ISHACK AI BOT

SUSE: CVE-2024-26745: SUSE Linux Security Advisory Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/04/2024 Created 05/06/2024 Added 05/06/2024 Modified 05/16/2024 Description In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/iommu: IOMMU table is not initialized for kdump over SR-IOV When kdump kernel tries to copy dump data over SR-IOV, LPAR panics due to NULL pointer exception: Kernel attempted to read user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc000000020847ad4 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries Modules linked in: mlx5_core(+) vmx_crypto pseries_wdt papr_scm libnvdimm mlxfw tls psample sunrpc fuse overlay squashfs loop CPU: 12 PID: 315 Comm: systemd-udevd Not tainted 6.4.0-Test102+ #12 Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries NIP:c000000020847ad4 LR: c00000002083b2dc CTR: 00000000006cd18c REGS: c000000029162ca0 TRAP: 0300 Not tainted(6.4.0-Test102+) MSR:800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>CR: 48288244XER: 00000008 CFAR: c00000002083b2d8 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 1 ... NIP _find_next_zero_bit+0x24/0x110 LRbitmap_find_next_zero_area_off+0x5c/0xe0 Call Trace: dev_printk_emit+0x38/0x48 (unreliable) iommu_area_alloc+0xc4/0x180 iommu_range_alloc+0x1e8/0x580 iommu_alloc+0x60/0x130 iommu_alloc_coherent+0x158/0x2b0 dma_iommu_alloc_coherent+0x3c/0x50 dma_alloc_attrs+0x170/0x1f0 mlx5_cmd_init+0xc0/0x760 [mlx5_core] mlx5_function_setup+0xf0/0x510 [mlx5_core] mlx5_init_one+0x84/0x210 [mlx5_core] probe_one+0x118/0x2c0 [mlx5_core] local_pci_probe+0x68/0x110 pci_call_probe+0x68/0x200 pci_device_probe+0xbc/0x1a0 really_probe+0x104/0x540 __driver_probe_device+0xb4/0x230 driver_probe_device+0x54/0x130 __driver_attach+0x158/0x2b0 bus_for_each_dev+0xa8/0x130 driver_attach+0x34/0x50 bus_add_driver+0x16c/0x300 driver_register+0xa4/0x1b0 __pci_register_driver+0x68/0x80 mlx5_init+0xb8/0x100 [mlx5_core] do_one_initcall+0x60/0x300 do_init_module+0x7c/0x2b0 At the time of LPAR dump, before kexec hands over control to kdump kernel, DDWs (Dynamic DMA Windows) are scanned and added to the FDT. For the SR-IOV case, default DMA window "ibm,dma-window" is removed from the FDT and DDW added, for the device. Now, kexec hands over control to the kdump kernel. When the kdump kernel initializes, PCI busses are scanned and IOMMU group/tables created, in pci_dma_bus_setup_pSeriesLP(). For the SR-IOV case, there is no "ibm,dma-window". The original commit: b1fc44eaa9ba, fixes the path where memory is pre-mapped (direct mapped) to the DDW. When TCEs are direct mapped, there is no need to initialize IOMMU tables. iommu_table_setparms_lpar() only considers "ibm,dma-window" property when initiallizing IOMMU table. In the scenario where TCEs are dynamically allocated for SR-IOV, newly created IOMMU table is not initialized. Later, when the device driver tries to enter TCEs for the SR-IOV device, NULL pointer execption is thrown from iommu_area_alloc(). The fix is to initialize the IOMMU table with DDW property stored in the FDT. There are 2 points to remember: 1. For the dedicated adapter, kdump kernel would encounter both default and DDW in FDT. In this case, DDW property is used to initialize the IOMMU table. 2. A DDW could be direct or dynamic mapped. kdump kernel would initialize IOMMU table and mark the existing DDW as "dynamic". This works fine since, at the time of table initialization, iommu_table_clear() makes some space in the DDW, for some predefined number of TCEs which are needed for kdump to succeed. Solution(s) suse-upgrade-cluster-md-kmp-64kb suse-upgrade-cluster-md-kmp-azure suse-upgrade-cluster-md-kmp-default suse-upgrade-cluster-md-kmp-rt suse-upgrade-dlm-kmp-64kb suse-upgrade-dlm-kmp-azure suse-upgrade-dlm-kmp-default suse-upgrade-dlm-kmp-rt suse-upgrade-dtb-allwinner suse-upgrade-dtb-altera suse-upgrade-dtb-amazon suse-upgrade-dtb-amd suse-upgrade-dtb-amlogic suse-upgrade-dtb-apm suse-upgrade-dtb-apple suse-upgrade-dtb-arm suse-upgrade-dtb-broadcom suse-upgrade-dtb-cavium suse-upgrade-dtb-exynos suse-upgrade-dtb-freescale suse-upgrade-dtb-hisilicon suse-upgrade-dtb-lg suse-upgrade-dtb-marvell suse-upgrade-dtb-mediatek suse-upgrade-dtb-nvidia suse-upgrade-dtb-qcom suse-upgrade-dtb-renesas suse-upgrade-dtb-rockchip suse-upgrade-dtb-socionext suse-upgrade-dtb-sprd suse-upgrade-dtb-xilinx suse-upgrade-gfs2-kmp-64kb suse-upgrade-gfs2-kmp-azure suse-upgrade-gfs2-kmp-default suse-upgrade-gfs2-kmp-rt suse-upgrade-kernel-64kb suse-upgrade-kernel-64kb-devel suse-upgrade-kernel-64kb-extra suse-upgrade-kernel-64kb-livepatch-devel suse-upgrade-kernel-64kb-optional suse-upgrade-kernel-azure suse-upgrade-kernel-azure-devel suse-upgrade-kernel-azure-extra suse-upgrade-kernel-azure-livepatch-devel suse-upgrade-kernel-azure-optional suse-upgrade-kernel-azure-vdso suse-upgrade-kernel-debug suse-upgrade-kernel-debug-devel suse-upgrade-kernel-debug-livepatch-devel suse-upgrade-kernel-debug-vdso suse-upgrade-kernel-default suse-upgrade-kernel-default-base suse-upgrade-kernel-default-base-rebuild suse-upgrade-kernel-default-devel suse-upgrade-kernel-default-extra suse-upgrade-kernel-default-livepatch suse-upgrade-kernel-default-livepatch-devel suse-upgrade-kernel-default-optional suse-upgrade-kernel-default-vdso suse-upgrade-kernel-devel suse-upgrade-kernel-devel-azure suse-upgrade-kernel-devel-rt suse-upgrade-kernel-docs suse-upgrade-kernel-docs-html suse-upgrade-kernel-kvmsmall suse-upgrade-kernel-kvmsmall-devel suse-upgrade-kernel-kvmsmall-livepatch-devel suse-upgrade-kernel-kvmsmall-vdso suse-upgrade-kernel-macros suse-upgrade-kernel-obs-build suse-upgrade-kernel-obs-qa suse-upgrade-kernel-rt suse-upgrade-kernel-rt-devel suse-upgrade-kernel-rt-extra suse-upgrade-kernel-rt-livepatch suse-upgrade-kernel-rt-livepatch-devel suse-upgrade-kernel-rt-optional suse-upgrade-kernel-rt-vdso suse-upgrade-kernel-rt_debug suse-upgrade-kernel-rt_debug-devel suse-upgrade-kernel-rt_debug-livepatch-devel suse-upgrade-kernel-rt_debug-vdso suse-upgrade-kernel-source suse-upgrade-kernel-source-azure suse-upgrade-kernel-source-rt suse-upgrade-kernel-source-vanilla suse-upgrade-kernel-syms suse-upgrade-kernel-syms-azure suse-upgrade-kernel-syms-rt suse-upgrade-kernel-zfcpdump suse-upgrade-kselftests-kmp-64kb suse-upgrade-kselftests-kmp-azure suse-upgrade-kselftests-kmp-default suse-upgrade-kselftests-kmp-rt suse-upgrade-ocfs2-kmp-64kb suse-upgrade-ocfs2-kmp-azure suse-upgrade-ocfs2-kmp-default suse-upgrade-ocfs2-kmp-rt suse-upgrade-reiserfs-kmp-64kb suse-upgrade-reiserfs-kmp-azure suse-upgrade-reiserfs-kmp-default suse-upgrade-reiserfs-kmp-rt References https://attackerkb.com/topics/cve-2024-26745 CVE - 2024-26745

Amazon Linux AMI 2: CVE-2023-38709: Security patch for httpd (ALAS-2024-2532) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/04/2024 Created 05/01/2024 Added 05/01/2024 Modified 07/31/2024 Description Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58. Solution(s) amazon-linux-ami-2-upgrade-httpd amazon-linux-ami-2-upgrade-httpd-debuginfo amazon-linux-ami-2-upgrade-httpd-devel amazon-linux-ami-2-upgrade-httpd-filesystem amazon-linux-ami-2-upgrade-httpd-manual amazon-linux-ami-2-upgrade-httpd-tools amazon-linux-ami-2-upgrade-mod_ldap amazon-linux-ami-2-upgrade-mod_md amazon-linux-ami-2-upgrade-mod_proxy_html amazon-linux-ami-2-upgrade-mod_session amazon-linux-ami-2-upgrade-mod_ssl References https://attackerkb.com/topics/cve-2023-38709 AL2/ALAS-2024-2532 CVE - 2023-38709

Ubuntu: (CVE-2024-26797): linux-raspi-realtime vulnerability Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/04/2024 Created 02/12/2025 Added 02/11/2025 Modified 02/11/2025 Description In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Prevent potential buffer overflow in map_hw_resources Adds a check in the map_hw_resources function to prevent a potential buffer overflow. The function was accessing arrays using an index that could potentially be greater than the size of the arrays, leading to a buffer overflow. Adds a check to ensure that the index is within the bounds of the arrays. If the index is out of bounds, an error message is printed and break it will continue execution with just ignoring extra data early to prevent the buffer overflow. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:79 map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_stream_id' 6 <= 7 drivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:81 map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_plane_id' 6 <= 7 Solution(s) ubuntu-upgrade-linux-raspi-realtime References https://attackerkb.com/topics/cve-2024-26797 CVE - 2024-26797 https://git.kernel.org/stable/c/0f8ca019544a252d1afb468ce840c6dcbac73af4 https://git.kernel.org/stable/c/50a6302cf881f67f1410461a68fe9eabd00ff31d https://www.cve.org/CVERecord?id=CVE-2024-26797

Amazon Linux 2023: CVE-2024-26809: Important priority package update for kernel Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 04/04/2024 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb (&quot;netfilter: nf_tables: integrate pipapo into commit protocol&quot;) which came after: 9827a0e6e23b (&quot;netfilter: nft_set_pipapo: release elements in clone from abort path&quot;). A vulnerability was found in the Linux kernel&apos;s Netfilter subsystem. More specifically, the issue is related to the `nft_set_pipapo` function, where releasing elements from cloned structures occurs outside the intended destroy path. This improper handling could lead to resource leaks or stability issues. Solution(s) amazon-linux-2023-upgrade-bpftool amazon-linux-2023-upgrade-bpftool-debuginfo amazon-linux-2023-upgrade-kernel amazon-linux-2023-upgrade-kernel-debuginfo amazon-linux-2023-upgrade-kernel-debuginfo-common-aarch64 amazon-linux-2023-upgrade-kernel-debuginfo-common-x86-64 amazon-linux-2023-upgrade-kernel-devel amazon-linux-2023-upgrade-kernel-headers amazon-linux-2023-upgrade-kernel-libbpf amazon-linux-2023-upgrade-kernel-libbpf-devel amazon-linux-2023-upgrade-kernel-libbpf-static amazon-linux-2023-upgrade-kernel-livepatch-6-1-84-99-169 amazon-linux-2023-upgrade-kernel-modules-extra amazon-linux-2023-upgrade-kernel-modules-extra-common amazon-linux-2023-upgrade-kernel-tools amazon-linux-2023-upgrade-kernel-tools-debuginfo amazon-linux-2023-upgrade-kernel-tools-devel amazon-linux-2023-upgrade-perf amazon-linux-2023-upgrade-perf-debuginfo amazon-linux-2023-upgrade-python3-perf amazon-linux-2023-upgrade-python3-perf-debuginfo References https://attackerkb.com/topics/cve-2024-26809 CVE - 2024-26809 https://alas.aws.amazon.com/AL2023/ALAS-2024-696.html

Amazon Linux 2023: CVE-2024-24795: Medium priority package update for httpd Severity 3 CVSS (AV:N/AC:H/Au:N/C:P/I:N/A:N) Published 04/04/2024 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue. A flaw was found in httpd. An HTTP response splitting in multiple httpd modules may allow an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Solution(s) amazon-linux-2023-upgrade-httpd amazon-linux-2023-upgrade-httpd-core amazon-linux-2023-upgrade-httpd-core-debuginfo amazon-linux-2023-upgrade-httpd-debuginfo amazon-linux-2023-upgrade-httpd-debugsource amazon-linux-2023-upgrade-httpd-devel amazon-linux-2023-upgrade-httpd-filesystem amazon-linux-2023-upgrade-httpd-manual amazon-linux-2023-upgrade-httpd-tools amazon-linux-2023-upgrade-httpd-tools-debuginfo amazon-linux-2023-upgrade-mod-ldap amazon-linux-2023-upgrade-mod-ldap-debuginfo amazon-linux-2023-upgrade-mod-lua amazon-linux-2023-upgrade-mod-lua-debuginfo amazon-linux-2023-upgrade-mod-proxy-html amazon-linux-2023-upgrade-mod-proxy-html-debuginfo amazon-linux-2023-upgrade-mod-session amazon-linux-2023-upgrade-mod-session-debuginfo amazon-linux-2023-upgrade-mod-ssl amazon-linux-2023-upgrade-mod-ssl-debuginfo References https://attackerkb.com/topics/cve-2024-24795 CVE - 2024-24795 https://alas.aws.amazon.com/AL2023/ALAS-2024-607.html

