All posts by ISHACK AI BOT
-
Red Hat: CVE-2024-8900: firefox: Clipboard write permission bypass (Multiple Advisories)
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:C/A:N)
Published: 09/17/2024 | Created: 10/08/2024 | Added: 10/07/2024 | Modified: 10/10/2024
Description: An attacker could write data to the user's clipboard, bypassing the user prompt, during a certain sequence of navigational events. This vulnerability affects Firefox < 129, Firefox ESR < 128.3, and Thunderbird < 128.3.
Solution(s): redhat-upgrade-firefox, redhat-upgrade-firefox-debuginfo, redhat-upgrade-firefox-debugsource, redhat-upgrade-firefox-x11
References: CVE-2024-8900, RHSA-2024:7622, RHSA-2024:7700, RHSA-2024:7842
-
Ubuntu: USN-7079-1 (CVE-2024-40866): WebKitGTK vulnerabilities
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 09/17/2024 | Created: 10/24/2024 | Added: 10/23/2024 | Modified: 01/28/2025
Description: The issue was addressed with improved UI. This issue is fixed in Safari 18, macOS Sequoia 15. Visiting a malicious website may lead to address bar spoofing.
Solution(s): ubuntu-upgrade-libjavascriptcoregtk-4-0-18, ubuntu-upgrade-libjavascriptcoregtk-4-1-0, ubuntu-upgrade-libjavascriptcoregtk-6-0-1, ubuntu-upgrade-libwebkit2gtk-4-0-37, ubuntu-upgrade-libwebkit2gtk-4-1-0, ubuntu-upgrade-libwebkitgtk-6-0-4
References: https://attackerkb.com/topics/cve-2024-40866, CVE-2024-40866, USN-7079-1
-
Red Hat: CVE-2024-40866: webkitgtk: Visiting a malicious website may lead to address bar spoofing (Multiple Advisories)
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:C/A:N)
Published: 09/17/2024 | Created: 10/18/2024 | Added: 10/18/2024 | Modified: 11/27/2024
Description: The issue was addressed with improved UI. This issue is fixed in Safari 18, macOS Sequoia 15. Visiting a malicious website may lead to address bar spoofing.
Solution(s): redhat-upgrade-webkit2gtk3, redhat-upgrade-webkit2gtk3-debuginfo, redhat-upgrade-webkit2gtk3-debugsource, redhat-upgrade-webkit2gtk3-devel, redhat-upgrade-webkit2gtk3-devel-debuginfo, redhat-upgrade-webkit2gtk3-jsc, redhat-upgrade-webkit2gtk3-jsc-debuginfo, redhat-upgrade-webkit2gtk3-jsc-devel, redhat-upgrade-webkit2gtk3-jsc-devel-debuginfo
References: CVE-2024-40866, RHSA-2024:8180, RHSA-2024:9553, RHSA-2024:9636
-
Ubuntu: USN-7079-1 (CVE-2024-44187): WebKitGTK vulnerabilities
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:C/I:N/A:N)
Published: 09/17/2024 | Created: 10/24/2024 | Added: 10/23/2024 | Modified: 01/30/2025
Description: A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins. This issue is fixed in Safari 18, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. A malicious website may exfiltrate data cross-origin.
Solution(s): ubuntu-upgrade-libjavascriptcoregtk-4-0-18, ubuntu-upgrade-libjavascriptcoregtk-4-1-0, ubuntu-upgrade-libjavascriptcoregtk-6-0-1, ubuntu-upgrade-libwebkit2gtk-4-0-37, ubuntu-upgrade-libwebkit2gtk-4-1-0, ubuntu-upgrade-libwebkitgtk-6-0-4
References: https://attackerkb.com/topics/cve-2024-44187, CVE-2024-44187, USN-7079-1
-
Ubuntu: (Multiple Advisories) (CVE-2024-46794): Linux kernel vulnerabilities
Severity: 2
CVSS: (AV:L/AC:L/Au:S/C:P/I:N/A:N)
Published: 09/18/2024 | Created: 12/14/2024 | Added: 12/13/2024 | Modified: 01/30/2025
Description: In the Linux kernel, the following vulnerability has been resolved:

x86/tdx: Fix data leak in mmio_read()

The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM. This variable is only needed as an output value. It did not need to be passed to the VMM in the first place. Do not send the original value of *val to the VMM.

[ dhansen: clarify what 'val' is used for. ]

Solution(s): ubuntu-upgrade-linux-image-6-8-0-1002-gkeop, ubuntu-upgrade-linux-image-6-8-0-1015-gke, ubuntu-upgrade-linux-image-6-8-0-1016-raspi, ubuntu-upgrade-linux-image-6-8-0-1017-ibm, ubuntu-upgrade-linux-image-6-8-0-1017-oracle, ubuntu-upgrade-linux-image-6-8-0-1017-oracle-64k, ubuntu-upgrade-linux-image-6-8-0-1018-oem, ubuntu-upgrade-linux-image-6-8-0-1019-gcp, ubuntu-upgrade-linux-image-6-8-0-1019-nvidia, ubuntu-upgrade-linux-image-6-8-0-1019-nvidia-64k, ubuntu-upgrade-linux-image-6-8-0-1019-nvidia-lowlatency, ubuntu-upgrade-linux-image-6-8-0-1019-nvidia-lowlatency-64k, ubuntu-upgrade-linux-image-6-8-0-1020-aws, ubuntu-upgrade-linux-image-6-8-0-1020-azure, ubuntu-upgrade-linux-image-6-8-0-1020-azure-fde, ubuntu-upgrade-linux-image-6-8-0-50-generic, ubuntu-upgrade-linux-image-6-8-0-50-generic-64k, ubuntu-upgrade-linux-image-6-8-0-50-lowlatency, ubuntu-upgrade-linux-image-6-8-0-50-lowlatency-64k, ubuntu-upgrade-linux-image-aws, ubuntu-upgrade-linux-image-azure, ubuntu-upgrade-linux-image-azure-fde, ubuntu-upgrade-linux-image-gcp, ubuntu-upgrade-linux-image-generic, ubuntu-upgrade-linux-image-generic-64k, ubuntu-upgrade-linux-image-generic-64k-hwe-22-04, ubuntu-upgrade-linux-image-generic-64k-hwe-24-04, ubuntu-upgrade-linux-image-generic-hwe-22-04, ubuntu-upgrade-linux-image-generic-hwe-24-04, ubuntu-upgrade-linux-image-generic-lpae, ubuntu-upgrade-linux-image-gke, ubuntu-upgrade-linux-image-gkeop, ubuntu-upgrade-linux-image-gkeop-6-8, ubuntu-upgrade-linux-image-ibm, ubuntu-upgrade-linux-image-ibm-classic, ubuntu-upgrade-linux-image-ibm-lts-24-04, ubuntu-upgrade-linux-image-kvm, ubuntu-upgrade-linux-image-lowlatency, ubuntu-upgrade-linux-image-lowlatency-64k, ubuntu-upgrade-linux-image-lowlatency-64k-hwe-22-04, ubuntu-upgrade-linux-image-lowlatency-64k-hwe-24-04, ubuntu-upgrade-linux-image-lowlatency-hwe-22-04, ubuntu-upgrade-linux-image-lowlatency-hwe-24-04, ubuntu-upgrade-linux-image-nvidia, ubuntu-upgrade-linux-image-nvidia-6-8, ubuntu-upgrade-linux-image-nvidia-64k, ubuntu-upgrade-linux-image-nvidia-64k-6-8, ubuntu-upgrade-linux-image-nvidia-64k-hwe-22-04, ubuntu-upgrade-linux-image-nvidia-hwe-22-04, ubuntu-upgrade-linux-image-nvidia-lowlatency, ubuntu-upgrade-linux-image-nvidia-lowlatency-64k, ubuntu-upgrade-linux-image-oem-22-04, ubuntu-upgrade-linux-image-oem-22-04a, ubuntu-upgrade-linux-image-oem-22-04b, ubuntu-upgrade-linux-image-oem-22-04c, ubuntu-upgrade-linux-image-oem-22-04d, ubuntu-upgrade-linux-image-oem-24-04, ubuntu-upgrade-linux-image-oem-24-04a, ubuntu-upgrade-linux-image-oracle, ubuntu-upgrade-linux-image-oracle-64k, ubuntu-upgrade-linux-image-raspi, ubuntu-upgrade-linux-image-virtual, ubuntu-upgrade-linux-image-virtual-hwe-22-04, ubuntu-upgrade-linux-image-virtual-hwe-24-04
References: https://attackerkb.com/topics/cve-2024-46794, CVE-2024-46794, USN-7154-1, USN-7154-2, USN-7155-1, USN-7156-1, USN-7196-1
-
Apple Safari security update for CVE-2024-44202
Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published: 09/17/2024 | Created: 11/01/2024 | Added: 10/31/2024 | Modified: 01/28/2025
Description: An authentication issue was addressed with improved state management. This issue is fixed in iOS 18 and iPadOS 18. Private Browsing tabs may be accessed without authentication.
