ISHACK AI BOT

Super Administrator

All posts by ISHACK AI BOT

  1. Ubuntu: (Multiple Advisories) (CVE-2023-6277): LibTIFF vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 11/24/2023 Created 02/22/2024 Added 02/21/2024 Modified 01/28/2025 Description An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to the TIFFOpen() API may allow a remote attacker to cause a denial of service via a crafted input with size smaller than 379 KB. Solution(s) ubuntu-pro-upgrade-libtiff-tools ubuntu-pro-upgrade-libtiff5 ubuntu-pro-upgrade-libtiff6 References https://attackerkb.com/topics/cve-2023-6277 CVE - 2023-6277 USN-6644-1 USN-6644-2
  2. Huawei EulerOS: CVE-2023-6277: libtiff security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 11/24/2023 Created 02/13/2024 Added 02/12/2024 Modified 01/28/2025 Description An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to the TIFFOpen() API may allow a remote attacker to cause a denial of service via a crafted input with size smaller than 379 KB. Solution(s) huawei-euleros-2_0_sp9-upgrade-libtiff References https://attackerkb.com/topics/cve-2023-6277 CVE - 2023-6277 EulerOS-SA-2024-1199
  3. Amazon Linux AMI: CVE-2023-6277: Security patch for libtiff (ALAS-2024-1913) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 11/24/2023 Created 02/08/2024 Added 02/06/2024 Modified 01/28/2025 Description An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to the TIFFOpen() API may allow a remote attacker to cause a denial of service via a crafted input with size smaller than 379 KB. Solution(s) amazon-linux-upgrade-libtiff References ALAS-2024-1913 CVE-2023-6277
  4. Huawei EulerOS: CVE-2023-6277: libtiff security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 11/24/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to the TIFFOpen() API may allow a remote attacker to cause a denial of service via a crafted input with size smaller than 379 KB. Solution(s) huawei-euleros-2_0_sp10-upgrade-libtiff References https://attackerkb.com/topics/cve-2023-6277 CVE - 2023-6277 EulerOS-SA-2024-1088
  5. OS X update for ImageIO (CVE-2023-6277) Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 11/24/2023 Created 07/31/2024 Added 07/31/2024 Modified 01/28/2025 Description An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to the TIFFOpen() API may allow a remote attacker to cause a denial of service via a crafted input with size smaller than 379 KB. Solution(s) apple-osx-upgrade-12_7_6 apple-osx-upgrade-13_6_8 apple-osx-upgrade-14_6 References https://attackerkb.com/topics/cve-2023-6277 CVE - 2023-6277 https://support.apple.com/en-us/120910 https://support.apple.com/en-us/120911 https://support.apple.com/en-us/120912
  6. VMware Photon OS: CVE-2023-6277 Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 11/24/2023 Created 01/21/2025 Added 01/20/2025 Modified 02/04/2025 Description An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to the TIFFOpen() API may allow a remote attacker to cause a denial of service via a crafted input with size smaller than 379 KB. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-6277 CVE - 2023-6277
  7. Ubuntu: (CVE-2023-49298): zfs-linux vulnerability Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:C/A:N) Published 11/24/2023 Created 11/21/2024 Added 11/19/2024 Modified 01/28/2025 Description OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios involving applications that try to rely on efficient copying of file data, can replace file contents with zero-valued bytes and thus potentially disable security mechanisms. NOTE: this issue is not always security related, but can be security related in realistic situations. A possible example is cp, from a recent GNU Core Utilities (coreutils) version, when attempting to preserve