Buffer Overflow vulnerability found in Libming swftophp v.0.4.8 allows a local attacker to cause a denial of service via the newVar_N in util/decompile.c.

Heap buffer overflow in the latest version of libming at function newVar\_N in util/decompile.c:654.

**Environment**

Ubuntu 18.04, 64 bit  
libming 0.4.8

**Steps to reproduce**

1.  download file

    wget https://github.com/libming/libming/archive/refs/tags/ming-0_4_8.tar.gz
    tar -zxvf ming-0_4_8.tar.gz
    

2.  compile libming with ASAN

    cd libming-ming-0_4_8
    ./autogen.sh
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
    make
    make install
    
    cd obj-bc/bin/
    extract-bc swftophp
    clang -fsanitize=address -lz -lm swftophp.bc -o swftophp_asan
    

3.  command for reproducing the error

Download poc:  
libming\_0-4-8\_swftophp\_heap-buffer-overflow\_decompile654.zip

**ASAN report**

    root@2413df779df0:~/compiler1804/libming-ming-0_4_8/obj-bc/bin# ./swftophp_asan libming_0-4-8_swftophp_heap-buffer-overflow_decompile654.swf 
    header indicates a filesize of 0 but filesize is 166
    <?php
    $m = new SWFMovie(0);
    
    ming_setscale(1.0);
    $m->setRate(0.000000);
    $m->setDimension(0, 1);
    
    /* Note: xMin and/or yMin are not 0! */
    
    $m->setFrames(0);
    
    /* SWF_DOACTION */
        16:SWFACTION_FSCOMMAND2
      Can't get int for type: 10
    =================================================================
    ==60490==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001880 at pc 0x000000439494 bp 0x7ffd310a9d90 sp 0x7ffd310a9540
    READ of size 1025 at 0x619000001880 thread T0
        #0 0x439493 in __interceptor_strlen.part.36 /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372
        #1 0x5022e5 in newVar_N /root/compiler1804/libming-ming-0_4_8/util/decompile.c:654:11
        #2 0x4fbe07 in decompileNEWOBJECT /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1588:7
        #3 0x4fab64 in decompileAction /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3190:3
        #4 0x501b27 in decompileActions /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3401:6
        #5 0x503b31 in decompile5Action /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3423:2
        #6 0x4f7865 in outputSWF_DOACTION /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:1548:29
        #7 0x4f72ac in outputBlock /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:2079:4
        #8 0x4f9d21 in readMovie /root/compiler1804/libming-ming-0_4_8/util/main.c:277:4
        #9 0x4f984d in main /root/compiler1804/libming-ming-0_4_8/util/main.c:350:2
        #10 0x7fe2276bdc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #11 0x41b8d9 in _start (/root/compiler1804/libming-ming-0_4_8/obj-bc/bin/swftophp_asan+0x41b8d9)
    
    0x619000001880 is located 0 bytes to the right of 1024-byte region [0x619000001480,0x619000001880)
    allocated by thread T0 here:
        #0 0x4ae288 in realloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164
        #1 0x502330 in newVar_N /root/compiler1804/libming-ming-0_4_8/util/decompile.c:657:18
        #2 0x4fbe07 in decompileNEWOBJECT /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1588:7
        #3 0x4fab64 in decompileAction /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3190:3
        #4 0x501b27 in decompileActions /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3401:6
        #5 0x503b31 in decompile5Action /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3423:2
        #6 0x4f7865 in outputSWF_DOACTION /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:1548:29
        #7 0x4f72ac in outputBlock /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:2079:4
        #8 0x4f9d21 in readMovie /root/compiler1804/libming-ming-0_4_8/util/main.c:277:4
        #9 0x4f984d in main /root/compiler1804/libming-ming-0_4_8/util/main.c:350:2
        #10 0x7fe2276bdc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/LLVM/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372 in __interceptor_strlen.part.36
    Shadow bytes around the buggy address:
      0x0c327fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff82d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff82e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff82f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c327fff8300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c327fff8310:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c327fff8360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==60490==ABORTING

CVE-2023-30083: Heap buffer overflow in newVar_N() at decompile.c:654 · Issue #266 · libming/libming

An issue found in libming swftophp v.0.4.8 allows a local attacker to cause a denial of service via the stackVal function in util/decompile.c.

Invalid memory read in the latest version of libming at function stackVal in util/decompile.c:1238.

    wget https://github.com/libming/libming/archive/refs/tags/ming-0_4_8.tar.gz
    tar -zxvf ming-0_4_8.tar.gz
    

    cd libming-ming-0_4_8
    ./autogen.sh
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
    make
    make install
    
    cd obj-bc/bin/
    extract-bc swftophp
    clang -fsanitize=address -lz -lm swftophp.bc -o swftophp_asan
    

    root@2413df779df0:~/compiler1804/libming-ming-0_4_8/obj-bc/bin# ./swftophp_asan libming_0-4-8_swftophp_invalid-memory-read_decompile1238.swf 
    header indicates a filesize of 4278191411 but filesize is 166
    <?php
    $m = new SWFMovie();
    
    ming_setscale(1.0);
    
    /* Note: using v5+ syntax for script blocks (original SWF file version was 4)! */
    
    $m->setRate(64.855469);
    $m->setDimension(66, 327);
    
    /* Note: xMin and/or yMin are not 0! */
    
    $m->setFrames(7440);
     Stream out of sync after parse of blocktype 24 (SWF_PROTECT). 124 but expecting 58.
    
