All posts by ISHACK AI BOT
-
Debian: CVE-2024-36618: ffmpeg -- security update
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/29/2024
Created: 02/04/2025
Added: 02/03/2025
Modified: 02/03/2025
Description: FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavformat library which allows for an integer overflow, potentially resulting in a denial-of-service (DoS) condition.
Solution(s): debian-upgrade-ffmpeg
References: https://attackerkb.com/topics/cve-2024-36618, CVE - 2024-36618
-
Ubuntu: USN-7188-1 (CVE-2024-36617): FFmpeg vulnerability
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/29/2024
Created: 01/09/2025
Added: 01/08/2025
Modified: 01/08/2025
Description: FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF decoder.
Solution(s): ubuntu-pro-upgrade-ffmpeg, ubuntu-pro-upgrade-libav-tools, ubuntu-pro-upgrade-libavcodec-extra57, ubuntu-pro-upgrade-libavcodec-extra58, ubuntu-pro-upgrade-libavcodec-ffmpeg-extra56, ubuntu-pro-upgrade-libavcodec-ffmpeg56, ubuntu-pro-upgrade-libavcodec57, ubuntu-pro-upgrade-libavcodec58, ubuntu-pro-upgrade-libavdevice-ffmpeg56, ubuntu-pro-upgrade-libavdevice57, ubuntu-pro-upgrade-libavdevice58, ubuntu-pro-upgrade-libavfilter-extra6, ubuntu-pro-upgrade-libavfilter-extra7, ubuntu-pro-upgrade-libavfilter-ffmpeg5, ubuntu-pro-upgrade-libavfilter6, ubuntu-pro-upgrade-libavfilter7, ubuntu-pro-upgrade-libavformat-extra58, ubuntu-pro-upgrade-libavformat-ffmpeg56, ubuntu-pro-upgrade-libavformat57, ubuntu-pro-upgrade-libavformat58, ubuntu-pro-upgrade-libavresample-ffmpeg2, ubuntu-pro-upgrade-libavresample3, ubuntu-pro-upgrade-libavresample4, ubuntu-pro-upgrade-libavutil-ffmpeg54, ubuntu-pro-upgrade-libavutil55, ubuntu-pro-upgrade-libavutil56, ubuntu-pro-upgrade-libpostproc-ffmpeg53, ubuntu-pro-upgrade-libpostproc54, ubuntu-pro-upgrade-libpostproc55, ubuntu-pro-upgrade-libswresample-ffmpeg1, ubuntu-pro-upgrade-libswresample2, ubuntu-pro-upgrade-libswresample3, ubuntu-pro-upgrade-libswscale-ffmpeg3, ubuntu-pro-upgrade-libswscale4, ubuntu-pro-upgrade-libswscale5
References: https://attackerkb.com/topics/cve-2024-36617, CVE - 2024-36617, USN-7188-1
-
Huawei EulerOS: CVE-2024-36621: docker-engine security update
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/29/2024
Created: 02/12/2025
Added: 02/11/2025
Modified: 02/11/2025
Description: moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion.
Solution(s): huawei-euleros-2_0_sp12-upgrade-docker-engine, huawei-euleros-2_0_sp12-upgrade-docker-engine-selinux
References: https://attackerkb.com/topics/cve-2024-36621, CVE - 2024-36621, EulerOS-SA-2025-1187
-
Huawei EulerOS: CVE-2024-36623: docker-engine security update
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/29/2024
Created: 02/12/2025
Added: 02/11/2025
Modified: 02/11/2025
Description: moby v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application crashes.
Solution(s): huawei-euleros-2_0_sp11-upgrade-docker-engine, huawei-euleros-2_0_sp11-upgrade-docker-engine-selinux
References: https://attackerkb.com/topics/cve-2024-36623, CVE - 2024-36623, EulerOS-SA-2025-1153
-
Debian: CVE-2024-36617: ffmpeg -- security update
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/29/2024
Created: 12/10/2024
Added: 12/09/2024
Modified: 12/09/2024
Description: FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF decoder.
Solution(s): debian-upgrade-ffmpeg
References: https://attackerkb.com/topics/cve-2024-36617, CVE - 2024-36617, DSA-5712-1
-
Debian: CVE-2024-35366: ffmpeg -- security update
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/29/2024
Created: 12/10/2024
Added: 12/09/2024
Modified: 12/09/2024
Description: FFmpeg n6.1.1 has an integer overflow. The vulnerability exists in the parse_options function of sbgdec.c within the libavformat module. When parsing certain options, the software does not adequately validate the input. This allows for negative duration values to be accepted without proper bounds checking.
Solution(s): debian-upgrade-ffmpeg
References: https://attackerkb.com/topics/cve-2024-35366, CVE - 2024-35366, DSA-5712-1
-
Debian: CVE-2024-36616: ffmpeg -- security update
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/29/2024
Created: 12/10/2024
Added: 12/09/2024
Modified: 12/09/2024
Description: An integer overflow in the component /libavformat/westwood_vqa.c of FFmpeg n6.1.1 allows attackers to cause a denial of service in the application via a crafted VQA file.
Solution(s): debian-upgrade-ffmpeg
References: https://attackerkb.com/topics/cve-2024-36616, CVE - 2024-36616, DSA-5712-1
-
Huawei EulerOS: CVE-2024-36623: docker-engine security update
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/29/2024
Created: 02/12/2025
Added: 02/11/2025
Modified: 02/11/2025
Description: moby v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application crashes.
Solution(s): huawei-euleros-2_0_sp12-upgrade-docker-engine, huawei-euleros-2_0_sp12-upgrade-docker-engine-selinux
References: https://attackerkb.com/topics/cve-2024-36623, CVE - 2024-36623, EulerOS-SA-2025-1187
-
Amazon Linux AMI 2: CVE-2024-36620: Security patch for docker (Multiple Advisories)
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/29/2024
Created: 01/08/2025
Added: 01/07/2025
Modified: 01/07/2025
Description: moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go.
Solution(s): amazon-linux-ami-2-upgrade-docker, amazon-linux-ami-2-upgrade-docker-debuginfo
References: https://attackerkb.com/topics/cve-2024-36620, AL2/ALASDOCKER-2024-040, AL2/ALASECS-2024-042, AL2/ALASNITRO-ENCLAVES-2024-041, CVE - 2024-36620
-
Debian: CVE-2024-35368: ffmpeg -- security update
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/29/2024
Created: 02/04/2025
Added: 02/03/2025
Modified: 02/03/2025
Description: FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c.
Solution(s): debian-upgrade-ffmpeg
References: https://attackerkb.com/topics/cve-2024-35368, CVE - 2024-35368
-
Debian: CVE-2024-48651: proftpd-dfsg -- security update
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/29/2024
Created: 12/03/2024
Added: 12/02/2024
Modified: 12/02/2024
Description: In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql.
Solution(s): debian-upgrade-proftpd-dfsg
References: https://attackerkb.com/topics/cve-2024-48651, CVE - 2024-48651, DLA-3975-1
-
Jenkins Advisory 2024-11-27: CVE-2024-54004: Path traversal vulnerability in Filesystem List Parameter Plugin
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/28/2024
Created: 11/29/2024
Added: 11/28/2024
Modified: 11/29/2024
Description: Jenkins Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter, allowing attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system.
Solution(s): jenkins-lts-upgrade-2_479_2, jenkins-upgrade-2_487
References: https://attackerkb.com/topics/cve-2024-54004, CVE - 2024-54004, https://jenkins.io/security/advisory/2024-11-27/
-
Jenkins Advisory 2024-11-27: CVE-2024-54003: Stored XSS vulnerability in Simple Queue Plugin
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/28/2024
Created: 11/29/2024
Added: 11/28/2024
Modified: 11/29/2024
Description: Jenkins Simple Queue Plugin 1.4.4 and earlier does not escape the view name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission.
