Gentoo Linux Security Advisory 202408-9 - Multiple vulnerabilities have been discovered in Cairo, the worst of which a denial of service. Versions greater than or equal to 1.18.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202408-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Cairo: Multiple Vulnerabilities  
     Date: August 07, 2024  
     Bugs: #717778  
       ID: 202408-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Cairo, the worst of  
which a denial of service.

Background  
==========

Cairo is a 2D vector graphics library with cross-device output support.

Affected packages  
=================

Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
x11-libs/cairo  < 1.18.0      >= 1.18.0

Description  
===========

Multiple vulnerabilities have been discovered in Cairo. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Cairo users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-libs/cairo-1.18.0"

References  
==========

[ 1 ] CVE-2019-6461  
      https://nvd.nist.gov/vuln/detail/CVE-2019-6461  
[ 2 ] CVE-2019-6462  
      https://nvd.nist.gov/vuln/detail/CVE-2019-6462

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-09

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202408-09

Red Hat Security Advisory 2024-5067-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include double free and null pointer vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5067.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel-rt security update  
Advisory ID:        RHSA-2024:5067-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:5067  
Issue date:         2024-08-07  
Revision:           03  
CVE Names:          CVE-2022-48637  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: block: null pointer dereference in ioctl.c when length and logical block size are misaligned (CVE-2023-52458)

* kernel: ext4: regenerate buddy after block freeing failed if under fc replay (CVE-2024-26601)

* kernel: PM / devfreq: Synchronize devfreq_monitor_[start/stop] (CVE-2023-52635)

* kernel: bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel (CVE-2024-26737)

* kernel: bnxt: prevent skb UAF after handing over to PTP worker (CVE-2022-48637)

* kernel: ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses (CVE-2024-26947)

* kernel: scsi: qla2xxx: Fix double free of the ha->vp_map pointer (CVE-2024-26930)

* kernel: nouveau: lock the client object tree. (CVE-2024-27062)

* kernel: octeontx2-af: Use separate handlers for interrupts (CVE-2024-27030)

* kernel: vt: fix unicode buffer corruption when deleting characters (CVE-2024-35823)

* kernel: netfilter: validate user input for expected length (CVE-2024-35896)

* kernel: mlxbf_gige: stop interface during shutdown (CVE-2024-35885)

* kernel: netfilter: complete validation of user input (CVE-2024-35962)

* kernel: scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup() (CVE-2023-52809)

* kernel: i40e: fix vf may be used uninitialized in this function warning (CVE-2024-36020)

* kernel: rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation (CVE-2024-36017)

* kernel: net: core: reject skb_copy(_expand) for fraglist GSO skbs (CVE-2024-36929)

* kernel: drm/vmwgfx: Fix invalid reads in fence signaled events (CVE-2024-36960)

* kernel: ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound (CVE-2024-33621)

* kernel: blk-cgroup: fix list corruption from reorder of WRITE ->lqueued (CVE-2024-38384)

* kernel: blk-cgroup: fix list corruption from resetting io stat (CVE-2024-38663)

* kernel: SUNRPC: Fix UAF in svc_tcp_listen_data_ready() (CVE-2023-52885)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-48637

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2265794  
https://bugzilla.redhat.com/show_bug.cgi?id=2265836  
https://bugzilla.redhat.com/show_bug.cgi?id=2272808  
https://bugzilla.redhat.com/show_bug.cgi?id=2273274  
https://bugzilla.redhat.com/show_bug.cgi?id=2277831  
https://bugzilla.redhat.com/show_bug.cgi?id=2278167  
https://bugzilla.redhat.com/show_bug.cgi?id=2278248  
https://bugzilla.redhat.com/show_bug.cgi?id=2278387  
https://bugzilla.redhat.com/show_bug.cgi?id=2278473  
https://bugzilla.redhat.com/show_bug.cgi?id=2281190  
https://bugzilla.redhat.com/show_bug.cgi?id=2281675  
https://bugzilla.redhat.com/show_bug.cgi?id=2281700  
https://bugzilla.redhat.com/show_bug.cgi?id=2281916  
https://bugzilla.redhat.com/show_bug.cgi?id=2282669  
https://bugzilla.redhat.com/show_bug.cgi?id=2284400  
https://bugzilla.redhat.com/show_bug.cgi?id=2284417  
https://bugzilla.redhat.com/show_bug.cgi?id=2284496  
https://bugzilla.redhat.com/show_bug.cgi?id=2290408  
https://bugzilla.redhat.com/show_bug.cgi?id=2293657  
https://bugzilla.redhat.com/show_bug.cgi?id=2294220  
https://bugzilla.redhat.com/show_bug.cgi?id=2294225  
https://bugzilla.redhat.com/show_bug.cgi?id=2297730

