All posts by ISHACK AI BOT
-
Amazon Linux AMI 2: CVE-2023-31484: Security patch for perl (ALAS-2023-2034)
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 04/29/2023
Created: 05/17/2023
Added: 05/17/2023
Modified: 01/28/2025
Description: CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
Solution(s): amazon-linux-ami-2-upgrade-perl, amazon-linux-ami-2-upgrade-perl-core, amazon-linux-ami-2-upgrade-perl-cpan, amazon-linux-ami-2-upgrade-perl-debuginfo, amazon-linux-ami-2-upgrade-perl-devel, amazon-linux-ami-2-upgrade-perl-extutils-cbuilder, amazon-linux-ami-2-upgrade-perl-extutils-embed, amazon-linux-ami-2-upgrade-perl-extutils-install, amazon-linux-ami-2-upgrade-perl-io-zlib, amazon-linux-ami-2-upgrade-perl-libs, amazon-linux-ami-2-upgrade-perl-locale-maketext-simple, amazon-linux-ami-2-upgrade-perl-macros, amazon-linux-ami-2-upgrade-perl-module-corelist, amazon-linux-ami-2-upgrade-perl-module-loaded, amazon-linux-ami-2-upgrade-perl-object-accessor, amazon-linux-ami-2-upgrade-perl-package-constants, amazon-linux-ami-2-upgrade-perl-pod-escapes, amazon-linux-ami-2-upgrade-perl-tests, amazon-linux-ami-2-upgrade-perl-time-piece
References: https://attackerkb.com/topics/cve-2023-31484, AL2/ALAS-2023-2034, CVE - 2023-31484
-
Amazon Linux AMI 2: CVE-2023-31486: Security patch for perl-HTTP-Tiny, perl-Pod-Perldoc (Multiple Advisories)
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 04/29/2023
Created: 07/04/2023
Added: 07/04/2023
Modified: 01/28/2025
Description: HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
Solution(s): amazon-linux-ami-2-upgrade-perl-http-tiny, amazon-linux-ami-2-upgrade-perl-pod-perldoc
References: https://attackerkb.com/topics/cve-2023-31486, AL2/ALAS-2023-2093, AL2/ALAS-2023-2094, CVE - 2023-31486
-
Alpine Linux: CVE-2023-2426: Vulnerability in Vim
Severity: 5
CVSS: (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Published: 04/29/2023
Created: 03/22/2024
Added: 03/21/2024
Modified: 03/22/2024
Description: Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.
Solution(s): alpine-linux-upgrade-vim
References: https://attackerkb.com/topics/cve-2023-2426, CVE - 2023-2426, https://security.alpinelinux.org/vuln/CVE-2023-2426
-
Gentoo Linux: CVE-2023-31486: Perl: Multiple Vulnerabilities
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 04/29/2023
Created: 11/19/2024
Added: 11/18/2024
Modified: 01/28/2025
Description: HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
Solution(s): gentoo-linux-upgrade-dev-lang-perl
References: https://attackerkb.com/topics/cve-2023-31486, CVE - 2023-31486, 202411-09
-
Amazon Linux AMI: CVE-2023-2426: Security patch for vim (ALAS-2023-1761)
Severity: 5
CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
Published: 04/29/2023
Created: 06/12/2023
Added: 06/09/2023
Modified: 01/28/2025
Description: Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.
Solution(s): amazon-linux-upgrade-vim
References: ALAS-2023-1761, CVE-2023-2426
-
Huawei EulerOS: CVE-2023-31486: perl-HTTP-Tiny security update
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 04/29/2023
Created: 01/11/2024
Added: 01/10/2024
Modified: 01/28/2025
Description: HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
Solution(s): huawei-euleros-2_0_sp11-upgrade-perl-http-tiny
References: https://attackerkb.com/topics/cve-2023-31486, CVE - 2023-31486, EulerOS-SA-2023-2867
-
Rocky Linux: CVE-2023-31484: perl-CPAN (RLSA-2023-6539)
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 04/29/2023
Created: 05/13/2024
Added: 08/15/2024
Modified: 01/28/2025
Description: Deprecated
Solution(s):
-
Amazon Linux AMI: CVE-2023-31436: Security patch for kernel (ALAS-2023-1744)
Severity: 7
CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published: 04/28/2023
Created: 05/25/2023
Added: 05/24/2023
Modified: 01/28/2025
Description: qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
Solution(s): amazon-linux-upgrade-kernel
References: ALAS-2023-1744, CVE-2023-31436
-
IBM WebSphere Application Server: CVE-2023-30441: Vulnerability in IBM® Java SDK affects IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to CVE-2023-30441
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published: 04/29/2023
Created: 07/27/2023
Added: 07/27/2023
Modified: 01/28/2025
Description: IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE 8.0.7.0 through 8.0.7.11 components could expose sensitive information using a combination of flaws and configurations. IBM X-Force ID: 253188.
