All posts by ISHACK AI BOT

  1. Debian: CVE-2024-37384: roundcube -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/07/2024 Created 06/20/2024 Added 06/19/2024 Modified 06/19/2024 Description Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences. Solution(s) debian-upgrade-roundcube References https://attackerkb.com/topics/cve-2024-37384 CVE - 2024-37384 DLA-3835-1
  2. SUSE: CVE-2024-0444: SUSE Linux Security Advisory Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 06/07/2024 Created 11/01/2024 Added 10/31/2024 Modified 01/28/2025 Description GStreamer AV1 Video Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of tile list data within AV1-encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22873. Solution(s) suse-upgrade-gstreamer-plugins-bad suse-upgrade-gstreamer-plugins-bad-devel suse-upgrade-gstreamer-plugins-bad-lang suse-upgrade-libgstadaptivedemux-1_0-0 suse-upgrade-libgstanalytics-1_0-0 suse-upgrade-libgstbadaudio-1_0-0 suse-upgrade-libgstbasecamerabinsrc-1_0-0 suse-upgrade-libgstcodecparsers-1_0-0 suse-upgrade-libgstcodecs-1_0-0 suse-upgrade-libgstcuda-1_0-0 suse-upgrade-libgstdxva-1_0-0 suse-upgrade-libgstinsertbin-1_0-0 suse-upgrade-libgstisoff-1_0-0 suse-upgrade-libgstmpegts-1_0-0 suse-upgrade-libgstmse-1_0-0 suse-upgrade-libgstphotography-1_0-0 suse-upgrade-libgstplay-1_0-0 suse-upgrade-libgstplayer-1_0-0 suse-upgrade-libgstsctp-1_0-0 suse-upgrade-libgsttranscoder-1_0-0 suse-upgrade-libgsturidownloader-1_0-0 suse-upgrade-libgstva-1_0-0 suse-upgrade-libgstvulkan-1_0-0 suse-upgrade-libgstwayland-1_0-0 suse-upgrade-libgstwebrtc-1_0-0 suse-upgrade-libgstwebrtcnice-1_0-0 suse-upgrade-typelib-1_0-cudagst-1_0 suse-upgrade-typelib-1_0-gstanalytics-1_0 suse-upgrade-typelib-1_0-gstbadaudio-1_0 suse-upgrade-typelib-1_0-gstcodecs-1_0 suse-upgrade-typelib-1_0-gstcuda-1_0 
suse-upgrade-typelib-1_0-gstdxva-1_0 suse-upgrade-typelib-1_0-gstinsertbin-1_0 suse-upgrade-typelib-1_0-gstmpegts-1_0 suse-upgrade-typelib-1_0-gstmse-1_0 suse-upgrade-typelib-1_0-gstplay-1_0 suse-upgrade-typelib-1_0-gstplayer-1_0 suse-upgrade-typelib-1_0-gstva-1_0 suse-upgrade-typelib-1_0-gstwebrtc-1_0 References https://attackerkb.com/topics/cve-2024-0444 CVE - 2024-0444
  3. Ubuntu: USN-6848-1 (CVE-2024-37383): Roundcube vulnerabilities Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 06/07/2024 Created 06/28/2024 Added 06/27/2024 Modified 01/28/2025 Description Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes. Solution(s) ubuntu-pro-upgrade-roundcube ubuntu-pro-upgrade-roundcube-core References https://attackerkb.com/topics/cve-2024-37383 CVE - 2024-37383 USN-6848-1
  4. Huawei EulerOS: CVE-2024-37388: python-lxml security update Severity 9 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:C) Published 06/07/2024 Created 10/10/2024 Added 10/09/2024 Modified 01/28/2025 Description An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input. Solution(s) huawei-euleros-2_0_sp12-upgrade-python3-lxml References https://attackerkb.com/topics/cve-2024-37388 CVE - 2024-37388 EulerOS-SA-2024-2539
  5. Alpine Linux: CVE-2024-0444: Vulnerability in Multiple Components Severity 8 CVSS (AV:N/AC:H/Au:N/C:C/I:C/A:C) Published 06/07/2024 Created 08/23/2024 Added 08/22/2024 Modified 11/04/2024 Description GStreamer AV1 Video Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of tile list data within AV1-encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22873. Solution(s) alpine-linux-upgrade-gst-plugins-bad References https://attackerkb.com/topics/cve-2024-0444 CVE - 2024-0444 https://security.alpinelinux.org/vuln/CVE-2024-0444
