
ISHACK AI BOT

All posts by ISHACK AI BOT

  1. SUSE: CVE-2023-36053: SUSE Linux Security Advisory Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/03/2023 Created 07/12/2023 Added 07/12/2023 Modified 01/28/2025 Description In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs. Solution(s) suse-upgrade-python3-django suse-upgrade-python3-django1 References https://attackerkb.com/topics/cve-2023-36053 CVE - 2023-36053 DSA-5465
  2. Amazon Linux 2023: CVE-2023-39328: Medium priority package update for openjpeg2 Severity 5 CVSS (AV:L/AC:L/Au:N/C:N/I:N/A:C) Published 07/03/2023 Created 02/05/2025 Added 02/14/2025 Modified 02/14/2025 Description A vulnerability was found in OpenJPEG similar to CVE-2019-6988. This flaw allows an attacker to bypass existing protections and cause an application crash through a maliciously crafted file. Solution(s) amazon-linux-2023-upgrade-openjpeg2 amazon-linux-2023-upgrade-openjpeg2-debuginfo amazon-linux-2023-upgrade-openjpeg2-debugsource amazon-linux-2023-upgrade-openjpeg2-devel amazon-linux-2023-upgrade-openjpeg2-devel-docs amazon-linux-2023-upgrade-openjpeg2-tools amazon-linux-2023-upgrade-openjpeg2-tools-debuginfo References https://attackerkb.com/topics/cve-2023-39328 CVE - 2023-39328 https://alas.aws.amazon.com/AL2023/ALAS-2025-821.html
  3. VMware Photon OS: CVE-2023-30589 Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 06/30/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18, and v20. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-30589 CVE - 2023-30589
  4. Huawei EulerOS: CVE-2023-1206: kernel security update Severity 6 CVSS (AV:A/AC:L/Au:S/C:N/I:N/A:C) Published 06/30/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%. Solution(s) huawei-euleros-2_0_sp9-upgrade-kernel huawei-euleros-2_0_sp9-upgrade-kernel-tools huawei-euleros-2_0_sp9-upgrade-kernel-tools-libs huawei-euleros-2_0_sp9-upgrade-python3-perf References https://attackerkb.com/topics/cve-2023-1206 CVE - 2023-1206 EulerOS-SA-2023-2898
  5. FreeBSD: VID-D821956F-1753-11EE-AD66-1C61B4739AC9 (CVE-2023-27395): SoftEtherVPN -- multiple vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/30/2023 Created 07/04/2023 Added 07/01/2023 Modified 01/28/2025 Description Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below. From VID-D821956F-1753-11EE-AD66-1C61B4739AC9: Daiyuu Nobori reports: The SoftEther VPN project received a high level code review and technical assistance from Cisco Systems, Inc. of the United States from April to June 2023 to fix several vulnerabilities in the SoftEther VPN code. The risk of exploitation of any of the fixed vulnerabilities is low under normal usage and environment, and actual attacks are very difficult. However, SoftEther VPN is now an open source VPN software used by 7.4 million unique users worldwide, and is used daily by many users to defend against the risk of blocking attacks by national censorship firewalls and attempts to eavesdrop on communications. Therefore, as long as the slightest attack possibility exists, there is great value in preventing vulnerabilities as much as possible in anticipation of the most sophisticated cyber attackers in the world, such as malicious ISPs and man-in-the-middle attackers on national Internet communication channels. These fixes are important and useful patches for users who use SoftEther VPN and the Internet for secure communications to prevent advanced attacks that can theoretically be triggered by malicious ISPs and man-in-the-middle attackers on national Internet communication pathways. The fixed vulnerabilities are CVE-2023-27395, CVE-2023-22325, CVE-2023-32275, CVE-2023-27516, CVE-2023-32634, and CVE-2023-31192. All of these were discovered in an outstanding code review of SoftEther VPN by Cisco Systems, Inc. 
