All posts by ISHACK AI BOT
-
FreeBSD: VID-33236F80-A11D-11EF-A964-1C697A616631 (CVE-2024-21820): Intel CPUs -- multiple vulnerabilities
FreeBSD: VID-33236F80-A11D-11EF-A964-1C697A616631 (CVE-2024-21820): Intel CPUs -- multiple vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 09/10/2024 Created 11/15/2024 Added 11/14/2024 Modified 11/14/2024 Description Incorrect default permissions in some Intel(R) Xeon(R) processor memory controller configurations when using Intel(R) SGX may allow a privileged user to potentially enable escalation of privilege via local access. Solution(s) freebsd-upgrade-package-cpu-microcode-intel References CVE-2024-21820
-
Microsoft Windows: CVE-2024-38247: Windows Graphics Component Elevation of Privilege Vulnerability
Microsoft Windows: CVE-2024-38247: Windows Graphics Component Elevation of Privilege Vulnerability Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 09/10/2024 Created 09/11/2024 Added 09/10/2024 Modified 09/12/2024 Description Microsoft Windows: CVE-2024-38247: Windows Graphics Component Elevation of Privilege Vulnerability Solution(s) microsoft-windows-windows_10-1507-kb5043083 microsoft-windows-windows_10-1607-kb5043051 microsoft-windows-windows_10-1809-kb5043050 microsoft-windows-windows_10-21h2-kb5043064 microsoft-windows-windows_10-22h2-kb5043064 microsoft-windows-windows_11-21h2-kb5043067 microsoft-windows-windows_11-22h2-kb5043076 microsoft-windows-windows_11-23h2-kb5043076 microsoft-windows-windows_11-24h2-kb5043080 microsoft-windows-windows_server_2012-kb5043125 microsoft-windows-windows_server_2012_r2-kb5043138 microsoft-windows-windows_server_2016-1607-kb5043051 microsoft-windows-windows_server_2019-1809-kb5043050 microsoft-windows-windows_server_2022-21h2-kb5042881 microsoft-windows-windows_server_2022-22h2-kb5042881 microsoft-windows-windows_server_2022-23h2-kb5043055 msft-kb5043092-3cbea16d-fee8-4498-8eee-0db0de2057d4 msft-kb5043129-e33e803f-1b25-4ead-9555-11b1c2520c78 References https://attackerkb.com/topics/cve-2024-38247 CVE - 2024-38247 5042881 5043050 5043051 5043055 5043064 5043067 5043076 5043080 5043083 5043092 5043125 5043129 5043138 https://support.microsoft.com/help/5042881 https://support.microsoft.com/help/5043050 https://support.microsoft.com/help/5043051 https://support.microsoft.com/help/5043055 https://support.microsoft.com/help/5043064 https://support.microsoft.com/help/5043067 https://support.microsoft.com/help/5043076 https://support.microsoft.com/help/5043080 https://support.microsoft.com/help/5043083 https://support.microsoft.com/help/5043125 https://support.microsoft.com/help/5043138
-
Fortinet FortiManager: Authorization Bypass Through User-Controlled Key (CVE-2023-44254)
Fortinet FortiManager: Authorization Bypass Through User-Controlled Key (CVE-2023-44254) Severity 7 CVSS (AV:N/AC:L/Au:S/C:C/I:N/A:N) Published 09/10/2024 Created 10/08/2024 Added 10/07/2024 Modified 01/28/2025 Description An authorization bypass through user-controlled key [CWE-639] vulnerability in FortiAnalyzer version 7.4.1 and before 7.2.5 and FortiManager version 7.4.1 and before 7.2.5 may allow a remote attacker with low privileges to read sensitive data via a crafted HTTP request. Solution(s) fortinet-fortimanager-upgrade-7_2_5 fortinet-fortimanager-upgrade-7_4_1 References https://attackerkb.com/topics/cve-2023-44254 CVE - 2023-44254 https://fortiguard.com/psirt/FG-IR-23-204
-
Vicidial SQL Injection Time-based Admin Credentials Enumeration
Vicidial SQL Injection Time-based Admin Credentials Enumeration Disclosed 09/10/2024 Created 09/26/2024 Description This module exploits a time-based SQL injection vulnerability in VICIdial, allowing attackers to dump admin credentials (usernames and passwords) via SQL injection. Author(s) Valentin Lobstein Jaggar Henry of KoreLogic, Inc.
