A memory leak flaw was found in ruby-magick, an interface between Ruby and ImageMagick. This issue can lead to a denial of service (DOS) by memory exhaustion.

**memory leak flaw was found in ruby-magick**

Moderate severity GitHub Reviewed Published Oct 30, 2023 to the GitHub Advisory Database • Updated Oct 31, 2023

GHSA-frgf-8jr5-j2jv: memory leak flaw was found in ruby-magick

'2247064?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-5349: Invalid Bug ID

In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

_Published October 4, 2023 | Updated October 26, 2023_

This Android Security Release Notes contains details of security vulnerabilities affecting Android devices which are addressed as part of Android 14. Android 14 devices with a security patch level of 2023-10-01 or later are protected against these issues (Android 14 , as released on AOSP, will have a default security patch level of 2023-10-01). To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues prior to publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository as part of the Android 14 release.

The severity assessment of issues in these release notes are based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Announcements**

*   The issues described in this document are addressed as part of Android 14 . This information is provided for reference and transparency.
*   We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**Android 14 vulnerability details**

The sections below provide details for security vulnerabilities fixed as part of Android 14 . Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, and severity.

**Android runtime**

   

CVE

References

Type

Severity

CVE-2022-29824

A-272276710

EoP

High

CVE-2023-21309

A-266432364

ID

Moderate

CVE-2023-21366

A-265440128

ID

Moderate

CVE-2023-21367

A-265499381

ID

Moderate

CVE-2023-21372

A-262741239

EoP

Moderate

CVE-2023-40101

A-267617531

ID

Moderate

**Framework**

   

CVE

References

Type

Severity

CVE-2023-21342

A-232799171

EoP

High

CVE-2023-21343

A-257953844

EoP

High

CVE-2023-21351

A-232798676

EoP

High

CVE-2023-21398

A-274592326

EoP

High

CVE-2023-21362

A-229633537

DoS

High

CVE-2023-21364

A-262595156

DoS

High

CVE-2023-21365

A-262594744

DoS

High

CVE-2023-21298

A-179699722

EoP

Moderate

CVE-2023-21324

A-197327805

EoP

Moderate

CVE-2023-21328

A-195963690

EoP

Moderate

CVE-2023-21337

A-179783499

EoP

Moderate

CVE-2023-21338

A-179783492

EoP

Moderate

CVE-2023-21341

A-190694761

EoP

Moderate

CVE-2023-21374

A-267313135

EoP

Moderate

CVE-2023-21397

A-245300607

EoP

Moderate

CVE-2022-20264

A-217561828

ID

Moderate

CVE-2022-27404

A-271684625

ID

Moderate

CVE-2023-21293

A-213903886

ID

Moderate

CVE-2023-21294

A-191678586

ID

Moderate

CVE-2023-21295

A-187957189

ID

Moderate

CVE-2023-21296

A-202386106

ID

Moderate

CVE-2023-21299

A-224533639

ID

Moderate

CVE-2023-21300

A-224015938

ID

Moderate

CVE-2023-21301

A-224976267

ID

Moderate

CVE-2023-21302

A-228450093

ID

Moderate

CVE-2023-21303

A-208257145

ID

Moderate

CVE-2023-21304

A-208257015

ID

Moderate

CVE-2023-21305

A-207671082

ID

Moderate

CVE-2023-21306

A-208258924

ID

Moderate

CVE-2023-21316

A-207133734

ID

Moderate

CVE-2023-21317

A-207670653

ID

Moderate

CVE-2023-21318

A-208258815

ID

Moderate

CVE-2023-21319

A-217740016

ID

Moderate

CVE-2023-21320

A-205707373

ID

Moderate

CVE-2023-21321

A-231160336

ID

Moderate

CVE-2023-21323

A-232796464

ID

Moderate

CVE-2023-21326

A-232415364

ID

Moderate

CVE-2023-21327

A-186404361

ID

Moderate

CVE-2023-21329

A-185126503

ID

Moderate

CVE-2023-21330

A-238299601

ID

Moderate

CVE-2023-21331

A-227208010

ID

Moderate

CVE-2023-21332

A-212287294

ID

Moderate

CVE-2023-21333

A-212287061

ID

Moderate

CVE-2023-21334

A-189944359

ID

Moderate

CVE-2023-21336

A-216823971

ID

Moderate

CVE-2023-21344

A-248250734

ID

Moderate

CVE-2023-21346

A-248250674

ID

Moderate

CVE-2023-21348

A-249058614

ID

Moderate

CVE-2023-21349

A-241233589

ID

Moderate

CVE-2023-21354

A-241233630

ID

Moderate

CVE-2023-21377

A-231587164

ID

Moderate

CVE-2023-21382

A-161370118

ID

Moderate

CVE-2023-21387

A-280296227

ID

Moderate

CVE-2023-21339

A-235353864

DoS

Moderate

CVE-2023-21345

A-249056757

ID

Low

CVE-2023-45780

A-215212215

EoP

High

**Media Framework**

   

