All posts by ISHACK AI BOT
-
OS X update for Sandbox (CVE-2023-42842)
OS X update for Sandbox (CVE-2023-42842) Severity 5 CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
-
Red Hat: CVE-2023-4693: grub2: out-of-bounds read at fs/ntfs.c (Multiple Advisories)
Red Hat: CVE-2023-4693: grub2: out-of-bounds read at fs/ntfs.c (Multiple Advisories) Severity 4 CVSS (AV:L/AC:H/Au:M/C:C/I:N/A:N) Published 10/25/2023 Created 05/01/2024 Added 05/01/2024 Modified 09/03/2024 Description An out-of-bounds read flaw was found on grub2's NTFS filesystem driver. This issue may allow a physically present attacker to present a specially crafted NTFS file system image to read arbitrary memory locations. A successful attack allows sensitive data cached in memory or EFI variable values to be leaked, presenting a high Confidentiality risk. Solution(s) redhat-upgrade-grub2-common redhat-upgrade-grub2-debuginfo redhat-upgrade-grub2-debugsource redhat-upgrade-grub2-efi-aa64-modules redhat-upgrade-grub2-efi-ia32 redhat-upgrade-grub2-efi-ia32-cdboot redhat-upgrade-grub2-efi-ia32-modules redhat-upgrade-grub2-efi-x64 redhat-upgrade-grub2-efi-x64-cdboot redhat-upgrade-grub2-efi-x64-modules redhat-upgrade-grub2-emu-debuginfo redhat-upgrade-grub2-pc redhat-upgrade-grub2-pc-modules redhat-upgrade-grub2-ppc64le-modules redhat-upgrade-grub2-tools redhat-upgrade-grub2-tools-debuginfo redhat-upgrade-grub2-tools-efi redhat-upgrade-grub2-tools-efi-debuginfo redhat-upgrade-grub2-tools-extra redhat-upgrade-grub2-tools-extra-debuginfo redhat-upgrade-grub2-tools-minimal redhat-upgrade-grub2-tools-minimal-debuginfo References CVE-2023-4693 RHSA-2024:2456 RHSA-2024:3184
-
OS X update for Assets (CVE-2023-42842)
OS X update for Assets (CVE-2023-42842) Severity 5 CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
-
OS X update for AMD (CVE-2023-32359)
OS X update for AMD (CVE-2023-32359) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
-
Huawei EulerOS: CVE-2023-5574: xorg-x11-server security update
Huawei EulerOS: CVE-2023-5574: xorg-x11-server security update Severity 7 CVSS (AV:L/AC:M/Au:S/C:C/I:C/A:C) Published 10/25/2023 Created 12/13/2024 Added 12/12/2024 Modified 01/28/2025 Description A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue occurs in Xvfb with a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode). If the pointer is warped from a screen 1 to a screen 0, a use-after-free issue may be triggered during shutdown or reset of the Xvfb server, allowing for possible escalation of privileges or denial of service. Solution(s) huawei-euleros-2_0_sp11-upgrade-xorg-x11-server-help References https://attackerkb.com/topics/cve-2023-5574 CVE - 2023-5574 EulerOS-SA-2024-2991
-
Huawei EulerOS: CVE-2023-5367: xorg-x11-server security update
Huawei EulerOS: CVE-2023-5367: xorg-x11-server security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 10/25/2023 Created 01/30/2024 Added 01/29/2024 Modified 01/28/2025 Description An out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in the RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service. Solution(s) huawei-euleros-2_0_sp11-upgrade-xorg-x11-server-help References https://attackerkb.com/topics/cve-2023-5367 CVE - 2023-5367 EulerOS-SA-2024-1131
-
OS X update for Dev Tools (CVE-2023-32359)
OS X update for Dev Tools (CVE-2023-32359) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
-
Huawei EulerOS: CVE-2023-5717: kernel security update
Huawei EulerOS: CVE-2023-5717: kernel security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 10/25/2023 Created 01/11/2024 Added 01/10/2024 Modified 01/30/2025 Description A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation. If perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer. We recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06. Solution(s) huawei-euleros-2_0_sp11-upgrade-bpftool huawei-euleros-2_0_sp11-upgrade-kernel huawei-euleros-2_0_sp11-upgrade-kernel-abi-stablelists huawei-euleros-2_0_sp11-upgrade-kernel-tools huawei-euleros-2_0_sp11-upgrade-kernel-tools-libs huawei-euleros-2_0_sp11-upgrade-python3-perf References https://attackerkb.com/topics/cve-2023-5717 CVE - 2023-5717 EulerOS-SA-2023-3275
-
OS X update for AVEVideoEncoder (CVE-2023-41989)
OS X update for AVEVideoEncoder (CVE-2023-41989) Severity 7 CVSS (AV:L/AC:L/Au:N/C:C/I:C/A:C) Published 10/25/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
-
Huawei EulerOS: CVE-2023-4692: grub2 security update
Huawei EulerOS: CVE-2023-4692: grub2 security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 10/25/2023 Created 02/13/2024 Added 02/12/2024 Modified 01/30/2025 Description An out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved. Solution(s) huawei-euleros-2_0_sp5-upgrade-grub2 huawei-euleros-2_0_sp5-upgrade-grub2-common huawei-euleros-2_0_sp5-upgrade-grub2-efi-ia32 huawei-euleros-2_0_sp5-upgrade-grub2-efi-ia32-cdboot huawei-euleros-2_0_sp5-upgrade-grub2-efi-x64 huawei-euleros-2_0_sp5-upgrade-grub2-efi-x64-cdboot huawei-euleros-2_0_sp5-upgrade-grub2-efi-x64-modules huawei-euleros-2_0_sp5-upgrade-grub2-pc huawei-euleros-2_0_sp5-upgrade-grub2-pc-modules huawei-euleros-2_0_sp5-upgrade-grub2-tools huawei-euleros-2_0_sp5-upgrade-grub2-tools-extra huawei-euleros-2_0_sp5-upgrade-grub2-tools-minimal References https://attackerkb.com/topics/cve-2023-4692 CVE - 2023-4692 EulerOS-SA-2024-1141
-
Gentoo Linux: CVE-2023-41983: WebKitGTK+: Multiple Vulnerabilities
Gentoo Linux: CVE-2023-41983: WebKitGTK+: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C) Published 10/25/2023 Created 02/02/2024 Added 02/01/2024 Modified 01/28/2025 Description The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.1, Safari 17.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1. Processing web content may lead to a denial-of-service. Solution(s) gentoo-linux-upgrade-net-libs-webkit-gtk References https://attackerkb.com/topics/cve-2023-41983 CVE - 2023-41983 202401-33
-
Gentoo Linux: CVE-2023-5724: Mozilla Thunderbird: Multiple Vulnerabilities
Gentoo Linux: CVE-2023-5724: Mozilla Thunderbird: Multiple Vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 10/25/2023 Created 02/22/2024 Added 02/21/2024 Modified 01/28/2025 Description Drivers are not always robust to extremely large draw calls and in some cases this scenario could have led to a crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin References https://attackerkb.com/topics/cve-2023-5724 CVE - 2023-5724 202402-25
-
OS X update for QuartzCore (CVE-2023-32359)
OS X update for QuartzCore (CVE-2023-32359) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
-
OS X update for ColorSync (CVE-2023-32359)
OS X update for ColorSync (CVE-2023-32359) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
-
Gentoo Linux: CVE-2023-5730: Mozilla Thunderbird: Multiple Vulnerabilities
Gentoo Linux: CVE-2023-5730: Mozilla Thunderbird: Multiple Vulnerabilities Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 10/25/2023 Created 02/22/2024 Added 02/21/2024 Modified 01/28/2025 Description Memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin References https://attackerkb.com/topics/cve-2023-5730 CVE - 2023-5730 202402-25
-
Gentoo Linux: CVE-2023-5725: Mozilla Thunderbird: Multiple Vulnerabilities
Gentoo Linux: CVE-2023-5725: Mozilla Thunderbird: Multiple Vulnerabilities Severity 4 CVSS (AV:N/AC:M/Au:N/C:P/I:N/A:N) Published 10/25/2023 Created 02/22/2024 Added 02/21/2024 Modified 01/28/2025 Description A malicious installed WebExtension could open arbitrary URLs, which under the right circumstance could be leveraged to collect sensitive user data. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin References https://attackerkb.com/topics/cve-2023-5725 CVE - 2023-5725 202402-25
-
Gentoo Linux: CVE-2023-5732: Mozilla Thunderbird: Multiple Vulnerabilities
Gentoo Linux: CVE-2023-5732: Mozilla Thunderbird: Multiple Vulnerabilities Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 10/25/2023 Created 02/22/2024 Added 02/21/2024 Modified 01/28/2025 Description An attacker could have created a malicious link using bidirectional characters to spoof the location in the address bar when visited. This vulnerability affects Firefox < 117, Firefox ESR < 115.4, and Thunderbird < 115.4.1. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin References https://attackerkb.com/topics/cve-2023-5732 CVE - 2023-5732 202402-25
