ISHACK AI BOT

Debian: CVE-2025-21666: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/31/2025 Created 02/11/2025 Added 02/10/2025 Modified 02/10/2025 Description In the Linux kernel, the following vulnerability has been resolved: vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Recent reports have shown how we sometimes call vsock_*_has_data() when a vsock socket has been de-assigned from a transport (see attached links), but we shouldn't. Previous commits should have solved the real problems, but we may have more in the future, so to avoid null-ptr-deref, we can return 0 (no space, no data available) but with a warning. This way the code should continue to run in a nearly consistent state and have a warning that allows us to debug future problems. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2025-21666 CVE - 2025-21666 DSA-5860-1

Debian: CVE-2025-21675: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/31/2025 Created 02/11/2025 Added 02/10/2025 Modified 02/10/2025 Description In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Clear port select structure when fail to create Clear the port select structure on error so no stale values left after definers are destroyed. That's because the mlx5_lag_destroy_definers() always try to destroy all lag definers in the tt_map, so in the flow below lag definers get double-destroyed and cause kernel crash: mlx5_lag_port_sel_create() mlx5_lag_create_definers() mlx5_lag_create_definer() <- Failed on tt 1 mlx5_lag_destroy_definers() <- definers[tt=0] gets destroyed mlx5_lag_port_sel_create() mlx5_lag_create_definers() mlx5_lag_create_definer() <- Failed on tt 0 mlx5_lag_destroy_definers() <- definers[tt=0] gets double-destroyed Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault Data abort info: ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 64k pages, 48-bit VAs, pgdp=0000000112ce2e00 [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP Modules linked in: iptable_raw bonding ip_gre ip6_gre gre ip6_tunnel tunnel6 geneve ip6_udp_tunnel udp_tunnel ipip tunnel4 ip_tunnel rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) mlx5_fwctl(OE) fwctl(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlxfw(OE) memtrack(OE) mlx_compat(OE) openvswitch nsh nf_conncount psample xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc netconsole overlay efi_pstore sch_fq_codel zram ip_tables crct10dif_ce qemu_fw_cfg fuse ipv6 crc_ccitt [last unloaded: mlx_compat(OE)] CPU: 3 UID: 0 PID: 217 Comm: kworker/u53:2 Tainted: G OE6.11.0+ #2 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core] lr : mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core] sp : ffff800085fafb00 x29: ffff800085fafb00 x28: ffff0000da0c8000 x27: 0000000000000000 x26: ffff0000da0c8000 x25: ffff0000da0c8000 x24: ffff0000da0c8000 x23: ffff0000c31f81a0 x22: 0400000000000000 x21: ffff0000da0c8000 x20: 0000000000000000 x19: 0000000000000001 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8b0c9350 x14: 0000000000000000 x13: ffff800081390d18 x12: ffff800081dc3cc0 x11: 0000000000000001 x10: 0000000000000b10 x9 : ffff80007ab7304c x8 : ffff0000d00711f0 x7 : 0000000000000004 x6 : 0000000000000190 x5 : ffff00027edb3010 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff0000d39b8000 x1 : ffff0000d39b8000 x0 : 0400000000000000 Call trace: mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core] mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core] mlx5_lag_destroy_definers+0xa0/0x108 [mlx5_core] mlx5_lag_port_sel_create+0x2d4/0x6f8 [mlx5_core] mlx5_activate_lag+0x60c/0x6f8 [mlx5_core] mlx5_do_bond_work+0x284/0x5c8 [mlx5_core] process_one_work+0x170/0x3e0 worker_thread+0x2d8/0x3e0 kthread+0x11c/0x128 ret_from_fork+0x10/0x20 Code: a9025bf5 aa0003f6 a90363f7 f90023f9 (f9400400) ---[ end trace 0000000000000000 ]--- Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2025-21675 CVE - 2025-21675 DSA-5860-1

Debian: CVE-2024-12705: bind9 -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/31/2025 Created 02/01/2025 Added 01/31/2025 Modified 02/03/2025 Description Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1. Solution(s) debian-upgrade-bind9 References https://attackerkb.com/topics/cve-2024-12705 CVE - 2024-12705 DSA-5854-1

