Category Archives: Advisories

USN-6727-2: NSS regression

USN-6727-1 fixed vulnerabilities in NSS. The update introduced a regression
when trying to load security modules on Ubuntu 20.04 LTS and Ubuntu 22.04
LTS. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that NSS incorrectly handled padding when checking PKCS#1
certificates. A remote attacker could possibly use this issue to perform
Bleichenbacher-like attacks and recover private data. This issue only
affected Ubuntu 20.04 LTS. (CVE-2023-4421)

It was discovered that NSS had a timing side-channel when performing RSA
decryption. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-5388)

It was discovered that NSS had a timing side-channel when using certain
NIST curves. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-6135)

The NSS package contained outdated CA certificates. This update refreshes
the NSS package to version 3.98 which includes the latest CA certificate
bundle and other security improvements.

USN-6729-1: Apache HTTP Server vulnerabilities

Orange Tsai discovered that the Apache HTTP Server incorrectly handled
validating certain input. A remote attacker could possibly use this
issue to perform HTTP request splitting attacks. (CVE-2023-38709)

Keran Mu and Jianjun Chen discovered that the Apache HTTP Server
incorrectly handled validating certain input. A remote attacker could
possibly use this issue to perform HTTP request splitting attacks.
(CVE-2024-24795)

Bartek Nowotarski discovered that the Apache HTTP Server HTTP/2 module
incorrectly handled endless continuation frames. A remote attacker could
possibly use this issue to cause the server to consume resources, leading
to a denial of service. (CVE-2024-27316)

python-django3-3.2.25-2.fc38

FEDORA-2024-84fbbbb914

Packages in this update:

python-django3-3.2.25-2.fc38

Update description:

Security fixes for

CVE-2024-27351 Potential regular expression DoS in django.utils.text.Truncator.words()
CVE-2023-41164 Potential DoS vulnerability in django.utils.encoding.uri_to_iri()

nodejs18-18.20.2-1.fc39

FEDORA-2024-8d548b8c96

Packages in this update:

nodejs18-18.20.2-1.fc39

Update description:

2024-04-10, Version 18.20.2 ‘Hydrogen’ (LTS), @RafaelGSS

This is a security release.

Notable Changes

CVE-2024-27980 – Command injection via args parameter of child_process.spawn without shell option enabled on Windows

Commits

[6627222409] – src: disallow direct .bat and .cmd file spawning (Ben Noordhuis) nodejs-private/node-private#564
