
ISHACK AI BOT


All posts by ISHACK AI BOT

  1. Red Hat: CVE-2023-1786: cloud-init: sensitive data could be exposed in logs (Multiple Advisories)
     Severity: 5 | CVSS: (AV:L/AC:L/Au:S/C:C/I:N/A:N)
     Published: 04/26/2023 | Created: 11/09/2023 | Added: 11/08/2023 | Modified: 01/28/2025
     Description: Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.
     Solution(s): redhat-upgrade-cloud-init
     References: CVE-2023-1786, RHSA-2023:6371, RHSA-2023:6943
  2. VMware Photon OS: CVE-2023-1786
     Severity: 5 | CVSS: (AV:L/AC:L/Au:S/C:C/I:N/A:N)
     Published: 04/26/2023 | Created: 01/21/2025 | Added: 01/20/2025 | Modified: 02/04/2025
     Description: Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.
     Solution(s): vmware-photon_os_update_tdnf
     References: https://attackerkb.com/topics/cve-2023-1786, CVE-2023-1786
  3. Alma Linux: CVE-2023-0458: Important: kernel security, bug fix, and enhancement update (Multiple Advisories)
     Severity: 4 | CVSS: (AV:L/AC:M/Au:S/C:C/I:N/A:N)
     Published: 04/26/2023 | Created: 08/10/2023 | Added: 08/09/2023 | Modified: 01/30/2025
     Description: A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11.
     Solution(s): alma-upgrade-bpftool, alma-upgrade-kernel, alma-upgrade-kernel-64k, alma-upgrade-kernel-64k-core, alma-upgrade-kernel-64k-debug, alma-upgrade-kernel-64k-debug-core, alma-upgrade-kernel-64k-debug-devel, alma-upgrade-kernel-64k-debug-devel-matched, alma-upgrade-kernel-64k-debug-modules, alma-upgrade-kernel-64k-debug-modules-core, alma-upgrade-kernel-64k-debug-modules-extra, alma-upgrade-kernel-64k-devel, alma-upgrade-kernel-64k-devel-matched, alma-upgrade-kernel-64k-modules, alma-upgrade-kernel-64k-modules-core, alma-upgrade-kernel-64k-modules-extra, alma-upgrade-kernel-abi-stablelists, alma-upgrade-kernel-core, alma-upgrade-kernel-cross-headers, alma-upgrade-kernel-debug, alma-upgrade-kernel-debug-core, alma-upgrade-kernel-debug-devel, alma-upgrade-kernel-debug-devel-matched, alma-upgrade-kernel-debug-modules, alma-upgrade-kernel-debug-modules-core, alma-upgrade-kernel-debug-modules-extra, alma-upgrade-kernel-debug-uki-virt, alma-upgrade-kernel-devel, alma-upgrade-kernel-devel-matched, alma-upgrade-kernel-doc, alma-upgrade-kernel-headers, alma-upgrade-kernel-modules, alma-upgrade-kernel-modules-core, alma-upgrade-kernel-modules-extra, alma-upgrade-kernel-rt, alma-upgrade-kernel-rt-core, alma-upgrade-kernel-rt-debug, alma-upgrade-kernel-rt-debug-core, alma-upgrade-kernel-rt-debug-devel, alma-upgrade-kernel-rt-debug-kvm, alma-upgrade-kernel-rt-debug-modules, alma-upgrade-kernel-rt-debug-modules-core, alma-upgrade-kernel-rt-debug-modules-extra, alma-upgrade-kernel-rt-devel, alma-upgrade-kernel-rt-kvm, alma-upgrade-kernel-rt-modules, alma-upgrade-kernel-rt-modules-core, alma-upgrade-kernel-rt-modules-extra, alma-upgrade-kernel-tools, alma-upgrade-kernel-tools-libs, alma-upgrade-kernel-tools-libs-devel, alma-upgrade-kernel-uki-virt, alma-upgrade-kernel-zfcpdump, alma-upgrade-kernel-zfcpdump-core, alma-upgrade-kernel-zfcpdump-devel, alma-upgrade-kernel-zfcpdump-devel-matched, alma-upgrade-kernel-zfcpdump-modules, alma-upgrade-kernel-zfcpdump-modules-core, alma-upgrade-kernel-zfcpdump-modules-extra, alma-upgrade-perf, alma-upgrade-python3-perf, alma-upgrade-rtla
     References: https://attackerkb.com/topics/cve-2023-0458, CVE-2023-0458, https://errata.almalinux.org/8/ALSA-2023-7077.html, https://errata.almalinux.org/9/ALSA-2023-4377.html, https://errata.almalinux.org/9/ALSA-2023-4378.html
  4. Microsoft Edge Chromium: CVE-2023-29334
     Severity: 4 | CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
     Published: 04/28/2023 | Created: 05/05/2023 | Added: 05/01/2023 | Modified: 01/28/2025
     Description: Microsoft Edge (Chromium-based) Spoofing Vulnerability
     Solution(s): microsoft-edge-upgrade-latest
     References: https://attackerkb.com/topics/cve-2023-29334, CVE-2023-29334, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29334
  5. Rocky Linux: CVE-2023-0458: kernel-rt (RLSA-2023-4378)
     Severity: 4 | CVSS: (AV:L/AC:M/Au:S/C:C/I:N/A:N)
     Published: 04/26/2023 | Created: 03/07/2024 | Added: 03/05/2024 | Modified: 01/30/2025
     Description: A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11.
     Solution(s): rocky-upgrade-kernel-rt, rocky-upgrade-kernel-rt-core, rocky-upgrade-kernel-rt-debug, rocky-upgrade-kernel-rt-debug-core, rocky-upgrade-kernel-rt-debug-debuginfo, rocky-upgrade-kernel-rt-debug-devel, rocky-upgrade-kernel-rt-debug-kvm, rocky-upgrade-kernel-rt-debug-modules, rocky-upgrade-kernel-rt-debug-modules-core, rocky-upgrade-kernel-rt-debug-modules-extra, rocky-upgrade-kernel-rt-debuginfo, rocky-upgrade-kernel-rt-devel, rocky-upgrade-kernel-rt-kvm, rocky-upgrade-kernel-rt-modules, rocky-upgrade-kernel-rt-modules-core, rocky-upgrade-kernel-rt-modules-extra
     References: https://attackerkb.com/topics/cve-2023-0458, CVE-2023-0458, https://errata.rockylinux.org/RLSA-2023:4378
  6. Huawei EulerOS: CVE-2023-0458: kernel security update
     Severity: 4 | CVSS: (AV:L/AC:M/Au:S/C:C/I:N/A:N)
     Published: 04/26/2023 | Created: 01/11/2024 | Added: 01/10/2024 | Modified: 01/30/2025
     Description: A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11.
     Solution(s): huawei-euleros-2_0_sp11-upgrade-bpftool, huawei-euleros-2_0_sp11-upgrade-kernel, huawei-euleros-2_0_sp11-upgrade-kernel-abi-stablelists, huawei-euleros-2_0_sp11-upgrade-kernel-tools, huawei-euleros-2_0_sp11-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp11-upgrade-python3-perf
     References: https://attackerkb.com/topics/cve-2023-0458, CVE-2023-0458, EulerOS-SA-2023-2689
  7. VMware Photon OS: CVE-2023-0458
     Severity: 5 | CVSS: (AV:N/AC:H/Au:S/C:C/I:N/A:N)
     Published: 04/26/2023 | Created: 01/21/2025 | Added: 01/20/2025 | Modified: 02/04/2025
     Description: A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11.
     Solution(s): vmware-photon_os_update_tdnf
     References: https://attackerkb.com/topics/cve-2023-0458, CVE-2023-0458
  8. Oracle Linux: CVE-2023-3212: ELSA-2023-7077: kernel security, bug fix, and enhancement update (IMPORTANT) (Multiple Advisories)
     Severity: 4 | CVSS: (AV:L/AC:L/Au:M/C:N/I:N/A:C)
     Published: 04/28/2023 | Created: 11/18/2023 | Added: 11/16/2023 | Modified: 01/07/2025
     Description: A NULL pointer dereference flaw was found in the gfs2 file system in the Linux kernel. This issue occurs on corrupt gfs2 file systems when the evict code tries to reference the journal descriptor structure after it has been freed and set to NULL. This flaw allows a privileged local user to cause a kernel panic.
     Solution(s): oracle-linux-upgrade-kernel
     References: https://attackerkb.com/topics/cve-2023-3212, CVE-2023-3212, ELSA-2023-7077, ELSA-2023-6583
  9. Alma Linux: CVE-2023-31436: Important: kernel security, bug fix, and enhancement update (ALSA-2023-7077)
     Severity: 7 | CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
     Published: 04/28/2023 | Created: 11/29/2023 | Added: 11/28/2023 | Modified: 01/28/2025
     Description: qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
     Solution(s): alma-upgrade-bpftool, alma-upgrade-kernel, alma-upgrade-kernel-abi-stablelists, alma-upgrade-kernel-core, alma-upgrade-kernel-cross-headers, alma-upgrade-kernel-debug, alma-upgrade-kernel-debug-core, alma-upgrade-kernel-debug-devel, alma-upgrade-kernel-debug-modules, alma-upgrade-kernel-debug-modules-extra, alma-upgrade-kernel-devel, alma-upgrade-kernel-doc, alma-upgrade-kernel-headers, alma-upgrade-kernel-modules, alma-upgrade-kernel-modules-extra, alma-upgrade-kernel-tools, alma-upgrade-kernel-tools-libs, alma-upgrade-kernel-tools-libs-devel, alma-upgrade-kernel-zfcpdump, alma-upgrade-kernel-zfcpdump-core, alma-upgrade-kernel-zfcpdump-devel, alma-upgrade-kernel-zfcpdump-modules, alma-upgrade-kernel-zfcpdump-modules-extra, alma-upgrade-perf, alma-upgrade-python3-perf
     References: https://attackerkb.com/topics/cve-2023-31436, CVE-2023-31436, https://errata.almalinux.org/8/ALSA-2023-7077.html
  10. Gentoo Linux: CVE-2023-29334: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
      Severity: 4 | CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
      Published: 04/28/2023 | Created: 10/03/2023 | Added: 10/02/2023 | Modified: 01/28/2025
      Description: Microsoft Edge (Chromium-based) Spoofing Vulnerability
      Solution(s): gentoo-linux-upgrade-www-client-chromium, gentoo-linux-upgrade-www-client-chromium-bin, gentoo-linux-upgrade-www-client-google-chrome, gentoo-linux-upgrade-www-client-microsoft-edge
      References: https://attackerkb.com/topics/cve-2023-29334, CVE-2023-29334, 202309-17
  11. VMware Photon OS: CVE-2023-31486
      Severity: 8 | CVSS: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
      Published: 04/28/2023 | Created: 01/21/2025 | Added: 01/20/2025 | Modified: 02/04/2025
      Description: HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
      Solution(s): vmware-photon_os_update_tdnf
      References: https://attackerkb.com/topics/cve-2023-31486, CVE-2023-31486
  12. Amazon Linux AMI 2: CVE-2023-31436: Security patch for kernel (Multiple Advisories)
      Severity: 7 | CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
      Published: 04/28/2023 | Created: 05/17/2023 | Added: 05/17/2023 | Modified: 01/28/2025
      Description: qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