Amazon Linux 2023: CVE-2024-26792: Medium priority package update for kernel (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 04/04/2024 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of anonymous device after snapshot creation failure When creating a snapshot we may do a double free of an anonymous device in case there&apos;s an error committing the transaction. The second free may result in freeing an anonymous device number that was allocated by some other subsystem in the kernel or another btrfs filesystem. The steps that lead to this: 1) At ioctl.c:create_snapshot() we allocate an anonymous device number and assign it to pending_snapshot-&gt;anon_dev; 2) Then we call btrfs_commit_transaction() and end up at transaction.c:create_pending_snapshot(); 3) There we call btrfs_get_new_fs_root() and pass it the anonymous device number stored in pending_snapshot-&gt;anon_dev; 4) btrfs_get_new_fs_root() frees that anonymous device number because btrfs_lookup_fs_root() returned a root - someone else did a lookup of the new root already, which could some task doing backref walking; 5) After that some error happens in the transaction commit path, and at ioctl.c:create_snapshot() we jump to the &apos;fail&apos; label, and after that we free again the same anonymous device number, which in the meanwhile may have been reallocated somewhere else, because pending_snapshot-&gt;anon_dev still has the same value as in step 1. Recently syzbot ran into this and reported the following trace: ------------[ cut here ]------------ ida_free called for id=51 which is not allocated. WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525 Modules linked in: CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525 Code: 10 42 80 3c 28 (...) RSP: 0018:ffffc90015a67300 EFLAGS: 00010246 RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000 RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4 R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246 R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246 FS:00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS:0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0 Call Trace: &lt;TASK&gt; btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346 create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837 create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931 btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404 create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848 btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998 btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044 __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306 btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393 btrfs_ioctl+0xa74/0xd40 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7fca3e67dda9 Code: 28 00 00 00 (...) RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9 RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003 RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658 &lt;/TASK&gt; Where we get an explicit message where we attempt to free an anonymous device number that is not currently allocated. It happens in a different code path from the example below, at btrfs_get_root_ref(), so this change may not fix the case triggered by sy ---truncated--- A double-free flaw was found in the btrfs filesystem in the Linux kernel that could occur after a snapshot creation failure. This flaw could potentially lead to system crashes or unintended behaviors. Solution(s) amazon-linux-2023-upgrade-bpftool amazon-linux-2023-upgrade-bpftool-debuginfo amazon-linux-2023-upgrade-kernel amazon-linux-2023-upgrade-kernel-debuginfo amazon-linux-2023-upgrade-kernel-debuginfo-common-aarch64 amazon-linux-2023-upgrade-kernel-debuginfo-common-x86-64 amazon-linux-2023-upgrade-kernel-devel amazon-linux-2023-upgrade-kernel-headers amazon-linux-2023-upgrade-kernel-libbpf amazon-linux-2023-upgrade-kernel-libbpf-devel amazon-linux-2023-upgrade-kernel-libbpf-static amazon-linux-2023-upgrade-kernel-livepatch-6-1-82-99-168 amazon-linux-2023-upgrade-kernel-modules-extra amazon-linux-2023-upgrade-kernel-modules-extra-common amazon-linux-2023-upgrade-kernel-tools amazon-linux-2023-upgrade-kernel-tools-debuginfo amazon-linux-2023-upgrade-kernel-tools-devel amazon-linux-2023-upgrade-perf amazon-linux-2023-upgrade-perf-debuginfo amazon-linux-2023-upgrade-python3-perf amazon-linux-2023-upgrade-python3-perf-debuginfo References https://attackerkb.com/topics/cve-2024-26792 CVE - 2024-26792 https://alas.aws.amazon.com/AL2023/ALAS-2024-603.html https://alas.aws.amazon.com/AL2023/ALAS-2024-784.html

Amazon Linux 2023: CVE-2024-26782: Medium priority package update for kernel (Multiple Advisories) Severity 4 CVSS (AV:L/AC:H/Au:S/C:N/I:N/A:C) Published 04/04/2024 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to &apos;inet_opt&apos; for the new socket has the same value as the original one: as a consequence, on program exit it&apos;s possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.007/26/2013 Call Trace: &lt;IRQ&gt; dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 &lt;/IRQ&gt; &lt;TASK&gt; asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed &lt;0f&gt; 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b &lt;/TASK&gt; Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 __x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888485950780: fa fb fb ---truncated--- Solution(s) amazon-linux-2023-upgrade-bpftool amazon-linux-2023-upgrade-bpftool-debuginfo amazon-linux-2023-upgrade-kernel amazon-linux-2023-upgrade-kernel-debuginfo amazon-linux-2023-upgrade-kernel-debuginfo-common-aarch64 amazon-linux-2023-upgrade-kernel-debuginfo-common-x86-64 amazon-linux-2023-upgrade-kernel-devel amazon-linux-2023-upgrade-kernel-headers amazon-linux-2023-upgrade-kernel-libbpf amazon-linux-2023-upgrade-kernel-libbpf-devel amazon-linux-2023-upgrade-kernel-libbpf-static amazon-linux-2023-upgrade-kernel-livepatch-6-1-82-99-168 amazon-linux-2023-upgrade-kernel-modules-extra amazon-linux-2023-upgrade-kernel-modules-extra-common amazon-linux-2023-upgrade-kernel-tools amazon-linux-2023-upgrade-kernel-tools-debuginfo amazon-linux-2023-upgrade-kernel-tools-devel amazon-linux-2023-upgrade-perf amazon-linux-2023-upgrade-perf-debuginfo amazon-linux-2023-upgrade-python3-perf amazon-linux-2023-upgrade-python3-perf-debuginfo References https://attackerkb.com/topics/cve-2024-26782 CVE - 2024-26782 https://alas.aws.amazon.com/AL2023/ALAS-2024-603.html https://alas.aws.amazon.com/AL2023/ALAS-2024-784.html

Amazon Linux 2023: CVE-2024-26804: Medium priority package update for kernel (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 04/04/2024 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description In the Linux kernel, the following vulnerability has been resolved: net: ip_tunnel: prevent perpetual headroom growth syzkaller triggered following kasan splat: BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 Read of size 1 at addr ffff88812fb4000e by task syz-executor183/5191 [..] kasan_report+0xda/0x110 mm/kasan/report.c:588 __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline] ___skb_get_hash net/core/flow_dissector.c:1791 [inline] __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856 skb_get_hash include/linux/skbuff.h:1556 [inline] ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748 ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564 __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592 ... ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323 .. iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831 ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564 ... The splat occurs because skb-&gt;data points past skb-&gt;head allocated area. This is because neigh layer does: __skb_pull(skb, skb_network_offset(skb)); ... but skb_network_offset() returns a negative offset and __skb_pull() arg is unsigned.IOW, we skb-&gt;data gets &quot;adjusted&quot; by a huge value. The negative value is returned because skb-&gt;head and skb-&gt;data distance is more than 64k and skb-&gt;network_header (u16) has wrapped around. The bug is in the ip_tunnel infrastructure, which can cause dev-&gt;needed_headroom to increment ad infinitum. The syzkaller reproducer consists of packets getting routed via a gre tunnel, and route of gre encapsulated packets pointing at another (ipip) tunnel.The ipip encapsulation finds gre0 as next output device. This results in the following pattern: 1). First packet is to be sent out via gre0. Route lookup found an output device, ipip0. 2). ip_tunnel_xmit for gre0 bumps gre0-&gt;needed_headroom based on the future output device, rt.dev-&gt;needed_headroom (ipip0). 3). ip output / start_xmit moves skb on to ipip0. which runs the same code path again (xmit recursion). 4). Routing step for the post-gre0-encap packet finds gre0 as output device to use for ipip0 encapsulated packet. tunl0-&gt;needed_headroom is then incremented based on the (already bumped) gre0 device headroom. This repeats for every future packet: gre0-&gt;needed_headroom gets inflated because previous packets&apos; ipip0 step incremented rt-&gt;dev (gre0) headroom, and ipip0 incremented because gre0 needed_headroom was increased. For each subsequent packet, gre/ipip0-&gt;needed_headroom grows until post-expand-head reallocations result in a skb-&gt;head/data distance of more than 64k. Once that happens, skb-&gt;network_header (u16) wraps around when pskb_expand_head tries to make sure that skb_network_offset() is unchanged after the headroom expansion/reallocation. After this skb_network_offset(skb) returns a different (and negative) result post headroom expansion. The next trip to neigh layer (or anything else that would __skb_pull the network header) makes skb-&gt;data point to a memory location outside skb-&gt;head area. v2: Cap the needed_headroom update to an arbitarily chosen upperlimit to prevent perpetual increase instead of dropping the headroom increment completely. A use-after-free flaw was found in the Linux kernel’s ip_tunnel functionality when a user uses the ip_tunnel infrastructure. This flaw allows a local user to crash the system. Solution(s) amazon-linux-2023-upgrade-bpftool amazon-linux-2023-upgrade-bpftool-debuginfo amazon-linux-2023-upgrade-kernel amazon-linux-2023-upgrade-kernel-debuginfo amazon-linux-2023-upgrade-kernel-debuginfo-common-aarch64 amazon-linux-2023-upgrade-kernel-debuginfo-common-x86-64 amazon-linux-2023-upgrade-kernel-devel amazon-linux-2023-upgrade-kernel-headers amazon-linux-2023-upgrade-kernel-libbpf amazon-linux-2023-upgrade-kernel-libbpf-devel amazon-linux-2023-upgrade-kernel-libbpf-static amazon-linux-2023-upgrade-kernel-livepatch-6-1-82-99-168 amazon-linux-2023-upgrade-kernel-modules-extra amazon-linux-2023-upgrade-kernel-modules-extra-common amazon-linux-2023-upgrade-kernel-tools amazon-linux-2023-upgrade-kernel-tools-debuginfo amazon-linux-2023-upgrade-kernel-tools-devel amazon-linux-2023-upgrade-perf amazon-linux-2023-upgrade-perf-debuginfo amazon-linux-2023-upgrade-python3-perf amazon-linux-2023-upgrade-python3-perf-debuginfo References https://attackerkb.com/topics/cve-2024-26804 CVE - 2024-26804 https://alas.aws.amazon.com/AL2023/ALAS-2024-603.html https://alas.aws.amazon.com/AL2023/ALAS-2024-784.html

Amazon Linux 2023: CVE-2024-26798: Medium priority package update for kernel (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 04/04/2024 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description In the Linux kernel, the following vulnerability has been resolved: fbcon: always restore the old font data in fbcon_do_set_font() Commit a5a923038d70 (fbdev: fbcon: Properly revert changes when vc_resize() failed) started restoring old font data upon failure (of vc_resize()). But it performs so only for user fonts. It means that the &quot;system&quot;/internal fonts are not restored at all. So in result, the very first call to fbcon_do_set_font() performs no restore at all upon failing vc_resize(). This can be reproduced by Syzkaller to crash the system on the next invocation of font_get(). It&apos;s rather hard to hit the allocation failure in vc_resize() on the first font_set(), but not impossible. Esp. if fault injection is used to aid the execution/failure. It was demonstrated by Sirius: BUG: unable to handle page fault for address: fffffffffffffff8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286 Call Trace: &lt;TASK&gt; con_font_get drivers/tty/vt/vt.c:4558 [inline] con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673 vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline] vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752 tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803 vfs_ioctl fs/ioctl.c:51 [inline] ... So restore the font data in any case, not only for user fonts. Note the later &apos;if&apos; is now protected by &apos;old_userfont&apos; and not &apos;old_data&apos; as the latter is always set now. (And it is supposed to be non-NULL. Otherwise we would see the bug above again.) A vulnerability was found in the Linux kernel in the framebuffer console (`fbcon`). The`fbcon_do_set_font()` function failed to restore the old font data correctly. This flaw could lead to improper font rendering and display issues on the console. Solution(s) amazon-linux-2023-upgrade-bpftool amazon-linux-2023-upgrade-bpftool-debuginfo amazon-linux-2023-upgrade-kernel amazon-linux-2023-upgrade-kernel-debuginfo amazon-linux-2023-upgrade-kernel-debuginfo-common-aarch64 amazon-linux-2023-upgrade-kernel-debuginfo-common-x86-64 amazon-linux-2023-upgrade-kernel-devel amazon-linux-2023-upgrade-kernel-headers amazon-linux-2023-upgrade-kernel-libbpf amazon-linux-2023-upgrade-kernel-libbpf-devel amazon-linux-2023-upgrade-kernel-libbpf-static amazon-linux-2023-upgrade-kernel-livepatch-6-1-82-99-168 amazon-linux-2023-upgrade-kernel-modules-extra amazon-linux-2023-upgrade-kernel-modules-extra-common amazon-linux-2023-upgrade-kernel-tools amazon-linux-2023-upgrade-kernel-tools-debuginfo amazon-linux-2023-upgrade-kernel-tools-devel amazon-linux-2023-upgrade-perf amazon-linux-2023-upgrade-perf-debuginfo amazon-linux-2023-upgrade-python3-perf amazon-linux-2023-upgrade-python3-perf-debuginfo References https://attackerkb.com/topics/cve-2024-26798 CVE - 2024-26798 https://alas.aws.amazon.com/AL2023/ALAS-2024-603.html https://alas.aws.amazon.com/AL2023/ALAS-2024-784.html

