Multiple security vulnerabilities were discovered in python-aiohttp,
an HTTP client/server for asyncio, which could result in denial of
service, directory traversal, CRLF injection or request smuggling.
Category Archives: Advisories
Critical Patches Issued for Microsoft Products, December 10, 2024
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
USN-7148-1: Linux kernel vulnerabilities
Lyu Tao discovered that the NFS implementation in the Linux kernel did not
properly handle requests to open a directory on a regular file. A local
attacker could use this to expose sensitive information (kernel memory).
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– x86 architecture;
– ATM drivers;
– Device frequency scaling framework;
– GPU drivers;
– Hardware monitoring drivers;
– VMware VMCI Driver;
– MTD block device drivers;
– Network drivers;
– Device tree and open firmware driver;
– SCSI subsystem;
– USB Serial drivers;
– BTRFS file system;
– File systems infrastructure;
– F2FS file system;
– JFS file system;
– NILFS2 file system;
– Netfilter;
– Memory management;
– Ethernet bridge;
– IPv6 networking;
– Logical Link layer;
– MAC80211 subsystem;
– NFC subsystem;
– Network traffic control;
(CVE-2021-47055, CVE-2024-26675, CVE-2024-42244, CVE-2024-46743,
CVE-2024-41095, CVE-2024-46756, CVE-2024-46723, CVE-2024-46759,
CVE-2024-35877, CVE-2024-38538, CVE-2024-26668, CVE-2024-44998,
CVE-2024-42309, CVE-2024-46758, CVE-2024-46800, CVE-2022-48733,
CVE-2023-52531, CVE-2023-52599, CVE-2024-46722, CVE-2024-42240,
CVE-2024-44987, CVE-2023-52502, CVE-2023-52578, CVE-2024-41059,
CVE-2024-41071, CVE-2024-44942, CVE-2024-46738, CVE-2022-48943,
CVE-2023-52614, CVE-2024-27397, CVE-2024-38560, CVE-2024-43882,
CVE-2024-42104, CVE-2024-46757, CVE-2024-26636, CVE-2024-26633,
CVE-2024-41089, CVE-2024-42310, CVE-2022-48938)
USN-7147-1: Apache Shiro vulnerabilities
It was discovered that Apache Shiro incorrectly handled path traversal when
used with other web frameworks or path rewriting. An attacker could
possibly use this issue to obtain sensitive information or administrative
privileges. This update provides the corresponding fix for Ubuntu 24.04 LTS
and Ubuntu 24.10. (CVE-2023-34478, CVE-2023-46749)
It was discovered that Apache Shiro incorrectly handled web redirects when
used together with the form authentication method. An attacker could
possibly use this issue to perform phishing attacks. This update provides
the corresponding fix for Ubuntu 24.04 LTS and Ubuntu 24.10.
(CVE-2023-46750)
It was discovered that Apache Shiro incorrectly handled requests through
servlet filtering. An attacker could possibly use this issue to obtain
administrative privileges. This update provides the corresponding fix for
Ubuntu 16.04 LTS. (CVE-2016-6802)
gh-2.63.2-1.fc42
FEDORA-2024-378ed6dffe
Packages in this update:
gh-2.63.2-1.fc42
Update description:
Automatic update for gh-2.63.2-1.fc42.
Changelog
* Tue Dec 10 2024 Mikel Olasagasti Uranga <mikel@olasagasti.info> - 2.63.2-1
- Update to 2.63.2 - Closes rhbz#2273304 rhbz#2292682 rhbz#2322519
rhbz#2329265 rhbz#2330387 rhbz#2330388
python3.13-3.13.1-2.fc42
FEDORA-2024-0c29724c11
Packages in this update:
python3.13-3.13.1-2.fc42
Update description:
Automatic update for python3.13-3.13.1-2.fc42.
Changelog
* Mon Dec 9 2024 Miro Hrončok <mhroncok@redhat.com> - 3.13.1-2
- Security fix for CVE-2024-12254
- Fixes: rhbz#2330927
* Tue Dec 3 2024 Charalampos Stratakis <cstratak@redhat.com> - 3.13.1-1
- Update to 3.13.1
- Security fix for CVE-2024-9287
- Fixes: rhbz#2321657
USN-7146-1: Dogtag PKI vulnerabilities
Christina Fu discovered that Dogtag PKI accidentally enabled a mock
authentication plugin by default. An attacker could potentially use
this flaw to bypass the regular authentication process and trick the
CA server into issuing certificates. This issue only affected Ubuntu
16.04 LTS. (CVE-2017-7537)
It was discovered that Dogtag PKI did not properly sanitize user
input. An attacker could possibly use this issue to perform cross site
scripting and obtain sensitive information. This issue only affected
Ubuntu 22.04 LTS. (CVE-2020-25715)
It was discovered that the XML parser did not properly handle entity
expansion. A remote attacker could potentially retrieve the content of
arbitrary files by sending specially crafted HTTP requests. This issue
only affected Ubuntu 16.04 LTS. (CVE-2022-2414)
ZDI-24-1655: Rockwell Automation Arena Simulation DOE File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation Arena Simulation. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-11156.
ZDI-24-1654: Rockwell Automation Arena Simulation DOE File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation Arena Simulation. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-11156.