Chrome Releases reports:
+++ +This update includes 7 security fixes:
++
+- [327807820] Critical CVE-2024-2883: Use after free in ANGLE. Reported by Cassidy Kim(@cassidy6564) on 2024-03-03
+- [328958020] High CVE-2024-2885: Use after free in Dawn. Reported by wgslfuzz on 2024-03-11
+- [330575496] High CVE-2024-2886: Use after free in WebCodecs. Reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, via Pwn2Own 2024 on 2024-03-21
+- [330588502] High CVE-2024-2887: Type Confusion in WebAssembly. Reported by Manfred Paul, via Pwn2Own 2024 on 2024-03-21
+
phpMyFAQ team reports:
The phpMyFAQ Team has learned of multiple security issues that'd been discovered in phpMyFAQ 3.2.5 and earlier. phpMyFAQ contains cross-site scripting (XSS), SQL injection and bypass vulnerabilities.
GNU Emacs developers report:
Emacs 29.3 is an emergency bugfix release intended to fix several security vulnerabilities.
- Arbitrary Lisp code is no longer evaluated as part of turning on Org mode. This is for security reasons, to avoid evaluating malicious Lisp code.
- New buffer-local variable 'untrusted-content'. When this is non-nil, Lisp programs should treat buffer contents with extra caution.
- Gnus now treats inline MIME contents as untrusted. To get back previous insecure behavior, 'untrusted-content' should be reset to nil in the buffer.
- LaTeX preview is now by default disabled for email attachments. To get back previous insecure behavior, set the variable 'org--latex-preview-when-risky' to a non-nil value.
- Org mode now considers contents of remote files to be untrusted. Remote files are recognized by calling 'file-remote-p'.
Chrome Releases reports:
This update includes 12 security fixes:
- [327740539] High CVE-2024-2625: Object lifecycle issue in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2024-03-01
- [40945098] Medium CVE-2024-2626: Out of bounds read in Swiftshader. Reported by Cassidy Kim(@cassidy6564) on 2023-11-22
- [41493290] Medium CVE-2024-2627: Use after free in Canvas. Reported by Anonymous on 2024-01-21
- [41487774] Medium CVE-2024-2628: Inappropriate implementation in Downloads. Reported by Ath3r1s on 2024-01-03
- [41487721] Medium CVE-2024-2629: Incorrect security UI in iOS. Reported by Muneaki Nishimura (nishimunea) on 2024-01-02
- [41481877] Medium CVE-2024-2630: Inappropriate implementation in iOS. Reported by James Lee (@Windowsrcer) on 2023-12-07
- [41495878] Low CVE-2024-2631: Inappropriate implementation in iOS. Reported by Ramit Gangwar on 2024-01-29
Shibboleth Developers report:
The Identity Provider's CAS support relies on a function in the Spring Framework to parse CAS service URLs and append the ticket parameter.
MongoDB, Inc. reports:
A security vulnerability was found where a server process running MongoDB 3.2.6 or later will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured (CVE-2024-1351).
The Varnish Development Team reports:
A denial of service attack can be performed on Varnish Cacher servers that have the HTTP/2 protocol turned on. An attacker can let the servers HTTP/2 connection control flow window run out of credits indefinitely and prevent progress in the processing of streams, retaining the associated resources.
The Amavis project reports:
Emails which consist of multiple parts (`Content-Type: multipart/*`) incorporate boundary information stating at which point one part ends and the next part begins.
A boundary is announced by an Content-Type header's `boundary` parameter. To our current knowledge, RFC2046 and RFC2045 do not explicitly specify how a parser should handle multiple boundary parameters that contain conflicting values. As a result, there is no canonical choice which of the values should or should not be used for mime part decomposition.
Typo3 developers reports:
All versions are security releases and contain important security fixes - read the corresponding security advisories here:
- Path Traversal in TYPO3 File Abstraction Layer Storages CVE-2023-30451
- Code Execution in TYPO3 Install Tool CVE-2024-22188
- Information Disclosure of Hashed Passwords in TYPO3 Backend Forms CVE-2024-25118
- Information Disclosure of Encryption Key in TYPO3 Install Tool CVE-2024-25119
- Improper Access Control of Resources Referenced by t3:// URI Scheme CVE-2024-25120
- Improper Access Control Persisting File Abstraction Layer Entities via Data Handler CVE-2024-25121
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-2173.
Intel reports:
2024.1 IPU - Intel Processor Bus Lock Advisory
A potential security vulnerability in the bus lock regulator mechanism for some Intel Processors may allow denial of service. Intel is releasing firmware updates to mitigate this potential vulnerability.
2024.1 IPU - Intel Processor Return Predictions Advisory
A potential security vulnerability in some Intel Processors may allow information disclosure.
2024.1 IPU - Intel Atom Processor Advisory
A potential security vulnerability in some Intel Atom Processors may allow information disclosure.
2024.1 IPU - Intel Xeon Processor Advisory
A potential security vulnerability in some 3rd and 4th Generation Intel Xeon Processors when using Intel Software Guard Extensions (SGX) or Intel Trust Domain Extensions (TDX) may allow escalation of privilege.
2024.1 IPU OOB - Intel Xeon D Processor Advisory
A potential security vulnerability in some Intel Xeon D Processors with Intel Software Guard Extensions (SGX) may allow information disclosure.
Grafana Labs reports:
The vulnerability impacts Grafana Cloud and Grafana Enterprise instances, and it is exploitable if a user who should not be able to access all data sources is granted permissions to create a data source.
By default, only organization Administrators are allowed to create a data source and have full access to all data sources. All other users need to be explicitly granted permission to create a data source, which then means they could exploit this vulnerability.
When a user creates a data source via the API, they can specify data source UID. If the UID is set to an asterisk (*), the user gains permissions to query, update, and delete all data sources in the organization. The exploit, however, does not stretch across organizations — to exploit the vulnerability in several organizations, a user would need permissions to create data sources in each organization.
The vulnerability comes from a lack of UID validation. When evaluating permissions, we interpret an asterisk (*) as a wild card for all resources. Therefore, we should treat it as a reserved value, and not allow the creation of a resource with the UID set to an asterisk.
The CVSS score for this vulnerability is 6 Medium.
NLNet Labs reports:
Unbound 1.18.0 introduced a feature that removes EDE records from responses with size higher than the client's advertised buffer size. Before removing all the EDE records however, it would try to see if trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound would reply with attached EDE information on a positive reply and the client's buffer size is smaller than the needed space to include EDE records. The vulnerability can only be triggered when the 'ede: yes' option is used; non default configuration.
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-25062.
Gitlab reports:
Bypassing CODEOWNERS approval allowing to steal protected variables
Guest with manage group access tokens can rotate and see group access token with owner permissions
The Go project reports reports:
crypto/x509: Verify panics on certificates with an unknown public key algorithm
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic.
net/http: memory exhaustion in Request.ParseMultipartForm
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion.
net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not.
html/template: errors returned from MarshalJSON methods may break template escaping
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
net/mail: comments in display names are incorrectly handled
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
Chrome Releases reports:
This update includes 3 security fixes:
- [325893559] High CVE-2024-2173: Out of bounds memory access in V8. Reported by 5fceb6172bbf7e2c5a948183b53565b9 on 2024-02-19
- [325866363] High CVE-2024-2174: Inappropriate implementation in V8. Reported by 5f46f4ee2e17957ba7b39897fb376be8 on 2024-02-19
- [325936438] High CVE-2024-2176: Use after free in FedCM. Reported by Anonymous on 2024-02-20
Django reports:
CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words().
Node.js reports:
Code injection and privilege escalation through Linux capabilities- (High)
http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
Path traversal by monkey-patching Buffer internals- (High)
setuid() does not drop all privileges due to io_uring - (High)
Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-1670.
Chrome Releases reports:
This update includes 4 security fixes:
- [324596281] High CVE-2024-1938: Type Confusion in V8. Reported by 5f46f4ee2e17957ba7b39897fb376be8 on 2024-02-11
- [323694592] High CVE-2024-1939: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2024-02-05
sep@nlnetlabs.nl reports:
Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too quickly after opening.
Hiroki Kurosawa reports:
curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.
