Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.8 allows local attacker to retrieve passwords via reading log files.

When restoring a backup the passphrase is submitted. The form used the GET method so the passphrase was logged to the apache access log.

We found this vulnerability internally.

**Indicators of Compromise**: Check /var/log/apache2/access.log for occurences of passphrase

**Vulnerability Management**: We have rated the issue with a CVSS Score of 3.3 (Low) with the following CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. We assigned CVE-2023-6287 to this vulnerability.

**Changes**: With this Werk the method is changed to POST so it will no longer be logged.

To the list of all Werks

CVE-2023-6287: Use POST for starting backup restore job

Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim's page by create a channel name that is valid HTML. No XSS is possible though.

**Mattermost Injection vulnerability**

Low severity GitHub Reviewed Published Nov 27, 2023 to the GitHub Advisory Database • Updated Nov 28, 2023

GHSA-jcgv-3pfq-j4hr: Mattermost Injection vulnerability

A vulnerability, which was classified as critical, was found in moses-smt mosesdecoder up to 4.0. This affects an unknown part of the file contrib/iSenWeb/trans_result.php. The manipulation of the argument input1 leads to os command injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-246135.

CVE-2023-6309

What you look for online is up to you—just make sure no one else is taking a peek.

When it comes to looking something up on the web, most of us default to “googling” it—Google's search engine has become so dominant that it's now a verb, in the same way that Photoshop is. But using Google for your searches comes with a privacy trade-off.

Google's business is, of course, based on advertising, and every search you make feeds into the profile of you that it uses to target the ads you see around the web. While Google isn't telling marketing firms what searches you're running, it is using those queries to build up a picture of you that ads can be sold against. As such, Google can be a real snoop about collecting all your data and using it to personalize your ads and the search results you get.

There are ways to increase your privacy on Google’s platforms, like using privacy-focused browsers, using privacy-focused alternatives to Google Maps, auto-deleting your web history after a certain time period, or simply limiting the amount of data the company collects in the first place, by opting out of features like web-based email and location awareness. (And you should know that using your browser's incognito mode isn’t as sneaky as you think it is.) If you're serious about getting off the data collection grid, there’s a bevy of other privacy-focused search options at your disposal. So if you want to use a search engine that doesn't keep track of your queries, serve your data to advertisers, or change your search results based on what it thinks you’ll like, you’ve got some options.

DuckDuckGo

DuckDuckGo is simple, secure, and private.

DuckDuckGo via David Nield

The granddaddy of Google alternatives, DuckDuckGo has made private search its raison d'être for more than 15 years. The service is a little harder to recommend these days, after a kerfuffle in 2022 where the company was caught in an apparent partnership with Microsoft that allowed the tech behemoth’s tracking scripts to run unimpeded on the DuckDuckGo browser. After outcry from privacy advocates, DuckDuckGo walked back that stance a few months later, and it now says it does indeed block Microsoft’s trackers.

If you can move past that particular ugly duckling, the service is still far more private than Google. DuckDuckGo says it collates information in search results from over 400 sources. It doesn’t draw from Google, but it does pull from places like Bing and Wikipedia. What it doesn’t do is personalize search results based on data it collects from users. Like Google, DuckDuckGo displays ads, but they’re not tailored to what it thinks you’ll like based on your search history.

DuckDuckGo can be installed into just about any browser via a browser extension. It also has a full browser available on desktop for Mac and Windows. There are also mobile apps on both iOS and Android that work as browsers while incorporating DuckDuckGo’s search engine.

On the browser and app alike, the service automatically tracks and blocks all the data-scraping efforts from the websites you visit. Press the shield button in the browser bar to see what sites have tried to collect your data or track your travels across the web. Another feature blocks trackers and data requests in other apps on your phone. DuckDuckGo says it can’t block certain scripts and trackers on the websites that run them (like Facebook, for example), but tapping that little button quickly lets you know what’s being blocked and what’s not.

