ISHACK AI BOT

Amazon Linux 2023: CVE-2023-32067: Important priority package update for c-ares (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 05/22/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1. A vulnerability was found in c-ares. This issue occurs due to a 0-byte UDP payload that can cause a Denial of Service. Solution(s) amazon-linux-2023-upgrade-c-ares amazon-linux-2023-upgrade-c-ares-debuginfo amazon-linux-2023-upgrade-c-ares-debugsource amazon-linux-2023-upgrade-c-ares-devel amazon-linux-2023-upgrade-ecs-service-connect-agent References https://attackerkb.com/topics/cve-2023-32067 CVE - 2023-32067 https://alas.aws.amazon.com/AL2023/ALAS-2023-198.html https://alas.aws.amazon.com/AL2023/ALAS-2023-344.html

CentOS Linux: CVE-2023-33285: Moderate: qt5 security and bug fix update (Multiple Advisories) Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:P) Published 05/22/2023 Created 11/09/2023 Added 11/08/2023 Modified 01/28/2025 Description An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server. Solution(s) centos-upgrade-adwaita-qt-debuginfo centos-upgrade-adwaita-qt-debugsource centos-upgrade-adwaita-qt5 centos-upgrade-adwaita-qt5-debuginfo centos-upgrade-libadwaita-qt5 centos-upgrade-libadwaita-qt5-debuginfo centos-upgrade-python-pyqt5-sip-debugsource centos-upgrade-python-qt5-debuginfo centos-upgrade-python-qt5-debugsource centos-upgrade-python-qt5-rpm-macros centos-upgrade-python3-pyqt5-sip centos-upgrade-python3-pyqt5-sip-debuginfo centos-upgrade-python3-qt5 centos-upgrade-python3-qt5-base centos-upgrade-python3-qt5-base-debuginfo centos-upgrade-python3-qt5-debuginfo centos-upgrade-qgnomeplatform centos-upgrade-qgnomeplatform-debuginfo centos-upgrade-qgnomeplatform-debugsource centos-upgrade-qt5 centos-upgrade-qt5-assistant centos-upgrade-qt5-assistant-debuginfo centos-upgrade-qt5-designer centos-upgrade-qt5-designer-debuginfo centos-upgrade-qt5-doctools centos-upgrade-qt5-doctools-debuginfo centos-upgrade-qt5-linguist centos-upgrade-qt5-linguist-debuginfo centos-upgrade-qt5-qdbusviewer centos-upgrade-qt5-qdbusviewer-debuginfo centos-upgrade-qt5-qt3d centos-upgrade-qt5-qt3d-debuginfo centos-upgrade-qt5-qt3d-debugsource centos-upgrade-qt5-qt3d-devel centos-upgrade-qt5-qt3d-devel-debuginfo centos-upgrade-qt5-qt3d-doc centos-upgrade-qt5-qt3d-examples centos-upgrade-qt5-qt3d-examples-debuginfo centos-upgrade-qt5-qt3d-tests-debuginfo centos-upgrade-qt5-qtbase centos-upgrade-qt5-qtbase-common centos-upgrade-qt5-qtbase-debuginfo centos-upgrade-qt5-qtbase-debugsource centos-upgrade-qt5-qtbase-devel centos-upgrade-qt5-qtbase-devel-debuginfo centos-upgrade-qt5-qtbase-doc centos-upgrade-qt5-qtbase-examples centos-upgrade-qt5-qtbase-examples-debuginfo centos-upgrade-qt5-qtbase-gui centos-upgrade-qt5-qtbase-gui-debuginfo centos-upgrade-qt5-qtbase-mysql centos-upgrade-qt5-qtbase-mysql-debuginfo centos-upgrade-qt5-qtbase-odbc centos-upgrade-qt5-qtbase-odbc-debuginfo centos-upgrade-qt5-qtbase-postgresql centos-upgrade-qt5-qtbase-postgresql-debuginfo centos-upgrade-qt5-qtbase-private-devel centos-upgrade-qt5-qtbase-tests-debuginfo centos-upgrade-qt5-qtconnectivity centos-upgrade-qt5-qtconnectivity-debuginfo centos-upgrade-qt5-qtconnectivity-debugsource centos-upgrade-qt5-qtconnectivity-devel centos-upgrade-qt5-qtconnectivity-doc centos-upgrade-qt5-qtconnectivity-examples centos-upgrade-qt5-qtconnectivity-examples-debuginfo centos-upgrade-qt5-qtconnectivity-tests-debuginfo centos-upgrade-qt5-qtdeclarative centos-upgrade-qt5-qtdeclarative-debuginfo centos-upgrade-qt5-qtdeclarative-debugsource centos-upgrade-qt5-qtdeclarative-devel centos-upgrade-qt5-qtdeclarative-devel-debuginfo centos-upgrade-qt5-qtdeclarative-doc centos-upgrade-qt5-qtdeclarative-examples centos-upgrade-qt5-qtdeclarative-examples-debuginfo centos-upgrade-qt5-qtdeclarative-tests-debuginfo centos-upgrade-qt5-qtdoc centos-upgrade-qt5-qtgraphicaleffects centos-upgrade-qt5-qtgraphicaleffects-debuginfo centos-upgrade-qt5-qtgraphicaleffects-debugsource centos-upgrade-qt5-qtgraphicaleffects-doc centos-upgrade-qt5-qtgraphicaleffects-tests-debuginfo centos-upgrade-qt5-qtimageformats centos-upgrade-qt5-qtimageformats-debuginfo centos-upgrade-qt5-qtimageformats-debugsource centos-upgrade-qt5-qtimageformats-doc centos-upgrade-qt5-qtimageformats-tests-debuginfo centos-upgrade-qt5-qtlocation centos-upgrade-qt5-qtlocation-debuginfo centos-upgrade-qt5-qtlocation-debugsource centos-upgrade-qt5-qtlocation-devel centos-upgrade-qt5-qtlocation-doc centos-upgrade-qt5-qtlocation-examples centos-upgrade-qt5-qtlocation-examples-debuginfo centos-upgrade-qt5-qtlocation-tests-debuginfo centos-upgrade-qt5-qtmultimedia centos-upgrade-qt5-qtmultimedia-debuginfo centos-upgrade-qt5-qtmultimedia-debugsource centos-upgrade-qt5-qtmultimedia-devel