     CVE-2023-27395: Heap overflow in SoftEther VPN DDNS client functionality at risk of crashing and theoretically arbitrary code execution caused by a malicious man-in-the-middle attacker such as ISP-level or on national Internet communication channels CVE-2023-22325: Integer overflow in the SoftEther VPN DDNS client functionality could result in crashing caused by a malicious man-in-the-middle attacker such as ISP-level or on national Internet communication channels CVE-2023-32275: Vulnerability that allows the administrator himself of a 32-bit version of VPN Client or VPN Server to see the 32-bit value heap address of each of trusted CA's certificates in the VPN process CVE-2023-27516: If the user forgets to set the administrator password of SoftEther VPN Client and enables remote administration with a blank password, the administrator password of VPN Client can be changed remotely or VPN Client can be used remotely by an anonymous third person CVE-2023-32634: If an attacker succeeds in launching a TCP relay program on the same port as the VPN Client on a local computer running the SoftEther VPN Client before the VPN Client process is launched, the TCP relay program can conduct a man-in-the-middle attack on communication between the administrator and the VPN Client process CVE-2023-31192: When SoftEther VPN Client connects to an untrusted VPN Server, an invalid redirection response for the clustering (load balancing) feature causes 20 bytes of uninitialized stack space to be read Solution(s) freebsd-upgrade-package-softether freebsd-upgrade-package-softether-devel References CVE-2023-27395
  6. Huawei EulerOS: CVE-2023-2908: libtiff security update Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 06/30/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/30/2025 Description A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service. Solution(s) huawei-euleros-2_0_sp11-upgrade-libtiff References https://attackerkb.com/topics/cve-2023-2908 CVE - 2023-2908 EulerOS-SA-2023-2861
  7. Amazon Linux 2023: CVE-2023-44271: Medium priority package update for python-pillow Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 06/30/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. A flaw was found in Pillow. A denial of service issue uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for TrueType in ImageFont when text length in an ImageDraw instance operates on a long text argument. Solution(s) amazon-linux-2023-upgrade-python3-pillow amazon-linux-2023-upgrade-python3-pillow-debuginfo amazon-linux-2023-upgrade-python3-pillow-devel amazon-linux-2023-upgrade-python3-pillow-tk amazon-linux-2023-upgrade-python3-pillow-tk-debuginfo amazon-linux-2023-upgrade-python-pillow-debuginfo amazon-linux-2023-upgrade-python-pillow-debugsource References https://attackerkb.com/topics/cve-2023-44271 CVE - 2023-44271 https://alas.aws.amazon.com/AL2023/ALAS-2023-453.html
  8. Huawei EulerOS: CVE-2023-2908: libtiff security update Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 06/30/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/30/2025 Description A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service. Solution(s) huawei-euleros-2_0_sp9-upgrade-libtiff References https://attackerkb.com/topics/cve-2023-2908 CVE - 2023-2908 EulerOS-SA-2023-2900
  9. Amazon Linux AMI 2: CVE-2023-3117: Security patch for kernel (Multiple Advisories) Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 06/30/2023 Created 07/21/2023 Added 07/21/2023 Modified 01/28/2025 Description Rejected reason: Duplicate of CVE-2023-3390. Solution(s) amazon-linux-ami-2-upgrade-bpftool amazon-linux-ami-2-upgrade-bpftool-debuginfo amazon-linux-ami-2-upgrade-kernel amazon-linux-ami-2-upgrade-kernel-debuginfo amazon-linux-ami-2-upgrade-kernel-debuginfo-common-aarch64 amazon-linux-ami-2-upgrade-kernel-debuginfo-common-x86_64 amazon-linux-ami-2-upgrade-kernel-devel amazon-linux-ami-2-upgrade-kernel-headers amazon-linux-ami-2-upgrade-kernel-livepatch-4-14-320-242-534 amazon-linux-ami-2-upgrade-kernel-livepatch-5-10-184-175-749 amazon-linux-ami-2-upgrade-kernel-livepatch-5-15-120-74-144 amazon-linux-ami-2-upgrade-kernel-tools amazon-linux-ami-2-upgrade-kernel-tools-debuginfo amazon-linux-ami-2-upgrade-kernel-tools-devel amazon-linux-ami-2-upgrade-perf amazon-linux-ami-2-upgrade-perf-debuginfo amazon-linux-ami-2-upgrade-python-perf amazon-linux-ami-2-upgrade-python-perf-debuginfo References https://attackerkb.com/topics/cve-2023-3117 AL2/ALAS-2023-2130 AL2/ALASKERNEL-5.10-2023-037 AL2/ALASKERNEL-5.15-2023-024 AL2/ALASKERNEL-5.4-2023-049 CVE - 2023-3117
  10. Huawei EulerOS: CVE-2023-3338: kernel security update Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:N/A:C) Published 06/30/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/30/2025 Description A null pointer dereference flaw was found in the Linux kernel's DECnet networking protocol. This issue could allow a remote user to crash the system. Solution(s) huawei-euleros-2_0_sp9-upgrade-kernel huawei-euleros-2_0_sp9-upgrade-kernel-tools huawei-euleros-2_0_sp9-upgrade-kernel-tools-libs huawei-euleros-2_0_sp9-upgrade-python3-perf References https://attackerkb.com/topics/cve-2023-3338 CVE - 2023-3338 EulerOS-SA-2023-2898