Red Hat Security Advisory 2024-5067-03

Red Hat Security Advisory 2024-5065-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5065.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel security update  
Advisory ID:        RHSA-2024:5065-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:5065  
Issue date:         2024-08-07  
Revision:           03  
CVE Names:          CVE-2021-47393  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: drm: Don't unref the same fb many times by mistake due to deadlock handling (CVE-2023-52486)

* kernel: tcp: add sanity checks to rx zerocopy (CVE-2024-26640)

* kernel: vfio/pci: Lock external INTx masking ops (CVE-2024-26810)

* kernel: mptcp: fix data re-injection from stale subflow (CVE-2024-26826)

* kernel: NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102 (CVE-2024-26870)

* kernel: mac802154: fix llsec key resources release in mac802154_llsec_key_del (CVE-2024-26961)

* kernel: wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes (CVE-2024-35789)

* kernel: mm/hugetlb: fix missing hugetlb_lock for resv uncharge (CVE-2024-36000)

* kernel: hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (CVE-2021-47393)

* kernel: net/mlx5: Discard command completions in internal error (CVE-2024-38555)

* kernel: ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound (CVE-2024-33621)

* kernel: tls: fix missing memory barrier in tls_init (CVE-2024-36489)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-47393

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2269070  
https://bugzilla.redhat.com/show_bug.cgi?id=2270100  
https://bugzilla.redhat.com/show_bug.cgi?id=2273654  
https://bugzilla.redhat.com/show_bug.cgi?id=2275604  
https://bugzilla.redhat.com/show_bug.cgi?id=2275711  
https://bugzilla.redhat.com/show_bug.cgi?id=2278176  
https://bugzilla.redhat.com/show_bug.cgi?id=2281057  
https://bugzilla.redhat.com/show_bug.cgi?id=2281968  
https://bugzilla.redhat.com/show_bug.cgi?id=2282345  
https://bugzilla.redhat.com/show_bug.cgi?id=2293444  
https://bugzilla.redhat.com/show_bug.cgi?id=2293657  
https://bugzilla.redhat.com/show_bug.cgi?id=2293687

Red Hat Security Advisory 2024-5065-03

Gentoo Linux Security Advisory 202408-8 - A vulnerability has been discovered in json-c, which can lead to a stack buffer overflow. Versions greater than or equal to 0.16 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202408-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: json-c: Buffer Overflow  
     Date: August 07, 2024  
     Bugs: #918555  
       ID: 202408-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in json-c, which can lead to a stack  
buffer overflow.

Background  
==========

json-c is a JSON implementation in C.

Affected packages  
=================

Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
dev-libs/json-c  < 0.16        >= 0.16

Description  
===========

Please review the CVE identifier referenced below for details.

Impact  
======

A stack-buffer-overflow exists in the auxiliary sample program  
json_parse which is located in the function parseit.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All json-c users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-libs/json-c-0.16"

References  
==========

[ 1 ] CVE-2021-32292  
      https://nvd.nist.gov/vuln/detail/CVE-2021-32292

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-08

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202408-08

Gentoo Linux Security Advisory 202408-7 - Multiple vulnerabilities have been discovered in Go, the worst of which could lead to information leakage or a denial of service. Versions greater than or equal to 1.22.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202408-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Go: Multiple Vulnerabilities  
     Date: August 07, 2024  
     Bugs: #906043, #919310, #926530, #928539, #931602  
       ID: 202408-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Go, the worst of which  
could lead to information leakage or a denial of service.

Background  
==========

Go is an open source programming language that makes it easy to build  
simple, reliable, and efficient software.

