Ubuntu Security Notice USN-5836-1

Ubuntu Security Notice 5836-1 - It was discovered that Vim was not properly performing memory management operations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

Red Hat Security Advisory 2023-0553-01

Red Hat Security Advisory 2023-0553-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, cross site scripting, denial of service, deserialization, memory exhaustion, and server-side request forgery vulnerabilities.

Red Hat Security Advisory 2023-0552-01

Red Hat Security Advisory 2023-0552-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, cross site scripting, denial of service, deserialization, memory exhaustion, and server-side request forgery vulnerabilities.

Red Hat Security Advisory 2023-0554-01

Red Hat Security Advisory 2023-0554-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, cross site scripting, denial of service, deserialization, memory exhaustion, and server-side request forgery vulnerabilities.

Hikvision Remote Code Execution / XSS / SQL Injection

Some Hikvision Hybrid SAN products were vulnerable to multiple remote code execution (command injection) vulnerabilities, including reflected cross site scripting, Ruby code injection, classic and blind SQL injection resulting in remote code execution that allows an adversary to execute arbitrary operating system commands and more. However, an adversary must be on the same network to leverage this vulnerability to execute arbitrary commands.

Ubuntu Security Notice USN-5834-1

Ubuntu Security Notice 5834-1 - It was discovered that the Apache HTTP Server mod_dav module did not properly handle specially crafted request headers. A remote attacker could possibly use this issue to cause the process to crash, leading to a denial of service. It was discovered that the Apache HTTP Server mod_proxy_ajp module did not properly handle certain invalid Transfer-Encoding headers. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.

Red Hat Security Advisory 2023-0556-01

Red Hat Security Advisory 2023-0556-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, cross site scripting, denial of service, deserialization, memory exhaustion, and server-side request forgery vulnerabilities.

Ubuntu Security Notice USN-5835-3

Ubuntu Security Notice 5835-3 - Guillaume Espanel, Pierre Libeau, Arnaud Morin, and Damien Rannou discovered that Nova incorrectly handled VMDK image processing. An authenticated attacker could possibly supply a specially crafted VMDK flat image and obtain arbitrary files from the server containing sensitive information.

Ubuntu Security Notice USN-5835-1

Ubuntu Security Notice 5835-1 - Guillaume Espanel, Pierre Libeau, Arnaud Morin, and Damien Rannou discovered that Cinder incorrectly handled VMDK image processing. An authenticated attacker could possibly supply a specially crafted VMDK flat image and obtain arbitrary files from the server containing sensitive information.

Ubuntu Security Notice USN-5835-2

Ubuntu Security Notice 5835-2 - Guillaume Espanel, Pierre Libeau, Arnaud Morin, and Damien Rannou discovered that OpenStack Glance incorrectly handled VMDK image processing. An authenticated attacker could possibly supply a specially crafted VMDK flat image and obtain arbitrary files from the server containing sensitive information.

Red Hat Security Advisory 2023-0449-01

Red Hat Security Advisory 2023-0449-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.1.

Ubuntu Security Notice USN-5833-1

Ubuntu Security Notice 5833-1 - Sebastian Chnelik discovered that python-future incorrectly handled certain HTTP header field. An attacker could possibly use this issue to cause a denial of service.

Red Hat Security Advisory 2023-0450-01

Red Hat Security Advisory 2023-0450-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

Red Hat Security Advisory 2023-0542-01

Red Hat Security Advisory 2023-0542-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release. Issues addressed include denial of service and spoofing vulnerabilities.

Red Hat Security Advisory 2023-0540-01

Red Hat Security Advisory 2023-0540-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an OpenShift Container Platform installation. This advisory covers the RPM packages for the release.

Red Hat Security Advisory 2023-0530-01

Red Hat Security Advisory 2023-0530-01 - KSBA is a library to make X.509 certificates as well as the CMS easily accessible by other applications. Both specifications are building blocks of S/MIME and TLS. Issues addressed include code execution and integer overflow vulnerabilities.

Red Hat Security Advisory 2023-0536-01

Red Hat Security Advisory 2023-0536-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

Red Hat Security Advisory 2023-0544-01

Red Hat Security Advisory 2023-0544-01 - This patch, Camel for Spring Boot 3.14.5 Patch 1, serves as a replacement for the previous release of Camel for Spring Boot 3.14.5 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. This release of Camel for Spring Boot includes CXF artifacts that were missing from the previous 3.14.5 release. Issues addressed include a server-side request forgery vulnerability.

Ubuntu Security Notice USN-5832-1

Ubuntu Security Notice 5832-1 - Kyle Zeng discovered that the sysctl implementation in the Linux kernel contained a stack-based buffer overflow. A local attacker could use this to cause a denial of service or execute arbitrary code. Tamás Koczka discovered that the Bluetooth L2CAP handshake implementation in the Linux kernel contained multiple use-after-free vulnerabilities. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.