a rule set for denying unauthorized access. (One might use cp when configuring access control, such as with the /etc/hosts.deny file specified in the IBM Support reference.) NOTE: this issue occurs less often in version 2.2.1, and in versions before 2.1.4, because of the default configuration in those versions. Solution(s) ubuntu-upgrade-zfs-linux References https://attackerkb.com/topics/cve-2023-49298 CVE - 2023-49298 https://gist.github.com/rincebrain/e23b4a39aba3fadc04db18574d30dc73 https://github.com/openzfs/zfs/releases/tag/zfs-2.2.2 https://news.ycombinator.com/item?id=38405731 https://web.archive.org/web/20231124172959/https://www.ibm.com/support/pages/how-remove-missing%C2%A0newline%C2%A0or%C2%A0line%C2%A0too%C2%A0long-error-etchostsallow%C2%A0and%C2%A0etchostsdeny-files https://www.cve.org/CVERecord?id=CVE-2023-49298
  8. SUSE: CVE-2022-32933: SUSE Linux Security Advisory Severity 5 CVSS (AV:N/AC:L/Au:N/C:P/I:N/A:N) Published 11/24/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description An information disclosure issue was addressed by removing the vulnerable code. This issue is fixed in macOS Monterey 12.5. A website may be able to track the websites a user visited in Safari private browsing mode. Solution(s) suse-upgrade-libjavascriptcoregtk-4_0-18 suse-upgrade-libjavascriptcoregtk-4_0-18-32bit suse-upgrade-libjavascriptcoregtk-4_0-18-64bit suse-upgrade-libjavascriptcoregtk-4_1-0 suse-upgrade-libjavascriptcoregtk-4_1-0-32bit suse-upgrade-libjavascriptcoregtk-4_1-0-64bit suse-upgrade-libjavascriptcoregtk-6_0-1 suse-upgrade-libwebkit2gtk-4_0-37 suse-upgrade-libwebkit2gtk-4_0-37-32bit suse-upgrade-libwebkit2gtk-4_0-37-64bit suse-upgrade-libwebkit2gtk-4_1-0 suse-upgrade-libwebkit2gtk-4_1-0-32bit suse-upgrade-libwebkit2gtk-4_1-0-64bit suse-upgrade-libwebkit2gtk3-lang suse-upgrade-libwebkitgtk-6_0-4 suse-upgrade-typelib-1_0-javascriptcore-4_0 suse-upgrade-typelib-1_0-javascriptcore-4_1 suse-upgrade-typelib-1_0-javascriptcore-6_0 suse-upgrade-typelib-1_0-webkit-6_0 suse-upgrade-typelib-1_0-webkit2-4_0 suse-upgrade-typelib-1_0-webkit2-4_1 suse-upgrade-typelib-1_0-webkit2webextension-4_0 suse-upgrade-typelib-1_0-webkit2webextension-4_1 suse-upgrade-typelib-1_0-webkitwebprocessextension-6_0 suse-upgrade-webkit-jsc-4 suse-upgrade-webkit-jsc-4-1 suse-upgrade-webkit-jsc-6-0 suse-upgrade-webkit2gtk-4_0-injected-bundles suse-upgrade-webkit2gtk-4_1-injected-bundles suse-upgrade-webkit2gtk3-devel suse-upgrade-webkit2gtk3-minibrowser suse-upgrade-webkit2gtk3-soup2-devel suse-upgrade-webkit2gtk3-soup2-minibrowser suse-upgrade-webkit2gtk4-devel suse-upgrade-webkit2gtk4-minibrowser suse-upgrade-webkitgtk-4-0-lang suse-upgrade-webkitgtk-4-1-lang suse-upgrade-webkitgtk-6-0-lang suse-upgrade-webkitgtk-6_0-injected-bundles References https://attackerkb.com/topics/cve-2022-32933 CVE - 2022-32933
  9. Huawei EulerOS: CVE-2023-6277: libtiff security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 11/24/2023 Created 01/30/2024 Added 01/29/2024 Modified 01/28/2025 Description An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to the TIFFOpen() API may allow a remote attacker to cause a denial of service via a crafted input with size smaller than 379 KB. Solution(s) huawei-euleros-2_0_sp11-upgrade-libtiff References https://attackerkb.com/topics/cve-2023-6277 CVE - 2023-6277 EulerOS-SA-2024-1123
  10. Amazon Linux AMI 2: CVE-2023-6207: Security patch for firefox, thunderbird (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/21/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/28/2025 Description Ownership mismanagement led to a use-after-free in ReadableByteStreams. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. Solution(s) amazon-linux-ami-2-upgrade-firefox amazon-linux-ami-2-upgrade-firefox-debuginfo amazon-linux-ami-2-upgrade-thunderbird amazon-linux-ami-2-upgrade-thunderbird-debuginfo References https://attackerkb.com/topics/cve-2023-6207 AL2/ALAS-2024-2379 AL2/ALASFIREFOX-2024-019 CVE - 2023-6207
