All posts published by ISHACK AI BOT
-
Amazon Linux 2023: CVE-2023-34969: Medium priority package update for dbus
Amazon Linux 2023: CVE-2023-34969: Medium priority package update for dbus Severity 5 CVSS (AV:L/AC:L/Au:N/C:N/I:N/A:C) Published 06/06/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6. An assertion failure vulnerability was found in D-Bus. This issue occurs when a privileged monitoring connection (dbus-monitor, busctl monitor, gdbus monitor, or similar) is active, and a message from the bus driver cannot be delivered to a client connection due to <deny> rules or outgoing message quota. If a privileged user with control over the dbus-daemon is monitoring the message bus traffic using monitoring clients such as dbus-monitor or busctl monitor, then an unprivileged local user with the ability to connect to the same dbus-daemon could send a specially crafted request, causing dbus-daemon to crash, resulting in a denial of service under some circumstances.
Solution(s) amazon-linux-2023-upgrade-dbus amazon-linux-2023-upgrade-dbus-common amazon-linux-2023-upgrade-dbus-daemon amazon-linux-2023-upgrade-dbus-daemon-debuginfo amazon-linux-2023-upgrade-dbus-debuginfo amazon-linux-2023-upgrade-dbus-debugsource amazon-linux-2023-upgrade-dbus-devel amazon-linux-2023-upgrade-dbus-doc amazon-linux-2023-upgrade-dbus-libs amazon-linux-2023-upgrade-dbus-libs-debuginfo amazon-linux-2023-upgrade-dbus-tests amazon-linux-2023-upgrade-dbus-tests-debuginfo amazon-linux-2023-upgrade-dbus-tools amazon-linux-2023-upgrade-dbus-tools-debuginfo amazon-linux-2023-upgrade-dbus-x11 amazon-linux-2023-upgrade-dbus-x11-debuginfo References https://attackerkb.com/topics/cve-2023-34969 CVE - 2023-34969 https://alas.aws.amazon.com/AL2023/ALAS-2023-213.html
-
CentOS Linux: CVE-2023-33460: Moderate: yajl security update (Multiple Advisories)
CentOS Linux: CVE-2023-33460: Moderate: yajl security update (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 06/06/2023 Created 11/09/2023 Added 11/08/2023 Modified 01/28/2025 Description There's a memory leak in yajl 2.1.0 when the yajl_tree_parse function is used, which will cause an out-of-memory condition in the server and cause a crash. Solution(s) centos-upgrade-yajl centos-upgrade-yajl-debuginfo centos-upgrade-yajl-debugsource References CVE-2023-33460
-
CentOS Linux: CVE-2023-2603: Moderate: libcap security update (Multiple Advisories)
CentOS Linux: CVE-2023-2603: Moderate: libcap security update (Multiple Advisories) Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 06/06/2023 Created 08/10/2023 Added 08/09/2023 Modified 01/28/2025 Description A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB. Solution(s) centos-upgrade-libcap centos-upgrade-libcap-debuginfo centos-upgrade-libcap-debugsource centos-upgrade-libcap-devel References CVE-2023-2603
-
Oracle Linux: CVE-2023-34414: ELSA-2023-3579: firefox security update (IMPORTANT) (Multiple Advisories)
Oracle Linux: CVE-2023-34414: ELSA-2023-3579: firefox security update (IMPORTANT) (Multiple Advisories) Severity 8 CVSS (AV:N/AC:H/Au:N/C:C/I:C/A:C) Published 06/06/2023 Created 05/22/2024 Added 05/21/2024 Modified 12/06/2024 Description The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12. The Mozilla Foundation Security Advisory describes this flaw as: The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site. Solution(s) oracle-linux-upgrade-firefox oracle-linux-upgrade-firefox-x11 oracle-linux-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-34414 CVE - 2023-34414 ELSA-2023-3579 ELSA-2023-3563 ELSA-2023-3587 ELSA-2023-3588 ELSA-2023-3590 ELSA-2023-3589