centos-upgrade-qt5-qtmultimedia-doc centos-upgrade-qt5-qtmultimedia-examples centos-upgrade-qt5-qtmultimedia-examples-debuginfo centos-upgrade-qt5-qtmultimedia-tests-debuginfo centos-upgrade-qt5-qtquickcontrols centos-upgrade-qt5-qtquickcontrols-debuginfo centos-upgrade-qt5-qtquickcontrols-debugsource centos-upgrade-qt5-qtquickcontrols-doc centos-upgrade-qt5-qtquickcontrols-examples centos-upgrade-qt5-qtquickcontrols-examples-debuginfo centos-upgrade-qt5-qtquickcontrols-tests-debuginfo centos-upgrade-qt5-qtquickcontrols2 centos-upgrade-qt5-qtquickcontrols2-debuginfo centos-upgrade-qt5-qtquickcontrols2-debugsource centos-upgrade-qt5-qtquickcontrols2-devel centos-upgrade-qt5-qtquickcontrols2-doc centos-upgrade-qt5-qtquickcontrols2-examples centos-upgrade-qt5-qtquickcontrols2-examples-debuginfo centos-upgrade-qt5-qtquickcontrols2-tests-debuginfo centos-upgrade-qt5-qtscript centos-upgrade-qt5-qtscript-debuginfo centos-upgrade-qt5-qtscript-debugsource centos-upgrade-qt5-qtscript-devel centos-upgrade-qt5-qtscript-doc centos-upgrade-qt5-qtscript-examples centos-upgrade-qt5-qtscript-examples-debuginfo centos-upgrade-qt5-qtscript-tests-debuginfo centos-upgrade-qt5-qtsensors centos-upgrade-qt5-qtsensors-debuginfo centos-upgrade-qt5-qtsensors-debugsource centos-upgrade-qt5-qtsensors-devel centos-upgrade-qt5-qtsensors-doc centos-upgrade-qt5-qtsensors-examples centos-upgrade-qt5-qtsensors-examples-debuginfo centos-upgrade-qt5-qtsensors-tests-debuginfo centos-upgrade-qt5-qtserialbus centos-upgrade-qt5-qtserialbus-debuginfo centos-upgrade-qt5-qtserialbus-debugsource centos-upgrade-qt5-qtserialbus-devel centos-upgrade-qt5-qtserialbus-doc centos-upgrade-qt5-qtserialbus-examples centos-upgrade-qt5-qtserialbus-examples-debuginfo centos-upgrade-qt5-qtserialbus-tests-debuginfo centos-upgrade-qt5-qtserialport centos-upgrade-qt5-qtserialport-debuginfo centos-upgrade-qt5-qtserialport-debugsource centos-upgrade-qt5-qtserialport-devel centos-upgrade-qt5-qtserialport-doc centos-upgrade-qt5-qtserialport-examples centos-upgrade-qt5-qtserialport-examples-debuginfo centos-upgrade-qt5-qtserialport-tests-debuginfo centos-upgrade-qt5-qtsvg centos-upgrade-qt5-qtsvg-debuginfo centos-upgrade-qt5-qtsvg-debugsource centos-upgrade-qt5-qtsvg-devel centos-upgrade-qt5-qtsvg-doc centos-upgrade-qt5-qtsvg-examples centos-upgrade-qt5-qtsvg-examples-debuginfo centos-upgrade-qt5-qtsvg-tests-debuginfo centos-upgrade-qt5-qttools centos-upgrade-qt5-qttools-common centos-upgrade-qt5-qttools-debuginfo centos-upgrade-qt5-qttools-debugsource centos-upgrade-qt5-qttools-devel centos-upgrade-qt5-qttools-devel-debuginfo centos-upgrade-qt5-qttools-doc centos-upgrade-qt5-qttools-examples centos-upgrade-qt5-qttools-examples-debuginfo centos-upgrade-qt5-qttools-libs-designer centos-upgrade-qt5-qttools-libs-designer-debuginfo centos-upgrade-qt5-qttools-libs-designercomponents centos-upgrade-qt5-qttools-libs-designercomponents-debuginfo centos-upgrade-qt5-qttools-libs-help centos-upgrade-qt5-qttools-libs-help-debuginfo centos-upgrade-qt5-qttools-tests-debuginfo centos-upgrade-qt5-qttranslations centos-upgrade-qt5-qtwayland centos-upgrade-qt5-qtwayland-debuginfo centos-upgrade-qt5-qtwayland-debugsource centos-upgrade-qt5-qtwayland-devel centos-upgrade-qt5-qtwayland-devel-debuginfo centos-upgrade-qt5-qtwayland-doc centos-upgrade-qt5-qtwayland-examples centos-upgrade-qt5-qtwayland-examples-debuginfo centos-upgrade-qt5-qtwayland-tests-debuginfo centos-upgrade-qt5-qtwebchannel centos-upgrade-qt5-qtwebchannel-debuginfo centos-upgrade-qt5-qtwebchannel-debugsource centos-upgrade-qt5-qtwebchannel-devel centos-upgrade-qt5-qtwebchannel-doc centos-upgrade-qt5-qtwebchannel-examples centos-upgrade-qt5-qtwebchannel-examples-debuginfo centos-upgrade-qt5-qtwebchannel-tests-debuginfo centos-upgrade-qt5-qtwebsockets centos-upgrade-qt5-qtwebsockets-debuginfo centos-upgrade-qt5-qtwebsockets-debugsource centos-upgrade-qt5-qtwebsockets-devel centos-upgrade-qt5-qtwebsockets-doc centos-upgrade-qt5-qtwebsockets-examples centos-upgrade-qt5-qtwebsockets-examples-debuginfo centos-upgrade-qt5-qtwebsockets-tests-debuginfo centos-upgrade-qt5-qtx11extras centos-upgrade-qt5-qtx11extras-debuginfo centos-upgrade-qt5-qtx11extras-debugsource centos-upgrade-qt5-qtx11extras-devel centos-upgrade-qt5-qtx11extras-doc centos-upgrade-qt5-qtx11extras-tests-debuginfo centos-upgrade-qt5-qtxmlpatterns centos-upgrade-qt5-qtxmlpatterns-debuginfo centos-upgrade-qt5-qtxmlpatterns-debugsource centos-upgrade-qt5-qtxmlpatterns-devel centos-upgrade-qt5-qtxmlpatterns-devel-debuginfo centos-upgrade-qt5-qtxmlpatterns-doc centos-upgrade-qt5-qtxmlpatterns-examples centos-upgrade-qt5-qtxmlpatterns-examples-debuginfo centos-upgrade-qt5-qtxmlpatterns-tests-debuginfo centos-upgrade-qt5-rpm-macros centos-upgrade-qt5-srpm-macros References CVE-2023-33285

