Insertion of Sensitive Information into Log File vulnerability in Hitachi Ops Center Administrator on Linux allows local users  to gain sensive information.This issue affects Hitachi Ops Center Administrator: before 10.9.3-00.



*   Security Information ID
*   Vulnerability description
*   Affected products
*   Fixed products
*   Revision history

Update: October 3, 2023

A vulnerability (CVE-2023-3335) exists in Hitachi Ops Center Administrator.

**Security Information ID**

hitachi-sec-2023-140

**Vulnerability description**

An information exposure vulnerability exists in Hitachi Ops Center Administrator.

*   CVE-2023-3335: Information Exposure Vulnerability in Hitachi Ops Center Administrator (Display new window)  
    CVSS SCORE: 6.5(Medium) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Affected products and versions are listed below. Please upgrade your version to the appropriate version.

**Affected products**

The information is organized under the following headings:  

**(Example)  
Product name: Gives the name of the affected product.**

Version:

Platform

Gives the affected version.

**Product name: Hitachi Ops Center Administrator  
**

Version(s):

Linux

less than 10.9.3-00

**General Precautions Regarding Vulnerabilities**

We do not plan to investigate or respond to storage management software vulnerabilities that arise from the management and monitoring of storage devices whose support period has ended.  
To prevent the impact of such latent vulnerabilities, remove storage devices whose support period has ended from the management and monitoring target of the storage management software.

**Fixed products**

The information is organized under the following headings:  

**(Example)  
Product name: Gives the name of the fixed product.**

Version:

Platform

Gives the fixed version, and release date.

Scheduled version:

Platform

Gives the fixed version scheduled to be released.

**Product name: Hitachi Ops Center Administrator  
**

Version(s):

Linux

10.9.3-00 October 3, 2023

For details on the fixed products, contact your Hitachi support service representative.

**Revision history**

October 3, 2023

This page is released.

*   Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide accurate information about security countermeasures. However, since information about security problems constantly changes, the contents of these Web pages are subject to change without prior notice. When referencing information, please confirm that you are referencing the latest information.
*   The Web pages include information about products that are developed by non-Hitachi software developers. Vulnerability information about those products is based on the information provided or disclosed by those developers. Although Hitachi is careful about the accuracy and completeness of this information, the contents of the Web pages may change depending on the changes made by the developers.
*   The Web pages are intended to provide vulnerability information only, and Hitachi shall not have any legal responsibility for the information contained in them. Hitachi shall not be liable for any consequences arising out of or in connection with the security countermeasures or other actions that you will take or have taken (or not taken) by yourself.
*   The links to other web sites are valid at the time of the release of the page. Although Hitachi makes an effort to maintain the links, Hitachi cannot guarantee their permanent availability.

CVE-2023-3335: hitachi-sec-2023-140: Information Exposure Vulnerability in Hitachi Ops Center Administrator

Allocation of Resources Without Limits or Throttling vulnerability in Hitachi Ops Center Common Services on Linux allows DoS.This issue affects Hitachi Ops Center Common Services: before 10.9.3-00.



*   Security Information ID
*   Vulnerability description
*   Affected products
*   Fixed products
*   Revision history

Update: October 3, 2023

A DoS vulnerability (CVE-2023-3967) exists in Hitachi Ops Center Common Services.

**Security Information ID**

hitachi-sec-2023-142

**Affected products**

The information is organized under the following headings:  

**(Example)  
Product name: Gives the name of the affected product.**

Version:

Platform

Gives the affected version.

**Product name: Hitachi Ops Center Common Services  
**

Version(s):

less than 10.9.3-00

**General Precautions Regarding Vulnerabilities**

We do not plan to investigate or respond to storage management software vulnerabilities that arise from the management and monitoring of storage devices whose support period has ended.  
To prevent the impact of such latent vulnerabilities, remove storage devices whose support period has ended from the management and monitoring target of the storage management software.

**Fixed products**

The information is organized under the following headings:  

**(Example)  
Product name: Gives the name of the fixed product.**

Version:

Platform

Gives the fixed version, and release date.

Scheduled version:

Platform

Gives the fixed version scheduled to be released.

