ISHACK AI BOT

SUSE: CVE-2022-40899: SUSE Linux Security Advisory Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 12/23/2022 Created 01/14/2023 Added 01/13/2023 Modified 01/28/2025 Description An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. Solution(s) suse-upgrade-libpython3_4m1_0 suse-upgrade-libpython3_4m1_0-32bit suse-upgrade-python-future suse-upgrade-python3 suse-upgrade-python3-base suse-upgrade-python3-curses suse-upgrade-python3-dbm suse-upgrade-python3-devel suse-upgrade-python3-future suse-upgrade-python3-tk References https://attackerkb.com/topics/cve-2022-40899 CVE - 2022-40899

Ubuntu: (CVE-2022-47943): linux vulnerability Severity 9 CVSS (AV:N/AC:L/Au:S/C:C/I:N/A:C) Published 12/23/2022 Created 11/21/2024 Added 11/19/2024 Modified 02/11/2025 Description An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is an out-of-bounds read and OOPS for SMB2_WRITE, when there is a large length in the zero DataOffset case. Solution(s) ubuntu-upgrade-linux ubuntu-upgrade-linux-aws ubuntu-upgrade-linux-aws-5-15 ubuntu-upgrade-linux-azure ubuntu-upgrade-linux-azure-5-15 ubuntu-upgrade-linux-azure-fde ubuntu-upgrade-linux-azure-fde-5-15 ubuntu-upgrade-linux-gcp ubuntu-upgrade-linux-gcp-5-15 ubuntu-upgrade-linux-gke ubuntu-upgrade-linux-gke-5-15 ubuntu-upgrade-linux-gkeop ubuntu-upgrade-linux-gkeop-5-15 ubuntu-upgrade-linux-hwe-5-15 ubuntu-upgrade-linux-ibm ubuntu-upgrade-linux-intel-iotg ubuntu-upgrade-linux-intel-iotg-5-15 ubuntu-upgrade-linux-kvm ubuntu-upgrade-linux-lowlatency ubuntu-upgrade-linux-lowlatency-hwe-5-15 ubuntu-upgrade-linux-nvidia ubuntu-upgrade-linux-oracle ubuntu-upgrade-linux-oracle-5-15 ubuntu-upgrade-linux-raspi ubuntu-upgrade-linux-realtime ubuntu-upgrade-linux-riscv ubuntu-upgrade-linux-riscv-5-15 References https://attackerkb.com/topics/cve-2022-47943 CVE - 2022-47943 https://www.cve.org/CVERecord?id=CVE-2022-47943 https://www.openwall.com/lists/oss-security/2022/12/23/1 https://www.zerodayinitiative.com/advisories/ZDI-22-1691/

Ubuntu: (CVE-2022-47942): linux vulnerability Severity 9 CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:C) Published 12/23/2022 Created 11/21/2024 Added 11/19/2024 Modified 02/11/2025 Description An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is a heap-based buffer overflow in set_ntacl_dacl, related to use of SMB2_QUERY_INFO_HE after a malformed SMB2_SET_INFO_HE command. Solution(s) ubuntu-upgrade-linux ubuntu-upgrade-linux-aws ubuntu-upgrade-linux-aws-5-15 ubuntu-upgrade-linux-azure ubuntu-upgrade-linux-azure-5-15 ubuntu-upgrade-linux-azure-fde ubuntu-upgrade-linux-azure-fde-5-15 ubuntu-upgrade-linux-gcp ubuntu-upgrade-linux-gcp-5-15 ubuntu-upgrade-linux-gke ubuntu-upgrade-linux-gke-5-15 ubuntu-upgrade-linux-gkeop ubuntu-upgrade-linux-gkeop-5-15 ubuntu-upgrade-linux-hwe-5-15 ubuntu-upgrade-linux-ibm ubuntu-upgrade-linux-intel-iotg ubuntu-upgrade-linux-intel-iotg-5-15 ubuntu-upgrade-linux-kvm ubuntu-upgrade-linux-lowlatency ubuntu-upgrade-linux-lowlatency-hwe-5-15 ubuntu-upgrade-linux-nvidia ubuntu-upgrade-linux-oracle ubuntu-upgrade-linux-oracle-5-15 ubuntu-upgrade-linux-raspi ubuntu-upgrade-linux-realtime ubuntu-upgrade-linux-riscv ubuntu-upgrade-linux-riscv-5-15 References https://attackerkb.com/topics/cve-2022-47942 CVE - 2022-47942 https://www.cve.org/CVERecord?id=CVE-2022-47942 https://www.openwall.com/lists/oss-security/2022/12/23/10 https://www.zerodayinitiative.com/advisories/ZDI-22-1688/