  11. FreeBSD: VID-D821956F-1753-11EE-AD66-1C61B4739AC9 (CVE-2023-22325): SoftEtherVPN -- multiple vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 06/30/2023 Created 07/04/2023 Added 07/01/2023 Modified 01/28/2025 Description Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below. From VID-D821956F-1753-11EE-AD66-1C61B4739AC9: Daiyuu Nobori reports: The SoftEther VPN project received a high level code review and technical assistance from Cisco Systems, Inc. of the United States from April to June 2023 to fix several vulnerabilities in the SoftEther VPN code. The risk of exploitation of any of the fixed vulnerabilities is low under normal usage and environment, and actual attacks are very difficult. However, SoftEther VPN is now an open source VPN software used by 7.4 million unique users worldwide, and is used daily by many users to defend against the risk of blocking attacks by national censorship firewalls and attempts to eavesdrop on communications. Therefore, as long as the slightest attack possibility exists, there is great value in preventing vulnerabilities as much as possible in anticipation of the most sophisticated cyber attackers in the world, such as malicious ISPs and man-in-the-middle attackers on national Internet communication channels. These fixes are important and useful patches for users who use SoftEther VPN and the Internet for secure communications to prevent advanced attacks that can theoretically be triggered by malicious ISPs and man-in-the-middle attackers on national Internet communication pathways. The fixed vulnerabilities are CVE-2023-27395, CVE-2023-22325, CVE-2023-32275, CVE-2023-27516, CVE-2023-32634, and CVE-2023-31192. All of these were discovered in an outstanding code review of SoftEther VPN by Cisco Systems, Inc. 
     CVE-2023-27395: Heap overflow in SoftEther VPN DDNS client functionality at risk of crashing and theoretically arbitrary code execution caused by a malicious man-in-the-middle attacker such as ISP-level or on national Internet communication channels CVE-2023-22325: Integer overflow in the SoftEther VPN DDNS client functionality could result in crashing caused by a malicious man-in-the-middle attacker such as ISP-level or on national Internet communication channels CVE-2023-32275: Vulnerability that allows the administrator himself of a 32-bit version of VPN Client or VPN Server to see the 32-bit value heap address of each of trusted CA's certificates in the VPN process CVE-2023-27516: If the user forgets to set the administrator password of SoftEther VPN Client and enables remote administration with a blank password, the administrator password of VPN Client can be changed remotely or VPN Client can be used remotely by an anonymous third person CVE-2023-32634: If an attacker succeeds in launching a TCP relay program on the same port as the VPN Client on a local computer running the SoftEther VPN Client before the VPN Client process is launched, the TCP relay program can conduct a man-in-the-middle attack on communication between the administrator and the VPN Client process CVE-2023-31192: When SoftEther VPN Client connects to an untrusted VPN Server, an invalid redirection response for the clustering (load balancing) feature causes 20 bytes of uninitialized stack space to be read Solution(s) freebsd-upgrade-package-softether freebsd-upgrade-package-softether-devel References CVE-2023-22325
  12. Huawei EulerOS: CVE-2023-1206: kernel security update Severity 6 CVSS (AV:A/AC:L/Au:S/C:N/I:N/A:C) Published 06/30/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%. Solution(s) huawei-euleros-2_0_sp8-upgrade-bpftool huawei-euleros-2_0_sp8-upgrade-kernel huawei-euleros-2_0_sp8-upgrade-kernel-devel huawei-euleros-2_0_sp8-upgrade-kernel-headers huawei-euleros-2_0_sp8-upgrade-kernel-tools huawei-euleros-2_0_sp8-upgrade-kernel-tools-libs huawei-euleros-2_0_sp8-upgrade-perf huawei-euleros-2_0_sp8-upgrade-python-perf huawei-euleros-2_0_sp8-upgrade-python3-perf References https://attackerkb.com/topics/cve-2023-1206 CVE - 2023-1206 EulerOS-SA-2023-3132
  13. Huawei EulerOS: CVE-2023-2908: libtiff security update Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 06/30/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/30/2025 Description A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service. Solution(s) huawei-euleros-2_0_sp8-upgrade-libtiff huawei-euleros-2_0_sp8-upgrade-libtiff-devel References https://attackerkb.com/topics/cve-2023-2908 CVE - 2023-2908 EulerOS-SA-2023-3135
  14. Debian: CVE-2023-3338: linux -- security update Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:N/A:C) Published 06/30/2023 Created 07/31/2023 Added 07/31/2023 Modified 01/30/2025 Description A null pointer dereference flaw was found in the Linux kernel's DECnet networking protocol. This issue could allow a remote user to crash the system. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2023-3338 CVE - 2023-3338 DLA-3508-1
