lenovo warranty check/lookup | check warranty status | lenovo support us

Subrion 4.2.1 has a remote command execution vulnerability in the backend.

An Address bar spoofing vulnerability was discovered in Safe Browser for Android. When user clicks on a specially crafted malicious webpage/URL, user may be tricked for a short period of time (until the page loads) to think content may be coming from a valid domain, while the content comes from the attacker controlled site.

In MP4v2 2.0.0, there is an integer overflow (with resultant memory corruption) when resizing MP4Array for the ftyp atom in mp4array.h.

Researchers have found an online repository leaking sensitive data, including driving licenses and other identity documents.

A DLL hijacking vulnerability in Samsung portable SSD T5 PC software before 1.6.9 could allow a local attacker to escalate privileges. (An attacker must already have user privileges on Windows 7, 10, or 11 to exploit this vulnerability.)

ABB Cylon Aspect version 3.08.01 is vulnerable to unauthorized information disclosure in the jsonProxy.php endpoint. An unauthenticated attacker can retrieve sensitive system information, including system time, uptime, memory usage, and network load statistics. The jsonProxy.php endpoint proxies these requests to internal services without requiring authentication, allowing attackers to obtain detailed system status data, which could aid in further attacks by revealing operational characteristics and resource utilization.

### Impact `npm pack` ignores root-level `.gitignore` & `.npmignore` file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of [v7.9.0](https://github.com/npm/cli/releases/tag/v7.9.0) & [v7.13.0](https://github.com/npm/cli/releases/tag/v7.13.0) respectively, may be affected and have published files into the npm registry they did not intend to include. ### Patch - Upgrade to the latest, patched version of `npm` ([`v8.11.0`](https://github.com/npm/cli/releases/tag/v8.11.0)), run: `npm i -g npm@latest` - Node.js versions [`v16.15.1`](https://github.com/nodejs/node/releases/tag/v16.15.1), [`v17.19.1`](https://github.com/nodejs/node/releases/tag/v17.9.1) & [`v18.3.0`](https://github.com/nodejs/node/releases/tag/v18.3.0) include the patched `v8.11.0` version of `npm` #### Steps to take to see if you're impacted 1. Run `npm publish --dry-run` or `npm pack` wi...

### Summary If a user has restricted access to a project that is configured with `restricted=true`, they can gain root access on the system by creating a disk device with `shift=true` and creating a setuid root executable. This is possible because the `shift` property is not restricted unless `restricted.devices.disk.paths` is set. ### Details The following patch shows the offending code with a possible fix: ```patch --- a/lxd/device/disk.go +++ b/lxd/device/disk.go @@ -429,17 +429,19 @@ func (d *disk) validateEnvironmentSourcePath() error { if instProject.Name != api.ProjectDefaultName { // If restricted disk paths are in force, then check the disk's source is allowed, and record the // allowed parent path for later user during device start up sequence. - if shared.IsTrue(instProject.Config["restricted"]) && instProject.Config["restricted.devices.disk.paths"] != "" { - allowed, restrictedParentSourcePath :=...

Graylog is a free and open log management platform. Graylog makes use of only one single source port for DNS queries. Graylog binds a single socket for outgoing DNS queries and while that socket is bound to a random port number it is never changed again. This goes against recommended practice since 2008, when Dan Kaminsky discovered how easy is to carry out DNS cache poisoning attacks. In order to prevent cache poisoning with spoofed DNS responses, it is necessary to maximise the uncertainty in the choice of a source port for a DNS query. Although unlikely in many setups, an external attacker could inject forged DNS responses into a Graylog's lookup table cache. In order to prevent this, it is at least recommendable to distribute the DNS queries through a pool of distinct sockets, each of them with a random source port and renew them periodically. This issue has been addressed in versions 5.0.9 and 5.1.3. Users are advised to upgrade. There are no known workarounds for this issue.

Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did not properly handle inactive elements in its PIPAPO data structure, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. It was discovered that the IGMP protocol implementation in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Various other issues were also addressed.