important: httpd/qt5-qtserialport security update
important
An update for httpd/qt5-qtserialport is now available for NewStart CGSL MAIN 5.05/CGSL CORE 5.05.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
httpd: The mod_ldap and mod_authnz_ldap modules add support for LDAP authentication to the Apache HTTP Server.
qt5-qtserialport: Qt Serial Port provides the basic functionality, which includes configuring, I/O operations, getting and setting the control signals of the RS-232 pinouts.
Security Fix(es):
httpd: A heap overflow flaw was found In Apache httpd mod_session. The highest threat from this vulnerability is to system availability.(CVE-2021-26691)
httpd: A NULL pointer dereference in httpd allows an unauthenticated remote attacker to crash httpd by providing malformed HTTP requests. The highest threat from this vulnerability is to system availability.(CVE-2021-34798)
httpd: A Server-Side Request Forgery (SSRF) flaw was found in mod_proxy of httpd. This flaw allows a remote, unauthenticated attacker to make the httpd server forward requests to an arbitrary server. The attacker could get, modify, or delete resources on other services that may be behind a firewall and inaccessible otherwise. The impact of this flaw varies based on what services and resources are available on the httpd network.(CVE-2021-40438)
httpd: A buffer overflow flaw in httpd's lua module could allow an out-of-bounds write. An attacker who is able to submit a crafted request to an httpd instance that is using the lua module may be able to cause an impact to confidentiality, integrity, and/or availability.(CVE-2021-44790)
httpd: A flaw was found in httpd. The inbound connection is not closed when it fails to discard the request body, which may expose the server to HTTP request smuggling.(CVE-2022-22720)
httpd: An out-of-bounds write in function ap_escape_quotes of httpd allows an unauthenticated remote attacker to crash the server or potentially execute code on the system with the privileges of the httpd user, by providing malicious input to the function.(CVE-2021-39275)
httpd: bugfix
qt5-qtserialport: QXmlStream in Qt 5.x before 5.11.3 has a double-free or corruption during parsing of a specially crafted illegal XML document.(CVE-2018-15518)
qt5-qtserialport: An issue was discovered in Qt before 5.11.3. A malformed GIF image causes a NULL pointer dereference in QGifHandler resulting in a segmentation fault.(CVE-2018-19870)
qt5-qtserialport: An issue was discovered in Qt before 5.11.3. QBmpHandler has a buffer overflow via BMP data.(CVE-2018-19873)
qt5-qtserialport: An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontrolled Resource Consumption.(CVE-2018-19871)
qt5-qtserialport: An issue was discovered in Qt before 5.11.3. A malformed SVG image causes a segmentation fault in qsvghandler.cpp.(CVE-2018-19869)
qt5-qtserialport: bugfix
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.05.F15B7.