Ubuntu Security Notice 7088-3 - Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7088-3November 06, 2024linux-aws-5.4, linux-oracle-5.4 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-oracle-5.4: Linux kernel for Oracle Cloud systemsDetails:Ziming Zhang discovered that the VMware Virtual GPU DRM driver in theLinux kernel contained an integer overflow vulnerability. A localattacker could use this to cause a denial of service (system crash).(CVE-2022-36402)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - PowerPC architecture;  - User-Mode Linux (UML);  - x86 architecture;  - Block layer subsystem;  - Cryptographic API;  - Android drivers;  - Serial ATA and Parallel ATA drivers;  - ATM drivers;  - Drivers core;  - CPU frequency scaling framework;  - Device frequency scaling framework;  - GPU drivers;  - HID subsystem;  - Hardware monitoring drivers;  - InfiniBand drivers;  - Input Device core drivers;  - Input Device (Miscellaneous) drivers;  - IOMMU subsystem;  - IRQ chip drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - EEPROM drivers;  - VMware VMCI Driver;  - MMC subsystem;  - Network drivers;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - Device tree and open firmware driver;  - Parport drivers;  - PCI subsystem;  - Pin controllers subsystem;  - Remote Processor subsystem;  - S/390 drivers;  - SCSI drivers;  - QCOM SoC drivers;  - Direct Digital Synthesis drivers;  - TTY drivers;  - Userspace I/O drivers;  - DesignWare USB3 driver;  - USB Gadget drivers;  - USB Serial drivers;  - BTRFS file system;  - File systems infrastructure;  - Ext4 file system;  - F2FS file system;  - JFS file system;  - NILFS2 file system;  - BPF subsystem;  - Core kernel;  - DMA mapping infrastructure;  - Tracing infrastructure;  - Radix Tree data structure library;  - Kernel userspace event delivery library;  - Objagg library;  - Memory management;  - Amateur Radio drivers;  - Bluetooth subsystem;  - CAN network layer;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - KCM (Kernel Connection Multiplexor) sockets driver;  - MAC80211 subsystem;  - Netfilter;  - Network traffic control;  - SCTP protocol;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Wireless networking;  - AppArmor security module;  - Simplified Mandatory Access Control Kernel framework;  - SoC audio core drivers;  - USB sound devices;(CVE-2021-47212, CVE-2024-44965, CVE-2024-46676, CVE-2024-41091,CVE-2024-44946, CVE-2024-43894, CVE-2024-26668, CVE-2024-42259,CVE-2024-42295, CVE-2024-46685, CVE-2024-46722, CVE-2024-45028,CVE-2024-46815, CVE-2024-41081, CVE-2024-41022, CVE-2024-44948,CVE-2024-42301, CVE-2024-43914, CVE-2024-46771, CVE-2024-42289,CVE-2024-43841, CVE-2024-41042, CVE-2024-44999, CVE-2024-43893,CVE-2024-46758, CVE-2024-46828, CVE-2024-36484, CVE-2024-26669,CVE-2024-44952, CVE-2024-42265, CVE-2024-42311, CVE-2024-43880,CVE-2024-41070, CVE-2024-46829, CVE-2024-42292, CVE-2024-46719,CVE-2024-41020, CVE-2024-41015, CVE-2024-42283, CVE-2024-46744,CVE-2024-46679, CVE-2024-46800, CVE-2024-46777, CVE-2024-43835,CVE-2024-42271, CVE-2024-43882, CVE-2024-41072, CVE-2024-35848,CVE-2024-43860, CVE-2024-38611, CVE-2024-26607, CVE-2024-47663,CVE-2024-46780, CVE-2024-46675, CVE-2024-45003, CVE-2024-44969,CVE-2024-42244, CVE-2024-43856, CVE-2024-46755, CVE-2024-42286,CVE-2024-41063, CVE-2024-41068, CVE-2024-46743, CVE-2024-43839,CVE-2024-41065, CVE-2023-52531, CVE-2024-41090, CVE-2024-46747,CVE-2023-52614, CVE-2024-43853, CVE-2024-46737, CVE-2024-45021,CVE-2024-41012, CVE-2024-41064, CVE-2024-26800, CVE-2024-42246,CVE-2024-43908, CVE-2024-46723, CVE-2024-42310, CVE-2024-46781,CVE-2023-52918, CVE-2024-42313, CVE-2024-45006, CVE-2024-43890,CVE-2024-44954, CVE-2024-43858, CVE-2024-41098, CVE-2024-41071,CVE-2024-26641, CVE-2024-42280, CVE-2024-46673, CVE-2024-43846,CVE-2024-46721, CVE-2024-47667, CVE-2024-26885, CVE-2024-42304,CVE-2024-46745, CVE-2024-26640, CVE-2024-43861, CVE-2024-42287,CVE-2024-44998, CVE-2024-40929, CVE-2024-41073, CVE-2024-46689,CVE-2024-44944, CVE-2024-46756, CVE-2024-42