ISHACK AI BOT

VMware Photon OS: CVE-2024-42302 Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 08/17/2024 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description In the Linux kernel, the following vulnerability has been resolved: PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal Keith reports a use-after-free when a DPC event occurs concurrently to hot-removal of the same portion of the hierarchy: The dpc_handler() awaits readiness of the secondary bus below the Downstream Port where the DPC event occurred.To do so, it polls the config space of the first child device on the secondary bus.If that child device is concurrently removed, accesses to its struct pci_dev cause the kernel to oops. That's because pci_bridge_wait_for_secondary_bus() neglects to hold a reference on the child device.Before v6.3, the function was only called on resume from system sleep or on runtime resume.Holding a reference wasn't necessary back then because the pciehp IRQ thread could never run concurrently.(On resume from system sleep, IRQs are not enabled until after the resume_noirq phase.And runtime resume is always awaited before a PCI device is removed.) However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also called on a DPC event.Commit 53b54ad074de ("PCI/DPC: Await readiness of secondary bus after reset"), which introduced that, failed to appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a reference on the child device because dpc_handler() and pciehp may indeed run concurrently.The commit was backported to v5.10+ stable kernels, so that's the oldest one affected. Add the missing reference acquisition. Abridged stack trace: BUG: unable to handle page fault for address: 00000000091400c0 CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0 RIP: pci_bus_read_config_dword+0x17/0x50 pci_dev_wait() pci_bridge_wait_for_secondary_bus() dpc_reset_link() pcie_do_recovery() dpc_handler() Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2024-42302 CVE - 2024-42302

Huawei EulerOS: CVE-2024-42312: kernel security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 08/17/2024 Created 11/12/2024 Added 11/11/2024 Modified 11/11/2024 Description In the Linux kernel, the following vulnerability has been resolved: sysctl: always initialize i_uid/i_gid Always initialize i_uid/i_gid inside the sysfs core so set_ownership() can safely skip setting them. Commit 5ec27ec735ba ("fs/proc/proc_sysctl.c: fix the default values of i_uid/i_gid on /proc/sys inodes.") added defaults for i_uid/i_gid when set_ownership() was not implemented. It also missed adjusting net_ctl_set_ownership() to use the same default values in case the computation of a better value failed. Solution(s) huawei-euleros-2_0_sp9-upgrade-kernel huawei-euleros-2_0_sp9-upgrade-kernel-tools huawei-euleros-2_0_sp9-upgrade-kernel-tools-libs huawei-euleros-2_0_sp9-upgrade-python3-perf References https://attackerkb.com/topics/cve-2024-42312 CVE - 2024-42312 EulerOS-SA-2024-2832

Huawei EulerOS: CVE-2024-42284: kernel security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 08/17/2024 Created 11/12/2024 Added 11/11/2024 Modified 01/28/2025 Description In the Linux kernel, the following vulnerability has been resolved: tipc: Return non-zero value from tipc_udp_addr2str() on error tipc_udp_addr2str() should return non-zero value if the UDP media address is invalid. Otherwise, a buffer overflow access can occur in tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP media address. Solution(s) huawei-euleros-2_0_sp9-upgrade-kernel huawei-euleros-2_0_sp9-upgrade-kernel-tools huawei-euleros-2_0_sp9-upgrade-kernel-tools-libs huawei-euleros-2_0_sp9-upgrade-python3-perf References https://attackerkb.com/topics/cve-2024-42284 CVE - 2024-42284 EulerOS-SA-2024-2832

Microsoft Edge Chromium: CVE-2024-43472 Severity 8 CVSS (AV:N/AC:H/Au:N/C:C/I:C/A:C) Published 08/16/2024 Created 08/20/2024 Added 08/19/2024 Modified 01/28/2025 Description Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Solution(s) microsoft-edge-upgrade-latest References https://attackerkb.com/topics/cve-2024-43472 CVE - 2024-43472 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43472

