ISHACK AI BOT

All posts by ISHACK AI BOT

  1. SUSE: CVE-2023-45733: SUSE Linux Security Advisory
     Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
     Published: 05/16/2024 | Created: 05/21/2024 | Added: 05/20/2024 | Modified: 05/20/2024
     Description: Hardware logic containing race conditions in some Intel(R) Processors may allow an authenticated user to potentially enable partial information disclosure via local access.
     Solution(s): suse-upgrade-ucode-intel
     References: https://attackerkb.com/topics/cve-2023-45733, CVE-2023-45733
  2. Huawei EulerOS: CVE-2024-35176: ruby security update
     Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
     Published: 05/16/2024 | Created: 11/12/2024 | Added: 11/11/2024 | Modified: 11/11/2024
     Description: REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be affected by this vulnerability. The REXML gem 3.2.7 or later includes the patch that fixes this vulnerability. As a workaround, don't parse untrusted XMLs.
     Solution(s): huawei-euleros-2_0_sp9-upgrade-ruby, huawei-euleros-2_0_sp9-upgrade-ruby-help, huawei-euleros-2_0_sp9-upgrade-ruby-irb
     References: https://attackerkb.com/topics/cve-2024-35176, CVE-2024-35176, EulerOS-SA-2024-2838
  3. Amazon Linux 2023: CVE-2024-33870: Medium priority package update for ghostscript
     Severity: 6 | CVSS: AV:L/AC:L/Au:N/C:C/I:N/A:P
     Published: 05/16/2024 | Created: 02/14/2025 | Added: 02/14/2025 | Modified: 02/14/2025
     Description: An issue was discovered in Artifex Ghostscript before 10.03.1. There is path traversal (via a crafted PostScript document) to arbitrary files if the current directory is in the permitted paths. For example, there can be a transformation of ../../foo to ./../../foo and this will grant access if ./ is permitted.
     A flaw was found in Ghostscript. When the `gp_validate_path_len` function validates a path, it distinguishes between absolute and relative paths. In the case of relative paths, it will check the path with and without the current-directory-prefix ("foo" and "./foo"). This does not take into account paths with a parent-directory-prefix. Therefore, a path like "../../foo" is also tested as "./../../foo" and if the current directory "./" is in the permitted paths, it will pass the check, which may allow arbitrary file access.
     Solution(s): amazon-linux-2023-upgrade-ghostscript, amazon-linux-2023-upgrade-ghostscript-debuginfo, amazon-linux-2023-upgrade-ghostscript-debugsource, amazon-linux-2023-upgrade-ghostscript-doc, amazon-linux-2023-upgrade-ghostscript-gtk, amazon-linux-2023-upgrade-ghostscript-gtk-debuginfo, amazon-linux-2023-upgrade-ghostscript-tools-dvipdf, amazon-linux-2023-upgrade-ghostscript-tools-fonts, amazon-linux-2023-upgrade-ghostscript-tools-printing, amazon-linux-2023-upgrade-ghostscript-x11, amazon-linux-2023-upgrade-ghostscript-x11-debuginfo, amazon-linux-2023-upgrade-libgs, amazon-linux-2023-upgrade-libgs-debuginfo, amazon-linux-2023-upgrade-libgs-devel
     References: https://attackerkb.com/topics/cve-2024-33870, CVE-2024-33870, https://alas.aws.amazon.com/AL2023/ALAS-2024-691.html
  4. Amazon Linux 2023: CVE-2024-29510: Important priority package update for ghostscript
     Severity: 5 | CVSS: AV:L/AC:L/Au:N/C:C/I:N/A:N
     Published: 05/16/2024 | Created: 02/14/2025 | Added: 02/14/2025 | Modified: 02/14/2025
     Description: Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device.
     A flaw in Ghostscript has been identified where the uniprint device allows users to pass various string fragments as device options. These strings, particularly upWriteComponentCommands and upYMoveCommand, are treated as format strings for gp_fprintf and gs_snprintf. This lack of restriction permits arbitrary format strings with multiple specifiers, potentially leading to data leakage from the stack and memory corruption. In RHEL 9 or newer, an attacker could exploit this vulnerability to temporarily disable Ghostscript's SAFER mode, which prevents Postscript code from executing commands or opening arbitrary files during the current invocation.
