Debian Linux Security Advisory 5812-2 - The postgresql minor release shipped in DSA 5812 introduced an ABI break, which has been reverted so that extensions do not need to be rebuilt.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5812-2                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 21, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : postgresql-15The postgresql minor release shipped in DSA 5812 introduced an ABI break,which has been reverted so that extensions do not need to be rebuilt.For the stable distribution (bookworm), this  has been fixed inversion 15.10-0+deb12u1.We recommend that you upgrade your postgresql-15 packages.For the detailed security status of postgresql-15 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/postgresql-15Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmc/hswACgkQEMKTtsN8TjZePRAAgnIkPa8sI7Rv38Ye9PxPsElOYO5pMMe4Pn8xcqtVtDdYsu/D2n/H7lF5u7Yn3WAjSLYbTi2wc9sPZ2lqg/qgEgGuU0xh4+Bbd2N0eXSWRZMCe9ILIJqdyX0BeF3hjpqmJrkOi1xxIxsvS8nLxXdI4zEJdCd9R+Q2iH8D0Xl3IuRWPFYpOdu4aWSgtqlYrmRtZ6yM/LCM8qnTOf1WZ+L8x7jYHQ21PGYH+645UY3tCEoe4mr3H2e/f0rLVxAJMvFQbbUk/gLVozI4+5cIracmcQMaHR+TqHfkVY8qMq9iASehFF9qhxMJVSP2o0aprYMHyKoIudyzLUuM0fJD0xs2yQjj+wP71mTPe3t4NqBDE4z/oDNgXuehRMmOPeBq3nP7JQG/BhQN/F4bDI3aSu/EPfUwEODiIPapGeYTjnI0RPU6RxgfM1qTLPFAvzFYIyRCPlqmAF/RhFndSnXl2mMsZo/w69CUgKtt04c1nATXGI+VklIV400mHPLFCj+ETF0qESNwGqiUdyxYY2uuTa/KyJ+JzHBTJ9wYEgZErKVdpyVcaB7+0j+Sx15tObwIfhdTths2BOtCl9jp1hLtitwog7486FOVIL4TpXkqk4TfLwD9DiK/KurE/aUlEwDDk9j5F8KA7HqW+e1eAlsqI+P+kHHkSXlVj+DssQRvQywqIN0==pbdM-----END PGP SIGNATURE-----

Debian Security Advisory 5812-2

This is a custom firmware written for the Proxmark3 device. It extends the currently available firmware. This release is nicknamed "Orca".

Proxmark3 4.19552 Custom Firmware

Secure by Demand offers a starting point for third-party risk management teams, but they need to take the essential step of using a mature software supply chain security solution to ensure they're not blindly trusting a provider's software.

Saša Zdjelar, Chief Trust Officer, ReversingLabs

November 22, 2024

5 Min Read

Source: Science Photo Library Alamy Stock Photo

COMMENTARY

In late June 2017, maritime giant A.P. Møller – Maersk was hit with a devastating software infection that affected "close to a fifth of the world's shipping capacity." 

As it turned out, the attack was not targeted at Maersk, but spun out of a regional "hot war" between Ukraine and Russia that saw a malware strain named "NotPetya" delivered to customers of a Ukrainian software company, with clients in the Ukraine and the rest of the world. The attack cost the global economy a whopping $10 billion in damages — the world's most costly cyber event to date.  

Seven years later, NotPetya is considered to be one of the most significant cyberattacks of our time. But this was not just a malware attack, but a software supply chain attack that exploited a commercial software update.  

In the years since, software supply chain attacks have taken center stage, with more incidents like NotPetya arising, including supply chain attacks on SolarWinds and the voice-over-IP firm 3CX. Also, Verizon's "2024 Data Breach Investigations Report" (DBIR) found that breaches stemming from third-party software development organizations increased by 68% from 2023. 

In response, the US Cybersecurity and Infrastructure Security Agency (CISA) released Secure by Design guidance in 2023. This move signaled to software producers the need to securely design their products, track and mitigate common vulnerabilities and exposures (CVEs), implement legacy AppSec tools, and enable protocols like multifactor authentication (MFA). But it wasn't until August 2024 that CISA released new Secure by Demand guidance that approaches this problem differently by empowering enterprise buyers to demand safer commercial software products from their suppliers, period.  

