Red Hat Security Advisory 2024-2438-03 - An update for pam is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2438.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: pam security updateAdvisory ID:        RHSA-2024:2438-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2438Issue date:         2024-04-30Revision:           03CVE Names:          CVE-2024-22365====================================================================Summary: An update for pam is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Pluggable Authentication Modules (PAM) provide a system to set up authentication policies without the need to recompile programs to handle authentication.Security Fix(es):* pam: allowing unprivileged user to block another user namespace (CVE-2024-22365)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-22365References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2257722https://issues.redhat.com/browse/RHEL-16727https://issues.redhat.com/browse/RHEL-20943https://issues.redhat.com/browse/RHEL-22300https://issues.redhat.com/browse/RHEL-5099https://issues.redhat.com/browse/RHEL-5100

Red Hat Security Advisory 2024-2438-03

Red Hat Security Advisory 2024-2437-03 - An update for exfatprogs is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2437.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: exfatprogs security updateAdvisory ID:        RHSA-2024:2437-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2437Issue date:         2024-04-30Revision:           03CVE Names:          CVE-2023-45897====================================================================Summary: An update for exfatprogs is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The exfatprogs package contains utilities for formatting and repairing exFAT filesystems.Security Fix(es):* exfatprogs: exfatprogs allows out-of-bounds memory access (CVE-2023-45897)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45897References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2246976https://issues.redhat.com/browse/RHEL-15865https://issues.redhat.com/browse/RHEL-7945

Red Hat Security Advisory 2024-2437-03

Red Hat Security Advisory 2024-2433-03 - An update for avahi is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2433.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: avahi security updateAdvisory ID:        RHSA-2024:2433-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2433Issue date:         2024-04-30Revision:           03CVE Names:          CVE-2023-38469====================================================================Summary: An update for avahi is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zero Configuration Networking. It facilitates service discovery on a local network. Avahi and Avahi-aware applications allow you to plug your computer into a network and, with no configuration, view other people to chat with, view printers to print with, and find shared files on other computers.Security Fix(es):* avahi: Reachable assertion in avahi_dns_packet_append_record (CVE-2023-38469)* avahi: Reachable assertion in avahi_escape_label (CVE-2023-38470)* avahi: Reachable assertion in dbus_set_host_name (CVE-2023-38471)* avahi: Reachable assertion in avahi_rdata_parse (CVE-2023-38472)* avahi: Reachable assertion in avahi_alternative_host_name (CVE-2023-38473)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-38469References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2191687https://bugzilla.redhat.com/show_bug.cgi?id=2191690https://bugzilla.redhat.com/show_bug.cgi?id=2191691https://bugzilla.redhat.com/show_bug.cgi?id=2191692https://bugzilla.redhat.com/show_bug.cgi?id=2191694

Red Hat Security Advisory 2024-2433-03

Red Hat Security Advisory 2024-2410-03 - An update for harfbuzz is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2410.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: harfbuzz security updateAdvisory ID:        RHSA-2024:2410-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2410Issue date:         2024-04-30Revision:           03CVE Names:          CVE-2023-25193====================================================================Summary: An update for harfbuzz is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:HarfBuzz is an implementation of the OpenType Layout engine.Security Fix(es):* harfbuzz: allows attackers to trigger O(n^2) growth via consecutive marks (CVE-2023-25193)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-25193References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2167254

Red Hat Security Advisory 2024-2410-03

Red Hat Security Advisory 2024-2396-03 - An update for squashfs-tools is now available for Red Hat Enterprise Linux 9. Issues addressed include a traversal vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2396.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: squashfs-tools security updateAdvisory ID:        RHSA-2024:2396-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2396Issue date:         2024-04-30Revision:           03CVE Names:          CVE-2021-40153====================================================================Summary: An update for squashfs-tools is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:SquashFS is a highly compressed read-only file system for Linux. These packages contain the utilities for manipulating squashfs file systems.Security Fix(es):* squashfs-tools: unvalidated filepaths allow writing outside of destination (CVE-2021-40153)* squashfs-tools: possible Directory Traversal via symbolic link (CVE-2021-41072)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2021-40153References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=1998621https://bugzilla.redhat.com/show_bug.cgi?id=2004957