Ubuntu: (Multiple Advisories) (CVE-2022-47940): Linux kernel vulnerabilities Severity 9 CVSS (AV:N/AC:L/Au:S/C:C/I:N/A:C) Published 12/23/2022 Created 03/29/2023 Added 03/22/2023 Modified 01/28/2025 Description An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.18 before 5.18.18. fs/ksmbd/smb2pdu.c lacks length validation in the non-padding case in smb2_write. Solution(s) ubuntu-upgrade-linux-image-5-15-0-1015-gkeop ubuntu-upgrade-linux-image-5-15-0-1024-raspi ubuntu-upgrade-linux-image-5-15-0-1024-raspi-nolpae ubuntu-upgrade-linux-image-5-15-0-1025-ibm ubuntu-upgrade-linux-image-5-15-0-1025-intel-iotg ubuntu-upgrade-linux-image-5-15-0-1027-gke ubuntu-upgrade-linux-image-5-15-0-1028-kvm ubuntu-upgrade-linux-image-5-15-0-1029-gcp ubuntu-upgrade-linux-image-5-15-0-1029-oracle ubuntu-upgrade-linux-image-5-15-0-1030-aws ubuntu-upgrade-linux-image-5-15-0-1033-azure ubuntu-upgrade-linux-image-5-15-0-1033-azure-fde ubuntu-upgrade-linux-image-5-15-0-60-generic ubuntu-upgrade-linux-image-5-15-0-60-generic-64k ubuntu-upgrade-linux-image-5-15-0-60-generic-lpae ubuntu-upgrade-linux-image-5-15-0-60-lowlatency ubuntu-upgrade-linux-image-5-15-0-60-lowlatency-64k ubuntu-upgrade-linux-image-aws ubuntu-upgrade-linux-image-aws-lts-22-04 ubuntu-upgrade-linux-image-azure ubuntu-upgrade-linux-image-azure-fde ubuntu-upgrade-linux-image-azure-lts-22-04 ubuntu-upgrade-linux-image-gcp ubuntu-upgrade-linux-image-generic ubuntu-upgrade-linux-image-generic-64k ubuntu-upgrade-linux-image-generic-64k-hwe-20-04 ubuntu-upgrade-linux-image-generic-64k-hwe-22-04 ubuntu-upgrade-linux-image-generic-hwe-20-04 ubuntu-upgrade-linux-image-generic-hwe-22-04 ubuntu-upgrade-linux-image-generic-lpae ubuntu-upgrade-linux-image-generic-lpae-hwe-20-04 ubuntu-upgrade-linux-image-generic-lpae-hwe-22-04 ubuntu-upgrade-linux-image-gke ubuntu-upgrade-linux-image-gke-5-15 ubuntu-upgrade-linux-image-gkeop ubuntu-upgrade-linux-image-gkeop-5-15 ubuntu-upgrade-linux-image-ibm ubuntu-upgrade-linux-image-intel-iotg ubuntu-upgrade-linux-image-kvm ubuntu-upgrade-linux-image-lowlatency ubuntu-upgrade-linux-image-lowlatency-64k ubuntu-upgrade-linux-image-lowlatency-64k-hwe-20-04 ubuntu-upgrade-linux-image-lowlatency-64k-hwe-22-04 ubuntu-upgrade-linux-image-lowlatency-hwe-20-04 ubuntu-upgrade-linux-image-lowlatency-hwe-22-04 ubuntu-upgrade-linux-image-oracle ubuntu-upgrade-linux-image-raspi ubuntu-upgrade-linux-image-raspi-nolpae ubuntu-upgrade-linux-image-virtual ubuntu-upgrade-linux-image-virtual-hwe-20-04 ubuntu-upgrade-linux-image-virtual-hwe-22-04 References https://attackerkb.com/topics/cve-2022-47940 CVE - 2022-47940 USN-5851-1 USN-5860-1 USN-5876-1 USN-5877-1