    /* SWF_PROTECT */
    $m->protect("\tJ�A�\n�=�b��h"�BAH���CU���!�����М{/��R���z��W:�6$QSՖ�;owf޼�0]x�\r�������\)���
                                                                                                ��Qp(#}�m�\_");
     Stream out of sync after parse of blocktype 9 (SWF_SETBACKGROUNDCOLOR). 63 but expecting 119.
    
    /* SWF_SETBACKGROUNDCOLOR */
    $m->setBackground(0x2f, 0xed, 0xd1);
     Stream out of sync after parse of blocktype 11 (SWF_DEFINETEXT). 165 but expecting 125.
    
    /* SWF_DEFINETEXT */
    $character24412 = new SWFText(1);
    $character24412->setFont($f392);
    $character24412->setHeight(30910);
    $character24412->setColor(0x79, 0x9d, 0xb2);
    $character24412->moveTo(0, -15327);
    $character24412->addString("X");
    Failed to find branch target!!!
    Looking for: -28887
    
     Stream out of sync after parse of blocktype 12 (SWF_DOACTION). 138 but expecting 134.
    
    /* SWF_DOACTION */
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==60499==ERROR: AddressSanitizer: SEGV on unknown address 0x601fffffffb0 (pc 0x000000502876 bp 0x7ffe6a2faa50 sp 0x7ffe6a2faa50 T0)
    ==60499==The signal is caused by a READ memory access.
        #0 0x502876 in stackVal /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1238:41
        #1 0x4fe03d in decompileIF /root/compiler1804/libming-ming-0_4_8/util/decompile.c:2395:7
        #2 0x4facdc in decompileAction /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3242:10
        #3 0x501b27 in decompileActions /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3401:6
        #4 0x503b31 in decompile5Action /root/compiler1804/libming-ming-0_4_8/util/decompile.c:3423:2
        #5 0x4f7865 in outputSWF_DOACTION /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:1548:29
        #6 0x4f72ac in outputBlock /root/compiler1804/libming-ming-0_4_8/util/outputscript.c:2079:4
        #7 0x4f9d21 in readMovie /root/compiler1804/libming-ming-0_4_8/util/main.c:277:4
        #8 0x4f984d in main /root/compiler1804/libming-ming-0_4_8/util/main.c:350:2
        #9 0x7f6f2645dc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #10 0x41b8d9 in _start (/root/compiler1804/libming-ming-0_4_8/obj-bc/bin/swftophp_asan+0x41b8d9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /root/compiler1804/libming-ming-0_4_8/util/decompile.c:1238:41 in stackVal
    ==60499==ABORTING

CVE-2023-30084: Invalid memory read in stackVal() at decompile.c:1238 · Issue #268 · libming/libming

Buffer Overflow vulnerability found in Libming swftophp v.0.4.8 allows a local attacker to cause a denial of service via the cws2fws function in util/decompile.c.

Allocation size overflow in the latest version of libming at function cws2fws in util/main.c:111.

**Environment**

Ubuntu 18.04, 64 bit  
libming 0.4.8

**Steps to reproduce**

1.  download file

    wget https://github.com/libming/libming/archive/refs/tags/ming-0_4_8.tar.gz
    tar -zxvf ming-0_4_8.tar.gz
    

2.  compile libming with ASAN

    cd libming-ming-0_4_8
    ./autogen.sh
    export FORCE_UNSAFE_CONFIGURE=1
    export LLVM_COMPILER=clang
    CC=wllvm CXX=wllvm++ CFLAGS="-g -O0 -fcommon -Wno-error" ./configure --prefix=`pwd`/obj-bc --with-php-config=/usr/bin/php-config7.2 --enable-static --disable-shared
    make
    make install
    
    cd obj-bc/bin/
    extract-bc swftophp
    clang -fsanitize=address -lz -lm swftophp.bc -o swftophp_asan
    

3.  command for reproducing the error

Download poc:  
libming\_0-4-8\_swftophp\_allocation-size-overflow\_main111.zip

**ASAN report**

    root@2413df779df0:~/compiler1804/libming-ming-0_4_8/obj-bc/bin# ./swftophp_asan libming_0-4-8_swftophp_allocation-size-overflow_main111.swf 
    =================================================================
    ==60493==ERROR: AddressSanitizer: requested allocation size 0xffffffffff000533 (0xffffffffff001538 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
        #0 0x4ae288 in realloc /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164
        #1 0x4f9334 in cws2fws /root/compiler1804/libming-ming-0_4_8/util/main.c:111:15
        #2 0x4f99dd in readMovieHeader /root/compiler1804/libming-ming-0_4_8/util/main.c:198:18
        #3 0x4f97ee in main /root/compiler1804/libming-ming-0_4_8/util/main.c:346:5
        #4 0x7f6a64b67c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    
    ==60493==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: allocation-size-too-big /root/LLVM/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164 in realloc
    ==60493==ABORTING

CVE-2023-30085: Allocation size overflow in cws2fws() at main.c:111 · Issue #267 · libming/libming

An issue found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjs_execute function in mjs.c.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-30088: Invalid memory read in mjs_execute() at mjs.c:9320 · Issue #243 · cesanta/mjs

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_attr_psid_sub() function.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

**Describe the bug**

*   Did you check if this is a duplicate issue?
*   Did you test it on the latest FRRouting/frr master branch?

Hello, I have find a bug in bgp\_attr\_psid\_sub, there is a missing check of the type = BGP\_PREFIX\_SID\_SRV6\_L3\_SERVICE when using stream\_getc to get reseverd field.

