An issue was discovered in Ethernut Nut/OS 5.1. The code that generates Initial Sequence Numbers (ISNs) for TCP connections derives the ISN from an insufficiently random source. As a result, an attacker may be able to determine the ISN of current and future TCP connections and either hijack existing ones or spoof future ones. While the ISN generator seems to adhere to RFC 793 (where a global 32-bit counter is incremented roughly every 4 microseconds), proper ISN generation should aim to follow at least the specifications outlined in RFC 6528.

**Nut/OS Downloads**

**Stable Version 5.1**

ethernut-5.1.0-1.exe  
Executable installation for Windows PCs.

ethernut-5.1.0-1.tar.gz  
Source code package for Linux and OS X. More details are available here.

**Latest Beta Version**

ethernut-5.2.4.exe  
Executable installation for Windows PCs.

ethernut-5.2.4.tar.gz  
Source code package for Linux and OS X. More details are available here.

**Code Repository**

The cutting edge development version is available in an Apache Subversion repository at ethernut.svn.sourceforge.net.

If you like to work locally with Git on the Subversion repository, get the bare repository at ethernut-code.git.tar.gz.  
Unpack the tar file with

tar fxz ethernut-code.git.tar.gz

change to the Ethernut code directory with

cd ethernut-code

and checkout the files

git checkout -- .

You can stay up to date with

git svn rebase

**Previous Releases**

Versions, which are no longer maintained, can be downloaded from the archive.

**Note! Binary code created from version 5.0.4 beta for Cortex-M may contain code with the following license:**

Copyright (c) 2005-2009 Luminary Micro, Inc.  All rights reserved.
Software License Agreement

Luminary Micro, Inc. (LMI) is supplying this software for use solely and
exclusively on LMI's microcontroller products.

The software is owned by LMI and/or its suppliers, and is protected under
applicable copyright laws.  All rights are reserved.  You may not combine
this software with "viral" open-source software in order to form a larger
program.  Any use in violation of the foregoing restrictions may subject
the user to criminal sanctions under applicable laws, as well as to civil
liability for the breach of the terms and conditions of this license.

**We have removed this version.**

**Toolchains****AVR 8-Bit Cross Development****Debian Packages**

packages.debian.org  
Debian official packages.

**Windows Installer**

WinAVR  
is a complete Win32 installation package, which contains the AVR-GCC compiler and many additional tools.

**AVR32 Cross Development**

AVR32 GNU Toolchain  
Atmel offers free development environments for PCs running Linux and Windows.

**ARM Cross Development****Debian Packages**

GNU binary utilities for arm-elf cross development  
This package is a collection of utilities required for the assembly, linking, symbol dumping, object dumping, object copying and other operations for position independent code on ARM targets using the ELF file format.

GNU C compiler for arm-elf cross development  
GNU C cross compiler for ARM targets using the ELF file format.

GNU debugger for arm-elf cross development  
GNU debugger, configured for remote debugging of ARM targets using the ELF file format.

Standard C library for arm-elf cross development  
This C library intended for use on ARM targets using the ELF file format. Newlib is a conglomeration of several library parts, all under free software licenses that make them easily usable on embedded products.

**Windows and Mac OS X**

YAGARTO  
is the recommended toolchain for 32-bit ARM targets.

**Ethernut 5 Specific**

en5flasher-20130719.zip  
Automagic Flasher for Ethernut 5, described on this page. This release of the Linux kernel 3.8.8 additionally contains the binary images of SAMBoot and U-Boot-2013.01.01.

ethernut5-image-20130604.zip  
Ethernut 5 root file system image for Linux 3.8.8, built with Yocto 1.4.

meta-egnite-20130531.tar.bz2  
build-ethernut5-3.8-20130531.tar.bz2  
Files needed to build Yocto for Ethernut 5.

en5pwrman-20110610.zip  
Power management firmware for Ethernut 5, mentioned at the end of this page.

**Previous Releases**

en5flasher-20120308.zip  
Automagic Flasher für Ethernut 5, described on this page. This first release of the Linux kernel 3.2.9 additionally contains the binary images of SAMBoot and U-Boot-2011.03.

console-image-ethernut5-20120308.zip  
First release of the Ethernut 5 Linux root file system image for kernel 3.2.9. Should be installed in conjunction with en5flasher-20120308.zip.

en5flasher-20120305.zip  
Automagic Flasher für Ethernut 5, described on this page. This second release for Linux 2.6.37 contains the binary images of SAMBoot, U-Boot-2011.03 and Linux kernel. The latter now supports USB memory sticks and cameras, PPP over UMTS/GPRS, GPS mice and more. The kernel now runs with data cache enabled.

console-image-ethernut5-20120305.zip  
Second release of the Ethernut 5 Linux root file system image. Should be installed in conjunction with en5flasher-20120305.zip.

egnite-oe-overlay-r2.tar.bz2  
egnite-oe-build-2.6.37-r2.tar.bz2  
OpenEmbedded overlays to build U-Boot, Linux and a root filesystem for Ethernut 5.

en5flasher-20110610.zip  
Automagic flasher for Ethernut 5, described this page.

console-image-ethernut5-20110525.zip  
Ethernut 5 Linux root file system image. Use this first version with en5flasher-20110610.zip.

CVE-2020-27213: Ethernut Download

Debian Linux Security Advisory 5519-1 - Maxim Suhanov discovered multiple vulnerabilities in GURB2's code to handle NTFS filesystems, which may result in a Secure Boot bypass.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5519-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoOctober 06, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : grub2CVE ID         : CVE-2023-4692 CVE-2023-4693Maxim Suhanov discovered multiple vulnerabilities in GURB2's code tohandle NTFS filesystems, which may result in a Secure Boot bypass.For the oldstable distribution (bullseye), these problems have been fixedin version 2.06-3~deb11u6.For the stable distribution (bookworm), these problems have been fixed inversion 2.06-13+deb12u1.We recommend that you upgrade your grub2 packages.For the detailed security status of grub2 please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/grub2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmUgWX5fFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0S1bxAAoIlLLu0nPXCGZRJydLVpVdkgkosdnlLxMR/oN2rTAWG6f1I2VatAPSKErBtRSi32TSuLW3Ir6lY+O7Jk7ONKGGbh4CSD1EcFb1w7sylwHZY5mtpMfS7tCDc2PAasJXSlMXlzRjO0pPCpazYHHmBYAap/JBVc89ZepwleegAoL1UoIaE+eCRliLS9H00CWdIsnr7F22HNsN+SYyK0itHyqtgx6M1F5v7eXaGd5bPbN1mCTV8okBkCEU7hp14+sEQtrFLLPW1WyBzSEMPWtgrVcOgGy2wBqZRK5UoCUDBohCyjcZFig7ZQ6vuTYTbDMwxBeI6ycK8BpccD+8kZqzNKjjgUPlvu92FxflqYjg98GIa9rcBhETEbare5RnwhQteYbr+Yn90hng5xvEXu7CC+7nKm+X4jzM2lHRGm56WCeE26+DQ0JB8J2yu+donTd+vhgLfTgADb9V0nFJh0hecHqh5/n0Jhu5u/ImxhDzbcqlfijNAl42udQmeQa2V6sBWJxabgJhEGeazEGuWHqpqXJk9dc8xuqWYYGmv4Fioi+2TVAI8lsnRbX4qp0MU2hrOCHsnccV0VOvENV3dTzgRO5UqUI0xC88FLckz5JQUjh81dGvezuQ1NQNSEAWamwBka/lqyBTg7AMQEwsiximYYyO4DkSBslzMsNGi5pZCc8rk=+IHG-----END PGP SIGNATURE-----

Debian Security Advisory 5519-1

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

**eClass Junior 4.0 SQL Injection**

Posted Oct 9, 2023

Authored by indoushka

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | fe25bf20628b95e728482b08a8d3f9ce6bd4e732844de33554a5951468322a2a

Download | Favorite | View

**eClass Junior 4.0 SQL Injection**

    ====================================================================================================================================| # Title     : eClass Junior 4.0 Sql injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.eclass.com.hk/en/product/eclass-junior/                                                                |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /gallery_detail.php?cid=55 <===== inject here[+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55[+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,456)
*   Arbitrary (16,316)
*   BBS (2,859)
*   Bypass (1,764)
*   CGI (1,029)
*   Code Execution (7,343)
*   Conference (680)
*   Cracker (843)
*   CSRF (3,352)
*   DoS (23,623)
*   Encryption (2,372)
*   Exploit (52,159)
*   File Inclusion (4,230)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,797)
*   Intrusion Detection (895)
*   Java (3,054)
*   JavaScript (865)
*   Kernel (6,760)
*   Local (14,525)
*   Magazine (586)
*   Overflow (12,775)
*   Perl (1,423)
*   PHP (5,156)
*   Proof of Concept (2,345)
*   Protocol (3,623)
*   Python (1,543)
*   Remote (30,920)
*   Root (3,598)
*   Rootkit (513)
*   Ruby (612)
*   Scanner (1,644)
*   Security Tool (7,912)
*   Shell (3,201)
*   Shellcode (1,216)
*   Sniffer (896)
*   Spoof (2,213)
*   SQL Injection (16,422)
*   TCP (2,417)
*   Trojan (687)
*   UDP (896)
*   Virus (666)
*   Vulnerability (31,915)
*   Web (9,732)
*   Whitepaper (3,753)
*   x86 (965)
*   XSS (18,011)
*   Other

**File Archives**

*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,026)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,858)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,347)
*   HPUX (879)
*   iOS (358)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (46,943)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (13,974)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,974)
*   UNIX (9,323)
*   UnixWare (186)
*   Windows (6,591)
*   Other

eClass Junior 4.0 SQL Injection

eClass IP version 2.5 suffers from a remote SQL injection vulnerability.

**eClass IP 2.5 SQL Injection**

Posted Oct 9, 2023

Authored by indoushka

eClass IP version 2.5 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | b711babfc66671ea5103fe26d521747c60621f2c26be69bc9fb4ef7463b6da31

Download | Favorite | View

**eClass IP 2.5 SQL Injection**

    ====================================================================================================================================| # Title     : eClass IP 2.5 Sql injection Vulnerability                                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.eclass.com.hk/en/product/eclass-ip/                                                                    |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /gallery_detail.php?cid=55&id=161 <===== inject here[+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55&id=161[+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,456)
*   Arbitrary (16,316)
*   BBS (2,859)
*   Bypass (1,764)
*   CGI (1,029)
*   Code Execution (7,343)
*   Conference (680)
*   Cracker (843)
*   CSRF (3,352)
*   DoS (23,623)
*   Encryption (2,372)
*   Exploit (52,159)
*   File Inclusion (4,230)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,797)
*   Intrusion Detection (895)
*   Java (3,054)
*   JavaScript (865)
*   Kernel (6,760)
*   Local (14,525)
*   Magazine (586)
*   Overflow (12,775)
*   Perl (1,423)
*   PHP (5,156)
*   Proof of Concept (2,345)
*   Protocol (3,623)
*   Python (1,543)
*   Remote (30,920)
*   Root (3,598)
*   Rootkit (513)
*   Ruby (612)
*   Scanner (1,644)
*   Security Tool (7,912)
*   Shell (3,201)
*   Shellcode (1,216)
*   Sniffer (896)
*   Spoof (2,213)
*   SQL Injection (16,422)
*   TCP (2,417)
*   Trojan (687)
*   UDP (896)
*   Virus (666)
*   Vulnerability (31,915)
*   Web (9,732)
*   Whitepaper (3,753)
*   x86 (965)
*   XSS (18,011)
*   Other

**File Archives**

*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,026)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,858)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,347)
*   HPUX (879)
*   iOS (358)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (46,943)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (13,974)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,974)
*   UNIX (9,323)
*   UnixWare (186)
*   Windows (6,591)
*   Other

eClass IP 2.5 SQL Injection

Dubbed Looney Tunables, Qualys discovered a buffer overflow vulnerability in the glibc dynamic loader's processing of the GLIBC_TUNABLES environment variable. This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c.