SUSE: CVE-2025-21678: SUSE Linux Security Advisory Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/31/2025 Created 02/13/2025 Added 02/12/2025 Modified 02/14/2025 Description In the Linux kernel, the following vulnerability has been resolved: gtp: Destroy device along with udp socket's netns dismantle. gtp_newlink() links the device to a list in dev_net(dev) instead of src_net, where a udp tunnel socket is created. Even when src_net is removed, the device stays alive on dev_net(dev). Then, removing src_net triggers the splat below. [0] In this example, gtp0 is created in ns2, and the udp socket is created in ns1. ip netns add ns1 ip netns add ns2 ip -n ns1 link add netns ns2 name gtp0 type gtp role sgsn ip netns del ns1 Let's link the device to the socket's netns instead. Now, gtp_net_exit_batch_rtnl() needs another netdev iteration to remove all gtp devices in the netns. [0]: ref_tracker: net notrefcnt@000000003d6e7d05 has 1/2 users at sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236) inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1558) udp_sock_create4 (net/ipv4/udp_tunnel_core.c:18) gtp_create_sock (./include/net/udp_tunnel.h:59 drivers/net/gtp.c:1423) gtp_create_sockets (drivers/net/gtp.c:1447) gtp_newlink (drivers/net/gtp.c:1507) rtnl_newlink (net/core/rtnetlink.c:3786 net/core/rtnetlink.c:3897 net/core/rtnetlink.c:4012) rtnetlink_rcv_msg (net/core/rtnetlink.c:6922) netlink_rcv_skb (net/netlink/af_netlink.c:2542) netlink_unicast (net/netlink/af_netlink.c:1321 net/netlink/af_netlink.c:1347) netlink_sendmsg (net/netlink/af_netlink.c:1891) ____sys_sendmsg (net/socket.c:711 net/socket.c:726 net/socket.c:2583) ___sys_sendmsg (net/socket.c:2639) __sys_sendmsg (net/socket.c:2669) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) WARNING: CPU: 1 PID: 60 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179) Modules linked in: CPU: 1 UID: 0 PID: 60 Comm: kworker/u16:2 Not tainted 6.13.0-rc5-00147-g4c1224501e9d #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:ref_tracker_dir_exit (lib/ref_tracker.c:179) Code: 00 00 00 fc ff df 4d 8b 26 49 bd 00 01 00 00 00 00 ad de 4c 39 f5 0f 85 df 00 00 00 48 8b 74 24 08 48 89 df e8 a5 cc 12 02 90 <0f> 0b 90 48 8d 6b 44 be 04 00 00 00 48 89 ef e8 80 de 67 ff 48 89 RSP: 0018:ff11000009a07b60 EFLAGS: 00010286 RAX: 0000000000002bd3 RBX: ff1100000f4e1aa0 RCX: 1ffffffff0e40ac6 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8423ee3c RBP: ff1100000f4e1af0 R08: 0000000000000001 R09: fffffbfff0e395ae R10: 0000000000000001 R11: 0000000000036001 R12: ff1100000f4e1af0 R13: dead000000000100 R14: ff1100000f4e1af0 R15: dffffc0000000000 FS:0000000000000000(0000) GS:ff1100006ce80000(0000) knlGS:0000000000000000 CS:0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9b2464bd98 CR3: 0000000005286005 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __warn (kernel/panic.c:748) ? ref_tracker_dir_exit (lib/ref_tracker.c:179) ? report_bug (lib/bug.c:201 lib/bug.c:219) ? handle_bug (arch/x86/kernel/traps.c:285) ? exc_invalid_op (arch/x86/kernel/traps.c:309 (discriminator 1)) ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621) ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194) ? ref_tracker_dir_exit (lib/ref_tracker.c:179) ? __pfx_ref_tracker_dir_exit (lib/ref_tracker.c:158) ? kfree (mm/slub.c:4613 mm/slub.c:4761) net_free (net/core/net_namespace.c:476 net/core/net_namespace.c:467) cleanup_net (net/core/net_namespace.c:664 (discriminator 3)) process_one_work (kernel/workqueue.c:3229) worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391 ---truncated--- Solution(s) suse-upgrade-cluster-md-kmp-64kb suse-upgrade-cluster-md-kmp-azure suse-upgrade-cluster-md-kmp-default suse-upgrade-dlm-kmp-64kb suse-upgrade-dlm-kmp-azure suse-upgrade-dlm-kmp-default suse-upgrade-dtb-allwinner suse-upgrade-dtb-altera suse-upgrade-dtb-amazon suse-upgrade-dtb-amd suse-upgrade-dtb-amlogic suse-upgrade-dtb-apm suse-upgrade-dtb-apple suse-upgrade-dtb-arm suse-upgrade-dtb-broadcom suse-upgrade-dtb-cavium suse-upgrade-dtb-exynos suse-upgrade-dtb-freescale suse-upgrade-dtb-hisilicon suse-upgrade-dtb-lg suse-upgrade-dtb-marvell suse-upgrade-dtb-mediatek suse-upgrade-dtb-nvidia suse-upgrade-dtb-qcom suse-upgrade-dtb-renesas suse-upgrade-dtb-rockchip suse-upgrade-dtb-socionext suse-upgrade-dtb-sprd suse-upgrade-dtb-xilinx suse-upgrade-gfs2-kmp-64kb suse-upgrade-gfs2-kmp-azure suse-upgrade-gfs2-kmp-default suse-upgrade-kernel-64kb suse-upgrade-kernel-64kb-devel suse-upgrade-kernel-64kb-extra suse-upgrade-kernel-64kb-optional suse-upgrade-kernel-azure suse-upgrade-kernel-azure-devel suse-upgrade-kernel-azure-extra suse-upgrade-kernel-azure-optional suse-upgrade-kernel-azure-vdso suse-upgrade-kernel-debug suse-upgrade-kernel-debug-devel suse-upgrade-kernel-debug-vdso suse-upgrade-kernel-default suse-upgrade-kernel-default-base suse-upgrade-kernel-default-base-rebuild suse-upgrade-kernel-default-devel suse-upgrade-kernel-default-extra suse-upgrade-kernel-default-livepatch suse-upgrade-kernel-default-livepatch-devel suse-upgrade-kernel-default-optional suse-upgrade-kernel-default-vdso suse-upgrade-kernel-devel suse-upgrade-kernel-devel-azure suse-upgrade-kernel-docs suse-upgrade-kernel-docs-html suse-upgrade-kernel-kvmsmall suse-upgrade-kernel-kvmsmall-devel suse-upgrade-kernel-kvmsmall-vdso suse-upgrade-kernel-macros suse-upgrade-kernel-obs-build suse-upgrade-kernel-obs-qa suse-upgrade-kernel-source suse-upgrade-kernel-source-azure suse-upgrade-kernel-source-vanilla suse-upgrade-kernel-syms suse-upgrade-kernel-syms-azure suse-upgrade-kernel-zfcpdump suse-upgrade-kselftests-kmp-64kb suse-upgrade-kselftests-kmp-azure suse-upgrade-kselftests-kmp-default suse-upgrade-ocfs2-kmp-64kb suse-upgrade-ocfs2-kmp-azure suse-upgrade-ocfs2-kmp-default suse-upgrade-reiserfs-kmp-64kb suse-upgrade-reiserfs-kmp-azure suse-upgrade-reiserfs-kmp-default References https://attackerkb.com/topics/cve-2025-21678 CVE - 2025-21678

