ISHACK AI BOT

CentOS Linux: CVE-2023-28162: Important: firefox security update (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 03/20/2023 Created 03/22/2023 Added 03/21/2023 Modified 01/28/2025 Description While implementing AudioWorklets, some code may have casted one type to another, invalid, dynamic type. This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. Solution(s) centos-upgrade-firefox centos-upgrade-firefox-debuginfo centos-upgrade-thunderbird centos-upgrade-thunderbird-debuginfo References CVE-2023-28162

CentOS Linux: CVE-2023-28164: Important: firefox security update (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 03/20/2023 Created 03/22/2023 Added 03/21/2023 Modified 01/28/2025 Description Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. Solution(s) centos-upgrade-firefox centos-upgrade-firefox-debuginfo centos-upgrade-thunderbird centos-upgrade-thunderbird-debuginfo References CVE-2023-28164

Amazon Linux 2023: CVE-2023-27534: Medium priority package update for curl Severity 3 CVSS (AV:N/AC:H/Au:N/C:P/I:N/A:N) Published 03/20/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description A path traversal vulnerability exists in curl &lt;8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user&apos;s home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user. Solution(s) amazon-linux-2023-upgrade-curl amazon-linux-2023-upgrade-curl-debuginfo amazon-linux-2023-upgrade-curl-debugsource amazon-linux-2023-upgrade-curl-minimal amazon-linux-2023-upgrade-curl-minimal-debuginfo amazon-linux-2023-upgrade-libcurl amazon-linux-2023-upgrade-libcurl-debuginfo amazon-linux-2023-upgrade-libcurl-devel amazon-linux-2023-upgrade-libcurl-minimal amazon-linux-2023-upgrade-libcurl-minimal-debuginfo References https://attackerkb.com/topics/cve-2023-27534 CVE - 2023-27534 https://alas.aws.amazon.com/AL2023/ALAS-2023-193.html

Ubuntu: (Multiple Advisories) (CVE-2023-27533): curl vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 03/20/2023 Created 03/29/2023 Added 03/22/2023 Modified 01/30/2025 Description A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system. Solution(s) ubuntu-pro-upgrade-curl ubuntu-pro-upgrade-libcurl3 ubuntu-pro-upgrade-libcurl3-gnutls ubuntu-pro-upgrade-libcurl3-nss ubuntu-pro-upgrade-libcurl4 References https://attackerkb.com/topics/cve-2023-27533 CVE - 2023-27533 USN-5964-1 USN-5964-2

FreeBSD: VID-A4F8BB03-F52F-11ED-9859-080027083A05 (CVE-2023-28320): curl -- multiple vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 03/21/2023 Created 05/23/2023 Added 05/20/2023 Modified 01/28/2025 Description Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below. From VID-A4F8BB03-F52F-11ED-9859-080027083A05: Wei Chong Tan, Harry Sintonen, and Hiroki Kurosawa reports: This update fixes 4 security vulnerabilities: Medium CVE-2023-28319: UAF in SSH sha256 fingerprint check. Reported by Wei Chong Tan on 2023-03-21 Low CVE-2023-28320: siglongjmp race condition. Reported by Harry Sintonen on 2023-04-02 Low CVE-2023-28321: IDN wildcard match. Reported by Hiroki Kurosawa on 2023-04-17 Low CVE-2023-28322: more POST-after-PUT confusion. Reported by Hiroki Kurosawa on 2023-04-19 Solution(s) freebsd-upgrade-package-curl References CVE-2023-28320 SUSE-SU-2023:2224-1 SUSE-SU-2023:2225-1 SUSE-SU-2023:2226-1 SUSE-SU-2023:2227-1 SUSE-SU-2023:2228-1 SUSE-SU-2023:2230-1 View more

FreeBSD: VID-A4F8BB03-F52F-11ED-9859-080027083A05 (CVE-2023-28319): curl -- multiple vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 03/21/2023 Created 05/23/2023 Added 05/20/2023 Modified 01/28/2025 Description Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below. From VID-A4F8BB03-F52F-11ED-9859-080027083A05: Wei Chong Tan, Harry Sintonen, and Hiroki Kurosawa reports: This update fixes 4 security vulnerabilities: Medium CVE-2023-28319: UAF in SSH sha256 fingerprint check. Reported by Wei Chong Tan on 2023-03-21 Low CVE-2023-28320: siglongjmp race condition. Reported by Harry Sintonen on 2023-04-02 Low CVE-2023-28321: IDN wildcard match. Reported by Hiroki Kurosawa on 2023-04-17 Low CVE-2023-28322: more POST-after-PUT confusion. Reported by Hiroki Kurosawa on 2023-04-19 Solution(s) freebsd-upgrade-package-curl References CVE-2023-28319 SUSE-SU-2023:2224-1 SUSE-SU-2023:2225-1

