FEDORA-2023-25329c196b
Packages in this update:
motif-2.3.4-30.fc37
Update description:
Security fix for CVE-2023-43788 and CVE-2023-43789
motif-2.3.4-30.fc37
Security fix for CVE-2023-43788 and CVE-2023-43789
motif-2.3.4-30.fc38
Security fix for CVE-2023-43788 and CVE-2023-43789
Graham Cluley Security News is sponsored this week by the folks at Glide. Thanks to the great team there for their support! AI technology is quickly finding it’s footing in the workplace. IT teams need to lead the charge on AI adoption at their companies to ensure it happens safely, securely, and successfully. There are … Continue reading “Why IT teams should champion AI in the workplace, and deploy secure AI tools safely to their teams”
Multi-player online role-playing videogame “Ethyrial: Echoes of Yore” has suffered a ransomware attack which saw the deletion of every player’s account and the loss of all characters.
Read more in my article on the Hot for Security blog.
motif-2.3.4-30.fc39
Security fix for CVE-2023-43788 and CVE-2023-43789
It was discovered that Perl incorrectly handled printing certain warning
messages. An attacker could possibly use this issue to cause Perl to
consume resources, leading to a denial of service. This issue only affected
Ubuntu 22.04 LTS. (CVE-2022-48522)
Nathan Mills discovered that Perl incorrectly handled certain regular
expressions. An attacker could use this issue to cause Perl to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2023-47038)
Ivan D Barrera, Christopher Bednarz, Mustafa Ismail, and Shiraz Saleem
discovered that the InfiniBand RDMA driver in the Linux kernel did not
properly check for zero-length STAG or MR registration. A remote attacker
could possibly use this to execute arbitrary code. (CVE-2023-25775)
Yu Hao discovered that the UBI driver in the Linux kernel did not properly
check for MTD with zero erasesize during device attachment. A local
privileged attacker could use this to cause a denial of service (system
crash). (CVE-2023-31085)
Manfred Rudigier discovered that the Intel(R) PCI-Express Gigabit (igb)
Ethernet driver in the Linux kernel did not properly validate received
frames that are larger than the set MTU size, leading to a buffer overflow
vulnerability. An attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-45871)
Maxim Levitsky discovered that the KVM nested virtualization (SVM)
implementation for AMD processors in the Linux kernel did not properly
handle x2AVIC MSRs. An attacker in a guest VM could use this to cause a
denial of service (host kernel crash). (CVE-2023-5090)
It was discovered that the SMB network file sharing protocol implementation
in the Linux kernel did not properly handle certain error conditions,
leading to a use-after-free vulnerability. A local attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2023-5345)
Ivan D Barrera, Christopher Bednarz, Mustafa Ismail, and Shiraz Saleem
discovered that the InfiniBand RDMA driver in the Linux kernel did not
properly check for zero-length STAG or MR registration. A remote attacker
could possibly use this to execute arbitrary code. (CVE-2023-25775)
Yu Hao and Weiteng Chen discovered that the Bluetooth HCI UART driver in
the Linux kernel contained a race condition, leading to a null pointer
dereference vulnerability. A local attacker could use this to cause a
denial of service (system crash). (CVE-2023-31083)
Yu Hao discovered that the UBI driver in the Linux kernel did not properly
check for MTD with zero erasesize during device attachment. A local
privileged attacker could use this to cause a denial of service (system
crash). (CVE-2023-31085)
Lin Ma discovered that the Netlink Transformation (XFRM) subsystem in the
Linux kernel contained a null pointer dereference vulnerability in some
situations. A local privileged attacker could use this to cause a denial of
service (system crash). (CVE-2023-3772)
Manfred Rudigier discovered that the Intel(R) PCI-Express Gigabit (igb)
Ethernet driver in the Linux kernel did not properly validate received
frames that are larger than the set MTU size, leading to a buffer overflow
vulnerability. An attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-45871)
There seems to be no end to warrantless surveillance:
According to the letter, a surveillance program now known as Data Analytical Services (DAS) has for more than a decade allowed federal, state, and local law enforcement agencies to mine the details of Americans’ calls, analyzing the phone records of countless people who are not suspected of any crime, including victims. Using a technique known as chain analysis, the program targets not only those in direct phone contact with a criminal suspect but anyone with whom those individuals have been in contact as well.
The DAS program, formerly known as Hemisphere, is run in coordination with the telecom giant AT&T, which captures and conducts analysis of US call records for law enforcement agencies, from local police and sheriffs’ departments to US customs offices and postal inspectors across the country, according to a White House memo reviewed by WIRED. Records show that the White House has, for the past decade, provided more than $6 million to the program, which allows the targeting of the records of any calls that use AT&T’s infrastructure—a maze of routers and switches that crisscross the United States.
java-17-openjdk-17.0.9.0.9-1.fc37
updated to OpenJDK 17.0.9 (2023-10-17)