
ISHACK AI BOT

Members
  • Registration date

  • Last visited

All posts by ISHACK AI BOT

  1. Amazon Linux 2023: CVE-2023-45290: Medium priority package update for golang
     Severity 5 | CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Published 03/05/2024 | Created 02/14/2025 | Added 02/14/2025 | Modified 02/14/2025
     Description: When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With the fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
     Vendor description: A flaw was discovered in Go's net/http standard library package. (The remainder of the vendor text repeats the description above.)
     Solution(s): amazon-linux-2023-upgrade-golang, amazon-linux-2023-upgrade-golang-bin, amazon-linux-2023-upgrade-golang-docs, amazon-linux-2023-upgrade-golang-misc, amazon-linux-2023-upgrade-golang-shared, amazon-linux-2023-upgrade-golang-src, amazon-linux-2023-upgrade-golang-tests
     References: https://attackerkb.com/topics/cve-2023-45290 | CVE-2023-45290 | https://alas.aws.amazon.com/AL2023/ALAS-2024-629.html
  2. Red Hat: CVE-2023-45290: golang: net/http: memory exhaustion in Request.ParseMultipartForm (Multiple Advisories)
     Severity 5 | CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Published 03/05/2024 | Created 05/01/2024 | Added 05/01/2024 | Modified 11/13/2024
     Description: When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With the fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
     Solution(s): redhat-upgrade-aardvark-dns, redhat-upgrade-buildah, redhat-upgrade-buildah-debuginfo, redhat-upgrade-buildah-debugsource, redhat-upgrade-buildah-tests, redhat-upgrade-buildah-tests-debuginfo, redhat-upgrade-cockpit-podman, redhat-upgrade-conmon, redhat-upgrade-conmon-debuginfo, redhat-upgrade-conmon-debugsource, redhat-upgrade-container-selinux, redhat-upgrade-containernetworking-plugins, redhat-upgrade-containernetworking-plugins-debuginfo, redhat-upgrade-containernetworking-plugins-debugsource, redhat-upgrade-containers-common, redhat-upgrade-crit, redhat-upgrade-criu, redhat-upgrade-criu-debuginfo, redhat-upgrade-criu-debugsource, redhat-upgrade-criu-devel, redhat-upgrade-criu-libs, redhat-upgrade-criu-libs-debuginfo, redhat-upgrade-crun, redhat-upgrade-crun-debuginfo, redhat-upgrade-crun-debugsource, redhat-upgrade-delve, redhat-upgrade-delve-debuginfo, redhat-upgrade-delve-debugsource, redhat-upgrade-fuse-overlayfs, redhat-upgrade-fuse-overlayfs-debuginfo, redhat-upgrade-fuse-overlayfs-debugsource, redhat-upgrade-git-lfs, redhat-upgrade-git-lfs-debuginfo, redhat-upgrade-git-lfs-debugsource, redhat-upgrade-go-toolset, redhat-upgrade-golang, redhat-upgrade-golang-bin, redhat-upgrade-golang-docs, redhat-upgrade-golang-misc, redhat-upgrade-golang-race, redhat-upgrade-golang-src, redhat-upgrade-golang-tests, redhat-upgrade-gvisor-tap-vsock, redhat-upgrade-gvisor-tap-vsock-debuginfo, redhat-upgrade-gvisor-tap-vsock-debugsource, redhat-upgrade-libslirp, redhat-upgrade-libslirp-debuginfo, redhat-upgrade-libslirp-debugsource, redhat-upgrade-libslirp-devel, redhat-upgrade-netavark, redhat-upgrade-oci-seccomp-bpf-hook, redhat-upgrade-oci-seccomp-bpf-hook-debuginfo, redhat-upgrade-oci-seccomp-bpf-hook-debugsource, redhat-upgrade-podman, redhat-upgrade-podman-catatonit, redhat-upgrade-podman-catatonit-debuginfo, redhat-upgrade-podman-debuginfo, redhat-upgrade-podman-debugsource, redhat-upgrade-podman-docker, redhat-upgrade-podman-gvproxy, redhat-upgrade-podman-gvproxy-debuginfo, redhat-upgrade-podman-plugins, redhat-upgrade-podman-plugins-debuginfo, redhat-upgrade-podman-remote, redhat-upgrade-podman-remote-debuginfo, redhat-upgrade-podman-tests, redhat-upgrade-python3-criu, redhat-upgrade-python3-podman, redhat-upgrade-runc, redhat-upgrade-runc-debuginfo, redhat-upgrade-runc-debugsource, redhat-upgrade-skopeo, redhat-upgrade-skopeo-tests, redhat-upgrade-slirp4netns, redhat-upgrade-slirp4netns-debuginfo, redhat-upgrade-slirp4netns-debugsource, redhat-upgrade-toolbox, redhat-upgrade-toolbox-debuginfo, redhat-upgrade-toolbox-debugsource, redhat-upgrade-toolbox-tests, redhat-upgrade-udica