Huawei EulerOS: CVE-2024-42285: kernel security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 08/17/2024 Created 11/12/2024 Added 11/11/2024 Modified 01/28/2025 Description In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix a use-after-free related to destroying CM IDs iw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with an existing struct iw_cm_id (cm_id) as follows: conn_id->cm_id.iw = cm_id; cm_id->context = conn_id; cm_id->cm_handler = cma_iw_handler; rdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make sure that cm_work_handler() does not trigger a use-after-free by only freeing of the struct rdma_id_private after all pending work has finished. Solution(s) huawei-euleros-2_0_sp9-upgrade-kernel huawei-euleros-2_0_sp9-upgrade-kernel-tools huawei-euleros-2_0_sp9-upgrade-kernel-tools-libs huawei-euleros-2_0_sp9-upgrade-python3-perf References https://attackerkb.com/topics/cve-2024-42285 CVE - 2024-42285 EulerOS-SA-2024-2832

Debian: CVE-2024-43370: gettext.js -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 08/16/2024 Created 09/03/2024 Added 09/02/2024 Modified 09/02/2024 Description gettext.js is a GNU gettext port for node and the browser. There is a cross-site scripting (XSS) injection if `.po` dictionary definition files are corrupted. This vulnerability has been patched in version 2.0.3. As a workaround, control the origin of the definition catalog to prevent the use of this flaw in the definition of plural forms. Solution(s) debian-upgrade-gettext-js References https://attackerkb.com/topics/cve-2024-43370 CVE - 2024-43370

JetBrains TeamCity: CVE-2024-43809: Reflected XSS was possible on the agentPushPreset page (TW-84016) Severity 5 CVSS (AV:N/AC:L/Au:M/C:P/I:P/A:N) Published 08/16/2024 Created 10/22/2024 Added 10/15/2024 Modified 02/03/2025 Description In JetBrains TeamCity before 2024.07.1 reflected XSS was possible on the agentPushPreset page Solution(s) jetbrains-teamcity-upgrade-latest References https://attackerkb.com/topics/cve-2024-43809 CVE - 2024-43809 https://www.jetbrains.com/privacy-security/issues-fixed/

Huawei EulerOS: CVE-2024-43374: vim security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 08/16/2024 Created 11/12/2024 Added 11/11/2024 Modified 11/11/2024 Description The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678. Solution(s) huawei-euleros-2_0_sp10-upgrade-vim-common huawei-euleros-2_0_sp10-upgrade-vim-enhanced huawei-euleros-2_0_sp10-upgrade-vim-filesystem huawei-euleros-2_0_sp10-upgrade-vim-minimal References https://attackerkb.com/topics/cve-2024-43374 CVE - 2024-43374 EulerOS-SA-2024-2918

JetBrains TeamCity: CVE-2024-43810: Reflected XSS was possible in the AWS Core plugin (TW-86958) Severity 5 CVSS (AV:N/AC:L/Au:S/C:P/I:P/A:N) Published 08/16/2024 Created 10/22/2024 Added 10/15/2024 Modified 02/03/2025 Description In JetBrains TeamCity before 2024.07.1 reflected XSS was possible in the AWS Core plugin Solution(s) jetbrains-teamcity-upgrade-latest References https://attackerkb.com/topics/cve-2024-43810 CVE - 2024-43810 https://www.jetbrains.com/privacy-security/issues-fixed/

JetBrains TeamCity: CVE-2024-43807: Multiple stored XSS was possible on Clouds page (TW-85512) Severity 5 CVSS (AV:N/AC:L/Au:S/C:P/I:P/A:N) Published 08/16/2024 Created 10/22/2024 Added 10/15/2024 Modified 02/03/2025 Description In JetBrains TeamCity before 2024.07.1 multiple stored XSS was possible on Clouds page Solution(s) jetbrains-teamcity-upgrade-latest References https://attackerkb.com/topics/cve-2024-43807 CVE - 2024-43807 https://www.jetbrains.com/privacy-security/issues-fixed/

Huawei EulerOS: CVE-2024-43374: vim security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 08/16/2024 Created 11/12/2024 Added 11/11/2024 Modified 11/11/2024 Description The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678. Solution(s) huawei-euleros-2_0_sp9-upgrade-vim-common huawei-euleros-2_0_sp9-upgrade-vim-enhanced huawei-euleros-2_0_sp9-upgrade-vim-filesystem huawei-euleros-2_0_sp9-upgrade-vim-minimal References https://attackerkb.com/topics/cve-2024-43374 CVE - 2024-43374 EulerOS-SA-2024-2841

Huawei EulerOS: CVE-2024-43374: vim security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 08/16/2024 Created 12/13/2024 Added 12/12/2024 Modified 12/12/2024 Description The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678. Solution(s) huawei-euleros-2_0_sp11-upgrade-vim-common huawei-euleros-2_0_sp11-upgrade-vim-enhanced huawei-euleros-2_0_sp11-upgrade-vim-filesystem huawei-euleros-2_0_sp11-upgrade-vim-minimal References https://attackerkb.com/topics/cve-2024-43374 CVE - 2024-43374 EulerOS-SA-2024-2989

Amazon Linux 2023: CVE-2024-43374: Medium priority package update for vim Severity 2 CVSS (AV:L/AC:L/Au:N/C:N/I:N/A:P) Published 08/16/2024 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678. A heap use-after-free vulnerability was found in Vim's alist_add() function. Adding a new file to the argument list triggers Buf* autocommands. In an autocommand, if the buffer that was just opened is closed, including the window where it is shown, it causes the window structure to be freed, containing a reference to the argument list that is being modified. Once the autocommands are completed, references to the window and argument list are no longer valid, causing a use-after-free issue. To trigger this issue, a local attacker or user must add unusual autocommands that wipe a buffer during creation, either manually or by sourcing a malicious plugin, which will cause Vim to crash. Solution(s) amazon-linux-2023-upgrade-vim-common amazon-linux-2023-upgrade-vim-data amazon-linux-2023-upgrade-vim-debuginfo amazon-linux-2023-upgrade-vim-debugsource amazon-linux-2023-upgrade-vim-default-editor amazon-linux-2023-upgrade-vim-enhanced amazon-linux-2023-upgrade-vim-enhanced-debuginfo amazon-linux-2023-upgrade-vim-filesystem amazon-linux-2023-upgrade-vim-minimal amazon-linux-2023-upgrade-vim-minimal-debuginfo amazon-linux-2023-upgrade-xxd amazon-linux-2023-upgrade-xxd-debuginfo References https://attackerkb.com/topics/cve-2024-43374 CVE - 2024-43374 https://alas.aws.amazon.com/AL2023/ALAS-2024-761.html

JetBrains TeamCity: CVE-2024-43808: Self XSS was possible in the HashiCorp Vault plugin (TW-84492) Severity 4 CVSS (AV:N/AC:H/Au:S/C:P/I:P/A:N) Published 08/16/2024 Created 10/22/2024 Added 10/15/2024 Modified 02/03/2025 Description In JetBrains TeamCity before 2024.07.1 self XSS was possible in the HashiCorp Vault plugin Solution(s) jetbrains-teamcity-upgrade-latest References https://attackerkb.com/topics/cve-2024-43808 CVE - 2024-43808 https://www.jetbrains.com/privacy-security/issues-fixed/