Solution(s): apple-safari-upgrade-18, apple-safari-windows-uninstall
References: https://attackerkb.com/topics/cve-2024-44202, CVE-2024-44202, http://support.apple.com/en-us/121241
-
Ubuntu: (Multiple Advisories) (CVE-2024-46797): Linux kernel vulnerabilities
Severity: 5
CVSS: (AV:L/AC:L/Au:S/C:N/I:N/A:C)
Published: 09/18/2024 | Created: 12/14/2024 | Added: 12/13/2024 | Modified: 01/30/2025
Description: In the Linux kernel, the following vulnerability has been resolved:

powerpc/qspinlock: Fix deadlock in MCS queue

If an interrupt occurs in queued_spin_lock_slowpath() after we increment qnodesp->count and before node->lock is initialized, another CPU might see stale lock values in get_tail_qnode(). If the stale lock value happens to match the lock on that CPU, then we write to the "next" pointer of the wrong qnode. This causes a deadlock as the former CPU, once it becomes the head of the MCS queue, will spin indefinitely until its "next" pointer is set by its successor in the queue.

Running stress-ng on a 16 core (16EC/16VP) shared LPAR, results in occasional lockups similar to the following:

    $ stress-ng --all 128 --vm-bytes 80% --aggressive \
                --maximize --oomable --verify --syslog \
                --metrics --times --timeout 5m

    watchdog: CPU 15 Hard LOCKUP
    ......
    NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490
    LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90
    Call Trace:
     0xc000002cfffa3bf0 (unreliable)
     _raw_spin_lock+0x6c/0x90
     raw_spin_rq_lock_nested.part.135+0x4c/0xd0
     sched_ttwu_pending+0x60/0x1f0
     __flush_smp_call_function_queue+0x1dc/0x670
     smp_ipi_demux_relaxed+0xa4/0x100
     xive_muxed_ipi_action+0x20/0x40
     __handle_irq_event_percpu+0x80/0x240
     handle_irq_event_percpu+0x2c/0x80
     handle_percpu_irq+0x84/0xd0
     generic_handle_irq+0x54/0x80
     __do_irq+0xac/0x210
     __do_IRQ+0x74/0xd0
     0x0
     do_IRQ+0x8c/0x170
     hardware_interrupt_common_virt+0x29c/0x2a0
    --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490
    ......
    NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490
    LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90
    --- interrupt: 500
     0xc0000029c1a41d00 (unreliable)
     _raw_spin_lock+0x6c/0x90
     futex_wake+0x100/0x260
     do_futex+0x21c/0x2a0
     sys_futex+0x98/0x270
     system_call_exception+0x14c/0x2f0
     system_call_vectored_common+0x15c/0x2ec

The following code flow illustrates how the deadlock occurs. For the sake of brevity, assume that both locks (A and B) are contended and we call the queued_spin_lock_slowpath() function.

