#java

Red Hat Security Advisory 2024-3955-03 - An update for firefox is now available for Red Hat Enterprise Linux 9. Issues addressed include bypass and use-after-free vulnerabilities.

Red Hat Security Advisory 2024-3954-03 - An update for firefox is now available for Red Hat Enterprise Linux 8. Issues addressed include bypass and use-after-free vulnerabilities.

Red Hat Security Advisory 2024-3953-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include bypass and use-after-free vulnerabilities.

Red Hat Security Advisory 2024-3952-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include bypass and use-after-free vulnerabilities.

Red Hat Security Advisory 2024-3951-03 - An update for firefox is now available for Red Hat Enterprise Linux 7. Issues addressed include bypass and use-after-free vulnerabilities.

Red Hat Security Advisory 2024-3950-03 - An update for firefox is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include bypass and use-after-free vulnerabilities.

Red Hat Security Advisory 2024-3949-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include bypass and use-after-free vulnerabilities.

A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL  independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host URL ("Connection URL") to a machine they control. The Keycloak server will connect to the attacker's host and try to authenticate with the configured credentials, thus leaking them to the attacker. As a consequence, an attacker who has compromised the admin console or compromised a user with sufficient privileges can leak domain credentials and attack the domain.

## Summary DeepJavaLibrary(DJL) versions 0.1.0 through 0.27.0 do not prevent absolute path archived artifacts from inserting archived files directly into the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers 0.27.0. **Impacted versions: 0.1.0 through 0.27.0** ## Patches Patched Deep Learning Containers: [v1.1-djl-0.27.0-inf-cpu-full](https://github.com/aws/deep-learning-containers/releases/tag/v1.1-djl-0.27.0-inf-cpu-full) [v1.4-djl-0.27.0-inf-ds-0.12.6](https://github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-ds-0.12.6) [v1.4-djl-0.27.0-inf-trt-0.8.0](https://github.com/aws/deep-learning-containers/releases/tag/v1.4-djl-0.27.0-inf-trt-0.8.0) [v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1](https://github.com/aws/deep-learning-containers/releases/tag/v1.3-djl-0.27.0-inf-neuronx-sdk2.18.1) Patched Library: [v0.28.0](https://github.com/deepjavalibrary/djl/releases/tag/v0.28.0)

Legitimate-but-compromised websites are being used as a conduit to deliver a Windows backdoor dubbed BadSpace under the guise of fake browser updates. "The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor into the victim's system," German