ALT Vulnerability
This commit is contained in:
parent
f15048b0f5
commit
4f74dfc8a4
File diff suppressed because one or more lines are too long
@ -40,7 +40,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades dovecot to version 2.3.21.1-alt1. \nSecurity Fix(es):\n\n * CVE-2022-30550: An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.\n\n * CVE-2024-23184: description unavailable\n\n * CVE-2024-23185: description unavailable\n\n * #28373: Не работает control dovecot-auth\n\n * #39249: Некорректно указана принадлежность к группе у создаваемых с помощью tmpfiles.d каталога /run/dovecot/login\n\n * #41251: Просьба собрать dovecot с поддержкой fts_solr\n\n * #49253: в dovecot отсутствует libmech_gssapi.so и libauth_ldap.so\n\n * #50542: dovecot зависит от systemd",
|
||||
"Description": "This update upgrades dovecot to version 2.3.21.1-alt1. \nSecurity Fix(es):\n\n * CVE-2022-30550: An issue was discovered in the auth component in Dovecot 2.2 and 2.3 before 2.3.20. When two passdb configuration entries exist with the same driver and args settings, incorrect username_filter and mechanism settings can be applied to passdb definitions. These incorrectly applied settings can lead to an unintended security configuration and can permit privilege escalation in certain configurations. The documentation does not advise against the use of passdb definitions that have the same driver and args settings. One such configuration would be where an administrator wishes to use the same PAM configuration or passwd file for both normal and master users but use the username_filter setting to restrict which of the users is able to be a master user.\n\n * CVE-2024-23184: Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known.\n\n * CVE-2024-23185: Very large headers can cause resource exhaustion when parsing message. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to message-header-parser, it starts building up \"full_value\" buffer out of the smaller chunks. The full_value buffer has no size limit, so large headers can cause large memory usage. It doesn't matter whether it's a single long header line, or a single header split into multiple lines. This bug exists in all Dovecot versions. Incoming mails typically have some size limits set by MTA, so even largest possible header size may still fit into Dovecot's vsz_limit. So attackers probably can't DoS a victim user this way. A user could APPEND larger mails though, allowing them to DoS themselves (although maybe cause some memory issues for the backend in general). One can implement restrictions on headers on MTA component preceding Dovecot. No publicly available exploits are known.\n\n * #28373: Не работает control dovecot-auth\n\n * #39249: Некорректно указана принадлежность к группе у создаваемых с помощью tmpfiles.d каталога /run/dovecot/login\n\n * #41251: Просьба собрать dovecot с поддержкой fts_solr\n\n * #49253: в dovecot отсутствует libmech_gssapi.so и libauth_ldap.so\n\n * #50542: dovecot зависит от systemd",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "High",
|
||||
@ -60,6 +60,18 @@
|
||||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-30550",
|
||||
"Impact": "High",
|
||||
"Public": "20220717"
|
||||
},
|
||||
{
|
||||
"ID": "CVE-2024-23184",
|
||||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-23184",
|
||||
"Impact": "None",
|
||||
"Public": "20240910"
|
||||
},
|
||||
{
|
||||
"ID": "CVE-2024-23185",
|
||||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-23185",
|
||||
"Impact": "None",
|
||||
"Public": "20240910"
|
||||
}
|
||||
],
|
||||
"Bugzilla": [
|
||||
|
||||
@ -140,7 +140,7 @@
|
||||
{
|
||||
"ID": "CVE-2023-40548",
|
||||
"CVSS3": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
||||
"CWE": "CWE-190",
|
||||
"CWE": "CWE-787",
|
||||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-40548",
|
||||
"Impact": "High",
|
||||
"Public": "20240129"
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades kubernetes1.28 to version 1.28.10-alt1. \nSecurity Fix(es):\n\n * BDU:2024-02688: Уязвимость библиотек net/http и net/http2 языка программирования Go, связана с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2024-04110: Уязвимость компонента KUBE-APISERVER программного средства управления кластерами виртуальных машин Kubernetes, позволяющая нарушителю запускать контейнеры в обход политики безопасности\n\n * CVE-2023-45288: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.\n\n * CVE-2024-3177: A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.\n\n",
|
||||
"Description": "This update upgrades kubernetes1.28 to version 1.28.10-alt1. \nSecurity Fix(es):\n\n * BDU:2024-02688: Уязвимость библиотек net/http и net/http2 языка программирования Go, связана с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2024-04110: Уязвимость компонента KUBE-APISERVER программного средства управления кластерами виртуальных машин Kubernetes, позволяющая нарушителю запускать контейнеры в обход политики безопасности\n\n * CVE-2023-45288: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.\n\n * CVE-2024-3177: A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Low",
|
||||
|
||||
@ -35,7 +35,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades kubernetes1.27 to version 1.27.14-alt1. \nSecurity Fix(es):\n\n * BDU:2024-04110: Уязвимость компонента KUBE-APISERVER программного средства управления кластерами виртуальных машин Kubernetes, позволяющая нарушителю запускать контейнеры в обход политики безопасности\n\n * CVE-2024-3177: A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.\n\n",
|
||||
