All posts by ISHACK AI BOT
-
Debian: CVE-2024-2626: chromium -- security update
Debian: CVE-2024-2626: chromium -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 03/20/2024 Created 04/02/2024 Added 04/01/2024 Modified 01/28/2025 Description Out of bounds read in Swiftshader in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2024-2626 CVE - 2024-2626 DSA-5648-1
-
Gentoo Linux: CVE-2023-46839: Xen: Multiple Vulnerabilities
Gentoo Linux: CVE-2023-46839: Xen: Multiple Vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/20/2024 Created 09/24/2024 Added 09/23/2024 Modified 09/23/2024 Description PCI devices can make use of a functionality called phantom functions, that when enabled allows the device to generate requests using the IDs of functions that are otherwise unpopulated. This allows a device to extend the number of outstanding requests. Such phantom functions need an IOMMU context setup, but failure to set up the context is not fatal when the device is assigned. Not failing device assignment when such failure happens can lead to the primary device being assigned to a guest, while some of the phantom functions are assigned to a different domain. Solution(s) gentoo-linux-upgrade-app-emulation-xen References https://attackerkb.com/topics/cve-2023-46839 CVE - 2023-46839 202409-10
-
Alpine Linux: CVE-2024-29018: Vulnerability in Multiple Components
Alpine Linux: CVE-2024-29018: Vulnerability in Multiple Components Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 03/20/2024 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well. When containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs. Containers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly. In addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver. When a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. 
This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself. As a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved. Many systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forwards DNS requests from the host network namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected. Because `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers. Docker Desktop is not affected, as Docker Desktop always runs an internal resolver on an RFC 1918 address. Moby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks.
As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace. Solution(s) alpine-linux-upgrade-docker References https://attackerkb.com/topics/cve-2024-29018 CVE - 2024-29018 https://security.alpinelinux.org/vuln/CVE-2024-29018
-
Google Chrome Vulnerability: CVE-2024-2629 Incorrect security UI in iOS
Google Chrome Vulnerability: CVE-2024-2629 Incorrect security UI in iOS Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 03/20/2024 Created 03/20/2024 Added 03/20/2024 Modified 01/28/2025 Description Incorrect security UI in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2024-2629 CVE - 2024-2629 https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_19.html
-
Google Chrome Vulnerability: CVE-2024-2625 Object lifecycle issue in V8
Google Chrome Vulnerability: CVE-2024-2625 Object lifecycle issue in V8 Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 03/20/2024 Created 03/20/2024 Added 03/20/2024 Modified 01/28/2025 Description Object lifecycle issue in V8 in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2024-2625 CVE - 2024-2625 https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_19.html
-
FreeBSD: (Multiple Advisories) (CVE-2024-2625): qt6-webengine -- Multiple vulnerabilities
FreeBSD: (Multiple Advisories) (CVE-2024-2625): qt6-webengine -- Multiple vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 03/20/2024 Created 05/22/2024 Added 03/23/2024 Modified 01/28/2025 Description Object lifecycle issue in V8 in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) freebsd-upgrade-package-chromium freebsd-upgrade-package-electron27 freebsd-upgrade-package-electron28 freebsd-upgrade-package-qt6-webengine freebsd-upgrade-package-ungoogled-chromium References CVE-2024-2625
-
Google Chrome Vulnerability: CVE-2024-2626 Out of bounds read in Swiftshader
Google Chrome Vulnerability: CVE-2024-2626 Out of bounds read in Swiftshader Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 03/20/2024 Created 03/20/2024 Added 03/20/2024 Modified 01/28/2025 Description Out of bounds read in Swiftshader in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2024-2626 CVE - 2024-2626 https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_19.html
-
Debian: CVE-2023-46841: xen -- security update
