Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults<br /> <br /> contpte_ptep_set_access_flags() compared the gathered ptep_get() value<br /> against the requested entry to detect no-ops. ptep_get() ORs AF/dirty<br /> from all sub-PTEs in the CONT block, so a dirty sibling can make the<br /> target appear already-dirty. When the gathered value matches entry, the<br /> function returns 0 even though the target sub-PTE still has PTE_RDONLY<br /> set in hardware.<br /> <br /> For a CPU with FEAT_HAFDBS this gathered view is fine, since hardware may<br /> set AF/dirty on any sub-PTE and CPU TLB behavior is effectively gathered<br /> across the CONT range. But page-table walkers that evaluate each<br /> descriptor individually (e.g. a CPU without DBM support, or an SMMU<br /> without HTTU, or with HA/HD disabled in CD.TCR) can keep faulting on the<br /> unchanged target sub-PTE, causing an infinite fault loop.<br /> <br /> Gathering can therefore cause false no-ops when only a sibling has been<br /> updated:<br /> - write faults: target still has PTE_RDONLY (needs PTE_RDONLY cleared)<br /> - read faults: target still lacks PTE_AF<br /> <br /> Fix by checking each sub-PTE against the requested AF/dirty/write state<br /> (the same bits consumed by __ptep_set_access_flags()), using raw<br /> per-PTE values rather than the gathered ptep_get() view, before<br /> returning no-op. Keep using the raw target PTE for the write-bit unfold<br /> decision.<br /> <br /> Per Arm ARM (DDI 0487) D8.7.1 ("The Contiguous bit"), any sub-PTE in a CONT<br /> range may become the effective cached translation and software must<br /> maintain consistent attributes across the range.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ata: libata-core: Disable LPM on ST1000DM010-2EP102<br /> <br /> According to a user report, the ST1000DM010-2EP102 has problems with LPM,<br /> causing random system freezes. The drive belongs to the same BarraCuda<br /> family as the ST2000DM008-2FR102 which has the same issue.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()<br /> <br /> sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead<br /> of the intended __be32 element size (4 bytes). Use sizeof(*meas) to<br /> correctly match the buffer element type.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL<br /> <br /> Apparently ICL may hang with an MCE if we write TRANS_VRR_VMAX/FLIPLINE<br /> before enabling TRANS_DDI_FUNC_CTL.<br /> <br /> Personally I was only able to reproduce a hang (on an Dell XPS 7390<br /> 2-in-1) with an external display connected via a dock using a dodgy<br /> type-C cable that made the link training fail. After the failed<br /> link training the machine would hang. TGL seemed immune to the<br /> problem for whatever reason.<br /> <br /> BSpec does tell us to configure VRR after enabling TRANS_DDI_FUNC_CTL<br /> as well. The DMC firmware also does the VRR restore in two stages:<br /> - first stage seems to be unconditional and includes TRANS_VRR_CTL<br /> and a few other VRR registers, among other things<br /> - second stage is conditional on the DDI being enabled,<br /> and includes TRANS_DDI_FUNC_CTL and TRANS_VRR_VMAX/VMIN/FLIPLINE,<br /> among other things<br /> <br /> So let&amp;#39;s reorder the steps to match to avoid the hang, and<br /> toss in an extra WARN to make sure we don&amp;#39;t screw this up later.<br /> <br /> BSpec: 22243<br /> (cherry picked from commit 93f3a267c3dd4d811b224bb9e179a10d81456a74)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ASoC: codecs: rt1011: Use component to get the dapm context in spk_mode_put<br /> <br /> The correct helper to use in rt1011_recv_spk_mode_put() to retrieve the<br /> DAPM context is snd_soc_component_to_dapm(), from kcontrol we will<br /> receive NULL pointer.

*** Pendiente de traducción *** Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) arp and ndp commands, and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view adjacent network information. <br /> <br /> <br /> <br /> Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

*** Pendiente de traducción *** A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

*** Pendiente de traducción *** NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

*** Pendiente de traducción *** A vulnerability exists in BIG-IP systems that may allow an authenticated attacker with administrative access to escalate their privileges. A successful exploit may allow the attacker to cross a security boundary.<br /> <br />  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

*** Pendiente de traducción *** When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.<br />  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

*** Pendiente de traducción *** An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privilege escalation.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

*** Pendiente de traducción *** When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.