Pratyush Yadav discovered that the Xen network backend implementation in
the Linux kernel did not properly handle zero length data request, leading
to a null pointer dereference vulnerability. An attacker in a guest VM
could possibly use this to cause a denial of service (host domain crash).
(CVE-2023-46838)

It was discovered that the Habana’s AI Processors driver in the Linux
kernel did not properly initialize certain data structures before passing
them to user space. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2023-50431)

It was discovered that the device mapper driver in the Linux kernel did not
properly validate target size during certain memory allocations. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2023-52429, CVE-2024-23851)

It was discovered that the CIFS network file system implementation in the
Linux kernel did not properly validate certain SMB messages, leading to an
out-of-bounds read vulnerability. An attacker could use this to cause a
denial of service (system crash) or possibly expose sensitive information.
(CVE-2023-6610)

Yang Chaoming discovered that the KSMBD implementation in the Linux kernel
did not properly validate request buffer sizes, leading to an out-of-bounds
read vulnerability. An attacker could use this to cause a denial of service
(system crash) or possibly expose sensitive information. (CVE-2024-22705)

Chenyuan Yang discovered that the btrfs file system in the Linux kernel did
not properly handle read operations on newly created subvolumes in certain
conditions. A local attacker could use this to cause a denial of service
(system crash). (CVE-2024-23850)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– Android drivers;
– Userspace I/O drivers;
– F2FS file system;
– SMB network file system;
– Networking core;
(CVE-2023-52434, CVE-2023-52436, CVE-2023-52435, CVE-2023-52439,
CVE-2023-52438)

Read More

Post Content

Read More

FEDORA-EPEL-2024-3a714d30a3

Packages in this update:

python-pydantic-1.10.14-1.el9

Update description:

Security fix for CVE-2024-3772 (regular expression denial of service via crafted email string). Update to latest 1.10.x release: https://github.com/pydantic/pydantic/blob/v1.10.14/HISTORY.md

Read More

FEDORA-2024-cc8fcab025

Packages in this update:

etcd-3.5.13-1.fc41

Update description:

Automatic update for etcd-3.5.13-1.fc41.

Changelog

* Tue Apr 16 2024 Mikel Olasagasti Uranga <mikel@olasagasti.info> – 3.5.13-1
– Update to 3.5.13 – Closes rhbz#2225797 rhbz#2171486 rhbz#2170782
rhbz#2236640 rhbz#2243321 rhbz#2248266 rhbz#2251230
* Tue Apr 16 2024 Pete Zaitcev <zaitcev@kotori.zaitcev.us> – 3.5.11-1
– Update to 3.5.11

Read More

FEDORA-2024-0489e7ba1e

Packages in this update:

filezilla-3.67.0-1.fc38
libfilezilla-0.47.0-1.fc38

Update description:

Fix for CVE-2024-31497

Read More

FEDORA-2024-8401d42de6

Packages in this update:

filezilla-3.67.0-1.fc39
libfilezilla-0.47.0-1.fc39

Update description:

Fix for CVE-2024-31497

Read More

FEDORA-2024-ff9a2fb31c

Packages in this update:

filezilla-3.67.0-1.fc40
libfilezilla-0.47.0-1.fc40

Update description:

Fix for CVE-2024-31497

Read More

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution.

Mozilla Firefox is a web browser used to access the Internet.
Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.
Mozilla Thunderbird is an email client.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More

FEDORA-2024-fc5dc50bb6

Packages in this update:

python-pydantic-1.10.14-2.fc38

Update description:

Security fix for CVE-2024-3772 (regular expression denial of service via crafted email string). Update to latest 1.10.x release: https://github.com/pydantic/pydantic/blob/v1.10.14/HISTORY.md

Read More

It was discovered that zlib, vendored in klibc, incorrectly handled pointer
arithmetic. An attacker could use this issue to cause klibc to crash or to
possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841)

Danilo Ramos discovered that zlib, vendored in klibc, incorrectly handled
memory when performing certain deflating operations. An attacker could use
this issue to cause klibc to crash or to possibly execute arbitrary code.
(CVE-2018-25032)

Evgeny Legerov discovered that zlib, vendored in klibc, incorrectly handled
memory when performing certain inflate operations. An attacker could use
this issue to cause klibc to crash or to possibly execute arbitrary code.
(CVE-2022-37434)

Read More