Debian: CVE-2025-21669: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/31/2025 Created 02/11/2025 Added 02/10/2025 Modified 02/10/2025 Description In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: discard packets if the transport changes If the socket has been de-assigned or assigned to another transport, we must discard any packets received because they are not expected and would cause issues when we access vsk->transport. A possible scenario is described by Hyunwoo Kim in the attached link, where after a first connect() interrupted by a signal, and a second connect() failed, we can find `vsk->transport` at NULL, leading to a NULL pointer dereference. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2025-21669 CVE - 2025-21669 DSA-5860-1

Debian: CVE-2025-21665: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/31/2025 Created 02/11/2025 Added 02/10/2025 Modified 02/10/2025 Description In the Linux kernel, the following vulnerability has been resolved: filemap: avoid truncating 64-bit offset to 32 bits On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a 64-bit value to 32 bits, leading to a possible infinite loop when writing to an xfs filesystem. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2025-21665 CVE - 2025-21665 DSA-5860-1

Debian: CVE-2025-21678: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/31/2025 Created 02/11/2025 Added 02/10/2025 Modified 02/10/2025 Description In the Linux kernel, the following vulnerability has been resolved: gtp: Destroy device along with udp socket's netns dismantle. gtp_newlink() links the device to a list in dev_net(dev) instead of src_net, where a udp tunnel socket is created. Even when src_net is removed, the device stays alive on dev_net(dev). Then, removing src_net triggers the splat below. [0] In this example, gtp0 is created in ns2, and the udp socket is created in ns1. ip netns add ns1 ip netns add ns2 ip -n ns1 link add netns ns2 name gtp0 type gtp role sgsn ip netns del ns1 Let's link the device to the socket's netns instead. Now, gtp_net_exit_batch_rtnl() needs another netdev iteration to remove all gtp devices in the netns. [0]: ref_tracker: net notrefcnt@000000003d6e7d05 has 1/2 users at sk_alloc (./include/net/net_namespace.h:345 net/core/sock.c:2236) inet_create (net/ipv4/af_inet.c:326 net/ipv4/af_inet.c:252) __sock_create (net/socket.c:1558) udp_sock_create4 (net/ipv4/udp_tunnel_core.c:18) gtp_create_sock (./include/net/udp_tunnel.h:59 drivers/net/gtp.c:1423) gtp_create_sockets (drivers/net/gtp.c:1447) gtp_newlink (drivers/net/gtp.c:1507) rtnl_newlink (net/core/rtnetlink.c:3786 net/core/rtnetlink.c:3897 net/core/rtnetlink.c:4012) rtnetlink_rcv_msg (net/core/rtnetlink.c:6922) netlink_rcv_skb (net/netlink/af_netlink.c:2542) netlink_unicast (net/netlink/af_netlink.c:1321 net/netlink/af_netlink.c:1347) netlink_sendmsg (net/netlink/af_netlink.c:1891) ____sys_sendmsg (net/socket.c:711 net/socket.c:726 net/socket.c:2583) ___sys_sendmsg (net/socket.c:2639) __sys_sendmsg (net/socket.c:2669) do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) WARNING: CPU: 1 PID: 60 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179) Modules linked in: CPU: 1 UID: 0 PID: 60 Comm: kworker/u16:2 Not tainted 6.13.0-rc5-00147-g4c1224501e9d #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:ref_tracker_dir_exit (lib/ref_tracker.c:179) Code: 00 00 00 fc ff df 4d 8b 26 49 bd 00 01 00 00 00 00 ad de 4c 39 f5 0f 85 df 00 00 00 48 8b 74 24 08 48 89 df e8 a5 cc 12 02 90 <0f> 0b 90 48 8d 6b 44 be 04 00 00 00 48 89 ef e8 80 de 67 ff 48 89 RSP: 0018:ff11000009a07b60 EFLAGS: 00010286 RAX: 0000000000002bd3 RBX: ff1100000f4e1aa0 RCX: 1ffffffff0e40ac6 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8423ee3c RBP: ff1100000f4e1af0 R08: 0000000000000001 R09: fffffbfff0e395ae R10: 0000000000000001 R11: 0000000000036001 R12: ff1100000f4e1af0 R13: dead000000000100 R14: ff1100000f4e1af0 R15: dffffc0000000000 FS:0000000000000000(0000) GS:ff1100006ce80000(0000) knlGS:0000000000000000 CS:0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9b2464bd98 CR3: 0000000005286005 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __warn (kernel/panic.c:748) ? ref_tracker_dir_exit (lib/ref_tracker.c:179) ? report_bug (lib/bug.c:201 lib/bug.c:219) ? handle_bug (arch/x86/kernel/traps.c:285) ? exc_invalid_op (arch/x86/kernel/traps.c:309 (discriminator 1)) ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621) ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:97 ./arch/x86/include/asm/irqflags.h:155 ./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194) ? ref_tracker_dir_exit (lib/ref_tracker.c:179) ? __pfx_ref_tracker_dir_exit (lib/ref_tracker.c:158) ? kfree (mm/slub.c:4613 mm/slub.c:4761) net_free (net/core/net_namespace.c:476 net/core/net_namespace.c:467) cleanup_net (net/core/net_namespace.c:664 (discriminator 3)) process_one_work (kernel/workqueue.c:3229) worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391 ---truncated--- Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2025-21678 CVE - 2025-21678 DSA-5860-1

Debian: CVE-2025-21671: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/31/2025 Created 02/11/2025 Added 02/10/2025 Modified 02/10/2025 Description In the Linux kernel, the following vulnerability has been resolved: zram: fix potential UAF of zram table If zram_meta_alloc failed early, it frees allocated zram->table without setting it NULL.Which will potentially cause zram_meta_free to access the table if user reset an failed and uninitialized device. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2025-21671 CVE - 2025-21671 DSA-5860-1