Brave Search

Brave isn't going to keep track of what you're looking for.

Brave via David Nield

The privacy-focused browser extension provider Brave has its own dedicated search engine. The company launched the service in 2021. Like the other services on this list, Brave says its Search product doesn’t track your searches or log your data. It's impressively comprehensive—as much for its security and privacy as for the results you get.

Simply put, no logs of your queries are kept by the search engine. While that might make for a slightly less convenient user experience—Google might automatically know you're more interested in the Miami Dolphins than actual dolphins, for instance—it does mean that you can search without worrying that you're going to see any related advertising.

"It's impossible for us to share, sell, or lose your data, because we don’t collect it in the first place," says Brave. While the service might eventually become ad-supported, those adverts won't know anything about you or what you've been looking for on the web, making it distinctly different from Google's offering.

Brave also has a service in beta called Goggles that lets users customize their own page rankings to make search results more relevant to each person. It can have some issues, such as being a bit complicated and also could lead to people creating their own little filter bubbles—inadvertently or otherwise.

You can download the Brave Browser for desktop, or get its mobile apps on Android and iOS. You can also access the Brave search engine from any web browser and any device. You don't have to use the Brave browser to use it.

Kagi

The prospect of paying for a search engine might seem odd if you’re used to unlimited Googling on a whim. But that’s exactly the service Kagi is offering.

If you’re willing to pay for yet another subscription, Kagi is a premium search experience worth trying. You can customize how search results are displayed and how links are organized and accessed. There’s also a robust array of search operators and keyboard shortcuts to use. Kagi’s privacy policy is similar to the other services on this list, in that it doesn’t track your online movements or collect your data. It also doesn’t show ads, which feels like such a relief in the era of endless pop ups and sponsored posts.

The pricing plan is simple. There is a free tier, which allots you 100 searches per month before cutting you off. From there you can pay $5 per month for 500 searches, or get unlimited searches $10 a month. All plans, even the free ones, require you to make an account.

Kagi is available as a browser extension for Firefox, Google Chrome, and Safari. Kagi’s Orion browser is available on the Mac, and it also has an iOS app.

Startpage

Want Google’s search results but without Google? Startpage may be the answer. The company serves up Google’s search results without you being tracked. “Startpage submits your query to Google anonymously, then returns Google results to you privately,” the company says on its website. It adds that Google “never sees you and does not know who made the request”.

Startpage, which was founded in the Netherlands in 2006, says that it doesn’t store people’s personal data or search history, and your IP address is removed by its servers. The company also says it blocks price trackers and prevents advertisers from showing you ads based on your online history. (It does show ads from Google’s search results). Its search results also let you click to open an anonymous view of them, which it claims works like a VPN.

The experience isn’t exactly the same as Google search, but the results are. For instance, if you search for something in the news—maybe Elon Musk, if you must—Google will show you a carousel of the latest news stories before its search results. Google also includes Musk’s latest tweets, videos of him, and photos. When you’re using Startpage, the clutter is removed and you just get URLs.

Mojeek

Mojeek doesn’t use search results from other search engines. Instead, the British search engine, which launched in 2006, is building its own index of the web. It’s doing this in the same way as Google and Bing. The company’s crawlers, which trawl the web and collect information about pages, have indexed more than six billion web pages.

This crawling isn’t as extensive as Google’s—back in 2013 Google said it was indexing 30 trillion web pages, 100 billion times a month—but Mojeek says its approach means it is fully in control of the search results it shows. The company argues there should be alternative indexes to those controlled by Big Tech. “Making and altering our own algorithm from scratch to display high quality and unbiased results is essential,” the company said in 2018.

But that’s not the only difference to Google. Mojeek also says it doesn’t track people. The search results you see are based entirely on the words that you type in, the company says, and it doesn’t collect IP addresses, search history or the clicks that you make.