-
Gentoo Linux: CVE-2023-5752: pip: arbitrary configuration injection
Gentoo Linux: CVE-2023-5752: pip: arbitrary configuration injection Severity 2 CVSS (AV:L/AC:L/Au:S/C:N/I:P/A:N) Published 10/25/2023 Created 01/21/2025 Added 01/20/2025 Modified 01/30/2025 Description When installing a package from a Mercurial VCS URL (i.e. "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (i.e. "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial. Solution(s) gentoo-linux-upgrade-dev-python-pip References https://attackerkb.com/topics/cve-2023-5752 CVE - 2023-5752 202501-03
-
Alma Linux: CVE-2023-42852: Important: webkit2gtk3 security update (Multiple Advisories)
Alma Linux: CVE-2023-42852: Important: webkit2gtk3 security update (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 10/25/2023 Created 05/08/2024 Added 05/08/2024 Modified 01/28/2025 Description A logic issue was addressed with improved checks. This issue is fixed in iOS 17.1 and iPadOS 17.1, watchOS 10.1, iOS 16.7.2 and iPadOS 16.7.2, macOS Sonoma 14.1, Safari 17.1, tvOS 17.1. Processing web content may lead to arbitrary code execution. Solution(s) alma-upgrade-webkit2gtk3 alma-upgrade-webkit2gtk3-devel alma-upgrade-webkit2gtk3-jsc alma-upgrade-webkit2gtk3-jsc-devel References https://attackerkb.com/topics/cve-2023-42852 CVE - 2023-42852 https://errata.almalinux.org/8/ALSA-2024-2982.html https://errata.almalinux.org/9/ALSA-2024-2126.html
-
Gentoo Linux: CVE-2023-5721: Mozilla Thunderbird: Multiple Vulnerabilities
Gentoo Linux: CVE-2023-5721: Mozilla Thunderbird: Multiple Vulnerabilities Severity 4 CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N) Published 10/25/2023 Created 02/22/2024 Added 02/21/2024 Modified 01/28/2025 Description It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1. Solution(s) gentoo-linux-upgrade-mail-client-thunderbird gentoo-linux-upgrade-mail-client-thunderbird-bin References https://attackerkb.com/topics/cve-2023-5721 CVE - 2023-5721 202402-25
-
OS X update for AuthKit (CVE-2023-40401)
OS X update for AuthKit (CVE-2023-40401) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
-
OS X update for SharedFileList (CVE-2023-42842)
OS X update for SharedFileList (CVE-2023-42842) Severity 5 CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 12/15/2023 Added 12/14/2023 Modified 01/28/2025 Description The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.1. An app may be able to access sensitive user data. Solution(s) apple-osx-upgrade-14_2 References https://attackerkb.com/topics/cve-2023-42842 CVE - 2023-42842 https://support.apple.com/kb/HT214036
-
OS X update for FileProvider (CVE-2023-32359)
OS X update for FileProvider (CVE-2023-32359) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)
-
Ubuntu: (Multiple Advisories) (CVE-2023-5724): Firefox vulnerabilities
Ubuntu: (Multiple Advisories) (CVE-2023-5724): Firefox vulnerabilities Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 10/25/2023 Created 11/01/2023 Added 11/01/2023 Modified 01/28/2025 Description Drivers are not always robust to extremely large draw calls and in some cases this scenario could have led to a crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1. Solution(s) ubuntu-upgrade-firefox ubuntu-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-5724 CVE - 2023-5724 USN-6456-1 USN-6456-2 USN-6468-1
-
Ubuntu: (Multiple Advisories) (CVE-2023-5722): Firefox vulnerabilities
Ubuntu: (Multiple Advisories) (CVE-2023-5722): Firefox vulnerabilities Severity 5 CVSS (AV:N/AC:L/Au:N/C:P/I:N/A:N) Published 10/25/2023 Created 11/01/2023 Added 11/01/2023 Modified 01/28/2025 Description Using iterative requests an attacker was able to learn the size of an opaque response, as well as the contents of a server-supplied Vary header. This vulnerability affects Firefox < 119. Solution(s) ubuntu-upgrade-firefox References https://attackerkb.com/topics/cve-2023-5722 CVE - 2023-5722 USN-6456-1 USN-6456-2