Microsoft Edge Chromium: CVE-2023-1533 Use after free in WebProtect Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 03/21/2023 Created 03/27/2023 Added 03/27/2023 Modified 01/28/2025 Description Use after free in WebProtect in Google Chrome prior to 111.0.5563.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) microsoft-edge-upgrade-latest References https://attackerkb.com/topics/cve-2023-1533 CVE - 2023-1533 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1533

Microsoft Edge Chromium: CVE-2023-1534 Out of bounds read in ANGLE Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 03/21/2023 Created 03/27/2023 Added 03/27/2023 Modified 01/28/2025 Description Out of bounds read in ANGLE in Google Chrome prior to 111.0.5563.110 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) microsoft-edge-upgrade-latest References https://attackerkb.com/topics/cve-2023-1534 CVE - 2023-1534 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1534

SUSE: CVE-2023-1534: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 03/21/2023 Created 03/28/2023 Added 03/28/2023 Modified 01/28/2025 Description Out of bounds read in ANGLE in Google Chrome prior to 111.0.5563.110 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) suse-upgrade-chromedriver suse-upgrade-chromium suse-upgrade-opera References https://attackerkb.com/topics/cve-2023-1534 CVE - 2023-1534

Debian: CVE-2023-1532: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 03/21/2023 Created 03/27/2023 Added 03/27/2023 Modified 01/28/2025 Description Out of bounds read in GPU Video in Google Chrome prior to 111.0.5563.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2023-1532 CVE - 2023-1532 DSA-5377-1

Ubuntu: (Multiple Advisories) (CVE-2023-27535): curl vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 03/20/2023 Created 03/29/2023 Added 03/22/2023 Modified 01/28/2025 Description An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information. Solution(s) ubuntu-pro-upgrade-curl ubuntu-pro-upgrade-libcurl3 ubuntu-pro-upgrade-libcurl3-gnutls ubuntu-pro-upgrade-libcurl3-nss ubuntu-pro-upgrade-libcurl4 References https://attackerkb.com/topics/cve-2023-27535 CVE - 2023-27535 USN-5964-1 USN-5964-2

Ubuntu: USN-5964-1 (CVE-2023-27538): curl vulnerabilities Severity 5 CVSS (AV:L/AC:L/Au:S/C:C/I:N/A:N) Published 03/20/2023 Created 03/29/2023 Added 03/22/2023 Modified 01/28/2025 Description An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection. Solution(s) ubuntu-upgrade-curl ubuntu-upgrade-libcurl3-gnutls ubuntu-upgrade-libcurl3-nss ubuntu-upgrade-libcurl4 References https://attackerkb.com/topics/cve-2023-27538 CVE - 2023-27538 USN-5964-1

Debian: CVE-2023-28425: redis -- security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 03/20/2023 Created 07/31/2024 Added 07/30/2024 Modified 01/28/2025 Description Redis is an in-memory database that persists on disk. Starting in version 7.0.8 and prior to version 7.0.10, authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis server process. The problem is fixed in Redis version 7.0.10. Solution(s) debian-upgrade-redis References https://attackerkb.com/topics/cve-2023-28425 CVE - 2023-28425

Red Hat: CVE-2023-28176: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9 (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 03/20/2023 Created 03/22/2023 Added 03/21/2023 Modified 01/28/2025 Description Memory safety bugs present in Firefox 110 and Firefox ESR 102.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. Solution(s) redhat-upgrade-firefox redhat-upgrade-firefox-debuginfo redhat-upgrade-firefox-debugsource redhat-upgrade-firefox-x11 redhat-upgrade-thunderbird redhat-upgrade-thunderbird-debuginfo redhat-upgrade-thunderbird-debugsource References CVE-2023-28176 RHSA-2023:1333 RHSA-2023:1336 RHSA-2023:1337 RHSA-2023:1364 RHSA-2023:1367 RHSA-2023:1401 RHSA-2023:1402 RHSA-2023:1403 RHSA-2023:1404 RHSA-2023:1407 RHSA-2023:1444 RHSA-2023:1472 View more