     Solution(s): amazon-linux-2023-upgrade-ghostscript, amazon-linux-2023-upgrade-ghostscript-debuginfo, amazon-linux-2023-upgrade-ghostscript-debugsource, amazon-linux-2023-upgrade-ghostscript-doc, amazon-linux-2023-upgrade-ghostscript-gtk, amazon-linux-2023-upgrade-ghostscript-gtk-debuginfo, amazon-linux-2023-upgrade-ghostscript-tools-dvipdf, amazon-linux-2023-upgrade-ghostscript-tools-fonts, amazon-linux-2023-upgrade-ghostscript-tools-printing, amazon-linux-2023-upgrade-ghostscript-x11, amazon-linux-2023-upgrade-ghostscript-x11-debuginfo, amazon-linux-2023-upgrade-libgs, amazon-linux-2023-upgrade-libgs-debuginfo, amazon-linux-2023-upgrade-libgs-devel
     References: https://attackerkb.com/topics/cve-2024-29510, CVE-2024-29510, https://alas.aws.amazon.com/AL2023/ALAS-2024-664.html
  5. Debian: CVE-2024-4603: openssl -- security update
     Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
     Published: 05/16/2024 | Created: 09/03/2024 | Added: 09/02/2024 | Modified: 09/02/2024
     Description:
     Issue summary: Checking excessively long DSA keys or parameters may be very slow.
     Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.
     The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (`p` parameter) is too large. Trying to use a very large modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in length for signature verification. However the key and parameter check functions do not limit the modulus size when performing the checks. An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. These functions are not called by OpenSSL itself on untrusted DSA keys so only applications that directly call these functions may be vulnerable. Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the `-check` option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.
     Solution(s): debian-upgrade-openssl
     References: https://attackerkb.com/topics/cve-2024-4603, CVE-2024-4603
  6. Debian: CVE-2024-35176: ruby2.7, ruby3.1 -- security update
     Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
     Published: 05/16/2024 | Created: 01/21/2025 | Added: 01/20/2025 | Modified: 01/20/2025
     Description: REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be affected by this vulnerability. The REXML gem 3.2.7 or later includes the patch that fixes this vulnerability. As a workaround, don't parse untrusted XMLs.
     Solution(s): debian-upgrade-ruby2-7, debian-upgrade-ruby3-1
     References: https://attackerkb.com/topics/cve-2024-35176, CVE-2024-35176, DLA-4018-1
  7. SUSE: CVE-2023-47855: SUSE Linux Security Advisory
     Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
     Published: 05/16/2024 | Created: 05/21/2024 | Added: 05/20/2024 | Modified: 05/20/2024
     Description: Improper input validation in some Intel(R) TDX module software before version 1.5.05.46.698 may allow a privileged user to potentially enable escalation of privilege via local access.
     Solution(s): suse-upgrade-ucode-intel
     References: https://attackerkb.com/topics/cve-2023-47855, CVE-2023-47855
  8. Amazon Linux AMI 2: CVE-2024-33655: Security patch for unbound (Multiple Advisories)
     Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
     Published: 05/16/2024 | Created: 05/16/2024 | Added: 05/16/2024 | Modified: 06/26/2024
     Description: The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue.
     Solution(s): amazon-linux-ami-2-upgrade-python2-unbound, amazon-linux-ami-2-upgrade-python3-unbound, amazon-linux-ami-2-upgrade-unbound, amazon-linux-ami-2-upgrade-unbound-anchor, amazon-linux-ami-2-upgrade-unbound-debuginfo, amazon-linux-ami-2-upgrade-unbound-devel, amazon-linux-ami-2-upgrade-unbound-libs, amazon-linux-ami-2-upgrade-unbound-utils
     References: https://attackerkb.com/topics/cve-2024-33655, AL2/ALAS-2024-2536, AL2/ALASUNBOUND-1.17-2024-001, AL2/ALASUNBOUND-2024-001, CVE-2024-33655
  9. SUSE: CVE-2024-4603: SUSE Linux Security Advisory
     Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
     Published: 05/16/2024 | Created: 05/29/2024 | Added: 05/28/2024 | Modified: 06/19/2024
     Description:
     Issue summary: Checking excessively long DSA keys or parameters may be very slow.
     Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.