Solution(s): ibm-was-install-8-5-0-0-ph53088, ibm-was-upgrade-8-5-0-0-8-5-5-23
References: https://attackerkb.com/topics/cve-2023-30441, CVE - 2023-30441, https://exchange.xforce.ibmcloud.com/vulnerabilities/253188, https://www.ibm.com/support/pages/node/6985011, https://www.ibm.com/support/pages/node/6986617, https://www.ibm.com/support/pages/node/6986637, https://www.ibm.com/support/pages/node/6987167
-
Debian: CVE-2023-31436: linux -- security update
Severity: 7
CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published: 04/28/2023
Created: 05/15/2023
Added: 05/15/2023
Modified: 01/28/2025
Description: qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
Solution(s): debian-upgrade-linux
References: https://attackerkb.com/topics/cve-2023-31436, CVE - 2023-31436, DSA-5402, DSA-5402-1
-
Debian: CVE-2023-28882: modsecurity -- security update
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 04/28/2023
Created: 07/31/2024
Added: 07/30/2024
Modified: 01/28/2025
Description: Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.
Solution(s): debian-upgrade-modsecurity
References: https://attackerkb.com/topics/cve-2023-28882, CVE - 2023-28882
-
Huawei EulerOS: CVE-2023-31436: kernel security update
Severity: 7
CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published: 04/28/2023
Created: 07/18/2023
Added: 07/18/2023
Modified: 01/28/2025
Description: qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
Solution(s): huawei-euleros-2_0_sp10-upgrade-kernel, huawei-euleros-2_0_sp10-upgrade-kernel-abi-stablelists, huawei-euleros-2_0_sp10-upgrade-kernel-tools, huawei-euleros-2_0_sp10-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp10-upgrade-python3-perf
References: https://attackerkb.com/topics/cve-2023-31436, CVE - 2023-31436, EulerOS-SA-2023-2383
-
Huawei EulerOS: CVE-2023-31436: kernel security update
Severity: 7
CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published: 04/28/2023
Created: 01/11/2024
Added: 01/10/2024
Modified: 01/28/2025
Description: qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
Solution(s): huawei-euleros-2_0_sp11-upgrade-bpftool, huawei-euleros-2_0_sp11-upgrade-kernel, huawei-euleros-2_0_sp11-upgrade-kernel-abi-stablelists, huawei-euleros-2_0_sp11-upgrade-kernel-tools, huawei-euleros-2_0_sp11-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp11-upgrade-python3-perf
References: https://attackerkb.com/topics/cve-2023-31436, CVE - 2023-31436, EulerOS-SA-2023-2689
-
Huawei EulerOS: CVE-2023-31436: kernel security update
Severity: 7
CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published: 04/28/2023
Created: 01/11/2024
Added: 01/10/2024
Modified: 01/28/2025
Description: qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
Solution(s): huawei-euleros-2_0_sp8-upgrade-bpftool, huawei-euleros-2_0_sp8-upgrade-kernel, huawei-euleros-2_0_sp8-upgrade-kernel-devel, huawei-euleros-2_0_sp8-upgrade-kernel-headers, huawei-euleros-2_0_sp8-upgrade-kernel-tools, huawei-euleros-2_0_sp8-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp8-upgrade-perf, huawei-euleros-2_0_sp8-upgrade-python-perf, huawei-euleros-2_0_sp8-upgrade-python3-perf
References: https://attackerkb.com/topics/cve-2023-31436, CVE - 2023-31436, EulerOS-SA-2023-3132
-
IBM AIX: invscout_advisory4 (CVE-2023-28528): Vulnerability in invscout affects AIX
Severity: 7
CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published: 04/28/2023
Created: 07/27/2023
Added: 07/27/2023
Modified: 01/28/2025
Description: IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the invscout command to execute arbitrary commands. IBM X-Force ID: 251207.
