Simone Margaritelli discovered that libcupsfilters incorrectly sanitized
IPP data when creating PPD files. A remote attacker could possibly use this
issue to manipulate PPD files and execute arbitrary code when a printer is
used.
Category Archives: Advisories
USN-7043-1: cups-filters vulnerabilities
Simone Margaritelli discovered that the cups-filters cups-browsed component
could be used to create arbitrary printers from outside the local network.
In combination with issues in other printing components, a remote attacker
could possibly use this issue to connect to a system, created manipulated
PPD files, and execute arbitrary code when a printer is used. This update
disables support for the legacy CUPS printer discovery protocol.
(CVE-2024-47176)
Simone Margaritelli discovered that cups-filters incorrectly sanitized IPP
data when creating PPD files. A remote attacker could possibly use this
issue to manipulate PPD files and execute arbitrary code when a printer is
used. (CVE-2024-47076)
USN-7042-1: cups-browsed vulnerability
Simone Margaritelli discovered that cups-browsed could be used to create
arbitrary printers from outside the local network. In combination with
issues in other printing components, a remote attacker could possibly use
this issue to connect to a system, created manipulated PPD files, and
execute arbitrary code when a printer is used. This update disables support
for the legacy CUPS printer discovery protocol.
USN-7041-1: CUPS vulnerability
Simone Margaritelli discovered that CUPS incorrectly sanitized IPP
data when creating PPD files. A remote attacker could possibly use this
issue to manipulate PPD files and execute arbitrary code when a printer is
used.
chromium-129.0.6668.70-1.fc41
FEDORA-2024-8008ddbd4e
Packages in this update:
chromium-129.0.6668.70-1.fc41
Update description:
Update to 129.0.6668.70
High CVE-2024-9120: Use after free in Dawn
High CVE-2024-9121: Inappropriate implementation in V8
High CVE-2024-9122: Type Confusion in V8
High CVE-2024-9123: Integer overflow in Skia
USN-7040-1: ConfigObj vulnerability
It was discovered that ConfigObj contains regex that is susceptible to
catastrophic backtracking. An attacker could possibly use this issue to
cause a regular expression denial of service.
USN-7039-1: Linux kernel vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– GPU drivers;
– Input Device (Tablet) drivers;
– Modular ISDN driver;
– Multiple devices driver;
– Network drivers;
– Near Field Communication (NFC) drivers;
– SCSI drivers;
– GCT GDM724x LTE driver;
– USB subsystem;
– VFIO drivers;
– GFS2 file system;
– JFS file system;
– NILFS2 file system;
– Networking core;
– IPv4 networking;
– L2TP protocol;
– Netfilter;
– RxRPC session sockets;
(CVE-2024-26651, CVE-2024-38583, CVE-2023-52527, CVE-2024-26880,
CVE-2022-48850, CVE-2024-26733, CVE-2021-47188, CVE-2024-42154,
CVE-2023-52809, CVE-2024-42228, CVE-2022-48863, CVE-2022-48836,
CVE-2022-48838, CVE-2024-26677, CVE-2024-27437, CVE-2022-48857,
CVE-2022-48791, CVE-2021-47181, CVE-2024-26851, CVE-2024-40902,
CVE-2022-48851, CVE-2024-38570)
aws-24.0.0-3.fc41
FEDORA-2024-7908ee39a9
Packages in this update:
aws-24.0.0-3.fc41
Update description:
CVE-2024-41708: Ada Web Server did not use a cryptographically secure pseudorandom number generator.
AWS.Utils.Random and AWS.Utils.Random_String used Ada.Numerics.Discrete_Random, which is not designed to be cryptographically secure. Random_String also introduced a bias in the generated pseudorandom string values, where the values “1” and “2” had a much higher frequency than any other character.
The internal state of the Mersenne Twister PRNG could be revealed, and lead to a session hijacking attack.
This update fixes the problem by using /dev/urandom instead of Discrete_Random.
More details: https://docs.adacore.com/corp/security-advisories/SEC.AWS-0040-v2.pdf
USN-7021-3: Linux kernel vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– GPU drivers;
– BTRFS file system;
– F2FS file system;
– GFS2 file system;
– BPF subsystem;
– Netfilter;
– RxRPC session sockets;
– Integrity Measurement Architecture(IMA) framework;
(CVE-2024-39494, CVE-2024-38570, CVE-2024-27012, CVE-2024-39496,
CVE-2024-42160, CVE-2024-41009, CVE-2024-42228, CVE-2024-26677)
aws-24.0.0-3.fc42
FEDORA-2024-b87003097a
Packages in this update:
aws-24.0.0-3.fc42
Update description:
Automatic update for aws-24.0.0-3.fc42.
Changelog
* Thu Sep 26 2024 Björn Persson <Bjorn@Rombobjörn.se> – 2:24.0.0-3
– Fixed to use /dev/urandom instead of a non-cryptographic PRNG.
Resolves: CVE-2024-41708 (RHBZ#2314766)