Software Name Software Version
openEuler:bind 9.16.23-15.oe2203sp1
openEuler:samba 4.17.5-4.oe2203sp1
openEuler:glibc 2.34-105.oe2203sp1
openEuler:ncurses 6.3-5.oe2203sp1
openEuler:unbound 1.13.2-7.oe2203sp1
openEuler:util-linux 2.37.2-13.oe2203sp1
openEuler:libarchive 3.5.2-5.oe2203sp1
openEuler:gcc 10.3.1-20.oe2203sp1
openEuler:sudo 1.9.8p2-7.oe2203sp1
openEuler:unbound 1.13.2-7.oe2203sp1
openEuler:openssl 1.1.1m-15.oe2203sp1
openEuler:openssl 1.1.1m-15.oe2203sp1
openEuler:openssl 1.1.1m-15.oe2203sp1
openEuler:c-ares 1.18.1-5.oe2203sp1
openEuler:krb5 1.19.2-6.oe2203sp1
openEuler:libarchive 3.5.2-5.oe2203sp1
OpenSSL 3.0.9
openEuler:samba 4.17.5-4.oe2203sp1
openEuler:gnutls 3.7.2-6.oe2203sp1
openEuler:avahi 0.8-14.oe2203sp1
openEuler:util-linux 2.37.2-13.oe2203sp1
openEuler:expat 2.4.1-8.oe2203sp3
openEuler:libxml2 2.9.14-4.oe2203sp1
openEuler:libssh 0.9.6-5.oe2203sp1
openEuler:libssh 0.9.6-5.oe2203sp1
openEuler:avahi 0.8-14.oe2203sp1
openEuler:openssl 1.1.1m-15.oe2203sp1
openEuler:c-ares 1.18.1-5.oe2203sp1
OpenSSL 3.0.9
openEuler:sysstat 12.5.4-5.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:expat 2.4.1-8.oe2203sp1
openEuler:glibc 2.34-105.oe2203sp1
openEuler:curl 7.79.1-14.oe2203sp1
openEuler:gnutls 3.7.2-6.oe2203sp1
openEuler:sudo 1.9.8p2-7.oe2203sp1
openEuler:libndp 1.8-2.oe2203sp1
openEuler:nghttp2 1.46.0-3.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:less 590-3.oe2203sp1
openEuler:bind 9.16.23-15.oe2203sp1
openEuler:bind 9.16.23-15.oe2203sp1
openEuler:dbus 1.12.20-8.oe2203sp1
openEuler:avahi 0.8-14.oe2203sp1
openEuler:bind 9.16.23-15.oe2203sp1
openEuler:libuv 1.42.0-5.oe2203sp1
openEuler:curl 7.79.1-14.oe2203sp1
OpenSSL 3.0.9
openEuler:openssh 8.8p1-18.oe2203sp1
openEuler:expat 2.4.1-8.oe2203sp1
openEuler:pcre2 10.39-6.oe2203sp1
openEuler:openssh 8.8p1-18.oe2203sp1
openEuler:procps-ng 4.0.0-4.oe2203sp1
openEuler:gawk 5.1.1-3.oe2203sp1
openEuler:c-ares 1.18.1-5.oe2203sp1
openEuler:ncurses 6.3-5.oe2203sp1
openEuler:glibc 2.34-105.oe2203sp1
openEuler:expat 2.4.1-8.oe2203sp1
openEuler:unbound 1.13.2-7.oe2203sp1
openEuler:avahi 0.8-14.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:glib2 2.72.2-5.oe2203sp1
openEuler:unbound 1.13.2-7.oe2203sp1
openEuler:samba 4.17.5-4.oe2203sp1
openEuler:bind 9.16.23-15.oe2203sp1
openEuler:libxml2 2.9.14-4.oe2203sp1
openEuler:glibc 2.34-105.oe2203sp1
openEuler:libssh 0.9.6-5.oe2203sp1
openEuler:openssh 8.8p1-18.oe2203sp1
openEuler:expat 2.4.1-8.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:bind 9.16.23-15.oe2203sp1
openEuler:openssl 1.1.1m-15.oe2203sp1
openEuler:openssh 8.8p1-18.oe2203sp1
openEuler:glib2 2.72.2-5.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
OpenSSL 3.0.9
openEuler:grub2 2.06-20.oe2203sp1
openEuler:bind 9.16.23-15.oe2203sp1
openEuler:glib2 2.72.2-5.oe2203sp1
openEuler:sqlite 3.37.2-5.oe2203sp1
openEuler:openssl 1.1.1m-15.oe2203sp1
openEuler:glibc 2.34-105.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:krb5 1.19.2-6.oe2203sp1
openEuler:samba 4.17.5-4.oe2203sp1
openEuler:sysstat 12.5.4-5.oe2203sp1
cJSON 1.7.17
openEuler:zlib 1.2.11-22.oe2203sp1
openEuler:avahi 0.8-14.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:glib2 2.72.2-5.oe2203sp1
openEuler:curl 7.79.1-14.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:samba 4.17.5-4.oe2203sp1
openEuler:expat 2.4.1-8.oe2203sp1
openEuler:nghttp2 1.46.0-3.oe2203sp1
openEuler:openssl 1.1.1m-15.oe2203sp1
OpenSSL 3.0.9
OpenSSL 3.0.9
openEuler:bind 9.16.23-15.oe2203sp1
OpenSSL 3.0.9
openEuler:glibc 2.34-105.oe2203sp1
OpenSSL 3.0.9
openEuler:krb5 1.19.2-6.oe2203sp1
openEuler:libxml2 2.9.14-4.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:gnutls 3.7.2-6.oe2203sp1
openEuler:file 5.41-2.oe2203sp1
openEuler:openssh 8.8p1-18.oe2203sp1
openEuler:systemd 249-44.oe2203sp1
openEuler:ncurses 6.3-5.oe2203sp1
openEuler:grub2 2.06-20.oe2203sp1
openEuler:openssh 8.8p1-18.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:libfastjson 0.99.9-2.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:samba 4.17.5-4.oe2203sp1
openEuler:curl 7.79.1-14.oe2203sp1
openEuler:curl 7.79.1-14.oe2203sp1
openEuler:freetype 2.12.1-1.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
OpenSSL 3.0.9
OpenSSL 3.0.9
openEuler:grub2 2.06-20.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:less 590-3.oe2203sp1
openEuler:pam 1.5.2-4.oe2203sp1
openEuler:glib2 2.72.2-5.oe2203sp1
openEuler:bind 9.16.23-15.oe2203sp1
openEuler:libssh 0.9.6-5.oe2203sp1
openEuler:samba 4.17.5-4.oe2203sp1
openEuler:glib2 2.72.2-5.oe2203sp1
openEuler:syslinux 6.04-13.oe2203sp1
openEuler:curl 7.79.1-14.oe2203sp1
openEuler:tpm2-tss 3.1.0-2.oe2203sp1
openEuler:zstd 1.5.0-2.oe2203sp1
openEuler:samba 4.17.5-4.oe2203sp1
openEuler:curl 7.79.1-14.oe2203sp1
openEuler:curl 7.79.1-14.oe2203sp1
openEuler:lua 5.4.3-9.oe2203sp1
openEuler:libcap 2.61-4.oe2203sp1
openEuler:libssh 0.9.6-5.oe2203sp1
openEuler:curl 7.79.1-14.oe2203sp1
openEuler:curl 7.79.1-14.oe2203sp1
openEuler:glibc 2.34-105.oe2203sp1
openEuler:tar 1.34-3.oe2203sp1
openEuler:nghttp2 1.46.0-3.oe2203sp1
openEuler:unbound 1.13.2-7.oe2203sp1
openEuler:samba 4.17.5-4.oe2203sp1
openEuler:gnutls 3.7.2-6.oe2203sp1
openEuler:tar 1.34-3.oe2203sp1
openEuler:sudo 1.9.8p2-7.oe2203sp1
openEuler:gnutls 3.7.2-6.oe2203sp1
openEuler:bind 9.16.23-15.oe2203sp1
openEuler:systemd 249-44.oe2203sp1
openEuler:expat 2.4.1-8.oe2203sp3
openEuler:curl 7.79.1-14.oe2203sp1
openEuler:c-ares 1.18.1-5.oe2203sp1
openEuler:syslinux 6.04-13.oe2203sp1
openEuler:libxml2 2.9.14-4.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:samba 4.17.5-4.oe2203sp1
openEuler:bind 9.16.23-15.oe2203sp1
openEuler:glibc 2.34-105.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:systemd 249-44.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:openssl 1.1.1m-15.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:samba 4.17.5-4.oe2203sp1
openEuler:expat 2.4.1-8.oe2203sp3
openEuler:openssl 1.1.1m-15.oe2203sp1
openEuler:sssd 2.6.1-8.oe2203sp1
OpenSSL 3.0.9
openEuler:avahi 0.8-14.oe2203sp1
openEuler:libcap 2.61-4.oe2203sp1
openEuler:gnutls 3.7.2-6.oe2203sp1
openEuler:syslinux 6.04-13.oe2203sp1
openEuler:syslinux 6.04-13.oe2203sp1
openEuler:libksba 1.6.0-2.oe2203sp1
openEuler:glibc 2.34-105.oe2203sp1
openEuler:libxml2 2.9.14-4.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:c-ares 1.18.1-5.oe2203sp1
cJSON 1.7.17
openEuler:tpm2-tss 3.1.0-2.oe2203sp1
OpenSSL 3.0.9
openEuler:expat 2.4.1-8.oe2203sp1
openEuler:glibc 2.34-105.oe2203sp1
openEuler:curl 7.79.1-14.oe2203sp1
openEuler:curl 7.79.1-14.oe2203sp1
openEuler:glibc 2.34-105.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:vim 9.0-7.oe2203sp1
openEuler:bind 9.16.23-15.oe2203sp1
openEuler:sudo 1.9.8p2-7.oe2203sp1
Note: An actual CVSS score of 0 means that
the product has no attack scenario for the
vulnerability and is not affected by it (for
example, the code is not compiled, the code is
not called, or a compilation option provides
protection).
