Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Fixed the memory leak in mpi3mrhbaport during the mpi3mrremove function...

Astra Linux - уязвимость в linux, linux-5.10

In the Linux kernel, the following vulnerability has been resolved: usb: host: ohci-tmio: check return value after calling platformgetresource This vulnerability could lead to a null-ptr-deref issue if platformgetresource returns NULL. Therefore, we need to check the return value...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: xhci: A null pointer dereference was fixed in the remove function, especially when xHC has only one root hub. The remove function in the xhci platform driver attempts to remove both the main hcd and the shared hcd, even if only t...

Astra Linux - уязвимость в linux-5.10, linux-5.15, linux-6.1

In the Linux kernel, the following vulnerability has been resolved: Bus: MHI: Host – Drop the channel lock before queuing buffers. Ensure that read and write locks for the channel are not acquired consecutively by dropping the read lock from parsexferevent. This allows a callback provided to the...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcicore: lookup hciconn on the RX path at the protocol level The hdev lock/lookup/unlock/use pattern in the packet RX path does not ensure that hciconn is not concurrently modified/deleted. This locking mechanism seems...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: usb: legacy: ncm: Fixed an NPE in gncmBind. The commit 56a512a9b410 “usb: gadget: fncm: Aligned netdevice lifecycle with bind/unbind” deferred the allocation of the netdevice. This change results in a NULL pointer derefrence in t...

Astra Linux - уязвимость в twisted

Twisted is an event-based framework for internet applications. It was introduced with version 0.9.4. At that time, when the host header did not match a configured host using twisted.web.vhost.NameVirtualHost, a “NoResource” resource would be returned. This caused the Host header to be rendered...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: mmc: sunplus: fix the return value check in mmcaddhost The mmcaddhost function may return an error if we ignore its return value. As a result: 1. The memory allocated in mmcallochost will be leaked. 2. A null-ptr-deref excepti...

Astra Linux - уязвимость в linux-5.10, linux

In the Linux kernel, the following vulnerability has been resolved: usb: host: ohci-ppc-of: Fix refcount leak bug In ohcihcdppcofprobe, offindcompatiblenode will return a node pointer with the refcount incremented. We should use ofnodeput when it is no longer needed...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Preventing interrupt storms due to Host Controller Errors HCE The xHCI controller reports a Host Controller Error HCE in UAS Storage during device plug/unplug scenarios on Android devices. HCE is checked in the xhciirq...

Astra Linux - уязвимость в qemu

A flaw was discovered in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. This flaw occurs when dropping packets during a bulk transfer from a SPICE client, due to the packet queue being full. A malicious SPICE client could exploit this flaw to call the free function in...

Astra Linux - уязвимость в linux, linux-5.10, linux-5.15, linux-6.1

In the Linux kernel, the following vulnerability has been resolved: The enicsetvfport function assumes that the nl attribute IFLAPORTPROFILE has a length of PORTPROFILEMAX, and that the nl attributes IFLAPORTINSTANCEUUID and IFLAPORTHOSTUUID have a length of PORTUUIDMAX. These attributes are...

Astra Linux - уязвимость в isc-dhcp

In ISC DHCP 4.4.0 - 4.4.3, and ISC DHCP 4.1-ESV-R1 - 4.1-ESV-R16-P1, when the function optioncodehashlookup is called from addOption, it increments the refcount field of the option. However, there is no corresponding call to optiondereference to decrement the refcount field. The function addOptio...

Astra Linux - уязвимость в libvirt

A NULL pointer dereference flaw was discovered in the udevConnectListAllInterfaces function within libvirt. This issue can occur when detaching a host interface while simultaneously collecting the list of interfaces using the virConnectListAllInterfaces API. This flaw could be exploited to carry...

Astra Linux - уязвимость в docker.io

In Docker versions prior to 9.03.15 and 20.10.3, there is a vulnerability related to the --userns-remap option. This option allows access to the remapped root directory, enabling privilege escalation to the actual root directory. When using --userns-remap, if the root user in the remapped namespa...

Astra Linux - уязвимость в linux-6.1

In the Linux kernel, the following vulnerabilities have been resolved: Bluetooth: MGMT: Cancel the mesh send timer when the hdev is removed The meshsenddone timer is not canceled when the hdev is removed, which can cause a crash if the timer triggers after the hdev is gone. Cancel the timer when...

kernel: Read root-owned files as an unprivileged user

A vulnerability was found in the Linux kernel that allows an unprivileged local user to read sensitive files normally restricted to the root user. The flaw occurs during process exit, where a brief window allows an attacker to intercept file access from a privileged process before it fully...

Malicious code in bucket-protocol-sdk-v2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e19ff8a6cb5a08bd0561658d41dfe3616f1680bc5acac989c97da38f37ee41b4 bucket-protocol-sdk-v2 advertises itself as a 'community maintained drop-in replacement' for the Sui ecosystem's bucket-protocol-sdk, but its src/ tr...

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

Malicious code in @pluxee-connect/api-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0f5056dda18e9a9f440db7379d09fa1f9f7ff087ac00d6684170cddd40c240e9 On npm install, postinstall.js collects os.hostname, os.userInfo, and process.version and transmits them over plain HTTP to...