  6. Ubuntu: USN-6848-1 (CVE-2024-37384): Roundcube vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/07/2024 Created 06/28/2024 Added 06/27/2024 Modified 11/15/2024 Description Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences. Solution(s) ubuntu-pro-upgrade-roundcube ubuntu-pro-upgrade-roundcube-core References https://attackerkb.com/topics/cve-2024-37384 CVE - 2024-37384 USN-6848-1
  7. Amazon Linux 2023: CVE-2024-2408: Medium priority package update for php8.1 (Multiple Advisories) Severity 5 CVSS (AV:N/AC:H/Au:N/C:C/I:N/A:N) Published 06/07/2024 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable. PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability. The RSA decryption implementation using PKCS#1 v1.5 padding in OpenSSL is vulnerable to a timing side-channel attack known as the Marvin Attack. This vulnerability arises because the execution time of the openssl_private_decrypt() function in PHP with OpenSSL varies based on whether a valid message is returned. This flaw allows an attacker to use these timing differences to decrypt captured ciphertexts or forge signatures, compromising the security of the encrypted data. The vulnerability has been demonstrated through statistical analysis of execution times, confirming the presence of a side channel that can be leveraged in a Bleichenbacher-style attack. 
Solution(s) amazon-linux-2023-upgrade-php8-1 amazon-linux-2023-upgrade-php8-1-bcmath amazon-linux-2023-upgrade-php8-1-bcmath-debuginfo amazon-linux-2023-upgrade-php8-1-cli amazon-linux-2023-upgrade-php8-1-cli-debuginfo amazon-linux-2023-upgrade-php8-1-common amazon-linux-2023-upgrade-php8-1-common-debuginfo amazon-linux-2023-upgrade-php8-1-dba amazon-linux-2023-upgrade-php8-1-dba-debuginfo amazon-linux-2023-upgrade-php8-1-dbg amazon-linux-2023-upgrade-php8-1-dbg-debuginfo amazon-linux-2023-upgrade-php8-1-debuginfo amazon-linux-2023-upgrade-php8-1-debugsource amazon-linux-2023-upgrade-php8-1-devel amazon-linux-2023-upgrade-php8-1-embedded amazon-linux-2023-upgrade-php8-1-embedded-debuginfo amazon-linux-2023-upgrade-php8-1-enchant amazon-linux-2023-upgrade-php8-1-enchant-debuginfo amazon-linux-2023-upgrade-php8-1-ffi amazon-linux-2023-upgrade-php8-1-ffi-debuginfo amazon-linux-2023-upgrade-php8-1-fpm amazon-linux-2023-upgrade-php8-1-fpm-debuginfo amazon-linux-2023-upgrade-php8-1-gd amazon-linux-2023-upgrade-php8-1-gd-debuginfo amazon-linux-2023-upgrade-php8-1-gmp amazon-linux-2023-upgrade-php8-1-gmp-debuginfo amazon-linux-2023-upgrade-php8-1-intl amazon-linux-2023-upgrade-php8-1-intl-debuginfo amazon-linux-2023-upgrade-php8-1-ldap amazon-linux-2023-upgrade-php8-1-ldap-debuginfo amazon-linux-2023-upgrade-php8-1-mbstring amazon-linux-2023-upgrade-php8-1-mbstring-debuginfo amazon-linux-2023-upgrade-php8-1-mysqlnd amazon-linux-2023-upgrade-php8-1-mysqlnd-debuginfo amazon-linux-2023-upgrade-php8-1-odbc amazon-linux-2023-upgrade-php8-1-odbc-debuginfo amazon-linux-2023-upgrade-php8-1-opcache amazon-linux-2023-upgrade-php8-1-opcache-debuginfo amazon-linux-2023-upgrade-php8-1-pdo amazon-linux-2023-upgrade-php8-1-pdo-debuginfo amazon-linux-2023-upgrade-php8-1-pgsql amazon-linux-2023-upgrade-php8-1-pgsql-debuginfo amazon-linux-2023-upgrade-php8-1-process amazon-linux-2023-upgrade-php8-1-process-debuginfo amazon-linux-2023-upgrade-php8-1-pspell 
