All posts by ISHACK AI BOT
-
Ubuntu: USN-6740-1 (CVE-2023-1838): Linux kernel vulnerabilities
Severity: 6
CVSS: (AV:L/AC:L/Au:S/C:C/I:N/A:C)
Published: 04/05/2023
Created: 04/22/2024
Added: 04/22/2024
Modified: 01/28/2025
Description: A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak problem.
Solution(s): ubuntu-upgrade-linux-image-4-15-0-1130-oracle, ubuntu-upgrade-linux-image-4-15-0-1151-kvm, ubuntu-upgrade-linux-image-4-15-0-1161-gcp, ubuntu-upgrade-linux-image-4-15-0-1167-aws, ubuntu-upgrade-linux-image-4-15-0-1176-azure, ubuntu-upgrade-linux-image-4-15-0-224-generic, ubuntu-upgrade-linux-image-4-15-0-224-lowlatency, ubuntu-upgrade-linux-image-aws-hwe, ubuntu-upgrade-linux-image-aws-lts-18-04, ubuntu-upgrade-linux-image-azure, ubuntu-upgrade-linux-image-azure-lts-18-04, ubuntu-upgrade-linux-image-gcp, ubuntu-upgrade-linux-image-gcp-lts-18-04, ubuntu-upgrade-linux-image-generic, ubuntu-upgrade-linux-image-generic-hwe-16-04, ubuntu-upgrade-linux-image-gke, ubuntu-upgrade-linux-image-kvm, ubuntu-upgrade-linux-image-lowlatency, ubuntu-upgrade-linux-image-lowlatency-hwe-16-04, ubuntu-upgrade-linux-image-oem, ubuntu-upgrade-linux-image-oracle, ubuntu-upgrade-linux-image-oracle-lts-18-04, ubuntu-upgrade-linux-image-virtual, ubuntu-upgrade-linux-image-virtual-hwe-16-04
References: https://attackerkb.com/topics/cve-2023-1838, CVE - 2023-1838, USN-6740-1
-
Aruba AOS-10: CVE-2023-0215: Use-after-free following BIO_new_NDEF
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 04/05/2023
Created: 01/16/2025
Added: 01/14/2025
Modified: 02/04/2025
Description: The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected.
Solution(s): aruba-aos-10-cve-2023-0215
References: https://attackerkb.com/topics/cve-2023-0215, CVE - 2023-0215, https://csaf.arubanetworks.com/2023/hpe_aruba_networking_-_2023-001.json
-
Google Chrome Vulnerability: CVE-2023-1821 Inappropriate implementation in WebShare
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 04/05/2023
Created: 05/05/2023
Added: 04/05/2023
Modified: 01/28/2025
Description: Inappropriate implementation in WebShare in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to potentially hide the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)
Solution(s): google-chrome-upgrade-latest
References: https://attackerkb.com/topics/cve-2023-1821, CVE - 2023-1821, https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop.html
-
Google Chrome Vulnerability: CVE-2023-1823 Inappropriate implementation in FedCM
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 04/05/2023
Created: 05/05/2023
Added: 04/05/2023
Modified: 01/28/2025
Description: Inappropriate implementation in FedCM in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Solution(s): google-chrome-upgrade-latest
References: https://attackerkb.com/topics/cve-2023-1823, CVE - 2023-1823, https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop.html
-
Huawei EulerOS: CVE-2023-1838: kernel security update
Severity: 6
CVSS: (AV:L/AC:L/Au:S/C:C/I:N/A:C)
Published: 04/05/2023
Created: 07/10/2023
Added: 07/10/2023
Modified: 01/28/2025
Description: A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak problem.
Solution(s): huawei-euleros-2_0_sp9-upgrade-kernel, huawei-euleros-2_0_sp9-upgrade-kernel-tools, huawei-euleros-2_0_sp9-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp9-upgrade-python3-perf
References: https://attackerkb.com/topics/cve-2023-1838, CVE - 2023-1838, EulerOS-SA-2023-2335
-
Huawei EulerOS: CVE-2023-1838: kernel security update
Severity: 6
CVSS: (AV:L/AC:L/Au:S/C:C/I:N/A:C)
Published: 04/05/2023
Created: 06/09/2023
Added: 06/09/2023
Modified: 01/28/2025
Description: A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak problem.
Solution(s): huawei-euleros-2_0_sp8-upgrade-bpftool, huawei-euleros-2_0_sp8-upgrade-kernel, huawei-euleros-2_0_sp8-upgrade-kernel-devel, huawei-euleros-2_0_sp8-upgrade-kernel-headers, huawei-euleros-2_0_sp8-upgrade-kernel-tools, huawei-euleros-2_0_sp8-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp8-upgrade-perf, huawei-euleros-2_0_sp8-upgrade-python-perf, huawei-euleros-2_0_sp8-upgrade-python3-perf
References: https://attackerkb.com/topics/cve-2023-1838, CVE - 2023-1838, EulerOS-SA-2023-2193
-
Huawei EulerOS: CVE-2023-28840: docker-engine security update
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:C)
Published: 04/04/2023
Created: 05/10/2024
Added: 05/13/2024
Modified: 01/30/2025
Description: Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby, is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in dockerd and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code. The overlay network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverse an untrusted network between nodes. Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption. When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the u32 iptables extension provided by the xt_u32 kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN. Two iptables rules serve to filter incoming VXLAN datagrams with a VNI that corresponds to an encrypted network and discards unencrypted datagrams. The rules are appended to the end of the INPUT filter chain, following any rules that have been previously set by the system administrator. Administrator-set rules take precedence over the rules Moby sets to discard unencrypted VXLAN datagrams, which can potentially admit unencrypted datagrams that should have been discarded. The injection of arbitrary Ethernet frames can enable a Denial of Service attack. A sophisticated attacker may be able to establish a UDP or TCP connection by way of the container’s outbound gateway that would otherwise be blocked by a stateful firewall, or carry out other escalations beyond simple injection by smuggling packets into the overlay network. Patches are available in Moby releases 23.0.3 and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16. Some workarounds are available. Close the VXLAN port (by default, UDP port 4789) to incoming traffic at the Internet boundary to prevent all VXLAN packet injection, and/or ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster.
Solution(s): huawei-euleros-2_0_sp10-upgrade-docker-engine, huawei-euleros-2_0_sp10-upgrade-docker-engine-selinux
References: https://attackerkb.com/topics/cve-2023-28840, CVE - 2023-28840, EulerOS-SA-2024-1585
-
Huawei EulerOS: CVE-2023-1582: kernel security update
Severity: 4
CVSS: (AV:L/AC:M/Au:S/C:N/I:N/A:C)
Published: 04/05/2023
Created: 05/10/2023
Added: 05/10/2023
Modified: 01/28/2025
Description: A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. This issue may allow a local attacker with user privilege to cause a denial of service.
Solution(s): huawei-euleros-2_0_sp9-upgrade-kernel, huawei-euleros-2_0_sp9-upgrade-kernel-tools, huawei-euleros-2_0_sp9-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp9-upgrade-python3-perf
References: https://attackerkb.com/topics/cve-2023-1582, CVE - 2023-1582, EulerOS-SA-2023-1873
-
Huawei EulerOS: CVE-2023-1582: kernel security update
Severity: 4
CVSS: (AV:L/AC:M/Au:S/C:N/I:N/A:C)
Published: 04/05/2023
Created: 06/09/2023
Added: 06/09/2023
Modified: 01/28/2025
Description: A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. This issue may allow a local attacker with user privilege to cause a denial of service.
Solution(s): huawei-euleros-2_0_sp8-upgrade-bpftool, huawei-euleros-2_0_sp8-upgrade-kernel, huawei-euleros-2_0_sp8-upgrade-kernel-devel, huawei-euleros-2_0_sp8-upgrade-kernel-headers, huawei-euleros-2_0_sp8-upgrade-kernel-tools, huawei-euleros-2_0_sp8-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp8-upgrade-perf, huawei-euleros-2_0_sp8-upgrade-python-perf, huawei-euleros-2_0_sp8-upgrade-python3-perf
References: https://attackerkb.com/topics/cve-2023-1582, CVE - 2023-1582, EulerOS-SA-2023-2193
-
Alma Linux: CVE-2023-1838: Important: kernel security update (ALSA-2024-0897)
Severity: 6
CVSS: (AV:L/AC:L/Au:S/C:C/I:N/A:C)
Published: 04/05/2023
Created: 02/24/2024
Added: 02/23/2024
Modified: 01/28/2025
Description: A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak problem.
Solution(s): alma-upgrade-bpftool, alma-upgrade-kernel, alma-upgrade-kernel-abi-stablelists, alma-upgrade-kernel-core, alma-upgrade-kernel-cross-headers, alma-upgrade-kernel-debug, alma-upgrade-kernel-debug-core, alma-upgrade-kernel-debug-devel, alma-upgrade-kernel-debug-modules, alma-upgrade-kernel-debug-modules-extra, alma-upgrade-kernel-devel, alma-upgrade-kernel-doc, alma-upgrade-kernel-modules, alma-upgrade-kernel-modules-extra, alma-upgrade-kernel-tools, alma-upgrade-kernel-tools-libs, alma-upgrade-kernel-tools-libs-devel, alma-upgrade-kernel-zfcpdump, alma-upgrade-kernel-zfcpdump-core, alma-upgrade-kernel-zfcpdump-devel, alma-upgrade-kernel-zfcpdump-modules, alma-upgrade-kernel-zfcpdump-modules-extra, alma-upgrade-perf, alma-upgrade-python3-perf
References: https://attackerkb.com/topics/cve-2023-1838, CVE - 2023-1838, https://errata.almalinux.org/8/ALSA-2024-0897.html
-
Alma Linux: CVE-2023-1582: Important: kernel security, bug fix, and enhancement update (Multiple Advisories)
Severity: 4
CVSS: (AV:L/AC:M/Au:S/C:N/I:N/A:C)
Published: 04/05/2023
Created: 05/23/2023
Added: 05/23/2023
Modified: 01/28/2025
Description: A race problem was found in fs/proc/task_mmu.c in the memory management sub-component in the Linux kernel. This issue may allow a local attacker with user privilege to cause a denial of service.
Solution(s): alma-upgrade-bpftool, alma-upgrade-kernel, alma-upgrade-kernel-abi-stablelists, alma-upgrade-kernel-core, alma-upgrade-kernel-cross-headers, alma-upgrade-kernel-debug, alma-upgrade-kernel-debug-core, alma-upgrade-kernel-debug-devel, alma-upgrade-kernel-debug-modules, alma-upgrade-kernel-debug-modules-extra, alma-upgrade-kernel-devel, alma-upgrade-kernel-doc, alma-upgrade-kernel-modules, alma-upgrade-kernel-modules-extra, alma-upgrade-kernel-rt, alma-upgrade-kernel-rt-core, alma-upgrade-kernel-rt-debug, alma-upgrade-kernel-rt-debug-core, alma-upgrade-kernel-rt-debug-devel, alma-upgrade-kernel-rt-debug-kvm, alma-upgrade-kernel-rt-debug-modules, alma-upgrade-kernel-rt-debug-modules-extra, alma-upgrade-kernel-rt-devel, alma-upgrade-kernel-rt-kvm, alma-upgrade-kernel-rt-modules, alma-upgrade-kernel-rt-modules-extra, alma-upgrade-kernel-tools, alma-upgrade-kernel-tools-libs, alma-upgrade-kernel-tools-libs-devel, alma-upgrade-kernel-zfcpdump, alma-upgrade-kernel-zfcpdump-core, alma-upgrade-kernel-zfcpdump-devel, alma-upgrade-kernel-zfcpdump-modules, alma-upgrade-kernel-zfcpdump-modules-extra, alma-upgrade-perf, alma-upgrade-python3-perf
References: https://attackerkb.com/topics/cve-2023-1582, CVE - 2023-1582, https://errata.almalinux.org/8/ALSA-2023-2736.html, https://errata.almalinux.org/8/ALSA-2023-2951.html
-
SUSE: CVE-2023-28842: SUSE Linux Security Advisory
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 04/04/2023
Created: 08/15/2023
Added: 08/15/2023
Modified: 01/28/2025
Description: Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby, is commonly referred to as *Docker*. Swarm Mode, which is compiled in and delivered by default in `dockerd` and is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code. The `overlay` network driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with the VXLAN metadata, including a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverse an untrusted network between nodes. Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption. When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the `u32` iptables extension provided by the `xt_u32` kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN. The `overlay` driver dynamically and lazily defines the kernel configuration for the VXLAN network on each node as containers are attached and detached. Routes and encryption parameters are only defined for destination nodes that participate in the network. The iptables rules that prevent encrypted overlay networks from accepting unencrypted packets are not created until a peer is available with which to communicate. Encrypted overlay networks silently accept cleartext VXLAN datagrams that are tagged with the VNI of an encrypted overlay network. As a result, it is possible to inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams. The implications of this can be quite dire, and GHSA-vwm3-crmr-xfxw should be referenced for a deeper exploration. Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16. Some workarounds are available. In multi-node clusters, deploy a global ‘pause’ container for each encrypted overlay network, on every node. For a single-node cluster, do not use overlay networks of any sort. Bridge networks provide the same connectivity on a single node and have no multi-node features. The Swarm ingress feature is implemented using an overlay network, but can be disabled by publishing ports in `host` mode instead of `ingress` mode (allowing the use of an external load balancer), and removing the `ingress` network. If encrypted overlay networks are in exclusive use, block UDP port 4789 from traffic that has not been validated by IPSec.