CVE

References

Type

Severity

CVE-2023-21381

A-274883119

EoP

High

CVE-2023-21355

A-274815060

EoP

Moderate

**System**

   

CVE

References

Type

Severity

CVE-2021-39810

A-212610736

EoP

High

CVE-2023-21313

A-268341970

EoP

High

CVE-2023-21358

A-274447627

EoP

High

CVE-2023-21361

A-277249213

EoP

High

CVE-2023-21392

A-281346084

EoP

High

CVE-2023-21312

A-277915880

ID

High

CVE-2023-21315

A-277578150

ID

High

CVE-2023-21394

A-273502295

ID

High

CVE-2023-21356

A-276975913

RCE

Moderate

CVE-2023-21310

A-274722163

EoP

Moderate

CVE-2023-21360

A-242994452

EoP

Moderate

CVE-2023-21370

A-263948587

EoP

Moderate

CVE-2023-21371

A-263948508

EoP

Moderate

CVE-2023-21373

A-277073811

EoP

Moderate

CVE-2023-21375

A-261071553

EoP

Moderate

CVE-2023-21376

A-212694314

EoP

Moderate

CVE-2023-21378

A-257953390

EoP

Moderate

CVE-2023-21380

A-274722185

EoP

Moderate

CVE-2023-21388

A-269122009

EoP

Moderate

CVE-2023-21389

A-278559731

EoP

Moderate

CVE-2023-21390

A-271849181

EoP

Moderate

CVE-2023-21393

A-262242946

EoP

Moderate

CVE-2023-21396

A-232258773

EoP

Moderate

CVE-2022-20531

A-231988638

ID

Moderate

CVE-2023-21308

A-252764300

ID

Moderate

CVE-2023-21314

A-266433017

ID

Moderate

CVE-2023-21325

A-230755151

ID

Moderate

CVE-2023-21335

A-232938844

ID

Moderate

CVE-2023-21340

A-236813210

ID

Moderate

CVE-2023-21347

A-242171908

ID

Moderate

CVE-2023-21350

A-243792935

ID

Moderate

CVE-2023-21352

A-244155256

ID

Moderate

CVE-2023-21353

A-244155333

ID

Moderate

CVE-2023-21357

A-252996038

ID

Moderate

CVE-2023-21359

A-260726311

ID

Moderate

CVE-2023-21368

A-277288588

ID

Moderate

CVE-2023-21379

A-264921486

ID

Moderate

CVE-2023-21383

A-233607547

ID

Moderate

CVE-2023-21384

A-256590334

ID

Moderate

CVE-2023-21385

A-271458258

ID

Moderate

CVE-2023-21395

A-259939435

ID

Moderate

CVE-2023-21311

A-237289258

DoS

Moderate

CVE-2023-21369

A-264260808

DoS

Moderate

CVE-2023-21391

A-278556945

DoS

Moderate

CVE-2023-21386

A-275552292

ID

Moderate

CVE-2023-21297

A-230733237

ID

Moderate

CVE-2023-21307

A-192475649

ID

High

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

Android 14 , as released on AOSP, has a default security patch level of 2023-10-01. Android devices running Android 14 and with a security patch level of 2023-10-01 or later address all issues contained in these security release notes.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

**Versions**

  

Version

Date

Notes

1.0

October 4, 2023

Bulletin Published

1.1

October 26, 2023

Updated Issue List

CVE-2021-39810: Android 14 Security Release Notes

Adobe Acrobat for Edge version 118.0.2088.46 (and earlier) is affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVE-2023-44323

Debian Linux Security Advisory 5538-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5538-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
October 27, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728   
                 CVE-2023-5730 CVE-2023-5732

