Google's American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple but rock-solid instrumentation-guided genetic algorithm. afl++ is a superior fork to Google's afl. It has more speed, more and better mutations, more and better instrumentation, custom module support, etc.

American Fuzzy Lop plus plus 4.07c

THC-Hydra is a high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support, parallel scans, and is part of Nessus.

**Hydra Network Logon Cracker 9.5**

Posted Jun 13, 2023

Authored by van Hauser, thc | Site thc.org

THC-Hydra is a high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support, parallel scans, and is part of Nessus.

Changes: 2 updates to http-form, 1 fix for smb2, 1 fix for smtp, and 1 fix for rdp.

tags | tool, web, imap

systems | cisco, unix

SHA-256 | 9dd193b011fdb3c52a17b0da61a38a4148ffcad731557696819d4721d1bee76b

Download | Favorite | View

Hydra Network Logon Cracker 9.5

Debian Linux Security Advisory 5425-1 - It was discovered that PHP's implementation of SOAP HTTP Digest authentication performed insufficient error validation, which may result in a stack information leak or use of weak randomness.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5425-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJune 13, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php8.2CVE ID         : not yet availableIt was discovered that PHP's implementation of SOAP HTTP Digestauthentication performed insufficient error validation, which may resultin a stack information leak or use of weak randomness.For the stable distribution (bookworm), this problem has been fixed inversion 8.2.7-1~deb12u1.We recommend that you upgrade your php8.2 packages.For the detailed security status of php8.2 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php8.2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmSIy9sACgkQEMKTtsN8TjbZKxAAkxlsoOX/Gqfw5W0hKEFjJ0CYIxk4ghwg1N+o4e9Ko7BoVIFnFeVB4dTes0DIbGpp8nBpsh5ynQ6iZePQyD3qI0BTS9TCEAuzVQTq9gcWW6m2I9YxSlWDv2uhHTuwFv/V0Qa+j57v1Rbp2boF/D/Mygi3A4ctFI5KveFejSPuPYSlZTijFjWMD0jL8ledgP3Gzu4p/c+tHwapkgBsFj2LmyHVAodnTm0YngYEd82j78Ez2qoyUVyNBfSfv0YcFBDEb+WTzZ6jCZTOTtMGtEknH3/G+DMr4P3/zzpp6iWYe/SlPI2tmeqY6/hGi8VBiKt1SSdlRKjkmLPR+FZy0GrDuuFU6xrrxLtlGpyaoXE5scF+yqbHgRJAIrPg+7THWQd9vYJDu5ZaBh/hsFvMRqsIGksGp9J5jqUjoEcpBuafrjrvYcKA2hyqvQLseUCZUXk/ZG9Osp0sZ2B29RQ3naTgE38kuyZ3V8ae+zlwdJRcewr5XVvPcTlDnLiIL/c9sH203fHe1iFwevNERrU9gdxYxqllsWL4CaOZW6M4Yfb5+Dd4ilmUkDr5US2wnuU57QbQHu9LSR1Sjav710gATpNL2JfyC+SlGgD96u6Zz4Cxo2alEpF/rW8jBg4gnbyWePRjTVuIadeopR67nwVhOJooz85oVN+NuN1WpGdJxYhhUNs=0RKf-----END PGP SIGNATURE-----

