FEDORA-2018-3fbc181b3e created by rohara 2 years ago for Fedora 29
stable

Security fix for CVE-2018-19044, CVE-2018-19045, CVE-2018-19046, CVE-2018-19115

How to install

sudo dnf upgrade --advisory=FEDORA-2018-3fbc181b3e

This update has been submitted for testing by rohara.

2 years ago

This update has been pushed to testing.

2 years ago
muench commented & provided feedback 2 years ago

Hello rohara, thank you for your work! I assume you have mixed up CVE-2018-19047 with CVE-2018-19115 in the description at the top. CVE-2018-19047 concerns mPDF and is currently disputed:

CVE-2018-19047: DISPUTED mPDF through 7.1.6, if deployed as a web application that accepts arbitrary HTML, allows SSRF, as demonstrated by a '<img src="http://192.168' substring that triggers a call to getImage in Image/ImageProcessor.php. NOTE: the software maintainer disputes this, stating "If you allow users to pass HTML without sanitising it, you're asking for trouble."

Is that right?

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes.

2 years ago

This update has been submitted for batched by rohara.

2 years ago
rohara commented & provided feedback 2 years ago

I will have to look into that. I am using the CVE #s that were provided to me by Red Hat security team.

rohara commented & provided feedback 2 years ago

You are correct, I used the wrong CVE ID. Will fix.

rohara edited this update.

2 years ago

This update has been submitted for stable by rohara.

2 years ago

This update has been submitted for batched by rohara.

2 years ago

This update has been submitted for stable by rohara.

2 years ago

This update has been pushed to stable.

2 years ago

Metadata
Type: security
Severity: high
Karma: 0
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: disabled
Dates
submitted: 2 years ago
in testing: 2 years ago
in stable: 2 years ago
modified: 2 years ago
BZ#1651863 CVE-2018-19044 keepalived: Improper pathname validation allows for overwrite of arbitrary filenames via symlinks
BZ#1651864 CVE-2018-19044 keepalived: Improper pathname validation allows for overwrite of arbitrary filenames via symlinks [fedora-all]
BZ#1651866 CVE-2018-19045 keepalived: Insecure permissions when creating new temporary files allows for leaking of sensitive data
BZ#1651868 CVE-2018-19045 keepalived: Insecure permissions when creating new temporary files allows for leaking of sensitive data [fedora-all]
BZ#1651869 CVE-2018-19046 keepalived: Insecure use of temporary files allows attackers read sensitive information from pre-existing files
BZ#1651870 CVE-2018-19046 keepalived: Insecure use of temporary files allows attackers read sensitive information from pre-existing files [fedora-all]
BZ#1651871 CVE-2018-19115 keepalived: Heap-based buffer overflow when parsing HTTP status codes allows for denial of service or possibly arbitrary code execution
BZ#1651873 CVE-2018-19115 keepalived: Heap-based buffer overflow when parsing HTTP status codes allows for denial of service or possibly arbitrary code execution [fedora-all]