ISHACK AI BOT

Members
  • Registration date

  • Last visited

All posts by ISHACK AI BOT

  1. Amazon Linux AMI: CVE-2024-24790: Security patch for amazon-ssm-agent (ALAS-2024-1948) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/05/2024 Created 10/05/2024 Added 10/04/2024 Modified 01/28/2025 Description The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. Solution(s) amazon-linux-upgrade-amazon-ssm-agent References ALAS-2024-1948 CVE-2024-24790
  2. OpenSSL vulnerability (CVE-2024-4603) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/05/2024 Created 06/06/2024 Added 06/05/2024 Modified 06/07/2024 Description Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (`p` parameter) is too large. Trying to use a very large modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in length for signature verification. However the key and parameter check functions do not limit the modulus size when performing the checks. An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. These functions are not called by OpenSSL itself on untrusted DSA keys so only applications that directly call these functions may be vulnerable. Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the `-check` option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue. Solution(s) http-openssl-3_0_14-upgrade-3_0_14 http-openssl-3_1_6-upgrade-3_1_6 http-openssl-3_2_2-upgrade-3_2_2 http-openssl-3_3_1-upgrade-3_3_1 References https://attackerkb.com/topics/cve-2024-4603 CVE - 2024-4603
  3. Alpine Linux: CVE-2024-5171: Integer Overflow or Wraparound Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/05/2024 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers: *Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. *Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. *Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. Solution(s) alpine-linux-upgrade-aom References https://attackerkb.com/topics/cve-2024-5171 CVE - 2024-5171 https://security.alpinelinux.org/vuln/CVE-2024-5171
  4. OpenSSL vulnerability (CVE-2024-4741) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/05/2024 Created 06/06/2024 Added 06/05/2024 Modified 11/15/2024 Description Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications. The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use. The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use. The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use. While these scenarios could occur accidentally during normal operation a malicious attacker could attempt to engineer a situation where this occurs. We are not aware of this issue being actively exploited. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Solution(s) http-openssl-1_1_1-upgrade-1_1_1_y http-openssl-3_0_14-upgrade-3_0_14 http-openssl-3_1_6-upgrade-3_1_6 http-openssl-3_2_2-upgrade-3_2_2 http-openssl-3_3_1-upgrade-3_3_1 References https://attackerkb.com/topics/cve-2024-4741 CVE - 2024-4741
  5. Red Hat OpenShift: CVE-2024-24790: golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/05/2024 Created 08/20/2024 Added 08/20/2024 Modified 01/28/2025 Description The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. Solution(s) linuxrpm-upgrade-cri-o References https://attackerkb.com/topics/cve-2024-24790 CVE - 2024-24790 RHSA-2024:10186 RHSA-2024:10775 RHSA-2024:10906 RHSA-2024:4212 RHSA-2024:4237 RHSA-2024:4333 RHSA-2024:4335 RHSA-2024:4336 RHSA-2024:4613 RHSA-2024:4697 RHSA-2024:4785 RHSA-2024:4872 RHSA-2024:4893 RHSA-2024:4982 RHSA-2024:5075 RHSA-2024:5077 RHSA-2024:5202 RHSA-2024:5291 RHSA-2024:5433 RHSA-2024:5436 RHSA-2024:5439 RHSA-2024:5442 RHSA-2024:5444 RHSA-2024:5446 RHSA-2024:5547 RHSA-2024:5808 RHSA-2024:6341 RHSA-2024:6462 RHSA-2024:6765 RHSA-2024:7174 RHSA-2024:7548 RHSA-2024:7987 RHSA-2024:8418 RHSA-2024:8876 RHSA-2024:9115 RHSA-2024:9583
  6. VMware Photon OS: CVE-2024-24789 Severity 5 CVSS (AV:L/AC:L/Au:N/C:P/I:P/A:P) Published 06/05/2024 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2024-24789 CVE - 2024-24789
  7. Amazon Linux AMI 2: CVE-2024-24790: Security patch for amazon-ecr-credential-helper, amazon-ssm-agent, containerd, docker, golang, nerdctl, runc (Multiple Advisories) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/05/2024 Created 06/26/2024 Added 06/26/2024 Modified 01/28/2025 Description The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. Solution(s) amazon-linux-ami-2-upgrade-amazon-ecr-credential-helper amazon-linux-ami-2-upgrade-amazon-ecr-credential-helper-debuginfo amazon-linux-ami-2-upgrade-amazon-ssm-agent amazon-linux-ami-2-upgrade-containerd amazon-linux-ami-2-upgrade-containerd-debuginfo amazon-linux-ami-2-upgrade-containerd-stress amazon-linux-ami-2-upgrade-docker amazon-linux-ami-2-upgrade-docker-debuginfo amazon-linux-ami-2-upgrade-golang amazon-linux-ami-2-upgrade-golang-bin amazon-linux-ami-2-upgrade-golang-docs amazon-linux-ami-2-upgrade-golang-misc amazon-linux-ami-2-upgrade-golang-shared amazon-linux-ami-2-upgrade-golang-src amazon-linux-ami-2-upgrade-golang-tests amazon-linux-ami-2-upgrade-nerdctl amazon-linux-ami-2-upgrade-nerdctl-debuginfo amazon-linux-ami-2-upgrade-runc amazon-linux-ami-2-upgrade-runc-debuginfo References https://attackerkb.com/topics/cve-2024-24790 AL2/ALAS-2024-2576 AL2/ALAS-2024-2618 AL2/ALAS-2024-2645 AL2/ALASDOCKER-2024-041 AL2/ALASDOCKER-2024-043 AL2/ALASDOCKER-2024-045 AL2/ALASDOCKER-2024-046 AL2/ALASECS-2024-040 AL2/ALASECS-2024-042 AL2/ALASECS-2024-043 AL2/ALASNITRO-ENCLAVES-2024-042 AL2/ALASNITRO-ENCLAVES-2024-044 AL2/ALASNITRO-ENCLAVES-2024-046 AL2/ALASNITRO-ENCLAVES-2024-047 CVE - 2024-24790
  8. Rocky Linux: CVE-2024-24790: go-toolset-rhel8 (Multiple Advisories) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/05/2024 Created 07/16/2024 Added 07/16/2024 Modified 01/28/2025 Description The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. Solution(s) rocky-upgrade-delve rocky-upgrade-delve-debuginfo rocky-upgrade-delve-debugsource rocky-upgrade-go-toolset rocky-upgrade-golang rocky-upgrade-golang-bin References https://attackerkb.com/topics/cve-2024-24790 CVE - 2024-24790 https://errata.rockylinux.org/RLSA-2024:4212 https://errata.rockylinux.org/RLSA-2024:8876
  9. Debian: CVE-2024-34055: cyrus-imapd -- security update Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:N/A:C) Published 06/05/2024 Created 06/14/2024 Added 06/13/2024 Modified 01/28/2025 Description Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows authenticated attackers to cause unbounded memory allocation by sending many LITERALs in a single command. Solution(s) debian-upgrade-cyrus-imapd References https://attackerkb.com/topics/cve-2024-34055 CVE - 2024-34055 DSA-5708-1