Debian: CVE-2023-46841: xen -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/20/2024 Created 12/31/2024 Added 12/30/2024 Modified 12/30/2024 Description Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so-called "shadow stacks", holding little more than return addresses. Shadow stacks aren't writable by normal instructions, and upon function returns their contents are used to check for possible manipulation of a return address coming from the traditional stack. In particular certain memory accesses need intercepting by Xen. In various cases the necessary emulation involves kind of replaying of the instruction. Such replaying typically involves filling and then invoking of a stub. Such a replayed instruction may raise an exception, which is expected and dealt with accordingly. Unfortunately the interaction of both of the above wasn't right: Recovery involves removal of a call frame from the (traditional) stack. The counterpart of this operation for the shadow stack was missing. Solution(s) debian-upgrade-xen References https://attackerkb.com/topics/cve-2023-46841 CVE - 2023-46841 DSA-5836-1
-
Oracle Linux: CVE-2024-1394: ELSA-2024-1501: grafana security update (IMPORTANT) (Multiple Advisories)
Oracle Linux: CVE-2024-1394: ELSA-2024-1501: grafana security update (IMPORTANT) (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 03/20/2024 Created 05/22/2024 Added 03/21/2024 Modified 01/07/2025 Description A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them. Solution(s) oracle-linux-upgrade-aardvark-dns oracle-linux-upgrade-buildah oracle-linux-upgrade-buildah-tests oracle-linux-upgrade-cockpit-podman oracle-linux-upgrade-conmon oracle-linux-upgrade-containernetworking-plugins oracle-linux-upgrade-containers-common oracle-linux-upgrade-container-selinux oracle-linux-upgrade-crit oracle-linux-upgrade-criu oracle-linux-upgrade-criu-devel oracle-linux-upgrade-criu-libs oracle-linux-upgrade-crun oracle-linux-upgrade-delve oracle-linux-upgrade-fuse-overlayfs oracle-linux-upgrade-golang oracle-linux-upgrade-golang-bin oracle-linux-upgrade-golang-docs oracle-linux-upgrade-golang-misc oracle-linux-upgrade-golang-src oracle-linux-upgrade-golang-tests oracle-linux-upgrade-go-toolset oracle-linux-upgrade-grafana oracle-linux-upgrade-grafana-pcp oracle-linux-upgrade-grafana-selinux oracle-linux-upgrade-gvisor-tap-vsock oracle-linux-upgrade-libslirp oracle-linux-upgrade-libslirp-devel oracle-linux-upgrade-netavark oracle-linux-upgrade-oci-seccomp-bpf-hook oracle-linux-upgrade-osbuild-composer oracle-linux-upgrade-osbuild-composer-core oracle-linux-upgrade-osbuild-composer-worker
oracle-linux-upgrade-podman oracle-linux-upgrade-podman-catatonit oracle-linux-upgrade-podman-docker oracle-linux-upgrade-podman-gvproxy oracle-linux-upgrade-podman-plugins oracle-linux-upgrade-podman-remote oracle-linux-upgrade-podman-tests oracle-linux-upgrade-python3-criu oracle-linux-upgrade-python3-podman oracle-linux-upgrade-runc oracle-linux-upgrade-skopeo oracle-linux-upgrade-skopeo-tests oracle-linux-upgrade-slirp4netns oracle-linux-upgrade-udica References https://attackerkb.com/topics/cve-2024-1394 CVE - 2024-1394 ELSA-2024-1501 ELSA-2024-2569 ELSA-2024-2568 ELSA-2024-4502 ELSA-2024-5258 ELSA-2024-4762 ELSA-2024-7262 ELSA-2024-1472 ELSA-2024-1644 ELSA-2024-1646 ELSA-2024-4378 ELSA-2024-4761 ELSA-2024-4371 ELSA-2024-1502 ELSA-2024-4379 ELSA-2024-1462 ELSA-2024-2562 ELSA-2024-3265
-
FreeBSD: (Multiple Advisories) (CVE-2024-2626): qt6-webengine -- Multiple vulnerabilities
FreeBSD: (Multiple Advisories) (CVE-2024-2626): qt6-webengine -- Multiple vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 03/20/2024 Created 05/22/2024 Added 03/23/2024 Modified 01/28/2025 Description Out of bounds read in Swiftshader in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium) Solution(s) freebsd-upgrade-package-chromium freebsd-upgrade-package-qt6-webengine freebsd-upgrade-package-ungoogled-chromium References CVE-2024-2626
-
Google Chrome Vulnerability: CVE-2024-2630 Inappropriate implementation in iOS
Google Chrome Vulnerability: CVE-2024-2630 Inappropriate implementation in iOS Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 03/20/2024 Created 03/20/2024 Added 03/20/2024 Modified 01/28/2025 Description Inappropriate implementation in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2024-2630 CVE - 2024-2630 https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_19.html
-
Ubuntu: USN-7161-1 (CVE-2024-29018): Docker vulnerabilities
Ubuntu: USN-7161-1 (CVE-2024-29018): Docker vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/20/2024 Created 12/18/2024 Added 12/17/2024 Modified 12/17/2024 Description Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well. When containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs. Containers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly. In addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver. When a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. 
