git is distributed revision control system. Gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2kb when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue. (( CVE-2022-23521) git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.ConsequenceSuccessful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.SolutionPlease refer to Amazon advisory: ALAS2-2023-1923 for affected packages and patching details, or update with your package manager.Patches amazon linux 2 ALAS2-2023-1923CVE-2022-23521+QID: 354718Amazon Linux Security Advisory for git : ALAS-2023-1679SeverityUrgent5In DevelopmentQualys ID354718Vendor ReferenceALAS-2023-1679CVE ReferenceCVE-2022-23521, CVE-2022-41903CVSS ScoresBase 9.8 / Temporal 8.5Description git is distributed revision control system. Gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2kb when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue. (( CVE-2022-23521) git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.ConsequenceSuccessful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.SolutionPlease refer to Amazon advisory: ALAS-2023-1679 for affected packages and patching details, or update with your package manager.Patches amazon linux ALAS-2023-1679CVE-2022-47629QID: 241167Red Hat Update for libksba (RHSA-2023:0594)SeverityUrgent5In DevelopmentQualys ID241167Vendor ReferenceRHSA-2023:0594CVE ReferenceCVE-2022-47629CVSS ScoresBase 9.8 / Temporal 8.5DescriptionKsba (pronounced kasbah) is a library to make x.509 certificates as well as the cms easily accessible by other applications. Both specifications are building blocks of s/mime and tls...Security Fix(es): libksba: integer overflow to code executiona (cve-2022-47629). Affected Products: Red Hat enterprise linux for x86_64 - extended update support 8.6 x86_64. Red hat enterprise linux server - aus 8.6 x86_64. Red hat enterprise linux for ibm z systems - extended update support 8.6 s390x. Red hat enterprise linux for power, little endian - extended update support 8.6 ppc64le. Red hat enterprise linux server - tus 8.6 x86_64. Red hat enterprise linux for arm 64 - extended update support 8.6 aarch64. Red hat enterprise linux server for power le - update services for sap solutions 8.6 ppc64le. Red hat enterprise linux for x86_64 - update services for sap solutions 8.6 x86_64. Red hat codeready linux builder for x86_64 - extended update support 8.6 x86_64. Red hat codeready linux builder for power, little endian - extended update support 8.6 ppc64le. Red hat codeready linux builder for ibm z systems - extended update support 8.6 s390x. Red hat codeready linux builder for arm 64 - extended update support 8.6 aarch64.. Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.ConsequenceSuccessful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.SolutionRefer to Red Hat security advisory RHSA-2023:0594 for updates and patch information.Patches Red Hat Enterprise Linux RHSA-2023:0594CVE-2022-23521+QID: 241166Red Hat Update for git (RHSA-2023:0610)SeverityUrgent5In DevelopmentQualys ID241166Vendor ReferenceRHSA-2023:0610CVE ReferenceCVE-2022-23521, CVE-2022-41903CVSS ScoresBase 9.8 / Temporal 8.5DescriptionGit is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, git ensures that each working copy of a git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection...Security Fix(es): git: gitattributes parsing integer overflow (cve-2022-23521). Git: heap overflow in `git archive`, `git log --format` leading to rce (cve-2022-41903). Affected Products: Red Hat enterprise linux for x86_64 8 x86_64. Red hat enterprise linux for ibm z systems 8 s390x. Red hat enterprise linux for power, little endian 8 ppc64le. Red hat enterprise linux for arm 64 8 aarch64.. Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.ConsequenceSuccessful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.SolutionRefer to Red Hat security advisory RHSA-2023:0610 for updates and patch information.Patches Red Hat Enterprise Linux RHSA-2023:0610CVE-2022-23521+QID: 241163Red Hat Update for git (RHSA-2023:0611)SeverityUrgent5In DevelopmentQualys ID241163Vendor ReferenceRHSA-2023:0611CVE ReferenceCVE-2022-23521, CVE-2022-41903CVSS ScoresBase 9.8 / Temporal 8.5DescriptionGit is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, git ensures that each working copy of a git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection...Security Fix(es): git: gitattributes parsing integer overflow (cve-2022-23521). Git: heap overflow in `git archive`, `git log --format` leading to rce (cve-2022-41903). Affected Products: Red Hat enterprise linux for x86_64 9 x86_64. Red hat enterprise linux for ibm z systems 9 s390x. Red hat enterprise linux for power, little endian 9 ppc64le. Red hat enterprise linux for arm 64 9 aarch64.. Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.ConsequenceSuccessful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.SolutionRefer to Red Hat security advisory RHSA-2023:0611 for updates and patch information.Patches Red Hat Enterprise Linux RHSA-2023:0611CVE-2022-23521+QID: 241161Red Hat Update for rh-git227-git (RHSA-2023:0597)SeverityUrgent5In DevelopmentQualys ID241161Vendor ReferenceRHSA-2023:0597CVE ReferenceCVE-2022-23521, CVE-2022-41903CVSS ScoresBase 9.8 / Temporal 8.5DescriptionGit is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, git ensures that each working copy of a git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection...Security Fix(es): git: gitattributes parsing integer overflow (cve-2022-23521). Git: heap overflow in `git archive`, `git log --format` leading to rce (cve-2022-41903). Affected Products: Red Hat software collections (for rhel server) 1 for rhel 7 x86_64. Red hat software collections (for rhel server for system z) 1 for rhel 7 s390x. Red hat software collections (for rhel server for ibm power le) 1 for rhel 7 ppc64le. Red hat software collections (for rhel workstation) 1 for rhel 7 x86_64.. Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.ConsequenceSuccessful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.SolutionRefer to Red Hat security advisory RHSA-2023:0597 for updates and patch information.Patches Red Hat Enterprise Linux RHSA-2023:0597CVE-2021-35065+QID: 241160Red Hat Update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2023:0612)SeverityUrgent5In DevelopmentQualys ID241160Vendor ReferenceRHSA-2023:0612CVE ReferenceCVE-2021-35065, CVE-2021-44906, CVE-2022-0235, CVE-2022-3517, CVE-2022-24999, CVE-2022-43548CVSS ScoresBase 9.8 / Temporal 8.5DescriptionNode.js is a software development platform for building fast and scalable network applications in the javascript programming language. .. Security fix(es): glob-parent: regular expression denial of service (cve-2021-35065). Minimist: prototype pollution (cve-2021-44906). Node-fetch: exposure of sensitive information to an unauthorized actor (cve-2022-0235). Nodejs-minimatch: redos via the braceexpand function (cve-2022-3517). Express: "qs" prototype poisoning causes the hang of the node process (cve-2022-24999). Nodejs: dns rebinding in inspect via invalid octal ip address (cve-2022-43548). Affected Products: Red Hat software collections (for rhel server) 1 for rhel 7 x86_64. Red hat software collections (for rhel server for system z) 1 for rhel 7 s390x. Red hat software collections (for rhel server for ibm power le) 1 for rhel 7 ppc64le. Red hat software collections (for rhel workstation) 1 for rhel 7 x86_64.. Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.ConsequenceSuccessful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.SolutionRefer to Red Hat security advisory RHSA-2023:0612 for updates and patch information.Patches Red Hat Enterprise Linux RHSA-2023:0612CVE-2022-23521+QID: 241158Red Hat Update for git (RHSA-2023:0596)SeverityUrgent5In DevelopmentQualys ID241158Vendor ReferenceRHSA-2023:0596CVE ReferenceCVE-2022-23521, CVE-2022-41903CVSS ScoresBase 9.8 / Temporal 8.5DescriptionGit is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, git ensures that each working copy of a git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection...Security Fix(es): git: gitattributes parsing integer overflow (cve-2022-23521). Git: heap overflow in `git archive`, `git log --format` leading to rce (cve-2022-41903). Affected Products: Red Hat enterprise linux for x86_64 - extended update support 8.4 x86_64. Red hat enterprise linux server - aus 8.4 x86_64. Red hat enterprise linux for ibm z systems - extended update support 8.4 s390x. Red hat enterprise linux for power, little endian - extended update support 8.4 ppc64le. Red hat enterprise linux server - tus 8.4 x86_64. Red hat enterprise linux for arm 64 - extended update support 8.4 aarch64. Red hat enterprise linux server for power le - update services for sap solutions 8.4 ppc64le. Red hat enterprise linux for x86_64 - update services for sap solutions 8.4 x86_64.. Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.ConsequenceSuccessful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.SolutionRefer to Red Hat security advisory RHSA-2023:0596 for updates and patch information.Patches Red Hat Enterprise Linux RHSA-2023:0596CVE-2022-42898QID: 354720Amazon Linux Security Advisory for krb5 : ALAS-2023-1680SeverityCritical4In DevelopmentQualys ID354720Vendor ReferenceALAS-2023-1680CVE ReferenceCVE-2022-42898CVSS ScoresBase 8.8 / Temporal 7.7DescriptionInteger overflow vulnerabilities in pac parsing (cve-2022-42898)
VMware Workstation Pro 14.1.5 Build With License Keys
2ff7e9595c
Comments