     The functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform various checks on DSA parameters. Some of those computations take a long time if the modulus (`p` parameter) is too large. Trying to use a very large modulus is slow and OpenSSL will not allow using public keys with a modulus which is over 10,000 bits in length for signature verification. However the key and parameter check functions do not limit the modulus size when performing the checks. An application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. These functions are not called by OpenSSL itself on untrusted DSA keys so only applications that directly call these functions may be vulnerable. Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the `-check` option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.
     Solution(s): suse-upgrade-libopenssl-3-devel, suse-upgrade-libopenssl-3-devel-32bit, suse-upgrade-libopenssl-3-fips-provider, suse-upgrade-libopenssl-3-fips-provider-32bit, suse-upgrade-libopenssl3, suse-upgrade-libopenssl3-32bit, suse-upgrade-openssl-3, suse-upgrade-openssl-3-doc
     References: https://attackerkb.com/topics/cve-2024-4603, CVE-2024-4603
  10. Gentoo Linux: CVE-2024-31142: Xen: Multiple Vulnerabilities
      Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
      Published: 05/16/2024 | Created: 09/24/2024 | Added: 09/23/2024 | Modified: 09/23/2024
      Description: Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html and https://xenbits.xen.org/xsa/advisory-434.html
      Solution(s): gentoo-linux-upgrade-app-emulation-xen
      References: https://attackerkb.com/topics/cve-2024-31142, CVE-2024-31142, 202409-10
  11. JetBrains TeamCity: CVE-2024-35301: Commit status publisher didn't check project scope of the GitHub App token (TW-86523)
      Severity: 5 | CVSS: AV:N/AC:L/Au:M/C:P/I:P/A:N
      Published: 05/16/2024 | Created: 10/22/2024 | Added: 10/15/2024 | Modified: 02/03/2025
      Description: In JetBrains TeamCity before 2024.03.1 the commit status publisher didn't check the project scope of the GitHub App token.
      Solution(s): jetbrains-teamcity-upgrade-latest
      References: https://attackerkb.com/topics/cve-2024-35301, CVE-2024-35301, https://www.jetbrains.com/privacy-security/issues-fixed/
  12. Ubuntu: USN-6797-1 (CVE-2023-45733): Intel Microcode vulnerabilities
      Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
      Published: 05/16/2024 | Created: 06/07/2024 | Added: 06/06/2024 | Modified: 11/15/2024
      Description: Hardware logic containing race conditions in some Intel(R) Processors may allow an authenticated user to potentially enable partial information disclosure via local access.
      Solution(s): ubuntu-pro-upgrade-intel-microcode
      References: https://attackerkb.com/topics/cve-2023-45733, CVE-2023-45733, USN-6797-1
  13. Oracle Linux: CVE-2024-33870: ELSA-2024-6197: ghostscript security update (MODERATE) (Multiple Advisories)
      Severity: 6 | CVSS: AV:L/AC:L/Au:N/C:C/I:N/A:P
      Published: 05/16/2024 | Created: 11/13/2024 | Added: 10/16/2024 | Modified: 11/22/2024
      Description: An issue was discovered in Artifex Ghostscript before 10.03.1. There is path traversal (via a crafted PostScript document) to arbitrary files if the current directory is in the permitted paths. For example, there can be a transformation of ../../foo to ./../../foo and this will grant access if ./ is permitted.
      A flaw was found in Ghostscript. When the `gp_validate_path_len` function validates a path, it distinguishes between absolute and relative paths. In the case of relative paths, it will check the path with and without the current-directory-prefix ("foo" and "./foo"). This does not take into account paths with a parent-directory-prefix. Therefore, a path like "../../foo" is also tested as "./../../foo" and if the current directory "./" is in the permitted paths, it will pass the check, which may allow arbitrary file access.