Chrome Releases reports:
This update includes 12 security fixes:
- [41495060] High CVE-2024-1669: Out of bounds memory access in Blink. Reported by Anonymous on 2024-01-26
- [41481374] High CVE-2024-1670: Use after free in Mojo. Reported by Cassidy Kim(@cassidy6564) on 2023-12-06
- [41487933] Medium CVE-2024-1671: Inappropriate implementation in Site Isolation. Reported by Harry Chen on 2024-01-03
- [41485789] Medium CVE-2024-1672: Inappropriate implementation in Content Security Policy. Reported by Georg Felber (TU Wien) & Marco Squarcina (TU Wien) on 2023-12-19
- [41490491] Medium CVE-2024-1673: Use after free in Accessibility. Reported by Weipeng Jiang (@Krace) of VRI on 2024-01-11
- [40095183] Medium CVE-2024-1674: Inappropriate implementation in Navigation. Reported by David Erceg on 2019-05-27
- [41486208] Medium CVE-2024-1675: Insufficient policy enforcement in Download. Reported by Bartłomiej Wacko on 2023-12-21
- [40944847] Low CVE-2024-1676: Inappropriate implementation in Navigation. Reported by Khalil Zhani on 2023-11-21
Grafana Labs reports:
The vulnerability impacts instances where Grafana basic authentication is enabled.
Grafana has a verify_email_enabled configuration option. When this option is enabled, users are required to confirm their email addresses before the sign-up process is complete. However, the email is only checked at the time of the sign-up. No further verification is carried out if a user’s email address is updated after the initial sign-up. Moreover, Grafana allows using an email address as the user’s login name, and no verification is ever carried out for this email address.
This means that even if the verify_email_enabled configuration option is enabled, users can use unverified email addresses to log into Grafana if the email address has been changed after the sign up, or if an email address is set as the login name.
The CVSS score for this vulnerability is [5.4 Medium] (CVSS).
c-ares project reports:
Reading malformatted /etc/resolv.conf, /etc/nsswitch.conf or the HOSTALIASES file could result in a crash.
Suricata team reports:
Multiple vulnerabilities fixed in the last release of suricata.
No details have been disclosed yet
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-1283.
- Security: backported fix for CVE-2024-1284.
Gitlab reports:
Stored-XSS in user's profile page
User with "admin_group_members" permission can invite other groups to gain owner access
ReDoS issue in the Codeowners reference extractor
LDAP user can reset password using secondary email and login using direct authentication
Bypassing group ip restriction settings to access environment details of projects through Environments/Operations Dashboard
Users with the Guest role can change Custom dashboard projects settings for projects in the victim group
Group member with sub-maintainer role can change title of shared private deploy keys
Bypassing approvals of CODEOWNERS
cve@mitre.org reports:
CVE-2023-50868: The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.
CVE-2023-50387: Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
The nginx development team reports:
When using HTTP/3 a segmentation fault might occur in a worker process while processing a specially crafted QUIC session.
The jail(2) system call has not limited a visiblity of allocated TTYs (the kern.ttys sysctl). This gives rise to an information leak about processes outside the current jail.
Attacker can get information about TTYs allocated on the host or in other jails. Effectively, the information printed by "pstat -t" may be leaked.
`bhyveload -h <host-path>` may be used to grant loader access to the <host-path> directory tree on the host. Affected versions of bhyveload(8) do not make any attempt to restrict loader's access to <host-path>, allowing the loader to read any file the host user has access to.
In the bhyveload(8) model, the host supplies a userboot.so to boot with, but the loader scripts generally come from the guest image. A maliciously crafted script could be used to exfiltrate sensitive data from the host accessible to the user running bhyhveload(8), which is often the system root.
Chrome Releases reports:
This update includes 1 security fix.
Simon Kelley reports:
If DNSSEC validation is enabled, then an attacker who can force a DNS server to validate a specially crafted signed domain can use a lot of CPU in the validator. This only affects dnsmasq installations with DNSSEC enabled.
Stichting NLnet Labs reports:
The KeyTrap [CVE-2023-50387] vulnerability works by using a combination of Keys (also colliding Keys), Signatures and number of RRSETs on a malicious zone. Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path.
