Large vendors are commoditizing capabilities that claim to provide absolute security guarantees backed up by formal verification. How significant are these promises?

There is no software without bugs, right? While this is a common sentiment, we make assumptions that rely on the premise that software has no bugs in our day-to-day digital life. We trust identity providers (IDPs) to get authentication right, operating systems to perfectly comply with their specs, and financial transactions to always perform as intended. Even more vividly, we trust software with our physical safety by going on planes, driving a car that actively corrects our adherence to traffic lanes or our distance from the car in front of us, or undergoing certain surgeries. What makes this possible? Or to put it another way, why aren't planes falling out of the sky due to bad software?

Software quality assurance borrows from scientific and engineering tools. One way to ensure and improve software quality is to publicize it and give as many people as possible an incentive to try to break it.

Another is using design patterns or well-architecture frameworks rooted in engineering. For example, while not every software project can be put under the same level of scrutiny as the Linux kernel, which has been under scrutiny for decades, software projects can open source code to invite scrutiny or submit code for audits in hopes to gain some of the security guarantees.

And of course, there's testing. Whether static, dynamic, or real-time, done by the developer or by a dedicated team, testing is a major part of software development. With critical software, testing is usually an entirely separate project handled by a separate team with specific expertise.

Testing is good, but it doesn't claim to be comprehensive. There are no guarantees we found all the bugs because we don't know which bugs we don't know about. Did we already find 99% of Linux kernel bugs out there? 50%? 10%?

**The 'Absolute' Claim**

The research field of formal methods is looking at ways to assure you that there are no bugs in a certain piece of software, such as your stockbroker or certificate authority. The basic idea is to translate software into math, where everything is well-defined, and then create an actual proof that the software works with no bugs. That way, you can be sure that your software is bug-free in the same way you can be sure that every number can be decomposed to a multiplication of prime numbers. (Note that I don't define what a bug is. This will prove to be a problem, as we will later see.)

Formal method techniques have long been used for critical software, but they were extremely compute- and effort-intensive and so applied only to small pieces of software, such as a limited part of chip firmware or an authentication protocol. In recent years, advanced theorem provers like Z3 and Coq have made it possible to apply this technology in a larger context. There are now formally verified programming languages, operating systems, and compilers that are 100% guaranteed to work according to their specifications. Applying these technologies still requires both advanced expertise and a ton of computing power, which make them prohibitively expensive to most organizations.

Major cloud providers are performing formal verification of their fundamental stacks to reach high levels of security assurance. Amazon and Microsoft have dedicated research groups that work with engineering teams to incorporate formal verification methods into critical infrastructure, such as storage or networking. Examples include AWS S3 and EBS and Azure Blockchain. But the really interesting fact is that in the past few years, cloud providers have been trying to commoditize formal verification to sell to their customers.

**Decisively Solving Misconfiguration?**

Last year, AWS released two features that leverage formal verification to address issues that have long plagued their customers, namely network and identity and access management (IAM) misconfigurations. Network access and IAM configurations are complex, even for a single account, and that complexity grows drastically in a large organization with distributed decision-making and governance. AWS addresses it by giving its customers simple controls — such as "S3 buckets should not be exposed to the Internet" or "Internet traffic to EC2 instances must go through a firewall" — and guaranteeing to apply them in every possible configuration scenario.

AWS is not the first to address the misconfiguration problem, even for AWS-specific issues such as open S3 buckets. Cloud security posture management (CSPM) vendors have been addressing this issue for a while now, analyzing virtual port channel (VPC) configuration and IAM roles and identifying cases where privileges are too lax, security features are not properly used, and data can be exposed to the Internet. So what's new?

Well, this is where the absolute guarantee comes in. A CSPM solution works by creating a known-bad or known-good list of misconfigurations, sometimes adding context from your environment, and producing results accordingly. Network and IAM analyzers work by examining every potential IAM or network request and guaranteeing that they will not result in unwanted access according to your specification (such as "no Internet access"). The difference is in the guarantees about false negatives.

While AWS claims that there is no way it has missed anything, CSPM vendors say they are always on the lookout for new misconfigurations to catalog and detect, which is an admission that they did not detect these misconfigurations previously.

