#perl

Red Hat Security Advisory 2024-10736-03 - An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Issues addressed include a code execution vulnerability.

Red Hat Security Advisory 2024-10705-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a code execution vulnerability.

New zero-day attack bypasses antivirus, sandboxes, and spam filters using corrupted files. Learn how ANY.RUN’s sandbox detects and…

Mongoose before 8.8.3 can improperly use $where in match.

Red Hat Security Advisory 2024-10677-03 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a code execution vulnerability.

The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.

Despite advancements in cybersecurity tools, human vulnerability remains the weakest link, with phishing among the most dangerous forms…

Ubuntu Security Notice 7117-2 - USN-7117-1 fixed vulnerabilities in needrestart. The update introduced a regression in needrestart. This update fixes the problem. Qualys discovered that needrestart passed unsanitized data to a library which expects safe input. A local attacker could possibly use this issue to execute arbitrary code as root.

Ubuntu Security Notice 7124-1 - Andy Boothe discovered that the Networking component of OpenJDK 23 did not properly handle access under certain circumstances. An unauthenticated attacker could possibly use this issue to cause a denial of service. It was discovered that the Hotspot component of OpenJDK 23 did not properly handle vectorization under certain circumstances. An unauthenticated attacker could possibly use this issue to access unauthorized resources and expose sensitive information.

### Summary An attacker can send a maliciously crafted TOML to cause the parser to crash because of a stack overflow caused by a deeply nested inline structure. A similar problem occurs when attempting to stringify deeply nested objects. The library does not limit the maximum exploration depth while parsing or producing TOML documents, nor does it offer a way to do so. ### Proof of concept ```js require("smol-toml").parse("e=" + "{e=".repeat(9999) + "{}" + "}".repeat(9999)) ``` ### Impact Applications which parse arbitrary TOML documents may suffer availability issues if they receive malicious input. If uncaught, the crash may cause the application itself to crash. The impact is deemed minor, as the function is already likely to throw errors on invalid input and therefore to properly handle errors. Due to the design of most JavaScript runtimes, the uncontrolled recursion does not lead to excessive memory usage and the execution is quickly aborted. As a reminder, it is **strongly**...