Report Name: Linux Patch Wednesday November 2024
Generated: 2024-11-20 23:59:08

Product Name	Prevalence	U	C	H	M	L	A	Comment
Linux Kernel	0.9			4	461	102	567	The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
Polkit	0.9			1			1	polkit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to speak to privileged processes
Windows Kernel	0.9			1			1	Windows Kernel
APT	0.8					1	1	A free-software user interface that works with core libraries to handle the installation and removal of software on Debian
Chromium	0.8		3	4	22		29	Chromium is a free and open-source web browser project, mainly developed and maintained by Google
GNOME desktop	0.8			1	3		4	GNOME originally an acronym for GNU Network Object Model Environment, is a free and open-source desktop environment for Linux and other Unix-like operating systems
Mozilla Firefox	0.8			7	5		12	Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation
Node.js	0.8				1		1	Node.js is a cross-platform, open-source server environment that can run on Windows, Linux, Unix, macOS, and more
PHP	0.8			2	4		6	PHP is a general-purpose scripting language geared towards web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995.
RPC	0.8				1		1	Remote Procedure Call Runtime
Safari	0.8				2		2	Safari is a web browser developed by Apple. It is built into Apple's operating systems, including macOS, iOS, iPadOS and their upcoming VisionOS, and uses Apple's open-source browser engine WebKit, which was derived from KHTML.
Windows Libarchive	0.8		1				1	Windows component
X.org server	0.8			1			1	X.Org Server is the free and open-source implementation of the X Window System (X11) display server stewarded by the X.Org Foundation
.NET and Visual Studio	0.7			1	1		2	.NET and Visual Studio
Apache Tomcat	0.7				1		1	Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies
Apache Traffic Server	0.7				3		3	The Apache Traffic Server is a modular, high-performance reverse proxy and forward proxy server, generally comparable to Nginx and Squid
Apple iOS	0.7				1		1	iOS is an operating system developed and marketed by Apple Inc
Curl	0.7			1			1	Curl is a command-line tool for transferring data specified with URL syntax
Oracle MySQL	0.7				16		16	MySQL is an open-source relational database management system
QEMU	0.7				1		1	QEMU is a generic and open source machine & userspace emulator and virtualizer
SQLite	0.7			1	1		2	SQLite is a database engine written in the C programming language
Eclipse Mosquitto	0.6			2			2	Eclipse Mosquitto provides a lightweight server implementation of the MQTT protocol that is suitable for all situations from full power machines to embedded and low power machines
Jetty	0.6			1	3		4	Jetty is a Java based web server and servlet engine
Laravel	0.6				1		1	Laravel is a web application framework
Nextcloud	0.6			2	1		3	Nextcloud server is a self hosted personal cloud system
Perl	0.6				6		6	Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages
PyTorch	0.6		1				1	PyTorch is a machine learning library based on the Torch library, used for applications such as computer vision and natural language processing, originally developed by Meta AI and now part of the Linux Foundation umbrella
Python	0.6				5		5	Python is a high-level, general-purpose programming language
Vault	0.6				3		3	Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets critical in modern computing
ARM processor	0.5					1	1	Processor
CXF	0.5				1		1	Product detected by a:apache:cxf (exists in CPE dict)
Consul	0.5				3		3	Product detected by a:hashicorp:consul (exists in CPE dict)
DOMPurify	0.5				1		1	DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG
Flask	0.5				1		1	Flask is a lightweight WSGI web application framework
HID	0.5					1	1	HID
NVIDIA GPU Display Driver	0.5				1		1	A NVIDIA driver is a software program that enables communication between your computer and the NVIDIA graphics processor installed in your system
OpenJS Express	0.5			1			1	Express is a minimal and flexible Node.js web application framework that provides a robust set of features for web and mobile applications
Qbittorrent	0.5			1			1	Product detected by a:qbittorrent:qbittorrent (exists in CPE dict)
Rexml	0.5				1		1	Product detected by a:ruby-lang:rexml (exists in CPE dict)
Spring Framework	0.5			1			1	Product detected by a:vmware:spring_framework (exists in CPE dict)
Squid	0.5		1				1	Product detected by a:squid-cache:squid (exists in CPE dict)
Starlette	0.5			1			1	Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit
Suricata	0.5				5		5	Product detected by a:oisf:suricata (exists in CPE dict)
TLS	0.5				1		1	TLS
TRIE	0.5				1	1	2	TRIE
Thunderbird	0.5					1	1	Product detected by a:mozilla:thunderbird (exists in CPE dict)
Twig	0.5				2		2	Twig is a template language for PHP
Waitress	0.5				2		2	Product detected by a:agendaless:waitress (exists in CPE dict)
assimp	0.5			1			1	Product detected by a:assimp:assimp (exists in CPE dict)
butterfly	0.5		1				1	Product detected by a:openrefine:butterfly (does NOT exist in CPE dict)
cli	0.5				1		1	Product detected by a:github:cli (does NOT exist in CPE dict)
icinga	0.5			1			1	Product detected by a:icinga:icinga (exists in CPE dict)
libsndfile	0.5			2			2	Product detected by a:libsndfile_project:libsndfile (exists in CPE dict)
linux-pam	0.5					1	1	Product detected by a:linux-pam:linux-pam (exists in CPE dict)
mutt	0.5				2		2	Product detected by a:mutt:mutt (exists in CPE dict)
nimbus_jose\\+jwt	0.5				1		1	Product detected by a:connect2id:nimbus_jose\\+jwt (does NOT exist in CPE dict)
nomacs	0.5			1			1	Product detected by a:nomacs:nomacs (exists in CPE dict)
openrefine	0.5		1	3	1		5	Product detected by a:openrefine:openrefine (exists in CPE dict)
pure-ftpd	0.5			1			1	Pure-FTPd is a free (BSD), secure, production-quality and standard-conformant FTP server
sentry_software_development_kit	0.5				1		1	Product detected by a:sentry:sentry_software_development_kit (exists in CPE dict)
vim	0.5				1		1	Product detected by a:vim:vim (exists in CPE dict)
weechat	0.5				1		1	Product detected by a:weechat:weechat (exists in CPE dict)
wordpress	0.5				1		1	Product detected by a:wordpress:wordpress (exists in CPE dict)
GPAC	0.4			1			1	GPAC is an Open Source multimedia framework for research and academic purposes; the project covers different aspects of multimedia, with a focus on presentation technologies (graphics, animation and interactivity)
Git	0.4				1		1	Git
gomarkdown/markdown	0.4			1			1	A Go library for parsing Markdown text and rendering as HTML
Artifex Ghostscript	0.3				6		6	Artifex Ghostscript is an interpreter for the PostScript® language and PDF files
Unknown Product	0				33	33	66	Unknown Product

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0		3	11	12	1	27
Authentication Bypass	0.98			4	4		8
Code Injection	0.97		1	1	1		3
Command Injection	0.97			2	4		6
XXE Injection	0.97			1			1
Security Feature Bypass	0.9		2	9	32		43
Elevation of Privilege	0.85			1	4		5
Information Disclosure	0.83			1	10	2	13
Cross Site Scripting	0.8			2	7		9
Open Redirect	0.75			1	2		3
Denial of Service	0.7			6	42	4	52
Path Traversal	0.7				6		6
Incorrect Calculation	0.5				25	1	26
Memory Corruption	0.5		2	5	296	3	306
Unknown Vulnerability Type	0				165	130	295

Source	U	C	H	M	L	A
almalinux		1	10	10	1	22
debian		8	38	538	104	688
oraclelinux		1	11	21	14	47
redhat			9	8	1	18
redos			7	30	10	47
ubuntu		1	11	64	19	95

Urgent (0)

Critical (8)

1. Security Feature Bypass - Chromium (CVE-2024-10229) - Critical [740]

Description: Inappropriate implementation in Extensions in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension. (Chromium security severity: High)

debian: CVE-2024-10229 was patched at 2024-10-28, 2024-11-19

2. Memory Corruption - Chromium (CVE-2024-10230) - Critical [680]

Description: Type Confusion in V8 in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2024-10230 was patched at 2024-10-28, 2024-11-19

3. Memory Corruption - Chromium (CVE-2024-10231) - Critical [680]

Description: Type Confusion in V8 in Google Chrome prior to 130.0.6723.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2024-10231 was patched at 2024-10-28, 2024-11-19

4. Remote Code Execution - Windows Libarchive (CVE-2024-20696) - Critical [645]

Description: Windows Libarchive Remote Code Execution Vulnerability

debian: CVE-2024-20696 was patched at 2024-11-09, 2024-11-19

ubuntu: CVE-2024-20696 was patched at 2024-10-31

5. Remote Code Execution - PyTorch (CVE-2024-48063) - Critical [623]

Description: In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.

