All posts by ISHACK AI BOT
-
Huawei EulerOS: CVE-2023-45322: libxml2 security update
Severity: 7 | CVSS: AV:N/AC:M/Au:N/C:N/I:N/A:C
Published: 10/06/2023 | Created: 07/23/2024 | Added: 07/23/2024 | Modified: 01/30/2025
Description: libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."
Solution(s): huawei-euleros-2_0_sp8-upgrade-libxml2, huawei-euleros-2_0_sp8-upgrade-libxml2-devel, huawei-euleros-2_0_sp8-upgrade-python2-libxml2, huawei-euleros-2_0_sp8-upgrade-python3-libxml2
References: https://attackerkb.com/topics/cve-2023-45322, CVE-2023-45322, EulerOS-SA-2024-2478
-
Huawei EulerOS: CVE-2023-45322: libxml2 security update
Severity: 7 | CVSS: AV:N/AC:M/Au:N/C:N/I:N/A:C
Published: 10/06/2023 | Created: 01/11/2024 | Added: 01/10/2024 | Modified: 01/30/2025
Description: libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."
Solution(s): huawei-euleros-2_0_sp10-upgrade-libxml2, huawei-euleros-2_0_sp10-upgrade-python3-libxml2
References: https://attackerkb.com/topics/cve-2023-45322, CVE-2023-45322, EulerOS-SA-2024-1090
-
Alma Linux: CVE-2023-39928: Important: webkit2gtk3 security update (Multiple Advisories)
Severity: 9 | CVSS: AV:N/AC:M/Au:N/C:C/I:C/A:C
Published: 10/06/2023 | Created: 05/08/2024 | Added: 05/08/2024 | Modified: 01/28/2025
Description: A use-after-free vulnerability exists in the MediaRecorder API of Webkit WebKitGTK 2.40.5. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to visit a malicious webpage to trigger this vulnerability.
Solution(s): alma-upgrade-webkit2gtk3, alma-upgrade-webkit2gtk3-devel, alma-upgrade-webkit2gtk3-jsc, alma-upgrade-webkit2gtk3-jsc-devel
References: https://attackerkb.com/topics/cve-2023-39928, CVE-2023-39928, https://errata.almalinux.org/8/ALSA-2024-2982.html, https://errata.almalinux.org/9/ALSA-2024-2126.html
-
Huawei EulerOS: CVE-2023-39189: kernel security update
Severity: 6 | CVSS: AV:L/AC:L/Au:M/C:C/I:N/A:C
Published: 10/09/2023 | Created: 03/14/2024 | Added: 03/13/2024 | Modified: 01/28/2025
Description: A flaw was found in the Netfilter subsystem in the Linux kernel. The nfnl_osf_add_callback function did not validate the user mode controlled opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.
Solution(s): huawei-euleros-2_0_sp8-upgrade-bpftool, huawei-euleros-2_0_sp8-upgrade-kernel, huawei-euleros-2_0_sp8-upgrade-kernel-devel, huawei-euleros-2_0_sp8-upgrade-kernel-headers, huawei-euleros-2_0_sp8-upgrade-kernel-tools, huawei-euleros-2_0_sp8-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp8-upgrade-perf, huawei-euleros-2_0_sp8-upgrade-python-perf, huawei-euleros-2_0_sp8-upgrade-python3-perf
References: https://attackerkb.com/topics/cve-2023-39189, CVE-2023-39189, EulerOS-SA-2024-1275
-
Debian: CVE-2023-39928: webkit2gtk, wpewebkit -- security update
Severity: 9 | CVSS: AV:N/AC:M/Au:N/C:C/I:C/A:C
Published: 10/06/2023 | Created: 10/16/2023 | Added: 10/16/2023 | Modified: 01/28/2025
Description: A use-after-free vulnerability exists in the MediaRecorder API of Webkit WebKitGTK 2.40.5. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to visit a malicious webpage to trigger this vulnerability.
Solution(s): debian-upgrade-webkit2gtk, debian-upgrade-wpewebkit
References: https://attackerkb.com/topics/cve-2023-39928, CVE-2023-39928, DSA-5527-1
-
Huawei EulerOS: CVE-2023-39193: kernel security update
Severity: 6 | CVSS: AV:L/AC:L/Au:M/C:C/I:N/A:C
Published: 10/09/2023 | Created: 03/14/2024 | Added: 03/13/2024 | Modified: 01/28/2025
Description: A flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.
