Red Hat Security Advisory 2023-6885-01 - An update for python is now available for Red Hat Enterprise Linux 7. Issues addressed include a bypass vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6885.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python security updateAdvisory ID:        RHSA-2023:6885-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6885Issue date:         2023-11-13Revision:           01CVE Names:          CVE-2023-40217====================================================================Summary: An update for python is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* python: TLS handshake bypass (CVE-2023-40217)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-40217References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2235789

Red Hat Security Advisory 2023-6885-01

PX4 autopilot is a flight control solution for drones. In affected versions a global buffer overflow vulnerability exists in the CrsfParser_TryParseCrsfPacket function in /src/drivers/rc/crsf_rc/CrsfParser.cpp:298 due to the invalid size check. A malicious user may create an RC packet remotely and that packet goes into the device where the _rcs_buf reads. The global buffer overflow vulnerability will be triggered and the drone can behave unexpectedly. This issue has been addressed in version 1.14.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

**Summary**

We identified a global buffer overflow vulnerability in the CrsfParser\_TryParseCrsfPacket function in /src/drivers/rc/crsf\_rc/CrsfParser.cpp:298 due to the invalid size check.

We investigated by the following process

1.  Enable the crsf\_rc driver
2.  Write the data (i.e., packet) to \_rcs\_buf used in the crsf\_rc driver on a device
3.  Global buffer overflow vulnerability in the _CrsfParser\_TryParseCrsfPacket_ function will be triggered when the _CrsfParser\_TryParseCrsfPacket_ function parses this data.

The following packet can trigger the vulnerability as mentioned above.

packet\[0\] \= 0xc8; // MAGIC NUMBER which informs rc packet start
packet\[1\] \= 62; // size of the packet
packet\[2\] \= 100; // packet type ( random, not the 0x16, 0x14 )

**Detailed Root Cause**

We first assumed that we can write the arbitrary data into \_rcs\_buf using the following code.

*   /src/drivers/rc/crsf\_rc/CrsfRc.cpp #190 line

int new\_bytes \= ::read(\_rc\_fd, &\_rcs\_buf\[0\], RC\_MAX\_BUFFER\_SIZE);

After that, CrsfParser\_TryParseCrsfPacket will be called and parse the information of the rc packet in \_rcs\_buf.

*   The CrsfParser\_TryParseCrsfPacket function checks the following conditions

1.  The first byte of the packet is same with CRSF\_HEADER (0xc8). (CrsfParser.cpp:256)

case PARSER\_STATE\_HEADER:
			if (QueueBuffer\_Get(&rx\_queue, &working\_byte)) {
				if (working\_byte \== CRSF\_HEADER) {
	//...omitted...

1.  Whether the type of the packet is known or not.
    *   If the packet’s type is not 0x16 or 0x14, then the working\_segment\_size sets packet_size(our input) + PACKET_SIZE_TYPE(2);
2.  The working\_segment\_size should be less or equal than CRSF\_MAX\_PACKET\_LEN which is 64. (if condition in CrsfParser.cpp:298)
    *   In that case, if we send the packet which sets size as 62, then working\_segment\_size will be 64, and this corresponds to the if condition (working_segment_size <= CRSF_MAX_PACKET_LEN). Because the previous condition added 2 with the size of the packet.
    *   It makes to pass this if condition, and working\_index will set as 2 consequently.

case PARSER\_STATE\_SIZE\_TYPE:
			//PX4\_INFO("PARSER\_STATE\_SIZE\_TYPE\\n");
			QueueBuffer\_Peek(&rx\_queue, working\_index++, &packet\_size); //working\_index = 1
			QueueBuffer\_Peek(&rx\_queue, working\_index++, &packet\_type); //working\_index = 2

			working\_descriptor \= FindCrsfDescriptor((enum CRSF\_PACKET\_TYPE)packet\_type);

			// If we know what this packet is...
			if (working\_descriptor != NULL) {
				//.. the packet's type was 0x16 or 0x14
				//..omitted
				}
			} else {
				// We don't know what this packet is, so we'll let the parser continue
				// just so that we can dequeue it in one shot
				working\_segment\_size \= packet\_size + PACKET\_SIZE\_TYPE\_SIZE; //PACKET\_SIZE\_TYPE\_SIZE : 2

				if (working\_segment\_size \> CRSF\_MAX\_PACKET\_LEN) {
					parser\_statistics\->invalid\_unknown\_packet\_sizes++;
					parser\_state \= PARSER\_STATE\_HEADER;
					working\_segment\_size \= HEADER\_SIZE;
					working\_index \= 0;
					buffer\_count \= QueueBuffer\_Count(&rx\_queue);
					continue;
				}
			}

			parser\_state \= PARSER\_STATE\_PAYLOAD;
			break;