**Some Flaws of Formal Verification**

Formal verification is great for finding well-defined issues, such as memory security issues. However, things become difficult when trying to find logical bugs because those require specifying what the code is actually supposed to do, which is exactly what the code itself does.

For one thing, formal verification requires specifying well-defined goals. While some goals, like preventing access to the Internet, seem simple enough, in reality they are not. The AWS IAM analyzer documentation has an entire section defining what "public" means, and it's full of caveats. The guarantees it provides are only as good as the mathematical claims that it has coded.

There's also the question of coverage. AWS analyzers cover only a few major AWS services. If you route traffic into your network through an outbound connection channel, the analyzer wouldn't know. If some service has access to two IAM roles and can combine them to read from a confidential public bucket and write to a public one, the analyzer wouldn't know. Nevertheless, on some well-defined subset of the misconfiguration problem, formal verification provides stronger guarantees than ever before.

Getting back to the relative advantage question posed above, the difference is that the IAM and network analyzer claims that its list of issues detected is comprehensive, while CSPM claims that its list covers every misconfiguration known today. Here's the key question: Should you care?

**Should We Care About Absolute Guarantees?**

Consider the following scenario. You own a CSPM and look at the AWS network and IAM analyzer. Comparing the results of the two, you realize that they've identified the exact same problems. After some effort, you fix every single problem on that list. Relying only on your CSPM, you would feel you are in a good place now and could dedicate security resources elsewhere. By adding AWS analyzers to the mix, you now know — with an AWS guarantee — that you are in a good place. Are these the same results?

Even if we neglect the caveat of formal verification and assume that it catches 100% of issues, measuring the benefits over detection-based services like CSPM would be an exercise for every individual organization with its own security risk appetite. Some would find these absolute guarantees groundbreaking, while others would probably stick to existing controls.

These questions are not unique to CSPM. The same comparisons could be made for SAST/DAST/IAST web application security testing tools and formally verified software, to name one example.

Regardless of individual organization choices, one exciting side effect of this new technology would be an independent way to start measuring security solutions' false negative rates, pushing vendors to be better and providing them with clear evidence where they need to improve. This in and of itself is a tremendous contribution to the cybersecurity industry.

Are 100% Security Guarantees Possible?

Patchelf v0.9 was discovered to contain an out-of-bounds read via the function modifyRPath at src/patchelf.cc.

Hi:  
Out-of-bounds read exists in the function modifyRPath, I fixed this issue in this PR

    root@iZ2vcadn43p7fjzbhl6zqwZ:~/patchelf_0# /usr/local/bin/patchelf --shrink-rpath sample00900 
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==60417==ERROR: AddressSanitizer: SEGV on unknown address 0x626200001e58 (pc 0x557356cd43e7 bp 0x7ffeea76e550 sp 0x7ffeea76dfa0 T0)
    ==60417==The signal is caused by a READ memory access.
        #0 0x557356cd43e6 in ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed, unsigned short>::modifyRPath(ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, unsigned long, unsigned long, Elf64_Dyn, Elf64_Sym, Elf64_Verneed, unsigned short>::RPathOp, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /root/patchelf_0/src/patchelf.cc:1376
        #1 0x557356b6ba6c in patchElf2<ElfFile<Elf64_Ehdr, Elf64_Phdr, Elf64_Shdr, long unsigned int, long unsigned int, Elf64_Dyn, Elf64_Sym, Elf64_Verneed, short unsigned int> > /root/patchelf_0/src/patchelf.cc:1865
        #2 0x557356b6ba6c in patchElf /root/patchelf_0/src/patchelf.cc:1907
        #3 0x557356b6ba6c in mainWrapped(int, char**) /root/patchelf_0/src/patchelf.cc:2089
        #4 0x557356b56ee5 in main /root/patchelf_0/src/patchelf.cc:2097
        #5 0x7ff86c8b6082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #6 0x557356b57bdd in _start (/usr/local/bin/patchelf+0x225bdd)

CVE-2022-44940: Fix Out-of-bounds read in the function modifyRPath by xiaoxiaoafeifei · Pull Request #419 · NixOS/patchelf

Gentoo Linux Security Advisory 202212-3 - Multiple vulnerabilities have been discovered in Oracle Virtualbox, the worst of which could result in privilege escalation from a guest to the host. Versions less than 6.1.40 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Oracle VirtualBox: Multiple Vulnerabilities  
     Date: December 19, 2022  
     Bugs: #877601  
       ID: 202212-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Oracle Virtualbox, the  
worst of which could result in privilege escalation from a guest to the  
host.