Vulnerability ID CVE ID
HWPSIRT-2024-51028 CVE-2023-50387
HWPSIRT-2023-58704 CVE-2023-42670
HWPSIRT-2023-52436 CVE-2023-4813
HWPSIRT-2023-47433 CVE-2023-50495
HWPSIRT-2024-62377 CVE-2023-50868
HWPSIRT-2024-82197 CVE-2024-28085
HWPSIRT-2024-24043 CVE-2024-20696
HWPSIRT-2023-50747 CVE-2023-4039
HWPSIRT-2023-23283 CVE-2023-27320
HWPSIRT-2024-99538 CVE-2024-43168
HWPSIRT-2023-97265 CVE-2023-5678
HWPSIRT-2024-27808 CVE-2024-4741
HWPSIRT-2024-09137 CVE-2024-2511
HWPSIRT-2023-50338 CVE-2023-31124
HWPSIRT-2024-22950 CVE-2024-37371
HWPSIRT-2021-52372 CVE-2021-36976
HWPSIRT-2024-11517 CVE-2023-6237
HWPSIRT-2023-12830 CVE-2023-3347
HWPSIRT-2024-00605 CVE-2024-0567
HWPSIRT-2023-67595 CVE-2023-38470
HWPSIRT-2022-94534 CVE-2022-0563
HWPSIRT-2024-16316 CVE-2024-28757
HWPSIRT-2023-67198 CVE-2023-45322
HWPSIRT-2023-83818 CVE-2023-6918
HWPSIRT-2023-45764 CVE-2023-48795
HWPSIRT-2023-10469 CVE-2023-38471
HWPSIRT-2024-83093 CVE-2024-0727
HWPSIRT-2023-46789 CVE-2023-31147
HWPSIRT-2023-24621 CVE-2023-4807
HWPSIRT-2022-73960 CVE-2022-39377
HWPSIRT-2023-84396 CVE-2023-4752
HWPSIRT-2024-88446 CVE-2023-52426
HWPSIRT-2023-97693 CVE-2023-4806
HWPSIRT-2023-91319 CVE-2023-27538
HWPSIRT-2024-02244 CVE-2024-0553
HWPSIRT-2023-40031 CVE-2023-28487
HWPSIRT-2024-94212 CVE-2024-5564
HWPSIRT-2023-50241 CVE-2023-44487
HWPSIRT-2023-63458 CVE-2023-4781
HWPSIRT-2024-84133 CVE-2024-41965
HWPSIRT-2024-10484 CVE-2022-48624
HWPSIRT-2024-91723 CVE-2024-1975
HWPSIRT-2024-64814 CVE-2024-4076
HWPSIRT-2023-08955 CVE-2023-34969
HWPSIRT-2023-20129 CVE-2023-38472
HWPSIRT-2023-95541 CVE-2023-3341
HWPSIRT-2024-79672 CVE-2024-24806
HWPSIRT-2023-17726 CVE-2023-46218
HWPSIRT-2023-90147 CVE-2023-2975
HWPSIRT-2023-87020 CVE-2023-38408
HWPSIRT-2024-89801 CVE-2024-45492
HWPSIRT-2023-14954 CVE-2022-41409
HWPSIRT-2023-96770 CVE-2023-51385
HWPSIRT-2023-87296 CVE-2023-4016
HWPSIRT-2023-43952 CVE-2023-4156
HWPSIRT-2023-65244 CVE-2023-31130
HWPSIRT-2023-45855 CVE-2023-29491
HWPSIRT-2024-16403 CVE-2024-2961
HWPSIRT-2024-16316 CVE-2024-28757
HWPSIRT-2024-08527 CVE-2024-1488
HWPSIRT-2023-51224 CVE-2023-38473
HWPSIRT-2023-91602 CVE-2023-4734
HWPSIRT-2023-19877 CVE-2023-32636
HWPSIRT-2024-51028 CVE-2023-50387
HWPSIRT-2023-20369 CVE-2023-34967
HWPSIRT-2024-40846 CVE-2024-1737
HWPSIRT-2024-46381 CVE-2024-25062
HWPSIRT-2024-95073 CVE-2024-33602
HWPSIRT-2023-01874 CVE-2023-2283
HWPSIRT-2024-30058 CVE-2024-6409
HWPSIRT-2024-24724 CVE-2023-52425
HWPSIRT-2024-97257 CVE-2024-43374
HWPSIRT-2024-62377 CVE-2023-50868
HWPSIRT-2023-63472 CVE-2023-3446
HWPSIRT-2023-45764 CVE-2023-48795
HWPSIRT-2023-34906 CVE-2023-32665
HWPSIRT-2024-80237 CVE-2024-41957
HWPSIRT-2024-83093 CVE-2024-0727
HWPSIRT-2023-65991 CVE-2023-4693
HWPSIRT-2024-70439 CVE-2023-5517
HWPSIRT-2023-68205 CVE-2023-29499
HWPSIRT-2023-26427 CVE-2023-7104
HWPSIRT-2024-55293 CVE-2024-5535
HWPSIRT-2024-41241 CVE-2024-33601
HWPSIRT-2023-95078 CVE-2023-2426
HWPSIRT-2023-60307 CVE-2023-48237
HWPSIRT-2023-94697 CVE-2023-36054
HWPSIRT-2023-89882 CVE-2023-4154
HWPSIRT-2023-90583 CVE-2023-33204
HWPSIRT-2024-34482
HWPSIRT-2023-88530 CVE-2023-45853
HWPSIRT-2023-01423 CVE-2023-1981
HWPSIRT-2023-94653 CVE-2023-4751
HWPSIRT-2024-22921 CVE-2024-34397
HWPSIRT-2023-24291 CVE-2023-38546
HWPSIRT-2023-47384 CVE-2023-2610
HWPSIRT-2023-27246 CVE-2018-14628
HWPSIRT-2024-18409 CVE-2024-45490
HWPSIRT-2023-40009 CVE-2023-35945
HWPSIRT-2023-33676 CVE-2023-2650
HWPSIRT-2023-97265 CVE-2023-5678
HWPSIRT-2024-27808 CVE-2024-4741
HWPSIRT-2023-98301 CVE-2023-2911
HWPSIRT-2024-73380 CVE-2024-4603
HWPSIRT-2023-95316 CVE-2023-0687
HWPSIRT-2024-09137 CVE-2024-2511
HWPSIRT-2024-42060 CVE-2024-37370
HWPSIRT-2024-86633 CVE-2024-34459
HWPSIRT-2023-44784 CVE-2023-48234
HWPSIRT-2023-22413 CVE-2023-4738
HWPSIRT-2023-74824 CVE-2023-0361
HWPSIRT-2023-68789 CVE-2022-48554
HWPSIRT-2022-62404 CVE-2021-36368
HWPSIRT-2024-62377 CVE-2023-50868
HWPSIRT-2024-51073 CVE-2023-45918
HWPSIRT-2024-42232 CVE-2024-1048
HWPSIRT-2024-56267 CVE-2024-6387
HWPSIRT-2023-11886 CVE-2023-5441
HWPSIRT-2023-56672 CVE-2023-4736
HWPSIRT-2020-05768 CVE-2020-12762
HWPSIRT-2023-57402 CVE-2023-4735
HWPSIRT-2023-00459 CVE-2023-34968
HWPSIRT-2023-68497 CVE-2023-38545
HWPSIRT-2023-35781 CVE-2023-27534
HWPSIRT-2022-56559 CVE-2022-31782
HWPSIRT-2023-48493 CVE-2023-48706
HWPSIRT-2023-38714 CVE-2023-5363
HWPSIRT-2023-63472 CVE-2023-3446
HWPSIRT-2023-75756 CVE-2023-4692
HWPSIRT-2023-97619 CVE-2023-4750
HWPSIRT-2023-39542 CVE-2023-48236
HWPSIRT-2023-13038 CVE-2023-5344
HWPSIRT-2024-89211 CVE-2024-32487
HWPSIRT-2024-30588 CVE-2024-22365
HWPSIRT-2023-71499 CVE-2023-32611
HWPSIRT-2024-07960 CVE-2023-4408
HWPSIRT-2023-92038 CVE-2023-6004
HWPSIRT-2023-54533 CVE-2023-34966
HWPSIRT-2023-35804 CVE-2023-32643
HWPSIRT-2016-17755 CVE-2016-9841
HWPSIRT-2023-65446 CVE-2023-28322
HWPSIRT-2024-45723 CVE-2024-29040
HWPSIRT-2023-74392 CVE-2022-4899
HWPSIRT-2023-27214 CVE-2023-4091
HWPSIRT-2024-04486 CVE-2024-7264
HWPSIRT-2023-16230 CVE-2023-46219
HWPSIRT-2023-07163 CVE-2021-45985
HWPSIRT-2023-95281 CVE-2023-2603
HWPSIRT-2023-33026 CVE-2023-1667
HWPSIRT-2024-63246 CVE-2024-2398
HWPSIRT-2023-70769 CVE-2023-27536
HWPSIRT-2024-32715 CVE-2024-33600
HWPSIRT-2023-30806 CVE-2023-39804
HWPSIRT-2024-81403 CVE-2024-28182
HWPSIRT-2024-20137 CVE-2024-43167
HWPSIRT-2023-20534 CVE-2023-3961
HWPSIRT-2024-62968 CVE-2024-28834
HWPSIRT-2023-19212 CVE-2022-48303
HWPSIRT-2023-31311 CVE-2023-28486
HWPSIRT-2023-82404 CVE-2023-5981
HWPSIRT-2024-65237 CVE-2023-6516
HWPSIRT-2023-46844 CVE-2023-7008
HWPSIRT-2024-24724 CVE-2023-52425
HWPSIRT-2023-13220 CVE-2023-28321
HWPSIRT-2024-68691 CVE-2024-25629
HWPSIRT-2016-17779 CVE-2016-9843
HWPSIRT-2023-58653 CVE-2023-28484
HWPSIRT-2023-28434 CVE-2023-48231
HWPSIRT-2023-93525 CVE-2022-2127
HWPSIRT-2023-68520 CVE-2023-2828
HWPSIRT-2024-40323 CVE-2024-33599
HWPSIRT-2023-70645 CVE-2023-4733
HWPSIRT-2024-51028 CVE-2023-50387
HWPSIRT-2023-50012 CVE-2023-48233
HWPSIRT-2023-48957 CVE-2023-3817
HWPSIRT-2023-36509 CVE-2023-5535
HWPSIRT-2023-81545 CVE-2023-42669
HWPSIRT-2024-88446 CVE-2023-52426
HWPSIRT-2023-24621 CVE-2023-4807
HWPSIRT-2024-29597 CVE-2023-3758
HWPSIRT-2023-48957 CVE-2023-3817
HWPSIRT-2023-99310 CVE-2023-38469
HWPSIRT-2023-87971 CVE-2023-2602
HWPSIRT-2024-88975 CVE-2024-28835
HWPSIRT-2016-17781 CVE-2016-9840
HWPSIRT-2016-17782 CVE-2016-9842
HWPSIRT-2022-66161 CVE-2022-47629
HWPSIRT-2023-97531 CVE-2023-4911
HWPSIRT-2023-42848 CVE-2023-29469
HWPSIRT-2023-78477 CVE-2023-46246
HWPSIRT-2023-80589 CVE-2023-32067
HWPSIRT-2024-76258 CVE-2024-31755
HWPSIRT-2023-18170 CVE-2023-22745
HWPSIRT-2024-78218 CVE-2023-6129
HWPSIRT-2024-36568 CVE-2024-45491
HWPSIRT-2023-68432 CVE-2023-5156
HWPSIRT-2023-32626 CVE-2023-27533
HWPSIRT-2023-73140 CVE-2023-27535
HWPSIRT-2020-21294 CVE-2019-1010023
HWPSIRT-2023-18419 CVE-2023-48235
HWPSIRT-2023-99943 CVE-2023-2609
HWPSIRT-2024-21486 CVE-2023-5679
HWPSIRT-2023-91219 CVE-2023-42465
Actual CVSS Score Vulnerability Description
Certain DNSSEC aspects of the DNS
protocol (in RFC 4033, 4034, 4035, 6840,
and related RFCs) allow remote attackers
to cause a denial of service (CPU
consumption) via one or more DNSSEC
responses, aka the "KeyTrap" issue. One
7.5
of the concerns is that, when there is a
zone with many DNSKEY and RRSIG
records, the protocol specification implies
that an algorithm must evaluate all
combinations of DNSKEY and RRSIG
records.