Red Hat Security Advisory 2024-2396-03

Red Hat Security Advisory 2024-2394-03 - An update for kernel is now available for Red Hat Enterprise Linux 9. Issues addressed include code execution, double free, integer overflow, memory exhaustion, memory leak, null pointer, out of bounds access, out of bounds read, out of bounds write, privilege escalation, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2394.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security, bug fix, and enhancement update  
Advisory ID:        RHSA-2024:2394-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2394  
Issue date:         2024-04-30  
Revision:           03  
CVE Names:          CVE-2020-26555  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: GSM multiplexing race condition leads to privilege escalation (CVE-2023-6546)

* kernel: multiple use-after-free vulnerabilities (CVE-2024-1086, CVE-2023-3567, CVE-2023-4133, CVE-2023-6932, CVE-2023-39198, CVE-2023-51043, CVE-2023-51779, CVE-2023-51780, CVE-2024-1085, CVE-2024-26582)

* kernel: Bluetooth BR/EDR PIN Pairing procedure is vulnerable to an impersonation attack (CVE-2020-26555)

* kernel: memcg does not limit the number of POSIX file locks allowing memory exhaustion (CVE-2022-0480)

* kernel: multiple NULL pointer dereference vulnerabilities (CVE-2022-38096, CVE-2023-6622, CVE-2023-6915, CVE-2023-42754, CVE-2023-46862, CVE-2023-52574, CVE-2024-0841, CVE-2023-52448)

* kernel: integer overflow in l2cap_config_req() in net/bluetooth/l2cap_core.c (CVE-2022-45934)

* kernel: netfilter: nf_tables: out-of-bounds access in nf_tables_newtable() (CVE-2023-6040)

* kernel: GC's deletion of an SKB races with unix_stream_read_generic()  leading to UAF (CVE-2023-6531)

* kernel: Out of boundary write in perf_read_group() as result of overflow a perf_event's read_size (CVE-2023-6931)

* kernel: Bluetooth Forward and Future Secrecy Attacks and Defenses (CVE-2023-24023)

* kernel: irdma: Improper access control (CVE-2023-25775)

* Kernel: double free in hci_conn_cleanup of the bluetooth subsystem (CVE-2023-28464)

* kernel: Bluetooth: HCI: global out-of-bounds access in net/bluetooth/hci_sync.c (CVE-2023-28866)

* kernel: race condition between HCIUARTSETPROTO and HCIUARTGETPROTO in hci_uart_tty_ioctl (CVE-2023-31083)

* kernel: multiple out-of-bounds read vulnerabilities (CVE-2023-37453, CVE-2023-39189, CVE-2023-39193, CVE-2023-6121, CVE-2023-39194)

* kernel: netfilter: race condition between IPSET_CMD_ADD and IPSET_CMD_SWAP (CVE-2023-42756)

* kernel: lib/kobject.c vulnerable to fill_kobj_path out-of-bounds write (CVE-2023-45863)

* kernel: smb: client: fix potential OOBs in smb2_parse_contexts() (CVE-2023-52434)

* kernel: mm/sparsemem: fix race in accessing memory_section->usage (CVE-2023-52489)

* kernel: net: fix possible store tearing in neigh_periodic_work() (CVE-2023-52522)

* kernel: multiple memory leak vulnerabilities (CVE-2023-52529, CVE-2023-52581)

* kernel: net: bridge: data races indata-races in br_handle_frame_finish() (CVE-2023-52578)

* kernel: net/core: kernel crash in ETH_P_1588 flow dissector (CVE-2023-52580)

* kernel: net/sched: act_ct: fix skb leak and crash on ooo frags (CVE-2023-52610)

* kernel: CIFS Filesystem Decryption Improper Input Validation Remote Code Execution Vulnerability in function receive_encrypted_standard of client (CVE-2024-0565)

* kernel: tls: race between async notify and socket close (CVE-2024-26583)

* kernel: tls: handle backlogging of crypto requests (CVE-2024-26584)

* kernel: tls: race between tx work scheduling and socket close (CVE-2024-26585)

* kernel: mlxsw: spectrum_acl_tcam: Fix stack corruption (CVE-2024-26586)

* kernel: i2c: i801: Fix block process call transactions (CVE-2024-26593)

* kernel: sched/membarrier: reduce the ability to hammer on sys_membarrier (CVE-2024-26602)

* kernel: netfilter: nf_tables: reject QUEUE/DROP verdict parameters (CVE-2024-26609)

