Canonical Linux software

Products by Canonical, sorted by most security vulnerabilities since 2018

Product                                     Vulnerabilities
Canonical Ubuntu Linux (Linux operating system)   7251
Canonical Snapd                                     11
Canonical Apport                                     6
Canonical Cloud Init                                 6
Canonical Ubuntu Core                                4
Canonical Ubuntu Touch                               3
Canonical Landscape                                  3
Canonical Ubuntu                                     1
Canonical Subiquity                                  1
Canonical Snapcraft                                  1
Canonical Accountsservice                            1
Canonical Multipass                                  1
Canonical Microk8s                                   1
Canonical Courier Authlib                            1
Canonical C Kernel                                   1
Canonical Apparmor                                   1

Recent Canonical Security Advisories

Advisory      Title                              Published
USN-6919-1    Linux kernel vulnerabilities       July 26, 2024
USN-6918-1    Linux kernel vulnerabilities       July 26, 2024
USN-6917-1    Linux kernel vulnerabilities       July 26, 2024
USN-6915-1    poppler vulnerability              July 24, 2024
USN-6914-1    OCS Inventory vulnerability        July 24, 2024
USN-6913-1    phpCAS vulnerability               July 24, 2024
USN-6912-1    provd vulnerability                July 24, 2024
USN-6906-1    python-zipp vulnerability          July 24, 2024
USN-6910-1    Apache ActiveMQ vulnerabilities    July 23, 2024
USN-6530-2    HAProxy vulnerability              July 23, 2024

By the Year

In 2024 there have been 1089 vulnerabilities in Canonical products, with an average CVSS base score of 6.8 out of ten. Last year Canonical had 968 security vulnerabilities published, so 121 more vulnerabilities have already been reported in 2024 than in all of last year. Last year's average CVE base score was slightly higher (6.90 vs. 6.76 in the table below).

Year   Vulnerabilities   Average Score
2024 1089 6.76
2023 968 6.90
2022 1089 7.02
2021 690 6.82
2020 703 6.45
2019 753 6.93
2018 881 7.17

It may take a day or so for new Canonical vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Canonical Security Vulnerabilities

A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress

CVE-2024-0760 7.5 - High - July 23, 2024

A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1.

Resolver caches and authoritative zone databases

CVE-2024-1737 7.5 - High - July 23, 2024

Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1.

If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record

CVE-2024-1975 7.5 - High - July 23, 2024

If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1.

Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure

CVE-2024-4076 - July 23, 2024

Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1.

In the Linux kernel, the following vulnerability has been resolved: net: dsa: fix panic when DSA master device unbinds on shutdown Rafael reports

CVE-2022-48808 - July 16, 2024

In the Linux kernel, the following vulnerability has been resolved: net: dsa: fix panic when DSA master device unbinds on shutdown

Rafael reports that on a system with LX2160A and Marvell DSA switches, if a reboot occurs while the DSA master (dpaa2-eth) is up, the following panic can be seen:

systemd-shutdown[1]: Rebooting.
Unable to handle kernel paging request at virtual address 00a0000800000041
[00a0000800000041] address between user and kernel address ranges
Internal error: Oops: 96000004 [#1] PREEMPT SMP
CPU: 6 PID: 1 Comm: systemd-shutdow Not tainted 5.16.5-00042-g8f5585009b24 #32
pc : dsa_slave_netdevice_event+0x130/0x3e4
lr : raw_notifier_call_chain+0x50/0x6c
Call trace:
 dsa_slave_netdevice_event+0x130/0x3e4
 raw_notifier_call_chain+0x50/0x6c
 call_netdevice_notifiers_info+0x54/0xa0
 __dev_close_many+0x50/0x130
 dev_close_many+0x84/0x120
 unregister_netdevice_many+0x130/0x710
 unregister_netdevice_queue+0x8c/0xd0
 unregister_netdev+0x20/0x30
 dpaa2_eth_remove+0x68/0x190
 fsl_mc_driver_remove+0x20/0x5c
 __device_release_driver+0x21c/0x220
 device_release_driver_internal+0xac/0xb0
 device_links_unbind_consumers+0xd4/0x100
 __device_release_driver+0x94/0x220
 device_release_driver+0x28/0x40
 bus_remove_device+0x118/0x124
 device_del+0x174/0x420
 fsl_mc_device_remove+0x24/0x40
 __fsl_mc_device_remove+0xc/0x20
 device_for_each_child+0x58/0xa0
 dprc_remove+0x90/0xb0
 fsl_mc_driver_remove+0x20/0x5c
 __device_release_driver+0x21c/0x220
 device_release_driver+0x28/0x40
 bus_remove_device+0x118/0x124
 device_del+0x174/0x420
 fsl_mc_bus_remove+0x80/0x100
 fsl_mc_bus_shutdown+0xc/0x1c
 platform_shutdown+0x20/0x30
 device_shutdown+0x154/0x330
 __do_sys_reboot+0x1cc/0x250
 __arm64_sys_reboot+0x20/0x30
 invoke_syscall.constprop.0+0x4c/0xe0
 do_el0_svc+0x4c/0x150
 el0_svc+0x24/0xb0
 el0t_64_sync_handler+0xa8/0xb0
 el0t_64_sync+0x178/0x17c

It can be seen from the stack trace that the problem is that the deregistration of the master causes a dev_close(), which gets notified as NETDEV_GOING_DOWN to dsa_slave_netdevice_event(). But dsa_switch_shutdown() has already run, and this has unregistered the DSA slave interfaces, and yet, the NETDEV_GOING_DOWN handler attempts to call dev_close_many() on those slave interfaces, leading to the problem.

The previous attempt to avoid the NETDEV_GOING_DOWN on the master after dsa_switch_shutdown() was called seems improper. Unregistering the slave interfaces is unnecessary and unhelpful. Instead, after the slaves have stopped being uppers of the DSA master, we can now reset to NULL the master->dsa_ptr pointer, which will make DSA start ignoring all future notifier events on the master.

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14

CVE-2024-39614 - July 10, 2024

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14

CVE-2024-39330 - July 10, 2024

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)
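
The entry above turns on one contract: a Storage subclass that overrides generate_filename() must keep the parent's file-path validation, or the user-supplied name reaches save() unchecked. The following is an added example, not Django's code or the Django project's: a pure-Python stand-in for django.core.files.storage.Storage in which the base save() trusts generate_filename(), a subclass drops the parent's checks (vulnerable), a second subclass delegates to the parent first (hardened), and save_patched() shows the defence in depth of re-validating the returned name regardless of what the subclass did. The class names, the /srv/media root, the 2024/07 prefix and the validation helper's exact messages are assumptions made for the illustration.

```python
"""Path validation a custom Storage.generate_filename() must keep (cf. CVE-2024-39330).

Added example, not Django code: a pure-Python stand-in for django.core.files.storage.Storage.
'location' is the storage root and generate_filename() returns the relative name to save under.
The toy base class trusts generate_filename()'s output in save(); the built-in FileSystemStorage
was unaffected because its path() uses safe_join(), which a custom backend may not.
"""
import os
import posixpath
from pathlib import PurePosixPath


class SuspiciousFileOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousFileOperation."""


def validate_file_name(name: str, allow_relative_path: bool = False) -> str:
    """Reject absolute paths, '..' segments and empty or dot basenames."""
    base_name = os.path.basename(name)
    if base_name in ("", ".", ".."):
        raise SuspiciousFileOperation(f"Could not derive file name from '{name}'")
    if allow_relative_path:
        path = PurePosixPath(name)
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in '{name}'")
    elif name != base_name:
        raise SuspiciousFileOperation(f"File name '{name}' includes path elements")
    return name


class Storage:
    """Toy base class for a custom backend (think object-store keys, not FileSystemStorage)."""

    def __init__(self, location: str = "/srv/media"):
        self.location = location

    def get_valid_name(self, name: str) -> str:
        # Keep only characters that are safe in a basename.
        return "".join(c for c in name if c.isalnum() or c in "-_.") or "unnamed"

    def generate_filename(self, filename: str) -> str:
        # The base-class contract: sanitise the basename, then validate the whole relative path.
        dirname, basename = os.path.split(filename)
        candidate = posixpath.join(dirname, self.get_valid_name(basename))
        return validate_file_name(candidate, allow_relative_path=True)

    def _save(self, name: str) -> str:
        # Resolves the key under the root *without* safe_join(): traversal in 'name' escapes.
        return os.path.normpath(os.path.join(self.location, name))

    def save(self, name: str) -> str:
        """Trusting shape: whatever the subclass's generate_filename() returns is used as-is."""
        return self._save(self.generate_filename(name))

    def save_patched(self, name: str) -> str:
        """Defence in depth: re-validate after generate_filename(), whatever the subclass did."""
        name = self.generate_filename(name)
        validate_file_name(name, allow_relative_path=True)
        return self._save(name)


class DatedStorageVulnerable(Storage):
    """Adds a date prefix but drops the parent's sanitisation and validation."""

    def generate_filename(self, filename: str) -> str:
        return posixpath.join("2024/07", filename)   # user-controlled name passes straight through


class DatedStorageHardened(Storage):
    """Adds the same prefix but keeps the parent's checks by delegating first."""

    def generate_filename(self, filename: str) -> str:
        return posixpath.join("2024/07", super().generate_filename(filename))


def raises_suspicious(fn, *args) -> bool:
    """True if fn(*args) is rejected as a suspicious file operation."""
    try:
        fn(*args)
    except SuspiciousFileOperation:
        return True
    return False


if __name__ == "__main__":
    evil = "../../../../etc/passwd"
    print("vulnerable:", DatedStorageVulnerable().save(evil))          # resolves to /etc/passwd
    print("hardened rejects:", raises_suspicious(DatedStorageHardened().save, evil))
    print("patched save rejects:", raises_suspicious(DatedStorageVulnerable().save_patched, evil))
```

The traversal needs enough `..` segments to climb out of both the storage root and the subclass's own prefix, which is why a subclass that merely prepends a directory is not protected by that prefix.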

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14

CVE-2024-39329 - July 10, 2024

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
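
The enumeration above works because a login against an account whose stored password is "unusable" (Django marks these with a leading "!") returned without doing any password hashing, while a login for an unknown user or a wrong password paid the full hashing cost; an attacker who can time responses can tell the two apart. The following is an added example, not Django's code: a small stand-in for an ORM-backed authentication backend with a constructed user table, a vulnerable authenticate() that short-circuits on unusable passwords, and a fixed one that burns the same hashing cost on every negative path. It counts hash computations instead of measuring wall-clock time so the difference is deterministic; the usernames, the PBKDF2 iteration count and the dummy-hash approach are assumptions for the illustration, not Django's exact patch.

```python
"""Timing-based user enumeration via unusable passwords (cf. CVE-2024-39329), and the fix.

Added example, not Django code: a stand-in for an ORM-backed ModelBackend. A constructed
user table holds one password-login user and one SSO-only user whose stored password is
"unusable" (leading "!"). Hash work is counted so the two code paths can be compared
without timing noise.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 20_000            # kept low for the demo; real deployments use far more
UNUSABLE_PREFIX = "!"


def make_password(raw: str, salt: bytes) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def make_unusable_password() -> str:
    # An account that must never log in with a password (SSO-only, deactivated, ...).
    return UNUSABLE_PREFIX + os.urandom(20).hex()


def is_password_usable(encoded: str) -> bool:
    return not encoded.startswith(UNUSABLE_PREFIX)


@dataclass
class Counter:
    hashes: int = 0


def verify_password(raw: str, encoded: str, counter: Counter) -> bool:
    """One PBKDF2 run plus a constant-time compare; every call costs the same CPU."""
    _algo, iters, salt_hex, dk_hex = encoded.split("$")
    counter.hashes += 1
    dk = hashlib.pbkdf2_hmac("sha256", raw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed user table (username -> stored password).
USERS = {
    "alice": make_password("correct horse battery staple", salt=b"\x01" * 16),
    "bob-sso": make_unusable_password(),
}

# Stored hash with no matching user; used only to burn the same CPU on negative paths.
DUMMY_ENCODED = make_password("", salt=b"\x00" * 16)


def authenticate_vulnerable(username: str, password: str, counter: Counter):
    encoded = USERS.get(username)
    if encoded is None:
        # Unknown user: hash anyway so "no such user" takes as long as a wrong password.
        verify_password(password, DUMMY_ENCODED, counter)
        return None
    if not is_password_usable(encoded):
        return None           # BUG: returns before any hashing, so this path is measurably faster
    return username if verify_password(password, encoded, counter) else None


def authenticate_fixed(username: str, password: str, counter: Counter):
    encoded = USERS.get(username)
    if encoded is None or not is_password_usable(encoded):
        # Same cost on every failure path: unknown user and unusable password look alike.
        verify_password(password, DUMMY_ENCODED, counter)
        return None
    return username if verify_password(password, encoded, counter) else None


def hash_work(authenticate, username: str, password: str = "guess") -> int:
    """Number of hash computations a login attempt triggers (a proxy for its response time)."""
    counter = Counter()
    authenticate(username, password, counter)
    return counter.hashes


if __name__ == "__main__":
    for name in ("alice", "bob-sso", "nobody"):
        print(f"{name:8s} vulnerable={hash_work(authenticate_vulnerable, name)} "
              f"fixed={hash_work(authenticate_fixed, name)}")
```

The general rule the fix applies: every rejection path of an authentication routine should perform the same expensive work as the success path, otherwise the response time itself becomes the oracle.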

An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7

CVE-2024-38875 - July 10, 2024

An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.

.NET and Visual Studio Denial of Service Vulnerability

CVE-2024-38095 7.5 - High - July 09, 2024

.NET and Visual Studio Denial of Service Vulnerability

.NET and Visual Studio Remote Code Execution Vulnerability

CVE-2024-35264 8.1 - High - July 09, 2024

.NET and Visual Studio Remote Code Execution Vulnerability

.NET Core and Visual Studio Denial of Service Vulnerability

CVE-2024-30105 7.5 - High - July 09, 2024

.NET Core and Visual Studio Denial of Service Vulnerability

Clipboard code failed to check the index on an array access

CVE-2024-6606 - July 09, 2024

Clipboard code failed to check the index on an array access. This could have led to an out-of-bounds read. This vulnerability affects Firefox < 128 and Thunderbird < 128.

In an out-of-memory scenario an allocation could fail but free

CVE-2024-6603 - July 09, 2024

In an out-of-memory scenario an allocation could fail but free would have been called on the pointer afterwards leading to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.

When almost out-of-memory an elliptic curve key which was never allocated could have been freed again

CVE-2024-6609 - July 09, 2024

When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128.

A mismatch between allocator and deallocator could have led to memory corruption

CVE-2024-6602 - July 09, 2024

A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.

Memory safety bugs present in Firefox 127 and Thunderbird 127

CVE-2024-6615 - July 09, 2024

Memory safety bugs present in Firefox 127 and Thunderbird 127. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 128 and Thunderbird < 128.

The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces

CVE-2024-6614 - July 09, 2024

The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. This vulnerability affects Firefox < 128 and Thunderbird < 128.

The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces

CVE-2024-6613 - July 09, 2024

The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces. This vulnerability affects Firefox < 128 and Thunderbird < 128.

CSP violations generated links in the console tab of the developer tools, pointing to the violating resource

CVE-2024-6612 - July 09, 2024

CSP violations generated links in the console tab of the developer tools, pointing to the violating resource. This caused a DNS prefetch which leaked that a CSP violation happened. This vulnerability affects Firefox < 128 and Thunderbird < 128.

A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies

CVE-2024-6611 - July 09, 2024

A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. This vulnerability affects Firefox < 128 and Thunderbird < 128.

Form validation popups could capture escape key presses

CVE-2024-6610 - July 09, 2024

Form validation popups could capture escape key presses. Therefore, spamming form validation messages could be used to prevent users from exiting full-screen mode. This vulnerability affects Firefox < 128 and Thunderbird < 128.

It was possible to move the cursor using pointerlock from an iframe

CVE-2024-6608 - July 09, 2024

It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window. This vulnerability affects Firefox < 128 and Thunderbird < 128.

It was possible to prevent a user

CVE-2024-6607 - July 09, 2024

It was possible to prevent a user from exiting pointerlock when pressing escape and to overlay customValidity notifications from a `<select>` element over certain permission prompts. This could be used to confuse a user into giving a site unintended permissions. This vulnerability affects Firefox < 128 and Thunderbird < 128.

Memory safety bugs present in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12

CVE-2024-6604 - July 09, 2024

Memory safety bugs present in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.

A race condition could lead to a cross-origin container obtaining permissions of the top-level origin

CVE-2024-6601 - July 09, 2024

A race condition could lead to a cross-origin container obtaining permissions of the top-level origin. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.

Due to large allocation checks in Angle for GLSL shaders being too lenient an out-of-bounds access could occur when allocating more than 8192 ints in private shader memory on mac OS

CVE-2024-6600 - July 09, 2024

Due to large allocation checks in Angle for GLSL shaders being too lenient an out-of-bounds access could occur when allocating more than 8192 ints in private shader memory on mac OS. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.

OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients

CVE-2024-28882 - July 08, 2024

OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients, which will extend the validity of a closing session.

The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/route.c max_size threshold that can be consumed easily, e.g

CVE-2023-52340 7.5 - High - July 05, 2024

The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/route.c max_size threshold that can be consumed easily, e.g., leading to a denial of service (network is unreachable errors) when IPv6 packets are sent in a loop via a raw socket.

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers

CVE-2024-39884 - July 04, 2024

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.

Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow

CVE-2024-29507 - July 03, 2024

Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters.

Artifex Ghostscript before 10.03.1, when Tesseract is used for OCR, has a directory traversal issue

CVE-2024-29511 - July 03, 2024

Artifex Ghostscript before 10.03.1, when Tesseract is used for OCR, has a directory traversal issue that allows arbitrary file reading (and writing of error messages to arbitrary files) via OCRLanguage. For example, exploitation can use debug_file /tmp/out and user_patterns_file /etc/passwd.

Artifex Ghostscript before 10.03.0 has a stack-based buffer overflow in the pdfi_apply_filter() function

CVE-2024-29506 - July 03, 2024

Artifex Ghostscript before 10.03.0 has a stack-based buffer overflow in the pdfi_apply_filter() function via a long PDF filter name.

Artifex Ghostscript before 10.03.0 has a heap-based pointer disclosure (observable in a constructed BaseFont name) in the function pdf_base_font_alloc.

CVE-2024-29508 - July 03, 2024

Artifex Ghostscript before 10.03.0 has a heap-based pointer disclosure (observable in a constructed BaseFont name) in the function pdf_base_font_alloc.

Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g

CVE-2024-29509 - July 03, 2024

Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g., for runpdf) has a \000 byte in the middle.

Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference

CVE-2024-36387 - July 01, 2024

Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.

NULL Pointer Dereference

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier

CVE-2024-38473 - July 01, 2024

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Output Sanitization

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier

CVE-2024-38474 - July 01, 2024

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or to obtain source disclosure of scripts meant only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless the rewrite flag "UnsafeAllow3F" is specified.

Output Sanitization

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations

CVE-2024-38475 - July 01, 2024

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change; the rewrite flag "UnsafePrefixStat" can be used to opt back in once the substitution has been confirmed to be appropriately constrained.

Output Sanitization

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier

CVE-2024-39573 - July 01, 2024

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Improper Input Validation

The core of Apache HTTP Server 2.4.59 and earlier is vulnerable to information disclosure, SSRF or local script execution

CVE-2024-38476 - July 01, 2024

The core of Apache HTTP Server 2.4.59 and earlier is vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Inclusion of Functionality from Untrusted Control Sphere

null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier

CVE-2024-38477 - July 01, 2024

null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

NULL Pointer Dereference

null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier

CVE-2024-38477 - July 01, 2024

null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

NULL Pointer Dereference

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution

CVE-2024-38476 - July 01, 2024

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Inclusion of Functionality from Untrusted Control Sphere

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier

CVE-2024-39573 - July 01, 2024

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Improper Input Validation

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations

CVE-2024-38475 - July 01, 2024

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.

Output Sanitization

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier

CVE-2024-38474 - July 01, 2024

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.

Output Sanitization

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier

CVE-2024-38473 - July 01, 2024

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Users are recommended to upgrade to version 2.4.60, which fixes this issue.

Output Sanitization

Serving WebSocket protocol upgrades over an HTTP/2 connection could result in a Null Pointer dereference

CVE-2024-36387 - July 01, 2024

Serving WebSocket protocol upgrades over an HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.

NULL Pointer Dereference

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd)

CVE-2024-6387 8.1 - High - July 01, 2024

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

Race Condition

This repository hosts source code implementing the Trusted Computing Group's (TCG) TPM2 Software Stack (TSS)

CVE-2024-29040 - June 28, 2024

This repository hosts source code implementing the Trusted Computing Group's (TCG) TPM2 Software Stack (TSS). The JSON Quote Info returned by Fapi_Quote has to be deserialized by Fapi_VerifyQuote to the TPM Structure `TPMS_ATTEST`. For the field `TPM2_GENERATED magic` of this structure any number can be used in the JSON structure. The verifier can receive a state which does not represent the actual, possibly malicious state of the device under test. The malicious device might get access to data it shouldn't, or can use services it shouldn't be able to. This issue has been patched in version 4.1.0.

By manipulating the text in an `<input>` tag, an attacker could have caused corrupt memory leading to a potentially exploitable crash

CVE-2024-5696 - June 11, 2024

By manipulating the text in an `<input>` tag, an attacker could have caused corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

If an out-of-memory condition occurs at a specific point using allocations in the probabilistic heap checker

CVE-2024-5695 - June 11, 2024

If an out-of-memory condition occurs at a specific point using allocations in the probabilistic heap checker, an assertion could have been triggered, and in rarer situations, memory corruption could have occurred. This vulnerability affects Firefox < 127.

An attacker could have caused a use-after-free in the JavaScript engine to read memory in the JavaScript string section of the heap

CVE-2024-5694 - June 11, 2024

An attacker could have caused a use-after-free in the JavaScript engine to read memory in the JavaScript string section of the heap. This vulnerability affects Firefox < 127.

If a garbage collection was triggered at the right time, a use-after-free could have occurred during object transplant

CVE-2024-5688 - June 11, 2024

If a garbage collection was triggered at the right time, a use-after-free could have occurred during object transplant. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

Memory safety bugs present in Firefox 126

CVE-2024-5701 - June 11, 2024

Memory safety bugs present in Firefox 126. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 127.

Memory safety bugs present in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11

CVE-2024-5700 - June 11, 2024

Memory safety bugs present in Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

In violation of spec

CVE-2024-5699 - June 11, 2024

In violation of spec, cookie prefixes such as `__Secure` were being ignored if they were not correctly capitalized - by spec they should be checked with a case-insensitive comparison. This could have resulted in the browser not correctly honoring the behaviors specified by the prefix. This vulnerability affects Firefox < 127.

By manipulating the fullscreen feature while opening a data-list, an attacker could have overlaid a text box over the address bar

CVE-2024-5698 - June 11, 2024

By manipulating the fullscreen feature while opening a data-list, an attacker could have overlaid a text box over the address bar. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 127.

A website was able to detect when a user took a screenshot of a page using the built-in Screenshot functionality in Firefox

CVE-2024-5697 - June 11, 2024

A website was able to detect when a user took a screenshot of a page using the built-in Screenshot functionality in Firefox. This vulnerability affects Firefox < 127.

Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data

CVE-2024-5693 - June 11, 2024

Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button

CVE-2024-5691 - June 11, 2024

By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

By monitoring the time certain operations take, an attacker could have guessed

CVE-2024-5690 - June 11, 2024

By monitoring the time certain operations take, an attacker could have guessed which external protocol handlers were functional on a user's system. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

In addition to detecting when a user was taking a screenshot (XXX), a website was able to overlay the 'My Shots' button

CVE-2024-5689 - June 11, 2024

In addition to detecting when a user was taking a screenshot (XXX), a website was able to overlay the 'My Shots' button that appeared, and direct the user to a replica Firefox Screenshots page that could be used for phishing. This vulnerability affects Firefox < 127.

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7

CVE-2024-37384 - June 07, 2024

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences.

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7

CVE-2024-37383 - June 07, 2024

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses

CVE-2024-24790 9.8 - Critical - June 05, 2024

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations

CVE-2024-24789 5.5 - Medium - June 05, 2024

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

~/.config/apport/settings parsing is vulnerable to "billion laughs" attack

CVE-2022-28652 5.5 - Medium - June 04, 2024

~/.config/apport/settings parsing is vulnerable to "billion laughs" attack

XEE

is_closing_session()

CVE-2022-28654 5.5 - Medium - June 04, 2024

is_closing_session() allows users to fill up apport.log

Allocation of Resources Without Limits or Throttling

is_closing_session()

CVE-2022-28655 7.1 - High - June 04, 2024

is_closing_session() allows users to create arbitrary tcp dbus connections

Allocation of Resources Without Limits or Throttling

is_closing_session()

CVE-2022-28656 5.5 - Medium - June 04, 2024

is_closing_session() allows users to consume RAM in the Apport process

Allocation of Resources Without Limits or Throttling

Apport does not disable python crash handler before entering chroot

CVE-2022-28657 7.8 - High - June 04, 2024

Apport does not disable python crash handler before entering chroot

Apport argument parsing mishandles filename splitting on older kernels resulting in argument spoofing

CVE-2022-28658 5.5 - Medium - June 04, 2024

Apport argument parsing mishandles filename splitting on older kernels resulting in argument spoofing

There is a race condition in the 'replaced executable' detection

CVE-2021-3899 - June 03, 2024

There is a race condition in the 'replaced executable' detection that, with the correct local configuration, allows an attacker to execute arbitrary code as root.

Apport can be tricked into connecting to arbitrary sockets as the root user

CVE-2022-1242 - June 03, 2024

Apport can be tricked into connecting to arbitrary sockets as the root user

In the Linux kernel

CVE-2024-36029 - May 30, 2024

In the Linux kernel, the following vulnerability has been resolved: mmc: sdhci-msm: prevent access to suspended controller Generic sdhci code registers LED device and uses host->runtime_suspended flag to protect access to it. The sdhci-msm driver doesn't set this flag, which causes a crash when LED is accessed while controller is runtime suspended. Fix this by setting the flag correctly.

In the Linux kernel

CVE-2024-36027 - May 30, 2024

In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: do not flag ZEROOUT on non-dirty extent buffer Btrfs clears the content of an extent buffer marked as EXTENT_BUFFER_ZONED_ZEROOUT before the bio submission. This mechanism is introduced to prevent a write hole of an extent buffer, which is once allocated, marked dirty, but turns out unnecessary and cleaned up within one transaction operation. Currently, btrfs_clear_buffer_dirty() marks the extent buffer as EXTENT_BUFFER_ZONED_ZEROOUT, and skips the entry function. If this call happens while the buffer is under IO (with the WRITEBACK flag set, without the DIRTY flag), we can add the ZEROOUT flag and clear the buffer's content just before a bio submission. As a result: 1) it can lead to adding faulty delayed reference item which leads to a FS corrupted (EUCLEAN) error, and 2) it writes out cleared tree node on disk The former issue is previously discussed in [1]. The corruption happens when it runs a delayed reference update. So, on-disk data is safe. [1] https://lore.kernel.org/linux-btrfs/3f4f2a0ff1a6c818050434288925bdcf3cd719e5.1709124777.git.naohiro.aota@wdc.com/ The latter one can reach on-disk data. But, as that node is already processed by btrfs_clear_buffer_dirty(), that will be invalidated in the next transaction commit anyway. So, the chance of hitting the corruption is relatively small. Anyway, we should skip flagging ZEROOUT on a non-DIRTY extent buffer, to keep the content under IO intact.

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms