Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pds_core: Prevent possible adminq overflow/stuck condition<br /> <br /> The pds_core&amp;#39;s adminq is protected by the adminq_lock, which prevents<br /> more than 1 command to be posted onto it at any one time. This makes it<br /> so the client drivers cannot simultaneously post adminq commands.<br /> However, the completions happen in a different context, which means<br /> multiple adminq commands can be posted sequentially and all waiting<br /> on completion.<br /> <br /> On the FW side, the backing adminq request queue is only 16 entries<br /> long and the retry mechanism and/or overflow/stuck prevention is<br /> lacking. This can cause the adminq to get stuck, so commands are no<br /> longer processed and completions are no longer sent by the FW.<br /> <br /> As an initial fix, prevent more than 16 outstanding adminq commands so<br /> there&amp;#39;s no way to cause the adminq from getting stuck. This works<br /> because the backing adminq request queue will never have more than 16<br /> pending adminq commands, so it will never overflow. This is done by<br /> reducing the adminq depth to 16.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: typec: class: Invalidate USB device pointers on partner unregistration<br /> <br /> To avoid using invalid USB device pointers after a Type-C partner<br /> disconnects, this patch clears the pointers upon partner unregistration.<br /> This ensures a clean state for future connections.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP()<br /> <br /> Herbert notes that DIV_ROUND_UP() may overflow unnecessarily if an ecdsa<br /> implementation&amp;#39;s -&gt;key_size() callback returns an unusually large value.<br /> Herbert instead suggests (for a division by 8):<br /> <br /> X / 8 + !!(X &amp; 7)<br /> <br /> Based on this formula, introduce a generic DIV_ROUND_UP_POW2() macro and<br /> use it in lieu of DIV_ROUND_UP() for -&gt;key_size() return values.<br /> <br /> Additionally, use the macro in ecc_digits_from_bytes(), whose "nbytes"<br /> parameter is a -&gt;key_size() return value in some instances, or a<br /> user-specified ASN.1 length in the case of ecdsa_get_signature_rs().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> USB: wdm: close race between wdm_open and wdm_wwan_port_stop<br /> <br /> Clearing WDM_WWAN_IN_USE must be the last action or<br /> we can open a chardev whose URBs are still poisoned

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: phy: leds: fix memory leak<br /> <br /> A network restart test on a router led to an out-of-memory condition,<br /> which was traced to a memory leak in the PHY LED trigger code.<br /> <br /> The root cause is misuse of the devm API. The registration function<br /> (phy_led_triggers_register) is called from phy_attach_direct, not<br /> phy_probe, and the unregister function (phy_led_triggers_unregister)<br /> is called from phy_detach, not phy_remove. This means the register and<br /> unregister functions can be called multiple times for the same PHY<br /> device, but devm-allocated memory is not freed until the driver is<br /> unbound.<br /> <br /> This also prevents kmemleak from detecting the leak, as the devm API<br /> internally stores the allocated pointer.<br /> <br /> Fix this by replacing devm_kzalloc/devm_kcalloc with standard<br /> kzalloc/kcalloc, and add the corresponding kfree calls in the unregister<br /> path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()<br /> <br /> The function brcmf_usb_dl_writeimage() calls the function<br /> brcmf_usb_dl_cmd() but dose not check its return value. The<br /> &amp;#39;state.state&amp;#39; and the &amp;#39;state.bytes&amp;#39; are uninitialized if the<br /> function brcmf_usb_dl_cmd() fails. It is dangerous to use<br /> uninitialized variables in the conditions.<br /> <br /> Add error handling for brcmf_usb_dl_cmd() to jump to error<br /> handling path if the brcmf_usb_dl_cmd() fails and the<br /> &amp;#39;state.state&amp;#39; and the &amp;#39;state.bytes&amp;#39; are uninitialized.<br /> <br /> Improve the error message to report more detailed error<br /> information.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> parisc: Fix double SIGFPE crash<br /> <br /> Camm noticed that on parisc a SIGFPE exception will crash an application with<br /> a second SIGFPE in the signal handler. Dave analyzed it, and it happens<br /> because glibc uses a double-word floating-point store to atomically update<br /> function descriptors. As a result of lazy binding, we hit a floating-point<br /> store in fpe_func almost immediately.<br /> <br /> When the T bit is set, an assist exception trap occurs when when the<br /> co-processor encounters *any* floating-point instruction except for a double<br /> store of register %fr0. The latter cancels all pending traps. Let&amp;#39;s fix this<br /> by clearing the Trap (T) bit in the FP status register before returning to the<br /> signal handler in userspace.<br /> <br /> The issue can be reproduced with this test program:<br /> <br /> root@parisc:~# cat fpe.c<br /> <br /> static void fpe_func(int sig, siginfo_t *i, void *v) {<br /> sigset_t set;<br /> sigemptyset(&amp;set);<br /> sigaddset(&amp;set, SIGFPE);<br /> sigprocmask(SIG_UNBLOCK, &amp;set, NULL);<br /> printf("GOT signal %d with si_code %ld\n", sig, i-&gt;si_code);<br /> }<br /> <br /> int main() {<br /> struct sigaction action = {<br /> .sa_sigaction = fpe_func,<br /> .sa_flags = SA_RESTART|SA_SIGINFO };<br /> sigaction(SIGFPE, &amp;action, 0);<br /> feenableexcept(FE_OVERFLOW);<br /> return printf("%lf\n",1.7976931348623158E308*1.7976931348623158E308);<br /> }<br /> <br /> root@parisc:~# gcc fpe.c -lm<br /> root@parisc:~# ./a.out<br /> Floating point exception<br /> <br /> root@parisc:~# strace -f ./a.out<br /> execve("./a.out", ["./a.out"], 0xf9ac7034 /* 20 vars */) = 0<br /> getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0<br /> ...<br /> rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0<br /> --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---<br /> --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} ---<br /> +++ killed by SIGFPE +++<br /> Floating point exception

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> qibfs: fix _another_ leak<br /> <br /> failure to allocate inode =&gt; leaked dentry...<br /> <br /> this one had been there since the initial merge; to be fair,<br /> if we are that far OOM, the odds of failing at that particular<br /> allocation are low...

This High severity PrivEsc (Privilege Escalation) vulnerability was introduced in versions:<br /> <br /> 9.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Core Data Center and Server<br /> <br /> 5.12.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Service Management Data Center and Server<br /> <br /> This PrivEsc (Privilege Escalation) vulnerability, with a CVSS Score of 7.2, allows an attacker to perform actions as a higher-privileged user. <br /> <br /> Atlassian recommends that Jira Core Data Center and Server and Jira Service Management Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:<br /> <br /> Jira Core Data Center and Server 9.12: Upgrade to a release greater than or equal to 9.12.20<br /> <br /> Jira Service Management Data Center and Server 5.12: Upgrade to a release greater than or equal to 5.12.20<br /> <br /> Jira Core Data Center 10.3: Upgrade to a release greater than or equal to 10.3.5<br /> <br /> Jira Service Management Data Center 10.3: Upgrade to a release greater than or equal to 10.3.5<br /> <br /> Jira Core Data Center 10.4: Upgrade to a release greater than or equal to 10.6.0<br /> <br /> Jira Service Management Data Center 10.4: Upgrade to a release greater than or equal to 10.6.0<br /> <br /> Jira Core Data Center 10.5: Upgrade to a release greater than or equal to 10.5.1<br /> <br /> Jira Service Management Data Center 10.5: Upgrade to a release greater than or equal to 10.5.1<br /> <br /> See the release notes. You can download the latest version of Jira Core Data Center and Jira Service Management Data Center from the download center. <br /> <br /> This vulnerability was reported via our Atlassian (Internal) program.

D-link DI-8100 16.07.26A1 is vulnerable to Command Injection. An attacker can exploit this vulnerability by crafting specific HTTP requests, triggering the command execution flaw and gaining the highest privilege shell access to the firmware system.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: smartpqi: Use is_kdump_kernel() to check for kdump<br /> <br /> The smartpqi driver checks the reset_devices variable to determine<br /> whether special adjustments need to be made for kdump. This has the<br /> effect that after a regular kexec reboot, some driver parameters such as<br /> max_transfer_size are much lower than usual. More importantly, kexec<br /> reboot tests have revealed memory corruption caused by the driver log<br /> being written to system memory after a kexec.<br /> <br /> Fix this by testing is_kdump_kernel() rather than reset_devices where<br /> appropriate.