Several vulnerabilities were discovered in the Xorg X server, which may
result in privilege escalation if the X server is running privileged
or denial of service.
Category Archives: Advisories
USN-6730-1: Apache Maven Shared Utils vulnerability
It was discovered that Apache Maven Shared Utils did not handle double-quoted
strings properly, allowing shell injection attacks. This could allow an
attacker to run arbitrary code.
llhttp-9.2.1-1.fc39 python-aiohttp-3.9.3-3.fc39 uxplay-1.68.2-3.fc39
FEDORA-2024-f83b123d63
Packages in this update:
llhttp-9.2.1-1.fc39
python-aiohttp-3.9.3-3.fc39
uxplay-1.68.2-3.fc39
Update description:
Update llhttp to 9.2.1, fixing CVE-2024-27982.
Additionally, llhttp 9.2.0 contained a number of bug fixes.
Backport llhttp 9.2.1 support to python-aiohttp 3.9.3.
llhttp-9.2.1-1.fc38 python-aiohttp-3.9.3-3.fc38 uxplay-1.68.2-3.fc38
FEDORA-2024-5dc487ee89
Packages in this update:
llhttp-9.2.1-1.fc38
python-aiohttp-3.9.3-3.fc38
uxplay-1.68.2-3.fc38
Update description:
Update llhttp to 9.2.1, fixing CVE-2024-27982.
Additionally, llhttp 9.2.0 contained a number of bug fixes.
Backport llhttp 9.2.1 support to python-aiohttp 3.9.3.
USN-6727-2: NSS regression
USN-6727-1 fixed vulnerabilities in NSS. The update introduced a regression
when trying to load security modules on Ubuntu 20.04 LTS and Ubuntu 22.04
LTS. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that NSS incorrectly handled padding when checking PKCS#1
certificates. A remote attacker could possibly use this issue to perform
Bleichenbacher-like attacks and recover private data. This issue only
affected Ubuntu 20.04 LTS. (CVE-2023-4421)
It was discovered that NSS had a timing side-channel when performing RSA
decryption. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-5388)
It was discovered that NSS had a timing side-channel when using certain
NIST curves. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-6135)
The NSS package contained outdated CA certificates. This update refreshes
the NSS package to version 3.98 which includes the latest CA certificate
bundle and other security improvements.
USN-6729-1: Apache HTTP Server vulnerabilities
Orange Tsai discovered that the Apache HTTP Server incorrectly handled
validating certain input. A remote attacker could possibly use this
issue to perform HTTP request splitting attacks. (CVE-2023-38709)
Keran Mu and Jianjun Chen discovered that the Apache HTTP Server
incorrectly handled validating certain input. A remote attacker could
possibly use this issue to perform HTTP request splitting attacks.
(CVE-2024-24795)
Bartek Nowotarski discovered that the Apache HTTP Server HTTP/2 module
incorrectly handled endless continuation frames. A remote attacker could
possibly use this issue to cause the server to consume resources, leading
to a denial of service. (CVE-2024-27316)
llhttp-9.2.1-1.fc40 python-aiohttp-3.9.3-3.fc40
FEDORA-2024-2f15e6e876
Packages in this update:
llhttp-9.2.1-1.fc40
python-aiohttp-3.9.3-3.fc40
Update description:
Update llhttp to 9.2.1, fixing CVE-2024-27982.
Backport llhttp 9.2.1 support to python-aiohttp 3.9.3.
llhttp-9.2.1-1.fc41 python-aiohttp-3.9.3-3.fc41
FEDORA-2024-8deaadd998
Packages in this update:
llhttp-9.2.1-1.fc41
python-aiohttp-3.9.3-3.fc41
Update description:
Update llhttp to 9.2.1, fixing CVE-2024-27982.
Backport llhttp 9.2.1 support to python-aiohttp 3.9.3.
python-django3-3.2.25-2.fc38
FEDORA-2024-84fbbbb914
Packages in this update:
python-django3-3.2.25-2.fc38
Update description:
Security fixes for
CVE-2024-27351 Potential regular expression DOS in django.utils.text.Truncator.words()
CVE-2023-41164 Potential DOS vulnerability in django.utils.encoding.uri_to_iri()
nodejs18-18.20.2-1.fc39
FEDORA-2024-8d548b8c96
Packages in this update:
nodejs18-18.20.2-1.fc39
Update description:
2024-04-10, Version 18.20.2 ‘Hydrogen’ (LTS), @RafaelGSS
This is a security release.
Notable Changes
CVE-2024-27980 – Command injection via args parameter of child_process.spawn without shell option enabled on Windows
Commits
[6627222409] – src: disallow direct .bat and .cmd file spawning (Ben Noordhuis) nodejs-private/node-private#564