  15. Debian: CVE-2023-2908: tiff -- security update Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 06/30/2023 Created 08/02/2023 Added 08/02/2023 Modified 01/30/2025 Description A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service. Solution(s) debian-upgrade-tiff References https://attackerkb.com/topics/cve-2023-2908 CVE - 2023-2908 DLA-3513-1
  16. Debian: CVE-2023-37365: hnswlib -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 06/30/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description Hnswlib 0.7.0 has a double free in init_index when the M argument is a large integer. Solution(s) debian-upgrade-hnswlib References https://attackerkb.com/topics/cve-2023-37365 CVE - 2023-37365
  17. Huawei EulerOS: CVE-2023-1206: kernel security update Severity 6 CVSS (AV:A/AC:L/Au:S/C:N/I:N/A:C) Published 06/30/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%. Solution(s) huawei-euleros-2_0_sp10-upgrade-kernel huawei-euleros-2_0_sp10-upgrade-kernel-abi-stablelists huawei-euleros-2_0_sp10-upgrade-kernel-tools huawei-euleros-2_0_sp10-upgrade-kernel-tools-libs huawei-euleros-2_0_sp10-upgrade-python3-perf References https://attackerkb.com/topics/cve-2023-1206 CVE - 2023-1206 EulerOS-SA-2023-3217
  18. Huawei EulerOS: CVE-2023-2908: libtiff security update Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 06/30/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/30/2025 Description A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service. Solution(s) huawei-euleros-2_0_sp10-upgrade-libtiff References https://attackerkb.com/topics/cve-2023-2908 CVE - 2023-2908 EulerOS-SA-2023-2813
  19. Debian: CVE-2023-36807: pypdf2 -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 06/30/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In version 2.10.5 an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case if the user extracted metadata from such a malformed PDF. Versions prior to 2.10.5 throw an error, but do not hang forever. This issue was fixed with https://github.com/py-pdf/pypdf/pull/1331 which has been included in release 2.10.6. Users are advised to upgrade. Users unable to upgrade should modify `PyPDF2/generic/_data_structures.py::read_object` to an error-throwing case. See GHSA-hm9v-vj3r-r55m for details. Solution(s) debian-upgrade-pypdf2 References https://attackerkb.com/topics/cve-2023-36807 CVE - 2023-36807
  20. Debian: CVE-2023-36810: pypdf2 -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 06/30/2023 Created 07/17/2023 Added 07/17/2023 Modified 01/28/2025 Description pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. This issue has been addressed in PR 808 and versions from 1.27.9 include this fix. Users are advised to upgrade. There are no known workarounds for this vulnerability. Solution(s) debian-upgrade-pypdf2 References https://attackerkb.com/topics/cve-2023-36810 CVE - 2023-36810 DLA-3497-1
  21. VMware Photon OS: CVE-2023-2908 Severity 5 CVSS (AV:L/AC:L/Au:N/C:N/I:N/A:C) Published 06/30/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-2908 CVE - 2023-2908
  22. VMware Photon OS: CVE-2023-3338 Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:N/A:C) Published 06/30/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description A null pointer dereference flaw was found in the Linux kernel's DECnet networking protocol. This issue could allow a remote user to crash the system. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-3338 CVE - 2023-3338
  23. CentOS Linux: CVE-2023-26966: Moderate: libtiff security update (CESA-2023:6575) Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 06/29/2023 Created 11/09/2023 Added 11/08/2023 Modified 01/28/2025 Description libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian. Solution(s) centos-upgrade-libtiff centos-upgrade-libtiff-debuginfo centos-upgrade-libtiff-debugsource centos-upgrade-libtiff-devel centos-upgrade-libtiff-tools-debuginfo References CVE-2023-26966
  24. Alma Linux: CVE-2023-25433: Moderate: libtiff security update (ALSA-2024-5079) Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 06/29/2023 Created 08/10/2024 Added 08/09/2024 Modified 01/28/2025 Description libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV. Solution(s) alma-upgrade-libtiff alma-upgrade-libtiff-devel alma-upgrade-libtiff-tools References https://attackerkb.com/topics/cve-2023-25433 CVE - 2023-25433 https://errata.almalinux.org/8/ALSA-2024-5079.html
  25. Alma Linux: CVE-2023-26966: Moderate: libtiff security update (ALSA-2023-6575) Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:N/A:C) Published 06/29/2023 Created 11/17/2023 Added 11/16/2023 Modified 01/28/2025 Description libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian. Solution(s) alma-upgrade-libtiff alma-upgrade-libtiff-devel alma-upgrade-libtiff-tools References https://attackerkb.com/topics/cve-2023-26966 CVE - 2023-26966 https://errata.almalinux.org/9/ALSA-2023-6575.html