Limiting Google

You can break the connection between Google Chrome and your Google account.

Google via David Nield

It's worth bearing in mind that if you're using Google Chrome and you're signed into Google, you may well be syncing your DuckDuckGo or Brave searches back to your Google account. Your Google web history and your Chrome browsing history (if you're signed into Google) will match up most of the time, because Google keeps them in sync by default, partly to make it easier to use Google across multiple devices.

To stop this from happening in Chrome, click the three dots in the top right-hand corner, then choose **Settings**. If you see that you're signed into your Google account at the very top, click **Turn off**—this will break the connection between Google and your browser, and you'll be given the option to delete all the data that's stored locally on your device (including your browsing history, bookmarks, and stored passwords).

Perhaps an easier option is to simply switch to another browser altogether—as we've already mentioned, Brave, DuckDuckGo, and Kagi all have them. Other good cross-platform alternatives to Chrome are Microsoft Edge, Mozilla Firefox, Opera and Safari from Apple—but whichever one you switch to, be sure to check out the settings for deleting your browsing history as you go. (All of these browsers have simple-to-use options for this.)

Whichever browser you decide to use, opening up a private or incognito window while you're searching will prevent those searches from being logged inside the browser—as soon as you close the window, the search is gone forever. Bear in mind that these modes don't necessarily stop online companies from tracking your queries though. (If you sign into your Google account while in private mode, Google will still be able to track you.)

If you can't bring yourself to be parted from the search results that Google serves up, you can at least make sure that they're not remembered for too long. Open up your Google account settings page on the web, then click **Data & Privacy** and scroll down to **Web & App Activity.** You can choose either **Manage activity** to remove history and searches manually, or select the **Auto-delete** option to have this data wiped automatically once it's been stored for a certain amount of time.

Private and Secure Web Search Engines: DuckDuckGo, Brave, Kagi, Startpage

The vulnerability in the device enables an unauthorized attacker to execute system commands with elevated privileges. This exploit is facilitated through the use of the 'getcommand' query within the application, allowing the attacker to gain root access.

Title: TitanNit Web Control 2.01 / Atemio 7600 Root Remote Code Execution  
Advisory ID: ZSL-2023-5801  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (5/5)  
Release Date: 25.11.2023

**Summary**

The Atemio AM 520 HD Full HD satellite receiver enables the reception of digital satellite programs in overwhelming image quality in both SD and HD ranges. In addition to numerous connections, the small all-rounder offers a variety of plugins that can be easily installed thanks to the large flash memory. The TitanNit Linux software used combines the advantages of the existing E2 and Neutrino systems and is therefore fast, stable and adaptable.

**Description**

The vulnerability in the device enables an unauthorized attacker to execute system commands with elevated privileges. This exploit is facilitated through the use of the 'getcommand' query within the application, allowing the attacker to gain root access.

**Vendor**

AAF Digital HD Forum | Atelmo GmbH - http://www.aaf-digital.info | https://www.atemio.de

**Affected Version**

Firmware <=2.01

**Tested On**

GNU/Linux 2.6.32.71 (STMicroelectronics)  
GNU/Linux 3.14-1.17 (armv7l)  
GNU/Linux 3.14.2 (mips)  
ATEMIO M46506 revision 990  
Atemio 7600 HD STB  
CPU STx7105 Mboard  
titan web server

**Vendor Status**

N/A

**PoC**

titannit\_rce.py

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[25.11.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

TitanNit Web Control 2.01 / Atemio 7600 Root Remote Code Execution

Gentoo Linux Security Advisory 202311-14 - Multiple vulnerabilities have been discovered in GRUB, which may lead to secure boot circumvention or code execution. Versions greater than or equal to 2.06-r9 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-14  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GRUB: Multiple Vulnerabilities  
     Date: November 25, 2023  
     Bugs: #881413, #915187  
       ID: 202311-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discoverd in GRUB, which may lead to  
secure boot circumvention or code execution.

