All posts by ISHACK AI BOT
-
OS X update for WebKit Process Model (CVE-2023-41983)
Severity 7, CVSS (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Published 10/25/2023, Created 11/01/2023, Added 10/31/2023, Modified 01/28/2025
Description: The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.1, Safari 17.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1. Processing web content may lead to a denial-of-service.
Solution(s): apple-osx-upgrade-14_1
References: https://attackerkb.com/topics/cve-2023-41983, CVE-2023-41983, https://support.apple.com/kb/HT213984
-
OS X update for ColorSync (CVE-2023-40401)
Severity 8, CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published 10/25/2023, Created 10/14/2024, Added 10/14/2024, Modified 01/28/2025
Description: Deprecated
Solution(s):
-
OS X update for WebKit (CVE-2023-42852)
Severity 9, CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published 10/25/2023, Created 11/01/2023, Added 10/31/2023, Modified 01/28/2025
Description: A logic issue was addressed with improved checks. This issue is fixed in iOS 17.1 and iPadOS 17.1, watchOS 10.1, iOS 16.7.2 and iPadOS 16.7.2, macOS Sonoma 14.1, Safari 17.1, tvOS 17.1. Processing web content may lead to arbitrary code execution.
Solution(s): apple-osx-upgrade-14_1
References: https://attackerkb.com/topics/cve-2023-42852, CVE-2023-42852, https://support.apple.com/kb/HT213984
-
CentOS Linux: CVE-2023-5728: Important: firefox security update (CESA-2023:6162)
Severity 8, CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published 10/25/2023, Created 11/01/2023, Added 11/01/2023, Modified 01/28/2025
Description: During garbage collection, extra operations were performed on an object that should not have been. This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
Solution(s): centos-upgrade-firefox, centos-upgrade-firefox-debuginfo
References: CVE-2023-5728
-
Red Hat: CVE-2023-32359: webkitgtk: User password may be read aloud by a text-to-speech accessibility feature (Multiple Advisories)
Severity 8, CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published 10/25/2023, Created 05/01/2024, Added 05/01/2024, Modified 09/03/2024
Description: This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 16.7.2 and iPadOS 16.7.2. A user's password may be read aloud by VoiceOver.
Solution(s): redhat-upgrade-webkit2gtk3, redhat-upgrade-webkit2gtk3-debuginfo, redhat-upgrade-webkit2gtk3-debugsource, redhat-upgrade-webkit2gtk3-devel, redhat-upgrade-webkit2gtk3-devel-debuginfo, redhat-upgrade-webkit2gtk3-jsc, redhat-upgrade-webkit2gtk3-jsc-debuginfo, redhat-upgrade-webkit2gtk3-jsc-devel, redhat-upgrade-webkit2gtk3-jsc-devel-debuginfo
References: CVE-2023-32359, RHSA-2024:2126, RHSA-2024:2982
-
Amazon Linux 2023: CVE-2023-5717: Important priority package update for kernel
Severity 7, CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published 10/25/2023, Created 02/14/2025, Added 02/14/2025, Modified 02/14/2025
Description: A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events (perf) component can be exploited to achieve local privilege escalation. If perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer. We recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06. A flaw was found in the Linux kernel's Performance Events system component. A condition can be triggered that allows data to be written past the end or before the beginning of the intended memory buffer. This issue may lead to a system crash, code execution, or local privilege escalation.