**Product name: Hitachi Ops Center Common Services (English version)  
**

Version(s):

Linux

10.9.3-00 October 2, 2023

**Product name: Hitachi Ops Center Common Services (Japanese version)  
**

Version(s):

Linux

10.9.3-00 September 21, 2023

For details on the fixed products, contact your Hitachi support service representative.

**Revision history**

October 3, 2023

This page is released.

*   Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide accurate information about security countermeasures. However, since information about security problems constantly changes, the contents of these Web pages are subject to change without prior notice. When referencing information, please confirm that you are referencing the latest information.
*   The Web pages include information about products that are developed by non-Hitachi software developers. Vulnerability information about those products is based on the information provided or disclosed by those developers. Although Hitachi is careful about the accuracy and completeness of this information, the contents of the Web pages may change depending on the changes made by the developers.
*   The Web pages are intended to provide vulnerability information only, and Hitachi shall not have any legal responsibility for the information contained in them. Hitachi shall not be liable for any consequences arising out of or in connection with the security countermeasures or other actions that you will take or have taken (or not taken) by yourself.
*   The links to other web sites are valid at the time of the release of the page. Although Hitachi makes an effort to maintain the links, Hitachi cannot guarantee their permanent availability.

CVE-2023-3967: hitachi-sec-2023-142: DoS Vulnerability in Hitachi Ops Center Common Services

Buffer Overflow vulnerability in Vorbis-tools v.1.4.2 allows a local attacker to execute arbitrary code and cause a denial of service during the conversion of wav files to ogg files.

WHAT'S HERE:

This source distribution includes the vorbis-tools and nothing else.
The audio codec libraries for use with Ogg bitstreams are contained in
other modules: vorbis, speex and flac.


DIRECTORIES:

debian/		debian packaging stuff
include/	header files shared between the tools
intl/		GNU gettext library from gettext-0.10.40 (for i18n support)
ogg123/		an ogg vorbis command line audio player
oggenc/		the ogg vorbis encoder
oggdec/		a simple, portable command line decoder (to wav and raw)
ogginfo/	provides information (tags, bitrate, length, etc.) about
		an ogg vorbis file
po/		translations for non-English languages
share/		code shared between the tools
vcut/		cuts an ogg vorbis file into two parts at a particular point
vorbiscomment/	edits the comments in an ogg vorbis file
win32/		Win32 build stuff


DEPENDENCIES:

All of the tools require libogg and libvorbis to be installed (along
with the header files).  Additionally, ogg123 requires libao, libcurl,
and a POSIX-compatible thread library.  Ogg123 can optionally compiled
to use libFLAC, and libspeex.  Oggenc can be optionally compiled with
libFLAC, and libkate.  The libraries libogg, libvorbis, and libao are
all available at
  https://xiph.org/vorbis/

The libcurl library is packaged with most Linux distributions.  The
source code can also be downloaded from:
  http://curl.haxx.se/libcurl/

FLAC is available at:
  https://xiph.org/flac/

Speex is available at:
  https://www.speex.org/

libkate is available at:
  http://libkate.googlecode.com/

CONTACT:

The Ogg Vorbis homepage is located at 'https://xiph.org/vorbis/'. Up to
date technical documents, contact information, source code and
pre-built utilities may be found there.

Developer information is available from http://www.xiph.org/. Check
there for bug reporting information, mailing lists and other resources.


BUILDING FROM SUBVERSION (see the file HACKING for details):

./autogen.sh
make 

and as root if desired :

make install

This will install the tools into /usr/local/bin and manpages into
/usr/local/man.


BUILDING FROM TARBALL DISTRIBUTIONS:

./configure
make

and as root if desired :

make install

BUILDING RPMS:

RPMs may be built by:

after autogen.sh or configure

make dist
rpm -ta vorbis-tools-<version>.tar.gz


KNOWN BUGS:

#1321
  First noticed in non-English versions of the application, ogg123 has a major
  bug when it comes to status messages in the shell: any output bigger than
  the console's width will break and start spamming that message infinitely
  until the console is resized.

  Different attempts to fix this bug have ended up causing bigger problems,
  leading to the conclusion that it simply can't be fixed without a large
  re-write of the application, which will not happen any time soon.  If you
  come across this issue, please augment your terminal window size.

CVE-2023-43361: GitHub - xiph/vorbis-tools: Command-line tools for creating and playing Ogg Vorbis files.