Solution(s): huawei-euleros-2_0_sp8-upgrade-bpftool, huawei-euleros-2_0_sp8-upgrade-kernel, huawei-euleros-2_0_sp8-upgrade-kernel-devel, huawei-euleros-2_0_sp8-upgrade-kernel-headers, huawei-euleros-2_0_sp8-upgrade-kernel-tools, huawei-euleros-2_0_sp8-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp8-upgrade-perf, huawei-euleros-2_0_sp8-upgrade-python-perf, huawei-euleros-2_0_sp8-upgrade-python3-perf
References: https://attackerkb.com/topics/cve-2023-39193, CVE-2023-39193, EulerOS-SA-2024-1275
-
Alma Linux: CVE-2023-39189: Moderate: kernel security, bug fix, and enhancement update (Multiple Advisories)
Severity: 6 | CVSS: AV:L/AC:L/Au:M/C:C/I:N/A:C
Published: 10/09/2023 | Created: 06/01/2024 | Added: 05/31/2024 | Modified: 01/28/2025
Description: A flaw was found in the Netfilter subsystem in the Linux kernel. The nfnl_osf_add_callback function did not validate the user mode controlled opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.
Solution(s): alma-upgrade-bpftool, alma-upgrade-kernel, alma-upgrade-kernel-64k, alma-upgrade-kernel-64k-core, alma-upgrade-kernel-64k-debug, alma-upgrade-kernel-64k-debug-core, alma-upgrade-kernel-64k-debug-devel, alma-upgrade-kernel-64k-debug-devel-matched, alma-upgrade-kernel-64k-debug-modules, alma-upgrade-kernel-64k-debug-modules-core, alma-upgrade-kernel-64k-debug-modules-extra, alma-upgrade-kernel-64k-devel, alma-upgrade-kernel-64k-devel-matched, alma-upgrade-kernel-64k-modules, alma-upgrade-kernel-64k-modules-core, alma-upgrade-kernel-64k-modules-extra, alma-upgrade-kernel-abi-stablelists, alma-upgrade-kernel-core, alma-upgrade-kernel-cross-headers, alma-upgrade-kernel-debug, alma-upgrade-kernel-debug-core, alma-upgrade-kernel-debug-devel, alma-upgrade-kernel-debug-devel-matched, alma-upgrade-kernel-debug-modules, alma-upgrade-kernel-debug-modules-core, alma-upgrade-kernel-debug-modules-extra, alma-upgrade-kernel-debug-uki-virt, alma-upgrade-kernel-devel, alma-upgrade-kernel-devel-matched, alma-upgrade-kernel-doc, alma-upgrade-kernel-headers, alma-upgrade-kernel-modules, alma-upgrade-kernel-modules-core, alma-upgrade-kernel-modules-extra, alma-upgrade-kernel-rt, alma-upgrade-kernel-rt-core, alma-upgrade-kernel-rt-debug, alma-upgrade-kernel-rt-debug-core, alma-upgrade-kernel-rt-debug-devel, alma-upgrade-kernel-rt-debug-kvm, alma-upgrade-kernel-rt-debug-modules, alma-upgrade-kernel-rt-debug-modules-core, alma-upgrade-kernel-rt-debug-modules-extra, alma-upgrade-kernel-rt-devel, alma-upgrade-kernel-rt-kvm, alma-upgrade-kernel-rt-modules, alma-upgrade-kernel-rt-modules-core, alma-upgrade-kernel-rt-modules-extra, alma-upgrade-kernel-tools, alma-upgrade-kernel-tools-libs, alma-upgrade-kernel-tools-libs-devel, alma-upgrade-kernel-uki-virt, alma-upgrade-kernel-zfcpdump, alma-upgrade-kernel-zfcpdump-core, alma-upgrade-kernel-zfcpdump-devel, alma-upgrade-kernel-zfcpdump-devel-matched, alma-upgrade-kernel-zfcpdump-modules, alma-upgrade-kernel-zfcpdump-modules-core, alma-upgrade-kernel-zfcpdump-modules-extra, alma-upgrade-libperf, alma-upgrade-perf, alma-upgrade-python3-perf, alma-upgrade-rtla, alma-upgrade-rv
References: https://attackerkb.com/topics/cve-2023-39189, CVE-2023-39189, https://errata.almalinux.org/8/ALSA-2024-2950.html, https://errata.almalinux.org/8/ALSA-2024-3138.html, https://errata.almalinux.org/9/ALSA-2024-2394.html
-
Huawei EulerOS: CVE-2023-39194: kernel security update
Severity: 4 | CVSS: AV:L/AC:L/Au:M/C:C/I:N/A:N
Published: 10/09/2023 | Created: 01/11/2024 | Added: 01/10/2024 | Modified: 01/28/2025
Description: A flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure.
