Vulnerabilities

With the aim of informing, warning and helping professionals about the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, for example vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-43493

Publication date:
19/05/2026
In the Linux kernel, the following vulnerability has been resolved:

crypto: pcrypt - Fix handling of MAY_BACKLOG requests

MAY_BACKLOG requests can return EBUSY. Handle them by checking for that value and filtering out EINPROGRESS notifications.
Severity CVSS v4.0: Pending analysis
Last modification:
19/05/2026

CVE-2026-43491

Publication date:
19/05/2026
In the Linux kernel, the following vulnerability has been resolved:

net: qrtr: ns: Limit the maximum server registration per node

Current code does no bound checking on the number of servers added per node. A malicious client can flood NEW_SERVER messages and exhaust memory.

Fix this issue by limiting the maximum number of server registrations to 256 per node. If the NEW_SERVER message is received for an old port, then don't restrict it as it will get replaced. While at it, also rate limit the error messages in the failure path of qrtr_ns_worker().

Note that the limit of 256 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased.
Severity CVSS v4.0: Pending analysis
Last modification:
19/05/2026

CVE-2026-43492

Publication date:
19/05/2026
In the Linux kernel, the following vulnerability has been resolved:

lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()

Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting "lzeros" from the unsigned "nbytes".

For this to happen, the scatterlist "sgl" needs to occupy more bytes than the "nbytes" parameter and the first "nbytes + 1" bytes of the scatterlist must be zero. Under these conditions, the while loop iterating over the scatterlist will count more zeroes than "nbytes", subtract the number of zeroes from "nbytes" and cause the underflow.

When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to "nbytes".

However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto interface without scatterlists"), the underflow can now actually be triggered. When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger "out_len" than "in_len" and filling the "in" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the "src" and "dst" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug:

    sys_keyctl()
      keyctl_pkey_e_d_s()
        asymmetric_key_eds_op()
          software_key_eds_op()
            crypto_akcipher_sync_encrypt()
              crypto_akcipher_sync_prep()
              crypto_akcipher_encrypt()
                rsa_enc()
                  mpi_read_raw_from_sgl()

To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect.

Fix it.
Severity CVSS v4.0: Pending analysis
Last modification:
19/05/2026

CVE-2026-46722

Publication date:
19/05/2026
The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index.
Severity CVSS v4.0: MEDIUM
Last modification:
19/05/2026

CVE-2026-46723

Publication date:
19/05/2026
The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index.
Severity CVSS v4.0: MEDIUM
Last modification:
19/05/2026

CVE-2026-46724

Publication date:
19/05/2026
The file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system through path traversal sequences.
Severity CVSS v4.0: MEDIUM
Last modification:
19/05/2026

CVE-2026-46725

Publication date:
19/05/2026
The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings.
Severity CVSS v4.0: CRITICAL
Last modification:
19/05/2026

CVE-2026-8726

Publication date:
19/05/2026
The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled.
Severity CVSS v4.0: HIGH
Last modification:
19/05/2026

CVE-2026-8727

Publication date:
19/05/2026
The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task.
Severity CVSS v4.0: HIGH
Last modification:
19/05/2026

CVE-2026-8827

Publication date:
19/05/2026
The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection.
Severity CVSS v4.0: HIGH
Last modification:
19/05/2026

CVE-2026-31910

Publication date:
19/05/2026
Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
19/05/2026

CVE-2026-31986

Publication date:
19/05/2026
Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz.

This issue affects Apache OFBiz: before 24.09.06.

Users are recommended to upgrade to version 24.09.06, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
19/05/2026