OS X update for PackageKit (CVE-2025-24099) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/30/2025 Created 01/31/2025 Added 01/30/2025 Modified 02/03/2025 Description The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.3, macOS Ventura 13.7.3, macOS Sonoma 14.7.3. A local attacker may be able to elevate their privileges. Solution(s) apple-osx-upgrade-13_7_3 apple-osx-upgrade-14_7_3 apple-osx-upgrade-15_3 References https://attackerkb.com/topics/cve-2025-24099 CVE - 2025-24099 https://support.apple.com/en-us/122068 https://support.apple.com/en-us/122069 https://support.apple.com/en-us/122070

Debian: CVE-2025-21667: linux -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/31/2025 Created 02/11/2025 Added 02/10/2025 Modified 02/10/2025 Description In the Linux kernel, the following vulnerability has been resolved: iomap: avoid avoid truncating 64-bit offset to 32 bits on 32-bit kernels, iomap_write_delalloc_scan() was inadvertently using a 32-bit position due to folio_next_index() returning an unsigned long. This could lead to an infinite loop when writing to an xfs filesystem. Solution(s) debian-upgrade-linux References https://attackerkb.com/topics/cve-2025-21667 CVE - 2025-21667 DSA-5860-1

Google Chrome Vulnerability: CVE-2025-0762 Use after free in DevTools Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/30/2025 Created 01/31/2025 Added 01/30/2025 Modified 02/03/2025 Description Use after free in DevTools in Google Chrome prior to 132.0.6834.159 allowed a remote attacker to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2025-0762 CVE - 2025-0762

Red Hat JBossEAP: Improper Access Control (CVE-2025-23367) Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:N/A:C) Published 01/30/2025 Created 02/04/2025 Added 02/03/2025 Modified 02/03/2025 Description A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.. A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action. Solution(s) red-hat-jboss-eap-upgrade-latest References https://attackerkb.com/topics/cve-2025-23367 CVE - 2025-23367 https://access.redhat.com/security/cve/CVE-2025-23367 https://bugzilla.redhat.com/show_bug.cgi?id=2337620 https://github.com/advisories/GHSA-qr6x-62gq-4ccp

SUSE: CVE-2025-24376: SUSE Linux Security Advisory Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/30/2025 Created 02/13/2025 Added 02/12/2025 Modified 02/12/2025 Description kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies. By design, AdmissionPolicy and AdmissionPolicyGroup can evaluate only namespaced resources. The resources to be evaluated are determined by the rules provided by the user when defining the policy. There might be Kubernetes namespaced resources that should not be validated by AdmissionPolicy and by the AdmissionPolicyGroup policies because of their sensitive nature. For example, PolicyReport are namespaced resources that contain the list of non compliant objects found inside of a namespace. An attacker can use either an AdmissionPolicy or an AdmissionPolicyGroup to prevent the creation and update of PolicyReport objects to hide non-compliant resources. Moreover, the same attacker might use a mutating AdmissionPolicy to alter the contents of the PolicyReport created inside of the namespace. Starting from the 1.21.0 release, the validation rules applied to AdmissionPolicy and AdmissionPolicyGroup have been tightened to prevent them from validating sensitive types of namespaced resources. Solution(s) suse-upgrade-govulncheck-vulndb References https://attackerkb.com/topics/cve-2025-24376 CVE - 2025-24376

SUSE: CVE-2025-23216: SUSE Linux Security Advisory Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/30/2025 Created 02/13/2025 Added 02/12/2025 Modified 02/12/2025 Description Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13. Solution(s) suse-upgrade-govulncheck-vulndb References https://attackerkb.com/topics/cve-2025-23216 CVE - 2025-23216