Red Hat: CVE-2023-28164: CVE-2023-28164 Mozilla: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 03/20/2023 Created 03/22/2023 Added 03/21/2023 Modified 01/28/2025 Description Dragging a URL from a cross-origin iframe that was removed during the drag could have led to user confusion and website spoofing attacks. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9. Solution(s) redhat-upgrade-firefox redhat-upgrade-firefox-debuginfo redhat-upgrade-firefox-debugsource redhat-upgrade-firefox-x11 redhat-upgrade-thunderbird redhat-upgrade-thunderbird-debuginfo redhat-upgrade-thunderbird-debugsource References CVE-2023-28164 RHSA-2023:1333 RHSA-2023:1336 RHSA-2023:1337 RHSA-2023:1364 RHSA-2023:1367 RHSA-2023:1401 RHSA-2023:1402 RHSA-2023:1403 RHSA-2023:1404 RHSA-2023:1407 RHSA-2023:1444 RHSA-2023:1472 View more

Oracle Linux: CVE-2023-27536: ELSA-2023-6679:curl security update (MODERATE) (Multiple Advisories) Severity 5 CVSS (AV:N/AC:H/Au:N/C:C/I:N/A:N) Published 03/20/2023 Created 08/11/2023 Added 08/10/2023 Modified 12/01/2024 Description An authentication bypass vulnerability exists libcurl &lt;8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed. A flaw was found in the Curl package. Libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, the GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers. Solution(s) oracle-linux-upgrade-curl oracle-linux-upgrade-curl-minimal oracle-linux-upgrade-libcurl oracle-linux-upgrade-libcurl-devel oracle-linux-upgrade-libcurl-minimal References https://attackerkb.com/topics/cve-2023-27536 CVE - 2023-27536 ELSA-2023-6679 ELSA-2023-4523

Oracle Linux: CVE-2023-33203: ELSA-2023-7077:kernel security, bug fix, and enhancement update (IMPORTANT) (Multiple Advisories) Severity 6 CVSS (AV:L/AC:H/Au:N/C:C/I:C/A:C) Published 03/20/2023 Created 11/18/2023 Added 11/16/2023 Modified 01/07/2025 Description The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac based device. A race condition vulnerability was found in the Linux kernel&apos;s Qualcomm EMAC Gigabit Ethernet Controller when the user physically removes the device before cleanup in the emac_remove function. This flaw can eventually result in a use-after-free issue, possibly leading to a system crash or other undefined behaviors. Solution(s) oracle-linux-upgrade-kernel References https://attackerkb.com/topics/cve-2023-33203 CVE - 2023-33203 ELSA-2023-7077 ELSA-2023-6583

FreeBSD: VID-A60CC0E4-C7AA-11ED-8A4B-080027F5FEC9 (CVE-2023-28425): redis -- specially crafted MSETNX command can lead to denial-of-service Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 03/20/2023 Created 03/24/2023 Added 03/23/2023 Modified 01/28/2025 Description Redis is an in-memory database that persists on disk. Starting in version 7.0.8 and prior to version 7.0.10, authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis server process. The problem is fixed in Redis version 7.0.10. Solution(s) freebsd-upgrade-package-redis freebsd-upgrade-package-redis-devel References CVE-2023-28425

FreeBSD: VID-68958E18-ED94-11ED-9688-B42E991FC52E (CVE-2023-28852): glpi -- multiple vulnerabilities Severity 4 CVSS (AV:N/AC:M/Au:M/C:P/I:P/A:N) Published 03/20/2023 Created 05/17/2023 Added 05/16/2023 Modified 01/28/2025 Description GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 9.5.13 and 10.0.7, a user with dashboard administration rights may hack the dashboard form to store malicious code that will be executed when other users will use the related dashboard. Versions 9.5.13 and 10.0.7 contain a patch for this issue. Solution(s) freebsd-upgrade-package-glpi References CVE-2023-28852

FreeBSD: VID-68958E18-ED94-11ED-9688-B42E991FC52E (CVE-2023-28634): glpi -- multiple vulnerabilities Severity 9 CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:C) Published 03/20/2023 Created 05/17/2023 Added 05/16/2023 Modified 01/28/2025 Description GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such token it is possible to negotiate a GLPI session and hijack the Super-Admin account, resulting in a Privilege Escalation. Versions 9.5.13 and 10.0.7 contain a patch for this issue. Solution(s) freebsd-upgrade-package-glpi References CVE-2023-28634

