This release contains fixes for the following vulnerabilities:
-
- CVE-2021-4028: kernel: use-after-free in RDMA listen()
- CVE-2022-25636: kernel: heap out of bounds write in nf_dup_netdev.c
-
- CVE-2021-4028: kernel: use-after-free in RDMA listen()
- CVE-2022-25636: kernel: heap out of bounds write in nf_dup_netdev.c
-
- CVE-2020-0404: kernel: avoid cyclic entity chains due to malformed USB descriptors
- CVE-2020-4788: kernel: speculation on incompletely validated data on IBM Power9
- CVE-2020-13974: kernel: integer overflow in k_ascii() in drivers/tty/vt/keyboard.c
- CVE-2020-27820: kernel: use-after-free in nouveau kernel module
- CVE-2021-0941: kernel: out-of-bounds read in bpf_skb_change_head() of filter.c due to a use-after-free
- CVE-2021-3612: kernel: joydev: zero size passed to joydev_handle_JSIOCSBTNMAP()
- CVE-2021-3669: kernel: reading /proc/sysvipc/shm does not scale with large shared memory segment counts
- CVE-2021-3743: kernel: out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c
- CVE-2021-3744: kernel: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
- CVE-2021-3752: kernel: possible use-after-free in bluetooth module
- CVE-2021-3759: kernel: unaccounted ipc objects in Linux kernel lead to breaking memcg limits and DoS attacks
- CVE-2021-3764: kernel: DoS in ccp_run_aes_gcm_cmd() function
- CVE-2021-3772: kernel: sctp: Invalid chunks may be used to remotely remove existing associations
- CVE-2021-3773: kernel: lack of port sanity checking in natd and netfilter leads to exploit of OpenVPN clients
- CVE-2021-4002: kernel: possible leak or coruption of data residing on hugetlbfs
- CVE-2021-4037: kernel: security regression for CVE-2018-13405
- CVE-2021-4083: kernel: fget: check that the fd still exists after getting a ref to it
- CVE-2021-4093: kernel: KVM: SVM: out-of-bounds read/write in sev_es_string_io
- CVE-2021-4157: kernel: Buffer overwrite in decode_nfs_fh function
- CVE-2021-4197: kernel: cgroup: Use open-time creds and namespace for migration perm checks
- CVE-2021-4203: kernel: Race condition in races in sk_peer_pid and sk_peer_cred accesses
- CVE-2021-20322: kernel: new DNS Cache Poisoning Attack based on ICMP fragment needed packets replies
- CVE-2021-21781: kernel: arm: SIGPAGE information disclosure vulnerability
- CVE-2021-26401: hw: cpu: LFENCE/JMP Mitigation Update for CVE-2017-5715
- CVE-2021-29154: kernel: Local privilege escalation due to incorrect BPF JIT branch displacement computation
- CVE-2021-37159: kernel: use-after-free in hso_free_net_device() in drivers/net/usb/hso.c
- CVE-2021-41864: kernel: eBPF multiplication integer overflow in prealloc_elems_and_freelist() in kernel/bpf/stackmap.c leads to out-of-bounds write
- CVE-2021-42739: kernel: Heap buffer overflow in firedtv driver
- CVE-2021-43056: kernel: ppc: kvm: allows a malicious KVM guest to crash the host
- CVE-2021-43389: kernel: an array-index-out-bounds in detach_capi_ctr in drivers/isdn/capi/kcapi.c
- CVE-2021-43976: kernel: mwifiex_usb_recv() in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker to cause DoS via crafted USB device
- CVE-2021-44733: kernel: use-after-free in the TEE subsystem
- CVE-2021-45485: kernel: information leak in the IPv6 implementation
- CVE-2021-45486: kernel: information leak in the IPv4 implementation
- CVE-2022-0001: hw: cpu: intel: Branch History Injection (BHI)
- CVE-2022-0002: hw: cpu: intel: Intra-Mode BTI
- CVE-2022-0286: kernel: Local denial of service in bond_ipsec_add_sa
- CVE-2022-0322: kernel: DoS in sctp_addto_chunk in net/sctp/sm_make_chunk.c
- CVE-2022-1011: kernel: FUSE allows UAF reads of write() buffers, allowing theft of (partial) /etc/shadow hashes
-
- CVE-2020-28915: kernel: out-of-bounds read in fbcon_get_font function
- CVE-2022-27666: kernel: buffer overflow in IPsec ESP transformation code
-
- CVE-2022-1729: kernel: race condition in perf_event_open leads to privilege escalation
-
- CVE-2022-1012: kernel: Small table perturb size in the TCP source port generation algorithm can lead to information leak
- CVE-2022-32250: kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root
-
- CVE-2022-21123: hw: cpu: Incomplete cleanup of multi-core shared buffers (aka SBDR)
- CVE-2022-21125: hw: cpu: Incomplete cleanup of microarchitectural fill buffers (aka SBDS)