Red Hat Security Advisory 2023-0526-01

Red Hat Security Advisory 2023-0526-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Red Hat Security Advisory 2023-0506-01

Red Hat Security Advisory 2023-0506-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a file download vulnerability.

Red Hat Security Advisory 2023-0499-01

Red Hat Security Advisory 2023-0499-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

Red Hat Security Advisory 2023-0527-01

Red Hat Security Advisory 2023-0527-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include a file download vulnerability.

Red Hat Security Advisory 2023-0512-01

Red Hat Security Advisory 2023-0512-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system.

Red Hat Security Advisory 2023-0531-01

Red Hat Security Advisory 2023-0531-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Trovent Security Advisory 2203-01 / Micro Focus GroupWise transmits session ID in URL

Posted by Stefan Pietsch on Jan 30

# Trovent Security Advisory 2203-01 #
#####################################

Micro Focus GroupWise transmits session ID in URL
#################################################

Overview
########

Advisory ID: TRSA-2203-01
Advisory version: 1.0
Advisory status: Public
Advisory URL: https://trovent.io/security-advisory-2203-01
Affected product: Micro Focus GroupWise
Affected version: prior to 18.4.2
Vendor: Micro Focus, https://www.microfocus.com...

Debian Security Advisory 5334-1

Debian Linux Security Advisory 5334-1 - Martin van Kervel Smedshammer discovered that varnish, a state of the art, high-performance web accelerator, is prone to a HTTP/2 request forgery vulnerability.

Ubuntu Security Notice USN-5811-3

Ubuntu Security Notice 5811-3 - USN-5811-1 fixed a vulnerability in Sudo. This update provides the corresponding update for Ubuntu 14.04 ESM. Matthieu Barjole and Victor Cutillas discovered that Sudo incorrectly handled user-specified editors when using the sudoedit command. A local attacker that has permission to use the sudoedit command could possibly use this issue to edit arbitrary files.

Red Hat Security Advisory 2022-9096-01

Red Hat Security Advisory 2022-9096-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Issues addressed include bypass and denial of service vulnerabilities.

Debian Security Advisory 5332-1

Debian Linux Security Advisory 5332-1 - Multiple issues were found in Git, a distributed revision control system. An attacker may trigger remote code execution, cause local users into executing arbitrary commands, leak information from the local filesystem, and bypass restricted shell.

Ubuntu Security Notice USN-5823-3

Ubuntu Security Notice 5823-3 - USN-5823-1 fixed vulnerabilities in MySQL. Unfortunately, 8.0.32 introduced a regression in MySQL Router preventing connections from PyMySQL. This update reverts most of the changes in MySQL Router to 8.0.31 until a proper fix can be found.

Debian Security Advisory 5333-1

Debian Linux Security Advisory 5333-1 - Several buffer overflow, divide by zero or out of bounds read/write vulnerabilities were discovered in tiff, the Tag Image File Format (TIFF) library and tools, which may cause denial of service when processing a crafted TIFF image.

Debian Security Advisory 5331-1

Debian Linux Security Advisory 5331-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service or spoofing.

Ubuntu Security Notice USN-5831-1

Ubuntu Security Notice 5831-1 - Kyle Zeng discovered that the sysctl implementation in the Linux kernel contained a stack-based buffer overflow. A local attacker could use this to cause a denial of service or execute arbitrary code. Tamás Koczka discovered that the Bluetooth L2CAP handshake implementation in the Linux kernel contained multiple use-after-free vulnerabilities. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.

Debian Security Advisory 5330-1

Debian Linux Security Advisory 5330-1 - Two vulnerabilities were discovered in Curl, an easy-to-use client-side URL transfer library, which could result in denial of service or information disclosure.

Ubuntu Security Notice USN-5830-1

Ubuntu Security Notice 5830-1 - It was discovered that the NFSD implementation in the Linux kernel did not properly handle some RPC messages, leading to a buffer overflow. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code. Tamás Koczka discovered that the Bluetooth L2CAP handshake implementation in the Linux kernel contained multiple use-after-free vulnerabilities. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.

Debian Security Advisory 5328-1

Debian Linux Security Advisory 5328-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

Red Hat Security Advisory 2023-0483-01

Red Hat Security Advisory 2023-0483-01 - This asynchronous update patches Red Hat Fuse 7.11.1 on Karaf and Red Hat Fuse 7.11.1 on Spring Boot and several includes security fixes, which are documented in the Release Notes document linked to in the References. Issues addressed include a server-side request forgery vulnerability.

Ubuntu Security Notice USN-5822-2

Ubuntu Security Notice 5822-2 - USN-5822-1 fixed vulnerabilities in Samba. The update for Ubuntu 20.04 LTS introduced regressions in certain environments. Pending investigation of these regressions, this update temporarily reverts the security fixes. It was discovered that Samba incorrectly handled the bad password count logic. It was discovered that Samba supported weak RC4/HMAC-MD5 in NetLogon Secure Channel. Greg Hudson discovered that Samba incorrectly handled PAC parsing. Joseph Sutton discovered that Samba could be forced to issue rc4-hmac encrypted Kerberos tickets.

Red Hat Security Advisory 2023-0476-01

Red Hat Security Advisory 2023-0476-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.7.1. Issues addressed include a bypass vulnerability.

Debian Security Advisory 5329-1

Debian Linux Security Advisory 5329-1 - Several vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service against named.

Red Hat Security Advisory 2023-0481-01

Red Hat Security Advisory 2023-0481-01 - Submariner enables direct networking between pods and services on different Kubernetes clusters that are either on-premises or in the cloud. This advisory contains bug fixes and enhancements to the Submariner container images.

Apple Security Advisory 2023-01-24-1

Apple Security Advisory 2023-01-24-1 - tvOS 16.3 addresses bypass, code execution, and information leakage vulnerabilities.

Red Hat Security Advisory 2023-0208-01

Red Hat Security Advisory 2023-0208-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Issues addressed include a deserialization vulnerability.

Red Hat Security Advisory 2023-0210-01

Red Hat Security Advisory 2023-0210-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Issues addressed include a deserialization vulnerability.

Red Hat Security Advisory 2023-0479-01

Red Hat Security Advisory 2023-0479-01 - Red Hat Directory Server is an LDAPv3-compliant directory server. The suite of packages includes the Lightweight Directory Access Protocol server, as well as command-line utilities and Web UI packages for server administration.

Red Hat Security Advisory 2023-0470-01

Red Hat Security Advisory 2023-0470-01 - An update is now available for Migration Toolkit for Runtimes (v1.0.1).

Red Hat Security Advisory 2023-0469-01

Red Hat Security Advisory 2023-0469-01 - Red Hat Integration Camel Extensions for Quarkus 2.13.2 is now available. Issues addressed include denial of service and memory exhaustion vulnerabilities.

Red Hat Security Advisory 2023-0471-01

Red Hat Security Advisory 2023-0471-01 - An update is now available for Migration Toolkit for Runtimes (v1.0.1). Issues addressed include a denial of service vulnerability.

[SYSS-2022-047] Razer Synapse - Local Privilege Escalation

Posted by Oliver Schwarz via Fulldisclosure on Jan 26

Advisory ID: SYSS-2022-047
Product: Razer Synapse
Manufacturer: Razer Inc.
Affected Version(s): Versions before 3.7.0830.081906
Tested Version(s): 3.7.0731.072516
Vulnerability Type: Improper Certificate Validation (CWE-295)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2022-08-02
Solution Date: 2022-09-06
Public Disclosure:...

APPLE-SA-2023-01-24-1 tvOS 16.3

Posted by Apple Product Security via Fulldisclosure on Jan 26

APPLE-SA-2023-01-24-1 tvOS 16.3

tvOS 16.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213601.

AppleMobileFileIntegrity
Available for: Apple TV 4K (all models) and Apple TV HD
Impact: An app may be able to access user-sensitive data
Description: This issue was addressed by enabling hardened runtime.
CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing...

Ubuntu Security Notice USN-5829-1

Ubuntu Security Notice 5829-1 - It was discovered that the NFSD implementation in the Linux kernel did not properly handle some RPC messages, leading to a buffer overflow. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code. Tamás Koczka discovered that the Bluetooth L2CAP handshake implementation in the Linux kernel contained multiple use-after-free vulnerabilities. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code.

Red Hat Security Advisory 2023-0468-01

Red Hat Security Advisory 2023-0468-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.

Ubuntu Security Notice USN-5827-1

Ubuntu Security Notice 5827-1 - Rob Schulhof discovered that Bind incorrectly handled a large number of UPDATE messages. A remote attacker could possibly use this issue to cause Bind to consume resources, resulting in a denial of service. Borja Marcos discovered that Bind incorrectly handled certain RRSIG queries. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 22.10.

Ubuntu Security Notice USN-5828-1

Ubuntu Security Notice 5828-1 - It was discovered that Kerberos incorrectly handled certain S4U2Self requests. An attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. Greg Hudson discovered that Kerberos PAC implementation incorrectly handled certain parsing operations. A remote attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.

Red Hat Security Advisory 2023-0467-01

Red Hat Security Advisory 2023-0467-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include a bypass vulnerability.

Red Hat Security Advisory 2023-0466-01

Red Hat Security Advisory 2023-0466-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.

Ubuntu Security Notice USN-5826-1

Ubuntu Security Notice 5826-1 - Joshua Rogers discovered that Privoxy incorrectly handled memory allocation. An attacker could possibly use this issue to cause a denial of service. Artem Ivanov discovered that Privoxy incorrectly handled input validations. An attacker could possibly use this issue to perform cross-site scripting attacks.

Red Hat Security Advisory 2023-0462-01

Red Hat Security Advisory 2023-0462-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.7.1. Issues addressed include a bypass vulnerability.

Red Hat Security Advisory 2023-0276-01

Red Hat Security Advisory 2023-0276-01 - Python ServerView Common Command Interface Client Library.