**Why is this Chrome CVE included in the Security Update Guide?**

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

**How can I see the version of the browser?**

1.  In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2.  Click on **Help and Feedback**
3.  Click on **About Microsoft Edge**

CVE-2023-1999: Chromium: CVE-2023-1999 Use after free in libwebp

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.8.4.

**Rdiffweb Allocation of Resources Without Limits or Throttling vulnerability**

High severity GitHub Reviewed Published Sep 29, 2023 to the GitHub Advisory Database • Updated Sep 29, 2023

GHSA-c4rv-2j6x-pq7x: Rdiffweb Allocation of Resources Without Limits or Throttling vulnerability

Gentoo Linux Security Advisory 202309-14 - Multiple vulnerabilities have been found in libarchive, the worst of which could result in denial of service. Versions greater than or equal to 3.7.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-14  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: libarchive: Multiple Vulnerabilities  
     Date: September 29, 2023  
     Bugs: #882521, #911486  
       ID: 202309-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in libarchive, the worst of  
which could result in denial of service.

Background  
=========  
libarchive is a library for manipulating different streaming archive  
formats, including certain tar variants, several cpio formats, and both  
BSD and GNU ar variants.

Affected packages  
================  
Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
app-arch/libarchive  < 3.7.1       >= 3.7.1

Description  
==========  
Multiple vulnerabilities have been discovered in libarchive. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libarchive users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-arch/libarchive-3.7.1"

References  
=========  
[ 1 ] CVE-2022-36227  
      https://nvd.nist.gov/vuln/detail/CVE-2022-36227

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-14

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-14

Gentoo Linux Security Advisory 202309-13 - A buffer overflow vulnerability has been found in GMP which could result in denial of service. Versions greater than or equal to 6.2.1-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: GMP: Buffer Overflow Vulnerability  
     Date: September 29, 2023  
     Bugs: #823804  
       ID: 202309-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A buffer overflow vulnerability has been found in GMP which could result  
in denial of service.

Background  
=========  
The GNU Multiple Precision Arithmetic Library is a library forarbitrary-  
precision arithmetic on different types of numbers.

Affected packages  
================  
Package       Vulnerable    Unaffected  
------------  ------------  ------------  
dev-libs/gmp  < 6.2.1-r2    >= 6.2.1-r2

Description  
==========  
There is an integer overflow leading to a buffer overflow when  
processing untrusted input via GMP's mpz_inp_raw function.

Impact  
=====  
Untrusted input can cause a denial of service via segmentation fault.

Workaround  
=========  
Users can ensure no untrusted input is passed into GMP's mpz_inp_raw  
function.

Resolution  
=========  
All GMP users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">Þv-libs/gmp-6.2.1-r2"

References  
=========  
[ 1 ] CVE-2021-43618  
      https://nvd.nist.gov/vuln/detail/CVE-2021-43618

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-13

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-13

Gentoo Linux Security Advisory 202309-12 - Multiple vulnerabilities have been found in sudo, the worst of which can result in root privilege escalation. Versions greater than or equal to 1.9.13_p2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-12  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: sudo: Multiple Vulnerabilities  
     Date: September 29, 2023  
     Bugs: #898510, #905322  
       ID: 202309-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in sudo, the worst of which can  
result in root privilege escalation.

Background  
=========  
sudo allows a system administrator to give users the ability to run  
commands as other users.

Affected packages  
================  
Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
app-admin/sudo  < 1.9.13_p2   >= 1.9.13_p2

Description  
==========  
Multiple vulnerabilities have been discovered in sudo. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All sudo users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-admin/sudo-1.9.13_p2"

References  
=========  
[ 1 ] CVE-2023-27320  
      https://nvd.nist.gov/vuln/detail/CVE-2023-27320  
[ 2 ] CVE-2023-28486  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28486  
[ 3 ] CVE-2023-28487  
      https://nvd.nist.gov/vuln/detail/CVE-2023-28487

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-12

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-12

Gentoo Linux Security Advisory 202309-11 - Multiple vulnerabilities have been found in libsndfile, the worst of which could result in arbitrary code execution. Versions greater than or equal to 1.1.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: libsndfile: Multiple Vulnerabilities  
     Date: September 29, 2023  
     Bugs: #803065  
       ID: 202309-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in libsndfile, the worst of  
which could result in arbitrary code execution.

Background  
=========  
libsndfile is a C library for reading and writing files containing  
sampled sound.

Affected packages  
================  
Package                Vulnerable    Unaffected  
---------------------  ------------  ------------  
media-libs/libsndfile  < 1.1.0       >= 1.1.0

Description  
==========  
Multiple vulnerabilities have been discovered in libsndfile. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libsndfile users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libsndfile-1.1.0"

References  
=========  
[ 1 ] CVE-2021-3246  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3246  
[ 2 ] CVE-2021-4156  
      https://nvd.nist.gov/vuln/detail/CVE-2021-4156

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-11

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-11

Gentoo Linux Security Advisory 202309-10 - A vulnerability was discovered in Fish when handling git repository configuration that may lead to execution of arbitrary code Versions greater than or equal to 3.4.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Fish: User-assisted execution of arbitrary code  
     Date: September 29, 2023  
     Bugs: #835337  
       ID: 202309-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability was discovered in Fish when handling git repository  
configuration that may lead to execution of arbitrary code

Background  
=========  
Smart and user-friendly command line shell for macOS, Linux, and the  
rest of the family. It includes features like syntax highlighting,  
autosuggest-as-you-type, and fancy tab completions that just work, with  
no configuration required.

Affected packages  
================  
Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
app-shells/fish  < 3.4.0       >= 3.4.0

Description  
==========  
A vulnerability have been discovered in Fish. Please review the CVE  
identifiers referenced below for details.

Impact  
=====  
A user may be enticed to cd into a git repository under control by an  
attacker (e.g. on a shared filesystem or by unpacking an archive) and  
execute arbitrary commands.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All fish users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-shells/fish-3.4.0"

References  
=========  
[ 1 ] CVE-2022-20001  
      https://nvd.nist.gov/vuln/detail/CVE-2022-20001

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-10

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-10

Gentoo Linux Security Advisory 202309-9 - Multiple vulnerabilities have been found in Pacemaker, the worst of which could result in root privilege escalation. Versions greater than or equal to 2.0.5_rc2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202309-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Pacemaker: Multiple Vulnerabilities  
     Date: September 29, 2023  
     Bugs: #711674, #751430  
       ID: 202309-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in Pacemaker, the worst of  
which could result in root privilege escalation.

Background  
=========  
Pacemaker is an Open Source, High Availability resource manager suitable  
for both small and large clusters.

Affected packages  
================  
Package                Vulnerable    Unaffected  
---------------------  ------------  ------------  
sys-cluster/pacemaker  < 2.0.5_rc2   >= 2.0.5_rc2

Description  
==========  
Multiple vulnerabilities have been discovered in Pacemaker. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Pacemaker users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-cluster/pacemaker-2.0.5_rc2"

References  
=========  
[ 1 ] CVE-2018-16877  
      https://nvd.nist.gov/vuln/detail/CVE-2018-16877  
[ 2 ] CVE-2018-16878  
      https://nvd.nist.gov/vuln/detail/CVE-2018-16878  
[ 3 ] CVE-2019-3885  
      https://nvd.nist.gov/vuln/detail/CVE-2019-3885  
[ 4 ] CVE-2020-25654  
      https://nvd.nist.gov/vuln/detail/CVE-2020-25654

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202309-09

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202309-09

Debian Linux Security Advisory 5507-1 - Multiple security vulnerabilities were found in Jetty, a Java based web server and servlet engine.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5507-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
September 28, 2023                    https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : jetty9  
CVE ID         : CVE-2023-26048 CVE-2023-26049 CVE-2023-36479 CVE-2023-40167  
                 CVE-2023-41900

Multiple security vulnerabilities were found in Jetty, a Java based web server  
and servlet engine.

The org.eclipse.jetty.servlets.CGI class has been deprecated. It is potentially  
unsafe to use it. The upstream developers of Jetty recommend to use Fast CGI  
instead. See also CVE-2023-36479.

CVE-2023-26048

    In affected versions servlets with multipart support (e.g. annotated with  
    `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or  
    `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the  
    client sends a multipart request with a part that has a name but no  
    filename and very large content. This happens even with the default  
    settings of `fileSizeThreshold=0` which should stream the whole part  
    content to disk.

CVE-2023-26049

    Nonstandard cookie parsing in Jetty may allow an attacker to smuggle  
    cookies within other cookies, or otherwise perform unintended behavior by  
    tampering with the cookie parsing mechanism.

CVE-2023-40167

    Prior to this version Jetty accepted the `+` character proceeding the  
    content-length value in a HTTP/1 header field. This is more permissive than  
    allowed by the RFC and other servers routinely reject such requests with  
    400 responses. There is no known exploit scenario, but it is conceivable  
    that request smuggling could result if jetty is used in combination with a  
    server that does not close the connection after sending such a 400  
    response.

CVE-2023-36479

    Users of the CgiServlet with a very specific command structure may have the  
    wrong command executed. If a user sends a request to a  
    org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its  
    name, the servlet will escape the command by wrapping it in quotation  
    marks. This wrapped command, plus an optional command prefix, will then be  
    executed through a call to Runtime.exec. If the original binary name  
    provided by the user contains a quotation mark followed by a space, the  
    resulting command line will contain multiple tokens instead of one.

CVE-2023-41900

    Jetty is vulnerable to weak authentication. If a Jetty  
    `OpenIdAuthenticator` uses the optional nested `LoginService`, and that  
    `LoginService` decides to revoke an already authenticated user, then the  
    current request will still treat the user as authenticated. The  
    authentication is then cleared from the session and subsequent requests  
    will not be treated as authenticated. So a request on a previously  
    authenticated session could be allowed to bypass authentication after it  
    had been rejected by the `LoginService`. This impacts usages of the  
    jetty-openid which have configured a nested `LoginService` and where that  
    `LoginService` is capable of rejecting previously authenticated users.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 9.4.39-3+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in  
version 9.4.50-4+deb12u1.

We recommend that you upgrade your jetty9 packages.

For the detailed security status of jetty9 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/jetty9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUV6x5fFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeTJGw//a9ZVCC9qHUG/KfAkJJs27UGuL4T1hRM5Azu+8jFxMHwuqKf62FCWlGUE  
xM9fwQdUDvfkSBsrGlp+nAwqegOh+YBvAxh6DBdMpEYhZ+wUDLwZaPdR5iTj7q2e  
JpjKs1hp7QRDfguL6+T/sJmMx9zk7soDwqd3QEjBXBhuYhlVfq7Wm4v5STKj28pD  
Yjv6YmLKIHTv9/HaUWNDCFUjyRGZjmAvYVAIF3gNo9Qn2agq4z3+1Z2EPX4+qbVq  
pp+JKr/vVSVHltaR1D0JyC5zjrHOo+dRFWYwG7K/V7kijyIbciNACTe/W2v6hM6F  
w+0+8C7TMbof22nOHVcgBygukIvxdvnG6BQUUQaVeE36wi8cvBSVgTe0NJb0NIQt  
Gr37tlG+9kJy9d02I+hgX8U90aWmaofTJsn3YbAL6wv2r7Klm6LJN6p8oAmqfEM6  
IOOii4JpHaRDz1VQsjskhjw7Q1UigVX6lmx6BfPHzG2BFSe8v5vG+6OvH4oF+Egy  
VTF3U/lvXcdqaZyNnCKn4NWLJZHVYE4ncgdDp8qomJXnDoMy6V9+DEDADiu9C2ox  
4YvtBHVIZ1uYBRRDjutJw0dkKa7QotSlkmVnAV+oqHa1/Dp2Cytjb+rRhp83QLEw  
kfBWYLpFIq9ARI08AyK4hzX27FFf3ojHp++Lau8ODwb/4s9bKE0=j7dG  
-----END PGP SIGNATURE-----

Debian Security Advisory 5507-1

Red Hat Security Advisory 2023-5405-01 - The Advanced Virtualization module provides the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Issues addressed include buffer overflow and code execution vulnerabilities.

Tag

#web