Ubuntu Security Notice 6706-1 - It was discovered that the Microchip USB Ethernet driver in the Linux kernel contained a race condition during device removal, leading to a use- after-free vulnerability. A physically proximate attacker could use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6706-1March 20, 2024linux-oem-6.1 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:The system could be made to crash under certain conditions.Software Description:- linux-oem-6.1: Linux kernel for OEM systemsDetails:It was discovered that the Microchip USB Ethernet driver in the Linuxkernel contained a race condition during device removal, leading to a use-after-free vulnerability. A physically proximate attacker could use this tocause a denial of service (system crash).Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-6.1.0-1036-oem      6.1.0-1036.36   linux-image-oem-22.04a          6.1.0.1036.37   linux-image-oem-22.04b          6.1.0.1036.37   linux-image-oem-22.04c          6.1.0.1036.37After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6706-1   CVE-2023-6039Package Information:   https://launchpad.net/ubuntu/+source/linux-oem-6.1/6.1.0-1036.36

Ubuntu Security Notice USN-6706-1

Ubuntu Security Notice 6701-2 - Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did not properly perform permissions checks when handling HCI sockets. A physically proximate attacker could use this to cause a denial of service. It was discovered that the NVIDIA Tegra XUSB pad controller driver in the Linux kernel did not properly handle return values in certain error conditions. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6701-2  
March 20, 2024

linux-gcp, linux-gcp-4.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems

Details:

Ruihan Li discovered that the bluetooth subsystem in the Linux kernel did  
not properly perform permissions checks when handling HCI sockets. A  
physically proximate attacker could use this to cause a denial of service  
(bluetooth communication). (CVE-2023-2002)

It was discovered that the NVIDIA Tegra XUSB pad controller driver in the  
Linux kernel did not properly handle return values in certain error  
conditions. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2023-23000)

It was discovered that Spectre-BHB mitigations were missing for Ampere  
processors. A local attacker could potentially use this to expose sensitive  
information. (CVE-2023-3006)

It was discovered that the ext4 file system implementation in the Linux  
kernel did not properly handle block device modification while it is  
mounted. A privileged attacker could use this to cause a denial of service  
(system crash) or possibly expose sensitive information. (CVE-2023-34256)

Eric Dumazet discovered that the netfilter subsystem in the Linux kernel  
did not properly handle DCCP conntrack buffers in certain situations,  
leading to an out-of-bounds read vulnerability. An attacker could possibly  
use this to expose sensitive information (kernel memory). (CVE-2023-39197)

It was discovered that the Siano USB MDTV receiver device driver in the  
Linux kernel did not properly handle device initialization failures in  
certain situations, leading to a use-after-free vulnerability. A physically  
proximate attacker could use this cause a denial of service (system crash).  
(CVE-2023-4132)

Pratyush Yadav discovered that the Xen network backend implementation in  
the Linux kernel did not properly handle zero length data request, leading  
to a null pointer dereference vulnerability. An attacker in a guest VM  
could possibly use this to cause a denial of service (host domain crash).  
(CVE-2023-46838)

It was discovered that a race condition existed in the AppleTalk networking  
subsystem of the Linux kernel, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2023-51781)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem of the Linux kernel  
did not properly handle connect command payloads in certain situations,  
leading to an out-of-bounds read vulnerability. A remote attacker could use  
this to expose sensitive information (kernel memory). (CVE-2023-6121)

It was discovered that the ext4 file system implementation in the Linux  
kernel did not properly handle the remount operation in certain cases,  
leading to a use-after-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2024-0775)

Notselwyn discovered that the netfilter subsystem in the Linux kernel did  
not properly handle verdict parameters in certain cases, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2024-1086)

It was discovered that a race condition existed in the SCSI Emulex  
LightPulse Fibre Channel driver in the Linux kernel when unregistering FCF  
and re-scanning an HBA FCF table, leading to a null pointer dereference  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2024-24855)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   linux-image-4.15.0-1160-gcp     4.15.0-1160.177  
   linux-image-gcp-lts-18.04       4.15.0.1160.173

