It was discovered that Git incorrectly handled certain URLs when
asking for credentials. An attacker could possibly use this
issue to mislead the user into typing passwords for trusted
sites that would then be sent to untrusted sites instead.
(CVE-2024-50349)
It was discovered that git incorrectly handled line endings when
using credential helpers. (CVE-2024-52006)
Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not
properly handle certain error conditions, leading to a NULL pointer
dereference. A local attacker could possibly trigger this vulnerability to
cause a denial of service. (CVE-2022-38096)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– ARM32 architecture;
– ARM64 architecture;
– S390 architecture;
– x86 architecture;
– Power management core;
– GPU drivers;
– InfiniBand drivers;
– Network drivers;
– S/390 drivers;
– SCSI subsystem;
– TTY drivers;
– BTRFS file system;
– Ext4 file system;
– EROFS file system;
– F2FS file system;
– File systems infrastructure;
– BPF subsystem;
– Socket messages infrastructure;
– Bluetooth subsystem;
– Memory management;
– Amateur Radio drivers;
– Ethernet bridge;
– Networking core;
– IPv4 networking;
– Network traffic control;
– Sun RPC protocol;
– VMware vSockets driver;
– SELinux security module;
(CVE-2024-42240, CVE-2024-36938, CVE-2024-35967, CVE-2024-36953,
CVE-2022-48938, CVE-2024-38553, CVE-2024-35904, CVE-2024-35965,
CVE-2024-26947, CVE-2024-36968, CVE-2024-43892, CVE-2024-38597,
CVE-2023-52498, CVE-2021-47501, CVE-2024-44942, CVE-2024-42077,
CVE-2024-53057, CVE-2024-46724, CVE-2024-35963, CVE-2022-48943,
CVE-2024-42068, CVE-2024-42156, CVE-2022-48733, CVE-2023-52639,
CVE-2021-47101, CVE-2023-52821, CVE-2024-44940, CVE-2024-36952,
CVE-2021-47001, CVE-2024-38538, CVE-2024-40910, CVE-2021-47076,
CVE-2024-35966, CVE-2024-50264, CVE-2024-35951, CVE-2023-52488,
CVE-2023-52497, CVE-2024-49967)
It was discovered that Django incorrectly handled certain IPv6
strings. An attacker could possibly use this issue to cause a
denial of service.
SDL2_sound-2.0.4-1.fc41
Latest stable release from upstream. Changelog: https://github.com/icculus/SDL_sound/releases/tag/v2.0.4 . NOTE: dr_libs are unbundled.
Fixes:
CVE-2023-45676: Multi-byte write heap buffer overflow in start_decoder()
CVE-2023-45677: Heap buffer out of bounds write in start_decoder()
CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
CVE-2023-45680: Null pointer dereference in vorbis_deinit()
CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
CVE-2023-45680: Null pointer dereference in vorbis_deinit()
CVE-2023-45682: Wild address read in vorbis_decode_packet_rest()
SDL2_sound-2.0.4-1.fc40
Latest stable release from upstream. Changelog: https://github.com/icculus/SDL_sound/releases/tag/v2.0.4 . NOTE: dr_libs are unbundled.
Fixes:
CVE-2023-45676: Multi-byte write heap buffer overflow in start_decoder()
CVE-2023-45677: Heap buffer out of bounds write in start_decoder()
CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
CVE-2023-45680: Null pointer dereference in vorbis_deinit()
CVE-2023-45679: Attempt to free an uninitialized memory pointer in vorbis_deinit()
CVE-2023-45680: Null pointer dereference in vorbis_deinit()
CVE-2023-45682: Wild address read in vorbis_decode_packet_rest()
Wei Hao discovered that PowerDNS Authoritative Server incorrectly handled
memory when accessing certain files. An attacker could possibly use this
issue to achieve arbitrary code execution. (CVE-2018-1046)
It was discovered that PowerDNS Authoritative Server and PowerDNS Recursor
incorrectly handled memory when receiving certain remote input. An attacker
could possibly use this issue to cause denial of service. (CVE-2018-10851)
Kees Monshouwer discovered that PowerDNS Authoritative Server and PowerDNS
Recursor incorrectly handled request validation after having cached
malformed input. An attacker could possibly use this issue to cause denial
of service. (CVE-2018-14626)
Toshifumi Sakaguchi discovered that PowerDNS Recursor incorrectly handled
requests after having cached malformed input. An attacker could possibly
use this issue to cause denial of service. (CVE-2018-14644)
Nathaniel Ferguson discovered that PowerDNS Authoritative Server
incorrectly handled memory when receiving certain remote input. An attacker
could possibly use this issue to obtain sensitive information.
(CVE-2020-17482)
Nicolas Dehaine and Dmitry Shabanov discovered that PowerDNS Authoritative
Server and PowerDNS Recursor incorrectly handled IXFR requests in certain
circumstances. An attacker could possibly use this issue to cause denial of
service. (CVE-2022-27227)
A CVSS score 6.8 AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by ‘Dmitry “InfoSecDJ” Janushkevich of Trend Micro Zero Day Initiative’ was reported to the affected vendor on: 2025-01-14, 0 days ago. The vendor is given until 2025-05-14 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
Several vulnerabilities were discovered in rsync, a fast, versatile,
remote (and local) file-copying tool.
CVE-2024-12084
Simon Scannell, Pedro Gallegos and Jasiel Spelman discovered a
heap-based buffer overflow vulnerability due to improper handling of
attacker-controlled checksum lengths. A remote attacker can take
advantage of this flaw for code execution.
CVE-2024-12085
Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a flaw in
the way rsync compares file checksums, allowing a remote attacker to
trigger an information leak.
CVE-2024-12086
Simon Scannell, Pedro Gallegos and Jasiel Spelman discovered a flaw
which would result in a server leaking contents of an arbitrary file
from the client’s machine.
CVE-2024-12087
Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a path
traversal vulnerability in the rsync daemon affecting the
–inc-recursive option, which could allow a server to write files
outside of the client’s intended destination directory.
CVE-2024-12088
Simon Scannell, Pedro Gallegos and Jasiel Spelman reported that when
using the –safe-links option, rsync fails to properly verify if a
symbolic link destination contains another symbolic link with it,
resulting in path traversal and arbitrary file write outside of the
desired directory.
CVE-2024-12747
Aleksei Gorban “loqpa” discovered a race condition when handling
symbolic links resulting in an information leak which may enable
escalation of privileges.
Kevin Backhouse discovered that HPLIP incorrectly handled certain MDNS
responses. A remote attacker could use this issue to cause HPLIP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
Several security issues were discovered in the WebKitGTK Web and JavaScript
engines. If a user were tricked into viewing a malicious website, a remote
attacker could exploit a variety of issues related to web browser security,
including cross-site scripting attacks, denial of service attacks, and
arbitrary code execution.