    /* Placeholder code for the SRv6 L3 Service type */
    else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
    	if (STREAM_READABLE(peer->curr) < length) {
    		flog_err(
    			EC_BGP_ATTR_LEN,
    			"Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
    			length, STREAM_READABLE(peer->curr));
    		return bgp_attr_malformed(args,
    			 BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
    			 args->total);
    	}
    
    	/* ignore reserved */
    	stream_getc(peer->curr);
    

**To Reproduce**

When I construct a psid\_sub TLV, Type = 5 and Length = 0, Frrouting will crash.  
**Expected behavior**

**Screenshots**

**Versions**

*   OS Version:

*   Kernel:

*   FRR Version:

**Additional context**

I pushed a PR for this back in December but it's been stalled due to me being busy with some other stuff  
#12454

I'll get back to it today and get this in

> **Describe the bug**
> 
> *   Did you check if this is a duplicate issue?
> *   Did you test it on the latest FRRouting/frr master branch?
> 
> Hello, I have find a bug in bgp\_attr\_psid\_sub, there is a missing check of the type = BGP\_PREFIX\_SID\_SRV6\_L3\_SERVICE when using stream\_getc to get reseverd field.
> 
>     /* Placeholder code for the SRv6 L3 Service type */
>     else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
>     	if (STREAM_READABLE(peer->curr) < length) {
>     		flog_err(
>     			EC_BGP_ATTR_LEN,
>     			"Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
>     			length, STREAM_READABLE(peer->curr));
>     		return bgp_attr_malformed(args,
>     			 BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
>     			 args->total);
>     	}
>     
>     	/* ignore reserved */
>     	stream_getc(peer->curr);
>     
> 
> **To Reproduce**
> 
> When I construct a psid\_sub TLV, Type = 5 and Length = 0, Frrouting will crash. **Expected behavior**
> 
> **Screenshots**
> 
> **Versions**
> 
> *   OS Version:
>     
> *   Kernel:
>     
> *   FRR Version:
>     
> 
> **Additional context**

Hi Melissa,

Could you please share with us on how to construct a message that can reproduce this crash?

I tried to use scappy but I'm not sure how to construct such a message.

Thank you!

can you share the PoC and the bgp configuration? thanks!

halstead pushed a commit to openembedded/meta-openembedded that referenced this issue

Jul 31, 2023

 

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to
cause a denial of service via the bgp\_attr\_psid\_sub() function.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31490
FRRouting/frr#13099

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
\[Fixup so patch would apply\]
Signed-off-by: Armin Kuster <akuster808@gmail.com>

jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/meta-openembedded that referenced this issue

Aug 9, 2023

 

Source: meta-openembedded
MR: 127624
Type: Integration
Disposition: Merged from meta-openembedded
ChangeID: 8ab74be
Description:

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to
cause a denial of service via the bgp\_attr\_psid\_sub() function.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31490
FRRouting/frr#13099

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
\[Fixup so patch would apply\]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>

CVE-2023-31490: bgpd: Missing  length check in bgp_attr_psid_sub about BGP_PREFIX_SID_SRV6_L3_SERVICE · Issue #13099 · FRRouting/frr

An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_capability_llgr() function.

**Describe the bug**

*   Did you check if this is a duplicate issue?
*   Did you test it on the latest FRRouting/frr master branch?

Hello, I have find a bug in bgp\_capability\_llgr that it length check is wrong. In the draft document it has 7 bytes as shown in the following figure.

The capability value consists of zero or more tuples <AFI, SAFI,  
Flags, Long-lived Stale Time> as follows:

      +--------------------------------------------------+
      | Address Family Identifier (16 bits)              |
      +--------------------------------------------------+
      | Subsequent Address Family Identifier (8 bits)    |
      +--------------------------------------------------+
      | Flags for Address Family (8 bits)                |
      +--------------------------------------------------+
      | Long-lived Stale Time (24 bits)                  |
      +--------------------------------------------------+
    

While, in the code it only check 4 bytes.

    while (stream_get_getp(s) + 4 <= end) {
    	afi_t afi;
    	safi_t safi;
    	iana_afi_t pkt_afi = stream_getw(s);
    	iana_safi_t pkt_safi = stream_getc(s);
    	uint8_t flags = stream_getc(s);
    	uint32_t stale_time = stream_get3(s);
    
       }
    

**To Reproduce**  
If I construct a packet only has 6 bytes of the llgr, the frrrouting will crash.

BGP: in thread bgp\_process\_packet scheduled from bgpd/bgp\_io.c:269 bgp\_process\_reads()  
core\_handler: showing active allocations in memory group libfrr  
core\_handler: memstats: Buffer : 2 \* 24  
core\_handler: memstats: Host config : 8 \* (variably sized)  
core\_handler: memstats: Command Tokens : 12082 \* 72  
core\_handler: memstats: Command Token Text : 8746 \* (variably sized)  
core\_handler: memstats: Command Token Help : 8746 \* (variably sized)  
core\_handler: memstats: Command Argument Name : 2052 \* (variably sized)  
core\_handler: memstats: RCU thread : 2 \* 128  
core\_handler: memstats: FRR POSIX Thread : 4 \* (variably sized)  
core\_handler: memstats: POSIX sync primitives : 4 \* (variably sized)  
core\_handler: memstats: Graph : 40 \* 8  
core\_handler: memstats: Graph Node : 14266 \* 32  
core\_handler: memstats: Hash : 573 \* (variably sized)  
core\_handler: memstats: Hash Bucket : 2340 \* 32  
core\_handler: memstats: Hash Index : 287 \* (variably sized)  
core\_handler: memstats: Link List : 36 \* 40  
core\_handler: memstats: Link Node : 334 \* 24  
core\_handler: memstats: Temporary memory : 15 \* (variably sized)  
core\_handler: memstats: Bitfield memory : 2 \* (variably sized)  
core\_handler: memstats: Northbound Node : 240 \* 1192  
core\_handler: memstats: Northbound Configuration : 2 \* 16  
core\_handler: memstats: Privilege information : 3 \* (variably sized)  
core\_handler: memstats: Ring buffer : 6 \* (variably sized)  
core\_handler: memstats: Skip List : 2 \* 56  
core\_handler: memstats: Skip Node : 2 \* 160  
core\_handler: memstats: Skiplist Counters : 2 \* 68  
core\_handler: memstats: Socket union : 2 \* 112  
core\_handler: memstats: Stream : 12 \* (variably sized)  
core\_handler: memstats: Stream FIFO : 6 \* 64  
core\_handler: memstats: Route table : 100 \* 56  
core\_handler: memstats: Thread : 15 \* 160  
core\_handler: memstats: Thread master : 12 \* (variably sized)  
core\_handler: memstats: Thread Poll Info : 6 \* 8388608  
core\_handler: memstats: Thread stats : 18 \* 96  
core\_handler: memstats: Typed-hash bucket : 5 \* (variably sized)  
core\_handler: memstats: Typed-heap array : 1 \* 576  
core\_handler: memstats: Vector : 28613 \* 24  
core\_handler: memstats: Vector index : 28613 \* (variably sized)  
core\_handler: memstats: VRF : 1 \* 216  
core\_handler: memstats: VTY server : 3 \* 32  
core\_handler: memstats: Work queue : 3 \* 152  
core\_handler: memstats: Work queue name string : 3 \* (variably sized)  
core\_handler: memstats: YANG module : 5 \* 48  
core\_handler: memstats: Zclient : 2 \* 3144  
core\_handler: memstats: Redistribution instance IDs : 6 \* 2  
core\_handler: memstats: log thread-local buffer : 2 \* 24608  
core\_handler: showing active allocations in memory group logging subsystem  
core\_handler: memstats: log file target : 2 \* 88  
core\_handler: memstats: log file name : 1 \* 14  
core\_handler: showing active allocations in memory group bgpd  
core\_handler: memstats: BGP instance : 2 \* (variably sized)  
core\_handler: memstats: BGP listen socket details : 2 \* 144  
core\_handler: memstats: BGP peer : 3 \* 740824  
core\_handler: memstats: BGP peer hostname : 4 \* (variably sized)  
core\_handler: memstats: BGP peer af : 2 \* 80  
core\_handler: memstats: BGP attribute : 1 \* 312  
core\_handler: memstats: BGP aspath : 1 \* 40  
core\_handler: memstats: BGP aspath str : 1 \* 1  
core\_handler: memstats: BGP table : 87 \* 56  
core\_handler: memstats: BGP node : 2 \* 192  
core\_handler: memstats: BGP route : 1 \* 112  
core\_handler: memstats: BGP static : 1 \* 144  
core\_handler: memstats: BGP synchronise : 63 \* 72  
core\_handler: memstats: community-list handler : 1 \* 120  
core\_handler: memstats: BGP nexthop : 1 \* 184  
core\_handler: memstats: BGP EVPN MH Information : 1 \* 56  
core\_handler: memstats: BGP PBR Context : 1 \* 32  
core\_handler: memstats: BGP EVPN instance information : 1 \* 56  
core\_handler: showing active allocations in memory group rfapi  
core\_handler: memstats: NVE Configuration : 1 \* 2984  
core\_handler: memstats: RFAPI Generic : 1 \* 296  
core\_handler: memstats: RFAPI Import Table : 1 \* 208  
Aborted (core dumped)

**Expected behavior**

**Screenshots**

**Versions**

*   OS Version:

*   Kernel:

*   FRR Version:

**Additional context**

CVE-2023-31489: bgpd: the length check of bgp_capability_llgr is not correct · Issue #13098 · FRRouting/frr

OX App Suite has patched for sensitive information disclosure, cross site scripting, improper access control, authorization bypass, and resource consumption vulnerabilities. Some of the issues affect OX App Suite frontend version 7.10.6-rev23 and some affect OX App Suite backend version 7.10.6-rev36.

Internal reference: OXUIB-2130  
Type: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)  
Component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite frontend 7.10.6-rev23  
First fixed revision: OX App Suite frontend 7.10.6-rev24  
Discovery date: 2023-01-03  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
Researcher credits: Tim Coen  
CVE: CVE-2023-24597  
CVSS: 4.2 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

Details:  
Remote resources are loaded in print view. When E-Mail is flagged as Spam or if a user has enabled the feature as a default, remote content in E-Mail is not requested automatically to improve users privacy. However when printing a E-Mail, external content was loaded automatically without user consent.

Risk:  
Malicious remote content in E-Mail, like tracking pixels, could be used to analyze user behaviour. No publicly available exploits are known.

Solution:  
We now apply the same setting for loading external content when generating the E-Mail print content.

---

Internal reference: OXUIB-2034  
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))  
Component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite frontend 7.10.6-rev23  
First fixed revision: OX App Suite frontend 7.10.6-rev24  
Discovery date: 2022-11-02  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
CVE: CVE-2023-24601  
CVSS: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Details:  
XSS with non-app deeplinks like "registry". The "registry" sub-tree of the jslob API is used to define which application modules and dependencies shall be loaded. Users were able to inject arbitrary references, including malicious code.

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. No publicly available exploits are known.

Solution:  
We made the relevant jslob path read-only for users.

---

Internal reference: OXUIB-2033  
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))  
Component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite frontend 7.10.6-rev23  
First fixed revision: OX App Suite frontend 7.10.6-rev24  
Discovery date: 2022-02-11  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
CVE: CVE-2023-24602  
CVSS: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Details:  
XSS at Tumblr portal widget due to missing content sanitization. External content, like post titles, have been evaluated as HTML when adding Tumblr feeds to the portal page.

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account, compromise a Tumblr feed or make the victim include a malicious feed. No publicly available exploits are known.

Solution:  
We now insert untrusted external content as plain-text.

---

Internal reference: MWB-1998  
Type: CWE-284 (Improper Access Control)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-10  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
Researcher credits: Tim Coen  
CVE: CVE-2023-24600  
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Details:  
"Read own/delete all" permissions allows moving other users contacts to own address book. Folder ACL combinations like "read own, delete all" were incorrectly applied and allowed that users could move objects which they were not expected to read.

Risk:  
Moving objects to folders with read access effectively bypassed the "read own" restriction. No publicly available exploits are known.

Solution:  
Permission checks have been updated and include checking for read permissions when performing move operations.

---

Internal reference: MWB-1997  
Type: CWE-284 (Improper Access Control)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-10  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
Researcher credits: Tim Coen  
CVE: CVE-2023-24605  
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Details:  
API access not fully restricted when requiring 2FA. When using the built-in multi-factor authentication, access to a number of API endpoints was possible prior to successful authentication using the second factor.

Risk:  
Attackers with access to victims credentials were able to perfom limited read operations on contacts and drive as well as modifying names of the multi-factor tokens. No publicly available exploits are known.

Solution:  
We added permission checks to make sure all kind of API paths are restricted prior to being fully authenticated.

---

Internal reference: MWB-1995  
Type: CWE-639 (Authorization Bypass Through User-Controlled Key)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-09  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
Researcher credits: Tim Coen  
CVE: CVE-2023-24598  
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Details:  
Distribution lists allow discovering private contacts of other users. Editing distribution lists allows to add contacts from foreign accounts, where the attacker has no read access.

Risk:  
Attackers within the same context can discover fragments of contact information from folders without read access, including other users personal contact folders. No publicly available exploits are known.

Solution:  
We improved permission checks when editing distribution lists to restrict access.

---

Internal reference: MWB-1983  
Type: CWE-400 (Uncontrolled Resource Consumption)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-03  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
CVE: CVE-2023-24604  
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Details:  
Header length does not get limited for external content. HTTP client requests initiated by App Suite middleware were not validating the lenght of HTTP headers.

Risk:  
In case an attacker-controlled resource (e.g. iCal feed) returned excessive amount of HTTP headers, the system could temporarily lock up processing those headers. No publicly available exploits are known.

Solution:  
We introduced a limitation for HTTP header length and reject processing if a threshold is hit.

---

Internal reference: MWB-1981  
Type: CWE-400 (Uncontrolled Resource Consumption)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-03  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
CVE: CVE-2023-24603  
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Details:  
Size limits for external content are not considered for data transfer. HTTP client requests initiated by App Suite middleware were not stopping downloads for resources that exceed size limits.

Risk:  
In case an attacker-controlled resource (e.g. iCal feed) returned excessive amount of data, it would be fully downloaded before applying size checks. While this could not be used to lock up the system, its a plausible amplification vector for denial of service attacks to other services. No publicly available exploits are known.

Solution:  
We improved the limitation for content length and immediately stop downloading if a threshold is hit.

---

Internal reference: MWB-1978  
Type: CWE-639 (Authorization Bypass Through User-Controlled Key)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-01  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
Researcher credits: Tim Coen  
CVE: CVE-2023-24599  
CVSS: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)

Details:  
Users can change arbitrary appointments by ID confusion. Appointments of other users could be changed without the appropriate autorization by sending conflicting object IDs within the same request.

Risk:  
Attackers within the same context can modify fragments of appointment information from folders without read access, including other users personal calendar folders. No publicly available exploits are known.

Solution:  
We improved permission checks when updating appointments to restrict access.

OX App Suite XSS / Information Disclosure / Authorization Bypass

Red Hat Security Advisory 2023-2148-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include buffer overflow, bypass, denial of service, double free, memory leak, null pointer, out of bounds read, privilege escalation, traversal, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2023:2148-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2148  
Issue date:        2023-05-09  
CVE Names:         CVE-2021-26341 CVE-2021-33655 CVE-2022-1462  
                   CVE-2022-1789 CVE-2022-1882 CVE-2022-2196  
                   CVE-2022-2663 CVE-2022-3028 CVE-2022-3435  
                   CVE-2022-3522 CVE-2022-3524 CVE-2022-3566  
                   CVE-2022-3567 CVE-2022-3619 CVE-2022-3623  
                   CVE-2022-3625 CVE-2022-3628 CVE-2022-3640  
                   CVE-2022-3707 CVE-2022-4128 CVE-2022-4129  
                   CVE-2022-20141 CVE-2022-21505 CVE-2022-28388  
                   CVE-2022-33743 CVE-2022-39188 CVE-2022-39189  
                   CVE-2022-41674 CVE-2022-42703 CVE-2022-42720  
                   CVE-2022-42721 CVE-2022-42722 CVE-2022-42896  
                   CVE-2022-43750 CVE-2022-47929 CVE-2023-0394  
                   CVE-2023-0461 CVE-2023-0590 CVE-2023-1195  
                   CVE-2023-1382  
====================================================================  
1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux NFV (v. 9) - x86_64  
Red Hat Enterprise Linux RT (v. 9) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* use-after-free in l2cap_connect and l2cap_le_connect_req in  
net/bluetooth/l2cap_core.c (CVE-2022-42896)

* net/ulp: use-after-free in listening ULP sockets (CVE-2023-0461)

* hw: cpu: AMD CPUs may transiently execute beyond unconditional direct  
branch (CVE-2021-26341)

* malicious data for FBIOPUT_VSCREENINFO ioctl may cause OOB write memory  
(CVE-2021-33655)

* possible race condition in drivers/tty/tty_buffers.c (CVE-2022-1462)

* KVM: NULL pointer dereference in kvm_mmu_invpcid_gva (CVE-2022-1789)

* use-after-free in free_pipe_info() could lead to privilege escalation  
(CVE-2022-1882)

* KVM: nVMX: missing IBPB when exiting from nested guest can lead to  
Spectre v2 attacks (CVE-2022-2196)

* netfilter: nf_conntrack_irc message handling issue (CVE-2022-2663)

* race condition in xfrm_probe_algs can lead to OOB read/write  
(CVE-2022-3028)

* out-of-bounds read in fib_nh_match of the file net/ipv4/fib_semantics.c  
(CVE-2022-3435)

* race condition in hugetlb_no_page() in mm/hugetlb.c (CVE-2022-3522)

* memory leak in ipv6_renew_options() (CVE-2022-3524)

* data races around icsk->icsk_af_ops in do_ipv6_setsockopt (CVE-2022-3566)

* data races around sk->sk_prot (CVE-2022-3567)

* memory leak in l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c  
(CVE-2022-3619)

* denial of service in follow_page_pte in mm/gup.c due to poisoned pte  
entry (CVE-2022-3623)

* use-after-free after failed devlink reload in devlink_param_get  
(CVE-2022-3625)

* USB-accessible buffer overflow in brcmfmac (CVE-2022-3628)

* use after free flaw in l2cap_conn_del in net/bluetooth/l2cap_core.c  
(CVE-2022-3640)

* Double-free in split_2MB_gtt_entry when function  
intel_gvt_dma_map_guest_page failed (CVE-2022-3707)

* mptcp: NULL pointer dereference in subflow traversal at disconnect time  
(CVE-2022-4128)

* l2tp: missing lock when clearing sk_user_data can lead to NULL pointer  
dereference (CVE-2022-4129)

* igmp: use-after-free in ip_check_mc_rcu when opening and closing inet  
sockets (CVE-2022-20141)

* lockdown bypass using IMA (CVE-2022-21505)

* double free in usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c  
(CVE-2022-28388)

* network backend may cause Linux netfront to use freed SKBs (XSA-405)  
(CVE-2022-33743)

* unmap_mapping_range() race with munmap() on VM_PFNMAP mappings leads to  
stale TLB entry (CVE-2022-39188)

* TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED leading  
to guest malfunctioning (CVE-2022-39189)

* u8 overflow problem in cfg80211_update_notlisted_nontrans()  
(CVE-2022-41674)

* use-after-free related to leaf anon_vma double reuse (CVE-2022-42703)

* use-after-free in bss_ref_get in net/wireless/scan.c (CVE-2022-42720)

* BSS list corruption in cfg80211_add_nontrans_list in net/wireless/scan.c  
(CVE-2022-42721)

* Denial of service in beacon protection for P2P-device (CVE-2022-42722)

* memory corruption in usbmon driver (CVE-2022-43750)

* NULL pointer dereference in traffic control subsystem (CVE-2022-47929)

* NULL pointer dereference in rawv6_push_pending_frames (CVE-2023-0394)

* use-after-free due to race condition in qdisc_graft() (CVE-2023-0590)

* use-after-free caused by invalid pointer hostname in fs/cifs/connect.c  
(CVE-2023-1195)

* denial of service in tipc_conn_close (CVE-2023-1382)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2061703 - CVE-2021-26341 hw: cpu: AMD CPUs may transiently execute beyond unconditional direct branch  
2073091 - CVE-2022-28388 kernel: double free in usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c  
2078466 - CVE-2022-1462 kernel: possible race condition in drivers/tty/tty_buffers.c  
2089701 - CVE-2022-1882 kernel: use-after-free in free_pipe_info() could lead to privilege escalation  
2090723 - CVE-2022-1789 kernel: KVM: NULL pointer dereference in kvm_mmu_invpcid_gva  
2106830 - CVE-2022-21505 kernel: lockdown bypass using IMA  
2107924 - CVE-2022-33743 kernel: network backend may cause Linux netfront to use freed SKBs (XSA-405)  
2108691 - CVE-2021-33655 kernel: malicious data for FBIOPUT_VSCREENINFO ioctl may cause OOB write memory  
2114937 - CVE-2022-20141 kernel: igmp: use-after-free in ip_check_mc_rcu when opening and closing inet sockets  
2122228 - CVE-2022-3028 kernel: race condition in xfrm_probe_algs can lead to OOB read/write  
2123056 - CVE-2022-2663 kernel: netfilter: nf_conntrack_irc message handling issue  
2124788 - CVE-2022-39189 kernel: TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED leading to guest malfunctioning  
2130141 - CVE-2022-39188 kernel: unmap_mapping_range() race with munmap() on VM_PFNMAP mappings leads to stale TLB entry  
2133483 - CVE-2022-42703 kernel: use-after-free related to leaf anon_vma double reuse  
2133490 - CVE-2022-3435 kernel: out-of-bounds read in fib_nh_match of the file net/ipv4/fib_semantics.c  
2134377 - CVE-2022-41674 kernel: u8 overflow problem in cfg80211_update_notlisted_nontrans()  
2134380 - CVE-2022-4128 kernel: mptcp: NULL pointer dereference in subflow traversal at disconnect time  
2134451 - CVE-2022-42720 kernel: use-after-free in bss_ref_get in net/wireless/scan.c  
2134506 - CVE-2022-42721 kernel: BSS list corruption in cfg80211_add_nontrans_list in net/wireless/scan.c  
2134517 - CVE-2022-42722 kernel: Denial of service in beacon protection for P2P-device  
2134528 - CVE-2022-4129 kernel: l2tp: missing lock when clearing sk_user_data can lead to NULL pointer dereference  
2137979 - CVE-2022-3707 kernel: Double-free in split_2MB_gtt_entry when function intel_gvt_dma_map_guest_page failed  
2139610 - CVE-2022-3640 kernel: use after free flaw in l2cap_conn_del in net/bluetooth/l2cap_core.c  
2143893 - CVE-2022-3566 kernel: data races around icsk->icsk_af_ops in do_ipv6_setsockopt  
2143943 - CVE-2022-3567 kernel: data races around sk->sk_prot  
2144720 - CVE-2022-3625 kernel: use-after-free after failed devlink reload in devlink_param_get  
2147364 - CVE-2022-42896 kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c  
2150947 - CVE-2022-3524 kernel: memory leak in ipv6_renew_options()  
2150960 - CVE-2022-3628 kernel: USB-accessible buffer overflow in brcmfmac  
2150979 - CVE-2022-3522 kernel: race condition in hugetlb_no_page() in mm/hugetlb.c  
2151270 - CVE-2022-43750 kernel: memory corruption in usbmon driver  
2154171 - CVE-2023-1195 kernel: use-after-free caused by invalid pointer hostname in fs/cifs/connect.c  
2154235 - CVE-2022-3619 kernel: memory leak in l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c  
2160023 - CVE-2022-2196 kernel: KVM: nVMX: missing IBPB when exiting from nested guest can lead to Spectre v2 attacks  
2162120 - CVE-2023-0394 kernel: NULL pointer dereference in rawv6_push_pending_frames  
2165721 - CVE-2022-3623 kernel: denial of service in follow_page_pte in mm/gup.c due to poisoned pte entry  
2165741 - CVE-2023-0590 kernel: use-after-free due to race condition in qdisc_graft()  
2168246 - CVE-2022-47929 kernel: NULL pointer dereference in traffic control subsystem  
2176192 - CVE-2023-0461 kernel: net/ulp: use-after-free in listening ULP sockets  
2177371 - CVE-2023-1382 kernel: denial of service in tipc_conn_close

6. Package List:

Red Hat Enterprise Linux NFV (v. 9):

Source:  
kernel-rt-5.14.0-284.11.1.rt14.296.el9_2.src.rpm

x86_64:  
kernel-rt-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-kvm-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-devel-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-kvm-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm

Red Hat Enterprise Linux RT (v. 9):