A flaw was found in Samba. It is
susceptible to a vulnerability where multiple
incompatible RPC listeners can be initiated,
causing disruptions in the AD DC service.
When Samba's RPC server experiences a
high load or unresponsiveness, servers
intended for non-AD DC purposes (for
example, NT4-emulation "classic DCs")
4.3
can erroneously start and compete for the
same unix domain sockets. This issue
leads to partial query responses from the
AD DC, causing issues such as "The
procedure number is out of range" when
using tools like Active Directory Users. This
flaw allows an attacker to disrupt AD DC
services.
A flaw was found in glibc. In an uncommon
situation, the gaih_inet function may use
memory that has been freed, resulting in
an application crash. This issue is only
5.9
exploitable when the getaddrinfo function is
called and the hosts database in
/etc/nsswitch.conf is configured with
SUCCESS=continue or SUCCESS=merge.
NCurse v6.4-20230418 was discovered to
6.5 contain a segmentation fault via the
component _nc_wrap_entry().
The Closest Encloser Proof aspect of the
DNS protocol (in RFC 5155 when RFC
9276 guidance is skipped) allows remote
attackers to cause a denial of service (CPU
consumption for SHA-1 computations) via
7.5 DNSSEC responses in a random
subdomain attack, aka the "NSEC3" issue.
The RFC 5155 specification implies that an
algorithm must perform thousands of
iterations of a hash function in certain
situations.
wall in util-linux through 2.40, often
installed with setgid tty permissions, allows
escape sequences to be sent to other
users' terminals through argv. (Specifically,
8.4 escape sequences received from stdin are
blocked, but escape sequences received
from argv are not blocked.) There may be
plausible scenarios where this leads to
account takeover.
Windows Libarchive Remote Code
7.3
Execution Vulnerability
**DISPUTED** A failure in the -fstack-
protector feature in GCC-based toolchains
that target AArch64 allows an attacker to
exploit an existing buffer
overflow in dynamically-sized local
variables in your application
without this being detected. This stack-
protector failure only applies
to C99-style dynamically-sized local
variables or those created using
alloca(). The stack-protector operates as
intended for statically-sized
local variables.
4.8
The default behavior when the stack-
protector
detects an overflow is to terminate your
application, resulting in
controlled loss of availability. An attacker
who can exploit a buffer
overflow without triggering the stack-
protector might be able to change
program flow control to cause an
uncontrolled loss of availability or to
go further and affect confidentiality or
integrity. NOTE: The GCC project argues
that this is a missed hardening bug and not
a vulnerability by itself.
Sudo before 1.9.13p2 has a double free in
7.2
the per-command chroot feature.
A heap-buffer-overflow flaw was found in
the cfg_mark_ports function within
Unbound's config_file.c, which can lead to
memory corruption. This issue could allow
an attacker with local access to provide
4.8
specially crafted input, potentially causing
the application to crash or allowing arbitrary
code execution. This could result in a
denial of service or unauthorized actions on
the system.
parameters may experience long delays.
Where the key or parameters that are
being checked have been obtained from
an untrusted source this may lead to a
Denial of Service.
While DH_check() performs all the
necessary checks (as of CVE-2023-3817),
DH_check_pub_key() doesn't make any of
these checks, and is therefore
vulnerable for excessively large P and Q
parameters.
Likewise, while DH_generate_key()
performs a check for an excessively large
P, it doesn't check for an excessively large
Q.
5.3
An application that calls
DH_generate_key() or
DH_check_pub_key() and
supplies a key or parameters obtained from
an untrusted source could be
vulnerable to a Denial of Service attack.
DH_generate_key() and
DH_check_pub_key() are also called by a
number of
other OpenSSL functions. An application
calling any of those other
functions may similarly be affected. The
other functions affected by this
are DH_check_pub_key_ex(),
EVP_PKEY_public_check(), and
EVP_PKEY_generate().
** RESERVED ** This candidate has been
reserved by an organization or individual
that will use it when announcing a new
9.8
security problem. When the candidate has
been publicized, the details for this
candidate will be provided.
Issue summary: Some non-default TLS
server configurations can cause
unbounded
memory growth when processing TLSv1.3
sessions
Impact summary: An attacker may exploit
certain server configurations to trigger
unbounded memory growth that would lead
to a Denial of Service
This problem can occur in TLSv1.3 if the
non-default SSL_OP_NO_TICKET option
is
being used (but not if early_data support is
also configured and the default
anti-replay protection is in use). In this
5.9
case, under certain conditions, the
session cache can get into an incorrect
state and it will fail to flush properly
as it fills. The session cache will continue to
grow in an unbounded manner. A
malicious client could deliberately create
the scenario for this failure to
force a Denial of Service. It may also
happen by accident in normal operation.
This issue only affects TLS servers
supporting TLSv1.3. It does not affect TLS
clients.
The FIPS modules in 3.2, 3.1 and 3.0 are
not affected by this issue. OpenSSL
1.0.2 is also not affected by this issue.
c-ares is an asynchronous resolver library.
When cross-compiling c-ares and using the
autotools build system,
CARES_RANDOM_FILE will not be set, as
seen when cross compiling aarch64
3.7 android. This will downgrade to using
rand() as a fallback which could allow an
attacker to take advantage of the lack of
entropy by not using a CSPRNG. This
issue was patched in version 1.19.1.
In MIT Kerberos 5 (aka krb5) before 1.21.3,
an attacker can cause invalid memory
6.5 reads during GSS message token handling
by sending message tokens with invalid
length fields.
libarchive 3.4.1 through 3.5.1 has a use-
6.5 after-free in copy_string (called from
do_uncompress_block and process_block).
function EVP_PKEY_public_check()
to check RSA public keys may experience
long delays. Where the key that
is being checked has been obtained from
an untrusted source this may lead
to a Denial of Service.
When function EVP_PKEY_public_check()
is called on RSA public keys,
a computation is done to confirm that the
RSA modulus, n, is composite.
For valid RSA keys, n is a product of two or
more large primes and this
computation completes quickly. However, if
n is an overly large prime,
then this computation would take a long
time.
5.3
An application that calls
EVP_PKEY_public_check() and supplies
an RSA key
obtained from an untrusted source could be
vulnerable to a Denial of Service
attack.
The function EVP_PKEY_public_check() is
not called from other OpenSSL
functions however it is called from the
OpenSSL pkey command line
application. For that reason that application
is also vulnerable if used
with the '-pubin' and '-check' options on
untrusted data.
A vulnerability was found in Samba's SMB2
packet signing mechanism. The SMB2
packet signing is not enforced if an admin
configured "server signing = required" or
for SMB2 connections to Domain
Controllers where SMB2 packet signing is
3.7
mandatory. This flaw allows an attacker to
perform attacks, such as a man-in-the-
middle attack, by intercepting the network
traffic and modifying the SMB2 messages
between client and server, affecting the
integrity of the data.
A vulnerability was found in GnuTLS,
where a cockpit (which uses gnuTLS)
rejects a certificate chain with distributed
trust. This issue occurs when validating a
7.5
certificate chain with cockpit-certificate-
ensure. This flaw allows an
unauthenticated, remote client or attacker
to initiate a denial of service attack.
A vulnerability was found in Avahi. A
3.5 reachable assertion exists in the
avahi_escape_label() function.
A flaw was found in the util-linux chfn and
chsh utilities when compiled with Readline
support. The Readline library uses an
"INPUTRC" environment variable to get a
path to the library config file. When the
library cannot parse the specified file, it
5.5
prints an error message containing data
from the file. This flaw allows an
unprivileged user to read root-owned files,
potentially leading to privilege escalation.
This flaw affects util-linux versions prior to
2.37.4.
libexpat through 2.6.1 allows an XML Entity
Expansion attack when there is isolated
7.5
use of external parsers (created via
XML_ExternalEntityParserCreate).
libxml2 through 2.11.5 has a use-after-free
that can only occur after a certain memory
allocation fails. This occurs in
xmlUnlinkNode in tree.c. NOTE: the
6.5
vendor's position is "I don't think these
issues are critical enough to warrant a CVE
ID ... because an attacker typically can't
control when memory allocations fail."
