Headline
Red Hat Security Advisory 2024-3781-03
Red Hat Security Advisory 2024-3781-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include HTTP request smuggling, buffer overflow, code execution, cross site scripting, denial of service, memory exhaustion, null pointer, and password leak vulnerabilities.
The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3781.jsonRed Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis: Moderate: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix UpdateAdvisory ID: RHSA-2024:3781-03Product: Red Hat Ansible Automation PlatformAdvisory URL: https://access.redhat.com/errata/RHSA-2024:3781Issue date: 2024-06-10Revision: 03CVE Names: CVE-2023-5752====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.4Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):* automation-controller: aiohttp: DoS when trying to parse malformed POST requests (CVE-2024-30251)* automation-controller: Django: Potential regular expression denial-of-service in django.utils.text.Truncator.words() (CVE-2024-27351)* automation-controller: pip: Mercurial configuration injectable in repo revision when installing via pip (CVE-2023-5752)* automation-controller: pydantic: regular expression denial of service via crafted email string (CVE-2024-3772)* automation-hub, python3/python39-galaxy-ng: follow-redirects: Possible credential leak (CVE-2024-28849)* python3/python39-aiohttp: DoS when trying to parse malformed POST requests (CVE-2024-30251)* python3/python39-aiohttp: XSS on index pages for static file handling (CVE-2024-27306)* python3/python39-black: ReDoS via the lines_with_leading_tabs_expanded() function in strings.py file (CVE-2024-21503)* python3/python39-cryptography: NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override (CVE-2024-26130)* python3/python39-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)* python3/python39-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)* python3/python39-gunicorn: HTTP Request Smuggling due to improper validation of Transfer-Encoding headers (CVE-2024-1135)* python3/python39-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode() (CVE-2024-3651)* python3/python39-jinja2: accepts keys containing non-attribute characters (CVE-2024-34064)* python3/python39-pillow: buffer overflow in _imagingcms.c (CVE-2024-28219)* python3/python39-pillow: Arbitrary Code Execution via the environment parameter (CVE-2023-50447)* python3/python39-pydantic: regular expression denial of service via crafted email string (CVE-2024-3772)* python3/python39-requests: subsequent requests to the same host ignore cert verification (CVE-2024-35195)* python3/python39-social-auth-app-django: Improper Handling of Case Sensitivity in social-auth-app-django (CVE-2024-32879)* python3/python39-sqlparse: parsing heavily nested list leads to denial of service (CVE-2024-4340)* receptor: golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)* receptor: golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)* receptor: golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Updates and fixes for automation controller:* Fixed Redis connection leak on version 4.5.6 (AAP-24286)* automation-controller has been updated to 4.5.7Updates and fixes for automation hub:* Fixed repository sync issues (AAH-3111, AAH-3218)* automation-hub/python3-galaxy-ng/python39-galaxy-ng have been updated to 4.9.2Additional changes:* ansible-core has been updated to 2.15.11* automation-eda-controller has been updated to 1.0.7* installer and setup have been updated to 2.4-7* receptor has been updated to 1.4.8For more details about the updates and fixes included in this release, refer to the Release Notes.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5752References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2250765https://bugzilla.redhat.com/show_bug.cgi?id=2255331https://bugzilla.redhat.com/show_bug.cgi?id=2259479https://bugzilla.redhat.com/show_bug.cgi?id=2266045https://bugzilla.redhat.com/show_bug.cgi?id=2268017https://bugzilla.redhat.com/show_bug.cgi?id=2268019https://bugzilla.redhat.com/show_bug.cgi?id=2268273https://bugzilla.redhat.com/show_bug.cgi?id=2269576https://bugzilla.redhat.com/show_bug.cgi?id=2269617https://bugzilla.redhat.com/show_bug.cgi?id=2270236https://bugzilla.redhat.com/show_bug.cgi?id=2272563https://bugzilla.redhat.com/show_bug.cgi?id=2274779https://bugzilla.redhat.com/show_bug.cgi?id=2275106https://bugzilla.redhat.com/show_bug.cgi?id=2275280https://bugzilla.redhat.com/show_bug.cgi?id=2275989https://bugzilla.redhat.com/show_bug.cgi?id=2277035https://bugzilla.redhat.com/show_bug.cgi?id=2278038https://bugzilla.redhat.com/show_bug.cgi?id=2278710https://bugzilla.redhat.com/show_bug.cgi?id=2279476https://bugzilla.redhat.com/show_bug.cgi?id=2282114https://issues.redhat.com/browse/AAH-3111https://issues.redhat.com/browse/AAP-22461Related news
Red Hat Security Advisory 2024-4260-03 - An update for python-idna is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
Gentoo Linux Security Advisory 202407-6 - Multiple vulnerabilities have been discovered in cryptography, the worst of which could lead to a denial of service. Versions greater than or equal to 42.0.4 are affected.