-
Microsoft Office: CVE-2024-43465: Microsoft Excel Elevation of Privilege Vulnerability
Microsoft Office: CVE-2024-43465: Microsoft Excel Elevation of Privilege Vulnerability Severity 4 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 09/10/2024 Created 09/11/2024 Added 09/10/2024 Modified 09/12/2024 Description Microsoft Office: CVE-2024-43465: Microsoft Excel Elevation of Privilege Vulnerability Solution(s) microsoft-excel_2016-kb5002605 microsoft-office_online_server-kb5002601 office-click-to-run-upgrade-latest References https://attackerkb.com/topics/cve-2024-43465 CVE - 2024-43465 https://support.microsoft.com/help/5002601 https://support.microsoft.com/help/5002605
-
Microsoft Office: CVE-2024-38226: Microsoft Publisher Security Feature Bypass Vulnerability
Microsoft Office: CVE-2024-38226: Microsoft Publisher Security Feature Bypass Vulnerability Severity 4 CVSS (AV:L/AC:M/Au:S/C:C/I:C/A:C) Published 09/10/2024 Created 09/11/2024 Added 09/10/2024 Modified 11/18/2024 Description Microsoft Office: CVE-2024-38226: Microsoft Publisher Security Feature Bypass Vulnerability Solution(s) microsoft-publisher_2016-kb5002566 office-click-to-run-upgrade-latest References https://attackerkb.com/topics/cve-2024-38226 CVE - 2024-38226 https://support.microsoft.com/help/5002566
-
Microsoft Windows: CVE-2024-43461: Windows MSHTML Platform Spoofing Vulnerability
Microsoft Windows: CVE-2024-43461: Windows MSHTML Platform Spoofing Vulnerability Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 09/10/2024 Created 09/11/2024 Added 09/10/2024 Modified 10/08/2024 Description Microsoft Windows: CVE-2024-43461: Windows MSHTML Platform Spoofing Vulnerability Solution(s) microsoft-windows-windows_10-1507-kb5043083 microsoft-windows-windows_10-1607-kb5043051 microsoft-windows-windows_10-1809-kb5043050 microsoft-windows-windows_10-21h2-kb5043064 microsoft-windows-windows_10-22h2-kb5043064 microsoft-windows-windows_11-21h2-kb5043067 microsoft-windows-windows_11-22h2-kb5043076 microsoft-windows-windows_11-23h2-kb5043076 microsoft-windows-windows_11-24h2-kb5043080 microsoft-windows-windows_server_2012-kb5043125 microsoft-windows-windows_server_2012_r2-kb5043138 microsoft-windows-windows_server_2016-1607-kb5043051 microsoft-windows-windows_server_2019-1809-kb5043050 microsoft-windows-windows_server_2022-21h2-kb5042881 microsoft-windows-windows_server_2022-22h2-kb5042881 microsoft-windows-windows_server_2022-23h2-kb5043055 msft-kb5043049-1dca0e4e-ea35-48dd-89a6-dec18eed82da msft-kb5043049-5810fab4-b5a1-4a64-87fb-fff4af81f6f8 msft-kb5043049-c3be5737-d21e-4422-a479-b0c664f7fa8a msft-kb5043087-70b8073b-cd75-40a0-b56c-164ecf9f75b3 msft-kb5043087-76a2e9b3-a189-4fe4-86bb-5883ff72aee6 msft-kb5043092-3cbea16d-fee8-4498-8eee-0db0de2057d4 msft-kb5043135-050dc0b3-198b-44cf-b232-4f07b65a64ab msft-kb5043135-62fbaf76-0812-4f0f-8926-ead627bdeb12 References https://attackerkb.com/topics/cve-2024-43461 CVE - 2024-43461 5042881 5043049 5043050 5043051 5043055 5043064 5043067 5043076 5043080 5043083 5043087 5043092 5043125 5043135 5043138 https://support.microsoft.com/help/5042881 https://support.microsoft.com/help/5043050 https://support.microsoft.com/help/5043051 https://support.microsoft.com/help/5043055 https://support.microsoft.com/help/5043064 https://support.microsoft.com/help/5043067 https://support.microsoft.com/help/5043076 
https://support.microsoft.com/help/5043080 https://support.microsoft.com/help/5043083 https://support.microsoft.com/help/5043125 https://support.microsoft.com/help/5043138
