Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/tcp: Disable TCP-AO static key after RCU grace period<br /> <br /> The lifetime of TCP-AO static_key is the same as the last<br /> tcp_ao_info. On the socket destruction tcp_ao_info ceases to be<br /> with RCU grace period, while tcp-ao static branch is currently deferred<br /> destructed. The static key definition is<br /> : DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);<br /> <br /> which means that if RCU grace period is delayed by more than a second<br /> and tcp_ao_needed is in the process of disablement, other CPUs may<br /> yet see tcp_ao_info which atent dead, but soon-to-be.<br /> And that breaks the assumption of static_key_fast_inc_not_disabled().<br /> <br /> See the comment near the definition:<br /> &gt; * The caller must make sure that the static key can&amp;#39;t get disabled while<br /> &gt; * in this function. It doesn&amp;#39;t patch jump labels, only adds a user to<br /> &gt; * an already enabled static key.<br /> <br /> Originally it was introduced in commit eb8c507296f6 ("jump_label:<br /> Prevent key-&gt;enabled int overflow"), which is needed for the atomic<br /> contexts, one of which would be the creation of a full socket from a<br /> request socket. In that atomic context, it&amp;#39;s known by the presence<br /> of the key (md5/ao) that the static branch is already enabled.<br /> So, the ref counter for that static branch is just incremented<br /> instead of holding the proper mutex.<br /> static_key_fast_inc_not_disabled() is just a helper for such usage<br /> case. But it must not be used if the static branch could get disabled<br /> in parallel as it&amp;#39;s not protected by jump_label_mutex and as a result,<br /> races with jump_label_update() implementation details.<br /> <br /> Happened on netdev test-bot[1], so not a theoretical issue:<br /> <br /> [] jump_label: Fatal kernel bug, unexpected op at tcp_inbound_hash+0x1a7/0x870 [ffffffffa8c4e9b7] (eb 50 0f 1f 44 != 66 90 0f 1f 00)) size:2 type:1<br /> [] ------------[ cut here ]------------<br /> [] kernel BUG at arch/x86/kernel/jump_label.c:73!<br /> [] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI<br /> [] CPU: 3 PID: 243 Comm: kworker/3:3 Not tainted 6.10.0-virtme #1<br /> [] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014<br /> [] Workqueue: events jump_label_update_timeout<br /> [] RIP: 0010:__jump_label_patch+0x2f6/0x350<br /> ...<br /> [] Call Trace:<br /> [] <br /> [] arch_jump_label_transform_queue+0x6c/0x110<br /> [] __jump_label_update+0xef/0x350<br /> [] __static_key_slow_dec_cpuslocked.part.0+0x3c/0x60<br /> [] jump_label_update_timeout+0x2c/0x40<br /> [] process_one_work+0xe3b/0x1670<br /> [] worker_thread+0x587/0xce0<br /> [] kthread+0x28a/0x350<br /> [] ret_from_fork+0x31/0x70<br /> [] ret_from_fork_asm+0x1a/0x30<br /> [] <br /> [] Modules linked in: veth<br /> [] ---[ end trace 0000000000000000 ]---<br /> [] RIP: 0010:__jump_label_patch+0x2f6/0x350<br /> <br /> [1]: https://netdev-3.bots.linux.dev/vmksft-tcp-ao-dbg/results/696681/5-connect-deny-ipv6/stderr