debian: CVE-2024-48063 was patched at 2024-11-19

6. Remote Code Execution - butterfly (CVE-2024-47883) - Critical [619]

Description: The OpenRefine fork of the MIT Simile Butterfly server is a modular web application framework. The Butterfly framework uses the `java.net.URL` class to refer to (what are expected to be) local resource files, like images or templates. This works: "opening a connection" to these URLs opens the local file. However, prior to version 1.2.6, if a `file:/` URL is directly given where a relative path (resource name) is expected, this is also accepted in some code paths; the app then fetches the file, from a remote machine if indicated, and uses it as if it was a trusted part of the app's codebase. This leads to multiple weaknesses and potential weaknesses. An attacker that has network access to the application could use it to gain access to files, either on the the server's filesystem (path traversal) or shared by nearby machines (server-side request forgery with e.g. SMB). An attacker that can lead or redirect a user to a crafted URL belonging to the app could cause arbitrary attacker-controlled JavaScript to be loaded in the victim's browser (cross-site scripting). If an app is written in such a way that an attacker can influence the resource name used for a template, that attacker could cause the app to fetch and execute an attacker-controlled template (remote code execution). Version 1.2.6 contains a patch.

debian: CVE-2024-47883 was patched at 2024-11-19

7. Code Injection - openrefine (CVE-2024-47881) - Critical [601]

Description: OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue.

debian: CVE-2024-47881 was patched at 2024-11-19

8. Security Feature Bypass - Squid (CVE-2024-45802) - Critical [601]

Description: Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks by a trusted server against all clients using the proxy. This bug is fixed in the default build configuration of Squid version 6.10.

almalinux: CVE-2024-45802 was patched at 2024-11-14

debian: CVE-2024-45802 was patched at 2024-11-19

oraclelinux: CVE-2024-45802 was patched at 2024-11-15, 2024-11-18

High (44)

9. Security Feature Bypass - openrefine (CVE-2024-47880) - High [589]

Description: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled `Content-Type` header, and so potentially executed in the victim's browser as if it was part of OpenRefine. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions, if those extensions are also present. The attacker must know a valid project ID of a project that contains at least one row. Version 3.8.3 fixes the issue.

debian: CVE-2024-47880 was patched at 2024-11-19

10. Security Feature Bypass - Qbittorrent (CVE-2024-51774) - High [577]

Description: qBittorrent before 5.0.1 proceeds with use of https URLs even after certificate validation errors.

debian: CVE-2024-51774 was patched at 2024-11-19

redos: CVE-2024-51774 was patched at 2024-11-13

11. Security Feature Bypass - icinga (CVE-2024-24820) - High [577]

Description: Icinga Director is a tool designed to make Icinga 2 configuration handling easy. Not any of Icinga Director's configuration forms used to manipulate the monitoring environment are protected against cross site request forgery (CSRF). It enables attackers to perform changes in the monitoring environment managed by Icinga Director without the awareness of the victim. Users of the map module in version 1.x, should immediately upgrade to v2.0. The mentioned XSS vulnerabilities in Icinga Web are already fixed as well and upgrades to the most recent release of the 2.9, 2.10 or 2.11 branch must be performed if not done yet. Any later major release is also suitable. Icinga Director will receive minor updates to the 1.8, 1.9, 1.10 and 1.11 branches to remedy this issue. Upgrade immediately to a patched release. If that is not feasible, disable the director module for the time being.

debian: CVE-2024-24820 was patched at 2024-11-19

12. Security Feature Bypass - Curl (CVE-2024-9681) - High [575]

Description: When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.

debian: CVE-2024-9681 was patched at 2024-11-19

ubuntu: CVE-2024-9681 was patched at 2024-11-18

13. Remote Code Execution - assimp (CVE-2024-48423) - High [571]

Description: An issue in assimp v.5.4.3 allows a local attacker to execute arbitrary code via the CallbackToLogRedirector function within the Assimp library.

debian: CVE-2024-48423 was patched at 2024-11-19

14. Command Injection - Jetty (CVE-2024-6763) - High [570]

Description: Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RRC. Specifically HttpURI and the browser may differ on the value of the host extracted from an invalid URI and thus a combination of Jetty and a vulnerable browser may be vulnerable to a open redirect attack or to a SSRF attack if the URI is used after passing validation checks.

debian: CVE-2024-6763 was patched at 2024-11-19

15. Cross Site Scripting - openrefine (CVE-2024-47878) - High [547]

Description: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine. Version 3.8.3 fixes this issue.

debian: CVE-2024-47878 was patched at 2024-11-19

16. Memory Corruption - Linux Kernel (CVE-2024-39486) - High [536]

Description: In the Linux kernel, the following vulnerability has been resolved: drm/drm_file: Fix pid refcounting race <maarten.lankhorst@linux.intel.com>, Maxime Ripard <mripard@kernel.org>, Thomas Zimmermann <tzimmermann@suse.de> filp->pid is supposed to be a refcounted pointer; however, before this patch, drm_file_update_pid() only increments the refcount of a struct pid after storing a pointer to it in filp->pid and dropping the dev->filelist_mutex, making the following race possible: process A process B ========= ========= begin drm_file_update_pid mutex_lock(&dev->filelist_mutex) rcu_replace_pointer(filp->pid, <pid B>, 1) mutex_unlock(&dev->filelist_mutex) begin drm_file_update_pid mutex_lock(&dev->filelist_mutex) rcu_replace_pointer(filp->pid, <pid A>, 1) mutex_unlock(&dev->filelist_mutex) get_pid(<pid A>) synchronize_rcu() put_pid(<pid B>) *** pid B reaches refcount 0 and is freed here *** get_pid(<pid B>) *** UAF *** synchronize_rcu() put_pid(<pid A>) As far as I know, this race can only occur with CONFIG_PREEMPT_RCU=y because it requires RCU to detect a quiescent state in code that is not explicitly calling into the scheduler. This race leads to use-after-free of a "struct pid". It is probably somewhat hard to hit because process A has to pass through a synchronize_rcu() operation while process B is between mutex_unlock() and get_pid(). Fix it by ensuring that by the time a pointer to the current task's pid is stored in the file, an extra reference to the pid has been taken. This fix also removes the condition for synchronize_rcu(); I think that optimization is unnecessary complexity, since in that case we would usually have bailed out on the lockless check above.

oraclelinux: CVE-2024-39486 was patched at 2024-11-14

ubuntu: CVE-2024-39486 was patched at 2024-11-01, 2024-11-04, 2024-11-07, 2024-11-13, 2024-11-14, 2024-11-15, 2024-11-19

17. Open Redirect - Nextcloud (CVE-2023-35171) - High [531]

Description: NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. Starting in version 26.0.0 and prior to version 26.0.2, an attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker's site. Nextcloud Server and Nextcloud Enterprise Server 26.0.2 contain a patch for this issue. No known workarounds are available.

redos: CVE-2023-35171 was patched at 2024-11-13

18. XXE Injection - OpenJS Express (CVE-2024-10491) - High [530]

Description: A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources. This vulnerability is especially relevant for dynamic parameters.

debian: CVE-2024-10491 was patched at 2024-11-19

19. Denial of Service - nomacs (CVE-2020-23884) - High [529]

Description: A buffer overflow in Nomacs v3.15.0 allows attackers to cause a denial of service (DoS) via a crafted MNG file.

debian: CVE-2020-23884 was patched at 2024-11-19

20. Cross Site Scripting - openrefine (CVE-2024-47882) - High [523]

Description: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, which may be difficult. However, out-of-tree extensions may add their own calls to `respondWithErrorPage`. Version 3.8.3 has a fix for this issue.

debian: CVE-2024-47882 was patched at 2024-11-19

21. Memory Corruption - Eclipse Mosquitto (CVE-2024-10525) - High [522]

Description: In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.

debian: CVE-2024-10525 was patched at 2024-11-19

redos: CVE-2024-10525 was patched at 2024-11-13

22. Denial of Service - libsndfile (CVE-2024-50613) - High [517]

Description: libsndfile through 1.2.2 has a reachable assertion, that may lead to application exit, in mpeg_l3_encode.c mpeg_l3_encoder_close.

debian: CVE-2024-50613 was patched at 2024-11-19

23. Memory Corruption - Eclipse Mosquitto (CVE-2024-3935) - High [510]

Description: In Eclipse Mosquito, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then if the remote connection sends a crafted PUBLISH packet to the broker a double free will occur with a subsequent crash of the broker.

debian: CVE-2024-3935 was patched at 2024-11-19

redos: CVE-2024-3935 was patched at 2024-11-13

24. Elevation of Privilege - X.org server (CVE-2024-9632) - High [505]

Description: A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges.

almalinux: CVE-2024-9632 was patched at 2024-11-04, 2024-11-13

debian: CVE-2024-9632 was patched at 2024-10-29, 2024-11-19

oraclelinux: CVE-2024-9632 was patched at 2024-11-04, 2024-11-13

redhat: CVE-2024-9632 was patched at 2024-11-04, 2024-11-13

redos: CVE-2024-9632 was patched at 2024-11-13

ubuntu: CVE-2024-9632 was patched at 2024-10-30

25. Security Feature Bypass - Spring Framework (CVE-2024-38820) - High [505]

Description: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

debian: CVE-2024-38820 was patched at 2024-11-19

26. Memory Corruption - pure-ftpd (CVE-2024-48208) - High [494]

Description: pure-ftpd before 1.0.52 is vulnerable to Buffer Overflow. There is an out of bounds read in the domlsd() function of the ls.c file.

