16597 matches found

OSV
added 2024/12/17 8:52 a.m. | 7 views

SUSE-SU-2024:4349-1 Security update for libsoup2

This update for libsoup2 fixes the following issues:
- CVE-2024-52530: Fixed HTTP request smuggling via stripping null bytes from the ends of header names (bsc#1233285)
- CVE-2024-52531: Fixed buffer overflow via UTF-8 conversion in soup_header_parse_param_list_strict (bsc#1233292)
- CVE-2024-52532: Fixed...

CVSS 8.4 | AI score 7.9 | EPSS 0.00933
Exploits: 2 | References: 7
Cvelist
added 2024/12/17 12:0 a.m. | 8 views

CVE-2024-37605

A NULL pointer dereference in D-Link DIR-860L REVB_FIRMWARE_2.04.B04_ic5b allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request...

EPSS 0.00626
Exploits: 0 | References: 4
Vulnrichment
added 2024/12/17 12:0 a.m. | 8 views

CVE-2024-37606

A Stack overflow vulnerability in D-Link DCS-932L REVB_FIRMWARE_2.18.01 allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request...

AI score 6.9 | EPSS 0.00486
Exploits: 1 | References: 4
CVE
added 2024/12/17 12:0 a.m. | 60 views

CVE-2024-37606

CVE-2024-37606 affects D-Link DCS-932L REVB firmware (2.18.01). The vulnerability is a stack/buffer overflow in the alphapd component that can be triggered by a crafted HTTP request, leading to Denial of Service. The issue is documented across multiple sources (NVD/NVD-derived listings, CNVD, Red...

CVSS 6.5 | AI score 7 | EPSS 0.00486
Exploits: 1 | References: 4 | Affected Software: 1
Vulnrichment
added 2024/12/17 12:0 a.m. | 7 views

CVE-2024-37605

A NULL pointer dereference in D-Link DIR-860L REVB_FIRMWARE_2.04.B04_ic5b allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request...

AI score 6.7 | EPSS 0.00626
Exploits: 0 | References: 4
Vulnrichment
added 2024/12/17 12:0 a.m. | 15 views

CVE-2024-37607

A Buffer overflow vulnerability in D-Link DAP-2555 REVA_FIRMWARE_1.20 allows remote attackers to cause a Denial of Service (DoS) via a crafted HTTP request...

AI score 7.1 | EPSS 0.00517
Exploits: 0 | References: 4
Cvelist
added 2024/12/17 12:0 a.m. | 10 views

CVE-2024-36831

A NULL pointer dereference in the plugins_call_handle_uri_clean function of D-Link DAP-1520 REVA_FIRMWARE_1.10B04_BETA02_HOTFIX allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request without authentication...

EPSS 0.00692
Exploits: 0 | References: 4
CVE
added 2024/12/17 12:0 a.m. | 64 views

CVE-2024-36831

D-Link DAP-1520 REVA_FIRMWARE_1.10B04_BETA02_HOTFIX is affected by a NULL pointer dereference in the plugins_call_handle_uri_clean function, enabling a remote attacker to cause a Denial of Service (DoS) via a crafted HTTP request without authentication. The issue is reported across multiple sourc...

CVSS 5.3 | AI score 6.4 | EPSS 0.00692
Exploits: 0 | References: 4 | Affected Software: 1
Cvelist
added 2024/12/17 12:0 a.m. | 18 views

CVE-2024-37606

A Stack overflow vulnerability in D-Link DCS-932L REVB_FIRMWARE_2.18.01 allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request...

EPSS 0.00486
Exploits: 1 | References: 4
CVE
added 2024/12/17 12:0 a.m. | 68 views

CVE-2024-37607

The CVE-2024-37607 issue affects D-Link DAP-2555 with REVA_FIRMWARE_1.20. A buffer overflow in the device’s HTTP handling (notably in /sbin/httpd per PT-Security) can be triggered by crafted HTTP requests, leading to Denial of Service. Public summaries describe the vulnerability as remote, with n...

CVSS 6.5 | AI score 7.1 | EPSS 0.00517
Exploits: 0 | References: 4 | Affected Software: 1
Vulnrichment
added 2024/12/17 12:0 a.m. | 14 views

CVE-2024-36831

A NULL pointer dereference in the plugins_call_handle_uri_clean function of D-Link DAP-1520 REVA_FIRMWARE_1.10B04_BETA02_HOTFIX allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request without authentication...

AI score 6.7 | EPSS 0.00692
Exploits: 0 | References: 4
CVE
added 2024/12/17 12:0 a.m. | 52 views

CVE-2024-37605

CVE-2024-37605 concerns the D-Link DIR-860L REVB firmware 2.04.B04_ic5b. The issue is a NULL pointer dereference in the firmware that can be triggered by a crafted HTTP request, leading to a Denial of Service. Affected component: D-Link DIR-860L firmware (REVB 2.04.B04 ic5b). Impact: av...

CVSS 6.5 | AI score 6.8 | EPSS 0.00626
Exploits: 0 | References: 4 | Affected Software: 1
Cvelist
added 2024/12/17 12:0 a.m. | 24 views

CVE-2024-37607

A Buffer overflow vulnerability in D-Link DAP-2555 REVA_FIRMWARE_1.20 allows remote attackers to cause a Denial of Service (DoS) via a crafted HTTP request...

EPSS 0.00517
Exploits: 0 | References: 4
OSV
added 2024/12/16 2:6 p.m. | 18 views

BIT-NODE-MIN-2020-8287

Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling...

CVSS 6.5 | AI score 7.2 | EPSS 0.16296
Exploits: 2 | References: 11
OSV
added 2024/12/16 2:2 p.m. | 17 views

BIT-NODE-MIN-2022-32213

The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS)...

CVSS 6.5 | AI score 7.3 | EPSS 0.35079
Exploits: 1 | References: 8
OSV
added 2024/12/16 2:2 p.m. | 13 views

BIT-NODE-MIN-2022-32214

The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS)...

CVSS 6.5 | AI score 7.2 | EPSS 0.77278
Exploits: 1 | References: 4
OSV
added 2024/12/16 2:2 p.m. | 15 views

BIT-NODE-MIN-2022-32215

The llhttp parser v14.20.1, v16.17.1 and v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS)...

CVSS 6.5 | AI score 7.3 | EPSS 0.68796
Exploits: 1 | References: 8
OSV
added 2024/12/16 2:1 p.m. | 19 views

BIT-NODE-MIN-2022-35256

The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling...

CVSS 6.5 | AI score 8.1 | EPSS 0.02587
Exploits: 1 | References: 4
OSV
added 2024/12/16 1:58 p.m. | 22 views

BIT-NODE-MIN-2023-30589

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character without LF is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only th...

CVSS 7.5 | AI score 7.2 | EPSS 0.03906
Exploits: 1 | References: 11
Ubuntu
added 2024/12/13 8:38 p.m. | 30 views

USN-7157-2: PHP regression

USN-7157-1 fixed vulnerabilities in PHP. The patch for CVE-2024-8932 caused a regression in php7.4. This update fixes the problem. Original advisory details: It was discovered that PHP incorrectly handled certain inputs when processed with convert.quoted-printable-decode filters. An attacker coul...

CVSS 9.8 | AI score 7.8 | EPSS 0.02286
Exploits: 4