ISHACK AI BOT

SUSE: CVE-2023-39321: SUSE Linux Security Advisory Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 09/08/2023 Created 09/21/2023 Added 09/21/2023 Modified 01/28/2025 Description Processing an incomplete post-handshake message for a QUIC connection can cause a panic. Solution(s) suse-upgrade-go1-21 suse-upgrade-go1-21-doc suse-upgrade-go1-21-openssl suse-upgrade-go1-21-openssl-doc suse-upgrade-go1-21-openssl-race suse-upgrade-go1-21-race References https://attackerkb.com/topics/cve-2023-39321 CVE - 2023-39321

SUSE: CVE-2023-39318: SUSE Linux Security Advisory Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 09/08/2023 Created 09/21/2023 Added 09/21/2023 Modified 01/28/2025 Description The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack. Solution(s) suse-upgrade-go1-20 suse-upgrade-go1-20-doc suse-upgrade-go1-20-openssl suse-upgrade-go1-20-openssl-doc suse-upgrade-go1-20-openssl-race suse-upgrade-go1-20-race suse-upgrade-go1-21 suse-upgrade-go1-21-doc suse-upgrade-go1-21-openssl suse-upgrade-go1-21-openssl-doc suse-upgrade-go1-21-openssl-race suse-upgrade-go1-21-race References https://attackerkb.com/topics/cve-2023-39318 CVE - 2023-39318

SUSE: CVE-2023-39319: SUSE Linux Security Advisory Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 09/08/2023 Created 09/21/2023 Added 09/21/2023 Modified 01/28/2025 Description The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Solution(s) suse-upgrade-go1-20 suse-upgrade-go1-20-doc suse-upgrade-go1-20-openssl suse-upgrade-go1-20-openssl-doc suse-upgrade-go1-20-openssl-race suse-upgrade-go1-20-race suse-upgrade-go1-21 suse-upgrade-go1-21-doc suse-upgrade-go1-21-openssl suse-upgrade-go1-21-openssl-doc suse-upgrade-go1-21-openssl-race suse-upgrade-go1-21-race References https://attackerkb.com/topics/cve-2023-39319 CVE - 2023-39319

Huawei EulerOS: CVE-2023-39318: golang security update Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 09/08/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/30/2025 Description The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack. Solution(s) huawei-euleros-2_0_sp10-upgrade-golang huawei-euleros-2_0_sp10-upgrade-golang-devel huawei-euleros-2_0_sp10-upgrade-golang-help References https://attackerkb.com/topics/cve-2023-39318 CVE - 2023-39318 EulerOS-SA-2023-3213

OS X update for ImageIO (CVE-2023-41064) Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 09/08/2023 Created 09/08/2023 Added 09/08/2023 Modified 01/28/2025 Description A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 16.6.1 and iPadOS 16.6.1, macOS Monterey 12.6.9, macOS Ventura 13.5.2, iOS 15.7.9 and iPadOS 15.7.9, macOS Big Sur 11.7.10. Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Solution(s) apple-osx-upgrade-11_7_10 apple-osx-upgrade-12_6_9 apple-osx-upgrade-13_5_2 References https://attackerkb.com/topics/cve-2023-41064 CVE - 2023-41064 https://support.apple.com/kb/HT213906 https://support.apple.com/kb/HT213914 https://support.apple.com/kb/HT213915

Gentoo Linux: CVE-2023-39322: Go: Multiple Vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 09/08/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size. Solution(s) gentoo-linux-upgrade-dev-lang-go References https://attackerkb.com/topics/cve-2023-39322 CVE - 2023-39322 202311-09

Gentoo Linux: CVE-2023-39321: Go: Multiple Vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 09/08/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description Processing an incomplete post-handshake message for a QUIC connection can cause a panic. Solution(s) gentoo-linux-upgrade-dev-lang-go References https://attackerkb.com/topics/cve-2023-39321 CVE - 2023-39321 202311-09

Gentoo Linux: CVE-2023-39318: Go: Multiple Vulnerabilities Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 09/08/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/30/2025 Description The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack. Solution(s) gentoo-linux-upgrade-dev-lang-go References https://attackerkb.com/topics/cve-2023-39318 CVE - 2023-39318 202311-09

Gentoo Linux: CVE-2023-39320: Go: Multiple Vulnerabilities Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 09/08/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/30/2025 Description The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software. Solution(s) gentoo-linux-upgrade-dev-lang-go References https://attackerkb.com/topics/cve-2023-39320 CVE - 2023-39320 202311-09

VMware Photon OS: CVE-2023-39318 Severity 6 CVSS (AV:N/AC:L/Au:N/C:P/I:P/A:N) Published 09/08/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-39318 CVE - 2023-39318

Alma Linux: CVE-2023-39319: Moderate: container-tools:4.0 security update (Multiple Advisories) Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 09/08/2023 Created 12/20/2023 Added 12/19/2023 Modified 01/30/2025 Description The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Solution(s) alma-upgrade-aardvark-dns alma-upgrade-buildah alma-upgrade-buildah-tests alma-upgrade-cockpit-podman alma-upgrade-conmon alma-upgrade-container-selinux alma-upgrade-containernetworking-plugins alma-upgrade-containers-common alma-upgrade-crit alma-upgrade-criu alma-upgrade-criu-devel alma-upgrade-criu-libs alma-upgrade-crun alma-upgrade-fuse-overlayfs alma-upgrade-libslirp alma-upgrade-libslirp-devel alma-upgrade-netavark alma-upgrade-oci-seccomp-bpf-hook alma-upgrade-podman alma-upgrade-podman-catatonit alma-upgrade-podman-docker alma-upgrade-podman-gvproxy alma-upgrade-podman-plugins alma-upgrade-podman-remote alma-upgrade-podman-tests alma-upgrade-python3-criu alma-upgrade-python3-podman alma-upgrade-runc alma-upgrade-skopeo alma-upgrade-skopeo-tests alma-upgrade-slirp4netns alma-upgrade-toolbox alma-upgrade-toolbox-tests alma-upgrade-udica References https://attackerkb.com/topics/cve-2023-39319 CVE - 2023-39319 https://errata.almalinux.org/8/ALSA-2024-0121.html https://errata.almalinux.org/9/ALSA-2023-7762.html https://errata.almalinux.org/9/ALSA-2023-7764.html https://errata.almalinux.org/9/ALSA-2023-7765.html https://errata.almalinux.org/9/ALSA-2023-7766.html https://errata.almalinux.org/9/ALSA-2024-2160.html View more

Amazon Linux AMI: CVE-2023-39319: Security patch for golang (ALAS-2023-1848) Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 09/08/2023 Created 01/11/2024 Added 01/09/2024 Modified 01/28/2025 Description The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Solution(s) amazon-linux-upgrade-golang References ALAS-2023-1848 CVE-2023-39319

Alma Linux: CVE-2023-39318: Moderate: container-tools:4.0 security update (Multiple Advisories) Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 09/08/2023 Created 12/20/2023 Added 12/19/2023 Modified 01/30/2025 Description The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack. Solution(s) alma-upgrade-aardvark-dns alma-upgrade-buildah alma-upgrade-buildah-tests alma-upgrade-cockpit-podman alma-upgrade-conmon alma-upgrade-container-selinux alma-upgrade-containernetworking-plugins alma-upgrade-containers-common alma-upgrade-crit alma-upgrade-criu alma-upgrade-criu-devel alma-upgrade-criu-libs alma-upgrade-crun alma-upgrade-fuse-overlayfs alma-upgrade-libslirp alma-upgrade-libslirp-devel alma-upgrade-netavark alma-upgrade-oci-seccomp-bpf-hook alma-upgrade-podman alma-upgrade-podman-catatonit alma-upgrade-podman-docker alma-upgrade-podman-gvproxy alma-upgrade-podman-plugins alma-upgrade-podman-remote alma-upgrade-podman-tests alma-upgrade-python3-criu alma-upgrade-python3-podman alma-upgrade-runc alma-upgrade-skopeo alma-upgrade-skopeo-tests alma-upgrade-slirp4netns alma-upgrade-toolbox alma-upgrade-toolbox-tests alma-upgrade-udica References https://attackerkb.com/topics/cve-2023-39318 CVE - 2023-39318 https://errata.almalinux.org/8/ALSA-2024-0121.html https://errata.almalinux.org/9/ALSA-2023-7762.html https://errata.almalinux.org/9/ALSA-2023-7764.html https://errata.almalinux.org/9/ALSA-2023-7765.html https://errata.almalinux.org/9/ALSA-2023-7766.html https://errata.almalinux.org/9/ALSA-2024-2160.html View more

Red Hat OpenShift: CVE-2023-39318: golang: html/template: improper handling of HTML-like comments within script contexts Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 09/08/2023 Created 11/01/2023 Added 11/01/2023 Modified 01/30/2025 Description The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack. Solution(s) linuxrpm-upgrade-buildah linuxrpm-upgrade-containernetworking-plugins linuxrpm-upgrade-microshift linuxrpm-upgrade-openshift-clients linuxrpm-upgrade-podman linuxrpm-upgrade-runc linuxrpm-upgrade-skopeo References https://attackerkb.com/topics/cve-2023-39318 CVE - 2023-39318 RHSA-2023:5008 RHSA-2023:5009 RHSA-2023:5947 RHSA-2023:5974 RHSA-2023:6085 RHSA-2023:6115 RHSA-2023:6119 RHSA-2023:6122 RHSA-2023:6145 RHSA-2023:6148 RHSA-2023:6154 RHSA-2023:6161 RHSA-2023:6200 RHSA-2023:6202 RHSA-2023:6840 RHSA-2023:7762 RHSA-2023:7764 RHSA-2023:7765 RHSA-2023:7766 RHSA-2024:0121 RHSA-2024:1383 RHSA-2024:1901 RHSA-2024:2160 RHSA-2024:2988 RHSA-2024:3352 RHSA-2024:3467 View more

Red Hat OpenShift: CVE-2023-39321: golang: crypto/tls: panic when processing post-handshake message on QUIC connections Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 09/08/2023 Created 11/01/2023 Added 11/01/2023 Modified 01/28/2025 Description Processing an incomplete post-handshake message for a QUIC connection can cause a panic. Solution(s) linuxrpm-upgrade-buildah linuxrpm-upgrade-conmon linuxrpm-upgrade-containernetworking-plugins linuxrpm-upgrade-microshift linuxrpm-upgrade-openshift-clients linuxrpm-upgrade-podman linuxrpm-upgrade-runc linuxrpm-upgrade-skopeo References https://attackerkb.com/topics/cve-2023-39321 CVE - 2023-39321 RHSA-2023:5008 RHSA-2023:5009 RHSA-2023:5947 RHSA-2023:5974 RHSA-2023:6031 RHSA-2023:6085 RHSA-2023:6115 RHSA-2023:6119 RHSA-2023:6122 RHSA-2023:6145 RHSA-2023:6148 RHSA-2023:6154 RHSA-2023:6161 RHSA-2023:6200 RHSA-2023:6202 RHSA-2023:6840 RHSA-2023:7517 RHSA-2023:7762 RHSA-2023:7763 RHSA-2023:7764 RHSA-2023:7765 RHSA-2023:7766 RHSA-2024:0121 RHSA-2024:1383 RHSA-2024:1901 RHSA-2024:2988 RHSA-2024:3352 RHSA-2024:3467 View more

Alpine Linux: CVE-2023-39318: Cross-site Scripting Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 09/08/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack. Solution(s) alpine-linux-upgrade-go References https://attackerkb.com/topics/cve-2023-39318 CVE - 2023-39318 https://security.alpinelinux.org/vuln/CVE-2023-39318

Alpine Linux: CVE-2023-39321: Vulnerability in Multiple Components Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 09/08/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Processing an incomplete post-handshake message for a QUIC connection can cause a panic. Solution(s) alpine-linux-upgrade-go References https://attackerkb.com/topics/cve-2023-39321 CVE - 2023-39321 https://security.alpinelinux.org/vuln/CVE-2023-39321

Alpine Linux: CVE-2023-39322: Allocation of Resources Without Limits or Throttling Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 09/08/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size. Solution(s) alpine-linux-upgrade-go References https://attackerkb.com/topics/cve-2023-39322 CVE - 2023-39322 https://security.alpinelinux.org/vuln/CVE-2023-39322

Alpine Linux: CVE-2023-4807: Vulnerability in Multiple Components Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 09/08/2023 Created 08/23/2024 Added 08/22/2024 Modified 08/23/2024 Description Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions. Impact summary: If in an application that uses the OpenSSL library an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However given the contents of the registers are just zeroized so the attacker cannot put arbitrary values inside, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3 and a malicious client can influence whether this AEAD cipher is used by the server. This implies that server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. As a workaround the AVX512-IFMA instructions support can be disabled at runtime by setting the environment variable OPENSSL_ia32cap: OPENSSL_ia32cap=:~0x200000 The FIPS provider is not affected by this issue. Solution(s) alpine-linux-upgrade-openssl References https://attackerkb.com/topics/cve-2023-4807 CVE - 2023-4807 https://security.alpinelinux.org/vuln/CVE-2023-4807

Red Hat: CVE-2023-39319: golang: html/template: improper handling of special tags within script contexts (Multiple Advisories) Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 09/08/2023 Created 12/14/2023 Added 12/13/2023 Modified 01/30/2025 Description The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Solution(s) redhat-upgrade-aardvark-dns redhat-upgrade-buildah redhat-upgrade-buildah-debuginfo redhat-upgrade-buildah-debugsource redhat-upgrade-buildah-tests redhat-upgrade-buildah-tests-debuginfo redhat-upgrade-cockpit-podman redhat-upgrade-conmon redhat-upgrade-conmon-debuginfo redhat-upgrade-conmon-debugsource redhat-upgrade-container-selinux redhat-upgrade-containernetworking-plugins redhat-upgrade-containernetworking-plugins-debuginfo redhat-upgrade-containernetworking-plugins-debugsource redhat-upgrade-containers-common redhat-upgrade-crit redhat-upgrade-criu redhat-upgrade-criu-debuginfo redhat-upgrade-criu-debugsource redhat-upgrade-criu-devel redhat-upgrade-criu-libs redhat-upgrade-criu-libs-debuginfo redhat-upgrade-crun redhat-upgrade-crun-debuginfo redhat-upgrade-crun-debugsource redhat-upgrade-fuse-overlayfs redhat-upgrade-fuse-overlayfs-debuginfo redhat-upgrade-fuse-overlayfs-debugsource redhat-upgrade-libslirp redhat-upgrade-libslirp-debuginfo redhat-upgrade-libslirp-debugsource redhat-upgrade-libslirp-devel redhat-upgrade-netavark redhat-upgrade-oci-seccomp-bpf-hook redhat-upgrade-oci-seccomp-bpf-hook-debuginfo redhat-upgrade-oci-seccomp-bpf-hook-debugsource redhat-upgrade-podman redhat-upgrade-podman-catatonit redhat-upgrade-podman-catatonit-debuginfo redhat-upgrade-podman-debuginfo redhat-upgrade-podman-debugsource redhat-upgrade-podman-docker redhat-upgrade-podman-gvproxy redhat-upgrade-podman-gvproxy-debuginfo redhat-upgrade-podman-plugins redhat-upgrade-podman-plugins-debuginfo redhat-upgrade-podman-remote redhat-upgrade-podman-remote-debuginfo redhat-upgrade-podman-tests redhat-upgrade-python3-criu redhat-upgrade-python3-podman redhat-upgrade-runc redhat-upgrade-runc-debuginfo redhat-upgrade-runc-debugsource redhat-upgrade-skopeo redhat-upgrade-skopeo-debuginfo redhat-upgrade-skopeo-debugsource redhat-upgrade-skopeo-tests redhat-upgrade-slirp4netns redhat-upgrade-slirp4netns-debuginfo redhat-upgrade-slirp4netns-debugsource redhat-upgrade-toolbox redhat-upgrade-toolbox-debuginfo redhat-upgrade-toolbox-debugsource redhat-upgrade-toolbox-tests redhat-upgrade-udica References CVE-2023-39319 RHSA-2023:7762 RHSA-2023:7764 RHSA-2023:7765 RHSA-2023:7766 RHSA-2024:0121 RHSA-2024:2160 RHSA-2024:2988 View more

Red Hat: CVE-2023-39321: golang: crypto/tls: panic when processing post-handshake message on QUIC connections (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 09/08/2023 Created 12/14/2023 Added 12/13/2023 Modified 01/28/2025 Description Processing an incomplete post-handshake message for a QUIC connection can cause a panic. Solution(s) redhat-upgrade-aardvark-dns redhat-upgrade-buildah redhat-upgrade-buildah-debuginfo redhat-upgrade-buildah-debugsource redhat-upgrade-buildah-tests redhat-upgrade-buildah-tests-debuginfo redhat-upgrade-cockpit-podman redhat-upgrade-conmon redhat-upgrade-conmon-debuginfo redhat-upgrade-conmon-debugsource redhat-upgrade-container-selinux redhat-upgrade-containernetworking-plugins redhat-upgrade-containernetworking-plugins-debuginfo redhat-upgrade-containernetworking-plugins-debugsource redhat-upgrade-containers-common redhat-upgrade-crit redhat-upgrade-criu redhat-upgrade-criu-debuginfo redhat-upgrade-criu-debugsource redhat-upgrade-criu-devel redhat-upgrade-criu-libs redhat-upgrade-criu-libs-debuginfo redhat-upgrade-crun redhat-upgrade-crun-debuginfo redhat-upgrade-crun-debugsource redhat-upgrade-fuse-overlayfs redhat-upgrade-fuse-overlayfs-debuginfo redhat-upgrade-fuse-overlayfs-debugsource redhat-upgrade-libslirp redhat-upgrade-libslirp-debuginfo redhat-upgrade-libslirp-debugsource redhat-upgrade-libslirp-devel redhat-upgrade-netavark redhat-upgrade-oci-seccomp-bpf-hook redhat-upgrade-oci-seccomp-bpf-hook-debuginfo redhat-upgrade-oci-seccomp-bpf-hook-debugsource redhat-upgrade-podman redhat-upgrade-podman-catatonit redhat-upgrade-podman-catatonit-debuginfo redhat-upgrade-podman-debuginfo redhat-upgrade-podman-debugsource redhat-upgrade-podman-docker redhat-upgrade-podman-gvproxy redhat-upgrade-podman-gvproxy-debuginfo redhat-upgrade-podman-plugins redhat-upgrade-podman-plugins-debuginfo redhat-upgrade-podman-remote redhat-upgrade-podman-remote-debuginfo redhat-upgrade-podman-tests redhat-upgrade-python3-criu redhat-upgrade-python3-podman redhat-upgrade-runc redhat-upgrade-runc-debuginfo redhat-upgrade-runc-debugsource redhat-upgrade-skopeo redhat-upgrade-skopeo-debuginfo redhat-upgrade-skopeo-debugsource redhat-upgrade-skopeo-tests redhat-upgrade-slirp4netns redhat-upgrade-slirp4netns-debuginfo redhat-upgrade-slirp4netns-debugsource redhat-upgrade-toolbox redhat-upgrade-toolbox-debuginfo redhat-upgrade-toolbox-debugsource redhat-upgrade-toolbox-tests redhat-upgrade-udica References CVE-2023-39321 RHSA-2023:7762 RHSA-2023:7763 RHSA-2023:7764 RHSA-2023:7765 RHSA-2023:7766 RHSA-2024:0121 RHSA-2024:2988 View more