Secure by Demand is a good starting point for enterprise buyers looking to raise the bar for the firms that supply them business-critical software. However, it's imperative that these businesses go one step further. Here's why. 

**Software Assurance**

Secure by Demand targets several areas of software assurance: secure software development, vulnerability tracking and patching, authentication and logging, and software transparency. CISA hopes that enterprise consumers will ask commercial software vendors about each of these areas during the procurement process.

While these checks target key parts of software supply chain security, CISA's guidance should include more than a list of questions — not so different from the prevailing form of third-party risk management (TPRM), which relies heavily on questionnaires. Unfortunately, such an approach falls well short of providing genuine software assurance.

Instead, questionnaires leave major gaps in assessments of third-party cyber-risk, in that enterprise consumers will ask smart questions of commercial software vendors but won't possess the appropriate capabilities to verify their answers. That lapse leaves enterprise buyers vulnerable, requiring them to blindly trust the attestations of the mission-critical software products they rely on.  

The same can be said for software bills of materials (SBOMs), which Secure by Demand also recommends to enterprise buyers. SBOMs provide transparency in that they list a piece of software's components, which can include open source, proprietary, and third-party software. However, not listed in an SBOM are the calculated risks associated with third-party and commercial software products.  

Consider this: Neither a detailed SBOM nor a completed vendor security questionnaire would have thwarted the NotPetya attack, as customers were unaware of the existence of a Russian backdoor in the offending software update. So why should enterprise consumers take comfort from SBOMs and questionnaires alone when looking to protect their organizations? 

**Limited View of Supply Chain Risk**

It's true: Some of the checks recommended by CISA in its Secure by Demand guide include the vetting of open source software components used in commercial software products. CISA also calls for end-user organizations to determine how software vendors find, disclose, and patch vulnerabilities in their software. However, software supply chain risks extend well beyond these checks.  

Sophisticated cybercriminal and nation-state groups today are targeting commercial software by compromising build pipelines to insert malicious code, or by uncovering and abusing secrets lurking in application code. This is evident in the fact that the most detrimental software supply chain attacks to date did not occur due to cybercriminals exploiting open source components and vulnerabilities in software. Rather, they targeted commercial software directly, as was the case with NotPetya, 3CX, and more.  

**The Solution? Don't Trust — and Verify**

For enterprise buyers to ensure that the commercial software they are consuming is safe, they will need to independently validate the security of their mission-critical software. Doing so will require more than just asking vendors to answer a list of questions and provide an SBOM. Proper validation requires independently testing and verifying that software is free from malicious components (open source or commercial), critical vulnerabilities, malware, tampering, suspicious behaviors, and more — before, during, or after its deployment. 

Secure by Demand offers a solid starting point for TPRM teams. But they should then take the essential step of using a mature software supply chain security solution — one that provides comprehensive and independent software analysis, to ensure they are not blindly trusting their provider's software. Such a tool should also offer an actionable software risk assessment, which serves as a TPRM team's recipe for success when protecting their organization from such incidents.  

Having this level of control and verifiable evidence will allow enterprise consumers to verify the security and integrity of the mission-critical commercial software they rely on, even in the wake of the latest software supply chain attack. 

**About the Author**

Chief Trust Officer, ReversingLabs

Saša is the chief trust officer (CTrO) at ReversingLabs, and operating partner at Crosspoint Capital, with approximately 20 years of Fortune 10 global executive leadership experience. His CTrO scope includes leadership, oversight and governance of the CISO/CSO function, including product security, as well as partnering with other leaders on corporate and product strategy, strategic partnerships and research, and customer and technology advisory boards, including sponsoring the ReversingLabs CISO Council. Prior to ReversingLabs and Crosspoint Capital, Saša served as the senior vice president of security at Salesforce, where he led a global organization encompassing enterprise security, product security, offensive security, security engineering/automation, bug bounty programs, technical product/program/project management, and mergers and acquisitions. He also played a crucial role as the executive sponsor for strategic corporate security initiatives, such as zero trust.