    Qualys Security AdvisoryLooney Tunables: Local Privilege Escalation in the glibc's ld.so(CVE-2023-4911)========================================================================Contents========================================================================SummaryAnalysisProof of conceptExploitationAcknowledgmentsTimeline========================================================================Summary========================================================================The GNU C Library's dynamic loader "find[s] and load[s] the sharedobjects (shared libraries) needed by a program, prepare[s] the programto run, and then run[s] it" (man ld.so). The dynamic loader is extremelysecurity sensitive, because its code runs with elevated privileges whena local user executes a set-user-ID program, a set-group-ID program, ora program with capabilities. Historically, the processing of environmentvariables such as LD_PRELOAD, LD_AUDIT, and LD_LIBRARY_PATH has been afertile source of vulnerabilities in the dynamic loader.Recently, we discovered a vulnerability (a buffer overflow) in thedynamic loader's processing of the GLIBC_TUNABLES environment variable(https://www.gnu.org/software/libc/manual/html_node/Tunables.html). Thisvulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c("Fix SXID_ERASE behavior in setuid programs (BZ #27471)").We successfully exploited this vulnerability and obtained full rootprivileges on the default installations of Fedora 37 and 38, Ubuntu22.04 and 23.04, Debian 12 and 13; other distributions are probably alsovulnerable and exploitable (one notable exception is Alpine Linux, whichuses musl libc, not the glibc). We will not publish our exploit for now;however, this buffer overflow is easily exploitable (by transforming itinto a data-only attack), and other researchers might publish workingexploits shortly after this coordinated disclosure.========================================================================Analysis========================================================================At the very beginning of its execution, ld.so calls __tunables_init() towalk through the environment (at line 279), searching for GLIBC_TUNABLESvariables (at line 282); for each GLIBC_TUNABLES that it finds, it makesa copy of this variable (at line 284), calls parse_tunables() to processand sanitize this copy (at line 286), and finally replaces the originalGLIBC_TUNABLES with this sanitized copy (at line 288):------------------------------------------------------------------------269 void270 __tunables_init (char **envp)271 {272   char *envname = NULL;273   char *envval = NULL;274   size_t len = 0;275   char **prev_envp = envp;...279   while ((envp = get_next_env (envp, &envname, &len, &envval,280                                &prev_envp)) != NULL)281     {282       if (tunable_is_name ("GLIBC_TUNABLES", envname))283         {284           char *new_env = tunables_strdup (envname);285           if (new_env != NULL)286             parse_tunables (new_env + len + 1, envval);287           /* Put in the updated envval.  */288           *prev_envp = new_env;289           continue;290         }------------------------------------------------------------------------The first argument of parse_tunables() (tunestr) points to thesoon-to-be-sanitized copy of GLIBC_TUNABLES, while the second argument(valstring) points to the original GLIBC_TUNABLES environment variable(in the stack). To sanitize the copy of GLIBC_TUNABLES (which should beof the form "tunable1=aaa:tunable2=bbb"), parse_tunables() removes alldangerous tunables (the SXID_ERASE tunables) from tunestr, but keepsSXID_IGNORE and NONE tunables (at lines 221-235):------------------------------------------------------------------------162 static void163 parse_tunables (char *tunestr, char *valstring)164 {...168   char *p = tunestr;169   size_t off = 0;170 171   while (true)172     {173       char *name = p;174       size_t len = 0;175 176       /* First, find where the name ends.  */177       while (p[len] != '=' && p[len] != ':' && p[len] != '\0')178         len++;179 180       /* If we reach the end of the string before getting a valid name-value181          pair, bail out.  */182       if (p[len] == '\0')183         {184           if (__libc_enable_secure)185             tunestr[off] = '\0';186           return;187         }188 189       /* We did not find a valid name-value pair before encountering the190          colon.  */191       if (p[len]== ':')192         {193           p += len + 1;194           continue;195         }196 197       p += len + 1;198 199       /* Take the value from the valstring since we need to NULL terminate it.  */200       char *value = &valstring[p - tunestr];201       len = 0;202 203       while (p[len] != ':' && p[len] != '\0')204         len++;205 206       /* Add the tunable if it exists.  */207       for (size_t i = 0; i < sizeof (tunable_list) / sizeof (tunable_t); i++)208         {209           tunable_t *cur = &tunable_list[i];210 211           if (tunable_is_name (cur->name, name))212             {...219               if (__libc_enable_secure)220                 {221                   if (cur->security_level != TUNABLE_SECLEVEL_SXID_ERASE)222                     {223                       if (off > 0)224                         tunestr[off++] = ':';225 226                       const char *n = cur->name;227 228                       while (*n != '\0')229                         tunestr[off++] = *n++;230 231                       tunestr[off++] = '=';232 233                       for (size_t j = 0; j < len; j++)234                         tunestr[off++] = value[j];235                     }236 237                   if (cur->security_level != TUNABLE_SECLEVEL_NONE)238                     break;239                 }240 241               value[len] = '\0';242               tunable_initialize (cur, value);243               break;244             }245         }246 247       if (p[len] != '\0')248         p += len + 1;249     }250 }------------------------------------------------------------------------Unfortunately, if a GLIBC_TUNABLES environment variable is of the form"tunable1=tunable2=AAA" (where "tunable1" and "tunable2" are SXID_IGNOREtunables, for example "glibc.malloc.mxfast"), then:- during the first iteration of the "while (true)" in parse_tunables(),  the entire "tunable1=tunable2=AAA" is copied in-place to tunestr (at  lines 221-235), thus filling up tunestr;- at lines 247-248, p is not incremented (p[len] is '\0' because no ':'  was found at lines 203-204) and therefore p still points to the value  of "tunable1", i.e. "tunable2=AAA";- during the second iteration of the "while (true)" in parse_tunables(),  "tunable2=AAA" is appended (as if it were a second tunable) to tunestr  (which is already full), thus overflowing tunestr.A note on fuzzing: although we discovered this buffer overflow manually,we later tried to fuzz the vulnerable function, parse_tunables(); bothAFL++ and libFuzzer re-discovered this overflow in less than a second,when provided with a dictionary of tunables (which can be compiled byrunning "ld.so --list-tunables").========================================================================Proof of concept========================================================================$ env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --helpSegmentation fault (core dumped)========================================================================Exploitation========================================================================This vulnerability is a straightforward buffer overflow, but what shouldwe overwrite to achieve arbitrary code execution? The buffer we overflowis allocated at line 284 by tunables_strdup(), a re-implementation ofstrdup() that uses ld.so's __minimal_malloc() instead of the glibc'smalloc() (indeed, the glibc's malloc() has not been initialized yet).This __minimal_malloc() implementation simply calls mmap() to obtainmore memory from the kernel.The question, then, is: what writable pages can we overwrite in the mmapregion? To the best of our knowledge, we have only two options (becausethis buffer overflow takes place at the very beginning of ld.so'sexecution):1/ The read-write ELF segment of ld.so itself (the first pages of thisread-write segment are actually ld.so's RELRO segment, but they have notbeen mprotect()ed read-only yet):------------------------------------------------------------------------7f209f367000-7f209f369000 r--p 00000000 fd:00 10943                      /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.27f209f369000-7f209f393000 r-xp 00002000 fd:00 10943                      /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.27f209f393000-7f209f39e000 r--p 0002c000 fd:00 10943                      /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.27f209f39f000-7f209f3a3000 rw-p 00037000 fd:00 10943                      /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2------------------------------------------------------------------------However, on all the Linux distributions that we checked, the unmappedhole immediately below ld.so's read-write segment is at most one page,but ld.so's __minimal_malloc() always allocates at least two pages ("oneextra page to reduce number of mmap calls"). In other words, the bufferwe overflow cannot be allocated immediately below ld.so's read-writesegment, and therefore cannot overwrite this segment.2/ Our only option, then, is to overwrite mmap()ed pages that wereallocated by tunables_strdup() itself: because __tunables_init() canprocess multiple GLIBC_TUNABLES environment variables, and because theLinux kernel's mmap() is a top-down allocator, we can mmap() a firstGLIBC_TUNABLES (without overflowing it), mmap() a second GLIBC_TUNABLES(immediately below the first one) and overflow it, thus overwriting thefirst GLIBC_TUNABLES. As a result, we can:- either replace this first GLIBC_TUNABLES with a completely different  environment variable, for example LD_PRELOAD or LD_LIBRARY_PATH -- but  these dangerous variables are later removed from the environment by  ld.so (in process_envvars()), and such a replacement would therefore  be useless;- or replace the first GLIBC_TUNABLES with a GLIBC_TUNABLES that  contains dangerous (SXID_ERASE) tunables, which were previously  removed by parse_tunables() -- although this seems promising at first,  exploiting such a replacement would require a SUID-root program that  setuid(0)s and execve()s another program with a preserved environment  (to process the dangerous GLIBC_TUNABLES as root, but without  __libc_enable_secure).  