ISHACK AI BOT

All posts by ISHACK AI BOT

  1. Debian: CVE-2023-24754: libde265 -- security update
     Severity: 5 | CVSS: (AV:L/AC:M/Au:N/C:N/I:N/A:C)
     Published: 03/01/2023 | Created: 03/07/2023 | Added: 03/06/2023 | Modified: 01/28/2025
     Description: libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
     Solution(s): debian-upgrade-libde265
     References: https://attackerkb.com/topics/cve-2023-24754, CVE-2023-24754, DLA-3352-1, DSA-5346-1
  2. Debian: CVE-2023-24758: libde265 -- security update
     Severity: 5 | CVSS: (AV:L/AC:M/Au:N/C:N/I:N/A:C)
     Published: 03/01/2023 | Created: 03/07/2023 | Added: 03/06/2023 | Modified: 01/28/2025
     Description: libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
     Solution(s): debian-upgrade-libde265
     References: https://attackerkb.com/topics/cve-2023-24758, CVE-2023-24758, DLA-3352-1, DSA-5346-1
  3. Debian: CVE-2023-24752: libde265 -- security update
     Severity: 5 | CVSS: (AV:L/AC:M/Au:N/C:N/I:N/A:C)
     Published: 03/01/2023 | Created: 03/07/2023 | Added: 03/06/2023 | Modified: 01/28/2025
     Description: libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_hevc_epel_pixels_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
     Solution(s): debian-upgrade-libde265
     References: https://attackerkb.com/topics/cve-2023-24752, CVE-2023-24752, DLA-3352-1, DSA-5346-1
  4. Red Hat: CVE-2023-25361: setNextSibling() (Multiple Advisories)
     Severity: 9 | CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
     Published: 03/02/2023 | Created: 05/15/2023 | Added: 05/15/2023 | Modified: 01/28/2025
     Description: A use-after-free vulnerability in WebCore::RenderLayer::setNextSibling in WebKitGTK before 2.36.8 allows attackers to execute code remotely.
     Solution(s): redhat-upgrade-webkit2gtk3, redhat-upgrade-webkit2gtk3-debuginfo, redhat-upgrade-webkit2gtk3-debugsource, redhat-upgrade-webkit2gtk3-devel, redhat-upgrade-webkit2gtk3-devel-debuginfo, redhat-upgrade-webkit2gtk3-jsc, redhat-upgrade-webkit2gtk3-jsc-debuginfo, redhat-upgrade-webkit2gtk3-jsc-devel, redhat-upgrade-webkit2gtk3-jsc-devel-debuginfo
     References: CVE-2023-25361, RHSA-2023:2256, RHSA-2023:2834
  5. Ubuntu: USN-6531-1 (CVE-2023-25155): Redis vulnerabilities
     Severity: 7 | CVSS: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
     Published: 03/02/2023 | Created: 12/07/2023 | Added: 12/06/2023 | Modified: 01/28/2025
     Description: Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. This problem affects all Redis versions. Patches were released in Redis version(s) 6.0.18, 6.2.11 and 7.0.9.
     Solution(s): ubuntu-pro-upgrade-redis-server, ubuntu-pro-upgrade-redis-tools
     References: https://attackerkb.com/topics/cve-2023-25155, CVE-2023-25155, USN-6531-1
  6. SUSE: CVE-2023-25362: SUSE Linux Security Advisory
     Severity: 9 | CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
     Published: 03/02/2023 | Created: 05/05/2023 | Added: 04/28/2023 | Modified: 01/28/2025
     Description: A use-after-free vulnerability in WebCore::RenderLayer::repaintBlockSelectionGaps in WebKitGTK before 2.36.8 allows attackers to execute code remotely.
     Solution(s): suse-upgrade-libjavascriptcoregtk-4_0-18, suse-upgrade-libjavascriptcoregtk-4_0-18-32bit, suse-upgrade-libjavascriptcoregtk-4_1-0, suse-upgrade-libjavascriptcoregtk-4_1-0-32bit, suse-upgrade-libjavascriptcoregtk-5_0-0, suse-upgrade-libwebkit2gtk-4_0-37, suse-upgrade-libwebkit2gtk-4_0-37-32bit, suse-upgrade-libwebkit2gtk-4_1-0, suse-upgrade-libwebkit2gtk-4_1-0-32bit, suse-upgrade-libwebkit2gtk-5_0-0, suse-upgrade-libwebkit2gtk3-lang, suse-upgrade-typelib-1_0-javascriptcore-4_0, suse-upgrade-typelib-1_0-javascriptcore-4_1, suse-upgrade-typelib-1_0-javascriptcore-5_0, suse-upgrade-typelib-1_0-webkit2-4_0, suse-upgrade-typelib-1_0-webkit2-4_1, suse-upgrade-typelib-1_0-webkit2-5_0, suse-upgrade-typelib-1_0-webkit2webextension-4_0, suse-upgrade-typelib-1_0-webkit2webextension-4_1, suse-upgrade-typelib-1_0-webkit2webextension-5_0, suse-upgrade-webkit-jsc-4, suse-upgrade-webkit-jsc-4-1, suse-upgrade-webkit-jsc-5-0, suse-upgrade-webkit2gtk-4-0-lang, suse-upgrade-webkit2gtk-4-1-lang, suse-upgrade-webkit2gtk-4_0-injected-bundles, suse-upgrade-webkit2gtk-4_1-injected-bundles, suse-upgrade-webkit2gtk-5-0-lang, suse-upgrade-webkit2gtk-5_0-injected-bundles, suse-upgrade-webkit2gtk3-devel, suse-upgrade-webkit2gtk3-minibrowser, suse-upgrade-webkit2gtk3-soup2-devel, suse-upgrade-webkit2gtk3-soup2-minibrowser, suse-upgrade-webkit2gtk4-devel, suse-upgrade-webkit2gtk4-minibrowser
     References: https://attackerkb.com/topics/cve-2023-25362, CVE-2023-25362
  7. SUSE: CVE-2023-25360: SUSE Linux Security Advisory
     Severity: 9 | CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
     Published: 03/02/2023 | Created: 05/05/2023 | Added: 04/28/2023 | Modified: 01/28/2025
     Description: A use-after-free vulnerability in WebCore::RenderLayer::renderer in WebKitGTK before 2.36.8 allows attackers to execute code remotely.
     Solution(s): suse-upgrade-libjavascriptcoregtk-4_0-18, suse-upgrade-libjavascriptcoregtk-4_0-18-32bit, suse-upgrade-libjavascriptcoregtk-4_1-0, suse-upgrade-libjavascriptcoregtk-4_1-0-32bit, suse-upgrade-libjavascriptcoregtk-5_0-0, suse-upgrade-libwebkit2gtk-4_0-37, suse-upgrade-libwebkit2gtk-4_0-37-32bit, suse-upgrade-libwebkit2gtk-4_1-0, suse-upgrade-libwebkit2gtk-4_1-0-32bit, suse-upgrade-libwebkit2gtk-5_0-0, suse-upgrade-libwebkit2gtk3-lang, suse-upgrade-typelib-1_0-javascriptcore-4_0, suse-upgrade-typelib-1_0-javascriptcore-4_1, suse-upgrade-typelib-1_0-javascriptcore-5_0, suse-upgrade-typelib-1_0-webkit2-4_0, suse-upgrade-typelib-1_0-webkit2-4_1, suse-upgrade-typelib-1_0-webkit2-5_0, suse-upgrade-typelib-1_0-webkit2webextension-4_0, suse-upgrade-typelib-1_0-webkit2webextension-4_1, suse-upgrade-typelib-1_0-webkit2webextension-5_0, suse-upgrade-webkit-jsc-4, suse-upgrade-webkit-jsc-4-1, suse-upgrade-webkit-jsc-5-0, suse-upgrade-webkit2gtk-4-0-lang, suse-upgrade-webkit2gtk-4-1-lang, suse-upgrade-webkit2gtk-4_0-injected-bundles, suse-upgrade-webkit2gtk-4_1-injected-bundles, suse-upgrade-webkit2gtk-5-0-lang, suse-upgrade-webkit2gtk-5_0-injected-bundles, suse-upgrade-webkit2gtk3-devel, suse-upgrade-webkit2gtk3-minibrowser, suse-upgrade-webkit2gtk3-soup2-devel, suse-upgrade-webkit2gtk3-soup2-minibrowser, suse-upgrade-webkit2gtk4-devel, suse-upgrade-webkit2gtk4-minibrowser
     References: https://attackerkb.com/topics/cve-2023-25360, CVE-2023-25360
  8. Amazon Linux AMI 2: CVE-2023-25155: Security patch for redis (ALASREDIS6-2023-001)
     Severity: 7 | CVSS: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
     Published: 03/02/2023 | Created: 09/28/2023 | Added: 09/28/2023 | Modified: 01/28/2025
     Description: Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. This problem affects all Redis versions. Patches were released in Redis version(s) 6.0.18, 6.2.11 and 7.0.9.
     Solution(s): amazon-linux-ami-2-upgrade-redis, amazon-linux-ami-2-upgrade-redis-debuginfo, amazon-linux-ami-2-upgrade-redis-devel, amazon-linux-ami-2-upgrade-redis-doc
     References: https://attackerkb.com/topics/cve-2023-25155, AL2/ALASREDIS6-2023-001, CVE-2023-25155
  9. Amazon Linux AMI 2: CVE-2023-25361: Security patch for webkitgtk4 (ALAS-2023-2088)
     Severity: 9 | CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
     Published: 03/02/2023 | Created: 06/14/2023 | Added: 06/13/2023 | Modified: 01/28/2025
     Description: A use-after-free vulnerability in WebCore::RenderLayer::setNextSibling in WebKitGTK before 2.36.8 allows attackers to execute code remotely.
     Solution(s): amazon-linux-ami-2-upgrade-webkitgtk4, amazon-linux-ami-2-upgrade-webkitgtk4-debuginfo, amazon-linux-ami-2-upgrade-webkitgtk4-devel, amazon-linux-ami-2-upgrade-webkitgtk4-jsc, amazon-linux-ami-2-upgrade-webkitgtk4-jsc-devel
     References: https://attackerkb.com/topics/cve-2023-25361, AL2/ALAS-2023-2088, CVE-2023-25361
  10. Amazon Linux AMI 2: CVE-2023-25363: Security patch for webkitgtk4 (ALAS-2023-2088)
     Severity: 9 | CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
     Published: 03/02/2023 | Created: 06/14/2023 | Added: 06/13/2023 | Modified: 01/28/2025
     Description: A use-after-free vulnerability in WebCore::RenderLayer::updateDescendantDependentFlags in WebKitGTK before 2.36.8 allows attackers to execute code remotely.
     Solution(s): amazon-linux-ami-2-upgrade-webkitgtk4, amazon-linux-ami-2-upgrade-webkitgtk4-debuginfo, amazon-linux-ami-2-upgrade-webkitgtk4-devel, amazon-linux-ami-2-upgrade-webkitgtk4-jsc, amazon-linux-ami-2-upgrade-webkitgtk4-jsc-devel
     References: https://attackerkb.com/topics/cve-2023-25363, AL2/ALAS-2023-2088, CVE-2023-25363
  11. Amazon Linux AMI 2: CVE-2023-25358: Security patch for webkitgtk4 (ALAS-2023-2088)
     Severity: 9 | CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
     Published: 03/02/2023 | Created: 06/14/2023 | Added: 06/13/2023 | Modified: 01/28/2025
     Description: A use-after-free vulnerability in WebCore::RenderLayer::addChild in WebKitGTK before 2.36.8 allows attackers to execute code remotely.
     Solution(s): amazon-linux-ami-2-upgrade-webkitgtk4, amazon-linux-ami-2-upgrade-webkitgtk4-debuginfo, amazon-linux-ami-2-upgrade-webkitgtk4-devel, amazon-linux-ami-2-upgrade-webkitgtk4-jsc, amazon-linux-ami-2-upgrade-webkitgtk4-jsc-devel
     References: https://attackerkb.com/topics/cve-2023-25358, AL2/ALAS-2023-2088, CVE-2023-25358
  12. Gentoo Linux: CVE-2023-25155: Redis: Multiple Vulnerabilities
     Severity: 7 | CVSS: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
     Published: 03/02/2023 | Created: 08/08/2024 | Added: 08/08/2024 | Modified: 01/28/2025
     Description: Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. This problem affects all Redis versions. Patches were released in Redis version(s) 6.0.18, 6.2.11 and 7.0.9.
     Solution(s): gentoo-linux-upgrade-dev-db-redis
     References: https://attackerkb.com/topics/cve-2023-25155, CVE-2023-25155, 202408-05
  13. Gentoo Linux: CVE-2023-25360: WebKitGTK+: Multiple Vulnerabilities
     Severity: 9 | CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
     Published: 03/02/2023 | Created: 05/31/2023 | Added: 05/31/2023 | Modified: 01/28/2025
     Description: A use-after-free vulnerability in WebCore::RenderLayer::renderer in WebKitGTK before 2.36.8 allows attackers to execute code remotely.
     Solution(s): gentoo-linux-upgrade-net-libs-webkit-gtk
     References: https://attackerkb.com/topics/cve-2023-25360, CVE-2023-25360, 202305-32
  14. Gentoo Linux: CVE-2023-25361: WebKitGTK+: Multiple Vulnerabilities
     Severity: 9 | CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
     Published: 03/02/2023 | Created: 05/31/2023 | Added: 05/31/2023 | Modified: 01/28/2025
     Description: A use-after-free vulnerability in WebCore::RenderLayer::setNextSibling in WebKitGTK before 2.36.8 allows attackers to execute code remotely.
     Solution(s): gentoo-linux-upgrade-net-libs-webkit-gtk
     References: https://attackerkb.com/topics/cve-2023-25361, CVE-2023-25361, 202305-32
  15. Gentoo Linux: CVE-2023-25362: WebKitGTK+: Multiple Vulnerabilities
     Severity: 9 | CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
     Published: 03/02/2023 | Created: 05/31/2023 | Added: 05/31/2023 | Modified: 01/28/2025
     Description: A use-after-free vulnerability in WebCore::RenderLayer::repaintBlockSelectionGaps in WebKitGTK before 2.36.8 allows attackers to execute code remotely.
     Solution(s): gentoo-linux-upgrade-net-libs-webkit-gtk
     References: https://attackerkb.com/topics/cve-2023-25362, CVE-2023-25362, 202305-32
  16. CentOS Linux: CVE-2023-1118: Important: kernel-rt security, bug fix, and enhancement update (Multiple Advisories)
     Severity: 7 | CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
     Published: 03/02/2023 | Created: 11/16/2023 | Added: 11/15/2023 | Modified: 01/28/2025
     Description: A use-after-free flaw was found in the Linux kernel's integrated infrared receiver/transceiver driver in the way a user detaches an rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
     Solution(s): centos-upgrade-kernel, centos-upgrade-kernel-rt
     References: CVE-2023-1118
  17. SUSE: CVE-2022-27672: SUSE Linux Security Advisory
     Severity: 4 | CVSS: (AV:L/AC:M/Au:S/C:C/I:N/A:N)
     Published: 03/01/2023 | Created: 03/13/2023 | Added: 03/13/2023 | Modified: 01/28/2025
     Description: When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch, potentially resulting in information disclosure.
     Solution(s): suse-upgrade-xen, suse-upgrade-xen-devel, suse-upgrade-xen-doc-html, suse-upgrade-xen-libs, suse-upgrade-xen-libs-32bit, suse-upgrade-xen-tools, suse-upgrade-xen-tools-domu, suse-upgrade-xen-tools-xendomains-wait-disk
     References: https://attackerkb.com/topics/cve-2022-27672, CVE-2022-27672
  18. Debian: CVE-2023-24755: libde265 -- security update
     Severity: 5 | CVSS: (AV:L/AC:M/Au:N/C:N/I:N/A:C)
     Published: 03/01/2023 | Created: 03/07/2023 | Added: 03/06/2023 | Modified: 01/28/2025
     Description: libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the put_weighted_pred_8_fallback function at fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
     Solution(s): debian-upgrade-libde265
     References: https://attackerkb.com/topics/cve-2023-24755, CVE-2023-24755, DLA-3352-1, DSA-5346-1
  19. Amazon Linux AMI 2: CVE-2023-25360: Security patch for webkitgtk4 (ALAS-2023-2088)
     Severity: 9 | CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
     Published: 03/02/2023 | Created: 06/14/2023 | Added: 06/13/2023 | Modified: 01/28/2025
     Description: A use-after-free vulnerability in WebCore::RenderLayer::renderer in WebKitGTK before 2.36.8 allows attackers to execute code remotely.
     Solution(s): amazon-linux-ami-2-upgrade-webkitgtk4, amazon-linux-ami-2-upgrade-webkitgtk4-debuginfo, amazon-linux-ami-2-upgrade-webkitgtk4-devel, amazon-linux-ami-2-upgrade-webkitgtk4-jsc, amazon-linux-ami-2-upgrade-webkitgtk4-jsc-devel
     References: https://attackerkb.com/topics/cve-2023-25360, AL2/ALAS-2023-2088, CVE-2023-25360
  20. Google Chrome Vulnerability: CVE-2023-0931 Use after free in Video
     Severity: 9 | CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
     Published: 03/01/2023 | Created: 03/02/2023 | Added: 03/01/2023 | Modified: 01/28/2025
     Description: Use after free in Video in Google Chrome prior to 110.0.5481.177 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
     Solution(s): google-chrome-upgrade-latest
     References: https://attackerkb.com/topics/cve-2023-0931, CVE-2023-0931, https://chromereleases.googleblog.com/2023/02/stable-channel-desktop-update_22.html
  21. Juniper Junos OS: 2024-10 Security Bulletin: Junos OS: J-Web: Multiple vulnerabilities resolved in PHP software. (JSA88120) (multiple CVEs)
     Severity: 4 | CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published: 03/01/2023 | Created: 10/18/2024 | Added: 10/14/2024 | Modified: 10/18/2024
     Description: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the password_verify() function may accept some invalid Blowfish hashes as valid. If such an invalid hash ever ends up in the password database, it may lead to an application accepting any password for this entry as valid.
     Solution(s): juniper-junos-os-upgrade-latest
     References: https://attackerkb.com/topics/cve-2023-0567, CVE-2023-0567, CVE-2023-0662, CVE-2023-3823, JSA88120
  22. SUSE: CVE-2022-3294: SUSE Linux Security Advisory
     Severity: 9 | CVSS: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
     Published: 03/01/2023 | Created: 05/29/2023 | Added: 05/29/2023 | Modified: 01/28/2025
     Description: Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to be redirected to the API server's private network.
     Solution(s): suse-upgrade-kubernetes1-23-client, suse-upgrade-kubernetes1-23-client-common, suse-upgrade-kubernetes1-24-client, suse-upgrade-kubernetes1-24-client-common
     References: https://attackerkb.com/topics/cve-2022-3294, CVE-2022-3294
  23. Amazon Linux AMI: CVE-2023-1127: Security patch for vim (ALAS-2023-1703)
     Severity: 7 | CVSS: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
     Published: 03/01/2023 | Created: 03/24/2023 | Added: 03/23/2023 | Modified: 01/28/2025
     Description: Divide By Zero in GitHub repository vim/vim prior to 9.0.1367.
     Solution(s): amazon-linux-upgrade-vim
     References: ALAS-2023-1703, CVE-2023-1127
  24. SUSE: CVE-2022-36021: SUSE Linux Security Advisory
     Severity: 5 | CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published: 03/01/2023 | Created: 03/13/2023 | Added: 03/13/2023 | Modified: 01/28/2025
     Description: Redis is an in-memory database that persists on disk. Authenticated users can use string matching commands (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. The problem is fixed in Redis versions 6.0.18, 6.2.11, 7.0.9.
     Solution(s): suse-upgrade-redis, suse-upgrade-redis7
     References: https://attackerkb.com/topics/cve-2022-36021, CVE-2022-36021
  25. Alma Linux: CVE-2023-0567: Important: php:8.0 security update (Multiple Advisories)
     Severity: 5 | CVSS: (AV:L/AC:L/Au:N/C:N/I:C/A:N)
     Published: 03/01/2023 | Created: 10/24/2023 | Added: 10/23/2023 | Modified: 02/11/2025
     Description: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the password_verify() function may accept some invalid Blowfish hashes as valid. If such an invalid hash ever ends up in the password database, it may lead to an application accepting any password for this entry as valid.
     Solution(s): alma-upgrade-apcu-panel, alma-upgrade-libzip, alma-upgrade-libzip-devel, alma-upgrade-libzip-tools, alma-upgrade-php, alma-upgrade-php-bcmath, alma-upgrade-php-cli, alma-upgrade-php-common, alma-upgrade-php-dba, alma-upgrade-php-dbg, alma-upgrade-php-devel, alma-upgrade-php-embedded, alma-upgrade-php-enchant, alma-upgrade-php-ffi, alma-upgrade-php-fpm, alma-upgrade-php-gd, alma-upgrade-php-gmp, alma-upgrade-php-intl, alma-upgrade-php-json, alma-upgrade-php-ldap, alma-upgrade-php-mbstring, alma-upgrade-php-mysqlnd, alma-upgrade-php-odbc, alma-upgrade-php-opcache, alma-upgrade-php-pdo, alma-upgrade-php-pear, alma-upgrade-php-pecl-apcu, alma-upgrade-php-pecl-apcu-devel, alma-upgrade-php-pecl-rrd, alma-upgrade-php-pecl-xdebug, alma-upgrade-php-pecl-xdebug3, alma-upgrade-php-pecl-zip, alma-upgrade-php-pgsql, alma-upgrade-php-process, alma-upgrade-php-snmp, alma-upgrade-php-soap, alma-upgrade-php-xml, alma-upgrade-php-xmlrpc
     References: https://attackerkb.com/topics/cve-2023-0567, CVE-2023-0567, https://errata.almalinux.org/8/ALSA-2023-5927.html, https://errata.almalinux.org/8/ALSA-2024-10952.html, https://errata.almalinux.org/9/ALSA-2023-5926.html, https://errata.almalinux.org/9/ALSA-2024-0387.html
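
Entries 5, 8, 12 and 24 describe two Redis denial-of-service conditions that are only reachable by authenticated clients: an integer overflow in the count argument of SRANDMEMBER, ZRANDMEMBER and HRANDFIELD (CVE-2023-25155), and a specially crafted pattern passed to KEYS or the SCAN family (CVE-2022-36021). Until the upgrade to 6.0.18 / 6.2.11 / 7.0.9 lands, the offending commands can at least be watched. The following is an added example and not code from the advisories or from Redis: a Python scanner over MONITOR output that flags both conditions. Two details are my assumptions and are not stated in the advisories: the overflow is treated as a count below -(2^63-1), the value whose negation cannot be represented in a signed 64-bit integer, and a "specially crafted pattern" is approximated by a pattern containing STAR_THRESHOLD or more `*` wildcards, a heuristic to tune to your workload. The MONITOR lines are constructed.

```python
"""Added example: flag Redis commands matching CVE-2023-25155 / CVE-2022-36021
in MONITOR output. Not code from the advisories or from Redis.
"""
import re

RAND_COMMANDS = {"SRANDMEMBER", "ZRANDMEMBER", "HRANDFIELD"}   # CVE-2023-25155
PATTERN_COMMANDS = {"KEYS", "SCAN", "SSCAN", "HSCAN", "ZSCAN"}  # CVE-2022-36021
INT64_MAX = 2**63 - 1
STAR_THRESHOLD = 8  # assumption: heuristic for a "specially crafted pattern"

# MONITOR line: <unix ts> [<db> <client>] "CMD" "arg" ...; the client field is
# host:port, unix:/path, or "lua" for commands issued from a script.
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted args, with \" and \\ escaped inside


def parse_monitor_line(line):
    """Return {'ts', 'db', 'client', 'argv'} or None if the line is not a MONITOR record."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    argv = [a.replace('\\"', '"').replace("\\\\", "\\") for a in ARG_RE.findall(m.group("args"))]
    if not argv:
        return None
    return {"ts": float(m.group("ts")), "db": int(m.group("db")),
            "client": m.group("client"), "argv": argv}


def pattern_arg(argv):
    """KEYS takes the pattern positionally; the SCAN family takes it after MATCH."""
    if argv[0].upper() == "KEYS":
        return argv[1] if len(argv) > 1 else None
    for i in range(1, len(argv) - 1):
        if argv[i].upper() == "MATCH":
            return argv[i + 1]
    return None


def check_command(argv):
    """Return a reason string if argv matches one of the two conditions, else None."""
    cmd = argv[0].upper()
    if cmd in RAND_COMMANDS and len(argv) >= 3:
        try:
            count = int(argv[2])
        except ValueError:
            return None  # Redis rejects a non-integer count with an error reply
        if count < -INT64_MAX or count > INT64_MAX:
            return f"CVE-2023-25155: {cmd} count {argv[2]} outside the safe signed 64-bit range"
    if cmd in PATTERN_COMMANDS:
        pat = pattern_arg(argv)
        if pat is not None and pat.count("*") >= STAR_THRESHOLD:
            return f"CVE-2022-36021: {cmd} pattern with {pat.count('*')} '*' wildcards"
    return None


def scan_monitor(lines):
    """Run check_command over MONITOR lines; one finding per offending command."""
    findings = []
    for line in lines:
        rec = parse_monitor_line(line)
        if rec is None:
            continue
        reason = check_command(rec["argv"])
        if reason:
            findings.append({"client": rec["client"], "command": rec["argv"][0].upper(),
                             "reason": reason})
    return findings


# Constructed MONITOR output; addresses and key names are made up.
SAMPLE_MONITOR = """\
1677700000.000001 [0 10.0.0.5:51234] "SRANDMEMBER" "tags" "5"
1677700000.000002 [0 10.0.0.5:51234] "SCAN" "0" "MATCH" "user:*" "COUNT" "100"
1677700000.000003 [0 10.0.0.9:40001] "HRANDFIELD" "profile" "-9223372036854775808" "WITHVALUES"
1677700000.000004 [0 10.0.0.9:40001] "KEYS" "*a*a*a*a*a*a*a*a*a*a*b"
1677700000.000005 [0 lua] "ZRANDMEMBER" "leaderboard" "-3"
OK
""".splitlines()

if __name__ == "__main__":
    for f in scan_monitor(SAMPLE_MONITOR):
        print(f["client"], f["command"], f["reason"])
```

Feed it `redis-cli MONITOR` output (remember that MONITOR itself costs throughput and exposes every argument, so run it briefly and on a replica if possible). The two findings in the sample come from the same client address, which is the kind of correlation an ACL review should follow up: the commands can also be denied outright to application users with `ACL SETUSER <user> -srandmember -zrandmember -hrandfield -keys` until the patched build is deployed.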
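
Entries 21 and 25 describe CVE-2023-0567: password_verify() in unpatched PHP may accept some invalid Blowfish (bcrypt) hashes, so one malformed row in the password table can turn into an account where any password works. Upgrading PHP fixes the verifier, but the malformed rows stay in the database and have to be found and re-hashed. The following is an added example, not from the advisories or from PHP: a Python audit that reports stored bcrypt hashes that are not in canonical modular-crypt form. It deliberately does not try to reproduce which malformed inputs the old PHP parser accepted; anything off-format is reported so it can be reset. The rows are constructed; the one well-formed value is the widely published bcrypt example digest and is not a live credential. Hashes of other algorithms are skipped as out of scope.

```python
"""Added example: find non-canonical bcrypt hashes in a password table, as a
follow-up to CVE-2023-0567. Not code from the advisories or from PHP.
"""
import re

# Canonical bcrypt modular-crypt layout, 60 characters in total:
#   $2a$ | $2b$ | $2y$   algorithm identifier
#   NN$                  two-digit cost, 04..31
#   22 characters        salt, bcrypt base64 alphabet ./A-Za-z0-9
#   31 characters        digest, same alphabet
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
MIN_COST, MAX_COST = 4, 31


def classify_hash(stored):
    """Return 'ok', 'not-bcrypt' (another algorithm, out of scope here), or a
    reason why the stored value is not a canonical bcrypt hash."""
    if not stored.startswith("$2"):
        return "not-bcrypt"
    m = BCRYPT_RE.match(stored)
    if m is None:
        if len(stored) != 60:
            return f"malformed-bcrypt:length-{len(stored)}"
        return "malformed-bcrypt:illegal-character"
    cost = int(m.group(1))
    if not MIN_COST <= cost <= MAX_COST:
        return f"cost-out-of-range:{cost}"
    return "ok"


def audit(rows):
    """rows: iterable of (user, stored hash). Returns [(user, reason)] for the
    bcrypt rows that need a forced reset or re-hash; other algorithms are not reported."""
    findings = []
    for user, stored in rows:
        reason = classify_hash(stored)
        if reason not in ("ok", "not-bcrypt"):
            findings.append((user, reason))
    return findings


# Constructed sample table. alice's value is the widely published bcrypt example
# digest, used here only because it has the valid layout.
SAMPLE_ROWS = [
    ("alice", "$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"),
    ("bob", "$2y$10$abc"),                                                     # truncated
    ("carol", "$2y$10$N9qo8uLOickgx2ZMRZoMy!IjZAgcfl7p92ldGxad68LJZdL17lhWy"),  # '!' in the salt
    ("dave", "$2y$99$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"),   # cost 99
    ("erin", "$argon2id$v=19$m=65536,t=4,p=1$c2FsdHNhbHQ$aGFzaGhhc2g"),          # other algorithm
]

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_ROWS):
        print(f"{user}: {reason} -> force password reset / re-hash")
```

Run the audit against a dump of the password column rather than the live table, and treat every finding as a reset, not a repair: a malformed hash cannot be corrected without the original password. The same layout check is worth running at write time as well, since a hash that is rejected before it reaches the database never becomes a verifier problem in the first place.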
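
Entry 22 (CVE-2022-3294) states its precondition explicitly: a cluster is exposed only if an untrusted principal can both modify Node objects and send node proxy requests. That precondition can be evaluated from RBAC before deciding how urgently to roll the kube-apiserver upgrade, and the principals it turns up are worth reviewing regardless. The following is an added example, not from the advisory or from Kubernetes: a Python check over ClusterRoles and ClusterRoleBindings, as plain dicts in the shape `kubectl get clusterroles,clusterrolebindings -o json` returns, that lists subjects holding both capabilities. The assumptions are mine: "modify" means update or patch on core-group `nodes`, "proxy" means any verb on the `nodes/proxy` subresource, a `*` in apiGroups, resources or verbs matches everything, and aggregated ClusterRoles and namespaced RoleBindings are ignored (Nodes are cluster-scoped, so a RoleBinding cannot grant them). The objects are constructed.

```python
"""Added example: which RBAC subjects can both modify Nodes and use nodes/proxy,
the CVE-2022-3294 precondition. Not code from the advisory or from Kubernetes.
"""

MODIFY_VERBS = {"update", "patch"}
PROXY_VERBS = {"get", "create", "update", "patch", "delete"}  # HTTP methods on the proxy path


def rule_grants(rule, resource, verbs):
    """True if one RBAC rule grants any of `verbs` on the core-group `resource`.
    Assumption: '*' in apiGroups, resources or verbs matches everything."""
    groups = rule.get("apiGroups", [])
    if "" not in groups and "*" not in groups:
        return False  # nodes and nodes/proxy live in the core ("") API group
    resources = set(rule.get("resources", []))
    if resource not in resources and "*" not in resources:
        return False
    rule_verbs = set(rule.get("verbs", []))
    return "*" in rule_verbs or bool(rule_verbs & verbs)


def role_capabilities(role):
    """Return {'modify_nodes': bool, 'proxy_nodes': bool} for one ClusterRole."""
    rules = role.get("rules", [])
    return {
        "modify_nodes": any(rule_grants(r, "nodes", MODIFY_VERBS) for r in rules),
        "proxy_nodes": any(rule_grants(r, "nodes/proxy", PROXY_VERBS) for r in rules),
    }


def exposed_subjects(cluster_roles, cluster_role_bindings):
    """Subjects (kind, name) whose ClusterRoleBindings together grant both
    capabilities. ServiceAccounts are keyed as namespace/name. Sorted list."""
    caps_by_role = {cr["metadata"]["name"]: role_capabilities(cr) for cr in cluster_roles}
    per_subject = {}
    for crb in cluster_role_bindings:
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in caps_by_role:
            continue
        caps = caps_by_role[ref["name"]]
        for s in crb.get("subjects", []):
            name = s["name"] if s["kind"] != "ServiceAccount" else f"{s.get('namespace', '')}/{s['name']}"
            acc = per_subject.setdefault((s["kind"], name),
                                         {"modify_nodes": False, "proxy_nodes": False})
            acc["modify_nodes"] |= caps["modify_nodes"]
            acc["proxy_nodes"] |= caps["proxy_nodes"]
    return sorted(k for k, c in per_subject.items() if c["modify_nodes"] and c["proxy_nodes"])


def _role(name, rules):
    return {"metadata": {"name": name}, "rules": rules}


def _binding(role, subjects):
    return {"roleRef": {"kind": "ClusterRole", "name": role}, "subjects": subjects}


# Constructed objects, not from a real cluster.
SAMPLE_ROLES = [
    _role("cluster-admin", [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _role("node-labeler", [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "patch"]}]),
    _role("node-proxy-reader", [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]}]),
    _role("node-viewer", [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]}]),
]
SAMPLE_BINDINGS = [
    _binding("cluster-admin", [{"kind": "Group", "name": "system:masters"}]),
    _binding("node-labeler", [{"kind": "ServiceAccount", "namespace": "ops", "name": "labeler"},
                              {"kind": "ServiceAccount", "namespace": "ops", "name": "autoscaler"}]),
    _binding("node-proxy-reader", [{"kind": "ServiceAccount", "namespace": "ops", "name": "autoscaler"},
                                   {"kind": "ServiceAccount", "namespace": "monitoring", "name": "scraper"}]),
    _binding("node-viewer", [{"kind": "Group", "name": "developers"}]),
]

if __name__ == "__main__":
    for kind, name in exposed_subjects(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{kind} {name}: can modify Nodes AND proxy to them")
```

The interesting finding in the sample is `ops/autoscaler`, which gets the two halves of the precondition from two different roles; checking roles one at a time would miss it, which is why the capabilities are accumulated per subject. Subjects that already hold cluster-admin are expected to appear and are not news; the list to act on is everything else.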
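
Every entry above resolves to "upgrade", and where the advisory quotes upstream versions the fix is stated per release branch: Redis 6.0.18 / 6.2.11 / 7.0.9, PHP 8.0.28 / 8.1.16 / 8.2.3, WebKitGTK 2.36.8, Chrome 110.0.5481.177, vim 9.0.1367. A version on a branch is only fixed by the fix for that branch, so a naive "greater than the lowest fixed version" comparison gets 6.2.10 wrong (it is newer than 6.0.18 and still vulnerable). The following is an added example, not part of the bot's posts or of any vendor tooling: a Python checker that picks the branch an installed version belongs to and compares against that branch's fix only. The fix table is taken from the entries above; the inventory fed to it is constructed. It assumes plain dotted numeric upstream version strings; distribution packages with backported fixes (Debian's libde265, Red Hat's webkit2gtk3 and the other distro entries) carry their own version schemes and must be compared against the distro advisory, not this table.

```python
"""Added example: is an installed version older than the advisory's fix on its
own release branch? Not code from the advisories above.
"""
import re

# Fixed versions quoted in the entries above, keyed by the release branch each
# fix applies to. An empty branch key means one fix line covers every version.
FIXES = {
    "redis CVE-2023-25155": {"6.0": "6.0.18", "6.2": "6.2.11", "7.0": "7.0.9"},
    "redis CVE-2022-36021": {"6.0": "6.0.18", "6.2": "6.2.11", "7.0": "7.0.9"},
    "php CVE-2023-0567": {"8.0": "8.0.28", "8.1": "8.1.16", "8.2": "8.2.3"},
    "webkitgtk CVE-2023-25358/25360/25361/25362/25363": {"": "2.36.8"},
    "chrome CVE-2023-0931": {"": "110.0.5481.177"},
    "vim CVE-2023-1127": {"": "9.0.1367"},
}


def parse_version(text):
    """'7.0.9' -> (7, 0, 9). Parsing stops at the first non-numeric component,
    so '7.0.9-rc1' -> (7, 0, 9) and '2.36' -> (2, 36). Assumption: plain
    dotted numeric upstream versions, as quoted in the advisories."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def status(installed, fixes):
    """Return 'vulnerable', 'fixed', 'no-fix-listed' or 'unparseable'.

    The most specific branch whose prefix matches the installed version wins.
    A version on a branch the advisory does not list gets 'no-fix-listed' so
    the caller goes back to the advisory instead of trusting a guess."""
    iv = parse_version(installed)
    if not iv:
        return "unparseable"
    match = None  # (branch tuple, fixed version string)
    for branch, fixed in fixes.items():
        bv = parse_version(branch) if branch else ()
        if iv[: len(bv)] == bv and (match is None or len(bv) > len(match[0])):
            match = (bv, fixed)
    if match is None:
        return "no-fix-listed"
    return "vulnerable" if iv < parse_version(match[1]) else "fixed"


def report(inventory):
    """inventory: [(host, advisory key, installed version)] -> [(host, key, status)]."""
    return [(host, key, status(ver, FIXES[key])) for host, key, ver in inventory]


# Constructed inventory; the host names are not real systems.
SAMPLE_INVENTORY = [
    ("cache-1", "redis CVE-2023-25155", "7.0.8"),
    ("cache-2", "redis CVE-2023-25155", "6.2.11"),
    ("cache-3", "redis CVE-2023-25155", "5.0.14"),
    ("web-1", "php CVE-2023-0567", "8.1.15"),
    ("kiosk-1", "webkitgtk CVE-2023-25358/25360/25361/25362/25363", "2.34.6"),
    ("desk-1", "chrome CVE-2023-0931", "110.0.5481.104"),
]

if __name__ == "__main__":
    for host, key, result in report(SAMPLE_INVENTORY):
        print(f"{host:8} {result:14} {key}")
```

The "no-fix-listed" result for cache-3 is deliberate: the Redis advisory says the problem affects all versions but names fixes only for the 6.0, 6.2 and 7.0 branches, so a 5.x server is unsupported rather than safe, and the checker refuses to say "fixed" for it.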