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   linux-image-4.15.0-1160-gcp     4.15.0-1160.177~16.04.1  
   linux-image-gcp                 4.15.0.1160.150  
   linux-image-gke                 4.15.0.1160.150

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6701-2  
   https://ubuntu.com/security/notices/USN-6701-1  
   CVE-2023-2002, CVE-2023-23000, CVE-2023-3006, CVE-2023-34256,  
   CVE-2023-39197, CVE-2023-4132, CVE-2023-46838, CVE-2023-51781,  
   CVE-2023-6121, CVE-2024-0775, CVE-2024-1086, CVE-2024-24855

Ubuntu Security Notice USN-6701-2

Ubuntu Security Notice 6705-1 - It was discovered that the DesignWare USB3 for Qualcomm SoCs driver in the Linux kernel did not properly handle certain error conditions during device registration. A local attacker could possibly use this to cause a denial of service. It was discovered that the NVIDIA Tegra XUSB pad controller driver in the Linux kernel did not properly handle return values in certain error conditions. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6705-1  
March 20, 2024

linux-aws, linux-aws-5.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems  
- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems

Details:

It was discovered that the DesignWare USB3 for Qualcomm SoCs driver in the  
Linux kernel did not properly handle certain error conditions during device  
registration. A local attacker could possibly use this to cause a denial of  
service (system crash). (CVE-2023-22995)

It was discovered that the NVIDIA Tegra XUSB pad controller driver in the  
Linux kernel did not properly handle return values in certain error  
conditions. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2023-23000)

Quentin Minster discovered that the KSMBD implementation in the Linux  
kernel did not properly handle session setup requests. A remote attacker  
could possibly use this to cause a denial of service (memory exhaustion).  
(CVE-2023-32247)

It was discovered that a race condition existed in the Cypress touchscreen  
driver in the Linux kernel during device removal, leading to a use-after-  
free vulnerability. A physically proximate attacker could use this to cause  
a denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-4134)

黄思聪 discovered that the NFC Controller Interface (NCI) implementation in  
the Linux kernel did not properly handle certain memory allocation failure  
conditions, leading to a null pointer dereference vulnerability. A local  
attacker could use this to cause a denial of service (system crash).  
(CVE-2023-46343)

It was discovered that the io_uring subsystem in the Linux kernel contained  
a race condition, leading to a null pointer dereference vulnerability. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-46862)

It was discovered that a race condition existed in the Bluetooth subsystem  
of the Linux kernel, leading to a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-51779)

It was discovered that a race condition existed in the Rose X.25 protocol  
implementation in the Linux kernel, leading to a use-after- free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-51782)

Alon Zahavi discovered that the NVMe-oF/TCP subsystem of the Linux kernel  
did not properly handle connect command payloads in certain situations,  
leading to an out-of-bounds read vulnerability. A remote attacker could use  
this to expose sensitive information (kernel memory). (CVE-2023-6121)

It was discovered that the VirtIO subsystem in the Linux kernel did not  
properly initialize memory in some situations. A local attacker could use  
this to possibly expose sensitive information (kernel memory).  
(CVE-2024-0340)

Dan Carpenter discovered that the netfilter subsystem in the Linux kernel  
did not store data in properly sized memory locations. A local user could  
use this to cause a denial of service (system crash). (CVE-2024-0607)

Lonial Con discovered that the netfilter subsystem in the Linux kernel did  
not properly handle element deactivation in certain cases, leading to a  
use-after-free vulnerability. A local attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2024-1085)

Notselwyn discovered that the netfilter subsystem in the Linux kernel did  
not properly handle verdict parameters in certain cases, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2024-1086)

It was discovered that a race condition existed in the SCSI Emulex  
LightPulse Fibre Channel driver in the Linux kernel when unregistering FCF  
and re-scanning an HBA FCF table, leading to a null pointer dereference  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2024-24855)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1056-aws     5.15.0-1056.61  
   linux-image-aws-lts-22.04       5.15.0.1056.55

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1056-aws     5.15.0-1056.61~20.04.1  
   linux-image-aws                 5.15.0.1056.61~20.04.43