The NSEC3 [CVE-2023-50868] vulnerability uses specially crafted responses on a malicious zone with multiple NSEC3 RRSETs to force a DNSSEC validator down a very CPU intensive and time costly NSEC3 hash calculation path.
phpMyFAQ team reports:
phpMyFAQ doesn't implement sufficient checks to avoid XSS when storing on attachments filenames. The 'sharing FAQ' functionality allows any unauthenticated actor to misuse the phpMyFAQ application to send arbitrary emails to a large range of targets. phpMyFAQ's user removal page allows an attacker to spoof another user's detail, and in turn make a compelling phishing case for removing another user's account.
Austin Hackers Anonymous report:
Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEXR image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability.
[...] it is in a routine that is predominantly used for development and testing. It is not likely to appear in production code.
Google reports:
A heap buffer overflow exists in readstat_convert.
Spreadsheet-ParseExcel reports:
Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type eval "eval". Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
PostgreSQL Project reports:
One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH. The fix for the vulnerability makes is so that all user-determined code is run as the view's owner, as expected.
Gitlab reports:
Restrict group access token creation for custom roles
Project maintainers can bypass group's scan result policy block_branch_modification setting
ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax
Resource exhaustion using GraphQL vulnerabilitiesCountByDay
Copmposer reports:
Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php.
Several files within the local working directory are included during the invocation of Composer and in the context of the executing user.
As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files.
All Composer CLI commands are affected, including composer.phar's self-update.
Git community reports:
A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application
A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application
A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities
Chrome Releases reports:
This update includes 3 security fixes:
- [41494539] High CVE-2024-1284: Use after free in Mojo. Reported by Anonymous on 2024-01-25
- [41494860] High CVE-2024-1283: Heap buffer overflow in Skia. Reported by Jorge Buzeti (@r3tr074) on 2024-01-25
The ClamAV project reports:
- CVE-2024-20290
- A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for end-of-string values during scanning, which may result in a heap buffer over-read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software and consuming available system resources.
- CVE-2024-20328
- Fixed a possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service. To fix this issue, we disabled the '%f' format string parameter. ClamD administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME` environment variable, instead of '%f'. But you should do so only from within an executable, such as a Python script, and not directly in the clamd.conf "VirusEvent" command.
Django reports:
CVE-2024-24680:Potential denial-of-service in intcomma template filter.
Chrome Releases reports:
This update includes 4 security fixes:
- [1511567] High CVE-2024-1060: Use after free in Canvas. Reported by Anonymous on 2023-12-14
- [1514777] High CVE-2024-1059: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-12-29
- [1511085] High CVE-2024-1077: Use after free in Network. Reported by Microsoft Security Research Center on 2023-12-13
Chrome Releases reports:
This update includes 17 security fixes:
- [1484394] High CVE-2024-0812: Inappropriate implementation in Accessibility. Reported by Anonymous on 2023-09-19
- [1504936] High CVE-2024-0808: Integer underflow in WebUI. Reported by Lyra Rebane (rebane2001) on 2023-11-24
- [1496250] Medium CVE-2024-0810: Insufficient policy enforcement in DevTools. Reported by Shaheen Fazim on 2023-10-26
- [1463935] Medium CVE-2024-0814: Incorrect security UI in Payments. Reported by Muneaki Nishimura (nishimunea) on 2023-07-11
- [1477151] Medium CVE-2024-0813: Use after free in Reading Mode. Reported by @retsew0x01 on 2023-08-30
- [1505176] Medium CVE-2024-0806: Use after free in Passwords. Reported by 18楼梦想改造家 on 2023-11-25
- [1514925] Medium CVE-2024-0805: Inappropriate implementation in Downloads. Reported by Om Apip on 2024-01-01
- [1515137] Medium CVE-2024-0804: Insufficient policy enforcement in iOS Security UI. Reported by Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) on 2024-01-03
- [1494490] Low CVE-2024-0811: Inappropriate implementation in Extensions API. Reported by Jann Horn of Google Project Zero on 2023-10-21
- [1497985] Low CVE-2024-0809: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-10-31
Electron developers reports:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-0807.
