Category Archives: Advisories

grub2-2.06-121.fc40

FEDORA-2024-2b545d3085

Packages in this update:

grub2-2.06-121.fc40

Update description:

Security fix for CVE-2023-4692

Security fix for CVE-2023-4693

Fri Apr 12 2024 Nicolas Frayer nfrayer@redhat.com – 2.06-121

fs/xfs: Handle non-continuous data blocks in directory extents
Related: #2254370

Fri Mar 08 2024 Nicolas Frayer nfrayer@redhat.com – 2.06-120

GRUB2 NTFS driver vulnerabilities
(CVE-2023-4692)
(CVE-2023-4693)
Resolves: #2236613
Resolves: #2241978
Resolves: #2241976
Resolves: #2238343

freerdp-3.5.0-1.fc40

FEDORA-2024-050266dc33

Packages in this update:

freerdp-3.5.0-1.fc40

Update description:

Update to 3.5.0 (CVE-2024-32039, CVE-2024-32040, CVE-2024-32041, CVE-2024-32458, CVE-2024-32459, CVE-2024-32460)

DSA-5665-1 tomcat10 – security update

Several security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine.

CVE-2023-46589

Tomcat 10 did not correctly parse HTTP trailer headers. A trailer header
that exceeded the header size limit could cause Tomcat to treat a single
request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.

CVE-2024-24549

Denial of Service due to improper input validation vulnerability for
HTTP/2. When processing an HTTP/2 request, if the request exceeded any of
the configured limits for headers, the associated HTTP/2 stream was not
reset until after all of the headers had been processed.

CVE-2024-23672

Denial of Service via incomplete cleanup vulnerability. It was possible
for WebSocket clients to keep WebSocket connections open leading to
increased resource consumption.

https://security-tracker.debian.org/tracker/DSA-5665-1

kubernetes-1.29.4-1.fc40

FEDORA-2024-ce2eefc399

Packages in this update:

kubernetes-1.29.4-1.fc40

Update description:

Update Kubernetes to v1.29.4 for Fedora 40. Resolves CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin.

Additional bug and regression fixes include a bump of golang.org/x/net to v0.23.0 to address CVE-2023-45288.

USN-6726-2: Linux kernel (IoT) vulnerabilities

Pratyush Yadav discovered that the Xen network backend implementation in
the Linux kernel did not properly handle zero-length data requests, leading
to a null pointer dereference vulnerability. An attacker in a guest VM
could possibly use this to cause a denial of service (host domain crash).
(CVE-2023-46838)

It was discovered that the IPv6 implementation of the Linux kernel did not
properly manage route cache memory usage. A remote attacker could use this
to cause a denial of service (memory exhaustion). (CVE-2023-52340)

It was discovered that the device mapper driver in the Linux kernel did not
properly validate target size during certain memory allocations. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2023-52429, CVE-2024-23851)

Dan Carpenter discovered that the netfilter subsystem in the Linux kernel
did not store data in properly sized memory locations. A local user could
use this to cause a denial of service (system crash). (CVE-2024-0607)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– Architecture specifics;
– Cryptographic API;
– Android drivers;
– EDAC drivers;
– GPU drivers;
– Media drivers;
– MTD block device drivers;
– Network drivers;
– NVME drivers;
– TTY drivers;
– Userspace I/O drivers;
– F2FS file system;
– GFS2 file system;
– IPv6 Networking;
– AppArmor security module;
(CVE-2023-52464, CVE-2023-52448, CVE-2023-52457, CVE-2023-52443,
CVE-2023-52439, CVE-2023-52612, CVE-2024-26633, CVE-2024-26597,
CVE-2023-52449, CVE-2023-52444, CVE-2023-52609, CVE-2023-52469,
CVE-2023-52445, CVE-2023-52451, CVE-2023-52470, CVE-2023-52454,
CVE-2023-52436, CVE-2023-52438)

kubernetes-1.27.13-1.fc39

FEDORA-2024-662a8b6005

Packages in this update:

kubernetes-1.27.13-1.fc39

Update description:

Updates Fedora 30 to Kubernetes 1.27.13.
Resolves CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin.
In addition, a few bug and regression fixes.
