All posts by ISHACK AI BOT
-
Oracle Linux: CVE-2023-4042: ELSA-2023-7053: ghostscript security and bug fix update (MODERATE) (Multiple Advisories)
Severity: 5
CVSS: (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Published: 08/23/2023 | Created: 11/25/2023 | Added: 11/23/2023 | Modified: 11/30/2024
Description: A flaw was found in ghostscript. The fix for CVE-2020-16305 in ghostscript was not included in the RHSA-2021:1852-06 advisory as it was claimed to be. This issue only affects the ghostscript package as shipped with Red Hat Enterprise Linux 8.
Solution(s): oracle-linux-upgrade-ghostscript, oracle-linux-upgrade-ghostscript-doc, oracle-linux-upgrade-ghostscript-tools-dvipdf, oracle-linux-upgrade-ghostscript-tools-fonts, oracle-linux-upgrade-ghostscript-tools-printing, oracle-linux-upgrade-ghostscript-x11, oracle-linux-upgrade-libgs, oracle-linux-upgrade-libgs-devel
References: https://attackerkb.com/topics/cve-2023-4042 ; CVE-2023-4042 ; ELSA-2023-7053
-
IBM AIX: openssh_advisory15 (CVE-2023-40371): Vulnerabilities in OpenSSH affect AIX
Severity: 5
CVSS: (AV:L/AC:L/Au:S/C:C/I:N/A:N)
Published: 08/23/2023 | Created: 08/24/2023 | Added: 08/24/2023 | Modified: 01/30/2025
Description: The OpenSSH implementation in IBM AIX 7.2, 7.3 and VIOS 3.1 could allow a non-privileged local user to access files outside of those allowed due to improper access controls. IBM X-Force ID: 263476.
Solution(s): ibm-aix-openssh_advisory15
References: https://attackerkb.com/topics/cve-2023-40371 ; CVE-2023-40371 ; https://aix.software.ibm.com/aix/efixes/security/openssh_advisory15.asc
-
Microsoft Edge Chromium: CVE-2023-4429: Use after free in Loader
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 08/23/2023 | Created: 08/28/2023 | Added: 08/28/2023 | Modified: 01/28/2025
Description: Use after free in Loader in Google Chrome prior to 116.0.5845.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution(s): microsoft-edge-upgrade-latest
References: https://attackerkb.com/topics/cve-2023-4429 ; CVE-2023-4429 ; https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4429
-
Google Chrome Vulnerability: CVE-2023-4431 Out of bounds memory access in Fonts
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:N/A:C)
Published: 08/23/2023 | Created: 08/28/2023 | Added: 08/28/2023 | Modified: 01/28/2025
Description: Out of bounds memory access in Fonts in Google Chrome prior to 116.0.5845.110 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
Solution(s): google-chrome-upgrade-latest
References: https://attackerkb.com/topics/cve-2023-4431 ; CVE-2023-4431
-
CentOS Linux: CVE-2022-40433: Moderate: java-1.8.0-openjdk security update (Multiple Advisories)
Severity: 6
CVSS: (AV:N/AC:L/Au:M/C:N/I:N/A:C)
Published: 08/22/2023 | Created: 11/01/2023 | Added: 11/01/2023 | Modified: 01/28/2025
Description: An issue was discovered in the function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, which allows attackers to cause a denial of service. Note: the vendor states that this is Defense in Depth at most, due to the nature of the issue and the special circumstances required (the server must be running particular code locally, code compiled with a very old version of javac, etc.).
Solution(s): centos-upgrade-java-1-8-0-openjdk, centos-upgrade-java-1-8-0-openjdk-accessibility, centos-upgrade-java-1-8-0-openjdk-debuginfo, centos-upgrade-java-1-8-0-openjdk-debugsource, centos-upgrade-java-1-8-0-openjdk-demo, centos-upgrade-java-1-8-0-openjdk-demo-debuginfo, centos-upgrade-java-1-8-0-openjdk-devel, centos-upgrade-java-1-8-0-openjdk-devel-debuginfo, centos-upgrade-java-1-8-0-openjdk-headless, centos-upgrade-java-1-8-0-openjdk-headless-debuginfo, centos-upgrade-java-1-8-0-openjdk-javadoc, centos-upgrade-java-1-8-0-openjdk-javadoc-zip, centos-upgrade-java-1-8-0-openjdk-src
References: CVE-2022-40433
-
Amazon Linux AMI 2: CVE-2020-18831: Security patch for exiv2 (ALAS-2023-2284)
Severity: 7
CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Published: 08/22/2023 | Created: 10/06/2023 | Added: 10/06/2023 | Modified: 01/28/2025
Description: Buffer overflow vulnerability in the tEXtToDataBuf function in pngimage.cpp in Exiv2 0.27.1 allows remote attackers to cause a denial of service and other unspecified impacts via a crafted file.
Solution(s): amazon-linux-ami-2-upgrade-exiv2, amazon-linux-ami-2-upgrade-exiv2-debuginfo, amazon-linux-ami-2-upgrade-exiv2-devel, amazon-linux-ami-2-upgrade-exiv2-doc, amazon-linux-ami-2-upgrade-exiv2-libs
References: https://attackerkb.com/topics/cve-2020-18831 ; AL2/ALAS-2023-2284 ; CVE-2020-18831
-
Alma Linux: CVE-2022-48554: Low: file security update (ALSA-2024-2512)
Severity: 5
CVSS: (AV:L/AC:M/Au:N/C:N/I:N/A:C)
Published: 08/22/2023 | Created: 05/08/2024 | Added: 05/08/2024 | Modified: 01/30/2025
Description: File before 5.43 has a stack-based buffer over-read in file_copystr in funcs.c. NOTE: "File" is the name of an Open Source project.
Solution(s): alma-upgrade-file, alma-upgrade-file-devel, alma-upgrade-file-libs, alma-upgrade-python3-file-magic
References: https://attackerkb.com/topics/cve-2022-48554 ; CVE-2022-48554 ; https://errata.almalinux.org/9/ALSA-2024-2512.html
-
OS X update for ncurses (CVE-2020-19186)
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 08/22/2023 | Created: 12/13/2023 | Added: 12/12/2023 | Modified: 01/28/2025
Description: Buffer overflow vulnerability in the _nc_find_entry function in tinfo/comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a denial of service via a crafted command.
Solution(s): apple-osx-upgrade-12_7_2, apple-osx-upgrade-13_6_3, apple-osx-upgrade-14_2
References: https://attackerkb.com/topics/cve-2020-19186 ; CVE-2020-19186 ; https://support.apple.com/kb/HT214036 ; https://support.apple.com/kb/HT214037 ; https://support.apple.com/kb/HT214038
-
OS X update for ncurses (CVE-2020-19187)
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 08/22/2023 | Created: 12/13/2023 | Added: 12/12/2023 | Modified: 01/28/2025
Description: Buffer overflow vulnerability in the fmt_entry function in progs/dump_entry.c:1100 in ncurses 6.1 allows remote attackers to cause a denial of service via a crafted command.
Solution(s): apple-osx-upgrade-12_7_2, apple-osx-upgrade-13_6_3, apple-osx-upgrade-14_2
References: https://attackerkb.com/topics/cve-2020-19187 ; CVE-2020-19187 ; https://support.apple.com/kb/HT214036 ; https://support.apple.com/kb/HT214037 ; https://support.apple.com/kb/HT214038
-
OS X update for ncurses (CVE-2020-19190)
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 08/22/2023 | Created: 12/13/2023 | Added: 12/12/2023 | Modified: 01/28/2025
Description: Buffer overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in ncurses 6.1 allows remote attackers to cause a denial of service via a crafted command.
Solution(s): apple-osx-upgrade-12_7_2, apple-osx-upgrade-13_6_3, apple-osx-upgrade-14_2
References: https://attackerkb.com/topics/cve-2020-19190 ; CVE-2020-19190 ; https://support.apple.com/kb/HT214036 ; https://support.apple.com/kb/HT214037 ; https://support.apple.com/kb/HT214038
-
Gentoo Linux: CVE-2022-44729: Apache Batik: Multiple Vulnerabilities
Severity: 6
CVSS: (AV:L/AC:M/Au:N/C:C/I:N/A:C)
Published: 08/22/2023 | Created: 01/09/2024 | Added: 01/08/2024 | Modified: 01/28/2025
Description: Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik 1.16. On version 1.16, a malicious SVG could trigger loading of external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.
Solution(s): gentoo-linux-upgrade-dev-java-batik
References: https://attackerkb.com/topics/cve-2022-44729 ; CVE-2022-44729 ; 202401-11
-
OS X update for Model I/O (CVE-2020-19190)
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 08/22/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
Description: Deprecated
Solution(s): (none listed)
-
OS X update for IOUSBDeviceFamily (CVE-2020-19186)
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 08/22/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
Description: Deprecated
Solution(s): (none listed)
-
Debian: CVE-2021-32421: dpic -- security update
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 08/22/2023 | Created: 07/31/2024 | Added: 07/30/2024 | Modified: 01/28/2025
Description: dpic 2021.01.01 has a heap use-after-free in the deletestringbox() function in dpic.y.
Solution(s): debian-upgrade-dpic
References: https://attackerkb.com/topics/cve-2021-32421 ; CVE-2021-32421
-
FreeBSD: VID-4B3A8E7D-9372-11EF-87AD-A8A15998B5CB (CVE-2022-47022): hwloc2 -- Denial of service or other unspecified impacts
Severity: 4
CVSS: (AV:L/AC:M/Au:S/C:N/I:N/A:C)
Published: 08/22/2023 | Created: 11/01/2024 | Added: 10/31/2024 | Modified: 01/28/2025
Description: An issue was discovered in open-mpi hwloc 2.1.0 that allows attackers to cause a denial of service or other unspecified impacts via glibc-cpuset in topology-linux.c.