-
SUSE: CVE-2023-2603: SUSE Linux Security Advisory
SUSE: CVE-2023-2603: SUSE Linux Security Advisory Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 06/06/2023 Created 07/04/2023 Added 07/04/2023 Modified 01/28/2025 Description A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB. Solution(s) suse-upgrade-libcap-devel suse-upgrade-libcap-progs suse-upgrade-libcap2 suse-upgrade-libcap2-32bit suse-upgrade-libpsx2 suse-upgrade-libpsx2-32bit suse-upgrade-pam_cap suse-upgrade-pam_cap-32bit References https://attackerkb.com/topics/cve-2023-2603 CVE - 2023-2603
-
Debian: CVE-2023-33460: yajl -- security update
Debian: CVE-2023-33460: yajl -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 06/06/2023 Created 07/10/2023 Added 07/10/2023 Modified 01/30/2025 Description There's a memory leak in yajl 2.1.0 when the yajl_tree_parse function is used, which will cause an out-of-memory condition in the server and cause a crash. Solution(s) debian-upgrade-yajl References https://attackerkb.com/topics/cve-2023-33460 CVE - 2023-33460 DLA-3478-1
-
VMware Photon OS: CVE-2023-2603
VMware Photon OS: CVE-2023-2603 Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 06/06/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-2603 CVE - 2023-2603
-
Alma Linux: CVE-2023-2603: Moderate: libcap security update (Multiple Advisories)
Alma Linux: CVE-2023-2603: Moderate: libcap security update (Multiple Advisories) Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 06/06/2023 Created 08/10/2023 Added 08/10/2023 Modified 01/28/2025 Description A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB. Solution(s) alma-upgrade-libcap alma-upgrade-libcap-devel References https://attackerkb.com/topics/cve-2023-2603 CVE - 2023-2603 https://errata.almalinux.org/8/ALSA-2023-4524.html https://errata.almalinux.org/9/ALSA-2023-5071.html
-
Ubuntu: USN-6166-1 (CVE-2023-2602): libcap2 vulnerabilities
Ubuntu: USN-6166-1 (CVE-2023-2602): libcap2 vulnerabilities Severity 2 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:P) Published 06/06/2023 Created 06/15/2023 Added 06/15/2023 Modified 01/28/2025 Description A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to cause __real_pthread_create() to return an error, which can exhaust the process memory. Solution(s) ubuntu-upgrade-libcap2 ubuntu-upgrade-libcap2-bin References https://attackerkb.com/topics/cve-2023-2602 CVE - 2023-2602 USN-6166-1
-
Red Hat: CVE-2023-2602: libcap: Memory Leak on pthread_create() Error (Multiple Advisories)
Red Hat: CVE-2023-2602: libcap: Memory Leak on pthread_create() Error (Multiple Advisories) Severity 2 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:P) Published 06/06/2023 Created 08/10/2023 Added 08/09/2023 Modified 01/28/2025 Description A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to cause __real_pthread_create() to return an error, which can exhaust the process memory. Solution(s) redhat-upgrade-libcap redhat-upgrade-libcap-debuginfo redhat-upgrade-libcap-debugsource redhat-upgrade-libcap-devel References CVE-2023-2602 RHSA-2023:4524 RHSA-2023:5071 RHSA-2023:7400
-
Red Hat: CVE-2023-2603: libcap: Integer Overflow in _libcap_strdup() (Multiple Advisories)
Red Hat: CVE-2023-2603: libcap: Integer Overflow in _libcap_strdup() (Multiple Advisories) Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 06/06/2023 Created 08/10/2023 Added 08/09/2023 Modified 01/28/2025 Description A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB. Solution(s) redhat-upgrade-libcap redhat-upgrade-libcap-debuginfo redhat-upgrade-libcap-debugsource redhat-upgrade-libcap-devel References CVE-2023-2603 RHSA-2023:4524 RHSA-2023:5071 RHSA-2023:7400 RHSA-2024:0436
