ISHACK AI BOT

SUSE: CVE-2024-4076: SUSE Linux Security Advisory Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/23/2024 Created 07/31/2024 Added 07/31/2024 Modified 08/12/2024 Description Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Solution(s) suse-upgrade-bind suse-upgrade-bind-doc suse-upgrade-bind-utils suse-upgrade-python3-bind References https://attackerkb.com/topics/cve-2024-4076 CVE - 2024-4076

SUSE: CVE-2024-1737: SUSE Linux Security Advisory Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/23/2024 Created 07/31/2024 Added 07/31/2024 Modified 01/28/2025 Description Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Solution(s) suse-upgrade-bind suse-upgrade-bind-chrootenv suse-upgrade-bind-devel suse-upgrade-bind-doc suse-upgrade-bind-utils suse-upgrade-libbind9-1600 suse-upgrade-libbind9-161 suse-upgrade-libdns1110 suse-upgrade-libdns1605 suse-upgrade-libirs-devel suse-upgrade-libirs1601 suse-upgrade-libirs161 suse-upgrade-libisc1107 suse-upgrade-libisc1107-32bit suse-upgrade-libisc1606 suse-upgrade-libisccc1600 suse-upgrade-libisccc161 suse-upgrade-libisccfg1600 suse-upgrade-libisccfg163 suse-upgrade-liblwres161 suse-upgrade-libns1604 suse-upgrade-python-bind suse-upgrade-python3-bind References https://attackerkb.com/topics/cve-2024-1737 CVE - 2024-1737

Oracle Linux: CVE-2024-4076: ELSA-2024-5390:bind9.16 security update (IMPORTANT) (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/23/2024 Created 10/24/2024 Added 10/16/2024 Modified 12/06/2024 Description Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. A flaw was found in the bind9 package, where a client query triggers stale data and also requires local lookups may trigger a assertion failure. This issue results in a denial of service of the bind server. Solution(s) oracle-linux-upgrade-bind oracle-linux-upgrade-bind-chroot oracle-linux-upgrade-bind-devel oracle-linux-upgrade-bind-dnssec-doc oracle-linux-upgrade-bind-dnssec-utils oracle-linux-upgrade-bind-doc oracle-linux-upgrade-bind-dyndb-ldap oracle-linux-upgrade-bind-libs oracle-linux-upgrade-bind-license oracle-linux-upgrade-bind-utils oracle-linux-upgrade-python3-bind References https://attackerkb.com/topics/cve-2024-4076 CVE - 2024-4076 ELSA-2024-5390 ELSA-2024-5231

Huawei EulerOS: CVE-2024-41012: kernel security update Severity 6 CVSS (AV:L/AC:M/Au:S/C:C/I:N/A:C) Published 07/23/2024 Created 11/06/2024 Added 11/05/2024 Modified 01/30/2025 Description In the Linux kernel, the following vulnerability has been resolved: filelock: Remove locks reliably when fcntl/close race is detected When fcntl_setlk() races with close(), it removes the created lock with do_lock_file_wait(). However, LSMs can allow the first do_lock_file_wait() that created the lock while denying the second do_lock_file_wait() that tries to remove the lock. Separately, posix_lock_file() could also fail to remove a lock due to GFP_KERNEL allocation failure (when splitting a range in the middle). After the bug has been triggered, use-after-free reads will occur in lock_get_status() when userspace reads /proc/locks. This can likely be used to read arbitrary kernel memory, but can't corrupt kernel memory. Fix it by calling locks_remove_posix() instead, which is designed to reliably get rid of POSIX locks associated with the given file and files_struct and is also used by filp_flush(). Solution(s) huawei-euleros-2_0_sp12-upgrade-bpftool huawei-euleros-2_0_sp12-upgrade-kernel huawei-euleros-2_0_sp12-upgrade-kernel-abi-stablelists huawei-euleros-2_0_sp12-upgrade-kernel-tools huawei-euleros-2_0_sp12-upgrade-kernel-tools-libs huawei-euleros-2_0_sp12-upgrade-python3-perf References https://attackerkb.com/topics/cve-2024-41012 CVE - 2024-41012 EulerOS-SA-2024-2806