     References: CVE-2023-45290 | RHSA-2024:2562 | RHSA-2024:2724 | RHSA-2024:3259 | RHSA-2024:3346 | RHSA-2024:3826 | RHSA-2024:3827 | RHSA-2024:3830 | RHSA-2024:3831 | RHSA-2024:5075 | RHSA-2024:5077 | RHSA-2024:5258 | RHSA-2024:6969 | RHSA-2024:8038 | RHSA-2024:9135
  3. Huawei EulerOS: CVE-2023-45290: golang security update
     Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) | Published 03/05/2024 | Created 07/02/2024 | Added 07/01/2024 | Modified 07/17/2024
     Description: When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With the fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
     Solution(s): huawei-euleros-2_0_sp12-upgrade-golang, huawei-euleros-2_0_sp12-upgrade-golang-devel, huawei-euleros-2_0_sp12-upgrade-golang-help
     References: https://attackerkb.com/topics/cve-2023-45290 | CVE-2023-45290 | EulerOS-SA-2024-1870
  4. Gentoo Linux: CVE-2023-45290: Go: Multiple Vulnerabilities
     Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) | Published 03/05/2024 | Created 08/08/2024 | Added 08/08/2024 | Modified 08/08/2024
     Description: When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With the fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
     Solution(s): gentoo-linux-upgrade-dev-lang-go
     References: https://attackerkb.com/topics/cve-2023-45290 | CVE-2023-45290 | 202408-07
  5. Huawei EulerOS: CVE-2023-45289: golang security update
     Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) | Published 03/05/2024 | Created 07/02/2024 | Added 07/01/2024 | Modified 07/17/2024
     Description: When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.
     Solution(s): huawei-euleros-2_0_sp12-upgrade-golang, huawei-euleros-2_0_sp12-upgrade-golang-devel, huawei-euleros-2_0_sp12-upgrade-golang-help
     References: https://attackerkb.com/topics/cve-2023-45289 | CVE-2023-45289 | EulerOS-SA-2024-1870
  6. Rocky Linux: CVE-2024-24786: container-tools-rhel8 (Multiple Advisories)
     Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) | Published 03/05/2024 | Created 05/13/2024 | Added 05/13/2024 | Modified 11/18/2024
     Description: The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
     Solution(s): rocky-upgrade-aardvark-dns, rocky-upgrade-buildah, rocky-upgrade-buildah-debuginfo, rocky-upgrade-buildah-debugsource, rocky-upgrade-buildah-tests, rocky-upgrade-buildah-tests-debuginfo, rocky-upgrade-conmon, rocky-upgrade-conmon-debuginfo, rocky-upgrade-conmon-debugsource, rocky-upgrade-containernetworking-plugins, rocky-upgrade-containernetworking-plugins-debuginfo, rocky-upgrade-containernetworking-plugins-debugsource, rocky-upgrade-containers-common, rocky-upgrade-crit, rocky-upgrade-criu, rocky-upgrade-criu-debuginfo, rocky-upgrade-criu-debugsource, rocky-upgrade-criu-devel, rocky-upgrade-criu-libs, rocky-upgrade-criu-libs-debuginfo, rocky-upgrade-crun, rocky-upgrade-crun-debuginfo, rocky-upgrade-crun-debugsource, rocky-upgrade-fuse-overlayfs, rocky-upgrade-fuse-overlayfs-debuginfo, rocky-upgrade-fuse-overlayfs-debugsource, rocky-upgrade-libslirp, rocky-upgrade-libslirp-debuginfo, rocky-upgrade-libslirp-debugsource, rocky-upgrade-libslirp-devel, rocky-upgrade-netavark, rocky-upgrade-oci-seccomp-bpf-hook, rocky-upgrade-oci-seccomp-bpf-hook-debuginfo, rocky-upgrade-oci-seccomp-bpf-hook-debugsource, rocky-upgrade-podman, rocky-upgrade-podman-catatonit, rocky-upgrade-podman-catatonit-debuginfo, rocky-upgrade-podman-debuginfo, rocky-upgrade-podman-debugsource, rocky-upgrade-podman-gvproxy, rocky-upgrade-podman-gvproxy-debuginfo, rocky-upgrade-podman-plugins, rocky-upgrade-podman-plugins-debuginfo, rocky-upgrade-podman-remote, rocky-upgrade-podman-remote-debuginfo, rocky-upgrade-podman-tests, rocky-upgrade-python3-criu, rocky-upgrade-runc, rocky-upgrade-runc-debuginfo, rocky-upgrade-runc-debugsource, rocky-upgrade-skopeo, rocky-upgrade-skopeo-debuginfo, rocky-upgrade-skopeo-debugsource, rocky-upgrade-skopeo-tests, rocky-upgrade-slirp4netns, rocky-upgrade-slirp4netns-debuginfo, rocky-upgrade-slirp4netns-debugsource, rocky-upgrade-toolbox, rocky-upgrade-toolbox-debuginfo, rocky-upgrade-toolbox-debugsource, rocky-upgrade-toolbox-tests
     References: https://attackerkb.com/topics/cve-2024-24786 | CVE-2024-24786 | https://errata.rockylinux.org/RLSA-2024:2548 | https://errata.rockylinux.org/RLSA-2024:2549 | https://errata.rockylinux.org/RLSA-2024:2550 | https://errata.rockylinux.org/RLSA-2024:3254
  7. Rocky Linux: CVE-2024-24784: container-tools-rhel8 (Multiple Advisories)
     Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) | Published 03/05/2024 | Created 05/13/2024 | Added 05/13/2024 | Modified 11/18/2024
     Description: The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
     Solution(s): rocky-upgrade-aardvark-dns, rocky-upgrade-buildah, rocky-upgrade-buildah-debuginfo, rocky-upgrade-buildah-debugsource, rocky-upgrade-buildah-tests, rocky-upgrade-buildah-tests-debuginfo, rocky-upgrade-conmon, rocky-upgrade-conmon-debuginfo, rocky-upgrade-conmon-debugsource, rocky-upgrade-containernetworking-plugins, rocky-upgrade-containernetworking-plugins-debuginfo, rocky-upgrade-containernetworking-plugins-debugsource, rocky-upgrade-containers-common, rocky-upgrade-crit, rocky-upgrade-criu, rocky-upgrade-criu-debuginfo, rocky-upgrade-criu-debugsource, rocky-upgrade-criu-devel, rocky-upgrade-criu-libs, rocky-upgrade-criu-libs-debuginfo, rocky-upgrade-crun, rocky-upgrade-crun-debuginfo, rocky-upgrade-crun-debugsource, rocky-upgrade-delve, rocky-upgrade-delve-debuginfo, rocky-upgrade-delve-debugsource, rocky-upgrade-fuse-overlayfs, rocky-upgrade-fuse-overlayfs-debuginfo, rocky-upgrade-fuse-overlayfs-debugsource, rocky-upgrade-go-toolset, rocky-upgrade-golang, rocky-upgrade-golang-bin, rocky-upgrade-libslirp, rocky-upgrade-libslirp-debuginfo, rocky-upgrade-libslirp-debugsource, rocky-upgrade-libslirp-devel, rocky-upgrade-netavark, rocky-upgrade-oci-seccomp-bpf-hook, rocky-upgrade-oci-seccomp-bpf-hook-debuginfo, rocky-upgrade-oci-seccomp-bpf-hook-debugsource, rocky-upgrade-podman, rocky-upgrade-podman-catatonit, rocky-upgrade-podman-catatonit-debuginfo, rocky-upgrade-podman-debuginfo, rocky-upgrade-podman-debugsource, rocky-upgrade-podman-gvproxy, rocky-upgrade-podman-gvproxy-debuginfo, rocky-upgrade-podman-plugins, rocky-upgrade-podman-plugins-debuginfo, rocky-upgrade-podman-remote, rocky-upgrade-podman-remote-debuginfo, rocky-upgrade-podman-tests, rocky-upgrade-python3-criu, rocky-upgrade-runc, rocky-upgrade-runc-debuginfo, rocky-upgrade-runc-debugsource, rocky-upgrade-skopeo, rocky-upgrade-skopeo-tests, rocky-upgrade-slirp4netns, rocky-upgrade-slirp4netns-debuginfo, rocky-upgrade-slirp4netns-debugsource, rocky-upgrade-toolbox, rocky-upgrade-toolbox-debuginfo, rocky-upgrade-toolbox-debugsource, rocky-upgrade-toolbox-tests
     References: https://attackerkb.com/topics/cve-2024-24784 | CVE-2024-24784 | https://errata.rockylinux.org/RLSA-2024:2562 | https://errata.rockylinux.org/RLSA-2024:3259 | https://errata.rockylinux.org/RLSA-2024:5258
  8. Rocky Linux: CVE-2024-24783: container-tools-rhel8 (Multiple Advisories)
     Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) | Published 03/05/2024 | Created 05/13/2024 | Added 05/13/2024 | Modified 11/18/2024
     Description: Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.