Red Hat: CVE-2023-39322: golang: crypto/tls: lack of a limit on buffered post-handshake (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 09/08/2023 Created 12/14/2023 Added 12/13/2023 Modified 01/28/2025 Description QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size. Solution(s) redhat-upgrade-aardvark-dns redhat-upgrade-buildah redhat-upgrade-buildah-debuginfo redhat-upgrade-buildah-debugsource redhat-upgrade-buildah-tests redhat-upgrade-buildah-tests-debuginfo redhat-upgrade-cockpit-podman redhat-upgrade-conmon redhat-upgrade-conmon-debuginfo redhat-upgrade-conmon-debugsource redhat-upgrade-container-selinux redhat-upgrade-containernetworking-plugins redhat-upgrade-containernetworking-plugins-debuginfo redhat-upgrade-containernetworking-plugins-debugsource redhat-upgrade-containers-common redhat-upgrade-crit redhat-upgrade-criu redhat-upgrade-criu-debuginfo redhat-upgrade-criu-debugsource redhat-upgrade-criu-devel redhat-upgrade-criu-libs redhat-upgrade-criu-libs-debuginfo redhat-upgrade-crun redhat-upgrade-crun-debuginfo redhat-upgrade-crun-debugsource redhat-upgrade-fuse-overlayfs redhat-upgrade-fuse-overlayfs-debuginfo redhat-upgrade-fuse-overlayfs-debugsource redhat-upgrade-libslirp redhat-upgrade-libslirp-debuginfo redhat-upgrade-libslirp-debugsource redhat-upgrade-libslirp-devel redhat-upgrade-netavark redhat-upgrade-oci-seccomp-bpf-hook redhat-upgrade-oci-seccomp-bpf-hook-debuginfo redhat-upgrade-oci-seccomp-bpf-hook-debugsource redhat-upgrade-podman redhat-upgrade-podman-catatonit redhat-upgrade-podman-catatonit-debuginfo redhat-upgrade-podman-debuginfo redhat-upgrade-podman-debugsource redhat-upgrade-podman-docker redhat-upgrade-podman-gvproxy redhat-upgrade-podman-gvproxy-debuginfo redhat-upgrade-podman-plugins redhat-upgrade-podman-plugins-debuginfo redhat-upgrade-podman-remote redhat-upgrade-podman-remote-debuginfo redhat-upgrade-podman-tests redhat-upgrade-python3-criu redhat-upgrade-python3-podman redhat-upgrade-runc redhat-upgrade-runc-debuginfo redhat-upgrade-runc-debugsource redhat-upgrade-skopeo redhat-upgrade-skopeo-debuginfo redhat-upgrade-skopeo-debugsource redhat-upgrade-skopeo-tests redhat-upgrade-slirp4netns redhat-upgrade-slirp4netns-debuginfo redhat-upgrade-slirp4netns-debugsource redhat-upgrade-toolbox redhat-upgrade-toolbox-debuginfo redhat-upgrade-toolbox-debugsource redhat-upgrade-toolbox-tests redhat-upgrade-udica References CVE-2023-39322 RHSA-2023:7762 RHSA-2023:7763 RHSA-2023:7764 RHSA-2023:7765 RHSA-2023:7766 RHSA-2024:0121 RHSA-2024:2988 View more

Gentoo Linux: CVE-2023-39319: Go: Multiple Vulnerabilities Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 09/08/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/30/2025 Description The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Solution(s) gentoo-linux-upgrade-dev-lang-go References https://attackerkb.com/topics/cve-2023-39319 CVE - 2023-39319 202311-09