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6705-1  
   CVE-2023-22995, CVE-2023-23000, CVE-2023-32247, CVE-2023-4134,  
   CVE-2023-46343, CVE-2023-46862, CVE-2023-51779, CVE-2023-51782,  
   CVE-2023-6121, CVE-2024-0340, CVE-2024-0607, CVE-2024-1085,  
   CVE-2024-1086, CVE-2024-24855

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1056.61  
   https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1056.61~20.04.1

Ubuntu Security Notice USN-6705-1

Red Hat Security Advisory 2024-1462-03 - An update for golang is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory leak vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1462.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: golang security updateAdvisory ID:        RHSA-2024:1462-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1462Issue date:         2024-03-21Revision:           03CVE Names:          CVE-2024-1394====================================================================Summary: An update for golang is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The golang packages provide the Go programming language compiler.Security Fix(es): * golang: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1394References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-1462-03

Red Hat Security Advisory 2024-1444-03 - An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1444.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: nodejs:16 security updateAdvisory ID:        RHSA-2024:1444-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1444Issue date:         2024-03-21Revision:           03CVE Names:          CVE-2023-44487====================================================================Summary: An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es):* nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (CVE-2024-22019)* nodejs: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003https://bugzilla.redhat.com/show_bug.cgi?id=2242803https://bugzilla.redhat.com/show_bug.cgi?id=2264574

