A CVSS score 5.5 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H severity vulnerability discovered by ‘Kentaro Kawane of GMO Cybersecurity by Ierae’ was reported to the affected vendor on: 2024-10-16, 0 days ago. The vendor is given until 2025-02-13 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
Category Archives: Advisories
USN-7048-2: Vim vulnerability
USN-7048-1 fixed a vulnerability in Vim. This update provides the
corresponding update for Ubuntu 14.04 LTS.
Original advisory details:
Suyue Guo discovered that Vim incorrectly handled memory when flushing the
typeahead buffer, leading to heap-buffer-overflow. An attacker could
possibly use this issue to cause a denial of service.
USN-7070-1: libarchive vulnerabilities
It was discovered that libarchive mishandled certain memory checks,
which could result in a NULL pointer dereference. An attacker could
potentially use this issue to cause a denial of service. This issue
only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-36227)
It was discovered that libarchive mishandled certain memory operations,
which could result in an out-of-bounds memory access. An attacker could
potentially use this issue to cause a denial of service. This issue only
affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.
(CVE-2024-48957, CVE-2024-48958)
USN-7038-2: APR vulnerability
USN-7038-1 fixed a vulnerability in Apache Portable Runtime (APR) library.
This update provides the corresponding update for Ubuntu 14.04 LTS.
Original advisory details:
Thomas Stangner discovered a permission vulnerability in the Apache
Portable Runtime (APR) library. A local attacker could possibly use this
issue to read named shared memory segments, potentially exposing sensitive
application data.
Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Oracle Quarterly Critical Patches Issued October 15, 2024
Multiple vulnerabilities have been discovered in Oracle products, the most severe of which could allow for remote code execution.
USN-7069-1: Linux kernel vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– x86 architecture;
– Cryptographic API;
– CPU frequency scaling framework;
– HW tracing;
– ISDN/mISDN subsystem;
– Media drivers;
– Network drivers;
– NVME drivers;
– S/390 drivers;
– SCSI drivers;
– USB subsystem;
– VFIO drivers;
– Watchdog drivers;
– JFS file system;
– IRQ subsystem;
– Core kernel;
– Memory management;
– Amateur Radio drivers;
– IPv4 networking;
– IPv6 networking;
– IUCV driver;
– Network traffic control;
– TIPC protocol;
– XFRM subsystem;
– Integrity Measurement Architecture(IMA) framework;
– SoC Audio for Freescale CPUs drivers;
– USB sound devices;
(CVE-2024-36971, CVE-2024-42271, CVE-2024-38630, CVE-2024-38602,
CVE-2024-42223, CVE-2024-44940, CVE-2023-52528, CVE-2024-41097,
CVE-2024-27051, CVE-2024-42157, CVE-2024-46673, CVE-2024-39494,
CVE-2024-42089, CVE-2024-41073, CVE-2024-26810, CVE-2024-26960,
CVE-2024-38611, CVE-2024-31076, CVE-2024-26754, CVE-2023-52510,
CVE-2024-40941, CVE-2024-45016, CVE-2024-38627, CVE-2024-38621,
CVE-2024-39487, CVE-2024-27436, CVE-2024-40901, CVE-2024-26812,
CVE-2024-42244, CVE-2024-42229, CVE-2024-43858, CVE-2024-42280,
CVE-2024-26641, CVE-2024-42284, CVE-2024-26602)
mbedtls3.6-3.6.2-1.fc41
FEDORA-2024-8f1374ecfb
Packages in this update:
mbedtls3.6-3.6.2-1.fc41
Update description:
Update to 3.6.2
Release notes: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.2
python-fastapi-0.111.1-7.fc40 python-openapi-core-0.19.4-3.fc40 python-platformio-6.1.14-7.fc40 python-starlette-0.40.0-1.fc40
FEDORA-2024-f1615b58e6
Packages in this update:
python-fastapi-0.111.1-7.fc40
python-openapi-core-0.19.4-3.fc40
python-platformio-6.1.14-7.fc40
python-starlette-0.40.0-1.fc40
Update description:
Security fix for CVE-2024-47874.
Starlette 0.40.0 (October 15, 2024)
This release fixes a Denial of service (DoS) via multipart/form-data requests.
You can view the full security advisory:
GHSA-f96h-pmfr-66vw
Fixed
Add max_part_size to MultiPartParser to limit the size of parts in multipart/form-data
requests fd038f3.
python-fastapi-0.115.2-1.fc41 python-openapi-core-0.19.4-4.fc41 python-platformio-6.1.14-7.fc41 python-starlette-0.40.0-1.fc41
FEDORA-2024-05dedb1a53
Packages in this update:
python-fastapi-0.115.2-1.fc41
python-openapi-core-0.19.4-4.fc41
python-platformio-6.1.14-7.fc41
python-starlette-0.40.0-1.fc41
Update description:
Security fix for CVE-2024-47874.
Starlette 0.40.0 (October 15, 2024)
This release fixes a Denial of service (DoS) via multipart/form-data requests.
You can view the full security advisory:
GHSA-f96h-pmfr-66vw
Fixed
Add max_part_size to MultiPartParser to limit the size of parts in multipart/form-data
requests fd038f3.
FastAPI 0.115.2
https://github.com/fastapi/fastapi/releases/tag/0.115.2
https://github.com/fastapi/fastapi/releases/tag/0.115.1