ISHACK AI BOT

CentOS Linux: CVE-2024-5690: Important: firefox security update (Multiple Advisories) Severity 4 CVSS (AV:N/AC:M/Au:N/C:P/I:N/A:N) Published 06/11/2024 Created 06/19/2024 Added 06/18/2024 Modified 01/28/2025 Description By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12. Solution(s) centos-upgrade-firefox centos-upgrade-firefox-debuginfo centos-upgrade-thunderbird centos-upgrade-thunderbird-debuginfo References CVE-2024-5690

Debian: CVE-2024-5832: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 06/17/2024 Added 06/17/2024 Modified 01/28/2025 Description Use after free in Dawn in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2024-5832 CVE - 2024-5832 DSA-5710-1

CentOS Linux: CVE-2024-5688: Important: firefox security update (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/11/2024 Created 06/19/2024 Added 06/18/2024 Modified 06/21/2024 Description If a garbage collection was triggered at the right time, a use-after-free could have occurred during object transplant. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12. Solution(s) centos-upgrade-firefox centos-upgrade-firefox-debuginfo centos-upgrade-thunderbird centos-upgrade-thunderbird-debuginfo References CVE-2024-5688

Ubuntu: USN-6844-1 (CVE-2024-35235): CUPS vulnerability Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/11/2024 Created 06/28/2024 Added 06/27/2024 Modified 11/15/2024 Description OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target. Given that cupsd is often running as root, this can result in the change of permission of any user or system files to be world writable. Given the aforementioned Ubuntu AppArmor context, on such systems this vulnerability is limited to those files modifiable by the cupsd process. In that specific case it was found to be possible to turn the configuration of the Listen argument into full control over the cupsd.conf and cups-files.conf configuration files. By later setting the User and Group arguments in cups-files.conf, and printing with a printer configured by PPD with a `FoomaticRIPCommandLine` argument, arbitrary user and group (not root) command execution could be achieved, which can further be used on Ubuntu systems to achieve full root command execution. Commit ff1f8a623e090dee8a8aadf12a6a4b25efac143d contains a patch for the issue. Solution(s) ubuntu-pro-upgrade-cups References https://attackerkb.com/topics/cve-2024-35235 CVE - 2024-35235 USN-6844-1

VMware Photon OS: CVE-2024-35235 Severity 4 CVSS (AV:L/AC:L/Au:M/C:C/I:N/A:N) Published 06/11/2024 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target. Given that cupsd is often running as root, this can result in the change of permission of any user or system files to be world writable. Given the aforementioned Ubuntu AppArmor context, on such systems this vulnerability is limited to those files modifiable by the cupsd process. In that specific case it was found to be possible to turn the configuration of the Listen argument into full control over the cupsd.conf and cups-files.conf configuration files. By later setting the User and Group arguments in cups-files.conf, and printing with a printer configured by PPD with a `FoomaticRIPCommandLine` argument, arbitrary user and group (not root) command execution could be achieved, which can further be used on Ubuntu systems to achieve full root command execution. Commit ff1f8a623e090dee8a8aadf12a6a4b25efac143d contains a patch for the issue. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2024-35235 CVE - 2024-35235

Amazon Linux AMI 2: CVE-2024-5690: Security patch for firefox (ALASFIREFOX-2024-027) Severity 4 CVSS (AV:N/AC:M/Au:N/C:P/I:N/A:N) Published 06/11/2024 Created 08/14/2024 Added 08/14/2024 Modified 01/30/2025 Description By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12. Solution(s) amazon-linux-ami-2-upgrade-firefox amazon-linux-ami-2-upgrade-firefox-debuginfo References https://attackerkb.com/topics/cve-2024-5690 AL2/ALASFIREFOX-2024-027 CVE - 2024-5690

