Gentoo Linux Security Advisory 202411-5 - Multiple vulnerabilities have been discovered in libgit2, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.7.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202411-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libgit2: Multiple Vulnerabilities  
     Date: November 06, 2024  
     Bugs: #891525, #923971  
       ID: 202411-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in libgit2, the worst of  
which could lead to arbitrary code execution.

Background  
==========

libgit2 is a portable, pure C implementation of the Git core methods  
provided as a re-entrant linkable library with a solid API, allowing you  
to write native speed custom Git applications in any language that  
supports C bindings.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
dev-libs/libgit2  < 1.7.2       >= 1.7.2

Description  
===========

Multiple vulnerabilities have been discovered in libgit2. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All libgit2 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/libgit2-1.7.2"

References  
==========

[ 1 ] CVE-2023-22742  
      https://nvd.nist.gov/vuln/detail/CVE-2023-22742

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202411-05

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202411-05

Gentoo Linux Security Advisory 202411-4 - A vulnerability has been discovered in EditorConfig Core C library, which may lead to arbitrary code execution. Versions greater than or equal to 0.12.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202411-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: EditorConfig core C library: arbitrary stack write  
     Date: November 06, 2024  
     Bugs: #905308  
       ID: 202411-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in EditorConfig Core C library,  
which may lead to arbitrary code execution.

Background  
==========

EditorConfig core library written in C (for use by plugins supporting  
EditorConfig parsing)

Affected packages  
=================

Package                       Vulnerable    Unaffected  
----------------------------  ------------  ------------  
app-text/editorconfig-core-c  < 0.12.6      >= 0.12.6

Description  
===========

A vulnerability has been discovered in EditorConfig Core C library.  
Please review the CVE identifier referenced below for details.

Impact  
======

Please review the referenced CVE identifier for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All EditorConfig core C library users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-text/editorconfig-core-c-0.12.6"

References  
==========

[ 1 ] CVE-2023-0341  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0341

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202411-04

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202411-04

Gentoo Linux Security Advisory 202411-3 - A vulnerability has been discovered in Ubiquiti UniFi, which can lead to local privilege escalation. Versions greater than or equal to 8.5.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202411-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Ubiquiti UniFi: Privilege Escalation  
     Date: November 06, 2024  
     Bugs: #941922  
       ID: 202411-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Ubiquiti UniFi, which can lead to  
local privilege escalation.

Background  
==========

Ubiquiti UniFi is a Management Controller for Ubiquiti Networks UniFi  
APs.

Affected packages  
=================

Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
net-wireless/unifi  < 8.5.6       >= 8.5.6

Description  
===========

A vulnerability has been discovered in Ubiquiti UniFi. Please review the  
CVE identifier referenced below for details.

Impact  
======

The vulnerability allows a malicious actor with a local operational  
system user to execute high privilege actions on UniFi Network Server.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Ubiquiti UniFi users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-wireless/unifi-8.5.6"

References  
==========

[ 1 ] CVE-2024-42028  
      https://nvd.nist.gov/vuln/detail/CVE-2024-42028

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202411-03

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202411-03

Gentoo Linux Security Advisory 202411-2 - A vulnerability has been discovered in Flatpak, which can lead to a sandbox escape. Versions greater than or equal to 1.4.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202411-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Flatpak: Sandbox Escape  
     Date: November 06, 2024  
     Bugs: #937936  
       ID: 202411-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Flatpak, which can lead to a  
sandbox escape.

Background  
==========

Flatpak is a Linux application sandboxing and distribution framework.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
sys-apps/flatpak  < 1.4.10      >= 1.4.10

Description  
===========

A vulnerability has been discovered in Flatpak. Please review the CVE  
identifier referenced below for details.