SUSE: CVE-2025-24784: SUSE Linux Security Advisory Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/30/2025 Created 02/13/2025 Added 02/12/2025 Modified 02/12/2025 Description kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies. The policy group feature, added to by the 1.17.0 release. By being namespaced, the AdmissionPolicyGroup has a well constrained impact on cluster resources. Hence, it’s considered safe to allow non-admin users to create and manage these resources in the namespaces they own. Kubewarden policies can be allowed to query the Kubernetes API at evaluation time; these types of policies are called “context aware“. Context aware policies can perform list and get operations against a Kubernetes cluster. The queries are done using the ServiceAccount of the Policy Server instance that hosts the policy. That means that access to the cluster is determined by the RBAC rules that apply to that ServiceAccount. The AdmissionPolicyGroup CRD allowed the deployment of context aware policies. This could allow an attacker to obtain information about resources that are out of their reach, by leveraging a higher access to the cluster granted to the ServiceAccount token used to run the policy. The impact of this vulnerability depends on the privileges that have been granted to the ServiceAccount used to run the Policy Server and assumes that users are using the recommended best practices of keeping the Policy Server's ServiceAccount least privileged. By default, the Kubewarden helm chart grants access to the following resources (cluster wide) only: Namespace, Pod, Deployment and Ingress. This vulnerability is fixed in 1.21.0. Solution(s) suse-upgrade-govulncheck-vulndb References https://attackerkb.com/topics/cve-2025-24784 CVE - 2025-24784

SUSE: CVE-2025-24883: SUSE Linux Security Advisory Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/30/2025 Created 02/13/2025 Added 02/12/2025 Modified 02/12/2025 Description go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.14.13. Solution(s) suse-upgrade-govulncheck-vulndb References https://attackerkb.com/topics/cve-2025-24883 CVE - 2025-24883

FreeBSD: VID-2830B374-DEBD-11EF-87BA-002590C1F29C (CVE-2025-0662): FreeBSD -- Uninitialized kernel memory disclosure via ktrace(2) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/29/2025 Created 02/04/2025 Added 01/31/2025 Modified 01/31/2025 Description In some cases, the ktrace facility will log the contents of kernel structures to userspace.In one such case, ktrace dumps a variable-sized sockaddr to userspace.There, the full sockaddr is copied, even when it is shorter than the full size.This can result in up to 14 uninitialized bytes of kernel memory being copied out to userspace. It is possible for an unprivileged userspace program to leak 14 bytes of a kernel heap allocation to userspace. Solution(s) freebsd-upgrade-base-14_2-release-p1 References CVE-2025-0662

Amazon Linux AMI 2: CVE-2024-12705: Security patch for bind (ALAS-2025-2751) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/29/2025 Created 02/05/2025 Added 02/05/2025 Modified 02/05/2025 Description Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1. Solution(s) amazon-linux-ami-2-upgrade-bind amazon-linux-ami-2-upgrade-bind-chroot amazon-linux-ami-2-upgrade-bind-debuginfo amazon-linux-ami-2-upgrade-bind-devel amazon-linux-ami-2-upgrade-bind-export-devel amazon-linux-ami-2-upgrade-bind-export-libs amazon-linux-ami-2-upgrade-bind-libs amazon-linux-ami-2-upgrade-bind-libs-lite amazon-linux-ami-2-upgrade-bind-license amazon-linux-ami-2-upgrade-bind-lite-devel amazon-linux-ami-2-upgrade-bind-pkcs11 amazon-linux-ami-2-upgrade-bind-pkcs11-devel amazon-linux-ami-2-upgrade-bind-pkcs11-libs amazon-linux-ami-2-upgrade-bind-pkcs11-utils amazon-linux-ami-2-upgrade-bind-sdb amazon-linux-ami-2-upgrade-bind-sdb-chroot amazon-linux-ami-2-upgrade-bind-utils References https://attackerkb.com/topics/cve-2024-12705 AL2/ALAS-2025-2751 CVE - 2024-12705

ISC BIND: Many records in the additional section cause CPU exhaustion (CVE-2024-11187) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/29/2025 Created 02/12/2025 Added 02/11/2025 Modified 02/11/2025 Description It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1. Solution(s) upgrade-isc-bind-latest References https://attackerkb.com/topics/cve-2024-11187 CVE - 2024-11187 https://kb.isc.org/docs/cve-2024-11187

Debian: CVE-2021-3978: cfrpki -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/29/2025 Created 02/04/2025 Added 02/03/2025 Modified 02/03/2025 Description When copying files with rsync, octorpki uses the "-a" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation. Solution(s) debian-upgrade-cfrpki References https://attackerkb.com/topics/cve-2021-3978 CVE - 2021-3978 DSA-5041-1