Red Hat Security Advisory 2024-1444-03

Ubuntu Security Notice 6704-1 - It was discovered that the NVIDIA Tegra XUSB pad controller driver in the Linux kernel did not properly handle return values in certain error conditions. A local attacker could use this to cause a denial of service. Quentin Minster discovered that the KSMBD implementation in the Linux kernel did not properly handle session setup requests. A remote attacker could possibly use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6704-1March 20, 2024linux, linux-azure, linux-azure-5.15, linux-azure-fde,linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop,linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm,linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-nvidia: Linux kernel for NVIDIA systems- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems- linux-azure-fde-5.15: Linux kernel for Microsoft Azure CVM cloud systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-ibm-5.15: Linux kernel for IBM cloud systems- linux-lowlatency-hwe-5.15: Linux low latency kernelDetails:It was discovered that the NVIDIA Tegra XUSB pad controller driver in theLinux kernel did not properly handle return values in certain errorconditions. A local attacker could use this to cause a denial of service(system crash). (CVE-2023-23000)Quentin Minster discovered that the KSMBD implementation in the Linuxkernel did not properly handle session setup requests. A remote attackercould possibly use this to cause a denial of service (memory exhaustion).(CVE-2023-32247)Lonial Con discovered that the netfilter subsystem in the Linux kernel didnot properly handle element deactivation in certain cases, leading to ause-after-free vulnerability. A local attacker could use this to cause adenial of service (system crash) or possibly execute arbitrary code.(CVE-2024-1085)Notselwyn discovered that the netfilter subsystem in the Linux kernel didnot properly handle verdict parameters in certain cases, leading to a use-after-free vulnerability. A local attacker could use this to cause a denialof service (system crash) or possibly execute arbitrary code.(CVE-2024-1086)It was discovered that a race condition existed in the SCSI EmulexLightPulse Fibre Channel driver in the Linux kernel when unregistering FCFand re-scanning an HBA FCF table, leading to a null pointer dereferencevulnerability. A local attacker could use this to cause a denial of service(system crash). (CVE-2024-24855)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.15.0-101-generic  5.15.0-101.111   linux-image-5.15.0-101-generic-64k  5.15.0-101.111   linux-image-5.15.0-101-generic-lpae  5.15.0-101.111   linux-image-5.15.0-101-lowlatency  5.15.0-101.111   linux-image-5.15.0-101-lowlatency-64k  5.15.0-101.111   linux-image-5.15.0-1039-gkeop   5.15.0-1039.45   linux-image-5.15.0-1047-nvidia  5.15.0-1047.47   linux-image-5.15.0-1047-nvidia-lowlatency  5.15.0-1047.47   linux-image-5.15.0-1049-ibm     5.15.0-1049.52   linux-image-5.15.0-1053-gke     5.15.0-1053.58   linux-image-5.15.0-1053-kvm     5.15.0-1053.58   linux-image-5.15.0-1054-gcp     5.15.0-1054.62   linux-image-5.15.0-1059-azure   5.15.0-1059.67   linux-image-5.15.0-1059-azure-fde  5.15.0-1059.67.1   linux-image-azure-fde-lts-22.04  5.15.0.1059.67.37   linux-image-azure-lts-22.04     5.15.0.1059.55   linux-image-gcp-lts-22.04       5.15.0.1054.50   linux-image-generic             5.15.0.101.98   linux-image-generic-64k         5.15.0.101.98   linux-image-generic-lpae        5.15.0.101.98   linux-image-gke                 5.15.0.1053.52   linux-image-gke-5.15            5.15.0.1053.52   linux-image-gkeop               5.15.0.1039.38   linux-image-gkeop-5.15          5.15.0.1039.38   linux-image-ibm                 5.15.0.1049.45   linux-image-kvm                 5.15.0.1053.49   linux-image-lowlatency          5.15.0.101.97   linux-image-lowlatency-64k      5.15.0.101.97   linux-image-nvidia              5.15.0.1047.47   linux-image-nvidia-lowlatency   5.15.0.1047.47   linux-image-virtual             5.15.0.101.98Ubuntu 20.04 LTS:   linux-image-5.15.0-101-generic  5.15.0-101.111~20.04.1   linux-image-5.15.0-101-generic-64k  5.15.0-101.111~20.04.1   linux-image-5.15.0-101-generic-lpae  5.15.0-101.111~20.04.1   linux-image-5.15.0-101-lowlatency  5.15.0-101.111~20.04.1   linux-image-5.15.0-101-lowlatency-64k  5.15.0-101.111~20.04.1   linux-image-5.15.0-1039-gkeop   5.15.0-1039.45~20.04.1   linux-image-5.15.0-1049-ibm     5.15.0-1049.52~20.04.1   linux-image-5.15.0-1054-gcp     5.15.0-1054.62~20.04.1   linux-image-5.15.0-1059-azure   5.15.0-1059.67~20.04.1   linux-image-5.15.0-1059-azure-fde  5.15.0-1059.67~20.04.1.1   linux-image-azure               5.15.0.1059.67~20.04.49   linux-image-azure-cvm           5.15.0.1059.67~20.04.49   linux-image-azure-fde           5.15.0.1059.67~20.04.1.38   linux-image-gcp                 5.15.0.1054.62~20.04.1   linux-image-generic-64k-hwe-20.04  5.15.0.101.111~20.04.53   linux-image-generic-hwe-20.04   5.15.0.101.111~20.04.53   linux-image-generic-lpae-hwe-20.04  5.15.0.101.111~20.04.53   linux-image-gkeop-5.15          5.15.0.1039.45~20.04.35   linux-image-ibm                 5.15.0.1049.52~20.04.21   linux-image-lowlatency-64k-hwe-20.04  5.15.0.101.111~20.04.50   linux-image-lowlatency-hwe-20.04  5.15.0.101.111~20.04.50   linux-image-oem-20.04           5.15.0.101.111~20.04.53   linux-image-oem-20.04b          5.15.0.101.111~20.04.53   linux-image-oem-20.04c          5.15.0.101.111~20.04.53   linux-image-oem-20.04d          5.15.0.101.111~20.04.53   linux-image-virtual-hwe-20.04   5.15.0.101.111~20.04.53After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6704-1   CVE-2023-23000, CVE-2023-32247, CVE-2024-1085, CVE-2024-1086,   CVE-2024-24855Package Information:   https://launchpad.net/ubuntu/+source/linux/5.15.0-101.111   https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1059.67   https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1059.67.1   https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1054.62   https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1053.58   https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1039.45   https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1049.52   https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1053.58   https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-101.111   https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1047.47   https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1059.67~20.04.1 https://launchpad.net/ubuntu/+source/linux-azure-fde-5.15/5.15.0-1059.67~20.04.1.1   https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1054.62~20.04.1   https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1039.45~20.04.1   https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-101.111~20.04.1   https://launchpad.net/ubuntu/+source/linux-ibm-5.15/5.15.0-1049.52~20.04.1 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-101.111~20.04.1