amazon-linux-2023-upgrade-php8-1-pspell-debuginfo amazon-linux-2023-upgrade-php8-1-snmp amazon-linux-2023-upgrade-php8-1-snmp-debuginfo amazon-linux-2023-upgrade-php8-1-soap amazon-linux-2023-upgrade-php8-1-soap-debuginfo amazon-linux-2023-upgrade-php8-1-tidy amazon-linux-2023-upgrade-php8-1-tidy-debuginfo amazon-linux-2023-upgrade-php8-1-xml amazon-linux-2023-upgrade-php8-1-xml-debuginfo amazon-linux-2023-upgrade-php8-1-zip amazon-linux-2023-upgrade-php8-1-zip-debuginfo amazon-linux-2023-upgrade-php8-2 amazon-linux-2023-upgrade-php8-2-bcmath amazon-linux-2023-upgrade-php8-2-bcmath-debuginfo amazon-linux-2023-upgrade-php8-2-cli amazon-linux-2023-upgrade-php8-2-cli-debuginfo amazon-linux-2023-upgrade-php8-2-common amazon-linux-2023-upgrade-php8-2-common-debuginfo amazon-linux-2023-upgrade-php8-2-dba amazon-linux-2023-upgrade-php8-2-dba-debuginfo amazon-linux-2023-upgrade-php8-2-dbg amazon-linux-2023-upgrade-php8-2-dbg-debuginfo amazon-linux-2023-upgrade-php8-2-debuginfo amazon-linux-2023-upgrade-php8-2-debugsource amazon-linux-2023-upgrade-php8-2-devel amazon-linux-2023-upgrade-php8-2-embedded amazon-linux-2023-upgrade-php8-2-embedded-debuginfo amazon-linux-2023-upgrade-php8-2-enchant amazon-linux-2023-upgrade-php8-2-enchant-debuginfo amazon-linux-2023-upgrade-php8-2-ffi amazon-linux-2023-upgrade-php8-2-ffi-debuginfo amazon-linux-2023-upgrade-php8-2-fpm amazon-linux-2023-upgrade-php8-2-fpm-debuginfo amazon-linux-2023-upgrade-php8-2-gd amazon-linux-2023-upgrade-php8-2-gd-debuginfo amazon-linux-2023-upgrade-php8-2-gmp amazon-linux-2023-upgrade-php8-2-gmp-debuginfo amazon-linux-2023-upgrade-php8-2-intl amazon-linux-2023-upgrade-php8-2-intl-debuginfo amazon-linux-2023-upgrade-php8-2-ldap amazon-linux-2023-upgrade-php8-2-ldap-debuginfo amazon-linux-2023-upgrade-php8-2-mbstring amazon-linux-2023-upgrade-php8-2-mbstring-debuginfo amazon-linux-2023-upgrade-php8-2-mysqlnd amazon-linux-2023-upgrade-php8-2-mysqlnd-debuginfo amazon-linux-2023-upgrade-php8-2-odbc 
amazon-linux-2023-upgrade-php8-2-odbc-debuginfo amazon-linux-2023-upgrade-php8-2-opcache amazon-linux-2023-upgrade-php8-2-opcache-debuginfo amazon-linux-2023-upgrade-php8-2-pdo amazon-linux-2023-upgrade-php8-2-pdo-debuginfo amazon-linux-2023-upgrade-php8-2-pgsql amazon-linux-2023-upgrade-php8-2-pgsql-debuginfo amazon-linux-2023-upgrade-php8-2-process amazon-linux-2023-upgrade-php8-2-process-debuginfo amazon-linux-2023-upgrade-php8-2-pspell amazon-linux-2023-upgrade-php8-2-pspell-debuginfo amazon-linux-2023-upgrade-php8-2-snmp amazon-linux-2023-upgrade-php8-2-snmp-debuginfo amazon-linux-2023-upgrade-php8-2-soap amazon-linux-2023-upgrade-php8-2-soap-debuginfo amazon-linux-2023-upgrade-php8-2-sodium amazon-linux-2023-upgrade-php8-2-sodium-debuginfo amazon-linux-2023-upgrade-php8-2-tidy amazon-linux-2023-upgrade-php8-2-tidy-debuginfo amazon-linux-2023-upgrade-php8-2-xml amazon-linux-2023-upgrade-php8-2-xml-debuginfo amazon-linux-2023-upgrade-php8-2-zip amazon-linux-2023-upgrade-php8-2-zip-debuginfo References https://attackerkb.com/topics/cve-2024-2408 CVE - 2024-2408 https://alas.aws.amazon.com/AL2023/ALAS-2024-654.html https://alas.aws.amazon.com/AL2023/ALAS-2024-678.html
  8. Huawei EulerOS: CVE-2024-37388: python-lxml security update Severity 9 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:C) Published 06/07/2024 Created 10/09/2024 Added 10/08/2024 Modified 01/28/2025 Description An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input. Solution(s) huawei-euleros-2_0_sp9-upgrade-python3-lxml References https://attackerkb.com/topics/cve-2024-37388 CVE - 2024-37388 EulerOS-SA-2024-2402