Background  
=========  
VirtualBox is a powerful virtualization product from Oracle.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-emulation/virtualbox         < 6.1.40              >= 6.1.40  
  2  app-emulation/virtualbox-modules < 6.1.40              >= 6.1.40

Description  
==========  
Multiple vulnerabilities have been discovered in Oracle VirtualBox.  
Please review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Oracle VirtualBox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-6.1.40"

All Oracle VirtualBox modules users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-modules-6.1.40"

References  
=========  
[ 1 ] CVE-2022-21620  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21620  
[ 2 ] CVE-2022-21621  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21621  
[ 3 ] CVE-2022-21627  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21627  
[ 4 ] CVE-2022-39421  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39421  
[ 5 ] CVE-2022-39422  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39422  
[ 6 ] CVE-2022-39423  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39423  
[ 7 ] CVE-2022-39424  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39424  
[ 8 ] CVE-2022-39425  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39425  
[ 9 ] CVE-2022-39426  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39426

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-03

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-03

Gentoo Linux Security Advisory 202212-5 - Multiple vulnerabilities have been discovered in NSS, the worst of which could result in arbitrary code execution. Versions less than 3.79.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Network Security Service (NSS): Multiple Vulnerabilities  
     Date: December 19, 2022  
     Bugs: #827946, #836386, #848984, #877169  
       ID: 202212-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in NSS, the worst of which  
could result in arbitrary code execution.

Background  
=========  
The Mozilla Network Security Service is a library implementing security  
features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,  
S/MIME and X.509 certificates.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-libs/nss               < 3.79.2                    >= 3.79.2

Description  
==========  
Multiple vulnerabilities have been discovered in Mozilla Network  
Security Service (NSS). Please review the CVE identifiers referenced  
below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Mozilla Network Security Service (NSS) users should upgrade to the  
latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-libs/nss-3.79.2"

References  
=========  
[ 1 ] CVE-2021-43527  
      https://nvd.nist.gov/vuln/detail/CVE-2021-43527  
[ 2 ] CVE-2022-1097  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1097  
[ 3 ] CVE-2022-3479  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3479  
[ 4 ] MFSA-2021-51

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-05

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-05

Gentoo Linux Security Advisory 202212-1 - Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. Versions less than 7.86.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: curl: Multiple Vulnerabilities  
     Date: December 19, 2022  
     Bugs: #803308, #813270, #841302, #843824, #854708, #867679, #878365  
       ID: 202212-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in curl, the worst of which  
could result in arbitrary code execution.

Background  
=========  
A command line tool and library for transferring data with URLs.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-misc/curl              < 7.86.0                    >= 7.86.0

Description  
==========  
Multiple vulnerabilities have been discovered in curl. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All curl users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-misc/curl-7.86.0"

References  
=========  
[ 1 ] CVE-2021-22922  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22922  
[ 2 ] CVE-2021-22923  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22923  
[ 3 ] CVE-2021-22925  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22925  
[ 4 ] CVE-2021-22926  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22926  
[ 5 ] CVE-2021-22945  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22945  
[ 6 ] CVE-2021-22946  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22946  
[ 7 ] CVE-2021-22947  
      https://nvd.nist.gov/vuln/detail/CVE-2021-22947  
[ 8 ] CVE-2022-22576  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22576  
[ 9 ] CVE-2022-27774  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27774  
[ 10 ] CVE-2022-27775  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27775  
[ 11 ] CVE-2022-27776  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27776  
[ 12 ] CVE-2022-27779  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27779  
[ 13 ] CVE-2022-27780  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27780  
[ 14 ] CVE-2022-27781  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27781  
[ 15 ] CVE-2022-27782  
      https://nvd.nist.gov/vuln/detail/CVE-2022-27782  
[ 16 ] CVE-2022-30115  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30115  
[ 17 ] CVE-2022-32205  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32205  
[ 18 ] CVE-2022-32206  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32206  
[ 19 ] CVE-2022-32207  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32207  
[ 20 ] CVE-2022-32208  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32208  
[ 21 ] CVE-2022-32221  
      https://nvd.nist.gov/vuln/detail/CVE-2022-32221  
[ 22 ] CVE-2022-35252  
      https://nvd.nist.gov/vuln/detail/CVE-2022-35252  
[ 23 ] CVE-2022-35260  
      https://nvd.nist.gov/vuln/detail/CVE-2022-35260  
[ 24 ] CVE-2022-42915  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42915  
[ 25 ] CVE-2022-42916  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42916

