Aggregator

USN-6695-1: TeX Live vulnerabilities

2 weeks 1 day ago
It was discovered that TeX Live incorrectly handled certain memory operations in the embedded axodraw2 tool. An attacker could possibly use this issue to cause TeX Live to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2019-18604) It was discovered that TeX Live allowed documents to make arbitrary network requests. If a user or automated system were tricked into opening a specially crafted document, a remote attacker could possibly use this issue to exfiltrate sensitive information, or perform other network-related attacks. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2023-32668) It was discovered that TeX Live incorrectly handled certain TrueType fonts. If a user or automated system were tricked into opening a specially crafted TrueType font, a remote attacker could use this issue to cause TeX Live to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2024-25262)

USN-6694-1: Expat vulnerabilities

2 weeks 1 day ago
It was discovered that Expat could be made to consume large amounts of resources. If a user or automated system were tricked into processing specially crafted input, an attacker could possibly use this issue to cause a denial of service. (CVE-2023-52425, CVE-2024-28757)

USN-6673-2: python-cryptography vulnerability

2 weeks 1 day ago
USN-6673-1 provided a security update for python-cryptography. This update provides the corresponding update for Ubuntu 16.04 LTS. Original advisory details: Hubert Kario discovered that python-cryptography incorrectly handled errors returned by the OpenSSL API when processing incorrect padding in RSA PKCS#1 v1.5. A remote attacker could possibly use this issue to expose confidential or sensitive information. (CVE-2023-50782)

xen-4.18.0-7.fc40

2 weeks 1 day ago
FEDORA-2024-876e653a1c Packages in this update:
  • xen-4.18.0-7.fc40
Update description:

x86: Register File Data Sampling [XSA-452, CVE-2023-28746] GhostRace: Speculative Race Conditions [XSA-453, CVE-2024-2193]

x86: shadow stack vs exceptions from emulation stubs - [XSA-451, CVE-2023-46841] (#2266326)

USN-6587-5: X.Org X Server vulnerabilities

2 weeks 1 day ago
USN-6587-1 fixed several vulnerabilities in X.Org. This update provides the corresponding update for Ubuntu 14.04 LTS. Original advisory details: Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled memory when processing the RRChangeOutputProperty and RRChangeProviderProperty APIs. An attacker could possibly use this issue to cause the X Server to crash, or obtain sensitive information. (CVE-2023-6478) Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled memory when processing the DeviceFocusEvent and ProcXIQueryPointer APIs. An attacker could possibly use this issue to cause the X Server to crash, obtain sensitive information, or execute arbitrary code. (CVE-2023-6816) Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled reattaching to a different master device. An attacker could use this issue to cause the X Server to crash, leading to a denial of service, or possibly execute arbitrary code. (CVE-2024-0229) Olivier Fourdan and Donn Seeley discovered that the X.Org X Server incorrectly labeled GLX PBuffers when used with SELinux. An attacker could use this issue to cause the X Server to crash, leading to a denial of service. (CVE-2024-0408) Olivier Fourdan discovered that the X.Org X Server incorrectly handled the curser code when used with SELinux. An attacker could use this issue to cause the X Server to crash, leading to a denial of service. (CVE-2024-0409) Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled memory when processing the XISendDeviceHierarchyEvent API. An attacker could possibly use this issue to cause the X Server to crash, or execute arbitrary code. (CVE-2024-21885) Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled devices being disabled. An attacker could possibly use this issue to cause the X Server to crash, or execute arbitrary code. (CVE-2024-21886)

apptainer-1.3.0-1.el9

2 weeks 1 day ago
FEDORA-EPEL-2024-0e36aae9a6 Packages in this update:
  • apptainer-1.3.0-1.el9
Update description:

Update to upstream 1.3.0, and security fixes for CVE-2024-28176 and CVE-2024-28180

apptainer-1.3.0-1.el8

2 weeks 1 day ago
FEDORA-EPEL-2024-d7cc38dee9 Packages in this update:
  • apptainer-1.3.0-1.el8
Update description:

Update to upstream 1.3.0, and security fixes for CVE-2024-28176 and CVE-2024-28180

apptainer-1.3.0-1.fc40

2 weeks 1 day ago
FEDORA-2024-560a7aca85 Packages in this update:
  • apptainer-1.3.0-1.fc40
Update description:

Update to upstream 1.3.0, and security fixes for CVE-2024-28176 and CVE-2024-28180

apptainer-1.3.0-1.fc39

2 weeks 1 day ago
FEDORA-2024-453ee0b3b9 Packages in this update:
  • apptainer-1.3.0-1.fc39
Update description:

Update to upstream 1.3.0, and security fixes for CVE-2024-28176 and CVE-2024-28180

apptainer-1.3.0-1.el7

2 weeks 1 day ago
FEDORA-EPEL-2024-88b6d1940a Packages in this update:
  • apptainer-1.3.0-1.el7
Update description:

Update to upstream 1.3.0, and security fixes for CVE-2024-28176 and CVE-2024-28180

USN-6686-2: Linux kernel vulnerabilities

2 weeks 1 day ago
It was discovered that the DesignWare USB3 for Qualcomm SoCs driver in the Linux kernel did not properly handle certain error conditions during device registration. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2023-22995) It was discovered that a race condition existed in the Cypress touchscreen driver in the Linux kernel during device removal, leading to a use-after- free vulnerability. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-4134) 黄思聪 discovered that the NFC Controller Interface (NCI) implementation in the Linux kernel did not properly handle certain memory allocation failure conditions, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-46343) It was discovered that the io_uring subsystem in the Linux kernel contained a race condition, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service (system crash). (CVE-2023-46862) It was discovered that a race condition existed in the Bluetooth subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-51779) It was discovered that a race condition existed in the Rose X.25 protocol implementation in the Linux kernel, leading to a use-after- free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-51782) Alon Zahavi discovered that the NVMe-oF/TCP subsystem of the Linux kernel did not properly handle connect command payloads in certain situations, leading to an out-of-bounds read vulnerability. A remote attacker could use this to expose sensitive information (kernel memory). (CVE-2023-6121) It was discovered that the VirtIO subsystem in the Linux kernel did not properly initialize memory in some situations. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2024-0340) Dan Carpenter discovered that the netfilter subsystem in the Linux kernel did not store data in properly sized memory locations. A local user could use this to cause a denial of service (system crash). (CVE-2024-0607)

USN-6681-3: Linux kernel vulnerabilities

2 weeks 1 day ago
Wenqing Liu discovered that the f2fs file system implementation in the Linux kernel did not properly validate inode types while performing garbage collection. An attacker could use this to construct a malicious f2fs image that, when mounted and operated on, could cause a denial of service (system crash). (CVE-2021-44879) It was discovered that the DesignWare USB3 for Qualcomm SoCs driver in the Linux kernel did not properly handle certain error conditions during device registration. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2023-22995) Bien Pham discovered that the netfiler subsystem in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local user could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-4244) It was discovered that a race condition existed in the Bluetooth subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-51779) It was discovered that a race condition existed in the ATM (Asynchronous Transfer Mode) subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-51780) It was discovered that a race condition existed in the Rose X.25 protocol implementation in the Linux kernel, leading to a use-after- free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2023-51782) Alon Zahavi discovered that the NVMe-oF/TCP subsystem of the Linux kernel did not properly handle connect command payloads in certain situations, leading to an out-of-bounds read vulnerability. A remote attacker could use this to expose sensitive information (kernel memory). (CVE-2023-6121) It was discovered that the VirtIO subsystem in the Linux kernel did not properly initialize memory in some situations. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2024-0340)

ovn-23.09.0-139.fc38

2 weeks 1 day ago
FEDORA-2024-7c11edcd20 Packages in this update:
  • ovn-23.09.0-139.fc38
Update description:

Security fix for CVE-2024-2182 ovn: insufficient validation of BFD packets may lead to denial of service [fedora-all]

ovn-23.09.0-139.fc39

2 weeks 1 day ago
FEDORA-2024-082155d6b7 Packages in this update:
  • ovn-23.09.0-139.fc39
Update description:

Security fix for CVE-2024-2182 ovn: insufficient validation of BFD packets may lead to denial of service [fedora-all]

ovn-23.09.0-139.fc40

2 weeks 1 day ago
FEDORA-2024-bf29e92de4 Packages in this update:
  • ovn-23.09.0-139.fc40
Update description:

Security fix for CVE-2024-2182 ovn: insufficient validation of BFD packets may lead to denial of service [fedora-all]

baresip-3.10.1-1.el9

2 weeks 2 days ago
FEDORA-EPEL-2024-8e8d75ff19 Packages in this update:
  • baresip-3.10.1-1.el9
Update description: Baresip v3.10.1 (2024-03-12)

Security Release (possible Denial of Service): A wrong or manipulated incoming RTP Timestamp can cause the baresip process to hang forever, for details see: #2954

  • aureceiver: fix mtx_unlock on discard