debian: CVE-2024-48208 was patched at 2024-11-19

27. Denial of Service - GPAC (CVE-2023-4679) - High [477]

Description: A use after free vulnerability exists in GPAC version 2.3-DEV-revrelease, specifically in the gf_filterpacket_del function in filter_core/filter.c at line 38. This vulnerability can lead to a double-free condition, which may cause the application to crash.

debian: CVE-2023-4679 was patched at 2024-11-19

28. Remote Code Execution - .NET and Visual Studio (CVE-2024-43498) - High [473]

Description: .NET and Visual Studio Remote Code Execution Vulnerability

almalinux: CVE-2024-43498 was patched at 2024-11-13

oraclelinux: CVE-2024-43498 was patched at 2024-11-19

ubuntu: CVE-2024-43498 was patched at 2024-11-12

29. Remote Code Execution - Mozilla Firefox (CVE-2024-10467) - High [466]

Description: Memory safety bugs present in Firefox 131, Firefox ESR 128.3, and Thunderbird 128.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.

almalinux: CVE-2024-10467 was patched at 2024-10-31, 2024-11-04, 2024-11-13

debian: CVE-2024-10467 was patched at 2024-10-31, 2024-11-05, 2024-11-19

oraclelinux: CVE-2024-10467 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18

redhat: CVE-2024-10467 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13

ubuntu: CVE-2024-10467 was patched at 2024-10-31

30. Denial of Service - gomarkdown/markdown (CVE-2024-44337) - High [465]

Description: The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion `v0.0.0-20240729232818-a2a9c4f`, which corresponds with commit `a2a9c4f76ef5a5c32108e36f7c47f8d310322252`, there was a logical problem in the paragraph function of the parser/block.go file, which allowed a remote attacker to cause a denial of service (DoS) condition by providing a tailor-made input that caused an infinite loop, causing the program to hang and consume resources indefinitely. Submit `a2a9c4f76ef5a5c32108e36f7c47f8d310322252` contains fixes to this problem.

debian: CVE-2024-44337 was patched at 2024-11-19

31. Remote Code Execution - Chromium (CVE-2024-9965) - High [454]

Description: Insufficient data validation in DevTools in Google Chrome on Windows prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

debian: CVE-2024-9965 was patched at 2024-10-17, 2024-10-20

32. Authentication Bypass - Mozilla Firefox (CVE-2024-10462) - High [451]

Description: Truncation of a long URL could have allowed origin spoofing in a permission prompt. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.

almalinux: CVE-2024-10462 was patched at 2024-10-31, 2024-11-04, 2024-11-13

debian: CVE-2024-10462 was patched at 2024-10-31, 2024-11-05, 2024-11-19

oraclelinux: CVE-2024-10462 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18

redhat: CVE-2024-10462 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13

ubuntu: CVE-2024-10462 was patched at 2024-10-31

33. Authentication Bypass - Mozilla Firefox (CVE-2024-10465) - High [451]

Description: A clipboard "paste" button could persist across tabs which allowed a spoofing attack. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.

almalinux: CVE-2024-10465 was patched at 2024-10-31, 2024-11-04, 2024-11-13

debian: CVE-2024-10465 was patched at 2024-10-31, 2024-11-05, 2024-11-19

oraclelinux: CVE-2024-10465 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18

redhat: CVE-2024-10465 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13

ubuntu: CVE-2024-10465 was patched at 2024-10-31

34. Memory Corruption - libsndfile (CVE-2024-50612) - High [446]

Description: libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out-of-bounds read.

debian: CVE-2024-50612 was patched at 2024-11-19

35. Remote Code Execution - Polkit (CVE-2024-9050) - High [435]

Description: A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.

almalinux: CVE-2024-9050 was patched at 2024-10-23, 2024-11-13

oraclelinux: CVE-2024-9050 was patched at 2024-10-23, 2024-11-08, 2024-11-18

redhat: CVE-2024-9050 was patched at 2024-10-22, 2024-10-23

redos: CVE-2024-9050 was patched at 2024-10-29

36. Remote Code Execution - Chromium (CVE-2024-10487) - High [430]

Description: Out of bounds write in Dawn in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical)

debian: CVE-2024-10487 was patched at 2024-11-03, 2024-11-19

37. Authentication Bypass - Nextcloud (CVE-2023-35927) - High [429]

Description: NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, when two server are registered as trusted servers for each other and successfully exchanged the share secrets, the malicious server could modify or delete VCards in the system addressbook on the origin server. This would impact the available and shown information in certain places, such as the user search and avatar menu. If a manipulated user modifies their own data in the personal settings the entry is fixed again. Nextcloud Server n 25.0.7 and 26.0.2 and Nextcloud Enterprise Server 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2 contain a patch for this issue. A workaround is available. Remove all trusted servers in the "Administration" > "Sharing" settings `…/index.php/settings/admin/sharing`. Afterwards, trigger a recreation of the local system addressbook with the following `occ dav:sync-system-addressbook`.

redos: CVE-2023-35927 was patched at 2024-11-13

38. Code Injection - Mozilla Firefox (CVE-2024-10466) - High [425]

Description: By sending a specially crafted push message, a remote server could have hung the parent process, causing the browser to become unresponsive. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.

almalinux: CVE-2024-10466 was patched at 2024-10-31, 2024-11-04, 2024-11-13

debian: CVE-2024-10466 was patched at 2024-10-31, 2024-11-05, 2024-11-19

oraclelinux: CVE-2024-10466 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18

redhat: CVE-2024-10466 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13

ubuntu: CVE-2024-10466 was patched at 2024-10-31

39. Command Injection - GNOME desktop (CVE-2024-52530) - High [425]

Description: GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chunked" header.

almalinux: CVE-2024-52530 was patched at 2024-11-13

debian: CVE-2024-52530 was patched at 2024-11-19

oraclelinux: CVE-2024-52530 was patched at 2024-11-13, 2024-11-18

redhat: CVE-2024-52530 was patched at 2024-11-13

40. Remote Code Execution - Linux Kernel (CVE-2022-48967) - High [423]

Description: In the Linux kernel, the following vulnerability has been resolved: NFC: nci: Bounds check struct nfc_target arrays While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported: memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18) This appears to be a legitimate lack of bounds checking in nci_add_new_protocol(). Add the missing checks.

debian: CVE-2022-48967 was patched at 2024-11-19

41. Denial of Service - Starlette (CVE-2024-47874) - High [422]

Description: Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette. This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests. Verison 0.40.0 fixes this issue.

debian: CVE-2024-47874 was patched at 2024-10-17

42. Authentication Bypass - PHP (CVE-2024-51996) - High [415]

Description: Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.

debian: CVE-2024-51996 was patched at 2024-11-15, 2024-11-19

43. Remote Code Execution - SQLite (CVE-2024-51748) - High [414]

Description: Kanboard is project management software that focuses on the Kanban methodology. An authenticated Kanboard admin can run arbitrary php code on the server in combination with a file write possibility. The user interface language is determined and loaded by the setting `application_language` in the `settings` table. Thus, an attacker who can upload a modified sqlite.db through the dedicated feature, has control over the filepath, which is loaded. Exploiting this vulnerability has one constraint: the attacker must be able to place a file (called translations.php) on the system. However, this is not impossible, think of anonymous FTP server or another application that allows uploading files. Once the attacker has placed its file with the actual php code as the payload, the attacker can craft a sqlite db settings, which uses path traversal to point to the directory, where the `translations.php` file is stored. Then gaining code execution after importing the crafted sqlite.db. This issue has been addressed in version 1.2.42 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

debian: CVE-2024-51748 was patched at 2024-11-19

44. Security Feature Bypass - Chromium (CVE-2024-11115) - High [413]

Description: Insufficient policy enforcement in Navigation in Google Chrome on iOS prior to 131.0.6778.69 allowed a remote attacker to perform privilege escalation via a series of UI gestures. (Chromium security severity: Medium)

debian: CVE-2024-11115 was patched at 2024-11-19

45. Security Feature Bypass - Mozilla Firefox (CVE-2024-10458) - High [413]

Description: A permission leak could have occurred from a trusted site to an untrusted site via `embed` or `object` elements. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132.

almalinux: CVE-2024-10458 was patched at 2024-10-31, 2024-11-04, 2024-11-13

debian: CVE-2024-10458 was patched at 2024-10-31, 2024-11-05, 2024-11-19

oraclelinux: CVE-2024-10458 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18

redhat: CVE-2024-10458 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13

ubuntu: CVE-2024-10458 was patched at 2024-10-31

46. Information Disclosure - Mozilla Firefox (CVE-2024-10463) - High [412]

Description: Video frames could have been leaked between origins in some situations. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132.