Debian Security Advisory 5425-1

Debian Linux Security Advisory 5424-1 - It was discovered that PHP's implementation of SOAP HTTP Digest authentication performed insufficient error validation, which may result in a stack information leak or use of weak randomness.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5424-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJune 13, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php7.4CVE ID         : not yet availableIt was discovered that PHP's implementation of SOAP HTTP Digestauthentication performed insufficient error validation, which may resultin a stack information leak or use of weak randomness.For the oldstable distribution (bullseye), this problem has been fixedin version 7.4.33-1+deb11u4.We recommend that you upgrade your php7.4 packages.For the detailed security status of php7.4 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php7.4Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmSIyvIACgkQEMKTtsN8TjYdURAAmtKmyN+UIZIfOHkrg4DxpNL2dwSBcUefcozb5CYvo8R0RQJt62Ce+aI+nP6UXn0GCTzepfzJPGHS93t4BPNvxIQmp8jlofkRX1/Lnrg3ndPPtop+eQhmwdOq65app3kj/sa7b6sZKbsgbvayHu5eo1pRO0DCFIdHamDVcW1RFzJSCNOpsk6L9LjFqvOss5I8WXzL3z2TVGb20rv5LG78/nfPNgLIr63faG7XA2hQgCkT1iIlY8qT1IOTyKHxMWEnDFxZnnHWOFV3DF8iPF8EjmBKDAaEWWwOeIkk5Kiu4Jj8RayC0Gs6KPA0OI0NJ1ejdvGDa1SbJOqvtX5QHzc+jqqrpKlmtc2zHLezH9YZW802jkMOvxI65zepbYRXMsIqmDi624v5eJQh6qytl9YeLAsoJZfHw6Ic4RmpYfE/bsibX+y98TnKbDeUbkAOtG7m6kDobYQ8FXiY/dGK0jWLkcMCbU9lP4onL7s3SshJJEKgeyE17av2LUSJrPszxcD6wKbUj8hchn0t6AKtAKPMk8YHPS5mnUVd2jkNzgAmu7PrWgtoK94dfby1SB62HN129+6GMO67VQhEHQjgsbubnYRYq92+qKpZ0bvq7Oq54G9XYcRzsoGCXkBhQnoqei8PSSKchWEd887q4sFxUmZYgqSN9xtNJSzOX/lv07bYNHM=4iUa-----END PGP SIGNATURE-----

Debian Security Advisory 5424-1

Ubuntu Security Notice 6160-1 - It was discovered that GNU binutils incorrectly performed bounds checking operations when parsing stabs debugging information. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6160-1June 13, 2023binutils vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:GNU binutils could be made to crash or run programs if it opened aspecially crafted file.Software Description:- binutils: GNU assembler, linker and binary utilitiesDetails:It was discovered that GNU binutils incorrectly performed bounds checkingoperations when parsing stabs debugging information. An attacker couldpossibly use this issue to cause a denial of service or execute arbitrarycode.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   binutils                        2.34-6ubuntu1.6   binutils-multiarch              2.34-6ubuntu1.6In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6160-1   CVE-2021-45078Package Information:   https://launchpad.net/ubuntu/+source/binutils/2.34-6ubuntu1.6

Ubuntu Security Notice USN-6160-1

Ubuntu Security Notice 6159-1 - It was discovered that Tornado incorrectly handled certain redirect. An remote attacker could possibly use this issue to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

    =========================================================================Ubuntu Security Notice USN-6159-1June 13, 2023python-tornado vulnerability=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:Tornado could be made to redirect users to arbitrary web site if it opened aspecially crafted URL.Software Description:- python-tornado: scalable, non-blocking web server and tools - documentationDetails:It was discovered that Tornado incorrectly handled certain redirect.An remote attacker could possibly use this issue to redirect a user to anarbitrary web site and conduct a phishing attack by having user access aspecially crafted URL.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:  python3-tornado                 6.2.0-3ubuntu0.1Ubuntu 16.04 LTS (Available with Ubuntu Pro):  python-tornado                  4.2.1-1ubuntu3.1+esm1  python3-tornado                 4.2.1-1ubuntu3.1+esm1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6159-1  CVE-2023-28370Package Information:  https://launchpad.net/ubuntu/+source/python-tornado/6.2.0-3ubuntu0.1

Ubuntu Security Notice USN-6159-1

Ubuntu Security Notice 6158-1 - It was discovered that Node Fetch incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive information.

    ==========================================================================Ubuntu Security Notice USN-6158-1June 13, 2023node-fetch vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS (Available with Ubuntu Pro)Summary:Node Fetch could be made to expose sensitive information if it opened aspecially crafted file.Software Description:- node-fetch: A light-weight module that brings the Fetch API to Node.jsDetails:It was discovered that Node Fetch incorrectly handled certain inputs. If auser or an automated system were tricked into opening a specially craftedinput file, a remote attacker could possibly use this issue to obtainsensitive information.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   node-fetch                      1.7.3-2ubuntu0.1Ubuntu 18.04 LTS (Available with Ubuntu Pro):   node-fetch                      1.7.3-1ubuntu0.1~esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6158-1   CVE-2022-0235Package Information:   https://launchpad.net/ubuntu/+source/node-fetch/1.7.3-2ubuntu0.1

Ubuntu Security Notice USN-6158-1

Ubuntu Security Notice 6143-2 - USN-6143-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Jun Kokatsu discovered that Firefox did not properly validate site-isolated process for a document loaded from a data: URL that was the result of a redirect, leading to an open redirect attack. An attacker could possibly use this issue to perform phishing attacks.

    ==========================================================================Ubuntu Security Notice USN-6143-2June 13, 2023firefox regressions==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:USN-6143-1 caused some minor regressions in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:USN-6143-1 fixed vulnerabilities in Firefox. The update introducedseveral minor regressions. This update fixes the problem.We apologize for the inconvenience.Original advisory details: Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. (CVE-2023-34414, CVE-2023-34416, CVE-2023-34417)  Jun Kokatsu discovered that Firefox did not properly validate site-isolated process for a document loaded from a data: URL that was the result of a redirect, leading to an open redirect attack. An attacker could possibly use this issue to perform phishing attacks. (CVE-2023-34415)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  firefox                         114.0.1+build1-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-6143-2  https://ubuntu.com/security/notices/USN-6143-1  https://launchpad.net/bugs/2023610Package Information:  https://launchpad.net/ubuntu/+source/firefox/114.0.1+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6143-2

Red Hat Security Advisory 2023-3495-01 - Logging Subsystem 5.7.2 - Red Hat OpenShift. Issues addressed include cross site scripting and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Logging Subsystem 5.7.2 - Red Hat OpenShift security update  
Advisory ID:       RHSA-2023:3495-01  
Product:           Logging Subsystem for Red Hat OpenShift  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3495  
Issue date:        2023-06-12  
CVE Names:         CVE-2021-26341 CVE-2021-33655 CVE-2021-33656  
                   CVE-2022-1462 CVE-2022-1679 CVE-2022-1789  
                   CVE-2022-2196 CVE-2022-2663 CVE-2022-3028  
                   CVE-2022-3239 CVE-2022-3522 CVE-2022-3524  
                   CVE-2022-3564 CVE-2022-3566 CVE-2022-3567  
                   CVE-2022-3619 CVE-2022-3623 CVE-2022-3625  
                   CVE-2022-3627 CVE-2022-3628 CVE-2022-3707  
                   CVE-2022-3970 CVE-2022-4129 CVE-2022-20141  
                   CVE-2022-25147 CVE-2022-25265 CVE-2022-30594  
                   CVE-2022-36227 CVE-2022-39188 CVE-2022-39189  
                   CVE-2022-41218 CVE-2022-41674 CVE-2022-41723  
                   CVE-2022-42703 CVE-2022-42720 CVE-2022-42721  
                   CVE-2022-42722 CVE-2022-43750 CVE-2022-47929  
                   CVE-2023-0394 CVE-2023-0461 CVE-2023-1195  
                   CVE-2023-1582 CVE-2023-2491 CVE-2023-22490  
                   CVE-2023-23454 CVE-2023-23946 CVE-2023-25652  
                   CVE-2023-25815 CVE-2023-27535 CVE-2023-27539  
                   CVE-2023-28120 CVE-2023-29007  
====================================================================  
1. Summary:

Logging Subsystem 5.7.2 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.7.2 - Red Hat OpenShift

Security Fix(es):

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK  
decoding (CVE-2022-41723)

* rubygem-rack: denial of service in header parsing (CVE-2023-27539)

* rubygem-activesupport: Possible XSS in SafeBuffer#bytesplice  
(CVE-2023-28120)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding  
2179637 - CVE-2023-28120 rubygem-activesupport: Possible XSS in SafeBuffer#bytesplice  
2179649 - CVE-2023-27539 rubygem-rack: denial of service in header parsing

