INFOSEC – Basic

OS: Debian LTS

Debian LTS: DLA-3573-1: frr security update

Multiple security vulnerabilities were found in frr, the FRRouting suite of internet protocols. Maliciously constructed Border Gateway Protocol (BGP) packages or corrupted tunnel attributes may cause a denial of service (application crash) which could be exploited by a remote attacker.

Debian LTS: DLA-3572-1: libyang security update

Multiple flaws were found in libyang, a parser toolkit for IETF YANG data modeling. Double frees, invalid memory access and Null pointer dereferences may cause a denial of service or potentially code execution.

Debian LTS: DLA-3571-1: openjdk-11 security update

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in bypass of sandbox restrictions, information disclosure, reduced cryptographic strength of the AES implementation, directory traversal or denial of service.

Debian LTS: DLA-3570-1: libwebp security update

A buffer overflow in parsing WebP images may result in the execution of arbitrary code. For Debian 10 buster, this problem has been fixed in version

OS: Mageia

Mageia 2023-0262: poppler security update

An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial of service (DoS) via crafted .pdf file to FoFiType1C::cvtGlyph function. (CVE-2020-36023) An issue was discovered in freedesktop poppler version 20.12.1, allows

Mageia 2023-0261: postgresql security update

Extension script @substitutions@ within quoting allow SQL injection. (CVE-2023-39417) MERGE fails to enforce UPDATE or SELECT row security policies. (CVE-2023-39418)

Mageia 2023-0260: ghostscript security update

Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). (CVE-2023-36664) A buffer overflow flaw was found in base/gdevdevn.c:1973 in

Mageia 2023-0259: librsvg security update

A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href="https://linuxsecurity.com/.?../../../../../../../../../../etc/passwd" in an xi:include element. (CVE-2023-38633)

NIST Vulnerability Database

CVE-2023-1625
An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact to the confidentiality, integrity, and availability of the system.

CVE-2023-1636
A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configuration. Barbican containers share the same CGROUP, USER, and NET namespace with the host system and other OpenStack services. If any service is compromised, it could gain access to the data transmitted to and from Barbican.

CVE-2023-1633
A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining access to sensitive credentials.

CVE-2023-1260
An authentication bypass vulnerability was discovered in kube-apiserver. This issue could allow a remote, authenticated attacker who has been given permissions "update, patch" the "pods/ephemeralcontainers" subresource beyond what the default is. They would then need to create a new pod or patch one that they already have access to. This might allow evasion of SCC admission restrictions, thereby gaining control of a privileged pod.

OS: Redhat

RedHat: RHSA-2023-5310:01 Low: Red Hat Integration Camel Extensions for

Red Hat Integration Camel Extensions for Quarkus 2.13.3-1 release and security update is now available. Red Hat Product Security has rated this update as having an impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a

RedHat: RHSA-2023-5233:01 Moderate: OpenShift Virtualization 4.13.4

Red Hat OpenShift Virtualization release 4.13.4 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

RedHat: RHSA-2023-5235:01 Important: kpatch-patch security update

An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

RedHat: RHSA-2023-5239:01 Important: virt:rhel and virt-devel:rhel security

An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

CVEMAP.ORG: Vulnerabilities & Exposures

Low CVE-2023-0687: GNU Glibc
A vulnerability was found in GNU C Library 2.38. It has been declared as critical. This vulnerability affects the function __monstartup of the file gmon.c of the component Call Graph Monitor. The manipulation leads to buffer overflow. It is recommended to apply a patch to fix this issue. VDB-220246 is the identifier assigned to this vulnerability.

Low CVE-2020-36660: Eve ship replacement program project Eve ship replacement program
A vulnerability was found in paxswill EVE Ship Replacement Program 0.12.11. It has been rated as problematic. This issue affects some unknown processing of the file src/evesrp/views/api.py of the component User Information Handler. The manipulation leads to information disclosure. The attack may be initiated remotely. Upgrading to version 0.12.12 is able to address this issue. The name of the patch is 9e03f68e46e85ca9c9694a6971859b3ee66f0240. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220211.

Medium CVE-2022-36728: Library management system project Library management system
Library Management System v1.0 was discovered to contain a SQL injection vulnerability via the RollNo parameter at /staff/delstu.php.

Low CVE-2021-30071: Hestiacp Hestiacp
A cross-site scripting (XSS) vulnerability in /admin/list_key.html of HestiaCP before v1.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

NIST Vulnerability Database

CVE-2023-1633
A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining access to sensitive credentials.

OS: Suse

SUSE: 2023:3041-1 bci/rust Security Update

The container bci/rust was updated. The following patches have been included in this update:

SUSE: 2023:3040-1 bci/ruby Security Update

The container bci/ruby was updated. The following patches have been included in this update:

SUSE: 2023:3039-1 bci/bci-init Security Update

The container bci/bci-init was updated. The following patches have been included in this update:

SUSE: 2023:3038-1 suse/git Security Update

The container suse/git was updated. The following patches have been included in this update:

OS: Debian

Debian: DSA-5502-1: xrdp security update

Multiple security vulnerabilities have been found in xrdp, a remote desktop protocol server. Buffer overflows and out-of-bound writes may cause a denial of service or other unspecified impact.

Debian: DSA-5501-1: gnome-shell security update

Mickael Karatekin discovered that the GNOME session locking didn't restrict a keyboard shortcut used for taking screenshots in GNOME Screenshot which could result in information disclosure.

Debian: DSA-5500-1: flac security update

A buffer overflow was discovered in flac, a library handling Free Lossless Audio Codec media, which could potentially result in the execution of arbitrary code.

Debian: DSA-5499-1: chromium security update

Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

OS: Scientific

SciLinux: SLSA-2023-5197-1 Important: firefox on SL7.x x86_64

This update upgrades Firefox to version 102.15.1 ESR. * libwebp: Heap buffer overflow in WebP Codec (CVE-2023-4863) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE SL7 x86_64 firefox-102.15.1-1.el7_9.x86_64.rpm firefox-debuginfo-102.15.1-1.el7_9.x86_64.rpm firefox-102.15.1-1.el7_9. [More...]

SciLinux: SLSA-2023-5217-1 Important: open-vm-tools on SL7.x x86_64

open-vm-tools: SAML token signature bypass (CVE-2023-20900) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE SL7 x86_64 open-vm-tools-11.0.5-3.el7_9.7.x86_64.rpm open-vm-tools-debuginfo-11.0.5-3.el7_9.7.x86_64.rpm open-vm-tools-desktop-11.0.5-3.el7_9.7.x86_64.rpm open-vm-tools- [More...]

SciLinux: SLSA-2023-5191-1 Important: thunderbird on SL7.x x86_64

This update upgrades Thunderbird to version 102.15.1. * libwebp: Heap buffer overflow in WebP Codec (CVE-2023-4863) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE SL7 x86_64 thunderbird-102.15.1-1.el7_9.x86_64.rpm thunderbird-debuginfo-102.15.1-1.el7_9.x86_64.rpm - Scientific Linux D [More...]

SciLinux: SLSA-2023-5019-1 Important: firefox on SL7.x x86_64

This update upgrades Firefox to version 102.15.0 ESR. * Mozilla: Memory corruption in IPC CanvasTranslator (CVE-2023-4573) * Mozilla: Memory corruption in IPC ColorPickerShownCallback (CVE-2023-4574) * Mozilla: Memory corruption in IPC FilePickerShownCallback (CVE-2023-4575) * Mozilla: Memory corruption in JIT UpdateRegExpStatics (CVE-2023-4577) * Mozilla: Memory safety bugs fixed in Firefo [More...]

OS: CentOS

CentOS: CESA-2023-4151: Important CentOS 7 kernel

Upstream details at : https://access.redhat.com/errata/RHSA-2023:4151

CentOS: CESA-2023-4152: Important CentOS 7 bind

Upstream details at : https://access.redhat.com/errata/RHSA-2023:4152

CentOS: CESA-2023-2077: Important CentOS 7 libwebp

Upstream details at : https://access.redhat.com/errata/RHSA-2023:2077

CentOS: CESA-2023-1904: Important CentOS 7 java-1.8.0-openjdk

Upstream details at : https://access.redhat.com/errata/RHSA-2023:1904

OS: Slackware

Slackware: 2023-261-01: netatalk Security Update

New netatalk packages are available for Slackware 14.1, 14.2, 15.0, and -current to fix a security issue.

Slackware: 2023-258-01: python3 Security Update

New python3 packages are available for Slackware 15.0 and -current to fix a security issue.

Slackware: 2023-257-01: libwebp Security Update

New libwebp packages are available for Slackware 15.0 and -current to fix a security issue.

Slackware: 2023-256-04: mozilla-thunderbird Security Update

New mozilla-thunderbird packages are available for Slackware 15.0, and -current to fix a security issue.

OS: Arch

ArchLinux: 202210-4: linux-zen: multiple issues

The package linux-zen before version 6.0.1.zen2-1 is vulnerable to multiple issues including arbitrary code execution, information disclosure and denial of service.

ArchLinux: 202210-3: linux-lts: multiple issues

The package linux-lts before version 5.15.73-3 is vulnerable to multiple issues including arbitrary code execution, information disclosure and denial of service.

ArchLinux: 202210-2: linux: multiple issues

The package linux before version 6.0.1.arch2-1 is vulnerable to multiple issues including arbitrary code execution, information disclosure and denial of service.

ArchLinux: 202210-1: linux-hardened: multiple issues

The package linux-hardened before version 5.19.15.hardened2-1 is vulnerable to multiple issues including arbitrary code execution, information disclosure and denial of service.

OS: Gentoo

Gentoo: GLSA-202309-08: Requests: Information Leak

A vulnerability has been discovered in Requests which could result in the disclosure of plaintext secrets.

Gentoo: GLSA-202309-07: Binwalk: Multiple Vulnerabilities

Multiple vulnerabilities have been discovered in Binwalk, the worst of which could result in remote code execution.

Gentoo: GLSA-202309-06: Samba: Multiple Vulnerabilities

Multiple vulnerabilities have been discovered in Samba, the worst of which could result in root remote code execution.

Gentoo: GLSA-202309-04: RAR, UnRAR: Arbitrary File Overwrite

An arbitrary file overwrite vulnerability has been discovered in RAR and UnRAR, potentially resulting in arbitrary code execution.