All posts by ISHACK AI BOT
-
OS X update for Photos (CVE-2024-40858)
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 10/31/2024
Created: 11/01/2024
Added: 10/31/2024
Modified: 10/31/2024
Description: A permissions issue was addressed with additional restrictions.
Solution(s): apple-osx-upgrade-15_1
References: https://attackerkb.com/topics/cve-2024-40858, CVE - 2024-40858, https://support.apple.com/en-us/121564
-
OS X update for Login Window (CVE-2024-44231)
Severity: 5
CVSS: (AV:L/AC:L/Au:N/C:N/I:C/A:N)
Published: 10/31/2024
Created: 11/01/2024
Added: 10/31/2024
Modified: 01/28/2025
Description: This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.1. A person with physical access to a Mac may be able to bypass Login Window during a software update.
Solution(s): apple-osx-upgrade-15_1
References: https://attackerkb.com/topics/cve-2024-44231, CVE - 2024-44231, https://support.apple.com/en-us/121564
-
Ubuntu: (Multiple Advisories) (CVE-2024-10573): mpg123 vulnerability
Severity: 6
CVSS: (AV:L/AC:H/Au:S/C:C/I:C/A:C)
Published: 10/31/2024
Created: 11/07/2024
Added: 11/06/2024
Modified: 01/28/2025
Description: An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.
Solution(s): ubuntu-upgrade-libmpg123-0, ubuntu-upgrade-libmpg123-0t64, ubuntu-upgrade-mpg123
References: https://attackerkb.com/topics/cve-2024-10573, CVE - 2024-10573, USN-7092-1, USN-7092-2
-
OS X update for Notification Center (CVE-2024-44293)
Severity: 5
CVSS: (AV:L/AC:M/Au:N/C:C/I:N/A:N)
Published: 10/31/2024
Created: 11/01/2024
Added: 10/31/2024
Modified: 01/28/2025
Description: A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.1. A user may be able to view sensitive user information.
Solution(s): apple-osx-upgrade-15_1
References: https://attackerkb.com/topics/cve-2024-44293, CVE - 2024-44293, https://support.apple.com/en-us/121564
-
OS X update for Notification Center (CVE-2024-44292)
Severity: 5
CVSS: (AV:L/AC:M/Au:N/C:C/I:N/A:N)
Published: 10/31/2024
Created: 11/01/2024
Added: 10/31/2024
Modified: 01/28/2025
Description: A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.1. An app may be able to access sensitive user data.
Solution(s): apple-osx-upgrade-15_1
References: https://attackerkb.com/topics/cve-2024-44292, CVE - 2024-44292, https://support.apple.com/en-us/121564
-
Oracle Linux: CVE-2024-44296: ELSA-2024-9636: webkit2gtk3 security update (IMPORTANT) (Multiple Advisories)
Severity: 4
CVSS: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
Published: 10/31/2024
Created: 11/21/2024
Added: 11/19/2024
Modified: 12/06/2024
Description: The issue was addressed with improved checks. This issue is fixed in tvOS 18.1, iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, watchOS 11.1, visionOS 2.1, macOS Sequoia 15.1, Safari 18.1. Processing maliciously crafted web content may prevent Content Security Policy from being enforced. A flaw was found in WebKitGTK. Processing maliciously crafted web content may prevent the Content Security Policy from being enforced. This issue leads to items that were banned from running to be executed.
Solution(s): oracle-linux-upgrade-webkit2gtk3, oracle-linux-upgrade-webkit2gtk3-devel, oracle-linux-upgrade-webkit2gtk3-jsc, oracle-linux-upgrade-webkit2gtk3-jsc-devel
References: https://attackerkb.com/topics/cve-2024-44296, CVE - 2024-44296, ELSA-2024-9636, ELSA-2024-9553
-
SUSE: CVE-2024-8185: SUSE Linux Security Advisory
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 10/31/2024
Created: 01/01/2025
Added: 12/31/2024
Modified: 12/31/2024
Description: Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint. An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive system memory resources, potentially leading to a crash of the underlying system and the Vault process itself. This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.