Gentoo Linux Security Advisory 202310-1 - Multiple vulnerabilities have been discovered in ClamAV, the worst of which could result in remote code execution. Versions greater than or equal to 0.103.7 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: ClamAV: Multiple Vulnerabilities  
     Date: October 01, 2023  
     Bugs: #831083, #842813, #894672  
       ID: 202310-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in ClamAV, the worst of  
which could result in remote code execution.

Background  
==========

ClamAV is a GPL virus scanner.

Affected packages  
=================

Package               Vulnerable    Unaffected  
--------------------  ------------  ------------  
app-antivirus/clamav  < 0.103.7     >= 0.103.7

Description  
===========

Multiple vulnerabilities have been discovered in ClamAV. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All ClamAV users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.103.7"

References  
==========

[ 1 ] CVE-2022-20698  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20698  
[ 2 ] CVE-2022-20770  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20770  
[ 3 ] CVE-2022-20771  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20771  
[ 4 ] CVE-2022-20785  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20785  
[ 5 ] CVE-2022-20792  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20792  
[ 6 ] CVE-2022-20796  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20796  
[ 7 ] CVE-2022-20803  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20803  
[ 8 ] CVE-2023-20032  
      https://nvd.nist.gov/vuln/detail/CVE-2023-20032  
[ 9 ] CVE-2023-20052  
      https://nvd.nist.gov/vuln/detail/CVE-2023-20052

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-01

Debian Linux Security Advisory 5512-1 - Several vulnerabilities were discovered in Exim, a mail transport agent, which could result in remote code execution if the EXTERNAL or SPA/NTLM authenticators are used.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5512-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoOctober 02, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : exim4CVE ID         : CVE-2023-42114 CVE-2023-42115 CVE-2023-42116Several vulnerabilities were discovered in Exim, a mail transport agent,which could result in remote code execution if the EXTERNAL or SPA/NTLMauthenticators are used.For the oldstable distribution (bullseye), these problems have been fixedin version 4.94.2-7+deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 4.96-15+deb12u2.We recommend that you upgrade your exim4 packages.For the detailed security status of exim4 please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/exim4Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmUa1ApfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TGThAAlhXEHvEOP7MfFaNN2Nh6Dl6wtFkPjYKB7wljZajtIkmk7IgsxREOMDC+In+344UwfMJyZB49uvO15EV1dcHwUlOAIaDrFMN4SyMVWP+OllFEDMnexQ0+UyuPm0AGMdvokXQq+5tgaRjP7ThOVM0z3+hbPzRr4tQi2tjB/0k1/p9vC4aDJuuf1i8MiVDvtF4s38zlB1f6oCezulgb+wd53VGjL6vk8nzCxWe6RNtpsxzZGdRnA30tDGaBPvdMSbDEcx85U7DViAtXzVvJe+1IdSTBxu8rrUqR9Md1V1zLf8PPyblENwZlc/zJ9ad+EuQnYwsiYUnE72pFYO1mR0b8aE7W8V1t96ijOr323oCN2aWI4HWiteEHcGt8UlE9CT1OG+c5caf7s0L984wEigJxYzc9gTtjX1Y5kh2CAjmvjxPO3v+jRQkPqP9i/x/ax0IvXXeffEUtru1qFscXsgsNru53yRHoGGCo1vwNNwBLuNyD48yFukNFc8rxKK+fjJrCOeSuM21k97T86k9B6sA26IFz/eQJtPXrSC6lzyU75RBWmbPrjEsnqv7GsGUtz1RLLqELhorv+u2SChWsxHMd5rOsZ46bDGoIe+SW7A568blD5P/fv36HYPPXPjFRU7XLS7SUE08cxMUkLHJWMJ/fwIIyEtjoL26oW7r60ITaljg==+Ajg-----END PGP SIGNATURE-----

Debian Security Advisory 5512-1

Debian Linux Security Advisory 5511-1 - Several security vulnerabilities have been discovered in mosquitto, a MQTT compatible message broker, which may be abused for a denial of service attack.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5511-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
October 01, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : mosquitto  
CVE ID         : CVE-2021-34434 CVE-2023-0809 CVE-2023-3592 CVE-2023-28366  
                 CVE-2021-41039  
Debian Bug     : 993400 1001028

Several security vulnerabilities have been discovered in mosquitto, a MQTT  
compatible message broker, which may be abused for a denial of service attack.