Rocky Linux: CVE-2024-28182: nghttp2 (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/04/2024 Created 05/10/2024 Added 05/13/2024 Modified 11/18/2024 Description nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync.This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability. Solution(s) rocky-upgrade-libnghttp2 rocky-upgrade-libnghttp2-debuginfo rocky-upgrade-libnghttp2-devel rocky-upgrade-nghttp2 rocky-upgrade-nghttp2-debuginfo rocky-upgrade-nghttp2-debugsource rocky-upgrade-nodejs rocky-upgrade-nodejs-debuginfo rocky-upgrade-nodejs-debugsource rocky-upgrade-nodejs-devel rocky-upgrade-nodejs-full-i18n rocky-upgrade-nodejs-libs rocky-upgrade-nodejs-libs-debuginfo rocky-upgrade-npm References https://attackerkb.com/topics/cve-2024-28182 CVE - 2024-28182 https://errata.rockylinux.org/RLSA-2024:2778 https://errata.rockylinux.org/RLSA-2024:2779 https://errata.rockylinux.org/RLSA-2024:2780 https://errata.rockylinux.org/RLSA-2024:2853 https://errata.rockylinux.org/RLSA-2024:2910 https://errata.rockylinux.org/RLSA-2024:3501 View more

Rocky Linux: CVE-2024-31080: xorg-x11-server-Xwayland (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/04/2024 Created 05/08/2024 Added 05/08/2024 Modified 11/20/2024 Description A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads. Solution(s) rocky-upgrade-tigervnc rocky-upgrade-tigervnc-debuginfo rocky-upgrade-tigervnc-debugsource rocky-upgrade-tigervnc-server rocky-upgrade-tigervnc-server-debuginfo rocky-upgrade-tigervnc-server-minimal rocky-upgrade-tigervnc-server-minimal-debuginfo rocky-upgrade-tigervnc-server-module rocky-upgrade-tigervnc-server-module-debuginfo rocky-upgrade-xorg-x11-server-common rocky-upgrade-xorg-x11-server-debuginfo rocky-upgrade-xorg-x11-server-debugsource rocky-upgrade-xorg-x11-server-devel rocky-upgrade-xorg-x11-server-xdmx rocky-upgrade-xorg-x11-server-xdmx-debuginfo rocky-upgrade-xorg-x11-server-xephyr rocky-upgrade-xorg-x11-server-xephyr-debuginfo rocky-upgrade-xorg-x11-server-xnest rocky-upgrade-xorg-x11-server-xnest-debuginfo rocky-upgrade-xorg-x11-server-xorg rocky-upgrade-xorg-x11-server-xorg-debuginfo rocky-upgrade-xorg-x11-server-xvfb rocky-upgrade-xorg-x11-server-xvfb-debuginfo rocky-upgrade-xorg-x11-server-xwayland rocky-upgrade-xorg-x11-server-xwayland-debuginfo rocky-upgrade-xorg-x11-server-xwayland-debugsource References https://attackerkb.com/topics/cve-2024-31080 CVE - 2024-31080 https://errata.rockylinux.org/RLSA-2024:2037 https://errata.rockylinux.org/RLSA-2024:2616 https://errata.rockylinux.org/RLSA-2024:3258 https://errata.rockylinux.org/RLSA-2024:3261 https://errata.rockylinux.org/RLSA-2024:3343

FreeBSD: VID-51498EE4-39A1-11EF-B609-002590C1F29C (CVE-2024-3262): Request Tracker -- information exposure vulnerability Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/04/2024 Created 07/09/2024 Added 07/04/2024 Modified 07/04/2024 Description Information exposure vulnerability in RT software affecting version 4.4.1. This vulnerability allows an attacker with local access to the device to retrieve sensitive information about the application, such as vulnerability tickets, because the application stores the information in the browser cache, leading to information exposure despite session termination. Solution(s) freebsd-upgrade-package-rt50 References CVE-2024-3262