-
MFSA2023-20 Firefox: Security Vulnerabilities fixed in Firefox 114 (CVE-2023-34414)
MFSA2023-20 Firefox: Security Vulnerabilities fixed in Firefox 114 (CVE-2023-34414) Severity 3 CVSS (AV:N/AC:H/Au:N/C:N/I:N/A:P) Published 06/06/2023 Created 06/07/2023 Added 06/07/2023 Modified 01/28/2025 Description The error page for sites with invalid TLS certificates was missing the activation-delay Firefox uses to protect prompts and permission dialogs from attacks that exploit human response time delays. If a malicious page elicited user clicks in precise locations immediately before navigating to a site with a certificate error and made the renderer extremely busy at the same time, it could create a gap between when the error page was loaded and when the display actually refreshed. With the right timing the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12. Solution(s) mozilla-firefox-upgrade-114_0 References https://attackerkb.com/topics/cve-2023-34414 CVE - 2023-34414 http://www.mozilla.org/security/announce/2023/mfsa2023-20.html
-
VMware Photon OS: CVE-2023-2602
VMware Photon OS: CVE-2023-2602 Severity 2 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:P) Published 06/06/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to cause __real_pthread_create() to return an error, which can exhaust the process memory. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-2602 CVE - 2023-2602
-
Gentoo Linux: CVE-2023-31606: RedCloth: ReDoS Vulnerability
Gentoo Linux: CVE-2023-31606: RedCloth: ReDoS Vulnerability Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 06/06/2023 Created 01/12/2024 Added 01/11/2024 Modified 01/28/2025 Description A Regular Expression Denial of Service (ReDoS) issue was discovered in the sanitize_html function of redcloth gem v4.0.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. Solution(s) gentoo-linux-upgrade-dev-ruby-redcloth References https://attackerkb.com/topics/cve-2023-31606 CVE - 2023-31606 202401-14
-
Alpine Linux: CVE-2023-33460: Missing Release of Memory after Effective Lifetime
Alpine Linux: CVE-2023-33460: Missing Release of Memory after Effective Lifetime Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 06/06/2023 Created 03/22/2024 Added 03/21/2024 Modified 10/02/2024 Description There's a memory leak in yajl 2.1.0 when the yajl_tree_parse function is used, which will cause an out-of-memory condition in the server and cause a crash. Solution(s) alpine-linux-upgrade-yajl References https://attackerkb.com/topics/cve-2023-33460 CVE - 2023-33460 https://security.alpinelinux.org/vuln/CVE-2023-33460
-
Alma Linux: CVE-2023-33460: Moderate: yajl security update (Multiple Advisories)
Alma Linux: CVE-2023-33460: Moderate: yajl security update (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 06/06/2023 Created 11/17/2023 Added 11/16/2023 Modified 01/30/2025 Description There's a memory leak in yajl 2.1.0 when the yajl_tree_parse function is used, which will cause an out-of-memory condition in the server and cause a crash. Solution(s) alma-upgrade-yajl alma-upgrade-yajl-devel References https://attackerkb.com/topics/cve-2023-33460 CVE - 2023-33460 https://errata.almalinux.org/8/ALSA-2023-7057.html https://errata.almalinux.org/9/ALSA-2023-6551.html
-
MFSA2023-20 Firefox: Security Vulnerabilities fixed in Firefox 114 (CVE-2023-34417)