Amazon Linux 2023: CVE-2023-31124: Important priority package update for c-ares (Multiple Advisories) Severity 3 CVSS (AV:N/AC:H/Au:N/C:N/I:P/A:N) Published 05/22/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android.This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1. A flaw was found in c-ares. This issue occurs when cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross-compiling aarch64 android. As a result, it will downgrade to rand(), which could allow an attacker to utilize the lack of entropy by not using a CSPRNG. Solution(s) amazon-linux-2023-upgrade-c-ares amazon-linux-2023-upgrade-c-ares-debuginfo amazon-linux-2023-upgrade-c-ares-debugsource amazon-linux-2023-upgrade-c-ares-devel amazon-linux-2023-upgrade-ecs-service-connect-agent References https://attackerkb.com/topics/cve-2023-31124 CVE - 2023-31124 https://alas.aws.amazon.com/AL2023/ALAS-2023-198.html https://alas.aws.amazon.com/AL2023/ALAS-2023-344.html

Oracle Linux: CVE-2023-32373: ELSA-2023-3432:webkit2gtk3 security update (IMPORTANT) (Multiple Advisories) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 05/22/2023 Created 05/22/2024 Added 05/21/2024 Modified 02/10/2025 Description A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, Safari 16.5, iOS 16.5 and iPadOS 16.5. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. A use after free vulnerability was found in the webkitgtk package. Processing maliciously crafted web content may lead to arbitrary code execution. Solution(s) oracle-linux-upgrade-webkit2gtk3 oracle-linux-upgrade-webkit2gtk3-devel oracle-linux-upgrade-webkit2gtk3-jsc oracle-linux-upgrade-webkit2gtk3-jsc-devel References https://attackerkb.com/topics/cve-2023-32373 CVE - 2023-32373 ELSA-2023-3432 ELSA-2023-3433

Oracle Linux: CVE-2023-28709: ELSA-2023-6570:tomcat security and bug fix update (MODERATE) (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 05/22/2023 Created 11/18/2023 Added 11/16/2023 Modified 11/28/2024 Description The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur. A flaw was found in Apache Tomcat due to an incomplete fix for CVE-2023-24998, which aims to limit the uploaded request parts that can be bypassed in a request. This issue may allow an attacker to use a malicious upload or series of uploads to trigger a denial of service. Solution(s) oracle-linux-upgrade-tomcat oracle-linux-upgrade-tomcat-admin-webapps oracle-linux-upgrade-tomcat-docs-webapp oracle-linux-upgrade-tomcat-el-3-0-api oracle-linux-upgrade-tomcat-jsp-2-3-api oracle-linux-upgrade-tomcat-lib oracle-linux-upgrade-tomcat-servlet-4-0-api oracle-linux-upgrade-tomcat-webapps References https://attackerkb.com/topics/cve-2023-28709 CVE - 2023-28709 ELSA-2023-6570 ELSA-2023-7065

Oracle Linux: CVE-2023-31147: ELSA-2023-3577: 18 security update (IMPORTANT) (Multiple Advisories) Severity 5 CVSS (AV:N/AC:H/Au:N/C:N/I:C/A:N) Published 05/22/2023 Created 06/16/2023 Added 06/15/2023 Modified 01/23/2025 Description c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1. A vulnerability was found in c-ares. This issue occurs when /dev/urandom or RtlGenRandom() are unavailable, c-ares will use rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand(), so it will generate predictable output. Solution(s) oracle-linux-upgrade-c-ares oracle-linux-upgrade-c-ares-devel oracle-linux-upgrade-nodejs oracle-linux-upgrade-nodejs-devel oracle-linux-upgrade-nodejs-docs oracle-linux-upgrade-nodejs-full-i18n oracle-linux-upgrade-nodejs-libs oracle-linux-upgrade-nodejs-nodemon oracle-linux-upgrade-nodejs-packaging oracle-linux-upgrade-nodejs-packaging-bundler oracle-linux-upgrade-npm References https://attackerkb.com/topics/cve-2023-31147 CVE - 2023-31147 ELSA-2023-3577 ELSA-2023-4035 ELSA-2023-4034 ELSA-2023-6635 ELSA-2023-3586

Oracle Linux: CVE-2023-28204: ELSA-2023-3432:webkit2gtk3 security update (IMPORTANT) (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 05/22/2023 Created 06/07/2023 Added 06/06/2023 Modified 02/10/2025 Description An out-of-bounds read was addressed with improved input validation. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, Safari 16.5, iOS 16.5 and iPadOS 16.5. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited. A flaw was found in the webkitgtk package. An out of bounds read may be possible when processing malicious web content, which can lead to information disclosure. Solution(s) oracle-linux-upgrade-webkit2gtk3 oracle-linux-upgrade-webkit2gtk3-devel oracle-linux-upgrade-webkit2gtk3-jsc oracle-linux-upgrade-webkit2gtk3-jsc-devel References https://attackerkb.com/topics/cve-2023-28204 CVE - 2023-28204 ELSA-2023-3432 ELSA-2023-3433