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: list_lru: fix UAF for memory cgroup<br /> <br /> The mem_cgroup_from_slab_obj() is supposed to be called under rcu lock or<br /> cgroup_mutex or others which could prevent returned memcg from being<br /> freed. Fix it by adding missing rcu read lock.<br /> <br /> Found by code inspection.<br /> <br /> [songmuchun@bytedance.com: only grab rcu lock when necessary, per Vlastimil]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> padata: Fix possible divide-by-0 panic in padata_mt_helper()<br /> <br /> We are hit with a not easily reproducible divide-by-0 panic in padata.c at<br /> bootup time.<br /> <br /> [ 10.017908] Oops: divide error: 0000 1 PREEMPT SMP NOPTI<br /> [ 10.017908] CPU: 26 PID: 2627 Comm: kworker/u1666:1 Not tainted 6.10.0-15.el10.x86_64 #1<br /> [ 10.017908] Hardware name: Lenovo ThinkSystem SR950 [7X12CTO1WW]/[7X12CTO1WW], BIOS [PSE140J-2.30] 07/20/2021<br /> [ 10.017908] Workqueue: events_unbound padata_mt_helper<br /> [ 10.017908] RIP: 0010:padata_mt_helper+0x39/0xb0<br /> :<br /> [ 10.017963] Call Trace:<br /> [ 10.017968] <br /> [ 10.018004] ? padata_mt_helper+0x39/0xb0<br /> [ 10.018084] process_one_work+0x174/0x330<br /> [ 10.018093] worker_thread+0x266/0x3a0<br /> [ 10.018111] kthread+0xcf/0x100<br /> [ 10.018124] ret_from_fork+0x31/0x50<br /> [ 10.018138] ret_from_fork_asm+0x1a/0x30<br /> [ 10.018147] <br /> <br /> Looking at the padata_mt_helper() function, the only way a divide-by-0<br /> panic can happen is when ps-&gt;chunk_size is 0. The way that chunk_size is<br /> initialized in padata_do_multithreaded(), chunk_size can be 0 when the<br /> min_chunk in the passed-in padata_mt_job structure is 0.<br /> <br /> Fix this divide-by-0 panic by making sure that chunk_size will be at least<br /> 1 no matter what the input parameters are.

Improper Neutralization of Input done by an attacker with admin privileges (&amp;#39;Cross-site Scripting&amp;#39;) in  OTRS (System Configuration modules) and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the System Configuration targeting other admins.<br /> This issue affects: <br /> <br /> * OTRS from 7.0.X through 7.0.50<br /> * OTRS 8.0.X<br /> * OTRS 2023.X<br /> * OTRS from 2024.X through 2024.5.X<br /> * ((OTRS)) Community Edition: 6.0.x<br /> <br /> Products based on the ((OTRS)) Community Edition also very likely to be affected

Improper Neutralization of Input done by an attacker with admin privileges (&amp;#39;Cross-site Scripting&amp;#39;) in Process Management modules of OTRS and ((OTRS)) Community Edition allows Cross-Site Scripting (XSS) within the Process Management targeting other admins.<br /> This issue affects: <br /> <br /> * OTRS from 7.0.X through 7.0.50<br /> * OTRS 8.0.X<br /> * OTRS 2023.X<br /> * OTRS from 2024.X through 2024.5.X<br /> * ((OTRS)) Community Edition: 6.0.x<br /> <br /> Products based on the ((OTRS)) Community Edition also very likely to be affected

Passwords of agents and customers are displayed in plain text in the OTRS admin log module if certain configurations regarding the authentication sources match and debugging for the authentication backend has been enabled.<br /> <br /> This issue affects: <br /> <br /> * OTRS from 7.0.X through 7.0.50<br /> * OTRS 8.0.X<br /> * OTRS 2023.X<br /> * OTRS from 2024.X through 2024.5.X<br /> * ((OTRS)) Community Edition: 6.0.x<br /> <br /> Products based on the ((OTRS)) Community Edition also very likely to be affected

SQL injection vulnerability in ATISolutions CIGES affecting versions lower than 2.15.5. This vulnerability allows a remote attacker to send a specially crafted SQL query to the /modules/ajaxServiciosCentro.php point in the idCentro parameter and retrieve all the information stored in the database.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: MGMT: Add error handling to pair_device()<br /> <br /> hci_conn_params_add() never checks for a NULL value and could lead to a NULL<br /> pointer dereference causing a crash.<br /> <br /> Fixed by adding error handling in the function.

A traversal vulnerability in GeneralDocs.aspx in CentralSquare CryWolf (False Alarm Management) through 2024-08-09 allows unauthenticated attackers to read files outside of the working web directory via the rpt parameter, leading to the disclosure of sensitive information.

An arbitrary file write issue in the exfiltration endpoint in BYOB (Build Your Own Botnet) 2.0 allows attackers to overwrite SQLite databases and bypass authentication via an unauthenticated HTTP request with a crafted parameter. This occurs in file_add in api/files/routes.py.

Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.

The Quiz and Survey Master (QSM) WordPress plugin before 9.1.1 fails to validate and escape certain Quiz fields before displaying them on a page or post where the Quiz is embedded, which could allows contributor and above roles to perform Stored Cross-Site Scripting (XSS) attacks.