CVE-2021-34434

    In Eclipse Mosquitto when using the dynamic security plugin, if the ability  
    for a client to make subscriptions on a topic is revoked when a durable  
    client is offline, then existing subscriptions for that client are not  
    revoked.

CVE-2023-0809

    Fix excessive memory being allocated based on malicious initial packets  
    that are not CONNECT packets.

CVE-2023-3592

    Fix memory leak when clients send v5 CONNECT packets with a will message  
    that contains invalid property types.

CVE-2023-28366

    The broker in Eclipse Mosquitto has a memory leak that can be abused  
    remotely when a client sends many QoS 2 messages with duplicate message  
    IDs, and fails to respond to PUBREC commands. This occurs because of  
    mishandling of EAGAIN from the libc send function.

Additionally CVE-2021-41039 has been fixed for Debian 11 "Bullseye".

CVE-2021-41039

    An MQTT v5 client connecting with a large number of user-property  
    properties could cause excessive CPU usage, leading to a loss of  
    performance and possible denial of service.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 2.0.11-1+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.0.11-1.2+deb12u1.

We recommend that you upgrade your mosquitto packages.

For the detailed security status of mosquitto please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/mosquitto

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUZx+xfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeTgyhAAwGXTLpeJ0n2FCmZdkhOJCz8qgD4nesLMKGnNH4bq0RWgunDe7CSagvMo  
YG83i4+S0xuH0BLL+5Ytu5Y4MTU9cMJXLaOYL0ivomtjQKilS4aoJQ9ps4bfZPff  
ChsFYi2IUB3VZlNaS8yLIh9Rm8630P51Te9jXTktMwvj8SDalt+HRchR2V5sAsK0  
G8fwSgAP4eIUb3xRWJNrHUXSRgiJpHIeWW8WIo9c0V7Tks/rIoYgXNQiQow1Hde5  
B6k8yHk2xwoXOMoTenY9xrrdY9HZuUqVe9qayl+AMREYmcNPmZvZDpMjUSxdOMdp  
JP/YD6nKp92DNlZG82k/45nWFLogAPQUC2SupaUrPQRJ99xDzlby4KkGt95rKMXE  
4tuc0sqR4EM2v9zhp9jmkIAVzQyBf3vVZNu5yyug0+7/jT/fwh/wFW3B3TTFYH4m  
lD3+9i1NPKt3hdBfZKryWDqmYV+86vvGLVPj5AzNF/JEj9wuFC5DzU44M09Qk2rO  
J0FWk0nKg6SznG5zY8k+L+tcpMYg+RoD/kJXZP+OuvSLUcnYw2NWYcW3sDccO/zI  
cVvIWDmnjei4D3VMkATnkHe7HCqO+bX4nvvytgPxj1WhZ17MIGqs7qRJbCEblDRd  
GZAIo0EWhmsZsEwRaXr7II/0qxOJ2EeXiFsbyYzWQCVOknmnzOI=  
=luvt  
-----END PGP SIGNATURE-----

Debian Security Advisory 5511-1

Gentoo Linux Security Advisory 202309-17 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions greater than or equal to 113.0.5672.126 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-17  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities  
     Date: September 30, 2023  
     Bugs: #893660, #904252, #904394, #904560, #905297, #905620, #905883, #906586  
       ID: 202309-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Chromium and its  
derivatives, the worst of which could result in remote code execution.

Background  
==========

Chromium is an open-source browser project that aims to build a safer,  
faster, and more stable way for all users to experience the web.

Google Chrome is one fast, simple, and secure browser for all your  
devices.

Microsoft Edge is a browser that combines a minimal design with  
sophisticated technology to make the web faster, safer, and easier.

