lenovo warranty check/lookup | check warranty status | lenovo support us

### Summary Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. ### Fix We have back-ported the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. ### Workaround We are aware that this changes the behaviour of an established funct...

This issue was reported to TShock by @ohayo, but was found by the Discord user by the name of `sofurry.com`. Please note that this user **does not own this domain on the internet, just the discord handle**. TShock overrides certain Terraria vanilla systems, including chat, and the connection handling, for its own purposes, like enforcing bans. When clients connect but do not complete the connection handshake (e.g., send message number 6), they can "exist" on the server, occupy a player slot, chat, and receive data from the server despite not being fully connected. Individuals who exploit this will be able to effectively harass the server, observe the server, and utilize server resources even if banned from the server. For servers that operate with a proxy that strictly enforces the connection handshake/sequence, this is not an issue, but for smaller servers or servers running vanilla TShock this is an issue worth patching for. PR body supplied by @ohayo (patch writer): Terraria's s...

### Summary A malicious JSON-stringifyable message can be made passing on `verify()`, when global Buffer is [`buffer` package](https://www.npmjs.com/package/buffer) ### Details This affects only environments where `require('buffer')` is <https://npmjs.com/buffer> E.g.: browser bundles, React Native apps, etc. `Buffer.isBuffer` check can be bypassed, resulting in strange objects being accepted as `message`, and those messages could trick `verify()` into returning false-positive `true` values v2.x is unaffected as it verifies input to be an actual `Uint8Array` instance Such a message can be constructed for any already known message/signature pair There are some restrictions though (also depending on the known message/signature), but not very limiting, see PoC for example https://github.com/bitcoinjs/tiny-secp256k1/pull/140 is a subtle fix for this ### PoC This code deliberately doesn't provide `reencode` for now, could be updated later ```js import { randomBytes } from 'crypto'...

An unauthenticated remote user could exploit a potential integer overflow condition in the exacqVision Server with a specially crafted script and cause denial-of-service condition.

Article template contents with sensitive data could be accessed from agents without permissions.

A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2018-14040: In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. * CVE-2018-14042: In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. * CVE-2019-11358: A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modi...

["Bootloader contains a vulnerability in the NV3P server where any user with physical access through USB can trigger an incorrect bounds check, which may lead to buffer overflow, resulting in limited information disclosure, limited data integrity, and information disclosure across all components."]

["In ged, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05687510; Issue ID: ALPS05687510."]

["In memory management driver, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05403499; Issue ID: ALPS05336692."]

["Bootloader contains a vulnerability in the NV3P server where any user with physical access through USB can trigger an incorrect bounds check, which may lead to buffer overflow, resulting in limited information disclosure, limited data integrity, and information disclosure across all components."]