Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made available a database, in Spanish, that includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: different criteria can be selected to narrow down the results, such as vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-26845

Publication date:
17/04/2024
In the Linux kernel, the following vulnerability has been resolved:

scsi: target: core: Add TMF to tmr_list handling

An abort that is responded to by iSCSI itself is added to tmr_list but does not go to target core. A LUN_RESET that goes through tmr_list takes a refcounter on the abort and waits for completion. However, the abort will be never complete because it was not started in target core.

Unable to locate ITT: 0x05000000 on CID: 0
Unable to locate RefTaskTag: 0x05000000 on CID: 0.
wait_for_tasks: Stopping tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop
wait for tasks: tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop
...
INFO: task kworker/0:2:49 blocked for more than 491 seconds.
task:kworker/0:2 state:D stack: 0 pid: 49 ppid: 2 flags:0x00000800
Workqueue: events target_tmr_work [target_core_mod]
Call Trace:
__switch_to+0x2c4/0x470
_schedule+0x314/0x1730
schedule+0x64/0x130
schedule_timeout+0x168/0x430
wait_for_completion+0x140/0x270
target_put_cmd_and_wait+0x64/0xb0 [target_core_mod]
core_tmr_lun_reset+0x30/0xa0 [target_core_mod]
target_tmr_work+0xc8/0x1b0 [target_core_mod]
process_one_work+0x2d4/0x5d0
worker_thread+0x78/0x6c0

To fix this, only add abort to tmr_list if it will be handled by target core.
Severity CVSS v4.0: Pending analysis
Last modification:
05/01/2026

CVE-2024-32130

Publication date:
17/04/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Paystack Payment Forms for Paystack allows Stored XSS. This issue affects Payment Forms for Paystack: from n/a through 3.4.1.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2026

CVE-2024-32505

Publication date:
17/04/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Roxnor ElementsKit Elementor addons Lite elementskit-lite. This issue affects ElementsKit Elementor addons Lite: from n/a through
Severity CVSS v4.0: Pending analysis
Last modification:
23/04/2026

CVE-2024-32456

Publication date:
17/04/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EnvoThemes Envo Extra allows Stored XSS. This issue affects Envo Extra: from n/a through 1.8.11.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2026

CVE-2024-32457

Publication date:
17/04/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The CSSIgniter Team Elements Plus! allows Stored XSS. This issue affects Elements Plus!: from n/a through 2.16.3.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2026

CVE-2024-32508

Publication date:
17/04/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in deTheme DethemeKit For Elementor allows Stored XSS. This issue affects DethemeKit For Elementor: from n/a through 2.0.2.
Severity CVSS v4.0: Pending analysis
Last modification:
28/04/2026

CVE-2024-26823

Publication date:
17/04/2024
In the Linux kernel, the following vulnerability has been resolved:

irqchip/gic-v3-its: Restore quirk probing for ACPI-based systems

While refactoring the way the ITSs are probed, the handling of quirks applicable to ACPI-based platforms was lost. As a result, systems such as HIP07 lose their GICv4 functionality, and some others may even fail to boot, unless they are configured to boot with DT.

Move the enabling of quirks into its_probe_one(), making it common to all firmware implementations.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2025

CVE-2024-26824

Publication date:
17/04/2024
In the Linux kernel, the following vulnerability has been resolved:

crypto: algif_hash - Remove bogus SGL free on zero-length error path

When a zero-length message is hashed by algif_hash, and an error is triggered, it tries to free an SG list that was never allocated in the first place. Fix this by not freeing the SG list on the zero-length error path.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2025

CVE-2024-26825

Publication date:
17/04/2024
In the Linux kernel, the following vulnerability has been resolved:

nfc: nci: free rx_data_reassembly skb on NCI device cleanup

rx_data_reassembly skb is stored during NCI data exchange for processing fragmented packets. It is dropped only when the last fragment is processed or when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received. However, the NCI device may be deallocated before that which leads to skb leak.

As by design the rx_data_reassembly skb is bound to the NCI device and nothing prevents the device to be freed before the skb is processed in some way and cleaned, free it on the NCI device cleanup.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2025

CVE-2024-26826

Publication date:
17/04/2024
In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix data re-injection from stale subflow

When the MPTCP PM detects that a subflow is stale, all the packet scheduler must re-inject all the mptcp-level unacked data. To avoid acquiring unneeded locks, it first tries to check if any unacked data is present at all in the RTX queue, but such check is currently broken, as it uses TCP-specific helper on an MPTCP socket.

Funnily enough fuzzers and static checkers are happy, as the accessed memory still belongs to the mptcp_sock struct, and even from a functional perspective the recovery completed successfully, as the short-cut test always failed.

A recent unrelated TCP change - commit d5fed5addb2b ("tcp: reorganize tcp_sock fast path variables") - exposed the issue, as the tcp field reorganization makes the mptcp code always skip the re-injection.

Fix the issue dropping the bogus call: we are on a slow path, the early optimization proved once again to be evil.
Severity CVSS v4.0: Pending analysis
Last modification:
27/03/2025

CVE-2024-26827

Publication date:
17/04/2024
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity CVSS v4.0: Pending analysis
Last modification:
18/04/2024

CVE-2024-26828

Publication date:
17/04/2024
In the Linux kernel, the following vulnerability has been resolved:

cifs: fix underflow in parse_server_interfaces()

In this loop, we step through the buffer and after each item we check if the size_left is greater than the minimum size we need. However, the problem is that "bytes_left" is type ssize_t while sizeof() is type size_t. That means that because of type promotion, the comparison is done as an unsigned and if we have negative bytes left the loop continues instead of ending.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2025