almalinux: CVE-2024-10463 was patched at 2024-10-31, 2024-11-04, 2024-11-13

debian: CVE-2024-10463 was patched at 2024-10-31, 2024-11-05, 2024-11-19

oraclelinux: CVE-2024-10463 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18

redhat: CVE-2024-10463 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13

ubuntu: CVE-2024-10463 was patched at 2024-10-31

47. Remote Code Execution - Linux Kernel (CVE-2024-49878) - High [411]

Description: In the Linux kernel, the following vulnerability has been resolved: resource: fix region_intersects() vs add_memory_driver_managed() On a system with CXL memory, the resource tree (/proc/iomem) related to CXL memory may look like something as follows. 490000000-50fffffff : CXL Window 0 490000000-50fffffff : region0 490000000-50fffffff : dax0.0 490000000-50fffffff : System RAM (kmem) Because drivers/dax/kmem.c calls add_memory_driver_managed() during onlining CXL memory, which makes "System RAM (kmem)" a descendant of "CXL Window X". This confuses region_intersects(), which expects all "System RAM" resources to be at the top level of iomem_resource. This can lead to bugs. For example, when the following command line is executed to write some memory in CXL memory range via /dev/mem, $ dd if=data of=/dev/mem bs=$((1 << 10)) seek=$((0x490000000 >> 10)) count=1 dd: error writing '/dev/mem': Bad address 1+0 records in 0+0 records out 0 bytes copied, 0.0283507 s, 0.0 kB/s the command fails as expected. However, the error code is wrong. It should be "Operation not permitted" instead of "Bad address". More seriously, the /dev/mem permission checking in devmem_is_allowed() passes incorrectly. Although the accessing is prevented later because ioremap() isn't allowed to map system RAM, it is a potential security issue. During command executing, the following warning is reported in the kernel log for calling ioremap() on system RAM. ioremap on RAM at 0x0000000490000000 - 0x0000000490000fff WARNING: CPU: 2 PID: 416 at arch/x86/mm/ioremap.c:216 __ioremap_caller.constprop.0+0x131/0x35d Call Trace: memremap+0xcb/0x184 xlate_dev_mem_ptr+0x25/0x2f write_mem+0x94/0xfb vfs_write+0x128/0x26d ksys_write+0xac/0xfe do_syscall_64+0x9a/0xfd entry_SYSCALL_64_after_hwframe+0x4b/0x53 The details of command execution process are as follows. In the above resource tree, "System RAM" is a descendant of "CXL Window 0" instead of a top level resource. So, region_intersects() will report no System RAM resources in the CXL memory region incorrectly, because it only checks the top level resources. Consequently, devmem_is_allowed() will return 1 (allow access via /dev/mem) for CXL memory region incorrectly. Fortunately, ioremap() doesn't allow to map System RAM and reject the access. So, region_intersects() needs to be fixed to work correctly with the resource tree with "System RAM" not at top level as above. To fix it, if we found a unmatched resource in the top level, we will continue to search matched resources in its descendant resources. So, we will not miss any matched resources in resource tree anymore. In the new implementation, an example resource tree |------------- "CXL Window 0" ------------| |-- "System RAM" --| will behave similar as the following fake resource tree for region_intersects(, IORESOURCE_SYSTEM_RAM, ), |-- "System RAM" --||-- "CXL Window 0a" --| Where "CXL Window 0a" is part of the original "CXL Window 0" that isn't covered by "System RAM".

debian: CVE-2024-49878 was patched at 2024-11-19

48. Remote Code Execution - Linux Kernel (CVE-2024-49926) - High [411]

Description: In the Linux kernel, the following vulnerability has been resolved: rcu-tasks: Fix access non-existent percpu rtpcp variable in rcu_tasks_need_gpcb() For kernels built with CONFIG_FORCE_NR_CPUS=y, the nr_cpu_ids is defined as NR_CPUS instead of the number of possible cpus, this will cause the following system panic: smpboot: Allowing 4 CPUs, 0 hotplug CPUs ... setup_percpu: NR_CPUS:512 nr_cpumask_bits:512 nr_cpu_ids:512 nr_node_ids:1 ... BUG: unable to handle page fault for address: ffffffff9911c8c8 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 15 Comm: rcu_tasks_trace Tainted: G W 6.6.21 #1 5dc7acf91a5e8e9ac9dcfc35bee0245691283ea6 RIP: 0010:rcu_tasks_need_gpcb+0x25d/0x2c0 RSP: 0018:ffffa371c00a3e60 EFLAGS: 00010082 CR2: ffffffff9911c8c8 CR3: 000000040fa20005 CR4: 00000000001706f0 Call Trace: <TASK> ? __die+0x23/0x80 ? page_fault_oops+0xa4/0x180 ? exc_page_fault+0x152/0x180 ? asm_exc_page_fault+0x26/0x40 ? rcu_tasks_need_gpcb+0x25d/0x2c0 ? __pfx_rcu_tasks_kthread+0x40/0x40 rcu_tasks_one_gp+0x69/0x180 rcu_tasks_kthread+0x94/0xc0 kthread+0xe8/0x140 ? __pfx_kthread+0x40/0x40 ret_from_fork+0x34/0x80 ? __pfx_kthread+0x40/0x40 ret_from_fork_asm+0x1b/0x80 </TASK> Considering that there may be holes in the CPU numbers, use the maximum possible cpu number, instead of nr_cpu_ids, for configuring enqueue and dequeue limits. [ neeraj.upadhyay: Fix htmldocs build error reported by Stephen Rothwell ]

debian: CVE-2024-49926 was patched at 2024-11-19

49. Remote Code Execution - PHP (CVE-2023-31493) - High [407]

Description: RCE (Remote Code Execution) exists in ZoneMinder through 1.36.33 as an attacker can create a new .php log file in language folder, while executing a crafted payload and escalate privileges allowing execution of any commands on the remote system.

debian: CVE-2023-31493 was patched at 2024-11-19

50. Security Feature Bypass - Windows Kernel (CVE-2024-24984) - High [405]

Description: Improper input validation for some Intel(R) Wireless Bluetooth(R) products for Windows before version 23.40 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

debian: CVE-2024-24984 was patched at 2024-11-19

51. Denial of Service - Mozilla Firefox (CVE-2024-10468) - High [401]

Description: Potential race conditions in IndexedDB could have caused memory corruption, leading to a potentially exploitable crash. This vulnerability affects Firefox < 132 and Thunderbird < 132.

ubuntu: CVE-2024-10468 was patched at 2024-10-31

52. Security Feature Bypass - Chromium (CVE-2024-9956) - High [401]

Description: {'nvd_cve_data_all': 'Inappropriate implementation in WebAuthentication in Google Chrome on Android prior to 130.0.6723.58 allowed a local attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in WebAuthentication in Google Chrome on Android prior to 130.0.6723.58 allowed a local attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-9956 was patched at 2024-10-17, 2024-10-20

Medium (610)

53. Remote Code Execution - Perl (CVE-2024-10979) - Medium [397]

Description: Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

debian: CVE-2024-10979 was patched at 2024-11-15, 2024-11-19

54. Remote Code Execution - Python (CVE-2024-48990) - Medium [397]

Description: Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.

debian: CVE-2024-48990 was patched at 2024-11-19

ubuntu: CVE-2024-48990 was patched at 2024-11-19

55. Remote Code Execution - Python (CVE-2024-48991) - Medium [397]

Description: Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter (instead of the system's real Python interpreter).

debian: CVE-2024-48991 was patched at 2024-11-19

ubuntu: CVE-2024-48991 was patched at 2024-11-19

56. Authentication Bypass - Perl (CVE-2024-52867) - Medium [394]

Description: guix-daemon in GNU Guix before 5ab3c4c allows privilege escalation because build outputs are accessible by local users before file metadata concerns (e.g., for setuid and setgid programs) are properly addressed. The vulnerability can be remediated within the product via certain pull, reconfigure, and restart actions. Both 5ab3c4c and 5582241 are needed to resolve the vulnerability.

