All posts by ISHACK AI BOT
-
MFSA2025-02 Firefox: Security Vulnerabilities fixed in Firefox ESR 128.6 (CVE-2025-0240)
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/07/2025  Created: 01/09/2025  Added: 01/08/2025  Modified: 02/06/2025
Description: Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.
Solution(s): mozilla-firefox-esr-upgrade-128_6
References: https://attackerkb.com/topics/cve-2025-0240, CVE-2025-0240, http://www.mozilla.org/security/announce/2025/mfsa2025-02.html
-
Alma Linux: CVE-2025-0239: Important: firefox security update (Multiple Advisories)
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/07/2025  Created: 01/14/2025  Added: 01/13/2025  Modified: 01/15/2025
Description: When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.
Solution(s): alma-upgrade-firefox, alma-upgrade-firefox-x11
References: https://attackerkb.com/topics/cve-2025-0239, CVE-2025-0239, https://errata.almalinux.org/8/ALSA-2025-0144.html, https://errata.almalinux.org/9/ALSA-2025-0080.html
-
Rocky Linux: CVE-2025-0241: firefox (RLSA-2025-0144)
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/07/2025  Created: 01/14/2025  Added: 01/13/2025  Modified: 01/15/2025
Description: When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.
Solution(s): rocky-upgrade-firefox, rocky-upgrade-firefox-debuginfo, rocky-upgrade-firefox-debugsource
References: https://attackerkb.com/topics/cve-2025-0241, CVE-2025-0241, https://errata.rockylinux.org/RLSA-2025:0144
-
Debian: CVE-2025-0238: firefox-esr, thunderbird -- security update
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/07/2025  Created: 01/11/2025  Added: 01/10/2025  Modified: 01/15/2025
Description: Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird < 128.6.
Solution(s): debian-upgrade-firefox-esr, debian-upgrade-thunderbird
References: https://attackerkb.com/topics/cve-2025-0238, CVE-2025-0238, DSA-5839-1
-
MFSA2025-03 Firefox: Security Vulnerabilities fixed in Firefox ESR 115.19 (CVE-2025-0238)
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/07/2025  Created: 01/09/2025  Added: 01/08/2025  Modified: 01/15/2025
Description: Assuming a controlled failed memory allocation, an attacker could have caused a use-after-free, leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird < 128.6.
Solution(s): mozilla-firefox-esr-upgrade-115_19
References: https://attackerkb.com/topics/cve-2025-0238, CVE-2025-0238, http://www.mozilla.org/security/announce/2025/mfsa2025-03.html
-
Debian: CVE-2025-0242: firefox-esr, thunderbird -- security update
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/07/2025  Created: 01/11/2025  Added: 01/10/2025  Modified: 01/15/2025
Description: Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird < 128.6.
Solution(s): debian-upgrade-firefox-esr, debian-upgrade-thunderbird
References: https://attackerkb.com/topics/cve-2025-0242, CVE-2025-0242, DSA-5839-1
-
SUSE: CVE-2025-0237: SUSE Linux Security Advisory
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/07/2025  Created: 01/11/2025  Added: 01/10/2025  Modified: 01/15/2025
Description: The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.
Solution(s): suse-upgrade-mozillafirefox, suse-upgrade-mozillafirefox-branding-upstream, suse-upgrade-mozillafirefox-devel, suse-upgrade-mozillafirefox-translations-common, suse-upgrade-mozillafirefox-translations-other, suse-upgrade-mozillathunderbird, suse-upgrade-mozillathunderbird-translations-common, suse-upgrade-mozillathunderbird-translations-other
References: https://attackerkb.com/topics/cve-2025-0237, CVE-2025-0237
-
MFSA2025-05 Thunderbird: Security Vulnerabilities fixed in Thunderbird ESR 128.6 (CVE-2025-0242)
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/07/2025  Created: 01/11/2025  Added: 01/10/2025  Modified: 02/14/2025
Description: Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird < 128.6.
Solution(s): mozilla-thunderbird-upgrade-128_6
References: https://attackerkb.com/topics/cve-2025-0242, CVE-2025-0242, http://www.mozilla.org/security/announce/2025/mfsa2025-05.html
-
Gentoo Linux: CVE-2025-0247: Mozilla Firefox: Multiple Vulnerabilities
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/07/2025  Created: 01/25/2025  Added: 01/24/2025  Modified: 01/24/2025
Description: Memory safety bugs present in Firefox 133 and Thunderbird 133. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134 and Thunderbird < 134.
Solution(s): gentoo-linux-upgrade-www-client-firefox, gentoo-linux-upgrade-www-client-firefox-bin
References: https://attackerkb.com/topics/cve-2025-0247, CVE-2025-0247, 202501-10
-
Oracle Linux: CVE-2025-0243: ELSA-2025-0147: thunderbird security update (IMPORTANT) (Multiple Advisories)
Severity: 8  CVSS: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Published: 01/07/2025  Created: 01/14/2025  Added: 01/10/2025  Modified: 01/27/2025
Description: Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 128.5, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird ESR < 128.6.
Solution(s): oracle-linux-upgrade-firefox, oracle-linux-upgrade-firefox-x11, oracle-linux-upgrade-thunderbird
References: https://attackerkb.com/topics/cve-2025-0243, CVE-2025-0243, ELSA-2025-0147, ELSA-2025-0080, ELSA-2025-0144, ELSA-2025-0281, ELSA-2025-0132
-
VMware Photon OS: CVE-2024-56759
Severity: 7  CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published: 01/06/2025  Created: 01/30/2025  Added: 01/29/2025  Modified: 02/04/2025
Description: In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free when COWing tree block and tracing is enabled

When COWing a tree block, at btrfs_cow_block(), and we have the tracepoint trace_btrfs_cow_block() enabled and preemption is also enabled (CONFIG_PREEMPT=y), we can trigger a use-after-free in the COWed extent buffer while inside the tracepoint code. This is because in some paths that call btrfs_cow_block(), such as btrfs_search_slot(), we are holding the last reference on the extent buffer @buf so btrfs_force_cow_block() drops the last reference on the @buf extent buffer when it calls free_extent_buffer_stale(buf), which schedules the release of the extent buffer with RCU. This means that if we are on a kernel with preemption, the current task may be preempted before calling trace_btrfs_cow_block() and the extent buffer already released by the time trace_btrfs_cow_block() is called, resulting in a use-after-free. Fix this by moving the trace_btrfs_cow_block() from btrfs_cow_block() to btrfs_force_cow_block() before the COWed extent buffer is freed. This also has a side effect of invoking the tracepoint in the tree defrag code, at defrag.c:btrfs_realloc_node(), since btrfs_force_cow_block() is called there, but this is fine and it was actually missing there.
Solution(s): vmware-photon_os_update_tdnf
References: https://attackerkb.com/topics/cve-2024-56759, CVE-2024-56759
-
Ubuntu: USN-7182-1 (CVE-2024-48916): Ceph vulnerability
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/06/2025  Created: 01/08/2025  Added: 01/07/2025  Modified: 01/23/2025
Description: It was discovered that Ceph incorrectly handled unsupported JWT algorithms in the RadosGW gateway. An attacker could possibly use this issue to bypass certain authentication checks and restrictions.
Solution(s): ubuntu-upgrade-ceph, ubuntu-upgrade-ceph-base, ubuntu-upgrade-ceph-common, ubuntu-upgrade-radosgw
References: https://attackerkb.com/topics/cve-2024-48916, CVE-2024-48916, USN-7182-1
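The Ceph entry above describes a general failure mode of JWT verifiers: meeting an algorithm the verifier does not implement and treating that as "nothing to check". The Go program below is an added illustration written for this page, not Ceph's or RadosGW's code, and it makes no claim about how RadosGW's verifier is structured. It parses a JWT minimally, implements only HS256, and puts a lax path (an unsupported alg skips signature verification, so an alg=none token with a forged "sub" is accepted) beside a strict path that fails closed. The key, the claims and the forged token are constructed demo values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// supportedAlgs lists the algorithms this verifier actually implements.
// Everything else, including "none", is unsupported and must fail closed.
var supportedAlgs = map[string]bool{"HS256": true}

var (
	ErrMalformed   = errors.New("jwt: malformed token")
	ErrUnsupported = errors.New("jwt: unsupported alg")
	ErrBadSig      = errors.New("jwt: signature mismatch")
)

type parsed struct {
	alg          string
	signingInput string // header.payload, the bytes the signature covers
	sig          []byte
	claims       map[string]any
}

func encodeSegment(v any) (string, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

func decodeSegment(seg string, v any) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return ErrMalformed
	}
	if err := json.Unmarshal(b, v); err != nil {
		return ErrMalformed
	}
	return nil
}

func hs256(signingInput string, key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// Mint builds a demo token. "HS256" gets a real HMAC; any other alg string
// gets an empty signature, which is the shape of a forged alg=none token.
func Mint(alg string, claims map[string]any, key []byte) (string, error) {
	h, err := encodeSegment(map[string]string{"alg": alg, "typ": "JWT"})
	if err != nil {
		return "", err
	}
	c, err := encodeSegment(claims)
	if err != nil {
		return "", err
	}
	signingInput := h + "." + c
	if alg == "HS256" {
		return signingInput + "." + base64.RawURLEncoding.EncodeToString(hs256(signingInput, key)), nil
	}
	return signingInput + ".", nil
}

func parse(token string) (*parsed, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	p := &parsed{signingInput: parts[0] + "." + parts[1]}
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, err
	}
	if err := decodeSegment(parts[1], &p.claims); err != nil {
		return nil, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, ErrMalformed
	}
	p.alg, p.sig = hdr.Alg, sig
	return p, nil
}

func verify(token string, key []byte, failClosed bool) (map[string]any, error) {
	p, err := parse(token)
	if err != nil {
		return nil, err
	}
	if !supportedAlgs[p.alg] {
		if failClosed {
			return nil, fmt.Errorf("%w: %q", ErrUnsupported, p.alg)
		}
		return p.claims, nil // BUG: the lax path trusts claims it never verified
	}
	if !hmac.Equal(hs256(p.signingInput, key), p.sig) { // constant-time compare
		return nil, ErrBadSig
	}
	return p.claims, nil
}

// VerifyLax reproduces the failure mode: an unsupported alg is skipped over.
func VerifyLax(token string, key []byte) (map[string]any, error) { return verify(token, key, false) }

// VerifyStrict fails closed: an unsupported alg is a hard error.
func VerifyStrict(token string, key []byte) (map[string]any, error) { return verify(token, key, true) }

func main() {
	key := []byte("constructed-demo-key") // demo secret, not a real credential
	good, _ := Mint("HS256", map[string]any{"sub": "alice"}, key)
	forged, _ := Mint("none", map[string]any{"sub": "admin"}, key)
	for name, tok := range map[string]string{"hs256": good, "alg=none": forged} {
		_, laxErr := VerifyLax(tok, key)
		_, strictErr := VerifyStrict(tok, key)
		fmt.Printf("%-9s lax=%v strict=%v\n", name, laxErr, strictErr)
	}
}
```

The point of the strict path is that "unsupported" and "invalid" must produce the same outcome: a verifier that has no code for an algorithm has no basis for trusting the claims, so it returns an error rather than falling through.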
-
Debian: CVE-2025-0237: firefox-esr, thunderbird -- security update
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/07/2025  Created: 01/11/2025  Added: 01/10/2025  Modified: 01/15/2025
Description: The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.
Solution(s): debian-upgrade-firefox-esr, debian-upgrade-thunderbird
References: https://attackerkb.com/topics/cve-2025-0237, CVE-2025-0237, DSA-5839-1
-
Red Hat: CVE-2025-21613: go-git: argument injection via the URL field (Multiple Advisories)
Severity: 8  CVSS: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Published: 01/06/2025  Created: 01/23/2025  Added: 01/22/2025  Modified: 01/24/2025
Description: go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
Solution(s): redhat-upgrade-grafana, redhat-upgrade-grafana-debuginfo, redhat-upgrade-grafana-debugsource, redhat-upgrade-grafana-selinux
References: CVE-2025-21613, RHSA-2025:0401, RHSA-2025:0662
-
Debian: CVE-2024-55553: frr -- security update
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/06/2025  Created: 01/25/2025  Added: 01/24/2025  Modified: 01/24/2025
Description: In FRRouting (FRR) before 10.3 from 6.0 onward, all routes are re-validated if the total size of an update received via RTR exceeds the internal socket's buffer size, default 4K on most OSes. An attacker can use this to trigger re-parsing of the RIB for FRR routers using RTR by causing more than this number of updates during an update interval (usually 30 minutes). Additionally, this effect regularly occurs organically. Furthermore, an attacker can use this to trigger route validation continuously. Given that routers with large full tables may need more than 30 minutes to fully re-validate the table, continuous issuance/withdrawal of large numbers of ROA may be used to impact the route handling performance of all FRR instances using RPKI globally. Additionally, the re-validation will cause heightened BMP traffic to ingestors. Fixed Versions: 10.0.3, 10.1.2, 10.2.1, >= 10.3.
Solution(s): debian-upgrade-frr
References: https://attackerkb.com/topics/cve-2024-55553, CVE-2024-55553, DLA-4029-1
-
Red Hat: CVE-2025-21614: go-git: go-git clients vulnerable to DoS via maliciously crafted Git server replies (Multiple Advisories)
Severity: 8  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published: 01/06/2025  Created: 01/23/2025  Added: 01/22/2025  Modified: 01/24/2025
Description: go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
Solution(s): redhat-upgrade-grafana, redhat-upgrade-grafana-debuginfo, redhat-upgrade-grafana-debugsource, redhat-upgrade-grafana-selinux
References: CVE-2025-21614, RHSA-2025:0401, RHSA-2025:0662
-
Oracle Linux: CVE-2024-56769: ELSA-2025-20095: Unbreakable Enterprise kernel security update (IMPORTANT) (Multiple Advisories)
Severity: 5  CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
Published: 01/06/2025  Created: 02/13/2025  Added: 02/11/2025  Modified: 02/13/2025
Description: In the Linux kernel, the following vulnerability has been resolved:

media: dvb-frontends: dib3000mb: fix uninit-value in dib3000_write_reg

Syzbot reports [1] an uninitialized value issue found by KMSAN in dib3000_read_reg(). Local u8 rb[2] is used in i2c_transfer() as a read buffer; in case that call fails, the buffer may end up with some undefined values. Since no elaborate error handling is expected in dib3000_write_reg(), simply zero out rb buffer to mitigate the problem.

[1] Syzkaller report
dvb-usb: bulk message failed: -22 (6/0)
=====================================================
BUG: KMSAN: uninit-value in dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758
 dib3000mb_attach+0x2d8/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758
 dibusb_dib3000mb_frontend_attach+0x155/0x2f0 drivers/media/usb/dvb-usb/dibusb-mb.c:31
 dvb_usb_adapter_frontend_init+0xed/0x9a0 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:290
 dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:90 [inline]
 dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:186 [inline]
 dvb_usb_device_init+0x25a8/0x3760 drivers/media/usb/dvb-usb/dvb-usb-init.c:310
 dibusb_probe+0x46/0x250 drivers/media/usb/dvb-usb/dibusb-mb.c:110
 ...
Local variable rb created at:
 dib3000_read_reg+0x86/0x4e0 drivers/media/dvb-frontends/dib3000mb.c:54
 dib3000mb_attach+0x123/0x3c0 drivers/media/dvb-frontends/dib3000mb.c:758
 ...
Solution(s): oracle-linux-upgrade-kernel-uek
References: https://attackerkb.com/topics/cve-2024-56769, CVE-2024-56769, ELSA-2025-20095
-
Alma Linux: CVE-2025-21613: Important: grafana security update (ALSA-2025-0401)
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/06/2025  Created: 01/23/2025  Added: 01/21/2025  Modified: 01/21/2025
Description: go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.
Solution(s): alma-upgrade-grafana, alma-upgrade-grafana-selinux
References: https://attackerkb.com/topics/cve-2025-21613, CVE-2025-21613, https://errata.almalinux.org/8/ALSA-2025-0401.html
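Both CVE-2025-21613 entries above (Red Hat and Alma Linux) describe the same flaw class: with the file transport, a repository path taken from the URL ends up in the argv of git-upload-pack, where a value beginning with "-" is consumed as a flag. The Go program below is an added example written for this page, not go-git's code and not a reproduction of its fix. It models the unsafe argv construction beside a hardened one that refuses option-shaped paths and inserts the "--" end-of-options marker (assumption: the target binary honours "--", as git's option parser does), plus a small argv audit a reviewer can apply to any shell-out that carries user input. The hostile input "--timeout=1" is a constructed example using a documented git-upload-pack option.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
)

// ErrOptionShapedPath is returned when a repository path would be parsed by
// git-upload-pack as a command-line option rather than as a directory.
var ErrOptionShapedPath = errors.New("refusing option-shaped repository path")

// NaiveUploadPackArgs models the unsafe construction the advisory describes:
// a caller-controlled path lands directly after the binary name, so a value
// such as "--timeout=1" is read as a flag, not a path.
func NaiveUploadPackArgs(repoPath string) []string {
	return []string{"git-upload-pack", repoPath}
}

// SafeUploadPackArgs cleans the path, refuses anything that still starts with
// "-" (so "./-x" is caught too), and separates options from the path with the
// conventional "--" marker. Assumption: the binary honours "--" as git does.
func SafeUploadPackArgs(repoPath string) ([]string, error) {
	cleaned := filepath.Clean(repoPath)
	if cleaned == "" || cleaned == "." || strings.HasPrefix(cleaned, "-") {
		return nil, fmt.Errorf("%w: %q", ErrOptionShapedPath, repoPath)
	}
	return []string{"git-upload-pack", "--", cleaned}, nil
}

// InjectedOptions reports which argv entries after argv[0] an option parser
// would treat as flags: the audit to run on any argv built from user input.
func InjectedOptions(argv []string) []string {
	var opts []string
	for i, a := range argv {
		if i == 0 {
			continue
		}
		if a == "--" {
			break // everything after the marker is positional
		}
		if strings.HasPrefix(a, "-") {
			opts = append(opts, a)
		}
	}
	return opts
}

func main() {
	// Constructed attacker input: the "path" is really an upload-pack flag.
	hostile := "--timeout=1"
	naive := NaiveUploadPackArgs(hostile)
	fmt.Println("naive argv:", naive, "injected:", InjectedOptions(naive))
	if _, err := SafeUploadPackArgs(hostile); err != nil {
		fmt.Println("safe argv:", err)
	}
	args, _ := SafeUploadPackArgs("repos/app.git")
	cmd := exec.Command(args[0], args[1:]...) // built for inspection, not run
	fmt.Println("safe argv:", cmd.Args, "injected:", InjectedOptions(cmd.Args))
}
```

The leading-dash check alone is the minimum; the "--" marker is the belt-and-braces layer, because it keeps a path safe even if a later refactor drops the check or a new prefix form slips past it.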
-
Oracle Linux: CVE-2024-46981: ELSA-2025-0595: redis:6 security update (IMPORTANT) (Multiple Advisories)
Severity: 6  CVSS: (AV:L/AC:H/Au:S/C:C/I:C/A:C)
Published: 01/06/2025  Created: 01/28/2025  Added: 01/24/2025  Modified: 02/05/2025
Description: Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict the EVAL and EVALSHA commands.
Solution(s): oracle-linux-upgrade-redis, oracle-linux-upgrade-redis-devel, oracle-linux-upgrade-redis-doc
References: https://attackerkb.com/topics/cve-2024-46981, CVE-2024-46981, ELSA-2025-0595, ELSA-2025-0692, ELSA-2025-0693
-
Alma Linux: CVE-2025-21614: Important: grafana security update (ALSA-2025-0401)
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/06/2025  Created: 01/23/2025  Added: 01/21/2025  Modified: 01/21/2025
Description: go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
Solution(s): alma-upgrade-grafana, alma-upgrade-grafana-selinux
References: https://attackerkb.com/topics/cve-2025-21614, CVE-2025-21614, https://errata.almalinux.org/8/ALSA-2025-0401.html
-
SUSE: CVE-2024-5594: SUSE Linux Security Advisory
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/06/2025  Created: 01/31/2025  Added: 01/30/2025  Modified: 01/30/2025
Description: OpenVPN before 2.6.11 does not sanitize PUSH_REPLY messages properly, which attackers can use to inject unexpected arbitrary data into third-party executables or plug-ins.
Solution(s): suse-upgrade-openvpn, suse-upgrade-openvpn-auth-pam-plugin, suse-upgrade-openvpn-dco, suse-upgrade-openvpn-dco-devel, suse-upgrade-openvpn-devel, suse-upgrade-openvpn-down-root-plugin
References: https://attackerkb.com/topics/cve-2024-5594, CVE-2024-5594
-
SUSE: CVE-2025-21614: SUSE Linux Security Advisory
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/06/2025  Created: 01/14/2025  Added: 01/13/2025  Modified: 02/10/2025
Description: go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
Solution(s): suse-upgrade-govulncheck-vulndb, suse-upgrade-trivy
References: https://attackerkb.com/topics/cve-2025-21614, CVE-2025-21614
-
Alma Linux: CVE-2024-51741: Important: redis:7 security update (ALSA-2025-0692)
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/06/2025  Created: 01/31/2025  Added: 01/30/2025  Modified: 01/30/2025
Description: Redis is an open source, in-memory database that persists on disk. An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem is fixed in Redis 7.2.7 and 7.4.2.
Solution(s): alma-upgrade-redis, alma-upgrade-redis-devel, alma-upgrade-redis-doc
References: https://attackerkb.com/topics/cve-2024-51741, CVE-2024-51741, https://errata.almalinux.org/9/ALSA-2025-0692.html
-
Amazon Linux AMI 2: CVE-2025-21614: Security patch for amazon-ssm-agent (ALAS-2025-2739)
Severity: 4  CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/06/2025  Created: 02/05/2025  Added: 02/05/2025  Modified: 02/05/2025
Description: go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.
Solution(s): amazon-linux-ami-2-upgrade-amazon-ssm-agent
References: https://attackerkb.com/topics/cve-2025-21614, AL2/ALAS-2025-2739, CVE-2025-21614
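The four CVE-2025-21614 entries above (Red Hat, Alma Linux, SUSE, Amazon Linux) all state the same thing: crafted replies from a Git server can drive a go-git client into resource exhaustion. The Go program below is an added illustration written for this page, not go-git's code and not a reproduction of its fix, and it assumes nothing about which go-git code path was affected. It takes the Git wire protocol's pkt-line framing (a 4-hex-digit length prefix, "0000" as flush, at most 65520 bytes per packet) as the example and shows a reader that collects packets until a flush with no ceiling beside one that enforces a client-chosen packet and byte budget. The hostile server is a constructed io.Reader that repeats one packet forever and never flushes.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strconv"
)

// maxPktLen is the largest legal pkt-line: the 4-byte hex length prefix plus
// at most 65516 bytes of payload, per the Git protocol documentation.
const maxPktLen = 65520

var (
	ErrBadLength = errors.New("pktline: invalid length prefix")
	ErrTooMany   = errors.New("pktline: packet budget exceeded")
	ErrTooBig    = errors.New("pktline: byte budget exceeded")
)

// Pkt frames s as a pkt-line; Flush returns the "0000" flush packet.
func Pkt(s string) []byte { return []byte(fmt.Sprintf("%04x%s", len(s)+4, s)) }
func Flush() []byte       { return []byte("0000") }

// readPkt reads one pkt-line. flush is true for "0000". Protocol v2's special
// "0001"/"0002" packets are not modelled here and are rejected as bad lengths.
func readPkt(r io.Reader) ([]byte, bool, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, false, err
	}
	n, err := strconv.ParseUint(string(hdr[:]), 16, 32)
	if err != nil {
		return nil, false, fmt.Errorf("%w: %q", ErrBadLength, hdr[:])
	}
	if n == 0 {
		return nil, true, nil
	}
	if n < 4 || n > maxPktLen {
		return nil, false, fmt.Errorf("%w: %d", ErrBadLength, n)
	}
	buf := make([]byte, n-4) // per-packet allocation is capped by maxPktLen
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, false, err
	}
	return buf, false, nil
}

// ReadUntilFlushNaive collects packets until a flush with no ceiling: a server
// that keeps sending and never flushes grows client memory without limit,
// which is the resource-exhaustion shape the advisory names.
func ReadUntilFlushNaive(r io.Reader) ([][]byte, error) {
	var out [][]byte
	for {
		p, flush, err := readPkt(r)
		if err != nil {
			return nil, err
		}
		if flush {
			return out, nil
		}
		out = append(out, p)
	}
}

// ReadUntilFlushBounded does the same under a packet-count and total-byte
// budget chosen by the client, so the peer cannot dictate allocation.
func ReadUntilFlushBounded(r io.Reader, maxPackets, maxBytes int) ([][]byte, error) {
	var out [][]byte
	total := 0
	for {
		p, flush, err := readPkt(r)
		if err != nil {
			return nil, err
		}
		if flush {
			return out, nil
		}
		if len(out) >= maxPackets {
			return nil, ErrTooMany
		}
		total += len(p)
		if total > maxBytes {
			return nil, ErrTooBig
		}
		out = append(out, p)
	}
}

// endless is the constructed hostile server: it repeats one packet forever.
type endless struct {
	pkt []byte
	off int
}

func (e *endless) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = e.pkt[e.off]
		e.off = (e.off + 1) % len(e.pkt)
	}
	return len(p), nil
}

func main() {
	_, err := ReadUntilFlushBounded(&endless{pkt: Pkt("hello")}, 1000, 1<<20)
	fmt.Println("hostile server stopped by budget:", err)
}
```

The budget values are the client's policy, not the protocol's: pick them from what the operation legitimately needs (a ref advertisement for a large repository is still far below a megabyte of pkt-line payload) and treat exceeding them as a protocol error, not as a reason to allocate more.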
-
Debian: CVE-2024-56766: linux -- security update
Severity: 7  CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published: 01/06/2025  Created: 01/14/2025  Added: 01/13/2025  Modified: 01/30/2025
Description: In the Linux kernel, the following vulnerability has been resolved:

mtd: rawnand: fix double free in atmel_pmecc_create_user()

The "user" pointer was converted from being allocated with kzalloc() to being allocated by devm_kzalloc(). Calling kfree(user) will lead to a double free.
Solution(s): debian-upgrade-linux
References: https://attackerkb.com/topics/cve-2024-56766, CVE-2024-56766