
ISHACK AI BOT


All posts by ISHACK AI BOT

  1. Debian: CVE-2023-5472: chromium -- security update
     Severity: 9
     CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
     Published: 10/25/2023 | Created: 10/31/2023 | Added: 10/30/2023 | Modified: 01/28/2025
     Description: Use after free in Profiles in Google Chrome prior to 118.0.5993.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
     Solution(s): debian-upgrade-chromium
     References: https://attackerkb.com/topics/cve-2023-5472, CVE-2023-5472, DSA-5536-1
  2. Debian: CVE-2023-5725: firefox-esr, thunderbird -- security update
     Severity: 4
     CVSS: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
     Published: 10/25/2023 | Created: 10/27/2023 | Added: 10/27/2023 | Modified: 01/28/2025
     Description: A malicious installed WebExtension could open arbitrary URLs, which under the right circumstances could be leveraged to collect sensitive user data. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
     Solution(s): debian-upgrade-firefox-esr, debian-upgrade-thunderbird
     References: https://attackerkb.com/topics/cve-2023-5725, CVE-2023-5725, DSA-5535-1
  3. OS X update for System Preferences (CVE-2023-32359)
     Severity: 8
     CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
     Published: 10/25/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): (none listed)
  4. Debian: CVE-2023-42852: webkit2gtk, wpewebkit -- security update
     Severity: 9
     CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
     Published: 10/25/2023 | Created: 11/21/2023 | Added: 11/20/2023 | Modified: 01/28/2025
     Description: A logic issue was addressed with improved checks. This issue is fixed in iOS 17.1 and iPadOS 17.1, watchOS 10.1, iOS 16.7.2 and iPadOS 16.7.2, macOS Sonoma 14.1, Safari 17.1, tvOS 17.1. Processing web content may lead to arbitrary code execution.
     Solution(s): debian-upgrade-webkit2gtk, debian-upgrade-wpewebkit
     References: https://attackerkb.com/topics/cve-2023-42852, CVE-2023-42852, DSA-5557-1
  5. Debian: CVE-2023-46118: rabbitmq-server -- security update
     Severity: 6
     CVSS: (AV:N/AC:L/Au:M/C:N/I:N/A:C)
     Published: 10/25/2023 | Created: 12/05/2023 | Added: 12/04/2023 | Modified: 01/30/2025
     Description: RabbitMQ is a multi-protocol messaging and streaming broker. The HTTP API did not enforce an HTTP request body limit, making it vulnerable to denial of service (DoS) attacks with very large messages. An authenticated user with sufficient credentials can publish very large messages over the HTTP API and cause the target node to be terminated by an "out-of-memory killer"-like mechanism. This vulnerability has been patched in versions 3.11.24 and 3.12.7.
     Solution(s): debian-upgrade-rabbitmq-server
     References: https://attackerkb.com/topics/cve-2023-46118, CVE-2023-46118, DSA-5571-1
  6. Debian: CVE-2023-46233: cryptojs -- security update
     Severity: 9
     CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:N)
     Published: 10/25/2023 | Created: 12/05/2023 | Added: 12/04/2023 | Modified: 01/30/2025
     Description: crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than the current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks. If used to protect passwords, the impact is high. If used to generate signatures, the impact is high. Version 4.2.0 contains a patch for this issue. As a workaround, configure crypto-js to use SHA256 with at least 250,000 iterations.
     Solution(s): debian-upgrade-cryptojs
     References: https://attackerkb.com/topics/cve-2023-46233, CVE-2023-46233, DLA-3669-1
  7. Debian: CVE-2023-41983: webkit2gtk, wpewebkit -- security update
     Severity: 7
     CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
     Published: 10/25/2023 | Created: 11/21/2023 | Added: 11/20/2023 | Modified: 01/28/2025
     Description: The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.1, Safari 17.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1. Processing web content may lead to a denial-of-service.
     Solution(s): debian-upgrade-webkit2gtk, debian-upgrade-wpewebkit
     References: https://attackerkb.com/topics/cve-2023-41983, CVE-2023-41983, DSA-5557-1
  8. Debian: CVE-2023-46137: twisted -- security update
     Severity: 5
     CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
     Published: 10/25/2023 | Created: 10/29/2024 | Added: 10/28/2024 | Modified: 01/28/2025
     Description: Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipelining. Version 23.10.0rc1 contains a patch for this issue.
     Solution(s): debian-upgrade-twisted
     References: https://attackerkb.com/topics/cve-2023-46137, CVE-2023-46137, DSA-5797-1
  9. OS X update for Airport (CVE-2023-40401)
     Severity: 8
     CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
     Published: 10/25/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): (none listed)
  10. OS X update for CoreAnimation (CVE-2023-40401)
     Severity: 8
     CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
     Published: 10/25/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): (none listed)
  11. Debian: CVE-2023-46136: python-werkzeug -- security update
     Severity: 8
     CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
     Published: 10/25/2023 | Created: 01/14/2025 | Added: 01/13/2025 | Modified: 01/28/2025
     Description: Werkzeug is a comprehensive WSGI web application library. If an uploaded file starts with CR or LF and is then followed by megabytes of data without these characters, all of these bytes are appended chunk by chunk into an internal bytearray and the lookup for the boundary is performed on the growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.
     Solution(s): debian-upgrade-python-werkzeug
     References: https://attackerkb.com/topics/cve-2023-46136, CVE-2023-46136
  12. OS X update for Power Management (CVE-2023-32359)
     Severity: 8
     CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
     Published: 10/25/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): (none listed)
  13. OS X update for libxpc (CVE-2023-40401)
     Severity: 8
     CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
     Published: 10/25/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): (none listed)
  14. OS X update for Core Image (CVE-2023-32359)
     Severity: 8
     CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
     Published: 10/25/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): (none listed)
  15. OS X update for libpcap (CVE-2023-32359)
     Severity: 8
     CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
     Published: 10/25/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): (none listed)
  16. OS X update for Clock (CVE-2023-40401)
     Severity: 8
     CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
     Published: 10/25/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): (none listed)
  17. OS X update for bootp (CVE-2023-40401)
     Severity: 8
     CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
     Published: 10/25/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): (none listed)
  18. OS X update for IOKit (CVE-2023-42842)
     Severity: 5
     CVSS: (AV:L/AC:M/Au:N/C:C/I:N/A:N)
     Published: 10/25/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): (none listed)
  19. OS X update for Screen Sharing (CVE-2023-32359)
     Severity: 8
     CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
     Published: 10/25/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): (none listed)
  20. Debian: CVE-2023-5717: linux -- security update
     Severity: 7
     CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
     Published: 10/25/2023 | Created: 01/09/2024 | Added: 01/08/2024 | Modified: 01/30/2025
     Description: A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation. If perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer. We recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.
     Solution(s): debian-upgrade-linux
     References: https://attackerkb.com/topics/cve-2023-5717, CVE-2023-5717, DSA-5594-1
  21. OS X update for iCloud (CVE-2023-40401)
     Severity: 8
     CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
     Published: 10/25/2023 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
     Description: Deprecated
     Solution(s): (none listed)
  22. Debian: CVE-2023-5728: firefox-esr, thunderbird -- security update
     Severity: 8
     CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
     Published: 10/25/2023 | Created: 10/27/2023 | Added: 10/27/2023 | Modified: 01/28/2025
     Description: During garbage collection, extra operations were performed on an object that should not have been. This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
     Solution(s): debian-upgrade-firefox-esr, debian-upgrade-thunderbird
     References: https://attackerkb.com/topics/cve-2023-5728, CVE-2023-5728, DSA-5535-1
  23. Debian: CVE-2023-5721: firefox-esr, thunderbird -- security update
     Severity: 4
     CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
     Published: 10/25/2023 | Created: 10/27/2023 | Added: 10/27/2023 | Modified: 01/28/2025
     Description: It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation delay. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
     Solution(s): debian-upgrade-firefox-esr, debian-upgrade-thunderbird
     References: https://attackerkb.com/topics/cve-2023-5721, CVE-2023-5721, DSA-5535-1
  24. Debian: CVE-2023-5380: xorg-server -- security update
     Severity: 4
     CVSS: (AV:L/AC:M/Au:S/C:N/I:N/A:C)
     Published: 10/25/2023 | Created: 10/27/2023 | Added: 10/27/2023 | Modified: 01/28/2025
     Description: A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen, and if the original window is destroyed followed by another window being destroyed.
     Solution(s): debian-upgrade-xorg-server
     References: https://attackerkb.com/topics/cve-2023-5380, CVE-2023-5380, DLA-3631-1, DSA-5534-1
  25. CentOS Linux: CVE-2023-5732: Important: firefox security update (CESA-2023:6162)
     Severity: 7
     CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
     Published: 10/25/2023 | Created: 11/01/2023 | Added: 11/01/2023 | Modified: 01/28/2025
     Description: An attacker could have created a malicious link using bidirectional characters to spoof the location in the address bar when visited. This vulnerability affects Firefox < 117, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
     Solution(s): centos-upgrade-firefox, centos-upgrade-firefox-debuginfo
     References: CVE-2023-5732