Documentation Portal

Light theme Dark theme

2.9.9¶

(2022-08-11)

Enhancements¶

(ENGDTR-3220) Upgraded Synopsys scanner to version 2022.6.0.

Addressed issues¶

(FIELD-4537) Fixed the invalid documentation links that are embedded in MSR vulnerability scan warnings.

Security information¶

Updated Golang to version 1.17.13 to resolve vulnerabilities. For more information, refer to the following announcements for versions 1.17.12 and 1.17.13.

Resolved CVEs, as detailed:

CVE	Status	Problem details from upstream
CVE-2022-29458	Resolved	`ncurses` 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in `convert_strings` in `tinfo/read_entry.c` in the `terminfo` library.
CVE-2022-29155	Resolved	In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, an SQL injection vulnerability exists in the experimental `back-sql` back end to `slapd`, through an SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.
CVE-2022-34265	Resolved	An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The `Trunc()` and `Extract()` database functions are subject to SQL injection if untrusted data is used as a `kind`/`lookup_name` value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
CVE-2022-2274	Resolved	The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for `X86_64` CPUs supporting the `AVX512IFMA` instructions. This issue makes the RSA implementation with 2048-bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption, an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048-bit RSA private keys running on machines that support `AVX512IFMA` instructions of the `X86_64` architecture are affected by this issue.
CVE-2015-20107	Resolved	In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call `mailcap.findmatch` with untrusted input (if they lack validation of user-provided file names or arguments).
CVE-2022-30065	Resolved	A use-after-free in Busybox 1.35-x’s awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the `copyvar` function.
CVE-2022-27782	Resolved	`libcurl` would reuse a previously created connection even when a TLS or SSH-related option had been changed that should have prohibited reuse. `libcurl` keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several TLS and SSH settings were left out from the configuration match checks, making them match too easily.
CVE-2022-27781	Resolved	`libcurl` provides the `CURLOPT_CERTINFO` option to allow applications to request details to be returned about a server’s certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information.
CVE-2022-32148	Resolved	No description is available for this CVE.
CVE-2022-30631	Resolved	No description is available for this CVE.
CVE-2022-30633	Resolved	No description is available for this CVE.
CVE-2022-28131	Resolved	No description is available for this CVE.
CVE-2022-30635	Resolved	No description is available for this CVE.
CVE-2022-30632	Resolved	No description is available for this CVE.
CVE-2022-30630	Resolved	No description is available for this CVE.
CVE-2022-1962	Resolved	No description is available for this CVE.
CVE-2022-32189	Resolved	No description is available for this CVE.
CVE-2022-1996	Not vulnerable 1	Authorization Bypass Through User-Controlled Key in GitHub repository `emicklei/go-restful` prior to v3.8.0.
CVE-2021-41556	False positive	`sqclass.cpp` in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read in the core interpreter that can lead to code execution. If a victim executes an attacker-controlled squirrel script, it is possible for the attacker to break out of the squirrel script sandbox even if all dangerous functionality such as file system functions have been disabled. An attacker might abuse this bug to target, for example, cloud services that allow customization using SquirrelScripts, or distribute malware through video games that embed a Squirrel Engine.

1: The issue is likely to be triggered in software that uses a CORS filter, which MSR does not.