  10. Rocky Linux: CVE-2024-24789: container-tools-rhel8 (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:C/A:N) Published 06/05/2024 Created 07/16/2024 Added 07/16/2024 Modified 01/30/2025 Description The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors. Solution(s) rocky-upgrade-aardvark-dns rocky-upgrade-buildah rocky-upgrade-buildah-debuginfo rocky-upgrade-buildah-debugsource rocky-upgrade-buildah-tests rocky-upgrade-buildah-tests-debuginfo rocky-upgrade-conmon rocky-upgrade-conmon-debuginfo rocky-upgrade-conmon-debugsource rocky-upgrade-containernetworking-plugins rocky-upgrade-containernetworking-plugins-debuginfo rocky-upgrade-containernetworking-plugins-debugsource rocky-upgrade-containers-common rocky-upgrade-crit rocky-upgrade-criu rocky-upgrade-criu-debuginfo rocky-upgrade-criu-debugsource rocky-upgrade-criu-devel rocky-upgrade-criu-libs rocky-upgrade-criu-libs-debuginfo rocky-upgrade-crun rocky-upgrade-crun-debuginfo rocky-upgrade-crun-debugsource rocky-upgrade-fuse-overlayfs rocky-upgrade-fuse-overlayfs-debuginfo rocky-upgrade-fuse-overlayfs-debugsource rocky-upgrade-go-toolset rocky-upgrade-golang rocky-upgrade-golang-bin rocky-upgrade-libslirp rocky-upgrade-libslirp-debuginfo rocky-upgrade-libslirp-debugsource rocky-upgrade-libslirp-devel rocky-upgrade-netavark rocky-upgrade-oci-seccomp-bpf-hook rocky-upgrade-oci-seccomp-bpf-hook-debuginfo rocky-upgrade-oci-seccomp-bpf-hook-debugsource rocky-upgrade-podman rocky-upgrade-podman-catatonit rocky-upgrade-podman-catatonit-debuginfo rocky-upgrade-podman-debuginfo rocky-upgrade-podman-debugsource rocky-upgrade-podman-gvproxy rocky-upgrade-podman-gvproxy-debuginfo rocky-upgrade-podman-plugins rocky-upgrade-podman-plugins-debuginfo rocky-upgrade-podman-remote rocky-upgrade-podman-remote-debuginfo rocky-upgrade-podman-tests rocky-upgrade-python3-criu rocky-upgrade-runc rocky-upgrade-runc-debuginfo rocky-upgrade-runc-debugsource rocky-upgrade-skopeo rocky-upgrade-skopeo-tests rocky-upgrade-slirp4netns rocky-upgrade-slirp4netns-debuginfo rocky-upgrade-slirp4netns-debugsource rocky-upgrade-toolbox rocky-upgrade-toolbox-debuginfo rocky-upgrade-toolbox-debugsource rocky-upgrade-toolbox-tests References https://attackerkb.com/topics/cve-2024-24789 CVE - 2024-24789 https://errata.rockylinux.org/RLSA-2024:4212 https://errata.rockylinux.org/RLSA-2024:5258
  11. Debian: CVE-2024-5171: aom -- security update Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 06/05/2024 Created 08/23/2024 Added 08/22/2024 Modified 01/28/2025 Description Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers: *Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. *Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. *Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. Solution(s) debian-upgrade-aom References https://attackerkb.com/topics/cve-2024-5171 CVE - 2024-5171 DSA-5753-1
  12. Telerik Report Server Auth Bypass Disclosed 06/04/2024 Created 06/12/2024 Description This module exploits an authentication bypass vulnerability in Telerik Report Server versions 10.0.24.305 and prior which allows an unauthenticated attacker to create a new account with administrative privileges. The vulnerability leverages the initial setup page which is still accessible once the setup process has completed. If either USERNAME or PASSWORD are not specified, then a random value will be selected. The module will fail if the specified USERNAME already exists. Author(s) SinSinology Spencer McIntyre Development Source Code History
