FEDORA-FLATPAK-2024-072293e1a8
Packages in this update:
pdfmixtool-flatpak-1.1.1-3
Update description:
Fix for CVE-2024-24246 in qpdf
pdfmixtool-flatpak-1.1.1-3
Fix for CVE-2024-24246 in qpdf
pdfarranger-flatpak-1.10.1-4
Fix for CVE-2024-24246 in qpdf
libvirt-9.7.0-3.fc39
Fix crash listing interfaces with missing link status attribute (rhbz #2266014)
Fix crash listing interfaces with missized array (CVE-2024-1441)
libvirt-9.0.0-5.fc38
Fix crash listing interfaces with missing link status attribute (rhbz #2266014)
Fix crash listing interfaces with missized array (CVE-2024-1441)
What are the Vulnerabilities?
Two new vulnerabilities affecting JetBrains TeamCity CI/CD server have been identified and tagged as CVE-2024-27198 and CVE-2024-27199. The most severe of the two, CVE-2024-27198, has been added to CISA’s known exploited catalog which allows for a complete compromise of a vulnerable TeamCity server by a remote unauthenticated attacker.
What is the Vendor Solution?
On March 3, 2024, JetBrains released TeamCity 2023.11.4 to fix both CVE-2024-27198 and CVE-2024-27199. [ Link ]
What FortiGuard Coverage is available?
FortiGuard Labs has released endpoint vulnerability signatures, which can help detect vulnerable systems and auto-patch where applicable, and has blocked all the known indicators of compromise (IoCs).
FortiGuard Labs recommends companies to review the vendor’s advisory.
It was discovered that .NET did not properly handle certain specially
crafted requests. An attacker could potentially use this issue to cause
a resource leak, leading to a denial of service.
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
It was discovered that Gson incorrectly handled deserialization of untrusted
input data. If a user or an automated system were tricked into opening a
specially crafted input file, a remote attacker could possibly use this issue
to cause a denial of service.
Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did
not properly handle inactive elements in its PIPAPO data structure, leading
to a use-after-free vulnerability. A local attacker could use this to cause
a denial of service (system crash) or possibly execute arbitrary code.(CVE-2023-6817)
It was discovered that the IGMP protocol implementation in the Linux kernel
contained a race condition, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code.(CVE-2023-6932)
It was discovered that the netfilter connection tracker for netlink in the
Linux kernel did not properly perform reference counting in some error
conditions. A local attacker could possibly use this to cause a denial of
service (memory exhaustion).(CVE-2023-7192)
Kevin Rich discovered that the netfilter subsystem in the Linux kernel did
not properly check deactivated elements in certain situations, leading to a
use-after-free vulnerability. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.(CVE-2024-0193)
Jann Horn discovered that the TLS subsystem in the Linux kernel did not
properly handle spliced messages, leading to an out-of-bounds write
vulnerability. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code.(CVE-2024-0646)
It was discovered that OVN incorrectly enabled OVS Bidirectional Forwarding
Detection on logical ports. A remote attacker could possibly use this issue
to disrupt traffic.