Going Beyond Secure by Demand

The scale of Beijing's systematic tapping of private industry and universities to build up its formidable hacking and cyber-warfare capabilities is larger than previously understood.

Source: KaimDH via Shutterstock

Hundreds of private cybersecurity firms, technology services providers, and universities are helping China's state apparatus develop offensive cyber capabilities to support the country's strategic military, economic, and geopolitical goals, according to research released this week.

"The existence of state-sponsored threat groups operating under the Chinese state's direction has long been well documented," researchers at France's Orange Cyberdefense wrote in their report, based on eight months of analysis of China's cyber-offense capabilities. But any notions that these entities are strictly in government hands, especially given the authoritarian nature of China's government, are off base, the authors warned. "China's offensive cyber capabilities are, in fact, supported by a complex and multilayered ecosystem involving a broad array of state and non-state actors," they wrote.

Their findings provide deeper context on the troubling success that Chinese cyber actors have had infiltrating US critical infrastructure, breaching government, military, and business networks, not to mention theft of defense data, trade secrets, and intellectual property from American entities and others around the world.

**An Extensive Ecosystem**

The synergies have enabled quicker government access to cutting-edge technology and talent, especially in critical areas such as artificial intelligence (AI), big data analytics, 5G wireless, and cloud computing, says Dan Ortega, security strategist at Anomali. "China's collaboration between its tech companies and state entities has dramatically accelerated the development of its cyber-offensive capabilities," Ortega says. Importantly, it has also allowed the nation to scale state-sponsored cyber missions effectively. And that collaboration enables government access to vast data sets collected by companies, facilitating enhanced targeting and more-effective cyberattacks, he notes.

"China fosters formal and informal partnerships with tech firms through initiatives like the Military-Civil Fusion strategy, mandating companies to share their technological advancements and insights with the state," he says. A feedback loop exists in which innovations made in the private sector directly enhance state capabilities.

**Poised to Strike?**

The Orange report arrives as domestic concerns grow over Chinese cyberattacks on US entities, such as operations like Volt Typhoon's targeting of critical infrastructure organizations. Many in government and industry are convinced that Chinese groups have attained the presence they need on US networks to cause widespread disruption to domestic energy, telecommunications utilities, and technology services. Such concerns prompted the Office of the Director of National Intelligence (ODNI) to describe China as the "most active and persistent cyber threat to US government, private sector, and critical infrastructure networks," in its 2024 annual report.

Orange's research showed the four main government stakeholders responsible for building and executing China's cyber-offense capabilities are the People's Liberation Army (PLA), the Ministry of State Security (MSS), the Ministry of Public Security (MPS), and the Ministry of Industry and Information Technology (MIIT). Their multipronged efforts include actively recruiting or otherwise supporting private hackers and hacktivists in activities such as data theft, website defacement, and distributed denial-of-service attacks.

**Hundreds of Private Firms**

Under the current model, the government stakeholders are working with hundreds of private companies, both big and small, to carry out cyberattacks against foreign and domestic entities that are of strategic interest to Beijing, the Orange report noted. One example of big-player involvement in the report is Shanghai stock exchange-listed Integrity Technology Group (ITG), which the FBI has linked to the Flax Typhoon APT. Like ITG, many of China's top technology companies are also the state's biggest cyber contractors, according to Orange's report. "Enterprises such as ThreatBook, Qihoo360, and Qi An Xin not only provide defensive security solutions to public agencies but are also believed to indirectly contribute to offensive cyber operations."

At the other end of the spectrum are dozens of smaller and medium-size private entities that often act as subcontractors for the bigger companies and deliver a range of highly specialized services. One example is i-Soon, a 72-person Shanghai firm whose ties to the Chinese government emerged after a leak earlier this year. "These entities often act as subcontractors to the industry giants, filling the gap in their cyber offensive competencies and further fragmenting the hack-for-hire supply chain," Orange's researchers wrote. The company found that while in many instances, China's PLA, MSS, and others worked with legitimate private entities, others created shell companies that acted as fronts for procuring cyberattack infrastructure.