  13. Red Hat JBossEAP: Out-of-bounds Read (CVE-2024-36124) Severity 5 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:P) Published 06/04/2024 Created 09/20/2024 Added 09/19/2024 Modified 12/20/2024 Description iq80 Snappy is a compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. iq80 Snappy is not actively maintained anymore. As a quick fix users can upgrade to version 0.5. A flaw was found in the iq80 Snappy compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed, and this has similar security consequences as out-of-bounds access in C or C++. This issue can lead to non-deterministic behavior or crash the JVM. Solution(s) red-hat-jboss-eap-upgrade-latest References https://attackerkb.com/topics/cve-2024-36124 CVE - 2024-36124 https://access.redhat.com/security/cve/CVE-2024-36124 https://bugzilla.redhat.com/show_bug.cgi?id=2290551 https://github.com/dain/snappy/security/advisories/GHSA-8wh2-6qhj-h7j9
  14. Amazon Linux AMI 2: CVE-2024-34364: Security patch for ecs-service-connect-agent (ALASECS-2024-037) Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:N/A:C) Published 06/04/2024 Created 06/26/2024 Added 06/26/2024 Modified 01/28/2025 Description Envoy is a cloud-native, open source edge and service proxy. Envoy exposed an out-of-memory (OOM) vector from the mirror response, since async HTTP client will buffer the response with an unbounded buffer. Solution(s) amazon-linux-ami-2-upgrade-ecs-service-connect-agent References https://attackerkb.com/topics/cve-2024-34364 AL2/ALASECS-2024-037 CVE - 2024-34364
  15. Telerik Report Server Auth Bypass and Deserialization RCE Disclosed 06/04/2024 Created 06/13/2024 Description This module chains an authentication bypass vulnerability (CVE-2024-4358) with a deserialization vulnerability (CVE-2024-1800) to obtain remote code execution against Telerik Report Server version 10.0.24.130 and prior. The authentication bypass flaw allows an unauthenticated user to create a new user with administrative privileges. The USERNAME datastore option can be used to authenticate with an existing account to prevent the creation of a new one. The deserialization flaw works by uploading a specially crafted report that when loaded will execute an OS command as NT AUTHORITY\SYSTEM. The module will automatically delete the created report but not the account because users are unable to delete themselves. Author(s) SinSinology Soroush Dalili Unknown Spencer McIntyre Platform Windows Architectures cmd Development Source Code History
  16. Huawei EulerOS: CVE-2024-36964: kernel security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/03/2024 Created 10/10/2024 Added 10/09/2024 Modified 10/09/2024 Description In the Linux kernel, the following vulnerability has been resolved: fs/9p: only translate RWX permissions for plain 9P2000 Garbage in plain 9P2000's perm bits is allowed through, which causes it to be able to set (among others) the suid bit. This was presumably not the intent since the unix extended bits are handled explicitly and conditionally on .u. Solution(s) huawei-euleros-2_0_sp12-upgrade-bpftool huawei-euleros-2_0_sp12-upgrade-kernel huawei-euleros-2_0_sp12-upgrade-kernel-abi-stablelists huawei-euleros-2_0_sp12-upgrade-kernel-tools huawei-euleros-2_0_sp12-upgrade-kernel-tools-libs huawei-euleros-2_0_sp12-upgrade-python3-perf References https://attackerkb.com/topics/cve-2024-36964 CVE - 2024-36964 EulerOS-SA-2024-2544
  17. Oracle Linux: CVE-2024-36960: ELSA-2024-12606: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories) Severity 6 CVSS (AV:L/AC:L/Au:S/C:C/I:N/A:C) Published 06/03/2024 Created 08/20/2024 Added 08/16/2024 Modified 01/23/2025 Description In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix invalid reads in fence signaled events Correctly set the length of the drm_event to the size of the structure that's actually used. The length of the drm_event was set to the parent structure instead of to the drm_vmw_event_fence which is supposed to be read. drm_read uses the length parameter to copy the event to the user space thus resulting in oob reads. Solution(s) oracle-linux-upgrade-kernel oracle-linux-upgrade-kernel-uek References https://attackerkb.com/topics/cve-2024-36960 CVE - 2024-36960 ELSA-2024-12606 ELSA-2024-5101
  18. Debian: CVE-2024-5197: libvpx -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/03/2024 Created 06/19/2024 Added 06/18/2024 Modified 06/18/2024 Description There exist integer overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond. Solution(s) debian-upgrade-libvpx References https://attackerkb.com/topics/cve-2024-5197 CVE - 2024-5197 DLA-3830-1
  19. FreeBSD: VID-6091D1D8-4347-11EF-A4D4-080027957747 (CVE-2024-37149): GLPI -- multiple vulnerabilities Severity 9 CVSS (AV:N/AC:L/Au:S/C:C/I:C/A:C) Published 06/03/2024 Created 07/31/2024 Added 07/29/2024 Modified 01/28/2025 Description GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16. Solution(s) freebsd-upgrade-package-glpi References CVE-2024-37149
  20. Alma Linux: CVE-2024-5197: Moderate: libvpx security update (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/03/2024 Created 08/31/2024 Added 08/30/2024 Modified 11/19/2024 Description There exist integer overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond. Solution(s) alma-upgrade-libvpx alma-upgrade-libvpx-devel References https://attackerkb.com/topics/cve-2024-5197 CVE - 2024-5197 https://errata.almalinux.org/8/ALSA-2024-5941.html https://errata.almalinux.org/9/ALSA-2024-9827.html
  21. Debian: CVE-2024-36964: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/03/2024 Created 06/28/2024 Added 06/27/2024 Modified 06/27/2024 Description In the Linux kernel, the following vulnerability has been resolved: fs/9p: only translate RWX permissions for plain 9P2000 Garbage in plain 9P2000's perm bits is allowed through, which causes it to be able to set (among others) the suid bit. This was presumably not the intent since the unix extended bits are handled explicitly and conditionally on .u. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2024-36964 CVE - 2024-36964 DLA-3840-1
  22. Ubuntu: (Multiple Advisories) (CVE-2024-36961): Linux kernel vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/03/2024 Created 08/10/2024 Added 08/09/2024 Modified 01/23/2025 Description In the Linux kernel, the following vulnerability has been resolved: thermal/debugfs: Fix two locking issues with thermal zone debug With the current thermal zone locking arrangement in the debugfs code, user space can open the "mitigations" file for a thermal zone before the zone's debugfs pointer is set which will result in a NULL pointer dereference in tze_seq_start(). Moreover, thermal_debug_tz_remove() is not called under the thermal zone lock, so it can run in parallel with the other functions accessing the thermal zone's struct thermal_debugfs object. Then, it may clear tz->debugfs after one of those functions has checked it and the struct thermal_debugfs object may be freed prematurely. To address the first problem, pass a pointer to the thermal zone's struct thermal_debugfs object to debugfs_create_file() in thermal_debug_tz_add() and make tze_seq_start(), tze_seq_next(), tze_seq_stop(), and tze_seq_show() retrieve it from s->private instead of a pointer to the thermal zone object. This will ensure that tz_debugfs will be valid across the "mitigations" file accesses until