Amazon Linux AMI 2: CVE-2024-42472: Security patch for flatpak (ALAS-2024-2712) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 08/15/2024 Created 12/21/2024 Added 12/20/2024 Modified 12/20/2024 Description Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app using persistent directories could access and write files outside of what it would otherwise have access to, which is an attack on integrity and confidentiality. When `persistent=subdir` is used in the application permissions (represented as `--persist=subdir` in the command-line interface), that means that an application which otherwise doesn't have access to the real user home directory will see an empty home directory with a writeable subdirectory `subdir`. Behind the scenes, this directory is actually a bind mount and the data is stored in the per-application directory as `~/.var/app/$APPID/subdir`. This allows existing apps that are not aware of the per-application directory to still work as intended without general home directory access. However, the application does have write access to the application directory `~/.var/app/$APPID` where this directory is stored. If the source directory for the `persistent`/`--persist` option is replaced by a symlink, then the next time the application is started, the bind mount will follow the symlink and mount whatever it points to into the sandbox. Partial protection against this vulnerability can be provided by patching Flatpak using the patches in commits ceec2ffc and 98f79773. However, this leaves a race condition that could be exploited by two instances of a malicious app running in parallel. Closing the race condition requires updating or patching the version of bubblewrap that is used by Flatpak to add the new `--bind-fd` option using the patch and then patching Flatpak to use it. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=bwrap` (1.15.x) or `--with-system-bubblewrap=bwrap` (1.14.x or older), or a similar option, then the version of bubblewrap that needs to be patched is a system copy that is distributed separately, typically `/usr/bin/bwrap`. This configuration is the one that is typically used in Linux distributions. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=` (1.15.x) or with `--without-system-bubblewrap` (1.14.x or older), then it is the bundled version of bubblewrap that is included with Flatpak that must be patched. This is typically installed as `/usr/libexec/flatpak-bwrap`. This configuration is the default when building from source code. For the 1.14.x stable branch, these changes are included in Flatpak 1.14.10. The bundled version of bubblewrap included in this release has been updated to 0.6.3. For the 1.15.x development branch, these changes are included in Flatpak 1.15.10. The bundled version of bubblewrap in this release is a Meson "wrap" subproject, which has been updated to 0.10.0. The 1.12.x and 1.10.x branches will not be updated for this vulnerability. Long-term support OS distributions should backport the individual changes into their versions of Flatpak and bubblewrap, or update to newer versions if their stability policy allows it. As a workaround, avoid using applications using the `persistent` (`--persist`) permission. Solution(s) amazon-linux-ami-2-upgrade-flatpak amazon-linux-ami-2-upgrade-flatpak-builder amazon-linux-ami-2-upgrade-flatpak-debuginfo amazon-linux-ami-2-upgrade-flatpak-devel amazon-linux-ami-2-upgrade-flatpak-libs References https://attackerkb.com/topics/cve-2024-42472 AL2/ALAS-2024-2712 CVE - 2024-42472

Alma Linux: CVE-2024-42472: Important: bubblewrap and flatpak security update (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 08/15/2024 Created 09/07/2024 Added 09/06/2024 Modified 11/19/2024 Description Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app using persistent directories could access and write files outside of what it would otherwise have access to, which is an attack on integrity and confidentiality. When `persistent=subdir` is used in the application permissions (represented as `--persist=subdir` in the command-line interface), that means that an application which otherwise doesn't have access to the real user home directory will see an empty home directory with a writeable subdirectory `subdir`. Behind the scenes, this directory is actually a bind mount and the data is stored in the per-application directory as `~/.var/app/$APPID/subdir`. This allows existing apps that are not aware of the per-application directory to still work as intended without general home directory access. However, the application does have write access to the application directory `~/.var/app/$APPID` where this directory is stored. If the source directory for the `persistent`/`--persist` option is replaced by a symlink, then the next time the application is started, the bind mount will follow the symlink and mount whatever it points to into the sandbox. Partial protection against this vulnerability can be provided by patching Flatpak using the patches in commits ceec2ffc and 98f79773. However, this leaves a race condition that could be exploited by two instances of a malicious app running in parallel. Closing the race condition requires updating or patching the version of bubblewrap that is used by Flatpak to add the new `--bind-fd` option using the patch and then patching Flatpak to use it. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=bwrap` (1.15.x) or `--with-system-bubblewrap=bwrap` (1.14.x or older), or a similar option, then the version of bubblewrap that needs to be patched is a system copy that is distributed separately, typically `/usr/bin/bwrap`. This configuration is the one that is typically used in Linux distributions. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=` (1.15.x) or with `--without-system-bubblewrap` (1.14.x or older), then it is the bundled version of bubblewrap that is included with Flatpak that must be patched. This is typically installed as `/usr/libexec/flatpak-bwrap`. This configuration is the default when building from source code. For the 1.14.x stable branch, these changes are included in Flatpak 1.14.10. The bundled version of bubblewrap included in this release has been updated to 0.6.3. For the 1.15.x development branch, these changes are included in Flatpak 1.15.10. The bundled version of bubblewrap in this release is a Meson "wrap" subproject, which has been updated to 0.10.0. The 1.12.x and 1.10.x branches will not be updated for this vulnerability. Long-term support OS distributions should backport the individual changes into their versions of Flatpak and bubblewrap, or update to newer versions if their stability policy allows it. As a workaround, avoid using applications using the `persistent` (`--persist`) permission. Solution(s) alma-upgrade-bubblewrap alma-upgrade-flatpak alma-upgrade-flatpak-devel alma-upgrade-flatpak-libs alma-upgrade-flatpak-selinux alma-upgrade-flatpak-session-helper References https://attackerkb.com/topics/cve-2024-42472 CVE - 2024-42472 https://errata.almalinux.org/8/ALSA-2024-6422.html https://errata.almalinux.org/9/ALSA-2024-6356.html https://errata.almalinux.org/9/ALSA-2024-9449.html

Ubuntu: USN-6993-1 (CVE-2024-43374): Vim vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 08/16/2024 Created 09/07/2024 Added 09/06/2024 Modified 11/15/2024 Description The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678. Solution(s) ubuntu-pro-upgrade-vim References https://attackerkb.com/topics/cve-2024-43374 CVE - 2024-43374 USN-6993-1

Red Hat: CVE-2024-23184: dovecot: using a large number of address headers may trigger a denial of service (Multiple Advisories) Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:N/A:C) Published 08/15/2024 Created 09/11/2024 Added 09/10/2024 Modified 09/25/2024 Description Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known. Solution(s) redhat-upgrade-dovecot redhat-upgrade-dovecot-debuginfo redhat-upgrade-dovecot-debugsource redhat-upgrade-dovecot-devel redhat-upgrade-dovecot-mysql redhat-upgrade-dovecot-mysql-debuginfo redhat-upgrade-dovecot-pgsql redhat-upgrade-dovecot-pgsql-debuginfo redhat-upgrade-dovecot-pigeonhole redhat-upgrade-dovecot-pigeonhole-debuginfo References CVE-2024-23184 RHSA-2024:6465 RHSA-2024:6529 RHSA-2024:6973

Ubuntu: USN-7046-1 (CVE-2024-42472): Flatpak and Bubblewrap vulnerability Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 08/15/2024 Created 10/02/2024 Added 10/01/2024 Modified 10/23/2024 Description Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app using persistent directories could access and write files outside of what it would otherwise have access to, which is an attack on integrity and confidentiality. When `persistent=subdir` is used in the application permissions (represented as `--persist=subdir` in the command-line interface), that means that an application which otherwise doesn't have access to the real user home directory will see an empty home directory with a writeable subdirectory `subdir`. Behind the scenes, this directory is actually a bind mount and the data is stored in the per-application directory as `~/.var/app/$APPID/subdir`. This allows existing apps that are not aware of the per-application directory to still work as intended without general home directory access. However, the application does have write access to the application directory `~/.var/app/$APPID` where this directory is stored. If the source directory for the `persistent`/`--persist` option is replaced by a symlink, then the next time the application is started, the bind mount will follow the symlink and mount whatever it points to into the sandbox. Partial protection against this vulnerability can be provided by patching Flatpak using the patches in commits ceec2ffc and 98f79773. However, this leaves a race condition that could be exploited by two instances of a malicious app running in parallel. Closing the race condition requires updating or patching the version of bubblewrap that is used by Flatpak to add the new `--bind-fd` option using the patch and then patching Flatpak to use it. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=bwrap` (1.15.x) or `--with-system-bubblewrap=bwrap` (1.14.x or older), or a similar option, then the version of bubblewrap that needs to be patched is a system copy that is distributed separately, typically `/usr/bin/bwrap`. This configuration is the one that is typically used in Linux distributions. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=` (1.15.x) or with `--without-system-bubblewrap` (1.14.x or older), then it is the bundled version of bubblewrap that is included with Flatpak that must be patched. This is typically installed as `/usr/libexec/flatpak-bwrap`. This configuration is the default when building from source code. For the 1.14.x stable branch, these changes are included in Flatpak 1.14.10. The bundled version of bubblewrap included in this release has been updated to 0.6.3. For the 1.15.x development branch, these changes are included in Flatpak 1.15.10. The bundled version of bubblewrap in this release is a Meson "wrap" subproject, which has been updated to 0.10.0. The 1.12.x and 1.10.x branches will not be updated for this vulnerability. Long-term support OS distributions should backport the individual changes into their versions of Flatpak and bubblewrap, or update to newer versions if their stability policy allows it. As a workaround, avoid using applications using the `persistent` (`--persist`) permission. Solution(s) ubuntu-upgrade-bubblewrap ubuntu-upgrade-flatpak ubuntu-upgrade-libflatpak0 References https://attackerkb.com/topics/cve-2024-42472 CVE - 2024-42472 USN-7046-1