Amazon Linux AMI 2: CVE-2024-5700: Security patch for firefox, thunderbird (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/11/2024 Created 07/12/2024 Added 07/11/2024 Modified 07/12/2024 Description Memory safety bugs present in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12. Solution(s) amazon-linux-ami-2-upgrade-firefox amazon-linux-ami-2-upgrade-firefox-debuginfo amazon-linux-ami-2-upgrade-thunderbird amazon-linux-ami-2-upgrade-thunderbird-debuginfo References https://attackerkb.com/topics/cve-2024-5700 AL2/ALAS-2024-2583 AL2/ALASFIREFOX-2024-026 CVE - 2024-5700

Amazon Linux AMI 2: CVE-2024-5696: Security patch for firefox (ALASFIREFOX-2024-027) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/11/2024 Created 08/14/2024 Added 08/14/2024 Modified 08/14/2024 Description By manipulating the text in an `&lt;input&gt;` tag, an attacker could have caused corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12. Solution(s) amazon-linux-ami-2-upgrade-firefox amazon-linux-ami-2-upgrade-firefox-debuginfo References https://attackerkb.com/topics/cve-2024-5696 AL2/ALASFIREFOX-2024-027 CVE - 2024-5696

Oracle Linux: CVE-2024-5702: ELSA-2024-4016:thunderbird security update (IMPORTANT) (Multiple Advisories) Severity 8 CVSS (AV:N/AC:H/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 06/19/2024 Added 06/17/2024 Modified 01/07/2025 Description Memory corruption in the networking stack could have led to a potentially exploitable crash. This vulnerability affects Firefox &lt; 125, Firefox ESR &lt; 115.12, and Thunderbird &lt; 115.12. The Mozilla Foundation Security Advisory describes this flaw as: Memory corruption in the networking stack could have led to a potentially exploitable crash. Solution(s) oracle-linux-upgrade-firefox oracle-linux-upgrade-firefox-x11 oracle-linux-upgrade-thunderbird References https://attackerkb.com/topics/cve-2024-5702 CVE - 2024-5702 ELSA-2024-4016 ELSA-2024-3954 ELSA-2024-3955 ELSA-2024-4036 ELSA-2024-3951 ELSA-2024-4002 View more

Oracle Linux: CVE-2024-5693: ELSA-2024-4016:thunderbird security update (IMPORTANT) (Multiple Advisories) Severity 6 CVSS (AV:N/AC:L/Au:N/C:P/I:P/A:N) Published 06/11/2024 Created 06/19/2024 Added 06/17/2024 Modified 01/07/2025 Description Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox &lt; 127, Firefox ESR &lt; 115.12, and Thunderbird &lt; 115.12. The Mozilla Foundation Security Advisory describes this flaw as: Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin policy. Solution(s) oracle-linux-upgrade-firefox oracle-linux-upgrade-firefox-x11 oracle-linux-upgrade-thunderbird References https://attackerkb.com/topics/cve-2024-5693 CVE - 2024-5693 ELSA-2024-4016 ELSA-2024-3954 ELSA-2024-3955 ELSA-2024-4036 ELSA-2024-3951 ELSA-2024-4002 View more

Oracle Linux: CVE-2024-5700: ELSA-2024-4016:thunderbird security update (IMPORTANT) (Multiple Advisories) Severity 8 CVSS (AV:N/AC:H/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 06/19/2024 Added 06/17/2024 Modified 01/07/2025 Description Memory safety bugs present in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox &lt; 127, Firefox ESR &lt; 115.12, and Thunderbird &lt; 115.12. The Mozilla Foundation Security Advisory describes this flaw as: Memory safety bugs present in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Solution(s) oracle-linux-upgrade-firefox oracle-linux-upgrade-firefox-x11 oracle-linux-upgrade-thunderbird References https://attackerkb.com/topics/cve-2024-5700 CVE - 2024-5700 ELSA-2024-4016 ELSA-2024-3954 ELSA-2024-3955 ELSA-2024-4036 ELSA-2024-3951 ELSA-2024-4002 View more

Gentoo Linux: CVE-2024-5846: QtWebEngine: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 01/25/2025 Added 01/24/2025 Modified 01/28/2025 Description Use after free in PDFium in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Medium) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine References https://attackerkb.com/topics/cve-2024-5846 CVE - 2024-5846 202501-09