305, CVE-2024-42284,CVE-2024-42281, CVE-2024-42288, CVE-2024-41011, CVE-2024-47668,CVE-2024-43830, CVE-2024-46740, CVE-2024-46677, CVE-2024-43867,CVE-2024-46783, CVE-2024-46844, CVE-2024-43854, CVE-2024-42297,CVE-2024-46738, CVE-2024-46739, CVE-2024-44947, CVE-2024-43883,CVE-2024-43884, CVE-2024-46798, CVE-2024-46757, CVE-2024-43879,CVE-2024-47659, CVE-2024-46817, CVE-2024-45008, CVE-2024-47669,CVE-2024-43871, CVE-2024-44960, CVE-2024-27051, CVE-2024-44988,CVE-2024-46840, CVE-2024-41059, CVE-2024-46822, CVE-2024-42276,CVE-2024-45026, CVE-2024-46761, CVE-2024-44995, CVE-2024-44987,CVE-2024-26891, CVE-2024-46782, CVE-2024-42309, CVE-2024-42131,CVE-2024-46759, CVE-2024-42229, CVE-2024-46714, CVE-2024-42290,CVE-2024-44935, CVE-2024-42285, CVE-2024-38602, CVE-2024-43829,CVE-2024-42306, CVE-2024-41017, CVE-2024-45025, CVE-2024-46818,CVE-2024-46750)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS  linux-image-5.4.0-1134-oracle   5.4.0-1134.143~18.04.1          Available with Ubuntu Pro  linux-image-5.4.0-1135-aws      5.4.0-1135.145~18.04.1          Available with Ubuntu Pro  linux-image-aws                 5.4.0.1135.145~18.04.1          Available with Ubuntu Pro  linux-image-oracle              5.4.0.1134.143~18.04.1          Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7088-3  https://ubuntu.com/security/notices/USN-7088-2  https://ubuntu.com/security/notices/USN-7088-1  CVE-2021-47212, CVE-2022-36402, CVE-2023-52531, CVE-2023-52614,  CVE-2023-52918, CVE-2024-26607, CVE-2024-26640, CVE-2024-26641,  CVE-2024-26668, CVE-2024-26669, CVE-2024-26800, CVE-2024-26885,  CVE-2024-26891, CVE-2024-27051, CVE-2024-35848, CVE-2024-36484,  CVE-2024-38602, CVE-2024-38611, CVE-2024-40929, CVE-2024-41011,  CVE-2024-41012, CVE-2024-41015, CVE-2024-41017, CVE-2024-41020,  CVE-2024-41022, CVE-2024-41042, CVE-2024-41059, CVE-2024-41063,  CVE-2024-41064, CVE-2024-41065, CVE-2024-41068, CVE-2024-41070,  CVE-2024-41071, CVE-2024-41072, CVE-2024-41073, CVE-2024-41081,  CVE-2024-41090, CVE-2024-41091, CVE-2024-41098, CVE-2024-42131,  CVE-2024-42229, CVE-2024-42244, CVE-2024-42246, CVE-2024-42259,  CVE-2024-42265, CVE-2024-42271, CVE-2024-42276, CVE-2024-42280,  CVE-2024-42281, CVE-2024-42283, CVE-2024-42284, CVE-2024-42285,  CVE-2024-42286, CVE-2024-42287, CVE-2024-42288, CVE-2024-42289,  CVE-2024-42290, CVE-2024-42292, CVE-2024-42295, CVE-2024-42297,  CVE-2024-42301, CVE-2024-42304, CVE-2024-42305, CVE-2024-42306,  CVE-2024-42309, CVE-2024-42310, CVE-2024-42311, CVE-2024-42313,  CVE-2024-43829, CVE-2024-43830, CVE-2024-43835, CVE-2024-43839,  CVE-2024-43841, CVE-2024-43846, CVE-2024-43853, CVE-2024-43854,  CVE-2024-43856, CVE-2024-43858, CVE-2024-43860, CVE-2024-43861,  CVE-2024-43867, CVE-2024-43871, CVE-2024-43879, CVE-2024-43880,  CVE-2024-43882, CVE-2024-43883, CVE-2024-43884, CVE-2024-43890,  CVE-2024-43893, CVE-2024-43894, CVE-2024-43908, CVE-2024-43914,  CVE-2024-44935, CVE-2024-44944, CVE-2024-44946, CVE-2024-44947,  CVE-2024-44948, CVE-2024-44952, CVE-2024-44954, CVE-2024-44960,  CVE-2024-44965, CVE-2024-44969, CVE-2024-44987, CVE-2024-44988,  CVE-2024-44995, CVE-2024-44998, CVE-2024-44999, CVE-2024-45003,  CVE-2024-45006, CVE-2024-45008, CVE-2024-45021, CVE-2024-45025,  CVE-2024-45026, CVE-2024-45028, CVE-2024-46673, CVE-2024-46675,  CVE-2024-46676, CVE-2024-46677, CVE-2024-46679, CVE-2024-46685,  CVE-2024-46689, CVE-2024-46714, CVE-2024-46719, CVE-2024-46721,  CVE-2024-46722, CVE-2024-46723, CVE-2024-46737, CVE-2024-46738,  CVE-2024-46739, CVE-2024-46740, CVE-2024-46743, CVE-2024-46744,  CVE-2024-46745, CVE-2024-46747, CVE-2024-46750, CVE-2024-46755,  CVE-2024-46756, CVE-2024-46757, CVE-2024-46758, CVE-2024-46759,  CVE-2024-46761, CVE-2024-46771, CVE-2024-46777, CVE-2024-46780,  CVE-2024-46781, CVE-2024-46782, CVE-2024-46783, CVE-2024-46798,  CVE-2024-46800, CVE-2024-46815, CVE-2024-46817, CVE-2024-46818,  CVE-2024-46822, CVE-2024-46828, CVE-2024-46829, CVE-2024-46840,  CVE-2024-46844, CVE-2024-47659, CVE-2024-47663, CVE-2024-47667,  CVE-2024-47668, CVE-2024-47669

