It was discovered that a late privilege drop in the “REFRESH MATERIALIZED
VIEW CONCURRENTLY” command could allow an attacker to trick a user with
higher privileges to run SQL commands with these permissions.
Category Archives: Advisories
DSA-5622-1 postgresql-13 – security update
It was discovered that a late privilege drop in the “REFRESH MATERIALIZED
VIEW CONCURRENTLY” command could allow an attacker to trick a user with
higher privileges to run SQL commands with these permissions.
unbound-1.19.1-1.fc38
FEDORA-2024-c967c7d287
Packages in this update:
unbound-1.19.1-1.fc38
Update description:
Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers.
Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU.
dnsmasq-2.90-1.fc39
FEDORA-2024-e24211eff0
Packages in this update:
dnsmasq-2.90-1.fc39
Update description:
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
dnsmasq-2.90-1.fc38
FEDORA-2024-e00eceb11c
Packages in this update:
dnsmasq-2.90-1.fc38
Update description:
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
USN-6634-1: .NET vulnerabilities
Brennan Conroy discovered that .NET with SignalR did not properly
handle malicious clients. An attacker could possibly use this issue
to cause a denial of service. (CVE-2024-21386)
Bahaa Naamneh discovered that .NET with OpenSSL support did not
properly parse X509 certificates. An attacker could possibly use
this issue to cause a denial of service. (CVE-2024-21404)
Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution for the following:
Adobe Commerce is an offering that provides companies with a flexible and scalable end-to-end plate form to manage commerce experiences of their customers.
Adobe Acrobat is used to view, create, print, and manage PDF files.
Adobe Audition is a professional audio editing application that includes a non-destructive mixing and editing environment.
Adobe FrameMaker Publishing Server is an enterprise software that allows you to automate your multichannel publishing process.
Adobe Substance 3D Stager is a state-of-the-art staging tool to create 3D scenes with real-time 3D visualization and high-quality renders.
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights
Critical Patches Issued for Microsoft Products, February 13, 2024
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
USN-6633-1: Bind vulnerabilities
Shoham Danino, Anat Bremler-Barr, Yehuda Afek, and Yuval Shavitt discovered
that Bind incorrectly handled parsing large DNS messages. A remote attacker
could possibly use this issue to cause Bind to consume resources, leading
to a denial of service. (CVE-2023-4408)
Elias Heftrig, Haya Schulmann, Niklas Vogel, and Michael Waidner discovered
that Bind icorrectly handled validating DNSSEC messages. A remote attacker
could possibly use this issue to cause Bind to consume resources, leading
to a denial of service. (CVE-2023-50387)
It was discovered that Bind incorrectly handled preparing an NSEC3 closest
encloser proof. A remote attacker could possibly use this issue to cause
Bind to consume resources, leading to a denial of service. (CVE-2023-50868)
It was discovered that Bind incorrectly handled reverse zone queries when
nxdomain-redirect is enabled. A remote attacker could possibly use this
issue to cause Bind to crash, leading to a denial of service.
(CVE-2023-5517)
It was discovered that Bind incorrectly handled recursive resolution when
both DNS64 and serve-stable were enabled. A remote attacker could possibly
use this issue to cause Bind to crash, leading to a denial of service.
(CVE-2023-5679)
USN-6632-1: OpenSSL vulnerabilities
David Benjamin discovered that OpenSSL incorrectly handled excessively long
X9.42 DH keys. A remote attacker could possibly use this issue to cause
OpenSSL to consume resources, leading to a denial of service.
(CVE-2023-5678)
Bahaa Naamneh discovered that OpenSSL incorrectly handled certain malformed
PKCS12 files. A remote attacker could possibly use this issue to cause
OpenSSL to crash, resulting in a denial of service. (CVE-2024-0727)