- CVE-2022-21166: hw: cpu: Incomplete cleanup in specific special register write operations (aka DRPW)
-
- CVE-2022-40674: expat: a use-after-free in the doContent function in xmlparse.c
-
- CVE-2022-21619: OpenJDK: improper handling of long NTLM client hostnames (Security, 8286526)
- CVE-2022-21624: OpenJDK: insufficient randomization of JNDI DNS port numbers (JNDI, 8286910)
- CVE-2022-21626: OpenJDK: excessive memory allocation in X.509 certificate parsing (Security, 8286533)
- CVE-2022-21628: OpenJDK: HttpServer no connection count limit (Lightweight HTTP Server, 8286918)
-
- CVE-2022-3515: libksba: integer overflow may lead to remote code execution
-
- CVE-2022-2509: gnutls: Double free during gnutls_pkcs7_verify
-
- CVE-2022-37434: zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field
-
- CVE-2020-35525: sqlite: Null pointer derreference in src/select.c
- CVE-2020-35527: sqlite: Out of bounds access during table rename
-
- CVE-2022-0494: kernel: information leak in scsi_ioctl()
- CVE-2022-1353: Kernel: A kernel-info-leak issue in pfkey_register
- CVE-2022-2588: kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation
- CVE-2022-23816: hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return Instructions
- CVE-2022-23825: hw: cpu: AMD: Branch Type Confusion (non-retbleed)
- CVE-2022-29900: hw: cpu: AMD: RetBleed Arbitrary Speculative Code Execution with Return Instructions
- CVE-2022-29901: hw: cpu: Intel: RetBleed Arbitrary Speculative Code Execution with Return Instructions
-
- CVE-2022-32742: samba: server memory information leak via SMB1
-
- CVE-2022-41974: device-mapper-multipath: Authorization bypass, multipathd daemon listens for client connections on an abstract Unix socket
-
- CVE-2021-3507: QEMU: fdc: heap buffer overflow in DMA read data transfers
- CVE-2022-0897: libvirt: missing locking in nwfilterConnectNumOfNWFilters can lead to denial of service
- CVE-2022-2211: libguestfs: Buffer overflow in get_keys leads to DoS
- CVE-2022-23645: swtpm: Unchecked header size indicator against expected size
-
- CVE-2022-25308: fribidi: Stack based buffer overflow
- CVE-2022-25309: fribidi: Heap-buffer-overflow in fribidi_cap_rtl_to_unicode
- CVE-2022-25310: fribidi: SEGV in fribidi_remove_bidi_marks
-
- CVE-2022-24795: yajl: heap-based buffer overflow when handling large inputs due to an integer overflow
-
- CVE-2022-0561: libtiff: Denial of Service via crafted TIFF file
- CVE-2022-0562: libtiff: Null source pointer lead to Denial of Service via crafted TIFF file
- CVE-2022-0865: libtiff: reachable assertion
- CVE-2022-0891: libtiff: heap buffer overflow in extractImageSection
- CVE-2022-0908: tiff: Null source pointer passed as an argument to memcpy in TIFFFetchNormalTag() in tif_dirread.c
- CVE-2022-0909: tiff: Divide By Zero error in tiffcrop
- CVE-2022-0924: libtiff: Out-of-bounds Read error in tiffcp
- CVE-2022-1355: libtiff: stack-buffer-overflow in tiffcp.c in main()
- CVE-2022-22844: libtiff: out-of-bounds read in _TIFFmemcpy() in tif_unix.c
-
- CVE-2022-30698: unbound: the novel ghost domain where malicious users to trigger continued resolvability of malicious domain names
- CVE-2022-30699: unbound: novel ghost domain attack where malicious users to trigger continued resolvability of malicious domain names
-
- CVE-2022-22719: httpd: mod_lua: Use of uninitialized value of in r:parsebody
- CVE-2022-22721: httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
- CVE-2022-23943: httpd: mod_sed: Read/write beyond bounds
- CVE-2022-26377: httpd: mod_proxy_ajp: Possible request smuggling
- CVE-2022-28614: httpd: Out-of-bounds read via ap_rwrite()
- CVE-2022-28615: httpd: Out-of-bounds read in ap_strcmp_match()
- CVE-2022-29404: httpd: mod_lua: DoS in r:parsebody
- CVE-2022-30522: httpd: mod_sed: DoS vulnerability
- CVE-2022-30556: httpd: mod_lua: Information disclosure with websockets
- CVE-2022-31813: httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism
-
- CVE-2020-36516: A TCP/IP packet spoofing attack flaw was found in the Linux kernel’s TCP/IP protocol, where a Man-in-the-Middle Attack (MITM) performs an IP fragmentation attack and an IPID collision. This flaw allows a remote user to pretend to be the sender of the TCP/IP packet for an existing TCP/IP session.