Oracle Linux: CVE-2024-23184: ELSA-2024-6529:dovecot security update (MODERATE) (Multiple Advisories) Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:N/A:C) Published 08/15/2024 Created 10/18/2024 Added 10/16/2024 Modified 12/01/2024 Description Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known. A flaw was found in Dovecot. Processing a large number of address headers (From, To, Cc, Bcc, etc) can be excessively CPU intensive. This flaw allows a remote attacker to trigger a denial of service. Solution(s) oracle-linux-upgrade-dovecot oracle-linux-upgrade-dovecot-devel oracle-linux-upgrade-dovecot-mysql oracle-linux-upgrade-dovecot-pgsql oracle-linux-upgrade-dovecot-pigeonhole References https://attackerkb.com/topics/cve-2024-23184 CVE - 2024-23184 ELSA-2024-6529 ELSA-2024-6973

Rocky Linux: CVE-2024-42472: bubblewrap-and-flatpak (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 08/15/2024 Created 09/18/2024 Added 09/17/2024 Modified 11/20/2024 Description Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app using persistent directories could access and write files outside of what it would otherwise have access to, which is an attack on integrity and confidentiality. When `persistent=subdir` is used in the application permissions (represented as `--persist=subdir` in the command-line interface), that means that an application which otherwise doesn't have access to the real user home directory will see an empty home directory with a writeable subdirectory `subdir`. Behind the scenes, this directory is actually a bind mount and the data is stored in the per-application directory as `~/.var/app/$APPID/subdir`. This allows existing apps that are not aware of the per-application directory to still work as intended without general home directory access. However, the application does have write access to the application directory `~/.var/app/$APPID` where this directory is stored. If the source directory for the `persistent`/`--persist` option is replaced by a symlink, then the next time the application is started, the bind mount will follow the symlink and mount whatever it points to into the sandbox. Partial protection against this vulnerability can be provided by patching Flatpak using the patches in commits ceec2ffc and 98f79773. However, this leaves a race condition that could be exploited by two instances of a malicious app running in parallel. Closing the race condition requires updating or patching the version of bubblewrap that is used by Flatpak to add the new `--bind-fd` option using the patch and then patching Flatpak to use it. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=bwrap` (1.15.x) or `--with-system-bubblewrap=bwrap` (1.14.x or older), or a similar option, then the version of bubblewrap that needs to be patched is a system copy that is distributed separately, typically `/usr/bin/bwrap`. This configuration is the one that is typically used in Linux distributions. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=` (1.15.x) or with `--without-system-bubblewrap` (1.14.x or older), then it is the bundled version of bubblewrap that is included with Flatpak that must be patched. This is typically installed as `/usr/libexec/flatpak-bwrap`. This configuration is the default when building from source code. For the 1.14.x stable branch, these changes are included in Flatpak 1.14.10. The bundled version of bubblewrap included in this release has been updated to 0.6.3. For the 1.15.x development branch, these changes are included in Flatpak 1.15.10. The bundled version of bubblewrap in this release is a Meson "wrap" subproject, which has been updated to 0.10.0. The 1.12.x and 1.10.x branches will not be updated for this vulnerability. Long-term support OS distributions should backport the individual changes into their versions of Flatpak and bubblewrap, or update to newer versions if their stability policy allows it. As a workaround, avoid using applications using the `persistent` (`--persist`) permission. Solution(s) rocky-upgrade-bubblewrap rocky-upgrade-bubblewrap-debuginfo rocky-upgrade-bubblewrap-debugsource rocky-upgrade-flatpak rocky-upgrade-flatpak-debuginfo rocky-upgrade-flatpak-debugsource rocky-upgrade-flatpak-devel rocky-upgrade-flatpak-libs rocky-upgrade-flatpak-libs-debuginfo rocky-upgrade-flatpak-session-helper rocky-upgrade-flatpak-session-helper-debuginfo References https://attackerkb.com/topics/cve-2024-42472 CVE - 2024-42472 https://errata.rockylinux.org/RLSA-2024:6422 https://errata.rockylinux.org/RLSA-2024:9449

