Daily Archives: January 22, 2024

Advisories

systemd-253.15-2.fc38

Read Time:21 Second

FEDORA-2024-c79658eedf

Packages in this update:

systemd-253.15-2.fc38

Update description:

A bunch of fixes for various components: systemd, systemctl, hostnamectl, bootctl, systemd-networkd, systemd-network-generator, systemd-analyze, systemd-dissect, man pages.
Also has a patch for CVE-2023-7008 (rhbz#2222260)
Add missing %postun scriptlets for systemd-{resolved,networkd} so that they are restarted on package updates.

No need to restart or log out.

Read More

Advisories

systemd-254.8-2.fc39

Read Time:22 Second

FEDORA-2024-b8312ca5b3

Packages in this update:

systemd-254.8-2.fc39

Update description:

A bunch of fixes for various components: systemd, systemctl, systemd-firstboot, systemd-repart, bootctl, systemd-networkd, systemd-network-generator, systemd-analyze, systemd-dissect, ukify, man pages.
Also has a patch for CVE-2023-7008 (rhbz#2222260)
Add missing %postun scriptlets for systemd-{resolved,networkd} so that they are restarted on package updates.

No need to log out or reboot.

Read More

Advisories

USN-6593-1: GnuTLS vulnerabilities

Read Time:26 Second

It was discovered that GnuTLS had a timing side-channel when processing
malformed ciphertexts in RSA-PSK ClientKeyExchange. A remote attacker could
possibly use this issue to recover sensitive information. (CVE-2024-0553)

It was discovered that GnuTLS incorrectly handled certain certificate
chains with a cross-signing loop. A remote attacker could possibly use this
issue to cause GnuTLS to crash, resulting in a denial of service. This
issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10.
(CVE-2024-0567)

Read More

Advisories

USN-6587-2: X.Org X Server vulnerabilities

Read Time:1 Minute, 22 Second

USN-6587-1 fixed several vulnerabilities in X.Org. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Original advisory details:

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
memory when processing the DeviceFocusEvent and ProcXIQueryPointer APIs. An
attacker could possibly use this issue to cause the X Server to crash,
obtain sensitive information, or execute arbitrary code. (CVE-2023-6816)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
reattaching to a different master device. An attacker could use this issue
to cause the X Server to crash, leading to a denial of service, or possibly
execute arbitrary code. (CVE-2024-0229)

Olivier Fourdan and Donn Seeley discovered that the X.Org X Server
incorrectly labeled GLX PBuffers when used with SELinux. An attacker could
use this issue to cause the X Server to crash, leading to a denial of
service. (CVE-2024-0408)

Olivier Fourdan discovered that the X.Org X Server incorrectly handled
the curser code when used with SELinux. An attacker could use this issue to
cause the X Server to crash, leading to a denial of service.
(CVE-2024-0409)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
memory when processing the XISendDeviceHierarchyEvent API. An attacker
could possibly use this issue to cause the X Server to crash, or execute
arbitrary code. (CVE-2024-21885)

Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled
devices being disabled. An attacker could possibly use this issue to cause
the X Server to crash, or execute arbitrary code. (CVE-2024-21886)

Read More

Advisories

USN-6592-1: libssh vulnerabilities

Read Time:23 Second

It was discovered that libssh incorrectly handled the ProxyCommand and the
ProxyJump features. A remote attacker could possibly use this issue to
inject malicious code into the command of the features mentioned through
the hostname parameter. (CVE-2023-6004)

It was discovered that libssh incorrectly handled return codes when
performing message digest operations. A remote attacker could possibly use
this issue to cause libssh to crash, obtain sensitive information, or
execute arbitrary code. (CVE-2023-6918)

Read More

Advisories

Multiple Vulnerabilities in VMware Products Could Allow for Remote Code Execution

Read Time:30 Second

Multiple vulnerabilities have been discovered in VMware vCenter Server and Cloud Foundation, the most severe of which could allow for remote code execution. VMware vCenter Server is the centralized management utility for VMware. VMware Cloud Foundation is a multi-cloud platform that provides a full-stack hyperconverged infrastructure (HCI) that is made for modernizing data centers and deploying modern container-based applications. Successful exploitation of these vulnerabilities could allow for remote code execution in the context of the administrator account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Read More