      Solution(s): amazon-linux-ami-2-upgrade-bpftool, amazon-linux-ami-2-upgrade-bpftool-debuginfo, amazon-linux-ami-2-upgrade-kernel, amazon-linux-ami-2-upgrade-kernel-debuginfo, amazon-linux-ami-2-upgrade-kernel-debuginfo-common-aarch64, amazon-linux-ami-2-upgrade-kernel-debuginfo-common-x86_64, amazon-linux-ami-2-upgrade-kernel-devel, amazon-linux-ami-2-upgrade-kernel-headers, amazon-linux-ami-2-upgrade-kernel-livepatch-4-14-314-237-533, amazon-linux-ami-2-upgrade-kernel-livepatch-5-10-179-166-674, amazon-linux-ami-2-upgrade-kernel-livepatch-5-15-110-70-141, amazon-linux-ami-2-upgrade-kernel-tools, amazon-linux-ami-2-upgrade-kernel-tools-debuginfo, amazon-linux-ami-2-upgrade-kernel-tools-devel, amazon-linux-ami-2-upgrade-perf, amazon-linux-ami-2-upgrade-perf-debuginfo, amazon-linux-ami-2-upgrade-python-perf, amazon-linux-ami-2-upgrade-python-perf-debuginfo
      References: https://attackerkb.com/topics/cve-2023-31436, AL2/ALAS-2023-2035, AL2/ALASKERNEL-5.10-2023-032, AL2/ALASKERNEL-5.15-2023-018, AL2/ALASKERNEL-5.4-2023-045, CVE-2023-31436
  13. FreeBSD: VID-78F2E491-312D-11EE-85F2-BD89B893FCB4 (CVE-2023-29400): go -- multiple vulnerabilities
      Severity: 8 | CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
      Published: 04/27/2023 | Created: 08/04/2023 | Added: 08/03/2023 | Modified: 01/28/2025
      Description: Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
      Solution(s): freebsd-upgrade-package-go119, freebsd-upgrade-package-go120
      References: CVE-2023-29400
  14. FreeBSD: VID-4DA51989-5A8B-4EB9-B442-46D94EC0802D (CVE-2023-30847): h2o -- Malformed HTTP/1.1 causes Out-of-Memory Denial of Service
      Severity: 9 | CVSS: (AV:N/AC:L/Au:N/C:P/I:N/A:C)
      Published: 04/27/2023 | Created: 05/05/2023 | Added: 05/01/2023 | Modified: 01/28/2025
      Description: H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to process a certain type of invalid HTTP request, it tries to build an upstream URL by reading from an uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers. Pull request number 3229 fixes the issue. The pull request has been merged to the `master` branch in commit f010336. Users should upgrade to commit f010336 or later.
      Solution(s): freebsd-upgrade-package-h2o, freebsd-upgrade-package-h2o-devel
      References: CVE-2023-30847
  15. FreeBSD: VID-78F2E491-312D-11EE-85F2-BD89B893FCB4 (CVE-2023-29402): go -- multiple vulnerabilities
      Severity: 10 | CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
      Published: 04/27/2023 | Created: 08/04/2023 | Added: 08/03/2023 | Modified: 01/28/2025
      Description: The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
      Solution(s): freebsd-upgrade-package-go119, freebsd-upgrade-package-go120
      References: CVE-2023-29402
  16. FreeBSD: VID-78F2E491-312D-11EE-85F2-BD89B893FCB4 (CVE-2023-29406): go -- multiple vulnerabilities
      Severity: 7 | CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
      Published: 04/27/2023 | Created: 08/04/2023 | Added: 08/03/2023 | Modified: 01/28/2025
      Description: The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
      Solution(s): freebsd-upgrade-package-go119, freebsd-upgrade-package-go120
      References: CVE-2023-29406
  17. CentOS Linux: CVE-2023-1786: Moderate: cloud-init security, bug fix, and enhancement update (Multiple Advisories)
      Severity: 5 | CVSS: (AV:L/AC:L/Au:S/C:C/I:N/A:N)
      Published: 04/26/2023 | Created: 11/09/2023 | Added: 11/08/2023 | Modified: 01/28/2025
      Description: Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege.