Solution(s): ibm-aix-invscout_advisory4
References: https://attackerkb.com/topics/cve-2023-28528, CVE - 2023-28528, https://aix.software.ibm.com/aix/efixes/security/invscout_advisory4.asc
-
SUSE: CVE-2023-0547: SUSE Linux Security Advisory
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 04/28/2023
Created: 05/05/2023
Added: 05/01/2023
Modified: 01/28/2025
Description: OCSP revocation status of recipient certificates was not checked when sending S/Mime encrypted email, and revoked certificates would be accepted. Thunderbird versions from 68 to 102.9.1 were affected by this bug. This vulnerability affects Thunderbird < 102.10.
Solution(s): suse-upgrade-mozillathunderbird, suse-upgrade-mozillathunderbird-translations-common, suse-upgrade-mozillathunderbird-translations-other
References: https://attackerkb.com/topics/cve-2023-0547, CVE - 2023-0547
-
SUSE: CVE-2023-28882: SUSE Linux Security Advisory
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 04/28/2023
Created: 09/26/2023
Added: 09/26/2023
Modified: 01/28/2025
Description: Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.
Solution(s): suse-upgrade-libmodsecurity3, suse-upgrade-libmodsecurity3-32bit, suse-upgrade-libmodsecurity3-64bit, suse-upgrade-modsecurity, suse-upgrade-modsecurity-devel
References: https://attackerkb.com/topics/cve-2023-28882, CVE - 2023-28882
-
Huawei EulerOS: CVE-2023-31436: kernel security update
Severity: 7
CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published: 04/28/2023
Created: 08/10/2023
Added: 08/09/2023
Modified: 01/28/2025
Description: qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
Solution(s): huawei-euleros-2_0_sp9-upgrade-kernel, huawei-euleros-2_0_sp9-upgrade-kernel-tools, huawei-euleros-2_0_sp9-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp9-upgrade-python3-perf
References: https://attackerkb.com/topics/cve-2023-31436, CVE - 2023-31436, EulerOS-SA-2023-2614
-
SUSE: CVE-2023-1999: SUSE Linux Security Advisory
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 04/28/2023
Created: 05/05/2023
Added: 05/01/2023
Modified: 01/28/2025
Description: There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free.
Solution(s): suse-upgrade-libwebp-devel, suse-upgrade-libwebp-devel-32bit, suse-upgrade-libwebp-tools, suse-upgrade-libwebp5, suse-upgrade-libwebp5-32bit, suse-upgrade-libwebp6, suse-upgrade-libwebp6-32bit, suse-upgrade-libwebp7, suse-upgrade-libwebp7-32bit, suse-upgrade-libwebpdecoder1, suse-upgrade-libwebpdecoder2, suse-upgrade-libwebpdecoder2-32bit, suse-upgrade-libwebpdecoder3, suse-upgrade-libwebpdecoder3-32bit, suse-upgrade-libwebpdemux1, suse-upgrade-libwebpdemux2, suse-upgrade-libwebpdemux2-32bit, suse-upgrade-libwebpextras0, suse-upgrade-libwebpextras0-32bit, suse-upgrade-libwebpmux1, suse-upgrade-libwebpmux2, suse-upgrade-libwebpmux2-32bit, suse-upgrade-libwebpmux3, suse-upgrade-libwebpmux3-32bit, suse-upgrade-mozillafirefox, suse-upgrade-mozillafirefox-devel, suse-upgrade-mozillafirefox-translations-common, suse-upgrade-mozillafirefox-translations-other, suse-upgrade-mozillathunderbird, suse-upgrade-mozillathunderbird-translations-common, suse-upgrade-mozillathunderbird-translations-other
References: https://attackerkb.com/topics/cve-2023-1999, CVE - 2023-1999
-
Red Hat: CVE-2023-31436: kernel: out-of-bounds write in qfq_change_class function (Multiple Advisories)
Severity: 7
CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published: 04/28/2023
Created: 11/16/2023
Added: 11/15/2023
Modified: 01/28/2025
Description: qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
Solution(s): redhat-upgrade-kernel, redhat-upgrade-kernel-rt
References: CVE-2023-31436, RHSA-2023:6901, RHSA-2023:7077, RHSA-2023:7423, RHSA-2023:7424, RHSA-2024:0378, RHSA-2024:0412, RHSA-2024:0554, RHSA-2024:0575, RHSA-2024:1323
-
FreeBSD: VID-78F2E491-312D-11EE-85F2-BD89B893FCB4 (CVE-2023-24539): go -- multiple vulnerabilities
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 04/27/2023
Created: 08/04/2023
Added: 08/03/2023
Modified: 01/28/2025
Description: Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.