"Description": "This update upgrades kubernetes1.27 to version 1.27.14-alt1. \nSecurity Fix(es):\n\n * BDU:2024-04110: Уязвимость компонента KUBE-APISERVER программного средства управления кластерами виртуальных машин Kubernetes, позволяющая нарушителю запускать контейнеры в обход политики безопасности\n\n * CVE-2024-3177: A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Low",
|
||||
|
||||
File diff suppressed because one or more lines are too long
@ -140,7 +140,7 @@
|
||||
{
|
||||
"ID": "CVE-2023-40548",
|
||||
"CVSS3": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
||||
"CWE": "CWE-190",
|
||||
"CWE": "CWE-787",
|
||||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-40548",
|
||||
"Impact": "High",
|
||||
"Public": "20240129"
|
||||
|
||||
File diff suppressed because one or more lines are too long
@ -40,7 +40,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades dovecot to version 2.3.21.1-alt1. \nSecurity Fix(es):\n\n * CVE-2024-23184: description unavailable\n\n * CVE-2024-23185: description unavailable\n\n * #50542: dovecot зависит от systemd",
|
||||
"Description": "This update upgrades dovecot to version 2.3.21.1-alt1. \nSecurity Fix(es):\n\n * CVE-2024-23184: Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause outage. One can implement restrictions on address headers on MTA component preceding Dovecot. No publicly available exploits are known.\n\n * CVE-2024-23185: Very large headers can cause resource exhaustion when parsing message. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to message-header-parser, it starts building up \"full_value\" buffer out of the smaller chunks. The full_value buffer has no size limit, so large headers can cause large memory usage. It doesn't matter whether it's a single long header line, or a single header split into multiple lines. This bug exists in all Dovecot versions. Incoming mails typically have some size limits set by MTA, so even largest possible header size may still fit into Dovecot's vsz_limit. So attackers probably can't DoS a victim user this way. A user could APPEND larger mails though, allowing them to DoS themselves (although maybe cause some memory issues for the backend in general). One can implement restrictions on headers on MTA component preceding Dovecot. No publicly available exploits are known.\n\n * #50542: dovecot зависит от systemd",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Low",
|
||||
@ -52,6 +52,20 @@
|
||||
"Date": "2024-08-22"
|
||||
},
|
||||
"BDUs": null,
|
||||
"CVEs": [
|
||||
{
|
||||
"ID": "CVE-2024-23184",
|
||||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-23184",
|
||||
"Impact": "None",
|
||||
"Public": "20240910"
|
||||
},
|
||||
{
|
||||
"ID": "CVE-2024-23185",
|
||||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2024-23185",
|
||||
"Impact": "None",
|
||||
"Public": "20240910"
|
||||
}
|
||||
],
|
||||
"Bugzilla": [
|
||||
{
|
||||
"ID": "50542",
|
||||
|
||||
@ -107,7 +107,7 @@
|
||||
{
|
||||
"ID": "CVE-2023-40548",
|
||||
"CVSS3": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
||||
"CWE": "CWE-190",
|
||||
"CWE": "CWE-787",
|
||||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-40548",
|
||||
"Impact": "High",
|
||||
"Public": "20240129"
|
||||
|
||||
@ -40,7 +40,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades kubernetes1.27 to version 1.27.14-alt1. \nSecurity Fix(es):\n\n * BDU:2024-04110: Уязвимость компонента KUBE-APISERVER программного средства управления кластерами виртуальных машин Kubernetes, позволяющая нарушителю запускать контейнеры в обход политики безопасности\n\n * CVE-2024-3177: A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.\n\n",
|
||||
"Description": "This update upgrades kubernetes1.27 to version 1.27.14-alt1. \nSecurity Fix(es):\n\n * BDU:2024-04110: Уязвимость компонента KUBE-APISERVER программного средства управления кластерами виртуальных машин Kubernetes, позволяющая нарушителю запускать контейнеры в обход политики безопасности\n\n * CVE-2024-3177: A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Low",
|
||||
|
||||
@ -50,7 +50,7 @@
|
||||
"Source": "CVE"
|
||||
}
|
||||
],
|
||||
"Description": "This update upgrades kubernetes1.28 to version 1.28.10-alt1. \nSecurity Fix(es):\n\n * BDU:2024-02688: Уязвимость библиотек net/http и net/http2 языка программирования Go, связана с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2024-04110: Уязвимость компонента KUBE-APISERVER программного средства управления кластерами виртуальных машин Kubernetes, позволяющая нарушителю запускать контейнеры в обход политики безопасности\n\n * CVE-2023-45288: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.\n\n * CVE-2024-3177: A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.\n\n",
|
||||
"Description": "This update upgrades kubernetes1.28 to version 1.28.10-alt1. \nSecurity Fix(es):\n\n * BDU:2024-02688: Уязвимость библиотек net/http и net/http2 языка программирования Go, связана с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2024-04110: Уязвимость компонента KUBE-APISERVER программного средства управления кластерами виртуальных машин Kubernetes, позволяющая нарушителю запускать контейнеры в обход политики безопасности\n\n * CVE-2023-45288: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.\n\n * CVE-2024-3177: A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. The policy ensures pods running with a service account may only reference secrets specified in the service account’s secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with containers, init containers, and ephemeral containers with the envFrom field populated.",
|
||||
"Advisory": {
|
||||
"From": "errata.altlinux.org",
|
||||
"Severity": "Low",
|
||||
|
||||
File diff suppressed because one or more lines are too long
Loading…
x
Reference in New Issue
Block a user