Solution(s): huawei-euleros-2_0_sp9-upgrade-kernel, huawei-euleros-2_0_sp9-upgrade-kernel-tools, huawei-euleros-2_0_sp9-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp9-upgrade-python3-perf
References: https://attackerkb.com/topics/cve-2023-39194, CVE-2023-39194, EulerOS-SA-2023-3336
-
Debian: CVE-2023-43788: libxpm -- security update
Severity: 5 | CVSS: AV:L/AC:L/Au:S/C:C/I:N/A:N
Published: 10/06/2023 | Created: 10/06/2023 | Added: 10/06/2023 | Modified: 01/28/2025
Description: A vulnerability was found in libXpm due to a boundary condition within the XpmCreateXpmImageFromBuffer() function. This flaw allows a local attacker to trigger an out-of-bounds read error and read the contents of memory on the system.
Solution(s): debian-upgrade-libxpm
References: https://attackerkb.com/topics/cve-2023-43788, CVE-2023-43788, DLA-3603-1
-
Debian: CVE-2023-38703: asterisk, ring -- security update
Severity: 10 | CVSS: AV:N/AC:L/Au:N/C:C/I:C/A:C
Published: 10/06/2023 | Created: 01/04/2024 | Added: 01/03/2024 | Modified: 01/28/2025
Description: PJSIP is a free and open source multimedia communication library written in C with high level API in C, C++, Java, C#, and Python languages. SRTP is a higher level media transport which is stacked upon a lower level media transport such as UDP and ICE. Currently a higher level transport is not synchronized with its lower level transport, which may introduce a use-after-free issue. This vulnerability affects applications that have SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use an underlying media transport other than UDP. This vulnerability's impact may range from unexpected application termination to control flow hijack/memory corruption. The patch is available as a commit in the master branch.
Solution(s): debian-upgrade-asterisk, debian-upgrade-ring
References: https://attackerkb.com/topics/cve-2023-38703, CVE-2023-38703, DLA-3696-1
-
Debian: CVE-2023-43787: libx11 -- security update
Severity: 7 | CVSS: AV:L/AC:L/Au:S/C:C/I:C/A:C
Published: 10/06/2023 | Created: 10/06/2023 | Added: 10/06/2023 | Modified: 01/28/2025
Description: A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.
Solution(s): debian-upgrade-libx11
References: https://attackerkb.com/topics/cve-2023-43787, CVE-2023-43787, DLA-3602-1, DLA-3603-1
-
Debian: CVE-2023-43786: libx11 -- security update
Severity: 5 | CVSS: AV:L/AC:L/Au:S/C:N/I:N/A:C
Published: 10/06/2023 | Created: 10/06/2023 | Added: 10/06/2023 | Modified: 01/28/2025
Description: A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.
Solution(s): debian-upgrade-libx11
References: https://attackerkb.com/topics/cve-2023-43786, CVE-2023-43786, DLA-3602-1, DLA-3603-1
-
Huawei EulerOS: CVE-2023-45322: libxml2 security update
Severity: 7 | CVSS: AV:N/AC:M/Au:N/C:N/I:N/A:C
Published: 10/06/2023 | Created: 01/11/2024 | Added: 01/10/2024 | Modified: 01/30/2025
Description: libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."