**Tapping Top Universities**

The Chinese government's efforts to rope in academic institutions began in earnest in 2017. Today many universities — including eight of the C9 League of China's top nine public universities — are engaged in state-sponsored cyber-offense research, according to Orange. Their contributions range from advanced research on the use of AI in cybersecurity to helping state operatives translate stolen documents and gathering open source intelligence.

Trey Ford, chief information security officer at Bugcrowd, says the willingness among Chinese companies to work for the government point up very different business norms in China. While organizations in countries like the US are beholden to fiduciary, legal, ethical, and privacy norms, those in China have a different set of obligations. "Communist government-backed organizations, aligned to formal Five-Year economic and military objectives, will have very different outcomes in mind, and can make different investments and sacrifices than capitalist businesses," he says.

Customer trust and user privacy are different context in China than in the US and other western nations, Ford says.  "Companies doing business in China must run their services in-country today. This includes the expectation of access to their systems, data, intellectual property — as well as their customers' data."

The continued expansion of China's cyber ecosystem will lead to more sophisticated attacks and better targeting of intellectual property and critical infrastructure through trusted business relationships, cautions Stephen Kowski, field chief technology officer at SlashNext Email Security+. "This model could enable more advanced supply chain compromises and social engineering attacks that bypass traditional security controls," Kowski says. "China's civil-military fusion model creates a seamless flow of technology and expertise between private sector innovations and state-sponsored cyber operations, enabling faster deployment of advanced attack techniques."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

China's Cyber Offensives Built in Lockstep With Private Firms, Academia

Nosebeard Labs has identified a critical vulnerability in the Apple system wide web content filter that allows a full bypass of content restrictions. This vulnerability, which occurs specifically when Screen Time content filtering settings are enabled, permits users or attackers to access restricted websites in Safari without detection. The timeline in this advisory is probably the most interesting thing to note. It shows a Fortune 10 ignoring a concern for years until a news article gets written, and that is truly disappointing. Do better Tim.

