
3389 matches found

OSV
added 2024/06/07 8:25 a.m. · 15 views

SUSE-SU-2024:1935-1 Security update for go1.22

This update for go1.22 fixes the following issues: go1.21.11 release bsc1212475. - CVE-2024-24789: Fixed mishandling of corrupt central directory record in archive/zip bsc1225973. - CVE-2024-24790: Fixed unexpected behavior from Is methods for IPv4-mapped IPv6 addresses bsc1225974...

9.8 CVSS · 9 AI score · 0.01952 EPSS
Exploits 0 · References 6
OSV
added 2024/06/07 7:18 a.m. · 9 views

BIT-GOLANG-2024-24790 Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip

The various Is methods IsPrivate, IsLoopback, etc did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms...

9.8 CVSS · 8.3 AI score · 0.01952 EPSS
Exploits 0 · References 7
OSV
added 2024/06/05 4:15 p.m. · 12 views

CVE-2024-24790

The various Is methods IsPrivate, IsLoopback, etc did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms...

9.8 CVSS · 9.5 AI score
Exploits 0 · References 6
NVD
added 2024/06/05 4:15 p.m. · 26 views

CVE-2024-24790

The various Is methods IsPrivate, IsLoopback, etc did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms...

9.8 CVSS · 6.3 AI score · 0.01952 EPSS
Exploits 0 · References 6
UbuntuCve
added 2024/06/05 4:15 p.m. · 23 views

CVE-2024-24790

The various Is methods IsPrivate, IsLoopback, etc did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms...

9.8 CVSS · 6.9 AI score · 0.01952 EPSS
Exploits 0 · References 11
Cvelist
added 2024/06/05 3:13 p.m. · 24 views

CVE-2024-24790 Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip

The various Is methods IsPrivate, IsLoopback, etc did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms...

6.4 AI score · 0.01952 EPSS
Exploits 0 · References 5
Vulnrichment
added 2024/06/05 3:13 p.m. · 18 views

CVE-2024-24790 Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip

The various Is methods IsPrivate, IsLoopback, etc did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms...

7.2 AI score · 0.01952 EPSS
Exploits 0 · References 5
CVE
added 2024/06/05 3:13 p.m. · 516 views

CVE-2024-24790

Summary: CVE-2024-24790 concerns the behavior of the Go networking IsPrivate/IsLoopback (and related) methods when given IPv4-mapped IPv6 addresses. The connected advisories/entries confirm a mismatch where these addresses could be treated as non-private, non-loopback in Go’s net/ip logic, potent...

9.8 CVSS · 8.5 AI score · 0.01952 EPSS
Exploits 0 · References 6 · Affected Software 1
Debian CVE
added 2024/06/05 3:13 p.m. · 15 views

CVE-2024-24790

The various Is methods IsPrivate, IsLoopback, etc did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms...

9.8 CVSS · 6.8 AI score · 0.01952 EPSS
Exploits 0
FreeBSD
added 2024/06/05 12:0 a.m. · 21 views

traefik -- Unexpected behavior with IPv4-mapped IPv6 addresses

The traefik authors report: There is a vulnerability in Go managing various Is methods IsPrivate, IsLoopback, etc for IPv4-mapped IPv6 addresses. They didn't work as expected returning false for addresses which would return true in their traditional IPv4 forms...

9.8 CVSS · 6.9 AI score · 0.01952 EPSS
Exploits 0 · References 1
OSV
added 2024/06/04 10:48 p.m. · 61 views

GO-2024-2887 Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses in net/netip

The various Is methods IsPrivate, IsLoopback, etc did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms...

9.8 CVSS · 8.4 AI score · 0.01952 EPSS
Exploits 0 · References 3
OSV
added 2024/06/04 8:59 p.m. · 7 views

CVE-2024-34362 Envoy affected by a crash (use-after-free) in EnvoyQuicServerStream

Envoy is a cloud-native, open source edge and service proxy. There is a use-after-free in HttpConnectionManager HCM with EnvoyQuicServerStream that can crash Envoy. An attacker can exploit this vulnerability by sending a request without FIN, then a RESETSTREAM frame, and then after receiving the...