Ubuntu Security Notice USN-6704-1

Red Hat Security Advisory 2024-1438-03 - An update for nodejs is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1438.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: nodejs security updateAdvisory ID:        RHSA-2024:1438-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1438Issue date:         2024-03-20Revision:           03CVE Names:          CVE-2024-22019====================================================================Summary: An update for nodejs is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es):* nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (CVE-2024-22019)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-22019References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2264574

Red Hat Security Advisory 2024-1438-03

Red Hat Security Advisory 2024-1362-03 - An update for cnf-tests-container, dpdk-base-container, NUMA-aware secondary scheduler, numaresources-operator and numaresources-operator-must-gather is now available for Red Hat OpenShift Container Platform 4.14.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1362.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.14.17 low-latency extras security update  
Advisory ID:        RHSA-2024:1362-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1362  
Issue date:         2024-03-20  
Revision:           03  
CVE Names:          CVE-2024-24786  
====================================================================

Summary: 

An update for cnf-tests-container, dpdk-base-container, NUMA-aware secondary scheduler, numaresources-operator and numaresources-operator-must-gather is now available for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.14. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2024:1260

Security Fix(es):

* golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON  
(CVE-2024-24786)

All OpenShift Container Platform users are advised to upgrade to these updated packages and images.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-24786

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/security/cve/cve-2024-24786  
https://bugzilla.redhat.com/show_bug.cgi?id=2268046

Red Hat Security Advisory 2024-1362-03

Proof of concept exploit for an arbitrary folder move issue in the GamingService component of Xbox.

Xbox GamingService Arbitrary Folder Move

Debian Linux Security Advisory 5641-1 - It was discovered that fontforge, a font editor, is prone to shell command injection vulnerabilities when processing specially crafted files.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5641-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoMarch 19, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : fontforgeCVE ID         : CVE-2024-25081 CVE-2024-25082Debian Bug     : 1064967It was discovered that fontforge, a font editor, is prone to shell commandinjection vulnerabilities when processing specially crafted files.For the oldstable distribution (bullseye), these problems have been fixedin version 1:20201107~dfsg-4+deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 1:20230101~dfsg-1.1~deb12u1.We recommend that you upgrade your fontforge packages.For the detailed security status of fontforge please refer toits security tracker page at:https://security-tracker.debian.org/tracker/fontforgeFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmX5+otfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0QM6w/+I599jlPtxJcdadbT6efjRaGYhhj3ICkPG+l3Y+h7hcPAW8VbfdxR3ztPjYbqf1a6R1cb67NAunRLIkouA7uf1o5zix6bGmcLSmuwiqfoqGQOrQXKMZE6fvovYjzWVbQ+W9P+b3fywip7VI+pjC+coliYO/Y+6E0Ylg3GmVq5p/W9SGjefSNI8SKvQmZaUaVnEBVrX+riQ4AncOTKrIrV19mmbwKzZ5FgYLQVvhNrWimNO04RbNi/t+Dcr7rITXc4+e3guBlKjEuOaTdvWtMpwXxxAUU+Tqvgya8OQc10dHHKIIPbvJ1rhi2qk/+vdy6rbde7hwMqgBNUOFoJsIrn5+1bu7BPwU7IDp5C0ibZ/jtisc3JjtxHj5yz61n/d8+/+usRjKcAos/MKZa988KSNXUyqIv0NQ4Xk5l3AxDdBArDtxfMGKLuzYWMsVD7tlFuu7UcuyI7YY1FJcTDygoDb/CunXBq7yjMh9DEPQEMkWu6gFdge1gXWw20s0dko9Ypwtoe3BZ5ucbcyHjcfyAzlk+m2LIVO7TQJ5NvRuNuuE/kr+SDWbx4PIjidr5VslvGp2Nx784163P8fduUTxfSNLktsGdqPZmJI6R4FslQjd9oIgTd+/f1VU6tRTu8OcCqREfkwRVhtYrsTjwVvZ4x1OqAnKoxAGMCCCC7jzdk0JM==0dXN-----END PGP SIGNATURE-----

Source

Packet Storm