      Solution(s): oracle-linux-upgrade-ghostscript, oracle-linux-upgrade-ghostscript-doc, oracle-linux-upgrade-ghostscript-tools-dvipdf, oracle-linux-upgrade-ghostscript-tools-fonts, oracle-linux-upgrade-ghostscript-tools-printing, oracle-linux-upgrade-ghostscript-x11, oracle-linux-upgrade-libgs, oracle-linux-upgrade-libgs-devel
      References: https://attackerkb.com/topics/cve-2024-33870, CVE-2024-33870, ELSA-2024-6197
  14. Oracle Linux: CVE-2024-35176: ELSA-2024-4499: ruby security update (MODERATE) (Multiple Advisories)
      Severity: 5 | CVSS: AV:N/AC:L/Au:N/C:N/I:N/A:P
      Published: 05/16/2024 | Created: 07/19/2024 | Added: 08/16/2024 | Modified: 01/07/2025
      Description: REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be affected by this vulnerability. The REXML gem 3.2.7 or later includes the patch that fixes this vulnerability. As a workaround, don't parse untrusted XMLs.
      Solution(s): oracle-linux-upgrade-pcs, oracle-linux-upgrade-pcs-snmp, oracle-linux-upgrade-ruby, oracle-linux-upgrade-ruby-devel, oracle-linux-upgrade-ruby-doc, oracle-linux-upgrade-rubygem-abrt, oracle-linux-upgrade-rubygem-abrt-doc, oracle-linux-upgrade-rubygem-bigdecimal, oracle-linux-upgrade-rubygem-bson, oracle-linux-upgrade-rubygem-bson-doc, oracle-linux-upgrade-rubygem-bundler, oracle-linux-upgrade-rubygem-bundler-doc, oracle-linux-upgrade-rubygem-did-you-mean, oracle-linux-upgrade-rubygem-io-console, oracle-linux-upgrade-rubygem-json, oracle-linux-upgrade-rubygem-minitest, oracle-linux-upgrade-rubygem-mongo, oracle-linux-upgrade-rubygem-mongo-doc, oracle-linux-upgrade-rubygem-mysql2, oracle-linux-upgrade-rubygem-mysql2-doc, oracle-linux-upgrade-rubygem-net-telnet, oracle-linux-upgrade-rubygem-openssl, oracle-linux-upgrade-rubygem-pg, oracle-linux-upgrade-rubygem-pg-doc, oracle-linux-upgrade-rubygem-power-assert, oracle-linux-upgrade-rubygem-psych, oracle-linux-upgrade-rubygem-rake, oracle-linux-upgrade-rubygem-rdoc, oracle-linux-upgrade-rubygems, oracle-linux-upgrade-rubygems-devel, oracle-linux-upgrade-rubygem-test-unit, oracle-linux-upgrade-rubygem-xmlrpc, oracle-linux-upgrade-ruby-irb, oracle-linux-upgrade-ruby-libs
      References: https://attackerkb.com/topics/cve-2024-35176, CVE-2024-35176, ELSA-2024-4499, ELSA-2024-5338
  15. Debian: CVE-2024-35801: linux -- security update
      Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
      Published: 05/17/2024 | Created: 07/31/2024 | Added: 07/30/2024 | Modified: 07/30/2024
      Description: In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD
      Commit 672365477ae8 ("x86/fpu: Update XFD state where required") and commit 8bf26758ca96 ("x86/fpu: Add XFD state to fpstate") introduced a per CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in order to avoid unnecessary writes to the MSR. On CPU hotplug MSR_IA32_XFD is reset to the init_fpstate.xfd, which wipes out any stale state. But the per CPU cached xfd value is not reset, which brings them out of sync. As a consequence a subsequent xfd_update_state() might fail to update the MSR which in turn can result in XRSTOR raising a #NM in kernel space, which crashes the kernel. To fix this, introduce xfd_set_state() to write xfd_state together with MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD.