A flaw was found in libssh, which implements
an abstract layer for message digest (MD)
operations implemented by different
supported crypto backends. The return
values from these were not properly
checked, which could cause, in low-memory
3.7
situations, failures, NULL dereferences,
crashes, or usage of the uninitialized
memory as an input for the KDF. In this
case, non-matching keys will result in
decryption/integrity failures, terminating the
connection.
disabled, aka a Terrapin attack. This
occurs because the SSH Binary Packet
Protocol (BPP), implemented by these
extensions, mishandles the handshake
phase and mishandles use of sequence
numbers. For example, there is an effective
attack against SSH's use of ChaCha20-
Poly1305 (and CBC with Encrypt-then-
MAC). The bypass occurs in chacha20-
poly1305@openssh.com and (if CBC is
used) the
-etm@openssh.com MAC
algorithms. This also affects Maverick
Synergy Java SSH API before 3.1.0-
SNAPSHOT, Dropbear through 2022.83,
Ssh before 5.1.1 in Erlang/OTP, PuTTY
before 0.80, AsyncSSH before 2.14.2,
golang.org/x/crypto before 0.17.0, libssh
5.9
before 0.10.6, libssh2 through 1.11.0,
Thorn Tech SFTP Gateway before 3.4.6,
Tera Term before 5.1, Paramiko before
3.4.0, jsch before 0.2.15, SFTPGo before
2.5.6, Netgate pfSense Plus through
23.09.1, Netgate pfSense CE through
2.7.2, HPN-SSH through 18.2.0, ProFTPD
before 1.3.8b (and before 1.3.9rc2), ORYX
CycloneSSH before 2.3.4, NetSarang
XShell 7 before Build 0144, CrushFTP
before 10.6.0, ConnectBot SSH library
before 2.2.22, Apache MINA sshd through
2.11.0, sshj through 0.37.0, TinySSH
through 20230101, trilead-ssh2 6401,
LANCOM LCOS and LANconfig, FileZilla
before 3.66.4, Nova before 11.8, PKIX-
SSH before 14.4, SecureCRT before 9.4.3,
A vulnerability was found in Avahi. A
3.5 reachable assertion exists in the
dbus_set_host_name function.
to crash leading to a potential Denial of
Service attack
Impact summary: Applications loading files
in the PKCS12 format from untrusted
sources might terminate abruptly.
A file in PKCS12 format can contain
certificates and keys and may come from
an
untrusted source. The PKCS12
specification allows certain fields to be
NULL, but
OpenSSL does not correctly check for this
case. This can lead to a NULL pointer
dereference that results in OpenSSL
crashing. If an application processes
3.3 PKCS12
files from an untrusted source using the
OpenSSL APIs then that application will
be vulnerable to this issue.
OpenSSL APIs that are vulnerable to this
are: PKCS12_parse(),
PKCS12_unpack_p7data(),
PKCS12_unpack_p7encdata(),
PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in
SMIME_write_PKCS7(). However since
this
function is related to writing data we do not
consider it security significant.
c-ares is an asynchronous resolver library.
When /dev/urandom or RtlGenRandom()
are unavailable, c-ares uses rand() to
generate random numbers used for DNS
query ids. This is not a CSPRNG, and it is
also not seeded by srand() so will generate
predictable output. Input from the random
5.9
number generator is fed into a non-
compliant RC4 implementation and may
not be as strong as the original RC4
implementation. No attempt is made to look
for modern OS-provided CSPRNGs like
arc4random() that is widely available. This
issue has been fixed in version 1.19.1.
not save the contents of non-volatile XMM
registers on Windows 64 platform
when calculating the MAC of data larger
than 64 bytes. Before returning to
the caller all the XMM registers are set to
zero rather than restoring their
previous content. The vulnerable code is
used only on newer x86_64 processors
supporting the AVX512-IFMA instructions.
The consequences of this kind of internal
application state corruption can
be various - from no consequences, if the
calling application does not
depend on the contents of non-volatile
XMM registers at all, to the worst
consequences, where the attacker could
7.8
get complete control of the application
process. However given the contents of the
registers are just zeroized so
the attacker cannot put arbitrary values
inside, the most likely consequence,
if any, would be an incorrect result of some
application dependent
calculations or a crash leading to a denial
of service.
The POLY1305 MAC algorithm is most
frequently used as part of the
CHACHA20-POLY1305 AEAD
(authenticated encryption with associated
data)
algorithm. The most common usage of this
AEAD cipher is with TLS protocol
sysstat is a set of system performance
tools for the Linux operating system. On 32
bit systems, in versions 9.1.16 and newer
but prior to 12.7.1, allocate_structures
contains a size_t overflow in sa_common.c.
The allocate_structures function
7.8 insufficiently checks bounds before
arithmetic multiplication, allowing for an
overflow in the size allocated for the buffer
representing system activities. This issue
may lead to Remote Code Execution
(RCE). This issue has been patched in
version 12.7.1.
Use After Free in GitHub repository vim/vim
7.8
prior to 9.0.1858.
libexpat through 2.5.0 allows recursive
5.5 XML Entity Expansion if XML_DTD is
undefined at compile time.
A flaw was found in glibc. In an extremely
rare situation, the getaddrinfo function may
access memory that has been freed,
resulting in an application crash. This issue
is only exploitable when a NSS module
implements only the
_nss_*_gethostbyname2_r and
_nss_*_getcanonname_r hooks without
5.9
implementing the
_nss_*_gethostbyname3_r hook. The
resolved name should return a large
number of IPv6 and IPv4, and the call to
the getaddrinfo function should have the
AF_INET6 address family with
AI_CANONNAME, AI_ALL and
AI_V4MAPPED as flags.
An authentication bypass vulnerability
exists in libcurl prior to v8.0.0 where it
reuses a previously established SSH
connection despite the fact that an SSH
option was modified, which should have
prevented reuse. libcurl maintains a pool of
5.5 previously used connections to reuse them
for subsequent transfers if the
configurations match. However, two SSH
settings were omitted from the
configuration check, allowing them to
match easily, potentially leading to the
reuse of an inappropriate connection.
A vulnerability was found in GnuTLS. The
response times to malformed ciphertexts in
RSA-PSK ClientKeyExchange differ from
the response times of ciphertexts with
correct PKCS#1 v1.5 padding. This issue
7.5 may allow a remote attacker to perform a
timing side-channel attack in the RSA-PSK
key exchange, potentially leading to the
leakage of sensitive data. CVE-2024-0553
is designated as an incomplete resolution
for CVE-2023-5981.
Sudo before 1.9.13 does not escape
5.3
control characters in sudoreplay output.
A vulnerability was found in libndp. This
flaw allows a local malicious user to cause
a buffer overflow in NetworkManager,
7.4 triggered by sending a malformed IPv6
router advertisement packet. This issue
occurred as libndp was not correctly
validating the route length information.
The HTTP/2 protocol allows a denial of
service (server resource consumption)
7.5 because request cancellation can reset
many streams quickly, as exploited in the
wild in August through October 2023.
Heap-based Buffer Overflow in GitHub
7.8
repository vim/vim prior to 9.0.1873.
Vim is an open source command line text
editor. double-free in dialog_changed() in
Vim < v9.1.0648. When abandoning a
buffer, Vim may ask the user what to do
with the modified buffer. If the user wants
the changed buffer to be saved, Vim may
create a new Untitled file, if the buffer did
4.2
not have a name yet. However, when
setting the buffer name to Unnamed, Vim
will falsely free a pointer twice, leading to a
double-free and possibly later to a heap-
use-after-free, which can lead to a crash.
The issue has been fixed as of Vim patch
v9.1.0648.
close_altfile in filename.c in less before 606
7.8
omits shell_quote calls for LESSCLOSE.
If a server hosts a zone containing a "KEY"
Resource Record, or a resolver DNSSEC-
validates a "KEY" Resource Record from a
DNSSEC-signed domain in cache, a client
can exhaust resolver CPU resources by
sending a stream of SIG(0) signed
7.5 requests.
This issue affects BIND 9 versions 9.0.0
through 9.11.37, 9.16.0 through 9.16.50,
9.18.0 through 9.18.27, 9.19.0 through
9.19.24, 9.9.3-S1 through 9.11.37-S1,
9.16.8-S1 through 9.16.49-S1, and
9.18.11-S1 through 9.18.27-S1.
Client queries that trigger serving stale data
and that also require lookups in local
authoritative zone data may result in an
assertion failure.
7.5 This issue affects BIND 9 versions 9.16.13
through 9.16.50, 9.18.0 through 9.18.27,
9.19.0 through 9.19.24, 9.11.33-S1 through
9.11.37-S1, 9.16.13-S1 through 9.16.50-
S1, and 9.18.11-S1 through 9.18.27-S1.
D-Bus before 1.15.6 sometimes allows
unprivileged users to crash dbus-daemon.
If a privileged user with control over the
dbus-daemon is using the
org.freedesktop.DBus.Monitoring interface
to monitor message bus traffic, then an
unprivileged user with the ability to connect
4.7
to the same dbus-daemon can cause a
dbus-daemon crash under some
circumstances via an unreplyable
message. When done on the well-known
system bus, this is a denial-of-service
vulnerability. The fixed versions are
1.12.28, 1.14.8, and 1.15.6.
A vulnerability was found in Avahi. A
3.5 reachable assertion exists in the
avahi_rdata_parse() function.
The code that processes control channel
messages sent to `named` calls certain
functions recursively during packet parsing.
Recursion depth is only limited by the
maximum accepted packet size; depending
on the environment, this may cause the
packet-parsing code to run out of available
stack memory, causing `named` to
terminate unexpectedly. Since each
incoming control channel message is fully
7.5 parsed before its contents are
authenticated, exploiting this flaw does not
require the attacker to hold a valid RNDC
key; only network access to the control
channel's configured TCP port is
necessary.
This issue affects BIND 9 versions 9.2.0
through 9.16.43, 9.18.0 through 9.18.18,
9.19.0 through 9.19.16, 9.9.3-S1 through
9.16.43-S1, and 9.18.0-S1 through
9.18.18-S1.
libuv is a multi-platform support library with
a focus on asynchronous I/O. The
`uv_getaddrinfo` function in
`src/unix/getaddrinfo.c` (and its windows
counterpart `src/win/getaddrinfo.c`),
truncates hostnames to 256 characters
before calling `getaddrinfo`. This behavior
can be exploited to create addresses like
`0x00007f000001`, which are considered
valid by `getaddrinfo` and could allow an
attacker to craft payloads that resolve to
unintended IP addresses, bypassing
developer checks. The vulnerability arises
due to how the `hostname_ascii` variable
(with a length of 256 bytes) is handled in
9.8
`uv_getaddrinfo` and subsequently in
`uv__idna_toascii`. When the hostname
exceeds 256 characters, it gets truncated
without a terminating null byte. As a result,
attackers may be able to access internal
APIs, or target websites (similar to MySpace)
that allow users to have
`username.example.com` pages. Internal
services that crawl or cache these user
pages can be exposed to SSRF attacks if a
malicious user chooses a long vulnerable
username. This issue has been addressed
in release version 1.48.0. Users are
advised to upgrade. There are no known
workarounds for this vulnerability.
