November Linux Patch Wednesday. I was happy in October that the number of vulnerabilities was gradually decreasing to an acceptable level, and in November I got a peak again. A total of 803 vulnerabilities. Of these, 567 are in the Linux Kernel. Kind of crazy.

2 vulnerabilities in Chromium with signs of exploitation in the wild:

Security Feature Bypass – Chromium (CVE-2024-10229)
Memory Corruption – Chromium (CVE-2024-10230, CVE-2024-10231)

There are no signs of exploitation in the wild for 27 vulnerabilities yet, but there are public exploits. Of these, I would draw attention to:

Remote Code Execution – PyTorch (CVE-2024-48063)
Remote Code Execution – OpenRefine Butterfly (CVE-2024-47883) – “web application framework”
Code Injection – OpenRefine tool (CVE-2024-47881)
Command Injection – Eclipse Jetty (CVE-2024-6763)
Memory Corruption – pure-ftpd (CVE-2024-48208)

Vulristics November Linux Patch Wednesday Report

На русском

October Linux Patch Wednesday. There are 248 vulnerabilities in total. Of these, 92 are in the Linux Kernel.

5 vulnerabilities with signs of exploitation in the wild:

Remote Code Execution – CUPS (CVE-2024-47176) and 4 more CUPS vulnerabilities that can also be used to enhance DoS attacks
Remote Code Execution – Mozilla Firefox (CVE-2024-9680)

For 10 vulnerabilities there are no signs of exploitation in the wild yet, but exploits exist. Among them, the following can be highlighted:

Remote Code Execution – Cacti (CVE-2024-43363)
Elevation of Privilege – Linux Kernel (CVE-2024-46848)
Arbitrary File Reading – Jenkins (CVE-2024-43044)
Denial of Service – CUPS (CVE-2024-47850)
Cross Site Scripting – Rollup JavaScript module (CVE-2024-47068)

Vulristics October Linux Patch Wednesday Report

На русском

September Linux Patch Wednesday. 460 vulnerabilities. Of these, 279 are in the Linux Kernel.

2 vulnerabilities with signs of exploitation in the wild, but without public exploits:

Security Feature Bypass – Chromium (CVE-2024-7965)
Memory Corruption – Chromium (CVE-2024-7971)

29 vulnerabilities with no sign of exploitation in the wild, but with a link to a public exploit or a sign of its existence. Can be highlighted:

Remote Code Execution – pgAdmin (CVE-2024-2044), SPIP (CVE-2024-7954), InVesalius (CVE-2024-42845)
Command Injection – SPIP (CVE-2024-8517)

Among them are vulnerabilities from 2023, fixed in repos only now (in RedOS):

Remote Code Execution – webmin (CVE-2023-38303)
Code Injection – webmin (CVE-2023-38306, CVE-2023-38308)
Information Disclosure – KeePass (CVE-2023-24055)

Debian brought “Google Chrome on Windows” vulnerabilities.

Vulristics September Linux Patch Wednesday Report

На русском

August Linux Patch Wednesday. 658 vulnerabilities. Of these, 380 are in the Linux Kernel. About 10 have signs of exploitation in the wild. I will highlight:

Vulnerabilities of IT Asset Management system GLPI: AuthBypass (CVE-2023-35939, CVE-2023-35940) and Code Injection (CVE-2023-35924, CVE-2023-36808, CVE-2024-27096, CVE-2024-29889). Fixed in RedOS.
InfDisclosure – Minio (CVE-2023-28432). Old and trendy, but also fixes appeared only in RedOS.
DoS – PHP (CVE-2024-2757). If I were to take into account Fedora or Alpine bulletins, this would be in an earlier LPW. 2DO.

About 30 without signs of exploitation in the wild, but with exploits. I will highlight:

Command Injection – Apache HTTP Server (CVE-2024-40898)
AuthBypass – Apache HTTP Server (CVE-2024-40725)
AuthBypass – Neat VNC (CVE-2024-42458)
RCE – Calibre (CVE-2024-6782); yes, e-books software

Vulristics report on August Linux Patch Wednesday

На русском