5. JIRA issues fixed (https://issues.redhat.com/):

LOG-3314 - [fluentd] The passphrase can not be enabled when forwarding logs to Kafka  
LOG-3316 - openshift-logging namespace can not be deleted directly when use lokistack as default store.  
LOG-3330 - run.sh shows incorrect chunk_limit_size if changed.  
LOG-3445 - [vector to loki]  validation is not disabled  when tls.insecureSkipVerify=true  
LOG-3749 - Unability to configure nodePlacement and toleration for logging-view-plugin  
LOG-3784 - [fluentd http] the defaut value HTTP content type application/x-ndjson is unsupported on datadog  
LOG-3827 - [fluentd http] The passphase isn't generated in fluent.conf  
LOG-3878 - [vector] PHP multiline errors are collected line by line when detectMultilineErrors is enabled.  
LOG-3945 - [Vector] Collector pods in CrashLoopBackOff when ClusterLogForwarder pipeline has space in between the pipeline name.  
LOG-3997 - Add http to log_forwarder_output_info metrics  
LOG-4011 - [Vector] Collector not complying with the custom tlsSecurityProfile configuration.  
LOG-4019 - [release-5.7] fluentd multiline exception plugin fails to detect JS client exception  
LOG-4049 - [release-5.7] User can list labels and label values for all user workload namespaces via Loki Label APIs  
LOG-4052 - [release-5.7] Fix Loki timeouts querying logs from OCP Console  
LOG-4098 - [release-5.7] No log_forwarder_output_info for splunk and google logging  
LOG-4151 - Fluentd fix  missing nil check for rotated_tw in update_watcher  
LOG-4163 - [release-5.7] TLS configuration for multiple Kafka brokers is not created in Vector  
LOG-4185 - Resources, tolerations and nodeSelector for the collector are missing  
LOG-4218 - Vector fails to run when configuring syslog forwarding for audit log  
LOG-4219 - Vector handles journal log as container log when enabling syslog forwarding. It breaks the compatibility with Fluentd  
LOG-4220 - [RHOCP4.11] Logs of POD which doesn't have labels specified by structuredTypeKey are parsed to JSON, and forwarded to app-xxxxxx  
LOG-4221 - [release-5.7] Fluentd wrongly closes a log file due to hash collision