debian: CVE-2024-52867 was patched at 2024-11-08, 2024-11-19

57. Security Feature Bypass - Linux Kernel (CVE-2024-49875) - Medium [394]

Description: In the Linux kernel, the following vulnerability has been resolved: nfsd: map the EBADMSG to nfserr_io to avoid warning Ext4 will throw -EBADMSG through ext4_readdir when a checksum error occurs, resulting in the following WARNING. Fix it by mapping EBADMSG to nfserr_io. nfsd_buffered_readdir iterate_dir // -EBADMSG -74 ext4_readdir // .iterate_shared ext4_dx_readdir ext4_htree_fill_tree htree_dirblock_to_tree ext4_read_dirblock __ext4_read_dirblock ext4_dirblock_csum_verify warn_no_space_for_csum __warn_no_space_for_csum return ERR_PTR(-EFSBADCRC) // -EBADMSG -74 nfserrno // WARNING [ 161.115610] ------------[ cut here ]------------ [ 161.116465] nfsd: non-standard errno: -74 [ 161.117315] WARNING: CPU: 1 PID: 780 at fs/nfsd/nfsproc.c:878 nfserrno+0x9d/0xd0 [ 161.118596] Modules linked in: [ 161.119243] CPU: 1 PID: 780 Comm: nfsd Not tainted 5.10.0-00014-g79679361fd5d #138 [ 161.120684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qe mu.org 04/01/2014 [ 161.123601] RIP: 0010:nfserrno+0x9d/0xd0 [ 161.124676] Code: 0f 87 da 30 dd 00 83 e3 01 b8 00 00 00 05 75 d7 44 89 ee 48 c7 c7 c0 57 24 98 89 44 24 04 c6 05 ce 2b 61 03 01 e8 99 20 d8 00 <0f> 0b 8b 44 24 04 eb b5 4c 89 e6 48 c7 c7 a0 6d a4 99 e8 cc 15 33 [ 161.127797] RSP: 0018:ffffc90000e2f9c0 EFLAGS: 00010286 [ 161.128794] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 161.130089] RDX: 1ffff1103ee16f6d RSI: 0000000000000008 RDI: fffff520001c5f2a [ 161.131379] RBP: 0000000000000022 R08: 0000000000000001 R09: ffff8881f70c1827 [ 161.132664] R10: ffffed103ee18304 R11: 0000000000000001 R12: 0000000000000021 [ 161.133949] R13: 00000000ffffffb6 R14: ffff8881317c0000 R15: ffffc90000e2fbd8 [ 161.135244] FS: 0000000000000000(0000) GS:ffff8881f7080000(0000) knlGS:0000000000000000 [ 161.136695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 161.137761] CR2: 00007fcaad70b348 CR3: 0000000144256006 CR4: 0000000000770ee0 [ 161.139041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 161.140291] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 161.141519] PKRU: 55555554 [ 161.142076] Call Trace: [ 161.142575] ? __warn+0x9b/0x140 [ 161.143229] ? nfserrno+0x9d/0xd0 [ 161.143872] ? report_bug+0x125/0x150 [ 161.144595] ? handle_bug+0x41/0x90 [ 161.145284] ? exc_invalid_op+0x14/0x70 [ 161.146009] ? asm_exc_invalid_op+0x12/0x20 [ 161.146816] ? nfserrno+0x9d/0xd0 [ 161.147487] nfsd_buffered_readdir+0x28b/0x2b0 [ 161.148333] ? nfsd4_encode_dirent_fattr+0x380/0x380 [ 161.149258] ? nfsd_buffered_filldir+0xf0/0xf0 [ 161.150093] ? wait_for_concurrent_writes+0x170/0x170 [ 161.151004] ? generic_file_llseek_size+0x48/0x160 [ 161.151895] nfsd_readdir+0x132/0x190 [ 161.152606] ? nfsd4_encode_dirent_fattr+0x380/0x380 [ 161.153516] ? nfsd_unlink+0x380/0x380 [ 161.154256] ? override_creds+0x45/0x60 [ 161.155006] nfsd4_encode_readdir+0x21a/0x3d0 [ 161.155850] ? nfsd4_encode_readlink+0x210/0x210 [ 161.156731] ? write_bytes_to_xdr_buf+0x97/0xe0 [ 161.157598] ? __write_bytes_to_xdr_buf+0xd0/0xd0 [ 161.158494] ? lock_downgrade+0x90/0x90 [ 161.159232] ? nfs4svc_decode_voidarg+0x10/0x10 [ 161.160092] nfsd4_encode_operation+0x15a/0x440 [ 161.160959] nfsd4_proc_compound+0x718/0xe90 [ 161.161818] nfsd_dispatch+0x18e/0x2c0 [ 161.162586] svc_process_common+0x786/0xc50 [ 161.163403] ? nfsd_svc+0x380/0x380 [ 161.164137] ? svc_printk+0x160/0x160 [ 161.164846] ? svc_xprt_do_enqueue.part.0+0x365/0x380 [ 161.165808] ? nfsd_svc+0x380/0x380 [ 161.166523] ? rcu_is_watching+0x23/0x40 [ 161.167309] svc_process+0x1a5/0x200 [ 161.168019] nfsd+0x1f5/0x380 [ 161.168663] ? nfsd_shutdown_threads+0x260/0x260 [ 161.169554] kthread+0x1c4/0x210 [ 161.170224] ? kthread_insert_work_sanity_check+0x80/0x80 [ 161.171246] ret_from_fork+0x1f/0x30

debian: CVE-2024-49875 was patched at 2024-11-19

58. Information Disclosure - Linux Kernel (CVE-2024-47678) - Medium [393]

Description: In the Linux kernel, the following vulnerability has been resolved: icmp: change the order of rate limits ICMP messages are ratelimited : After the blamed commits, the two rate limiters are applied in this order: 1) host wide ratelimit (icmp_global_allow()) 2) Per destination ratelimit (inetpeer based) In order to avoid side-channels attacks, we need to apply the per destination check first. This patch makes the following change : 1) icmp_global_allow() checks if the host wide limit is reached. But credits are not yet consumed. This is deferred to 3) 2) The per destination limit is checked/updated. This might add a new node in inetpeer tree. 3) icmp_global_consume() consumes tokens if prior operations succeeded. This means that host wide ratelimit is still effective in keeping inetpeer tree small even under DDOS. As a bonus, I removed icmp_global.lock as the fast path can use a lock-free operation.

debian: CVE-2024-47678 was patched at 2024-11-19

59. Remote Code Execution - Apple iOS (CVE-2024-10573) - Medium [390]

Description: An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.

debian: CVE-2024-10573 was patched at 2024-11-11, 2024-11-19

ubuntu: CVE-2024-10573 was patched at 2024-11-05

60. Denial of Service - Mozilla Firefox (CVE-2024-10459) - Medium [389]

Description: An attacker could have caused a use-after-free when accessibility was enabled, leading to a potentially exploitable crash. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Firefox ESR < 115.17, Thunderbird < 128.4, and Thunderbird < 132.

almalinux: CVE-2024-10459 was patched at 2024-10-31, 2024-11-04, 2024-11-13

debian: CVE-2024-10459 was patched at 2024-10-31, 2024-11-05, 2024-11-19

oraclelinux: CVE-2024-10459 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18

redhat: CVE-2024-10459 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13

ubuntu: CVE-2024-10459 was patched at 2024-10-31

61. Security Feature Bypass - Chromium (CVE-2024-11110) - Medium [389]

Description: Inappropriate implementation in Extensions in Google Chrome prior to 131.0.6778.69 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension. (Chromium security severity: High)

debian: CVE-2024-11110 was patched at 2024-11-19

62. Security Feature Bypass - Apache Traffic Server (CVE-2024-38479) - Medium [384]

Description: Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.

debian: CVE-2024-38479 was patched at 2024-11-19

63. Security Feature Bypass - Apache Traffic Server (CVE-2024-50305) - Medium [384]

Description: Valid Host header field can cause Apache Traffic Server to crash on some platforms. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5. Users are recommended to upgrade to version 9.2.6, which fixes the issue, or 10.0.2, which does not have the issue.

debian: CVE-2024-50305 was patched at 2024-11-19

64. Authentication Bypass - Unknown Product (CVE-2024-8805) - Medium [383]

Description: {'nvd_cve_data_all': '', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'This candidate has been reserved by an organization or individual " "that will use it when announcing a new security problem. When the candidate has been " "publicized, the details for this candidate will be provided.', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-8805 was patched at 2024-11-19

65. Path Traversal - Linux Kernel (CVE-2024-47742) - Medium [382]

Description: In the Linux kernel, the following vulnerability has been resolved: firmware_loader: Block path traversal Most firmware names are hardcoded strings, or are constructed from fairly constrained format strings where the dynamic parts are just some hex numbers or such. However, there are a couple codepaths in the kernel where firmware file names contain string components that are passed through from a device or semi-privileged userspace; the ones I could find (not counting interfaces that require root privileges) are: - lpfc_sli4_request_firmware_update() seems to construct the firmware filename from "ModelName", a string that was previously parsed out of some descriptor ("Vital Product Data") in lpfc_fill_vpd() - nfp_net_fw_find() seems to construct a firmware filename from a model name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I think parses some descriptor that was read from the device. (But this case likely isn't exploitable because the format string looks like "netronome/nic_%s", and there shouldn't be any *folders* starting with "netronome/nic_". The previous case was different because there, the "%s" is *at the start* of the format string.) - module_flash_fw_schedule() is reachable from the ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is enough to pass the privilege check), and takes a userspace-provided firmware name. (But I think to reach this case, you need to have CAP_NET_ADMIN over a network namespace that a special kind of ethernet device is mapped into, so I think this is not a viable attack path in practice.) Fix it by rejecting any firmware names containing ".." path components. For what it's worth, I went looking and haven't found any USB device drivers that use the firmware loader dangerously.

debian: CVE-2024-47742 was patched at 2024-11-19

66. Command Injection - Perl (CVE-2024-11168) - Medium [380]

Description: The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

debian: CVE-2024-11168 was patched at 2024-11-19

67. Denial of Service - GNOME desktop (CVE-2024-52532) - Medium [377]

Description: GNOME libsoup before 3.6.1 has an infinite loop, and memory consumption. during the reading of certain patterns of WebSocket data from clients.

