Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> platform/surface: aggregator: Add missing call to ssam_request_sync_free()<br /> <br /> Although rare, ssam_request_sync_init() can fail. In that case, the<br /> request should be freed via ssam_request_sync_free(). Currently it is<br /> leaked instead. Fix this.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> platform/x86/amd: Fix refcount leak in amd_pmc_probe<br /> <br /> pci_get_domain_bus_and_slot() takes reference, the caller should release<br /> the reference by calling pci_dev_put() after use. Call pci_dev_put() in<br /> the error path to fix this.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: Fix macsec possible null dereference when updating MAC security entity (SecY)<br /> <br /> Upon updating MAC security entity (SecY) in hw offload path, the macsec<br /> security association (SA) initialization routine is called. In case of<br /> extended packet number (epn) is enabled the salt and ssci attributes are<br /> retrieved using the MACsec driver rx_sa context which is unavailable when<br /> updating a SecY property such as encoding-sa hence the null dereference.<br /> Fix by using the provided SA to set those attributes.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5e: IPoIB, Block PKEY interfaces with less rx queues than parent<br /> <br /> A user is able to configure an arbitrary number of rx queues when<br /> creating an interface via netlink. This doesn&amp;#39;t work for child PKEY<br /> interfaces because the child interface uses the parent receive channels.<br /> <br /> Although the child shares the parent&amp;#39;s receive channels, the number of<br /> rx queues is important for the channel_stats array: the parent&amp;#39;s rx<br /> channel index is used to access the child&amp;#39;s channel_stats. So the array<br /> has to be at least as large as the parent&amp;#39;s rx queue size for the<br /> counting to work correctly and to prevent out of bound accesses.<br /> <br /> This patch checks for the mentioned scenario and returns an error when<br /> trying to create the interface. The error is propagated to the user.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5: Fix command stats access after free<br /> <br /> Command may fail while driver is reloading and can&amp;#39;t accept FW commands<br /> till command interface is reinitialized. Such command failure is being<br /> logged to command stats. This results in NULL pointer access as command<br /> stats structure is being freed and reallocated during mlx5 devlink<br /> reload (see kernel log below).<br /> <br /> Fix it by making command stats statically allocated on driver probe.<br /> <br /> Kernel log:<br /> [ 2394.808802] BUG: unable to handle kernel paging request at 000000000002a9c0<br /> [ 2394.810610] PGD 0 P4D 0<br /> [ 2394.811811] Oops: 0002 [#1] SMP NOPTI<br /> ...<br /> [ 2394.815482] RIP: 0010:native_queued_spin_lock_slowpath+0x183/0x1d0<br /> ...<br /> [ 2394.829505] Call Trace:<br /> [ 2394.830667] _raw_spin_lock_irq+0x23/0x26<br /> [ 2394.831858] cmd_status_err+0x55/0x110 [mlx5_core]<br /> [ 2394.833020] mlx5_access_reg+0xe7/0x150 [mlx5_core]<br /> [ 2394.834175] mlx5_query_port_ptys+0x78/0xa0 [mlx5_core]<br /> [ 2394.835337] mlx5e_ethtool_get_link_ksettings+0x74/0x590 [mlx5_core]<br /> [ 2394.836454] ? kmem_cache_alloc_trace+0x140/0x1c0<br /> [ 2394.837562] __rh_call_get_link_ksettings+0x33/0x100<br /> [ 2394.838663] ? __rtnl_unlock+0x25/0x50<br /> [ 2394.839755] __ethtool_get_link_ksettings+0x72/0x150<br /> [ 2394.840862] duplex_show+0x6e/0xc0<br /> [ 2394.841963] dev_attr_show+0x1c/0x40<br /> [ 2394.843048] sysfs_kf_seq_show+0x9b/0x100<br /> [ 2394.844123] seq_read+0x153/0x410<br /> [ 2394.845187] vfs_read+0x91/0x140<br /> [ 2394.846226] ksys_read+0x4f/0xb0<br /> [ 2394.847234] do_syscall_64+0x5b/0x1a0<br /> [ 2394.848228] entry_SYSCALL_64_after_hwframe+0x65/0xca

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: idxd: Prevent use after free on completion memory<br /> <br /> On driver unload any pending descriptors are flushed at the<br /> time the interrupt is freed:<br /> idxd_dmaengine_drv_remove() -&gt;<br /> drv_disable_wq() -&gt;<br /> idxd_wq_free_irq() -&gt;<br /> idxd_flush_pending_descs().<br /> <br /> If there are any descriptors present that need to be flushed this<br /> flow triggers a "not present" page fault as below:<br /> <br /> BUG: unable to handle page fault for address: ff391c97c70c9040<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> <br /> The address that triggers the fault is the address of the<br /> descriptor that was freed moments earlier via:<br /> drv_disable_wq()-&gt;idxd_wq_free_resources()<br /> <br /> Fix the use after free by freeing the descriptors after any possible<br /> usage. This is done after idxd_wq_reset() to ensure that the memory<br /> remains accessible during possible completion writes by the device.

The Woo Inquiry plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 0.1 due to insufficient escaping on the user supplied parameter &amp;#39;dbid&amp;#39; and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan.

The Responsive video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s video settings function in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires responsive videos to be enabled for posts.

The OTA Sync Booking Engine Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.7. This is due to missing or incorrect nonce validation on the otasync_widget_settings_fnc() function. This makes it possible for unauthenticated attackers to update the plugin&amp;#39;s settings and inject malicious scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

The App Builder – Create Native Android &amp; iOS Apps On The Flight plugin for WordPress is vulnerable to limited SQL Injection via the ‘app-builder-search’ parameter in all versions up to, and including, 4.2.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

The LiquidPoll – Polls, Surveys, NPS and Feedback Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘form_data’ parameter in all versions up to, and including, 3.3.78 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.