Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 6 |
CVE-ID | CVE-2022-1996 CVE-2022-24675 CVE-2022-28327 CVE-2022-27191 CVE-2022-29526 CVE-2022-30629 |
CWE-ID | CWE-942 CWE-120 CWE-190 CWE-327 CWE-264 CWE-330 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Operating systems & Components / Operating system: Fedora. Operating systems & Components / Operating system package or component: xe-guest-utilities-latest, skopeo, singularity, runc, restic, reposurgeon, podman, pack, osbuild-composer, origin, oci-seccomp-bpf-hook, manifest-tool, kompose, kata-containers, ignition, gron, grafana-pcp, grafana, gotun, google-guest-agent, gomtree, golang-starlark, golang-rsc-pdf, golang-github-zyedidia-highlight, golang-github-tscholl2-siec, golang-github-tomnomnom-xtermcolor, golang-github-sqshq-sampler, golang-github-segmentio-ksuid, golang-github-rickb777-date, golang-github-msprev-fzf-bibtex, golang-github-mozillazg-pinyin, golang-github-mbndr-figlet4go, golang-github-lunixbochs-vtclean, golang-github-lofanmi-pinyin, golang-github-letsencrypt-pebble, golang-github-kalafut-imohash, golang-github-heistp-irtt, golang-github-google-dap, golang-github-elves-elvish, golang-github-client9-gospell, golang-github-chromedp, golang-entgo-ent, golang-ariga-atlas, golang, godep, go-bindata, gmailctl, git-octopus, git-lfs, docker-distribution, deepin-gir-generator, cri-o, clipman, cheat, caddy, butane, buildah, asciigraph, apptainer |
Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
EUVDB-ID: #VU66447
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-1996
CWE-ID:
CWE-942 - Overly Permissive Cross-domain Whitelist
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass the CORS protection mechanism.
The vulnerability exists due to incorrect processing of the "Origin" HTTP header supplied within an HTTP request. A remote attacker can supply an arbitrary value via the "Origin" HTTP header, bypass the implemented CORS protection mechanism and perform cross-site scripting attacks against the vulnerable application.
Mitigation
Install updates from vendor's repository.
Vulnerable software versions
Fedora: 36
xe-guest-utilities-latest: before 7.30.0-4.fc36
skopeo: before 1.8.0-9.fc36
singularity: before 3.8.7-2.fc36
runc: before 1.1.1-2.fc36
restic: before 0.12.1-3.fc36
reposurgeon: before 4.32-2.fc36
podman: before 4.1.1-2.fc36
pack: before 0.27.0~rc1-4.fc36
osbuild-composer: before 55-2.fc36
origin: before 3.11.2-6.fc36
oci-seccomp-bpf-hook: before 1.2.5-3.fc36
manifest-tool: before 2.0.3-2.fc36
kompose: before 1.17.0-9.fc36
kata-containers: before 2.3.3-2.fc36.1
ignition: before 2.14.0-2.fc36
gron: before 0.7.1-2.fc36
grafana-pcp: before 3.2.0-3.fc36
grafana: before 7.5.15-3.fc36
gotun: before 0-0.14.gita9dbe4d.fc36
google-guest-agent: before 20201217.02-4.fc36
gomtree: before 0.4.0-11.fc36
golang-starlark: before 0-0.7.20210113gite81fc95.fc36
golang-rsc-pdf: before 0.1.1-10.fc36
golang-github-zyedidia-highlight: before 0-0.6.20200218git291680f.fc36
golang-github-tscholl2-siec: before 0-3.20211128git9bdfc48.fc36
golang-github-tomnomnom-xtermcolor: before 0.1.2-8.fc36
golang-github-sqshq-sampler: before 1.1.0-9.fc36
golang-github-segmentio-ksuid: before 1.0.4-3.fc36
golang-github-rickb777-date: before 1.19.1-2.fc36
golang-github-msprev-fzf-bibtex: before 1.1-5.20220205gitd5df2c6.fc36
golang-github-mozillazg-pinyin: before 0.19.0-4.fc36
golang-github-mbndr-figlet4go: before 0-0.8.20191009gitd6cef5b.fc36
golang-github-lunixbochs-vtclean: before 1.0.0-8.fc36
golang-github-lofanmi-pinyin: before 1.0-4.fc36
golang-github-letsencrypt-pebble: before 2.3.1-5.fc36
golang-github-kalafut-imohash: before 1.0.2-3.fc36
golang-github-heistp-irtt: before 0.9.1-2.fc36
golang-github-google-dap: before 0.4.0-4.fc36
golang-github-elves-elvish: before 0.15.0-4.fc36
golang-github-client9-gospell: before 0-0.11.20190524git90dfc71.fc36
golang-github-chromedp: before 0.8.1-2.fc36
golang-entgo-ent: before 0.10.0-4.fc36
golang-ariga-atlas: before 0.3.6-3.fc36
golang: before 1.18.3-2.fc36
godep: before 62-17.fc36
go-bindata: before 3.0.7-22.gita0ff256.fc36
gmailctl: before 0.10.4-3.fc36
git-octopus: before 2.0-0.4.beta.3.fc36.12
git-lfs: before 3.1.2-4.fc36
docker-distribution: before 2.6.2-17.git48294d9.fc36
deepin-gir-generator: before 2.1.0-3.fc36
cri-o: before 1.24.1-2.fc36
clipman: before 1.6.1-3.fc36
cheat: before 4.2.2-4.fc36
caddy: before 2.4.6-3.fc36
butane: before 0.14.0-2.fc36
buildah: before 1.26.1-4.fc36
asciigraph: before 0.5.5-2.fc36
apptainer: before 1.0.2-2.fc36
Fedora update: https://bodhi.fedoraproject.org/updates/FEDORA-2022-ba365d3703
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU64266
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-24675
CWE-ID:
CWE-120 - Buffer overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in Go's encoding/pem library. A remote attacker can send the victim a large (more than 5 MB) PEM input to cause a stack overflow in Decode and perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's repository.
Vulnerable software versions
Fedora: 36
The same packages and fixed versions as listed under CVE-2022-1996 above.
Fedora update: https://bodhi.fedoraproject.org/updates/FEDORA-2022-ba365d3703
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU64269
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-28327
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to an integer overflow in Go's crypto/elliptic library. A remote attacker can send a specially crafted scalar input longer than 32 bytes to cause P256().ScalarMult or P256().ScalarBaseMult to panic and perform a denial of service attack.
Mitigation
Install updates from vendor's repository.
Vulnerable software versions
Fedora: 36
The same packages and fixed versions as listed under CVE-2022-1996 above.
Fedora update: https://bodhi.fedoraproject.org/updates/FEDORA-2022-ba365d3703
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
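As defense in depth alongside the update, code that passes untrusted data to the two Go library calls named above (encoding/pem Decode in CVE-2022-24675, P256().ScalarBaseMult in CVE-2022-28327) can bound the input before the call. The Go code below is an added example, not taken from the bulletin or from the Go project; the function names and the limits MaxPEMBytes and MaxPEMBlocks are assumptions chosen for illustration.

```go
package main

import (
	"crypto/elliptic"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"math/big"
	"strings"
)

// Assumed limits for this example. The bulletin gives 5 MB as the PEM size
// that overflowed the stack in Decode, and 32 bytes as the scalar length
// beyond which P256().ScalarMult / ScalarBaseMult panicked.
const (
	MaxPEMBytes    = 1 << 20 // 1 MiB, well below the 5 MB in the bulletin
	MaxPEMBlocks   = 16      // cap on blocks accepted from one input
	P256ScalarSize = 32      // P-256 scalars are at most 32 bytes
)

var (
	ErrPEMTooLarge  = errors.New("pem input exceeds size limit")
	ErrPEMTooMany   = errors.New("pem input has too many blocks")
	ErrNoPEM        = errors.New("no PEM block found")
	ErrScalarLength = errors.New("P-256 scalar must be 1 to 32 bytes")
)

// DecodePEMBounded reads at most MaxPEMBytes from r and only then hands the
// buffer to pem.Decode, so untrusted input never reaches the decoder unbounded.
func DecodePEMBounded(r io.Reader) ([]*pem.Block, error) {
	// Read one byte past the limit to tell "at the limit" from "over it".
	data, err := io.ReadAll(io.LimitReader(r, MaxPEMBytes+1))
	if err != nil {
		return nil, err
	}
	if len(data) > MaxPEMBytes {
		return nil, ErrPEMTooLarge
	}
	var blocks []*pem.Block
	for {
		var b *pem.Block
		b, data = pem.Decode(data)
		if b == nil {
			break
		}
		if len(blocks) == MaxPEMBlocks {
			return nil, ErrPEMTooMany
		}
		blocks = append(blocks, b)
	}
	if len(blocks) == 0 {
		return nil, ErrNoPEM
	}
	return blocks, nil
}

// ScalarBaseMultP256 rejects empty or over-long scalars before the curve
// code sees them, then computes k*G on P-256.
func ScalarBaseMultP256(k []byte) (x, y *big.Int, err error) {
	if len(k) == 0 || len(k) > P256ScalarSize {
		return nil, nil, ErrScalarLength
	}
	x, y = elliptic.P256().ScalarBaseMult(k)
	return x, y, nil
}

func main() {
	// Constructed sample inputs, not taken from the bulletin.
	sample := string(pem.EncodeToMemory(&pem.Block{Type: "SAMPLE", Bytes: []byte("demo")}))
	blocks, err := DecodePEMBounded(strings.NewReader(sample))
	fmt.Println(len(blocks), err)
	_, err = DecodePEMBounded(strings.NewReader(strings.Repeat("A", MaxPEMBytes+1)))
	fmt.Println(err)
	_, _, err = ScalarBaseMultP256(make([]byte, P256ScalarSize+1))
	fmt.Println(err)
}
```

These guards limit exposure on hosts that cannot be updated immediately; they do not replace installing the fixed packages.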
EUVDB-ID: #VU62039
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-27191
CWE-ID:
CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an error in golang.org/x/crypto/ssh before 0.0.0-20220314234659-1baeb1ce4c0b, as used in the Go programming language. A remote attacker can crash a server in certain circumstances involving AddHostKey.
Mitigation
Install updates from vendor's repository.
Vulnerable software versions
Fedora: 36
The same packages and fixed versions as listed under CVE-2022-1996 above.
Fedora update: https://bodhi.fedoraproject.org/updates/FEDORA-2022-ba365d3703
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU63173
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-29526
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists because the Faccessat function can incorrectly report that a file is accessible when called with a non-zero flags parameter. An attacker can bypass implemented security restrictions.
Mitigation
Install updates from vendor's repository.
Vulnerable software versions
Fedora: 36
The same packages and fixed versions as listed under CVE-2022-1996 above.
Fedora update: https://bodhi.fedoraproject.org/updates/FEDORA-2022-ba365d3703
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU66122
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-30629
CWE-ID:
CWE-330 - Use of Insufficiently Random Values
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists in the crypto/tls implementation when generating the TLS ticket age. The newSessionTicketMsgTLS13.ageAdd value is always set to "0" instead of a random value.
Mitigation
Install updates from vendor's repository.
Vulnerable software versions
Fedora: 36
The same packages and fixed versions as listed under CVE-2022-1996 above.
Fedora update: https://bodhi.fedoraproject.org/updates/FEDORA-2022-ba365d3703
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.