SUSE: CVE-2024-0760: SUSE Linux Security Advisory Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/23/2024 Created 07/31/2024 Added 07/31/2024 Modified 01/28/2025 Description A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1. Solution(s) suse-upgrade-bind suse-upgrade-bind-doc suse-upgrade-bind-utils References https://attackerkb.com/topics/cve-2024-0760 CVE - 2024-0760

Red Hat: CVE-2024-4076: bind: bind9: Assertion failure when serving both stale cache data and authoritative zone content (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/23/2024 Created 08/23/2024 Added 08/22/2024 Modified 09/13/2024 Description Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Solution(s) redhat-upgrade-bind redhat-upgrade-bind-chroot redhat-upgrade-bind-debuginfo redhat-upgrade-bind-debugsource redhat-upgrade-bind-devel redhat-upgrade-bind-dnssec-doc redhat-upgrade-bind-dnssec-utils redhat-upgrade-bind-dnssec-utils-debuginfo redhat-upgrade-bind-doc redhat-upgrade-bind-dyndb-ldap redhat-upgrade-bind-dyndb-ldap-debuginfo redhat-upgrade-bind-dyndb-ldap-debugsource redhat-upgrade-bind-libs redhat-upgrade-bind-libs-debuginfo redhat-upgrade-bind-license redhat-upgrade-bind-utils redhat-upgrade-bind-utils-debuginfo redhat-upgrade-bind9-16 redhat-upgrade-bind9-16-chroot redhat-upgrade-bind9-16-debuginfo redhat-upgrade-bind9-16-debugsource redhat-upgrade-bind9-16-devel redhat-upgrade-bind9-16-dnssec-utils redhat-upgrade-bind9-16-dnssec-utils-debuginfo redhat-upgrade-bind9-16-doc redhat-upgrade-bind9-16-libs redhat-upgrade-bind9-16-libs-debuginfo redhat-upgrade-bind9-16-license redhat-upgrade-bind9-16-utils redhat-upgrade-bind9-16-utils-debuginfo redhat-upgrade-python3-bind redhat-upgrade-python3-bind9-16 References CVE-2024-4076 RHSA-2024:5231 RHSA-2024:5390 RHSA-2024:5525 RHSA-2024:5813

Huawei EulerOS: CVE-2024-1737: bind security update Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/23/2024 Created 10/10/2024 Added 10/09/2024 Modified 01/28/2025 Description Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Solution(s) huawei-euleros-2_0_sp12-upgrade-bind huawei-euleros-2_0_sp12-upgrade-bind-chroot huawei-euleros-2_0_sp12-upgrade-bind-dnssec-doc huawei-euleros-2_0_sp12-upgrade-bind-dnssec-utils huawei-euleros-2_0_sp12-upgrade-bind-libs huawei-euleros-2_0_sp12-upgrade-bind-license huawei-euleros-2_0_sp12-upgrade-bind-pkcs11 huawei-euleros-2_0_sp12-upgrade-bind-pkcs11-libs huawei-euleros-2_0_sp12-upgrade-bind-pkcs11-utils huawei-euleros-2_0_sp12-upgrade-bind-utils huawei-euleros-2_0_sp12-upgrade-python3-bind References https://attackerkb.com/topics/cve-2024-1737 CVE - 2024-1737 EulerOS-SA-2024-2520