Ubuntu Security Notice USN-7088-3

Gentoo Linux Security Advisory 202411-1 - A vulnerability has been discovered in Neat VNC, which can lead to authentication bypass. Versions greater than or equal to 0.8.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202411-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Neat VNC: Authentication Bypass  
     Date: November 06, 2024  
     Bugs: #937140  
       ID: 202411-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Neat VNC, which can lead to  
authentication bypass.

Background  
==========

Neat VNC is a liberally licensed VNC server library that's intended to  
be fast and neat.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
gui-libs/neatvnc  < 0.8.1       >= 0.8.1

Description  
===========

Neat VNC allows remote attackers to bypass authentication via a request  
in which the client specifies an insecure security type such as "Type 1  
- None", which is accepted even if it is not offered by the server, as  
originally demonstrated using a long password.

Impact  
======

A remote attacker can opt not to use any authentication method and  
access the VNC server.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Neat VNC users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=gui-libs/neatvnc-0.8.1"

References  
==========

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202411-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202411-01

Ubuntu Security Notice 7093-1 - It was discovered that Werkzeug incorrectly handled multiple form submission requests. A remote attacker could possibly use this issue to cause Werkzeug to consume resources, leading to a denial of service.

==========================================================================  
Ubuntu Security Notice USN-7093-1  
November 05, 2024

python-werkzeug vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10  
- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS

Summary:

Werkzeug could be made to consume resources if it received specially  
crafted network traffic.

Software Description:  
- python-werkzeug: collection of utilities for WSGI applications

Details:

It was discovered that Werkzeug incorrectly handled multiple form  
submission requests. A remote attacker could possibly use this issue to  
cause Werkzeug to consume resources, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.10  
  python3-werkzeug                3.0.3-1ubuntu0.1

Ubuntu 24.04 LTS  
  python3-werkzeug                3.0.1-3ubuntu0.2

Ubuntu 22.04 LTS  
  python3-werkzeug                2.0.2+dfsg1-1ubuntu0.22.04.3

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7093-1  
  CVE-2024-49767

Package Information:  
  https://launchpad.net/ubuntu/+source/python-werkzeug/3.0.3-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/python-werkzeug/3.0.1-3ubuntu0.2  
  https://launchpad.net/ubuntu/+source/python-werkzeug/2.0.2+dfsg1-1ubuntu0.22.04.3

Ubuntu Security Notice USN-7093-1

Red Hat Security Advisory 2024-8935-03 - An update for edk2 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8935.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: edk2 security updateAdvisory ID:        RHSA-2024:8935-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8935Issue date:         2024-11-06Revision:           03CVE Names:          CVE-2024-6119====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es):* openssl: Possible denial of service in X.509 name checks (CVE-2024-6119)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-6119References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2306158

Red Hat Security Advisory 2024-8935-03

Red Hat Security Advisory 2024-8929-03 - An update for mod_jk is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include denial of service and information leakage vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8929.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: mod_jk security updateAdvisory ID:        RHSA-2024:8929-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8929Issue date:         2024-11-06Revision:           03CVE Names:          CVE-2024-46544====================================================================Summary: An update for mod_jk is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The mod_jk module is a plugin for the Apache HTTP Server to connect it with the Apache Tomcat servlet engine.Security Fix(es):* mod_jk: information Disclosure / DoS (CVE-2024-46544)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-46544References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2314194https://issues.redhat.com/browse/RHEL-65739

Red Hat Security Advisory 2024-8929-03

Red Hat Security Advisory 2024-8928-03 - An update for mod_jk is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include denial of service and information leakage vulnerabilities.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8928.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: mod_jk security updateAdvisory ID:        RHSA-2024:8928-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8928Issue date:         2024-11-06Revision:           03CVE Names:          CVE-2024-46544====================================================================Summary: An update for mod_jk is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The mod_jk module is a plugin for the Apache HTTP Server to connect it with the Apache Tomcat servlet engine.Security Fix(es):* mod_jk: information Disclosure / DoS (CVE-2024-46544)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-46544References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2314194https://issues.redhat.com/browse/RHEL-65726

Red Hat Security Advisory 2024-8928-03

Red Hat Security Advisory 2024-8922-03 - An update for bzip2 is now available for Red Hat Enterprise Linux 8. Issues addressed include an out of bounds write vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8922.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Low: bzip2 security updateAdvisory ID:        RHSA-2024:8922-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8922Issue date:         2024-11-06Revision:           03CVE Names:          CVE-2019-12900====================================================================Summary: An update for bzip2 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The bzip2 packages contain a freely available, high-quality data compressor. It provides both standalone compression and decompression utilities, as well as a shared library for use with other programs. Security Fix(es):* bzip2: out-of-bounds write in function BZ2_decompress (CVE-2019-12900)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2019-12900References:https://access.redhat.com/security/updates/classification/#lowhttps://bugzilla.redhat.com/show_bug.cgi?id=1724459

Red Hat Security Advisory 2024-8922-03

Red Hat Security Advisory 2024-8914-03 - An update for libtiff is now available for Red Hat Enterprise Linux 9. Issues addressed include a null pointer vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8914.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libtiff security updateAdvisory ID:        RHSA-2024:8914-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8914Issue date:         2024-11-06Revision:           03CVE Names:          CVE-2024-7006====================================================================Summary: An update for libtiff is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.Security Fix(es):* libtiff: NULL pointer dereference in tif_dirinfo.c (CVE-2024-7006)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-7006References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2302996

Red Hat Security Advisory 2024-8914-03

Red Hat Security Advisory 2024-8906-03 - A new release is now available for Red Hat Satellite 6.16 for RHEL 8 and 9. Issues addressed include bypass, denial of service, memory leak, remote SQL injection, and traversal vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8906.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: Satellite 6.16.0 release  
Advisory ID:        RHSA-2024:8906-03  
Product:            Red Hat Satellite 6  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8906  
Issue date:         2024-11-06  
Revision:           03  
CVE Names:          CVE-2024-4067  
====================================================================

Summary: 

A new release is now available for Red Hat Satellite 6.16 for RHEL 8 and 9.

Red Hat Product Security has rated this update as having a security impact  
of  Critical. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

Description:

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.

Security Fix(es):

* mosquitto: sending specific sequences of packets may trigger memory leak  
(CVE-2024-8376)  
* micromatch: vulnerable to Regular Expression Denial of Service (CVE-2024-4067)  
urllib3: proxy-authorization request header is not stripped during cross-origin redirects (CVE-2024-37891)  
* node-tar: denial of service while parsing a tar file due to lack of folders depth validation (CVE-2024-28863)  
* python-django: Potential denial-of-service in django.utils.html.urlize() (CVE-2024-38875)   
* python-django: Username enumeration through timing difference for users with unusable passwords (CVE-2024-39329)  
* python-django: Potential directory-traversal in django.core.files.storage.Storage.save() (CVE-2024-39330)  
* python-django: Potential denial-of-service in django.utils.translation.get_supported_language_variant() (CVE-2024-39614)  
* github.com/jaraco/zipp: Denial of Service (infinite loop) via crafted zip file in jaraco/zipp (CVE-2024-5569)  
* puppet-foreman: An authentication bypass vulnerability exists in Foreman (CVE-2024-7012)  
* python-django: Potential SQL injection in QuerySet.values() and values_list() (CVE-2024-42005)  
* grpc: client communicating with a HTTP/2 proxy can poison the HPACK table between the proxy and the backend (CVE-2024-7246)  
* puppet-pulpcore: An authentication bypass vulnerability exists in pulpcore (CVE-2024-7923)  
* foreman: Read-only access to entire DB from templates (CVE-2024-8553)

Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs.

Solution:

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.16/html/updating_red_hat_satellite/index

CVEs:

CVE-2024-4067

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2280601  
https://bugzilla.redhat.com/show_bug.cgi?id=2292788  
https://bugzilla.redhat.com/show_bug.cgi?id=2293200  
https://bugzilla.redhat.com/show_bug.cgi?id=2295935  
https://bugzilla.redhat.com/show_bug.cgi?id=2295936  
https://bugzilla.redhat.com/show_bug.cgi?id=2295937  
https://bugzilla.redhat.com/show_bug.cgi?id=2295938  
https://bugzilla.redhat.com/show_bug.cgi?id=2296413  
https://bugzilla.redhat.com/show_bug.cgi?id=2299429  
https://bugzilla.redhat.com/show_bug.cgi?id=2302436  
https://bugzilla.redhat.com/show_bug.cgi?id=2305718  
https://bugzilla.redhat.com/show_bug.cgi?id=2312524  
https://bugzilla.redhat.com/show_bug.cgi?id=2318080  
https://issues.redhat.com/browse/SAT-12847  
https://issues.redhat.com/browse/SAT-15089  
https://issues.redhat.com/browse/SAT-15466  
https://issues.redhat.com/browse/SAT-15467  
https://issues.redhat.com/browse/SAT-15549  
https://issues.redhat.com/browse/SAT-16224  
https://issues.redhat.com/browse/SAT-16247  
https://issues.redhat.com/browse/SAT-16381  
https://issues.redhat.com/browse/SAT-16537  
https://issues.redhat.com/browse/SAT-16593  
https://issues.redhat.com/browse/SAT-17442  
https://issues.redhat.com/browse/SAT-17443  
https://issues.redhat.com/browse/SAT-17785  
https://issues.redhat.com/browse/SAT-18093  
https://issues.redhat.com/browse/SAT-18270  
https://issues.redhat.com/browse/SAT-18327  
https://issues.redhat.com/browse/SAT-18410  
https://issues.redhat.com/browse/SAT-18461  
https://issues.redhat.com/browse/SAT-18568  
https://issues.redhat.com/browse/SAT-18610  
https://issues.redhat.com/browse/SAT-18705  
https://issues.redhat.com/browse/SAT-18721  
https://issues.redhat.com/browse/SAT-18859  
https://issues.redhat.com/browse/SAT-18993  
https://issues.redhat.com/browse/SAT-19018  
https://issues.redhat.com/browse/SAT-19269  
https://issues.redhat.com/browse/SAT-19342  
https://issues.redhat.com/browse/SAT-19389  
https://issues.redhat.com/browse/SAT-19394  
https://issues.redhat.com/browse/SAT-19501  
https://issues.redhat.com/browse/SAT-19502  
https://issues.redhat.com/browse/SAT-19504  
https://issues.redhat.com/browse/SAT-19511  
https://issues.redhat.com/browse/SAT-19592  
https://issues.redhat.com/browse/SAT-19614  
https://issues.redhat.com/browse/SAT-19621  
https://issues.redhat.com/browse/SAT-19748  
https://issues.redhat.com/browse/SAT-19789  
https://issues.redhat.com/browse/SAT-19922  
https://issues.redhat.com/browse/SAT-19993  
https://issues.redhat.com/browse/SAT-19999  
https://issues.redhat.com/browse/SAT-20099  
https://issues.redhat.com/browse/SAT-20361  
https://issues.redhat.com/browse/SAT-20445  
https://issues.redhat.com/browse/SAT-20553  
https://issues.redhat.com/browse/SAT-21261  
https://issues.redhat.com/browse/SAT-21266  
https://issues.redhat.com/browse/SAT-21268  
https://issues.redhat.com/browse/SAT-21273  
https://issues.redhat.com/browse/SAT-21353  
https://issues.redhat.com/browse/SAT-21374  
https://issues.redhat.com/browse/SAT-21375  
https://issues.redhat.com/browse/SAT-21395  
https://issues.redhat.com/browse/SAT-21396  
https://issues.redhat.com/browse/SAT-21421  
https://issues.redhat.com/browse/SAT-21463  
https://issues.redhat.com/browse/SAT-21682  
https://issues.redhat.com/browse/SAT-21757  
https://issues.redhat.com/browse/SAT-21920  
https://issues.redhat.com/browse/SAT-21994  
https://issues.redhat.com/browse/SAT-22047  
https://issues.redhat.com/browse/SAT-22048  
https://issues.redhat.com/browse/SAT-22156  
https://issues.redhat.com/browse/SAT-22172  
https://issues.redhat.com/browse/SAT-22358  
https://issues.redhat.com/browse/SAT-22442  
https://issues.redhat.com/browse/SAT-22491  
https://issues.redhat.com/browse/SAT-22554  
https://issues.redhat.com/browse/SAT-22579  
https://issues.redhat.com/browse/SAT-22626  
https://issues.redhat.com/browse/SAT-22849  
https://issues.redhat.com/browse/SAT-22872  
https://issues.redhat.com/browse/SAT-22889  
https://issues.redhat.com/browse/SAT-22900  
https://issues.redhat.com/browse/SAT-23047  
https://issues.redhat.com/browse/SAT-23077  
https://issues.redhat.com/browse/SAT-23093  
https://issues.redhat.com/browse/SAT-23096  
https://issues.redhat.com/browse/SAT-23109  
https://issues.redhat.com/browse/SAT-23124  
https://issues.redhat.com/browse/SAT-23167  
https://issues.redhat.com/browse/SAT-23211  
https://issues.redhat.com/browse/SAT-23228  
https://issues.redhat.com/browse/SAT-23279  
https://issues.redhat.com/browse/SAT-23288  
https://issues.redhat.com/browse/SAT-23302  
https://issues.redhat.com/browse/SAT-23335  
https://issues.redhat.com/browse/SAT-23405  
https://issues.redhat.com/browse/SAT-23407  
https://issues.redhat.com/browse/SAT-23424  
https://issues.redhat.com/browse/SAT-23426  
https://issues.redhat.com/browse/SAT-23487  
https://issues.redhat.com/browse/SAT-23505  
https://issues.redhat.com/browse/SAT-23544  
https://issues.redhat.com/browse/SAT-23573  
https://issues.redhat.com/browse/SAT-23592  
https://issues.redhat.com/browse/SAT-23610  
https://issues.redhat.com/browse/SAT-23752  
https://issues.redhat.com/browse/SAT-23841  
https://issues.redhat.com/browse/SAT-23894  
https://issues.redhat.com/browse/SAT-23943  
https://issues.redhat.com/browse/SAT-23947  
https://issues.redhat.com/browse/SAT-23951  
https://issues.redhat.com/browse/SAT-23954  
https://issues.redhat.com/browse/SAT-23957  
https://issues.redhat.com/browse/SAT-23990  
https://issues.redhat.com/browse/SAT-23992  
https://issues.redhat.com/browse/SAT-24050  
https://issues.redhat.com/browse/SAT-24064  
https://issues.redhat.com/browse/SAT-24073  
https://issues.redhat.com/browse/SAT-24111  
https://issues.redhat.com/browse/SAT-24132  
https://issues.redhat.com/browse/SAT-24197  
https://issues.redhat.com/browse/SAT-24470  
https://issues.redhat.com/browse/SAT-24478  
https://issues.redhat.com/browse/SAT-24479  
https://issues.redhat.com/browse/SAT-24489  
https://issues.redhat.com/browse/SAT-24521  
https://issues.redhat.com/browse/SAT-24526  
https://issues.redhat.com/browse/SAT-24531  
https://issues.redhat.com/browse/SAT-24545  
https://issues.redhat.com/browse/SAT-24548  
https://issues.redhat.com/browse/SAT-24577  
https://issues.redhat.com/browse/SAT-24600  
https://issues.redhat.com/browse/SAT-24769  
https://issues.redhat.com/browse/SAT-24771  
https://issues.redhat.com/browse/SAT-24774  
https://issues.redhat.com/browse/SAT-24779  
https://issues.redhat.com/browse/SAT-24781  
https://issues.redhat.com/browse/SAT-24786  
https://issues.redhat.com/browse/SAT-24787  
https://issues.redhat.com/browse/SAT-24801  
https://issues.redhat.com/browse/SAT-24805  
https://issues.redhat.com/browse/SAT-24837  
https://issues.redhat.com/browse/SAT-24854  
https://issues.redhat.com/browse/SAT-24878  
https://issues.redhat.com/browse/SAT-24884  
https://issues.redhat.com/browse/SAT-24893  
https://issues.redhat.com/browse/SAT-24917  
https://issues.redhat.com/browse/SAT-24918  
https://issues.redhat.com/browse/SAT-24919  
https://issues.redhat.com/browse/SAT-24920  
https://issues.redhat.com/browse/SAT-24932  
https://issues.redhat.com/browse/SAT-24936  
https://issues.redhat.com/browse/SAT-24943  
https://issues.redhat.com/browse/SAT-24988  
https://issues.redhat.com/browse/SAT-25032  
https://issues.redhat.com/browse/SAT-25129  
https://issues.redhat.com/browse/SAT-25152  
https://issues.redhat.com/browse/SAT-25155  
https://issues.redhat.com/browse/SAT-25159  
https://issues.redhat.com/browse/SAT-25160  
https://issues.redhat.com/browse/SAT-25194  
https://issues.redhat.com/browse/SAT-25213  
https://issues.redhat.com/browse/SAT-25217  
https://issues.redhat.com/browse/SAT-25243  
https://issues.redhat.com/browse/SAT-25250  
https://issues.redhat.com/browse/SAT-25328  
https://issues.redhat.com/browse/SAT-25368  
https://issues.redhat.com/browse/SAT-25429  
https://issues.redhat.com/browse/SAT-25437  
https://issues.redhat.com/browse/SAT-25455  
https://issues.redhat.com/browse/SAT-25467  
https://issues.redhat.com/browse/SAT-25503  
https://issues.redhat.com/browse/SAT-25569  
https://issues.redhat.com/browse/SAT-25583  
https://issues.redhat.com/browse/SAT-25655  
https://issues.redhat.com/browse/SAT-25658  
https://issues.redhat.com/browse/SAT-25678  
https://issues.redhat.com/browse/SAT-25713  
https://issues.redhat.com/browse/SAT-25774  
https://issues.redhat.com/browse/SAT-25789  
https://issues.redhat.com/browse/SAT-25795  
https://issues.redhat.com/browse/SAT-25813  
https://issues.redhat.com/browse/SAT-25869  
https://issues.redhat.com/browse/SAT-25936  