OS X update for CoreMedia (CVE-2022-42838) Severity 2 CVSS (AV:L/AC:L/Au:S/C:P/I:N/A:N) Published 12/23/2022 Created 12/24/2022 Added 12/23/2022 Modified 01/28/2025 Description An issue with app access to camera data was addressed with improved logic. This issue is fixed in macOS Ventura 13. A camera extension may be able to continue receiving video after the app which activated was closed. Solution(s) apple-osx-upgrade-13 References https://attackerkb.com/topics/cve-2022-42838 CVE - 2022-42838 https://support.apple.com/kb/HT213488

Ubuntu: (CVE-2022-47941): linux vulnerability Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 12/23/2022 Created 11/21/2024 Added 11/19/2024 Modified 02/11/2025 Description An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. fs/ksmbd/smb2pdu.c omits a kfree call in certain smb2_handle_negotiate error conditions, aka a memory leak. Solution(s) ubuntu-upgrade-linux ubuntu-upgrade-linux-aws ubuntu-upgrade-linux-aws-5-15 ubuntu-upgrade-linux-azure ubuntu-upgrade-linux-azure-5-15 ubuntu-upgrade-linux-azure-fde ubuntu-upgrade-linux-azure-fde-5-15 ubuntu-upgrade-linux-gcp ubuntu-upgrade-linux-gcp-5-15 ubuntu-upgrade-linux-gke ubuntu-upgrade-linux-gke-5-15 ubuntu-upgrade-linux-gkeop ubuntu-upgrade-linux-gkeop-5-15 ubuntu-upgrade-linux-hwe-5-15 ubuntu-upgrade-linux-ibm ubuntu-upgrade-linux-intel-iotg ubuntu-upgrade-linux-intel-iotg-5-15 ubuntu-upgrade-linux-kvm ubuntu-upgrade-linux-lowlatency ubuntu-upgrade-linux-lowlatency-hwe-5-15 ubuntu-upgrade-linux-nvidia ubuntu-upgrade-linux-oracle ubuntu-upgrade-linux-oracle-5-15 ubuntu-upgrade-linux-raspi ubuntu-upgrade-linux-realtime ubuntu-upgrade-linux-riscv ubuntu-upgrade-linux-riscv-5-15 References https://attackerkb.com/topics/cve-2022-47941 CVE - 2022-47941 https://www.cve.org/CVERecord?id=CVE-2022-47941 https://www.openwall.com/lists/oss-security/2022/12/23/10 https://www.zerodayinitiative.com/advisories/ZDI-22-1687/

OS X update for CommCenter (CVE-2022-43551) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 12/23/2022 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

Apple Safari security update for CVE-2022-46705 Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 12/23/2022 Created 12/24/2022 Added 12/23/2022 Modified 01/28/2025 Description A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1, Safari 16.2. Visiting a malicious website may lead to address bar spoofing. Solution(s) apple-safari-upgrade-16_2 apple-safari-windows-uninstall References https://attackerkb.com/topics/cve-2022-46705 CVE - 2022-46705 http://support.apple.com/kb/HT213537

OS X update for Carbon Core (CVE-2022-43551) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 12/23/2022 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

Huawei EulerOS: CVE-2022-40897: python-setuptools security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 12/23/2022 Created 05/08/2023 Added 05/08/2023 Modified 01/28/2025 Description Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. Solution(s) huawei-euleros-2_0_sp11-upgrade-python-setuptools huawei-euleros-2_0_sp11-upgrade-python3-setuptools References https://attackerkb.com/topics/cve-2022-40897 CVE - 2022-40897 EulerOS-SA-2023-1788

OS X update for ColorSync (CVE-2022-43551) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 12/23/2022 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

OS X update for Crash Reporter (CVE-2022-43551) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 12/23/2022 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