Oracle Linux: CVE-2023-31124: ELSA-2023-3577: 18 security update (IMPORTANT) (Multiple Advisories) Severity 3 CVSS (AV:N/AC:H/Au:N/C:N/I:P/A:N) Published 05/22/2023 Created 06/16/2023 Added 06/15/2023 Modified 01/23/2025 Description c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android.This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1. A flaw was found in c-ares. This issue occurs when cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross-compiling aarch64 android. As a result, it will downgrade to rand(), which could allow an attacker to utilize the lack of entropy by not using a CSPRNG. Solution(s) oracle-linux-upgrade-c-ares oracle-linux-upgrade-c-ares-devel oracle-linux-upgrade-nodejs oracle-linux-upgrade-nodejs-devel oracle-linux-upgrade-nodejs-docs oracle-linux-upgrade-nodejs-full-i18n oracle-linux-upgrade-nodejs-libs oracle-linux-upgrade-nodejs-nodemon oracle-linux-upgrade-nodejs-packaging oracle-linux-upgrade-nodejs-packaging-bundler oracle-linux-upgrade-npm References https://attackerkb.com/topics/cve-2023-31124 CVE - 2023-31124 ELSA-2023-3577 ELSA-2023-4035 ELSA-2023-4034 ELSA-2023-6635 ELSA-2023-3586

Debian: CVE-2023-33285: qt6-base, qtbase-opensource-src, qtbase-opensource-src-gles -- security update Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:P) Published 05/22/2023 Created 05/02/2024 Added 05/02/2024 Modified 01/28/2025 Description An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server. Solution(s) debian-upgrade-qt6-base debian-upgrade-qtbase-opensource-src debian-upgrade-qtbase-opensource-src-gles References https://attackerkb.com/topics/cve-2023-33285 CVE - 2023-33285 DLA-3805-1

Debian: CVE-2023-2840: gpac -- security update Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 05/22/2023 Created 05/29/2023 Added 05/29/2023 Modified 01/28/2025 Description NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2. Solution(s) debian-upgrade-gpac References https://attackerkb.com/topics/cve-2023-2840 CVE - 2023-2840 DSA-5411 DSA-5411-1

Huawei EulerOS: CVE-2023-31124: c-ares security update Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 05/25/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android.This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1. Solution(s) huawei-euleros-2_0_sp10-upgrade-c-ares References https://attackerkb.com/topics/cve-2023-31124 CVE - 2023-31124 EulerOS-SA-2023-2804