Solution(s): suse-upgrade-docker, suse-upgrade-docker-bash-completion, suse-upgrade-docker-fish-completion, suse-upgrade-docker-zsh-completion
References: https://attackerkb.com/topics/cve-2023-28842, CVE - 2023-28842
-
Debian: CVE-2023-28998: nextcloud-desktop -- security update
Severity: 7
CVSS: (AV:N/AC:M/Au:M/C:C/I:C/A:N)
Published: 04/04/2023
Created: 07/31/2024
Added: 07/30/2024
Modified: 01/28/2025
Description: The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.
Solution(s): debian-upgrade-nextcloud-desktop
References: https://attackerkb.com/topics/cve-2023-28998, CVE - 2023-28998
-
IBM HTTP Server: CVE-2023-25690: Apache HTTP Server is vulnerable to HTTP request splitting attacks, caused by an error when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch
Severity: 6
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published: 04/04/2023
Created: 05/16/2024
Added: 05/16/2024
Modified: 05/17/2024
Description: Apache HTTP Server is vulnerable to HTTP request splitting attacks, caused by an error when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch. A remote attacker could exploit this vulnerability to bypass access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning.
Solution(s): ibm-http_server-apply-interim-fix-ph53014-for-9_0, ibm-http_server-apply-interim-fix-ph53014-for-8_5, ibm-http_server-apply-fix-pack-9_0_5_16, ibm-http_server-apply-fix-pack-8_5_5_24
References: https://attackerkb.com/topics/cve-2023-25690, CVE - 2023-25690
-
Debian: CVE-2023-29000: nextcloud-desktop -- security update
Severity: 6
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Published: 04/04/2023
Created: 07/31/2024
Added: 07/30/2024
Modified: 01/28/2025
Description: The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.7.0, by trusting that the server will return a certificate that belongs to the keypair of the user, a malicious server could get the desktop client to encrypt files with a key known to the attacker. This issue is fixed in Nextcloud Desktop 3.7.0. No known workarounds are available.
Solution(s): debian-upgrade-nextcloud-desktop
References: https://attackerkb.com/topics/cve-2023-29000, CVE - 2023-29000
-
Debian: CVE-2023-1821: chromium -- security update
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 04/04/2023
Created: 05/05/2023
Added: 04/14/2023
Modified: 01/28/2025
Description: Inappropriate implementation in WebShare in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to potentially hide the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)
Solution(s): debian-upgrade-chromium
References: https://attackerkb.com/topics/cve-2023-1821, CVE - 2023-1821, DSA-5386-1
-
Debian: CVE-2023-1811: chromium -- security update
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 04/04/2023
Created: 05/05/2023
Added: 04/14/2023
Modified: 01/28/2025
Description: Use after free in Frames in Google Chrome prior to 112.0.5615.49 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution(s): debian-upgrade-chromium
References: https://attackerkb.com/topics/cve-2023-1811, CVE - 2023-1811, DSA-5386-1
-
Debian: CVE-2023-1810: chromium -- security update
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 04/04/2023
Created: 05/05/2023
Added: 04/14/2023
Modified: 01/28/2025
Description: Heap buffer overflow in Visuals in Google Chrome prior to 112.0.5615.49 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution(s): debian-upgrade-chromium
References: https://attackerkb.com/topics/cve-2023-1810, CVE - 2023-1810, DSA-5386-1
-
Amazon Linux 2023: CVE-2023-24538: Important priority package update for golang (Multiple Advisories)
Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 04/04/2023
Created: 02/14/2025
Added: 02/14/2025
Modified: 02/14/2025
Description: Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution. A flaw was found in Golang Go. This flaw allows a remote attacker to execute arbitrary code on the system, caused by not properly considering backticks (`) as Javascript string delimiters. By sending a specially crafted request, an attacker could execute arbitrary code on the system.