Huawei EulerOS: CVE-2022-47946: kernel security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 12/23/2022 Created 05/08/2023 Added 05/08/2023 Modified 01/28/2025 Description An issue was discovered in the Linux kernel 5.10.x before 5.10.155. A use-after-free in io_sqpoll_wait_sq in fs/io_uring.c allows an attacker to crash the kernel, resulting in denial of service. finish_wait can be skipped. An attack can occur in some situations by forking a process and then quickly terminating it. NOTE: later kernel versions, such as the 5.15 longterm series, substantially changed the implementation of io_sqpoll_wait_sq. Solution(s) huawei-euleros-2_0_sp11-upgrade-bpftool huawei-euleros-2_0_sp11-upgrade-kernel huawei-euleros-2_0_sp11-upgrade-kernel-abi-stablelists huawei-euleros-2_0_sp11-upgrade-kernel-tools huawei-euleros-2_0_sp11-upgrade-kernel-tools-libs huawei-euleros-2_0_sp11-upgrade-python3-perf References https://attackerkb.com/topics/cve-2022-47946 CVE - 2022-47946 EulerOS-SA-2023-1781

Debian: CVE-2022-40897: setuptools -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 12/23/2022 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. Solution(s) debian-upgrade-setuptools References https://attackerkb.com/topics/cve-2022-40897 CVE - 2022-40897 DLA-3876-1

IBM AIX: curl_advisory2 (CVE-2022-43551): Security vulnerabilities in cURL for AIX Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 12/23/2022 Created 07/27/2023 Added 07/27/2023 Modified 01/28/2025 Description A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded. Solution(s) ibm-aix-curl_advisory2 References https://attackerkb.com/topics/cve-2022-43551 CVE - 2022-43551 https://aix.software.ibm.com/aix/efixes/security/curl_advisory2.asc

OS X update for Camera (CVE-2022-43551) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 12/23/2022 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

Debian: CVE-2022-23547: asterisk, ring -- security update Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 12/23/2022 Created 02/24/2023 Added 02/24/2023 Modified 01/28/2025 Description PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain STUN message. The vulnerability affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as commit in the master branch. Solution(s) debian-upgrade-asterisk debian-upgrade-ring References https://attackerkb.com/topics/cve-2022-23547 CVE - 2022-23547 DLA-3335-1 DSA-5358-1

OS X update for AppleMobileFileIntegrity (CVE-2022-43551) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 12/23/2022 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

Red Hat: CVE-2022-40899: Important: Satellite 6.13.3 Async Security Update (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 12/23/2022 Created 08/04/2023 Added 08/04/2023 Modified 01/28/2025 Description An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. Solution(s) redhat-upgrade-foreman-cli redhat-upgrade-python39-pulp_manifest redhat-upgrade-rubygem-amazing_print redhat-upgrade-rubygem-apipie-bindings redhat-upgrade-rubygem-clamp redhat-upgrade-rubygem-domain_name redhat-upgrade-rubygem-fast_gettext redhat-upgrade-rubygem-ffi redhat-upgrade-rubygem-ffi-debuginfo redhat-upgrade-rubygem-ffi-debugsource redhat-upgrade-rubygem-foreman_maintain redhat-upgrade-rubygem-gssapi redhat-upgrade-rubygem-hammer_cli redhat-upgrade-rubygem-hammer_cli_foreman redhat-upgrade-rubygem-hammer_cli_foreman_admin redhat-upgrade-rubygem-hammer_cli_foreman_ansible redhat-upgrade-rubygem-hammer_cli_foreman_azure_rm redhat-upgrade-rubygem-hammer_cli_foreman_bootdisk redhat-upgrade-rubygem-hammer_cli_foreman_discovery redhat-upgrade-rubygem-hammer_cli_foreman_google redhat-upgrade-rubygem-hammer_cli_foreman_openscap redhat-upgrade-rubygem-hammer_cli_foreman_remote_execution redhat-upgrade-rubygem-hammer_cli_foreman_tasks redhat-upgrade-rubygem-hammer_cli_foreman_templates redhat-upgrade-rubygem-hammer_cli_foreman_virt_who_configure redhat-upgrade-rubygem-hammer_cli_foreman_webhooks redhat-upgrade-rubygem-hammer_cli_katello redhat-upgrade-rubygem-hashie redhat-upgrade-rubygem-highline redhat-upgrade-rubygem-http-accept redhat-upgrade-rubygem-http-cookie redhat-upgrade-rubygem-jwt redhat-upgrade-rubygem-little-plugger redhat-upgrade-rubygem-locale redhat-upgrade-rubygem-logging redhat-upgrade-rubygem-mime-types redhat-upgrade-rubygem-mime-types-data redhat-upgrade-rubygem-multi_json redhat-upgrade-rubygem-netrc redhat-upgrade-rubygem-oauth redhat-upgrade-rubygem-oauth-tty redhat-upgrade-rubygem-powerbar redhat-upgrade-rubygem-rest-client redhat-upgrade-rubygem-snaky_hash redhat-upgrade-rubygem-unf redhat-upgrade-rubygem-unf_ext redhat-upgrade-rubygem-unf_ext-debuginfo redhat-upgrade-rubygem-unf_ext-debugsource redhat-upgrade-rubygem-unicode redhat-upgrade-rubygem-unicode-debuginfo redhat-upgrade-rubygem-unicode-debugsource redhat-upgrade-rubygem-unicode-display_width redhat-upgrade-rubygem-version_gem redhat-upgrade-satellite-cli redhat-upgrade-satellite-clone redhat-upgrade-satellite-maintain References CVE-2022-40899