    Dear colleagues,Nosebeard Labs is pleased to share its latest advisory, detailing a bypass of Apple's system wide web content filter. The HTML version of this advisory is also available at:https://nosebeard.co/advisories/nbl-001.htmlWarmest regards,Nosebeard Labs## SummaryNosebeard Labs Security Advisory NBL-001Title: Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionOS/watchOS)Advisory ID: NBL-001Date: 2024-11-15Severity: Critical (CVSS 9.1)Affected Product: Safari on any Apple device with Screen Time enabledCVE ID: CVE-2024-44206## OverviewNosebeard Labs has identified a critical vulnerability in Apple’s system wide web content filter that allows a full bypass of content restrictions. This vulnerability, which occurs specifically when Screen Time’s content filtering settings are enabled, permits users or attackers to access restricted websites in Safari without detection. By exploiting a misalignment between Screen Time’s Access Control List (ACL) and WebKit’s URI validation, a specially crafted URI can circumvent both layers of protection.Apple has assigned CVE-2024-44206 to this issue and issued a fix for macOS Sonoma 14.x, iOS/iPadOS 17.x, watchOS 10.x, visionOS 1.x, Safari 17.x and up.However, a fix is still pending for the backport channels.## DescriptionThis vulnerability arises when the WebKit Cocoa layer in Safari ingests a URI without performing comprehensive validation, combined with a failure by the Screen Time ACL filter to recognize and block the malformed URI. The flaw allows a crafted URI to bypass all Screen Time content filtering settings, including deny/allow lists and parental content filters, providing unrestricted access to blocked content.## Affected SystemsThis vulnerability affects all devices on macOS, iOS, iPadOS, watchOS and visionOS platforms with Safari and Screen Time enabled, impacting an estimated 250 million devices globally.## Attack ScenariosThe vulnerability can be exploited both locally and remotely:1. Local Exploitation: Users can manipulate the address bar to manually enter a crafted URI, bypassing Screen Time restrictions.2. Network-Based Exploitation: Attackers can load restricted content remotely by embedding a crafted URI within an iframe, bypassing restrictions without requiring user interaction.## Impact1. Confidentiality: Unrestricted access to restricted websites compromises the confidentiality of content filtering controls, potentially exposing sensitive or inappropriate material.2. Scope and Integrity: This vulnerability spans across two separate security mechanisms (Screen Time and WebKit), representing a critical architecture-level issue. Additionally, accessing unsecured or unlogged resources poses potential integrity risks.## CVSS ScoreVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:NScore: 9.1 (Critical)## MitigationsUpgrade to the latest iOS/iPadOS 17.x or 18.x / macOS Sonoma 14.x  / visionOS 1.x / watchOS 10.x / Safari 17.6 respectively. Users who are unable to apply a fix can contact us for more info.## Vendor ResponseApple has issued CVE-2024-44206 and supplied a fix within WebKit; however, a fix remains pending for iOS/iPadOS version 16.x. We recommend that Apple undertake further review to address the issue comprehensively.## Timeline–Milestone:2020-11-24 Vulnerability discovered internally at NBL–Milestone:2021-03-08 Initial disclosure to Apple Product Security–2021-03-09 Apple Product Security recommends to open a bug report on Feedback Assistant2021-03-10 We opened a bug report on Feedback Assistant as advised by Apple Product Security2021-03-15 We follow-up by adding additional info to the open bug report on F.A.2021-08-16 We follow-up again referring Apple Product Security to open ticket, stressing that the issue can be also demonstrated in their EU Apple Stores2021-08-24 We follow-up again to Apple Product Security, referring to the previous follow-up2021-08-25 Rejected by Apple Security - “We do not see any actual security implications. We recommended reporting this issue via Feedback Assistant”2024-03-18 NBL submits a second report 3 years later to appeal via Apple Security Bounty Program, urging to re-evaluate, also providing PoC code2024-03-19 Apple Security Research closes report - “We’re unable to identify a security issue in your report” - “Screen Time is not intended to protect a device against manipulation” - “We recommend reporting this via Feedback Assistant”2024-04-02 Status of Bug Report on F.A. from 2021-03-10 “Open, Similar Reports None”2024-04-03 We follow-up again asking Apple Security for a final reassessment, providing a temporary workaround2024-04-03 Apple Security recommends opening a bug report - “ST is not intended to protect a device against manipulation” - “MDM profiles provide configuration management but do not establish additional security boundaries beyond what iOS and iPadOS have to offer.”2024-05-05 Initial contact with Joanna Stern of WSJ2024-05-06 Referring PSIRT ticket # directly to an Apple PSIRT contact via undisclosed SOC - no response2024-05-28 Joanna Stern/WSJ runs Apple through this2024-05-29 Apple commits patches to Safari branch–Milestone:2024-06-05 Wall Street Journal addresses our finding in their article “A Bug Allowed Kids to Visit X-Rated Sites. Apple Took Three Years to Fix It.” by Joanna Stern–2024-06-18 We follow-up again with Urgent request for re-evaluation to Apple Product Security (“Addendum”)2024-06-27 We follow-up on our follow-up Update Request Screen Time Security Vulnerability Report (“Follow-Up”)2024-07-23 Apple releases fix in iOS 17.6RC et al.2024-07-26 Letter to Apple welcoming first fix, reiterating our dedication to Responsible Disclosure, intended to coordinate further disclosure process and close the affair asking them to give credit and align to their SBP–Milestone:2024-07-29 Apple releases fixes for macOS Sonoma 14.6, iOS/iPadOS 17.6, watchOS 10.6, visionOS 1.3 and Safari 17.6, leaving iOS/iPadOS 16.x still affected.–2024-07-31 Apple responds “ST is not intended to protect a device from malicious manipulation, and bug reports on features like this are therefore typically ineligible for credit or Apple Security Bounty award. However, we’d like to make an exception and award you USD (...)* as a thank you for your report. Also, we’d like to credit you on our security advisory under the ‘Additional recognition’ section of the page.” *We were offered the minimum possible amount.2024-08-01 We inquire about the bounty amount asking Apple to “comment on our proposed evaluation under the CVSS metrics, sharing with us their transparent assessment of the vulnerability under the terms and broad criteria of the bounty program.”2024-08-01 Apple “appreciates our suggestions, but CVSS scores are not something that they publish to their security advisory.”2024-08-03 Patches merged with public WebKit branch2024-08-19 We are reaching out to Apple again “Ringing the escalation bell for the SBP team”2024-08-23 Apple Product Security advises a call2024-09-10 Apple Security rejects adjustment of the bounty as “out of scope/edge case policy” in the call, offering a $20,000 charity donation instead We request Apple to assign a CVE.–Milestone:2024-10-17 Apple follows-up with CVE-2024-44206 and an update to the advisorieshttps://support.apple.com/en-us/120909https://support.apple.com/en-us/120911https://support.apple.com/en-us/120913https://support.apple.com/en-us/120915https://support.apple.com/en-us/120916–2024-10-23 We follow-up one more time to request a further review of the severity and reward2024-11-02 NBL-001 advisory draft shared with Apple2024-11-14 Apple requests naming their charity offer among bounty payout details, leaving out further comments on the contents of the advisory itself.2024-11-15 NBL-001 published## ContactFor more information, please contact Andreas Jaegersberger or Ro Achterberg from Nosebeard Labs at labs@nosebeard.co.## Special ThanksMuch love goes out to Joanna Stern for her incredible support in making this happen.We also want to thank Aaron Kaplan for the tailwind throughout the journey and Arnoud Engelfriet for the rapid legal advice.Buongiorno to the cap’n <3