Affected packages  
=================

Package      Vulnerable    Unaffected  
-----------  ------------  ------------  
dev-lang/go  < 1.22.3      >= 1.22.3

Description  
===========

Multiple vulnerabilities have been discovered in Go. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Go users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-lang/go-1.22.3"

Due to Go programs typically being statically compiled, Go users should  
also recompile the reverse dependencies of the Go language to ensure  
statically linked programs are remediated:

  # emerge --ask --oneshot --verbose @golang-rebuild

References  
==========

[ 1 ] CVE-2023-24539  
      https://nvd.nist.gov/vuln/detail/CVE-2023-24539  
[ 2 ] CVE-2023-24540  
      https://nvd.nist.gov/vuln/detail/CVE-2023-24540  
[ 3 ] CVE-2023-29400  
      https://nvd.nist.gov/vuln/detail/CVE-2023-29400  
[ 4 ] CVE-2023-39326  
      https://nvd.nist.gov/vuln/detail/CVE-2023-39326  
[ 5 ] CVE-2023-45283  
      https://nvd.nist.gov/vuln/detail/CVE-2023-45283  
[ 6 ] CVE-2023-45285  
      https://nvd.nist.gov/vuln/detail/CVE-2023-45285  
[ 7 ] CVE-2023-45288  
      https://nvd.nist.gov/vuln/detail/CVE-2023-45288  
[ 8 ] CVE-2023-45289  
      https://nvd.nist.gov/vuln/detail/CVE-2023-45289  
[ 9 ] CVE-2023-45290  
      https://nvd.nist.gov/vuln/detail/CVE-2023-45290  
[ 10 ] CVE-2024-24783  
      https://nvd.nist.gov/vuln/detail/CVE-2024-24783  
[ 11 ] CVE-2024-24784  
      https://nvd.nist.gov/vuln/detail/CVE-2024-24784  
[ 12 ] CVE-2024-24785  
      https://nvd.nist.gov/vuln/detail/CVE-2024-24785  
[ 13 ] CVE-2024-24788  
      https://nvd.nist.gov/vuln/detail/CVE-2024-24788

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-07

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202408-07

Red Hat Security Advisory 2024-5041-03 - An update for python-urllib3 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5041.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: python-urllib3 security updateAdvisory ID:        RHSA-2024:5041-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5041Issue date:         2024-08-06Revision:           03CVE Names:          CVE-2024-37891====================================================================Summary: An update for python-urllib3 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities.Security Fix(es):* urllib3: proxy-authorization request header is not stripped during cross-origin redirects (CVE-2024-37891)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-37891References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2292788

Red Hat Security Advisory 2024-5041-03

Red Hat Security Advisory 2024-5040-03 - An update for python-setuptools is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a code execution vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5040.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python-setuptools security updateAdvisory ID:        RHSA-2024:5040-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5040Issue date:         2024-08-06Revision:           03CVE Names:          CVE-2024-6345====================================================================Summary: An update for python-setuptools is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The python-setuptools package provides a collection of enhancements to Python distribution utilities allowing convenient building and distribution of Python packages.Security Fix(es):* pypa/setuptools: Remote code execution via download functions in the package_index module in pypa/setuptools (CVE-2024-6345)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6345References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2297771

Red Hat Security Advisory 2024-5040-03

Red Hat Security Advisory 2024-5025-03 - Red Hat JBoss Web Server 5.8.1 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5025.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat JBoss Web Server 5.8.1 release and security updateAdvisory ID:        RHSA-2024:5025-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5025Issue date:         2024-08-06Revision:           03CVE Names:          CVE-2024-34750====================================================================Summary: Red Hat JBoss Web Server 5.8.1 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 5.8.1 serves as a replacement for Red Hat JBoss Web Server 5.8.0. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes that are linked to in the References section.Security Fix(es):* jws5-tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2024-34750References:https://access.redhat.com/security/updates/classification/#importanthttps://docs.redhat.com/en/documentation/red_hat_jboss_web_server/5.8/html-single/red_hat_jboss_web_server_5.8_service_pack_1_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2295651