Alma Linux: CVE-2023-2255: Moderate: libreoffice security update (Multiple Advisories) Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:P/A:N) Published 05/25/2023 Created 11/17/2023 Added 11/16/2023 Modified 01/30/2025 Description Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used "floating frames" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3. Solution(s) alma-upgrade-autocorr-af alma-upgrade-autocorr-bg alma-upgrade-autocorr-ca alma-upgrade-autocorr-cs alma-upgrade-autocorr-da alma-upgrade-autocorr-de alma-upgrade-autocorr-dsb alma-upgrade-autocorr-el alma-upgrade-autocorr-en alma-upgrade-autocorr-es alma-upgrade-autocorr-fa alma-upgrade-autocorr-fi alma-upgrade-autocorr-fr alma-upgrade-autocorr-ga alma-upgrade-autocorr-hr alma-upgrade-autocorr-hsb alma-upgrade-autocorr-hu alma-upgrade-autocorr-is alma-upgrade-autocorr-it alma-upgrade-autocorr-ja alma-upgrade-autocorr-ko alma-upgrade-autocorr-lb alma-upgrade-autocorr-lt alma-upgrade-autocorr-mn alma-upgrade-autocorr-nl alma-upgrade-autocorr-pl alma-upgrade-autocorr-pt alma-upgrade-autocorr-ro alma-upgrade-autocorr-ru alma-upgrade-autocorr-sk alma-upgrade-autocorr-sl alma-upgrade-autocorr-sr alma-upgrade-autocorr-sv alma-upgrade-autocorr-tr alma-upgrade-autocorr-vi alma-upgrade-autocorr-vro alma-upgrade-autocorr-zh alma-upgrade-libreoffice alma-upgrade-libreoffice-base alma-upgrade-libreoffice-calc alma-upgrade-libreoffice-core alma-upgrade-libreoffice-data alma-upgrade-libreoffice-draw alma-upgrade-libreoffice-emailmerge alma-upgrade-libreoffice-filters alma-upgrade-libreoffice-gdb-debug-support alma-upgrade-libreoffice-graphicfilter alma-upgrade-libreoffice-gtk3 alma-upgrade-libreoffice-help-ar alma-upgrade-libreoffice-help-bg alma-upgrade-libreoffice-help-bn alma-upgrade-libreoffice-help-ca alma-upgrade-libreoffice-help-cs alma-upgrade-libreoffice-help-da alma-upgrade-libreoffice-help-de alma-upgrade-libreoffice-help-dz alma-upgrade-libreoffice-help-el alma-upgrade-libreoffice-help-en alma-upgrade-libreoffice-help-eo alma-upgrade-libreoffice-help-es alma-upgrade-libreoffice-help-et alma-upgrade-libreoffice-help-eu alma-upgrade-libreoffice-help-fi alma-upgrade-libreoffice-help-fr alma-upgrade-libreoffice-help-gl alma-upgrade-libreoffice-help-gu alma-upgrade-libreoffice-help-he alma-upgrade-libreoffice-help-hi alma-upgrade-libreoffice-help-hr alma-upgrade-libreoffice-help-hu alma-upgrade-libreoffice-help-id alma-upgrade-libreoffice-help-it alma-upgrade-libreoffice-help-ja alma-upgrade-libreoffice-help-ko alma-upgrade-libreoffice-help-lt alma-upgrade-libreoffice-help-lv alma-upgrade-libreoffice-help-nb alma-upgrade-libreoffice-help-nl alma-upgrade-libreoffice-help-nn alma-upgrade-libreoffice-help-pl alma-upgrade-libreoffice-help-pt-br alma-upgrade-libreoffice-help-pt-pt alma-upgrade-libreoffice-help-ro alma-upgrade-libreoffice-help-ru alma-upgrade-libreoffice-help-si alma-upgrade-libreoffice-help-sk alma-upgrade-libreoffice-help-sl alma-upgrade-libreoffice-help-sv alma-upgrade-libreoffice-help-ta alma-upgrade-libreoffice-help-tr alma-upgrade-libreoffice-help-uk alma-upgrade-libreoffice-help-zh-hans alma-upgrade-libreoffice-help-zh-hant alma-upgrade-libreoffice-impress alma-upgrade-libreoffice-langpack-af