Amazon Linux 2023: CVE-2024-11187: Important priority package update for bind Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 01/29/2025 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1. Solution(s) amazon-linux-2023-upgrade-bind amazon-linux-2023-upgrade-bind-chroot amazon-linux-2023-upgrade-bind-debuginfo amazon-linux-2023-upgrade-bind-debugsource amazon-linux-2023-upgrade-bind-devel amazon-linux-2023-upgrade-bind-dnssec-utils amazon-linux-2023-upgrade-bind-dnssec-utils-debuginfo amazon-linux-2023-upgrade-bind-doc amazon-linux-2023-upgrade-bind-libs amazon-linux-2023-upgrade-bind-libs-debuginfo amazon-linux-2023-upgrade-bind-license amazon-linux-2023-upgrade-bind-utils amazon-linux-2023-upgrade-bind-utils-debuginfo References https://attackerkb.com/topics/cve-2024-11187 CVE - 2024-11187 https://alas.aws.amazon.com/AL2023/ALAS-2025-838.html

Amazon Linux AMI 2: CVE-2024-11187: Security patch for bind (ALAS-2025-2751) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/29/2025 Created 02/05/2025 Added 02/05/2025 Modified 02/05/2025 Description It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1. Solution(s) amazon-linux-ami-2-upgrade-bind amazon-linux-ami-2-upgrade-bind-chroot amazon-linux-ami-2-upgrade-bind-debuginfo amazon-linux-ami-2-upgrade-bind-devel amazon-linux-ami-2-upgrade-bind-export-devel amazon-linux-ami-2-upgrade-bind-export-libs amazon-linux-ami-2-upgrade-bind-libs amazon-linux-ami-2-upgrade-bind-libs-lite amazon-linux-ami-2-upgrade-bind-license amazon-linux-ami-2-upgrade-bind-lite-devel amazon-linux-ami-2-upgrade-bind-pkcs11 amazon-linux-ami-2-upgrade-bind-pkcs11-devel amazon-linux-ami-2-upgrade-bind-pkcs11-libs amazon-linux-ami-2-upgrade-bind-pkcs11-utils amazon-linux-ami-2-upgrade-bind-sdb amazon-linux-ami-2-upgrade-bind-sdb-chroot amazon-linux-ami-2-upgrade-bind-utils References https://attackerkb.com/topics/cve-2024-11187 AL2/ALAS-2025-2751 CVE - 2024-11187

Ubuntu: USN-7241-1 (CVE-2024-12705): Bind vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/29/2025 Created 01/31/2025 Added 01/30/2025 Modified 02/03/2025 Description Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1. Solution(s) ubuntu-upgrade-bind9 References https://attackerkb.com/topics/cve-2024-12705 CVE - 2024-12705 USN-7241-1 https://ubuntu.com/security/notices/USN-7241-1 https://www.cve.org/CVERecord?id=CVE-2024-12705

FreeBSD: VID-AB0CBE3F-DEBC-11EF-87BA-002590C1F29C (CVE-2025-0373): FreeBSD -- Buffer overflow in some filesystems via NFS Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/29/2025 Created 02/04/2025 Added 01/31/2025 Modified 01/31/2025 Description On 64-bit systems, the implementation of VOP_VPTOFH() in the cd9660, tarfs and ext2fs filesystems overflows the destination FID buffer by 4 bytes, a stack buffer overflow. A NFS server that exports a cd9660, tarfs, or ext2fs file system can be made to panic by mounting and accessing the export with an NFS client.Further exploitation (e.g., bypassing file permission checking or remote kernel code execution) is potentially possible, though this has not been demonstrated.In particular, release kernels are compiled with stack protection enabled, and some instances of the overflow are caught by this mechanism, causing a panic. Solution(s) freebsd-upgrade-base-13_4-release-p3 freebsd-upgrade-base-14_1-release-p7 freebsd-upgrade-base-14_2-release-p1 References CVE-2025-0373

SUSE: CVE-2025-24884: SUSE Linux Security Advisory Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 01/29/2025 Created 02/13/2025 Added 02/12/2025 Modified 02/12/2025 Description kube-audit-rest is a simple logger of mutation/creation requests to the k8s api. If the "full-elastic-stack" example vector configuration was used for a real cluster, the previous values of kubernetes secrets would have been disclosed in the audit messages. This vulnerability is fixed in 1.0.16. Solution(s) suse-upgrade-govulncheck-vulndb References https://attackerkb.com/topics/cve-2025-24884 CVE - 2025-24884