FreeBSD: VID-68958E18-ED94-11ED-9688-B42E991FC52E (CVE-2023-28838): glpi -- multiple vulnerabilities Severity 9 CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:N) Published 03/20/2023 Created 05/17/2023 Added 05/16/2023 Modified 01/28/2025 Description GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell on the server. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, remove `Assistance > Statistics` and `Tools > Reports` read rights from every user. Solution(s) freebsd-upgrade-package-glpi References CVE-2023-28838

FreeBSD: VID-68958E18-ED94-11ED-9688-B42E991FC52E (CVE-2023-28636): glpi -- multiple vulnerabilities Severity 4 CVSS (AV:N/AC:M/Au:M/C:P/I:P/A:N) Published 03/20/2023 Created 05/17/2023 Added 05/16/2023 Modified 01/28/2025 Description GLPI is a free asset and IT management software package. Starting in version 0.60 and prior to versions 9.5.13 and 10.0.7, a vulnerability allows an administrator to create a malicious external link. This issue is fixed in versions 9.5.13 and 10.0.7. Solution(s) freebsd-upgrade-package-glpi References CVE-2023-28636

Amazon Linux 2023: CVE-2023-27533: Medium priority package update for curl Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:P/A:N) Published 03/20/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description A vulnerability in input validation exists in curl &lt;8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and &quot;telnet options&quot; during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application&apos;s intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system. Solution(s) amazon-linux-2023-upgrade-curl amazon-linux-2023-upgrade-curl-debuginfo amazon-linux-2023-upgrade-curl-debugsource amazon-linux-2023-upgrade-curl-minimal amazon-linux-2023-upgrade-curl-minimal-debuginfo amazon-linux-2023-upgrade-libcurl amazon-linux-2023-upgrade-libcurl-debuginfo amazon-linux-2023-upgrade-libcurl-devel amazon-linux-2023-upgrade-libcurl-minimal amazon-linux-2023-upgrade-libcurl-minimal-debuginfo References https://attackerkb.com/topics/cve-2023-27533 CVE - 2023-27533 https://alas.aws.amazon.com/AL2023/ALAS-2023-193.html

FreeBSD: VID-0D7D104C-C6FB-11ED-8A4B-080027F5FEC9 (CVE-2023-27536): curl -- multiple vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 03/20/2023 Created 03/24/2023 Added 03/23/2023 Modified 01/28/2025 Description Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below. From VID-0D7D104C-C6FB-11ED-8A4B-080027F5FEC9: Harry Sintonen reports: CVE-2023-27533 curl supports communicating using the TELNET protocol and as a part of this it offers users to pass on user name and "telnet options" for the server negotiation. Due to lack of proper input scrubbing and without it being the documented functionality, curl would pass on user name and telnet options to the server as provided. This could allow users to pass in carefully crafted content that pass on content or do option negotiation without the application intending to do so. In particular if an application for example allows users to provide the data or parts of the data. CVE-2023-27534 curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (~) character as the first path element in the path to denotes a path relative to the user's home directory. This is supported because of wording in the once proposed to-become RFC draft that was to dictate how SFTP URLs work. Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element. Using a path like /~2/foo when accessing a server using the user dan (with home directory /home/dan) would then quite surprisingly access the file /home/dan2/foo. This can be taken advantage of to circumvent filtering or worse. CVE-2023-27535 libcurl would reuse a previously created FTP connection even when one or more options had been changed that could have made the effective user a very different one, thus leading to the doing the second transfer with wrong credentials. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The settings in questions are CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC and CURLOPT_USE_SSL level. CVE-2023-27536 ibcurl would reuse a previously created connection even when the GSS delegation (CURLOPT_GSSAPI_DELEGATION) option had been changed that could have changed the user's permissions in a second transfer. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, this GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers. CVE-2023-27537 libcurl supports sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-free or use-after-free. CVE-2023-27538 libcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were left out from the configuration match checks, making them match too easily. Solution(s) freebsd-upgrade-package-curl References CVE-2023-27536 SUSE-SU-2023:0865-1

SUSE: CVE-2023-27586: SUSE Linux Security Advisory Severity 6 CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:C) Published 03/20/2023 Created 09/26/2023 Added 09/26/2023 Modified 01/28/2025 Description CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service. Version 2.7.0 disables CairoSVG's ability to access other files online by default. Solution(s) suse-upgrade-python3-cairosvg References https://attackerkb.com/topics/cve-2023-27586 CVE - 2023-27586