Source:  
kernel-rt-5.14.0-284.11.1.rt14.296.el9_2.src.rpm

x86_64:  
kernel-rt-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-devel-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-26341  
https://access.redhat.com/security/cve/CVE-2021-33655  
https://access.redhat.com/security/cve/CVE-2022-1462  
https://access.redhat.com/security/cve/CVE-2022-1789  
https://access.redhat.com/security/cve/CVE-2022-1882  
https://access.redhat.com/security/cve/CVE-2022-2196  
https://access.redhat.com/security/cve/CVE-2022-2663  
https://access.redhat.com/security/cve/CVE-2022-3028  
https://access.redhat.com/security/cve/CVE-2022-3435  
https://access.redhat.com/security/cve/CVE-2022-3522  
https://access.redhat.com/security/cve/CVE-2022-3524  
https://access.redhat.com/security/cve/CVE-2022-3566  
https://access.redhat.com/security/cve/CVE-2022-3567  
https://access.redhat.com/security/cve/CVE-2022-3619  
https://access.redhat.com/security/cve/CVE-2022-3623  
https://access.redhat.com/security/cve/CVE-2022-3625  
https://access.redhat.com/security/cve/CVE-2022-3628  
https://access.redhat.com/security/cve/CVE-2022-3640  
https://access.redhat.com/security/cve/CVE-2022-3707  
https://access.redhat.com/security/cve/CVE-2022-4128  
https://access.redhat.com/security/cve/CVE-2022-4129  
https://access.redhat.com/security/cve/CVE-2022-20141  
https://access.redhat.com/security/cve/CVE-2022-21505  
https://access.redhat.com/security/cve/CVE-2022-28388  
https://access.redhat.com/security/cve/CVE-2022-33743  
https://access.redhat.com/security/cve/CVE-2022-39188  
https://access.redhat.com/security/cve/CVE-2022-39189  
https://access.redhat.com/security/cve/CVE-2022-41674  
https://access.redhat.com/security/cve/CVE-2022-42703  
https://access.redhat.com/security/cve/CVE-2022-42720  
https://access.redhat.com/security/cve/CVE-2022-42721  
https://access.redhat.com/security/cve/CVE-2022-42722  
https://access.redhat.com/security/cve/CVE-2022-42896  
https://access.redhat.com/security/cve/CVE-2022-43750  
https://access.redhat.com/security/cve/CVE-2022-47929  
https://access.redhat.com/security/cve/CVE-2023-0394  
https://access.redhat.com/security/cve/CVE-2023-0461  
https://access.redhat.com/security/cve/CVE-2023-0590  
https://access.redhat.com/security/cve/CVE-2023-1195  
https://access.redhat.com/security/cve/CVE-2023-1382  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFo0NtzjgjWX9erEAQhskQ//eAqMI93djEsADoo5zb3EO3xEGrb//Im2  
ptPycHLLL6ZG+t/+1PiMk/e8LwhV2hrxz7nzc4xh8tNO4TRuF0WK/sR8Iv4y6/Fs  
95X25NgEndOlHk7uUVgEdTYvZnpNh27XJwyEHDu6HV8suxY6gfbYHqV7zlkGBi43  
zQA+sfEDXFVfvLug/RpaD0J7wXc0JyUoG4OratWV1E37zw9mNPSX1P0bFy4QoKXL  
rhG1Xc+qSWK3kjnJjpeU8nIJGhL2oJDFVuICkiC+aEp7C//DE1TA7L7u3Z+7Tou/  
BpPmjMyfXF/UQYZtJCrCRiTj/RsRIqaUSoy3/3MO8jxVMR6FIm/QTjY63JCGfj6A  
OahLv77oKDJXuHQQ7JkHycKMOc+JfX/ZNtxtgn2gYFfpjPTY/klTJP8iM9KhnTuQ  
2lF5jvYJihYhGio+cyl5Ad/XmzsHh7cTQR3XKtNa7p9/+QkAKt10LhbzxvebThFd  
cZtLUsdph4wO6T+RrZ5XdwvOSox1C40mfOnwJO41M/9GXPHoxhmwrZYBWKE1PY0J  
Jq9m+pYgKv+ioTW1FWloM22mu0PW/L5F3djzAVujShX0iRgfW2Aao3n+L8A22bYD  
Q+5LbFsWZwpeK7zXgXocJlY7j667sT9UGqBwk4xMfAiS5A0p2Zo1rkIre2lvmF2D  
JJU7NBGa9VU=YrUX  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2148-01

Red Hat Security Advisory 2023-2458-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include buffer overflow, bypass, denial of service, double free, memory leak, null pointer, out of bounds read, privilege escalation, traversal, and use-after-free vulnerabilities.

Red Hat Security Advisory 2023-2458-01

Red Hat Security Advisory 2023-2258-01 - Mako is a template library written in Python. It provides a familiar, non-XML syntax which compiles into Python modules for maximum performance. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: python-mako security update  
Advisory ID:       RHSA-2023:2258-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2258  
Issue date:        2023-05-09  
CVE Names:         CVE-2022-40023  
====================================================================  
1. Summary:

An update for python-mako is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - noarch

3. Description:

Mako is a template library written in Python. It provides a familiar,  
non-XML syntax which compiles into Python modules for maximum performance.

Security Fix(es):

* python-mako: REDoS in Lexer class (CVE-2022-40023)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2128977 - CVE-2022-40023 python-mako: REDoS in Lexer class

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
python-mako-1.1.4-6.el9.src.rpm

noarch:  
python3-mako-1.1.4-6.el9.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40023  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFo1a9zjgjWX9erEAQjg2xAAnpA5yArOpLtmFEjZnmF184CoWcRXEFNM  
9PItWnF6enfIKu03bDla5NcqNp9Viel3uZIdw5jJK9FPP6kiqweBhlPySJ1qOusG  
RJImbd016jqnqsIjz3skIhnksQQrRbABDiBFs8gybE1EOQREaY3tPPa4EWe64+GI  
SAasYbEnGKWAI4c/poFk8afIbEMhMn4gtmT6Amy3x2HI5NRdASj7MOUxSWSVpMm+  
DQ/eShCak4v/WexdpWLYSRIx4evABAKCfXzqnhPfPIXQ2I5tobKEOZ/PPgQLSGjD  
fnw39pQf4SS5R2IhFKTaBGzhQzHd/6rBsk/ugKn76PvFLPRmL27Etd97nrEDBTTu  
d7W+hc5OkjeporwtQvx+gdNpC/5ARFw1sVYU2CGA4qnz+/QOqaVsIHHk7JmVZ23W  
giHPPwmGpEbr7pWNyVnzRnBiWaNyaLjQruA2lah1xcTbYx8U/cXbKe4F49Me3pf+  
j8sfr1TZRyb23crftQzHTlFeO0rxtawWFVHAKKTOEq0zWnQyjfoLVh1OuD/0UsJM  
BLLRjEf0XXfUyS79ssJ1xTvECUDMDD3Cr99QkbgsHpTDB7AFcthqJhmd2fi7H/rK  
mzMRtBtL5CTAoQ2CqlIV130rNMFf09mnfj/7P+zXc1zc9w4UgDUjWXBi+11zQbY+  
3D7CnC21l9c=sZZX  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#dos