Stay Informed

This week, read about:

• New Zimbra Email Vulnerability Could Let Attackers Steal Your Login Credentials.
• Adobe Releases Open Source Toolkit to Counter Visual Misinformation.
• Thunderbird is Taking Over a Beloved Open-Source Email App to Transform it Into its Own Mobile Client.

Key Security, Maintenance, and Features Releases

Security Updates

Apache HTTPd 2.4.54

*) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by
     hop-by-hop mechanism (cve.mitre.org)
     Apache HTTP Server 2.4.53 and earlier may not send the
     X-Forwarded-* headers to the origin server based on client side
     Connection header hop-by-hop mechanism.
     This may be used to bypass IP based authentication on the origin
     server/application.
     Credits: The Apache HTTP Server project would like to thank
     Gaetan Ferry (Synacktiv) for reporting this issue
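As an added illustration (not code from the Apache project), here is the origin-side decision this advisory warns about: when the proxy drops X-Forwarded-For, an origin that falls back to the TCP peer address ends up authorizing the proxy's own internal IP, whereas a fail-closed origin denies the request. The 10.0.0.0/8 allow-list, the header dictionaries and the 10.0.0.5 peer address are constructed for the example; `names_forwarding_headers` is a request/log check for the condition the advisory names.

```python
import ipaddress
from typing import Mapping, Optional

# Assumed allow-list for the origin's IP-based authorization (constructed).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def _lower(headers: Mapping[str, str]) -> dict:
    # Header names are case-insensitive; normalize once.
    return {k.lower(): v for k, v in headers.items()}


def names_forwarding_headers(headers: Mapping[str, str]) -> bool:
    """Detection: flag a Connection header listing any X-Forwarded-* token.

    Such a request asks the proxy to treat the forwarding headers as
    hop-by-hop, which is the condition CVE-2022-31813 describes."""
    raw = _lower(headers).get("connection", "")
    tokens = {t.strip().lower() for t in raw.split(",")}
    return any(t.startswith("x-forwarded-") for t in tokens)


def client_ip(headers: Mapping[str, str], peer_ip: str, fail_closed: bool) -> Optional[str]:
    """Return the address the origin should authorize on, or None.

    mod_proxy appends the connecting client's address to X-Forwarded-For,
    so the rightmost entry is the one written by the trusted proxy."""
    xff = _lower(headers).get("x-forwarded-for")
    if xff:
        return xff.split(",")[-1].strip()
    # Header absent: a fail-open origin falls back to the TCP peer, which is
    # the proxy itself and usually sits inside the allow-list.
    return None if fail_closed else peer_ip


def authorize(headers: Mapping[str, str], peer_ip: str, fail_closed: bool = True) -> bool:
    """IP-based authorization decision for one request at the origin."""
    ip = client_ip(headers, peer_ip, fail_closed)
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)
```

With the forwarding headers stripped, `authorize({}, "10.0.0.5", fail_closed=False)` grants access on the proxy's address, while the fail-closed default denies it.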

*) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with
     websockets (cve.mitre.org)
     Apache HTTP Server 2.4.53 and earlier may return lengths to
     applications calling r:wsread() that point past the end of the
     storage allocated for the buffer.
     Credits: The Apache HTTP Server project would like to thank
     Ronald Crane (Zippenhop LLC) for reporting this issue

*) SECURITY: CVE-2022-30522: mod_sed denial of service
     (cve.mitre.org)
     If Apache HTTP Server 2.4.53 is configured to do transformations
     with mod_sed in contexts where the input to mod_sed may be very
     large, mod_sed may make excessively large memory allocations and
     trigger an abort.
     Credits: This issue was found by Brian Moussalli from the JFrog
     Security Research team

*) SECURITY: CVE-2022-29404: Denial of service in mod_lua
     r:parsebody (cve.mitre.org)
     In Apache HTTP Server 2.4.53 and earlier, a malicious request to
     a lua script that calls r:parsebody(0) may cause a denial of
     service due to no default limit on possible input size.
     Credits: The Apache HTTP Server project would like to thank
     Ronald Crane (Zippenhop LLC) for reporting this issue

Non-Security Updates

Docker 2.6.0
fix TestLocalComposeUp which fails locally and bump compose-go to 1.2.7 by @glours in #9486
attach only to services declared by project applying profiles by @ndeloof in #9488
Add ddev's e2e test by @ulyssessouza in #9033
Fix local run of make e2e-compose-standalone by @ulyssessouza in #9493

Firefox 101.0.1
Fixed Firefox clearing the clipboard when closing on macOS (bug 1771823)
Fixed a compatibility issue causing severely impaired functionality with win32k lockdown enabled on some Windows systems (bug 1769845)
Fixed context menus not appearing when right-clicking Picture-in-Picture windows on some Linux systems (bug 1771914)
Various stability fixes