Alas, we do not know of such a SUID-root program on Linux (on OpenBSD,  /usr/bin/chpass setuid(0)s and execv()s /usr/sbin/pwd_mkdb, and was  exploited in CVE-2019-19726); if you, dear reader, know of such a  SUID-root program on Linux, please let us know!At that point, the situation looked quite hopeless, but a comment inld.so's _dl_new_object() (which is called long after __tunables_init())caught our attention (at line 105):------------------------------------------------------------------------ 56 struct link_map * 57 _dl_new_object (char *realname, const char *libname, int type, 58                 struct link_map *loader, int mode, Lmid_t nsid) 59 { .. 84   struct link_map *new; 85   struct libname_list *newname; .. 92   new = (struct link_map *) calloc (sizeof (*new) + audit_space 93                                     + sizeof (struct link_map *) 94                                     + sizeof (*newname) + libname_len, 1); 95   if (new == NULL) 96     return NULL; 97  98   new->l_real = new; 99   new->l_symbolic_searchlist.r_list = (struct link_map **) ((char *) (new + 1)100                                                             + audit_space);101 102   new->l_libname = newname103     = (struct libname_list *) (new->l_symbolic_searchlist.r_list + 1);104   newname->name = (char *) memcpy (newname + 1, libname, libname_len);105   /* newname->next = NULL;      We use calloc therefore not necessary.  */------------------------------------------------------------------------ld.so allocates the memory for this link_map structure with calloc(),and therefore does not explicitly initialize various of its members tozero; this is a reasonable optimization. As mentioned earlier, calloc()here is not the glibc's calloc() but ld.so's __minimal_calloc(), whichcalls __minimal_malloc() *without* explicitly initializing the memory itreturns to zero; this is also a reasonable optimization, because for allintents and purposes __minimal_malloc() always returns a clean chunk ofmmap()ed memory, which is guaranteed to be initialized to zero by thekernel.Unfortunately, the buffer overflow in parse_tunables() allows us tooverwrite clean mmap()ed memory with non-zero bytes, thereby overwritingpointers of the soon-to-be-allocated link_map structure with non-NULLvalues. This allows us to completely break the logic of ld.so, whichassumes that these pointers are NULL.We first tried to exploit this buffer overflow by overwriting thelink_map structure's l_next and l_prev pointers (a doubly linked list oflink_map structures), but we failed because of two assert()ion failuresin setup_vdso(), which immediately abort() ld.so (all the distributionsthat we checked compile their glibc, and hence ld.so, with assert()ionsenabled):------------------------------------------------------------------------ 96       assert (l->l_next == NULL); 97       assert (l->l_prev == main_map);------------------------------------------------------------------------We then realized that many more pointers in the link_map structure arenot explicitly initialized to NULL; in particular, the pointers toElf64_Dyn structures in the l_info[] array of pointers. Among these,l_info[DT_RPATH], the "Library search path", immediately stood out: ifwe overwrite this pointer and control where and what it points to, thenwe can force ld.so to trust a directory that we own, and therefore toload our own libc.so.6 or LD_PRELOAD library from this directory, andexecute arbitrary code (as root, if we run ld.so through a SUID-rootprogram).------------------------------------------------------------------------Where should the overwritten l_info[DT_RPATH] point to? The easy answerto this question is: the stack; more precisely, our environment stringsin the stack. On Linux, the stack is randomized in a 16GB region, andour environment strings can occupy up to 6MB (_STK_LIM / 4 * 3, in thekernel's bprm_stack_limits()): after 16GB / 6MB = 2730 tries we have agood chance of guessing the address of our environment strings (in ourexploit, we always overwrite l_info[DT_RPATH] with 0x7ffdfffff010, thecenter of the randomized stack region). In our tests, this brute forcetakes ~30s on Debian, and ~5m on Ubuntu and Fedora (because of theirautomatic crash handlers, Apport and ABRT; we have not tried to workaround this slowdown).------------------------------------------------------------------------What should the overwritten l_info[DT_RPATH] point to? In other words,what should we store in our 6MB of environment strings? l_info[DT_RPATH]is a pointer to a small (16B) Elf64_Dyn structure:- an int64_t d_tag, which should be DT_RPATH (15), but this value is  never actually checked anywhere, so we can store anything there;- a uint64_t d_val, which is an offset into the ELF string table of the  SUID-root program that is being executed (this offset references a  string that is the "Library search path" itself).In our exploit, we simply fill our 6MB of environment strings with0xfffffffffffffff8 (-8), because at an offset of -8B below the stringtable of most SUID-root programs, the string "\x08" appears: this forcesld.so to trust a relative directory named "\x08" (in our current workingdirectory), and therefore allows us to load and execute our ownlibc.so.6 or LD_PRELOAD library from this directory, as root.------------------------------------------------------------------------One major problem remains unsolved, however: to avoid the kind ofassert()ion failures mentioned earlier (when we tried to overwrite thel_next and l_prev pointers of the link_map structure), we must overwritethe soon-to-be-allocated link_map structure with NULL pointers only(except l_info[DT_RPATH], of course); but intuitively, the ability tooverflow a buffer with a large number of null bytes while parsing anull-terminated C string sounds quite unusual.Luckily for us attackers, the bytes that are written out-of-bounds byparse_tunables() are also read out-of-bounds (at line 234), but not fromthe mmap()ed copy of our GLIBC_TUNABLES environment variable (tunestr),but from our original GLIBC_TUNABLES environment variable in the stack(valstring, at line 200). Consequently, if we store a large number ofempty strings (null bytes) immediately after our GLIBC_TUNABLES in thestack, followed by the string "\x10\xf0\xff\xff\xfd\x7f", followed bymore empty strings (null bytes), then we safely overwrite the link_mapstructure with null bytes (NULL pointers), except for l_info[DT_RPATH](which we overwrite with 0x7ffdfffff010, which points to our ownElf64_Dyn structures in the stack with a probability of 1/2730).Final note: the exploitation method described in this advisory worksagainst almost all of the SUID-root programs that are installed bydefault on Linux; a few exceptions are:- sudo on all distributions, because it specifies its own ELF RUNPATH  (/usr/libexec/sudo), which overrides our l_info[DT_RPATH];- chage and passwd on Fedora, because they are protected by special  SELinux rules;- snap-confine on Ubuntu, because it is protected by special AppArmor  rules.Last-minute note: although glibc 2.34 is vulnerable to this bufferoverflow, its tunables_strdup() uses __sbrk(), not __minimal_malloc()(which was introduced in glibc 2.35 by commit b05fae, "elf: Use theminimal malloc on tunables_strdup"); we have not yet investigatedwhether glibc 2.34 is exploitable or not.========================================================================Acknowledgments========================================================================We thank Red Hat Product Security, Siddhesh Poyarekar, the members oflinux-distros@openwall, Salvatore Bonaccorso, and Solar Designer.========================================================================Timeline========================================================================2023-09-04: Advisory and exploit sent to secalert@redhat.2023-09-19: Advisory and patch sent to linux-distros@openwall.2023-10-03: Coordinated Release Date (17:00 UTC).