*   Next, in the PARSER\_STATE\_HEADER part, working_index += working_segment_size is conducted. For our case, working\_index is 2 because of the previous parsing part, working\_idex will be 2 + 64 = 66.

case PARSER\_STATE\_PAYLOAD:
			working\_index += working\_segment\_size;
			working\_segment\_size \= CRC\_SIZE;
			parser\_state \= PARSER\_STATE\_CRC;
			break;

*   The _QueueBuffer\_PeekBuffer_ function will be called with the 4th parameter represents size as 67 (because CRC\_SIZE is 1)

case PARSER\_STATE\_CRC:
			// Fetch the suspected packet as a contingous block of memory
			QueueBuffer\_PeekBuffer(&rx\_queue, 0, process\_buffer, working\_index + CRC\_SIZE);

bool QueueBuffer\_PeekBuffer(const QueueBuffer\_t \*q, const uint32\_t index, uint8\_t \*buffer, const uint32\_t size)
{
	uint32\_t copy\_start;

	//...omitted

	// Check if we can do this in a single shot
	if (copy\_start + size <= q\->buffer\_size) {
		memcpy((void \*)buffer, (void \*)(q\->buffer + copy\_start), size); //this will be called

	} 

*   Eventually, the data is copied to process\_buffer like this (Our case for QueueBuffer.cpp:153)

memcpy(process\_buffer, data, 67);

*   But the initialized size of process\_buffer is 64
    
    #define CRSF\_MAX\_PACKET\_LEN 64
    static uint8\_t process\_buffer\[CRSF\_MAX\_PACKET\_LEN\];
    

Therefore, the Global buffer overflow will be triggered.

**PoC ( Reproduce Method )**

We want to reproduce this crash using the actual rc packet, but we just triggered this crash in sitl because we don’t have the actual device yet. So, we’ve tested under the situation we can write the arbitrary data in the device using the crsf\_rc driver to receive packets.

So, we suggest the following process to reproduce this packet.

1.  We set the csrf\_rc driver in sitl by modifying the configure of default.px4board.
    
    CONFIG\_DRIVERS\_RC\_CRSF\_RC\=y
    
2.  We set the \_rcs\_buf buffer (in drivers/crsf\_rc/CrsfRc.cpp line 190) as below
    
    *   Assuming that the buffer gets the data.
    
    int new\_bytes \= ::read(\_rc\_fd, &\_rcs\_buf\[0\], RC\_MAX\_BUFFER\_SIZE);
    \_rcs\_buf\[0\] \= 0xc8; // MAGIC NUMBER which informs rc packet start
    \_rcs\_buf\[1\] \= 62; // size of the packet ( which is vulnerable )
    \_rcs\_buf\[2\] \= 100; // packet type ( random, not the 0x16, 0x14 )
    new\_bytes \= 60 // informs the packet is received
    
3.  We run the crsf\_rc driver like this
    
    pxh\> crsf\_rc start \-d <device\>
    
    *   For example,
    
    pxh\> crsf\_rc start \-d /dev/ttyS3
    

**Address Sanitizer Log**

\=================================================================
==5090==ERROR: AddressSanitizer: global-buffer-overflow on address 0x563750d9c500 at pc 0x7f15a823a2c3 bp 0x7f15a4606220 sp 0x7f15a46059c8
WRITE of size 67 at 0x563750d9c500 thread T140
ERROR \[simulator\_mavlink\] poll timeout 0, 22
    #0 0x7f15a823a2c2 in \_\_interceptor\_memcpy ../../../../src/libsanitizer/sanitizer\_common/sanitizer\_common\_interceptors.inc:827
    #1 0x56375022476a in memcpy /usr/include/x86\_64-linux-gnu/bits/string\_fortified.h:29
    #2 0x56375022476a in QueueBuffer\_PeekBuffer(QueueBuffer\_t const\*, unsigned int, unsigned char\*, unsigned int) /home/ubuntu/drone/PX4-Autopilot/src/drivers/rc/crsf\_rc/QueueBuffer.cpp:156
    #3 0x563750223952 in CrsfParser\_TryParseCrsfPacket(CrsfPacket\_t\*, CrsfParserStatistics\_t\*) /home/ubuntu/drone/PX4-Autopilot/src/drivers/rc/crsf\_rc/CrsfParser.cpp:330
    #4 0x56375022126d in CrsfRc::Run() /home/ubuntu/drone/PX4-Autopilot/src/drivers/rc/crsf\_rc/CrsfRc.cpp:211
    #5 0x563750a44b00 in px4::WorkQueue::Run() /home/ubuntu/drone/PX4-Autopilot/platforms/common/px4\_work\_queue/WorkQueue.cpp:188
    #6 0x563750a459bc in WorkQueueRunner /home/ubuntu/drone/PX4-Autopilot/platforms/common/px4\_work\_queue/WorkQueueManager.cpp:238
    #7 0x7f15a7294b42 in start\_thread nptl/pthread\_create.c:442
    #8 0x7f15a73269ff  (/lib/x86\_64-linux-gnu/libc.so.6+0x1269ff)

0x563750d9c500 is located 32 bytes to the left of global variable 'rx\_queue\_buffer' defined in '/home/ubuntu/drone/PX4-Autopilot/src/drivers/rc/crsf\_rc/CrsfParser.cpp:138:16' (0x563750d9c520) of size 200
0x563750d9c500 is located 0 bytes to the right of global variable 'process\_buffer' defined in '/home/ubuntu/drone/PX4-Autopilot/src/drivers/rc/crsf\_rc/CrsfParser.cpp:139:16' (0x563750d9c4c0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow ../../../../src/libsanitizer/sanitizer\_common/sanitizer\_common\_interceptors.inc:827 in \_\_interceptor\_memcpy
Shadow bytes around the buggy address:
  0x0ac76a1ab850: f9 f9 f9 f9 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9
  0x0ac76a1ab860: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ac76a1ab870: 00 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0ac76a1ab880: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ac76a1ab890: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=\>0x0ac76a1ab8a0:\[f9\]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac76a1ab8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
  0x0ac76a1ab8c0: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0ac76a1ab8d0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ac76a1ab8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac76a1ab8f0: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
Thread T140 created by T5 here:
    #0 0x7f15a8258685 in \_\_interceptor\_pthread\_create ../../../../src/libsanitizer/asan/asan\_interceptors.cpp:216
    #1 0x563750a4608a in WorkQueueManagerRun /home/ubuntu/drone/PX4-Autopilot/platforms/common/px4\_work\_queue/WorkQueueManager.cpp:324

Thread T5 created by T0 here:
    #0 0x7f15a8258685 in \_\_interceptor\_pthread\_create ../../../../src/libsanitizer/asan/asan\_interceptors.cpp:216
    #1 0x563750a40aab in px4\_task\_spawn\_cmd /home/ubuntu/drone/PX4-Autopilot/platforms/posix/src/px4/common/tasks.cpp:252

==5090==ABORTING

**Recommend Patch**

After the line of CrsfParser.cpp:319, the additional limitations of the size will prevent the bug as mentioned before.

case PARSER\_STATE\_CRC:
			// Fetch the suspected packet as a contingous block of memory
			if(working\_index+CRC\_SIZE \> CRSF\_MAX\_PACKET\_LEN){
				  parser\_statistics\->invalid\_unknown\_packet\_sizes++;
					parser\_state \= PARSER\_STATE\_HEADER;
					working\_segment\_size \= HEADER\_SIZE;
					working\_index\=0;
					buffer\_count \= QueueBuffer\_Count(&rx\_queue);
					continue;
			}
			QueueBuffer\_PeekBuffer(&rx\_queue, 0, process\_buffer, working\_index + CRC\_SIZE);

**Impact**

If we can create the RC packet remotely and that packet goes into the device where the \_rcs\_buf reads, the global buffer overflow vulnerability will be triggered so that the drone can behave unexpectedly.

CVE-2023-47625: [Bug Report] Vulnerable Bug Found in CrsfParser_TryParseCrsfPacket which can trigger Global Buffer Overflow

Red Hat Security Advisory 2023-6249-01 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 7. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6249.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: .NET 6.0 security, bug fix, and enhancement updateAdvisory ID:        RHSA-2023:6249-01Product:            .NET Core on Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6249Issue date:         2023-11-01Revision:           01CVE Names:          CVE-2023-36799====================================================================Summary: An update for .NET  6.0 is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The CVE-2023-36799 was previously fixed in .NET  6.0 packages in Red Hat Enterprise Linux 7 via erratum RHSA-2023:5142, which updated .NET to SDK 6.0.122 and Runtime 6.0.22. However, the fix was not included in the upstream SDK 6.0.123 and Runtime 6.0.23, which was added to Red Hat Enterprise Linux 7 via erratum RHSA-2023:5705, introducing a security regression. This erratum re-adds the fix for CVE-2023-36799 to .NET 6.0 packages.For more details about the regression, refer to the upstream release notes linked to the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.124 and .NET Runtime 6.0.24.Security Fix(es):* dotnet: Denial of Service with Client Certificates using .NET Kestrel (CVE-2023-36799)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-36799References:https://access.redhat.com/security/updates/classification/#moderatehttps://support.microsoft.com/en-gb/topic/-net-6-0-update-october-24-2023-kb5032874-c7206ee0-8768-496c-a122-eac43b8b85c9https://access.redhat.com/errata/RHSA-2023:5142

Red Hat Security Advisory 2023-6249-01

Red Hat Security Advisory 2023-6247-01 - An update for.NET 7.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6247.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: .NET 7.0 security updateAdvisory ID:        RHSA-2023:6247-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6247Issue date:         2023-11-01Revision:           01CVE Names:          CVE-2023-36799====================================================================Summary: An update for .NET 7.0 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The CVE-2023-36799 was previously fixed in .NET 7.0 packages in Red Hat Enterprise Linux 8 via erratum RHSA-2023:5145, which updated .NET to SDK 7.0.111 and Runtime 7.0.11. However, the fix was not included in the upstream SDK 7.0.112 and Runtime 7.0.12, which was added to Red Hat Enterprise Linux 8 via erratum RHSA-2023:5709, introducing a security regression. This erratum re-adds the fix for CVE-2023-36799 to .NET 7.0 packages.For more details about the regression, refer to the upstream release notes linked to the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.113 and .NET Runtime 7.0.13.Security Fix(es):* dotnet: Denial of Service with Client Certificates using .NET Kestrel (CVE-2023-36799)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-36799References:https://access.redhat.com/security/updates/classification/#moderatehttps://support.microsoft.com/en-gb/topic/-net-7-0-update-october-24-2023-kb5032875-1c20c4da-3b7e-414f-b7e7-5947358c33d9https://access.redhat.com/errata/RHSA-2023:5145

Red Hat Security Advisory 2023-6247-01

Red Hat Security Advisory 2023-6246-02 - An update for.NET 7.0 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6246.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: .NET 7.0 security updateAdvisory ID:        RHSA-2023:6246-02Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6246Issue date:         2023-11-02Revision:           02CVE Names:          CVE-2023-36799====================================================================Summary: An update for .NET 7.0 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The CVE-2023-36799 was previously fixed in .NET 7.0 packages in Red Hat Enterprise Linux 9 via erratum RHSA-2023:5146, which updated .NET to SDK 7.0.111 and Runtime 7.0.11. However, the fix was not included in the upstream SDK 7.0.112 and Runtime 7.0.12, which was added to Red Hat Enterprise Linux 9 via erratum RHSA-2023:5749, introducing a security regression. This erratum re-adds the fix for CVE-2023-36799 to .NET 7.0 packages.For more details about the regression, refer to the upstream release notes linked to the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.113 and .NET Runtime 7.0.13.Security Fix(es):* dotnet: Denial of Service with Client Certificates using .NET Kestrel (CVE-2023-36799)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-36799References:https://access.redhat.com/security/updates/classification/#moderatehttps://support.microsoft.com/en-gb/topic/-net-7-0-update-october-24-2023-kb5032875-1c20c4da-3b7e-414f-b7e7-5947358c33d9https://access.redhat.com/errata/RHSA-2023:5146

Red Hat Security Advisory 2023-6246-02

Red Hat Security Advisory 2023-6245-01 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6245.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: .NET 6.0 security updateAdvisory ID:        RHSA-2023:6245-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6245Issue date:         2023-11-01Revision:           01CVE Names:          CVE-2023-36799====================================================================Summary: An update for .NET 6.0 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The CVE-2023-36799 was previously fixed in .NET 6.0 packages in Red Hat Enterprise Linux 8 via erratum RHSA-2023:5144, which updated .NET to SDK 6.0.122 and Runtime 6.0.22. However, the fix was not included in the upstream SDK 6.0.123 and Runtime 6.0.23, which was added to Red Hat Enterprise Linux 8 via erratum RHSA-2023:5710, introducing a security regression. This erratum re-adds the fix for CVE-2023-36799 to .NET 6.0 packages.For more details about the regression, refer to the upstream release notes linked to the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.124 and .NET Runtime 6.0.24.Security Fix(es):* dotnet: Denial of Service with Client Certificates using .NET Kestrel (CVE-2023-36799)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-36799References:https://access.redhat.com/security/updates/classification/#moderatehttps://support.microsoft.com/en-gb/topic/-net-6-0-update-october-24-2023-kb5032874-c7206ee0-8768-496c-a122-eac43b8b85c9https://access.redhat.com/errata/RHSA-2023:5144

Red Hat Security Advisory 2023-6245-01

Red Hat Security Advisory 2023-6242-01 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6242.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: .NET 6.0 security updateAdvisory ID:        RHSA-2023:6242-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6242Issue date:         2023-11-01Revision:           01CVE Names:          CVE-2023-36799====================================================================Summary: An update for .NET 6.0 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.The CVE-2023-36799 was previously fixed in .NET 6.0 packages in Red Hat Enterprise Linux 9 via erratum RHSA-2023:5143, which updated .NET to SDK 6.0.122 and Runtime 6.0.22. However, the fix was not included in the upstream SDK 6.0.123 and Runtime 6.0.23, which was added to Red Hat Enterprise Linux 9 via erratum RHSA-2023:5708, introducing a security regression. This erratum re-adds the fix for CVE-2023-36799 to .NET 6.0 packages.For more details about the regression, refer to the upstream release notes linked to the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.124 and .NET Runtime 6.0.24.Security Fix(es):* dotnet: Denial of Service with Client Certificates using .NET Kestrel (CVE-2023-36799)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-36799References:https://access.redhat.com/security/updates/classification/#moderatehttps://support.microsoft.com/en-gb/topic/-net-6-0-update-october-24-2023-kb5032874-c7206ee0-8768-496c-a122-eac43b8b85c9https://access.redhat.com/errata/RHSA-2023:5143

Red Hat Security Advisory 2023-6242-01

Red Hat Security Advisory 2023-6236-01 - An update for binutils is now available for Red Hat Enterprise Linux 8. Issues addressed include a null pointer vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6236.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: binutils security updateAdvisory ID:        RHSA-2023:6236-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6236Issue date:         2023-11-01Revision:           01CVE Names:          CVE-2022-4285====================================================================Summary: An update for binutils is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The binutils packages provide a collection of binary utilities for the manipulation of object code in various object file formats. It includes the ar, as, gprof, ld, nm, objcopy, objdump, ranlib, readelf, size, strings, strip, and addr2line utilities.Security Fix(es):* binutils: NULL pointer dereference in _bfd_elf_get_symbol_version_string leads to segfault (CVE-2022-4285)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-4285References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2023-6236-01

Red Hat Security Advisory 2023-6227-01 - An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6227.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: qemu-kvm security updateAdvisory ID:        RHSA-2023:6227-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6227Issue date:         2023-11-01Revision:           01CVE Names:          CVE-2023-3354====================================================================Summary: An update for qemu-kvm is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.Security Fix(es):* QEMU: VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service (CVE-2023-3354)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-3354References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-6227-01

Red Hat Security Advisory 2023-6209-01 - An update for samba is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6209.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: samba security updateAdvisory ID:        RHSA-2023:6209-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6209Issue date:         2023-10-31Revision:           01CVE Names:          CVE-2023-3961====================================================================Summary: An update for samba is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.Security Fix(es):* samba: smbd allows client access to unix domain sockets on the file system as root (CVE-2023-3961)* samba: SMB clients can truncate files with read-only permissions (CVE-2023-4091)* samba: \"rpcecho\" development server allows denial of service via sleep() call on AD DC (CVE-2023-42669)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-3961References:https://access.redhat.com/security/updates/classification/#moderate

Tag

#linux