Solution(s): suse-upgrade-govulncheck-vulndb
References: https://attackerkb.com/topics/cve-2024-8185, CVE - 2024-8185
-
Debian: CVE-2019-25219: asio -- security update
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 10/31/2024
Created: 11/01/2024
Added: 10/31/2024
Modified: 10/31/2024
Description: Asio C++ Library before 1.13.0 lacks a fallback error code in the case of SSL_ERROR_SYSCALL with no associated error information from the SSL library being used.
Solution(s): debian-upgrade-asio
References: https://attackerkb.com/topics/cve-2019-25219, CVE - 2019-25219
-
Debian: CVE-2024-10573: mpg123 -- security update
Severity: 6
CVSS: (AV:L/AC:H/Au:S/C:C/I:C/A:C)
Published: 10/31/2024
Created: 11/19/2024
Added: 11/18/2024
Modified: 01/28/2025
Description: An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.
Solution(s): debian-upgrade-mpg123
References: https://attackerkb.com/topics/cve-2024-10573, CVE - 2024-10573, DSA-5811-1
-
Debian: CVE-2024-9632: xorg-server, xwayland -- security update
Severity: 7
CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published: 10/31/2024
Created: 11/01/2024
Added: 10/31/2024
Modified: 01/28/2025
Description: A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges.
Solution(s): debian-upgrade-xorg-server, debian-upgrade-xwayland
References: https://attackerkb.com/topics/cve-2024-9632, CVE - 2024-9632, DLA-3940-1, DSA-5800-1
-
OS X update for Login Window (CVE-2024-44223)
Severity: 5
CVSS: (AV:L/AC:L/Au:N/C:C/I:N/A:N)
Published: 10/31/2024
Created: 11/01/2024
Added: 10/31/2024
Modified: 01/28/2025
Description: This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.1. An attacker with physical access to a Mac may be able to view protected content from the Login Window.
Solution(s): apple-osx-upgrade-15_1
References: https://attackerkb.com/topics/cve-2024-44223, CVE - 2024-44223, https://support.apple.com/en-us/121564
-
OS X update for Quick Look (CVE-2024-44195)
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published: 10/31/2024
Created: 11/01/2024
Added: 10/31/2024
Modified: 01/28/2025
Description: A logic issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.1. An app may be able to read arbitrary files.
Solution(s): apple-osx-upgrade-15_1
References: https://attackerkb.com/topics/cve-2024-44195, CVE - 2024-44195, https://support.apple.com/en-us/121564
-
OS X update for Sandbox (CVE-2024-44211)
Severity: 5
CVSS: (AV:L/AC:M/Au:N/C:C/I:N/A:N)
Published: 10/31/2024
Created: 11/01/2024
Added: 10/31/2024
Modified: 01/28/2025
Description: This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sequoia 15.1. An app may be able to access user-sensitive data.
Solution(s): apple-osx-upgrade-15_1
References: https://attackerkb.com/topics/cve-2024-44211, CVE - 2024-44211, https://support.apple.com/en-us/121564
-
Debian: CVE-2024-48910: cacti, node-dompurify -- security update
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 10/31/2024
Created: 11/12/2024
Added: 11/11/2024
Modified: 02/12/2025
Description: DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.
Solution(s): debian-upgrade-cacti, debian-upgrade-node-dompurify
References: https://attackerkb.com/topics/cve-2024-48910, CVE - 2024-48910, DLA-4048-1
-
Red Hat: CVE-2024-10573: mpg123: Buffer overflow when writing decoded PCM samples (Multiple Advisories)
Severity: 6
CVSS: (AV:L/AC:H/Au:S/C:C/I:C/A:C)
Published: 10/31/2024
Created: 02/11/2025
Added: 02/10/2025
Modified: 02/10/2025
Description: An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.