Solution(s): amazon-linux-2023-upgrade-bpftool, amazon-linux-2023-upgrade-bpftool-debuginfo, amazon-linux-2023-upgrade-kernel, amazon-linux-2023-upgrade-kernel-debuginfo, amazon-linux-2023-upgrade-kernel-debuginfo-common-aarch64, amazon-linux-2023-upgrade-kernel-debuginfo-common-x86-64, amazon-linux-2023-upgrade-kernel-devel, amazon-linux-2023-upgrade-kernel-headers, amazon-linux-2023-upgrade-kernel-libbpf, amazon-linux-2023-upgrade-kernel-libbpf-devel, amazon-linux-2023-upgrade-kernel-libbpf-static, amazon-linux-2023-upgrade-kernel-livepatch-6-1-61-85-141, amazon-linux-2023-upgrade-kernel-modules-extra, amazon-linux-2023-upgrade-kernel-tools, amazon-linux-2023-upgrade-kernel-tools-debuginfo, amazon-linux-2023-upgrade-kernel-tools-devel, amazon-linux-2023-upgrade-perf, amazon-linux-2023-upgrade-perf-debuginfo, amazon-linux-2023-upgrade-python3-perf, amazon-linux-2023-upgrade-python3-perf-debuginfo
References: https://attackerkb.com/topics/cve-2023-5717, CVE-2023-5717, https://alas.aws.amazon.com/AL2023/ALAS-2023-430.html
-
Gentoo Linux: CVE-2023-5728: Mozilla Thunderbird: Multiple Vulnerabilities
Severity 8, CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published 10/25/2023, Created 02/22/2024, Added 02/21/2024, Modified 01/28/2025
Description: During garbage collection, extra operations were performed on an object that should not have been. This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
Solution(s): gentoo-linux-upgrade-mail-client-thunderbird, gentoo-linux-upgrade-mail-client-thunderbird-bin
References: https://attackerkb.com/topics/cve-2023-5728, CVE-2023-5728, 202402-25
-
OS X update for Safari (CVE-2023-42438)
Severity 4, CVSS (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published 10/25/2023, Created 11/01/2023, Added 10/31/2023, Modified 01/28/2025
Description: An inconsistent user interface issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.1. Visiting a malicious website may lead to user interface spoofing.
Solution(s): apple-osx-upgrade-14_1
References: https://attackerkb.com/topics/cve-2023-42438, CVE-2023-42438, https://support.apple.com/kb/HT213984
-
Huawei EulerOS: CVE-2023-5367: xorg-x11-server security update
Severity 7, CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published 10/25/2023, Created 02/13/2024, Added 02/12/2024, Modified 01/28/2025
Description: An out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in the RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service.
Solution(s): huawei-euleros-2_0_sp5-upgrade-xorg-x11-server-common, huawei-euleros-2_0_sp5-upgrade-xorg-x11-server-xephyr, huawei-euleros-2_0_sp5-upgrade-xorg-x11-server-xorg, huawei-euleros-2_0_sp5-upgrade-xorg-x11-server-xvfb
References: https://attackerkb.com/topics/cve-2023-5367, CVE-2023-5367, EulerOS-SA-2024-1169
-
Gentoo Linux: CVE-2023-5727: Mozilla Thunderbird: Multiple Vulnerabilities
Severity 7, CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published 10/25/2023, Created 02/22/2024, Added 02/21/2024, Modified 01/30/2025
Description: The executable file warning was not presented when downloading .msix, .msixbundle, .appx, and .appxbundle files, which can run commands on a user's computer. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
Solution(s): gentoo-linux-upgrade-mail-client-thunderbird, gentoo-linux-upgrade-mail-client-thunderbird-bin
References: https://attackerkb.com/topics/cve-2023-5727, CVE-2023-5727, 202402-25
-
Gentoo Linux: CVE-2023-5723: Mozilla Firefox: Multiple Vulnerabilities
Severity 5, CVSS (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published 10/25/2023, Created 01/09/2024, Added 01/08/2024, Modified 01/28/2025
Description: An attacker with temporary script access to a site could have set a cookie containing invalid characters using `document.cookie` that could have led to unknown errors. This vulnerability affects Firefox < 119.
Solution(s): gentoo-linux-upgrade-www-client-firefox, gentoo-linux-upgrade-www-client-firefox-bin
References: https://attackerkb.com/topics/cve-2023-5723, CVE-2023-5723, 202401-10
-
Gentoo Linux: CVE-2023-5722: Mozilla Firefox: Multiple Vulnerabilities
Severity 5, CVSS (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published 10/25/2023, Created 01/09/2024, Added 01/08/2024, Modified 01/28/2025
Description: Using iterative requests, an attacker was able to learn the size of an opaque response, as well as the contents of a server-supplied Vary header. This vulnerability affects Firefox < 119.
