Red Hat Security Advisory 2024-8906-03
Red Hat Security Advisory 2024-8906-03 - A new release is now available for Red Hat Satellite 6.16 for RHEL 8 and 9. Issues addressed include bypass, denial of service, memory leak, remote SQL injection, and traversal vulnerabilities.
The following advisory data is extracted from:
https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8906.json
Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat’s archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.
- Packet Storm Staff
====================================================================
Red Hat Security Advisory
Synopsis: Critical: Satellite 6.16.0 release
Advisory ID: RHSA-2024:8906-03
Product: Red Hat Satellite 6
Advisory URL: https://access.redhat.com/errata/RHSA-2024:8906
Issue date: 2024-11-06
Revision: 03
CVE Names: CVE-2024-4067 CVE-2024-5569 CVE-2024-7012 CVE-2024-7246 CVE-2024-7923 CVE-2024-8376 CVE-2024-8553 CVE-2024-28863 CVE-2024-37891 CVE-2024-38875 CVE-2024-39329 CVE-2024-39330 CVE-2024-39614 CVE-2024-42005
====================================================================
Summary:
A new release is now available for Red Hat Satellite 6.16 for RHEL 8 and 9.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Description:
Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.
Security Fix(es):
- mosquitto: sending specific sequences of packets may trigger memory leak (CVE-2024-8376)
- micromatch: vulnerable to Regular Expression Denial of Service (CVE-2024-4067)
- urllib3: proxy-authorization request header is not stripped during cross-origin redirects (CVE-2024-37891)
- node-tar: denial of service while parsing a tar file due to lack of folders depth validation (CVE-2024-28863)
- python-django: Potential denial-of-service in django.utils.html.urlize() (CVE-2024-38875)
- python-django: Username enumeration through timing difference for users with unusable passwords (CVE-2024-39329)
- python-django: Potential directory-traversal in django.core.files.storage.Storage.save() (CVE-2024-39330)
- python-django: Potential denial-of-service in django.utils.translation.get_supported_language_variant() (CVE-2024-39614)
- github.com/jaraco/zipp: Denial of Service (infinite loop) via crafted zip file in jaraco/zipp (CVE-2024-5569)
- puppet-foreman: An authentication bypass vulnerability exists in Foreman (CVE-2024-7012)
- python-django: Potential SQL injection in QuerySet.values() and values_list() (CVE-2024-42005)
- grpc: client communicating with a HTTP/2 proxy can poison the HPACK table between the proxy and the backend (CVE-2024-7246)
- puppet-pulpcore: An authentication bypass vulnerability exists in pulpcore (CVE-2024-7923)
- foreman: Read-only access to entire DB from templates (CVE-2024-8553)
Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs.
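The urllib3 item in the list above (CVE-2024-37891) comes down to which request headers a client keeps when it follows a redirect to a different host. The Python below is an added illustration, not urllib3's or Red Hat's code: the two header sets mirror urllib3's Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT before and after the 2.2.2 fix (urllib3 itself keys the decision on the host changing; the scheme/host/port origin comparison here is a simplification), and the request headers and URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Added illustration of CVE-2024-37891. The header sets mirror urllib3's
# Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT before and after the fix (2.2.2
# added "Proxy-Authorization"); the origin comparison and the request below
# are constructed for this example, not urllib3 code.
REMOVE_ON_REDIRECT_BEFORE_FIX = frozenset({"cookie", "authorization"})
REMOVE_ON_REDIRECT_AFTER_FIX = frozenset({"cookie", "authorization", "proxy-authorization"})

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or _DEFAULT_PORTS.get(scheme)


def headers_for_redirect(headers, from_url, to_url, remove_on_redirect):
    """Return the headers a client should send when following a redirect.

    Same-origin redirects keep everything; cross-origin redirects drop the
    credential-bearing headers named in remove_on_redirect (case-insensitive).
    """
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in remove_on_redirect}


# Constructed request: a client that put its proxy credentials into the plain
# request headers (rather than urllib3's proxy_headers) and is redirected by
# the first server to a host it does not control.
REQUEST_HEADERS = {
    "Authorization": "Bearer api-token",
    "Proxy-Authorization": "Basic cHJveHk6cGFzcw==",
    "Cookie": "session=abc",
    "User-Agent": "example-client/1.0",
}
ORIGINAL_URL = "https://satellite.example.com/api/v2/hosts"
REDIRECT_URL = "https://mirror.example.net/landing"


def leaked_headers(remove_on_redirect):
    """Names of credential headers that would still reach the redirect target."""
    sent = headers_for_redirect(REQUEST_HEADERS, ORIGINAL_URL, REDIRECT_URL, remove_on_redirect)
    return sorted(k for k in sent if k.lower() in {"authorization", "proxy-authorization", "cookie"})


if __name__ == "__main__":
    print("before fix, leaked:", leaked_headers(REMOVE_ON_REDIRECT_BEFORE_FIX))
    print("after fix, leaked: ", leaked_headers(REMOVE_ON_REDIRECT_AFTER_FIX))
```

The pre-fix set strips Authorization and Cookie but lets Proxy-Authorization through to mirror.example.net; the post-fix set strips all three, while a same-origin redirect (same scheme, host and effective port) keeps every header.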
Solution:
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.16/html/updating_red_hat_satellite/index
CVEs:
CVE-2024-4067
CVE-2024-5569
CVE-2024-7012
CVE-2024-7246
CVE-2024-7923
CVE-2024-8376
CVE-2024-8553
CVE-2024-28863
CVE-2024-37891
CVE-2024-38875
CVE-2024-39329
CVE-2024-39330
CVE-2024-39614
CVE-2024-42005
References:
https://access.redhat.com/security/updates/classification/#critical
https://bugzilla.redhat.com/show_bug.cgi?id=2280601
https://bugzilla.redhat.com/show_bug.cgi?id=2292788
https://bugzilla.redhat.com/show_bug.cgi?id=2293200
https://bugzilla.redhat.com/show_bug.cgi?id=2295935
https://bugzilla.redhat.com/show_bug.cgi?id=2295936
https://bugzilla.redhat.com/show_bug.cgi?id=2295937
https://bugzilla.redhat.com/show_bug.cgi?id=2295938
https://bugzilla.redhat.com/show_bug.cgi?id=2296413
https://bugzilla.redhat.com/show_bug.cgi?id=2299429
https://bugzilla.redhat.com/show_bug.cgi?id=2302436
https://bugzilla.redhat.com/show_bug.cgi?id=2305718
https://bugzilla.redhat.com/show_bug.cgi?id=2312524
https://bugzilla.redhat.com/show_bug.cgi?id=2318080
https://issues.redhat.com/browse/SAT-12847
https://issues.redhat.com/browse/SAT-15089
https://issues.redhat.com/browse/SAT-15466
https://issues.redhat.com/browse/SAT-15467
https://issues.redhat.com/browse/SAT-15549
https://issues.redhat.com/browse/SAT-16224
https://issues.redhat.com/browse/SAT-16247
https://issues.redhat.com/browse/SAT-16381
https://issues.redhat.com/browse/SAT-16537
https://issues.redhat.com/browse/SAT-16593
https://issues.redhat.com/browse/SAT-17442
https://issues.redhat.com/browse/SAT-17443
https://issues.redhat.com/browse/SAT-17785
https://issues.redhat.com/browse/SAT-18093
https://issues.redhat.com/browse/SAT-18270
https://issues.redhat.com/browse/SAT-18327
https://issues.redhat.com/browse/SAT-18410
https://issues.redhat.com/browse/SAT-18461
https://issues.redhat.com/browse/SAT-18568
https://issues.redhat.com/browse/SAT-18610
https://issues.redhat.com/browse/SAT-18705
https://issues.redhat.com/browse/SAT-18721
https://issues.redhat.com/browse/SAT-18859
https://issues.redhat.com/browse/SAT-18993
https://issues.redhat.com/browse/SAT-19018
https://issues.redhat.com/browse/SAT-19269
https://issues.redhat.com/browse/SAT-19342
https://issues.redhat.com/browse/SAT-19389
https://issues.redhat.com/browse/SAT-19394
https://issues.redhat.com/browse/SAT-19501
https://issues.redhat.com/browse/SAT-19502
https://issues.redhat.com/browse/SAT-19504
https://issues.redhat.com/browse/SAT-19511
https://issues.redhat.com/browse/SAT-19592
https://issues.redhat.com/browse/SAT-19614
https://issues.redhat.com/browse/SAT-19621
https://issues.redhat.com/browse/SAT-19748
https://issues.redhat.com/browse/SAT-19789
https://issues.redhat.com/browse/SAT-19922
https://issues.redhat.com/browse/SAT-19993
https://issues.redhat.com/browse/SAT-19999
https://issues.redhat.com/browse/SAT-20099
https://issues.redhat.com/browse/SAT-20361
https://issues.redhat.com/browse/SAT-20445
https://issues.redhat.com/browse/SAT-20553
https://issues.redhat.com/browse/SAT-21261
https://issues.redhat.com/browse/SAT-21266
https://issues.redhat.com/browse/SAT-21268
https://issues.redhat.com/browse/SAT-21273
https://issues.redhat.com/browse/SAT-21353
https://issues.redhat.com/browse/SAT-21374
https://issues.redhat.com/browse/SAT-21375
https://issues.redhat.com/browse/SAT-21395
https://issues.redhat.com/browse/SAT-21396
https://issues.redhat.com/browse/SAT-21421
https://issues.redhat.com/browse/SAT-21463
https://issues.redhat.com/browse/SAT-21682
https://issues.redhat.com/browse/SAT-21757
https://issues.redhat.com/browse/SAT-21920
https://issues.redhat.com/browse/SAT-21994
https://issues.redhat.com/browse/SAT-22047
https://issues.redhat.com/browse/SAT-22048
https://issues.redhat.com/browse/SAT-22156
https://issues.redhat.com/browse/SAT-22172
https://issues.redhat.com/browse/SAT-22358
https://issues.redhat.com/browse/SAT-22442
https://issues.redhat.com/browse/SAT-22491
https://issues.redhat.com/browse/SAT-22554
https://issues.redhat.com/browse/SAT-22579
https://issues.redhat.com/browse/SAT-22626
https://issues.redhat.com/browse/SAT-22849
https://issues.redhat.com/browse/SAT-22872
https://issues.redhat.com/browse/SAT-22889
https://issues.redhat.com/browse/SAT-22900
https://issues.redhat.com/browse/SAT-23047
https://issues.redhat.com/browse/SAT-23077
https://issues.redhat.com/browse/SAT-23093
https://issues.redhat.com/browse/SAT-23096
https://issues.redhat.com/browse/SAT-23109
https://issues.redhat.com/browse/SAT-23124
https://issues.redhat.com/browse/SAT-23167
https://issues.redhat.com/browse/SAT-23211
https://issues.redhat.com/browse/SAT-23228
https://issues.redhat.com/browse/SAT-23279
https://issues.redhat.com/browse/SAT-23288
https://issues.redhat.com/browse/SAT-23302
https://issues.redhat.com/browse/SAT-23335
https://issues.redhat.com/browse/SAT-23405
https://issues.redhat.com/browse/SAT-23407
https://issues.redhat.com/browse/SAT-23424
https://issues.redhat.com/browse/SAT-23426
https://issues.redhat.com/browse/SAT-23487
https://issues.redhat.com/browse/SAT-23505
https://issues.redhat.com/browse/SAT-23544
https://issues.redhat.com/browse/SAT-23573
https://issues.redhat.com/browse/SAT-23592
https://issues.redhat.com/browse/SAT-23610
https://issues.redhat.com/browse/SAT-23752
https://issues.redhat.com/browse/SAT-23841
https://issues.redhat.com/browse/SAT-23894
https://issues.redhat.com/browse/SAT-23943
https://issues.redhat.com/browse/SAT-23947
https://issues.redhat.com/browse/SAT-23951
https://issues.redhat.com/browse/SAT-23954
https://issues.redhat.com/browse/SAT-23957
https://issues.redhat.com/browse/SAT-23990
https://issues.redhat.com/browse/SAT-23992
https://issues.redhat.com/browse/SAT-24050
https://issues.redhat.com/browse/SAT-24064
https://issues.redhat.com/browse/SAT-24073
https://issues.redhat.com/browse/SAT-24111
https://issues.redhat.com/browse/SAT-24132
https://issues.redhat.com/browse/SAT-24197
https://issues.redhat.com/browse/SAT-24470
https://issues.redhat.com/browse/SAT-24478
https://issues.redhat.com/browse/SAT-24479
https://issues.redhat.com/browse/SAT-24489
https://issues.redhat.com/browse/SAT-24521
https://issues.redhat.com/browse/SAT-24526
https://issues.redhat.com/browse/SAT-24531
https://issues.redhat.com/browse/SAT-24545
https://issues.redhat.com/browse/SAT-24548
https://issues.redhat.com/browse/SAT-24577
https://issues.redhat.com/browse/SAT-24600
https://issues.redhat.com/browse/SAT-24769
https://issues.redhat.com/browse/SAT-24771
https://issues.redhat.com/browse/SAT-24774
https://issues.redhat.com/browse/SAT-24779
https://issues.redhat.com/browse/SAT-24781
https://issues.redhat.com/browse/SAT-24786
https://issues.redhat.com/browse/SAT-24787
https://issues.redhat.com/browse/SAT-24801
https://issues.redhat.com/browse/SAT-24805
https://issues.redhat.com/browse/SAT-24837
https://issues.redhat.com/browse/SAT-24854
https://issues.redhat.com/browse/SAT-24878
https://issues.redhat.com/browse/SAT-24884
https://issues.redhat.com/browse/SAT-24893
https://issues.redhat.com/browse/SAT-24917
https://issues.redhat.com/browse/SAT-24918
https://issues.redhat.com/browse/SAT-24919
https://issues.redhat.com/browse/SAT-24920
https://issues.redhat.com/browse/SAT-24932
https://issues.redhat.com/browse/SAT-24936
https://issues.redhat.com/browse/SAT-24943
https://issues.redhat.com/browse/SAT-24988
https://issues.redhat.com/browse/SAT-25032
https://issues.redhat.com/browse/SAT-25129
https://issues.redhat.com/browse/SAT-25152
https://issues.redhat.com/browse/SAT-25155
https://issues.redhat.com/browse/SAT-25159
https://issues.redhat.com/browse/SAT-25160
https://issues.redhat.com/browse/SAT-25194
https://issues.redhat.com/browse/SAT-25213
https://issues.redhat.com/browse/SAT-25217
https://issues.redhat.com/browse/SAT-25243
https://issues.redhat.com/browse/SAT-25250
https://issues.redhat.com/browse/SAT-25328
https://issues.redhat.com/browse/SAT-25368
https://issues.redhat.com/browse/SAT-25429
https://issues.redhat.com/browse/SAT-25437
https://issues.redhat.com/browse/SAT-25455
https://issues.redhat.com/browse/SAT-25467
https://issues.redhat.com/browse/SAT-25503
https://issues.redhat.com/browse/SAT-25569
https://issues.redhat.com/browse/SAT-25583
https://issues.redhat.com/browse/SAT-25655
https://issues.redhat.com/browse/SAT-25658
https://issues.redhat.com/browse/SAT-25678
https://issues.redhat.com/browse/SAT-25713
https://issues.redhat.com/browse/SAT-25774
https://issues.redhat.com/browse/SAT-25789
https://issues.redhat.com/browse/SAT-25795
https://issues.redhat.com/browse/SAT-25813
https://issues.redhat.com/browse/SAT-25869
https://issues.redhat.com/browse/SAT-25936
https://issues.redhat.com/browse/SAT-25946
https://issues.redhat.com/browse/SAT-26012
https://issues.redhat.com/browse/SAT-26031
https://issues.redhat.com/browse/SAT-26040
https://issues.redhat.com/browse/SAT-26064
https://issues.redhat.com/browse/SAT-26078
https://issues.redhat.com/browse/SAT-26084
https://issues.redhat.com/browse/SAT-26105
https://issues.redhat.com/browse/SAT-26202
https://issues.redhat.com/browse/SAT-26242
https://issues.redhat.com/browse/SAT-26269
https://issues.redhat.com/browse/SAT-26397
https://issues.redhat.com/browse/SAT-26417
https://issues.redhat.com/browse/SAT-26493
https://issues.redhat.com/browse/SAT-26563
https://issues.redhat.com/browse/SAT-26588
https://issues.redhat.com/browse/SAT-26758
https://issues.redhat.com/browse/SAT-26762
https://issues.redhat.com/browse/SAT-26767
https://issues.redhat.com/browse/SAT-26834
https://issues.redhat.com/browse/SAT-26835
https://issues.redhat.com/browse/SAT-26837
https://issues.redhat.com/browse/SAT-26901
https://issues.redhat.com/browse/SAT-26967
https://issues.redhat.com/browse/SAT-27144
https://issues.redhat.com/browse/SAT-27182
https://issues.redhat.com/browse/SAT-27211
https://issues.redhat.com/browse/SAT-27276
https://issues.redhat.com/browse/SAT-27384
https://issues.redhat.com/browse/SAT-27401
https://issues.redhat.com/browse/SAT-27411
https://issues.redhat.com/browse/SAT-27485
https://issues.redhat.com/browse/SAT-27506
https://issues.redhat.com/browse/SAT-27512
https://issues.redhat.com/browse/SAT-27569
https://issues.redhat.com/browse/SAT-27593
https://issues.redhat.com/browse/SAT-27595
https://issues.redhat.com/browse/SAT-27604
https://issues.redhat.com/browse/SAT-27622
https://issues.redhat.com/browse/SAT-27676
https://issues.redhat.com/browse/SAT-27677
https://issues.redhat.com/browse/SAT-27702
https://issues.redhat.com/browse/SAT-27752
https://issues.redhat.com/browse/SAT-27778
https://issues.redhat.com/browse/SAT-27779
https://issues.redhat.com/browse/SAT-27814
https://issues.redhat.com/browse/SAT-27830
https://issues.redhat.com/browse/SAT-27834
https://issues.redhat.com/browse/SAT-27836
https://issues.redhat.com/browse/SAT-27891
https://issues.redhat.com/browse/SAT-27900
https://issues.redhat.com/browse/SAT-27901
https://issues.redhat.com/browse/SAT-27940
https://issues.redhat.com/browse/SAT-27943
https://issues.redhat.com/browse/SAT-27981
https://issues.redhat.com/browse/SAT-28012
https://issues.redhat.com/browse/SAT-28046
https://issues.redhat.com/browse/SAT-28048
https://issues.redhat.com/browse/SAT-28162
https://issues.redhat.com/browse/SAT-28269
https://issues.redhat.com/browse/SAT-28275
https://issues.redhat.com/browse/SAT-28336
https://issues.redhat.com/browse/SAT-28361
https://issues.redhat.com/browse/SAT-28362
https://issues.redhat.com/browse/SAT-28367
https://issues.redhat.com/browse/SAT-28394
https://issues.redhat.com/browse/SAT-28435
https://issues.redhat.com/browse/SAT-28467
https://issues.redhat.com/browse/SAT-28667
https://issues.redhat.com/browse/SAT-7770
https://issues.redhat.com/browse/SAT-8076
Related news
Red Hat Security Advisory 2024-8843-03 - An update for python3.11-urllib3 is now available for Red Hat Enterprise Linux 8.
Red Hat Security Advisory 2024-8842-03 - An update for python3.12-urllib3 is now available for Red Hat Enterprise Linux 8. Issues addressed include a remote shell upload vulnerability.
Red Hat Security Advisory 2024-8719-03 - Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a memory leak vulnerability.
Red Hat Security Advisory 2024-8718-03 - Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a memory leak vulnerability.
Red Hat Security Advisory 2024-8717-03 - Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section.
Red Hat Security Advisory 2024-8232-03 - Red Hat OpenShift Container Platform release 4.17.2 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-7312-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include cross site scripting and html injection vulnerabilities.
Red Hat Security Advisory 2024-7164-03 - The Migration Toolkit for Containers 1.8.4 is now available. Issues addressed include denial of service and password leak vulnerabilities.
Red Hat Security Advisory 2024-6755-03 - Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.16.2 on Red Hat Enterprise Linux 9 from Red Hat Container Registry.
Red Hat Security Advisory 2024-6428-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include denial of service, memory exhaustion, remote SQL injection, and traversal vulnerabilities.
Red Hat Security Advisory 2024-6358-03 - An update for python-urllib3 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.
Red Hat Security Advisory 2024-6337-03 - An update is now available for Red Hat Satellite 6.13 for RHEL 8.
Red Hat Security Advisory 2024-6336-03 - An update is now available for Red Hat Satellite 6.14 for RHEL 8.
Red Hat Security Advisory 2024-6335-03 - An update is now available for Red Hat Satellite 6.15 for RHEL 8.
Red Hat Security Advisory 2024-6310-03 - An update for resource-agents is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.
Red Hat Security Advisory 2024-6211-03 - Red Hat OpenShift Service Mesh Containers for 2.6.1. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-5814-03 - An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 8. Issues addressed include bypass and denial of service vulnerabilities.
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
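The injection point in CVE-2024-42005 is the column alias: the key passed to values()/values_list() ends up inside a double-quoted SQL identifier, and a key containing a quote breaks out of it. The Python below is an added illustration, not Django's query compiler: check_alias() and its pattern follow Django's FORBIDDEN_ALIAS_PATTERN/check_alias in django/db/models/sql/query.py, while the two SQL builders, the in-memory SQLite schema and the crafted key are constructed for the example (the JSON key transform itself is left out, since the alias is where the injection happens).

```python
import re
import sqlite3

# Alias validation modeled on Django's FORBIDDEN_ALIAS_PATTERN / check_alias
# (django/db/models/sql/query.py). The SQL builders and the schema below are
# an added illustration, not Django code.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")


def check_alias(alias):
    """Reject aliases that could break out of a double-quoted identifier."""
    if FORBIDDEN_ALIAS_PATTERN.search(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace characters, quotation marks, "
            "semicolons, or SQL comments."
        )
    return alias


def values_sql_vulnerable(json_key):
    # Before the fix: the caller-chosen key lands verbatim inside the quoted
    # alias. A key containing '"' closes the identifier and the rest is SQL.
    return f'SELECT data AS "{json_key}" FROM item'


def values_sql_hardened(json_key):
    # After the fix: the alias is validated before it reaches the SQL string.
    return f'SELECT data AS "{check_alias(json_key)}" FROM item'


def run(sql):
    """Execute against a constructed in-memory schema and return all rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE item (id INTEGER PRIMARY KEY, data TEXT);
        CREATE TABLE credentials (secret TEXT);
        INSERT INTO item (data) VALUES ('{"colour": "red"}');
        INSERT INTO credentials VALUES ('s3cr3t');
        """
    )
    try:
        return con.execute(sql).fetchall()
    finally:
        con.close()


# Constructed attacker-controlled key: closes the alias, adds a subquery
# column, and leaves the template's closing quote to finish the new alias.
CRAFTED_KEY = 'colour", (SELECT secret FROM credentials) AS "leak'


def demo():
    """Returns (benign rows, rows leaked by the vulnerable builder, hardened builder blocked?)."""
    benign = run(values_sql_hardened("colour"))
    leaked = run(values_sql_vulnerable(CRAFTED_KEY))
    try:
        values_sql_hardened(CRAFTED_KEY)
        blocked = False
    except ValueError:
        blocked = True
    return benign, leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The vulnerable builder turns the crafted key into `SELECT data AS "colour", (SELECT secret FROM credentials) AS "leak" FROM item`, which returns the contents of an unrelated table; the hardened builder refuses the key because it contains a quotation mark and whitespace.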
Red Hat Security Advisory 2024-5041-03 - An update for python-urllib3 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.
Red Hat Security Advisory 2024-4746-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.
Red Hat Security Advisory 2024-4744-03 - An update for resource-agents is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.
Red Hat Security Advisory 2024-4730-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.
Ubuntu Security Notice 6906-1 - It was discovered that python-zipp did not properly handle the zip files with malformed names. An attacker could possibly use this issue to cause a denial of service.
Red Hat Security Advisory 2024-4591-03 - Updated images that include numerous enhancements, security, and bug fixes are now available for Red Hat OpenShift Data Foundation 4.16.0 on Red Hat Enterprise Linux 9. Issues addressed include denial of service, memory leak, and resource exhaustion vulnerabilities.
Ubuntu Security Notice 6888-2 - USN-6888-1 fixed several vulnerabilities in Django. This update provides the corresponding update for Ubuntu 18.04 LTS. Elias Myllymäki discovered that Django incorrectly handled certain inputs with a large number of brackets. A remote attacker could possibly use this issue to cause Django to consume resources or stop responding, resulting in a denial of service.
Ubuntu Security Notice 6888-1 - Elias Myllymäki discovered that Django incorrectly handled certain inputs with a large number of brackets. A remote attacker could possibly use this issue to cause Django to consume resources or stop responding, resulting in a denial of service. It was discovered that Django incorrectly handled authenticating users with unusable passwords. A remote attacker could possibly use this issue to perform a timing attack and enumerate users.
Red Hat Security Advisory 2024-4422-03 - An update for fence-agents is now available for Red Hat Enterprise Linux 9.
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The `django.contrib.auth.backends.ModelBackend.authenticate()` method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
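The timing difference behind CVE-2024-39329 exists because a login attempt against an account with an unusable password could return without doing any password-hashing work, while attempts against real or non-existent accounts paid for one hash. The Python below is an added illustration, not Django code: the user store, the PBKDF2 hasher and the two authenticate() variants are constructed for the example (they imitate Django's conventions, such as a leading "!" marking an unusable password and hashing once for unknown users), and the fixed variant follows the approach of the 4.2.14 fix, which performs the hash on the unusable-password path as well. Hash invocations are counted instead of timed so the result is deterministic.

```python
import hashlib
import secrets

# Added illustration of CVE-2024-39329. The user store, hasher and
# authenticate() functions are constructed for this example; they imitate
# Django's conventions (unusable password stored with a leading "!",
# PBKDF2-SHA256 hasher) but are not Django code.

ITERATIONS = 2000          # kept small so the example runs quickly
UNUSABLE_PREFIX = "!"
KDF_CALLS = {"count": 0}   # counts expensive hash computations


def make_password(raw, salt=None):
    salt = salt or secrets.token_hex(8)
    KDF_CALLS["count"] += 1
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), ITERATIONS).hex()
    return f"pbkdf2_sha256${ITERATIONS}${salt}${digest}"


def check_password(raw, encoded):
    """Verify raw against an encoded hash; costs exactly one KDF call."""
    _, _, salt, digest = encoded.split("$")
    return secrets.compare_digest(make_password(raw, salt).split("$")[-1], digest)


def is_password_usable(encoded):
    return not encoded.startswith(UNUSABLE_PREFIX)


# Constructed user table: one normal account and one SSO-only account whose
# local password was set unusable (what Django's set_unusable_password() does).
USERS = {
    "alice": make_password("correct horse"),
    "bob": UNUSABLE_PREFIX + secrets.token_hex(20),
}


def authenticate_before_fix(username, password):
    user = USERS.get(username)
    if user is None:
        make_password(password)          # unknown user: hash once to mask the miss
        return None
    if not is_password_usable(user):
        return None                      # early return: no KDF work, a faster reply
    return username if check_password(password, user) else None


def authenticate_after_fix(username, password):
    user = USERS.get(username)
    if user is None or not is_password_usable(user):
        make_password(password)          # same KDF cost on every failing path
        return None
    return username if check_password(password, user) else None


def kdf_calls_for(auth, username, password="guess"):
    """KDF computations one login attempt costs: a stand-in for response time."""
    before = KDF_CALLS["count"]
    auth(username, password)
    return KDF_CALLS["count"] - before


if __name__ == "__main__":
    for auth in (authenticate_before_fix, authenticate_after_fix):
        print(auth.__name__, {u: kdf_calls_for(auth, u) for u in ("alice", "bob", "carol")})
```

Before the fix, "bob" (unusable password) costs zero KDF calls while "alice" and the non-existent "carol" cost one each, so an attacker measuring response times can tell which usernames exist with an unusable password. After the fix every failing path costs one call.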
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. `get_supported_language_variant()` was subject to a potential denial-of-service attack when used with very long strings containing specific characters.
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the `django.core.files.storage.Storage` base class, when they override `generate_filename()` without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a `save()` call. (Built-in Storage sub-classes are unaffected.)
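The traversal in CVE-2024-39330 needs a Storage subclass that overrides generate_filename() without the parent's checks; the fix makes save() re-validate whatever generate_filename() returns, so such subclasses are covered regardless. The Python below is an added illustration, not Django's own code: validate_file_name() follows django.core.files.utils.validate_file_name, while the Storage classes are a stripped-down stand-in for django.core.files.storage that resolve the destination path without writing anything, and the root directory, upload names and the PrefixingMixin override are constructed for the example.

```python
import os
import pathlib

# Added illustration of CVE-2024-39330. validate_file_name() follows
# django.core.files.utils.validate_file_name; the Storage classes are a
# stand-in for django.core.files.storage constructed for this example (they
# resolve paths but write nothing) and are not Django's own code.


class SuspiciousFileOperation(Exception):
    pass


def validate_file_name(name, allow_relative_path=False):
    if os.path.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from '{name}'")
    if allow_relative_path:
        # Treat the name as a pure POSIX path so a backslash cannot hide a component.
        path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in '{name}'")
    elif name != os.path.basename(name):
        raise SuspiciousFileOperation(f"File name '{name}' includes path elements")
    return name


class Storage:
    """Base class: generate_filename() validates, save() trusts it (pre-fix shape)."""

    def __init__(self, root):
        self.root = os.path.abspath(root)

    def generate_filename(self, filename):
        filename = str(filename).replace("\\", "/")
        dirname, filename = os.path.split(filename)
        if ".." in pathlib.PurePath(dirname).parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in '{dirname}'")
        return os.path.normpath(os.path.join(dirname, validate_file_name(filename)))

    def _save(self, name):
        # Stand-in for writing the content: just resolve where it would land.
        return os.path.normpath(os.path.join(self.root, name))

    def save(self, name):
        return self._save(self.generate_filename(name))


class StorageAfterFix(Storage):
    """save() re-validates whatever generate_filename() returned, as the fix does."""

    def save(self, name):
        name = validate_file_name(self.generate_filename(name), allow_relative_path=True)
        return self._save(name)


class PrefixingMixin:
    """An override that drops the parent's checks: the vulnerable subclass pattern."""

    def generate_filename(self, filename):
        return os.path.join("uploads", str(filename))


class VulnerableStorage(PrefixingMixin, Storage):
    pass


class PatchedStorage(PrefixingMixin, StorageAfterFix):
    pass


def escapes_root(storage, name):
    """True if saving `name` would place the file outside storage.root."""
    try:
        dest = storage.save(name)
    except SuspiciousFileOperation:
        return False
    return os.path.commonpath([storage.root, dest]) != storage.root


ROOT = "/srv/media"                       # constructed media root
TRAVERSAL = "../../etc/cron.d/evil"       # constructed attacker-supplied upload name

if __name__ == "__main__":
    for cls in (Storage, VulnerableStorage, PatchedStorage):
        print(cls.__name__, "escapes root:", escapes_root(cls(ROOT), TRAVERSAL))
```

The unmodified base class rejects the name in generate_filename(), matching the note that built-in Storage subclasses are unaffected; the subclass with the unchecked override resolves it to /srv/etc/cron.d/evil, outside the media root, until save() re-validates the generated name.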
A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.
## Description:
During some analysis today on npm's `node-tar` package I came across the folder creation process. Basically, if you provide node-tar with a path like `./a/b/c/foo.txt`, it would create every folder and sub-folder here (a, b and c) until it reaches the last folder to create `foo.txt`. In this case I noticed that there's no validation at all on the amount of folders being created; that said, we're actually able to consume the CPU and memory of the system running node-tar and even crash the nodejs client within a few seconds of running it using a path with too many sub-folders inside.
## Steps To Reproduce:
You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it; you should get the same behavior as the video.
## Proof Of Concept:
Here's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc....