Ubuntu Security Notice 6416-3 - It was discovered that the IPv6 implementation in the Linux kernel contained a high rate of hash collisions in connection lookup table. A remote attacker could use this to cause a denial of service. Daniel Trujillo, Johannes Wikner, and Kaveh Razavi discovered that some AMD processors utilising speculative execution and branch prediction may allow unauthorised memory reads via a speculative side-channel attack. A local attacker could use this to expose sensitive information, including kernel memory.

==========================================================================  
Ubuntu Security Notice USN-6416-3  
October 19, 2023

linux-raspi vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-raspi: Linux kernel for Raspberry Pi systems

Details:

It was discovered that the IPv6 implementation in the Linux kernel  
contained a high rate of hash collisions in connection lookup table. A  
remote attacker could use this to cause a denial of service (excessive CPU  
consumption). (CVE-2023-1206)

Daniel Trujillo, Johannes Wikner, and Kaveh Razavi discovered that some AMD  
processors utilising speculative execution and branch prediction may allow  
unauthorised memory reads via a speculative side-channel attack. A local  
attacker could use this to expose sensitive information, including kernel  
memory. (CVE-2023-20569)

It was discovered that the IPv6 RPL protocol implementation in the Linux  
kernel did not properly handle user-supplied data. A remote attacker could  
use this to cause a denial of service (system crash). (CVE-2023-2156)

Davide Ornaghi discovered that the DECnet network protocol implementation  
in the Linux kernel contained a null pointer dereference vulnerability. A  
remote attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. Please note that kernel support for the  
DECnet has been removed to resolve this CVE. (CVE-2023-3338)

Chih-Yen Chang discovered that the KSMBD implementation in the Linux kernel  
did not properly validate command payload size, leading to a out-of-bounds  
read vulnerability. A remote attacker could possibly use this to cause a  
denial of service (system crash). (CVE-2023-38432)

It was discovered that the NFC implementation in the Linux kernel contained  
a use-after-free vulnerability when performing peer-to-peer communication  
in certain conditions. A privileged attacker could use this to cause a  
denial of service (system crash) or possibly expose sensitive information  
(kernel memory). (CVE-2023-3863)

Laurence Wit discovered that the KSMBD implementation in the Linux kernel  
did not properly validate a buffer size in certain situations, leading to  
an out-of-bounds read vulnerability. A remote attacker could use this to  
cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2023-3865)

Laurence Wit discovered that the KSMBD implementation in the Linux kernel  
contained a null pointer dereference vulnerability when handling handling  
chained requests. A remote attacker could use this to cause a denial of  
service (system crash). (CVE-2023-3866)

It was discovered that the Siano USB MDTV receiver device driver in the  
Linux kernel did not properly handle device initialization failures in  
certain situations, leading to a use-after-free vulnerability. A physically  
proximate attacker could use this cause a denial of service (system crash).  
(CVE-2023-4132)

Andy Nguyen discovered that the KVM implementation for AMD processors in  
the Linux kernel with Secure Encrypted Virtualization (SEV) contained a  
race condition when accessing the GHCB page. A local attacker in a SEV  
guest VM could possibly use this to cause a denial of service (host system  
crash). (CVE-2023-4155)

It was discovered that the TUN/TAP driver in the Linux kernel did not  
properly initialize socket data. A local attacker could use this to cause a  
denial of service (system crash). (CVE-2023-4194)

Maxim Suhanov discovered that the exFAT file system implementation in the  
Linux kernel did not properly check a file name length, leading to an out-  
of-bounds write vulnerability. An attacker could use this to construct a  
malicious exFAT image that, when mounted and operated on, could cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-4273)

Thelford Williams discovered that the Ceph file system messenger protocol  
implementation in the Linux kernel did not properly validate frame segment  
length in certain situation, leading to a buffer overflow vulnerability. A  
remote attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2023-44466)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1040-raspi   5.15.0-1040.43  
   linux-image-raspi               5.15.0.1040.38  
   linux-image-raspi-nolpae        5.15.0.1040.38

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6416-3  
   https://ubuntu.com/security/notices/USN-6416-1  
   CVE-2023-1206, CVE-2023-20569, CVE-2023-2156, CVE-2023-3338,  
   CVE-2023-38432, CVE-2023-3863, CVE-2023-3865, CVE-2023-3866,  
   CVE-2023-4132, CVE-2023-4155, CVE-2023-4194, CVE-2023-4273,  
   CVE-2023-44466

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1040.43

Ubuntu Security Notice USN-6416-3

Red Hat Security Advisory 2023-5931-01 - Updated Satellite 6.13 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include code execution and denial of service vulnerabilities.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5931.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Satellite 6.13.5 Async Security Update  
Advisory ID:        RHSA-2023:5931-01  
Product:            Red Hat Satellite 6  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5931  
Issue date:         2023-10-19  
Revision:           01  
CVE Names:          CVE-2022-1292  
====================================================================

Summary: 

Updated Satellite 6.13 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.

Security fix(es):

* Yggdrasil-worker-forwarder (gRPC): Rapid Reset Attack through HTTP/2 enabled web service which leads to DDoS attack (CVE-2023-44487 & CVE-2023-39325)

A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.

* Foreman: OS command injection via ct_command and fcct_command (CVE-2022-3874)

* Foreman: Arbitrary code execution through yaml global parameters (CVE-2023-0462)

* GitPython: Remote code execution and improper input validation vulnerability (CVE-2022-24439 & CVE-2023-40267)

* Ruby-git & tfm-rubygem-git: Code injection vulnerability (CVE-2022-47318 & CVE-2022-46648)

* Python-django: Multiple flaws (CVE-2023-31047 & CVE-2023-36053)

* Puppet-agent (openssl): Multiple flaws (CVE-2022-1292 CVE-2022-2068)

This update fixes the following bugs:

2238346 - Red Hat supported provisioning templates are not recognized by RH icon on the row for a given template  
2238348 - when creating a backup on rhel7 and restoring on rhel8, the restore process will fail with permission issues  
2238350 - Virtual machine goes in re-provisioning mode while registration host using Global registration template.  
2238359 - Capsule redundantly synces *-Export-Library repos  
2238361 - Can't update the redhat_repository_url without changing the cdn_configuration to custom_cdn  
2238363 - katello-certs-check does not cause the installer to halt execution on failure  
2238367 - Satellite Web UI >> Hosts >> All Hosts page loading slow even after power isn't selected from the new option \"Manage columns\".  
2238369 - Content-export incremental with syncable format based does not include productid file into repodata directory  
2238371 - SELinux is preventing pulpcore-worker from read access on the key labeled pulpcore_server_t  
2239041 - Reclaim space for repository fails with Cannot delete some instances of model 'Artifact' because they are referenced through protected foreign keys: 'ContentArtifact.artifact'.\"  
2238353 - The \"hammer export\" command using single thread encryption causes a performance bottleneck.  
2240781 - Remediation from CRC via Satellite shows \"Failed\" status even after successful remediation of Insights recommendations.   
2241914 - \"NoMethodError: undefined method `fact_values'\" while trying to perform inventory upload

Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-1292

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.13/html/upgrading_and_updating_red_hat_satellite/index  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5931-01

Red Hat Security Advisory 2023-5930-01 - An update for varnish is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5930.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: varnish security updateAdvisory ID:        RHSA-2023:5930-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5930Issue date:         2023-10-19Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for varnish is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5930-01

Red Hat Security Advisory 2023-5929-01 - An update for tomcat is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5929.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: tomcat security updateAdvisory ID:        RHSA-2023:5929-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5929Issue date:         2023-10-19Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for tomcat is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-5929-01

please (aka pleaser) through 0.5.4 allows privilege escalation through the TIOCSTI and/or TIOCLINUX ioctl. (If both TIOCSTI and TIOCLINUX are disabled, this cannot be exploited.)

**Pleaser privilege escalation vulnerability**

Moderate severity GitHub Reviewed Published Oct 20, 2023 to the GitHub Advisory Database • Updated Oct 20, 2023

GHSA-cgf8-h3fp-h956: Pleaser privilege escalation vulnerability

Skip to content

GitLab

*   *   Why GitLab
    *   Pricing
    *   Contact Sales
    *   Explore
    
*   Why GitLab
*   Pricing
*   Contact Sales
*   Explore

*   Sign in
*   Get free trial

*   ed neville
*   please
*   Merge requests
*   !69

**start new process in a new PTY**

*   Review changes
    

*   
*   Download
    
*   Patches
    
*   Plain diff
    

Alexander Kjäll requested to merge alexanderkjall/please:fix-issue-13 into master Oct 07, 2023

*   Overview 18
*   Commits 2
*   Pipelines 2
*   Changes 3

in order to fix the security problem described in #13 start the new command in a new PTY and inherit STDIN/STDOUT/STDERR from the original one

**Merge request reports**

CVE-2023-46277: start new process in a new PTY (!69) · Merge requests · ed neville / please · GitLab

TinyLab linux-lab v1.1-rc1 and cloud-labv0.8-rc2, v1.1-rc1 are vulnerable to insecure permissions. The default configuration could cause Container Escape.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2022-42150: cloud-lab/configs/common/seccomp-profiles-default.json at d19ff92713685a7fb84b423dea6a184b25c378c9 · tinyclub/cloud-lab

Without the proper context, organizations waste time mitigating software flaws that won't likely affect their systems.

**Question: The CVSS severity rating seems to lack real-world context. How can a company prioritize fixes in such a situation?**

**Shachar Menashe, Senior Director, JFrog Security Research:** Security teams and developers are wasting their precious remediation resources by relying on an incomplete method to determine whether a vulnerability is exploitable.

One of the most popular resources organizations use today is the Common Vulnerability Scoring System (CVSS), a standard framework for assessing the severity of vulnerabilities. It assigns each CVE a vulnerability severity score, ranging from 0 (no severity) to 10 (most critical), which reflects how hard the vulnerability is to exploit and how much damage it can cause if exploited. Most developers and security teams use the CVSS score as a guide for their vulnerability remediation programs.