Apple Web Content Filter Bypass

Red Hat Security Advisory 2024-9806-03 - Red Hat build of Apache Camel 4.4.4 for Spring Boot release and security update is now available. Issues addressed include a code execution vulnerability.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9806.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: Red Hat Build of Apache Camel 4.4.4 for Spring Boot security update.  
Advisory ID:        RHSA-2024:9806-03  
Product:            Red Hat Build of Apache Camel  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:9806  
Issue date:         2024-11-21  
Revision:           03  
CVE Names:          CVE-2024-51132  
====================================================================

Summary: 

Red Hat build of Apache Camel 4.4.4 for Spring Boot release and security update is now available.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat build of Apache Camel 4.4.4 for Spring Boot release and security update is now available.

The purpose of this text-only errata is to inform you about the security issues fixed.

Security Fix(es):

* ca.uhn.hapi.fhir/org.hl7.fhir.dstu2: arbitrary code execution via specially-crafted request (CVE-2024-51132)

* ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may: arbitrary code execution via specially-crafted request (CVE-2024-51132)

* ca.uhn.hapi.fhir/org.hl7.fhir.dstu3: arbitrary code execution via specially-crafted request (CVE-2024-51132)

* ca.uhn.hapi.fhir/org.hl7.fhir.r4: arbitrary code execution via specially-crafted request (CVE-2024-51132)

* ca.uhn.hapi.fhir/org.hl7.fhir.r5: arbitrary code execution via specially-crafted request (CVE-2024-51132)

* ca.uhn.hapi.fhir/org.hl7.fhir.utilities: arbitrary code execution via specially-crafted request (CVE-2024-51132)

* ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may: XXE vulnerability in XSLT parsing in `org.hl7.fhir.core` (CVE-2024-52007)

* ca.uhn.hapi.fhir/org.hl7.fhir.dstu3: XXE vulnerability in XSLT parsing in `org.hl7.fhir.core` (CVE-2024-52007)

* ca.uhn.hapi.fhir/org.hl7.fhir.r4: XXE vulnerability in XSLT parsing in `org.hl7.fhir.core` (CVE-2024-52007)

* ca.uhn.hapi.fhir/org.hl7.fhir.r5: XXE vulnerability in XSLT parsing in `org.hl7.fhir.core` (CVE-2024-52007)

* ca.uhn.hapi.fhir/org.hl7.fhir.utilities: XXE vulnerability in XSLT parsing in `org.hl7.fhir.core` (CVE-2024-52007)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-51132

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2323897  
https://bugzilla.redhat.com/show_bug.cgi?id=2324794

Red Hat Security Advisory 2024-9806-03

Apple Security Advisory 11-19-2024-5 - macOS Sequoia 15.1.1 addresses code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1

macOS Sequoia 15.1.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121753.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