Oracle Linux: CVE-2024-41012: ELSA-2024-7000:kernel security update (IMPORTANT) (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 07/23/2024 Created 10/18/2024 Added 10/16/2024 Modified 01/23/2025 Description In the Linux kernel, the following vulnerability has been resolved: filelock: Remove locks reliably when fcntl/close race is detected When fcntl_setlk() races with close(), it removes the created lock with do_lock_file_wait(). However, LSMs can allow the first do_lock_file_wait() that created the lock while denying the second do_lock_file_wait() that tries to remove the lock. Separately, posix_lock_file() could also fail to remove a lock due to GFP_KERNEL allocation failure (when splitting a range in the middle). After the bug has been triggered, use-after-free reads will occur in lock_get_status() when userspace reads /proc/locks. This can likely be used to read arbitrary kernel memory, but can't corrupt kernel memory. Fix it by calling locks_remove_posix() instead, which is designed to reliably get rid of POSIX locks associated with the given file and files_struct and is also used by filp_flush(). Solution(s) oracle-linux-upgrade-kernel oracle-linux-upgrade-kernel-uek References https://attackerkb.com/topics/cve-2024-41012 CVE - 2024-41012 ELSA-2024-7000 ELSA-2024-12782 ELSA-2024-12780 ELSA-2024-12815 ELSA-2024-12814

Red Hat: CVE-2024-1975: bind9: bind: SIG(0) can be used to exhaust CPU resources (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/23/2024 Created 08/23/2024 Added 08/22/2024 Modified 09/13/2024 Description If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. Solution(s) redhat-upgrade-bind redhat-upgrade-bind-chroot redhat-upgrade-bind-debuginfo redhat-upgrade-bind-debugsource redhat-upgrade-bind-devel redhat-upgrade-bind-dnssec-doc redhat-upgrade-bind-dnssec-utils redhat-upgrade-bind-dnssec-utils-debuginfo redhat-upgrade-bind-doc redhat-upgrade-bind-dyndb-ldap redhat-upgrade-bind-dyndb-ldap-debuginfo redhat-upgrade-bind-dyndb-ldap-debugsource redhat-upgrade-bind-export-devel redhat-upgrade-bind-export-libs redhat-upgrade-bind-export-libs-debuginfo redhat-upgrade-bind-libs redhat-upgrade-bind-libs-debuginfo redhat-upgrade-bind-libs-lite redhat-upgrade-bind-libs-lite-debuginfo redhat-upgrade-bind-license redhat-upgrade-bind-lite-devel redhat-upgrade-bind-pkcs11 redhat-upgrade-bind-pkcs11-debuginfo redhat-upgrade-bind-pkcs11-devel redhat-upgrade-bind-pkcs11-libs redhat-upgrade-bind-pkcs11-libs-debuginfo redhat-upgrade-bind-pkcs11-utils redhat-upgrade-bind-pkcs11-utils-debuginfo redhat-upgrade-bind-sdb redhat-upgrade-bind-sdb-chroot redhat-upgrade-bind-sdb-debuginfo redhat-upgrade-bind-utils redhat-upgrade-bind-utils-debuginfo redhat-upgrade-bind9-16 redhat-upgrade-bind9-16-chroot redhat-upgrade-bind9-16-debuginfo redhat-upgrade-bind9-16-debugsource redhat-upgrade-bind9-16-devel redhat-upgrade-bind9-16-dnssec-utils redhat-upgrade-bind9-16-dnssec-utils-debuginfo redhat-upgrade-bind9-16-doc redhat-upgrade-bind9-16-libs redhat-upgrade-bind9-16-libs-debuginfo redhat-upgrade-bind9-16-license redhat-upgrade-bind9-16-utils redhat-upgrade-bind9-16-utils-debuginfo redhat-upgrade-python3-bind redhat-upgrade-python3-bind9-16 References CVE-2024-1975 RHSA-2024:5231 RHSA-2024:5390 RHSA-2024:5524 RHSA-2024:5525 RHSA-2024:5813 RHSA-2024:5838 View more