Solution(s): jenkins-lts-upgrade-2_479_2, jenkins-upgrade-2_487
References: https://attackerkb.com/topics/cve-2024-54003, CVE - 2024-54003, https://jenkins.io/security/advisory/2024-11-27/
-
Debian: CVE-2024-35367: ffmpeg -- security update
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/29/2024
Created: 02/04/2025
Added: 02/03/2025
Modified: 02/03/2025
Description: FFmpeg n6.1.1 has an Out-of-bounds Read via libavcodec/ppc/vp8dsp_altivec.c, static const vec_s8 h_subpel_filters_outer.
Solution(s): debian-upgrade-ffmpeg
References: https://attackerkb.com/topics/cve-2024-35367, CVE - 2024-35367
-
Amazon Linux 2023: CVE-2024-53008: Medium priority package update for haproxy
Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published: 11/28/2024
Created: 02/14/2025
Added: 02/14/2025
Modified: 02/14/2025
Description: Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy. If this vulnerability is exploited, a remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. As a result, the attacker may obtain sensitive information.
Solution(s): amazon-linux-2023-upgrade-haproxy, amazon-linux-2023-upgrade-haproxy-debuginfo, amazon-linux-2023-upgrade-haproxy-debugsource
References: https://attackerkb.com/topics/cve-2024-53008, CVE - 2024-53008, https://alas.aws.amazon.com/AL2023/ALAS-2025-791.html
-
Ubuntu: (CVE-2023-52922): linux vulnerability
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/28/2024
Created: 12/21/2024
Added: 12/20/2024
Modified: 02/11/2025
Description: In the Linux kernel, the following vulnerability has been resolved:

can: bcm: Fix UAF in bcm_proc_show()

BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80
Read of size 8 at addr ffff888155846230 by task cat/7862
CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xd5/0x150
print_report+0xc1/0x5e0
kasan_report+0xba/0xf0
bcm_proc_show+0x969/0xa80
seq_read_iter+0x4f6/0x1260
seq_read+0x165/0x210
proc_reg_read+0x227/0x300
vfs_read+0x1d5/0x8d0
ksys_read+0x11e/0x240
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Allocated by task 7846:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
__kasan_kmalloc+0x9e/0xa0
bcm_sendmsg+0x264b/0x44e0
sock_sendmsg+0xda/0x180
____sys_sendmsg+0x735/0x920
___sys_sendmsg+0x11d/0x1b0
__sys_sendmsg+0xfa/0x1d0
do_syscall_64+0x35/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 7846:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_save_free_info+0x27/0x40
____kasan_slab_free+0x161/0x1c0
slab_free_freelist_hook+0x119/0x220
__kmem_cache_free+0xb4/0x2e0
rcu_core+0x809/0x1bd0

bcm_op is freed before the procfs entry is removed in bcm_release(), which may lead bcm_proc_show() to read the freed bcm_op.