    CPU0                                    CPU1
    ----                                    ----
    spin_lock_irqsave(A)                     |
    spin_unlock_irqrestore(A)                |
    spin_lock(B)                             |
         |                                   |
         v                                   |
    id = qnodesp->count++;                   |
    (Note that nodes[0].lock == A)           |
         |                                   |
         v                                   |
    Interrupt                                |
    (happens before "nodes[0].lock = B")     |
         |                                   |
         v                                   |
    spin_lock_irqsave(A)                     |
         |                                   |
         v                                   |
    id = qnodesp->count++                    |
    nodes[1].lock = A                        |
         |                                   |
         v                                   |
    Tail of MCS queue                        |
         |                          spin_lock_irqsave(A)
         v                                   |
    Head of MCS queue                        v
         |                          CPU0 is previous tail
         v                                   |
    Spin indefinitely                        v
    (until "nodes[1].next != NULL") prev = get_tail_qnode(A, CPU0)
                                             |
                                             v
                                    prev == &qnodes[CPU0].nodes[0]
                                    (as qnodes
    ---truncated---

Solution(s): ubuntu-upgrade-linux-image-6-8-0-1002-gkeop, ubuntu-upgrade-linux-image-6-8-0-1015-gke, ubuntu-upgrade-linux-image-6-8-0-1016-raspi, ubuntu-upgrade-linux-image-6-8-0-1017-ibm, ubuntu-upgrade-linux-image-6-8-0-1017-oracle, ubuntu-upgrade-linux-image-6-8-0-1017-oracle-64k, ubuntu-upgrade-linux-image-6-8-0-1018-oem, ubuntu-upgrade-linux-image-6-8-0-1019-gcp, ubuntu-upgrade-linux-image-6-8-0-1019-nvidia, ubuntu-upgrade-linux-image-6-8-0-1019-nvidia-64k, ubuntu-upgrade-linux-image-6-8-0-1019-nvidia-lowlatency, ubuntu-upgrade-linux-image-6-8-0-1019-nvidia-lowlatency-64k, ubuntu-upgrade-linux-image-6-8-0-1020-aws, ubuntu-upgrade-linux-image-6-8-0-1020-azure, ubuntu-upgrade-linux-image-6-8-0-1020-azure-fde, ubuntu-upgrade-linux-image-6-8-0-50-generic, ubuntu-upgrade-linux-image-6-8-0-50-generic-64k, ubuntu-upgrade-linux-image-6-8-0-50-lowlatency, ubuntu-upgrade-linux-image-6-8-0-50-lowlatency-64k, ubuntu-upgrade-linux-image-aws, ubuntu-upgrade-linux-image-azure, ubuntu-upgrade-linux-image-azure-fde, ubuntu-upgrade-linux-image-gcp, ubuntu-upgrade-linux-image-generic, ubuntu-upgrade-linux-image-generic-64k, ubuntu-upgrade-linux-image-generic-64k-hwe-22-04, ubuntu-upgrade-linux-image-generic-64k-hwe-24-04, ubuntu-upgrade-linux-image-generic-hwe-22-04, ubuntu-upgrade-linux-image-generic-hwe-24-04, ubuntu-upgrade-linux-image-generic-lpae, ubuntu-upgrade-linux-image-gke, ubuntu-upgrade-linux-image-gkeop, ubuntu-upgrade-linux-image-gkeop-6-8, ubuntu-upgrade-linux-image-ibm, ubuntu-upgrade-linux-image-ibm-classic, ubuntu-upgrade-linux-image-ibm-lts-24-04, ubuntu-upgrade-linux-image-kvm, ubuntu-upgrade-linux-image-lowlatency, ubuntu-upgrade-linux-image-lowlatency-64k, ubuntu-upgrade-linux-image-lowlatency-64k-hwe-22-04, ubuntu-upgrade-linux-image-lowlatency-64k-hwe-24-04, ubuntu-upgrade-linux-image-lowlatency-hwe-22-04, ubuntu-upgrade-linux-image-lowlatency-hwe-24-04, ubuntu-upgrade-linux-image-nvidia, ubuntu-upgrade-linux-image-nvidia-6-8, ubuntu-upgrade-linux-image-nvidia-64k, ubuntu-upgrade-linux-image-nvidia-64k-6-8, ubuntu-upgrade-linux-image-nvidia-64k-hwe-22-04, ubuntu-upgrade-linux-image-nvidia-hwe-22-04, ubuntu-upgrade-linux-image-nvidia-lowlatency, ubuntu-upgrade-linux-image-nvidia-lowlatency-64k, ubuntu-upgrade-linux-image-oem-22-04, ubuntu-upgrade-linux-image-oem-22-04a, ubuntu-upgrade-linux-image-oem-22-04b, ubuntu-upgrade-linux-image-oem-22-04c, ubuntu-upgrade-linux-image-oem-22-04d, ubuntu-upgrade-linux-image-oem-24-04, ubuntu-upgrade-linux-image-oem-24-04a, ubuntu-upgrade-linux-image-oracle, ubuntu-upgrade-linux-image-oracle-64k, ubuntu-upgrade-linux-image-raspi, ubuntu-upgrade-linux-image-virtual, ubuntu-upgrade-linux-image-virtual-hwe-22-04, ubuntu-upgrade-linux-image-virtual-hwe-24-04
References: https://attackerkb.com/topics/cve-2024-46797, CVE-2024-46797, USN-7154-1, USN-7154-2, USN-7155-1, USN-7156-1, USN-7196-1
-
OS X update for Transparency (CVE-2024-44184)
Severity: 5
CVSS: (AV:L/AC:L/Au:S/C:C/I:N/A:N)
Published: 09/17/2024 | Created: 11/01/2024 | Added: 10/31/2024 | Modified: 01/28/2025
Description: A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Ventura 13.7, iOS 17.7 and iPadOS 17.7, iOS 18 and iPadOS 18, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to access user-sensitive data.
Solution(s): apple-osx-upgrade-13_7, apple-osx-upgrade-14_7, apple-osx-upgrade-15
References: https://attackerkb.com/topics/cve-2024-44184, CVE-2024-44184, https://support.apple.com/en-us/121234, https://support.apple.com/en-us/121238, https://support.apple.com/en-us/121247
-
OS X update for System Settings (CVE-2024-44166)
Severity: 5
CVSS: (AV:L/AC:L/Au:S/C:C/I:N/A:N)
Published: 09/17/2024 | Created: 11/01/2024 | Added: 10/31/2024 | Modified: 01/28/2025
Description: A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to access user-sensitive data.
Solution(s): apple-osx-upgrade-13_7, apple-osx-upgrade-14_7, apple-osx-upgrade-15
References: https://attackerkb.com/topics/cve-2024-44166, CVE-2024-44166, https://support.apple.com/en-us/121234, https://support.apple.com/en-us/121238, https://support.apple.com/en-us/121247
-
OS X update for WebKit (CVE-2024-40857)
Severity: 6
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published: 09/17/2024 | Created: 11/01/2024 | Added: 10/31/2024 | Modified: 01/28/2025
Description: This issue was addressed through improved state management. This issue is fixed in Safari 18, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. Processing maliciously crafted web content may lead to universal cross site scripting.
Solution(s): apple-osx-upgrade-15
References: https://attackerkb.com/topics/cve-2024-40857, CVE-2024-40857, https://support.apple.com/en-us/121238
-
OS X update for WebKit (CVE-2024-40866)
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:N/I:C/A:N)
Published: 09/17/2024 | Created: 11/01/2024 | Added: 10/31/2024 | Modified: 01/28/2025
Description: The issue was addressed with improved UI. This issue is fixed in Safari 18, macOS Sequoia 15. Visiting a malicious website may lead to address bar spoofing.
Solution(s): apple-osx-upgrade-15
References: https://attackerkb.com/topics/cve-2024-40866, CVE-2024-40866, https://support.apple.com/en-us/121238
-
OS X update for TCC (CVE-2024-44133)
Severity: 5
CVSS: (AV:L/AC:L/Au:S/C:N/I:C/A:N)
Published: 09/17/2024 | Created: 11/01/2024 | Added: 10/31/2024 | Modified: 01/28/2025
Description: This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15. On MDM managed devices, an app may be able to bypass certain Privacy preferences.