The problem is that the CVSS severity ratings of most CVEs today are overinflated, so continuing to rely solely on this rating scale is misguided.

That's because the current CVSS scoring system is based on a complex set of factors that don't adequately incorporate the real-world impact of each vulnerability. Earlier this year, JFrog undertook an analysis of the 10 most prevalent open source software vulnerabilities from 2022 and found that, when looking at real-world impact, most flaws were harder to exploit than reported, and their high severity rating was deceiving. Specifically, 64% of the top 50 CVEs received a lower JFrog Security Research severity rating compared with the CVSS.

In that study, many of the more critical CVEs required complex configuration scenarios or very specific conditions for an attack to be successful, which was not reflected in the CVSS score. Without the proper context, organizations waste valuable resources mitigating software flaws that are unlikely to have any impact on their systems.

**The Real Metric: Exploitability**

Analyzing the context of a CVE requires considering real-world factors, such as:

*   Whether the vulnerability is exploitable in a service's default configuration or only under very contrived configurations.
*   Whether a reachable path to the vulnerable code exists.
*   Whether the software library vulnerability has a code precondition (meaning someone must use the library in a vulnerable manner).
*   The likelihood that a vulnerable API will parse untrusted data.
*   How potentially vulnerable software is deployed.
*   The network environment and overall security mechanisms applied to the vulnerable software.

While CVSS scoring provides some context through its impact metrics (confidentiality, integrity and availability), these metrics are rated according to a theoretical "face value" without considering the actual impact the attack has on real-world systems. For example:

*   A denial-of-service (DoS) attack that crashes a forked client process is much less severe than a DoS that crashes an important daemon, but they will both receive a high availability impact CVSS rating.
*   A buffer overflow that doesn't overwrite any meaningful variable has no security impact, but it will still receive a high integrity impact CVSS rating.

A good example of the latter is the OpenSSL CVE-2022-3602, identified in November 2022. The vulnerability was widely feared at first, but technical details revealed the vulnerability had no real-world impact. Nevertheless, CVE-2022-3602 is still rated with a high impact rating.

**CVSS 4.0 Doesn't Solve This**

While CVSS 4.0 will include an "attack requirement" metric to reflect the conditions needed for an attack to succeed, it is still not detailed enough. (It can only be set to "none" or "present," which does not account for the rarity of the attack requirements.) For example, a remote code execution (RCE) vulnerability that is exploitable only under extremely rare configurations or conditions and might not even be fully exploitable in any real-world scenario would have "attack requirements" marked as "present" — which would change the score slightly from 9.3 to 9.2. Organizations will still continue to receive 9.2 (critical) scores for theoretical RCE remote vulnerabilities that are exceedingly unlikely to happen. This needs to change.

**Advice: Add Context**

While the CVSS system is improving, using other resources in tandem can help provide a more accurate assessment of CVE criticality. When looking at nvd.nist.gov, pay special attention to the CVSS rating of the CNA, not just NVD's CVSS rating. Distro-specific severity scores, such as the Ubuntu and Red Hat Linux distributions, and project-specific severity scores, such as Apache Web Server, Curl, and OpenSSL, will usually have a more accurate severity rating.

Also consider ways to integrate context into your remediation process. Research indicates few vulnerabilities are exploitable without highly specific preconditions. Combine real-world exploitability, CVE applicability, and contextual analysis to guide your prioritization and remediation efforts. Instead of asking developers to "fix everything," arm them with the information they need to address the vulnerabilities that matter most.

Why Do We Need Real-World Context to Prioritize CVEs?

Terminal character injection in Mintty before 3.6.3 allows code execution via unescaped output to the terminal.

CVE-2022-47583: "[31m"?! ANSI Terminal security in 2023 and finding 10 CVEs

Gentoo Linux Security Advisory 202310-13 - A vulnerability has been discovered in Mailutils where escape sequences are processed in a context where this may lead to RCE. Versions greater than or equal to 3.12-r3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GNU Mailutils: unexpected processsing of escape sequences  
     Date: October 19, 2023  
     Bugs: #802867  
       ID: 202310-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in Mailutils where escape sequences  
are processed in a context where this may lead to RCE.

Background  
=========  
GNU Mailutils is a collection of mail-related utilities, including an  
IMAP4 server (imap4d) and a Mail User Agent (mail).

Affected packages  
================  
Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
net-mail/mailutils  < 3.12-r3     >= 3.12-r3

Description  
==========  
A vulnerability has been discovered in GNU Mailutils. Please review the  
CVE identifier referenced below for details.

Impact  
=====  
mail(1) from mailutils would process escape sequences (like ~!  
shellcommand) in message bodies piped/redirected in. This creates an RCE  
if some part of the message body is under an attacker's control.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Mailutils users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-mail/mailutils-3.12-r3"

References  
=========  
[ 1 ] CVE-2021-32749  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32749

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-13

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#linux