MFSA2023-20 Firefox: Security Vulnerabilities fixed in Firefox 114 (CVE-2023-34417) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/06/2023 Created 06/07/2023 Added 06/07/2023 Modified 01/28/2025 Description Memory safety bugs present in Firefox 113. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 114. Solution(s) mozilla-firefox-upgrade-114_0 References https://attackerkb.com/topics/cve-2023-34417 CVE - 2023-34417 http://www.mozilla.org/security/announce/2023/mfsa2023-20.html
-
MFSA2023-19 Firefox: Security Vulnerabilities fixed in Firefox ESR 102.12 (CVE-2023-34416)
MFSA2023-19 Firefox: Security Vulnerabilities fixed in Firefox ESR 102.12 (CVE-2023-34416) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/06/2023 Created 06/07/2023 Added 06/07/2023 Modified 01/28/2025 Description Memory safety bugs present in Firefox 113, Firefox ESR 102.11, and Thunderbird 102.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 102.12, Firefox < 114, and Thunderbird < 102.12. Solution(s) mozilla-firefox-esr-upgrade-102_12 References https://attackerkb.com/topics/cve-2023-34416 CVE - 2023-34416 http://www.mozilla.org/security/announce/2023/mfsa2023-19.html
-
CentOS Linux: CVE-2023-2183: Moderate: Red Hat Ceph Storage 6.1 security, enhancements, and bug fix update (CESA-2023:7740)
CentOS Linux: CVE-2023-2183: Moderate: Red Hat Ceph Storage 6.1 security, enhancements, and bug fix update (CESA-2023:7740) Severity 6 CVSS (AV:N/AC:L/Au:S/C:P/I:P/A:N) Published 06/06/2023 Created 12/14/2023 Added 12/13/2023 Modified 01/28/2025 Description Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API, as the API does not check access to this function. This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, preparing a phishing attack, or blocking the SMTP server. Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix. Solution(s) centos-upgrade-ceph-base centos-upgrade-ceph-base-debuginfo centos-upgrade-ceph-common centos-upgrade-ceph-common-debuginfo centos-upgrade-ceph-debuginfo centos-upgrade-ceph-debugsource centos-upgrade-ceph-exporter-debuginfo centos-upgrade-ceph-fuse centos-upgrade-ceph-fuse-debuginfo centos-upgrade-ceph-immutable-object-cache centos-upgrade-ceph-immutable-object-cache-debuginfo centos-upgrade-ceph-mds-debuginfo centos-upgrade-ceph-mgr-debuginfo centos-upgrade-ceph-mib centos-upgrade-ceph-mon-debuginfo centos-upgrade-ceph-osd-debuginfo centos-upgrade-ceph-radosgw-debuginfo centos-upgrade-ceph-resource-agents centos-upgrade-ceph-selinux centos-upgrade-ceph-test-debuginfo centos-upgrade-cephadm centos-upgrade-cephadm-ansible centos-upgrade-cephfs-mirror-debuginfo centos-upgrade-cephfs-top centos-upgrade-libcephfs-devel centos-upgrade-libcephfs2 centos-upgrade-libcephfs2-debuginfo centos-upgrade-libcephsqlite-debuginfo centos-upgrade-librados-devel centos-upgrade-librados-devel-debuginfo centos-upgrade-libradospp-devel centos-upgrade-libradosstriper1 centos-upgrade-libradosstriper1-debuginfo centos-upgrade-librbd-devel centos-upgrade-librgw-devel centos-upgrade-librgw2 centos-upgrade-librgw2-debuginfo centos-upgrade-python3-ceph-argparse centos-upgrade-python3-ceph-common centos-upgrade-python3-cephfs centos-upgrade-python3-cephfs-debuginfo centos-upgrade-python3-rados centos-upgrade-python3-rados-debuginfo centos-upgrade-python3-rbd centos-upgrade-python3-rbd-debuginfo centos-upgrade-python3-rgw centos-upgrade-python3-rgw-debuginfo centos-upgrade-rbd-fuse-debuginfo centos-upgrade-rbd-mirror-debuginfo centos-upgrade-rbd-nbd centos-upgrade-rbd-nbd-debuginfo References CVE-2023-2183
-
Debian: CVE-2023-2603: libcap2 -- security update
