Category Archives: Advisories

USN-6935-1: Prometheus Alertmanager vulnerability

Read Time:16 Second

It was discovered that prometheus-alertmanager didn’t properly sanitize
input it received through an API endpoint. An attacker with permission to
send requests to this endpoint could potentially inject arbitrary code.

On Ubuntu 20.04 LTS and Ubuntu 22.04 LTS, this vulnerability is only
present if the UI has been explicitly activated.

Read More

frr-9.1.1-1.fc40

Read Time:10 Second

FEDORA-2024-e60ca8feb0

Packages in this update:

frr-9.1.1-1.fc40

Update description:

New version 9.1.1. Includes fixes for CVE-2024-31950, CVE-2024-31951 and CVE-2024-31949.

Read More

USN-6934-1: MySQL vulnerabilities

Read Time:31 Second

Multiple security issues were discovered in MySQL and this update includes
new upstream MySQL versions to fix these issues.

MySQL has been updated to 8.0.39 in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,
and Ubuntu 24.04 LTS.

In addition to security fixes, the updated packages contain bug fixes, new
features, and possibly incompatible changes.

Please see the following for more information:

https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-38.html
https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-39.html
https://www.oracle.com/security-alerts/cpujul2024.html

Read More

USN-6933-1: ClickHouse vulnerabilities

Read Time:24 Second

It was discovered that ClickHouse incorrectly handled memory, leading to a
heap out-of-bounds data read. An attacker could possibly use this issue to
cause a denial of service, or leak sensitive information.
(CVE-2021-42387, CVE-2021-41388)

It was discovered that ClickHouse incorrectly handled memory, leading to a
heap-based buffer overflow. An attacker could possibly use this issue to
cause a denial of service, or execute arbitrary code.
(CVE-2021-43304, CVE-2021-43305)

Read More

USN-6932-1: OpenJDK 21 vulnerabilities

Read Time:1 Minute, 3 Second

It was discovered that the Hotspot component of OpenJDK 21 was not properly
performing bounds when handling certain UTF-8 strings, which could lead to
a buffer overflow. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2024-21131)

It was discovered that the Hotspot component of OpenJDK 21 could be made to
run into an infinite loop. If an automated system were tricked into
processing excessively large symbols, an attacker could possibly use this
issue to cause a denial of service. (CVE-2024-21138)

It was discovered that the Hotspot component of OpenJDK 21 did not
properly perform range check elimination. An attacker could possibly use
this issue to cause a denial of service, execute arbitrary code or bypass
Java sandbox restrictions. (CVE-2024-21140)

Sergey Bylokhov discovered that OpenJDK 21 did not properly manage memory
when handling 2D images. An attacker could possibly use this issue to
obtain sensitive information. (CVE-2024-21145)

It was discovered that the Hotspot component of OpenJDK 21 incorrectly
handled memory when performing range check elimination under certain
circumstances. An attacker could possibly use this issue to cause a
denial of service, execute arbitrary code or bypass Java sandbox
restrictions. (CVE-2024-21147)

Read More

USN-6931-1: OpenJDK 17 vulnerabilities

Read Time:1 Minute, 3 Second

It was discovered that the Hotspot component of OpenJDK 17 was not properly
performing bounds when handling certain UTF-8 strings, which could lead to
a buffer overflow. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2024-21131)

It was discovered that the Hotspot component of OpenJDK 17 could be made to
run into an infinite loop. If an automated system were tricked into
processing excessively large symbols, an attacker could possibly use this
issue to cause a denial of service. (CVE-2024-21138)

It was discovered that the Hotspot component of OpenJDK 17 did not
properly perform range check elimination. An attacker could possibly use
this issue to cause a denial of service, execute arbitrary code or bypass
Java sandbox restrictions. (CVE-2024-21140)

Sergey Bylokhov discovered that OpenJDK 17 did not properly manage memory
when handling 2D images. An attacker could possibly use this issue to
obtain sensitive information. (CVE-2024-21145)

It was discovered that the Hotspot component of OpenJDK 17 incorrectly
handled memory when performing range check elimination under certain
circumstances. An attacker could possibly use this issue to cause a
denial of service, execute arbitrary code or bypass Java sandbox
restrictions. (CVE-2024-21147)

Read More

USN-6930-1: OpenJDK 11 vulnerabilities

Read Time:1 Minute, 13 Second

It was discovered that the Hotspot component of OpenJDK 11 was not properly
performing bounds when handling certain UTF-8 strings, which could lead to
a buffer overflow. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2024-21131)

It was discovered that the Hotspot component of OpenJDK 11 could be made to
run into an infinite loop. If an automated system were tricked into
processing excessively large symbols, an attacker could possibly use this
issue to cause a denial of service. (CVE-2024-21138)

It was discovered that the Hotspot component of OpenJDK 11 did not
properly perform range check elimination. An attacker could possibly use
this issue to cause a denial of service, execute arbitrary code or bypass
Java sandbox restrictions. (CVE-2024-21140)

Yakov Shafranovich discovered that the Concurrency component of OpenJDK 11
incorrectly performed header validation in the Pack200 archive format. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2024-21144)

Sergey Bylokhov discovered that OpenJDK 11 did not properly manage memory
when handling 2D images. An attacker could possibly use this issue to
obtain sensitive information. (CVE-2024-21145)

It was discovered that the Hotspot component of OpenJDK 11 incorrectly
handled memory when performing range check elimination under certain
circumstances. An attacker could possibly use this issue to cause a
denial of service, execute arbitrary code or bypass Java sandbox
restrictions. (CVE-2024-21147)

Read More