This flaw allows a malicious HTTP server
to set "super cookies" in curl that
are then passed back to more origins than
what is otherwise allowed or
possible. This allows a site to set cookies
that then would get sent to
different and unrelated sites and domains.
It could do this by exploiting a mixed case
3.1
flaw in curl's function that
verifies a given cookie domain against the
Public Suffix List (PSL). For
example a cookie could be set with
`domain=co.UK` when the URL used a
lower
case hostname `curl.co.uk`, even though
`co.uk` is listed as a PSL domain.
it to ignore empty associated data entries
which are unauthenticated as
a consequence.
Impact summary: Applications that use the
AES-SIV algorithm and want to
authenticate empty data entries as
associated data can be misled by
removing, adding or reordering such empty entries as
these are ignored by the OpenSSL
implementation. We are currently unaware
of any such applications.
The AES-SIV algorithm allows for
authentication of multiple associated
data entries along with the encryption. To
5.3
authenticate empty data the
application has to call
EVP_EncryptUpdate() (or
EVP_CipherUpdate()) with
NULL pointer as the output buffer and 0 as
the input buffer length.
The AES-SIV implementation in OpenSSL
just returns success for such a call
instead of performing the associated data
authentication operation.
The empty data thus will not be
authenticated.
As this issue does not affect non-empty
associated data authentication and
we expect it to be rare for an application to
use empty associated data
The PKCS#11 feature in ssh-agent in
OpenSSH before 9.3p2 has an
insufficiently trustworthy search path,
leading to remote code execution if an
9.8 agent is forwarded to an attacker-controlled
system. (Code in /usr/lib is not necessarily
safe for loading into ssh-agent.) NOTE: this
issue exists because of an incomplete fix
for CVE-2016-10009.
An issue was discovered in libexpat before
2.6.3. nextScaffoldPart in xmlparse.c can
9.8 have an integer overflow for m_groupSize
on 32-bit platforms (where UINT_MAX
equals SIZE_MAX).
Integer overflow vulnerability in pcre2test
before 10.41 allows attackers to cause a
7.5
denial of service or other unspecified
impacts via negative input.
In ssh in OpenSSH before 9.6, OS
command injection might occur if a user
name or host name has shell
metacharacters, and this name is
8.8 referenced by an expansion token in
certain situations. For example, an
untrusted Git repository can have a
submodule with shell metacharacters in a
user name or host name.
Under some circumstances, this weakness
allows a user who has access to run the
5.5 "ps" utility on a machine to write
almost unlimited amounts of unfiltered data
into the process heap.
A heap out-of-bounds read flaw was found
in builtin.c in the gawk package. This issue
3.3
may lead to a crash and could be used to
read sensitive information.
c-ares is an asynchronous resolver library.
ares_inet_net_pton() is vulnerable to a
buffer underflow for certain ipv6 addresses,
in particular "0::00:00:00/2" was found to
cause an issue. C-ares only uses this
function internally for configuration
purposes which would require an
4.1
administrator to configure such an address
via ares_set_sortlist(). However, users may
externally use ares_inet_net_pton() for
other purposes and thus be vulnerable to
more severe issues. This issue has been
fixed in 1.19.1.
ncurses before 6.4 20230408, when used
by a setuid application, allows local users
to trigger security-relevant memory
corruption via malformed data in a terminfo
7.8
database file that is found in
$HOME/.terminfo or reached via the
TERMINFO or TERM environment
variable.
The iconv() function in the GNU C Library
versions 2.39 and older may overflow the
output buffer passed to it by up to 4 bytes
when converting strings to the ISO-2022-
8.2
CN-EXT character set, which may be used
to crash an application or overwrite a
neighbouring variable.
libexpat through 2.6.1 allows an XML Entity
Expansion attack when there is isolated
7.5
use of external parsers (created via
XML_ExternalEntityParserCreate).
A vulnerability was found in Unbound due
to incorrect default permissions, allowing
any process outside the unbound group to
modify the unbound runtime configuration.
If a process can connect over localhost to
port 8953, it can alter the configuration of
8.0 unbound.service. This flaw allows an
unprivileged attacker to manipulate a
running instance, potentially altering
forwarders, allowing them to track all
queries forwarded by the local resolver,
and, in some cases, disrupting resolving
altogether.
A vulnerability was found in Avahi. A
3.5 reachable assertion exists in the
avahi_alternative_host_name() function.
Integer Overflow or Wraparound in GitHub
7.8
repository vim/vim prior to 9.0.1846.
A flaw was found in glib, where the gvariant
deserialization code is vulnerable to a
denial of service introduced by additional
input validation added to resolve CVE-
2023-29499. The offset table validation
7.5
may be very slow. This bug does not affect
any released version of glib but does affect
glib distributors who followed the guidance
of glib developers to backport the initial fix
for CVE-2023-29499.
Certain DNSSEC aspects of the DNS
protocol (in RFC 4033, 4034, 4035, 6840,
and related RFCs) allow remote attackers
to cause a denial of service (CPU
consumption) via one or more DNSSEC
responses, aka the "KeyTrap" issue. One
7.5
of the concerns is that, when there is a
zone with many DNSKEY and RRSIG
records, the protocol specification implies
that an algorithm must evaluate all
combinations of DNSKEY and RRSIG
records.
A Type Confusion vulnerability was found
in Samba's mdssvc RPC service for
Spotlight. When parsing Spotlight mdssvc
RPC packets, one encoded data structure
is a key-value style dictionary where the
keys are character strings, and the values
can be any of the supported types in the
mdssvc protocol. Due to a lack of type
checking in callers of the
dalloc_value_for_key() function, which
5.3
returns the object associated with a key, a
caller may trigger a crash in
talloc_get_size() when talloc detects that
the passed-in pointer is not a valid talloc
pointer. With an RPC worker process
shared among multiple client connections,
a malicious client or attacker can trigger a
process crash in a shared RPC mdssvc
worker process, affecting all other clients
this worker serves.
Resolver caches and authoritative zone
databases that hold significant numbers of
RRs for the same hostname (of any
RTYPE) can suffer from degraded
performance as content is being added or
updated, and also when handling client
7.5 queries for this name.
This issue affects BIND 9 versions 9.11.0
through 9.11.37, 9.16.0 through 9.16.50,
9.18.0 through 9.18.27, 9.19.0 through
9.19.24, 9.11.4-S1 through 9.11.37-S1,
9.16.8-S1 through 9.16.50-S1, and
9.18.11-S1 through 9.18.27-S1.
An issue was discovered in libxml2 before
2.11.7 and 2.12.x before 2.12.5. When
using the XML Reader interface with DTD
7.5 validation and XInclude expansion enabled,
processing crafted XML documents can
lead to an xmlValidatePopElement use-
after-free.
nscd: netgroup cache assumes NSS
callback uses in-buffer strings
The Name Service Cache Daemon's (nscd)
netgroup cache can corrupt memory
when the NSS callback does not store all
4.0 strings in the provided buffer.
The flaw was introduced in glibc 2.15 when
the cache was added to nscd.
This vulnerability is only present in the nscd
binary.
A vulnerability was found in libssh, where
the authentication check of the connecting
client can be bypassed in
the `pki_verify_data_signature` function under
memory allocation problems. This issue
may happen if there is insufficient memory
or the memory usage is limited. The
problem is caused by the return value `rc,`
4.8
which is initialized to SSH_ERROR and
later rewritten to save the return value of
the function call
`pki_key_check_hash_compatible.` The
value of the variable is not changed
between this point and the cryptographic
verification. Therefore any error between
them calls `goto error` returning SSH_OK.
A race condition vulnerability was
discovered in how signals are handled by
OpenSSH's server (sshd). If a remote
attacker does not authenticate within a set
time period, then sshd's SIGALRM handler
is called asynchronously. However, this
7.0 signal handler calls various functions that
are not async-signal-safe, for example,
syslog(). As a consequence of a successful
attack, in the worst case scenario, an
attacker may be able to perform a remote
code execution (RCE) as an unprivileged
user running the sshd server.
libexpat through 2.5.0 allows a denial of
service (resource consumption) because
7.5 many full reparsings are required in the
case of a large token for which multiple
buffer fills are needed.
The UNIX editor Vim prior to version
9.1.0678 has a use-after-free error in
argument list handling. When adding a new
file to the argument list, this triggers `Buf*`
autocommands. If in such an
autocommand the buffer that was just
opened is closed (including the window
where it is shown), this causes the window
structure to be freed which contains a
reference to the argument list that we are
4.5 actually modifying. Once the
autocommands are completed, the
references to the window and argument list
are no longer valid and as such cause a
use-after-free. Impact is low since the user
must either intentionally add some unusual
autocommands that wipe a buffer during
creation (either manually or by sourcing a
malicious plugin), but it will crash Vim. The
issue has been fixed as of Vim patch
v9.1.0678.
The Closest Encloser Proof aspect of the
DNS protocol (in RFC 5155 when RFC
9276 guidance is skipped) allows remote
attackers to cause a denial of service (CPU
consumption for SHA-1 computations) via
7.5 DNSSEC responses in a random
subdomain attack, aka the "NSEC3" issue.
The RFC 5155 specification implies that an
algorithm must perform thousands of
iterations of a hash function in certain
situations.
delays. Where the key or parameters that
are being checked have been obtained
from an untrusted source this may lead to a
Denial of Service.
The function DH_check() performs various
checks on DH parameters. One of those
checks confirms that the modulus ('p'
parameter) is not too large. Trying to use
a very large modulus is slow and OpenSSL
will not normally use a modulus which
is over 10,000 bits in length.
However the DH_check() function checks
numerous aspects of the key or
parameters
that have been supplied. Some of those
5.3
checks use the supplied modulus value
even if it has already been found to be too
large.
An application that calls DH_check() and
supplies a key or parameters obtained
from an untrusted source could be
vulnerable to a Denial of Service attack.
The function DH_check() is itself called by
a number of other OpenSSL functions.
An application calling any of those other
functions may similarly be affected.