5.9 CVSS · 6.1 AI score · 0.00589 EPSS
Exploits 1 · References 3
OSV
added 2024/05/31 11:8 a.m. · 4 views

OESA-2024-1667 infinispan security update

Infinispan is an extremely scalable, highly available data grid platform - 100% open source, and written in Java. The purpose of Infinispan is to expose a data structure that is highly concurrent, designed ground-up to make the most of modern multi-processor/multi-core architectures while at the...

8.8 CVSS · 6.8 AI score · 0.03089 EPSS
Exploits 0 · References 2
Veracode
added 2024/05/31 8:23 a.m. · 11 views

Authentication Bypass

typo3/cms-core vulnerable to Authentication Bypass. The vulnerability is due to improper handling of hashing methods related by PHP class inheritance, allowing stored passwords using the blowfish hashing algorithm to be overridden when MD5 is used as the default hashing algorithm...

6.9 AI score
Exploits 0
Tenable Nessus
added 2024/05/28 12:0 a.m. · 35 views

Oracle Linux 8 : poppler (ELSA-2024-2979)

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-2979 advisory. - Fix crash when Object has negative number CVE-2018-13988 - Fix infinite recursion CVE-2017-18267 - Resolves: rhbz1494583 CVE-2017-14520 - Resolves: rhbz145906...

9.3 CVSS · 6.6 AI score · 0.05905 EPSS
Exploits 6 · References 2
Kitploit
added 2024/05/23 12:30 p.m. · 41 views

Go-Secdump - Tool To Remotely Dump Secrets From The Windows Registry

Package go-secdump is a tool built to remotely extract hashes from the SAM registry hive as well as LSA secrets and cached hashes from the SECURITY hive without any remote agent and without touching disk. The tool is built on top of the library go-smb and uses it to communicate with the Windows...

7.3 AI score
Exploits 0 · References 2
RedhatCVE
added 2024/05/21 5:10 p.m. · 58 views

CVE-2024-5148

A flaw was found in the gnome-remote-desktop package. The gnome-remote-desktop system daemon performs inadequate validation of session agents using D-Bus methods related to transitioning a client connection from the login screen to the user session. As a result, the system RDP TLS certificate and...

7.5 CVSS · 7.3 AI score · 0.00569 EPSS
Exploits 0 · References 4
The Hacker News
added 2024/05/15 10:56 a.m. · 26 views

Ebury Botnet Malware Compromises 400,000 Linux Servers Over Past 14 Years

A malware botnet called Ebury is estimated to have compromised 400,000 Linux servers since 2009, out of which more than 100,000 were still compromised as of late 2023. The findings come from Slovak cybersecurity firm ESET, which characterized it as one of the most advanced server-side malware...

9.8 CVSS · 7.3 AI score · 0.70947 EPSS
Exploits 1
Positive Technologies
added 2024/05/14 12:0 a.m. · 3 views

PT-2024-4132 · D Link · D-Link D-View

Name of the Vulnerable Software and Affected Versions: D-Link D-View affected versions not specified Description: The issue is related to the queryDeviceCustomMonitorResult method of the D-Link D-View platform, which uses dangerous methods or functions. This allows a remote attacker to execute...

9 CVSS · 7.8 AI score · 0.01847 EPSS
Exploits 0 · References 4
UbuntuCve
added 2024/05/13 6:0 p.m. · 15 views

CVE-2022-4967

strongSwan versions 5.9.2 through 5.9.5 are affected by authorization bypass through improper validation of certificate with host mismatch CWE-297. When certificates are used to authenticate clients in TLS-based EAP methods, the IKE or EAP identity supplied by a client is not enforced to be...

7.7 CVSS · 5.7 AI score · 0.00464 EPSS
Exploits 0 · References 3