Background  
=========  
GNU GRUB is a multiboot boot loader used by most Linux systems.

Affected packages  
================  
Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
sys-boot/grub  < 2.06-r9     >= 2.06-r9

Description  
==========  
Multiple vulnerabilities have been discovered in GRUB. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All GRUB users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-boot/grub-2.06-r9"

References  
=========  
[ 1 ] CVE-2022-2601  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2601  
[ 2 ] CVE-2022-3775  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3775  
[ 3 ] CVE-2023-4692  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4692  
[ 4 ] CVE-2023-4693  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4693

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-14

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-14

Gentoo Linux Security Advisory 202311-13 - A privilege escalation vulnerability has been discovered in Apptainer. Versions greater than or equal to 1.1.8 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Apptainer: Privilege Escalation  
     Date: November 25, 2023  
     Bugs: #905091  
       ID: 202311-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A privilege escalation vulnerability has been discoverd in Apptainer.

Background  
=========  
Apptainer is the container system for secure high-performance computing.

Affected packages  
================  
Package                   Vulnerable    Unaffected  
------------------------  ------------  ------------  
app-containers/apptainer  < 1.1.8       >= 1.1.8

Description  
==========  
A vulnerability has been discovered in Apptainer. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
There is an ext4 use-after-free flaw that is exploitable in vulnerable  
versions.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Apptainer users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-containers/apptainer-1.1.8"

References  
=========  
[ 1 ] CVE-2023-30549  
      https://nvd.nist.gov/vuln/detail/CVE-2023-30549

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-13

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-13

Gentoo Linux Security Advisory 202311-12 - Multiple vulnerabilities have been discovered in MiniDLNA, the worst of which could lead to remote code execution. Versions greater than or equal to 1.3.3 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-12  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: MiniDLNA: Multiple Vulnerabilities  
     Date: November 25, 2023  
     Bugs: #834642, #907926  
       ID: 202311-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in MiniDLNA, the worst of  
which could lead to remove code execution.

Background  
=========  
MiniDLNA is a simple media server software, with the aim of being fully  
compliant with DLNA/UPnP-AV clients.

Affected packages  
================  
Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
net-misc/minidlna  < 1.3.3       >= 1.3.3

Description  
==========  
Multiple vulnerabilities have been discovered in MiniDLNA. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All MiniDLNA users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-misc/minidlna-1.3.3"

References  
=========  
[ 1 ] CVE-2022-26505  
      https://nvd.nist.gov/vuln/detail/CVE-2022-26505  
[ 2 ] CVE-2023-33476  
      https://nvd.nist.gov/vuln/detail/CVE-2023-33476

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-12

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-12

Gentoo Linux Security Advisory 202311-11 - Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to remote code execution. Versions greater than or equal to 5.15.10_p20230623 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: QtWebEngine: Multiple Vulnerabilities  
     Date: November 25, 2023  
     Bugs: #866332, #888181, #903544, #904290, #906857, #909778  
       ID: 202311-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in QtWebEngine, the worst  
of which could lead to remote code execution.

Background  
=========  
QtWebEngine is a library for rendering dynamic web content in Qt5 and  
Qt6 C++ and QML applications.

Affected packages  
================  
Package             Vulnerable           Unaffected  
------------------  -------------------  --------------------  
dev-qt/qtwebengine  < 5.15.10_p20230623  >= 5.15.10_p20230623

Description  
==========  
Multiple vulnerabilities have been discovered in QtWebEngine. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All QtWebEngine users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-qt/qtwebengine-5.15.10_p20230623"