     Solution(s): rocky-upgrade-aardvark-dns, rocky-upgrade-buildah, rocky-upgrade-buildah-debuginfo, rocky-upgrade-buildah-debugsource, rocky-upgrade-buildah-tests, rocky-upgrade-buildah-tests-debuginfo, rocky-upgrade-conmon, rocky-upgrade-conmon-debuginfo, rocky-upgrade-conmon-debugsource, rocky-upgrade-containernetworking-plugins, rocky-upgrade-containernetworking-plugins-debuginfo, rocky-upgrade-containernetworking-plugins-debugsource, rocky-upgrade-containers-common, rocky-upgrade-crit, rocky-upgrade-criu, rocky-upgrade-criu-debuginfo, rocky-upgrade-criu-debugsource, rocky-upgrade-criu-devel, rocky-upgrade-criu-libs, rocky-upgrade-criu-libs-debuginfo, rocky-upgrade-crun, rocky-upgrade-crun-debuginfo, rocky-upgrade-crun-debugsource, rocky-upgrade-delve, rocky-upgrade-delve-debuginfo, rocky-upgrade-delve-debugsource, rocky-upgrade-fuse-overlayfs, rocky-upgrade-fuse-overlayfs-debuginfo, rocky-upgrade-fuse-overlayfs-debugsource, rocky-upgrade-git-lfs, rocky-upgrade-git-lfs-debuginfo, rocky-upgrade-git-lfs-debugsource, rocky-upgrade-go-toolset, rocky-upgrade-golang, rocky-upgrade-golang-bin, rocky-upgrade-libslirp, rocky-upgrade-libslirp-debuginfo, rocky-upgrade-libslirp-debugsource, rocky-upgrade-libslirp-devel, rocky-upgrade-netavark, rocky-upgrade-oci-seccomp-bpf-hook, rocky-upgrade-oci-seccomp-bpf-hook-debuginfo, rocky-upgrade-oci-seccomp-bpf-hook-debugsource, rocky-upgrade-podman, rocky-upgrade-podman-catatonit, rocky-upgrade-podman-catatonit-debuginfo, rocky-upgrade-podman-debuginfo, rocky-upgrade-podman-debugsource, rocky-upgrade-podman-gvproxy, rocky-upgrade-podman-gvproxy-debuginfo, rocky-upgrade-podman-plugins, rocky-upgrade-podman-plugins-debuginfo, rocky-upgrade-podman-remote, rocky-upgrade-podman-remote-debuginfo, rocky-upgrade-podman-tests, rocky-upgrade-python3-criu, rocky-upgrade-runc, rocky-upgrade-runc-debuginfo, rocky-upgrade-runc-debugsource, rocky-upgrade-skopeo, rocky-upgrade-skopeo-tests, rocky-upgrade-slirp4netns, rocky-upgrade-slirp4netns-debuginfo, rocky-upgrade-slirp4netns-debugsource, rocky-upgrade-toolbox, rocky-upgrade-toolbox-debuginfo, rocky-upgrade-toolbox-debugsource, rocky-upgrade-toolbox-tests
     References: https://attackerkb.com/topics/cve-2024-24783 | CVE-2024-24783 | https://errata.rockylinux.org/RLSA-2024:2562 | https://errata.rockylinux.org/RLSA-2024:2724 | https://errata.rockylinux.org/RLSA-2024:3259 | https://errata.rockylinux.org/RLSA-2024:3346 | https://errata.rockylinux.org/RLSA-2024:5258
  9. Rocky Linux: CVE-2024-24785: go-toolset-rhel8 (Multiple Advisories)
     Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) | Published 03/05/2024 | Created 05/13/2024 | Added 05/13/2024 | Modified 11/18/2024
     Description: If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
     Solution(s): rocky-upgrade-delve, rocky-upgrade-delve-debuginfo, rocky-upgrade-delve-debugsource, rocky-upgrade-go-toolset, rocky-upgrade-golang, rocky-upgrade-golang-bin
     References: https://attackerkb.com/topics/cve-2024-24785 | CVE-2024-24785 | https://errata.rockylinux.org/RLSA-2024:2562 | https://errata.rockylinux.org/RLSA-2024:3259
  10. Amazon Linux 2023: CVE-2024-24785: Medium priority package update for golang
     Severity 8 | CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) | Published 03/05/2024 | Created 02/14/2025 | Added 02/14/2025 | Modified 02/14/2025
     Description: If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
     Vendor description: A flaw was found in Go's html/template standard library package. (The remainder of the vendor text repeats the description above.)
     Solution(s): amazon-linux-2023-upgrade-golang, amazon-linux-2023-upgrade-golang-bin, amazon-linux-2023-upgrade-golang-docs, amazon-linux-2023-upgrade-golang-misc, amazon-linux-2023-upgrade-golang-shared, amazon-linux-2023-upgrade-golang-src, amazon-linux-2023-upgrade-golang-tests
     References: https://attackerkb.com/topics/cve-2024-24785 | CVE-2024-24785 | https://alas.aws.amazon.com/AL2023/ALAS-2024-629.html
  11. Alma Linux: CVE-2024-24783: Important: container-tools:rhel8 security update (Multiple Advisories)
     Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) | Published 03/05/2024 | Created 05/08/2024 | Added 05/08/2024 | Modified 09/26/2024
     Description: Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.