Oracle Linux: CVE-2024-3446: ELSA-2024-6964:virt:ol and virt-devel:rhel security update (MODERATE) (Multiple Advisories) Severity 6 CVSS (AV:L/AC:L/Au:M/C:C/I:C/A:C) Published 04/04/2024 Created 10/18/2024 Added 10/16/2024 Modified 01/07/2025 Description A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host. Solution(s) oracle-linux-upgrade-hivex oracle-linux-upgrade-hivex-devel oracle-linux-upgrade-libguestfs oracle-linux-upgrade-libguestfs-appliance oracle-linux-upgrade-libguestfs-bash-completion oracle-linux-upgrade-libguestfs-devel oracle-linux-upgrade-libguestfs-gfs2 oracle-linux-upgrade-libguestfs-gobject oracle-linux-upgrade-libguestfs-gobject-devel oracle-linux-upgrade-libguestfs-inspect-icons oracle-linux-upgrade-libguestfs-java oracle-linux-upgrade-libguestfs-java-devel oracle-linux-upgrade-libguestfs-javadoc oracle-linux-upgrade-libguestfs-man-pages-ja oracle-linux-upgrade-libguestfs-man-pages-uk oracle-linux-upgrade-libguestfs-rescue oracle-linux-upgrade-libguestfs-rsync oracle-linux-upgrade-libguestfs-tools oracle-linux-upgrade-libguestfs-tools-c oracle-linux-upgrade-libguestfs-winsupport oracle-linux-upgrade-libguestfs-xfs oracle-linux-upgrade-libiscsi oracle-linux-upgrade-libiscsi-devel oracle-linux-upgrade-libiscsi-utils oracle-linux-upgrade-libnbd oracle-linux-upgrade-libnbd-bash-completion oracle-linux-upgrade-libnbd-devel oracle-linux-upgrade-libtpms oracle-linux-upgrade-libtpms-devel oracle-linux-upgrade-libvirt oracle-linux-upgrade-libvirt-client oracle-linux-upgrade-libvirt-client-qemu oracle-linux-upgrade-libvirt-daemon oracle-linux-upgrade-libvirt-daemon-config-network oracle-linux-upgrade-libvirt-daemon-config-nwfilter oracle-linux-upgrade-libvirt-daemon-driver-interface oracle-linux-upgrade-libvirt-daemon-driver-network oracle-linux-upgrade-libvirt-daemon-driver-nodedev oracle-linux-upgrade-libvirt-daemon-driver-nwfilter oracle-linux-upgrade-libvirt-daemon-driver-qemu oracle-linux-upgrade-libvirt-daemon-driver-secret oracle-linux-upgrade-libvirt-daemon-driver-storage oracle-linux-upgrade-libvirt-daemon-driver-storage-core oracle-linux-upgrade-libvirt-daemon-driver-storage-disk oracle-linux-upgrade-libvirt-daemon-driver-storage-gluster oracle-linux-upgrade-libvirt-daemon-driver-storage-iscsi oracle-linux-upgrade-libvirt-daemon-driver-storage-iscsi-direct oracle-linux-upgrade-libvirt-daemon-driver-storage-logical oracle-linux-upgrade-libvirt-daemon-driver-storage-mpath oracle-linux-upgrade-libvirt-daemon-driver-storage-rbd oracle-linux-upgrade-libvirt-daemon-driver-storage-scsi oracle-linux-upgrade-libvirt-daemon-kvm oracle-linux-upgrade-libvirt-dbus oracle-linux-upgrade-libvirt-devel oracle-linux-upgrade-libvirt-docs oracle-linux-upgrade-libvirt-libs oracle-linux-upgrade-libvirt-lock-sanlock oracle-linux-upgrade-libvirt-nss oracle-linux-upgrade-libvirt-wireshark oracle-linux-upgrade-lua-guestfs oracle-linux-upgrade-nbdfuse oracle-linux-upgrade-nbdkit oracle-linux-upgrade-nbdkit-bash-completion oracle-linux-upgrade-nbdkit-basic-filters oracle-linux-upgrade-nbdkit-basic-plugins oracle-linux-upgrade-nbdkit-curl-plugin oracle-linux-upgrade-nbdkit-devel oracle-linux-upgrade-nbdkit-example-plugins oracle-linux-upgrade-nbdkit-gzip-filter oracle-linux-upgrade-nbdkit-gzip-plugin oracle-linux-upgrade-nbdkit-linuxdisk-plugin oracle-linux-upgrade-nbdkit-nbd-plugin oracle-linux-upgrade-nbdkit-python-plugin oracle-linux-upgrade-nbdkit-server oracle-linux-upgrade-nbdkit-ssh-plugin oracle-linux-upgrade-nbdkit-tar-filter oracle-linux-upgrade-nbdkit-tar-plugin oracle-linux-upgrade-nbdkit-tmpdisk-plugin oracle-linux-upgrade-nbdkit-vddk-plugin oracle-linux-upgrade-nbdkit-xz-filter oracle-linux-upgrade-netcf oracle-linux-upgrade-netcf-devel oracle-linux-upgrade-netcf-libs oracle-linux-upgrade-ocaml-hivex oracle-linux-upgrade-ocaml-hivex-devel oracle-linux-upgrade-ocaml-libguestfs oracle-linux-upgrade-ocaml-libguestfs-devel oracle-linux-upgrade-ocaml-libnbd oracle-linux-upgrade-ocaml-libnbd-devel oracle-linux-upgrade-perl-hivex oracle-linux-upgrade-perl-sys-guestfs oracle-linux-upgrade-perl-sys-virt oracle-linux-upgrade-python3-hivex oracle-linux-upgrade-python3-libguestfs oracle-linux-upgrade-python3-libnbd oracle-linux-upgrade-python3-libvirt oracle-linux-upgrade-qemu-guest-agent oracle-linux-upgrade-qemu-img oracle-linux-upgrade-qemu-kvm oracle-linux-upgrade-qemu-kvm-audio-pa oracle-linux-upgrade-qemu-kvm-block-blkio oracle-linux-upgrade-qemu-kvm-block-curl oracle-linux-upgrade-qemu-kvm-block-gluster oracle-linux-upgrade-qemu-kvm-block-iscsi oracle-linux-upgrade-qemu-kvm-block-rbd oracle-linux-upgrade-qemu-kvm-block-ssh oracle-linux-upgrade-qemu-kvm-common oracle-linux-upgrade-qemu-kvm-core oracle-linux-upgrade-qemu-kvm-device-display-virtio-gpu oracle-linux-upgrade-qemu-kvm-device-display-virtio-gpu-pci oracle-linux-upgrade-qemu-kvm-device-display-virtio-vga oracle-linux-upgrade-qemu-kvm-device-usb-host oracle-linux-upgrade-qemu-kvm-device-usb-redirect oracle-linux-upgrade-qemu-kvm-docs oracle-linux-upgrade-qemu-kvm-hw-usbredir oracle-linux-upgrade-qemu-kvm-tests oracle-linux-upgrade-qemu-kvm-tools oracle-linux-upgrade-qemu-kvm-ui-egl-headless oracle-linux-upgrade-qemu-kvm-ui-opengl oracle-linux-upgrade-qemu-kvm-ui-spice oracle-linux-upgrade-qemu-pr-helper oracle-linux-upgrade-qemu-virtiofsd oracle-linux-upgrade-ruby-hivex oracle-linux-upgrade-ruby-libguestfs oracle-linux-upgrade-seabios oracle-linux-upgrade-seabios-bin oracle-linux-upgrade-seavgabios-bin oracle-linux-upgrade-sgabios oracle-linux-upgrade-sgabios-bin oracle-linux-upgrade-supermin oracle-linux-upgrade-supermin-devel oracle-linux-upgrade-swtpm oracle-linux-upgrade-swtpm-devel oracle-linux-upgrade-swtpm-libs oracle-linux-upgrade-swtpm-tools oracle-linux-upgrade-swtpm-tools-pkcs11 oracle-linux-upgrade-virt-dib oracle-linux-upgrade-virt-v2v oracle-linux-upgrade-virt-v2v-bash-completion oracle-linux-upgrade-virt-v2v-man-pages-ja oracle-linux-upgrade-virt-v2v-man-pages-uk References https://attackerkb.com/topics/cve-2024-3446 CVE - 2024-3446 ELSA-2024-6964 ELSA-2024-12674 ELSA-2024-12604 ELSA-2024-12605 ELSA-2024-9136

Huawei EulerOS: CVE-2023-38709: httpd security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/04/2024 Created 10/09/2024 Added 10/08/2024 Modified 10/14/2024 Description Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58. Solution(s) huawei-euleros-2_0_sp12-upgrade-httpd huawei-euleros-2_0_sp12-upgrade-httpd-filesystem huawei-euleros-2_0_sp12-upgrade-httpd-tools huawei-euleros-2_0_sp12-upgrade-mod_ssl References https://attackerkb.com/topics/cve-2023-38709 CVE - 2023-38709 EulerOS-SA-2024-2239

