Francois Diakhate discovered that PMIx did not properly handle race
conditions in the pmix library, which could lead to unwanted privilege
escalation. An attacker could possibly use this issue to obtain ownership
of an arbitrary file on the filesystem, under the default configuration
of the application.
Yearly Archives: 2023
Fake Browser Updates Used in Malware Distribution
nodejs20-20.8.1-1.fc37
FEDORA-2023-f66fc0f62a
Packages in this update:
nodejs20-20.8.1-1.fc37
Update description:
2023-10-13, Version 20.8.1 (Current), @RafaelGSS
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
CVE-2023-44487: nghttp2 Security Release (High)
CVE-2023-45143: undici Security Release (High)
CVE-2023-39332: Path traversal through path stored in Uint8Array (High)
CVE-2023-39331: Permission model improperly protects against path traversal (High)
CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
CVE-2023-39333: Code injection via WebAssembly export names (Low)
More detailed information on each of the vulnerabilities can be found in October 2023 Security Releases blog post.
nodejs20-20.8.1-1.fc39
FEDORA-2023-7b52921cae
Packages in this update:
nodejs20-20.8.1-1.fc39
Update description:
2023-10-13, Version 20.8.1 (Current), @RafaelGSS
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
CVE-2023-44487: nghttp2 Security Release (High)
CVE-2023-45143: undici Security Release (High)
CVE-2023-39332: Path traversal through path stored in Uint8Array (High)
CVE-2023-39331: Permission model improperly protects against path traversal (High)
CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
CVE-2023-39333: Code injection via WebAssembly export names (Low)
More detailed information on each of the vulnerabilities can be found in October 2023 Security Releases blog post.
nodejs20-20.8.1-1.fc38
FEDORA-2023-4d2fd884ea
Packages in this update:
nodejs20-20.8.1-1.fc38
Update description:
2023-10-13, Version 20.8.1 (Current), @RafaelGSS
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
CVE-2023-44487: nghttp2 Security Release (High)
CVE-2023-45143: undici Security Release (High)
CVE-2023-39332: Path traversal through path stored in Uint8Array (High)
CVE-2023-39331: Permission model improperly protects against path traversal (High)
CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
CVE-2023-39333: Code injection via WebAssembly export names (Low)
More detailed information on each of the vulnerabilities can be found in October 2023 Security Releases blog post.
nodejs18-18.18.2-1.fc38
FEDORA-2023-d5030c983c
Packages in this update:
nodejs18-18.18.2-1.fc38
Update description:
2023-10-13, Version 18.18.2 ‘Hydrogen’ (LTS), @RafaelGSS
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
CVE-2023-44487: nghttp2 Security Release (High)
CVE-2023-45143: undici Security Release (High)
CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
CVE-2023-39333: Code injection via WebAssembly export names (Low)
More detailed information on each of the vulnerabilities can be found in October 2023 Security Releases blog post.
nodejs18-18.18.2-1.fc37
FEDORA-2023-e9c04d81c1
Packages in this update:
nodejs18-18.18.2-1.fc37
Update description:
2023-10-13, Version 18.18.2 ‘Hydrogen’ (LTS), @RafaelGSS
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
CVE-2023-44487: nghttp2 Security Release (High)
CVE-2023-45143: undici Security Release (High)
CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
CVE-2023-39333: Code injection via WebAssembly export names (Low)
More detailed information on each of the vulnerabilities can be found in October 2023 Security Releases blog post.
nodejs18-18.18.2-1.fc39
FEDORA-2023-dbe64661af
Packages in this update:
nodejs18-18.18.2-1.fc39
Update description:
2023-10-13, Version 18.18.2 ‘Hydrogen’ (LTS), @RafaelGSS
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
CVE-2023-44487: nghttp2 Security Release (High)
CVE-2023-45143: undici Security Release (High)
CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
CVE-2023-39333: Code injection via WebAssembly export names (Low)
More detailed information on each of the vulnerabilities can be found in October 2023 Security Releases blog post.
USN-6396-3: Linux kernel (Azure) vulnerabilities
It was discovered that some AMD x86-64 processors with SMT enabled could
speculatively execute instructions using a return address from a sibling
thread. A local attacker could possibly use this to expose sensitive
information. (CVE-2022-27672)
Daniel Moghimi discovered that some Intel(R) Processors did not properly
clear microarchitectural state after speculative execution of various
instructions. A local unprivileged user could use this to obtain to
sensitive information. (CVE-2022-40982)
Yang Lan discovered that the GFS2 file system implementation in the Linux
kernel could attempt to dereference a null pointer in some situations. An
attacker could use this to construct a malicious GFS2 image that, when
mounted and operated on, could cause a denial of service (system crash).
(CVE-2023-3212)
It was discovered that the NFC implementation in the Linux kernel contained
a use-after-free vulnerability when performing peer-to-peer communication
in certain conditions. A privileged attacker could use this to cause a
denial of service (system crash) or possibly expose sensitive information
(kernel memory). (CVE-2023-3863)
It was discovered that the bluetooth subsystem in the Linux kernel did not
properly handle L2CAP socket release, leading to a use-after-free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-40283)
It was discovered that some network classifier implementations in the Linux
kernel contained use-after-free vulnerabilities. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2023-4128)
The CIS Controls: A Way to Meet the NYS OAG Data Safety Tips
In this post, we explain how you can meet some of the data safety recommendations of the NYS OAG using the CIS Controls.