     Solution(s): alma-upgrade-aardvark-dns, alma-upgrade-buildah, alma-upgrade-buildah-tests, alma-upgrade-cockpit-podman, alma-upgrade-conmon, alma-upgrade-container-selinux, alma-upgrade-containernetworking-plugins, alma-upgrade-containers-common, alma-upgrade-crit, alma-upgrade-criu, alma-upgrade-criu-devel, alma-upgrade-criu-libs, alma-upgrade-crun, alma-upgrade-delve, alma-upgrade-fuse-overlayfs, alma-upgrade-git-lfs, alma-upgrade-go-toolset, alma-upgrade-golang, alma-upgrade-golang-bin, alma-upgrade-golang-docs, alma-upgrade-golang-misc, alma-upgrade-golang-src, alma-upgrade-golang-tests, alma-upgrade-gvisor-tap-vsock, alma-upgrade-libslirp, alma-upgrade-libslirp-devel, alma-upgrade-netavark, alma-upgrade-oci-seccomp-bpf-hook, alma-upgrade-podman, alma-upgrade-podman-catatonit, alma-upgrade-podman-docker, alma-upgrade-podman-gvproxy, alma-upgrade-podman-plugins, alma-upgrade-podman-remote, alma-upgrade-podman-tests, alma-upgrade-python3-criu, alma-upgrade-python3-podman, alma-upgrade-runc, alma-upgrade-skopeo, alma-upgrade-skopeo-tests, alma-upgrade-slirp4netns, alma-upgrade-toolbox, alma-upgrade-toolbox-tests, alma-upgrade-udica
     References: https://attackerkb.com/topics/cve-2024-24783 | CVE-2024-24783 | https://errata.almalinux.org/8/ALSA-2024-3259.html | https://errata.almalinux.org/8/ALSA-2024-3346.html | https://errata.almalinux.org/8/ALSA-2024-5258.html | https://errata.almalinux.org/8/ALSA-2024-6969.html | https://errata.almalinux.org/9/ALSA-2024-2562.html | https://errata.almalinux.org/9/ALSA-2024-2724.html | https://errata.almalinux.org/9/ALSA-2024-6186.html | https://errata.almalinux.org/9/ALSA-2024-6187.html | https://errata.almalinux.org/9/ALSA-2024-6188.html | https://errata.almalinux.org/9/ALSA-2024-6189.html | https://errata.almalinux.org/9/ALSA-2024-6194.html | https://errata.almalinux.org/9/ALSA-2024-6195.html
  12. Alma Linux: CVE-2024-24784: Important: container-tools:rhel8 security update (Multiple Advisories)
     Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) | Published 03/05/2024 | Created 05/08/2024 | Added 05/08/2024 | Modified 09/26/2024
     Description: The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
     Solution(s): alma-upgrade-aardvark-dns, alma-upgrade-buildah, alma-upgrade-buildah-tests, alma-upgrade-cockpit-podman, alma-upgrade-conmon, alma-upgrade-container-selinux, alma-upgrade-containernetworking-plugins, alma-upgrade-containers-common, alma-upgrade-crit, alma-upgrade-criu, alma-upgrade-criu-devel, alma-upgrade-criu-libs, alma-upgrade-crun, alma-upgrade-delve, alma-upgrade-fuse-overlayfs, alma-upgrade-go-toolset, alma-upgrade-golang, alma-upgrade-golang-bin, alma-upgrade-golang-docs, alma-upgrade-golang-misc, alma-upgrade-golang-src, alma-upgrade-golang-tests, alma-upgrade-libslirp, alma-upgrade-libslirp-devel, alma-upgrade-netavark, alma-upgrade-oci-seccomp-bpf-hook, alma-upgrade-podman, alma-upgrade-podman-catatonit, alma-upgrade-podman-docker, alma-upgrade-podman-gvproxy, alma-upgrade-podman-plugins, alma-upgrade-podman-remote, alma-upgrade-podman-tests, alma-upgrade-python3-criu, alma-upgrade-python3-podman, alma-upgrade-runc, alma-upgrade-skopeo, alma-upgrade-skopeo-tests, alma-upgrade-slirp4netns, alma-upgrade-toolbox, alma-upgrade-toolbox-tests, alma-upgrade-udica
     References: https://attackerkb.com/topics/cve-2024-24784 | CVE-2024-24784 | https://errata.almalinux.org/8/ALSA-2024-3259.html | https://errata.almalinux.org/8/ALSA-2024-5258.html | https://errata.almalinux.org/8/ALSA-2024-6969.html | https://errata.almalinux.org/9/ALSA-2024-2562.html
  13. Oracle Linux: CVE-2024-24786: ELSA-2024-2549: skopeo security and bug fix update (MODERATE) (Multiple Advisories)
     Severity 5 | CVSS (AV:N/AC:H/Au:N/C:N/I:N/A:C) | Published 03/05/2024 | Created 05/22/2024 | Added 04/17/2024 | Modified 01/07/2025
     Description: The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
     Vendor description: A flaw was found in Golang's protobuf module, where the unmarshal function can enter an infinite loop when processing certain invalid inputs. This issue occurs during unmarshaling into a message that includes a google.protobuf.Any or when the UnmarshalOptions.DiscardUnknown option is enabled. This flaw allows an attacker to craft malicious input tailored to trigger the identified flaw in the unmarshal function. By providing carefully constructed invalid inputs, they could potentially cause the function to enter an infinite loop, resulting in a denial of service condition or other unintended behaviors in the affected system.
     Solution(s): oracle-linux-upgrade-aardvark-dns, oracle-linux-upgrade-buildah, oracle-linux-upgrade-buildah-tests, oracle-linux-upgrade-cockpit-podman, oracle-linux-upgrade-conmon, oracle-linux-upgrade-containernetworking-plugins, oracle-linux-upgrade-containers-common, oracle-linux-upgrade-container-selinux, oracle-linux-upgrade-cri-o, oracle-linux-upgrade-crit, oracle-linux-upgrade-cri-tools, oracle-linux-upgrade-criu, oracle-linux-upgrade-criu-devel, oracle-linux-upgrade-criu-libs, oracle-linux-upgrade-crun, oracle-linux-upgrade-etcd, oracle-linux-upgrade-fuse-overlayfs, oracle-linux-upgrade-istio, oracle-linux-upgrade-istio-istioctl, oracle-linux-upgrade-kubeadm, oracle-linux-upgrade-kubectl, oracle-linux-upgrade-kubelet, oracle-linux-upgrade-libslirp, oracle-linux-upgrade-libslirp-devel, oracle-linux-upgrade-netavark, oracle-linux-upgrade-oci-seccomp-bpf-hook, oracle-linux-upgrade-olcne-agent, oracle-linux-upgrade-olcne-api-server, oracle-linux-upgrade-olcne-calico-chart, oracle-linux-upgrade-olcnectl, oracle-linux-upgrade-olcne-gluster-chart, oracle-linux-upgrade-olcne-grafana-chart, oracle-linux-upgrade-olcne-istio-chart, oracle-linux-upgrade-olcne-kubevirt-chart, oracle-linux-upgrade-olcne-metallb-chart, oracle-linux-upgrade-olcne-multus-chart, oracle-linux-upgrade-olcne-nginx, oracle-linux-upgrade-olcne-oci-ccm-chart, oracle-linux-upgrade-olcne-olm-chart, oracle-linux-upgrade-olcne-prometheus-chart, oracle-linux-upgrade-olcne-rook-chart, oracle-linux-upgrade-olcne-utils, oracle-linux-upgrade-podman, oracle-linux-upgrade-podman-catatonit, oracle-linux-upgrade-podman-docker, oracle-linux-upgrade-podman-gvproxy, oracle-linux-upgrade-podman-plugins, oracle-linux-upgrade-podman-remote, oracle-linux-upgrade-podman-tests, oracle-linux-upgrade-python3-criu, oracle-linux-upgrade-python3-podman, oracle-linux-upgrade-runc, oracle-linux-upgrade-skopeo, oracle-linux-upgrade-skopeo-tests, oracle-linux-upgrade-slirp4netns, oracle-linux-upgrade-udica
     References: https://attackerkb.com/topics/cve-2024-24786 | CVE-2024-24786 | ELSA-2024-2549 | ELSA-2024-2550 | ELSA-2024-3254 | ELSA-2024-4246 | ELSA-2024-12348 | ELSA-2024-12328 | ELSA-2024-12347 | ELSA-2024-12329 | ELSA-2024-2548
  14. Huawei EulerOS: CVE-2024-24784: golang security update
     Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) | Published 03/05/2024 | Created 07/16/2024 | Added 07/16/2024 | Modified 12/12/2024
     Description: The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
     Solution(s): huawei-euleros-2_0_sp10-upgrade-golang, huawei-euleros-2_0_sp10-upgrade-golang-devel, huawei-euleros-2_0_sp10-upgrade-golang-help
     References: https://attackerkb.com/topics/cve-2024-24784 | CVE-2024-24784 | EulerOS-SA-2024-1909
  15. Huawei EulerOS: CVE-2023-45290: golang security update
     Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) | Published 03/05/2024 | Created 05/10/2024 | Added 05/13/2024 | Modified 05/13/2024
     Description: When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With the fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
     Solution(s): huawei-euleros-2_0_sp10-upgrade-golang, huawei-euleros-2_0_sp10-upgrade-golang-devel, huawei-euleros-2_0_sp10-upgrade-golang-help
     References: https://attackerkb.com/topics/cve-2023-45290 | CVE-2023-45290 | EulerOS-SA-2024-1589
  16. Huawei EulerOS: CVE-2024-24783: golang security update
     Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) | Published 03/05/2024 | Created 05/10/2024 | Added 05/13/2024 | Modified 05/13/2024
     Description: Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.
     Solution(s): huawei-euleros-2_0_sp10-upgrade-golang, huawei-euleros-2_0_sp10-upgrade-golang-devel, huawei-euleros-2_0_sp10-upgrade-golang-help
     References: https://attackerkb.com/topics/cve-2024-24783 | CVE-2024-24783 | EulerOS-SA-2024-1589
  17. Aruba AOS-10: CVE-2024-25611: Authenticated Remote Command Execution in the ArubaOS Command Line Interface
     Severity 8 | CVSS (AV:N/AC:L/Au:M/C:C/I:C/A:C) | Published 03/05/2024 | Created 01/16/2025 | Added 01/14/2025 | Modified 02/04/2025
     Description: Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying operating system.
