rexml: DoS vulnerability in REXML

A vulnerability was found in REXML RubyGems. This package is vulnerable to denial of service DoS when parsing a deep XML structure with the same local name attribute. This vulnerability only affects tree parser API like REXML::Document.new, other parser APIs such as stream parser API and SAX2...

CVE-2024-43700

xfpt versions prior to 1.01 fails to handle appropriately some parameters inside the input data, resulting in a stack-based buffer overflow vulnerability. When a user of the affected product is tricked to process a specially crafted file, arbitrary code may be executed on the user's environment...

SUSE CVE-1999-0402

wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself...

SUSE CVE-2024-37535

GNOME VTE before 0.76.3 allows an attacker to cause a denial of service memory consumption via a window resize escape sequence, a related issue to CVE-2000-0476...

bouncycastle: potential blind LDAP injection attack using a self-signed certificate

A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain...

perl: Write past buffer end via illegal user-defined Unicode property

A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer...

SUSE CVE-2024-32606

HDF5 Library through 1.14.3 may attempt to dereference uninitialized values in h5toolsstrsprint in tools/lib/h5toolsstr.c called from h5toolsdumpsimpledata in tools/lib/h5toolsdump.c...

openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow

A flaw was found in OpenSSL, which caused the generation or checking of long X9.42 DH keys or parameters to be much slower than expected. This issue could lead to a denial of service...

jetty: Improper addition of quotation marks to user inputs in CgiServlet

A flaw was found in Jetty's CGI servlet which permits incorrect command execution in specific circumstances such as requests with certain characters in requested filenames. This issue could allow an attacker to run permitted commands other than the one requested...

gmp: Integer overflow and resultant buffer overflow via crafted input

A flaw was found in gmp. An integer overflow vulnerability could allow an attacker to input an integer value leading to a crash. The highest threat from this vulnerability is to system availability...

libfastjson: integer overflow and out-of-bounds write via a large JSON file

A flaw was found in json-c. In printbufmemappend, certain crafted values can overflow the memory allowing an attacker to write past the memory boundary. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...

[SECURITY] Fedora 38 Update: rust-asyncgit-0.24.3-3.fc38

Allow using git2 in a asynchronous context...

SUSE CVE-2024-24575

libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to gitrevparsesingle can cause the function to enter an infinite loop, potentially causing a Denial ...

keycloak: LDAP injection on username input

A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or potentially perform other malicious actions...

golang: crypto/tls: panic when processing post-handshake message on QUIC connections

A flaw was found in Golang. Processing an incomplete post-handshake message for a QUIC connection caused a panic...

curl: cookie injection with none file

A flaw was found in the Curl package. This flaw allows an attacker to insert cookies into a running program using libcurl if the specific series of conditions are met...

Mozilla: Improper object tracking during GC in the JavaScript engine could have led to a crash.

The Mozilla Foundation Security Advisory describes this flaw as: During garbage collection extra operations were performed on a object that should not be. This could have led to a potentially exploitable crash...

CVE-2023-46234

browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in dsaVerify function allows an attacker to construct signatures that can be successfully verified by any...

SUSE CVE-2023-5255

For certificates that utilize the auto-renew feature in Puppet Server, a flaw exists which prevents the certificates from being revoked...

SUSE CVE-2023-39332

Various node:fs functions allow specifying paths as either strings or Uint8Array objects. In Node.js environments, the Buffer class extends the Uint8Array class. Node.js prevents path traversal through strings see CVE-2023-30584 and Buffer objects see CVE-2023-32004, but not through non-Buffer...