Gentoo Linux: CVE-2024-5835: QtWebEngine: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 01/25/2025 Added 01/24/2025 Modified 01/28/2025 Description Heap buffer overflow in Tab Groups in Google Chrome prior to 126.0.6478.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine References https://attackerkb.com/topics/cve-2024-5835 CVE - 2024-5835 202501-09

Gentoo Linux: CVE-2024-5830: QtWebEngine: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 01/25/2025 Added 01/24/2025 Modified 01/28/2025 Description Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine References https://attackerkb.com/topics/cve-2024-5830 CVE - 2024-5830 202501-09

Gentoo Linux: CVE-2024-5695: Mozilla Firefox: Multiple Vulnerabilities Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 08/08/2024 Added 08/07/2024 Modified 01/28/2025 Description If an out-of-memory condition occurs at a specific point using allocations in the probabilistic heap checker, an assertion could have been triggered, and in rarer situations, memory corruption could have occurred. This vulnerability affects Firefox < 127. Solution(s) gentoo-linux-upgrade-www-client-firefox gentoo-linux-upgrade-www-client-firefox-bin References https://attackerkb.com/topics/cve-2024-5695 CVE - 2024-5695 202408-02

OS X update for Safari (CVE-2024-27844) Severity 5 CVSS (AV:L/AC:M/Au:N/C:N/I:C/A:N) Published 06/11/2024 Created 06/12/2024 Added 06/11/2024 Modified 01/30/2025 Description The issue was addressed with improved checks. This issue is fixed in visionOS 1.2, macOS Sonoma 14.5, Safari 17.5. A website's permission dialog may persist after navigation away from the site. Solution(s) apple-osx-upgrade-14_5 References https://attackerkb.com/topics/cve-2024-27844 CVE - 2024-27844 https://support.apple.com/en-us/120903

Gentoo Linux: CVE-2024-5834: QtWebEngine: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 01/25/2025 Added 01/24/2025 Modified 01/28/2025 Description Inappropriate implementation in Dawn in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) Solution(s) gentoo-linux-upgrade-dev-qt-qtwebengine References https://attackerkb.com/topics/cve-2024-5834 CVE - 2024-5834 202501-09

OS X update for StorageKit (CVE-2024-27848) Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 06/12/2024 Added 06/11/2024 Modified 01/28/2025 Description This issue was addressed with improved permissions checking. This issue is fixed in macOS Sonoma 14.5, iOS 17.5 and iPadOS 17.5. A malicious app may be able to gain root privileges. Solution(s) apple-osx-upgrade-14_5 References https://attackerkb.com/topics/cve-2024-27848 CVE - 2024-27848 https://support.apple.com/en-us/120903

OS X update for CoreMedia (CVE-2024-27831) Severity 7 CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 06/12/2024 Added 06/11/2024 Modified 01/28/2025 Description An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13.6.7, macOS Monterey 12.7.5, iOS 16.7.8 and iPadOS 16.7.8, tvOS 17.5, visionOS 1.2, iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5. Processing a file may lead to unexpected app termination or arbitrary code execution. Solution(s) apple-osx-upgrade-12_7_5 apple-osx-upgrade-13_6_7 apple-osx-upgrade-14_5 References https://attackerkb.com/topics/cve-2024-27831 CVE - 2024-27831 https://support.apple.com/en-us/120899 https://support.apple.com/en-us/120900 https://support.apple.com/en-us/120903

FreeBSD: VID-AA1C7AF9-570E-11EF-A43E-B42E991FC52E (CVE-2024-5690): mozilla firefox -- protocol information guessing Severity 4 CVSS (AV:N/AC:M/Au:N/C:P/I:N/A:N) Published 06/11/2024 Created 08/13/2024 Added 08/10/2024 Modified 01/28/2025 Description By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12. Solution(s) freebsd-upgrade-package-firefox References CVE-2024-5690