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-01

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-01

Gentoo Linux Security Advisory 202212-4 - A vulnerability has been discovered in LibreOffice which could result in arbitrary script execution via crafted links. Versions less than 7.3.6.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: LibreOffice: Arbitrary Code Execution  
     Date: December 19, 2022  
     Bugs: #876869  
       ID: 202212-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been discovered in LibreOffice which could result in  
arbitrary script execution via crafted links.

Background  
=========  
LibreOffice is a powerful office suite; its clean interface and powerful  
tools let you unleash your creativity and grow your productivity.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-office/libreoffice     < 7.3.6.2                  >= 7.3.6.2  
  2  app-office/libreoffice-bin < 7.3.6.2                  >= 7.3.6.2

Description  
==========  
LibreOffice links using the vnd.libreoffice.command scheme could be  
constructed to call internal macros with arbitrary arguments. Which when  
clicked on, or activated by document events, could result in arbitrary  
script execution without warning.

Impact  
=====  
An attacker able to coerce a victim into opening a crafted LibreOffice  
document and execute certain actions with it could achieve remote code  
execution.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All LibreOffice users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-office/libreoffice-7.3.6.2"

All LibreOffice binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-office/libreoffice-bin-7.3.6.2"

References  
=========  
[ 1 ] CVE-2022-3140  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3140

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-04

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-04

Gentoo Linux Security Advisory 202212-2 - Multiple vulnerabilities have been discovered in Unbound, the worst of which could result in denial of service. Versions less than 1.16.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Unbound: Multiple Vulnerabilities  
     Date: December 19, 2022  
     Bugs: #872209, #866881  
       ID: 202212-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Unbound, the worst of  
which could result in denial of service.

Background  
=========  
Unbound is a validating, recursive, and caching DNS resolver.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-dns/unbound            < 1.16.3                    >= 1.16.3

Description  
==========  
Multiple vulnerabilities have been discovered in Unbound. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Unbound users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-dns/unbound-1.16.3"

References  
=========  
[ 1 ] CVE-2022-3204  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3204  
[ 2 ] CVE-2022-30698  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30698  
[ 3 ] CVE-2022-30699  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30699