References  
=========  
[ 1 ] CVE-2022-2294  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2294  
[ 2 ] CVE-2022-3201  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3201  
[ 3 ] CVE-2022-4174  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4174  
[ 4 ] CVE-2022-4175  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4175  
[ 5 ] CVE-2022-4176  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4176  
[ 6 ] CVE-2022-4177  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4177  
[ 7 ] CVE-2022-4178  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4178  
[ 8 ] CVE-2022-4179  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4179  
[ 9 ] CVE-2022-4180  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4180  
[ 10 ] CVE-2022-4181  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4181  
[ 11 ] CVE-2022-4182  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4182  
[ 12 ] CVE-2022-4183  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4183  
[ 13 ] CVE-2022-4184  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4184  
[ 14 ] CVE-2022-4185  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4185  
[ 15 ] CVE-2022-4186  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4186  
[ 16 ] CVE-2022-4187  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4187  
[ 17 ] CVE-2022-4188  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4188  
[ 18 ] CVE-2022-4189  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4189  
[ 19 ] CVE-2022-4190  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4190  
[ 20 ] CVE-2022-4191  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4191  
[ 21 ] CVE-2022-4192  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4192  
[ 22 ] CVE-2022-4193  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4193  
[ 23 ] CVE-2022-4194  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4194  
[ 24 ] CVE-2022-4195  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4195  
[ 25 ] CVE-2022-4436  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4436  
[ 26 ] CVE-2022-4437  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4437  
[ 27 ] CVE-2022-4438  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4438  
[ 28 ] CVE-2022-4439  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4439  
[ 29 ] CVE-2022-4440  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4440  
[ 30 ] CVE-2022-41115  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41115  
[ 31 ] CVE-2022-44688  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44688  
[ 32 ] CVE-2022-44708  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44708  
[ 33 ] CVE-2023-0128  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0128  
[ 34 ] CVE-2023-0129  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0129  
[ 35 ] CVE-2023-0130  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0130  
[ 36 ] CVE-2023-0131  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0131  
[ 37 ] CVE-2023-0132  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0132  
[ 38 ] CVE-2023-0133  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0133  
[ 39 ] CVE-2023-0134  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0134  
[ 40 ] CVE-2023-0135  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0135  
[ 41 ] CVE-2023-0136  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0136  
[ 42 ] CVE-2023-0137  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0137  
[ 43 ] CVE-2023-0138  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0138  
[ 44 ] CVE-2023-0139  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0139  
[ 45 ] CVE-2023-0140  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0140  
[ 46 ] CVE-2023-0141  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0141  
[ 47 ] CVE-2023-2721  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2721  
[ 48 ] CVE-2023-2722  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2722  
[ 49 ] CVE-2023-2723  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2723  
[ 50 ] CVE-2023-2724  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2724  
[ 51 ] CVE-2023-2725  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2725  
[ 52 ] CVE-2023-2726  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2726  
[ 53 ] CVE-2023-2929  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2929  
[ 54 ] CVE-2023-2930  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2930  
[ 55 ] CVE-2023-2931  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2931  
[ 56 ] CVE-2023-2932  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2932  
[ 57 ] CVE-2023-2933  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2933  
[ 58 ] CVE-2023-2934  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2934  
[ 59 ] CVE-2023-2935  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2935  
[ 60 ] CVE-2023-2936  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2936  
[ 61 ] CVE-2023-2937  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2937  
[ 62 ] CVE-2023-2938  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2938  
[ 63 ] CVE-2023-2939  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2939  
[ 64 ] CVE-2023-2940  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2940  
[ 65 ] CVE-2023-2941  
      https://nvd.nist.gov/vuln/detail/CVE-2023-2941  
[ 66 ] CVE-2023-3079  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3079  
[ 67 ] CVE-2023-3214  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3214  
[ 68 ] CVE-2023-3215  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3215  
[ 69 ] CVE-2023-3216  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3216  
[ 70 ] CVE-2023-3217  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3217  
[ 71 ] CVE-2023-4068  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4068  
[ 72 ] CVE-2023-4069  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4069  
[ 73 ] CVE-2023-4070  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4070  
[ 74 ] CVE-2023-4071  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4071  
[ 75 ] CVE-2023-4072  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4072  
[ 76 ] CVE-2023-4073  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4073  
[ 77 ] CVE-2023-4074  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4074  
[ 78 ] CVE-2023-4075  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4075  
[ 79 ] CVE-2023-4076  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4076  
[ 80 ] CVE-2023-4077  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4077  
[ 81 ] CVE-2023-4078  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4078  
[ 82 ] CVE-2023-4761  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4761  
[ 83 ] CVE-2023-4762  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4762  
[ 84 ] CVE-2023-4763  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4763  
[ 85 ] CVE-2023-4764  
      https://nvd.nist.gov/vuln/detail/CVE-2023-4764  
[ 86 ] CVE-2023-5218  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5218  
[ 87 ] CVE-2023-5473  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5473  
[ 88 ] CVE-2023-5474  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5474  
[ 89 ] CVE-2023-5475  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5475  
[ 90 ] CVE-2023-5476  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5476  
[ 91 ] CVE-2023-5477  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5477  
[ 92 ] CVE-2023-5478  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5478  
[ 93 ] CVE-2023-5479  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5479  
[ 94 ] CVE-2023-5480  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5480  
[ 95 ] CVE-2023-5481  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5481  
[ 96 ] CVE-2023-5482  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5482  
[ 97 ] CVE-2023-5483  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5483  
[ 98 ] CVE-2023-5484  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5484  
[ 99 ] CVE-2023-5485  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5485  
[ 100 ] CVE-2023-5486  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5486  
[ 101 ] CVE-2023-5487  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5487  
[ 102 ] CVE-2023-5849  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5849  
[ 103 ] CVE-2023-5850  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5850  
[ 104 ] CVE-2023-5851  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5851  
[ 105 ] CVE-2023-5852  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5852  
[ 106 ] CVE-2023-5853  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5853  
[ 107 ] CVE-2023-5854  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5854  
[ 108 ] CVE-2023-5855  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5855  
[ 109 ] CVE-2023-5856  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5856  
[ 110 ] CVE-2023-5857  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5857  
[ 111 ] CVE-2023-5858  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5858  
[ 112 ] CVE-2023-5859  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5859  
[ 113 ] CVE-2023-5996  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5996  
[ 114 ] CVE-2023-5997  
      https://nvd.nist.gov/vuln/detail/CVE-2023-5997  
[ 115 ] CVE-2023-6112  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6112  
[ 116 ] CVE-2023-21775  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21775  
[ 117 ] CVE-2023-21796  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21796