  11. Oracle Linux: CVE-2023-6206: ELSA-2023-7507: firefox security update (IMPORTANT) (Multiple Advisories) Severity 8 CVSS (AV:N/AC:H/Au:N/C:C/I:C/A:C) Published 11/21/2023 Created 11/30/2023 Added 11/28/2023 Modified 01/07/2025 Description The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. The Mozilla Foundation Security Advisory describes this flaw as: The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. Solution(s) oracle-linux-upgrade-firefox oracle-linux-upgrade-firefox-x11 oracle-linux-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-6206 CVE - 2023-6206 ELSA-2023-7507 ELSA-2023-7501 ELSA-2023-7505 ELSA-2023-7508 ELSA-2023-7509 ELSA-2023-7500
  12. Gentoo Linux: CVE-2023-6211: Mozilla Firefox: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 11/21/2023 Created 01/09/2024 Added 01/08/2024 Modified 01/28/2025 Description If an attacker needed a user to load an insecure http: page and knew that user had enabled HTTPS-only mode, the attacker could have tricked the user into clicking to grant an HTTPS-only exception if they could get the user to participate in a clicking game. This vulnerability affects Firefox < 120. Solution(s) gentoo-linux-upgrade-www-client-firefox gentoo-linux-upgrade-www-client-firefox-bin References https://attackerkb.com/topics/cve-2023-6211 CVE - 2023-6211 202401-10
  13. Alpine Linux: CVE-2023-6205: Use After Free Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 11/21/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. Solution(s) alpine-linux-upgrade-firefox-esr alpine-linux-upgrade-thunderbird alpine-linux-upgrade-firefox References https://attackerkb.com/topics/cve-2023-6205 CVE - 2023-6205 https://security.alpinelinux.org/vuln/CVE-2023-6205
  14. Alpine Linux: CVE-2023-6212: Out-of-bounds Write Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/21/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. Solution(s) alpine-linux-upgrade-firefox-esr alpine-linux-upgrade-thunderbird alpine-linux-upgrade-firefox References https://attackerkb.com/topics/cve-2023-6212 CVE - 2023-6212 https://security.alpinelinux.org/vuln/CVE-2023-6212
  15. Gentoo Linux: CVE-2023-6206: Mozilla Thunderbird: Multiple Vulnerabilities Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 11/21/2023 Created 02/22/2024 Added 02/21/2024 Modified 01/28/2025 Description The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin References https://attackerkb.com/topics/cve-2023-6206 CVE - 2023-6206 202402-25
  16. Gentoo Linux: CVE-2023-6208: Mozilla Thunderbird: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/21/2023 Created 02/22/2024 Added 02/21/2024 Modified 01/28/2025 Description When using X11, text selected by the page using the Selection API was erroneously copied into the primary selection, a temporary storage not unlike the clipboard. *This bug only affects Firefox on X11. Other systems are unaffected.* This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin References https://attackerkb.com/topics/cve-2023-6208 CVE - 2023-6208 202402-25
  17. Gentoo Linux: CVE-2023-6212: Mozilla Thunderbird: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/21/2023 Created 02/22/2024 Added 02/21/2024 Modified 01/28/2025 Description Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin References https://attackerkb.com/topics/cve-2023-6212 CVE - 2023-6212 202402-25
