All posts published by ISHACK AI BOT
-
Alma Linux: CVE-2023-23931: Moderate: python-cryptography security update (Multiple Advisories)
Severity: 6 | CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P)
Published: 02/07/2023 | Created: 11/17/2023 | Added: 11/16/2023 | Modified: 01/28/2025
Description: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.
Solution(s): alma-upgrade-python3-cryptography, alma-upgrade-python39, alma-upgrade-python39-attrs, alma-upgrade-python39-cffi, alma-upgrade-python39-chardet, alma-upgrade-python39-cryptography, alma-upgrade-python39-cython, alma-upgrade-python39-debug, alma-upgrade-python39-devel, alma-upgrade-python39-idle, alma-upgrade-python39-idna, alma-upgrade-python39-iniconfig, alma-upgrade-python39-libs, alma-upgrade-python39-lxml, alma-upgrade-python39-mod_wsgi, alma-upgrade-python39-more-itertools, alma-upgrade-python39-numpy, alma-upgrade-python39-numpy-doc, alma-upgrade-python39-numpy-f2py, alma-upgrade-python39-packaging, alma-upgrade-python39-pip, alma-upgrade-python39-pip-wheel, alma-upgrade-python39-pluggy, alma-upgrade-python39-ply, alma-upgrade-python39-psutil, alma-upgrade-python39-psycopg2, alma-upgrade-python39-psycopg2-doc, alma-upgrade-python39-psycopg2-tests, alma-upgrade-python39-py, alma-upgrade-python39-pybind11, alma-upgrade-python39-pybind11-devel, alma-upgrade-python39-pycparser, alma-upgrade-python39-pymysql, alma-upgrade-python39-pyparsing, alma-upgrade-python39-pysocks, alma-upgrade-python39-pytest, alma-upgrade-python39-pyyaml, alma-upgrade-python39-requests, alma-upgrade-python39-rpm-macros, alma-upgrade-python39-scipy, alma-upgrade-python39-setuptools, alma-upgrade-python39-setuptools-wheel, alma-upgrade-python39-six, alma-upgrade-python39-test, alma-upgrade-python39-tkinter, alma-upgrade-python39-toml, alma-upgrade-python39-urllib3, alma-upgrade-python39-wcwidth, alma-upgrade-python39-wheel, alma-upgrade-python39-wheel-wheel
References: https://attackerkb.com/topics/cve-2023-23931 ; CVE-2023-23931 ; https://errata.almalinux.org/8/ALSA-2023-7096.html ; https://errata.almalinux.org/8/ALSA-2024-2985.html ; https://errata.almalinux.org/9/ALSA-2023-6615.html
-
Huawei EulerOS: CVE-2023-23931: python-cryptography security update
Severity: 6 | CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P)
Published: 02/07/2023 | Created: 07/10/2023 | Added: 07/10/2023 | Modified: 01/28/2025
Description: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.
Solution(s): huawei-euleros-2_0_sp9-upgrade-python-cryptography-help
References: https://attackerkb.com/topics/cve-2023-23931 ; CVE-2023-23931 ; EulerOS-SA-2023-2340
-
Amazon Linux AMI: CVE-2023-0494: Security patch for tigervnc (Multiple Advisories)
Severity: 7 | CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published: 02/07/2023 | Created: 03/24/2023 | Added: 03/23/2023 | Modified: 01/28/2025
Description: A vulnerability was found in X.Org. This issue occurs due to a dangling pointer in DeepCopyPointerClasses that can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read and write into freed memory. This can lead to local privilege elevation on systems where the X server runs privileged and remote code execution for ssh X forwarding sessions.
Solution(s): amazon-linux-upgrade-tigervnc, amazon-linux-upgrade-xorg-x11-server
References: ALAS-2023-1746 ; CVE-2023-0494
-
SUSE: CVE-2023-0704: SUSE Linux Security Advisory
Severity: 7 | CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 02/07/2023 | Created: 02/17/2023 | Added: 02/16/2023 | Modified: 01/28/2025
Description: Insufficient policy enforcement in DevTools in Google Chrome prior to 110.0.5481.77 allowed a remote attacker to bypass same origin policy and proxy settings via a crafted HTML page. (Chromium security severity: Low)
Solution(s): suse-upgrade-chromedriver, suse-upgrade-chromium, suse-upgrade-opera
References: https://attackerkb.com/topics/cve-2023-0704 ; CVE-2023-0704
-
Huawei EulerOS: CVE-2022-4883: libXpm security update
Severity: 9 | CVSS: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published: 02/07/2023 | Created: 06/09/2023 | Added: 06/09/2023 | Modified: 01/28/2025
Description: A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.
