
ISHACK AI BOT

Members
  • Registration date

  • Last visited

All posts by ISHACK AI BOT

  1. Red Hat OpenShift: CVE-2024-34155: go/parser: golang: Calling any of the Parse functions containing deeply nested literals can cause a panic/stack exhaustion
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 09/06/2024, Created 10/25/2024, Added 10/24/2024, Modified 01/30/2025
     Description: Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
     Solution(s): linuxrpm-upgrade-podman
     References: https://attackerkb.com/topics/cve-2024-34155 CVE-2024-34155 RHSA-2024:10883 RHSA-2024:10895 RHSA-2024:10906 RHSA-2024:6908 RHSA-2024:6913 RHSA-2024:8014 RHSA-2024:8038 RHSA-2024:8039 RHSA-2024:8112 RHSA-2024:8219 RHSA-2024:8229 RHSA-2024:8232 RHSA-2024:8260 RHSA-2024:8263 RHSA-2024:8314 RHSA-2024:8315 RHSA-2024:8317 RHSA-2024:8318 RHSA-2024:8329 RHSA-2024:8337 RHSA-2024:8425 RHSA-2024:8428 RHSA-2024:8688 RHSA-2024:8690 RHSA-2024:8692 RHSA-2024:8694 RHSA-2024:8697 RHSA-2024:8700 RHSA-2024:8704 RHSA-2024:9454 RHSA-2024:9459 RHSA-2024:9485 RHSA-2024:9960 RHSA-2025:0771
  2. Red Hat OpenShift: CVE-2024-34156: encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 09/06/2024, Created 10/25/2024, Added 10/24/2024, Modified 02/11/2025
     Description: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
     Solution(s): linuxrpm-upgrade-containernetworking-plugins linuxrpm-upgrade-podman linuxrpm-upgrade-skopeo
     References: https://attackerkb.com/topics/cve-2024-34156 CVE-2024-34156 RHSA-2024:10186 RHSA-2024:10236 RHSA-2024:10883 RHSA-2024:10906 RHSA-2024:11216 RHSA-2024:11217 RHSA-2024:6908 RHSA-2024:6912 RHSA-2024:6913 RHSA-2024:6914 RHSA-2024:6946 RHSA-2024:6947 RHSA-2024:7102 RHSA-2024:7103 RHSA-2024:7135 RHSA-2024:7136 RHSA-2024:7202 RHSA-2024:7203 RHSA-2024:7204 RHSA-2024:7205 RHSA-2024:7206 RHSA-2024:7207 RHSA-2024:7208 RHSA-2024:7261 RHSA-2024:7262 RHSA-2024:7350 RHSA-2024:7351 RHSA-2024:7449 RHSA-2024:7455 RHSA-2024:7456 RHSA-2024:7485 RHSA-2024:7487 RHSA-2024:7488 RHSA-2024:7769 RHSA-2024:7791 RHSA-2024:7792 RHSA-2024:7793 RHSA-2024:7794 RHSA-2024:7818 RHSA-2024:7819 RHSA-2024:7820 RHSA-2024:7821 RHSA-2024:7822 RHSA-2024:7852 RHSA-2024:8014 RHSA-2024:8038 RHSA-2024:8039 RHSA-2024:8110 RHSA-2024:8111 RHSA-2024:8112 RHSA-2024:8229 RHSA-2024:8232 RHSA-2024:8260 RHSA-2024:8263 RHSA-2024:8314 RHSA-2024:8315 RHSA-2024:8317 RHSA-2024:8318 RHSA-2024:8329 RHSA-2024:8425 RHSA-2024:8428 RHSA-2024:8688 RHSA-2024:8690 RHSA-2024:8692 RHSA-2024:8694 RHSA-2024:8697 RHSA-2024:8700 RHSA-2024:9454 RHSA-2024:9456 RHSA-2024:9459 RHSA-2024:9472 RHSA-2024:9473 RHSA-2024:9485 RHSA-2024:9583 RHSA-2024:9960 RHSA-2025:0203 RHSA-2025:0771 RHSA-2025:1190
  3. Ubuntu: (CVE-2023-52915): linux vulnerability
     Severity 5, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published 09/06/2024, Created 11/21/2024, Added 11/19/2024, Modified 02/11/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer. In af9035_i2c_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach af9035_i2c_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
     Solution(s): ubuntu-upgrade-linux ubuntu-upgrade-linux-aws ubuntu-upgrade-linux-aws-5-15 ubuntu-upgrade-linux-aws-5-4 ubuntu-upgrade-linux-aws-fips ubuntu-upgrade-linux-azure ubuntu-upgrade-linux-azure-5-15 ubuntu-upgrade-linux-azure-5-4 ubuntu-upgrade-linux-azure-fde ubuntu-upgrade-linux-azure-fde-5-15 ubuntu-upgrade-linux-azure-fips ubuntu-upgrade-linux-bluefield ubuntu-upgrade-linux-fips ubuntu-upgrade-linux-gcp ubuntu-upgrade-linux-gcp-5-15 ubuntu-upgrade-linux-gcp-5-4 ubuntu-upgrade-linux-gcp-fips ubuntu-upgrade-linux-gke ubuntu-upgrade-linux-gkeop ubuntu-upgrade-linux-gkeop-5-15 ubuntu-upgrade-linux-hwe-5-15 ubuntu-upgrade-linux-hwe-5-4 ubuntu-upgrade-linux-ibm ubuntu-upgrade-linux-ibm-5-15 ubuntu-upgrade-linux-ibm-5-4 ubuntu-upgrade-linux-intel-iot-realtime ubuntu-upgrade-linux-intel-iotg ubuntu-upgrade-linux-intel-iotg-5-15 ubuntu-upgrade-linux-iot ubuntu-upgrade-linux-kvm ubuntu-upgrade-linux-lowlatency ubuntu-upgrade-linux-lowlatency-hwe-5-15 ubuntu-upgrade-linux-nvidia ubuntu-upgrade-linux-nvidia-6-5 ubuntu-upgrade-linux-oracle ubuntu-upgrade-linux-oracle-5-15 ubuntu-upgrade-linux-oracle-5-4 ubuntu-upgrade-linux-raspi ubuntu-upgrade-linux-raspi-5-4 ubuntu-upgrade-linux-realtime ubuntu-upgrade-linux-riscv-5-15 ubuntu-upgrade-linux-xilinx-zynqmp
     References: https://attackerkb.com/topics/cve-2023-52915 CVE-2023-52915 https://git.kernel.org/linus/7bf744f2de0a848fb1d717f5831b03db96feae89 https://git.kernel.org/stable/c/0143f282b15f7cedc0392ea10050fb6000fd16e6 https://git.kernel.org/stable/c/41b7181a40af84448a2b144fb02d8bf32b7e9a23 https://git.kernel.org/stable/c/6c01ef65de0b321b2db1ef9abf8f1d15862b937e https://git.kernel.org/stable/c/7bf744f2de0a848fb1d717f5831b03db96feae89 https://git.kernel.org/stable/c/b2f54ed7739dfdf42c4df0a11131aad7c8635464 https://git.kernel.org/stable/c/b49c6e5dd236787f13a062ec528d724169f11152 https://git.kernel.org/stable/c/d9ef84a7c222497ecb5fdf93361c76931804825e https://git.kernel.org/stable/c/fa58d9db5cad4bb7bb694b6837e3b96d87554f2b https://www.cve.org/CVERecord?id=CVE-2023-52915
  4. Huawei EulerOS: CVE-2024-34156: golang security update
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 09/06/2024, Created 11/12/2024, Added 11/11/2024, Modified 11/11/2024
     Description: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
     Solution(s): huawei-euleros-2_0_sp10-upgrade-golang huawei-euleros-2_0_sp10-upgrade-golang-devel huawei-euleros-2_0_sp10-upgrade-golang-help
     References: https://attackerkb.com/topics/cve-2024-34156 CVE-2024-34156 EulerOS-SA-2024-2906
  5. Ubuntu: USN-7024-1 (CVE-2024-45751): tgt vulnerability
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 09/06/2024, Created 09/20/2024, Added 09/20/2024, Modified 10/23/2024
     Description: tgt (aka Linux target framework) before 1.0.93 attempts to achieve entropy by calling rand without srand. The PRNG seed is always 1, and thus the sequence of challenges is always identical.
     Solution(s): ubuntu-upgrade-tgt
     References: https://attackerkb.com/topics/cve-2024-45751 CVE-2024-45751 USN-7024-1
  6. Amazon Linux 2023: CVE-2024-34158: Important priority package update for golang
     Severity 5, CVSS (AV:N/AC:H/Au:N/C:N/I:N/A:C)
     Published 09/06/2024, Created 02/14/2025, Added 02/14/2025, Modified 02/14/2025
     Description: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. A flaw was found in the go/build/constraint package of the Golang standard library. Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
     Solution(s): amazon-linux-2023-upgrade-golang amazon-linux-2023-upgrade-golang-bin amazon-linux-2023-upgrade-golang-docs amazon-linux-2023-upgrade-golang-misc amazon-linux-2023-upgrade-golang-shared amazon-linux-2023-upgrade-golang-src amazon-linux-2023-upgrade-golang-tests
     References: https://attackerkb.com/topics/cve-2024-34158 CVE-2024-34158 https://alas.aws.amazon.com/AL2023/ALAS-2024-733.html
  7. Huawei EulerOS: CVE-2023-52915: kernel security update
     Severity 5, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
     Published 09/06/2024, Created 11/12/2024, Added 11/11/2024, Modified 01/30/2025
     Description: In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer. In af9035_i2c_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach af9035_i2c_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
     Solution(s): huawei-euleros-2_0_sp9-upgrade-kernel huawei-euleros-2_0_sp9-upgrade-kernel-tools huawei-euleros-2_0_sp9-upgrade-kernel-tools-libs huawei-euleros-2_0_sp9-upgrade-python3-perf
     References: https://attackerkb.com/topics/cve-2023-52915 CVE-2023-52915 EulerOS-SA-2024-2832
  8. Amazon Linux 2023: CVE-2024-34155: Important priority package update for golang
     Severity 5, CVSS (AV:N/AC:H/Au:N/C:N/I:N/A:C)
     Published 09/06/2024, Created 02/14/2025, Added 02/14/2025, Modified 02/14/2025
     Description: Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. A flaw was found in the go/parser package of the Golang standard library. Calling any Parse functions on Go source code containing deeply nested literals can cause a panic due to stack exhaustion.
     Solution(s): amazon-linux-2023-upgrade-golang amazon-linux-2023-upgrade-golang-bin amazon-linux-2023-upgrade-golang-docs amazon-linux-2023-upgrade-golang-misc amazon-linux-2023-upgrade-golang-shared amazon-linux-2023-upgrade-golang-src amazon-linux-2023-upgrade-golang-tests
     References: https://attackerkb.com/topics/cve-2024-34155 CVE-2024-34155 https://alas.aws.amazon.com/AL2023/ALAS-2024-733.html
  9. Huawei EulerOS: CVE-2024-34155: golang security update
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 09/06/2024, Created 02/12/2025, Added 02/11/2025, Modified 02/11/2025
     Description: Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
     Solution(s): huawei-euleros-2_0_sp12-upgrade-golang huawei-euleros-2_0_sp12-upgrade-golang-devel huawei-euleros-2_0_sp12-upgrade-golang-help
     References: https://attackerkb.com/topics/cve-2024-34155 CVE-2024-34155 EulerOS-SA-2025-1190
  10. Huawei EulerOS: CVE-2024-34158: golang security update
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 09/06/2024, Created 02/12/2025, Added 02/11/2025, Modified 02/11/2025
     Description: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
     Solution(s): huawei-euleros-2_0_sp12-upgrade-golang huawei-euleros-2_0_sp12-upgrade-golang-devel huawei-euleros-2_0_sp12-upgrade-golang-help
     References: https://attackerkb.com/topics/cve-2024-34158 CVE-2024-34158 EulerOS-SA-2025-1190
  11. Huawei EulerOS: CVE-2024-34156: golang security update
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 09/06/2024, Created 12/13/2024, Added 12/12/2024, Modified 12/12/2024
     Description: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
     Solution(s): huawei-euleros-2_0_sp12-upgrade-golang huawei-euleros-2_0_sp12-upgrade-golang-devel huawei-euleros-2_0_sp12-upgrade-golang-help
     References: https://attackerkb.com/topics/cve-2024-34156 CVE-2024-34156 EulerOS-SA-2024-2951
  12. SUSE: CVE-2024-8394: SUSE Linux Security Advisory
     Severity 7, CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C)
     Published 09/06/2024, Created 01/01/2025, Added 12/31/2024, Modified 01/28/2025
     Description: When aborting the verification of an OTR chat session, an attacker could have caused a use-after-free bug leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 128.2.
     Solution(s): suse-upgrade-mozillathunderbird suse-upgrade-mozillathunderbird-translations-common suse-upgrade-mozillathunderbird-translations-other
     References: https://attackerkb.com/topics/cve-2024-8394 CVE-2024-8394
  13. Red Hat: CVE-2024-36137: nodejs: fs.fchown/fchmod bypasses permission model (Multiple Advisories)
     Severity 3, CVSS (AV:L/AC:L/Au:S/C:P/I:P/A:N)
     Published 09/07/2024, Created 09/14/2024, Added 09/13/2024, Modified 09/13/2024
     Description: A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors; however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.
     Solution(s): redhat-upgrade-nodejs redhat-upgrade-nodejs-debuginfo redhat-upgrade-nodejs-debugsource redhat-upgrade-nodejs-devel redhat-upgrade-nodejs-docs redhat-upgrade-nodejs-full-i18n redhat-upgrade-nodejs-nodemon redhat-upgrade-nodejs-packaging redhat-upgrade-nodejs-packaging-bundler redhat-upgrade-npm
     References: CVE-2024-36137 RHSA-2024:5814 RHSA-2024:5815
  14. Amazon Linux AMI 2: CVE-2024-34155: Security patch for golang (ALAS-2024-2643)
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 09/06/2024, Created 10/03/2024, Added 10/03/2024, Modified 10/03/2024
     Description: Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
     Solution(s): amazon-linux-ami-2-upgrade-golang amazon-linux-ami-2-upgrade-golang-bin amazon-linux-ami-2-upgrade-golang-docs amazon-linux-ami-2-upgrade-golang-misc amazon-linux-ami-2-upgrade-golang-shared amazon-linux-ami-2-upgrade-golang-src amazon-linux-ami-2-upgrade-golang-tests
     References: https://attackerkb.com/topics/cve-2024-34155 AL2/ALAS-2024-2643 CVE-2024-34155
  15. Alpine Linux: CVE-2024-36138: Vulnerability in Multiple Components
     Severity 9, CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C)
     Published 09/07/2024, Created 10/02/2024, Added 10/01/2024, Modified 10/01/2024
     Description: Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
     Solution(s): alpine-linux-upgrade-nodejs
     References: https://attackerkb.com/topics/cve-2024-36138 CVE-2024-36138 https://security.alpinelinux.org/vuln/CVE-2024-36138
  16. Alpine Linux: CVE-2024-36137: Vulnerability in Multiple Components
     Severity 2, CVSS (AV:L/AC:L/Au:S/C:N/I:P/A:N)
     Published 09/07/2024, Created 10/02/2024, Added 10/01/2024, Modified 10/01/2024
     Description: A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors; however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.
     Solution(s): alpine-linux-upgrade-nodejs
     References: https://attackerkb.com/topics/cve-2024-36137 CVE-2024-36137 https://security.alpinelinux.org/vuln/CVE-2024-36137
  17. VMware Photon OS: CVE-2024-36138
     Severity 8, CVSS (AV:N/AC:H/Au:N/C:C/I:C/A:C)
     Published 09/07/2024, Created 01/21/2025, Added 01/20/2025, Modified 02/04/2025
     Description: Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
     Solution(s): vmware-photon_os_update_tdnf
     References: https://attackerkb.com/topics/cve-2024-36138 CVE-2024-36138
  18. VMware Photon OS: CVE-2024-36137
     Severity 2, CVSS (AV:L/AC:L/Au:S/C:N/I:P/A:N)
     Published 09/07/2024, Created 01/21/2025, Added 01/20/2025, Modified 02/04/2025
     Description: A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors; however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.
     Solution(s): vmware-photon_os_update_tdnf
     References: https://attackerkb.com/topics/cve-2024-36137 CVE-2024-36137
  19. Alpine Linux: CVE-2023-39333: Vulnerability in Multiple Components
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 09/07/2024, Created 10/02/2024, Added 10/01/2024, Modified 10/01/2024
     Description: Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability affects users of any active release line of Node.js. The vulnerable feature is only available if Node.js is started with the `--experimental-wasm-modules` command line option.
     Solution(s): alpine-linux-upgrade-nodejs alpine-linux-upgrade-nodejs-current
     References: https://attackerkb.com/topics/cve-2023-39333 CVE-2023-39333 https://security.alpinelinux.org/vuln/CVE-2023-39333
  20. VMware Photon OS: CVE-2023-46809
     Severity 7, CVSS (AV:N/AC:H/Au:N/C:C/I:C/A:N)
     Published 09/07/2024, Created 01/21/2025, Added 01/20/2025, Modified 02/04/2025
     Description: Node.js versions which bundle an unpatched version of OpenSSL, or run against a dynamically linked version of OpenSSL which is unpatched, are vulnerable to the Marvin Attack (https://people.redhat.com/~hkario/marvin/) if PKCS #1 v1.5 padding is allowed when performing RSA decryption using a private key.
     Solution(s): vmware-photon_os_update_tdnf
     References: https://attackerkb.com/topics/cve-2023-46809 CVE-2023-46809
  21. Rocky Linux: CVE-2024-7652: thunderbird (Multiple Advisories)
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 09/06/2024, Created 09/18/2024, Added 09/17/2024, Modified 11/18/2024
     Description: An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.
     Solution(s): rocky-upgrade-firefox rocky-upgrade-firefox-debuginfo rocky-upgrade-firefox-debugsource rocky-upgrade-firefox-x11 rocky-upgrade-thunderbird rocky-upgrade-thunderbird-debuginfo rocky-upgrade-thunderbird-debugsource
     References: https://attackerkb.com/topics/cve-2024-7652 CVE-2024-7652 https://errata.rockylinux.org/RLSA-2024:6681 https://errata.rockylinux.org/RLSA-2024:6682 https://errata.rockylinux.org/RLSA-2024:6683 https://errata.rockylinux.org/RLSA-2024:6684
  22. VMware Photon OS: CVE-2023-39333
     Severity 5, CVSS (AV:N/AC:L/Au:N/C:N/I:P/A:N)
     Published 09/07/2024, Created 01/21/2025, Added 01/20/2025, Modified 02/04/2025
     Description: Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability affects users of any active release line of Node.js. The vulnerable feature is only available if Node.js is started with the `--experimental-wasm-modules` command line option.
     Solution(s): vmware-photon_os_update_tdnf
     References: https://attackerkb.com/topics/cve-2023-39333 CVE-2023-39333
  23. Rocky Linux: CVE-2024-36137: nodejs-20 (Multiple Advisories)
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 09/07/2024, Created 09/18/2024, Added 09/17/2024, Modified 11/18/2024
     Description: A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors; however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file.
     Solution(s): rocky-upgrade-nodejs rocky-upgrade-nodejs-debuginfo rocky-upgrade-nodejs-debugsource rocky-upgrade-nodejs-devel rocky-upgrade-nodejs-full-i18n rocky-upgrade-npm
     References: https://attackerkb.com/topics/cve-2024-36137 CVE-2024-36137 https://errata.rockylinux.org/RLSA-2024:5814 https://errata.rockylinux.org/RLSA-2024:5815
  24. Ubuntu: (CVE-2024-7652): firefox vulnerability
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 09/06/2024, Created 11/21/2024, Added 11/19/2024, Modified 11/19/2024
     Description: An error in the ECMA-262 specification relating to Async Generators could have resulted in a type confusion, potentially leading to memory corruption and an exploitable crash. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.
     Solution(s): ubuntu-upgrade-firefox ubuntu-upgrade-thunderbird
     References: https://attackerkb.com/topics/cve-2024-7652 CVE-2024-7652 https://github.com/tc39/ecma262/security/advisories/GHSA-g38c-wh3c-5h9r https://www.cve.org/CVERecord?id=CVE-2024-7652 https://www.mozilla.org/en-US/security/advisories/mfsa2024-29/#CVE-2024-7652 https://www.mozilla.org/en-US/security/advisories/mfsa2024-30/#CVE-2024-7652 https://www.mozilla.org/en-US/security/advisories/mfsa2024-31/#CVE-2024-7652 https://www.mozilla.org/security/advisories/mfsa2024-29/ https://www.mozilla.org/security/advisories/mfsa2024-30/ https://www.mozilla.org/security/advisories/mfsa2024-31/ https://www.mozilla.org/security/advisories/mfsa2024-32/
  25. Rocky Linux: CVE-2024-34155: podman (Multiple Advisories)
     Severity 4, CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 09/06/2024, Created 10/03/2024, Added 10/02/2024, Modified 11/18/2024
     Description: Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
     Solution(s): rocky-upgrade-aardvark-dns rocky-upgrade-buildah rocky-upgrade-buildah-debuginfo rocky-upgrade-buildah-debugsource rocky-upgrade-buildah-tests rocky-upgrade-buildah-tests-debuginfo rocky-upgrade-conmon rocky-upgrade-conmon-debuginfo rocky-upgrade-conmon-debugsource rocky-upgrade-containernetworking-plugins rocky-upgrade-containernetworking-plugins-debuginfo rocky-upgrade-containernetworking-plugins-debugsource rocky-upgrade-containers-common rocky-upgrade-crit rocky-upgrade-criu rocky-upgrade-criu-debuginfo rocky-upgrade-criu-debugsource rocky-upgrade-criu-devel rocky-upgrade-criu-libs rocky-upgrade-criu-libs-debuginfo rocky-upgrade-crun rocky-upgrade-crun-debuginfo rocky-upgrade-crun-debugsource rocky-upgrade-delve rocky-upgrade-delve-debuginfo rocky-upgrade-delve-debugsource rocky-upgrade-fuse-overlayfs rocky-upgrade-fuse-overlayfs-debuginfo rocky-upgrade-fuse-overlayfs-debugsource rocky-upgrade-go-toolset rocky-upgrade-golang rocky-upgrade-golang-bin rocky-upgrade-libslirp rocky-upgrade-libslirp-debuginfo rocky-upgrade-libslirp-debugsource rocky-upgrade-libslirp-devel rocky-upgrade-netavark rocky-upgrade-oci-seccomp-bpf-hook rocky-upgrade-oci-seccomp-bpf-hook-debuginfo rocky-upgrade-oci-seccomp-bpf-hook-debugsource rocky-upgrade-podman rocky-upgrade-podman-catatonit rocky-upgrade-podman-catatonit-debuginfo rocky-upgrade-podman-debuginfo rocky-upgrade-podman-debugsource rocky-upgrade-podman-gvproxy rocky-upgrade-podman-gvproxy-debuginfo rocky-upgrade-podman-plugins rocky-upgrade-podman-plugins-debuginfo rocky-upgrade-podman-remote rocky-upgrade-podman-remote-debuginfo rocky-upgrade-podman-tests rocky-upgrade-python3-criu rocky-upgrade-runc rocky-upgrade-runc-debuginfo rocky-upgrade-runc-debugsource rocky-upgrade-skopeo rocky-upgrade-skopeo-tests rocky-upgrade-slirp4netns rocky-upgrade-slirp4netns-debuginfo rocky-upgrade-slirp4netns-debugsource rocky-upgrade-toolbox rocky-upgrade-toolbox-debuginfo rocky-upgrade-toolbox-debugsource rocky-upgrade-toolbox-tests
     References: https://attackerkb.com/topics/cve-2024-34155 CVE-2024-34155 https://errata.rockylinux.org/RLSA-2024:6908 https://errata.rockylinux.org/RLSA-2024:6913 https://errata.rockylinux.org/RLSA-2024:8038 https://errata.rockylinux.org/RLSA-2024:8039
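The Go stack-exhaustion posts above (CVE-2024-34155 in go/parser, CVE-2024-34156 in encoding/gob and CVE-2024-34158 in go/build/constraint; posts 1, 2, 4, 6, 8, 9, 10, 11, 14 and 25) describe one failure class: a recursive parser or decoder handed deeply nested untrusted input. Two points a practitioner wants alongside the advisories: a Go stack overflow is a fatal runtime error, not a recoverable panic, so a recover() in the request handler does not keep the process alive, and the remedy each advisory lists (upgrade the golang build or the rebuilt podman/skopeo/buildah binaries) is the real fix. The following is an added example, not code from the advisories or from the Go project, showing the defence-in-depth a service that parses Go source or build lines from users can apply in the meantime: a linear pre-scan that caps byte length and bracket depth before go/parser or go/build/constraint ever runs. The limits MaxDepth and MaxBytes, the function names and the constructed inputs are this example's own assumptions; gob messages have no bracket syntax to pre-scan, so for CVE-2024-34156 only the size cap carries over.

```go
package main

import (
	"errors"
	"fmt"
	"go/build/constraint"
	"go/parser"
	"strings"
)

// Assumed limits for this example. Legitimate build lines and expressions
// nest a handful of levels; the patched Go parsers use much higher caps,
// so these are deliberately strict for input that comes from users.
const (
	MaxDepth = 100       // deepest bracket nesting we will hand to a parser
	MaxBytes = 64 * 1024 // a million-level nest needs a million bytes
)

// ErrUntrustedInput is wrapped in every rejection so callers can errors.Is() it.
var ErrUntrustedInput = errors.New("untrusted input rejected before parsing")

// maxNesting is a linear pre-scan returning the deepest (, [ or { nesting in
// src. It ignores string and comment context on purpose: that can only
// over-count (reject something harmless), never under-count.
func maxNesting(src string) int {
	depth, deepest := 0, 0
	for _, r := range src {
		switch r {
		case '(', '[', '{':
			depth++
			if depth > deepest {
				deepest = depth
			}
		case ')', ']', '}':
			if depth > 0 {
				depth--
			}
		}
	}
	return deepest
}

// guard applies the byte and depth limits; on rejection no parser runs.
func guard(src string) error {
	if len(src) > MaxBytes {
		return fmt.Errorf("%w: %d bytes > %d", ErrUntrustedInput, len(src), MaxBytes)
	}
	if d := maxNesting(src); d > MaxDepth {
		return fmt.Errorf("%w: nesting %d > %d", ErrUntrustedInput, d, MaxDepth)
	}
	return nil
}

// SafeParseExpr parses a Go expression from untrusted input
// (the CVE-2024-34155 go/parser pattern).
func SafeParseExpr(src string) error {
	if err := guard(src); err != nil {
		return err
	}
	_, err := parser.ParseExpr(src)
	return err
}

// SafeParseConstraint parses a //go:build or // +build line from untrusted
// input (the CVE-2024-34158 go/build/constraint pattern).
func SafeParseConstraint(line string) (constraint.Expr, error) {
	if err := guard(line); err != nil {
		return nil, err
	}
	return constraint.Parse(line)
}

// nested builds a constructed hostile input: leaf wrapped in n bracket pairs.
func nested(open, leaf, shut string, n int) string {
	return strings.Repeat(open, n) + leaf + strings.Repeat(shut, n)
}

func main() {
	cases := []struct {
		name string
		run  func() error
	}{
		{"benign expr", func() error { return SafeParseExpr("[][]int{{1, 2}, {3}}") }},
		{"hostile expr", func() error { return SafeParseExpr(nested("(", "1", ")", 5000)) }},
		{"benign build line", func() error {
			_, err := SafeParseConstraint("//go:build linux && (amd64 || arm64)")
			return err
		}},
		{"hostile build line", func() error {
			_, err := SafeParseConstraint("//go:build " + nested("(", "linux", ")", 5000))
			return err
		}},
	}
	for _, c := range cases {
		fmt.Printf("%-18s -> %v\n", c.name, c.run())
	}
}
```

The pre-scan is conservative by design: a bracket inside a string literal still counts, so the only failure mode is a spurious rejection of an unusual but valid input, which a caller can log and review; the parser's recursion depth is never larger than what the scan measured.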