Solution(s): huawei-euleros-2_0_sp9-upgrade-libxml2, huawei-euleros-2_0_sp9-upgrade-python3-libxml2
References: https://attackerkb.com/topics/cve-2023-45322, CVE-2023-45322, EulerOS-SA-2023-3343
-
Debian: CVE-2023-5346: chromium -- security update
Severity: 9 | CVSS: AV:N/AC:M/Au:N/C:C/I:C/A:C
Published: 10/06/2023 | Created: 10/06/2023 | Added: 10/06/2023 | Modified: 01/28/2025
Description: Type confusion in V8 in Google Chrome prior to 117.0.5938.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution(s): debian-upgrade-chromium
References: https://attackerkb.com/topics/cve-2023-5346, CVE-2023-5346, DSA-5515-1
-
Debian: CVE-2023-5366: openvswitch -- security update
Severity: 5 | CVSS: AV:L/AC:L/Au:S/C:N/I:C/A:N
Published: 10/06/2023 | Created: 02/24/2024 | Added: 02/23/2024 | Modified: 01/28/2025
Description: A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses.
Solution(s): debian-upgrade-openvswitch
References: https://attackerkb.com/topics/cve-2023-5366, CVE-2023-5366, DLA-3734-1
-
Amazon Linux AMI: CVE-2023-45322: Security patch for libxml2 (ALAS-2023-1874)
Severity: 7 | CVSS: AV:N/AC:M/Au:N/C:N/I:N/A:C
Published: 10/06/2023 | Created: 11/07/2023 | Added: 11/04/2023 | Modified: 01/28/2025
Description: ** DISPUTED ** libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."
Solution(s): amazon-linux-upgrade-libxml2
References: ALAS-2023-1874, CVE-2023-45322
-
Red Hat: CVE-2023-39928: webkitgtk: use-after-free in the MediaRecorder API of the WebKit GStreamer-based ports (Multiple Advisories)
Severity: 10 | CVSS: AV:N/AC:L/Au:N/C:C/I:C/A:C
Published: 10/06/2023 | Created: 05/01/2024 | Added: 05/01/2024 | Modified: 09/03/2024
Description: A use-after-free vulnerability exists in the MediaRecorder API of Webkit WebKitGTK 2.40.5. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to visit a malicious webpage to trigger this vulnerability.
Solution(s): redhat-upgrade-webkit2gtk3, redhat-upgrade-webkit2gtk3-debuginfo, redhat-upgrade-webkit2gtk3-debugsource, redhat-upgrade-webkit2gtk3-devel, redhat-upgrade-webkit2gtk3-devel-debuginfo, redhat-upgrade-webkit2gtk3-jsc, redhat-upgrade-webkit2gtk3-jsc-debuginfo, redhat-upgrade-webkit2gtk3-jsc-devel, redhat-upgrade-webkit2gtk3-jsc-devel-debuginfo
References: CVE-2023-39928, RHSA-2024:2126, RHSA-2024:2982
-
Gentoo Linux: CVE-2023-39928: WebKitGTK+: Multiple Vulnerabilities
Severity: 9 | CVSS: AV:N/AC:M/Au:N/C:C/I:C/A:C
Published: 10/06/2023 | Created: 02/02/2024 | Added: 02/01/2024 | Modified: 01/28/2025
Description: A use-after-free vulnerability exists in the MediaRecorder API of Webkit WebKitGTK 2.40.5. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to visit a malicious webpage to trigger this vulnerability.
Solution(s): gentoo-linux-upgrade-net-libs-webkit-gtk
References: https://attackerkb.com/topics/cve-2023-39928, CVE-2023-39928, 202401-33
-
Huawei EulerOS: CVE-2023-45322: libxml2 security update
Severity: 7 | CVSS: AV:N/AC:M/Au:N/C:N/I:N/A:C
Published: 10/06/2023 | Created: 01/11/2024 | Added: 01/10/2024 | Modified: 01/30/2025
Description: libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."
Solution(s): huawei-euleros-2_0_sp11-upgrade-libxml2, huawei-euleros-2_0_sp11-upgrade-python3-libxml2
References: https://attackerkb.com/topics/cve-2023-45322, CVE-2023-45322, EulerOS-SA-2023-3278
-
Ubuntu: (Multiple Advisories) (CVE-2023-5366): Open vSwitch vulnerability
Severity: 5 | CVSS: AV:L/AC:L/Au:S/C:N/I:C/A:N
Published: 10/06/2023 | Created: 11/28/2023 | Added: 11/27/2023 | Modified: 01/28/2025
Description: A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses.