Red Hat Security Advisory 2024-3637-03 - Secondary Scheduler Operator for Red Hat OpenShift 1.3.0 for RHEL 9. Issues addressed include denial of service and memory exhaustion vulnerabilities.
Red Hat Security Advisory 2024-0045-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2024-0041-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, password leak, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2024-4054-03 - An update for python-gunicorn is now available for Red Hat OpenStack Platform 16.2. Issues addressed include a HTTP request smuggling vulnerability.
Red Hat Security Advisory 2024-4034-03 - OpenShift container images for the Red Hat Service Interconnect 1.5 release. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-4028-03 - Red Hat OpenShift Serverless version 1.33.0 is now available.
Red Hat Security Advisory 2024-4023-03 - Red Hat openshift-serverless-clients kn 1.33.0 is now available. Issues addressed include denial of service and memory exhaustion vulnerabilities.
Red Hat Security Advisory 2024-3989-03 - Migration Toolkit for Applications 6.2.3 release. Issues addressed include denial of service, memory leak, and password leak vulnerabilities.
Red Hat Security Advisory 2024-3868-03 - Network Observability 1.6 for Red Hat OpenShift. Issues addressed include code execution, denial of service, memory exhaustion, and password leak vulnerabilities.
Red Hat Security Advisory 2024-3920-03 - Migration Toolkit for Runtimes 1.2.6 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a password leak vulnerability.
Red Hat Security Advisory 2024-3846-03 - An update for python-idna is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-3831-03 - An update for containernetworking-plugins is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory exhaustion vulnerability.
Red Hat Security Advisory 2024-3830-03 - An update for gvisor-tap-vsock is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory exhaustion vulnerability.
Red Hat Security Advisory 2024-3827-03 - An update for buildah is now available for Red Hat Enterprise Linux 9. Issues addressed include memory exhaustion and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2024-3790-03 - OpenShift API for Data Protection 1.3.2 is now available. Issues addressed include a memory exhaustion vulnerability.
Red Hat Security Advisory 2024-3790-03 - OpenShift API for Data Protection 1.3.2 is now available. Issues addressed include a memory exhaustion vulnerability.
Debian Linux Security Advisory 5704-1 - Multiple security issues were discovered in Pillow, a Python imaging library, which could result in denial of service or the execution of arbitrary code if malformed images are processed.
Debian Linux Security Advisory 5704-1 - Multiple security issues were discovered in Pillow, a Python imaging library, which could result in denial of service or the execution of arbitrary code if malformed images are processed.
Red Hat Security Advisory 2024-3552-03 - An update for python-idna is now available for Red Hat Enterprise Linux 8.6. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-3550-03 - HawtIO 4.0.0 for Red Hat build of Apache Camel 4 GA Release is now available. Issues addressed include code execution, denial of service, and password leak vulnerabilities.
Red Hat Security Advisory 2024-3543-03 - An update for python-idna is now available for Red Hat Enterprise Linux 8.8. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-3467-03 - An update for etcd is now available for Red Hat OpenStack Platform 16.1 on Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-3466-03 - An update for the python39:3.9 and python39-devel:3.9 modules is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and traversal vulnerabilities.
Red Hat Security Advisory 2024-3331-03 - Red Hat OpenShift Container Platform release 4.14.27 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.
Red Hat Security Advisory 2024-3327-03 - Red Hat OpenShift Container Platform release 4.15.15 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.
Ubuntu Security Notice 6787-1 - It was discovered that Jinja2 incorrectly handled certain HTML attributes that were accepted by the xmlattr filter. An attacker could use this issue to inject arbitrary HTML attribute keys and values to potentially execute a cross-site scripting attack.
Ubuntu Security Notice 6673-3 - USN-6673-1 provided a security update for python-cryptography. This update provides the corresponding update for Ubuntu 24.04 LTS. It was discovered that python-cryptography incorrectly handled memory operations when processing mismatched PKCS#12 keys. A remote attacker could possibly use this issue to cause python-cryptography to crash, leading to a denial of service. This issue only affected Ubuntu 23.10.
Red Hat Security Advisory 2024-2875-03 - Red Hat OpenShift Container Platform release 4.13.42 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.