Multiple security issues were discovered in Thunderbird, which could  
result in denial of service or the execution of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:115.4.1-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:115.4.1-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmU8/MIACgkQEMKTtsN8  
TjYydw/5AYVlXQCfZjiLfnVEk+KVVib53rJGc+eR3QtpcpzO6l73fPgRKWbBylM1  
GEwu8ua6NxQ8rk2SEfA9QFwRj3EE3OBVIDOMNA7RO+UNWYqHtYYHZiif73q/7Y12  
k3gvdKpAZny67bFYSSTxu1Y0yTGmZu0HdIbIc46pfu6kdqJFvqabskEDRZ+IKKOD  
dLdbJ48xY5GjmLaqJ4YX0Mm8x9CO9ILrCjkqjnwz+D/5Tpafue3+tQscJ276eMbw  
qCGlEctLX5HywcpL3W5mSWnLwZZpoOjYdTKyJDW+hTMNTFUqsuoZDylbqiUdxBjU  
ZRenTXMjKOCFATjD3vkJHF6eGZzYIhE92fTmlBeF+j40xbGXW7nq+F4XLl7gtziC  
YzbGxXgG4tvChrt56iMaixt80axt5wVosc2mx+7m+u6aD+ulNKHh0bKP6dchEATY  
stomlKurwR45IyrBdq7EhppUkObV3tpUm7b6h/3LK2wbI2OUwl2lz8wRNXNct04Z  
75LfgyYQE/Mkcffay3IL1Ej7qBq7u8URxmvYXJ9OO148ihJTCdv7qYI9w/ltSB9s  
gW76DXOoW+9t6RSCP7ftCsx2QEW5sdq0V4tTptIlEuAFJ29ORoQ1xDyc4bQlvqWn  
lLO1vbZmk2iZfEzg6JYX9ceG6AL4HY8sHDe1TlcUEOyVsB89obg=  
=IfPw  
-----END PGP SIGNATURE-----

Debian Security Advisory 5538-1

Debian Linux Security Advisory 5537-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in bypass of sandbox restrictions or denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5537-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 27, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : openjdk-11CVE ID         : CVE-2023-22067 CVE-2023-22081Several vulnerabilities have been discovered in the OpenJDK Java runtime,which may result in bypass of sandbox restrictions or denial of service.For the oldstable distribution (bullseye), these problems have been fixedin version 11.0.21+9-1~deb11u1.We recommend that you upgrade your openjdk-11 packages.For the detailed security status of openjdk-11 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/openjdk-11Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmU74DgACgkQEMKTtsN8Tjbrug/+K+/T0ydiyOhIQ/4s4rrQr2YBx0miVGaBTFjuAEw/YduTbIT4eLsJsWOZeQ2dg2ZkIFtW1Ngs7QUaA7WgAjgAu7tnW90rZYFiQalcxPlwAmnSWZSYM9SSaW9p/AHARm8uSQ0YKjlnskCEDVXODVggzOQLpvVF2oA8MA+1Rtb6hnl1W4u+IDXvhXCZzniKheuAe/G9iz0nY8wHgEVNfIc1KO+MKFyD8Z655kH8qgGuMcyORGYDFDX4l6luorc/dA15dr90pokg0TD/2L2dIbkEsj0zOePzU6yZsYTBgQ878Y8gdJnCirpSS/ZaCKWAOSX+fARW+wVUsscvpUh/TcDyHEKh8EjA05ahaiqp6/gvScz8H9rbebYw32glFEu89JMgfDLAI137YLqkfOWhLIKvCzZ+u+drpg7Hf0yjDU0dPWWzc0KHd/asClDxyec5N5zlDCI7eGvY2zxH0TsGqiyed2GVTPi1TR3FWRRvlCC1uKiZF9vdmQZTubDzqpjR7gGbVIyGfn6lYDOxqhOTq7ftoJ3+BjCBxuaxZmHBtw2QzQCb8pJalQj1D2IgqsMBAt92pdD+3DyXjEYnFHNRr330uDiVg2ZeadatRkm+VwiI+pJGwkl+1Xrom1Mg2SQkeNtiY5IO3lGAjIhU8b0TkbrgdMoM3j0zI4dQkX8+BRV5YKM==UEly-----END PGP SIGNATURE-----

Debian Security Advisory 5537-1

Gentoo Linux Security Advisory 202310-18 - Multiple vulnerabilities have been discovered in Rack, the worst of which can lead to sequence injection in logging components. Versions greater than or equal to 2.2.3.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-18  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Rack: Multiple Vulnerabilities  
     Date: October 30, 2023  
     Bugs: #884795  
       ID: 202310-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Rack, the worst of  
which can lead to sequence injection in logging compontents.