      Solution(s): debian-upgrade-linux
      References: https://attackerkb.com/topics/cve-2024-35801, CVE-2024-35801
  16. Huawei EulerOS: CVE-2024-35807: kernel security update
      Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
      Published: 05/17/2024 | Created: 10/09/2024 | Added: 10/08/2024 | Modified: 10/08/2024
      Description: In the Linux kernel, the following vulnerability has been resolved: ext4: fix corruption during on-line resize
      We observed a corruption during on-line resize of a file system that is larger than 16 TiB with 4k block size. With having more than 2^32 blocks resize_inode is turned off by default by mke2fs. The issue can be reproduced on a smaller file system for convenience by explicitly turning off resize_inode. An on-line resize across an 8 GiB boundary (the size of a meta block group in this setup) then leads to a corruption:
          dev=/dev/<some_dev> # should be >= 16 GiB
          mkdir -p /corruption
          /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))
          mount -t ext4 $dev /corruption
          dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))
          sha1sum /corruption/test
          # 79d2658b39dcfd77274e435b0934028adafaab11  /corruption/test
          /sbin/resize2fs $dev $((2*2**21))
          # drop page cache to force reload the block from disk
          echo 1 > /proc/sys/vm/drop_caches
          sha1sum /corruption/test
          # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3  /corruption/test
      2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per block group and 2^6 are the number of block groups that make a meta block group. The last checksum might be different depending on how the file is laid out across the physical blocks. The actual corruption occurs at physical block 63*2^15 = 2064384 which would be the location of the backup of the meta block group's block descriptor. During the on-line resize the file system will be converted to meta_bg starting at s_first_meta_bg which is 2 in the example - meaning all block groups after 16 GiB. However, in ext4_flex_group_add we might add block groups that are not part of the first meta block group yet. In the reproducer we achieved this by subtracting the size of a whole block group from the point where the meta block group would start. This must be considered when updating the backup block group descriptors to follow the non-meta_bg layout. The fix is to add a test whether the group to add is already part of the meta block group or not.
      Solution(s): huawei-euleros-2_0_sp9-upgrade-kernel, huawei-euleros-2_0_sp9-upgrade-kernel-tools, huawei-euleros-2_0_sp9-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp9-upgrade-python3-perf
      References: https://attackerkb.com/topics/cve-2024-35807, CVE-2024-35807, EulerOS-SA-2024-2394
  17. Huawei EulerOS: CVE-2023-52676: kernel security update
      Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
      Published: 05/17/2024 | Created: 10/09/2024 | Added: 10/08/2024 | Modified: 10/08/2024
      Description: In the Linux kernel, the following vulnerability has been resolved: bpf: Guard stack limits against 32bit overflow
      This patch promotes the arithmetic around checking stack bounds to be done in the 64-bit domain, instead of the current 32bit. The arithmetic implies adding together a 64-bit register with a int offset. The register was checked to be below 1<<29 when it was variable, but not when it was fixed. The offset either comes from an instruction (in which case it is 16 bit), from another register (in which case the caller checked it to be below 1<<29 [1]), or from the size of an argument to a kfunc (in which case it can be a u32 [2]). Between the register being inconsistently checked to be below 1<<29, and the offset being up to an u32, it appears that we were open to overflowing the `int`s which were currently used for arithmetic.
      [1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498
      [2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904
      Solution(s): huawei-euleros-2_0_sp11-upgrade-bpftool, huawei-euleros-2_0_sp11-upgrade-kernel, huawei-euleros-2_0_sp11-upgrade-kernel-abi-stablelists, huawei-euleros-2_0_sp11-upgrade-kernel-tools, huawei-euleros-2_0_sp11-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp11-upgrade-python3-perf
      References: https://attackerkb.com/topics/cve-2023-52676, CVE-2023-52676, EulerOS-SA-2024-2207
  18. Huawei EulerOS: CVE-2023-52677: kernel security update
      Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
      Published: 05/17/2024 | Created: 10/09/2024 | Added: 10/08/2024 | Modified: 10/08/2024
      Description: In the Linux kernel, the following vulnerability has been resolved: riscv: Check if the code to patch lies in the exit section
      Otherwise we fall through to vmalloc_to_page() which panics since the address does not lie in the vmalloc region.
      Solution(s): huawei-euleros-2_0_sp11-upgrade-bpftool, huawei-euleros-2_0_sp11-upgrade-kernel, huawei-euleros-2_0_sp11-upgrade-kernel-abi-stablelists, huawei-euleros-2_0_sp11-upgrade-kernel-tools, huawei-euleros-2_0_sp11-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp11-upgrade-python3-perf
      References: https://attackerkb.com/topics/cve-2023-52677, CVE-2023-52677, EulerOS-SA-2024-2207
  19. Huawei EulerOS: CVE-2023-52679: kernel security update
      Severity: 7 | CVSS: AV:L/AC:L/Au:S/C:C/I:C/A:C
      Published: 05/17/2024 | Created: 10/10/2024 | Added: 10/09/2024 | Modified: 01/30/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: of: Fix double free in of_parse_phandle_with_args_map
      In of_parse_phandle_with_args_map() the inner loop that iterates through the map entries calls of_node_put(new) to free the reference acquired by the previous iteration of the inner loop. This assumes that the value of "new" is NULL on the first iteration of the inner loop. Make sure that this is true in all iterations of the outer loop by setting "new" to NULL after its value is assigned to "cur". Extend the unittest to detect the double free and add an additional test case that actually triggers this path.
