Category Archives: Advisories

unbound-1.19.1-1.fc38

FEDORA-2024-c967c7d287

Packages in this update:

unbound-1.19.1-1.fc38

Update description:

Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers.
Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.

USN-6634-1: .NET vulnerabilities

Brennan Conroy discovered that .NET with SignalR did not properly
handle malicious clients. An attacker could possibly use this issue
to cause a denial of service. (CVE-2024-21386)

Bahaa Naamneh discovered that .NET with OpenSSL support did not
properly parse X509 certificates. An attacker could possibly use
this issue to cause a denial of service. (CVE-2024-21404)

Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution for the following:

Adobe Commerce is an offering that provides companies with a flexible and scalable end-to-end platform to manage their customers' commerce experiences.
Adobe Acrobat is used to view, create, print, and manage PDF files.
Adobe Audition is a professional audio editing application that includes a non-destructive mixing and editing environment.
Adobe FrameMaker Publishing Server is an enterprise software that allows you to automate your multichannel publishing process.
Adobe Substance 3D Stager is a state-of-the-art staging tool to create 3D scenes with real-time 3D visualization and high-quality renders.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Critical Patches Issued for Microsoft Products, February 13, 2024

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

USN-6633-1: Bind vulnerabilities

Shoham Danino, Anat Bremler-Barr, Yehuda Afek, and Yuval Shavitt discovered
that Bind incorrectly handled parsing large DNS messages. A remote attacker
could possibly use this issue to cause Bind to consume resources, leading
to a denial of service. (CVE-2023-4408)

Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner discovered
that Bind incorrectly handled validating DNSSEC messages. A remote attacker
could possibly use this issue to cause Bind to consume resources, leading
to a denial of service. (CVE-2023-50387)

It was discovered that Bind incorrectly handled preparing an NSEC3 closest
encloser proof. A remote attacker could possibly use this issue to cause
Bind to consume resources, leading to a denial of service. (CVE-2023-50868)

It was discovered that Bind incorrectly handled reverse zone queries when
nxdomain-redirect is enabled. A remote attacker could possibly use this
issue to cause Bind to crash, leading to a denial of service.
(CVE-2023-5517)

It was discovered that Bind incorrectly handled recursive resolution when
both DNS64 and serve-stale were enabled. A remote attacker could possibly
use this issue to cause Bind to crash, leading to a denial of service.
(CVE-2023-5679)

USN-6632-1: OpenSSL vulnerabilities

David Benjamin discovered that OpenSSL incorrectly handled excessively long
X9.42 DH keys. A remote attacker could possibly use this issue to cause
OpenSSL to consume resources, leading to a denial of service.
(CVE-2023-5678)

Bahaa Naamneh discovered that OpenSSL incorrectly handled certain malformed
PKCS12 files. A remote attacker could possibly use this issue to cause
OpenSSL to crash, resulting in a denial of service. (CVE-2024-0727)

ZDI-24-169: Adobe Audition AVI File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Audition. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-20739.