FEDORA-2024-6dab59bd47
Packages in this update:
curl-8.2.1-5.fc39
Update description:
fix Usage of disabled protocol (CVE-2024-2004)
fix HTTP/2 push headers memory-leak (CVE-2024-2398)
python-pycryptodomex-3.20.0-1.el9
CVE-2023-52323
llhttp-9.2.1-1.el9
python-aiohttp-3.9.3-2.el9
Update llhttp to 9.2.1, fixing CVE-2024-27982.
Additionally, llhttp 9.2.0 contained a number of bug fixes.
Backport llhttp 9.2.1 support to python-aiohttp 3.9.3.
Several vulnerabilities were discovered in the Xorg X server, which may
result in denial of service or, if the X server is running privileged,
privilege escalation.
It was discovered that Apache Maven Shared Utils did not handle double-quoted
strings properly, allowing shell injection attacks. This could allow an
attacker to run arbitrary code.
llhttp-9.2.1-1.fc39
python-aiohttp-3.9.3-3.fc39
uxplay-1.68.2-3.fc39
Update llhttp to 9.2.1, fixing CVE-2024-27982.
Additionally, llhttp 9.2.0 contained a number of bug fixes.
Backport llhttp 9.2.1 support to python-aiohttp 3.9.3.
llhttp-9.2.1-1.fc38
python-aiohttp-3.9.3-3.fc38
uxplay-1.68.2-3.fc38
Update llhttp to 9.2.1, fixing CVE-2024-27982.
Additionally, llhttp 9.2.0 contained a number of bug fixes.
Backport llhttp 9.2.1 support to python-aiohttp 3.9.3.
USN-6727-1 fixed vulnerabilities in NSS. The update introduced a regression
when trying to load security modules on Ubuntu 20.04 LTS and Ubuntu 22.04
LTS. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that NSS incorrectly handled padding when checking PKCS#1
certificates. A remote attacker could possibly use this issue to perform
Bleichenbacher-like attacks and recover private data. This issue only
affected Ubuntu 20.04 LTS. (CVE-2023-4421)
It was discovered that NSS had a timing side-channel when performing RSA
decryption. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-5388)
It was discovered that NSS had a timing side-channel when using certain
NIST curves. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-6135)
The NSS package contained outdated CA certificates. This update refreshes
the NSS package to version 3.98 which includes the latest CA certificate
bundle and other security improvements.
Orange Tsai discovered that the Apache HTTP Server incorrectly handled
validating certain input. A remote attacker could possibly use this
issue to perform HTTP request splitting attacks. (CVE-2023-38709)
Keran Mu and Jianjun Chen discovered that the Apache HTTP Server
incorrectly handled validating certain input. A remote attacker could
possibly use this issue to perform HTTP request splitting attacks.
(CVE-2024-24795)
Bartek Nowotarski discovered that the Apache HTTP Server HTTP/2 module
incorrectly handled endless continuation frames. A remote attacker could
possibly use this issue to cause the server to consume resources, leading
to a denial of service. (CVE-2024-27316)
llhttp-9.2.1-1.fc40
python-aiohttp-3.9.3-3.fc40
Update llhttp to 9.2.1, fixing CVE-2024-27982.
Backport llhttp 9.2.1 support to python-aiohttp 3.9.3.