* kernel: local dos vulnerability in scatterwalk_copychunks (CVE-2023-6176)

* kernel: perf/x86/lbr: Filter vsyscall addresses (CVE-2023-52476)

* kernel: netfilter: nf_tables: disallow timeout for anonymous sets (CVE-2023-52620)

* kernel: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() (CVE-2024-26633)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-26555

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/index  
https://bugzilla.redhat.com/show_bug.cgi?id=1918601  
https://bugzilla.redhat.com/show_bug.cgi?id=2049700  
https://bugzilla.redhat.com/show_bug.cgi?id=2133452  
https://bugzilla.redhat.com/show_bug.cgi?id=2151959  
https://bugzilla.redhat.com/show_bug.cgi?id=2177759  
https://bugzilla.redhat.com/show_bug.cgi?id=2185519  
https://bugzilla.redhat.com/show_bug.cgi?id=2188102  
https://bugzilla.redhat.com/show_bug.cgi?id=2210024  
https://bugzilla.redhat.com/show_bug.cgi?id=2213132  
https://bugzilla.redhat.com/show_bug.cgi?id=2218332  
https://bugzilla.redhat.com/show_bug.cgi?id=2219359  
https://bugzilla.redhat.com/show_bug.cgi?id=2221039  
https://bugzilla.redhat.com/show_bug.cgi?id=2221463  
https://bugzilla.redhat.com/show_bug.cgi?id=2221702  
https://bugzilla.redhat.com/show_bug.cgi?id=2226777  
https://bugzilla.redhat.com/show_bug.cgi?id=2226787  
https://bugzilla.redhat.com/show_bug.cgi?id=2226788  
https://bugzilla.redhat.com/show_bug.cgi?id=2231410  
https://bugzilla.redhat.com/show_bug.cgi?id=2239845  
https://bugzilla.redhat.com/show_bug.cgi?id=2239848  
https://bugzilla.redhat.com/show_bug.cgi?id=2244720  
https://bugzilla.redhat.com/show_bug.cgi?id=2246980  
https://bugzilla.redhat.com/show_bug.cgi?id=2250043  
https://bugzilla.redhat.com/show_bug.cgi?id=2252731  
https://bugzilla.redhat.com/show_bug.cgi?id=2253034  
https://bugzilla.redhat.com/show_bug.cgi?id=2253632  
https://bugzilla.redhat.com/show_bug.cgi?id=2254961  
https://bugzilla.redhat.com/show_bug.cgi?id=2254982  
https://bugzilla.redhat.com/show_bug.cgi?id=2255283  
https://bugzilla.redhat.com/show_bug.cgi?id=2255498  
https://bugzilla.redhat.com/show_bug.cgi?id=2256490  
https://bugzilla.redhat.com/show_bug.cgi?id=2256822  
https://bugzilla.redhat.com/show_bug.cgi?id=2257682  
https://bugzilla.redhat.com/show_bug.cgi?id=2258013  
https://bugzilla.redhat.com/show_bug.cgi?id=2258518  
https://bugzilla.redhat.com/show_bug.cgi?id=2260005  
https://bugzilla.redhat.com/show_bug.cgi?id=2262126  
https://bugzilla.redhat.com/show_bug.cgi?id=2262127  
https://bugzilla.redhat.com/show_bug.cgi?id=2265285  
https://bugzilla.redhat.com/show_bug.cgi?id=2265517  
https://bugzilla.redhat.com/show_bug.cgi?id=2265518  
https://bugzilla.redhat.com/show_bug.cgi?id=2265519  
https://bugzilla.redhat.com/show_bug.cgi?id=2265520  
https://bugzilla.redhat.com/show_bug.cgi?id=2265645  
https://bugzilla.redhat.com/show_bug.cgi?id=2265646  
https://bugzilla.redhat.com/show_bug.cgi?id=2265653  
https://bugzilla.redhat.com/show_bug.cgi?id=2267041  
https://bugzilla.redhat.com/show_bug.cgi?id=2267695  
https://bugzilla.redhat.com/show_bug.cgi?id=2267750  
https://bugzilla.redhat.com/show_bug.cgi?id=2267758  
https://bugzilla.redhat.com/show_bug.cgi?id=2267760  
https://bugzilla.redhat.com/show_bug.cgi?id=2267761  
https://bugzilla.redhat.com/show_bug.cgi?id=2267788  
https://bugzilla.redhat.com/show_bug.cgi?id=2267795  
https://bugzilla.redhat.com/show_bug.cgi?id=2269189  
https://bugzilla.redhat.com/show_bug.cgi?id=2269217  
https://bugzilla.redhat.com/show_bug.cgi?id=2270080  
https://bugzilla.redhat.com/show_bug.cgi?id=2270118  
https://bugzilla.redhat.com/show_bug.cgi?id=2270883  
https://issues.redhat.com/browse/RHEL-15897  
https://issues.redhat.com/browse/RHEL-15937  
https://issues.redhat.com/browse/RHEL-16024  
https://issues.redhat.com/browse/RHEL-17986  
https://issues.redhat.com/browse/RHEL-19081  
https://issues.redhat.com/browse/RHEL-2376  
https://issues.redhat.com/browse/RHEL-2421  
https://issues.redhat.com/browse/RHEL-2466  
https://issues.redhat.com/browse/RHEL-2907  
https://issues.redhat.com/browse/RHEL-3923  
https://issues.redhat.com/browse/RHEL-5226  
https://issues.redhat.com/browse/RHEL-5228  
https://issues.redhat.com/browse/RHEL-6012  
https://issues.redhat.com/browse/RHEL-7936  
https://issues.redhat.com/browse/RHEL-9127