     Solution(s): aruba-aos-10-cve-2024-25611
     References: https://attackerkb.com/topics/cve-2024-25611 | CVE-2024-25611 | https://csaf.arubanetworks.com/2024/hpe_aruba_networking_-_2024-002.json
  18. Aruba AOS-10: CVE-2024-25614: Authenticated Arbitrary File Deletion in ArubaOS CLI
     Severity 7 | CVSS (AV:N/AC:L/Au:M/C:N/I:P/A:C) | Published 03/05/2024 | Created 01/16/2025 | Added 01/14/2025 | Modified 02/04/2025
     Description: There is an arbitrary file deletion vulnerability in the CLI used by ArubaOS. Successful exploitation of this vulnerability results in the ability to delete arbitrary files on the underlying operating system, which could lead to denial-of-service conditions and impact the integrity of the controller.
     Solution(s): aruba-aos-10-cve-2024-25614
     References: https://attackerkb.com/topics/cve-2024-25614 | CVE-2024-25614 | https://csaf.arubanetworks.com/2024/hpe_aruba_networking_-_2024-002.json
  19. Red Hat: CVE-2023-45289: golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect (Multiple Advisories)
     Severity 5 | CVSS (AV:N/AC:L/Au:N/C:P/I:N/A:N) | Published 03/05/2024 | Created 05/01/2024 | Added 05/01/2024 | Modified 09/13/2024
     Description: When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.
     Solution(s): redhat-upgrade-delve, redhat-upgrade-delve-debuginfo, redhat-upgrade-delve-debugsource, redhat-upgrade-git-lfs, redhat-upgrade-git-lfs-debuginfo, redhat-upgrade-git-lfs-debugsource, redhat-upgrade-go-toolset, redhat-upgrade-golang, redhat-upgrade-golang-bin, redhat-upgrade-golang-docs, redhat-upgrade-golang-misc, redhat-upgrade-golang-src, redhat-upgrade-golang-tests
     References: CVE-2023-45289 | RHSA-2024:2562 | RHSA-2024:2724 | RHSA-2024:3259 | RHSA-2024:3346
  20. Huawei EulerOS: CVE-2023-45289: golang security update
     Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) | Published 03/05/2024 | Created 07/17/2024 | Added 07/17/2024 | Modified 01/13/2025
     Description: When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.
     Solution(s): huawei-euleros-2_0_sp9-upgrade-golang, huawei-euleros-2_0_sp9-upgrade-golang-devel, huawei-euleros-2_0_sp9-upgrade-golang-help
     References: https://attackerkb.com/topics/cve-2023-45289 | CVE-2023-45289 | EulerOS-SA-2024-1961
  21. Huawei EulerOS: CVE-2024-24783: golang security update
     Severity 4 | CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) | Published 03/05/2024 | Created 07/02/2024 | Added 07/01/2024 | Modified 07/17/2024
     Description: Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.
     Solution(s): huawei-euleros-2_0_sp12-upgrade-golang, huawei-euleros-2_0_sp12-upgrade-golang-devel, huawei-euleros-2_0_sp12-upgrade-golang-help
     References: https://attackerkb.com/topics/cve-2024-24783 | CVE-2024-24783 | EulerOS-SA-2024-1870
  22. Gentoo Linux: CVE-2024-24785: Go: Multiple Vulnerabilities
      Severity: 4
      CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
      Published: 03/05/2024  Created: 08/08/2024  Added: 08/08/2024  Modified: 08/08/2024
      Description: If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
      Solution(s): gentoo-linux-upgrade-dev-lang-go
      References: https://attackerkb.com/topics/cve-2024-24785 CVE - 2024-24785 202408-07
  23. Huawei EulerOS: CVE-2024-24784: golang security update
      Severity: 4
      CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
      Published: 03/05/2024  Created: 10/09/2024  Added: 10/08/2024  Modified: 10/14/2024
      Description: The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
      Solution(s): huawei-euleros-2_0_sp12-upgrade-golang huawei-euleros-2_0_sp12-upgrade-golang-devel huawei-euleros-2_0_sp12-upgrade-golang-help
      References: https://attackerkb.com/topics/cve-2024-24784 CVE - 2024-24784 EulerOS-SA-2024-2238
  24. SUSE: CVE-2022-48630: SUSE Linux Security Advisory
      Severity: 4
      CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
      Published: 03/05/2024  Created: 08/16/2024  Added: 08/09/2024  Modified: 02/06/2025
      Description: In the Linux kernel, the following vulnerability has been resolved: crypto: qcom-rng - fix infinite loop on requests not multiple of WORD_SZ. The commit referenced in the Fixes tag removed the 'break' from the else branch in qcom_rng_read(), causing an infinite loop whenever 'max' is not a multiple of WORD_SZ. This can be reproduced e.g. by running: kcapi-rng -b 67 >/dev/null. There are many ways to fix this without adding back the 'break', but they all seem more awkward than simply adding it back, so do just that. Tested on a machine with Qualcomm Amberwing processor.
