It was discovered that the DesignWare USB3 for Qualcomm SoCs driver in the
Linux kernel did not properly handle certain error conditions during device
registration. A local attacker could possibly use this to cause a denial of
service (system crash). (CVE-2023-22995)

It was discovered that a race condition existed in the Cypress touchscreen
driver in the Linux kernel during device removal, leading to a use-after-
free vulnerability. A physically proximate attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.
(CVE-2023-4134)

黄思聪 discovered that the NFC Controller Interface (NCI) implementation in
the Linux kernel did not properly handle certain memory allocation failure
conditions, leading to a null pointer dereference vulnerability. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2023-46343)

It was discovered that the io_uring subsystem in the Linux kernel contained
a race condition, leading to a null pointer dereference vulnerability. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2023-46862)

It was discovered that a race condition existed in the Bluetooth subsystem
of the Linux kernel, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-51779)

It was discovered that a race condition existed in the Rose X.25 protocol
implementation in the Linux kernel, leading to a use-after- free
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2023-51782)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem of the Linux kernel
did not properly handle connect command payloads in certain situations,
leading to an out-of-bounds read vulnerability. A remote attacker could use
this to expose sensitive information (kernel memory). (CVE-2023-6121)

It was discovered that the VirtIO subsystem in the Linux kernel did not
properly initialize memory in some situations. A local attacker could use
this to possibly expose sensitive information (kernel memory).
(CVE-2024-0340)

Dan Carpenter discovered that the netfilter subsystem in the Linux kernel
did not store data in properly sized memory locations. A local user could
use this to cause a denial of service (system crash). (CVE-2024-0607)

Advisories

onnx-1.14.1-2.fc40

March 20, 2024

Read Time:8 Second

FEDORA-2024-abe1e34fdb

Packages in this update:

onnx-1.14.1-2.fc40

Update description:

Security fix for CVE-2024-27318 and CVE-2024-27319

News

Cheating Automatic Toll Booths by Obscuring License Plates

March 20, 2024

Read Time:1 Minute, 7 Second

The Wall Street Journal is reporting on a variety of techniques drivers are using to obscure their license plates so that automatic readers can’t identify them and charge tolls properly.

Some drivers have power-washed paint off their plates or covered them with a range of household items such as leaf-shaped magnets, Bramwell-Stewart said. The Port Authority says officers in 2023 roughly doubled the number of summonses issued for obstructed, missing or fictitious license plates compared with the prior year.

Bramwell-Stewart said one driver from New Jersey repeatedly used what’s known in the streets as a flipper, which lets you remotely swap out a car’s real plate for a bogus one ahead of a toll area. In this instance, the bogus plate corresponded to an actual one registered to a woman who was mystified to receive the tolls. “Why do you keep billing me?” Bramwell-Stewart recalled her asking.

[…]

Cathy Sheridan, president of MTA Bridges and Tunnels in New York City, showed video of a flipper in action at a recent public meeting, after the car was stopped by police. One minute it had New York plates, the next it sported Texas tags. She also showed a clip of a second car with a device that lowered a cover over the plate like a curtain.

Boing Boing post.

News

Ukrainian Police Arrest Suspected Brute-Force Account Hijackers

March 20, 2024

Read Time:5 Second

Police in Kharkiv arrest three men suspected of hacking 100 million Instagram and email accounts

Advisories

containers-common-0.58.0-2.fc40 netavark-1.10.3-3.fc40 podman-5.0.0-1.fc40

March 20, 2024

Read Time:5 Minute, 3 Second

FEDORA-2024-a267e93f8c

Packages in this update:

containers-common-0.58.0-2.fc40
netavark-1.10.3-3.fc40
podman-5.0.0-1.fc40

Update description:

Security fix for CVE-2024-1753

Automatic update for podman-5.0.0-1.fc40.

Changelog for podman

* Tue Mar 19 2024 Packit <hello@packit.dev> – 5:5.0.0-1
– [packit] 5.0.0 upstream release

* Fri Mar 15 2024 Packit <hello@packit.dev> – 5:5.0.0~rc7-1
– [packit] 5.0.0-rc7 upstream release

* Wed Mar 13 2024 Lokesh Mandvekar <lsm5@redhat.com> – 5:5.0.0~rc6-2
– Resolves: #2269148 – make passt a hard dep

* Mon Mar 11 2024 Packit <hello@packit.dev> – 5:5.0.0~rc6-1
– [packit] 5.0.0-rc6 upstream release

* Fri Mar 08 2024 Packit <hello@packit.dev> – 5:5.0.0~rc5-1
– [packit] 5.0.0-rc5 upstream release

* Tue Mar 05 2024 Packit <hello@packit.dev> – 5:5.0.0~rc4-1
– [packit] 5.0.0-rc4 upstream release

* Fri Mar 01 2024 Debarshi Ray <rishi@fedoraproject.org> – 5:5.0.0~rc3-5
– Show the toolbox RPMs used to run the tests

* Fri Mar 01 2024 Debarshi Ray <rishi@fedoraproject.org> – 5:5.0.0~rc3-4
– Avoid running out of storage space when running the Toolbx tests

* Fri Mar 01 2024 Debarshi Ray <rishi@fedoraproject.org> – 5:5.0.0~rc3-3
– Silence warnings about deprecated grep(1) use in test logs

* Fri Mar 01 2024 Debarshi Ray <rishi@fedoraproject.org> – 5:5.0.0~rc3-2
– Update how Toolbx is spelt

* Thu Feb 22 2024 Packit <hello@packit.dev> – 5:5.0.0~rc3-1
– [packit] 5.0.0-rc3 upstream release

Automatic update for podman-5.0.0~rc7-1.fc40.