Red Hat Security Advisory 2024-2394-03

Red Hat Security Advisory 2024-2387-03 - An update for mod_jk and mod_proxy_cluster is now available for Red Hat Enterprise Linux 9. Issues addressed include cross site scripting and information leakage vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2387.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: mod_jk and mod_proxy_cluster security update  
Advisory ID:        RHSA-2024:2387-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2387  
Issue date:         2024-04-30  
Revision:           03  
CVE Names:          CVE-2023-6710  
====================================================================

Summary: 

An update for mod_jk and mod_proxy_cluster is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The mod_jk module is a plugin for the Apache HTTP Server to connect it with the Apache Tomcat servlet engine.

The mod_proxy_cluster module is a plugin for the Apache HTTP Server that provides load-balancer functionality.

Security Fix(es):

* httpd: Apache Tomcat Connectors (mod_jk) Information Disclosure (CVE-2023-41081)

* mod_cluster/mod_proxy_cluster: Stored Cross site Scripting (CVE-2023-6710)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-6710

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/index  
https://bugzilla.redhat.com/show_bug.cgi?id=2238847  
https://bugzilla.redhat.com/show_bug.cgi?id=2254128  
https://issues.redhat.com/browse/RHEL-27497  
https://issues.redhat.com/browse/RHEL-27511

Red Hat Security Advisory 2024-2387-03

Red Hat Security Advisory 2024-2377-03 - An update for zziplib is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2377.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: zziplib security updateAdvisory ID:        RHSA-2024:2377-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2377Issue date:         2024-04-30Revision:           03CVE Names:          CVE-2020-18770====================================================================Summary: An update for zziplib is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The zziplib is a lightweight library to easily extract data from zip files.Security Fix(es):* zziplib: invalid memory access at zzip_disk_entry_to_file_header in mmapped.c (CVE-2020-18770)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2020-18770References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2246907

Red Hat Security Advisory 2024-2377-03

## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-2m57-hf25-phgg. This link is maintained to preserve external references.

## Original Description
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-62qf-jcq8-8gxw

**Duplicate Advisory: sqlparse parsing heavily nested list leads to Denial of Service**

High severity GitHub Reviewed Published Apr 30, 2024 to the GitHub Advisory Database • Updated May 1, 2024

Withdrawn This advisory was withdrawn on May 1, 2024

**Package**

pip sqlparse (pip)

**Affected versions**

< 0.5.0

**Description**

Published by the National Vulnerability Database

Apr 30, 2024

Published to the GitHub Advisory Database

Apr 30, 2024

GHSA-62qf-jcq8-8gxw: Duplicate Advisory: sqlparse parsing heavily nested list leads to Denial of Service

Themed "The Art of Possible," this year's conference celebrates new challenges and opportunities in the age of AI.

Liat Hayun, Co-Founder & CEO, Eureka Security

April 30, 2024

3 Min Read

Source: Aleksandr Matveev via Alamy Stock Photo

COMMENTARY

This year's RSA Conference theme, "The Art of Possible," celebrates the challenges brought about by new frontiers, broken boundaries, and promising horizons. While the shift to the cloud initially caused concern and hesitation, as data began moving through it, across environments and with very little oversight, data security professionals knew this profound shift in the modern business model would bring about not only challenges but also opportunities. As we enter the age of AI, the security community must embrace the possibilities of improved data security mechanisms, alongside — without obstructing — improved business processes. Looking ahead to this year's RSA Conference, here are six leading data security sessions we're excited to attend — and that will help us uncover AI's risks and opportunities.

**My Top Six Picks****Operational Data Governance-by-Design Techniques for a Data Practitioner**

Monday, May 6

Why you should attend: This session, led by Cisco Systems, seems like a unique opportunity to discover practical tools for implementing data governance across your organization while presenting various use cases, with attention given to all aspects of data use and management. Assess your level of data governance by engaging with other data practitioners in the audience in this live discussion.

**Bridging Theory and Practice of Privacy and Data Protection**

Monday, May 6

Why you should attend: The more data floods the industry, the more practical tools security practitioners need to ensure that privacy and data protection concerns are addressed across their organizational environments. This session will include practical examples of integrating data security and privacy guardrails and measures in real business environments, sourced from the audience.

**ChatGPT Unleashed: Solving Data Breach Puzzles With Precision**

Monday, May 6

Why you should attend: A data security challenge leveraging AI? Sign us up! This unique session challenges participants to use ChatGPT prompts to mitigate a looming data breach, with hidden malware waiting to be found and fixed. Beyond a fun experience, this session will expand the knowledge of what may be possible with the next generation of AI technology and lead us through an innovative learning experience.

**Controlling a Data Footprint — How to Build a Data Disposition Framework**

Monday, May 6

Why you should attend: Data is a goldmine for organizations, and they're constantly innovating in how they gather and leverage it to achieve business goals. This session will equip you with a step-by-step approach to building a data lifecycle management framework. This framework will empower companies to decide how long to hold onto data, and outline methods for safeguarding, transforming, or eliminating data to comply with regulations.

**Establishing a Data Perimeter on AWS**

Wednesday, May 8

Why you should attend: While it may seem like there are no boundaries in the cloud era to where data can reside, be stored, and be used, data security guardrails and mechanisms exist for this purpose exactly — to let data roam free for business use, while ensuring that security controls are set in place and visibility is maintained across all environments, at all times. This session will present some of the controls used by AWS to protect data from unauthorized access.

**Data Heist: How Stolen Information Becomes a Hot Commodity**

Thursday, May 9

Why you should attend: We're so busy preventing breaches that we don't often take the time to consider what malicious actors do with the data they steal after the crime. This session dives deeper, exploring the clandestine marketplaces where stolen information is peddled. You'll be exposed to the inner workings of these criminal data shops, with comprehensive risk assessments comparing the vulnerabilities of various data types and how to best protect them.

**Final Thoughts**

While data security has been a top-of-mind business and security concern for the past decade, the ever-evolving landscape of data innovation constantly introduces new and emerging threats for security practitioners. To stay ahead of the curve, cybersecurity professionals must remain vigilant and adapt their strategies accordingly. The upcoming RSA Conference provides a phenomenal platform to achieve just that, with a wide range of sessions on the latest data security trends and solutions. Hope to see you there!

**About the Author(s)**

Co-Founder & CEO, Eureka Security

Liat Hayun is the Co-founder and CEO of Eureka Security, a Cloud Data Security Posture Management platform that enables security teams to successfully navigate the ongoing and often chaotic expansion and growth of cloud data. Prior to co-founding Eureka Security, Liat spent a decade leading cybersecurity efforts in the Israeli Cyber Command and Palo Alto Networks. Her IDF service merited the prestigious Israel Defense Prize. As VP of Product Management at PANW, Liat led the production of Cortex XDR and PANW’s Managed Threat Hunting service. These roles have enabled Liat to pursue her greatest interests and concerns in the cybersecurity threat landscape, as well work with wonderfully talented people on their solutions. Passionate about working closely with others, she is driven to identify meaningful operational security gaps and develop exciting new technologies and strategies to help fellow security leaders tackle them.

Latest News