Redis is an open source, in-memory database that persists on disk.
An authenticated user may use a specially crafted Lua script to
manipulate the garbage collector and potentially lead to remote
code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17.
An additional workaround to mitigate the problem without patching
the redis-server executable is to prevent users from executing Lua
scripts. This can be done using ACL to restrict EVAL and EVALSHA
commands.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-46981
Upstream-patch:
https://github.com/redis/redis/commit/e344b2b5879aa52870e6838212dfb78b7968fcbf
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Redis is an open source, in-memory database that persists on disk.
Authenticated users can trigger a denial-of-service by using specially
crafted, long string match patterns on supported commands such as
`KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL
definitions. Matching of extremely long patterns may result in
unbounded recursion, leading to stack overflow and process crash.
This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1.
Users are advised to upgrade. There are no known workarounds for this
vulnerability.
References:
https://security-tracker.debian.org/tracker/CVE-2024-31228
Upstream-patch:
https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Redis is an in-memory database that persists on disk. On startup,
Redis begins listening on a Unix socket before adjusting its
permissions to the user-provided configuration. If a permissive
umask(2) is used, this creates a race condition that enables,
during a short period of time, another process to establish an
otherwise unauthorized connection. This problem has existed
since Redis 2.6.0-RC1. This issue has been addressed in Redis
versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade.
For users unable to upgrade, it is possible to work around the
problem by disabling Unix sockets, starting Redis with a restrictive
umask, or storing the Unix socket file in a protected directory.
Reference:
https://security-tracker.debian.org/tracker/CVE-2023-45145
Upstream-patch:
https://github.com/redis/redis/commit/7f486ea6eebf0afce74f2e59763b9b82b78629dc
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2024-1454:
The use-after-free vulnerability was found in the AuthentIC driver in OpenSC packages,
occuring in the card enrolment process using pkcs15-init when a user or administrator
enrols or modifies cards. An attacker must have physical access to the computer system
and requires a crafted USB device or smart card to present the system with specially
crafted responses to the APDUs, which are considered high complexity and low severity.
This manipulation can allow for compromised card management operations during enrolment.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-1454]
Upstream patches:
[https://github.com/OpenSC/OpenSC/commit/5835f0d4f6c033bd58806d33fa546908d39825c9]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.
Signed-off-by: Akash Hadke <akash.hadke27@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Because they get renamed, it is better to ignore them and let a
dependency build them
Fixes errors like
ERROR: packagegroup-meta-multimedia-1.0-r0 do_package_write_ipk: An allarch packagegroup shouldn't depend on packages which are dynamically renamed (gssdp to libgssdp-1.2-0)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit eafecde2ae)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Werkzeug is a Web Server Gateway Interface web application library. Applications
using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug
prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications)
are vulnerable to a relatively simple but effective resource exhaustion (denial of
service) attack. A specifically crafted form submission request can cause the parser
to allocate and block 3 to 8 times the upload size in main memory. There is no upper
limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds.
Werkzeug version 3.0.6 fixes this issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-49767
Upstream-patch:
https://github.com/pallets/werkzeug/commit/8760275afb72bd10b57d92cb4d52abf759b2f3a7
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Picked patches according to
http://w1.fi/security/2024-1/hostapd-and-radius-protocol-forgery-attacks.txt
First patch is style commit picked to have a clean cherry-pick of all
mentioned commits without any conflict.
Patch CVE-2024-3596_03.patch was removed as it only patched
wpa_supplicant. The patch names were not changed so it is comparable
with wpa_supplicant recipe.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Changelog:
libgsf 1.14.53
* Compilation fixes for libxml 2.13
* Fix ABR in gsf-vba-dump.
* Teach gsf (the tool) to handle odf properties.
* Fix integer overflows affecting memory allocation.
* Add missing "DocumentStatus" ole2 property.
* Avoid some undefined C behaviour in overflow checks.
libgsf 1.14.51
* Fix thumbnailer crash.
* Fix leaks.
libgsf 1.14.50
* Fix error handling problem when writing ole files.
License changed to LGPL-2.1-only from 1.14.51
[https://gitlab.gnome.org/GNOME/libgsf/-/commit/037c913eb631349c410ef45e49697bf5c46dac8a]
remove obsolete DEPENDS from upstream [103f49b5fc]
Security fixes:
CVE-2024-42415
An integer overflow vulnerability exists in the Compound Document Binary
File format parser of v1.14.52 of the GNOME Project G Structured File
Library (libgsf). A specially crafted file can result in an integer
overflow that allows for a heap-based buffer overflow when processing
the sector allocation table. This can lead to arbitrary code execution.
An attacker can provide a malicious file to trigger this vulnerability.
CVE-2024-36474
An integer overflow vulnerability exists in the Compound Document Binary
File format parser of the GNOME Project G Structured File Library
(libgsf) version v1.14.52. A specially crafted file can result in an
integer overflow when processing the directory from the file that allows
for an out-of-bounds index to be used when reading and writing to an
array. This can lead to arbitrary code execution. An attacker can
provide a malicious file to trigger this vulnerability.
Reference:
[https://gitlab.gnome.org/GNOME/libgsf/-/issues/34]
(master rev: 6ed5891c18)
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2023-49081:
aiohttp is an asynchronous HTTP client/server framework for asyncio and
Python. Improper validation made it possible for an attacker to modify
the HTTP request (e.g. to insert a new header) or create a new HTTP
request if the attacker controls the HTTP version. The vulnerability
only occurs if the attacker can control the HTTP version of the request.
This issue has been patched in version 3.9.0.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-49081
Upstream patches:
https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b
CVE-2024-30251:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
In affected versions an attacker can send a specially crafted POST
(multipart/form-data) request. When the aiohttp server processes it, the server
will enter an infinite loop and be unable to process any further requests. An
attacker can stop the application from serving requests after sending a single
request. This issue has been addressed in version 3.9.4. Users are advised to
upgrade. Users unable to upgrade may manually apply a patch to their systems.
Please see the linked GHSA for instructions.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-30251
Upstream patches:
https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866
CVE-2024-52304:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
Prior to version 3.10.11, the Python parser parses newlines in chunk extensions
incorrectly which can lead to request smuggling vulnerabilities under certain
conditions. If a pure Python version of aiohttp is installed (i.e. without the
usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may
be able to execute a request smuggling attack to bypass certain firewalls or
proxy protections. Version 3.10.11 fixes the issue.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-52304
Upstream patches:
https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71
CVE-2023-49082:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
Improper validation makes it possible for an attacker to modify the HTTP
request (e.g. insert a new header) or even create a new HTTP request if the
attacker controls the HTTP method. The vulnerability occurs only if the
attacker can control the HTTP method (GET, POST etc.) of the request. If the
attacker can control the HTTP version of the request it will be able to modify
the request (request smuggling). This issue has been patched in version 3.9.0.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-49082
Upstream patches:
https://github.com/aio-libs/aiohttp/pull/7806/commits/a43bc1779892e7014b7723c59d08fb37a000955e
CVE-2024-27306:
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.
A XSS vulnerability exists on index pages for static file handling. This
vulnerability is fixed in 3.9.4. We have always recommended using a reverse
proxy server (e.g. nginx) for serving static files. Users following the
recommendation are unaffected. Other users can disable `show_index` if unable
to upgrade.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-27306
Upstream patches:
https://github.com/aio-libs/aiohttp/commit/28335525d1eac015a7e7584137678cbb6ff19397
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Backport patch with tweaks for the current version to fix
CVE-2024-7254.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Divya Chellam
Vijay Anusuri
Soumya Sambu
Zhang Peng
Yogita Urade
Wang Mingyu
akash hadke
Khem Raj
Colin McAllister
Mingli Yu
Fabrice Aeschbacher
Peter Marko
Jiaying Song
Chen Qi