rubygem-hammer_cli, centos-upgrade-rubygem-hammer_cli_foreman, centos-upgrade-rubygem-hammer_cli_foreman_admin, centos-upgrade-rubygem-hammer_cli_foreman_ansible, centos-upgrade-rubygem-hammer_cli_foreman_azure_rm, centos-upgrade-rubygem-hammer_cli_foreman_bootdisk, centos-upgrade-rubygem-hammer_cli_foreman_discovery, centos-upgrade-rubygem-hammer_cli_foreman_google, centos-upgrade-rubygem-hammer_cli_foreman_openscap, centos-upgrade-rubygem-hammer_cli_foreman_remote_execution, centos-upgrade-rubygem-hammer_cli_foreman_tasks, centos-upgrade-rubygem-hammer_cli_foreman_templates, centos-upgrade-rubygem-hammer_cli_foreman_virt_who_configure, centos-upgrade-rubygem-hammer_cli_foreman_webhooks, centos-upgrade-rubygem-hammer_cli_katello, centos-upgrade-rubygem-hashie, centos-upgrade-rubygem-highline, centos-upgrade-rubygem-http-accept, centos-upgrade-rubygem-http-cookie, centos-upgrade-rubygem-jwt, centos-upgrade-rubygem-little-plugger, centos-upgrade-rubygem-locale, centos-upgrade-rubygem-logging, centos-upgrade-rubygem-mime-types, centos-upgrade-rubygem-mime-types-data, centos-upgrade-rubygem-multi_json, centos-upgrade-rubygem-netrc, centos-upgrade-rubygem-oauth, centos-upgrade-rubygem-oauth-tty, centos-upgrade-rubygem-powerbar, centos-upgrade-rubygem-rest-client, centos-upgrade-rubygem-snaky_hash, centos-upgrade-rubygem-unf, centos-upgrade-rubygem-unf_ext, centos-upgrade-rubygem-unf_ext-debuginfo, centos-upgrade-rubygem-unf_ext-debugsource, centos-upgrade-rubygem-unicode, centos-upgrade-rubygem-unicode-debuginfo, centos-upgrade-rubygem-unicode-debugsource, centos-upgrade-rubygem-unicode-display_width, centos-upgrade-rubygem-version_gem, centos-upgrade-satellite-cli, centos-upgrade-satellite-clone, centos-upgrade-satellite-maintain
References: CVE-2022-40899
-
SUSE: CVE-2022-40898: SUSE Linux Security Advisory
Severity: 8
CVSS: AV:N/AC:L/Au:N/C:N/I:N/A:C
Published: 12/23/2022 | Created: 01/18/2023 | Added: 01/17/2023 | Modified: 01/28/2025
Description: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker-controlled input to the wheel CLI.
Solution(s): suse-upgrade-python-wheel, suse-upgrade-python3-wheel
References: https://attackerkb.com/topics/cve-2022-40898, CVE-2022-40898
-
OS X update for Archive Utility (CVE-2022-43551)
Severity: 8
CVSS: AV:N/AC:L/Au:N/C:C/I:N/A:N
Published: 12/23/2022 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
Description: Deprecated
Solution(s): (none listed)
-
Huawei EulerOS: CVE-2022-40898: python-wheel security update
Severity: 8
CVSS: AV:N/AC:L/Au:N/C:N/I:N/A:C
Published: 12/23/2022 | Created: 05/10/2023 | Added: 05/10/2023 | Modified: 01/28/2025
Description: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker-controlled input to the wheel CLI.