-
Microsoft CVE-2024-43475: Microsoft Windows Admin Center Information Disclosure Vulnerability
Microsoft CVE-2024-43475: Microsoft Windows Admin Center Information Disclosure Vulnerability Severity 8 CVSS (AV:N/AC:M/Au:S/C:C/I:N/A:C) Published 09/10/2024 Created 09/11/2024 Added 09/10/2024 Modified 09/12/2024 Description Microsoft CVE-2024-43475: Microsoft Windows Admin Center Information Disclosure Vulnerability Solution(s) msft-kb5043087-70b8073b-cd75-40a0-b56c-164ecf9f75b3 msft-kb5043087-76a2e9b3-a189-4fe4-86bb-5883ff72aee6 msft-kb5043135-050dc0b3-198b-44cf-b232-4f07b65a64ab msft-kb5043135-62fbaf76-0812-4f0f-8926-ead627bdeb12 References https://attackerkb.com/topics/cve-2024-43475 CVE - 2024-43475 5043087 5043135
-
VMware Photon OS: CVE-2024-8645
VMware Photon OS: CVE-2024-8645 Severity 5 CVSS (AV:L/AC:L/Au:N/C:N/I:N/A:C) Published 09/10/2024 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description SPRT dissector crash in Wireshark 4.2.0 to 4.0.5 and 4.0.0 to 4.0.15 allows denial of service via packet injection or crafted capture file Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2024-8645 CVE - 2024-8645
-
Alma Linux: CVE-2024-23184: Moderate: dovecot security update (Multiple Advisories)
Alma Linux: CVE-2024-23184: Moderate: dovecot security update (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 09/10/2024 Created 09/13/2024 Added 09/12/2024 Modified 09/26/2024 Description Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known. Solution(s) alma-upgrade-dovecot alma-upgrade-dovecot-devel alma-upgrade-dovecot-mysql alma-upgrade-dovecot-pgsql alma-upgrade-dovecot-pigeonhole References https://attackerkb.com/topics/cve-2024-23184 CVE - 2024-23184 https://errata.almalinux.org/8/ALSA-2024-6973.html https://errata.almalinux.org/9/ALSA-2024-6529.html
-
Adobe Photoshop: CVE-2024-45109: Security updates available for Adobe Photoshop (APSB24-72)
Adobe Photoshop: CVE-2024-45109: Security updates available for Adobe Photoshop (APSB24-72) Severity 7 CVSS (AV:L/AC:L/Au:N/C:C/I:C/A:C) Published 09/10/2024 Created 11/19/2024 Added 11/18/2024 Modified 12/18/2024 Description Adobe has released an update for Photoshop for Windows and macOS. This update resolves critical vulnerabilities. Successful exploitation could lead to arbitrary code execution. Solution(s) adobe-photoshop-upgrade-latest References https://attackerkb.com/topics/cve-2024-45109 CVE - 2024-45109 https://helpx.adobe.com/security/products/photoshop/apsb24-72.html
-
Alma Linux: CVE-2024-23185: Moderate: dovecot security update (Multiple Advisories)
Alma Linux: CVE-2024-23185: Moderate: dovecot security update (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 09/10/2024 Created 09/13/2024 Added 09/12/2024 Modified 09/26/2024 Description Very large headers can cause resource exhaustion when parsing message. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to message-header-parser, it starts building up "full_value" buffer out of the smaller chunks. The full_value buffer has no size limit, so large headers can cause large memory usage. It doesn't matter whether it's a single long header line, or a single header split into multiple lines. This bug exists in all Dovecot versions. Incoming mails typically have some size limits set by MTA, so even largest possible header size may still fit into Dovecot's vsz_limit. So attackers probably can't DoS a victim user this way. A user could APPEND larger mails though, allowing them to DoS themselves (although maybe cause some memory issues for the backend in general). One can implement restrictions on headers on MTA component preceding Dovecot. No publicly available exploits are known. Solution(s) alma-upgrade-dovecot alma-upgrade-dovecot-devel alma-upgrade-dovecot-mysql alma-upgrade-dovecot-pgsql alma-upgrade-dovecot-pigeonhole References https://attackerkb.com/topics/cve-2024-23185 CVE - 2024-23185 https://errata.almalinux.org/8/ALSA-2024-6973.html https://errata.almalinux.org/9/ALSA-2024-6529.html