Solution(s): freebsd-upgrade-package-hwloc2
References: CVE-2022-47022
-
FreeBSD: VID-A57472BA-4D84-11EE-BF05-000C29DE725B (CVE-2023-40217): Python -- multiple vulnerabilities
Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published: 08/22/2023 | Created: 09/11/2023 | Added: 09/08/2023 | Modified: 01/28/2025
Description: An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
Solution(s): freebsd-upgrade-package-python310, freebsd-upgrade-package-python311, freebsd-upgrade-package-python38, freebsd-upgrade-package-python39
References: CVE-2023-40217
-
VMware Photon OS: CVE-2020-35342
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published: 08/22/2023 | Created: 01/21/2025 | Added: 01/20/2025 | Modified: 02/04/2025
Description: GNU Binutils before 2.34 has an uninitialized-heap vulnerability in the function tic4x_print_cond (file opcodes/tic4x-dis.c) which could allow attackers to cause an information leak.
Solution(s): vmware-photon_os_update_tdnf
References: https://attackerkb.com/topics/cve-2020-35342 ; CVE-2020-35342
-
Alma Linux: CVE-2020-22217: Moderate: c-ares security update (ALSA-2023-7207)
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 08/22/2023 | Created: 11/29/2023 | Added: 11/28/2023 | Modified: 01/28/2025
Description: Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via the function ares_parse_soa_reply in ares_parse_soa_reply.c.
Solution(s): alma-upgrade-c-ares, alma-upgrade-c-ares-devel
References: https://attackerkb.com/topics/cve-2020-22217 ; CVE-2020-22217 ; https://errata.almalinux.org/8/ALSA-2023-7207.html
-
Ubuntu: (Multiple Advisories) (CVE-2022-45703): GNU binutils vulnerabilities
Severity: 7
CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Published: 08/22/2023 | Created: 09/20/2023 | Added: 09/19/2023 | Modified: 01/28/2025
Description: Heap buffer overflow vulnerability in binutils readelf before 2.40 via the function display_debug_section in file readelf.c.
Solution(s): ubuntu-pro-upgrade-binutils, ubuntu-pro-upgrade-binutils-multiarch
References: https://attackerkb.com/topics/cve-2022-45703 ; CVE-2022-45703 ; USN-6381-1 ; USN-6581-1
-
Ubuntu: (Multiple Advisories) (CVE-2022-44840): GNU binutils vulnerabilities
Severity: 7
CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Published: 08/22/2023 | Created: 09/20/2023 | Added: 09/19/2023 | Modified: 01/28/2025
Description: Heap buffer overflow vulnerability in binutils readelf before 2.40 via the function find_section_in_set in file readelf.c.
Solution(s): ubuntu-pro-upgrade-binutils, ubuntu-pro-upgrade-binutils-multiarch
References: https://attackerkb.com/topics/cve-2022-44840 ; CVE-2022-44840 ; USN-6381-1 ; USN-6581-1
-
SUSE: CVE-2022-40090: SUSE Linux Security Advisory
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 08/22/2023 | Created: 12/14/2023 | Added: 12/13/2023 | Modified: 01/28/2025
Description: An issue was discovered in the function TIFFReadDirectory in libtiff before 4.4.0 that allows attackers to cause a denial of service via a crafted TIFF file.
Solution(s): suse-upgrade-libtiff-devel, suse-upgrade-libtiff-devel-32bit, suse-upgrade-libtiff5, suse-upgrade-libtiff5-32bit, suse-upgrade-tiff
References: https://attackerkb.com/topics/cve-2022-40090 ; CVE-2022-40090
-
VMware Photon OS: CVE-2020-21490
Severity: 5
CVSS: (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Published: 08/22/2023 | Created: 01/21/2025 | Added: 01/20/2025 | Modified: 02/04/2025
Description: An issue was discovered in GNU Binutils 2.34. It is a memory leak in the processing done by microblaze-dis.c, which consumes memory on each insn disassembled.
Solution(s): vmware-photon_os_update_tdnf
References: https://attackerkb.com/topics/cve-2020-21490 ; CVE-2020-21490
-
OS X update for Accessibility (CVE-2020-19186)
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 08/22/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
Description: Deprecated
Solution(s): (none listed)
-
SUSE: CVE-2020-18651: SUSE Linux Security Advisory
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 08/22/2023 | Created: 08/16/2024 | Added: 08/09/2024 | Modified: 01/28/2025
Description: Buffer overflow vulnerability in the function ID3_Support::ID3v2Frame::getFrameValue in exempi 2.5.0 and earlier allows remote attackers to cause a denial of service via opening of a crafted audio file with an ID3V2 frame.
Solution(s): suse-upgrade-exempi-tools, suse-upgrade-libexempi-devel, suse-upgrade-libexempi3, suse-upgrade-libexempi3-32bit
References: https://attackerkb.com/topics/cve-2020-18651 ; CVE-2020-18651
-
OS X update for Accounts (CVE-2020-19190)
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published: 08/22/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
Description: Deprecated
Solution(s): (none listed)