almalinux: CVE-2024-52532 was patched at 2024-11-13

debian: CVE-2024-52532 was patched at 2024-11-19

oraclelinux: CVE-2024-52532 was patched at 2024-11-13, 2024-11-18

redhat: CVE-2024-52532 was patched at 2024-11-13

68. Denial of Service - Mozilla Firefox (CVE-2024-10464) - Medium [377]

Description: Repeated writes to history interface attributes could have been used to cause a Denial of Service condition in the browser. This was addressed by introducing rate-limiting to this API. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.

almalinux: CVE-2024-10464 was patched at 2024-10-31, 2024-11-04, 2024-11-13

debian: CVE-2024-10464 was patched at 2024-10-31, 2024-11-05, 2024-11-19

oraclelinux: CVE-2024-10464 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18

redhat: CVE-2024-10464 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13

ubuntu: CVE-2024-10464 was patched at 2024-10-31

69. Elevation of Privilege - sentry_software_development_kit (CVE-2023-28117) - Medium [377]

Description: Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application. In order for these sensitive values to be leaked, the Sentry SDK configuration must have `sendDefaultPII` set to `True`; one must use a custom name for either `SESSION_COOKIE_NAME` or `CSRF_COOKIE_NAME` in one's Django settings; and one must not be configured in one's organization or project settings to use Sentry's data scrubbing features to account for the custom cookie names. As of version 1.14.0, the Django integration of the `sentry-sdk` will detect the custom cookie names based on one's Django settings and will remove the values from the payload before sending the data to Sentry. As a workaround, use the SDK's filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events, this can be done with the `before_send` callback method and for performance related events (transactions) one can use the `before_send_transaction` callback method. Those who want to handle filtering of these values on the server-side can also use Sentry's advanced data scrubbing feature to account for the custom cookie names. Look for the `$http.cookies`, `$http.headers`, `$request.cookies`, or `$request.headers` fields to target with a scrubbing rule.

redos: CVE-2023-28117 was patched at 2024-10-22

70. Security Feature Bypass - Chromium (CVE-2024-9966) - Medium [377]

Description: Inappropriate implementation in Navigations in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)

debian: CVE-2024-9966 was patched at 2024-10-17, 2024-10-20

71. Security Feature Bypass - Mozilla Firefox (CVE-2024-10460) - Medium [377]

Description: The origin of an external protocol handler prompt could have been obscured using a data: URL within an `iframe`. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.

almalinux: CVE-2024-10460 was patched at 2024-10-31, 2024-11-04, 2024-11-13

debian: CVE-2024-10460 was patched at 2024-10-31, 2024-11-05, 2024-11-19

oraclelinux: CVE-2024-10460 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18

redhat: CVE-2024-10460 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13

ubuntu: CVE-2024-10460 was patched at 2024-10-31

72. Security Feature Bypass - TLS (CVE-2024-49369) - Medium [375]

Description: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.

debian: CVE-2024-49369 was patched at 2024-11-19

73. Security Feature Bypass - mutt (CVE-2024-49393) - Medium [375]

Description: In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing which allows an attacker that intercepts a message to change their value and include himself as a one of the recipients to compromise message confidentiality.

debian: CVE-2024-49393 was patched at 2024-11-19

74. Denial of Service - .NET and Visual Studio (CVE-2024-43499) - Medium [372]

Description: .NET and Visual Studio Denial of Service Vulnerability

almalinux: CVE-2024-43499 was patched at 2024-11-13

oraclelinux: CVE-2024-43499 was patched at 2024-11-19

ubuntu: CVE-2024-43499 was patched at 2024-11-12

75. Security Feature Bypass - Oracle MySQL (CVE-2024-21196) - Medium [372]

Description: {'nvd_cve_data_all': 'Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: X Plugin). Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: X Plugin). Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

ubuntu: CVE-2024-21196 was patched at 2024-11-12

76. Cross Site Scripting - Mozilla Firefox (CVE-2024-10461) - Medium [371]

Description: In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which could allow XSS attacks. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.

almalinux: CVE-2024-10461 was patched at 2024-10-31, 2024-11-04, 2024-11-13

debian: CVE-2024-10461 was patched at 2024-10-31, 2024-11-05, 2024-11-19

oraclelinux: CVE-2024-10461 was patched at 2024-11-01, 2024-11-04, 2024-11-08, 2024-11-18

redhat: CVE-2024-10461 was patched at 2024-10-31, 2024-11-04, 2024-11-07, 2024-11-13

ubuntu: CVE-2024-10461 was patched at 2024-10-31

77. Memory Corruption - Linux Kernel (CVE-2024-47692) - Medium [370]

Description: In the Linux kernel, the following vulnerability has been resolved: nfsd: return -EINVAL when namelen is 0 When we have a corrupted main.sqlite in /var/lib/nfs/nfsdcld/, it may result in namelen being 0, which will cause memdup_user() to return ZERO_SIZE_PTR. When we access the name.data that has been assigned the value of ZERO_SIZE_PTR in nfs4_client_to_reclaim(), null pointer dereference is triggered. [ T1205] ================================================================== [ T1205] BUG: KASAN: null-ptr-deref in nfs4_client_to_reclaim+0xe9/0x260 [ T1205] Read of size 1 at addr 0000000000000010 by task nfsdcld/1205 [ T1205] [ T1205] CPU: 11 PID: 1205 Comm: nfsdcld Not tainted 5.10.0-00003-g2c1423731b8d #406 [ T1205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 [ T1205] Call Trace: [ T1205] dump_stack+0x9a/0xd0 [ T1205] ? nfs4_client_to_reclaim+0xe9/0x260 [ T1205] __kasan_report.cold+0x34/0x84 [ T1205] ? nfs4_client_to_reclaim+0xe9/0x260 [ T1205] kasan_report+0x3a/0x50 [ T1205] nfs4_client_to_reclaim+0xe9/0x260 [ T1205] ? nfsd4_release_lockowner+0x410/0x410 [ T1205] cld_pipe_downcall+0x5ca/0x760 [ T1205] ? nfsd4_cld_tracking_exit+0x1d0/0x1d0 [ T1205] ? down_write_killable_nested+0x170/0x170 [ T1205] ? avc_policy_seqno+0x28/0x40 [ T1205] ? selinux_file_permission+0x1b4/0x1e0 [ T1205] rpc_pipe_write+0x84/0xb0 [ T1205] vfs_write+0x143/0x520 [ T1205] ksys_write+0xc9/0x170 [ T1205] ? __ia32_sys_read+0x50/0x50 [ T1205] ? ktime_get_coarse_real_ts64+0xfe/0x110 [ T1205] ? ktime_get_coarse_real_ts64+0xa2/0x110 [ T1205] do_syscall_64+0x33/0x40 [ T1205] entry_SYSCALL_64_after_hwframe+0x67/0xd1 [ T1205] RIP: 0033:0x7fdbdb761bc7 [ T1205] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 514 [ T1205] RSP: 002b:00007fff8c4b7248 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ T1205] RAX: ffffffffffffffda RBX: 000000000000042b RCX: 00007fdbdb761bc7 [ T1205] RDX: 000000000000042b RSI: 00007fff8c4b75f0 RDI: 0000000000000008 [ T1205] RBP: 00007fdbdb761bb0 R08: 0000000000000000 R09: 0000000000000001 [ T1205] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000042b [ T1205] R13: 0000000000000008 R14: 00007fff8c4b75f0 R15: 0000000000000000 [ T1205] ================================================================== Fix it by checking namelen.

debian: CVE-2024-47692 was patched at 2024-11-19

78. Remote Code Execution - NVIDIA GPU Display Driver (CVE-2024-0126) - Medium [369]

Description: NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability which could allow a privileged attacker to escalate permissions. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

debian: CVE-2024-0126 was patched at 2024-11-19

79. Remote Code Execution - cli (CVE-2024-52308) - Medium [369]

Description: The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. This has been patched in the cli v2.62.0. Developers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers#using-the-default-dev-container-configuration) . GitHub CLI [retrieves SSH connection details]( https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/inv... https://github.com/cli/cli/blob/30066b0042d0c5928d959e288144300cb28196c9/internal/codespaces/rpc/invoker.go#L230-L244 ), such as remote username, which is used in [executing `ssh` commands]( https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L2... https://github.com/cli/cli/blob/e356c69a6f0125cfaac782c35acf77314f18908d/pkg/cmd/codespace/ssh.go#L263 ) for `gh codespace ssh` or `gh codespace logs` commands. This exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects `ssh` arguments within the SSH connection details. `gh codespace ssh` and `gh codespace logs` commands could execute arbitrary code on the user's workstation if the remote username contains something like `-oProxyCommand="echo hacked" #`. The `-oProxyCommand` flag causes `ssh` to execute the provided command while `#` shell comment causes any other `ssh` arguments to be ignored. In `2.62.0`, the remote username information is being validated before being used.