alma-upgrade-libreoffice-langpack-ar alma-upgrade-libreoffice-langpack-as alma-upgrade-libreoffice-langpack-bg alma-upgrade-libreoffice-langpack-bn alma-upgrade-libreoffice-langpack-br alma-upgrade-libreoffice-langpack-ca alma-upgrade-libreoffice-langpack-cs alma-upgrade-libreoffice-langpack-cy alma-upgrade-libreoffice-langpack-da alma-upgrade-libreoffice-langpack-de alma-upgrade-libreoffice-langpack-dz alma-upgrade-libreoffice-langpack-el alma-upgrade-libreoffice-langpack-en alma-upgrade-libreoffice-langpack-eo alma-upgrade-libreoffice-langpack-es alma-upgrade-libreoffice-langpack-et alma-upgrade-libreoffice-langpack-eu alma-upgrade-libreoffice-langpack-fa alma-upgrade-libreoffice-langpack-fi alma-upgrade-libreoffice-langpack-fr alma-upgrade-libreoffice-langpack-fy alma-upgrade-libreoffice-langpack-ga alma-upgrade-libreoffice-langpack-gl alma-upgrade-libreoffice-langpack-gu alma-upgrade-libreoffice-langpack-he alma-upgrade-libreoffice-langpack-hi alma-upgrade-libreoffice-langpack-hr alma-upgrade-libreoffice-langpack-hu alma-upgrade-libreoffice-langpack-id alma-upgrade-libreoffice-langpack-it alma-upgrade-libreoffice-langpack-ja alma-upgrade-libreoffice-langpack-kk alma-upgrade-libreoffice-langpack-kn alma-upgrade-libreoffice-langpack-ko alma-upgrade-libreoffice-langpack-lt alma-upgrade-libreoffice-langpack-lv alma-upgrade-libreoffice-langpack-mai alma-upgrade-libreoffice-langpack-ml alma-upgrade-libreoffice-langpack-mr alma-upgrade-libreoffice-langpack-nb alma-upgrade-libreoffice-langpack-nl alma-upgrade-libreoffice-langpack-nn alma-upgrade-libreoffice-langpack-nr alma-upgrade-libreoffice-langpack-nso alma-upgrade-libreoffice-langpack-or alma-upgrade-libreoffice-langpack-pa alma-upgrade-libreoffice-langpack-pl alma-upgrade-libreoffice-langpack-pt-br alma-upgrade-libreoffice-langpack-pt-pt alma-upgrade-libreoffice-langpack-ro alma-upgrade-libreoffice-langpack-ru alma-upgrade-libreoffice-langpack-si alma-upgrade-libreoffice-langpack-sk alma-upgrade-libreoffice-langpack-sl alma-upgrade-libreoffice-langpack-sr alma-upgrade-libreoffice-langpack-ss alma-upgrade-libreoffice-langpack-st alma-upgrade-libreoffice-langpack-sv alma-upgrade-libreoffice-langpack-ta alma-upgrade-libreoffice-langpack-te alma-upgrade-libreoffice-langpack-th alma-upgrade-libreoffice-langpack-tn alma-upgrade-libreoffice-langpack-tr alma-upgrade-libreoffice-langpack-ts alma-upgrade-libreoffice-langpack-uk alma-upgrade-libreoffice-langpack-ve alma-upgrade-libreoffice-langpack-xh alma-upgrade-libreoffice-langpack-zh-hans alma-upgrade-libreoffice-langpack-zh-hant alma-upgrade-libreoffice-langpack-zu alma-upgrade-libreoffice-math alma-upgrade-libreoffice-ogltrans alma-upgrade-libreoffice-opensymbol-fonts alma-upgrade-libreoffice-pdfimport alma-upgrade-libreoffice-pyuno alma-upgrade-libreoffice-sdk alma-upgrade-libreoffice-sdk-doc alma-upgrade-libreoffice-ure alma-upgrade-libreoffice-ure-common alma-upgrade-libreoffice-wiki-publisher alma-upgrade-libreoffice-writer alma-upgrade-libreoffice-x11 alma-upgrade-libreoffice-xsltfilter alma-upgrade-libreofficekit References https://attackerkb.com/topics/cve-2023-2255 CVE - 2023-2255 https://errata.almalinux.org/8/ALSA-2023-6933.html https://errata.almalinux.org/9/ALSA-2023-6508.html