Solution(s): ubuntu-pro-upgrade-openvswitch-common, ubuntu-pro-upgrade-python3-openvswitch
References: https://attackerkb.com/topics/cve-2023-5366, CVE-2023-5366, USN-6514-1, USN-6690-1
-
Rocky Linux: CVE-2023-39928: webkit2gtk3 (RLSA-2024-2982)
Severity: 9 | CVSS: AV:N/AC:M/Au:N/C:C/I:C/A:C
Published: 10/06/2023 | Created: 06/17/2024 | Added: 06/17/2024 | Modified: 01/28/2025
Description: A use-after-free vulnerability exists in the MediaRecorder API of Webkit WebKitGTK 2.40.5. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to visit a malicious webpage to trigger this vulnerability.
Solution(s): rocky-upgrade-webkit2gtk3, rocky-upgrade-webkit2gtk3-debuginfo, rocky-upgrade-webkit2gtk3-debugsource, rocky-upgrade-webkit2gtk3-devel, rocky-upgrade-webkit2gtk3-devel-debuginfo, rocky-upgrade-webkit2gtk3-jsc, rocky-upgrade-webkit2gtk3-jsc-debuginfo, rocky-upgrade-webkit2gtk3-jsc-devel, rocky-upgrade-webkit2gtk3-jsc-devel-debuginfo
References: https://attackerkb.com/topics/cve-2023-39928, CVE-2023-39928, https://errata.rockylinux.org/RLSA-2024:2982
-
Alpine Linux: CVE-2023-5366: Insufficient Verification of Data Authenticity
Severity: 8 | CVSS: AV:N/AC:L/Au:S/C:P/I:N/A:C
Published: 10/06/2023 | Created: 08/23/2024 | Added: 08/22/2024 | Modified: 10/14/2024
Description: A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses.
Solution(s): alpine-linux-upgrade-openvswitch
References: https://attackerkb.com/topics/cve-2023-5366, CVE-2023-5366, https://security.alpinelinux.org/vuln/CVE-2023-5366
-
Ubuntu: USN-6426-1 (CVE-2023-39928): WebKitGTK vulnerabilities
Severity: 9 | CVSS: AV:N/AC:M/Au:N/C:C/I:C/A:C
Published: 10/06/2023 | Created: 10/11/2023 | Added: 10/11/2023 | Modified: 01/28/2025
Description: A use-after-free vulnerability exists in the MediaRecorder API of Webkit WebKitGTK 2.40.5. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to visit a malicious webpage to trigger this vulnerability.
Solution(s): ubuntu-upgrade-libjavascriptcoregtk-4-0-18, ubuntu-upgrade-libjavascriptcoregtk-4-1-0, ubuntu-upgrade-libjavascriptcoregtk-6-0-1, ubuntu-upgrade-libwebkit2gtk-4-0-37, ubuntu-upgrade-libwebkit2gtk-4-1-0, ubuntu-upgrade-libwebkitgtk-6-0-4
References: https://attackerkb.com/topics/cve-2023-39928, CVE-2023-39928, USN-6426-1
-
Alpine Linux: CVE-2023-45322: Use After Free
Severity: 7 | CVSS: AV:N/AC:M/Au:N/C:N/I:N/A:C
Published: 10/06/2023 | Created: 03/22/2024 | Added: 03/21/2024 | Modified: 03/22/2024
Description: libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."
Solution(s): alpine-linux-upgrade-libxml2
References: https://attackerkb.com/topics/cve-2023-45322, CVE-2023-45322, https://security.alpinelinux.org/vuln/CVE-2023-45322
-
Alma Linux: CVE-2023-40745: Moderate: libtiff security update (ALSA-2024-2289)
Severity: 7 | CVSS: AV:N/AC:M/Au:N/C:N/I:N/A:C
Published: 10/05/2023 | Created: 05/08/2024 | Added: 05/08/2024 | Modified: 01/28/2025
Description: LibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.
Solution(s): alma-upgrade-libtiff, alma-upgrade-libtiff-devel, alma-upgrade-libtiff-tools
References: https://attackerkb.com/topics/cve-2023-40745, CVE-2023-40745, https://errata.almalinux.org/9/ALSA-2024-2289.html