Impact  
======

A malicious or compromised Flatpak app using persistent directories  
could  
read and write files in locations it would not normally have access to.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Flatpak users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.4.10"

References  
==========

[ 1 ] CVE-2024-42472  
      https://nvd.nist.gov/vuln/detail/CVE-2024-42472

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202411-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202411-02

Ubuntu Security Notice 7088-3 - Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7088-3November 06, 2024linux-aws-5.4, linux-oracle-5.4 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-oracle-5.4: Linux kernel for Oracle Cloud systemsDetails:Ziming Zhang discovered that the VMware Virtual GPU DRM driver in theLinux kernel contained an integer overflow vulnerability. A localattacker could use this to cause a denial of service (system crash).(CVE-2022-36402)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - PowerPC architecture;  - User-Mode Linux (UML);  - x86 architecture;  - Block layer subsystem;  - Cryptographic API;  - Android drivers;  - Serial ATA and Parallel ATA drivers;  - ATM drivers;  - Drivers core;  - CPU frequency scaling framework;  - Device frequency scaling framework;  - GPU drivers;  - HID subsystem;  - Hardware monitoring drivers;  - InfiniBand drivers;  - Input Device core drivers;  - Input Device (Miscellaneous) drivers;  - IOMMU subsystem;  - IRQ chip drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - EEPROM drivers;  - VMware VMCI Driver;  - MMC subsystem;  - Network drivers;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - Device tree and open firmware driver;  - Parport drivers;  - PCI subsystem;  - Pin controllers subsystem;  - Remote Processor subsystem;  - S/390 drivers;  - SCSI drivers;  - QCOM SoC drivers;  - Direct Digital Synthesis drivers;  - TTY drivers;  - Userspace I/O drivers;  - DesignWare USB3 driver;  - USB Gadget drivers;  - USB Serial drivers;  - BTRFS file system;  - File systems infrastructure;  - Ext4 file system;  - F2FS file system;  - JFS file system;  - NILFS2 file system;  - BPF subsystem;  - Core kernel;  - DMA mapping infrastructure;  - Tracing infrastructure;  - Radix Tree data structure library;  - Kernel userspace event delivery library;  - Objagg library;  - Memory management;  - Amateur Radio drivers;  - Bluetooth subsystem;  - CAN network layer;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - KCM (Kernel Connection Multiplexor) sockets driver;  - MAC80211 subsystem;  - Netfilter;  - Network traffic control;  - SCTP protocol;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Wireless networking;  - AppArmor security module;  - Simplified Mandatory Access Control Kernel framework;  - SoC audio core drivers;  - USB sound devices;(CVE-2021-47212, CVE-2024-44965, CVE-2024-46676, CVE-2024-41091,CVE-2024-44946, CVE-2024-43894, CVE-2024-26668, CVE-2024-42259,CVE-2024-42295, CVE-2024-46685, CVE-2024-46722, CVE-2024-45028,CVE-2024-46815, CVE-2024-41081, CVE-2024-41022, CVE-2024-44948,CVE-2024-42301, CVE-2024-43914, CVE-2024-46771, CVE-2024-42289,CVE-2024-43841, CVE-2024-41042, CVE-2024-44999, CVE-2024-43893,CVE-2024-46758, CVE-2024-46828, CVE-2024-36484, CVE-2024-26669,CVE-2024-44952, CVE-2024-42265, CVE-2024-42311, CVE-2024-43880,CVE-2024-41070, CVE-2024-46829, CVE-2024-42292, CVE-2024-46719,CVE-2024-41020, CVE-2024-41015, CVE-2024-42283, CVE-2024-46744,CVE-2024-46679, CVE-2024-46800, CVE-2024-46777, CVE-2024-43835,CVE-2024-42271, CVE-2024-43882, CVE-2024-41072, CVE-2024-35848,CVE-2024-43860, CVE-2024-38611, CVE-2024-26607, CVE-2024-47663,CVE-2024-46780, CVE-2024-46675, CVE-2024-45003, CVE-2024-44969,CVE-2024-42244, CVE-2024-43856, CVE-2024-46755, CVE-2024-42286,CVE-2024-41063, CVE-2024-41068, CVE-2024-46743, CVE-2024-43839,CVE-2024-41065, CVE-2023-52531, CVE-2024-41090, CVE-2024-46747,CVE-2023-52614, CVE-2024-43853, CVE-2024-46737, CVE-2024-45021,CVE-2024-41012, CVE-2024-41064, CVE-2024-26800, CVE-2024-42246,CVE-2024-43908, CVE-2024-46723, CVE-2024-42310, CVE-2024-46781,CVE-2023-52918, CVE-2024-42313, CVE-2024-45006, CVE-2024-43890,CVE-2024-44954, CVE-2024-43858, CVE-2024-41098, CVE-2024-41071,CVE-2024-26641, CVE-2024-42280, CVE-2024-46673, CVE-2024-43846,CVE-2024-46721, CVE-2024-47667, CVE-2024-26885, CVE-2024-42304,CVE-2024-46745, CVE-2024-26640, CVE-2024-43861, CVE-2024-42287,CVE-2024-44998, CVE-2024-40929, CVE-2024-41073, CVE-2024-46689,CVE-2024-44944, CVE-2024-46756, CVE-2024-42305, CVE-2024-42284,CVE-2024-42281, CVE-2024-42288, CVE-2024-41011, CVE-2024-47668,CVE-2024-43830, CVE-2024-46740, CVE-2024-46677, CVE-2024-43867,CVE-2024-46783, CVE-2024-46844, CVE-2024-43854, CVE-2024-42297,CVE-2024-46738, CVE-2024-46739, CVE-2024-44947, CVE-2024-43883,CVE-2024-43884, CVE-2024-46798, CVE-2024-46757, CVE-2024-43879,CVE-2024-47659, CVE-2024-46817, CVE-2024-45008, CVE-2024-47669,CVE-2024-43871, CVE-2024-44960, CVE-2024-27051, CVE-2024-44988,CVE-2024-46840, CVE-2024-41059, CVE-2024-46822, CVE-2024-42276,CVE-2024-45026, CVE-2024-46761, CVE-2024-44995, CVE-2024-44987,CVE-2024-26891, CVE-2024-46782, CVE-2024-42309, CVE-2024-42131,CVE-2024-46759, CVE-2024-42229, CVE-2024-46714, CVE-2024-42290,CVE-2024-44935, CVE-2024-42285, CVE-2024-38602, CVE-2024-43829,CVE-2024-42306, CVE-2024-41017, CVE-2024-45025, CVE-2024-46818,CVE-2024-46750)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS  linux-image-5.4.0-1134-oracle   5.4.0-1134.143~18.04.1          Available with Ubuntu Pro  linux-image-5.4.0-1135-aws      5.4.0-1135.145~18.04.1          Available with Ubuntu Pro  linux-image-aws                 5.4.0.1135.145~18.04.1          Available with Ubuntu Pro  linux-image-oracle              5.4.0.1134.143~18.04.1          Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7088-3  https://ubuntu.com/security/notices/USN-7088-2  https://ubuntu.com/security/notices/USN-7088-1  CVE-2021-47212, CVE-2022-36402, CVE-2023-52531, CVE-2023-52614,  CVE-2023-52918, CVE-2024-26607, CVE-2024-26640, CVE-2024-26641,  CVE-2024-26668, CVE-2024-26669, CVE-2024-26800, CVE-2024-26885,  CVE-2024-26891, CVE-2024-27051, CVE-2024-35848, CVE-2024-36484,  CVE-2024-38602, CVE-2024-38611, CVE-2024-40929, CVE-2024-41011,  CVE-2024-41012, CVE-2024-41015, CVE-2024-41017, CVE-2024-41020,  CVE-2024-41022, CVE-2024-41042, CVE-2024-41059, CVE-2024-41063,  CVE-2024-41064, CVE-2024-41065, CVE-2024-41068, CVE-2024-41070,  CVE-2024-41071, CVE-2024-41072, CVE-2024-41073, CVE-2024-41081,  CVE-2024-41090, CVE-2024-41091, CVE-2024-41098, CVE-2024-42131,  CVE-2024-42229, CVE-2024-42244, CVE-2024-42246, CVE-2024-42259,  CVE-2024-42265, CVE-2024-42271, CVE-2024-42276, CVE-2024-42280,  CVE-2024-42281, CVE-2024-42283, CVE-2024-42284, CVE-2024-42285,  CVE-2024-42286, CVE-2024-42287, CVE-2024-42288, CVE-2024-42289,  CVE-2024-42290, CVE-2024-42292, CVE-2024-42295, CVE-2024-42297,  CVE-2024-42301, CVE-2024-42304, CVE-2024-42305, CVE-2024-42306,  CVE-2024-42309, CVE-2024-42310, CVE-2024-42311, CVE-2024-42313,  CVE-2024-43829, CVE-2024-43830, CVE-2024-43835, CVE-2024-43839,  CVE-2024-43841, CVE-2024-43846, CVE-2024-43853, CVE-2024-43854,  CVE-2024-43856, CVE-2024-43858, CVE-2024-43860, CVE-2024-43861,  CVE-2024-43867, CVE-2024-43871, CVE-2024-43879, CVE-2024-43880,  CVE-2024-43882, CVE-2024-43883, CVE-2024-43884, CVE-2024-43890,  CVE-2024-43893, CVE-2024-43894, CVE-2024-43908, CVE-2024-43914,  CVE-2024-44935, CVE-2024-44944, CVE-2024-44946, CVE-2024-44947,  CVE-2024-44948, CVE-2024-44952, CVE-2024-44954, CVE-2024-44960,  CVE-2024-44965, CVE-2024-44969, CVE-2024-44987, CVE-2024-44988,  CVE-2024-44995, CVE-2024-44998, CVE-2024-44999, CVE-2024-45003,  CVE-2024-45006, CVE-2024-45008, CVE-2024-45021, CVE-2024-45025,  CVE-2024-45026, CVE-2024-45028, CVE-2024-46673, CVE-2024-46675,  CVE-2024-46676, CVE-2024-46677, CVE-2024-46679, CVE-2024-46685,  CVE-2024-46689, CVE-2024-46714, CVE-2024-46719, CVE-2024-46721,  CVE-2024-46722, CVE-2024-46723, CVE-2024-46737, CVE-2024-46738,  CVE-2024-46739, CVE-2024-46740, CVE-2024-46743, CVE-2024-46744,  CVE-2024-46745, CVE-2024-46747, CVE-2024-46750, CVE-2024-46755,  CVE-2024-46756, CVE-2024-46757, CVE-2024-46758, CVE-2024-46759,  CVE-2024-46761, CVE-2024-46771, CVE-2024-46777, CVE-2024-46780,  CVE-2024-46781, CVE-2024-46782, CVE-2024-46783, CVE-2024-46798,  CVE-2024-46800, CVE-2024-46815, CVE-2024-46817, CVE-2024-46818,  CVE-2024-46822, CVE-2024-46828, CVE-2024-46829, CVE-2024-46840,  CVE-2024-46844, CVE-2024-47659, CVE-2024-47663, CVE-2024-47667,  CVE-2024-47668, CVE-2024-47669