-
Microsoft CVE-2024-37339: Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability
Microsoft CVE-2024-37339: Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability Severity 9 CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:C) Published 09/10/2024 Created 09/11/2024 Added 09/10/2024 Modified 09/12/2024 Description Microsoft CVE-2024-37339: Microsoft SQL Server Native Scoring Remote Code Execution Vulnerability Solution(s) msft-kb5042211-c6790ab2-0e40-435c-bec5-2b078d1cd42c-x64 msft-kb5042214-d9a5068e-208a-439b-be46-bfd99b9c07c4-x64 msft-kb5042215-d727f379-2be3-4d35-b5c7-d7773c1545ec-x64 msft-kb5042217-be1e107a-01e8-47f2-bc8f-188add4a9150-x64 msft-kb5042578-388635e1-8b00-4bfd-8839-ebd7443ad16e-x64 msft-kb5042749-36147962-2eeb-447d-9d3b-381d3470f0e8-x64 References https://attackerkb.com/topics/cve-2024-37339 CVE - 2024-37339 5042211 5042214 5042215 5042217 5042578 5042749
-
Red Hat JBossEAP: Session Fixation (CVE-2024-7341)
Red Hat JBossEAP: Session Fixation (CVE-2024-7341) Severity 7 CVSS (AV:N/AC:H/Au:S/C:C/I:C/A:C) Published 09/09/2024 Created 09/20/2024 Added 09/19/2024 Modified 12/20/2024 Description A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation. Solution(s) red-hat-jboss-eap-upgrade-latest References https://attackerkb.com/topics/cve-2024-7341 CVE - 2024-7341 https://access.redhat.com/security/cve/CVE-2024-7341 https://bugzilla.redhat.com/show_bug.cgi?id=2302064
-
Debian: CVE-2024-45411: php-twig -- security update
Debian: CVE-2024-45411: php-twig -- security update Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 09/09/2024 Created 09/18/2024 Added 09/17/2024 Modified 01/28/2025 Description Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0. Solution(s) debian-upgrade-php-twig References https://attackerkb.com/topics/cve-2024-45411 CVE - 2024-45411 DLA-3888-1
-
Microsoft Windows: CVE-2024-43458: Windows Networking Information Disclosure Vulnerability
Microsoft Windows: CVE-2024-43458: Windows Networking Information Disclosure Vulnerability Severity 7 CVSS (AV:N/AC:L/Au:S/C:C/I:N/A:N) Published 09/10/2024 Created 09/11/2024 Added 09/10/2024 Modified 09/12/2024 Description Microsoft Windows: CVE-2024-43458: Windows Networking Information Disclosure Vulnerability Solution(s) microsoft-windows-windows_10-1607-kb5043051 microsoft-windows-windows_server_2016-1607-kb5043051 References https://attackerkb.com/topics/cve-2024-43458 CVE - 2024-43458 https://support.microsoft.com/help/5043051
-
Microsoft Windows: CVE-2024-38243: Kernel Streaming Service Driver Elevation of Privilege Vulnerability
Microsoft Windows: CVE-2024-38243: Kernel Streaming Service Driver Elevation of Privilege Vulnerability Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 09/10/2024 Created 09/11/2024 Added 09/10/2024 Modified 09/12/2024 Description Microsoft Windows: CVE-2024-38243: Kernel Streaming Service Driver Elevation of Privilege Vulnerability Solution(s) microsoft-windows-windows_10-1507-kb5043083 microsoft-windows-windows_10-1607-kb5043051 microsoft-windows-windows_10-1809-kb5043050 microsoft-windows-windows_10-21h2-kb5043064 microsoft-windows-windows_10-22h2-kb5043064 microsoft-windows-windows_11-21h2-kb5043067 microsoft-windows-windows_11-22h2-kb5043076 microsoft-windows-windows_11-23h2-kb5043076 microsoft-windows-windows_11-24h2-kb5043080 microsoft-windows-windows_server_2016-1607-kb5043051 microsoft-windows-windows_server_2019-1809-kb5043050 microsoft-windows-windows_server_2022-21h2-kb5042881 microsoft-windows-windows_server_2022-22h2-kb5042881 microsoft-windows-windows_server_2022-23h2-kb5043055 References https://attackerkb.com/topics/cve-2024-38243 CVE - 2024-38243 https://support.microsoft.com/help/5042881 https://support.microsoft.com/help/5043050 https://support.microsoft.com/help/5043051 https://support.microsoft.com/help/5043055 https://support.microsoft.com/help/5043064 https://support.microsoft.com/help/5043067 https://support.microsoft.com/help/5043076 https://support.microsoft.com/help/5043080 https://support.microsoft.com/help/5043083
-
Microsoft Windows: CVE-2024-38256: Windows Kernel-Mode Driver Information Disclosure Vulnerability
Microsoft Windows: CVE-2024-38256: Windows Kernel-Mode Driver Information Disclosure Vulnerability Severity 5 CVSS (AV:L/AC:L/Au:S/C:C/I:N/A:N) Published 09/10/2024 Created 09/11/2024 Added 09/10/2024 Modified 09/12/2024 Description Microsoft Windows: CVE-2024-38256: Windows Kernel-Mode Driver Information Disclosure Vulnerability Solution(s) microsoft-windows-windows_10-1507-kb5043083 microsoft-windows-windows_10-1607-kb5043051 microsoft-windows-windows_10-1809-kb5043050 microsoft-windows-windows_10-21h2-kb5043064 microsoft-windows-windows_10-22h2-kb5043064 microsoft-windows-windows_server_2012-kb5043125 microsoft-windows-windows_server_2012_r2-kb5043138 microsoft-windows-windows_server_2016-1607-kb5043051 microsoft-windows-windows_server_2019-1809-kb5043050 msft-kb5043087-70b8073b-cd75-40a0-b56c-164ecf9f75b3 msft-kb5043087-76a2e9b3-a189-4fe4-86bb-5883ff72aee6 msft-kb5043092-3cbea16d-fee8-4498-8eee-0db0de2057d4 msft-kb5043129-e33e803f-1b25-4ead-9555-11b1c2520c78 msft-kb5043135-050dc0b3-198b-44cf-b232-4f07b65a64ab msft-kb5043135-62fbaf76-0812-4f0f-8926-ead627bdeb12 References https://attackerkb.com/topics/cve-2024-38256 CVE - 2024-38256 5043050 5043051 5043064 5043083 5043087 5043092 5043125 5043129 5043135 5043138 https://support.microsoft.com/help/5043050 https://support.microsoft.com/help/5043051 https://support.microsoft.com/help/5043064 https://support.microsoft.com/help/5043083 https://support.microsoft.com/help/5043125 https://support.microsoft.com/help/5043138
-
Oracle Linux: CVE-2024-34156: ELSA-2024-6947: grafana security update (IMPORTANT) (Multiple Advisories)
Oracle Linux: CVE-2024-34156: ELSA-2024-6947:grafana security update (IMPORTANT) (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 09/06/2024 Created 11/13/2024 Added 10/16/2024 Modified 01/07/2025 Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. A flaw was found in the encoding/gob package of the Golang standard library. Calling Decoder.Decoding, a message that contains deeply nested structures, can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Solution(s) oracle-linux-upgrade-aardvark-dns oracle-linux-upgrade-buildah oracle-linux-upgrade-buildah-tests oracle-linux-upgrade-cockpit-podman oracle-linux-upgrade-conmon oracle-linux-upgrade-containernetworking-plugins oracle-linux-upgrade-containers-common oracle-linux-upgrade-container-selinux