- CVE-2020-36558: A NULL pointer dereference flaw was found in the Linux kernel’s Virtual Terminal subsystem was found in how a user calls the VT_RESIZEX ioctl. This flaw allows a local user to crash the system.
- CVE-2021-3640: A flaw use-after-free in function sco_sock_sendmsg() of the Linux kernel HCI subsystem was found in the way user calls ioct UFFDIO_REGISTER or other way triggers race condition of the call sco_conn_del() together with the call sco_sock_sendmsg() with the expected controllable faulting memory page. A privileged local user could use this flaw to crash the system or escalate their privileges on the system.
- CVE-2021-30002: A flaw memory leak in the Linux kernel webcam device functionality was found in the way user calls ioctl that triggers video_usercopy function. The highest threat from this vulnerability is to system availability.
- CVE-2022-0168: A denial of service (DOS) issue was found in the Linux kernel’s smb2_ioctl_query_info function in the fs/cifs/smb2ops.c Common Internet File System (CIFS) due to an incorrect return from the memdup_user function. This flaw allows a local, privileged (CAP_SYS_ADMIN) attacker to crash the system.
- CVE-2022-0617: A NULL pointer dereference was found in the Linux kernel’s UDF file system functionality in the way the user triggers the udf_file_write_iter function for a malicious UDF image. This flaw allows a local user to crash the system.
- CVE-2022-0854: A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.
- CVE-2022-1016: A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. This issue needs to handle 'return' with proper preconditions, as it can lead to a kernel information leak problem caused by a local, unprivileged attacker.
- CVE-2022-1048: A use-after-free flaw was found in the Linux kernel’s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system.
- CVE-2022-1055: A use-after-free vulnerability was found in the tc_new_tfilter function in net/sched/cls_api.c in the Linux kernel. The availability of local, unprivileged user namespaces allows privilege escalation.
- CVE-2022-1158: A flaw was found in KVM. When updating a guest's page table entry, vm_pgoff was improperly used as the offset to get the page's pfn. As vaddr and vm_pgoff are controllable by user-mode processes, this flaw allows unprivileged local users on the host to write outside the userspace region and potentially corrupt the kernel, resulting in a denial of service condition.
- CVE-2022-1184: A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel’s filesystem sub-component. This flaw allows a local attacker with a user privilege to cause a denial of service.
- CVE-2022-1852: A NULL pointer dereference flaw was found in the Linux kernel’s KVM module, which can lead to a denial of service in the x86_emulate_insn in arch/x86/kvm/emulate.c. This flaw occurs while executing an illegal instruction in guest in the Intel CPU.
- CVE-2022-2078: A vulnerability was found in the Linux kernel's nft_set_desc_concat_parse() function .This flaw allows an attacker to trigger a buffer overflow via nft_set_desc_concat_parse() , causing a denial of service and possibly to run code.
- CVE-2022-2153: A flaw was found in the Linux kernel’s KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.
- CVE-2022-2586: A use-after-free flaw was found in nf_tables cross-table in the net/netfilter/nf_tables_api.c function in the Linux kernel. This flaw allows a local, privileged attacker to cause a use-after-free problem at the time of table deletion, possibly leading to local privilege escalation.