Qt qtwebengine-chromium repo reports:
Backports for 3 security bugs in Chromium:
- [1505080] High CVE-2024-0807: Use after free in WebAudio
- [1504936] Critical CVE-2024-0808: Integer underflow in WebUI
- [1496250] Medium CVE-2024-0810: Insufficient policy enforcement in DevTools
The OpenSSL project reports:
Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
PKCS12 Decoding crashes (CVE-2024-0727)
cve@mitre.org reports:
In Lizard v1.0 and LZ5 v2.0 (the prior release, before the product was renamed), there is an unchecked buffer size during a memcpy in the Lizard_decompress_LIZv1 function (lib/lizard_decompress_liz.h). Remote attackers can leverage this vulnerability to cause a denial of service via a crafted input file, as well as achieve remote code execution.
Qt qtwebengine-chromium repo reports:
Backports for 15 security bugs in Chromium:
- [1505053] High CVE-2023-6345: Integer overflow in Skia
- [1500856] High CVE-2023-6346: Use after free in WebAudio
- [1494461] High CVE-2023-6347: Use after free in Mojo
- [1501326] High CVE-2023-6702: Type Confusion in V8
- [1502102] High CVE-2023-6703: Use after free in Blink
- [1505708] High CVE-2023-6705: Use after free in WebRTC
- [1500921] High CVE-2023-6706: Use after free in FedCM
- [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC
- [1501798] High CVE-2024-0222: Use after free in ANGLE
- [1505009] High CVE-2024-0223: Heap buffer overflow in ANGLE
- [1505086] High CVE-2024-0224: Use after free in WebAudio
- [1506923] High CVE-2024-0225: Use after free in WebGPU
- [1513379] High CVE-2024-0333: Insufficient data validation in Extensions
- [1507412] High CVE-2024-0518: Type Confusion in V8
- [1517354] High CVE-2024-0519: Out of bounds memory access in V8
Qt qtwebengine-chromium repo reports:
Backports for 8 security bugs in Chromium:
- [1505053] High CVE-2023-6345: Integer overflow in Skia
- [1501326] High CVE-2023-6702: Type Confusion in V8
- [1513170] High CVE-2023-7024: Heap buffer overflow in WebRTC
- [1501798] High CVE-2024-0222: Use after free in ANGLE
- [1505086] High CVE-2024-0224: Use after free in WebAudio
- [1513379] High CVE-2024-0333: Insufficient data validation in Extensions
- [1507412] High CVE-2024-0518: Type Confusion in V8
- [1517354] High CVE-2024-0519: Out of bounds memory access in V8
Multiple vulnerabilities in ssh and golang
- CVE-2023-45286: HTTP request body disclosure in go-resty disclosure across requests.
- CVE-2023-48795: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks.
Gitlab reports:
Arbitrary file write while creating workspace
ReDoS in Cargo.toml blob viewer
Arbitrary API PUT requests via HTML injection in user's name
Disclosure of the public email in Tags RSS Feed
Non-Member can update MR Assignees of owned MRs
Jenkins Security Advisory:
Description
(Critical) SECURITY-3314 / CVE-2024-23897
Arbitrary file read vulnerability through the CLI can lead to RCE
Description
(High) SECURITY-3315 / CVE-2024-23898
Cross-site WebSocket hijacking vulnerability in the CLI
TinyMCE reports:
Special characters in unescaped text nodes can trigger mXSS when using TinyMCE undo/redo, getContentAPI, resetContentAPI, and Autosave plugin
Tim Wojtulewicz of Corelight reports:
A specially-crafted series of packets containing nested MIME entities can cause Zeek to spend large amounts of time parsing the entities.
Electron developers report:
This update fixes the following vulnerability:
- Security: backported fix for CVE-2024-0519.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-0518.
- Security: backported fix for CVE-2024-0517.
Chrome Releases reports:
This update includes 4 security fixes:
- [1515930] High CVE-2024-0517: Out of bounds write in V8. Reported by Toan (suto) Pham of Qrious Secure on 2024-01-06
- [1507412] High CVE-2024-0518: Type Confusion in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2023-12-03
- [1517354] High CVE-2024-0519: Out of bounds memory access in V8. Reported by Anonymous on 2024-01-11
The X.Org project reports:
- CVE-2023-6816: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for each logical button currently down. Buttons can be arbitrarily mapped to any value up to 255 but the X.Org Server was only allocating space for the device's number of buttons, leading to a heap overflow if a bigger value was used.