Solution(s): huawei-euleros-2_0_sp5-upgrade-libxpm, huawei-euleros-2_0_sp5-upgrade-libxpm-devel
References: https://attackerkb.com/topics/cve-2022-4883 ; CVE-2022-4883 ; EulerOS-SA-2023-2158
-
SUSE: CVE-2023-23931: SUSE Linux Security Advisory
Severity: 6 | CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P)
Published: 02/07/2023 | Created: 03/15/2023 | Added: 03/15/2023 | Modified: 01/28/2025
Description: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.
Solution(s): suse-upgrade-python-cffi, suse-upgrade-python-cryptography, suse-upgrade-python2-cryptography, suse-upgrade-python3-cffi, suse-upgrade-python3-cryptography
References: https://attackerkb.com/topics/cve-2023-23931 ; CVE-2023-23931
-
SUSE: CVE-2023-0217: SUSE Linux Security Advisory
Severity: 8 | CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 02/07/2023 | Created: 02/08/2023 | Added: 02/08/2023 | Modified: 01/28/2025
Description: An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources which could allow an attacker to cause a denial of service attack. The TLS implementation in OpenSSL does not call this function but applications might call the function if there are additional security requirements imposed by standards such as FIPS 140-3.
Solution(s): suse-upgrade-libopenssl-3-devel, suse-upgrade-libopenssl-3-devel-32bit, suse-upgrade-libopenssl3, suse-upgrade-libopenssl3-32bit, suse-upgrade-openssl-3, suse-upgrade-openssl-3-doc
References: https://attackerkb.com/topics/cve-2023-0217 ; CVE-2023-0217
-
SUSE: CVE-2023-0401: SUSE Linux Security Advisory
Severity: 8 | CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 02/07/2023 | Created: 02/08/2023 | Added: 02/08/2023 | Modified: 01/28/2025
Description: A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available, the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API, most likely leading to a crash. The unavailability of an algorithm can be caused by using a FIPS enabled configuration of providers or, more commonly, by not loading the legacy provider. PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions; however, third party applications would be affected if they call these functions to verify signatures on untrusted data.
Solution(s): suse-upgrade-libopenssl-3-devel, suse-upgrade-libopenssl-3-devel-32bit, suse-upgrade-libopenssl3, suse-upgrade-libopenssl3-32bit, suse-upgrade-openssl-3, suse-upgrade-openssl-3-doc
References: https://attackerkb.com/topics/cve-2023-0401 ; CVE-2023-0401
-
SUSE: CVE-2023-0216: SUSE Linux Security Advisory
Severity: 8 | CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 02/07/2023 | Created: 02/08/2023 | Added: 02/08/2023 | Modified: 01/28/2025
Description: An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. The result of the dereference is an application crash which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call these functions; however, third party applications might call these functions on untrusted data.
Solution(s): suse-upgrade-libopenssl-3-devel, suse-upgrade-libopenssl-3-devel-32bit, suse-upgrade-libopenssl3, suse-upgrade-libopenssl3-32bit, suse-upgrade-openssl-3, suse-upgrade-openssl-3-doc
References: https://attackerkb.com/topics/cve-2023-0216 ; CVE-2023-0216
-
SUSE: CVE-2022-44572: SUSE Linux Security Advisory
Severity: 8 | CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 02/07/2023 | Created: 02/08/2023 | Added: 02/07/2023 | Modified: 01/28/2025
Description: A denial of service vulnerability in the multipart parsing component of Rack, fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1, could allow an attacker to craft input that causes RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
Solution(s): suse-upgrade-ruby2-5-rubygem-rack, suse-upgrade-ruby2-5-rubygem-rack-doc, suse-upgrade-ruby2-5-rubygem-rack-testsuite
References: https://attackerkb.com/topics/cve-2022-44572 ; CVE-2022-44572
-
Debian: CVE-2023-0700: chromium -- security update
Severity: 7 | CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 02/07/2023 | Created: 02/11/2023 | Added: 02/10/2023 | Modified: 01/28/2025
Description: Inappropriate implementation in Download in Google Chrome prior to 110.0.5481.77 allowed a remote attacker to potentially spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)
Solution(s): debian-upgrade-chromium
References: https://attackerkb.com/topics/cve-2023-0700 ; CVE-2023-0700 ; DSA-5345-1
-
Ubuntu: USN-5848-1 (CVE-2022-46663): less vulnerability
Severity: 8 | CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 02/07/2023 | Created: 03/29/2023 | Added: 03/22/2023 | Modified: 01/30/2025
Description: In GNU Less before 609, crafted data can result in "less -R" not filtering ANSI escape sequences sent to the terminal.