oracle-linux-upgrade-crit oracle-linux-upgrade-criu oracle-linux-upgrade-criu-devel oracle-linux-upgrade-criu-libs oracle-linux-upgrade-crun oracle-linux-upgrade-delve oracle-linux-upgrade-fuse-overlayfs oracle-linux-upgrade-git-lfs oracle-linux-upgrade-golang oracle-linux-upgrade-golang-bin oracle-linux-upgrade-golang-docs oracle-linux-upgrade-golang-misc oracle-linux-upgrade-golang-src oracle-linux-upgrade-golang-tests oracle-linux-upgrade-go-toolset oracle-linux-upgrade-grafana oracle-linux-upgrade-grafana-pcp oracle-linux-upgrade-grafana-selinux oracle-linux-upgrade-libslirp oracle-linux-upgrade-libslirp-devel oracle-linux-upgrade-netavark oracle-linux-upgrade-oci-seccomp-bpf-hook oracle-linux-upgrade-osbuild-composer oracle-linux-upgrade-osbuild-composer-core oracle-linux-upgrade-osbuild-composer-worker oracle-linux-upgrade-podman oracle-linux-upgrade-podman-catatonit oracle-linux-upgrade-podman-docker oracle-linux-upgrade-podman-gvproxy oracle-linux-upgrade-podman-plugins oracle-linux-upgrade-podman-remote oracle-linux-upgrade-podman-tests 
oracle-linux-upgrade-python3-criu oracle-linux-upgrade-python3-podman oracle-linux-upgrade-runc oracle-linux-upgrade-skopeo oracle-linux-upgrade-skopeo-tests oracle-linux-upgrade-slirp4netns oracle-linux-upgrade-udica References https://attackerkb.com/topics/cve-2024-34156 CVE - 2024-34156 ELSA-2024-6947 ELSA-2024-8038 ELSA-2024-7136 ELSA-2024-8112 ELSA-2024-6946 ELSA-2024-6913 ELSA-2024-7262 ELSA-2024-8111 ELSA-2024-6908 ELSA-2024-7204 ELSA-2024-8110 ELSA-2024-8039 ELSA-2024-7135 ELSA-2024-9459 ELSA-2024-9473 ELSA-2024-9456 ELSA-2024-9454 ELSA-2024-9472 ELSA-2024-11217 ELSA-2024-11216
-
Debian: CVE-2023-52915: linux -- security update
Debian: CVE-2023-52915: linux -- security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 09/06/2024 Created 09/10/2024 Added 09/09/2024 Modified 01/30/2025 Description In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer In af9035_i2c_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach af9035_i2c_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2023-52915 CVE - 2023-52915
-
Oracle Linux: CVE-2024-34155: ELSA-2024-8038: container-tools:ol8 security update (IMPORTANT) (Multiple Advisories)
Oracle Linux: CVE-2024-34155: ELSA-2024-8038: container-tools:ol8 security update (IMPORTANT) (Multiple Advisories) Severity 5 CVSS (AV:N/AC:H/Au:N/C:N/I:N/A:C) Published 09/06/2024 Created 10/24/2024 Added 10/16/2024 Modified 12/06/2024 Description Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. A flaw was found in the go/parser package of the Golang standard library. Calling any Parse functions on Go source code containing deeply nested literals can cause a panic due to stack exhaustion. Solution(s) oracle-linux-upgrade-aardvark-dns oracle-linux-upgrade-buildah oracle-linux-upgrade-buildah-tests oracle-linux-upgrade-cockpit-podman oracle-linux-upgrade-conmon oracle-linux-upgrade-containernetworking-plugins oracle-linux-upgrade-containers-common oracle-linux-upgrade-container-selinux oracle-linux-upgrade-crit oracle-linux-upgrade-criu oracle-linux-upgrade-criu-devel oracle-linux-upgrade-criu-libs oracle-linux-upgrade-crun oracle-linux-upgrade-fuse-overlayfs oracle-linux-upgrade-libslirp oracle-linux-upgrade-libslirp-devel oracle-linux-upgrade-netavark oracle-linux-upgrade-oci-seccomp-bpf-hook oracle-linux-upgrade-podman oracle-linux-upgrade-podman-catatonit oracle-linux-upgrade-podman-docker oracle-linux-upgrade-podman-gvproxy oracle-linux-upgrade-podman-plugins oracle-linux-upgrade-podman-remote oracle-linux-upgrade-podman-tests oracle-linux-upgrade-python3-criu oracle-linux-upgrade-python3-podman oracle-linux-upgrade-runc oracle-linux-upgrade-skopeo oracle-linux-upgrade-skopeo-tests oracle-linux-upgrade-slirp4netns oracle-linux-upgrade-udica References https://attackerkb.com/topics/cve-2024-34155 CVE - 2024-34155 ELSA-2024-8038 ELSA-2024-8112 ELSA-2024-6913 ELSA-2024-6908 ELSA-2024-8039 ELSA-2024-9459 ELSA-2024-9454
-
Debian: CVE-2023-52916: linux -- security update
Debian: CVE-2023-52916: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 09/06/2024 Created 01/14/2025 Added 01/13/2025 Modified 01/13/2025 Description In the Linux kernel, the following vulnerability has been resolved: media: aspeed: Fix memory overwrite if timing is 1600x900
When capturing 1600x900, system could crash when system memory usage is tight. The way to reproduce this issue:
1. Use 1600x900 to display on host
2. Mount ISO through 'Virtual media' on OpenBMC's web
3. Run script as below on host to do sha continuously
    #!/bin/bash
    while [ [1] ]; do
        find /media -type f -printf '"%h/%f"\n' | xargs sha256sum
    done
4. Open KVM on OpenBMC's web
The size of macro block captured is 8x8. Therefore, we should make sure the height of src-buf is 8 aligned to fix this issue.
Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2023-52916 CVE - 2023-52916
-
Gentoo Linux: CVE-2024-8394: Mozilla Firefox: Multiple Vulnerabilities
Gentoo Linux: CVE-2024-8394: Mozilla Firefox: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 09/06/2024 Created 12/10/2024 Added 12/09/2024 Modified 01/28/2025 Description When aborting the verification of an OTR chat session, an attacker could have caused a use-after-free bug leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 128.2. Solution(s) gentoo-linux-upgrade-dev-lang-spidermonkey gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin gentoo-linux-upgrade-www-client-firefox gentoo-linux-upgrade-www-client-firefox-bin References https://attackerkb.com/topics/cve-2024-8394 CVE - 2024-8394 202412-04 202412-06 202412-13
-
FreeBSD: VID-7ADE3C38-6D1F-11EF-AE11-B42E991FC52E (CVE-2024-7652): firefox -- Potential memory corruption and exploitable crash
FreeBSD: VID-7ADE3C38-6D1F-11EF-AE11-B42E991FC52E (CVE-2024-7652): firefox -- Potential memory corruption and exploitable crash Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 09/06/2024 Created 09/10/2024 Added 09/08/2024 Modified 09/08/2024 Description An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. Solution(s) freebsd-upgrade-package-firefox References CVE-2024-7652
-
Amazon Linux 2023: CVE-2024-34156: Important priority package update for golang
Amazon Linux 2023: CVE-2024-34156: Important priority package update for golang Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 09/06/2024 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. A flaw was found in the encoding/gob package of the Golang standard library. Calling Decoder.Decoding, a message that contains deeply nested structures, can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Solution(s) amazon-linux-2023-upgrade-golang amazon-linux-2023-upgrade-golang-bin amazon-linux-2023-upgrade-golang-docs amazon-linux-2023-upgrade-golang-misc amazon-linux-2023-upgrade-golang-shared amazon-linux-2023-upgrade-golang-src amazon-linux-2023-upgrade-golang-tests References https://attackerkb.com/topics/cve-2024-34156 CVE - 2024-34156 https://alas.aws.amazon.com/AL2023/ALAS-2024-733.html