Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2024-45015

Publication date:
11/09/2024
In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable()

For cases where the crtc's connectors_changed was set without enable/active getting toggled, there is an atomic_enable() call followed by an atomic_disable() but without an atomic_mode_set().

This results in a NULL ptr access for the dpu_encoder_get_drm_fmt() call in the atomic_enable() as the dpu_encoder's connector was cleared in the atomic_disable() but not re-assigned as there was no atomic_mode_set() call.

Fix the NULL ptr access by moving the assignment for atomic_enable() and also use drm_atomic_get_new_connector_for_encoder() to get the connector from the atomic_state.

Patchwork: https://patchwork.freedesktop.org/patch/606729/
Severity CVSS v4.0: Pending analysis
Last modification:
13/09/2024

CVE-2024-45016

Publication date:
11/09/2024
In the Linux kernel, the following vulnerability has been resolved:

netem: fix return value if duplicate enqueue fails

There is a bug in netem_enqueue() introduced by commit 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec") that can lead to a use-after-free.

This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.

There are two ways for the bug to happen:

- If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped.
- If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped.

In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc.

The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2024-45017

Publication date:
11/09/2024
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix IPsec RoCE MPV trace call

Prevent the call trace below from happening, by not allowing IPsec creation over a slave, if master device doesn't support IPsec.
Severity CVSS v4.0: Pending analysis
Last modification:
13/09/2024

CVE-2024-45018

Publication date:
11/09/2024
In the Linux kernel, the following vulnerability has been resolved:

netfilter: flowtable: initialise extack before use

Fix missing initialisation of extack in flow offload.
Severity CVSS v4.0: Pending analysis
Last modification:
12/05/2026

CVE-2024-45019

Publication date:
11/09/2024
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Take state lock during tx timeout reporter

mlx5e_safe_reopen_channels() requires the state lock taken. The referenced change in the Fixes tag removed the lock to fix another issue. This patch adds it back but at a later point (when calling mlx5e_safe_reopen_channels()) to avoid the deadlock referenced in the Fixes tag.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2024-39378

Publication date:
11/09/2024
Audition versions 24.4.1, 23.6.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2024-4465

Publication date:
11/09/2024
An access control vulnerability was discovered in the Reports section due to a specific access restriction not being properly enforced for users with limited privileges.

If a logged-in user with reporting privileges learns how to create a specific application request, they might be able to make limited changes to the reporting configuration. This could result in a partial loss of data integrity. In Guardian/CMC instances with a reporting configuration, there could be limited Denial of Service (DoS) impacts, as the reports may not reach their intended destination, and there could also be limited information disclosure impacts. Furthermore, modifying the destination SMTP server for the reports could lead to the compromise of external credentials, as they might be sent to an unauthorized server. This could expand the scope of the attack.
Severity CVSS v4.0: Pending analysis
Last modification:
20/09/2024

CVE-2024-8306

Publication date:
11/09/2024
CWE-269: Improper Privilege Management vulnerability exists that could cause unauthorized access, loss of confidentiality, integrity and availability of the workstation when a non-admin authenticated user tries to perform privilege escalation by tampering with the binaries.
Severity CVSS v4.0: Pending analysis
Last modification:
18/09/2024

CVE-2024-43793

Publication date:
11/09/2024
Halo is an open source website building tool. A security vulnerability has been identified in versions prior to 2.19.0 of the Halo project. This vulnerability allows an attacker to execute malicious scripts in the user's browser through specific HTML and JavaScript code, potentially leading to a Cross-Site Scripting (XSS) attack. This vulnerability is fixed in 2.19.0.
Severity CVSS v4.0: Pending analysis
Last modification:
16/09/2024

CVE-2024-8638

Publication date:
11/09/2024
Type Confusion in V8 in Google Chrome prior to 128.0.6613.137 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)
Severity CVSS v4.0: Pending analysis
Last modification:
13/09/2024

CVE-2024-8639

Publication date:
11/09/2024
Use after free in Autofill in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Severity CVSS v4.0: Pending analysis
Last modification:
13/09/2024

CVE-2024-8642

Publication date:
11/09/2024
In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires a dataplane that is configured to support http proxy consumer pull AND includes the module "transfer-data-plane". The affected code was marked deprecated from version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.
Severity CVSS v4.0: MEDIUM
Last modification:
29/04/2026