Solution(s): huawei-euleros-2_0_sp9-upgrade-python-wheel-wheel
References: https://attackerkb.com/topics/cve-2022-40898, CVE-2022-40898, EulerOS-SA-2023-1877
-
Red Hat: CVE-2022-40897: pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py (Multiple Advisories)
Severity: 7
CVSS: AV:N/AC:M/Au:N/C:N/I:N/A:C
Published: 12/23/2022 | Created: 02/22/2023 | Added: 02/22/2023 | Modified: 01/28/2025
Description: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
Solution(s): redhat-upgrade-babel, redhat-upgrade-cython-debugsource, redhat-upgrade-numpy-debugsource, redhat-upgrade-platform-python-setuptools, redhat-upgrade-python-cffi-debugsource, redhat-upgrade-python-coverage-debugsource, redhat-upgrade-python-cryptography-debugsource, redhat-upgrade-python-lxml-debugsource, redhat-upgrade-python-nose-docs, redhat-upgrade-python-psutil-debugsource, redhat-upgrade-python-psycopg2-debuginfo, redhat-upgrade-python-psycopg2-debugsource, redhat-upgrade-python-psycopg2-doc, redhat-upgrade-python-pymongo-debuginfo, redhat-upgrade-python-pymongo-debugsource, redhat-upgrade-python-sqlalchemy-doc, redhat-upgrade-python2, redhat-upgrade-python2-attrs, redhat-upgrade-python2-babel, redhat-upgrade-python2-backports, redhat-upgrade-python2-backports-ssl_match_hostname, redhat-upgrade-python2-bson, redhat-upgrade-python2-bson-debuginfo, redhat-upgrade-python2-chardet, redhat-upgrade-python2-coverage, redhat-upgrade-python2-coverage-debuginfo, redhat-upgrade-python2-cython, redhat-upgrade-python2-cython-debuginfo, redhat-upgrade-python2-debug, redhat-upgrade-python2-debuginfo, redhat-upgrade-python2-debugsource, redhat-upgrade-python2-devel, redhat-upgrade-python2-dns, redhat-upgrade-python2-docs, redhat-upgrade-python2-docs-info, redhat-upgrade-python2-docutils, redhat-upgrade-python2-funcsigs, redhat-upgrade-python2-idna, redhat-upgrade-python2-ipaddress, redhat-upgrade-python2-jinja2, redhat-upgrade-python2-libs, redhat-upgrade-python2-lxml, redhat-upgrade-python2-lxml-debuginfo, redhat-upgrade-python2-markupsafe, redhat-upgrade-python2-mock, redhat-upgrade-python2-nose, redhat-upgrade-python2-numpy, redhat-upgrade-python2-numpy-debuginfo, redhat-upgrade-python2-numpy-doc, redhat-upgrade-python2-numpy-f2py, redhat-upgrade-python2-pip, redhat-upgrade-python2-pip-wheel, redhat-upgrade-python2-pluggy, redhat-upgrade-python2-psycopg2, redhat-upgrade-python2-psycopg2-debug, redhat-upgrade-python2-psycopg2-debug-debuginfo, redhat-upgrade-python2-psycopg2-debuginfo, redhat-upgrade-python2-psycopg2-tests, redhat-upgrade-python2-py, redhat-upgrade-python2-pygments, redhat-upgrade-python2-pymongo, redhat-upgrade-python2-pymongo-debuginfo, redhat-upgrade-python2-pymongo-gridfs, redhat-upgrade-python2-pymysql, redhat-upgrade-python2-pysocks, redhat-upgrade-python2-pytest, redhat-upgrade-python2-pytest-mock, redhat-upgrade-python2-pytz, redhat-upgrade-python2-pyyaml, redhat-upgrade-python2-pyyaml-debuginfo, redhat-upgrade-python2-requests, redhat-upgrade-python2-rpm-macros, redhat-upgrade-python2-scipy, redhat-upgrade-python2-scipy-debuginfo, redhat-upgrade-python2-setuptools, redhat-upgrade-python2-setuptools-wheel, redhat-upgrade-python2-setuptools_scm, redhat-upgrade-python2-six, redhat-upgrade-python2-sqlalchemy, redhat-upgrade-python2-test, redhat-upgrade-python2-tkinter, redhat-upgrade-python2-tools, redhat-upgrade-python2-urllib3, redhat-upgrade-python2-virtualenv, redhat-upgrade-python2-wheel, redhat-upgrade-python2-wheel-wheel, redhat-upgrade-python3