Red Hat Security Advisory 2024-3352-03 - An update for etcd is now available for Red Hat OpenStack Platform 16.2. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-3346-03 - An update for git-lfs is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and memory exhaustion vulnerabilities.
Red Hat Security Advisory 2024-3346-03 - An update for git-lfs is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and memory exhaustion vulnerabilities.
When making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. ### Remediation Any of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation. * Upgrade to `requests>=2.32.0`. * For `requests<2.32.0`, avoid setting `verify=False` for the first request to a host while using a Requests Session. * For `requests<2.32.0`, call `close()` on `Session` objects to clear existing connections if `verify=False` is used. ### Related Links * https://github.com/psf/requests/pull/6655
Ubuntu Security Notice 6771-1 - It was discovered that SQL parse incorrectly handled certain nested lists. An attacker could possibly use this issue to cause a denial of service.
Red Hat Security Advisory 2024-2668-03 - Red Hat OpenShift Container Platform release 4.14.24 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe.
Gentoo Linux Security Advisory 202405-12 - Multiple vulnerabilities have been discovered in Pillow, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 10.2.0 are affected.
Red Hat Security Advisory 2024-2699-03 - An update for git-lfs is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.
### Summary An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. ### Impact An attacker can stop the application from serving requests after sending a single request. ------- For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in `_read_chunk_from_length()`): ```diff diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py index 227be605c..71fc2654a 100644 --- a/aiohttp/multipart.py +++ b/aiohttp/multipart.py @@ -338,6 +338,8 @@ class BodyPartReader: assert self._length is not None, "Content-Length required for chunked read" chunk_size = min(size, self._length - self._read_bytes) chunk = await self._content.read(chunk_size) + if self._content.at_eof(): + self._at_eof = True return chunk async def _read_chunk_from_stre...
Ubuntu Security Notice 6744-3 - USN-6744-1 fixed a vulnerability in Pillow. This update provides the corresponding updates for Ubuntu 24.04 LTS. Hugo van Kemenade discovered that Pillow was not properly performing bounds checks when processing an ICC file, which could lead to a buffer overflow. If a user or automated system were tricked into processing a specially crafted ICC file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Red Hat Security Advisory 2024-2088-03 - An update is now available for the Red Hat build of Cryostat 2 on RHEL 8. Issues addressed include denial of service, memory exhaustion, and memory leak vulnerabilities.
Red Hat Security Advisory 2024-2088-03 - An update is now available for the Red Hat build of Cryostat 2 on RHEL 8. Issues addressed include denial of service, memory exhaustion, and memory leak vulnerabilities.
Red Hat Security Advisory 2024-2079-03 - An update for git-lfs is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-1897-03 - Red Hat OpenShift Container Platform release 4.14.22 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and memory leak vulnerabilities.
Red Hat Security Advisory 2024-2062-03 - An update is now available for Service Telemetry Framework 1.5.4 for RHEL 9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-1892-03 - Red Hat OpenShift Container Platform release 4.15.10 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
### Impact Due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. ### Patches This issue has been addressed by https://github.com/python-social-auth/social-app-django/pull/566 and fix released in 5.4.1. ### Workarounds An immediate workaround would be to change collation of the affected field: ```mysql ALTER TABLE `social_auth_association` MODIFY `uid` varchar(255) COLLATE `utf8_bin`; ``` ### References This issue was discovered by folks at https://opencraft.com/.
Ubuntu Security Notice 6744-2 - USN-6744-1 fixed a vulnerability in Pillow. This update provides the corresponding updates for Pillow in Ubuntu 20.04 LTS. Hugo van Kemenade discovered that Pillow was not properly performing bounds checks when processing an ICC file, which could lead to a buffer overflow. If a user or automated system were tricked into processing a specially crafted ICC file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 6744-1 - Hugo van Kemenade discovered that Pillow was not properly performing bounds checks when processing an ICC file, which could lead to a buffer overflow. If a user or automated system were tricked into processing a specially crafted ICC file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Red Hat Security Advisory 2024-1878-03 - An updated version of Red Hat Update Infrastructure is now available. RHUI 4.8 fixes several security an operational bugs, adds some new features and upgrades the underlying Pulp to a newer version. Issues addressed include HTTP request smuggling, crlf injection, denial of service, and traversal vulnerabilities.
Red Hat Security Advisory 2024-1878-03 - An updated version of Red Hat Update Infrastructure is now available. RHUI 4.8 fixes several security an operational bugs, adds some new features and upgrades the underlying Pulp to a newer version. Issues addressed include HTTP request smuggling, crlf injection, denial of service, and traversal vulnerabilities.
