Security information¶
Updated Golang to version 1.17.13 to resolve vulnerabilities. For more information, refer to the following announcements for versions 1.17.12 and 1.17.13.
Resolved CVEs, as detailed:
CVE
Status
Problem details from upstream
Resolved
ncurses
6.3 before patch 20220416 has an out-of-bounds read and segmentation violation inconvert_strings
intinfo/read_entry.c
in theterminfo
library.Resolved
In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, an SQL injection vulnerability exists in the experimental
back-sql
back end toslapd
, through an SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.Resolved
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The
Trunc()
andExtract()
database functions are subject to SQL injection if untrusted data is used as akind
/lookup_name
value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.Resolved
Authorization Bypass Through User-Controlled Key in GitHub repository
emicklei/go-restful
prior to v3.8.0.Resolved
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for
X86_64
CPUs supporting theAVX512IFMA
instructions. This issue makes the RSA implementation with 2048-bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption, an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048-bit RSA private keys running on machines that supportAVX512IFMA
instructions of theX86_64
architecture are affected by this issue.Resolved
In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call
mailcap.findmatch
with untrusted input (if they lack validation of user-provided file names or arguments).Resolved
A use-after-free in Busybox 1.35-x’s awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the
copyvar
function.Resolved
No description is available for this CVE.
Resolved
No description is available for this CVE.
Resolved
No description is available for this CVE.
Resolved
No description is available for this CVE.
Resolved
No description is available for this CVE.
Resolved
No description is available for this CVE.
Resolved
No description is available for this CVE.
Resolved
No description is available for this CVE.
Resolved
No description is available for this CVE.
False positive
sqclass.cpp
in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read in the core interpreter that can lead to code execution. If a victim executes an attacker-controlled squirrel script, it is possible for the attacker to break out of the squirrel script sandbox even if all dangerous functionality such as file system functions have been disabled. An attacker might abuse this bug to target, for example, cloud services that allow customization using SquirrelScripts, or distribute malware through video games that embed a Squirrel Engine.