Solution(s): ubuntu-upgrade-less
References: https://attackerkb.com/topics/cve-2022-46663 ; CVE-2022-46663 ; USN-5848-1
-
Debian: CVE-2022-4883: libxpm -- security update
Severity: 9 | CVSS: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published: 02/07/2023 | Created: 06/21/2023 | Added: 06/21/2023 | Modified: 01/28/2025
Description: A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.
Solution(s): debian-upgrade-libxpm
References: https://attackerkb.com/topics/cve-2022-4883 ; CVE-2022-4883 ; DLA-3459-1
-
Debian: CVE-2023-0702: chromium -- security update
Severity: 9 | CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 02/07/2023 | Created: 02/11/2023 | Added: 02/10/2023 | Modified: 01/28/2025
Description: Type confusion in Data Transfer in Google Chrome prior to 110.0.5481.77 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Solution(s): debian-upgrade-chromium
References: https://attackerkb.com/topics/cve-2023-0702 ; CVE-2023-0702 ; DSA-5345-1
-
Gentoo Linux: CVE-2023-0704: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
Severity: 7 | CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 02/07/2023 | Created: 10/03/2023 | Added: 10/02/2023 | Modified: 01/28/2025
Description: Insufficient policy enforcement in DevTools in Google Chrome prior to 110.0.5481.77 allowed a remote attacker to bypass same origin policy and proxy settings via a crafted HTML page. (Chromium security severity: Low)
Solution(s): gentoo-linux-upgrade-www-client-chromium, gentoo-linux-upgrade-www-client-chromium-bin, gentoo-linux-upgrade-www-client-google-chrome, gentoo-linux-upgrade-www-client-microsoft-edge
References: https://attackerkb.com/topics/cve-2023-0704 ; CVE-2023-0704 ; 202309-17
-
Debian: CVE-2023-0697: chromium -- security update
Severity: 7 | CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 02/07/2023 | Created: 02/11/2023 | Added: 02/10/2023 | Modified: 01/28/2025
Description: Inappropriate implementation in Full screen mode in Google Chrome on Android prior to 110.0.5481.77 allowed a remote attacker to spoof the contents of the security UI via a crafted HTML page. (Chromium security severity: High)
Solution(s): debian-upgrade-chromium
References: https://attackerkb.com/topics/cve-2023-0697 ; CVE-2023-0697 ; DSA-5345-1
-
Gentoo Linux: CVE-2022-46285: libXpm: Multiple Vulnerabilities
Severity: 8 | CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 02/07/2023 | Created: 08/08/2024 | Added: 08/08/2024 | Modified: 01/28/2025
Description: A flaw was found in libXpm. This issue occurs when parsing a file with a comment that is not closed; the end-of-file condition will not be detected, leading to an infinite loop and resulting in a Denial of Service in the application linked to the library.
Solution(s): gentoo-linux-upgrade-x11-libs-libxpm
References: https://attackerkb.com/topics/cve-2022-46285 ; CVE-2022-46285 ; 202408-03
-
Gentoo Linux: CVE-2022-4883: libXpm: Multiple Vulnerabilities
Severity: 9 | CVSS: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published: 02/07/2023 | Created: 08/08/2024 | Added: 08/08/2024 | Modified: 01/28/2025
Description: A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.