Amazon Linux 2023: CVE-2024-23185: Medium priority package update for dovecot Severity 5 CVSS (AV:N/AC:H/Au:N/C:N/I:N/A:C) Published 08/15/2024 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description Very large headers can cause resource exhaustion when parsing message. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to message-header-parser, it starts building up "full_value" buffer out of the smaller chunks. The full_value buffer has no size limit, so large headers can cause large memory usage. It doesn't matter whether it's a single long header line, or a single header split into multiple lines. This bug exists in all Dovecot versions. Incoming mails typically have some size limits set by MTA, so even largest possible header size may still fit into Dovecot's vsz_limit. So attackers probably can't DoS a victim user this way. A user could APPEND larger mails though, allowing them to DoS themselves (although maybe cause some memory issues for the backend in general). One can implement restrictions on headers on MTA component preceding Dovecot. No publicly available exploits are known. A security issue was found in Dovecot. Very large headers can lead to resource exhaustion when parsing messages. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to the message-header-parser, it starts building up a "full_value" buffer out of the smaller chunks. The full_value buffer has no size limit so large headers can cause large memory usage. This issue occurs whether it is a single long header line or a single header split into multiple lines. Solution(s) amazon-linux-2023-upgrade-dovecot amazon-linux-2023-upgrade-dovecot-debuginfo amazon-linux-2023-upgrade-dovecot-debugsource amazon-linux-2023-upgrade-dovecot-devel amazon-linux-2023-upgrade-dovecot-mysql amazon-linux-2023-upgrade-dovecot-mysql-debuginfo amazon-linux-2023-upgrade-dovecot-pgsql amazon-linux-2023-upgrade-dovecot-pgsql-debuginfo amazon-linux-2023-upgrade-dovecot-pigeonhole amazon-linux-2023-upgrade-dovecot-pigeonhole-debuginfo References https://attackerkb.com/topics/cve-2024-23185 CVE - 2024-23185 https://alas.aws.amazon.com/AL2023/ALAS-2024-785.html

Red Hat: CVE-2024-23185: dovecot: very large headers can cause resource exhaustion when parsing message (Multiple Advisories) Severity 5 CVSS (AV:N/AC:H/Au:N/C:N/I:N/A:C) Published 08/15/2024 Created 09/11/2024 Added 09/10/2024 Modified 09/25/2024 Description Very large headers can cause resource exhaustion when parsing message. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to message-header-parser, it starts building up "full_value" buffer out of the smaller chunks. The full_value buffer has no size limit, so large headers can cause large memory usage. It doesn't matter whether it's a single long header line, or a single header split into multiple lines. This bug exists in all Dovecot versions. Incoming mails typically have some size limits set by MTA, so even largest possible header size may still fit into Dovecot's vsz_limit. So attackers probably can't DoS a victim user this way. A user could APPEND larger mails though, allowing them to DoS themselves (although maybe cause some memory issues for the backend in general). One can implement restrictions on headers on MTA component preceding Dovecot. No publicly available exploits are known. Solution(s) redhat-upgrade-dovecot redhat-upgrade-dovecot-debuginfo redhat-upgrade-dovecot-debugsource redhat-upgrade-dovecot-devel redhat-upgrade-dovecot-mysql redhat-upgrade-dovecot-mysql-debuginfo redhat-upgrade-dovecot-pgsql redhat-upgrade-dovecot-pgsql-debuginfo redhat-upgrade-dovecot-pigeonhole redhat-upgrade-dovecot-pigeonhole-debuginfo References CVE-2024-23185 RHSA-2024:6465 RHSA-2024:6529 RHSA-2024:6973