The other functions affected by this are
DH_check_ex() and
EVP_PKEY_param_check().
disabled, aka a Terrapin attack. This
occurs because the SSH Binary Packet
Protocol (BPP), implemented by these
extensions, mishandles the handshake
phase and mishandles use of sequence
numbers. For example, there is an effective
attack against SSH's use of ChaCha20-
Poly1305 (and CBC with Encrypt-then-
MAC). The bypass occurs in
chacha20-poly1305@openssh.com and (if CBC is
used) the -etm@openssh.com MAC
algorithms. This also affects Maverick
Synergy Java SSH API before 3.1.0-
SNAPSHOT, Dropbear through 2022.83,
Ssh before 5.1.1 in Erlang/OTP, PuTTY
before 0.80, AsyncSSH before 2.14.2,
golang.org/x/crypto before 0.17.0, libssh
5.9
before 0.10.6, libssh2 through 1.11.0,
Thorn Tech SFTP Gateway before 3.4.6,
Tera Term before 5.1, Paramiko before
3.4.0, jsch before 0.2.15, SFTPGo before
2.5.6, Netgate pfSense Plus through
23.09.1, Netgate pfSense CE through
2.7.2, HPN-SSH through 18.2.0, ProFTPD
before 1.3.8b (and before 1.3.9rc2), ORYX
CycloneSSH before 2.3.4, NetSarang
XShell 7 before Build 0144, CrushFTP
before 10.6.0, ConnectBot SSH library
before 2.2.22, Apache MINA sshd through
2.11.0, sshj through 0.37.0, TinySSH
through 20230101, trilead-ssh2 6401,
LANCOM LCOS and LANconfig, FileZilla
before 3.66.4, Nova before 11.8, PKIX-
SSH before 14.4, SecureCRT before 9.4.3,
A flaw was found in GLib. GVariant
deserialization is vulnerable to an
5.5 exponential blowup issue where a crafted
GVariant can cause excessive processing,
leading to denial of service.
Vim is an open source command line text
editor. Vim < v9.1.0647 has double free in
src/alloc.c:616. When closing a window,
the corresponding tagstack data will be
cleared and freed. However a bit later, the
quickfix list belonging to that window will
also be cleared and if that quickfix list
5.3 points to the same tagstack data, Vim will
try to free it again, resulting in a double-
free/use-after-free access exception.
Impact is low since the user must
intentionally execute vim with several non-
default flags,
but it may cause a crash of Vim. The issue
has been fixed as of Vim patch v9.1.0647
to crash leading to a potential Denial of
Service attack
Impact summary: Applications loading files
in the PKCS12 format from untrusted
sources might terminate abruptly.
A file in PKCS12 format can contain
certificates and keys and may come from
an
untrusted source. The PKCS12
specification allows certain fields to be
NULL, but
OpenSSL does not correctly check for this
case. This can lead to a NULL pointer
dereference that results in OpenSSL
crashing. If an application processes
5.5 PKCS12
files from an untrusted source using the
OpenSSL APIs then that application will
be vulnerable to this issue.
OpenSSL APIs that are vulnerable to this
are: PKCS12_parse(),
PKCS12_unpack_p7data(),
PKCS12_unpack_p7encdata(),
PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in
SMIME_write_PKCS7(). However since
this
function is related to writing data we do not
consider it security significant.
An out-of-bounds read flaw was found in
grub2's NTFS filesystem driver. This issue
may allow a physically present attacker to
present a specially crafted NTFS file
5.3 system image to read arbitrary memory
locations. A successful attack allows
sensitive data cached in memory or EFI
variable values to be leaked, presenting a
high Confidentiality risk.
A flaw in query-handling code can cause
`named` to exit prematurely with an
assertion failure when:
- `nxdomain-redirect <domain>;` is
configured, and
- the resolver receives a PTR query for an
7.5 RFC 1918 address that would normally
result in an authoritative NXDOMAIN
response.
This issue affects BIND 9 versions 9.12.0
through 9.16.45, 9.18.0 through 9.18.21,
9.19.0 through 9.19.19, 9.16.8-S1 through
9.16.45-S1, and 9.18.11-S1 through
9.18.21-S1.
A flaw was found in GLib. GVariant
deserialization fails to validate that the
7.5
input conforms to the expected format,
leading to denial of service.
A vulnerability was found in SQLite
SQLite3 up to 3.43.0 and classified as
critical. This issue affects the function
sessionReadRecord of the file
ext/session/sqlite3session.c of the
7.3 component make alltest Handler. The
manipulation leads to heap-based buffer
overflow. It is recommended to apply a
patch to fix this issue. The associated
identifier of this vulnerability is VDB-
248999.
list that also appears in the
client list. In the case of no overlap
between the two lists it returns the
first item in the client list. In either case it
will signal whether an overlap
between the two lists was found. In the
case where SSL_select_next_proto is
called with a zero length client list it fails to
notice this condition and
returns the memory immediately following
the client list pointer (and reports
that there was no overlap in the lists).
This function is typically called from a
server side application callback for
ALPN or a client side application callback
for NPN. In the case of ALPN the list
5.9
of protocols supplied by the client is
guaranteed by libssl to never be zero in
length. The list of server protocols comes
from the application and should never
normally be expected to be of zero length.
In this case if the
SSL_select_next_proto function has been
called as expected (with the list
supplied by the client passed in the
client/client_len parameters), then the
application will not be vulnerable to this
issue. If the application has
accidentally been configured with a zero
length server list, and has
accidentally passed that zero length server
list in the client/client_len
parameters, and has additionally failed to
nscd: netgroup cache may terminate
daemon on memory allocation failure
The Name Service Cache Daemon's (nscd)
netgroup cache uses xmalloc or
xrealloc and these functions may terminate
the process due to a memory
6.2 allocation failure resulting in a denial of
service to the clients. The
flaw was introduced in glibc 2.15 when the
cache was added to nscd.
This vulnerability is only present in the nscd
binary.
Use of Out-of-range Pointer Offset in
5.5 GitHub repository vim/vim prior to
9.0.1499.
Vim is an open source command line text
editor. In affected versions when shifting
lines in operator pending mode and using a
very large value, it may be possible to
overflow an integer. Impact is low,
user interaction is required and a crash
4.3
may not even happen in all situations. This
issue has been addressed in commit
`6bf131888` which has been included in
version 9.0.2112. Users are advised to
upgrade. There are no known workarounds
for this vulnerability.
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos
5 (aka krb5) before 1.20.2 and 1.21.x
before 1.21.1 frees an uninitialized pointer.
A remote authenticated user can trigger a
6.5
kadmind crash. This occurs because
_xdr_kadm5_principal_ent_rec does not
validate the relationship between
n_key_data and the key_data array count.
A design flaw was found in Samba's
DirSync control implementation, which
exposes passwords and secrets in Active
Directory to privileged users and Read-
Only Domain Controllers (RODCs). This
flaw allows RODCs and users possessing
the GET_CHANGES right to access all
attributes, including sensitive secrets and
passwords. Even in a default setup, RODC
7.5 DC accounts, which should only replicate
some passwords, can gain access to all
domain secrets, including the vital krbtgt,
effectively eliminating the RODC / DC
distinction. Furthermore, the vulnerability
fails to account for error conditions (fail
open), like out-of-memory situations,
potentially granting access to secret
attributes, even under low-privileged
attacker influence.
sysstat through 12.7.2 allows a
multiplication integer overflow in
7.8 check_overflow in common.c. NOTE: this
issue exists because of an incomplete fix
for CVE-2022-39377.
The parse_object function calls the
parse_string function to perform a read
operation without checking whether
input_buffer->offset is less than
0.0
input_buffer->length. If input_buffer->offset
is not less than input_buffer->length,
one extra byte is read out of bounds, which
may affect availability.
MiniZip in zlib through 1.3 has an integer
overflow and resultant heap-based buffer
overflow in zipOpenNewFileInZip4_64 via a
long filename, comment, or extra field.
NOTE: MiniZip is not a supported part of
9.8
the zlib product. NOTE: pyminizip through
0.2.6 is also vulnerable because it bundles
an affected zlib version, and exposes the
applicable MiniZip code through its
compress API.
A vulnerability was found in the avahi
library. This flaw allows an unprivileged
5.5
user to make a dbus call, causing the avahi
daemon to crash.
Heap-based Buffer Overflow in GitHub
7.8
repository vim/vim prior to 9.0.1331.
An issue was discovered in GNOME GLib
before 2.78.5, and 2.79.x and 2.80.x before
2.80.1. When a GDBus-based client
subscribes to signals from a trusted system
service such as NetworkManager on a
shared computer, other users of the same
3.8
computer can send spoofed D-Bus signals
that the GDBus-based client will wrongly
interpret as having been sent by the trusted
system service. This could lead to the
GDBus-based client behaving incorrectly,
with an application-dependent impact.
This flaw allows an attacker to insert
cookies at will into a running program
using libcurl, if the specific series of
conditions are met.
libcurl performs transfers. In its API, an
application creates "easy handles"
that are the individual handles for single
transfers.
libcurl provides a function call that
duplicates an easy handle called
[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).
If a transfer has cookies enabled when the
handle is duplicated, the
4.5 cookie-enable state is also cloned - but
without cloning the actual
cookies. If the source handle did not read
any cookies from a specific file on
disk, the cloned version of the handle
would instead store the file name as
`none` (using the four ASCII letters, no
quotes).
Subsequent use of the cloned handle that
does not explicitly set a source to
load cookies from would then inadvertently
load cookies from a file named
`none` - if such a file exists and is readable
in the current directory of the
program using libcurl. And if using the
correct file format of course.
Integer Overflow or Wraparound in GitHub
7.8
repository vim/vim prior to 9.0.1532.
An information leak vulnerability was
discovered in Samba's LDAP server. Due
to missing access control checks, an
0.0 authenticated but unprivileged attacker
could discover the names and preserved
attributes of deleted objects in the LDAP
store.
An issue was discovered in libexpat before
9.8 2.6.3. xmlparse.c does not reject a
negative length for XML_ParseBuffer.
Envoy is a cloud-native high-performance
edge/middle/service proxy. Envoy's
HTTP/2 codec may leak a header map and
bookkeeping structures upon receiving
`RST_STREAM` immediately followed by
the `GOAWAY` frames from an upstream
server. In nghttp2, cleanup of pending
requests due to receipt of the `GOAWAY`
frame skips de-allocation of the
7.5 bookkeeping structure and pending
compressed header. The error return [code
path] is taken if connection is already
marked for not sending more requests due
to `GOAWAY` frame. The clean-up code is
right after the return statement, causing
memory leak. Denial of service through
memory exhaustion. This vulnerability was
patched in version(s) 1.26.3, 1.25.8,
1.24.9, 1.23.11.
periods.