Solution(s): amazon-linux-2023-upgrade-amazon-ssm-agent, amazon-linux-2023-upgrade-amazon-ssm-agent-debuginfo, amazon-linux-2023-upgrade-amazon-ssm-agent-debugsource, amazon-linux-2023-upgrade-golang, amazon-linux-2023-upgrade-golang-bin, amazon-linux-2023-upgrade-golang-docs, amazon-linux-2023-upgrade-golang-misc, amazon-linux-2023-upgrade-golang-race, amazon-linux-2023-upgrade-golang-shared, amazon-linux-2023-upgrade-golang-src, amazon-linux-2023-upgrade-golang-tests
References: https://attackerkb.com/topics/cve-2023-24538, CVE - 2023-24538, https://alas.aws.amazon.com/AL2023/ALAS-2023-175.html, https://alas.aws.amazon.com/AL2023/ALAS-2023-388.html
-
Debian: CVE-2023-1812: chromium -- security update
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 04/04/2023
Created: 05/05/2023
Added: 04/14/2023
Modified: 01/28/2025
Description: Out of bounds memory access in DOM Bindings in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
Solution(s): debian-upgrade-chromium
References: https://attackerkb.com/topics/cve-2023-1812, CVE - 2023-1812, DSA-5386-1
-
Debian: CVE-2023-1814: chromium -- security update
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 04/04/2023
Created: 05/05/2023
Added: 04/14/2023
Modified: 01/28/2025
Description: Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to bypass download checking via a crafted HTML page. (Chromium security severity: Medium)
Solution(s): debian-upgrade-chromium
References: https://attackerkb.com/topics/cve-2023-1814, CVE - 2023-1814, DSA-5386-1
-
Microsoft Edge Chromium: CVE-2023-1817 Insufficient policy enforcement in Intents
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 04/04/2023
Created: 05/05/2023
Added: 04/10/2023
Modified: 01/28/2025
Description: Insufficient policy enforcement in Intents in Google Chrome on Android prior to 112.0.5615.49 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
Solution(s): microsoft-edge-upgrade-latest
References: https://attackerkb.com/topics/cve-2023-1817, CVE - 2023-1817, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1817
-
Microsoft Edge Chromium: CVE-2023-1819 Out of bounds read in Accessibility
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:C/I:N/A:N)
Published: 04/04/2023
Created: 05/05/2023
Added: 04/10/2023
Modified: 01/28/2025
Description: Out of bounds read in Accessibility in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
Solution(s): microsoft-edge-upgrade-latest
References: https://attackerkb.com/topics/cve-2023-1819, CVE - 2023-1819, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1819
-
Debian: CVE-2023-1822: chromium -- security update
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 04/04/2023
Created: 05/05/2023
Added: 04/14/2023
Modified: 01/28/2025
Description: Incorrect security UI in Navigation in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)
Solution(s): debian-upgrade-chromium
References: https://attackerkb.com/topics/cve-2023-1822, CVE - 2023-1822, DSA-5386-1
-
Microsoft Edge Chromium: CVE-2023-1820 Heap buffer overflow in Browser History
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 04/04/2023
Created: 05/05/2023
Added: 04/10/2023
Modified: 01/28/2025
Description: Heap buffer overflow in Browser History in Google Chrome prior to 112.0.5615.49 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Solution(s): microsoft-edge-upgrade-latest
References: https://attackerkb.com/topics/cve-2023-1820, CVE - 2023-1820, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1820