Red Hat OpenShift: CVE-2023-39319: golang: html/template: improper handling of special tags within script contexts Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 09/08/2023 Created 11/01/2023 Added 11/01/2023 Modified 01/30/2025 Description The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Solution(s) linuxrpm-upgrade-buildah linuxrpm-upgrade-containernetworking-plugins linuxrpm-upgrade-microshift linuxrpm-upgrade-openshift-clients linuxrpm-upgrade-podman linuxrpm-upgrade-skopeo References https://attackerkb.com/topics/cve-2023-39319 CVE - 2023-39319 RHSA-2023:5008 RHSA-2023:5009 RHSA-2023:5947 RHSA-2023:5974 RHSA-2023:6085 RHSA-2023:6115 RHSA-2023:6119 RHSA-2023:6122 RHSA-2023:6145 RHSA-2023:6148 RHSA-2023:6154 RHSA-2023:6161 RHSA-2023:6200 RHSA-2023:6202 RHSA-2023:6840 RHSA-2023:7762 RHSA-2023:7764 RHSA-2023:7765 RHSA-2023:7766 RHSA-2024:0121 RHSA-2024:1383 RHSA-2024:1901 RHSA-2024:2160 RHSA-2024:2988 RHSA-2024:3352 RHSA-2024:3467 View more

CentOS Linux: CVE-2023-39318: Moderate: skopeo security update (Multiple Advisories) Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 09/08/2023 Created 12/14/2023 Added 12/13/2023 Modified 01/28/2025 Description The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack. Solution(s) centos-upgrade-aardvark-dns centos-upgrade-buildah centos-upgrade-buildah-debuginfo centos-upgrade-buildah-debugsource centos-upgrade-buildah-tests centos-upgrade-buildah-tests-debuginfo centos-upgrade-cockpit-podman centos-upgrade-conmon centos-upgrade-conmon-debuginfo centos-upgrade-conmon-debugsource centos-upgrade-container-selinux centos-upgrade-containernetworking-plugins centos-upgrade-containernetworking-plugins-debuginfo centos-upgrade-containernetworking-plugins-debugsource centos-upgrade-containers-common centos-upgrade-crit centos-upgrade-criu centos-upgrade-criu-debuginfo centos-upgrade-criu-debugsource centos-upgrade-criu-devel centos-upgrade-criu-libs centos-upgrade-criu-libs-debuginfo centos-upgrade-crun centos-upgrade-crun-debuginfo centos-upgrade-crun-debugsource centos-upgrade-fuse-overlayfs centos-upgrade-fuse-overlayfs-debuginfo centos-upgrade-fuse-overlayfs-debugsource centos-upgrade-libslirp centos-upgrade-libslirp-debuginfo centos-upgrade-libslirp-debugsource centos-upgrade-libslirp-devel centos-upgrade-netavark centos-upgrade-oci-seccomp-bpf-hook centos-upgrade-oci-seccomp-bpf-hook-debuginfo centos-upgrade-oci-seccomp-bpf-hook-debugsource centos-upgrade-podman centos-upgrade-podman-catatonit centos-upgrade-podman-catatonit-debuginfo centos-upgrade-podman-debuginfo centos-upgrade-podman-debugsource centos-upgrade-podman-docker centos-upgrade-podman-gvproxy centos-upgrade-podman-gvproxy-debuginfo centos-upgrade-podman-plugins centos-upgrade-podman-plugins-debuginfo centos-upgrade-podman-remote centos-upgrade-podman-remote-debuginfo centos-upgrade-podman-tests centos-upgrade-python3-criu centos-upgrade-python3-podman centos-upgrade-runc centos-upgrade-runc-debuginfo centos-upgrade-runc-debugsource centos-upgrade-skopeo centos-upgrade-skopeo-debuginfo centos-upgrade-skopeo-debugsource centos-upgrade-skopeo-tests centos-upgrade-slirp4netns centos-upgrade-slirp4netns-debuginfo centos-upgrade-slirp4netns-debugsource centos-upgrade-toolbox centos-upgrade-toolbox-debuginfo centos-upgrade-toolbox-debugsource centos-upgrade-toolbox-tests centos-upgrade-udica References CVE-2023-39318