### Summary A XSS vulnerability exists on index pages for static file handling. ### Details When using `web.static(..., show_index=True)`, the resulting index pages do not escape file names. If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks. ### Workaround We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade. ----- Patch: https://github.com/aio-libs/aiohttp/pull/8319/files
Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability has been shown to allow access to endpoints restricted by gunicorn. To be affected users must have a network path which does not filter out invalid requests. These users are advised to block access to restricted endpoints via a firewall or other mechanism until a fix can be developed.
### Impact A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service. ### Patches The function has been refined to reject such strings without the associated resource consumption in version 3.7. ### Workarounds Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the `idna.encode()` function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application. ### References * https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb
Red Hat Security Advisory 2024-1683-03 - Red Hat OpenShift Container Platform release 4.13.39 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Red Hat Security Advisory 2024-1640-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include HTTP request smuggling, denial of service, local file inclusion, memory leak, and traversal vulnerabilities.
Red Hat Security Advisory 2024-1640-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include HTTP request smuggling, denial of service, local file inclusion, memory leak, and traversal vulnerabilities.
In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
When using axios, its dependency library follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too. Steps To Reproduce & PoC axios Test Code const axios = require('axios'); axios.get('http://127.0.0.1:10081/',{ headers: { 'AuThorization': 'Rear Test', 'ProXy-AuthoriZation': 'Rear Test', 'coOkie': 't=1' } }).then(function (response) { console.log(response); }) When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept. Request sent by axios image-20240314130755052.png Request sent by follow-redirects after redirectimage-20240314130809838.png Impact This vulnerability may lead to credentials leak. Recommendations Remove proxy-authentication header during cross-domain redirect Recommended Patch follow-redirects/index.js:464 removeMatchingHeaders(/^(?:autho...
Ubuntu Security Notice 6674-2 - USN-6674-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 18.04 LTS. Seokchan Yoon discovered that the Django Truncator function incorrectly handled very long HTML input. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.
Ubuntu Security Notice 6674-1 - Seokchan Yoon discovered that the Django Truncator function incorrectly handled very long HTML input. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service.
Ubuntu Security Notice 6673-1 - Hubert Kario discovered that python-cryptography incorrectly handled errors returned by the OpenSSL API when processing incorrect padding in RSA PKCS#1 v1.5. A remote attacker could possibly use this issue to expose confidential or sensitive information. It was discovered that python-cryptography incorrectly handled memory operations when processing mismatched PKCS#12 keys. A remote attacker could possibly use this issue to cause python-cryptography to crash, leading to a denial of service. This issue only affected Ubuntu 23.10.
Red Hat Security Advisory 2024-1060-03 - An update for python-pillow is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-1059-03 - An update for python-pillow is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-1058-03 - An update for python-pillow is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a code execution vulnerability.
If `pkcs12.serialize_key_and_certificates` is called with both: 1. A certificate whose public key did not match the provided private key 2. An `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)` Then a NULL pointer dereference would occur, crashing the Python process. This has been resolved, and now a `ValueError` is properly raised. Patched in https://github.com/pyca/cryptography/pull/10423
Red Hat Security Advisory 2024-0893-03 - An update for python-pillow is now available for Red Hat Enterprise Linux 8. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-0754-03 - An update for python-pillow is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a code execution vulnerability.
Ubuntu Security Notice 6618-1 - It was discovered that Pillow incorrectly handled certain long text arguments. An attacker could possibly use this issue to cause Pillow to consume resources, leading to a denial of service. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. Duarte Santos discovered that Pillow incorrectly handled the environment parameter to PIL.ImageMath.eval. An attacker could possibly use this issue to execute arbitrary code.
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
Ubuntu Security Notice 6539-1 - It was discovered that the python-cryptography Cipher.update_into function would incorrectly accept objects with immutable buffers. This would result in corrupted output, contrary to expectations. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. It was discovered that python-cryptography incorrectly handled loading certain PKCS7 certificates. A remote attacker could possibly use this issue to cause python-cryptography to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10.
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
### Summary Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. ### PoC Here is a Python code that triggers the issue: ```python from cryptography.hazmat.primitives.serialization.pkcs7 import load_der_pkcs7_certificates, load_pem_pkcs7_certificates pem_p7 = b""" -----BEGIN PKCS7----- MAsGCSqGSIb3DQEHAg== -----END PKCS7----- """ der_p7 = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02" load_pem_pkcs7_certificates(pem_p7) load_der_pkcs7_certificates(der_p7) ``` ### Impact Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability.
When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.