Ubuntu Security Notice USN-7088-3

Gentoo Linux Security Advisory 202411-1 - A vulnerability has been discovered in Neat VNC, which can lead to authentication bypass. Versions greater than or equal to 0.8.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202411-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Neat VNC: Authentication Bypass  
     Date: November 06, 2024  
     Bugs: #937140  
       ID: 202411-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Neat VNC, which can lead to  
authentication bypass.

Background  
==========

Neat VNC is a liberally licensed VNC server library that's intended to  
be fast and neat.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
gui-libs/neatvnc  < 0.8.1       >= 0.8.1

Description  
===========

Neat VNC allows remote attackers to bypass authentication via a request  
in which the client specifies an insecure security type such as "Type 1  
- None", which is accepted even if it is not offered by the server, as  
originally demonstrated using a long password.

Impact  
======

A remote attacker can opt not to use any authentication method and  
access the VNC server.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Neat VNC users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=gui-libs/neatvnc-0.8.1"

References  
==========

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202411-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202411-01

Debian Linux Security Advisory 5803-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5803-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 05, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2024-10458 CVE-2024-10459 CVE-2024-10460 CVE-2024-10461   
                 CVE-2024-10462 CVE-2024-10463 CVE-2024-10464 CVE-2024-10465   
                 CVE-2024-10466 CVE-2024-10467

Multiple security issues were discovered in Thunderbird, which could  
result in denial of service or the execution of arbitrary code.

