Category Archives: Advisories

python-aiohttp-3.7.4-7.el8

Read Time:35 Second

FEDORA-EPEL-2024-bc19d8cc99

Packages in this update:

python-aiohttp-3.7.4-7.el8

Update description:

Security fix for CVE-2024-52304

Update License field to SPDX.

Build and install the C extensions. Based on the history of security fixes in
later releases, this may close some vulnerabilities and possibly open others,
as both the C and Python HTTP parsing implementations have had their own
distinct issues.

While this backports the fix for CVE-2024-52304, and the fix for CVE-2024-23334
was backported in a previous update, it is very likely that other unmitigated
issues exist in this old release. Unfortunately, updating to a later version in
EPEL8 is impractical at best.

Read More

USN-7015-5: Python vulnerabilities

Read Time:1 Minute, 8 Second

USN-7015-1 fixed several vulnerabilities in Python. This update provides
the corresponding update for CVE-2024-6232 and CVE-2024-6923 for python2.7
in Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS
and Ubuntu 22.04 LTS.

Original advisory details:

It was discovered that the Python email module incorrectly parsed email
addresses that contain special characters. A remote attacker could
possibly use this issue to bypass certain protection mechanisms.
(CVE-2023-27043)

It was discovered that Python allowed excessive backtracking while parsing
certain tarfile headers. A remote attacker could possibly use this issue
to cause Python to consume resources, leading to a denial of service.
(CVE-2024-6232)

It was discovered that the Python email module incorrectly quoted newlines
for email headers. A remote attacker could possibly use this issue to
perform header injection. (CVE-2024-6923)

It was discovered that the Python http.cookies module incorrectly handled
parsing cookies that contained backslashes for quoted characters. A remote
attacker could possibly use this issue to cause Python to consume
resources, leading to a denial of service. (CVE-2024-7592)

It was discovered that the Python zipfile module incorrectly handled
certain malformed zip files. A remote attacker could possibly use this
issue to cause Python to stop responding, resulting in a denial of
service. (CVE-2024-8088)

Read More

ZDI-24-1515: (0Day) Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability

Read Time:17 Second

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-11394.

Read More

ZDI-24-1514: (0Day) Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability

Read Time:17 Second

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-11393.

Read More

ZDI-24-1513: (0Day) Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability

Read Time:17 Second

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-11392.

Read More

ZDI-24-1517: McAfee Total Protection Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

Read Time:17 Second

This vulnerability allows local attackers to escalate privileges on affected installations of McAfee Total Protection. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.7. The following CVEs are assigned: CVE-2024-49592.

Read More