Red Hat: CVE-2024-1737: bind: bind9: BIND's database will be slow if a very large number of RRs exist at the same nam (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/23/2024 Created 08/23/2024 Added 08/22/2024 Modified 09/13/2024 Description Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Solution(s) redhat-upgrade-bind redhat-upgrade-bind-chroot redhat-upgrade-bind-debuginfo redhat-upgrade-bind-debugsource redhat-upgrade-bind-devel redhat-upgrade-bind-dnssec-doc redhat-upgrade-bind-dnssec-utils redhat-upgrade-bind-dnssec-utils-debuginfo redhat-upgrade-bind-doc redhat-upgrade-bind-dyndb-ldap redhat-upgrade-bind-dyndb-ldap-debuginfo redhat-upgrade-bind-dyndb-ldap-debugsource redhat-upgrade-bind-export-devel redhat-upgrade-bind-export-libs redhat-upgrade-bind-export-libs-debuginfo redhat-upgrade-bind-libs redhat-upgrade-bind-libs-debuginfo redhat-upgrade-bind-libs-lite redhat-upgrade-bind-libs-lite-debuginfo redhat-upgrade-bind-license redhat-upgrade-bind-lite-devel redhat-upgrade-bind-pkcs11 redhat-upgrade-bind-pkcs11-debuginfo redhat-upgrade-bind-pkcs11-devel redhat-upgrade-bind-pkcs11-libs redhat-upgrade-bind-pkcs11-libs-debuginfo redhat-upgrade-bind-pkcs11-utils redhat-upgrade-bind-pkcs11-utils-debuginfo redhat-upgrade-bind-sdb redhat-upgrade-bind-sdb-chroot redhat-upgrade-bind-sdb-debuginfo redhat-upgrade-bind-utils redhat-upgrade-bind-utils-debuginfo redhat-upgrade-bind9-16 redhat-upgrade-bind9-16-chroot redhat-upgrade-bind9-16-debuginfo redhat-upgrade-bind9-16-debugsource redhat-upgrade-bind9-16-devel redhat-upgrade-bind9-16-dnssec-utils redhat-upgrade-bind9-16-dnssec-utils-debuginfo redhat-upgrade-bind9-16-doc redhat-upgrade-bind9-16-libs redhat-upgrade-bind9-16-libs-debuginfo redhat-upgrade-bind9-16-license redhat-upgrade-bind9-16-utils redhat-upgrade-bind9-16-utils-debuginfo redhat-upgrade-python3-bind redhat-upgrade-python3-bind9-16 References CVE-2024-1737 RHSA-2024:5231 RHSA-2024:5390 RHSA-2024:5524 RHSA-2024:5525 RHSA-2024:5813 RHSA-2024:5838 View more

Huawei EulerOS: CVE-2024-1975: dhcp security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/23/2024 Created 01/16/2025 Added 01/15/2025 Modified 01/15/2025 Description If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. Solution(s) huawei-euleros-2_0_sp9-upgrade-dhcp References https://attackerkb.com/topics/cve-2024-1975 CVE - 2024-1975 EulerOS-SA-2025-1053

Huawei EulerOS: CVE-2024-1737: dhcp security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/23/2024 Created 01/16/2025 Added 01/15/2025 Modified 01/15/2025 Description Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Solution(s) huawei-euleros-2_0_sp9-upgrade-dhcp References https://attackerkb.com/topics/cve-2024-1737 CVE - 2024-1737 EulerOS-SA-2025-1053