SUSE: CVE-2024-0092: SUSE Linux Security Advisory Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 06/11/2024 Created 06/13/2024 Added 06/12/2024 Modified 01/28/2025 Description NVIDIA GPU Driver for Windows and Linux contains a vulnerability where an improper check or improper handling of exception conditions might lead to denial of service. Solution(s) suse-upgrade-kernel-firmware-nvidia-gspx-g06 suse-upgrade-kernel-firmware-nvidia-gspx-g06-cuda suse-upgrade-nv-prefer-signed-open-driver suse-upgrade-nvidia-open-driver-g06-signed-64kb-devel suse-upgrade-nvidia-open-driver-g06-signed-azure-devel suse-upgrade-nvidia-open-driver-g06-signed-cuda-64kb-devel suse-upgrade-nvidia-open-driver-g06-signed-cuda-azure-devel suse-upgrade-nvidia-open-driver-g06-signed-cuda-default-devel suse-upgrade-nvidia-open-driver-g06-signed-cuda-kmp-64kb suse-upgrade-nvidia-open-driver-g06-signed-cuda-kmp-azure suse-upgrade-nvidia-open-driver-g06-signed-cuda-kmp-default suse-upgrade-nvidia-open-driver-g06-signed-default-devel suse-upgrade-nvidia-open-driver-g06-signed-kmp-64kb suse-upgrade-nvidia-open-driver-g06-signed-kmp-azure suse-upgrade-nvidia-open-driver-g06-signed-kmp-default References https://attackerkb.com/topics/cve-2024-0092 CVE - 2024-0092

Huawei EulerOS: CVE-2024-35235: cups security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/11/2024 Created 10/10/2024 Added 10/09/2024 Modified 10/09/2024 Description OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target. Given that cupsd is often running as root, this can result in the change of permission of any user or system files to be world writable. Given the aforementioned Ubuntu AppArmor context, on such systems this vulnerability is limited to those files modifiable by the cupsd process. In that specific case it was found to be possible to turn the configuration of the Listen argument into full control over the cupsd.conf and cups-files.conf configuration files. By later setting the User and Group arguments in cups-files.conf, and printing with a printer configured by PPD with a `FoomaticRIPCommandLine` argument, arbitrary user and group (not root) command execution could be achieved, which can further be used on Ubuntu systems to achieve full root command execution. Commit ff1f8a623e090dee8a8aadf12a6a4b25efac143d contains a patch for the issue. Solution(s) huawei-euleros-2_0_sp11-upgrade-cups-libs References https://attackerkb.com/topics/cve-2024-35235 CVE - 2024-35235 EulerOS-SA-2024-2574

FreeBSD: VID-453AA0FC-2D91-11EF-8A0F-A8A1599412C6 (CVE-2024-5836): chromium -- multiple security fixes Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/11/2024 Created 06/20/2024 Added 06/19/2024 Modified 01/28/2025 Description Inappropriate Implementation in DevTools in Google Chrome prior to 126.0.6478.54 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: High) Solution(s) freebsd-upgrade-package-chromium freebsd-upgrade-package-ungoogled-chromium References CVE-2024-5836

FreeBSD: VID-453AA0FC-2D91-11EF-8A0F-A8A1599412C6 (CVE-2024-5840): chromium -- multiple security fixes Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 06/11/2024 Created 06/20/2024 Added 06/19/2024 Modified 01/28/2025 Description Policy bypass in CORS in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium) Solution(s) freebsd-upgrade-package-chromium freebsd-upgrade-package-ungoogled-chromium References CVE-2024-5840

Alma Linux: CVE-2024-5702: Important: firefox security update (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/11/2024 Created 06/20/2024 Added 06/20/2024 Modified 09/19/2024 Description Memory corruption in the networking stack could have led to a potentially exploitable crash. This vulnerability affects Firefox < 125, Firefox ESR < 115.12, and Thunderbird < 115.12. Solution(s) alma-upgrade-firefox alma-upgrade-firefox-x11 alma-upgrade-thunderbird References https://attackerkb.com/topics/cve-2024-5702 CVE - 2024-5702 https://errata.almalinux.org/8/ALSA-2024-3954.html https://errata.almalinux.org/8/ALSA-2024-4036.html https://errata.almalinux.org/9/ALSA-2024-3955.html https://errata.almalinux.org/9/ALSA-2024-4002.html