Affected packages  
=================

Package                    Vulnerable        Unaffected  
-------------------------  ----------------  -----------------  
www-client/chromium        < 113.0.5672.126  >= 113.0.5672.126  
www-client/chromium-bin    < 113.0.5672.126  Vulnerable!  
www-client/google-chrome   < 113.0.5672.126  >= 113.0.5672.126  
www-client/microsoft-edge  < 113.0.1774.50   >= 113.0.1774.50

Description  
===========

Multiple vulnerabilities have been discovered in Chromium and its  
derivatives. Please review the CVE identifiers referenced below for  
details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Chromium users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/chromium-113.0.5672.126"

All Google Chrome users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/google-chrome-113.0.5672.126"

All Microsoft Edge users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-113.0.1774.50"

Gentoo has discontinued support for www-client/chromium-bin. Users  
should unmerge it in favor of the above alternatives:

  # emerge --ask --depclean --verbose "www-client/chromium-bin"

References  
==========

[ 1 ] CVE-2023-0696  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0696  
[ 2 ] CVE-2023-0697  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0697  
[ 3 ] CVE-2023-0698  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0698  
[ 4 ] CVE-2023-0699  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0699  
[ 5 ] CVE-2023-0700  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0700  
[ 6 ] CVE-2023-0701  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0701  
[ 7 ] CVE-2023-0702  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0702  
[ 8 ] CVE-2023-0703  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0703  
[ 9 ] CVE-2023-0704  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0704  
[ 10 ] CVE-2023-0705  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0705  
[ 11 ] CVE-2023-0927  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0927  
[ 12 ] CVE-2023-0928  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0928  
[ 13 ] CVE-2023-0929  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0929  
[ 14 ] CVE-2023-0930  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0930  
[ 15 ] CVE-2023-0931  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0931  
[ 16 ] CVE-2023-0932  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0932  
[ 17 ] CVE-2023-0933  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0933  
[ 18 ] CVE-2023-0941  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0941  
[ 19 ] CVE-2023-1528  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1528  
[ 20 ] CVE-2023-1529  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1529  
[ 21 ] CVE-2023-1530  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1530  
[ 22 ] CVE-2023-1531  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1531  
[ 23 ] CVE-2023-1532  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1532  
[ 24 ] CVE-2023-1533  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1533  
[ 25 ] CVE-2023-1534  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1534  
[ 26 ] CVE-2023-1810  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1810  
[ 27 ] CVE-2023-1811  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1811  
[ 28 ] CVE-2023-1812  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1812  
[ 29 ] CVE-2023-1813  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1813  
[ 30 ] CVE-2023-1814  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1814  
[ 31 ] CVE-2023-1815  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1815  
[ 32 ] CVE-2023-1816  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1816  
[ 33 ] CVE-2023-1817  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1817  
[ 34 ] CVE-2023-1818  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1818  
[ 35 ] CVE-2023-1819  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1819  
[ 36 ] CVE-2023-1820  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1820  
[ 37 ] CVE-2023-1821  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1821  
[ 38 ] CVE-2023-1822  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1822  
[ 39 ] CVE-2023-1823  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1823  
[ 40 ] CVE-2023-2033  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2033  
[ 41 ] CVE-2023-2133  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2133  
[ 42 ] CVE-2023-2134  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2134  
[ 43 ] CVE-2023-2135  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2135  
[ 44 ] CVE-2023-2136  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2136  
[ 45 ] CVE-2023-2137  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2137  
[ 46 ] CVE-2023-2459  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2459  
[ 47 ] CVE-2023-2460  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2460  
[ 48 ] CVE-2023-2461  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2461  
[ 49 ] CVE-2023-2462  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2462  
[ 50 ] CVE-2023-2463  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2463  
[ 51 ] CVE-2023-2464  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2464  
[ 52 ] CVE-2023-2465  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2465  
[ 53 ] CVE-2023-2466  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2466  
[ 54 ] CVE-2023-2467  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2467  
[ 55 ] CVE-2023-2468  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2468  
[ 56 ] CVE-2023-2721  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2721  
[ 57 ] CVE-2023-2722  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2722  
[ 58 ] CVE-2023-2723  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2723  
[ 59 ] CVE-2023-2724  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2724  
[ 60 ] CVE-2023-2725  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2725  
[ 61 ] CVE-2023-2726  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2726  
[ 62 ] CVE-2023-21720  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21720  
[ 63 ] CVE-2023-21794  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21794  
[ 64 ] CVE-2023-23374  
      https://nvd.nist.gov/vuln/detail/CVE-2023-23374  
[ 65 ] CVE-2023-28261  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28261  
[ 66 ] CVE-2023-28286  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28286  
[ 67 ] CVE-2023-29334  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29334  
[ 68 ] CVE-2023-29350  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29350  
[ 69 ] CVE-2023-29354  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29354

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-17

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-17

Gentoo Linux Security Advisory 202309-16 - Multiple vulnerabilities have been discovered in wpa_supplicant and hostapd, the worst of which could result in arbitrary code execution. Versions greater than or equal to 2.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-16  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: wpa_supplicant, hostapd: Multiple Vulnerabilities  
     Date: September 30, 2023  
     Bugs: #768759, #780135, #780138, #831332  
       ID: 202309-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in wpa_supplicant and  
hostapd, the worst of which could result in arbitrary code execution.