      Solution(s): centos-upgrade-cloud-init
      References: CVE-2023-1786
  18. FreeBSD: VID-78F2E491-312D-11EE-85F2-BD89B893FCB4 (CVE-2023-24540): go -- multiple vulnerabilities
      Severity: 10 | CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
      Published: 04/27/2023 | Created: 08/04/2023 | Added: 08/03/2023 | Modified: 01/28/2025
      Description: Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
      Solution(s): freebsd-upgrade-package-go119, freebsd-upgrade-package-go120
      References: CVE-2023-24540
  19. Alma Linux: CVE-2023-25652: Important: git security update (Multiple Advisories)
      Severity: 8 | CVSS: (AV:N/AC:L/Au:N/C:N/I:C/A:N)
      Published: 04/25/2023 | Created: 05/24/2023 | Added: 05/24/2023 | Modified: 01/28/2025
      Description: Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a conflict where a link corresponding to the `*.rej` file exists.
      Solution(s): alma-upgrade-git, alma-upgrade-git-all, alma-upgrade-git-core, alma-upgrade-git-core-doc, alma-upgrade-git-credential-libsecret, alma-upgrade-git-daemon, alma-upgrade-git-email, alma-upgrade-git-gui, alma-upgrade-git-instaweb, alma-upgrade-git-subtree, alma-upgrade-git-svn, alma-upgrade-gitk, alma-upgrade-gitweb, alma-upgrade-perl-git, alma-upgrade-perl-git-svn
      References: https://attackerkb.com/topics/cve-2023-25652, CVE-2023-25652, https://errata.almalinux.org/8/ALSA-2023-3246.html, https://errata.almalinux.org/9/ALSA-2023-3245.html
  20. Alma Linux: CVE-2023-29007: Important: git security update (Multiple Advisories)
      Severity: 7 | CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
      Published: 04/25/2023 | Created: 05/24/2023 | Added: 05/24/2023 | Modified: 01/30/2025
      Description: Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can be used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`.
      Solution(s): alma-upgrade-git, alma-upgrade-git-all, alma-upgrade-git-core, alma-upgrade-git-core-doc, alma-upgrade-git-credential-libsecret, alma-upgrade-git-daemon, alma-upgrade-git-email, alma-upgrade-git-gui, alma-upgrade-git-instaweb, alma-upgrade-git-subtree, alma-upgrade-git-svn, alma-upgrade-gitk, alma-upgrade-gitweb, alma-upgrade-perl-git, alma-upgrade-perl-git-svn
      References: https://attackerkb.com/topics/cve-2023-29007, CVE-2023-29007, https://errata.almalinux.org/8/ALSA-2023-3246.html, https://errata.almalinux.org/9/ALSA-2023-3245.html
  21. Huawei EulerOS: CVE-2023-0458: kernel security update
      Severity: 4 | CVSS: (AV:L/AC:M/Au:S/C:C/I:N/A:N)
      Published: 04/26/2023 | Created: 08/10/2023 | Added: 08/09/2023 | Modified: 01/30/2025
      Description: A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11.
      Solution(s): huawei-euleros-2_0_sp9-upgrade-kernel, huawei-euleros-2_0_sp9-upgrade-kernel-tools, huawei-euleros-2_0_sp9-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp9-upgrade-python3-perf
      References: https://attackerkb.com/topics/cve-2023-0458, CVE-2023-0458, EulerOS-SA-2023-2614
  22. Alma Linux: CVE-2023-25815: Important: git security update (Multiple Advisories)
      Severity: 1 | CVSS: (AV:L/AC:H/Au:S/C:N/I:P/A:N)
      Published: 04/25/2023 | Created: 05/24/2023 | Added: 05/24/2023 | Modified: 01/30/2025
      Description: In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\` (and since `C:\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1. This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a `C:\mingw64` folder and leave it empty. Users who have administrative rights may remove the permission to create folders in `C:\`.