thermal_debugfs_remove_id() called by thermal_debug_tz_remove() removes that file. To address the second problem, use tz->lock in thermal_debug_tz_remove() around the tz->debugfs value check (in case the same thermal zone is removed at the same time in two different threads) and its reset to NULL. Cc :6.8+ <[email protected]> # 6.8+ Solution(s) ubuntu-upgrade-linux-image-6-8-0-1008-gke ubuntu-upgrade-linux-image-6-8-0-1009-raspi ubuntu-upgrade-linux-image-6-8-0-1010-ibm ubuntu-upgrade-linux-image-6-8-0-1010-oem ubuntu-upgrade-linux-image-6-8-0-1010-oracle ubuntu-upgrade-linux-image-6-8-0-1010-oracle-64k ubuntu-upgrade-linux-image-6-8-0-1011-nvidia ubuntu-upgrade-linux-image-6-8-0-1011-nvidia-64k ubuntu-upgrade-linux-image-6-8-0-1011-nvidia-lowlatency ubuntu-upgrade-linux-image-6-8-0-1011-nvidia-lowlatency-64k ubuntu-upgrade-linux-image-6-8-0-1012-azure ubuntu-upgrade-linux-image-6-8-0-1012-azure-fde ubuntu-upgrade-linux-image-6-8-0-1012-gcp ubuntu-upgrade-linux-image-6-8-0-1013-aws ubuntu-upgrade-linux-image-6-8-0-40-generic ubuntu-upgrade-linux-image-6-8-0-40-generic-64k ubuntu-upgrade-linux-image-6-8-0-40-lowlatency ubuntu-upgrade-linux-image-6-8-0-40-lowlatency-64k ubuntu-upgrade-linux-image-aws ubuntu-upgrade-linux-image-azure ubuntu-upgrade-linux-image-azure-fde ubuntu-upgrade-linux-image-gcp ubuntu-upgrade-linux-image-generic ubuntu-upgrade-linux-image-generic-64k ubuntu-upgrade-linux-image-generic-64k-hwe-24-04 ubuntu-upgrade-linux-image-generic-hwe-24-04 ubuntu-upgrade-linux-image-generic-lpae ubuntu-upgrade-linux-image-gke ubuntu-upgrade-linux-image-ibm ubuntu-upgrade-linux-image-ibm-classic ubuntu-upgrade-linux-image-ibm-lts-24-04 ubuntu-upgrade-linux-image-kvm ubuntu-upgrade-linux-image-lowlatency ubuntu-upgrade-linux-image-lowlatency-64k ubuntu-upgrade-linux-image-nvidia ubuntu-upgrade-linux-image-nvidia-6-8 ubuntu-upgrade-linux-image-nvidia-64k ubuntu-upgrade-linux-image-nvidia-64k-6-8 ubuntu-upgrade-linux-image-nvidia-lowlatency ubuntu-upgrade-linux-image-nvidia-lowlatency-64k ubuntu-upgrade-linux-image-oem-24-04 ubuntu-upgrade-linux-image-oem-24-04a ubuntu-upgrade-linux-image-oracle ubuntu-upgrade-linux-image-oracle-64k ubuntu-upgrade-linux-image-raspi ubuntu-upgrade-linux-image-virtual ubuntu-upgrade-linux-image-virtual-hwe-24-04 References https://attackerkb.com/topics/cve-2024-36961 CVE - 2024-36961 USN-6949-1 USN-6949-2 USN-6952-1 USN-6952-2 USN-6955-1
  23. Alpine Linux: CVE-2024-5197: Vulnerability in Multiple Components Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/03/2024 Created 08/23/2024 Added 08/22/2024 Modified 10/01/2024 Description There exist integer overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond. Solution(s) alpine-linux-upgrade-libvpx References https://attackerkb.com/topics/cve-2024-5197 CVE - 2024-5197 https://security.alpinelinux.org/vuln/CVE-2024-5197
  24. SUSE: CVE-2024-5197: SUSE Linux Security Advisory Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/03/2024 Created 07/12/2024 Added 07/12/2024 Modified 07/12/2024 Description There exist integer overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h, or stride_align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. We recommend upgrading to version 1.14.1 or beyond. Solution(s) suse-upgrade-libvpx-devel suse-upgrade-libvpx4 suse-upgrade-libvpx7 suse-upgrade-libvpx7-32bit suse-upgrade-vpx-tools References https://attackerkb.com/topics/cve-2024-5197 CVE - 2024-5197