Alma Linux: CVE-2024-1975: Important: bind9.16 security update (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/23/2024 Created 08/23/2024 Added 08/22/2024 Modified 02/13/2025 Description If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. Solution(s) alma-upgrade-bind alma-upgrade-bind-chroot alma-upgrade-bind-devel alma-upgrade-bind-dnssec-doc alma-upgrade-bind-dnssec-utils alma-upgrade-bind-doc alma-upgrade-bind-dyndb-ldap alma-upgrade-bind-export-devel alma-upgrade-bind-export-libs alma-upgrade-bind-libs alma-upgrade-bind-libs-lite alma-upgrade-bind-license alma-upgrade-bind-lite-devel alma-upgrade-bind-pkcs11 alma-upgrade-bind-pkcs11-devel alma-upgrade-bind-pkcs11-libs alma-upgrade-bind-pkcs11-utils alma-upgrade-bind-sdb alma-upgrade-bind-sdb-chroot alma-upgrade-bind-utils alma-upgrade-bind9.16 alma-upgrade-bind9.16-chroot alma-upgrade-bind9.16-devel alma-upgrade-bind9.16-dnssec-utils alma-upgrade-bind9.16-doc alma-upgrade-bind9.16-libs alma-upgrade-bind9.16-license alma-upgrade-bind9.16-utils alma-upgrade-python3-bind alma-upgrade-python3-bind9.16 References https://attackerkb.com/topics/cve-2024-1975 CVE - 2024-1975 https://errata.almalinux.org/8/ALSA-2024-5390.html https://errata.almalinux.org/8/ALSA-2024-5524.html https://errata.almalinux.org/9/ALSA-2024-5231.html

VMware Photon OS: CVE-2024-4076 Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/23/2024 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2024-4076 CVE - 2024-4076

Huawei EulerOS: CVE-2024-1975: dhcp security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/23/2024 Created 01/15/2025 Added 01/14/2025 Modified 01/14/2025 Description If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. Solution(s) huawei-euleros-2_0_sp10-upgrade-dhcp References https://attackerkb.com/topics/cve-2024-1975 CVE - 2024-1975 EulerOS-SA-2025-1019

Huawei EulerOS: CVE-2024-1737: dhcp security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 07/23/2024 Created 01/15/2025 Added 01/14/2025 Modified 01/14/2025 Description Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Solution(s) huawei-euleros-2_0_sp10-upgrade-dhcp References https://attackerkb.com/topics/cve-2024-1737 CVE - 2024-1737 EulerOS-SA-2025-1019

Amazon Linux AMI 2: CVE-2024-1737: Security patch for bind (ALAS-2024-2616) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/23/2024 Created 08/14/2024 Added 08/14/2024 Modified 01/28/2025 Description Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Solution(s) amazon-linux-ami-2-upgrade-bind amazon-linux-ami-2-upgrade-bind-chroot amazon-linux-ami-2-upgrade-bind-debuginfo amazon-linux-ami-2-upgrade-bind-devel amazon-linux-ami-2-upgrade-bind-export-devel amazon-linux-ami-2-upgrade-bind-export-libs amazon-linux-ami-2-upgrade-bind-libs amazon-linux-ami-2-upgrade-bind-libs-lite amazon-linux-ami-2-upgrade-bind-license amazon-linux-ami-2-upgrade-bind-lite-devel amazon-linux-ami-2-upgrade-bind-pkcs11 amazon-linux-ami-2-upgrade-bind-pkcs11-devel amazon-linux-ami-2-upgrade-bind-pkcs11-libs amazon-linux-ami-2-upgrade-bind-pkcs11-utils amazon-linux-ami-2-upgrade-bind-sdb amazon-linux-ami-2-upgrade-bind-sdb-chroot amazon-linux-ami-2-upgrade-bind-utils References https://attackerkb.com/topics/cve-2024-1737 AL2/ALAS-2024-2616 CVE - 2024-1737

IBM AIX: bind_advisory27 (CVE-2024-1975): Vulnerability in bind affects AIX Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/23/2024 Created 11/21/2024 Added 11/19/2024 Modified 01/30/2025 Description If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. Solution(s) ibm-aix-bind_advisory27 References https://attackerkb.com/topics/cve-2024-1975 CVE - 2024-1975 https://aix.software.ibm.com/aix/efixes/security/bind_advisory27.asc