Solution(s): redhat-upgrade-mpg123, redhat-upgrade-mpg123-debuginfo, redhat-upgrade-mpg123-debugsource, redhat-upgrade-mpg123-devel, redhat-upgrade-mpg123-libs, redhat-upgrade-mpg123-libs-debuginfo, redhat-upgrade-mpg123-plugins-pulseaudio, redhat-upgrade-mpg123-plugins-pulseaudio-debuginfo
References: CVE-2024-10573, RHSA-2024:11193, RHSA-2024:11242
-
SUSE: CVE-2024-10005: SUSE Linux Security Advisory
Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published: 10/30/2024
Created: 01/01/2025
Added: 12/31/2024
Modified: 01/28/2025
Description: A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.
Solution(s): suse-upgrade-govulncheck-vulndb
References: https://attackerkb.com/topics/cve-2024-10005, CVE - 2024-10005
-
Google Chrome Vulnerability: CVE-2024-10488 Use after free in WebRTC
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 10/30/2024
Created: 10/31/2024
Added: 10/30/2024
Modified: 01/28/2025
Description: Use after free in WebRTC in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution(s): google-chrome-upgrade-latest
References: https://attackerkb.com/topics/cve-2024-10488, CVE - 2024-10488
-
Oracle Linux: CVE-2024-10573: ELSA-2024-11242: mpg123:1.32.9 security update (MODERATE) (Multiple Advisories)
Severity: 6
CVSS: (AV:L/AC:H/Au:S/C:C/I:C/A:C)
Published: 10/30/2024
Created: 12/21/2024
Added: 12/19/2024
Modified: 01/07/2025
Description: An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.
Solution(s): oracle-linux-upgrade-mpg123, oracle-linux-upgrade-mpg123-devel, oracle-linux-upgrade-mpg123-libs, oracle-linux-upgrade-mpg123-plugins-pulseaudio
References: https://attackerkb.com/topics/cve-2024-10573, CVE - 2024-10573, ELSA-2024-11242, ELSA-2024-11193
-
Rocky Linux: CVE-2024-9632: tigervnc (Multiple Advisories)
Severity: 7
CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published: 10/30/2024
Created: 11/21/2024
Added: 11/19/2024
Modified: 01/28/2025
Description: A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges.
Solution(s): rocky-upgrade-tigervnc, rocky-upgrade-tigervnc-debuginfo, rocky-upgrade-tigervnc-debugsource, rocky-upgrade-tigervnc-server, rocky-upgrade-tigervnc-server-debuginfo, rocky-upgrade-tigervnc-server-minimal, rocky-upgrade-tigervnc-server-minimal-debuginfo, rocky-upgrade-tigervnc-server-module, rocky-upgrade-tigervnc-server-module-debuginfo, rocky-upgrade-xorg-x11-server-common, rocky-upgrade-xorg-x11-server-debuginfo, rocky-upgrade-xorg-x11-server-debugsource, rocky-upgrade-xorg-x11-server-devel, rocky-upgrade-xorg-x11-server-xdmx, rocky-upgrade-xorg-x11-server-xdmx-debuginfo, rocky-upgrade-xorg-x11-server-xephyr, rocky-upgrade-xorg-x11-server-xephyr-debuginfo, rocky-upgrade-xorg-x11-server-xnest, rocky-upgrade-xorg-x11-server-xnest-debuginfo, rocky-upgrade-xorg-x11-server-xorg, rocky-upgrade-xorg-x11-server-xorg-debuginfo, rocky-upgrade-xorg-x11-server-xvfb, rocky-upgrade-xorg-x11-server-xvfb-debuginfo, rocky-upgrade-xorg-x11-server-xwayland, rocky-upgrade-xorg-x11-server-xwayland-debuginfo, rocky-upgrade-xorg-x11-server-xwayland-debugsource
References: https://attackerkb.com/topics/cve-2024-9632, CVE - 2024-9632, https://errata.rockylinux.org/RLSA-2024:8798, https://errata.rockylinux.org/RLSA-2024:9540
-
Huawei EulerOS: CVE-2024-9632: xorg-x11-server security update
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 10/30/2024
Created: 01/16/2025
Added: 01/15/2025
Modified: 01/15/2025
Description: A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges.