Debian follows the Thunderbird upstream releases. Support for the  
115.x series has ended, so starting with this update we're now  
following the 128.x series.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:128.4.0esr-1~deb12u1. This version is not yet available for  
the i386 architecture.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcqaX4ACgkQEMKTtsN8  
TjZR6g//Yz5oKGY25G4T1qqpgNVKnbG2otH7lPRL72lZVjtOHGuM+l3h5aHDEeJZ  
igF15ChM7XGlBht/tZmvSFYxMGEnBdYehzyVEX7ZXM1hK3R31mG/X7x8BVEdzo+i  
BflYPp4of4AFfJlxFgV0NsySHN0k411syCtl2Q0+hu9yyM1nPQbLzPbalnkT+pNl  
80Q88g3XQrT4mjlscJeTnHOhIgfZxmVMIjFd8W31RhGuVe3QnN/bjaApdr37D65p  
XEomoOIRwRhE6AmwCIBv0spepS8QmfxN7h1MRXh4u6Wdca2/Y7jD959pN+m8MmDF  
o0FUBetZt0sgo6qMpnaaMBEpIQbQT9uTt4gA88HdNULc7CTqDBj/oWoruqDiNd/f  
6I4n2fOoBfeo/voZlzvhX16veRcuLa3HZ60ifnxYmUPUoOKAqRTO/LqOdhCm6nm6  
A/hAmAoG3GspVcUO+im6hi+2NBjxaj3XdX9O7L1k5fuavRq256v+9XIUv1iSlOtY  
Kk7XcrGST9mnf5iGTXsDC7P28Wy2+mFFZV1T/+Z6Y1a8bPY3MZ6RPIZk+I19W+Gw  
cCJwJ92uaFMKB9zrRaPuAEfnRzP0piHJxgX+vvEC8k7RbHlepuPfD5548WCjAf1b  
g+X4HyW0Hlv9dXTRqY1YpDBCh5J77P7b7dakmFR9Yutaxv5ldlQ=  
=qixK  
-----END PGP SIGNATURE-----

Debian Security Advisory 5803-1

Red Hat Security Advisory 2024-8935-03 - An update for edk2 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8935.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: edk2 security updateAdvisory ID:        RHSA-2024:8935-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8935Issue date:         2024-11-06Revision:           03CVE Names:          CVE-2024-6119====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es):* openssl: Possible denial of service in X.509 name checks (CVE-2024-6119)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6119References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2306158

Red Hat Security Advisory 2024-8935-03

Red Hat Security Advisory 2024-8929-03 - An update for mod_jk is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include denial of service and information leakage vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8929.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: mod_jk security updateAdvisory ID:        RHSA-2024:8929-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8929Issue date:         2024-11-06Revision:           03CVE Names:          CVE-2024-46544====================================================================Summary: An update for mod_jk is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The mod_jk module is a plugin for the Apache HTTP Server to connect it with the Apache Tomcat servlet engine.Security Fix(es):* mod_jk: information Disclosure / DoS (CVE-2024-46544)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-46544References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2314194https://issues.redhat.com/browse/RHEL-65739

Red Hat Security Advisory 2024-8929-03

Red Hat Security Advisory 2024-8928-03 - An update for mod_jk is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include denial of service and information leakage vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8928.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: mod_jk security updateAdvisory ID:        RHSA-2024:8928-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8928Issue date:         2024-11-06Revision:           03CVE Names:          CVE-2024-46544====================================================================Summary: An update for mod_jk is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The mod_jk module is a plugin for the Apache HTTP Server to connect it with the Apache Tomcat servlet engine.Security Fix(es):* mod_jk: information Disclosure / DoS (CVE-2024-46544)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-46544References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2314194https://issues.redhat.com/browse/RHEL-65726

Tag

#linux