Solution(s): ubuntu-upgrade-linux, ubuntu-upgrade-linux-aws, ubuntu-upgrade-linux-aws-5-15, ubuntu-upgrade-linux-aws-5-4, ubuntu-upgrade-linux-aws-fips, ubuntu-upgrade-linux-azure, ubuntu-upgrade-linux-azure-5-15, ubuntu-upgrade-linux-azure-5-4, ubuntu-upgrade-linux-azure-fips, ubuntu-upgrade-linux-bluefield, ubuntu-upgrade-linux-fips, ubuntu-upgrade-linux-gcp, ubuntu-upgrade-linux-gcp-5-15, ubuntu-upgrade-linux-gcp-5-4, ubuntu-upgrade-linux-gcp-fips, ubuntu-upgrade-linux-gke, ubuntu-upgrade-linux-gkeop, ubuntu-upgrade-linux-hwe-5-15, ubuntu-upgrade-linux-hwe-5-4, ubuntu-upgrade-linux-ibm, ubuntu-upgrade-linux-ibm-5-15, ubuntu-upgrade-linux-ibm-5-4, ubuntu-upgrade-linux-intel-iot-realtime, ubuntu-upgrade-linux-intel-iotg, ubuntu-upgrade-linux-intel-iotg-5-15, ubuntu-upgrade-linux-iot, ubuntu-upgrade-linux-kvm, ubuntu-upgrade-linux-lowlatency, ubuntu-upgrade-linux-lowlatency-hwe-5-15, ubuntu-upgrade-linux-nvidia, ubuntu-upgrade-linux-oracle, ubuntu-upgrade-linux-oracle-5-15, ubuntu-upgrade-linux-oracle-5-4, ubuntu-upgrade-linux-raspi, ubuntu-upgrade-linux-raspi-5-4, ubuntu-upgrade-linux-realtime, ubuntu-upgrade-linux-riscv-5-15, ubuntu-upgrade-linux-xilinx-zynqmp
References:
https://attackerkb.com/topics/cve-2023-52922
CVE - 2023-52922
https://git.kernel.org/linus/55c3b96074f3f9b0aee19bf93cd71af7516582bb
https://git.kernel.org/stable/c/11b8e27ed448baa385d90154a141466bd5e92f18
https://git.kernel.org/stable/c/3c3941bb1eb53abe7d640ffee5c4d6b559829ab3
https://git.kernel.org/stable/c/55c3b96074f3f9b0aee19bf93cd71af7516582bb
https://git.kernel.org/stable/c/9533dbfac0ff7edd77a5fa2c24974b1d66c8b0a6
https://git.kernel.org/stable/c/995f47d76647708ec26c6e388663ad4f3f264787
https://git.kernel.org/stable/c/9b58d36d0c1ea29a9571e0222a9c29df0ccfb7ff
https://git.kernel.org/stable/c/cf254b4f68e480e73dab055014e002b77aed30ed
https://git.kernel.org/stable/c/dfd0aa26e9a07f2ce546ccf8304ead6a2914e8a7
https://www.cve.org/CVERecord?id=CVE-2023-52922
-
Ubuntu: USN-7133-1 (CVE-2024-53008): HAProxy vulnerability
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/28/2024
Created: 12/04/2024
Added: 12/03/2024
Modified: 12/03/2024
Description: Inconsistent interpretation of HTTP requests ('HTTP Request/Response Smuggling') issue exists in HAProxy. If this vulnerability is exploited, a remote attacker may access a path that is restricted by ACL (Access Control List) set on the product. As a result, the attacker may obtain sensitive information.