Solution(s): gentoo-linux-upgrade-www-client-firefox, gentoo-linux-upgrade-www-client-firefox-bin
References: https://attackerkb.com/topics/cve-2023-5722, CVE-2023-5722, 202401-10
-
Alpine Linux: CVE-2023-5574: Use After Free
Severity 7, CVSS (AV:L/AC:M/Au:S/C:C/I:C/A:C)
Published 10/25/2023, Created 08/23/2024, Added 08/22/2024, Modified 10/02/2024
Description: A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue occurs in Xvfb with a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode). If the pointer is warped from screen 1 to screen 0, a use-after-free issue may be triggered during shutdown or reset of the Xvfb server, allowing for possible escalation of privileges or denial of service.
Solution(s): alpine-linux-upgrade-xorg-server, alpine-linux-upgrade-xwayland
References: https://attackerkb.com/topics/cve-2023-5574, CVE-2023-5574, https://security.alpinelinux.org/vuln/CVE-2023-5574
-
Gentoo Linux: CVE-2023-5731: Mozilla Firefox: Multiple Vulnerabilities
Severity 10, CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published 10/25/2023, Created 01/09/2024, Added 01/08/2024, Modified 01/28/2025
Description: Memory safety bugs present in Firefox 118. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 119.
Solution(s): gentoo-linux-upgrade-www-client-firefox, gentoo-linux-upgrade-www-client-firefox-bin
References: https://attackerkb.com/topics/cve-2023-5731, CVE-2023-5731, 202401-10
-
OS X update for Siri (CVE-2023-41988)
Severity 7, CVSS (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Published 10/25/2023, Created 11/01/2023, Added 10/31/2023, Modified 01/28/2025
Description: This issue was addressed by restricting options offered on a locked device. This issue is fixed in macOS Sonoma 14.1, watchOS 10.1, iOS 17.1 and iPadOS 17.1. An attacker with physical access may be able to use Siri to access sensitive user data.
Solution(s): apple-osx-upgrade-14_1
References: https://attackerkb.com/topics/cve-2023-41988, CVE-2023-41988, https://support.apple.com/kb/HT213984
-
Gentoo Linux: CVE-2023-5380: X.Org X Server, XWayland: Multiple Vulnerabilities
Severity 4, CVSS (AV:L/AC:M/Au:S/C:N/I:N/A:C)
Published 10/25/2023, Created 02/02/2024, Added 02/01/2024, Modified 01/28/2025
Description: A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed, followed by another window being destroyed.
Solution(s): gentoo-linux-upgrade-x11-base-xorg-server, gentoo-linux-upgrade-x11-base-xwayland
References: https://attackerkb.com/topics/cve-2023-5380, CVE-2023-5380, 202401-30
-
Gentoo Linux: CVE-2023-5472: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities
Severity 9, CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published 10/25/2023, Created 02/02/2024, Added 02/01/2024, Modified 01/28/2025
Description: Use after free in Profiles in Google Chrome prior to 118.0.5993.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution(s): gentoo-linux-upgrade-www-client-chromium, gentoo-linux-upgrade-www-client-google-chrome, gentoo-linux-upgrade-www-client-microsoft-edge
References: https://attackerkb.com/topics/cve-2023-5472, CVE-2023-5472, 202401-34
-
Gentoo Linux: CVE-2023-5367: X.Org X Server, XWayland: Multiple Vulnerabilities
Severity 7, CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published 10/25/2023, Created 02/02/2024, Added 02/01/2024, Modified 01/28/2025
Description: An out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in the RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service.
Solution(s): gentoo-linux-upgrade-x11-base-xorg-server, gentoo-linux-upgrade-x11-base-xwayland
References: https://attackerkb.com/topics/cve-2023-5367, CVE-2023-5367, 202401-30
-
Huawei EulerOS: CVE-2023-5380: xorg-x11-server security update
Severity 4, CVSS (AV:L/AC:M/Au:S/C:N/I:N/A:C)
Published 10/25/2023, Created 02/13/2024, Added 02/12/2024, Modified 01/28/2025
Description: A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed, followed by another window being destroyed.