https://issues.redhat.com/browse/SAT-25946  
https://issues.redhat.com/browse/SAT-26012  
https://issues.redhat.com/browse/SAT-26031  
https://issues.redhat.com/browse/SAT-26040  
https://issues.redhat.com/browse/SAT-26064  
https://issues.redhat.com/browse/SAT-26078  
https://issues.redhat.com/browse/SAT-26084  
https://issues.redhat.com/browse/SAT-26105  
https://issues.redhat.com/browse/SAT-26202  
https://issues.redhat.com/browse/SAT-26242  
https://issues.redhat.com/browse/SAT-26269  
https://issues.redhat.com/browse/SAT-26397  
https://issues.redhat.com/browse/SAT-26417  
https://issues.redhat.com/browse/SAT-26493  
https://issues.redhat.com/browse/SAT-26563  
https://issues.redhat.com/browse/SAT-26588  
https://issues.redhat.com/browse/SAT-26758  
https://issues.redhat.com/browse/SAT-26762  
https://issues.redhat.com/browse/SAT-26767  
https://issues.redhat.com/browse/SAT-26834  
https://issues.redhat.com/browse/SAT-26835  
https://issues.redhat.com/browse/SAT-26837  
https://issues.redhat.com/browse/SAT-26901  
https://issues.redhat.com/browse/SAT-26967  
https://issues.redhat.com/browse/SAT-27144  
https://issues.redhat.com/browse/SAT-27182  
https://issues.redhat.com/browse/SAT-27211  
https://issues.redhat.com/browse/SAT-27276  
https://issues.redhat.com/browse/SAT-27384  
https://issues.redhat.com/browse/SAT-27401  
https://issues.redhat.com/browse/SAT-27411  
https://issues.redhat.com/browse/SAT-27485  
https://issues.redhat.com/browse/SAT-27506  
https://issues.redhat.com/browse/SAT-27512  
https://issues.redhat.com/browse/SAT-27569  
https://issues.redhat.com/browse/SAT-27593  
https://issues.redhat.com/browse/SAT-27595  
https://issues.redhat.com/browse/SAT-27604  
https://issues.redhat.com/browse/SAT-27622  
https://issues.redhat.com/browse/SAT-27676  
https://issues.redhat.com/browse/SAT-27677  
https://issues.redhat.com/browse/SAT-27702  
https://issues.redhat.com/browse/SAT-27752  
https://issues.redhat.com/browse/SAT-27778  
https://issues.redhat.com/browse/SAT-27779  
https://issues.redhat.com/browse/SAT-27814  
https://issues.redhat.com/browse/SAT-27830  
https://issues.redhat.com/browse/SAT-27834  
https://issues.redhat.com/browse/SAT-27836  
https://issues.redhat.com/browse/SAT-27891  
https://issues.redhat.com/browse/SAT-27900  
https://issues.redhat.com/browse/SAT-27901  
https://issues.redhat.com/browse/SAT-27940  
https://issues.redhat.com/browse/SAT-27943  
https://issues.redhat.com/browse/SAT-27981  
https://issues.redhat.com/browse/SAT-28012  
https://issues.redhat.com/browse/SAT-28046  
https://issues.redhat.com/browse/SAT-28048  
https://issues.redhat.com/browse/SAT-28162  
https://issues.redhat.com/browse/SAT-28269  
https://issues.redhat.com/browse/SAT-28275  
https://issues.redhat.com/browse/SAT-28336  
https://issues.redhat.com/browse/SAT-28361  
https://issues.redhat.com/browse/SAT-28362  
https://issues.redhat.com/browse/SAT-28367  
https://issues.redhat.com/browse/SAT-28394  
https://issues.redhat.com/browse/SAT-28435  
https://issues.redhat.com/browse/SAT-28467  
https://issues.redhat.com/browse/SAT-28667  
https://issues.redhat.com/browse/SAT-7770  
https://issues.redhat.com/browse/SAT-8076

Red Hat Security Advisory 2024-8906-03

Red Hat Security Advisory 2024-8686-03 - Red Hat OpenShift Container Platform release 4.16.20 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8686.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.16.20 packages and security update  
Advisory ID:        RHSA-2024:8686-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8686  
Issue date:         2024-11-06  
Revision:           03  
CVE Names:          CVE-2024-9675  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.16.20 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.16.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.16.20. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:8683

Security Fix(es):

* buildah: Buildah allows arbitrary directory mount (CVE-2024-9675)  
* Podman: Buildah: CRI-O: symlink traversal vulnerability in the  
containers/storage library can cause Denial of Service (DoS)  
(CVE-2024-9676)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html

CVEs:

CVE-2024-9675

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2317458  
https://bugzilla.redhat.com/show_bug.cgi?id=2317467

Tag

#vulnerability