Amazon Linux AMI 2: CVE-2023-32067: Security patch for c-ares, ecs-service-connect-agent (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 05/25/2023 Created 07/21/2023 Added 07/21/2023 Modified 01/28/2025 Description c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1. Solution(s) amazon-linux-ami-2-upgrade-c-ares amazon-linux-ami-2-upgrade-c-ares-debuginfo amazon-linux-ami-2-upgrade-c-ares-devel amazon-linux-ami-2-upgrade-ecs-service-connect-agent References https://attackerkb.com/topics/cve-2023-32067 AL2/ALAS-2023-2127 AL2/ALASECS-2023-007 CVE - 2023-32067

Gentoo Linux: CVE-2023-31130: c-ares: Multiple Vulnerabilities Severity 6 CVSS (AV:L/AC:M/Au:M/C:C/I:C/A:C) Published 05/25/2023 Created 10/11/2023 Added 10/10/2023 Modified 01/30/2025 Description c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue.C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1. Solution(s) gentoo-linux-upgrade-net-dns-c-ares References https://attackerkb.com/topics/cve-2023-31130 CVE - 2023-31130 202310-09

Gentoo Linux: CVE-2023-2255: LibreOffice: Multiple Vulnerabilities Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:P/A:N) Published 05/25/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/30/2025 Description Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used "floating frames" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3. Solution(s) gentoo-linux-upgrade-app-office-libreoffice gentoo-linux-upgrade-app-office-libreoffice-bin References https://attackerkb.com/topics/cve-2023-2255 CVE - 2023-2255 202311-15

Alma Linux: CVE-2023-31130: Moderate: c-ares security update (Multiple Advisories) Severity 6 CVSS (AV:L/AC:M/Au:M/C:C/I:C/A:C) Published 05/25/2023 Created 06/27/2023 Added 06/27/2023 Modified 01/30/2025 Description c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue.C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1. Solution(s) alma-upgrade-c-ares alma-upgrade-c-ares-devel alma-upgrade-nodejs alma-upgrade-nodejs-devel alma-upgrade-nodejs-docs alma-upgrade-nodejs-full-i18n alma-upgrade-nodejs-libs alma-upgrade-nodejs-nodemon alma-upgrade-nodejs-packaging alma-upgrade-nodejs-packaging-bundler alma-upgrade-npm References https://attackerkb.com/topics/cve-2023-31130 CVE - 2023-31130 https://errata.almalinux.org/8/ALSA-2023-4034.html https://errata.almalinux.org/8/ALSA-2023-4035.html https://errata.almalinux.org/8/ALSA-2023-7207.html https://errata.almalinux.org/9/ALSA-2023-3577.html https://errata.almalinux.org/9/ALSA-2023-3586.html https://errata.almalinux.org/9/ALSA-2023-6635.html View more

Gentoo Linux: CVE-2023-32067: c-ares: Multiple Vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 05/25/2023 Created 10/11/2023 Added 10/10/2023 Modified 01/28/2025 Description c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1. Solution(s) gentoo-linux-upgrade-net-dns-c-ares References https://attackerkb.com/topics/cve-2023-32067 CVE - 2023-32067 202310-09

Gentoo Linux: CVE-2023-31147: c-ares: Multiple Vulnerabilities Severity 6 CVSS (AV:N/AC:L/Au:N/C:P/I:P/A:N) Published 05/25/2023 Created 10/11/2023 Added 10/10/2023 Modified 01/28/2025 Description c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1. Solution(s) gentoo-linux-upgrade-net-dns-c-ares References https://attackerkb.com/topics/cve-2023-31147 CVE - 2023-31147 202310-09