Background  
==========

Rack is a modular Ruby web server interface.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
dev-ruby/rack  < 2.2.3.1     >= 2.2.3.1

Description  
===========

Multiple vulnerabilities have been discovered in Rack. Please review the  
CVE identifiers referenced below for details.

Impact  
======

A possible denial of service vulnerability was found in the multipart  
parsing component of Rack.

A sequence injection vulnerability was found which could allow a  
possible shell escape in the Lint and CommonLogger components of Rack.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Rack users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-ruby/rack-2.2.3.1"

References  
==========

[ 1 ] CVE-2022-30122  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30122  
[ 2 ] CVE-2022-30123  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30123

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-18

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-18

Ubuntu Security Notice 6456-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Kelsey Gilbert discovered that Firefox did not properly manage certain browser prompts and dialogs due to an insufficient activation-delay. An attacker could potentially exploit this issue to perform clickjacking.

    ==========================================================================Ubuntu Security Notice USN-6456-1October 30, 2023firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user weretricked into opening a specially crafted website, an attacker couldpotentially exploit these to cause a denial of service, obtain sensitiveinformation across domains, or execute arbitrary code. (CVE-2023-5722,CVE-2023-5724, CVE-2023-5728, CVE-2023-5729, CVE-2023-5730, CVE-2023-5731)Kelsey Gilbert discovered that Firefox did not properly manage certainbrowser prompts and dialogs due to an insufficient activation-delay. Anattacker could potentially exploit this issue to perform clickjacking.(CVE-2023-5721)Daniel Veditz discovered that Firefox did not properly validate a cookiecontaining invalid characters. An attacker could potentially exploit thisissue to cause a denial of service. (CVE-2023-5723)Shaheen Fazim discovered that Firefox did not properly validate the URLsopen by installed WebExtension. An attacker could potentially exploit thisissue to obtain sensitive information. (CVE-2023-5725)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  firefox                         119.0+build2-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-6456-1  CVE-2023-5721, CVE-2023-5722, CVE-2023-5723, CVE-2023-5724,  CVE-2023-5725, CVE-2023-5728, CVE-2023-5729, CVE-2023-5730,  CVE-2023-5731Package Information:  https://launchpad.net/ubuntu/+source/firefox/119.0+build2-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6456-1

Red Hat Security Advisory 2023-6161-01 - The Migration Toolkit for Containers 1.7.14 is now available. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6161.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Migration Toolkit for Containers (MTC) 1.7.14 security and bug fix update  
Advisory ID:        RHSA-2023:6161-01  
Product:            Red Hat Migration Toolkit  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6161  
Issue date:         2023-10-30  
Revision:           01  
CVE Names:          CVE-2023-29406  
====================================================================

Summary: 

The Migration Toolkit for Containers (MTC) 1.7.14 is now available.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.

Security Fix(es) from Bugzilla:

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)

* golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)

* golang: html/template: improper handling of special tags within script contexts (CVE-2023-39319)

* golang: html/template:  improper handling of HTML-like comments within script contexts (CVE-2023-39318)

* golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)

* golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-29406

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6161-01

Red Hat Security Advisory 2023-6158-01 - An update is now available for Red Hat Ansible Automation Platform 2.4.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6158.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix UpdateAdvisory ID:        RHSA-2023:6158-01Product:            Red Hat Ansible Automation PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6158Issue date:         2023-10-30Revision:           01CVE Names:          CVE-2023-43665====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.4Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):*  automation-controller: Django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)* python3-urllib3/python39-urllib3: Cookie request header isn't stripped during cross-origin redirects (CVE-2023-43804)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Updates and fixes for automation controller:* automation-controller has been updated to 4.4.7* Cleaned up SOS report passwords (AAP-17544)* Customers using the \"infra.controller_configuration\" collection (which uses \"ansible.controller\" collection) to update their Ansible Automation Platform environment no longer receive an HTTP 499 response (AAP-17422)Additional changes:* python3-urllib3/python39-urllib3 has been updated to 1.26.18Solution:CVEs:CVE-2023-43665References:https://access.redhat.com/security/updates/classification/#moderate

Tag

#dos