-setuptools, redhat-upgrade-python3-setuptools-wheel, redhat-upgrade-python39, redhat-upgrade-python39-attrs, redhat-upgrade-python39-cffi, redhat-upgrade-python39-cffi-debuginfo, redhat-upgrade-python39-chardet, redhat-upgrade-python39-cryptography, redhat-upgrade-python39-cryptography-debuginfo, redhat-upgrade-python39-cython, redhat-upgrade-python39-cython-debuginfo, redhat-upgrade-python39-debug, redhat-upgrade-python39-debuginfo, redhat-upgrade-python39-debugsource, redhat-upgrade-python39-devel, redhat-upgrade-python39-idle, redhat-upgrade-python39-idna, redhat-upgrade-python39-iniconfig, redhat-upgrade-python39-libs, redhat-upgrade-python39-lxml, redhat-upgrade-python39-lxml-debuginfo, redhat-upgrade-python39-mod_wsgi, redhat-upgrade-python39-more-itertools, redhat-upgrade-python39-numpy, redhat-upgrade-python39-numpy-debuginfo, redhat-upgrade-python39-numpy-doc, redhat-upgrade-python39-numpy-f2py, redhat-upgrade-python39-packaging, redhat-upgrade-python39-pip, redhat-upgrade-python39-pip-wheel, redhat-upgrade-python39-pluggy, redhat-upgrade-python39-ply, redhat-upgrade-python39-psutil, redhat-upgrade-python39-psutil-debuginfo, redhat-upgrade-python39-psycopg2, redhat-upgrade-python39-psycopg2-debuginfo, redhat-upgrade-python39-psycopg2-doc, redhat-upgrade-python39-psycopg2-tests, redhat-upgrade-python39-py, redhat-upgrade-python39-pybind11, redhat-upgrade-python39-pybind11-devel, redhat-upgrade-python39-pycparser, redhat-upgrade-python39-pymysql, redhat-upgrade-python39-pyparsing, redhat-upgrade-python39-pysocks, redhat-upgrade-python39-pytest, redhat-upgrade-python39-pyyaml, redhat-upgrade-python39-pyyaml-debuginfo, redhat-upgrade-python39-requests, redhat-upgrade-python39-rpm-macros, redhat-upgrade-python39-scipy, redhat-upgrade-python39-scipy-debuginfo, redhat-upgrade-python39-setuptools, redhat-upgrade-python39-setuptools-wheel, redhat-upgrade-python39-six, redhat-upgrade-python39-test, redhat-upgrade-python39-tkinter, redhat-upgrade-python39-toml, redhat-upgrade-python39-urllib3, redhat-upgrade-python39-wcwidth, redhat-upgrade-python39-wheel, redhat-upgrade-python39-wheel-wheel, redhat-upgrade-pyyaml-debugsource, redhat-upgrade-scipy-debugsource
References: CVE-2022-40897, RHSA-2023:0835, RHSA-2023:0952, RHSA-2023:7395, RHSA-2024:2985, RHSA-2024:2987, RHSA-2024:4421
-
Red Hat: CVE-2022-40898: remote attackers can cause denial of service via attacker-controlled input to wheel CLI (Multiple Advisories)
Severity: 8
CVSS: AV:N/AC:L/Au:N/C:N/I:N/A:C
Published: 12/23/2022 | Created: 12/19/2023 | Added: 12/15/2023 | Modified: 02/10/2025
Description: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker-controlled input to the wheel CLI.
Solution(s): redhat-upgrade-python3-wheel, redhat-upgrade-python3-wheel-wheel, redhat-upgrade-rhc-worker-playbook, redhat-upgrade-rhc-worker-playbook-debuginfo
References: CVE-2022-40898, RHSA-2023:6712, RHSA-2024:10761
-
SUSE: CVE-2022-40897: SUSE Linux Security Advisory
Severity: 7
CVSS: AV:N/AC:M/Au:N/C:N/I:N/A:C
Published: 12/23/2022 | Created: 01/18/2023 | Added: 01/17/2023 | Modified: 01/28/2025
Description: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
Solution(s): suse-upgrade-python-setuptools, suse-upgrade-python3-setuptools, suse-upgrade-python3-setuptools-test, suse-upgrade-python3-setuptools-wheel, suse-upgrade-python310-setuptools, suse-upgrade-python36-setuptools, suse-upgrade-python39-setuptools
References: https://attackerkb.com/topics/cve-2022-40897, CVE-2022-40897