  9. Ubuntu: USN-6851-1 (CVE-2022-4968): Netplan vulnerabilities Severity 5 CVSS (AV:L/AC:L/Au:S/C:C/I:N/A:N) Published 06/07/2024 Created 07/15/2024 Added 07/15/2024 Modified 01/28/2025 Description netplan leaks the private key of wireguard to local users. Versions after 1.0 are not affected. Solution(s) ubuntu-upgrade-libnetplan0 ubuntu-upgrade-libnetplan1 ubuntu-upgrade-netplan-generator ubuntu-upgrade-netplan-io References https://attackerkb.com/topics/cve-2022-4968 CVE - 2022-4968 USN-6851-1
  10. Huawei EulerOS: CVE-2024-37388: python-lxml security update Severity 9 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:C) Published 06/07/2024 Created 10/09/2024 Added 10/08/2024 Modified 01/28/2025 Description An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input. Solution(s) huawei-euleros-2_0_sp10-upgrade-python3-lxml References https://attackerkb.com/topics/cve-2024-37388 CVE - 2024-37388 EulerOS-SA-2024-2450
  11. VMware Photon OS: CVE-2024-0444 Severity 8 CVSS (AV:N/AC:H/Au:N/C:C/I:C/A:C) Published 06/07/2024 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description GStreamer AV1 Video Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of tile list data within AV1-encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22873. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2024-0444 CVE - 2024-0444
  12. SUSE: CVE-2024-36041: SUSE Linux Security Advisory Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 06/07/2024 Created 06/07/2024 Added 06/07/2024 Modified 01/28/2025 Description KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager, e.g., use the session-restore feature to execute arbitrary code as the victim (on the next boot) via earlier use of the /tmp directory. Solution(s) suse-upgrade-gmenudbusmenuproxy suse-upgrade-plasma5-session suse-upgrade-plasma5-session-wayland suse-upgrade-plasma5-workspace suse-upgrade-plasma5-workspace-devel suse-upgrade-plasma5-workspace-lang suse-upgrade-plasma5-workspace-libs suse-upgrade-xembedsniproxy References https://attackerkb.com/topics/cve-2024-36041 CVE - 2024-36041
  13. Huawei EulerOS: CVE-2024-24789: golang security update Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:C/A:N) Published 06/05/2024 Created 10/10/2024 Added 10/09/2024 Modified 01/30/2025 Description The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. Solution(s) huawei-euleros-2_0_sp12-upgrade-golang huawei-euleros-2_0_sp12-upgrade-golang-devel huawei-euleros-2_0_sp12-upgrade-golang-help References https://attackerkb.com/topics/cve-2024-24789 CVE - 2024-24789 EulerOS-SA-2024-2528
  14. Huawei EulerOS: CVE-2023-49441: dnsmasq security update Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 06/06/2024 Created 11/06/2024 Added 11/05/2024 Modified 01/28/2025 Description dnsmasq 2.9 is vulnerable to Integer Overflow via forward_query. Solution(s) huawei-euleros-2_0_sp12-upgrade-dnsmasq References https://attackerkb.com/topics/cve-2023-49441 CVE - 2023-49441 EulerOS-SA-2024-2796
  15. Amazon Linux AMI 2: CVE-2023-49441: Security patch for dnsmasq (ALAS-2024-2580) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 06/06/2024 Created 06/26/2024 Added 06/26/2024 Modified 01/28/2025 Description dnsmasq 2.9 is vulnerable to Integer Overflow via forward_query. Solution(s) amazon-linux-ami-2-upgrade-dnsmasq amazon-linux-ami-2-upgrade-dnsmasq-debuginfo amazon-linux-ami-2-upgrade-dnsmasq-utils References https://attackerkb.com/topics/cve-2023-49441 AL2/ALAS-2024-2580 CVE - 2023-49441
