January Linux Patch Wednesday. Out of 424 total vulnerabilities, 271 are in the Linux Kernel. None show signs of exploitation in the wild, but 9 have public exploits.

🔸 RCE – Apache Tomcat (CVE-2024-56337). Based on the description, the vulnerability affects “case-insensitive file systems” like Windows or MacOS. However, Debian lists it as affecting tomcat9 and tomcat10. Either this is about rare case-insensitive Linux installations or there is an error in the description. 🤷‍♂️
🔸 RCE – Chromium (CVE-2025-0291). According to the FSTEC BDU, a public exploit exists.
🔸 RCE – 7-Zip (CVE-2024-11477). What’s in the public is not an exploit, but a write-up.
🔸 Memory Corruption – Theora (CVE-2024-56431). It’s not clear yet how to exploit this. 🤷‍♂️
🔸 Memory Corruption – Telegram (CVE-2021-31320, CVE-2021-31319, CVE-2021-31315, CVE-2021-31318, CVE-2021-31322). Ubuntu fixed these vulnerabilities in the rlottie library package.

🗒 Full Vulristics report

На русском

December Linux Patch Wednesday. There are 316 vulnerabilities in total. Compared to November LPW – much better. 🙂 119 are in Linux Kernel.

Two vulnerabilities with signs of exploitation in the wild. Both in Safari:

🔻 RCE – Safari (CVE-2024-44308)
🔻 XSS – Safari (CVE-2024-44309)

These vulnerabilities are fixed not in Safari, but in packages of the WebKit browser engine.

There are no signs of exploitation in the wild for 19 vulnerabilities yet, but there are public exploits. The following can be highlighted:

🔸 RCE – Moodle (CVE-2024-43425). First fix in the Linux vendor repository appeared on 2024-11-21 (RedOS)
🔸 Command Injection – Grafana (CVE-2024-9264)
🔸 Command Injection – virtualenv (CVE-2024-53899)
🔸 SQLi – Zabbix (CVE-2024-42327)
🔸 Data Leakage – Apache Tomcat (CVE-2024-52317)

🗒 Vulristics December Linux Patch Wednesday Report

🎉🆕 I released Vulristics 1.0.9 with improved detection of vulnerable software based on CVE description.

На русском

November Linux Patch Wednesday. I was happy in October that the number of vulnerabilities was gradually decreasing to an acceptable level, and in November I got a peak again. A total of 803 vulnerabilities. Of these, 567 are in the Linux Kernel. Kind of crazy. 😱

2 vulnerabilities in Chromium with signs of exploitation in the wild:

🔻 Security Feature Bypass – Chromium (CVE-2024-10229)
🔻 Memory Corruption – Chromium (CVE-2024-10230, CVE-2024-10231)

There are no signs of exploitation in the wild for 27 vulnerabilities yet, but there are public exploits. Of these, I would draw attention to:

🔸 Remote Code Execution – PyTorch (CVE-2024-48063)
🔸 Remote Code Execution – OpenRefine Butterfly (CVE-2024-47883) – “web application framework”
🔸 Code Injection – OpenRefine tool (CVE-2024-47881)
🔸 Command Injection – Eclipse Jetty (CVE-2024-6763)
🔸 Memory Corruption – pure-ftpd (CVE-2024-48208)

🗒 Vulristics November Linux Patch Wednesday Report

На русском

October Linux Patch Wednesday. There are 248 vulnerabilities in total. Of these, 92 are in the Linux Kernel.

5 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – CUPS (CVE-2024-47176) and 4 more CUPS vulnerabilities that can also be used to enhance DoS attacks
🔻 Remote Code Execution – Mozilla Firefox (CVE-2024-9680)

For 10 vulnerabilities there are no signs of exploitation in the wild yet, but exploits exist. Among them, the following can be highlighted:

🔸 Remote Code Execution – Cacti (CVE-2024-43363)
🔸 Elevation of Privilege – Linux Kernel (CVE-2024-46848)
🔸 Arbitrary File Reading – Jenkins (CVE-2024-43044)
🔸 Denial of Service – CUPS (CVE-2024-47850)
🔸 Cross Site Scripting – Rollup JavaScript module (CVE-2024-47068)

🗒 Vulristics October Linux Patch Wednesday Report

На русском

September Linux Patch Wednesday. 460 vulnerabilities. Of these, 279 are in the Linux Kernel.

2 vulnerabilities with signs of exploitation in the wild, but without public exploits:

🔻 Security Feature Bypass – Chromium (CVE-2024-7965)
🔻 Memory Corruption – Chromium (CVE-2024-7971)

29 vulnerabilities with no sign of exploitation in the wild, but with a link to a public exploit or a sign of its existence. Can be highlighted:

🔸 Remote Code Execution – pgAdmin (CVE-2024-2044), SPIP (CVE-2024-7954), InVesalius (CVE-2024-42845)
🔸 Command Injection – SPIP (CVE-2024-8517)

Among them are vulnerabilities from 2023, fixed in repos only now (in RedOS):

🔸 Remote Code Execution – webmin (CVE-2023-38303)
🔸 Code Injection – webmin (CVE-2023-38306, CVE-2023-38308)
🔸 Information Disclosure – KeePass (CVE-2023-24055)

Debian brought “Google Chrome on Windows” vulnerabilities. 😣👎

🗒 Vulristics September Linux Patch Wednesday Report

На русском

August Linux Patch Wednesday. 658 vulnerabilities. Of these, 380 are in the Linux Kernel. About 10 have signs of exploitation in the wild. I will highlight:

🔻 Vulnerabilities of IT Asset Management system GLPI: AuthBypass (CVE-2023-35939, CVE-2023-35940) and Code Injection (CVE-2023-35924, CVE-2023-36808, CVE-2024-27096, CVE-2024-29889). Fixed in RedOS.
🔻 InfDisclosure – Minio (CVE-2023-28432). Old and trendy, but also fixes appeared only in RedOS.
🔻 DoS – PHP (CVE-2024-2757). If I were to take into account Fedora or Alpine bulletins, this would be in an earlier LPW. 🤔 2DO.

About 30 without signs of exploitation in the wild, but with exploits. I will highlight:

🔸 Command Injection – Apache HTTP Server (CVE-2024-40898)
🔸 AuthBypass – Apache HTTP Server (CVE-2024-40725)
🔸 AuthBypass – Neat VNC (CVE-2024-42458)
🔸 RCE – Calibre (CVE-2024-6782); yes, e-books software 🙂

🗒 Vulristics report on August Linux Patch Wednesday

На русском