IBM AIX: bind_advisory27 (CVE-2024-0760): Vulnerability in bind affects AIX Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/23/2024 Created 11/21/2024 Added 11/19/2024 Modified 01/28/2025 Description A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1. Solution(s) ibm-aix-bind_advisory27 References https://attackerkb.com/topics/cve-2024-0760 CVE - 2024-0760 https://aix.software.ibm.com/aix/efixes/security/bind_advisory27.asc

IBM AIX: bind_advisory27 (CVE-2024-1737): Vulnerability in bind affects AIX Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/23/2024 Created 11/21/2024 Added 11/19/2024 Modified 01/28/2025 Description Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Solution(s) ibm-aix-bind_advisory27 References https://attackerkb.com/topics/cve-2024-1737 CVE - 2024-1737 https://aix.software.ibm.com/aix/efixes/security/bind_advisory27.asc

Huawei EulerOS: CVE-2024-1737: dhcp security update Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 07/23/2024 Created 10/10/2024 Added 10/09/2024 Modified 02/11/2025 Description Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. Solution(s) huawei-euleros-2_0_sp11-upgrade-dhcp References https://attackerkb.com/topics/cve-2024-1737 CVE - 2024-1737 EulerOS-SA-2025-1152

Huawei EulerOS: CVE-2024-41110: docker-engine security update Severity 9 CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:C) Published 07/24/2024 Created 10/10/2024 Added 10/09/2024 Modified 12/06/2024 Description Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. docker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege. Solution(s) huawei-euleros-2_0_sp11-upgrade-docker-engine huawei-euleros-2_0_sp11-upgrade-docker-engine-selinux References https://attackerkb.com/topics/cve-2024-41110 CVE - 2024-41110 EulerOS-SA-2024-2577

Debian: CVE-2024-41110: docker.io -- security update Severity 9 CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:C) Published 07/24/2024 Created 10/16/2024 Added 10/15/2024 Modified 12/06/2024 Description Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. docker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege. Solution(s) debian-upgrade-docker-io References https://attackerkb.com/topics/cve-2024-41110 CVE - 2024-41110 DLA-3918-1

Google Chrome Vulnerability: CVE-2024-7001 Inappropriate implementation in HTML Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 07/24/2024 Created 07/24/2024 Added 07/24/2024 Modified 01/28/2025 Description Inappropriate implementation in HTML in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2024-7001 CVE - 2024-7001

Oracle Linux: CVE-2024-41091: ELSA-2024-12581: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:N/C:N/I:N/A:C) Published 07/24/2024 Created 08/20/2024 Added 08/16/2024 Modified 01/23/2025 Description In the Linux kernel, the following vulnerability has been resolved: tun: add missing verification for short frame The cited commit missed to check against the validity of the frame length in the tun_xdp_one() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tun_xdp_one-->eth_type_trans() may access the Ethernet header although it can be less than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tun_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted for IFF_TAP. This is to drop any frame shorter than the Ethernet header size just like how tun_get_user() does. CVE: CVE-2024-41091 A denial of service (DoS) attack was found in the mlx5 driver in the Linux kernel. A KVM guest VM using virtio-net can crash the host by sending a short packet, for example, size < ETH_HLEN. The packet may traverse through vhost-net, macvtap, and vlan without any validation or drop. When this packet is presented to the mlx5 driver on the host side, the kernel panic happens since mlx5_core assumes the frame size is always >= ETH_HLEN. Solution(s) oracle-linux-upgrade-kernel oracle-linux-upgrade-kernel-uek References https://attackerkb.com/topics/cve-2024-41091 CVE - 2024-41091 ELSA-2024-12581 ELSA-2024-5928 ELSA-2024-12549 ELSA-2024-7000 ELSA-2024-12546 ELSA-2024-12582 ELSA-2024-12548 ELSA-2024-12547 ELSA-2024-12584 ELSA-2024-12585 ELSA-2024-12782 ELSA-2024-12571 ELSA-2024-12583 ELSA-2024-12780 ELSA-2024-12570 ELSA-2024-12551 ELSA-2024-12552 ELSA-2024-12815 View more