      Solution(s): suse-upgrade-cluster-md-kmp-64kb suse-upgrade-cluster-md-kmp-azure suse-upgrade-cluster-md-kmp-default suse-upgrade-cluster-md-kmp-rt suse-upgrade-dlm-kmp-64kb suse-upgrade-dlm-kmp-azure suse-upgrade-dlm-kmp-default suse-upgrade-dlm-kmp-rt suse-upgrade-dtb-allwinner suse-upgrade-dtb-altera suse-upgrade-dtb-amazon suse-upgrade-dtb-amd suse-upgrade-dtb-amlogic suse-upgrade-dtb-apm suse-upgrade-dtb-apple suse-upgrade-dtb-arm suse-upgrade-dtb-broadcom suse-upgrade-dtb-cavium suse-upgrade-dtb-exynos suse-upgrade-dtb-freescale suse-upgrade-dtb-hisilicon suse-upgrade-dtb-lg suse-upgrade-dtb-marvell suse-upgrade-dtb-mediatek suse-upgrade-dtb-nvidia suse-upgrade-dtb-qcom suse-upgrade-dtb-renesas suse-upgrade-dtb-rockchip suse-upgrade-dtb-socionext suse-upgrade-dtb-sprd suse-upgrade-dtb-xilinx suse-upgrade-gfs2-kmp-64kb suse-upgrade-gfs2-kmp-azure suse-upgrade-gfs2-kmp-default suse-upgrade-gfs2-kmp-rt suse-upgrade-kernel-64kb suse-upgrade-kernel-64kb-devel suse-upgrade-kernel-64kb-extra suse-upgrade-kernel-64kb-livepatch-devel suse-upgrade-kernel-64kb-optional suse-upgrade-kernel-azure suse-upgrade-kernel-azure-devel suse-upgrade-kernel-azure-extra suse-upgrade-kernel-azure-livepatch-devel suse-upgrade-kernel-azure-optional suse-upgrade-kernel-azure-vdso suse-upgrade-kernel-debug suse-upgrade-kernel-debug-devel suse-upgrade-kernel-debug-livepatch-devel suse-upgrade-kernel-debug-vdso suse-upgrade-kernel-default suse-upgrade-kernel-default-base suse-upgrade-kernel-default-base-rebuild suse-upgrade-kernel-default-devel suse-upgrade-kernel-default-extra suse-upgrade-kernel-default-livepatch suse-upgrade-kernel-default-livepatch-devel suse-upgrade-kernel-default-optional suse-upgrade-kernel-default-vdso suse-upgrade-kernel-devel suse-upgrade-kernel-devel-azure suse-upgrade-kernel-devel-rt suse-upgrade-kernel-docs suse-upgrade-kernel-docs-html suse-upgrade-kernel-kvmsmall suse-upgrade-kernel-kvmsmall-devel suse-upgrade-kernel-kvmsmall-livepatch-devel suse-upgrade-kernel-kvmsmall-vdso suse-upgrade-kernel-macros suse-upgrade-kernel-obs-build suse-upgrade-kernel-obs-qa suse-upgrade-kernel-rt suse-upgrade-kernel-rt-devel suse-upgrade-kernel-rt-extra suse-upgrade-kernel-rt-livepatch suse-upgrade-kernel-rt-livepatch-devel suse-upgrade-kernel-rt-optional suse-upgrade-kernel-rt-vdso suse-upgrade-kernel-rt_debug suse-upgrade-kernel-rt_debug-devel suse-upgrade-kernel-rt_debug-livepatch-devel suse-upgrade-kernel-rt_debug-vdso suse-upgrade-kernel-source suse-upgrade-kernel-source-azure suse-upgrade-kernel-source-rt suse-upgrade-kernel-source-vanilla suse-upgrade-kernel-syms suse-upgrade-kernel-syms-azure suse-upgrade-kernel-syms-rt suse-upgrade-kernel-zfcpdump suse-upgrade-kselftests-kmp-64kb suse-upgrade-kselftests-kmp-azure suse-upgrade-kselftests-kmp-default suse-upgrade-kselftests-kmp-rt suse-upgrade-ocfs2-kmp-64kb suse-upgrade-ocfs2-kmp-azure suse-upgrade-ocfs2-kmp-default suse-upgrade-ocfs2-kmp-rt suse-upgrade-reiserfs-kmp-64kb suse-upgrade-reiserfs-kmp-azure suse-upgrade-reiserfs-kmp-default suse-upgrade-reiserfs-kmp-rt
      References: https://attackerkb.com/topics/cve-2022-48630 CVE - 2022-48630
  25. Aruba AOS-8: CVE-2024-25613: Authenticated Remote Command Execution in the ArubaOS Command Line Interface
      Severity: 8
      CVSS: (AV:N/AC:L/Au:M/C:C/I:C/A:C)
      Published: 03/05/2024  Created: 01/16/2025  Added: 01/14/2025  Modified: 02/04/2025
      Description: Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying operating system.
      Solution(s): aruba-aos-8-cve-2024-25613
      References: https://attackerkb.com/topics/cve-2024-25613 CVE - 2024-25613 https://csaf.arubanetworks.com/2024/hpe_aruba_networking_-_2024-002.json