This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-40841.
Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk discovered that the SSH
protocol was vulnerable to a prefix truncation attack. If a remote attacker
was able to intercept SSH communications, extension negotiation messages
could be truncated, possibly leading to certain algorithms and features
being downgraded. This issue is known as the Terrapin attack. This update
adds protocol extensions to mitigate this issue.
Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language which could result in incorrect
parsing of multipart/form-data, bypass of the cgi.force_direct directive
or incorrect logging.
Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution.
Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.Mozilla Thunderbird is an email client.
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Benoit Côté-Jodoin and Michael Nipper discovered that Devise-Two-Factor
incorrectly handled one-time password validation. An attacker could
possibly use this issue to intercept and re-use a one-time password.
(CVE-2021-43177)
Garrett Rappaport discovered that Devise-Two-Factor incorrectly handled
generating multi-factor authentication codes. An attacker could possibly
use this issue to generate valid multi-factor authentication codes.
(CVE-2024-8796)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– GPU drivers;
– Modular ISDN driver;
– MMC subsystem;
– SCSI drivers;
– F2FS file system;
– GFS2 file system;
– Netfilter;
– RxRPC session sockets;
– Integrity Measurement Architecture(IMA) framework;
(CVE-2021-47188, CVE-2024-42160, CVE-2024-42228, CVE-2022-48863,
CVE-2024-26677, CVE-2024-26787, CVE-2024-38570, CVE-2024-39494,
CVE-2022-48791, CVE-2024-27012)
USN-7043-1 fixed a vulnerability in cups-filters. This update provides
the corresponding update for Ubuntu 18.04 LTS.
Original advisory details:
Simone Margaritelli discovered that the cups-filters cups-browsed component
could be used to create arbitrary printers from outside the local network.
In combination with issues in other printing components, a remote attacker
could possibly use this issue to connect to a system, created manipulated
PPD files, and execute arbitrary code when a printer is used. This update
disables support for the legacy CUPS printer discovery protocol.
It was discovered that PHP incorrectly handled parsing multipart form data.
A remote attacker could possibly use this issue to inject payloads and
cause PHP to ignore legitimate data. (CVE-2024-8925)
It was discovered that PHP incorrectly handled the cgi.force_redirect
configuration option due to environment variable collisions. In certain
configurations, an attacker could possibly use this issue bypass
force_redirect restrictions. (CVE-2024-8927)
It was discovered that PHP-FPM incorrectly handled logging. A remote
attacker could possibly use this issue to alter and inject arbitrary
contents into log files. This issue only affected Ubuntu 22.04 LTS, and
Ubuntu 24.04 LTS. (CVE-2024-9026)
It was discovered that the JFS file system contained an out-of-bounds read
vulnerability when printing xattr debug information. A local attacker could
use this to cause a denial of service (system crash). (CVE-2024-40902)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– MIPS architecture;
– PowerPC architecture;
– x86 architecture;
– ACPI drivers;
– Serial ATA and Parallel ATA drivers;
– Drivers core;
– GPIO subsystem;
– GPU drivers;
– Greybus drivers;
– HID subsystem;
– I2C subsystem;
– IIO subsystem;
– InfiniBand drivers;
– Media drivers;
– VMware VMCI Driver;
– Network drivers;
– Pin controllers subsystem;
– S/390 drivers;
– SCSI drivers;
– USB subsystem;
– JFFS2 file system;
– JFS file system;
– File systems infrastructure;
– NILFS2 file system;
– IOMMU subsystem;
– Sun RPC protocol;
– Netfilter;
– Memory management;
– B.A.T.M.A.N. meshing protocol;
– CAN network layer;
– Ceph Core library;
– Networking core;
– IPv4 networking;
– IPv6 networking;
– IUCV driver;
– MAC80211 subsystem;
– NET/ROM layer;
– Network traffic control;
– SoC Audio for Freescale CPUs drivers;
(CVE-2024-40916, CVE-2024-41035, CVE-2024-39469, CVE-2024-39499,
CVE-2024-36978, CVE-2024-42092, CVE-2024-42087, CVE-2024-42102,
CVE-2024-40978, CVE-2024-40902, CVE-2024-36974, CVE-2024-42096,
CVE-2024-40974, CVE-2024-40904, CVE-2024-40905, CVE-2024-42153,
CVE-2024-42106, CVE-2024-42070, CVE-2024-41097, CVE-2024-42090,
CVE-2024-42105, CVE-2024-42104, CVE-2024-39502, CVE-2024-41089,
CVE-2024-40945, CVE-2024-38619, CVE-2024-40961, CVE-2024-42127,
CVE-2024-39487, CVE-2024-40988, CVE-2024-41044, CVE-2024-42236,
CVE-2024-40942, CVE-2024-39506, CVE-2024-39509, CVE-2024-39503,
CVE-2024-40934, CVE-2024-40959, CVE-2024-42101, CVE-2024-40960,
CVE-2024-40968, CVE-2024-41087, CVE-2023-52803, CVE-2024-40987,
CVE-2024-40943, CVE-2024-42089, CVE-2023-52887, CVE-2024-37078,
CVE-2024-42148, CVE-2024-36894, CVE-2024-42097, CVE-2024-41006,
CVE-2024-40984, CVE-2024-40963, CVE-2024-42223, CVE-2024-40912,
CVE-2024-42086, CVE-2024-41049, CVE-2024-42157, CVE-2024-41034,
CVE-2024-42145, CVE-2024-42124, CVE-2024-40995, CVE-2024-42224,
CVE-2024-40981, CVE-2024-41095, CVE-2024-40901, CVE-2024-42115,
CVE-2024-41041, CVE-2024-41007, CVE-2024-39505, CVE-2024-40932,
CVE-2024-39495, CVE-2024-40980, CVE-2024-42084, CVE-2024-41046,
CVE-2024-42119, CVE-2024-42076, CVE-2024-42232, CVE-2024-39501,
CVE-2024-40958, CVE-2024-40941, CVE-2024-42093, CVE-2024-42094,
CVE-2024-42154)
webkitgtk-2.46.1-1.fc39
Fix login QR code not shown in WhatsApp web.
Disable PSON by default again in GTK 3 API versions.
Disable DMABuf video sink by default to prevent file descriptor leaks.
Fix several crashes and rendering issues.
Use Skia instead of cairo for 2D rendering and enable GPU rendering by default.
Enable offscreen canvas by default.
Add support for system tracing with Sysprof.
Implement printing using the Print portal.
Add new API to load settings from a config file.
Add a new setting to enable or disable the 2D canvas acceleration (enabled by default).
Undeprecate console messages API and make it available in 6.0 API.
