#dos

Red Hat Security Advisory 2024-3553-03 - An update for the nodejs:16 package is now available for Red Hat Enterprise Linux 8.6.0 Advanced Update Support. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-3552-03 - An update for python-idna is now available for Red Hat Enterprise Linux 8.6. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-3550-03 - HawtIO 4.0.0 for Red Hat build of Apache Camel 4 GA Release is now available. Issues addressed include code execution, denial of service, and password leak vulnerabilities.

Red Hat Security Advisory 2024-3545-03 - An update for nodejs is now available for Red Hat Enterprise Linux 9. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

Red Hat Security Advisory 2024-3544-03 - An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-3543-03 - An update for python-idna is now available for Red Hat Enterprise Linux 8.8. Issues addressed include a denial of service vulnerability.

Debian Linux Security Advisory 5703-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

Debian Linux Security Advisory 5702-1 - An integer overflow in the EXIF metadata parsing was discovered in the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed file is processed.

Debian Linux Security Advisory 5701-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

### Summary All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memory of the Java process (which could contain sensitive information). ### Details When decompressing certain data, the decompressors try to access memory outside the bounds of the given byte arrays or byte buffers. Because Aircompressor uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. Users should update to Aircompressor 0.27 or newer where these issues have been fixed. ### Impact When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process.