Read Time:7 Second
Looking for context you can use to map out your 2024 cybersecurity priorities? 17 CIS experts share their cybersecurity predictions for the year ahead.
Yearly Archives: 2024
DSA-5596-1 asterisk – security update
Read Time:1 Minute, 27 Second
Multiple security vulnerabilities have been discovered in Asterisk, an Open
Source Private Branch Exchange.
CVE-2023-37457
The ‘update’ functionality of the PJSIP_HEADER dialplan function can exceed
the available buffer space for storing the new value of a header. By doing
so this can overwrite memory or cause a crash. This is not externally
exploitable, unless dialplan is explicitly written to update a header based
on data from an outside source. If the ‘update’ functionality is not used
the vulnerability does not occur.
CVE-2023-38703
PJSIP is a free and open source multimedia communication library written in
C with high level API in C, C++, Java, C#, and Python languages. SRTP is a
higher level media transport which is stacked upon a lower level media
transport such as UDP and ICE. Currently a higher level transport is not
synchronized with its lower level transport that may introduce a
use-after-free issue. This vulnerability affects applications that have
SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media
transport other than UDP. This vulnerability’s impact may range from
unexpected application termination to control flow hijack/memory
corruption.
CVE-2023-49294
It is possible to read any arbitrary file even when the `live_dangerously`
option is not enabled.
CVE-2023-49786
Asterisk is susceptible to a DoS due to a race condition in the hello
handshake phase of the DTLS protocol when handling DTLS-SRTP for media
setup. This attack can be done continuously, thus denying new DTLS-SRTP
encrypted calls during the attack. Abuse of this vulnerability may lead to
a massive Denial of Service on vulnerable Asterisk servers for calls that
rely on DTLS-SRTP.
DSA-5597-1 exim4 – security update
Read Time:15 Second
It was discovered that Exim, a mail transport agent, can be induced to
accept a second message embedded as part of the body of a first message
in certain configurations where PIPELINING or CHUNKING on incoming
connections is offered.
DSA-5595-1 chromium – security update
Read Time:9 Second
Multiple security issues were discovered in Chromium, which could result
in the execution of arbitrary code, denial of service or information
disclosure.
espeak-ng-1.51.1-6.fc38
Read Time:10 Second
FEDORA-2024-698737a3c5
Packages in this update:
espeak-ng-1.51.1-6.fc38
Update description:
Security fix for CVE-2023-49990, CVE-2023-49991, CVE-2023-49992, CVE-2023-49993, CVE-2023-49994.
espeak-ng-1.51.1-6.fc39
Read Time:10 Second
FEDORA-2024-5661c87b25
Packages in this update:
espeak-ng-1.51.1-6.fc39
Update description:
Security fix for CVE-2023-49990, CVE-2023-49991, CVE-2023-49992, CVE-2023-49993, CVE-2023-49994.
exim-4.97.1-1.el8
Read Time:7 Second
FEDORA-EPEL-2024-9bc09085c7
Packages in this update:
exim-4.97.1-1.el8
Update description:
Security fix for CVE-2023-51766.
exim-4.97.1-1.el7
Read Time:7 Second
FEDORA-EPEL-2024-8eb8988cb8
Packages in this update:
exim-4.97.1-1.el7
Update description:
Security fix for CVE-2023-51766.
exim-4.97.1-1.el9
Read Time:7 Second
FEDORA-EPEL-2024-54a5c04d0c
Packages in this update:
exim-4.97.1-1.el9
Update description:
Security fix for CVE-2023-51766.
USN-6566-1: SQLite vulnerabilities
Read Time:21 Second
It was discovered that SQLite incorrectly handled certain protection
mechanisms when using a CLI script with the –safe option, contrary to
expectations. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-46908)
It was discovered that SQLite incorrectly handled certain memory operations
in the sessions extension. A remote attacker could possibly use this issue
to cause SQLite to crash, resulting in a denial of service. (CVE-2023-7104)