AZL-38785 CVE-2023-45288 affecting package azcopy for versions less than 10.25.1-1
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...
AZL-39460 CVE-2024-28182 affecting package nghttp2 for versions less than 1.57.0-2
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK...
UBUNTU-CVE-2024-26721
In the Linux kernel, the following vulnerability has been resolved: drm/i915/dsc: Fix the macro that calculates DSCC/DSCA PPS reg address Commit bd077259d0a9 "drm/i915/vdsc: Add function to read any PPS register" defines a new macro to calculate the DSC PPS register addresses with PPS number as a...
PT-2024-21489 · Linux · Linux Kernel
Name of the Vulnerable Software and Affected Versions: Linux kernel affected versions not specified Description: A vulnerability has been resolved in the Linux kernel, specifically in the drm/i915/dsc component. The issue arises from a macro that calculates the DSCC/DSCA PPS register address,...
XZ Utils Backdoor
The cybersecurity world got really lucky last week. An intentionally placed backdoor in XZ Utils, an open-source compression utility, was pretty much accidentally discovered by a Microsoft engineer, weeks before it would have been incorporated into both Debian and Red Hat Linux. From Ars Technica:...
Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution
The malicious code inserted into the open-source library XZ Utils, a widely used package present in major Linux distributions, is also capable of facilitating remote code execution, a new analysis has revealed. The audacious supply chain compromise, tracked as CVE-2024-3094 (CVSS score: 10.0), came...
CVE-2024-26658
In the Linux kernel, the following vulnerability has been resolved: bcachefs: grab s_umount only if snapshotting When I was testing mongodb over bcachefs with compression, there is a lockdep warning when snapshotting mongodb data volume. $ cat test.sh prog=bcachefs $prog subvolume create /mnt/data...
UBUNTU-CVE-2024-26658
In the Linux kernel, the following vulnerability has been resolved: bcachefs: grab s_umount only if snapshotting When I was testing mongodb over bcachefs with compression, there is a lockdep warning when snapshotting mongodb data volume. $ cat test.sh prog=bcachefs $prog subvolume create /mnt/data...
CVE-2024-26658 bcachefs: grab s_umount only if snapshotting
In the Linux kernel, the following vulnerability has been resolved: bcachefs: grab s_umount only if snapshotting When I was testing mongodb over bcachefs with compression, there is a lockdep warning when snapshotting mongodb data volume. $ cat test.sh prog=bcachefs $prog subvolume create /mnt/data...
CVE-2024-26658
Consolidated details from multiple connected sources confirm CVE-2024-26658 affects the bcachefs Linux kernel module and describes a deadlock risk during snapshot creation. The root cause is the unconditional acquisition of s_umount during subvolume snapshot operations, which can deadlock with ex...
SuperSize Me
SuperSize Me By Floser Bacurio Jr., Bernadette Canubas, Michaelo Oliveros · April 02, 2024 Introduction Cyber attackers are always finding new ways to outsmart security systems and distribute malware effectively. We discovered an interesting detection evasion technique of delivering archive files...
XZ: Embedded Malicious Code (CVE-2024-3094)
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code. This file is then used to modify specific...
XZ Utils SSHd Backdoor
On March 29th, 2024, security researcher Andres Freund discovered a backdoor in XZ Utils versions 5.6.0 and 5.6.1. Under certain conditions, this backdoor may allow remote access to the targeted system. This disclosure was posted to the Openwall mailing list. The security researcher mentions that...
Exploit for Embedded Malicious Code in Tukaani Xz
CVE-2024-3094 checker xz Utils versions 5.6.0 and 5.6.1 appea...
PT-2024-2451
Name of the Vulnerable Software and Affected Versions XZ Utils versions 5.6.0 through 5.6.1 Description Malicious code was discovered in the upstream tarballs of XZ Utils. Through complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file in the...
Updated python3, python packages fix security vulnerabilities
The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users who can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances. CVE-2023-6597 The zipfile module is...
SUSE SLES15 / openSUSE 15 Security Update : python39 (SUSE-SU-2024:1009-1)
The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1009-1 advisory. - libexpat through 2.5.0 allows a denial of service resource consumption because many full reparsings are required in...
Asymmetric Resource Consumption
python is vulnerable to Asymmetric Resource Consumption. This vulnerability is due to an issue in the zip format, allowing for the creation of zip-bombs with a high compression ratio...
Debian dla-3771 : idle-python2.7 - security update
The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3771 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3771-1 [email protected] https://www.debian.org/lts/security/...