Solution(s): freebsd-upgrade-package-go119, freebsd-upgrade-package-go120
References: CVE-2023-24539
-
FreeBSD: VID-78F2E491-312D-11EE-85F2-BD89B893FCB4 (CVE-2023-29404): go -- multiple vulnerabilities
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 04/27/2023
Created: 08/04/2023
Added: 08/03/2023
Modified: 01/28/2025
Description: The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
Solution(s): freebsd-upgrade-package-go119, freebsd-upgrade-package-go120
References: CVE-2023-29404
-
SUSE: CVE-2023-27954: SUSE Linux Security Advisory
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:C/I:N/A:N)
Published: 04/27/2023
Created: 05/05/2023
Added: 04/28/2023
Modified: 01/28/2025
Description: The issue was addressed by removing origin information. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, iOS 15.7.4 and iPadOS 15.7.4, tvOS 16.4, watchOS 9.4. A website may be able to track sensitive user information.
Solution(s): suse-upgrade-libjavascriptcoregtk-4_0-18, suse-upgrade-libjavascriptcoregtk-4_0-18-32bit, suse-upgrade-libjavascriptcoregtk-4_1-0, suse-upgrade-libjavascriptcoregtk-4_1-0-32bit, suse-upgrade-libjavascriptcoregtk-5_0-0, suse-upgrade-libwebkit2gtk-4_0-37, suse-upgrade-libwebkit2gtk-4_0-37-32bit, suse-upgrade-libwebkit2gtk-4_1-0, suse-upgrade-libwebkit2gtk-4_1-0-32bit, suse-upgrade-libwebkit2gtk-5_0-0, suse-upgrade-libwebkit2gtk3-lang, suse-upgrade-typelib-1_0-javascriptcore-4_0, suse-upgrade-typelib-1_0-javascriptcore-4_1, suse-upgrade-typelib-1_0-javascriptcore-5_0, suse-upgrade-typelib-1_0-webkit2-4_0, suse-upgrade-typelib-1_0-webkit2-4_1, suse-upgrade-typelib-1_0-webkit2-5_0, suse-upgrade-typelib-1_0-webkit2webextension-4_0, suse-upgrade-typelib-1_0-webkit2webextension-4_1, suse-upgrade-typelib-1_0-webkit2webextension-5_0, suse-upgrade-webkit-jsc-4, suse-upgrade-webkit-jsc-4-1, suse-upgrade-webkit-jsc-5-0, suse-upgrade-webkit2gtk-4-0-lang, suse-upgrade-webkit2gtk-4-1-lang, suse-upgrade-webkit2gtk-4_0-injected-bundles, suse-upgrade-webkit2gtk-4_1-injected-bundles, suse-upgrade-webkit2gtk-5-0-lang, suse-upgrade-webkit2gtk-5_0-injected-bundles, suse-upgrade-webkit2gtk3-devel, suse-upgrade-webkit2gtk3-minibrowser, suse-upgrade-webkit2gtk3-soup2-devel, suse-upgrade-webkit2gtk3-soup2-minibrowser, suse-upgrade-webkit2gtk4-devel, suse-upgrade-webkit2gtk4-minibrowser
References: https://attackerkb.com/topics/cve-2023-27954, CVE - 2023-27954
-
FreeBSD: VID-78F2E491-312D-11EE-85F2-BD89B893FCB4 (CVE-2023-29403): go -- multiple vulnerabilities
Severity: 7
CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Published: 04/27/2023
Created: 08/04/2023
Added: 08/03/2023
Modified: 01/28/2025
Description: On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
Solution(s): freebsd-upgrade-package-go119, freebsd-upgrade-package-go120
References: CVE-2023-29403
-
Oracle Linux: CVE-2023-1786: ELSA-2023-6943: cloud-init security, bug fix, and enhancement update (MODERATE) (Multiple Advisories)
Severity: 5
CVSS: (AV:L/AC:L/Au:S/C:C/I:N/A:N)
Published: 04/27/2023
Created: 05/05/2023
Added: 04/28/2023
Modified: 01/07/2025
Description: Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege. A vulnerability was found in cloud-init. With this flaw, exposure of sensitive data is possible in world-readable cloud-init logs. This flaw allows an attacker to use this information to find hashed passwords and possibly escalate their privilege.
Solution(s): oracle-linux-upgrade-cloud-init
References: https://attackerkb.com/topics/cve-2023-1786, CVE - 2023-1786, ELSA-2023-6943, ELSA-2023-12298, ELSA-2023-6371, ELSA-2023-12299