SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-aiohttp (SUSE-SU-2024:3110-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2024:3110-1 advisory. - CVE-2024-42367: Fixed path traversal outside the root directory when requests involve compressed files ...
SUSE-SU-2024:3110-1 Security update for python-aiohttp
This update for python-aiohttp fixes the following issues: - CVE-2024-42367: Fixed path traversal outside the root directory when requests involve compressed files as symbolic links (bsc#1229226)...
aiohttp < 3.10.2 Path Traversal Vulnerability - Linux
aiohttp is prone to a path traversal vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:aio-libsproject:aiohttp";...
CVE-2024-42367 In aiohttp, compressed files as symlinks are not protected from path traversal
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (.gz or .br extension) are vulnerable to path traversal outside the root directory if those variants are...
In aiohttp, compressed files as symlinks are not protected from path traversal
Summary: Static routes which contain files with compressed variants (.gz or .br extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links. Details: The server protects static routes from path traversal outside the root directory when...
PT-2024-29901 · Aiohttp +3
Name of the Vulnerable Software and Affected Versions: aiohttp versions prior to 3.10.2. Description: The issue is related to path traversal outside the root directory in static routes containing files with compressed variants (.gz or .br extension) when these variants are symbolic links. The server...
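The advisories above describe the mechanism without showing it: the static handler confines the *requested* path to the root, then silently swaps in a pre-compressed sibling (`app.js.gz` / `app.js.br`) that was never confined, so a sibling that is a symlink leads outside the root. The model below is an added example, not aiohttp's code or its actual patch; it assumes a hypothetical `resolve_static()` helper, a constructed temporary static root, and an attacker who can already place a symlink with a compressed-variant name inside that root (the precondition the advisory implies). The `check_variant=True` path applies the same root confinement to the sibling before choosing it.

```python
"""Model of the CVE-2024-42367 static-route issue (added example, not aiohttp's code)."""
import os
import tempfile
from pathlib import Path
from typing import Optional

# Order a server might try pre-compressed siblings in; the names are the point, not the order.
VARIANTS = (".br", ".gz")


def _inside(root: Path, candidate: Path) -> bool:
    """True if an already-resolved `candidate` lies under the resolved `root`."""
    try:
        candidate.relative_to(root)
        return True
    except ValueError:
        return False


def resolve_static(root: Path, rel: str, *, check_variant: bool) -> Optional[Path]:
    """Return the path a static handler would open for request path `rel`, or None.

    check_variant=False models the pre-3.10.2 behaviour in the advisory: only the
    requested file is resolved and confined to root; a compressed sibling is used
    as found. check_variant=True is a hypothetical hardening that confines the
    resolved sibling too, falling back to the plain file if it escapes the root.
    """
    root = root.resolve()
    requested = (root / rel).resolve()
    if not _inside(root, requested) or not requested.is_file():
        return None  # ordinary "../" traversal is already rejected in both modes
    for ext in VARIANTS:
        variant = requested.with_name(requested.name + ext)
        if not variant.is_file():  # follows symlinks, so a link to an outside file counts
            continue
        if check_variant and not _inside(root, variant.resolve()):
            continue  # sibling resolves outside root: do not serve it
        return variant
    return requested


def demo() -> dict:
    """Build a constructed root with an escaping `.gz` symlink and record what each mode serves."""
    with tempfile.TemporaryDirectory(prefix="aiohttp-cve-") as tmp:
        base = Path(tmp)
        root = base / "static"
        root.mkdir()
        (root / "app.js").write_bytes(b"console.log('ok')")
        secret = base / "secret.txt"  # constructed file outside the static root
        secret.write_bytes(b"db_password=hunter2")
        os.symlink(secret, root / "app.js.gz")  # crafted compressed variant

        vuln = resolve_static(root, "app.js", check_variant=False)
        safe = resolve_static(root, "app.js", check_variant=True)
        traversal = resolve_static(root, "../secret.txt", check_variant=False)
        return {
            "vulnerable": vuln.read_bytes(),
            "hardened": safe.read_bytes(),
            "hardened_is_plain_file": safe == (root / "app.js").resolve(),
            "dotdot_blocked": traversal is None,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Note that `../` in the request is rejected in both modes; the advisory's point is precisely that the sibling lookup bypasses a check the requested path already passed. A scanner finding of `aiohttp < 3.10.2` is only exploitable where something can create files or symlinks under the static root, so pair the upgrade with a review of who can write there.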
Moderate: Red Hat Security Advisory: fontforge security update
An update for fontforge is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from...
fontforge: command injection via crafted archives or compressed files
Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files...
ALSA-2024:4267 Moderate: fontforge security update
FontForge is a font editor for outline and bitmap fonts. It supports a range of font formats, including PostScript (ASCII and binary) Type 1, some Type 3 and Type 0, TrueType, OpenType (Type2 and CID-keyed fonts). Security Fixes: fontforge: command injection via crafted filenames (CVE-2024-25081)...
USN-6856-1 fontforge vulnerabilities
It was discovered that FontForge incorrectly handled filenames. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to perform a command injection. CVE-2024-25081 It was discovered that FontForge incorrectly...
SUSE CVE-2024-3508
A flaw was found in Bombastic, which allows authenticated users to upload compressed bzip2 or zstd SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed...
BIT-GOLANG-2022-30631 Stack exhaustion when reading certain archives in compress/gzip
Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files...
SUSE CVE-2024-25082
Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files...
CVE-2024-25082
Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files...
DEBIAN-CVE-2024-25082
Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files...
Command injection
Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files...
UBUNTU-CVE-2024-25082
Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files...