debian: CVE-2024-52308 was patched at 2024-11-19

80. Path Traversal - Perl (CVE-2024-9676) - Medium [367]

Description: A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host.

almalinux: CVE-2024-9676 was patched at 2024-11-11

debian: CVE-2024-9676 was patched at 2024-10-17, 2024-11-19

oraclelinux: CVE-2024-9676 was patched at 2024-11-11

redhat: CVE-2024-9676 was patched at 2024-10-29, 2024-10-30, 2024-10-31, 2024-11-06, 2024-11-07, 2024-11-08, 2024-11-11, 2024-11-12, 2024-11-13

redos: CVE-2024-9676 was patched at 2024-10-29

81. Security Feature Bypass - Python (CVE-2024-47879) - Medium [367]

Description: OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the `preview-expression` command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row, and the attacker must convince the victim to open a malicious webpage. Version 3.8.3 fixes the issue.

debian: CVE-2024-47879 was patched at 2024-11-19

82. Memory Corruption - Chromium (CVE-2024-9954) - Medium [365]

Description: Use after free in AI in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

debian: CVE-2024-9954 was patched at 2024-10-17, 2024-10-20

83. Memory Corruption - GNOME desktop (CVE-2024-52533) - Medium [365]

Description: gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character.

debian: CVE-2024-52533 was patched at 2024-11-19

ubuntu: CVE-2024-52533 was patched at 2024-11-18

84. Security Feature Bypass - Chromium (CVE-2024-9958) - Medium [365]

Description: {'nvd_cve_data_all': 'Inappropriate implementation in PictureInPicture in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)', 'epss_cve_data_all': '', 'attackerkb_cve_data_all': '', 'vulners_cve_data_all': 'Inappropriate implementation in PictureInPicture in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)', 'bdu_cve_data_all': '', 'custom_cve_data_all': '', 'combined_cve_data_all': ''}

debian: CVE-2024-9958 was patched at 2024-10-17, 2024-10-20

85. Security Feature Bypass - Chromium (CVE-2024-9963) - Medium [365]

Description: Insufficient data validation in Downloads in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

debian: CVE-2024-9963 was patched at 2024-10-17, 2024-10-20

86. Security Feature Bypass - Node.js (CVE-2024-48948) - Medium [365]

Description: The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. This leads to valid signatures being rejected. Legitimate transactions or communications may be incorrectly flagged as invalid.

debian: CVE-2024-48948 was patched at 2024-10-17

87. Security Feature Bypass - Suricata (CVE-2024-47187) - Medium [363]

Description: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to datasets having predictable hash table behavior. This can lead to dataset file loading to use excessive time to load, as well as runtime performance issues during traffic handling. This issue has been addressed in 7.0.7. As a workaround, avoid loading datasets from untrusted sources. Avoid dataset rules that track traffic in rules.

debian: CVE-2024-47187 was patched at 2024-11-19

88. Security Feature Bypass - Suricata (CVE-2024-47188) - Medium [363]

Description: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to byte-range tracking having predictable hash table behavior. This can lead to an attacker forcing lots of data into a single hash bucket, leading to severe performance degradation. This issue has been addressed in 7.0.7.

debian: CVE-2024-47188 was patched at 2024-11-19

89. Remote Code Execution - Perl (CVE-2024-11079) - Medium [361]

Description: A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.

debian: CVE-2024-11079 was patched at 2024-11-19

90. Path Traversal - SQLite (CVE-2024-51747) - Medium [360]

Description: Kanboard is project management software that focuses on the Kanban methodology. An authenticated Kanboard admin can read and delete arbitrary files from the server. File attachments, that are viewable or downloadable in Kanboard are resolved through its `path` entry in the `project_has_files` SQLite db. Thus, an attacker who can upload a modified sqlite.db through the dedicated feature, can set arbitrary file links, by abusing path traversals. Once the modified db is uploaded and the project page is accessed, a file download can be triggered and all files, readable in the context of the Kanboard application permissions, can be downloaded. This issue has been addressed in version 1.2.42 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

debian: CVE-2024-51747 was patched at 2024-11-19

91. Denial of Service - Linux Kernel (CVE-2024-42251) - Medium [358]

Description: In the Linux kernel, the following vulnerability has been resolved: mm: page_ref: remove folio_try_get_rcu() The below bug was reported on a non-SMP kernel: [ 275.267158][ T4335] ------------[ cut here ]------------ [ 275.267949][ T4335] kernel BUG at include/linux/page_ref.h:275! [ 275.268526][ T4335] invalid opcode: 0000 [#1] KASAN PTI [ 275.269001][ T4335] CPU: 0 PID: 4335 Comm: trinity-c3 Not tainted 6.7.0-rc4-00061-gefa7df3e3bb5 #1 [ 275.269787][ T4335] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 275.270679][ T4335] RIP: 0010:try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.272813][ T4335] RSP: 0018:ffffc90005dcf650 EFLAGS: 00010202 [ 275.273346][ T4335] RAX: 0000000000000246 RBX: ffffea00066e0000 RCX: 0000000000000000 [ 275.274032][ T4335] RDX: fffff94000cdc007 RSI: 0000000000000004 RDI: ffffea00066e0034 [ 275.274719][ T4335] RBP: ffffea00066e0000 R08: 0000000000000000 R09: fffff94000cdc006 [ 275.275404][ T4335] R10: ffffea00066e0037 R11: 0000000000000000 R12: 0000000000000136 [ 275.276106][ T4335] R13: ffffea00066e0034 R14: dffffc0000000000 R15: ffffea00066e0008 [ 275.276790][ T4335] FS: 00007fa2f9b61740(0000) GS:ffffffff89d0d000(0000) knlGS:0000000000000000 [ 275.277570][ T4335] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 275.278143][ T4335] CR2: 00007fa2f6c00000 CR3: 0000000134b04000 CR4: 00000000000406f0 [ 275.278833][ T4335] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 275.279521][ T4335] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 275.280201][ T4335] Call Trace: [ 275.280499][ T4335] <TASK> [ 275.280751][ T4335] ? die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434 arch/x86/kernel/dumpstack.c:447) [ 275.281087][ T4335] ? do_trap (arch/x86/kernel/traps.c:112 arch/x86/kernel/traps.c:153) [ 275.281463][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.281884][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.282300][ T4335] ? do_error_trap (arch/x86/kernel/traps.c:174) [ 275.282711][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.283129][ T4335] ? handle_invalid_op (arch/x86/kernel/traps.c:212) [ 275.283561][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.283990][ T4335] ? exc_invalid_op (arch/x86/kernel/traps.c:264) [ 275.284415][ T4335] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:568) [ 275.284859][ T4335] ? try_get_folio (include/linux/page_ref.h:275 (discriminator 3) mm/gup.c:79 (discriminator 3)) [ 275.285278][ T4335] try_grab_folio (mm/gup.c:148) [ 275.285684][ T4335] __get_user_pages (mm/gup.c:1297 (discriminator 1)) [ 275.286111][ T4335] ? __pfx___get_user_pages (mm/gup.c:1188) [ 275.286579][ T4335] ? __pfx_validate_chain (kernel/locking/lockdep.c:3825) [ 275.287034][ T4335] ? mark_lock (kernel/locking/lockdep.c:4656 (discriminator 1)) [ 275.287416][ T4335] __gup_longterm_locked (mm/gup.c:1509 mm/gup.c:2209) [ 275.288192][ T4335] ? __pfx___gup_longterm_locked (mm/gup.c:2204) [ 275.288697][ T4335] ? __pfx_lock_acquire (kernel/locking/lockdep.c:5722) [ 275.289135][ T4335] ? __pfx___might_resched (kernel/sched/core.c:10106) [ 275.289595][ T4335] pin_user_pages_remote (mm/gup.c:3350) [ 275.290041][ T4335] ? __pfx_pin_user_pages_remote (mm/gup.c:3350) [ 275.290545][ T4335] ? find_held_lock (kernel/locking/lockdep.c:5244 (discriminator 1)) [ 275.290961][ T4335] ? mm_access (kernel/fork.c:1573) [ 275.291353][ T4335] process_vm_rw_single_vec+0x142/0x360 [ 275.291900][ T4335] ? __pfx_process_vm_rw_single_vec+0x10/0x10 [ 275.292471][ T4335] ? mm_access (kernel/fork.c:1573) [ 275.292859][ T4335] process_vm_rw_core+0x272/0x4e0 [ 275.293384][ T4335] ? hlock_class (a ---truncated---

ubuntu: CVE-2024-42251 was patched at 2024-11-01, 2024-11-04, 2024-11-07, 2024-11-13, 2024-11-14, 2024-11-15, 2024-11-19

92. Denial of Service - Linux Kernel (CVE-2024-49856) - Medium [358]

Description: In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Fix deadlock in SGX NUMA node search When the current node doesn't have an EPC section configured by firmware and all other EPC sections are used up, CPU can get stuck inside the while loop that looks for an available EPC page from remote nodes indefinitely, leading to a soft lockup. Note how nid_of_current will never be equal to nid in that while loop because nid_of_current is not set in sgx_numa_mask. Also worth mentioning is that it's perfectly fine for the firmware not to setup an EPC section on a node. While setting up an EPC section on each node can enhance performance, it is not a requirement for functionality. Rework the loop to start and end on *a* node that has SGX memory. This avoids the deadlock looking for the current SGX-lacking node to show up in the loop when it never will.