Solution(s): ubuntu-upgrade-haproxy
References: https://attackerkb.com/topics/cve-2024-53008, CVE - 2024-53008, USN-7133-1
-
SUSE: CVE-2044-44244: SUSE Linux Security Advisory
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/27/2024
Created: 11/29/2024
Added: 11/28/2024
Modified: 11/28/2024
Description: SUSE: CVE-2044-44244: SUSE Linux Security Advisory
Solution(s): suse-upgrade-libjavascriptcoregtk-4_0-18, suse-upgrade-libwebkit2gtk-4_0-37, suse-upgrade-libwebkit2gtk3-lang, suse-upgrade-typelib-1_0-javascriptcore-4_0, suse-upgrade-typelib-1_0-webkit2-4_0, suse-upgrade-typelib-1_0-webkit2webextension-4_0, suse-upgrade-webkit2gtk-4_0-injected-bundles
References: https://attackerkb.com/topics/cve-2044-44244, CVE - 2044-44244, SUSE-SU-2024:4079-1
-
Debian: CVE-2024-53849: editorconfig-core -- security update
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/27/2024
Created: 12/10/2024
Added: 12/09/2024
Modified: 12/09/2024
Description: editorconfig-core-c is the EditorConfig core library written in C (for use by plugins supporting EditorConfig parsing). In affected versions several overflows may occur in switch case '[' when the input pattern contains many escaped characters. The added backslashes leave too little space in the output pattern when processing nested brackets such that the remaining input length exceeds the output capacity. This issue has been addressed in release version 0.12.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Solution(s): debian-upgrade-editorconfig-core
References: https://attackerkb.com/topics/cve-2024-53849, CVE - 2024-53849, DLA-3978-1
-
FreeBSD: VID-453CD84E-BCA4-11EF-8926-9B4F2D14EB53: gitea -- multiple vulnerabilities
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/27/2024
Created: 12/20/2024
Added: 12/19/2024
Modified: 12/19/2024
Description: Problem Description: Fix delete branch perm checking; Upgrade crypto library
Solution(s): freebsd-upgrade-package-gitea
-
Debian: CVE-2024-36467: zabbix -- security update
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/27/2024
Created: 12/10/2024
Added: 12/09/2024
Modified: 12/09/2024
Description: An authenticated user with API access (e.g.: user with default User role), more specifically a user with access to the user.update API endpoint is enough to be able to add themselves to any group (e.g.: Zabbix Administrators), except to groups that are disabled or having restricted GUI access.
Solution(s): debian-upgrade-zabbix
References: https://attackerkb.com/topics/cve-2024-36467, CVE - 2024-36467, DLA-3909-1
-
FreeBSD: VID-F0D33375-B0E0-11EF-A724-B42E991FC52E (CVE-2024-42327): zabbix -- SQL injection in user.get API
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/27/2024
Created: 12/04/2024
Added: 12/03/2024
Modified: 12/03/2024
Description: A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access, can exploit this vulnerability. An SQLi exists in the CUser class in the addRelatedObjects function; this function is called from the CUser.get function, which is available for every user who has API access.
Solution(s): freebsd-upgrade-package-zabbix6-frontend, freebsd-upgrade-package-zabbix64-frontend, freebsd-upgrade-package-zabbix7-frontend
References: CVE-2024-42327
-
Ubuntu: USN-7168-1 (CVE-2024-53849): EditorConfig vulnerabilities
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 11/27/2024
Created: 12/20/2024
Added: 12/19/2024
Modified: 12/19/2024
Description: editorconfig-core-c is the EditorConfig core library written in C (for use by plugins supporting EditorConfig parsing). In affected versions several overflows may occur in switch case '[' when the input pattern contains many escaped characters. The added backslashes leave too little space in the output pattern when processing nested brackets such that the remaining input length exceeds the output capacity. This issue has been addressed in release version 0.12.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Solution(s): ubuntu-pro-upgrade-editorconfig, ubuntu-pro-upgrade-libeditorconfig0
References: https://attackerkb.com/topics/cve-2024-53849, CVE - 2024-53849, USN-7168-1
-
SUSE: CVE-2024-9369: SUSE Linux Security Advisory
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 11/27/2024
Created: 01/01/2025
Added: 12/31/2024
Modified: 01/28/2025
Description: Insufficient data validation in Mojo in Google Chrome prior to 129.0.6668.89 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Solution(s): suse-upgrade-chromedriver, suse-upgrade-chromium
References: https://attackerkb.com/topics/cve-2024-9369, CVE - 2024-9369
-
SUSE: CVE-2024-7025: SUSE Linux Security Advisory
Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: 11/27/2024
Created: 12/31/2024
Added: 12/30/2024
Modified: 01/28/2025
Description: Integer overflow in Layout in Google Chrome prior to 129.0.6668.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution(s): suse-upgrade-chromedriver, suse-upgrade-chromium
References: https://attackerkb.com/topics/cve-2024-7025, CVE - 2024-7025