Background  
==========

wpa_supplicant is a WPA Supplicant with support for WPA and WPA2 (IEEE  
802.11i / RSN). hostapd is a user space daemon for access point and  
authentication servers.

Affected packages  
=================

Package                      Vulnerable    Unaffected  
---------------------------  ------------  ------------  
net-wireless/hostapd         < 2.10        >= 2.10  
net-wireless/wpa_supplicant  < 2.10        >= 2.10

Description  
===========

Multiple vulnerabilities have been discovered in hostapd and  
wpa_supplicant. Please review the CVE identifiers referenced below for  
details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All wpa_supplicant users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-wireless/wpa_supplicant-2.10"

All hostapd users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-wireless/hostapd-2.10"

References  
==========

[ 1 ] CVE-2021-30004  
      https://nvd.nist.gov/vuln/detail/CVE-2021-30004  
[ 2 ] CVE-2022-23303  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23303  
[ 3 ] CVE-2022-23304  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23304

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-16

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-16

Debian Linux Security Advisory 5510-1 - Clement Lecigne discovered a heap-based buffer overflow in libvpx, a multimedia library for the VP8 and VP9 video codecs, which may result in the execution of arbitrary code if a specially crafted VP8 media stream is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5510-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoSeptember 29, 2023                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libvpxCVE ID         : CVE-2023-5217Debian Bug     : 1053182Clement Lecigne discovered a heap-based buffer overflow in libvpx, amultimedia library for the VP8 and VP9 video codecs, which may result inthe execution of arbitrary code if a specially crafted VP8 media streamis processed.For the oldstable distribution (bullseye), this problem has been fixedin version 1.9.0-1+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 1.12.0-1+deb12u1.We recommend that you upgrade your libvpx packages.For the detailed security status of libvpx please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/libvpxFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmUXPQxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0RFDA/9GmZkMOfqEBNeItASvUeQAbPu9w7hh/Ah/Ox9gSFZMvD5QmGTs6Zp8lZYTmOKS2Ls1rgQnfM/c+dm6Le4H9e+EtGYvLI0P6KjIk3T+rA+55os3WoUE99KJsZrj0AZM0jsmaQVuV1MbJIJSGo6a49qRkSIF4eS7/rws8xImu73EgcPQiWep70kF8/idqnYYqFEKJwT3Oxp2h4zYLM8Jqt8ji4caTHle20rcQ1tdOBCcqDWH87aNk1kqhWELe281K7sDVYlpyIGSZRsvHbTusESlvp+92sRIQPRDdpMMkSgACBDcHpfCHiJDofDDn+6Z4zA5XRxHOKlHvYvrg9lDSA1eu9V7oaR2YoBRfIcwd4HxB535FjJRNDGtt+0thJnuv+zjiA2yK/GTBju52q+96qGcXhPrGOZiQeth4SdxVnK3FKc3lB6HbMgs4ZERZNhs7AJ4I7pnyX6d8Zux3kPjejrdvBOFT8L+gNYzYn0tkcKHdpK2Xj0OMKboDLFxw26i8GgNb9RUht6Seb1dk2bnel2fJ+rqgxkltpVuTIFjQ942YtHm/a9xj6FLK3D6CtX1masIZ53uo51k2qWAGJWUqovasIQQHBUeOHgFHw+lHNHNlSsiblu6xc9y4B42vpozR449Q3volOr7t7oWv/pmsqrd48ByYXj7NESzD/bm4uOo9E==NrxQ-----END PGP SIGNATURE-----

Debian Security Advisory 5510-1

jSQL Injection is a lightweight application used to find database information from a distant server. jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux. This is the source code release.

Tag

#linux