6. References:

https://access.redhat.com/security/cve/CVE-2021-26341  
https://access.redhat.com/security/cve/CVE-2021-33655  
https://access.redhat.com/security/cve/CVE-2021-33656  
https://access.redhat.com/security/cve/CVE-2022-1462  
https://access.redhat.com/security/cve/CVE-2022-1679  
https://access.redhat.com/security/cve/CVE-2022-1789  
https://access.redhat.com/security/cve/CVE-2022-2196  
https://access.redhat.com/security/cve/CVE-2022-2663  
https://access.redhat.com/security/cve/CVE-2022-3028  
https://access.redhat.com/security/cve/CVE-2022-3239  
https://access.redhat.com/security/cve/CVE-2022-3522  
https://access.redhat.com/security/cve/CVE-2022-3524  
https://access.redhat.com/security/cve/CVE-2022-3564  
https://access.redhat.com/security/cve/CVE-2022-3566  
https://access.redhat.com/security/cve/CVE-2022-3567  
https://access.redhat.com/security/cve/CVE-2022-3619  
https://access.redhat.com/security/cve/CVE-2022-3623  
https://access.redhat.com/security/cve/CVE-2022-3625  
https://access.redhat.com/security/cve/CVE-2022-3627  
https://access.redhat.com/security/cve/CVE-2022-3628  
https://access.redhat.com/security/cve/CVE-2022-3707  
https://access.redhat.com/security/cve/CVE-2022-3970  
https://access.redhat.com/security/cve/CVE-2022-4129  
https://access.redhat.com/security/cve/CVE-2022-20141  
https://access.redhat.com/security/cve/CVE-2022-25147  
https://access.redhat.com/security/cve/CVE-2022-25265  
https://access.redhat.com/security/cve/CVE-2022-30594  
https://access.redhat.com/security/cve/CVE-2022-36227  
https://access.redhat.com/security/cve/CVE-2022-39188  
https://access.redhat.com/security/cve/CVE-2022-39189  
https://access.redhat.com/security/cve/CVE-2022-41218  
https://access.redhat.com/security/cve/CVE-2022-41674  
https://access.redhat.com/security/cve/CVE-2022-41723  
https://access.redhat.com/security/cve/CVE-2022-42703  
https://access.redhat.com/security/cve/CVE-2022-42720  
https://access.redhat.com/security/cve/CVE-2022-42721  
https://access.redhat.com/security/cve/CVE-2022-42722  
https://access.redhat.com/security/cve/CVE-2022-43750  
https://access.redhat.com/security/cve/CVE-2022-47929  
https://access.redhat.com/security/cve/CVE-2023-0394  
https://access.redhat.com/security/cve/CVE-2023-0461  
https://access.redhat.com/security/cve/CVE-2023-1195  
https://access.redhat.com/security/cve/CVE-2023-1582  
https://access.redhat.com/security/cve/CVE-2023-2491  
https://access.redhat.com/security/cve/CVE-2023-22490  
https://access.redhat.com/security/cve/CVE-2023-23454  
https://access.redhat.com/security/cve/CVE-2023-23946  
https://access.redhat.com/security/cve/CVE-2023-25652  
https://access.redhat.com/security/cve/CVE-2023-25815  
https://access.redhat.com/security/cve/CVE-2023-27535  
https://access.redhat.com/security/cve/CVE-2023-27539  
https://access.redhat.com/security/cve/CVE-2023-28120  
https://access.redhat.com/security/cve/CVE-2023-29007  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZIfBndzjgjWX9erEAQj/Vg/8D/xYKPgCJDjD2IbguRkgOWsZ5r5BP36n  
pbizOqZem1fs5J1oxmKotej5vE/BD5iumTsNYY59E1y/MjrBYPkaTjnHwgxkNYq/  
Lptwmt7pc2jE92E4qUMa5LpUhJxLQfw10SAMmYFVJIqOjVh+82XhU5NW5bJYStRs  
767suxjFzYZs8CHwpVyBVqEfI/sCyU+Ok3Pja5McaPjomAt9cNYfXoaPUSq3UMMD  
ifVOjVz3fE8YY6UhmVY5SPHrG4Ak2YcKOpyJ/A3UjRuKOTrtnLSxtLZisH4UMetZ  
R0e2ovt1TP4emH9Cblhl18qZxfi6RsveAwQ3IUplCltSRMbl7hrLB11cbAUUoPPc  
+MGvw6id7BHpH/0pBR1u7HH04VlzK/J1/pAiJNR3uL8W4OomgF9A5oSXSoJ9mY9C  
hFjUvQp7rR3+l9ivIT5pb//7lGBJs+QIn/W8OJXWEdqUMpC1ybPnJX7+azLUjLAt  
w7WEuMS7usNdDAUzP/sYFVlHfsNtOKHvx8c+DUi8ti9gkaXakw6VZIUh0g3ZUvmi  
hUWP7oktj6dZyISk75TpmpPppL5pmlKoHREJgiohSXUnFtp/XsYRAoZRfMbbqKr4  
MmyT7J11sfRH5+M1294PtdYJodXu13GESfjW38urAhVE/1SLpvWMQTv7U9CnDimF  
m78/igCYu/A=NjOC  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3495-01

Ubuntu Security Notice 6157-1 - Tao Lyu discovered that GlusterFS did not properly handle certain event notifications. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6157-1  
June 12, 2023

glusterfs vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS

Summary:

GlusterFS could be made to crash if it received a specially crafted  
request.

Software Description:  
- glusterfs: clustered file-system

Details:

Tao Lyu discovered that GlusterFS did not properly handle certain event  
notifications. An attacker could possibly use this issue to cause a denial  
of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   glusterfs-client                10.3-4ubuntu0.1  
   glusterfs-common                10.3-4ubuntu0.1  
   glusterfs-server                10.3-4ubuntu0.1

Ubuntu 22.10:  
   glusterfs-client                10.2-1ubuntu0.1  
   glusterfs-common                10.2-1ubuntu0.1  
   glusterfs-server                10.2-1ubuntu0.1

Ubuntu 22.04 LTS:  
   glusterfs-client                10.1-1ubuntu0.1  
   glusterfs-common                10.1-1ubuntu0.1  
   glusterfs-server                10.1-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6157-1  
   CVE-2023-26253

Package Information:  
   https://launchpad.net/ubuntu/+source/glusterfs/10.3-4ubuntu0.1  
   https://launchpad.net/ubuntu/+source/glusterfs/10.2-1ubuntu0.1  
   https://launchpad.net/ubuntu/+source/glusterfs/10.1-1ubuntu0.1

Source

Packet Storm