Gentoo Linux: CVE-2024-42472: Flatpak: Sandbox Escape Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 08/15/2024 Created 11/08/2024 Added 11/07/2024 Modified 11/07/2024 Description Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app using persistent directories could access and write files outside of what it would otherwise have access to, which is an attack on integrity and confidentiality. When `persistent=subdir` is used in the application permissions (represented as `--persist=subdir` in the command-line interface), that means that an application which otherwise doesn't have access to the real user home directory will see an empty home directory with a writeable subdirectory `subdir`. Behind the scenes, this directory is actually a bind mount and the data is stored in the per-application directory as `~/.var/app/$APPID/subdir`. This allows existing apps that are not aware of the per-application directory to still work as intended without general home directory access. However, the application does have write access to the application directory `~/.var/app/$APPID` where this directory is stored. If the source directory for the `persistent`/`--persist` option is replaced by a symlink, then the next time the application is started, the bind mount will follow the symlink and mount whatever it points to into the sandbox. Partial protection against this vulnerability can be provided by patching Flatpak using the patches in commits ceec2ffc and 98f79773. However, this leaves a race condition that could be exploited by two instances of a malicious app running in parallel. Closing the race condition requires updating or patching the version of bubblewrap that is used by Flatpak to add the new `--bind-fd` option using the patch and then patching Flatpak to use it. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=bwrap` (1.15.x) or `--with-system-bubblewrap=bwrap` (1.14.x or older), or a similar option, then the version of bubblewrap that needs to be patched is a system copy that is distributed separately, typically `/usr/bin/bwrap`. This configuration is the one that is typically used in Linux distributions. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=` (1.15.x) or with `--without-system-bubblewrap` (1.14.x or older), then it is the bundled version of bubblewrap that is included with Flatpak that must be patched. This is typically installed as `/usr/libexec/flatpak-bwrap`. This configuration is the default when building from source code. For the 1.14.x stable branch, these changes are included in Flatpak 1.14.10. The bundled version of bubblewrap included in this release has been updated to 0.6.3. For the 1.15.x development branch, these changes are included in Flatpak 1.15.10. The bundled version of bubblewrap in this release is a Meson "wrap" subproject, which has been updated to 0.10.0. The 1.12.x and 1.10.x branches will not be updated for this vulnerability. Long-term support OS distributions should backport the individual changes into their versions of Flatpak and bubblewrap, or update to newer versions if their stability policy allows it. As a workaround, avoid using applications using the `persistent` (`--persist`) permission. Solution(s) gentoo-linux-upgrade-sys-apps-flatpak References https://attackerkb.com/topics/cve-2024-42472 CVE - 2024-42472 202411-02

Amazon Linux 2023: CVE-2024-23184: Medium priority package update for dovecot Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:N/A:C) Published 08/15/2024 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known. A flaw was found in Dovecot. Processing a large number of address headers (From, To, Cc, Bcc, etc) can be excessively CPU intensive. This flaw allows a remote attacker to trigger a denial of service. Solution(s) amazon-linux-2023-upgrade-dovecot amazon-linux-2023-upgrade-dovecot-debuginfo amazon-linux-2023-upgrade-dovecot-debugsource amazon-linux-2023-upgrade-dovecot-devel amazon-linux-2023-upgrade-dovecot-mysql amazon-linux-2023-upgrade-dovecot-mysql-debuginfo amazon-linux-2023-upgrade-dovecot-pgsql amazon-linux-2023-upgrade-dovecot-pgsql-debuginfo amazon-linux-2023-upgrade-dovecot-pigeonhole amazon-linux-2023-upgrade-dovecot-pigeonhole-debuginfo References https://attackerkb.com/topics/cve-2024-23184 CVE - 2024-23184 https://alas.aws.amazon.com/AL2023/ALAS-2024-785.html