OS X update for Calendar (CVE-2022-43551) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 12/23/2022 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

Ubuntu: (Multiple Advisories) (CVE-2022-40898): wheel vulnerability Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 12/23/2022 Created 01/25/2023 Added 01/24/2023 Modified 01/28/2025 Description An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. Solution(s) ubuntu-pro-upgrade-python-pip ubuntu-pro-upgrade-python-pip-whl ubuntu-pro-upgrade-python-wheel ubuntu-pro-upgrade-python3-pip ubuntu-pro-upgrade-python3-pip-whl ubuntu-pro-upgrade-python3-wheel References https://attackerkb.com/topics/cve-2022-40898 CVE - 2022-40898 CVE-2022-40898 USN-5821-1 USN-5821-2 USN-5821-3

OS X update for curl (CVE-2022-43551) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 12/23/2022 Created 05/05/2023 Added 04/12/2023 Modified 01/28/2025 Description A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded. Solution(s) apple-osx-upgrade-13_3 References https://attackerkb.com/topics/cve-2022-43551 CVE - 2022-43551 https://support.apple.com/kb/HT213670

Ubuntu: USN-5833-1 (CVE-2022-40899): python-future vulnerability Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 12/23/2022 Created 03/29/2023 Added 03/22/2023 Modified 01/28/2025 Description An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. Solution(s) ubuntu-pro-upgrade-python-future ubuntu-pro-upgrade-python3-future References https://attackerkb.com/topics/cve-2022-40899 CVE - 2022-40899 USN-5833-1

Rocky Linux: CVE-2022-40899: Satellite-6.14 (RLSA-2023-6818) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 12/23/2022 Created 03/07/2024 Added 03/05/2024 Modified 01/28/2025 Description An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. Solution(s) rocky-upgrade-libdb-cxx rocky-upgrade-libdb-cxx-debuginfo rocky-upgrade-libdb-debuginfo rocky-upgrade-libdb-debugsource rocky-upgrade-libdb-sql-debuginfo rocky-upgrade-libdb-sql-devel-debuginfo rocky-upgrade-libdb-utils-debuginfo References https://attackerkb.com/topics/cve-2022-40899 CVE - 2022-40899 https://errata.rockylinux.org/RLSA-2023:6818

Alpine Linux: CVE-2022-43551: Cleartext Transmission of Sensitive Information Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 12/23/2022 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded. Solution(s) alpine-linux-upgrade-curl References https://attackerkb.com/topics/cve-2022-43551 CVE - 2022-43551 https://security.alpinelinux.org/vuln/CVE-2022-43551