debian: CVE-2024-49856 was patched at 2024-11-19

93. Denial of Service - Linux Kernel (CVE-2024-49932) - Medium [358]

Description: In the Linux kernel, the following vulnerability has been resolved: btrfs: don't readahead the relocation inode on RST On relocation we're doing readahead on the relocation inode, but if the filesystem is backed by a RAID stripe tree we can get ENOENT (e.g. due to preallocated extents not being mapped in the RST) from the lookup. But readahead doesn't handle the error and submits invalid reads to the device, causing an assertion in the scatter-gather list code: BTRFS info (device nvme1n1): balance: start -d -m -s BTRFS info (device nvme1n1): relocating block group 6480920576 flags data|raid0 BTRFS error (device nvme1n1): cannot find raid-stripe for logical [6481928192, 6481969152] devid 2, profile raid0 ------------[ cut here ]------------ kernel BUG at include/linux/scatterlist.h:115! Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 1012 Comm: btrfs Not tainted 6.10.0-rc7+ #567 RIP: 0010:__blk_rq_map_sg+0x339/0x4a0 RSP: 0018:ffffc90001a43820 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802 RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000 RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8 R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000 FS: 00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000002cd11000 CR3: 00000001109ea001 CR4: 0000000000370eb0 Call Trace: <TASK> ? __die_body.cold+0x14/0x25 ? die+0x2e/0x50 ? do_trap+0xca/0x110 ? do_error_trap+0x65/0x80 ? __blk_rq_map_sg+0x339/0x4a0 ? exc_invalid_op+0x50/0x70 ? __blk_rq_map_sg+0x339/0x4a0 ? asm_exc_invalid_op+0x1a/0x20 ? __blk_rq_map_sg+0x339/0x4a0 nvme_prep_rq.part.0+0x9d/0x770 nvme_queue_rq+0x7d/0x1e0 __blk_mq_issue_directly+0x2a/0x90 ? blk_mq_get_budget_and_tag+0x61/0x90 blk_mq_try_issue_list_directly+0x56/0xf0 blk_mq_flush_plug_list.part.0+0x52b/0x5d0 __blk_flush_plug+0xc6/0x110 blk_finish_plug+0x28/0x40 read_pages+0x160/0x1c0 page_cache_ra_unbounded+0x109/0x180 relocate_file_extent_cluster+0x611/0x6a0 ? btrfs_search_slot+0xba4/0xd20 ? balance_dirty_pages_ratelimited_flags+0x26/0xb00 relocate_data_extent.constprop.0+0x134/0x160 relocate_block_group+0x3f2/0x500 btrfs_relocate_block_group+0x250/0x430 btrfs_relocate_chunk+0x3f/0x130 btrfs_balance+0x71b/0xef0 ? kmalloc_trace_noprof+0x13b/0x280 btrfs_ioctl+0x2c2e/0x3030 ? kvfree_call_rcu+0x1e6/0x340 ? list_lru_add_obj+0x66/0x80 ? mntput_no_expire+0x3a/0x220 __x64_sys_ioctl+0x96/0xc0 do_syscall_64+0x54/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fcc04514f9b Code: Unable to access opcode bytes at 0x7fcc04514f71. RSP: 002b:00007ffeba923370 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fcc04514f9b RDX: 00007ffeba923460 RSI: 00000000c4009420 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000013 R09: 0000000000000001 R10: 00007fcc043fbba8 R11: 0000000000000246 R12: 00007ffeba924fc5 R13: 00007ffeba923460 R14: 0000000000000002 R15: 00000000004d4bb0 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:__blk_rq_map_sg+0x339/0x4a0 RSP: 0018:ffffc90001a43820 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffea00045d4802 RDX: 0000000117520000 RSI: 0000000000000000 RDI: ffff8881027d1000 RBP: 0000000000003000 R08: ffffea00045d4902 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000001000 R12: ffff8881003d10b8 R13: ffffc90001a438f0 R14: 0000000000000000 R15: 0000000000003000 FS: 00007fcc048a6900(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fcc04514f71 CR3: 00000001109ea001 CR4: 0000000000370eb0 Kernel p ---truncated---

debian: CVE-2024-49932 was patched at 2024-11-19

94. Denial of Service - Linux Kernel (CVE-2024-49951) - Medium [358]

Description: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix possible crash on mgmt_index_removed If mgmt_index_removed is called while there are commands queued on cmd_sync it could lead to crashes like the bellow trace: 0x0000053D: __list_del_entry_valid_or_report+0x98/0xdc 0x0000053D: mgmt_pending_remove+0x18/0x58 [bluetooth] 0x0000053E: mgmt_remove_adv_monitor_complete+0x80/0x108 [bluetooth] 0x0000053E: hci_cmd_sync_work+0xbc/0x164 [bluetooth] So while handling mgmt_index_removed this attempts to dequeue commands passed as user_data to cmd_sync.

debian: CVE-2024-49951 was patched at 2024-11-19

95. Denial of Service - Linux Kernel (CVE-2024-49974) - Medium [358]

Description: In the Linux kernel, the following vulnerability has been resolved: NFSD: Limit the number of concurrent async COPY operations Nothing appears to limit the number of concurrent async COPY operations that clients can start. In addition, AFAICT each async COPY can copy an unlimited number of 4MB chunks, so can run for a long time. Thus IMO async COPY can become a DoS vector. Add a restriction mechanism that bounds the number of concurrent background COPY operations. Start simple and try to be fair -- this patch implements a per-namespace limit. An async COPY request that occurs while this limit is exceeded gets NFS4ERR_DELAY. The requesting client can choose to send the request again after a delay or fall back to a traditional read/write style copy. If there is need to make the mechanism more sophisticated, we can visit that in future patches.

debian: CVE-2024-49974 was patched at 2024-11-19

96. Denial of Service - Linux Kernel (CVE-2024-50146) - Medium [358]

Description: In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don't call cleanup on profile rollback failure When profile rollback fails in mlx5e_netdev_change_profile, the netdev profile var is left set to NULL. Avoid a crash when unloading the driver by not calling profile->cleanup in such a case. This was encountered while testing, with the original trigger that the wq rescuer thread creation got interrupted (presumably due to Ctrl+C-ing modprobe), which gets converted to ENOMEM (-12) by mlx5e_priv_init, the profile rollback also fails for the same reason (signal still active) so the profile is left as NULL, leading to a crash later in _mlx5e_remove. [ 732.473932] mlx5_core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2) [ 734.525513] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12 [ 734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: new profile init failed, -12 [ 734.560153] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR [ 734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12 [ 734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 [ 745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 745.538222] #PF: supervisor read access in kernel mode <snipped> [ 745.551290] Call Trace: [ 745.551590] <TASK> [ 745.551866] ? __die+0x20/0x60 [ 745.552218] ? page_fault_oops+0x150/0x400 [ 745.555307] ? exc_page_fault+0x79/0x240 [ 745.555729] ? asm_exc_page_fault+0x22/0x30 [ 745.556166] ? mlx5e_remove+0x6b/0xb0 [mlx5_core] [ 745.556698] auxiliary_bus_remove+0x18/0x30 [ 745.557134] device_release_driver_internal+0x1df/0x240 [ 745.557654] bus_remove_device+0xd7/0x140 [ 745.558075] device_del+0x15b/0x3c0 [ 745.558456] mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core] [ 745.559112] mlx5_unregister_device+0x34/0x50 [mlx5_core] [ 745.559686] mlx5_uninit_one+0x46/0xf0 [mlx5_core] [ 745.560203] remove_one+0x4e/0xd0 [mlx5_core] [ 745.560694] pci_device_remove+0x39/0xa0 [ 745.561112] device_release_driver_internal+0x1df/0x240 [ 745.561631] driver_detach+0x47/0x90 [ 745.562022] bus_remove_driver+0x84/0x100 [ 745.562444] pci_unregister_driver+0x3b/0x90 [ 745.562890] mlx5_cleanup+0xc/0x1b [mlx5_core] [ 745.563415] __x64_sys_delete_module+0x14d/0x2f0 [ 745.563886] ? kmem_cache_free+0x1b0/0x460 [ 745.564313] ? lockdep_hardirqs_on_prepare+0xe2/0x190 [ 745.564825] do_syscall_64+0x6d/0x140 [ 745.565223] entry_SYSCALL_64_after_hwframe+0x4b/0x53 [ 745.565725] RIP: 0033:0x7f1579b1288b

debian: CVE-2024-50146 was patched at 2024-11-19

97. Security Feature Bypass - Chromium (CVE-2024-11117) - Medium [353]

Description: Inappropriate implementation in FileSystem in Google Chrome prior to 131.0.6778.69 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Low)