glibc ld.so Local Privilege Escalation

Debian Linux Security Advisory 5518-1 - It was discovered that missing input sanitising in the encoding support in libvpx, a multimedia library for the VP8 and VP9 video codecs, may result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5518-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoOctober 05, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libvpxCVE ID         : CVE-2023-44488It was discovered that missing input sanitising in the encoding supportin libvpx, a multimedia library for the VP8 and VP9 video codecs, mayresult in denial of service.For the oldstable distribution (bullseye), this problem has been fixedin version 1.9.0-1+deb11u2.For the stable distribution (bookworm), this problem has been fixed inversion 1.12.0-1+deb12u2.We recommend that you upgrade your libvpx packages.For the detailed security status of libvpx please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/libvpxFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmUfC+hfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0ShFg//d7Jd4qC4wXcyMie8BhtQ+mJWjauimf/INZ3HpuFvJy/dXcewbS54rjX6bCoA7Ph+eMSrHpB8HT7F36kM7bGGHhgiqRacDgyWhTo2I/ypEEuWj0BK29js7ajrvWokgkDIK4xZFqmqV6fKfD2tEa/3IdGxoreuBvta0VOi0mTe1jcuSyiro+DOGCxkSnFpt5Iyvc/uoc+QP3KbqwLqKH8KNOUZDpeIYu3lDByLRDaseuOBuKYGSQsx2lfG3P5TmAAHJi4KCDm1vpTJW3ifHo7QJkRWhKSfQv66+Lqz3nLfhZR9D9nD9kExFnxPcNCJZqrSdYjtHDXm8VVD+MY2L8ZRCnJkN6Wp9aQHK7i3jhqTv2nsK1mTEbv9HmHongfFmXskzgxlnY/5Ye1MSpRflnYskkC7AG/52vYWE00aXnY9OH0Lb7LIseu/YpeYSrSAPcC5ldWgFLH1xfczXgl43Q7bDVYBoiDFGuA6Z1bP0rexuvbKEBBmiEFAOR/FkLE8HbovvuXhGMvpN2RLWGAl7EuBAAJGR/q1/XcQpcdCPVUdkz0YG//o1uNTlUeQJkiQSzQFBwfvLF0MwnJ/bi7YIZeinEb0bBki01npLvQizafSz4HFyhAQIiRbrQFy3sVX4BipmVNdzOktp4L62EtKlYFr7fm8/aBZDVtrcn9Lg0CQfkg=EqLq-----END PGP SIGNATURE-----

Debian Security Advisory 5518-1

Debian Linux Security Advisory 5517-1 - Multiple security vulnerabilities were discovered in libx11, the X11 client-side library, which may result in denial of service or the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5517-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 05, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libx11CVE ID         : CVE-2023-43785 CVE-2023-43786 CVE-2023-43787Multiple security vulnerabilities were discovered in libx11, the X11client-side library, which may result in denial of service or theexecution of arbitrary code.For the oldstable distribution (bullseye), these problems have been fixedin version 2:1.7.2-1+deb11u2.For the stable distribution (bookworm), these problems have been fixed inversion 2:1.8.4-2+deb12u2.We recommend that you upgrade your libx11 packages.For the detailed security status of libx11 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libx11Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmUe/SEACgkQEMKTtsN8TjYVyw//XICOLb5ZAfQBjWuhJvJkM7SN1pjd2Iulvqz2sNgAzSninvda2n6458BB41fs6J5dIkCIGVWJ2/4hwBXuMMc4HO7KTTs+BW9WGBJOwd7ZpwTpvxe07M+kOPt2iqebM5dd5QO+ifh6AHTZ3amPliKfCCUcItYN1aMpolB5N/LJBdMa8j/ebU11pu5TGLreIskc+k4/lrJ/22Nr5SsGj0xTnXYrvBPcB6CX+aX7J1uWLyu6ZP5mBzmgjA+FI9SH5XGzQ3l2F29tp/xJUg9lwYp7Ij+vpNP/DWLo+QC2F5Q6II0ZG9wlEA1KiYR9l2rf7OVhtBWkaUZoVTyaSX+isj0i1BCZgyic84y/vlfVODuwAMY6K7ggZS9J+HmdYUvBLk8YTXFTfPZeQzglEw7U9Ia6fkV9dKeOHCrFlLelTz2umBmGfIT/WdOwSk5qczheJsayd9VhcxOExDoqRmhOhdslI5R0p2VMcr5N5qLzPaPnvhTWw3XeirlfKu1+SeMVGbdXF3+iWIbPtXuqOUBOmxu48HfZ/6/WyondTGN9qpTPdUgdYpHeVielziT8WYo4q88zyaDMYIEj3Jpo+/9QHD+c60VBjumebW8F3Shat/Xq0qOWHWI4u3J5ZOXNXJTfVGEGgtWxancMQeQxu4oejxyO8zAVbo47uDs3juuUw3kJ58Y=YNpi-----END PGP SIGNATURE-----