- CVE-2024-0229: Reattaching to different master device may lead to out-of-bounds memory access
If a device has both a button class and a key class and numButtons is zero, we can get an out-of-bounds write due to event under-allocation in the DeliverStateNotifyEvent function.
- CVE-2024-21885: Heap buffer overflow in XISendDeviceHierarchyEvent
The XISendDeviceHierarchyEvent() function allocates space to store up to MAXDEVICES (256) xXIHierarchyInfo structures in info. If a device with a given ID was removed and a new device with the same ID added both in the same operation, the single device ID will lead to two info structures being written to info. Since this case can occur for every device ID at once, a total of two times MAXDEVICES info structures might be written to the allocation, leading to a heap buffer overflow.
- CVE-2024-21886: Heap buffer overflow in DisableDevice
The DisableDevice() function is called whenever an enabled device is disabled and it moves the device from the inputInfo.devices linked list to the inputInfo.off_devices linked list. However, its link/unlink operation has an issue during the recursive call to DisableDevice() due to the prev pointer pointing to a removed device. This issue leads to a length mismatch between the total number of devices and the number of device in the list, leading to a heap overflow and, possibly, to local privilege escalation.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2024-0224.
- Security: backported fix for CVE-2024-0225.
- Security: backported fix for CVE-2024-0223.
- Security: backported fix for CVE-2024-0222.
Gitlab reports:
Account Takeover via Password Reset without user interactions
Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user
Bypass CODEOWNERS approval removal
Workspaces able to be created under different root namespace
Commit signature validation ignores headers after signature
SO-AND-SO reports:
The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions.
Chrome Releases reports:
This update includes 1 security fix:
- [1513379] High CVE-2024-0333: Insufficient data validation in Extensions. Reported by Malcolm Stagg (@malcolmst) of SODIUM-24, LLC on 2023-12-20
Andy Shaw reports:
A potential integer overflow has been discovered in Qt's HTTP2 implementation. If the HTTP2 implementation receives more than 4GiB in total headers, or more than 2GiB for any given header pair, then the internal buffers may overflow.
Mantis 2.25.8 release reports:
Security and maintenance release
- 0032432: Update guzzlehttp/psr7 to 1.9.1 (CVE-2023-29197)
- 0032981: Information Leakage on DokuWiki Integration (CVE-2023-44394)
Chrome Releases reports:
This update includes 6 security fixes:
- [1501798] High CVE-2024-0222: Use after free in ANGLE. Reported by Toan (suto) Pham of Qrious Secure on 2023-11-13
- [1505009] High CVE-2024-0223: Heap buffer overflow in ANGLE. Reported by Toan (suto) Pham and Tri Dang of Qrious Secure on 2023-11-24
- [1505086] High CVE-2024-0224: Use after free in WebAudio. Reported by Huang Xilin of Ant Group Light-Year Security Lab on 2023-11-25
- [1506923] High CVE-2024-0225: Use after free in WebGPU. Reported by Anonymous on 2023-12-01
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6706.
- Security: backported fix for CVE-2023-6705.
- Security: backported fix for CVE-2023-6703.
- Security: backported fix for CVE-2023-6702.
- Security: backported fix for CVE-2023-6704.
Electron developers report:
This update fixes the following vulnerabilities:
- Security: backported fix for CVE-2023-6704.
- Security: backported fix for CVE-2023-6705.
- Security: backported fix for CVE-2023-6703.
- Security: backported fix for CVE-2023-6702.
The SSH protocol executes an initial handshake between the server and the client. This protocol handshake includes the possibility of several extensions allowing different options to be selected. Validation of the packets in the handshake is done through sequence numbers.
A man in the middle attacker can silently manipulate handshake messages to truncate extension negotiation messages potentially leading to less secure client authentication algorithms or deactivating keystroke timing attack countermeasures.
Even with RequireSignInView enabled, anonymous users can use docker pull to fetch public images.