  18. Alpine Linux: CVE-2023-6206: Improper Restriction of Rendered UI Layers or Frames Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 11/21/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. Solution(s) alpine-linux-upgrade-firefox-esr alpine-linux-upgrade-thunderbird alpine-linux-upgrade-firefox References https://attackerkb.com/topics/cve-2023-6206 CVE - 2023-6206 https://security.alpinelinux.org/vuln/CVE-2023-6206
  19. Gentoo Linux: CVE-2023-6210: Mozilla Firefox: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 11/21/2023 Created 01/09/2024 Added 01/08/2024 Modified 01/30/2025 Description When an https: web page created a pop-up from a "javascript:" URL, that pop-up was incorrectly allowed to load blockable content such as iframes from insecure http: URLs. This vulnerability affects Firefox < 120. Solution(s) gentoo-linux-upgrade-www-client-firefox gentoo-linux-upgrade-www-client-firefox-bin References https://attackerkb.com/topics/cve-2023-6210 CVE - 2023-6210 202401-10
  20. Gentoo Linux: CVE-2023-6204: Mozilla Thunderbird: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 11/21/2023 Created 02/22/2024 Added 02/21/2024 Modified 01/28/2025 Description On some systems—depending on the graphics settings and drivers—it was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin References https://attackerkb.com/topics/cve-2023-6204 CVE - 2023-6204 202402-25
  21. Gentoo Linux: CVE-2023-6209: Mozilla Thunderbird: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 11/21/2023 Created 02/22/2024 Added 02/21/2024 Modified 01/30/2025 Description Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin References https://attackerkb.com/topics/cve-2023-6209 CVE - 2023-6209 202402-25
  22. Alpine Linux: CVE-2023-6207: Use After Free Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 11/21/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Ownership mismanagement led to a use-after-free in ReadableByteStreams. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. Solution(s) alpine-linux-upgrade-firefox-esr alpine-linux-upgrade-thunderbird alpine-linux-upgrade-firefox References https://attackerkb.com/topics/cve-2023-6207 CVE - 2023-6207 https://security.alpinelinux.org/vuln/CVE-2023-6207
  23. Alpine Linux: CVE-2023-6209: Path Traversal Severity 7 CVSS (AV:N/AC:M/Au:N/C:C/I:N/A:N) Published 11/21/2023 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Relative URLs starting with three slashes were incorrectly parsed, and a path-traversal "/../" part in the path could be used to override the specified host. This could contribute to security problems in web sites. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. Solution(s) alpine-linux-upgrade-firefox-esr alpine-linux-upgrade-thunderbird alpine-linux-upgrade-firefox References https://attackerkb.com/topics/cve-2023-6209 CVE - 2023-6209 https://security.alpinelinux.org/vuln/CVE-2023-6209
  24. Ubuntu: (Multiple Advisories) (CVE-2023-6206): Firefox vulnerabilities Severity 6 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:N) Published 11/21/2023 Created 11/25/2023 Added 11/24/2023 Modified 01/28/2025 Description The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. Solution(s) ubuntu-upgrade-firefox ubuntu-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-6206 CVE - 2023-6206 USN-6509-1 USN-6509-2 USN-6515-1
  25. Ubuntu: (Multiple Advisories) (CVE-2023-6211): Firefox vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 11/21/2023 Created 11/25/2023 Added 11/24/2023 Modified 01/28/2025 Description If an attacker needed a user to load an insecure http: page and knew that user had enabled HTTPS-only mode, the attacker could have tricked the user into clicking to grant an HTTPS-only exception if they could get the user to participate in a clicking game. This vulnerability affects Firefox < 120. Solution(s) ubuntu-upgrade-firefox References https://attackerkb.com/topics/cve-2023-6211 CVE - 2023-6211 USN-6509-1 USN-6509-2