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-02

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-02

Debian Linux Security Advisory 5303-1 - Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5303-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 16, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : thunderbirdCVE ID         : CVE-2022-46882 CVE-2022-46881 CVE-2022-46880 CVE-2022-46878                 CVE-2022-46874 CVE-2022-46872 CVE-2022-45414Multiple security issues were discovered in Thunderbird, which couldresult in the execution of arbitrary code or information disclosure.For the stable distribution (bullseye), this problem has been fixed inversion 1:102.6.0-1~deb11u1.We recommend that you upgrade your thunderbird packages.For the detailed security status of thunderbird please refer toits security tracker page at:https://security-tracker.debian.org/tracker/thunderbirdFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmOcwVkACgkQEMKTtsN8TjYhNA//e9mQQto3dcqum+DpkqlxnQ0oJZW90A4qnpdorbSH6AuQodiaMXYrhZ1y7LaCCZd2LgxwIOoW5ukYto7TGGWA+bU8VtdivVKEVJ52dwyzFhp1PMhn81Lr+DRgNf9vYTGO3MYnThKckNhkGPN2qQtxABoBA+opJJIFq7yJW34NEhhWNoH0ubGmCie/13l5msZmN1pYALhsDs1Li7yotVtIRU6r5/t4BUwI0hyfLaR0HDcpeT8iAnyuedMcXF+jFF0B8HQfkakNOc4fODcpiNVW6FAezRPprCTCqpuIr8Ic7yrYWYlAjayLRBbp277JXESFk16Oao/OR0Qf4SpfhDCw3IZwG6A0De4e7nVxunIkjShU9tfzjx5LPeiGqQkXiS2abklARfRUqFeqPFQJbF+CA7lHZiCWm/LXtOjArkIvZ7j1BNcdPmhe/OAJ04zi1j2aKxNxvKAwBK065N1pSn9iS9zvGva7rcenKYnd8kkdExHSnWCCuo79otgKWQ6az/zIdfwY8MU7xxCo04pNnBH+fUAk4sDZGzjfebuqWuUZQ6KK1uo0w6Ji10zriQ2bJ94eYuptBEZttovyjj7SbOAuAB2zpchHT2TlifpgoTmywRNsMceqDNvzbgTCwMEP30TYXOyiunxOs2AgL/6hFAfZ3oTfpxqjuscKCkfi1pwaYjM=YY+h-----END PGP SIGNATURE-----

Debian Security Advisory 5303-1

Debian Linux Security Advisory 5302-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5302-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 16, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2022-4436 CVE-2022-4437 CVE-2022-4438 CVE-2022-4439                 CVE-2022-4440Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 108.0.5359.124-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmOcwUwACgkQEMKTtsN8TjaEDhAAuNgbC9i9I5soJN7677urAmv/mzR20/hpcEx4WlrS5YlCMBISsolvytNClMnzfVIe8e0akdshGTtGmehUco7gxXRq7Ab+kCDMFgXrPCf+SDXFbECLR/xtrTGuahzPmrDBwz/5O3gOFcJaEhXoLUER1Xm2UX8MgMlV/pfv8UN0keXriJSS/nWVU5sp8UCfafYxa/cNB51k7VmQTEDL56zcE64zZxXmmfNDvNv9/FHiMHZyATZv499nfEVaI0qvLot/trilA2X6/Wn5aFJD7cRk7PWJR6fzMs36Ad4E9Ww5/mDy6ADKORyRhiHbpw+wRCgs253pkDvwExVTwu2BGsXp9ThnVIHRXflN0GaixsDUryA3x0IRCTiWpNU+armowtAS7I31kht91uPhJaaK3DoB/xgqRbNBHeZnl8NqAaf76ODSGAbjcoUxLXrEb+zD9dLbFuDnfapfeqKCDuZAkeBv9k9etvMTuBTb4KjvA/OfhFTYpF8EJ2+o4RTBqf2vNlEWhSLqXY/ehr6LygFnHlBnrR+SQPUfEQywHEMRa+4DqyWtf25mZKkVl1AdhMqXBF6Rsht0UBOUu2M2g4NOtk/1S34EhPeEhZLSh+Z3XhoIj/UfQLcOgMEQCBHuz1S5tXyLqQCwbpi/Pm+lSI99fPooTH5UoJpDj2cGygXfNysjKq0=kfqY-----END PGP SIGNATURE-----

Debian Security Advisory 5302-1

Ubuntu Security Notice 5783-1 - Tamás Koczka discovered that the Bluetooth L2CAP handshake implementation in the Linux kernel contained multiple use-after-free vulnerabilities. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5783-1December 16, 2022linux-oem-5.17 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:The system could be made to crash or run programs as an administrator.Software Description:- linux-oem-5.17: Linux kernel for OEM systemsDetails:Tamás Koczka discovered that the Bluetooth L2CAP handshake implementationin the Linux kernel contained multiple use-after-free vulnerabilities. Aphysically proximate attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.17.0-1025-oem     5.17.0-1025.26   linux-image-oem-22.04           5.17.0.1025.23   linux-image-oem-22.04a          5.17.0.1025.23After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5783-1   CVE-2022-42896Package Information:   https://launchpad.net/ubuntu/+source/linux-oem-5.17/5.17.0-1025.26

Tag

#linux