JavaScriptCore  
Available for: macOS Sequoia  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution. Apple is aware of a report that this issue may have been  
actively exploited on Intel-based Mac systems.  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 283063  
CVE-2024-44308: Clément Lecigne and Benoît Sevens of Google's Threat  
Analysis Group

WebKit  
Available for: macOS Sequoia  
Impact: Processing maliciously crafted web content may lead to a cross  
site scripting attack. Apple is aware of a report that this issue may  
have been actively exploited on Intel-based Mac systems.  
Description: A cookie management issue was addressed with improved state  
management.  
WebKit Bugzilla: 283095  
CVE-2024-44309: Clément Lecigne and Benoît Sevens of Google's Threat  
Analysis Group

macOS Sequoia 15.1.1 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmc9JSQACgkQX+5d1TXa  
Ivo92g/8Dm9sVuOeQTu56JLi2yAlbu9NK8Udb4ByFIsi63HWksJ6rK9LzZfTF8Yd  
Z3SBk7aIHl9tMj2gJ6QJ71SwCdN/fTnAC9na5fZwUjdsjuH1uoPmiMSA48MDwmQC  
vf6grIhskLNi0bQrpcKR1C79fmGlO7Nua3zmbvdvs41/3g3A7udvf2KpZTkkDrP4  
+zwsVCJCu4xHTo5bU0NrM/Cbon+TO01/gyhnngZzl65bIPkhyeEDiVHW3K6aKDA8  
XpClgMGe7ZIRao0hmqqK+YYPso/yDdUDpHlfEFL/YYseVThd+t6EPn4irWFPCPTv  
usiMVUpOpqmMHfPaVO/uzwDR/wgpB8ws4BsBjytQ2q5ZZgyxsIUx6cEJazgbRXtI  
UIJWgodel8AClhWrRo8c14rIuUH1jqMh8EcbimFdC62vSivuNgwNdBd5U2wRnELr  
w1I65s3u7f3Qly8himbl+41ueYcgInsVld7206tk8Ygmm7zA4kupLBEH+EeK43c3  
2P0NF7CMQCnJcwbEqusIUi8AOSN2VgGi9E6BjjJGnLhbbieX/ssKTTbv+mt0ctyq  
5uB3WUZBDbhJKj8p/0+iBAlzZUJDkrudmy8No9Zc2ImTcZ61gP2Zbh/5lcI8hZu+  
SKOrc+1s5nRW1FcGXL2ZzjtnmXnU6DGFfN7stVtTmVAg4dEWzeo=  
=IY5p  
-----END PGP SIGNATURE-----

Apple Security Advisory 11-19-2024-5

Red Hat Security Advisory 2024-9738-03 - An update for squid is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9738.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: squid security updateAdvisory ID:        RHSA-2024:9738-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9738Issue date:         2024-11-21Revision:           03CVE Names:          CVE-2024-45802====================================================================Summary: An update for squid is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.Security Fix(es):* squid: Denial of Service processing ESI response content (CVE-2024-45802)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-45802References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2322154

Red Hat Security Advisory 2024-9738-03

Red Hat Security Advisory 2024-9729-03 - An update for squid is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9729.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: squid security updateAdvisory ID:        RHSA-2024:9729-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9729Issue date:         2024-11-21Revision:           03CVE Names:          CVE-2024-45802====================================================================Summary: An update for squid is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.Security Fix(es):* squid: Denial of Service processing ESI response content (CVE-2024-45802)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-45802References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2322154

Red Hat Security Advisory 2024-9729-03

Red Hat Security Advisory 2024-9690-03 - An update for tigervnc is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include buffer overflow and privilege escalation vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9690.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: tigervnc security updateAdvisory ID:        RHSA-2024:9690-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:9690Issue date:         2024-11-21Revision:           03CVE Names:          CVE-2024-9632====================================================================Summary: An update for tigervnc is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Virtual Network Computing (VNC) is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients.Security Fix(es):* xorg-x11-server: tigervnc: heap-based buffer overflow privilege escalation vulnerability (CVE-2024-9632)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-9632References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2317233

Latest News