[Security] Mitigation & Patch
Maybe we could stick this one?
|
libexpat: before 2.4.5
CVE-2022-25236 lib: Protect against insertion of namesep characters into namespace URIs https://github.com/libexpat/libexpat/pull/561
CVE-2022-25235 lib: Protect against malformed encoding (e.g. malformed UTF-8) https://github.com/libexpat/libexpat/pull/562 |
Vim: before 8.2.4397
"Crash when using many composing characters in error message" https://nvd.nist.gov/vuln/detail/CVE-2022-0629 severity: 8.4
Patch: https://github.com/vim/vim/commit/34...2729db278163fc or upgrade to the latest version |
Quote:
CVE-2022-25313 Prevent stack exhaustion in build_model https://github.com/libexpat/libexpat/pull/558
CVE-2022-25314 Prevent integer overflow in copyString https://github.com/libexpat/libexpat/pull/560
CVE-2022-25315 Prevent integer overflow in storeRawNames https://github.com/libexpat/libexpat/pull/559 |
vim: Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440
CVE-2022-0729 https://nvd.nist.gov/vuln/detail/CVE-2022-0729
patch 8.2.4440: crash with specific regexp pattern and string https://github.com/vim/vim/commit/64...af09974604ff30 |
gettext: patch
From Arch Linux:
Code:
This uses an internal version of libcroco, which has known security issues.
Build option:
Code:
--without-included-gettext |
"Dirty Pipe" kernel vulnerability - CVE-2022-0847
Details: https://dirtypipe.cm4all.com/
Summary: "a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes."
Fixed in kernels 5.16.11, 5.15.25 and 5.10.102. |
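A quick way to turn the version ranges quoted in the post above into a check you can run on each box. This is an added example, not from the thread or from the Dirty Pipe write-up; it only encodes what the post states (affected since 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102) and reports any other stable series at or above 5.8 as "unknown" rather than guessing a fix release. The function names (vfields, verge, dirtypipe_status) are my own.

```shell
#!/bin/sh
# Added example: classify a kernel version string against the CVE-2022-0847
# ("Dirty Pipe") ranges given in the thread. Not part of the original post.

# vfields VERSION -> "major minor patch"
# Strips any non-numeric suffix ("5.15.25-smp" -> "5.15.25") and pads
# missing fields with 0 ("5.8" -> "5 8 0").
vfields() {
    v=${1%%[!0-9.]*}
    oldifs=$IFS
    IFS=.
    set -- $v
    IFS=$oldifs
    echo "${1:-0} ${2:-0} ${3:-0}"
}

# verge A B -> exit status 0 if version A >= version B, 1 otherwise.
# Compares field by field as integers, so 5.10.102 >= 5.10.99 holds.
verge() {
    set -- $(vfields "$1") $(vfields "$2")
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# dirtypipe_status VERSION -> prints one of:
#   not-affected : older than 5.8 (bug introduced in 5.8 per the post)
#   fixed        : 5.16.x / 5.15.x / 5.10.x at or above the listed fix
#   vulnerable   : one of those three series below the listed fix
#   unknown      : >= 5.8 but a series the post lists no fix for
dirtypipe_status() {
    set -- $(vfields "$1")
    major=$1; minor=$2; patch=$3
    if ! verge "$major.$minor.$patch" 5.8.0; then
        echo not-affected
        return
    fi
    case "$major.$minor" in
        5.16) fix=5.16.11 ;;
        5.15) fix=5.15.25 ;;
        5.10) fix=5.10.102 ;;
        *)    echo unknown; return ;;
    esac
    if verge "$major.$minor.$patch" "$fix"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Usage: check the running kernel, or a version passed as the first argument.
dirtypipe_status "${1:-$(uname -r)}"
```

"unknown" is deliberate: a 5.17-rc or a 5.11 through 5.14 kernel is inside the affected range but the post gives no fix version for it, so the script refuses to call it fixed. Treat "unknown" as "go read the changelog", not as "safe".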
Quote:
https://arstechnica.com/information-...lity-in-years/ |
polkit 0.120
There is a flaw in polkit which can allow an unprivileged user to cause polkit to crash, due to process file descriptor exhaustion.
CVE-2021-4115: https://github.com/advisories/GHSA-vvr6-r92h-x7jw
Patch: https://gitlab.com/redhat/centos-str...42b0f2b15c531e
EDIT: already reported by @gmgf in "request for current" |
Anyone else think this thread should be made "sticky"?
:) |
Not so sure. Average users depend on Pat's reactivity, and for more advanced or concerned users there are mailing lists and so on...
|
Sorry for my bad English: Pat's speed to update.
I can't fix that myself; I rely on his fix. |