Debian: CVE-2023-2603: libcap2 -- security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 06/06/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB. Solution(s) debian-upgrade-libcap2 References https://attackerkb.com/topics/cve-2023-2603 CVE - 2023-2603
-
Alma Linux: CVE-2023-28204: Important: webkit2gtk3 security update (Multiple Advisories)
Alma Linux: CVE-2023-28204: Important: webkit2gtk3 security update (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 06/05/2023 Created 06/07/2023 Added 06/07/2023 Modified 01/28/2025 Description An out-of-bounds read was addressed with improved input validation. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, Safari 16.5, iOS 16.5 and iPadOS 16.5. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited. Solution(s) alma-upgrade-webkit2gtk3 alma-upgrade-webkit2gtk3-devel alma-upgrade-webkit2gtk3-jsc alma-upgrade-webkit2gtk3-jsc-devel References https://attackerkb.com/topics/cve-2023-28204 CVE - 2023-28204 https://errata.almalinux.org/8/ALSA-2023-3433.html https://errata.almalinux.org/9/ALSA-2023-3432.html
-
VMware Photon OS: CVE-2023-3111
VMware Photon OS: CVE-2023-3111 Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 06/05/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description A use after free vulnerability was found in prepare_to_relocate in fs/btrfs/relocation.c in btrfs in the Linux Kernel. This possible flaw can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag(). Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-3111 CVE - 2023-3111
-
Ubuntu: USN-6196-1 (CVE-2023-33733): ReportLab vulnerability
Ubuntu: USN-6196-1 (CVE-2023-33733): ReportLab vulnerability Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 06/05/2023 Created 07/04/2023 Added 07/04/2023 Modified 01/28/2025 Description Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file. Solution(s) ubuntu-upgrade-python3-reportlab References https://attackerkb.com/topics/cve-2023-33733 CVE - 2023-33733 USN-6196-1
-
Alma Linux: CVE-2023-34410: Moderate: qt5-qtbase security update (Multiple Advisories)
Alma Linux: CVE-2023-34410: Moderate: qt5-qtbase security update (Multiple Advisories) Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:P/A:N) Published 06/05/2023 Created 11/17/2023 Added 11/16/2023 Modified 01/28/2025 Description An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate. Solution(s) alma-upgrade-qt5 alma-upgrade-qt5-devel alma-upgrade-qt5-qtbase alma-upgrade-qt5-qtbase-common alma-upgrade-qt5-qtbase-devel alma-upgrade-qt5-qtbase-examples alma-upgrade-qt5-qtbase-gui alma-upgrade-qt5-qtbase-mysql alma-upgrade-qt5-qtbase-odbc alma-upgrade-qt5-qtbase-postgresql alma-upgrade-qt5-qtbase-private-devel alma-upgrade-qt5-qtbase-static alma-upgrade-qt5-rpm-macros alma-upgrade-qt5-srpm-macros References https://attackerkb.com/topics/cve-2023-34410 CVE - 2023-34410 https://errata.almalinux.org/8/ALSA-2023-6967.html https://errata.almalinux.org/9/ALSA-2023-6369.html
-
Alma Linux: CVE-2023-32373: Important: webkit2gtk3 security update (Multiple Advisories)
Alma Linux: CVE-2023-32373: Important: webkit2gtk3 security update (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/05/2023 Created 06/07/2023 Added 06/07/2023 Modified 01/28/2025 Description A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, Safari 16.5, iOS 16.5 and iPadOS 16.5. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Solution(s) alma-upgrade-webkit2gtk3 alma-upgrade-webkit2gtk3-devel alma-upgrade-webkit2gtk3-jsc alma-upgrade-webkit2gtk3-jsc-devel References https://attackerkb.com/topics/cve-2023-32373 CVE - 2023-32373 https://errata.almalinux.org/8/ALSA-2023-3433.html https://errata.almalinux.org/9/ALSA-2023-3432.html