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-11

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-11

Gentoo Linux Security Advisory 202311-10 - Multiple vulnerabilities have been discovered in RenderDoc, the worst of which leads to remote code execution. Versions greater than or equal to 1.27 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: RenderDoc: Multiple Vulnerabilities  
     Date: November 25, 2023  
     Bugs: #908031  
       ID: 202311-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in RenderDoc, the worst of  
which leads to remote code execution.

Background  
=========  
RenderDoc is a free MIT licensed stand-alone graphics debugger that  
allows quick and easy single-frame capture and detailed introspection of  
any application using Vulkan, D3D11, OpenGL & OpenGL ES or D3D12 across  
Windows, Linux, Android, or Nintendo Switch™.

Affected packages  
================  
Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
media-gfx/renderdoc  < 1.27        >= 1.27

Description  
==========  
Multiple vulnerabilities have been discovered in GRUB. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All RenderDoc users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-gfx/renderdoc-1.27"

References  
=========  
[ 1 ] CVE-2023-33863  
      https://nvd.nist.gov/vuln/detail/CVE-2023-33863  
[ 2 ] CVE-2023-33864  
      https://nvd.nist.gov/vuln/detail/CVE-2023-33864  
[ 3 ] CVE-2023-33865  
      https://nvd.nist.gov/vuln/detail/CVE-2023-33865

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-10

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#web