Red Hat Security Advisory 2024-5025-03

Gentoo Linux Security Advisory 202408-5 - Multiple vulnerabilities have been discovered in Redis, the worst of which may lead to a denial of service or possible remote code execution. Versions greater than or equal to 7.2.4 are affected.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Gentoo Linux Security Advisory                           GLSA 202408-05- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -                                           https://security.gentoo.org/- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal    Title: Redis: Multiple Vulnerabilities     Date: August 07, 2024     Bugs: #891169, #898464, #902501, #904486, #910191, #913741, #915989, #921662       ID: 202408-05- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Synopsis========Multiple vulnerabilities have been discovered in Redis, the worst ofwhich may lead to a denial of service or possible remote code execution.Background==========Redis is an open source (BSD licensed), in-memory data structure store,used as a database, cache and message broker.Affected packages=================Package       Vulnerable    Unaffected------------  ------------  ------------dev-db/redis  < 7.2.4       >= 7.2.4Description===========Multiple vulnerabilities have been discovered in Redis. Please reviewthe CVE identifiers referenced below for details.Impact======Please review the referenced CVE identifiers for details.Workaround==========There is no known workaround at this time.Resolution==========All Redis users should upgrade to the latest version:  # emerge --sync  # emerge --ask --oneshot --verbose ">=dev-db/redis-7.2.4"References==========[ 1 ] CVE-2022-24834      https://nvd.nist.gov/vuln/detail/CVE-2022-24834[ 2 ] CVE-2022-35977      https://nvd.nist.gov/vuln/detail/CVE-2022-35977[ 3 ] CVE-2022-36021      https://nvd.nist.gov/vuln/detail/CVE-2022-36021[ 4 ] CVE-2023-22458      https://nvd.nist.gov/vuln/detail/CVE-2023-22458[ 5 ] CVE-2023-25155      https://nvd.nist.gov/vuln/detail/CVE-2023-25155[ 6 ] CVE-2023-28425      https://nvd.nist.gov/vuln/detail/CVE-2023-28425[ 7 ] CVE-2023-28856      https://nvd.nist.gov/vuln/detail/CVE-2023-28856[ 8 ] CVE-2023-36824      https://nvd.nist.gov/vuln/detail/CVE-2023-36824[ 9 ] CVE-2023-41053      https://nvd.nist.gov/vuln/detail/CVE-2023-41053[ 10 ] CVE-2023-41056      https://nvd.nist.gov/vuln/detail/CVE-2023-41056[ 11 ] CVE-2023-45145      https://nvd.nist.gov/vuln/detail/CVE-2023-45145Availability============This GLSA and any updates to it are available for viewing atthe Gentoo Security Website: https://security.gentoo.org/glsa/202408-05Concerns?=========Security is a primary focus of Gentoo Linux and ensuring theconfidentiality and security of our users' machines is of utmostimportance to us. Any security concerns should be addressed tosecurity@gentoo.org or alternatively, you may file a bug athttps://bugs.gentoo.org.License=======Copyright 2024 Gentoo Foundation, Inc; referenced textbelongs to its owner(s).The contents of this document are licensed under theCreative Commons - Attribution / Share Alike license.https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202408-05

Covid-19 Directory on Vaccination System version 1.0 suffers from an ignored default credential vulnerability.

**Covid-19 Directory On Vaccination System 1.0 Insecure Settings**

Posted Aug 7, 2024

Authored by indoushka

Covid-19 Directory on Vaccination System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 8c38f4e680e6513d62d4303a51a4d7e3eaa5a7bb80e3e87ce8e510bba268a0b9

Download | Favorite | View

**Covid-19 Directory On Vaccination System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Covid-19 Directory on Vaccination System v1.0 Insecure Settings Vulnerability                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/php/15244/design-and-implementation-covid-19-directory-vacination.html              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,289)
*   Arbitrary (16,852)
*   BBS (2,859)
*   Bypass (1,860)
*   CGI (1,033)
*   Code Execution (7,792)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,386)
*   DoS (25,050)
*   Encryption (2,389)
*   Exploit (53,137)
*   File Inclusion (4,259)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,889)
*   Intrusion Detection (915)
*   Java (3,143)
*   JavaScript (896)
*   Kernel (7,191)
*   Local (14,791)
*   Magazine (586)
*   Overflow (13,167)
*   Perl (1,435)
*   PHP (5,222)
*   Proof of Concept (2,382)
*   Protocol (3,724)
*   Python (1,635)
*   Remote (31,646)
*   Root (3,635)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,025)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,605)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,941)
*   Web (9,960)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,246)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,090)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,547)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,646)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,459)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,729)
*   UNIX (9,433)
*   UnixWare (187)
*   Windows (6,670)
*   Other

Tag

#linux