https://bugzilla.redhat.com/show_bug.cgi?id=2094052
Bug ID: 2094052
Summary: CVE-2021-4231 angular: XSS vulnerability
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: aileenc(a)redhat.com, amctagga(a)redhat.com,
amurdaca(a)redhat.com, andrew.slice(a)redhat.com,
aoconnor(a)redhat.com, asm(a)redhat.com,
bniver(a)redhat.com, bodavis(a)redhat.com,
branto(a)redhat.com, chazlett(a)redhat.com,
danmick(a)gmail.com, david(a)gnsa.us, dbhole(a)redhat.com,
decathorpe(a)gmail.com, deparker(a)redhat.com,
dwd(a)fedoraproject.org, eduardo.ramalho(a)gmail.com,
epel-packagers-sig(a)lists.fedoraproject.org,
erack(a)redhat.com, fedora(a)zaniyah.org,
flucifre(a)redhat.com, fmuellner(a)redhat.com,
fzatlouk(a)redhat.com,
gecko-bugs-nobody(a)fedoraproject.org,
gmalinko(a)redhat.com, gmeno(a)redhat.com,
go-sig(a)lists.fedoraproject.org, i(a)stingr.net,
janstey(a)redhat.com, jcajka(a)cajka.dev,
jhorak(a)redhat.com, jochrist(a)redhat.com,
josef(a)toxicpanda.com, jwon(a)redhat.com,
kai-engert-fedora(a)kuix.de, kanderso(a)redhat.com,
kkeithle(a)redhat.com, klaas(a)demter.de,
klember(a)redhat.com, lemenkov(a)gmail.com,
loic(a)dachary.org, lvaleeva(a)redhat.com,
madam(a)redhat.com, mbenjamin(a)redhat.com,
mhackett(a)redhat.com, muagarwa(a)redhat.com,
ngompa13(a)gmail.com, ocs-bugs(a)redhat.com,
omajid(a)redhat.com, pdelbell(a)redhat.com,
pjasicek(a)redhat.com, polkit-devel(a)redhat.com,
ramkrsna(a)gmail.com, rhughes(a)redhat.com,
rstrode(a)redhat.com, rwagner(a)redhat.com,
sandmann(a)redhat.com, sostapov(a)redhat.com,
steve(a)silug.org, stransky(a)redhat.com,
thofmann(a)fedoraproject.org, tpopela(a)redhat.com,
trpost(a)rocketmail.com, vereddy(a)redhat.com,
zebob.m(a)gmail.com, zsvetlik(a)redhat.com
Blocks: 2094048
Target Milestone: ---
Classification: Other
A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been
classified as problematic. Affected is the handling of comments. The
manipulation leads to cross site scripting. It is possible to launch the attack
remotely but it might require an authentication first. Upgrading to version
11.0.5 and 11.1.0-next.3 is able to address this issue. The name of the patch
is ba8da742e3b243e8f43d4c63aa842b44e14f2b09. It is recommended to upgrade the
affected component.
References:
https://vuldb.com/?id.181356https://github.com/angular/angular/issues/40136https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e…
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2094052
https://bugzilla.redhat.com/show_bug.cgi?id=2032607
Bug ID: 2032607
Summary: F36FailsToInstall: hyperkitty
Product: Fedora
Version: rawhide
Status: NEW
Component: python-hyperkitty
Assignee: michel(a)michel-slm.name
Reporter: mhroncok(a)redhat.com
CC: epel-packagers-sig(a)lists.fedoraproject.org,
infra-sig(a)lists.fedoraproject.org,
michel(a)michel-slm.name, ngompa13(a)gmail.com,
python-sig(a)lists.fedoraproject.org
Blocks: 1992487 (F36FailsToInstall,RAWHIDEFailsToInstall)
Target Milestone: ---
Classification: Fedora
Hello,
Please note that this comment was generated automatically. If you feel that
this output has mistakes, please contact me via email (mhroncok(a)redhat.com)
Your package (python-hyperkitty) Fails To Install in Fedora 36:
can't install hyperkitty:
- nothing provides python3.10dist(flufl-lock) >= 4 needed by
hyperkitty-1.3.5-1.fc36.noarch
- nothing provides python3.10dist(mistune) >= 2~rc1 needed by
hyperkitty-1.3.5-1.fc36.noarch
If you know about this problem and are planning on fixing it, please
acknowledge so by setting the bug status to ASSIGNED. If you don't have time to
maintain this package, consider orphaning it, so maintainers of dependent
packages realize the problem.
If you don't react accordingly to the policy for FTBFS/FTI bugs
(https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails…)
your package may be orphaned in 8+ weeks.
P.S. The data was generated solely from koji buildroot, so it might be newer
than the latest compose or the content on mirrors.
P.P.S. If this bug has been reported in the middle of upgrading multiple
dependent packages, please consider using side tags:
https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/#updating-inter-d…
Thanks!
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1992487
[Bug 1992487] Fedora 36 Fails To install Tracker
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2032607
https://bugzilla.redhat.com/show_bug.cgi?id=2063508
Bug ID: 2063508
Summary: authentication recquired The password you use does not
match
Product: Fedora
Version: 36
OS: Linux
Status: NEW
Component: keyrings-filesystem
Severity: high
Assignee: manisandro(a)gmail.com
Reporter: jjb(a)xs4all.nl
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
manisandro(a)gmail.com, sergio(a)serjux.com
Target Milestone: ---
Classification: Fedora
Description of problem:
Keyring is locked. (in Passwords and Keys, Seahorse)
try to solve error message "authentication required, the password you use to
log in to your computer no longer match that of your login keyring"
The known password is not accepted.
Version-Release number of selected component (if applicable):
How reproducible:
try to Get Geary (email program) at work.
At login to the computer the password is working all right.
Steps to Reproduce:
1.
2.
3.
Actual results:
cannot authenticate password.
Expected results:
no question of authentication
Additional info:
do not know how to solve this problem.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2063508
https://bugzilla.redhat.com/show_bug.cgi?id=2107574
Bug ID: 2107574
Summary: fortune(6) man page indentation is messed up for -o
and -s options
Product: Fedora
Version: 36
Status: NEW
Component: fortune-mod
Severity: low
Assignee: sheltren(a)fedoraproject.org
Reporter: rhbugs(a)n-dimensional.de
QA Contact: extras-qa(a)fedoraproject.org
CC: epel-packagers-sig(a)lists.fedoraproject.org,
sergio(a)serjux.com, sheltren(a)fedoraproject.org,
shlomif(a)shlomifish.org
Target Milestone: ---
Classification: Fedora
Created attachment 1897376
--> https://bugzilla.redhat.com/attachment.cgi?id=1897376&action=edit
Quick fix patch to the fortune.6 file, copying the formatting -i and -n
Description of problem:
In the fortune(6) man page, the indentation for the description
of the options -o and -s is wrong.
Version-Release number of selected component (if applicable):
fortune-mod-3.12.0-2.fc36.x86_64
How reproducible:
100%
Steps to Reproduce:
1. man fortune
2. type /record or scroll down
Actual results:
filename-record will precede the records from the file it names.
-n length
Set the longest fortune length (in characters) considered to be
“short” (the default is 160). All fortunes longer than this are
considered “long”. Be careful! If you set the length too short and
ask for short fortunes, or too long and ask for long ones, fortune
goes into a never-ending thrash loop.
-o Choose only from potentially offensive aphorisms. The -o option
is ignored if a fortune directory is specified.
Please, please, please request a potentially offensive fortune if
and only if you believe, deep in your heart, that you are willing
to be offended. (And that you'll just quit using -o rather than
give us grief about it, okay?)
... let us keep in mind the basic governing philosophy of The
Brotherhood, as handsomely summarized in these words: we believe in
healthy, hearty laughter -- at the expense of the whole human race,
if needs be. Needs be.
--H. Allen Smith, "Rude Jokes"
-s Short apothegms only. See -n on which fortunes are considered
“short”.
-i
Ignore case for -m patterns.
Expected results:
filename-record will precede the records from the file it names.
-n length
Set the longest fortune length (in characters) considered to be
“short” (the default is 160). All fortunes longer than this are
considered “long”. Be careful! If you set the length too short and
ask for short fortunes, or too long and ask for long ones, fortune
goes into a never-ending thrash loop.
-o
Choose only from potentially offensive aphorisms. The -o option is
ignored if a fortune directory is specified.
Please, please, please request a potentially offensive fortune if
and only if you believe, deep in your heart, that you are willing
to be offended. (And that you'll just quit using -o rather than
give us grief about it, okay?)
... let us keep in mind the basic governing philosophy of The
Brotherhood, as handsomely summarized in these words: we believe in
healthy, hearty laughter -- at the expense of the whole human race,
if needs be. Needs be.
--H. Allen Smith, "Rude Jokes"
-s
Short apothegms only. See -n on which fortunes are considered
“short”.
-i
Ignore case for -m patterns.
Additional info:
The attached patch only fixes the symptoms, not the root cause.
