The malicious code is inserted only when building a deb or rpm package of xz. Probably because some systemd-based distros patch openssh to use liblzma (part of xz) and the idea is to have a backdoor in sshd.
thanks, Pat! <3
libarchive
We should probably highly consider this:
https://github.com/libarchive/libarchive/pull/2101
https://github.com/libarchive/libarchive/pull/1609
Yeah, I'd heard about the potential for libarchive issues. With Tavis Ormandy on the case, I think if there's an issue it'll be handled quickly.
XWayland 23.2.5 and X.Org Server 21.1.12
CVE-2024-31080, CVE-2024-31081, CVE-2024-31082, CVE-2024-31083

Multiple issues have been found in the X server and Xwayland implementations
Apache HTTP Server 2.4.59 (released 2024-04-04)
*) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames (cve.mitre.org)
   HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
   Credits: Bartek Nowotarski (https://nowotarski.info/)

*) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple modules (cve.mitre.org)
   HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue.
   Credits: Keran Mu, Tsinghua University and Zhongguancun Laboratory.

*) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response splitting (cve.mitre.org)
   Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58.
   Credits: Orange Tsai (@orange_8361) from DEVCORE
nghttp2 v1.61.0 (released 2024-04-04)
Fixes CVE-2024-28182
polkit 124
Because of this new "systemd_dep":

../meson.build:222:37: ERROR: Unknown variable "systemd_dep".

https://gitweb.gentoo.org/repo/gento...-systemd.patch
https://gitweb.gentoo.org/repo/gento...md-fixup.patch
less
less(1) does not correctly escape newlines in pathnames when

Fix: https://github.com/gwsw/less/commit/007521ac3c95bc76
I've never liked that feature of less. I use the -L option here.
glibc
CVE-2024-2961

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output

https://www.cve.org/CVERecord?id=CVE-2024-2961
https://sourceware.org/git/?p=glibc....C-SA-2024-0004