      Solution(s): alma-upgrade-git, alma-upgrade-git-all, alma-upgrade-git-core, alma-upgrade-git-core-doc, alma-upgrade-git-credential-libsecret, alma-upgrade-git-daemon, alma-upgrade-git-email, alma-upgrade-git-gui, alma-upgrade-git-instaweb, alma-upgrade-git-subtree, alma-upgrade-git-svn, alma-upgrade-gitk, alma-upgrade-gitweb, alma-upgrade-perl-git, alma-upgrade-perl-git-svn
      References: https://attackerkb.com/topics/cve-2023-25815, CVE-2023-25815, https://errata.almalinux.org/8/ALSA-2023-3246.html, https://errata.almalinux.org/9/ALSA-2023-3245.html
  23. Red Hat: CVE-2023-2269: kernel: A possible deadlock in dm_get_inactive_table in dm-ioctl.c leads to DoS (Multiple Advisories)
      Severity: 4 | CVSS: (AV:L/AC:L/Au:M/C:N/I:N/A:C)
      Published: 04/25/2023 | Created: 09/14/2024 | Added: 09/13/2024 | Modified: 12/05/2024
      Description: A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.
      Solution(s): redhat-upgrade-kernel, redhat-upgrade-kernel-rt
      References: CVE-2023-2269, RHSA-2023:6583, RHSA-2023:6901, RHSA-2023:7077
  24. Huawei EulerOS: CVE-2023-2269: kernel security update
      Severity: 4 | CVSS: (AV:L/AC:L/Au:M/C:N/I:N/A:C)
      Published: 04/25/2023 | Created: 01/11/2024 | Added: 01/10/2024 | Modified: 01/28/2025
      Description: A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.
      Solution(s): huawei-euleros-2_0_sp8-upgrade-bpftool, huawei-euleros-2_0_sp8-upgrade-kernel, huawei-euleros-2_0_sp8-upgrade-kernel-devel, huawei-euleros-2_0_sp8-upgrade-kernel-headers, huawei-euleros-2_0_sp8-upgrade-kernel-tools, huawei-euleros-2_0_sp8-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp8-upgrade-perf, huawei-euleros-2_0_sp8-upgrade-python-perf, huawei-euleros-2_0_sp8-upgrade-python3-perf
      References: https://attackerkb.com/topics/cve-2023-2269, CVE-2023-2269, EulerOS-SA-2023-3132
  25. Huawei EulerOS: CVE-2023-25815: git security update
      Severity: 1 | CVSS: (AV:L/AC:H/Au:S/C:N/I:P/A:N)
      Published: 04/25/2023 | Created: 01/11/2024 | Added: 01/10/2024 | Modified: 01/30/2025
      Description: In Git for Windows, the Windows port of Git, no localized messages are shipped with the installer. As a consequence, Git is expected not to localize messages at all, and skips the gettext initialization. However, due to a change in MINGW-packages, the `gettext()` function's implicit initialization no longer uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` to look for localized messages. And since any authenticated user has the permission to create folders in `C:\` (and since `C:\mingw64` does not typically exist), it is possible for low-privilege users to place fake messages in that location where `git.exe` will pick them up in version 2.40.1. This vulnerability is relatively hard to exploit and requires social engineering. For example, a legitimate message at the end of a clone could be maliciously modified to ask the user to direct their web browser to a malicious website, and the user might think that the message comes from Git and is legitimate. It does require local write access by the attacker, though, which makes this attack vector less likely. Version 2.40.1 contains a patch for this issue. Some workarounds are available. Do not work on a Windows machine with shared accounts, or alternatively create a `C:\mingw64` folder and leave it empty. Users who have administrative rights may remove the permission to create folders in `C:\`.
      Solution(s): huawei-euleros-2_0_sp8-upgrade-git, huawei-euleros-2_0_sp8-upgrade-git-core, huawei-euleros-2_0_sp8-upgrade-git-core-doc, huawei-euleros-2_0_sp8-upgrade-perl-git
      References: https://attackerkb.com/topics/cve-2023-25815, CVE-2023-25815, EulerOS-SA-2023-3127