## Overview

sharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity https://github.com/advisories/GHSA-j7hp-h8jx-5ppr.

## Who does this affect?

Almost anyone processing untrusted input with versions of sharp prior to 0.32.6.

## How to resolve this?

### Using prebuilt binaries provided by sharp?

Most people rely on the prebuilt binaries provided by sharp.

Please upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2.

### Using a globally-installed libvips?

Please ensure you are using the latest libwebp 1.3.2.

## Possible workaround

Add the following to your code to prevent sharp from decoding WebP images.
```js
sharp.block({ operation: ["VipsForeignLoadWebp"] });
```

**Overview**

sharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity GHSA-j7hp-h8jx-5ppr.

**Who does this affect?**

Almost anyone processing untrusted input with versions of sharp prior to 0.32.6.

**How to resolve this?****Using prebuilt binaries provided by sharp?**

Most people rely on the prebuilt binaries provided by sharp.

Please upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2.

**Using a globally-installed libvips?**

Please ensure you are using the latest libwebp 1.3.2.

**Possible workaround**

Add the following to your code to prevent sharp from decoding WebP images.

sharp.block({ operation: \["VipsForeignLoadWebp"\] });

**References**

*   GHSA-54xq-cgqr-rpm3
*   lovell/sharp@dbce6fa

GHSA-54xq-cgqr-rpm3: sharp vulnerability in libwebp dependency CVE-2023-4863

Debian Linux Security Advisory 5556-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5556-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonNovember 15, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-5997 CVE-2023-6112Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), these problems have been fixedin version 119.0.6045.159-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 119.0.6045.159-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmVVT/UACgkQZF0CR8NudjfQZw//bJoI/QaSlCksKVM/OBj1flTAddPBNLyLxnxhIgRFk8hAWKXZfncSMt7PRfnkbzEHMxWjPmCFf3G1MnpHxI8TEMD9Ry8mmTQ/ZwZd04JYUQ6bGHKmCh6EwT/ipFpw76Xaym/CfCsrSVa+z7VclQ+S8KumbGknuJN87H0SyxwaP2khP/T/c9v1IY2qq5tJLYOAKMN+Sadex9U3+kjHScx3bBBD8OJ/PGV16X+NxctQ0bdQPVfTlXbmkiQhMnp8c4bxkgNNFV0W1AlYzUWPcIyDgJjcuR0lowEUGkT0awq23HavlA50abiUYDVP15RBkY75c0eyB4/UgP71UjUHvm23ztcaozNl0/YIUVvqMF47toydCEkrUzv6jRBCQVkAeMd3y1CQMYu/CF0U7uwrElelAVxVo0Al24G1fbjAdS5xTHe8TOJg1s5e0uts38kUzT0ESj8a0D3swjnt8AHkrJQN6bN4x9PinZPTQN9gLKdbw9vDaWOhAx3VWdfl2Pscscu+18B3GbCWtZE904rPyb6vRrHYTtCHMSzxPCrvKVSjoI28zawXhJY+eDY6Tepm6ewP2AG3oRc9/8RhBDaEnUAz+Dd4GyTTv260a2N5xnZyfuiIRv/DR0M1jhzTuJQokpfxzXQwxvgS9oMwW9WAZWJWfug7nPKuSruHbLzKlHheqKI==eZ05-----END PGP SIGNATURE-----

Debian Security Advisory 5556-1

Red Hat Security Advisory 2023-7294-01 - An update for kernel is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7294.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kernel security updateAdvisory ID:        RHSA-2023:7294-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7294Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-3609====================================================================Summary: An update for kernel is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security Fix(es):* kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails (CVE-2023-3609)* kernel: net/sched: cls_fw component can be exploited as result of failure in tcf_change_indev function (CVE-2023-3776)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-3609References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2225097https://bugzilla.redhat.com/show_bug.cgi?id=2225201

Red Hat Security Advisory 2023-7294-01

Red Hat Security Advisory 2023-7288-01 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14. Issues addressed include bypass, code execution, cross site scripting, and denial of service vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7288.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat Product OCP Tools 4.14 Openshift Jenkins security update  
Advisory ID:        RHSA-2023:7288-01  
Product:            OpenShift Developer Tools and Services  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7288  
Issue date:         2023-11-16  
Revision:           01  
CVE Names:          CVE-2022-25857  
====================================================================

Summary: 

An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14. 

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

* apache-commons-text: variable interpolation RCE (CVE-2022-42889)

* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)

* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)

* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-25857

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2066479  
https://bugzilla.redhat.com/show_bug.cgi?id=2126789  
https://bugzilla.redhat.com/show_bug.cgi?id=2135435  
https://bugzilla.redhat.com/show_bug.cgi?id=2164278  
https://bugzilla.redhat.com/show_bug.cgi?id=2170039  
https://bugzilla.redhat.com/show_bug.cgi?id=2170041  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296

Red Hat Security Advisory 2023-7288-01

Red Hat Security Advisory 2023-7279-01 - An update for open-vm-tools is now available for Red Hat Enterprise Linux 7. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7279.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: open-vm-tools security updateAdvisory ID:        RHSA-2023:7279-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7279Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-34058====================================================================Summary: An update for open-vm-tools is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines.Security Fix(es):* open-vm-tools: SAML token signature bypass (CVE-2023-34058)* open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper (CVE-2023-34059)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-34058References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2246080https://bugzilla.redhat.com/show_bug.cgi?id=2246096

Red Hat Security Advisory 2023-7279-01

Red Hat Security Advisory 2023-7277-01 - An update for open-vm-tools is now available for Red Hat Enterprise Linux 9. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7277.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: open-vm-tools security updateAdvisory ID:        RHSA-2023:7277-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7277Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-34058====================================================================Summary: An update for open-vm-tools is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines.Security Fix(es):* open-vm-tools: SAML token signature bypass (CVE-2023-34058)* open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper (CVE-2023-34059)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-34058References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2246080https://bugzilla.redhat.com/show_bug.cgi?id=2246096

Red Hat Security Advisory 2023-7277-01

Red Hat Security Advisory 2023-7276-01 - An update for open-vm-tools is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7276.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: open-vm-tools security updateAdvisory ID:        RHSA-2023:7276-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7276Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-34058====================================================================Summary: An update for open-vm-tools is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines.Security Fix(es):* open-vm-tools: SAML token signature bypass (CVE-2023-34058)* open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper (CVE-2023-34059)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-34058References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2246080https://bugzilla.redhat.com/show_bug.cgi?id=2246096

Red Hat Security Advisory 2023-7276-01

Red Hat Security Advisory 2023-7267-01 - An update for open-vm-tools is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7267.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: open-vm-tools security updateAdvisory ID:        RHSA-2023:7267-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7267Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-34058====================================================================Summary: An update for open-vm-tools is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines.Security Fix(es):* open-vm-tools: SAML token signature bypass (CVE-2023-34058)* open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper (CVE-2023-34059)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-34058References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2246080https://bugzilla.redhat.com/show_bug.cgi?id=2246096

Red Hat Security Advisory 2023-7267-01

Red Hat Security Advisory 2023-7265-01 - An update for open-vm-tools is now available for Red Hat Enterprise Linux 8. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7265.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: open-vm-tools security updateAdvisory ID:        RHSA-2023:7265-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7265Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-34058====================================================================Summary: An update for open-vm-tools is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines.Security Fix(es):* open-vm-tools: SAML token signature bypass (CVE-2023-34058)* open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper (CVE-2023-34059)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-34058References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2246080https://bugzilla.redhat.com/show_bug.cgi?id=2246096

Red Hat Security Advisory 2023-7265-01

Red Hat Security Advisory 2023-7264-01 - An update for open-vm-tools is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7264.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: open-vm-tools security updateAdvisory ID:        RHSA-2023:7264-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7264Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-34058====================================================================Summary: An update for open-vm-tools is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines.Security Fix(es):* open-vm-tools: SAML token signature bypass (CVE-2023-34058)* open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper (CVE-2023-34059)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-34058References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2246080https://bugzilla.redhat.com/show_bug.cgi?id=2246096

Tag

#js