Debian Security Advisory 5517-1

Debian Linux Security Advisory 5516-1 - Multiple security vulnerabilities were discovered in libxpm, the X11 pixmap library, which may result in denial of service or the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5516-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 05, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libxpmCVE ID         : CVE-2023-43788 CVE-2023-43789Multiple security vulnerabilities were discovered in libxpm, the X11pixmap library, which may result in denial of service or the executionof arbitrary code.For the oldstable distribution (bullseye), these problems have been fixedin version 1:3.5.12-1.1+deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 1:3.5.12-1.1+deb12u1.We recommend that you upgrade your libxpm packages.For the detailed security status of libxpm please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libxpmFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmUe/VYACgkQEMKTtsN8TjZ6fw/8DuvSCC62gLDWFxk+u7E0Jw4jJkd+I3LBarfScOGNp5H9DCJhynjmyIYM9LT2MFWja+QOXEbJWva9G+nUSI/E34+1EgAX8oo4jOVuHJzIFApXvEeYKE5zuEKBbIAXJgtgoDn44l8YbC8Np9LhbjlyJdIkLWpkl8kLQ5DXcZXrKensGnnSYjGZqvIPtC4n/gwFfyrBVGd77yd/y6r38aUd5drJyLfiTDmR75fNz1yLjd51anlP1pBdy8fsxgTJW3T2SEh6iHFIu3EvroJTFz9WrOW1z3RyTMhkkIFzAiKW3aCiWqE0AP6okBMMPw/QWCIiQrlLGRtStgfL5N+dTa1XWdDkR9EDjtszigXYnxNkqdHzA+R8NkXZorX4r5R2Thltqd3Et3Jy1DsttU4PfALjcAH2qlGZ9xJBOisREz96XKCSQVMi7gDbZW5l9vMeXQq15sAHH+HquGjONrS10JpgfE0Jvuff0+10vJskZxBPOBNnNlxMz6NWVrZhcTe7hmOJm//Cdxiy582IkIMNn2IY5tRXPoDeYarAtTvcrDDE495XY8jDhZKgNE5PBqBXcpQnrAUl5L4S3PIUJYF+r9Wnyf46OmwMLH3mR5zf7TgpwAlaRLONBPTK72JTLklBbYTz6coBYrEGGGdwVuRlPjU+zifY3fwGTm5zXd6MLCfXx1U=nUCe-----END PGP SIGNATURE-----

Debian Security Advisory 5516-1


Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the CLI use of the ‘more’ command. A local or remote authenticated attacker could potentially exploit this vulnerability, leading to the ability to gain root-level access.



**Impact**

High

**Details**

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-4401

Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the CLI use of the ‘more’ command. A local or remote authenticated attacker could potentially exploit this vulnerability, leading to the ability to gain root-level access.

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-43068

Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the restricted shell in SSH. An authenticated remote attacker could potentially exploit this vulnerability, leading to execute arbitrary commands.

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-43069

Dell SmartFabric Storage Software v1.4 (and earlier) contain(s) an OS Command Injection Vulnerability in the CLI. An authenticated local attacker could potentially exploit this vulnerability, leading to possible injection of parameters to curl or docker.

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-43070

Dell SmartFabric Storage Software v1.4 (and earlier) contains a Path Traversal Vulnerability in the HTTP interface. A remote authenticated attacker could potentially exploit this vulnerability, leading to modify or write arbitrary files to arbitrary locations in the license container.

6.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVE-2023-43071

Dell SmartFabric Storage Software v1.4 (and earlier) contains possible vulnerabilities for HTML injection or CVS formula injection which might escalate to cross-site scripting attacks in HTML pages in the GUI. A remote authenticated attacker could potentially exploit these issues, leading to various injection type attacks.

4.4

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2023-43072

Dell SmartFabric Storage Software v1.4 (and earlier) contains an improper access control vulnerability in the CLI. A local possibly unauthenticated attacker could potentially exploit this vulnerability, leading to ability to execute arbritrary shell commands.

4.4

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

CVE-2023-43073

Dell SmartFabric Storage Software v1.4 (and earlier) contains an Improper Input Validation vulnerability in RADIUS configuration. An authenticated remote attacker could potentially exploit this vulnerability, leading to gaining unauthorized access to data.

4.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-4401

Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the CLI use of the ‘more’ command. A local or remote authenticated attacker could potentially exploit this vulnerability, leading to the ability to gain root-level access.

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-43068

Dell SmartFabric Storage Software v1.4 (and earlier) contains an OS Command Injection Vulnerability in the restricted shell in SSH. An authenticated remote attacker could potentially exploit this vulnerability, leading to execute arbitrary commands.