This should probably be fixed somewhere upstream deep inside the mass of perl
scripts building the man pages.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2107574
https://bugzilla.redhat.com/show_bug.cgi?id=2104905
Bug ID: 2104905
Summary: CVE-2022-2097 openssl: AES OCB fails to encrypt some
bytes
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mcascell(a)redhat.com
CC: bdettelb(a)redhat.com, berrange(a)redhat.com,
bootloader-eng-team(a)redhat.com, caswilli(a)redhat.com,
cfergeau(a)redhat.com, cllang(a)redhat.com,
crobinso(a)redhat.com,
crypto-team(a)lists.fedoraproject.org,
csutherl(a)redhat.com, dbelyavs(a)redhat.com,
ddepaula(a)redhat.com, dffrench(a)redhat.com,
dhalasz(a)redhat.com, dkuc(a)redhat.com, dueno(a)redhat.com,
elima(a)redhat.com,
epel-packagers-sig(a)lists.fedoraproject.org,
erik-fedora(a)vanpienbroek.nl, f4bug(a)amsat.org,
fjansen(a)redhat.com, fmartine(a)redhat.com,
gzaronik(a)redhat.com, jary(a)redhat.com,
jburrell(a)redhat.com, jclere(a)redhat.com,
jferlan(a)redhat.com, jkoehler(a)redhat.com,
jwong(a)redhat.com, jwon(a)redhat.com, kaycoth(a)redhat.com,
krathod(a)redhat.com, kraxel(a)redhat.com,
kshier(a)redhat.com, ktietz(a)redhat.com,
marcandre.lureau(a)redhat.com,
michal.skrivanek(a)redhat.com, michel(a)michel-slm.name,
micjohns(a)redhat.com, mjg59(a)srcf.ucam.org,
mmadzin(a)redhat.com, mperina(a)redhat.com,
mspacek(a)redhat.com, mturk(a)redhat.com,
ngough(a)redhat.com, pbonzini(a)redhat.com,
peholase(a)redhat.com, pjindal(a)redhat.com,
pjones(a)redhat.com, plodge(a)redhat.com,
redhat-bugzilla(a)linuxnetz.de, rgodfrey(a)redhat.com,
rharwood(a)redhat.com, rh-spice-bugs(a)redhat.com,
rjones(a)redhat.com, sahana(a)redhat.com,
sbonazzo(a)redhat.com, stcannon(a)redhat.com,
sthirugn(a)redhat.com, szappis(a)redhat.com,
tfister(a)redhat.com, tm(a)t8m.info,
virt-maint(a)lists.fedoraproject.org,
virt-maint(a)redhat.com, vkrizan(a)redhat.com,
vkumar(a)redhat.com, vmugicag(a)redhat.com
Blocks: 2104175
Target Milestone: ---
Classification: Other
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
implementation will not encrypt the entirety of the data under some
circumstances. This could reveal sixteen bytes of data that was preexisting in
the memory that wasn't written. In the special case of "in place" encryption,
sixteen bytes of the plaintext would be revealed.
OpenSSL security advisory:
https://www.openssl.org/news/secadv/20220705.txt
Upstream fix:
https://github.com/openssl/openssl/commit/6ebf6d51596f51d23ccbc17930778d104…
[master]
https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbe…
[1_1_1-stable]
https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a4232…
[openssl-3.0]
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2104905
https://bugzilla.redhat.com/show_bug.cgi?id=2092724
Bug ID: 2092724
Summary: CVE-2022-21681 thrift: marked: regular expression
inline.reflinkSearch may lead Denial of Service
[fedora-all]
Product: Fedora
Version: 36
Status: NEW
Component: thrift
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: ctubbsii(a)fedoraproject.org
Reporter: trathi(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: ctubbsii(a)fedoraproject.org,
epel-packagers-sig(a)lists.fedoraproject.org,
milleruntime(a)gmail.com, orion(a)nwra.com,
willb(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2092724
https://bugzilla.redhat.com/show_bug.cgi?id=2090581
Bug ID: 2090581
Summary: CVE-2022-21680 thrift: marked: regular expression
block.def may lead Denial of Service [fedora-all]
Product: Fedora
Version: 36
Status: NEW
Component: thrift
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: ctubbsii(a)fedoraproject.org
Reporter: saroy(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: ctubbsii(a)fedoraproject.org,
epel-packagers-sig(a)lists.fedoraproject.org,
milleruntime(a)gmail.com, orion(a)nwra.com,
willb(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2090581
https://bugzilla.redhat.com/show_bug.cgi?id=2093358
Bug ID: 2093358
Summary: CVE-2021-46790 ntfs-3g: heap-based buffer overflow in
ntfsck
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: ddepaula(a)redhat.com,
epel-packagers-sig(a)lists.fedoraproject.org,
jferlan(a)redhat.com, kparal(a)redhat.com,
ngompa13(a)gmail.com, rjones(a)redhat.com,
spotrh(a)gmail.com, virt-maint(a)redhat.com
Target Milestone: ---
Classification: Other
ntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow involving
buffer+512*3-2. NOTE: the upstream position is that ntfsck is deprecated;
however, it is shipped by some Linux distributions.
References:
https://github.com/tuxera/ntfs-3g/issues/16http://www.openwall.com/lists/oss-security/2022/05/26/1
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2093358
https://bugzilla.redhat.com/show_bug.cgi?id=2093348
Bug ID: 2093348
Summary: CVE-2022-30789 ntfs-3g: crafted NTFS image can cause a
heap-based buffer overflow in
ntfs_check_log_client_array
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: gsuckevi(a)redhat.com
CC: ddepaula(a)redhat.com,
epel-packagers-sig(a)lists.fedoraproject.org,
jferlan(a)redhat.com, kparal(a)redhat.com,
ngompa13(a)gmail.com, rjones(a)redhat.com,
spotrh(a)gmail.com, virt-maint(a)redhat.com
Target Milestone: ---
Classification: Other
A crafted NTFS image can cause a heap-based buffer overflow in
ntfs_check_log_client_array in NTFS-3G through 2021.8.22.
References:
https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-xchm-ph5h-hw4xhttps://github.com/tuxera/ntfs-3g/releases
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2093348