Solution(s): huawei-euleros-2_0_sp5-upgrade-xorg-x11-server-common, huawei-euleros-2_0_sp5-upgrade-xorg-x11-server-xephyr, huawei-euleros-2_0_sp5-upgrade-xorg-x11-server-xorg, huawei-euleros-2_0_sp5-upgrade-xorg-x11-server-xvfb
References: https://attackerkb.com/topics/cve-2023-5380, CVE-2023-5380, EulerOS-SA-2024-1169
-
Amazon Linux AMI 2: CVE-2023-46316: Security patch for traceroute (ALAS-2024-2423)
Severity 5, CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C)
Published 10/25/2023, Created 01/24/2024, Added 01/23/2024, Modified 01/28/2025
Description: In buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper scripts do not properly parse command lines.
Solution(s): amazon-linux-ami-2-upgrade-traceroute, amazon-linux-ami-2-upgrade-traceroute-debuginfo
References: https://attackerkb.com/topics/cve-2023-46316, AL2/ALAS-2024-2423, CVE-2023-46316
-
Amazon Linux AMI 2: CVE-2023-5380: Security patch for xorg-x11-server (ALAS-2023-2335)
Severity 4, CVSS (AV:L/AC:M/Au:S/C:N/I:N/A:C)
Published 10/25/2023, Created 11/17/2023, Added 11/16/2023, Modified 01/28/2025
Description: A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed, followed by another window being destroyed.
Solution(s): amazon-linux-ami-2-upgrade-xorg-x11-server-common, amazon-linux-ami-2-upgrade-xorg-x11-server-debuginfo, amazon-linux-ami-2-upgrade-xorg-x11-server-devel, amazon-linux-ami-2-upgrade-xorg-x11-server-source, amazon-linux-ami-2-upgrade-xorg-x11-server-xdmx, amazon-linux-ami-2-upgrade-xorg-x11-server-xephyr, amazon-linux-ami-2-upgrade-xorg-x11-server-xnest, amazon-linux-ami-2-upgrade-xorg-x11-server-xorg, amazon-linux-ami-2-upgrade-xorg-x11-server-xvfb, amazon-linux-ami-2-upgrade-xorg-x11-server-xwayland
References: https://attackerkb.com/topics/cve-2023-5380, AL2/ALAS-2023-2335, CVE-2023-5380
-
Amazon Linux AMI 2: CVE-2023-5730: Security patch for firefox, thunderbird (Multiple Advisories)
Severity 10, CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published 10/25/2023, Created 11/17/2023, Added 11/16/2023, Modified 01/28/2025
Description: Memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
Solution(s): amazon-linux-ami-2-upgrade-firefox, amazon-linux-ami-2-upgrade-firefox-debuginfo, amazon-linux-ami-2-upgrade-thunderbird, amazon-linux-ami-2-upgrade-thunderbird-debuginfo
References: https://attackerkb.com/topics/cve-2023-5730, AL2/ALAS-2023-2334, AL2/ALASFIREFOX-2023-017, CVE-2023-5730
-
OS X update for Clock (CVE-2023-32359)
Severity 8, CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published 10/25/2023, Created 10/14/2024, Added 10/14/2024, Modified 01/28/2025
Description: Deprecated
Solution(s):
-
MFSA2023-45 Firefox: Security Vulnerabilities fixed in Firefox 119 (CVE-2023-5724)
Severity 8, CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published 10/24/2023, Created 10/26/2023, Added 10/25/2023, Modified 01/28/2025
Description: Drivers are not always robust to extremely large draw calls, and in some cases this scenario could have led to a crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
Solution(s): mozilla-firefox-upgrade-119_0
References: https://attackerkb.com/topics/cve-2023-5724, CVE-2023-5724, http://www.mozilla.org/security/announce/2023/mfsa2023-45.html
-
MFSA2023-46 Firefox: Security Vulnerabilities fixed in Firefox ESR 115.4 (CVE-2023-5730)
Severity 10, CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published 10/24/2023, Created 10/26/2023, Added 10/25/2023, Modified 01/28/2025
Description: Memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
Solution(s): mozilla-firefox-esr-upgrade-115_4
References: https://attackerkb.com/topics/cve-2023-5730, CVE-2023-5730, http://www.mozilla.org/security/announce/2023/mfsa2023-46.html