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-43069

Dell SmartFabric Storage Software v1.4 (and earlier) contain(s) an OS Command Injection Vulnerability in the CLI. An authenticated local attacker could potentially exploit this vulnerability, leading to possible injection of parameters to curl or docker.

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-43070

Dell SmartFabric Storage Software v1.4 (and earlier) contains a Path Traversal Vulnerability in the HTTP interface. A remote authenticated attacker could potentially exploit this vulnerability, leading to modify or write arbitrary files to arbitrary locations in the license container.

6.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVE-2023-43071

Dell SmartFabric Storage Software v1.4 (and earlier) contains possible vulnerabilities for HTML injection or CVS formula injection which might escalate to cross-site scripting attacks in HTML pages in the GUI. A remote authenticated attacker could potentially exploit these issues, leading to various injection type attacks.

4.4

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2023-43072

Dell SmartFabric Storage Software v1.4 (and earlier) contains an improper access control vulnerability in the CLI. A local possibly unauthenticated attacker could potentially exploit this vulnerability, leading to ability to execute arbritrary shell commands.

4.4

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

CVE-2023-43073

Dell SmartFabric Storage Software v1.4 (and earlier) contains an Improper Input Validation vulnerability in RADIUS configuration. An authenticated remote attacker could potentially exploit this vulnerability, leading to gaining unauthorized access to data.

4.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

CVEs Addressed 

Product

Affected Versions

Updated Versions

Link

CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073

SmartFabric Storage Software Debian package v1.4.1   
for upgrading SmartFabric Storage Software VM  
 deployed on either ESXi or linux KVM

 v1.4.0 and prior

 v1.4.1

Debian Package v1.4.1 upgrade SmartFabric Storage Software VM (applicable to ESXi or Linux KVM)

CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073

SmartFabric Storage Software package v1.4.1 for ESXi.

v1.4.0 and prior

v1.4.1

SmartFabric Storage Software package v1.4.1 for ESXi

CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073

SmartFabric Storage Software package v1.4.1 for Linux KVM.

v1.4.0 and prior

v1.4.1

SmartFabric Storage Software package v1.4.1 for Linux KVM

CVEs Addressed 

Product

Affected Versions

Updated Versions

Link

CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073

SmartFabric Storage Software Debian package v1.4.1   
for upgrading SmartFabric Storage Software VM  
 deployed on either ESXi or linux KVM

 v1.4.0 and prior

 v1.4.1

Debian Package v1.4.1 upgrade SmartFabric Storage Software VM (applicable to ESXi or Linux KVM)

CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073

SmartFabric Storage Software package v1.4.1 for ESXi.

v1.4.0 and prior

v1.4.1

SmartFabric Storage Software package v1.4.1 for ESXi

CVE-2023-4401, CVE-2023-43068, CVE-2023-43069, CVE-2023-43070, CVE-2023-43071, CVE-2023-43072, CVE-2023-43073

SmartFabric Storage Software package v1.4.1 for Linux KVM.

v1.4.0 and prior

v1.4.1

SmartFabric Storage Software package v1.4.1 for Linux KVM

**Workarounds and Mitigations**

None

**Revision History**

Revision

Date

Description

1.0

2023-09-28

Initial Revision

2.0

2023-10-05

Major Revision: added CVE links and modified some minor formatting

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

SmartFabric Storage Software for NVMe/TCP SAN, SmartFabric Storage Software Download for NVMe/TCP SAN

CVE-2023-4401: DSA-2023-347: Dell SmartFabric Storage Software Security Update for Multiple Vulnerabilities

Debian Linux Security Advisory 5515-1 - A security issue was discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5515-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 04, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-5346A security issue was discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), this problem has been fixedin version 117.0.5938.149-1~deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 117.0.5938.149-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmUdr/sACgkQEMKTtsN8TjYWYQ/9EgGVg8+3uma9IEAt2ISwgRTSNL9Ud/ul/3L9Hfo1CVBKLyyb/hgnKuMcBgTSD/qmtcxEGLHuBLY7R+fxoWkDEAyQLsPQcT7lYWNcV3/N9Kxf5JIaNCUx+44B7+nMgD1tw1h8Bob+VdcPdrRQofn8FL3lAj0cyfzveJHImEL/2VG3R0T1eb46pUT/paeTvO2jYNdtPH9xB8VvDquQ1igBUx8EjYo+rn6LEsztfke/mwA0NPi2OhAwTcj7KQxatB1pfkyDza+fTUuLRGKX2JfCPb8pbKfMJIsNCzHykjzcAbxGXkutjYwpocjLMZcaXs74WCqUfQqOjNdmPZav5uMynJAyiqhh0pBEBwPjd3BISpm0aXJ+hWzR4N2/Zp4q0t+ISQv52EHaF2GMKTnFnpz4wS+6j4oXcccr8AVLEWwRe5o+YdiOT8FB0aHRGtK5n1smXpqjJXz3RnfiODC3PfhCrassPT9KBYsGxIrbMVDi8YGr6DC6oIe9v82DbuKviNvPTrhisxmREw1uSGrDEJ1ZMlvSxCy8tFE5SAOvVXD2t/8300NJRxSYSTgW3aXHiB4BWWuuIH1B+5Uj+v/rS2wPV1ZftmFHXgzAL95Hu8va2VtU0bL+dQhvQ5i2Tpp5zWPNTcRvxHKLyCQyOJIIB+Ukrbe1ltu76mHJj+aJVjBa45E=iaPP-----END PGP SIGNATURE-----

Tag

#debian