Alma Linux: CVE-2024-31081: Moderate: xorg-x11-server security update (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/04/2024 Created 04/30/2024 Added 04/30/2024 Modified 11/19/2024 Description A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads. Solution(s) alma-upgrade-tigervnc alma-upgrade-tigervnc-icons alma-upgrade-tigervnc-license alma-upgrade-tigervnc-selinux alma-upgrade-tigervnc-server alma-upgrade-tigervnc-server-minimal alma-upgrade-tigervnc-server-module alma-upgrade-xorg-x11-server-common alma-upgrade-xorg-x11-server-devel alma-upgrade-xorg-x11-server-source alma-upgrade-xorg-x11-server-xdmx alma-upgrade-xorg-x11-server-xephyr alma-upgrade-xorg-x11-server-xnest alma-upgrade-xorg-x11-server-xorg alma-upgrade-xorg-x11-server-xvfb alma-upgrade-xorg-x11-server-xwayland alma-upgrade-xorg-x11-server-xwayland-devel References https://attackerkb.com/topics/cve-2024-31081 CVE - 2024-31081 https://errata.almalinux.org/8/ALSA-2024-2037.html https://errata.almalinux.org/8/ALSA-2024-3258.html https://errata.almalinux.org/8/ALSA-2024-3261.html https://errata.almalinux.org/8/ALSA-2024-3343.html https://errata.almalinux.org/9/ALSA-2024-2616.html https://errata.almalinux.org/9/ALSA-2024-9093.html https://errata.almalinux.org/9/ALSA-2024-9122.html View more

VMware Photon OS: CVE-2024-26790 Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/04/2024 Created 01/21/2025 Added 01/20/2025 Modified 01/20/2025 Description In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read There is chip (ls1028a) errata: The SoC may hang on 16 byte unaligned read transactions by QDMA. Unaligned read transactions initiated by QDMA may stall in the NOC (Network On-Chip), causing a deadlock condition. Stalled transactions will trigger completion timeouts in PCIe controller. Workaround: Enable prefetch by setting the source descriptor prefetchable bit ( SD[PF] = 1 ). Implement this workaround. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2024-26790 CVE - 2024-26790

Red Hat: CVE-2024-26801: kernel: Bluetooth: Avoid potential use-after-free in hci_error_reset (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 04/04/2024 Created 07/03/2024 Added 07/03/2024 Modified 12/05/2024 Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Avoid potential use-after-free in hci_error_reset While handling the HCI_EV_HARDWARE_ERROR event, if the underlying BT controller is not responding, the GPIO reset mechanism would free the hci_dev and lead to a use-after-free in hci_error_reset. Here's the call trace observed on a ChromeOS device with Intel AX201: queue_work_on+0x3e/0x6c __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth <HASH:3b4a6>] ? init_wait_entry+0x31/0x31 __hci_cmd_sync+0x16/0x20 [bluetooth <HASH:3b4a 6>] hci_error_reset+0x4f/0xa4 [bluetooth <HASH:3b4a 6>] process_one_work+0x1d8/0x33f worker_thread+0x21b/0x373 kthread+0x13a/0x152 ? pr_cont_work+0x54/0x54 ? kthread_blkcg+0x31/0x31 ret_from_fork+0x1f/0x30 This patch holds the reference count on the hci_dev while processing a HCI_EV_HARDWARE_ERROR event to avoid potential crash. Solution(s) redhat-upgrade-kernel redhat-upgrade-kernel-rt References CVE-2024-26801 RHSA-2024:4211 RHSA-2024:4349 RHSA-2024:4352 RHSA-2024:4533 RHSA-2024:4554 RHSA-2024:4740 View more

F5 Networks: CVE-2023-38709: K000139764: Apache HTTPD vulnerability CVE-2023-38709 Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/04/2024 Created 05/29/2024 Added 05/28/2024 Modified 08/06/2024 Description Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58. Solution(s) f5-big-ip-upgrade-latest References https://attackerkb.com/topics/cve-2023-38709 CVE - 2023-38709 https://my.f5.com/manage/s/article/K000139764

VMware Photon OS: CVE-2024-26788 Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/04/2024 Created 01/21/2025 Added 01/20/2025 Modified 01/20/2025 Description In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: init irq after reg initialization Initialize the qDMA irqs after the registers are configured so that interrupts that may have been pending from a primary kernel don't get processed by the irq handler before it is ready to and cause panic with the following trace: Call trace: fsl_qdma_queue_handler+0xf8/0x3e8 __handle_irq_event_percpu+0x78/0x2b0 handle_irq_event_percpu+0x1c/0x68 handle_irq_event+0x44/0x78 handle_fasteoi_irq+0xc8/0x178 generic_handle_irq+0x24/0x38 __handle_domain_irq+0x90/0x100 gic_handle_irq+0x5c/0xb8 el1_irq+0xb8/0x180 _raw_spin_unlock_irqrestore+0x14/0x40 __setup_irq+0x4bc/0x798 request_threaded_irq+0xd8/0x190 devm_request_threaded_irq+0x74/0xe8 fsl_qdma_probe+0x4d4/0xca8 platform_drv_probe+0x50/0xa0 really_probe+0xe0/0x3f8 driver_probe_device+0x64/0x130 device_driver_attach+0x6c/0x78 __driver_attach+0xbc/0x158 bus_for_each_dev+0x5c/0x98 driver_attach+0x20/0x28 bus_add_driver+0x158/0x220 driver_register+0x60/0x110 __platform_driver_register+0x44/0x50 fsl_qdma_driver_init+0x18/0x20 do_one_initcall+0x48/0x258 kernel_init_freeable+0x1a4/0x23c kernel_init+0x10/0xf8 ret_from_fork+0x10/0x18 Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2024-26788 CVE - 2024-26788

Gentoo Linux: CVE-2024-27316: Apache HTTPD: Multiple Vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 04/04/2024 Created 10/01/2024 Added 09/30/2024 Modified 01/28/2025 Description HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. Solution(s) gentoo-linux-upgrade-www-servers-apache References https://attackerkb.com/topics/cve-2024-27316 CVE - 2024-27316 202409-31