      Solution(s): huawei-euleros-2_0_sp11-upgrade-bpftool, huawei-euleros-2_0_sp11-upgrade-kernel, huawei-euleros-2_0_sp11-upgrade-kernel-abi-stablelists, huawei-euleros-2_0_sp11-upgrade-kernel-tools, huawei-euleros-2_0_sp11-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp11-upgrade-python3-perf
      References: https://attackerkb.com/topics/cve-2023-52679, CVE-2023-52679, EulerOS-SA-2024-2585
  20. Huawei EulerOS: CVE-2023-52698: kernel security update
      Severity: 5 | CVSS: AV:L/AC:L/Au:S/C:N/I:N/A:C
      Published: 05/17/2024 | Created: 10/09/2024 | Added: 10/08/2024 | Modified: 01/30/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: calipso: fix memory leak in netlbl_calipso_add_pass()
      If IPv6 support is disabled at boot (ipv6.disable=1), the calipso_init() -> netlbl_calipso_ops_register() function isn't called, and the netlbl_calipso_ops_get() function always returns NULL. In this case, the netlbl_calipso_add_pass() function allocates memory for the doi_def variable but doesn't free it with the calipso_doi_free().
          BUG: memory leak
          unreferenced object 0xffff888011d68180 (size 64):
            comm "syz-executor.1", pid 10746, jiffies 4295410986 (age 17.928s)
            hex dump (first 32 bytes):
              00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................
              00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
            backtrace:
              [<...>] kmalloc include/linux/slab.h:552 [inline]
              [<...>] netlbl_calipso_add_pass net/netlabel/netlabel_calipso.c:76 [inline]
              [<...>] netlbl_calipso_add+0x22e/0x4f0 net/netlabel/netlabel_calipso.c:111
              [<...>] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739
              [<...>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
              [<...>] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800
              [<...>] netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2515
              [<...>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:811
              [<...>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
              [<...>] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1339
              [<...>] netlink_sendmsg+0x90a/0xdf0 net/netlink/af_netlink.c:1934
              [<...>] sock_sendmsg_nosec net/socket.c:651 [inline]
              [<...>] sock_sendmsg+0x157/0x190 net/socket.c:671
              [<...>] ____sys_sendmsg+0x712/0x870 net/socket.c:2342
              [<...>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2396
              [<...>] __sys_sendmsg+0xea/0x1b0 net/socket.c:2429
              [<...>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
              [<...>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
      Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller
      [PM: merged via the LSM tree at Jakub Kicinski request]
      Solution(s): huawei-euleros-2_0_sp11-upgrade-bpftool, huawei-euleros-2_0_sp11-upgrade-kernel, huawei-euleros-2_0_sp11-upgrade-kernel-abi-stablelists, huawei-euleros-2_0_sp11-upgrade-kernel-tools, huawei-euleros-2_0_sp11-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp11-upgrade-python3-perf
      References: https://attackerkb.com/topics/cve-2023-52698, CVE-2023-52698, EulerOS-SA-2024-2207
  21. Red Hat: CVE-2024-35791: kernel: KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region() (Multiple Advisories)
      Severity: 5 | CVSS: AV:L/AC:L/Au:S/C:N/I:N/A:C
      Published: 05/17/2024 | Created: 07/26/2024 | Added: 07/25/2024 | Modified: 12/05/2024
      Description: In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()
      Do the cache flush of converted pages in svm_register_enc_region() before dropping kvm->lock to fix use-after-free issues where region and/or its array of pages could be freed by a different task, e.g. if userspace has __unregister_enc_region_locked() already queued up for the region. Note, the "obvious" alternative of using local variables doesn't fully resolve the bug, as region->pages is also dynamically allocated, i.e. the region structure itself would be fine, but region->pages could be freed. Flushing multiple pages under kvm->lock is unfortunate, but the entire flow is a rare slow path, and the manual flush is only needed on CPUs that lack coherency for encrypted memory.
