[Security] Mitigation & Patch

jmccue · 03-29-2024, 01:33 PM

Quote:

Originally Posted by Petri Kaukasoina

Slackware doesn't seem to be affected.

Slackware 15 anyway

But maybe it is an issue with current ? see:

Quote:

Sat Mar 9 21:56:02 UTC 2024
a/xz-5.6.1-x86_64-1.txz: Upgraded.

reddog83 · 03-29-2024, 01:34 PM

Quote:

Originally Posted by jmccue

Slackware 15 anyway : But maybe it is an issue with current ? see:

That is why i posted it, I wasnt sure so I posted here so that we can find out if we are affected on current.

Petri Kaukasoina · 03-29-2024, 01:39 PM

The malicious code is inserted only when building a deb or rpm package of xz. Probably because some systemd based distros patch openssh to use liblzma (part of xz) and the idea is to have a backdoor in sshd.

ponce · 03-29-2024, 01:44 PM

thanks, Pat! <3

reddog83 · 03-29-2024, 01:45 PM

Quote:

Originally Posted by Petri Kaukasoina

The malicious code is inserted only when building a deb or rpm package of xz. Probably because some systemd based distros patch openssh to use liblzma (part of xz) and the idea is to have a backdoor in sshd.

I am thankful we dont have a backdoor in sshd then.....

marav · 03-31-2024, 06:38 PM

libarchive

We should probably highly consider this:

https://github.com/libarchive/libarchive/pull/2101
https://github.com/libarchive/libarchive/pull/1609

volkerdi · 03-31-2024, 07:58 PM

Yeah, I'd heard about the potential for libarchive issues. With Tavis Ormandy on the case, I think if there's an issue it'll be handled quickly.

marav · 04-03-2024, 03:59 PM

XWayland 23.2.5 and X.Org Server 21.1.12

CVE-2024-31080
CVE-2024-31081
CVE-2024-31082
CVE-2024-31083

Code:

Multiple issues have been found in the X server and Xwayland implementations
published by X.Org for which we are releasing security fixes for in
xorg-server-21.1.12 and xwayland-23.2.5.

https://lists.x.org/archives/xorg/20...il/061615.html

alex2grad · 04-04-2024, 09:08 AM

Apache HTTP Server 2.4.59 (released 2024-04-04)

*) SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by
memory exhaustion on endless continuation frames (cve.mitre.org)
HTTP/2 incoming headers exceeding the limit are temporarily
buffered in nghttp2 in order to generate an informative HTTP 413
response. If a client does not stop sending headers, this leads
to memory exhaustion.
Credits: Bartek Nowotarski (https://nowotarski.info/)

*) SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response
Splitting in multiple modules (cve.mitre.org)
HTTP Response splitting in multiple modules in Apache HTTP
Server allows an attacker that can inject malicious response
headers into backend applications to cause an HTTP
desynchronization attack.
Users are recommended to upgrade to version 2.4.59, which fixes
this issue.
Credits: Keran Mu, Tsinghua University and Zhongguancun
Laboratory.

*) SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response
splitting (cve.mitre.org)
Faulty input validation in the core of Apache allows malicious
or exploitable backend/content generators to split HTTP
responses.
This issue affects Apache HTTP Server: through 2.4.58.
Credits: Orange Tsai (@orange_8361) from DEVCORE

alex2grad · 04-04-2024, 09:12 AM

nghttp2 v1.61.0 (released 2024-04-04)

Fixes CVE-2024-28182

marav · 04-06-2024, 07:07 PM

polkit 124

Because of this new "systemd_dep"

Code:

../meson.build:222:37: ERROR: Unknown variable "systemd_dep".

that leads to a FTB if -Dsystemdsystemunitdir= isn't empty, we need these 2 patches:

https://gitweb.gentoo.org/repo/gento...-systemd.patch

https://gitweb.gentoo.org/repo/gento...md-fixup.patch

marav · 04-14-2024, 11:59 AM

less

Code:

less(1) does not correctly escape newlines in pathnames when 
constructing command line of the input preprocessor. If a user ran 
less(1) on files with untrusted names, this could result in execution of 
arbitrary code.

https://www.openwall.com/lists/oss-s...y/2024/04/12/5

Fix:
https://github.com/gwsw/less/commit/007521ac3c95bc76

GazL · 04-15-2024, 06:34 AM

I've never liked that feature of less. I use the -L option here.

marav · 04-18-2024, 06:20 AM

glibc

CVE-2024-2961

Code:

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output 
buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, 
which may be used to crash an application or overwrite a neighbouring variable.

affected from 2.1.93 before 2.40

https://www.cve.org/CVERecord?id=CVE-2024-2961

https://sourceware.org/git/?p=glibc....C-SA-2024-0004