Alma Linux: CVE-2023-31124: Important: nodejs:16 security update (Multiple Advisories) Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 05/25/2023 Created 06/27/2023 Added 06/27/2023 Modified 01/28/2025 Description c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android.This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1. Solution(s) alma-upgrade-c-ares alma-upgrade-c-ares-devel alma-upgrade-nodejs alma-upgrade-nodejs-devel alma-upgrade-nodejs-docs alma-upgrade-nodejs-full-i18n alma-upgrade-nodejs-libs alma-upgrade-nodejs-nodemon alma-upgrade-nodejs-packaging alma-upgrade-nodejs-packaging-bundler alma-upgrade-npm References https://attackerkb.com/topics/cve-2023-31124 CVE - 2023-31124 https://errata.almalinux.org/8/ALSA-2023-4034.html https://errata.almalinux.org/8/ALSA-2023-4035.html https://errata.almalinux.org/9/ALSA-2023-3577.html https://errata.almalinux.org/9/ALSA-2023-3586.html https://errata.almalinux.org/9/ALSA-2023-6635.html

Gentoo Linux: CVE-2023-0950: LibreOffice: Multiple Vulnerabilities Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 05/25/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description Improper Validation of Array Index vulnerability in the spreadsheet component of The Document Foundation LibreOffice allows an attacker to craft a spreadsheet document that will cause an array index underflow when loaded. In the affected versions of LibreOffice certain malformed spreadsheet formulas, such as AGGREGATE, could be created with less parameters passed to the formula interpreter than it expected, leading to an array index underflow, in which case there is a risk that arbitrary code could be executed. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.6; 7.5 versions prior to 7.5.1. Solution(s) gentoo-linux-upgrade-app-office-libreoffice gentoo-linux-upgrade-app-office-libreoffice-bin References https://attackerkb.com/topics/cve-2023-0950 CVE - 2023-0950 202311-15

Gentoo Linux: CVE-2023-31124: c-ares: Multiple Vulnerabilities Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 05/25/2023 Created 10/11/2023 Added 10/10/2023 Modified 01/28/2025 Description c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android.This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1. Solution(s) gentoo-linux-upgrade-net-dns-c-ares References https://attackerkb.com/topics/cve-2023-31124 CVE - 2023-31124 202310-09

Huawei EulerOS: CVE-2023-32067: c-ares security update Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 05/25/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1. Solution(s) huawei-euleros-2_0_sp8-upgrade-c-ares huawei-euleros-2_0_sp8-upgrade-c-ares-devel References https://attackerkb.com/topics/cve-2023-32067 CVE - 2023-32067 EulerOS-SA-2023-3115

Ubuntu: (Multiple Advisories) (CVE-2023-28370): Tornado vulnerability Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 05/25/2023 Created 06/14/2023 Added 06/14/2023 Modified 01/28/2025 Description Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL. Solution(s) ubuntu-pro-upgrade-python-tornado ubuntu-pro-upgrade-python3-tornado References https://attackerkb.com/topics/cve-2023-28370 CVE - 2023-28370 USN-6159-1 USN-7150-1

Debian: CVE-2023-32067: c-ares -- security update Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 05/25/2023 Created 06/08/2023 Added 06/08/2023 Modified 01/28/2025 Description c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1. Solution(s) debian-upgrade-c-ares References https://attackerkb.com/topics/cve-2023-32067 CVE - 2023-32067 DSA-5419-1

Red Hat: CVE-2023-31124: AutoTools does not set CARES_RANDOM_FILE during cross compilation (Multiple Advisories) Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 05/25/2023 Created 06/15/2023 Added 06/15/2023 Modified 01/28/2025 Description c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android.This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1. Solution(s) redhat-upgrade-c-ares redhat-upgrade-c-ares-debuginfo redhat-upgrade-c-ares-debugsource redhat-upgrade-c-ares-devel redhat-upgrade-nodejs redhat-upgrade-nodejs-debuginfo redhat-upgrade-nodejs-debugsource redhat-upgrade-nodejs-devel redhat-upgrade-nodejs-docs redhat-upgrade-nodejs-full-i18n redhat-upgrade-nodejs-libs redhat-upgrade-nodejs-libs-debuginfo redhat-upgrade-nodejs-nodemon redhat-upgrade-nodejs-packaging redhat-upgrade-nodejs-packaging-bundler redhat-upgrade-npm References CVE-2023-31124 RHSA-2023:3577 RHSA-2023:3586 RHSA-2023:4033 RHSA-2023:4034 RHSA-2023:4035 RHSA-2023:4036 RHSA-2023:6635 View more