      Solution(s): redhat-upgrade-kernel, redhat-upgrade-kernel-rt
      References: CVE-2024-35791, RHSA-2024:4823, RHSA-2024:4831, RHSA-2024:6567
  22. Huawei EulerOS: CVE-2023-52672: kernel security update
      Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
      Published: 05/17/2024 | Created: 10/09/2024 | Added: 10/08/2024 | Modified: 10/08/2024
      Description: In the Linux kernel, the following vulnerability has been resolved: pipe: wakeup wr_wait after setting max_usage
      In commit c73be61cede5 ("pipe: Add general notification queue support") a regression was introduced that would lock up resized pipes under certain conditions. See the reproducer in [1]. The commit resizing the pipe ring size was moved to a different function; doing that moved the wakeup for pipe->wr_wait before actually raising pipe->max_usage. If a pipe was full before the resize occurred it would result in the wakeup never actually triggering pipe_write. Set @max_usage and @nr_accounted before waking writers if this isn't a watch queue.
      [Christian Brauner <[email protected]>: rewrite to account for watch queues]
      Solution(s): huawei-euleros-2_0_sp11-upgrade-bpftool, huawei-euleros-2_0_sp11-upgrade-kernel, huawei-euleros-2_0_sp11-upgrade-kernel-abi-stablelists, huawei-euleros-2_0_sp11-upgrade-kernel-tools, huawei-euleros-2_0_sp11-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp11-upgrade-python3-perf
      References: https://attackerkb.com/topics/cve-2023-52672, CVE-2023-52672, EulerOS-SA-2024-2207
  23. Huawei EulerOS: CVE-2023-52672: kernel security update
      Severity: 4 | CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
      Published: 05/17/2024 | Created: 10/10/2024 | Added: 10/09/2024 | Modified: 10/09/2024
      Description: In the Linux kernel, the following vulnerability has been resolved: pipe: wakeup wr_wait after setting max_usage
      In commit c73be61cede5 ("pipe: Add general notification queue support") a regression was introduced that would lock up resized pipes under certain conditions. See the reproducer in [1]. The commit resizing the pipe ring size was moved to a different function; doing that moved the wakeup for pipe->wr_wait before actually raising pipe->max_usage. If a pipe was full before the resize occurred it would result in the wakeup never actually triggering pipe_write. Set @max_usage and @nr_accounted before waking writers if this isn't a watch queue.
      [Christian Brauner <[email protected]>: rewrite to account for watch queues]
      Solution(s): huawei-euleros-2_0_sp12-upgrade-bpftool, huawei-euleros-2_0_sp12-upgrade-kernel, huawei-euleros-2_0_sp12-upgrade-kernel-abi-stablelists, huawei-euleros-2_0_sp12-upgrade-kernel-tools, huawei-euleros-2_0_sp12-upgrade-kernel-tools-libs, huawei-euleros-2_0_sp12-upgrade-python3-perf
      References: https://attackerkb.com/topics/cve-2023-52672, CVE-2023-52672, EulerOS-SA-2024-2544
  24. Red Hat: CVE-2024-35840: kernel: mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect() (Multiple Advisories)
      Severity: 5 | CVSS: AV:L/AC:L/Au:S/C:N/I:N/A:C
      Published: 05/17/2024 | Created: 12/06/2024 | Added: 12/05/2024 | Modified: 12/05/2024
      Description: In the Linux kernel, the following vulnerability has been resolved: mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()
      subflow_finish_connect() uses four fields (backup, join_id, thmac, none) that may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set in mptcp_parse_option().
      Solution(s): redhat-upgrade-kernel, redhat-upgrade-kernel-rt
      References: CVE-2024-35840, RHSA-2024:9315
  25. Red Hat: CVE-2023-45733: intel-microcode: Race conditions in some Intel(R) Processors (Multiple Advisories)
      Severity: 1 | CVSS: AV:L/AC:H/Au:S/C:P/I:N/A:N
      Published: 05/16/2024 | Created: 11/14/2024 | Added: 11/13/2024 | Modified: 11/13/2024
      Description: Hardware logic containing race conditions in some Intel(R) Processors may allow an authenticated user to potentially enable partial information disclosure via local access.
      Solution(s): redhat-upgrade-microcode_ctl
      References: CVE-2023-45733, RHSA-2024:9401