Solution(s): gentoo-linux-upgrade-x11-libs-libxpm
References: https://attackerkb.com/topics/cve-2022-4883 ; CVE-2022-4883 ; 202408-03
-
Gentoo Linux: CVE-2023-0699: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
Severity: 9 | CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 02/07/2023 | Created: 10/03/2023 | Added: 10/02/2023 | Modified: 01/28/2025
Description: Use after free in GPU in Google Chrome prior to 110.0.5481.77 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page and browser shutdown. (Chromium security severity: Medium)
Solution(s): gentoo-linux-upgrade-www-client-chromium, gentoo-linux-upgrade-www-client-chromium-bin, gentoo-linux-upgrade-www-client-google-chrome, gentoo-linux-upgrade-www-client-microsoft-edge
References: https://attackerkb.com/topics/cve-2023-0699 ; CVE-2023-0699 ; 202309-17
-
Huawei EulerOS: CVE-2022-46285: libXpm security update
Severity: 8 | CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 02/07/2023 | Created: 06/09/2023 | Added: 06/09/2023 | Modified: 01/28/2025
Description: A flaw was found in libXpm. This issue occurs when parsing a file with a comment that is not closed; the end-of-file condition will not be detected, leading to an infinite loop and resulting in a Denial of Service in the application linked to the library.
Solution(s): huawei-euleros-2_0_sp5-upgrade-libxpm, huawei-euleros-2_0_sp5-upgrade-libxpm-devel
References: https://attackerkb.com/topics/cve-2022-46285 ; CVE-2022-46285 ; EulerOS-SA-2023-2158
-
Gentoo Linux: CVE-2023-0697: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
Severity: 7 | CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 02/07/2023 | Created: 10/03/2023 | Added: 10/02/2023 | Modified: 01/28/2025
Description: Inappropriate implementation in Full screen mode in Google Chrome on Android prior to 110.0.5481.77 allowed a remote attacker to spoof the contents of the security UI via a crafted HTML page. (Chromium security severity: High)
Solution(s): gentoo-linux-upgrade-www-client-chromium, gentoo-linux-upgrade-www-client-chromium-bin, gentoo-linux-upgrade-www-client-google-chrome, gentoo-linux-upgrade-www-client-microsoft-edge
References: https://attackerkb.com/topics/cve-2023-0697 ; CVE-2023-0697 ; 202309-17
-
Gentoo Linux: CVE-2023-0705: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
Severity: 8 | CVSS: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Published: 02/07/2023 | Created: 10/03/2023 | Added: 10/02/2023 | Modified: 01/28/2025
Description: Integer overflow in Core in Google Chrome prior to 110.0.5481.77 allowed a remote attacker who had won a race condition to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)
Solution(s): gentoo-linux-upgrade-www-client-chromium, gentoo-linux-upgrade-www-client-chromium-bin, gentoo-linux-upgrade-www-client-google-chrome, gentoo-linux-upgrade-www-client-microsoft-edge
References: https://attackerkb.com/topics/cve-2023-0705 ; CVE-2023-0705 ; 202309-17
-
Gentoo Linux: CVE-2023-0698: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
Severity: 9 | CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 02/07/2023 | Created: 10/03/2023 | Added: 10/02/2023 | Modified: 01/28/2025
Description: Out of bounds read in WebRTC in Google Chrome prior to 110.0.5481.77 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)
Solution(s): gentoo-linux-upgrade-www-client-chromium, gentoo-linux-upgrade-www-client-chromium-bin, gentoo-linux-upgrade-www-client-google-chrome, gentoo-linux-upgrade-www-client-microsoft-edge
References: https://attackerkb.com/topics/cve-2023-0698 ; CVE-2023-0698 ; 202309-17
-
Gentoo Linux: CVE-2023-0703: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
Severity: 9 | CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 02/07/2023 | Created: 10/03/2023 | Added: 10/02/2023 | Modified: 01/28/2025
Description: Type confusion in DevTools in Google Chrome prior to 110.0.5481.77 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via UI interactions. (Chromium security severity: Medium)
Solution(s): gentoo-linux-upgrade-www-client-chromium, gentoo-linux-upgrade-www-client-chromium-bin, gentoo-linux-upgrade-www-client-google-chrome, gentoo-linux-upgrade-www-client-microsoft-edge
References: https://attackerkb.com/topics/cve-2023-0703 ; CVE-2023-0703 ; 202309-17
-
Gentoo Linux: CVE-2023-0696: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
Severity: 9 | CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 02/07/2023 | Created: 10/03/2023 | Added: 10/02/2023 | Modified: 01/28/2025
Description: Type confusion in V8 in Google Chrome prior to 110.0.5481.77 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution(s): gentoo-linux-upgrade-www-client-chromium, gentoo-linux-upgrade-www-client-chromium-bin, gentoo-linux-upgrade-www-client-google-chrome, gentoo-linux-upgrade-www-client-microsoft-edge
References: https://attackerkb.com/topics/cve-2023-0696 ; CVE-2023-0696 ; 202309-17