Vulnerabilities

Nginx UI is a web user interface for the Nginx web server. Nginx UI v2.0.0-beta.35 and earlier gets the value from the json field without verification, and can construct a value value in the form of `../../`. Arbitrary files can be written to the server, which may result in loss of permissions. Version 2.0.0-beta.26 fixes the issue.

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, the log path of nginxui is controllable. This issue can be combined with the directory traversal at `/api/configs` to read directories and file contents on the server. Version 2.0.0-beta.36 fixes the issue.

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, when Nginx UI configures logrotate, it does not verify the input and directly passes it to exec.Command, causing arbitrary command execution. Version 2.0.0-beta.36 fixes this issue.

secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. In `elliptic`-based version, `loadUncompressedPublicKey` has a check that the public key is on the curve. Prior to versions 5.0.1, 4.0.4, and 3.8.1, however, `loadCompressedPublicKey` is missing that check. That allows the attacker to use public keys on low-cardinality curves to extract enough information to fully restore the private key from as little as 11 ECDH sessions, and very cheaply on compute power. Other operations on public keys are also affected, including e.g. `publicKeyVerify()` incorrectly returning `true` on those invalid keys, and e.g. `publicKeyTweakMul()` also returning predictable outcomes allowing to restore the tweak. Versions 5.0.1, 4.0.4, and 3.8.1 contain a fix for the issue.

prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, where in extreme cases may cause multiple secondaries crashing leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Server v7.0 versions prior to 7.0.13 and MongoDB Server v7.3 versions prior to 7.3.4

OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 allows unauthenticated users to read arbitrary files accessible by the OneDev server process. This issue has been fixed in version 11.0.9.

A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: iwlwifi: mvm: set the cipher for secured NDP ranging<br /> <br /> The cipher pointer is not set, but is derefereced trying to set its<br /> content, which leads to a NULL pointer dereference.<br /> Fix it by pointing to the cipher parameter before dereferencing.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powercap: intel_rapl: Fix off by one in get_rpi()<br /> <br /> The rp-&gt;priv-&gt;rpi array is either rpi_msr or rpi_tpmi which have<br /> NR_RAPL_PRIMITIVES number of elements. Thus the &gt; needs to be &gt;=<br /> to prevent an off by one access.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix helper writes to read-only maps<br /> <br /> Lonial found an issue that despite user- and BPF-side frozen BPF map<br /> (like in case of .rodata), it was still possible to write into it from<br /> a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT}<br /> as arguments.<br /> <br /> In check_func_arg() when the argument is as mentioned, the meta-&gt;raw_mode<br /> is never set. Later, check_helper_mem_access(), under the case of<br /> PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the<br /> subsequent call to check_map_access_type() and given the BPF map is<br /> read-only it succeeds.<br /> <br /> The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT<br /> when results are written into them as opposed to read out of them. The<br /> latter indicates that it&amp;#39;s okay to pass a pointer to uninitialized memory<br /> as the memory is written to anyway.<br /> <br /> However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM<br /> just with additional alignment requirement. So it is better to just get<br /> rid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the<br /> fixed size memory types. For this, add MEM_ALIGNED to additionally ensure<br /> alignment given these helpers write directly into the args via * = val.<br /> The .arg*_size has been initialized reflecting the actual sizeof(*).<br /> <br /> MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated<br /> argument types, since in !MEM_FIXED_SIZE cases the verifier does not know<br /> the buffer size a priori and therefore cannot blindly write * = val.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> firmware: arm_scmi: Fix double free in OPTEE transport<br /> <br /> Channels can be shared between protocols, avoid freeing the same channel<br /> descriptors twice when unloading the stack.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> block, bfq: fix uaf for accessing waker_bfqq after splitting<br /> <br /> After commit 42c306ed7233 ("block, bfq: don&amp;#39;t break merge chain in<br /> bfq_split_bfqq()"), if the current procress is the last holder of bfqq,<br /> the bfqq can be freed after bfq_split_bfqq(). Hence recored the bfqq and<br /> then access bfqq-&gt;waker_bfqq may trigger UAF. What&amp;#39;s more, the waker_bfqq<br /> may in the merge chain of bfqq, hence just recored waker_bfqq is still<br /> not safe.<br /> <br /> Fix the problem by adding a helper bfq_waker_bfqq() to check if<br /> bfqq-&gt;waker_bfqq is in the merge chain, and current procress is the only<br /> holder.