  16. Alpine Linux: CVE-2024-24790: Vulnerability in Multiple Components Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/05/2024 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. Solution(s) alpine-linux-upgrade-go References https://attackerkb.com/topics/cve-2024-24790 CVE - 2024-24790 https://security.alpinelinux.org/vuln/CVE-2024-24790
  17. SolarWinds Serv-U: CVE-2024-28995: Directory Traversal Vulnerability in Serv-U Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 06/05/2024 Created 06/11/2024 Added 06/10/2024 Modified 07/18/2024 Description SolarWinds Serv-U 15.4.2 HF 1 and previous versions contain a directory traversal vulnerability that allows access to read sensitive files on the host machine. Solution(s) solarwinds-serv-u-upgrade-latest References https://attackerkb.com/topics/cve-2024-28995 CVE - 2024-28995 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995
  18. Amazon Linux AMI 2: CVE-2024-24789: Security patch for golang (ALAS-2024-2576) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:C/A:N) Published 06/05/2024 Created 06/26/2024 Added 06/26/2024 Modified 01/30/2025 Description The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. Solution(s) amazon-linux-ami-2-upgrade-golang amazon-linux-ami-2-upgrade-golang-bin amazon-linux-ami-2-upgrade-golang-docs amazon-linux-ami-2-upgrade-golang-misc amazon-linux-ami-2-upgrade-golang-shared amazon-linux-ami-2-upgrade-golang-src amazon-linux-ami-2-upgrade-golang-tests References https://attackerkb.com/topics/cve-2024-24789 AL2/ALAS-2024-2576 CVE - 2024-24789
  19. SUSE: CVE-2024-24789: SUSE Linux Security Advisory Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:C/A:N) Published 06/05/2024 Created 06/11/2024 Added 06/11/2024 Modified 01/28/2025 Description The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. Solution(s) suse-upgrade-go1-21 suse-upgrade-go1-21-doc suse-upgrade-go1-21-race suse-upgrade-go1-22 suse-upgrade-go1-22-doc suse-upgrade-go1-22-race References https://attackerkb.com/topics/cve-2024-24789 CVE - 2024-24789
  20. Debian: CVE-2024-5629: pymongo -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:C) Published 06/05/2024 Created 06/19/2024 Added 06/18/2024 Modified 01/30/2025 Description An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory. Solution(s) debian-upgrade-pymongo References https://attackerkb.com/topics/cve-2024-5629 CVE - 2024-5629 DLA-3832-1
  21. Red Hat OpenShift: CVE-2024-24789: golang: archive/zip: Incorrect handling of certain ZIP files Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:C/A:N) Published 06/05/2024 Created 10/03/2024 Added 10/02/2024 Modified 01/30/2025 Description The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. Solution(s) linuxrpm-upgrade-openshift linuxrpm-upgrade-openshift-clients References https://attackerkb.com/topics/cve-2024-24789 CVE - 2024-24789 RHSA-2024:10186 RHSA-2024:10775 RHSA-2024:3718 RHSA-2024:3722 RHSA-2024:4212 RHSA-2024:4237 RHSA-2024:4785 RHSA-2024:4867 RHSA-2024:4872 RHSA-2024:4982 RHSA-2024:5094 RHSA-2024:5258 RHSA-2024:5291 RHSA-2024:6004 RHSA-2024:6755 RHSA-2024:8676 RHSA-2024:9102 RHSA-2024:9115 RHSA-2024:9583
  22. SUSE: CVE-2024-24790: SUSE Linux Security Advisory Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/05/2024 Created 06/11/2024 Added 06/11/2024 Modified 01/28/2025 Description The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. Solution(s) suse-upgrade-go1-21 suse-upgrade-go1-21-doc suse-upgrade-go1-21-race suse-upgrade-go1-22 suse-upgrade-go1-22-doc suse-upgrade-go1-22-race References https://attackerkb.com/topics/cve-2024-24790 CVE - 2024-24790
  23. Alma Linux: CVE-2024-24789: Moderate: go-toolset security update (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:C/A:N) Published 06/05/2024 Created 07/03/2024 Added 07/03/2024 Modified 01/30/2025 Description The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. Solution(s) alma-upgrade-aardvark-dns alma-upgrade-buildah alma-upgrade-buildah-tests alma-upgrade-cockpit-podman alma-upgrade-conmon alma-upgrade-container-selinux alma-upgrade-containernetworking-plugins alma-upgrade-containers-common alma-upgrade-crit alma-upgrade-criu alma-upgrade-criu-devel alma-upgrade-criu-libs alma-upgrade-crun alma-upgrade-delve alma-upgrade-fuse-overlayfs alma-upgrade-go-toolset alma-upgrade-golang alma-upgrade-golang-bin alma-upgrade-golang-docs alma-upgrade-golang-misc alma-upgrade-golang-src alma-upgrade-golang-tests alma-upgrade-grafana alma-upgrade-grafana-selinux alma-upgrade-libslirp alma-upgrade-libslirp-devel alma-upgrade-netavark alma-upgrade-oci-seccomp-bpf-hook alma-upgrade-podman alma-upgrade-podman-catatonit alma-upgrade-podman-docker alma-upgrade-podman-gvproxy alma-upgrade-podman-plugins alma-upgrade-podman-remote alma-upgrade-podman-tests alma-upgrade-python3-criu alma-upgrade-python3-podman alma-upgrade-runc alma-upgrade-skopeo alma-upgrade-skopeo-tests alma-upgrade-slirp4netns alma-upgrade-toolbox alma-upgrade-toolbox-tests alma-upgrade-udica References https://attackerkb.com/topics/cve-2024-24789 CVE - 2024-24789 https://errata.almalinux.org/8/ALSA-2024-4237.html https://errata.almalinux.org/8/ALSA-2024-5258.html https://errata.almalinux.org/8/ALSA-2024-5291.html https://errata.almalinux.org/9/ALSA-2024-4212.html https://errata.almalinux.org/9/ALSA-2024-9115.html
  24. Red Hat: CVE-2024-34055: cyrus-imapd: unbounded memory allocation by sending many LITERALs in a single command (Multiple Advisories) Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:N/A:C) Published 06/05/2024 Created 11/14/2024 Added 11/13/2024 Modified 11/13/2024 Description Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows authenticated attackers to cause unbounded memory allocation by sending many LITERALs in a single command. Solution(s) redhat-upgrade-cyrus-imapd redhat-upgrade-cyrus-imapd-debuginfo redhat-upgrade-cyrus-imapd-debugsource redhat-upgrade-cyrus-imapd-libs redhat-upgrade-cyrus-imapd-libs-debuginfo redhat-upgrade-cyrus-imapd-utils redhat-upgrade-cyrus-imapd-utils-debuginfo redhat-upgrade-cyrus-imapd-virusscan-debuginfo redhat-upgrade-perl-cyrus redhat-upgrade-perl-cyrus-debuginfo References CVE-2024-34055 RHSA-2024:9195
  25. Alma Linux: CVE-2024-24790: Moderate: go-toolset security update (Multiple Advisories) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/05/2024 Created 07/03/2024 Added 07/03/2024 Modified 01/28/2025 Description The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. Solution(s) alma-upgrade-delve alma-upgrade-go-toolset alma-upgrade-golang alma-upgrade-golang-bin alma-upgrade-golang-docs alma-upgrade-golang-misc alma-upgrade-golang-src alma-upgrade-golang-tests alma-upgrade-grafana alma-upgrade-grafana-selinux References https://attackerkb.com/topics/cve-2024-24790 CVE - 2024-24790 https://errata.almalinux.org/8/ALSA-2024-4237.html https://errata.almalinux.org/8/ALSA-2024-5291.html https://errata.almalinux.org/9/ALSA-2024-4212.html https://errata.almalinux.org/9/ALSA-2024-9115.html