- CVE-2022-2639: An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.
- CVE-2022-2938: A flaw was found in the Linux kernel’s implementation of Pressure Stall Information. While the feature is disabled by default, it could allow an attacker to crash the system or have other memory-corruption side effects.
- CVE-2022-20368: An out-of-bounds access issue was found in the Linux kernel networking subsystem in the way raw packet sockets (AF_PACKET) used PACKET_COPY_THRESH and mmap operations. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow resulting in a system crash or privilege escalation.
- CVE-2022-21499: A flaw was found in the kernel/debug/debug_core.c in the Linux kernel in lockdown mode. This flaw allows an attacker with local access to trigger the debugger, bypass lockdown and write anonymously.
- CVE-2022-23960: A new cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, was found in hw. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim's hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information that should not be accessible.
- CVE-2022-24448: A flaw was found in the Linux kernel. When an application tries to open a directory (using the O_DIRECTORY flag) in a mounted NFS filesystem, a lookup operation is performed. If the NFS server returns a file as a result of the lookup, the NFS filesystem returns an uninitialized file descriptor instead of the expected ENOTDIR value. This flaw leads to the kernel's data leak into the userspace.
- CVE-2022-26373: A flaw was found in hw. In certain processors with Intel's Enhanced Indirect Branch Restricted Speculation (eIBRS) capabilities, soon after VM exit or IBPB command event, the linear address following the most recent near CALL instruction prior to a VM exit may be used as the Return Stack Buffer (RSB) prediction.
- CVE-2022-27950: A memory leak flaw was found in elo_probe in drivers/hid/hid-elo.c in the Human Interface Devices (HID) in the Linux kernel. This issue allows an attacker to cause a denial of service when hid_parse() in elo_probe() fails.
- CVE-2022-28390: A double-free flaw was found in the Linux kernel in the ems_usb_start_xmit function. This flaw allows an attacker to create a memory leak and corrupt the underlying data structure by calling free more than once.
- CVE-2022-28893: A use-after-free flaw was found in the Linux kernel’s net/sunrpc/xprt.c function in the Remote Procedure Call (SunRPC) protocol. This flaw allows a local attacker to crash the system, leading to a kernel information leak issue.
- CVE-2022-29581: A use-after-free flaw was found in u32_change in net/sched/cls_u32.c in the network subcomponent of the Linux kernel. This flaw allows a local attacker to crash the system, cause a privilege escalation, and leak kernel information.
- CVE-2022-36946: A memory corruption flaw was found in the Linux kernel’s Netfilter subsystem in the way a local user uses the libnetfilter_queue when analyzing a corrupted network packet. This flaw allows a local user to crash the system or a remote user to crash the system when the libnetfilter_queue is used by a local user.
-
- CVE-2020-0256: gdisk: possible out-of-bounds-write in LoadPartitionTable of gpt.cc
- CVE-2021-0308: gdisk: possible out-of-bounds-write in ReadLogicalParts of basicmbr.cc
-
- CVE-2016-3709: libxml2: Incorrect server side include parsing can lead to XSS
-
- CVE-2022-1304: e2fsprogs: out-of-bounds read/write via crafted filesystem
-
- CVE-2022-32746: samba: AD users can induce a use-after-free in the server process with an LDAP add or modify request
-
- CVE-2022-27404: FreeType: Buffer overflow in sfnt_init_face
- CVE-2022-27405: FreeType: Segmentation violation via FNT_Size_Request
- CVE-2022-27406: Freetype: Segmentation violation via FT_Request_Size
-
- CVE-2021-25220: bind: DNS forwarders - cache poisoning vulnerability
-
- CVE-2022-37434: zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field
-
- CVE-2021-44531: nodejs: Improper handling of URI Subject Alternative Names
- CVE-2021-44532: nodejs: Certificate Verification Bypass via String Injection
- CVE-2021-44533: nodejs: Incorrect handling of certificate subject and issuer fields
- CVE-2022-21824: nodejs: Prototype pollution via console.table properties
- CVE-2022-35256: nodejs: HTTP Request Smuggling due to incorrect parsing of header fields
Comments
Please sign in to leave a comment.