nodejs18-18.18.2-1.fc37

Read Time:28 Second

FEDORA-2023-e9c04d81c1

Packages in this update:

nodejs18-18.18.2-1.fc37

Update description:

2023-10-13, Version 18.18.2 ‘Hydrogen’ (LTS), @RafaelGSS

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

CVE-2023-44487: nghttp2 Security Release (High)
CVE-2023-45143: undici Security Release (High)
CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
CVE-2023-39333: Code injection via WebAssembly export names (Low)

More detailed information on each of the vulnerabilities can be found in October 2023 Security Releases blog post.

Read More

nodejs18-18.18.2-1.fc39

Read Time:28 Second

FEDORA-2023-dbe64661af

Packages in this update:

nodejs18-18.18.2-1.fc39

Update description:

2023-10-13, Version 18.18.2 ‘Hydrogen’ (LTS), @RafaelGSS

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

CVE-2023-44487: nghttp2 Security Release (High)
CVE-2023-45143: undici Security Release (High)
CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
CVE-2023-39333: Code injection via WebAssembly export names (Low)

More detailed information on each of the vulnerabilities can be found in October 2023 Security Releases blog post.

Read More

USN-6396-3: Linux kernel (Azure) vulnerabilities

Read Time:1 Minute, 18 Second

It was discovered that some AMD x86-64 processors with SMT enabled could
speculatively execute instructions using a return address from a sibling
thread. A local attacker could possibly use this to expose sensitive
information. (CVE-2022-27672)

Daniel Moghimi discovered that some Intel(R) Processors did not properly
clear microarchitectural state after speculative execution of various
instructions. A local unprivileged user could use this to obtain to
sensitive information. (CVE-2022-40982)

Yang Lan discovered that the GFS2 file system implementation in the Linux
kernel could attempt to dereference a null pointer in some situations. An
attacker could use this to construct a malicious GFS2 image that, when
mounted and operated on, could cause a denial of service (system crash).
(CVE-2023-3212)

It was discovered that the NFC implementation in the Linux kernel contained
a use-after-free vulnerability when performing peer-to-peer communication
in certain conditions. A privileged attacker could use this to cause a
denial of service (system crash) or possibly expose sensitive information
(kernel memory). (CVE-2023-3863)

It was discovered that the bluetooth subsystem in the Linux kernel did not
properly handle L2CAP socket release, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-40283)

It was discovered that some network classifier implementations in the Linux
kernel contained use-after-free vulnerabilities. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2023-4128)

Read More

USN-6425-3: Samba vulnerabilities

Read Time:53 Second

USN-6425-1 fixed vulnerabilities in Samba. This update provides the
corresponding updates for Ubuntu 23.10.

Original advisory details:

Sri Nagasubramanian discovered that the Samba acl_xattr VFS module
incorrectly handled read-only files. When Samba is configured to ignore
system ACLs, a remote attacker could possibly use this issue to truncate
read-only files. (CVE-2023-4091)

Andrew Bartlett discovered that Samba incorrectly handled the DirSync
control. A remote attacker with an RODC DC account could possibly use this
issue to obtain all domain secrets. (CVE-2023-4154)

Andrew Bartlett discovered that Samba incorrectly handled the rpcecho
development server. A remote attacker could possibly use this issue to
cause Samba to stop responding, resulting in a denial of service.
(CVE-2023-42669)

Kirin van der Veer discovered that Samba incorrectly handled certain RPC
service listeners. A remote attacker could possibly use this issue to cause
Samba to start multiple incompatible RPC listeners, resulting in a denial
of service. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 23.04.
(CVE-2023-42670)

Read More

USN-6423-2: CUE vulnerability

Read Time:14 Second

USN-6423-1 fixed a vulnerability in CUE. This update provides the
corresponding updates for Ubuntu 23.10.

Original advisory details:

It was discovered that CUE incorrectly handled certain files.
An attacker could possibly use this issue to expose sensitive
information or execute arbitrary code.

Read More

USN-6394-2: Python 2.7 vulnerability

Read Time:17 Second

USN-6394-1 fixed a vulnerability in Python. This update provides
the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

It was discovered that Python incorrectly handled certain scripts.
An attacker could possibly use this issue to execute arbitrary code
or cause a crash.

Read More