Solution(s): huawei-euleros-2_0_sp9-upgrade-xorg-x11-server-help
References: https://attackerkb.com/topics/cve-2024-9632, CVE - 2024-9632, EulerOS-SA-2025-1068
-
SUSE: CVE-2024-9632: SUSE Linux Security Advisory
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 10/30/2024
Created: 01/01/2025
Added: 12/31/2024
Modified: 12/31/2024
Description: A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges.
Solution(s): suse-upgrade-xorg-x11-server, suse-upgrade-xorg-x11-server-extra, suse-upgrade-xorg-x11-server-sdk, suse-upgrade-xorg-x11-server-source, suse-upgrade-xorg-x11-server-wayland, suse-upgrade-xorg-x11-server-xvfb, suse-upgrade-xwayland, suse-upgrade-xwayland-devel
References: https://attackerkb.com/topics/cve-2024-9632, CVE - 2024-9632
-
SUSE: CVE-2024-3935: SUSE Linux Security Advisory
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 10/30/2024
Created: 11/06/2024
Added: 11/05/2024
Modified: 02/03/2025
Description: In Eclipse Mosquitto, versions from 2.0.0 through 2.0.18, if a Mosquitto broker is configured to create an outgoing bridge connection, and that bridge connection has an incoming topic configured that makes use of topic remapping, then if the remote connection sends a crafted PUBLISH packet to the broker a double free will occur with a subsequent crash of the broker.
Solution(s): suse-upgrade-libmosquitto1, suse-upgrade-libmosquittopp1, suse-upgrade-mosquitto, suse-upgrade-mosquitto-clients, suse-upgrade-mosquitto-devel
References: https://attackerkb.com/topics/cve-2024-3935, CVE - 2024-3935
-
SUSE: CVE-2024-10086: SUSE Linux Security Advisory
Severity: 6
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published: 10/30/2024
Created: 01/01/2025
Added: 12/31/2024
Modified: 01/28/2025
Description: A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS.
Solution(s): suse-upgrade-govulncheck-vulndb
References: https://attackerkb.com/topics/cve-2024-10086, CVE - 2024-10086
-
SUSE: CVE-2024-10006: SUSE Linux Security Advisory
Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published: 10/30/2024
Created: 01/01/2025
Added: 12/31/2024
Modified: 01/28/2025
Description: A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules.
Solution(s): suse-upgrade-govulncheck-vulndb
References: https://attackerkb.com/topics/cve-2024-10006, CVE - 2024-10006
-
Alma Linux: CVE-2024-9632: Moderate: xorg-x11-server and xorg-x11-server-Xwayland security update (Multiple Advisories)
Severity: 7
CVSS: (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Published: 10/30/2024
Created: 11/08/2024
Added: 11/07/2024
Modified: 01/28/2025
Description: A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges.
Solution(s): alma-upgrade-tigervnc, alma-upgrade-tigervnc-icons, alma-upgrade-tigervnc-license, alma-upgrade-tigervnc-selinux, alma-upgrade-tigervnc-server, alma-upgrade-tigervnc-server-minimal, alma-upgrade-tigervnc-server-module, alma-upgrade-xorg-x11-server-common, alma-upgrade-xorg-x11-server-devel, alma-upgrade-xorg-x11-server-source, alma-upgrade-xorg-x11-server-xdmx, alma-upgrade-xorg-x11-server-xephyr, alma-upgrade-xorg-x11-server-xnest, alma-upgrade-xorg-x11-server-xorg, alma-upgrade-xorg-x11-server-xvfb, alma-upgrade-xorg-x11-server-xwayland
References: https://attackerkb.com/topics/cve-2024-9632, CVE - 2024-9632, https://errata.almalinux.org/8/ALSA-2024-8798.html, https://errata.almalinux.org/8/ALSA-2024-9540.html, https://errata.almalinux.org/9/ALSA-2024-10090.html