ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify). `ecdsa_verify_[prepare_]legacy()` does not check whether the signature values `r` and `s` are non-zero. A signature consisting only of zeroes is always considered valid, making it trivial to forge signatures. Requiring multiple signatures from different public keys does not mitigate the issue: `ecdsa_verify_list_legacy()` will accept an arbitrary number of such forged signatures. Both the `ecdsautil verify` CLI command and the libecdsautil library are affected. The issue has been fixed in ecdsautils 0.4.1. All older versions of ecdsautils (including versions before the split into a library and a CLI utility) are vulnerable.
A stored cross-site scripting (XSS) vulnerability in the admin interface in Element-IT HTTP Commander 7.0.0 allows unauthenticated users to get admin access by injecting a malicious script in the User-Agent field.
Red Hat Security Advisory 2024-1153-03 - An update for squid is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.
A vulnerability in the bailiwick checking function in Technitium DNS Server <= v7.0 exists that allows specific malicious users to inject `NS` records of any domain (even TLDs) into the cache and conduct a DNS cache poisoning attack.
### Impact

Panic vulnerability when a specially crafted payload is used. This is because of the following calculation:

```rust
inner_payload_len + (4 - inner_payload_len % 4) % 4
```

If `inner_payload_len` is `0xffffffff`, `(4 - inner_payload_len % 4) % 4 = 1`, so

```rust
inner_payload_len + (4 - inner_payload_len % 4) % 4 = u32::MAX + 1
```

which overflows.

### Patches

Check that `inner_payload_len` is not above 64, which should never be the case. Patched in version 0.0.8.

### Workarounds

Sanitize the input payload before it is passed to the vulnerable function so that the bytes in `payload[32..32+4]`, parsed as a `u32`, are not above 64.

### References

GitHub issue #58
### Impact

Users who have opted into static evaluation of module sources, versions, and backend configurations may be at risk of exposing sensitive variables and locals. This workflow should not be possible and should produce explicit errors.

### Workarounds

Check that you are not using sensitive variables in module sources and versions, as well as backend configurations. The patch will add explicit errors and prevent this from being possible.

### Examples

```hcl
variable "backend_path" {
  type      = string
  sensitive = true
}

terraform {
  backend "local" {
    path = var.backend_path
  }
}
```

```hcl
variable "mod_info" {
  type      = string
  sensitive = true
}

module "foo" {
  source = var.mod_info
  //version = var.mod_info
}
```
A security issue was discovered in secrets-store-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when [TokenRequests is configured in the CSIDriver object](https://kubernetes-csi.github.io/docs/token-requests.html) and the driver is set to run at log level 2 or greater via the -v flag.

This issue has been rated MEDIUM [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) (6.5), and assigned CVE-2023-2878

### Am I vulnerable?

You may be vulnerable if [TokenRequests is configured in the CSIDriver object](https://kubernetes-csi.github.io/docs/token-requests.html) and the driver is set to run at log level 2 or greater via the -v flag. To check if token requests are configured, run the following command: ...
### Impact

Code that uses KaTeX's `trust` option, specifically that provides a function to block-list certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate `javascript:` links in the output, even if the `trust` function tries to forbid this protocol via `trust: (context) => context.protocol !== 'javascript'`.

### Patches

Upgrade to KaTeX v0.16.10 to remove this vulnerability.

### Workarounds

* Allow-list instead of block protocols in your `trust` function.
* Manually lowercase `context.protocol` via `context.protocol.toLowerCase()` before attempting to check for certain protocols.
* Avoid use of or turn off the `trust` option.

### Details

KaTeX did not normalize the `protocol` entry of the `context` object provided to a user-specified `trust`-function, so it could be a mix of lowercase and/or uppercase letters. It is generally better to allow-list by protocol, i...
# CWA-2025-006: Improper error handling may lead to IBC channel opening despite error

**Severity**

High (Considerable + Likely)[^1]

**Affected versions:**

- wasmd 0.60.0
- wasmd >= 0.51.0 < 0.55.1

**Patched versions:**

- wasmd 0.60.1, 0.55.1, 0.54.1, 0.53.3

## Description of the bug

A contract erroring during IBC channel opening does not prevent the channel from opening.

## Applying the patch

The patch will be shipped in a wasmd release. You will also have to update `libwasmvm` if you build statically. If you already use the latest / close to latest wasmd, you can update more or less as follows:

1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd`
2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.60.1 (Cosmos SDK 0.53 compatible), 0.55.1 (Cosmos SDK 0.50 compatible), 0.54.1 or 0.53.3; `go mod tidy`; commit.
3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same vers...
Observable behavioral in power management throttling for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via network access.