Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFSD: fix use-after-free on source server when doing inter-server copy<br /> <br /> Use-after-free occurred when the laundromat tried to free expired<br /> cpntf_state entry on the s2s_cp_stateids list after inter-server<br /> copy completed. The sc_cp_list that the expired copy state was<br /> inserted on was already freed.<br /> <br /> When COPY completes, the Linux client normally sends LOCKU(lock_state x),<br /> FREE_STATEID(lock_state x) and CLOSE(open_state y) to the source server.<br /> The nfs4_put_stid call from nfsd4_free_stateid cleans up the copy state<br /> from the s2s_cp_stateids list before freeing the lock state&amp;#39;s stid.<br /> <br /> However, sometimes the CLOSE was sent before the FREE_STATEID request.<br /> When this happens, the nfsd4_close_open_stateid call from nfsd4_close<br /> frees all lock states on its st_locks list without cleaning up the copy<br /> state on the sc_cp_list list. When the time the FREE_STATEID arrives the<br /> server returns BAD_STATEID since the lock state was freed. This causes<br /> the use-after-free error to occur when the laundromat tries to free<br /> the expired cpntf_state.<br /> <br /> This patch adds a call to nfs4_free_cpntf_statelist in<br /> nfsd4_close_open_stateid to clean up the copy state before calling<br /> free_ol_stateid_reaplist to free the lock state&amp;#39;s stid on the reaplist.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFSD: Protect against send buffer overflow in NFSv2 READDIR<br /> <br /> Restore the previous limit on the @count argument to prevent a<br /> buffer overflow attack.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring/af_unix: defer registered files gc to io_uring release<br /> <br /> Instead of putting io_uring&amp;#39;s registered files in unix_gc() we want it<br /> to be done by io_uring itself. The trick here is to consider io_uring<br /> registered files for cycle detection but not actually putting them down.<br /> Because io_uring can&amp;#39;t register other ring instances, this will remove<br /> all refs to the ring file triggering the -&gt;release path and clean up<br /> with io_ring_ctx_free().<br /> <br /> [axboe: add kerneldoc comment to skb, fold in skb leak fix]

*** Pendiente de traducción *** Elevation of Privileges in the cleaning feature of Gen Digital CCleaner version 6.33.11465 on Windows allows a local user to gain SYSTEM privileges via exploiting insecure file delete operations. Reported in CCleaner v. 6.33.11465. This issue affects CCleaner: before

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: abort transaction on unexpected eb generation at btrfs_copy_root()<br /> <br /> If we find an unexpected generation for the extent buffer we are cloning<br /> at btrfs_copy_root(), we just WARN_ON() and don&amp;#39;t error out and abort the<br /> transaction, meaning we allow to persist metadata with an unexpected<br /> generation. Instead of warning only, abort the transaction and return<br /> -EUCLEAN.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: dwc3: Remove WARN_ON for device endpoint command timeouts<br /> <br /> This commit addresses a rarely observed endpoint command timeout<br /> which causes kernel panic due to warn when &amp;#39;panic_on_warn&amp;#39; is enabled<br /> and unnecessary call trace prints when &amp;#39;panic_on_warn&amp;#39; is disabled.<br /> It is seen during fast software-controlled connect/disconnect testcases.<br /> The following is one such endpoint command timeout that we observed:<br /> <br /> 1. Connect<br /> =======<br /> -&gt;dwc3_thread_interrupt<br /> -&gt;dwc3_ep0_interrupt<br /> -&gt;configfs_composite_setup<br /> -&gt;composite_setup<br /> -&gt;usb_ep_queue<br /> -&gt;dwc3_gadget_ep0_queue<br /> -&gt;__dwc3_gadget_ep0_queue<br /> -&gt;__dwc3_ep0_do_control_data<br /> -&gt;dwc3_send_gadget_ep_cmd<br /> <br /> 2. Disconnect<br /> ==========<br /> -&gt;dwc3_thread_interrupt<br /> -&gt;dwc3_gadget_disconnect_interrupt<br /> -&gt;dwc3_ep0_reset_state<br /> -&gt;dwc3_ep0_end_control_data<br /> -&gt;dwc3_send_gadget_ep_cmd<br /> <br /> In the issue scenario, in Exynos platforms, we observed that control<br /> transfers for the previous connect have not yet been completed and end<br /> transfer command sent as a part of the disconnect sequence and<br /> processing of USB_ENDPOINT_HALT feature request from the host timeout.<br /> This maybe an expected scenario since the controller is processing EP<br /> commands sent as a part of the previous connect. It maybe better to<br /> remove WARN_ON in all places where device endpoint commands are sent to<br /> avoid unnecessary kernel panic due to warn.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> lib/crypto: arm64/poly1305: Fix register corruption in no-SIMD contexts<br /> <br /> Restore the SIMD usability check that was removed by commit a59e5468a921<br /> ("crypto: arm64/poly1305 - Add block-only interface").<br /> <br /> This safety check is cheap and is well worth eliminating a footgun.<br /> While the Poly1305 functions should not be called when SIMD registers<br /> are unusable, if they are anyway, they should just do the right thing<br /> instead of corrupting random tasks&amp;#39; registers and/or computing incorrect<br /> MACs. Fixing this is also needed for poly1305_kunit to pass.<br /> <br /> Just use may_use_simd() instead of the original crypto_simd_usable(),<br /> since poly1305_kunit won&amp;#39;t rely on crypto_simd_disabled_for_test.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: ufs: core: Remove WARN_ON_ONCE() call from ufshcd_uic_cmd_compl()<br /> <br /> The UIC completion interrupt may be disabled while an UIC command is<br /> being processed. When the UIC completion interrupt is reenabled, an UIC<br /> interrupt is triggered and the WARN_ON_ONCE(!cmd) statement is hit.<br /> Hence this patch that removes this kernel warning.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> lib/crypto: arm/poly1305: Fix register corruption in no-SIMD contexts<br /> <br /> Restore the SIMD usability check that was removed by commit 773426f4771b<br /> ("crypto: arm/poly1305 - Add block-only interface").<br /> <br /> This safety check is cheap and is well worth eliminating a footgun.<br /> While the Poly1305 functions should not be called when SIMD registers<br /> are unusable, if they are anyway, they should just do the right thing<br /> instead of corrupting random tasks&amp;#39; registers and/or computing incorrect<br /> MACs. Fixing this is also needed for poly1305_kunit to pass.<br /> <br /> Just use may_use_simd() instead of the original crypto_simd_usable(),<br /> since poly1305_kunit won&amp;#39;t rely on crypto_simd_disabled_for_test.

*** Pendiente de traducción *** A weakness has been identified in Campcodes Computer Sales and Inventory System 1.0. Impacted is an unknown function of the file /pages/us_transac.php?action=add. Executing manipulation of the argument Username can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be exploited.

*** Pendiente de traducción *** A security vulnerability has been detected in Campcodes Computer Sales and Inventory System 1.0. The affected element is an unknown function of the file /pages/cust_searchfrm.php?action=edit. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.

*** Pendiente de traducción *** The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial of service.