Huawei EulerOS: CVE-2024-26805: kernel security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/04/2024 Created 06/26/2024 Added 06/26/2024 Modified 11/11/2024 Description In the Linux kernel, the following vulnerability has been resolved: netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter syzbot reported the following uninit-value access issue [1]: netlink_to_full_skb() creates a new `skb` and puts the `skb->data` passed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data size is specified as `len` and passed to skb_put_data(). This `len` is based on `skb->end` that is not data offset but buffer offset. The `skb->end` contains data and tailroom. Since the tailroom is not initialized when the new `skb` created, KMSAN detects uninitialized memory area when copying the data. This patch resolved this issue by correct the len from `skb->end` to `skb->len`, which is the actual data offset. BUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline] BUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline] BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] BUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline] BUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copy_to_user_iter lib/iov_iter.c:24 [inline] iterate_ubuf include/linux/iov_iter.h:29 [inline] iterate_and_advance2 include/linux/iov_iter.h:245 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186 copy_to_iter include/linux/uio.h:197 [inline] simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532 __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546 skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline] packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482 sock_recvmsg_nosec net/socket.c:1044 [inline] sock_recvmsg net/socket.c:1066 [inline] sock_read_iter+0x467/0x580 net/socket.c:1136 call_read_iter include/linux/fs.h:2014 [inline] new_sync_read fs/read_write.c:389 [inline] vfs_read+0x8f6/0xe00 fs/read_write.c:470 ksys_read+0x20f/0x4c0 fs/read_write.c:613 __do_sys_read fs/read_write.c:623 [inline] __se_sys_read fs/read_write.c:621 [inline] __x64_sys_read+0x93/0xd0 fs/read_write.c:621 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was stored to memory at: skb_put_data include/linux/skbuff.h:2622 [inline] netlink_to_full_skb net/netlink/af_netlink.c:181 [inline] __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline] __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325 netlink_deliver_tap net/netlink/af_netlink.c:338 [inline] netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline] netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368 netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: free_pages_prepare mm/page_alloc.c:1087 [inline] free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347 free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533 release_pages+0x23d3/0x2410 mm/swap.c:1042 free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316 tlb_batch_pages ---truncated--- Solution(s) huawei-euleros-2_0_sp11-upgrade-bpftool huawei-euleros-2_0_sp11-upgrade-kernel huawei-euleros-2_0_sp11-upgrade-kernel-abi-stablelists huawei-euleros-2_0_sp11-upgrade-kernel-tools huawei-euleros-2_0_sp11-upgrade-kernel-tools-libs huawei-euleros-2_0_sp11-upgrade-python3-perf References https://attackerkb.com/topics/cve-2024-26805 CVE - 2024-26805 EulerOS-SA-2024-1837

Oracle Linux: CVE-2024-26804: ELSA-2024-3306:kernel security and bug fix update (MODERATE) (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 04/04/2024 Created 05/28/2024 Added 05/25/2024 Modified 01/07/2025 Description In the Linux kernel, the following vulnerability has been resolved: net: ip_tunnel: prevent perpetual headroom growth syzkaller triggered following kasan splat: BUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 Read of size 1 at addr ffff88812fb4000e by task syz-executor183/5191 [..] kasan_report+0xda/0x110 mm/kasan/report.c:588 __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170 skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline] ___skb_get_hash net/core/flow_dissector.c:1791 [inline] __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856 skb_get_hash include/linux/skbuff.h:1556 [inline] ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748 ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564 __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349 dev_queue_xmit include/linux/netdevice.h:3134 [inline] neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592 ... ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323 .. iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831 ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665 __netdev_start_xmit include/linux/netdevice.h:4940 [inline] netdev_start_xmit include/linux/netdevice.h:4954 [inline] xmit_one net/core/dev.c:3548 [inline] dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564 ... The splat occurs because skb-&gt;data points past skb-&gt;head allocated area. This is because neigh layer does: __skb_pull(skb, skb_network_offset(skb)); ... but skb_network_offset() returns a negative offset and __skb_pull() arg is unsigned.IOW, we skb-&gt;data gets &quot;adjusted&quot; by a huge value. The negative value is returned because skb-&gt;head and skb-&gt;data distance is more than 64k and skb-&gt;network_header (u16) has wrapped around. The bug is in the ip_tunnel infrastructure, which can cause dev-&gt;needed_headroom to increment ad infinitum. The syzkaller reproducer consists of packets getting routed via a gre tunnel, and route of gre encapsulated packets pointing at another (ipip) tunnel.The ipip encapsulation finds gre0 as next output device. This results in the following pattern: 1). First packet is to be sent out via gre0. Route lookup found an output device, ipip0. 2). ip_tunnel_xmit for gre0 bumps gre0-&gt;needed_headroom based on the future output device, rt.dev-&gt;needed_headroom (ipip0). 3). ip output / start_xmit moves skb on to ipip0. which runs the same code path again (xmit recursion). 4). Routing step for the post-gre0-encap packet finds gre0 as output device to use for ipip0 encapsulated packet. tunl0-&gt;needed_headroom is then incremented based on the (already bumped) gre0 device headroom. This repeats for every future packet: gre0-&gt;needed_headroom gets inflated because previous packets&apos; ipip0 step incremented rt-&gt;dev (gre0) headroom, and ipip0 incremented because gre0 needed_headroom was increased. For each subsequent packet, gre/ipip0-&gt;needed_headroom grows until post-expand-head reallocations result in a skb-&gt;head/data distance of more than 64k. Once that happens, skb-&gt;network_header (u16) wraps around when pskb_expand_head tries to make sure that skb_network_offset() is unchanged after the headroom expansion/reallocation. After this skb_network_offset(skb) returns a different (and negative) result post headroom expansion. The next trip to neigh layer (or anything else that would __skb_pull the network header) makes skb-&gt;data point to a memory location outside skb-&gt;head area. v2: Cap the needed_headroom update to an arbitarily chosen upperlimit to prevent perpetual increase instead of dropping the headroom increment completely. A use-after-free flaw was found in the Linux kernel’s ip_tunnel functionality when a user uses the ip_tunnel infrastructure. This flaw allows a local user to crash the system. Solution(s) oracle-linux-upgrade-kernel References https://attackerkb.com/topics/cve-2024-26804 CVE - 2024-26804 ELSA-2024-3306 ELSA-2024-4211

Debian: CVE-2024-26809: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 04/04/2024 Created 04/15/2024 Added 04/15/2024 Modified 07/03/2024 Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol") which came after: 9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from abort path"). Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2024-26809 CVE - 2024-26809 DSA-5658-1

Debian: CVE-2024-26800: linux -- security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 04/04/2024 Created 04/15/2024 Added 04/15/2024 Modified 01/28/2025 Description In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decrypt returns -EBUSY, tls_do_decryption will wait until all async decryptions have completed. If one of them fails, tls_do_decryption will return -EBADMSG and tls_decrypt_sg jumps to the error path, releasing all the pages. But the pages have been passed to the async callback, and have already been released by tls_decrypt_done. The only true async case is when crypto_aead_decrypt returns -EINPROGRESS. With -EBUSY, we already waited so we can tell tls_sw_recvmsg that the data is available for immediate copy, but we need to notify tls_decrypt_sg (via the new ->async_done flag) that the memory has already been released. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2024-26800 CVE - 2024-26800 DSA-5658-1

Apache HTTPD: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames (CVE-2024-27316) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 04/04/2024 Created 04/16/2024 Added 04/09/2024 Modified 12/09/2024 Description HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion. Solution(s) apache-httpd-upgrade-latest References https://attackerkb.com/topics/cve-2024-27316 http://seclists.org/fulldisclosure/2024/Jul/18 http://www.openwall.com/lists/oss-security/2024/04/04/4 https://httpd.apache.org/security/vulnerabilities_24.html https://support.apple.com/kb/HT214119 https://www.openwall.com/lists/oss-security/2024/04/03/16 CVE - 2024-27316