  25. Ubuntu: (Multiple Advisories) (CVE-2024-36962): Linux kernel vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 06/03/2024 Created 08/10/2024 Added 08/09/2024 Modified 01/23/2025 Description In the Linux kernel, the following vulnerability has been resolved: net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs Currently the driver uses local_bh_disable()/local_bh_enable() in its IRQ handler to avoid triggering net_rx_action() softirq on exit from netif_rx(). The net_rx_action() could trigger this driver .start_xmit callback, which is protected by the same lock as the IRQ handler, so calling the .start_xmit from netif_rx() from the IRQ handler critical section protected by the lock could lead to an attempt to claim the already claimed lock, and a hang. The local_bh_disable()/local_bh_enable() approach works only in case the IRQ handler is protected by a spinlock, but does not work if the IRQ handler is protected by mutex, i.e. this works for KS8851 with Parallel bus interface, but not for KS8851 with SPI bus interface. Remove the BH manipulation and instead of calling netif_rx() inside the IRQ handler code protected by the lock, queue all the received SKBs in the IRQ handler into a queue first, and once the IRQ handler exits the critical section protected by the lock, dequeue all the queued SKBs and push them all into netif_rx(). At this point, it is safe to trigger the net_rx_action() softirq, since the netif_rx() call is outside of the lock that protects the IRQ handler. Solution(s) ubuntu-upgrade-linux-image-6-8-0-1008-gke ubuntu-upgrade-linux-image-6-8-0-1009-raspi ubuntu-upgrade-linux-image-6-8-0-1010-ibm ubuntu-upgrade-linux-image-6-8-0-1010-oem ubuntu-upgrade-linux-image-6-8-0-1010-oracle ubuntu-upgrade-linux-image-6-8-0-1010-oracle-64k ubuntu-upgrade-linux-image-6-8-0-1011-nvidia ubuntu-upgrade-linux-image-6-8-0-1011-nvidia-64k ubuntu-upgrade-linux-image-6-8-0-1011-nvidia-lowlatency ubuntu-upgrade-linux-image-6-8-0-1011-nvidia-lowlatency-64k ubuntu-upgrade-linux-image-6-8-0-1012-azure ubuntu-upgrade-linux-image-6-8-0-1012-azure-fde ubuntu-upgrade-linux-image-6-8-0-1012-gcp ubuntu-upgrade-linux-image-6-8-0-1013-aws ubuntu-upgrade-linux-image-6-8-0-40-generic ubuntu-upgrade-linux-image-6-8-0-40-generic-64k ubuntu-upgrade-linux-image-6-8-0-40-lowlatency ubuntu-upgrade-linux-image-6-8-0-40-lowlatency-64k ubuntu-upgrade-linux-image-aws ubuntu-upgrade-linux-image-azure ubuntu-upgrade-linux-image-azure-fde ubuntu-upgrade-linux-image-gcp ubuntu-upgrade-linux-image-generic ubuntu-upgrade-linux-image-generic-64k ubuntu-upgrade-linux-image-generic-64k-hwe-24-04 ubuntu-upgrade-linux-image-generic-hwe-24-04 ubuntu-upgrade-linux-image-generic-lpae ubuntu-upgrade-linux-image-gke ubuntu-upgrade-linux-image-ibm ubuntu-upgrade-linux-image-ibm-classic ubuntu-upgrade-linux-image-ibm-lts-24-04 ubuntu-upgrade-linux-image-kvm ubuntu-upgrade-linux-image-lowlatency ubuntu-upgrade-linux-image-lowlatency-64k ubuntu-upgrade-linux-image-nvidia ubuntu-upgrade-linux-image-nvidia-6-8 ubuntu-upgrade-linux-image-nvidia-64k ubuntu-upgrade-linux-image-nvidia-64k-6-8 ubuntu-upgrade-linux-image-nvidia-lowlatency ubuntu-upgrade-linux-image-nvidia-lowlatency-64k ubuntu-upgrade-linux-image-oem-24-04 ubuntu-upgrade-linux-image-oem-24-04a ubuntu-upgrade-linux-image-oracle ubuntu-upgrade-linux-image-oracle-64k ubuntu-upgrade-linux-image-raspi ubuntu-upgrade-linux-image-virtual ubuntu-upgrade-linux-image-virtual-hwe-24-04 References https://attackerkb.com/topics/cve-2024-36962 CVE - 2024-36962 USN-6949-1 USN-6949-2 USN-6952-1 USN-6952-2 USN-6955-1