This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself. As a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved. Many systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forwards DNS requests from the host network namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected. Because `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers. Docker Desktop is not affected, as Docker Desktop always runs an internal resolver on an RFC 1918 address. Moby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks.
As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace. Solution(s) ubuntu-pro-upgrade-docker-io References https://attackerkb.com/topics/cve-2024-29018 CVE - 2024-29018 USN-7161-1
-
Debian: CVE-2023-46840: xen -- security update
Debian: CVE-2023-46840: xen -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/20/2024 Created 07/31/2024 Added 07/30/2024 Modified 07/30/2024 Description Incorrect placement of a preprocessor directive in source code results in logic that doesn't operate as intended when support for HVM guests is compiled out of Xen. Solution(s) debian-upgrade-xen References https://attackerkb.com/topics/cve-2023-46840 CVE - 2023-46840
-
Debian: CVE-2023-46839: xen -- security update
Debian: CVE-2023-46839: xen -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/20/2024 Created 07/31/2024 Added 07/30/2024 Modified 07/30/2024 Description PCI devices can make use of a functionality called phantom functions, that when enabled allows the device to generate requests using the IDs of functions that are otherwise unpopulated. This allows a device to extend the number of outstanding requests. Such phantom functions need an IOMMU context setup, but failure to set up the context is not fatal when the device is assigned. Not failing device assignment when such failure happens can lead to the primary device being assigned to a guest, while some of the phantom functions are assigned to a different domain. Solution(s) debian-upgrade-xen References https://attackerkb.com/topics/cve-2023-46839 CVE - 2023-46839
-
Alpine Linux: CVE-2024-2625: Vulnerability in Multiple Components
Alpine Linux: CVE-2024-2625: Vulnerability in Multiple Components Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 03/20/2024 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Object lifecycle issue in V8 in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) alpine-linux-upgrade-qt6-qtwebengine References https://attackerkb.com/topics/cve-2024-2625 CVE - 2024-2625 https://security.alpinelinux.org/vuln/CVE-2024-2625
-
Gentoo Linux: CVE-2023-46840: Xen: Multiple Vulnerabilities
Gentoo Linux: CVE-2023-46840: Xen: Multiple Vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/20/2024 Created 09/24/2024 Added 09/23/2024 Modified 09/23/2024 Description Incorrect placement of a preprocessor directive in source code results in logic that doesn't operate as intended when support for HVM guests is compiled out of Xen. Solution(s) gentoo-linux-upgrade-app-emulation-xen References https://attackerkb.com/topics/cve-2023-46840 CVE - 2023-46840 202409-10
-
Debian: CVE-2024-2631: chromium -- security update
Debian: CVE-2024-2631: chromium -- security update Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 03/20/2024 Created 04/02/2024 Added 04/01/2024 Modified 01/28/2025 Description Inappropriate implementation in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2024-2631 CVE - 2024-2631 DSA-5648-1
-
Debian: CVE-2024-2627: chromium -- security update
Debian: CVE-2024-2627: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 03/20/2024 Created 04/02/2024 Added 04/01/2024 Modified 01/28/2025 Description Use after free in Canvas in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2024-2627 CVE - 2024-2627 DSA-5648-1
-
Debian: CVE-2024-2630: chromium -- security update
Debian: CVE-2024-2630: chromium -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 03/20/2024 Created 04/02/2024 Added 04/01/2024 Modified 01/28/2025 Description Inappropriate implementation in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2024-2630 CVE - 2024-2630 DSA-5648-1
-
Debian: CVE-2024-2625: chromium -- security update
Debian: CVE-2024-2625: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 03/20/2024 Created 04/02/2024 Added 04/01/2024 Modified 01/28/2025 Description Object lifecycle issue in V8 in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2024-2625 CVE - 2024-2625 DSA-5648-1
-
Debian: CVE-2024-2629: chromium -- security update
Debian: CVE-2024-2629: chromium -- security update Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 03/20/2024 Created 04/02/2024 Added 04/01/2024 Modified 01/28/2025 Description Incorrect security UI in iOS in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2024-2629 CVE - 2024-2629 DSA-5648-1
-
Debian: CVE-2024-2628: chromium -- security update
Debian: CVE-2024-2628: chromium -- security update Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 03/20/2024 Created 04/02/2024 Added 04/01/2024 Modified 01/28/2025 Description Inappropriate implementation in Downloads in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted URL. (Chromium security severity: Medium) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2024-2628 CVE - 2024-2628 DSA-5648-1
-
Debian: CVE-2023-50967: jose -- security update
Debian: CVE-2023-50967: jose -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/20/2024 Created 07/31/2024 Added 07/30/2024 Modified 07/30/2024 Description latchset jose through version 11 allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value. Solution(s) debian-upgrade-jose References https://attackerkb.com/topics/cve-2023-50967 CVE - 2023-50967
-
Google Chrome Vulnerability: CVE-2024-2628 Inappropriate implementation in Downloads
Google Chrome Vulnerability: CVE-2024-2628 Inappropriate implementation in Downloads Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 03/20/2024 Created 03/20/2024 Added 03/20/2024 Modified 01/28/2025 Description Inappropriate implementation in Downloads in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform UI spoofing via a crafted URL. (Chromium security severity: Medium) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2024-2628 CVE - 2024-2628 https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_19.html
-
Rocky Linux: CVE-2024-0450: python3.9 (Multiple Advisories)
Rocky Linux: CVE-2024-0450: python3.9 (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 03/19/2024 Created 06/17/2024 Added 06/17/2024 Modified 11/20/2024 Description An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives which overlap entries in the archive. Solution(s) rocky-upgrade-cython-debugsource rocky-upgrade-numpy-debugsource rocky-upgrade-platform-python rocky-upgrade-platform-python-debug rocky-upgrade-platform-python-devel rocky-upgrade-python-cffi-debugsource rocky-upgrade-python-cryptography-debugsource rocky-upgrade-python-lxml-debugsource rocky-upgrade-python-psutil-debugsource rocky-upgrade-python-psycopg2-debugsource rocky-upgrade-python3 rocky-upgrade-python3-debug rocky-upgrade-python3-debuginfo rocky-upgrade-python3-debugsource rocky-upgrade-python3-devel rocky-upgrade-python3-idle rocky-upgrade-python3-libs rocky-upgrade-python3-test rocky-upgrade-python3-tkinter rocky-upgrade-python39 rocky-upgrade-python39-cffi rocky-upgrade-python39-cffi-debuginfo rocky-upgrade-python39-cryptography rocky-upgrade-python39-cryptography-debuginfo rocky-upgrade-python39-cython rocky-upgrade-python39-cython-debuginfo rocky-upgrade-python39-debug rocky-upgrade-python39-debuginfo rocky-upgrade-python39-debugsource rocky-upgrade-python39-devel rocky-upgrade-python39-idle rocky-upgrade-python39-libs rocky-upgrade-python39-lxml rocky-upgrade-python39-lxml-debuginfo rocky-upgrade-python39-mod_wsgi rocky-upgrade-python39-numpy rocky-upgrade-python39-numpy-debuginfo rocky-upgrade-python39-numpy-f2py rocky-upgrade-python39-psutil rocky-upgrade-python39-psutil-debuginfo rocky-upgrade-python39-psycopg2 rocky-upgrade-python39-psycopg2-debuginfo
rocky-upgrade-python39-psycopg2-doc rocky-upgrade-python39-psycopg2-tests rocky-upgrade-python39-pybind11 rocky-upgrade-python39-pybind11-devel rocky-upgrade-python39-pyyaml rocky-upgrade-python39-pyyaml-debuginfo rocky-upgrade-python39-scipy rocky-upgrade-python39-scipy-debuginfo rocky-upgrade-python39-test rocky-upgrade-python39-tkinter rocky-upgrade-pyyaml-debugsource rocky-upgrade-scipy-debugsource References https://attackerkb.com/topics/cve-2024-0450 CVE - 2024-0450 https://errata.rockylinux.org/RLSA-2024:3347 https://errata.rockylinux.org/RLSA-2024:3466 https://errata.rockylinux.org/RLSA-2024:4078