Solution(s): apple-osx-upgrade-15
References: https://attackerkb.com/topics/cve-2024-44133, CVE-2024-44133, https://support.apple.com/en-us/121238
-
OS X update for WebKit (CVE-2024-44187)
Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:C/I:N/A:N)
Published: 09/17/2024 | Created: 11/01/2024 | Added: 10/31/2024 | Modified: 01/30/2025
Description: A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins. This issue is fixed in Safari 18, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. A malicious website may exfiltrate data cross-origin.
Solution(s): apple-osx-upgrade-15
References: https://attackerkb.com/topics/cve-2024-44187, CVE-2024-44187, https://support.apple.com/en-us/121238
-
OS X update for XProtect (CVE-2024-40843)
Severity: 5
CVSS: (AV:L/AC:L/Au:S/C:N/I:C/A:N)
Published: 09/17/2024 | Created: 11/01/2024 | Added: 10/31/2024 | Modified: 01/28/2025
Description: The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15. An app may be able to modify protected parts of the file system.
Solution(s): apple-osx-upgrade-15
References: https://attackerkb.com/topics/cve-2024-40843, CVE-2024-40843, https://support.apple.com/en-us/121238
-
MFSA2024-47 Firefox: Security Vulnerabilities fixed in Firefox ESR 128.3 (CVE-2024-8900)
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:C/A:N)
Published: 09/17/2024 | Created: 10/03/2024 | Added: 10/02/2024 | Modified: 01/30/2025
Description: An attacker could write data to the user's clipboard, bypassing the user prompt, during a certain sequence of navigational events. This vulnerability affects Firefox < 129, Firefox ESR < 128.3, and Thunderbird < 128.3.
Solution(s): mozilla-firefox-esr-upgrade-128_3
References: https://attackerkb.com/topics/cve-2024-8900, CVE-2024-8900, http://www.mozilla.org/security/announce/2024/mfsa2024-47.html
-
OS X update for APFS (CVE-2024-40825)
Severity: 4
CVSS: (AV:L/AC:L/Au:M/C:N/I:C/A:N)
Published: 09/17/2024 | Created: 11/01/2024 | Added: 10/31/2024 | Modified: 01/28/2025
Description: The issue was addressed with improved checks. This issue is fixed in visionOS 2, macOS Sequoia 15. A malicious app with root privileges may be able to modify the contents of system files.
Solution(s): apple-osx-upgrade-15
References: https://attackerkb.com/topics/cve-2024-40825, CVE-2024-40825, https://support.apple.com/en-us/121238
-
SUSE: CVE-2024-8908: SUSE Linux Security Advisory
Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: 09/17/2024 | Created: 01/01/2025 | Added: 12/31/2024 | Modified: 01/28/2025
Description: Inappropriate implementation in Autofill in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Solution(s): suse-upgrade-chromedriver, suse-upgrade-chromium
References: https://attackerkb.com/topics/cve-2024-8908, CVE-2024-8908
-
Apple Safari security update for CVE-2024-40857
Severity: 6
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published: 09/17/2024 | Created: 10/14/2024 | Added: 10/14/2024 | Modified: 01/28/2025
Description: This issue was addressed through improved state management. This issue is fixed in Safari 18, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. Processing maliciously crafted web content may lead to universal cross site scripting.
Solution(s): apple-safari-upgrade-18, apple-safari-windows-uninstall
References: https://attackerkb.com/topics/cve-2024-40857, CVE-2024-40857, http://support.apple.com/en-us/121241
-
OS X update for sudo (CVE-2024-40860)
Severity: 5
CVSS: (AV:L/AC:L/Au:S/C:N/I:C/A:N)
Published: 09/17/2024 | Created: 11/01/2024 | Added: 10/31/2024 | Modified: 01/28/2025
Description: A logic issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.7, macOS Sequoia 15. An app may be able to modify protected parts of the file system.
Solution(s): apple-osx-upgrade-14_7, apple-osx-upgrade-15
References: https://attackerkb.com/topics/cve-2024-40860, CVE-2024-40860, https://support.apple.com/en-us/121238, https://support.apple.com/en-us/121247
-
OS X update for Music (CVE-2024-27858)
Severity: 5
CVSS: (AV:L/AC:L/Au:S/C:C/I:N/A:N)
Published: 09/17/2024 | Created: 11/01/2024 | Added: 10/31/2024 | Modified: 01/28/2025
Description: A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15. An app may be able to access protected user data.
Solution(s): apple-osx-upgrade-15
References: https://attackerkb.com/topics/cve-2024-27858, CVE-2024-27858, https://support.apple.com/en-us/121238
-
Gentoo Linux: CVE-2024-8900: Mozilla Firefox: Multiple Vulnerabilities
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:N/I:C/A:N)
Published: 09/17/2024 | Created: 12/10/2024 | Added: 12/09/2024 | Modified: 01/30/2025
Description: An attacker could write data to the user's clipboard, bypassing the user prompt, during a certain sequence of navigational events. This vulnerability affects Firefox < 129, Firefox ESR < 128.3, and Thunderbird < 128.3.
Solution(s): gentoo-linux-upgrade-mail-client-thunderbird, gentoo-linux-upgrade-mail-client-thunderbird-bin, gentoo-linux-upgrade-www-client-firefox, gentoo-linux-upgrade-www-client-firefox-bin
References: https://attackerkb.com/topics/cve-2024-8900, CVE-2024-8900, 202412-04, 202412-06
-
OS X update for Sandbox (CVE-2024-44125)
Severity: 5
CVSS: (AV:L/AC:M/Au:N/C:C/I:N/A:N)
Published: 09/17/2024 | Created: 11/01/2024 | Added: 10/31/2024 | Modified: 01/28/2025
Description: The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.7, macOS Sequoia 15. A malicious application may be able to leak sensitive user information.
Solution(s): apple-osx-upgrade-14_7, apple-osx-upgrade-15
References: https://attackerkb.com/topics/cve-2024-44125, CVE-2024-44125, https://support.apple.com/en-us/121238, https://support.apple.com/en-us/121247
-
OS X update for AppleMobileFileIntegrity (CVE-2024-40848)
Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published: 09/17/2024 | Created: 11/01/2024 | Added: 10/31/2024 | Modified: 01/28/2025
Description: A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Ventura 13.7, macOS Sonoma 14.7, macOS Sequoia 15. An attacker may be able to read sensitive information.
Solution(s): apple-osx-upgrade-13_7, apple-osx-upgrade-14_7, apple-osx-upgrade-15
References: https://attackerkb.com/topics/cve-2024-40848, CVE-2024-40848, https://support.apple.com/en-us/121234, https://support.apple.com/en-us/121238, https://support.apple.com/en-us/121247
-
OS X update for FileProvider (CVE-2024-44131)
Severity: 5
CVSS: (AV:L/AC:L/Au:S/C:C/I:N/A:N)
Published: 09/17/2024 | Created: 11/01/2024 | Added: 10/31/2024 | Modified: 01/28/2025
Description: This issue was addressed with improved validation of symlinks. This issue is fixed in iOS 18 and iPadOS 18, macOS Sequoia 15. An app may be able to access sensitive user data.
Solution(s): apple-osx-upgrade-15
References: https://attackerkb.com/topics/cve-2024-44131, CVE-2024-44131, https://support.apple.com/en-us/121238
-
OS X update for AppleVA (CVE-2024-40841)
Severity: 5
CVSS: (AV:L/AC:M/Au:N/C:N/I:N/A:C)
Published: 09/17/2024 | Created: 11/01/2024 | Added: 10/31/2024 | Modified: 01/28/2025
Description: An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Sonoma 14.7, macOS Sequoia 15. Processing a maliciously crafted video file may lead to unexpected app termination.
Solution(s): apple-osx-upgrade-14_7, apple-osx-upgrade-15
References: https://attackerkb.com/topics/cve-2024-40841, CVE-2024-40841, https://support.apple.com/en-us/121238, https://support.apple.com/en-us/121247