When one of the sub-identifiers in the
OBJECT IDENTIFIER is very large
(these are sizes that are seen as absurdly
large, taking up tens or hundreds
of KiBs), the translation to a decimal
number in text may take a very long
time. The time complexity is O(n^2) with 'n'
being the size of the
sub-identifiers in bytes (*).
With OpenSSL 3.0, support to fetch
cryptographic algorithms using names /
identifiers in string form was introduced.
This includes using OBJECT
IDENTIFIERs in canonical numeric text
6.5 form as identifiers for fetching
algorithms.
Such OBJECT IDENTIFIERs may be
received through the ASN.1 structure
AlgorithmIdentifier, which is commonly
used in multiple protocols to specify
what cryptographic algorithm should be
used to sign or verify, encrypt or
decrypt, or digest passed data.
Applications that call OBJ_obj2txt() directly
with untrusted data are
affected, with any version of OpenSSL. If
the use is for the mere purpose
of display, the severity is considered low.
In OpenSSL 3.0 and newer, this affects the
parameters may experience long delays.
Where the key or parameters that are
being checked have been obtained from
an untrusted source this may lead to a
Denial of Service.
While DH_check() performs all the
necessary checks (as of CVE-2023-3817),
DH_check_pub_key() doesn't make any of
these checks, and is therefore
vulnerable for excessively large P and Q
parameters.
Likewise, while DH_generate_key()
performs a check for an excessively large
P, it doesn't check for an excessively large
Q.
5.3
An application that calls
DH_generate_key() or
DH_check_pub_key() and
supplies a key or parameters obtained from
an untrusted source could be
vulnerable to a Denial of Service attack.
DH_generate_key() and
DH_check_pub_key() are also called by a
number of
other OpenSSL functions. An application
calling any of those other
functions may similarly be affected. The
other functions affected by this
are DH_check_pub_key_ex(),
EVP_PKEY_public_check(), and
EVP_PKEY_generate().
** RESERVED ** This candidate has been
reserved by an organization or individual
that will use it when announcing a new
8.1
security problem. When the candidate has
been publicized, the details for this
candidate will be provided.
If the `recursive-clients` quota is reached
on a BIND 9 resolver configured with both
`stale-answer-enable yes;` and `stale-
answer-client-timeout 0;`, a sequence of
serve-stale-related lookups could cause
7.5 `named` to loop and terminate
unexpectedly due to a stack overflow.
This issue affects BIND 9 versions 9.16.33
through 9.16.41, 9.18.7 through 9.18.15,
9.16.33-S1 through 9.16.41-S1, and
9.18.11-S1 through 9.18.15-S1.
experience long delays. Where the key or
parameters that are being checked
have been obtained from an untrusted
source this may lead to a Denial of
Service.
The functions EVP_PKEY_param_check()
or EVP_PKEY_public_check() perform
various checks on DSA parameters. Some
of those computations take a long time
if the modulus (`p` parameter) is too large.
Trying to use a very large modulus is slow
and OpenSSL will not allow using
public keys with a modulus which is over
10,000 bits in length for signature
verification. However the key and
5.3
parameter check functions do not limit
the modulus size when performing the
checks.
An application that calls
EVP_PKEY_param_check() or
EVP_PKEY_public_check()
and supplies a key or parameters obtained
from an untrusted source could be
vulnerable to a Denial of Service attack.
These functions are not called by OpenSSL
itself on untrusted DSA keys so
only applications that directly call these
functions may be vulnerable.
Also vulnerable are the OpenSSL pkey and
A vulnerability was found in GNU C Library
2.38. It has been declared as critical. This
vulnerability affects the function
__monstartup of the file gmon.c of the
component Call Graph Monitor. The
manipulation leads to buffer overflow. It is
recommended to apply a patch to fix this
issue. VDB-220246 is the identifier
9.8 assigned to this vulnerability. NOTE: The
real existence of this vulnerability is still
doubted at the moment. The inputs that
induce this vulnerability are basically
addresses of the running application that is
built with gmon enabled. It's basically
trusted input or input that needs an actual
security flaw to be compromised or
controlled.
Issue summary: Some non-default TLS
server configurations can cause
unbounded
memory growth when processing TLSv1.3
sessions
Impact summary: An attacker may exploit
certain server configurations to trigger
unbounded memory growth that would lead
to a Denial of Service
This problem can occur in TLSv1.3 if the
non-default SSL_OP_NO_TICKET option
is
being used (but not if early_data support is
also configured and the default
anti-replay protection is in use). In this
5.9
case, under certain conditions, the
session cache can get into an incorrect
state and it will fail to flush properly
as it fills. The session cache will continue to
grow in an unbounded manner. A
malicious client could deliberately create
the scenario for this failure to
force a Denial of Service. It may also
happen by accident in normal operation.
This issue only affects TLS servers
supporting TLSv1.3. It does not affect TLS
clients.
The FIPS modules in 3.2, 3.1 and 3.0 are
not affected by this issue. OpenSSL
1.0.2 is also not affected by this issue.
In MIT Kerberos 5 (aka krb5) before 1.21.3,
an attacker can modify the plaintext Extra
7.4 Count field of a confidential GSS krb5 wrap
token, causing the unwrapped token to
appear truncated to the application.
An issue was discovered in xmllint (from
libxml2) before 2.11.8 and 2.12.x before
2.12.7. Formatting error messages with
3.3
xmllint --htmlout can result in a buffer over-
read in xmlHTMLPrintFileContext in
xmllint.c.
Vim is an open source command line text
editor. When getting the count for a normal
mode z command, it may overflow for large
counts given. Impact is low, user
interaction is required and a crash may not
4.3 even happen in all situations. This issue
has been addressed in commit
`58f9befca1` which has been included in
release version 9.0.2109. Users are
advised to upgrade. There are no known
workarounds for this vulnerability.
Heap-based Buffer Overflow in GitHub
7.8
repository vim/vim prior to 9.0.1848.
A timing side-channel in the handling of
RSA ClientKeyExchange messages was
discovered in GnuTLS. This side-channel
can be sufficient to recover the key
encrypted in the RSA ciphertext across a
network in a Bleichenbacher style attack.
To achieve a successful decryption the
7.5
attacker would need to send a large
amount of specially crafted messages to
the vulnerable server. By recovering the
secret from the ClientKeyExchange
message, the attacker would be able to
decrypt the application data exchanged
over that connection.
File before 5.43 has a stack-based buffer
over-read in file_copystr in funcs.c. NOTE:
6.3
"File" is the name of an Open Source
project.
An issue was discovered in OpenSSH
before 8.9. If a client is using public-key
authentication with agent forwarding but
without -oLogLevel=verbose, and an
attacker has silently modified the server to
support the None authentication option,
then the user cannot determine whether
3.7
FIDO authentication is going to confirm that
the user wishes to connect to that server,
or that the user wishes to allow that server
to connect to a different server on the
user's behalf. NOTE: the vendor's position
is "this is not an authentication bypass,
since nothing is being bypassed."
The Closest Encloser Proof aspect of the
DNS protocol (in RFC 5155 when RFC
9276 guidance is skipped) allows remote
attackers to cause a denial of service (CPU
consumption for SHA-1 computations) via
7.5 DNSSEC responses in a random
subdomain attack, aka the "NSEC3" issue.
The RFC 5155 specification implies that an
algorithm must perform thousands of
iterations of a hash function in certain
situations.
ncurses 6.4-20230610 has a NULL pointer
3.5
dereference in tgetstr in tinfo/lib_termcap.c.
A flaw was found in the grub2-set-bootflag
utility of grub2. After the fix of CVE-2019-14865, grub2-set-bootflag will create a
temporary file with the new grubenv
content and rename it to the original
3.3 grubenv file. If the program is killed before
the rename operation, the temporary file
will not be removed and may fill the
filesystem when invoked multiple times,
resulting in a filesystem out of free inodes
or blocks.
A security regression (CVE-2006-5051)
was discovered in OpenSSH's server
(sshd). There is a race condition which can
lead sshd to handle some signals in an
8.1
unsafe manner. An unauthenticated,
remote attacker may be able to trigger it by
failing to authenticate within a set time
period.
NULL Pointer Dereference in GitHub
repository vim/vim prior to
8.2
20d161ace307e28690229b68584f2d84556f8960.
Untrusted Search Path in GitHub repository
7.8
vim/vim prior to 9.0.1833.
json-c through 0.14 has an integer overflow
and out-of-bounds write via a large JSON
7.8
file, as demonstrated by
printbuf_memappend.
Out-of-bounds Write in GitHub repository
4.8
vim/vim prior to 9.0.1847.
A path disclosure vulnerability was found in
Samba. As part of the Spotlight protocol,
Samba discloses the server-side absolute
path of shares, files, and directories in the
5.3 results for search queries. This flaw allows
a malicious client or an attacker with a
targeted RPC request to view the
information that is part of the disclosed
path.
This flaw makes curl overflow a heap
based buffer in the SOCKS5 proxy
handshake.
When curl is asked to pass along the host
name to the SOCKS5 proxy to allow
that to resolve the address instead of it
getting done by curl itself, the
maximum length that host name can be is
255 bytes.
If the host name is detected to be longer,
curl switches to local name
8.1 resolving and instead passes on the
resolved address only. Due to this bug,
the local variable that means "let the host
resolve the name" could get the
wrong value during a slow SOCKS5
handshake, and contrary to the intention,
copy the too long host name to the target
buffer instead of copying just the
resolved address there.
The target buffer being a heap based
buffer, and the host name coming from the
URL that curl has been told to operate with.
A path traversal vulnerability exists in curl
<8.0.0 SFTP implementation that causes the
tilde (~) character to be wrongly replaced
when used as a prefix in the first path
element, in addition to its intended use as
8.8 the first element to indicate a path relative
to the user's home directory. Attackers can
exploit this flaw to bypass filtering or
execute arbitrary code by crafting a path
like /~2/foo while accessing a server with a
specific user.
ftbench.c in FreeType Demo Programs
7.8 through 2.12.1 has a heap-based buffer
overflow.
Vim is a UNIX editor that, prior to version
9.0.2121, has a heap-use-after-free
vulnerability. When executing a `:s`
command for the very first time and using a
sub-replace-special atom inside the
substitution part, it is possible that the
recursive `:s` call causes free-ing of
4.7 memory which may later then be accessed
by the initial `:s` command. The user must
intentionally execute the payload and the
whole process is a bit tricky to do since it
seems to work only reliably for the very first
:s command. It may also cause a crash of
Vim. Version 9.0.2121 contains a fix for this
issue.
via the "keylen" parameter or the IV length,
via the "ivlen" parameter,
within the OSSL_PARAM array will not
take effect as intended, potentially
causing truncation or overreading of these
values. The following ciphers
and cipher modes are impacted: RC2,
RC4, RC5, CCM, GCM and OCB.
For the CCM, GCM and OCB cipher
modes, truncation of the IV can result in
loss of confidentiality. For example, when
following NIST's SP 800-38D
section 8.2.1 guidance for constructing a
deterministic IV for AES in
GCM mode, truncation of the counter
portion could lead to IV reuse.
7.5
Both truncations and overruns of the key
and overruns of the IV will
produce incorrect results and could, in
some cases, trigger a memory
exception. However, these issues are not
currently assessed as security
critical.
Changing the key and/or IV lengths is not
considered to be a common operation
and the vulnerable API was recently
introduced. Furthermore it is likely that
application developers will have spotted
this problem during testing since
decryption would fail unless both peers in
the communication were similarly
delays. Where the key or parameters that
are being checked have been obtained
from an untrusted source this may lead to a
Denial of Service.
The function DH_check() performs various
checks on DH parameters. One of those
checks confirms that the modulus ('p'
parameter) is not too large. Trying to use
a very large modulus is slow and OpenSSL
will not normally use a modulus which
is over 10,000 bits in length.
However the DH_check() function checks
numerous aspects of the key or
parameters
that have been supplied. Some of those
5.3
checks use the supplied modulus value
even if it has already been found to be too
large.
An application that calls DH_check() and
supplies a key or parameters obtained
from an untrusted source could be
vulnerable to a Denial of Service attack.
The function DH_check() is itself called by
a number of other OpenSSL functions.
An application calling any of those other
functions may similarly be affected.
The other functions affected by this are
DH_check_ex() and
EVP_PKEY_param_check().
An out-of-bounds write flaw was found in
grub2's NTFS filesystem driver. This issue
may allow an attacker to present a
specially crafted NTFS filesystem image,
leading to grub's heap metadata corruption.
5.3
In some circumstances, the attack may
also corrupt the UEFI firmware heap
metadata. As a result, arbitrary code
execution and secure boot protection
bypass may be achieved.
Use After Free in GitHub repository vim/vim
7.8
prior to 9.0.1857.
Vim is an open source command line text
editor. When using the z= command, the
user may overflow the count with values
larger
than MAX_INT. Impact is low, user
interaction is required and a crash may not
4.3
even happen in all situations. This
vulnerability has been addressed in commit
`73b2d379` which has been included in
release version 9.0.2111. Users are
advised to upgrade. There are no known
workarounds for this vulnerability.
Heap-based Buffer Overflow in GitHub
7.5
repository vim/vim prior to 9.0.1969.
less through 653 allows OS command
execution via a newline character in the
name of a file, because quoting is
mishandled in filename.c. Exploitation
typically requires use with attacker-
8.6
controlled file names, such as the files
extracted from an untrusted archive.
Exploitation also requires the LESSOPEN
environment variable, but this is set by
default in many common cases.
linux-pam (aka Linux PAM) before 1.6.0
allows attackers to cause a denial of
5.5 service (blocked login process) via mkfifo
because the openat call (for protect_dir)
lacks O_DIRECTORY.
A flaw was found in GLib. GVariant
deserialization is vulnerable to a slowdown
5.5 issue where a crafted GVariant can cause
excessive processing, leading to denial of
service.
The DNS message parsing code in
`named` includes a section whose
computational complexity is overly high. It
does not cause problems for typical DNS
traffic, but crafted queries and responses
may cause excessive CPU load on the
affected `named` instance by exploiting this
7.5
flaw. This issue affects both authoritative
servers and recursive resolvers.
This issue affects BIND 9 versions 9.0.0
through 9.16.45, 9.18.0 through 9.18.21,
9.19.0 through 9.19.19, 9.9.3-S1 through
9.11.37-S1, 9.16.8-S1 through 9.16.45-S1,
and 9.18.11-S1 through 9.18.21-S1.
A flaw was found in libssh. By utilizing the
ProxyCommand or ProxyJump feature,
users can exploit unchecked hostname
4.8 syntax on the client. This issue may allow
an attacker to inject malicious code into the
command of the features mentioned
through the hostname parameter.
An infinite loop vulnerability was found in
Samba's mdssvc RPC service for Spotlight.
When parsing Spotlight mdssvc RPC
packets sent by the client, the core
unmarshalling function sl_unpack_loop()
did not validate a field in the network
packet that contains the count of elements
5.3
in an array-like structure. By passing 0 as
the count value, the attacked function will
run in an endless loop consuming 100%
CPU. This flaw allows an attacker to issue
a malformed RPC request, triggering an
infinite loop, resulting in a denial of service
condition.
A flaw was found in GLib. The GVariant
deserialization code is vulnerable to a heap
buffer overflow introduced by the fix for
CVE-2023-32665. This bug does not affect
7.8
any released version of GLib, but does
affect GLib distributors who followed the
guidance of GLib developers to backport
the initial fix for CVE-2023-32665.
inffast.c in zlib 1.2.8 might allow context-
dependent attackers to have unspecified
9.8
impact by leveraging improper pointer
arithmetic.
An information disclosure vulnerability
exists in curl <v8.1.0 when doing HTTP(S)
transfers, libcurl might erroneously use the
read callback
(`CURLOPT_READFUNCTION`) to ask for
data to send, even when the
`CURLOPT_POSTFIELDS` option has
been set, if the same handle previously
6.5
was used to issue a `PUT` request which
used that callback. This flaw may surprise
the application and cause it to misbehave
and either send off the wrong data or use
memory after free or similar in the second
transfer. The problem exists in the logic for
a reused handle when it is (expected to be)
changed from a PUT to a POST.
This repository hosts source code
implementing the Trusted Computing
Group's (TCG) TPM2 Software Stack
(TSS). The JSON Quote Info returned by
Fapi_Quote has to be deserialized by
Fapi_VerifyQuote to the TPM Structure
`TPMS_ATTEST`. For the field
`TPM2_GENERATED magic` of this
5.5
structure any number can be used in the
JSON structure. The verifier can receive a
state which does not represent the actual,
possibly malicious state of the device under
test. The malicious device might get access
to data it shouldn't, or can use services it
shouldn't be able to. This
issue has been patched in version 4.1.0.
A vulnerability was found in zstd v1.4.10,
where an attacker can supply empty string
7.5
as an argument to the command line tool to
cause buffer overrun.
A vulnerability was discovered in Samba,
where the flaw allows SMB clients to
truncate files, even with read-only
permissions when the Samba VFS module
"acl_xattr" is configured with
"acl_xattr:ignore system acls = yes". The
SMB protocol allows opening files when the
6.5 client requests read-only access but then
implicitly truncates the opened file to 0
bytes if the client specifies a separate
OVERWRITE create disposition request.
The issue arises in configurations that
bypass kernel file system permissions
checks, relying solely on Samba's
permissions.
libcurl's ASN1 parser code has the
`GTime2str()` function, used for parsing an
ASN.1 Generalized Time field. If given an
syntactically incorrect field, the
parser might end up using -1 for the length
of the *time fraction*, leading to
a `strlen()` getting performed on a pointer
to a heap buffer area that is not
4.8
(purposely) null terminated.
This flaw most likely leads to a crash, but
can also lead to heap contents
getting returned to the application when
[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is
used.
When saving HSTS data to an excessively
long file name, curl could end up
removing all contents, making subsequent
5.3 requests using that file unaware of
the HSTS status they should otherwise
use.
In Lua 5.4.3, an erroneous finalizer called
7.5 during a tail call leads to a heap-based
buffer over-read.
A vulnerability was found in libcap. This
issue occurs in the _libcap_strdup()
5.5
function and can lead to an integer
overflow if the input string is close to 4GiB.
A NULL pointer dereference was found in
libssh during re-keying with algorithm
4.3 guessing. This issue may allow an
authenticated client to cause a denial of
service.
When an application tells libcurl it wants to
allow HTTP/2 server push, and the amount
of received headers for the push surpasses
the maximum allowed limit (1000), libcurl
aborts the server push. When aborting,
6.5
libcurl inadvertently does not free all the
previously allocated headers and instead
leaks the memory. Further, this error
condition fails silently and is therefore not
easily detected by an application.
An authentication bypass vulnerability
exists in libcurl <8.0.0 in the connection reuse
feature which can reuse previously
established connections with incorrect user
permissions due to a failure to check for
changes in the
CURLOPT_GSSAPI_DELEGATION
9.8
option. This vulnerability affects
krb5/kerberos/negotiate/GSSAPI transfers
and could potentially result in unauthorized
access to sensitive information. The safest
option is to not reuse connections if the
CURLOPT_GSSAPI_DELEGATION option
has been changed.
nscd: Null pointer crashes after notfound
response
If the Name Service Cache Daemon's
(nscd) cache fails to add a not-found
netgroup response to the cache, the client
request can result in a null
5.3
pointer dereference. This flaw was
introduced in glibc 2.15 when the
cache was added to nscd.
This vulnerability is only present in the nscd
binary.
In GNU tar before 1.35, mishandled
2.8 extension attributes in a PAX archive can
lead to an application crash in xheader.c.
nghttp2 is an implementation of the
Hypertext Transfer Protocol version 2 in C.
The nghttp2 library prior to version 1.61.0
keeps reading the unbounded number of
HTTP/2 CONTINUATION frames even
after a stream is reset to keep HPACK
5.3
context in sync. This causes excessive
CPU usage to decode HPACK stream.
nghttp2 v1.61.0 mitigates this vulnerability
by limiting the number of CONTINUATION
frames it accepts per stream. There is no
workaround for this vulnerability.
A NULL pointer dereference flaw was
found in the ub_ctx_set_fwd function in
Unbound. This issue could allow an
attacker who can invoke specific
sequences of API calls to cause a
segmentation fault. When certain API
2.8 functions such as ub_ctx_set_fwd and
ub_ctx_resolvconf are called in a particular
order, the program attempts to read from a
NULL pointer, leading to a crash. This
issue can result in a denial of service by
causing the application to terminate
unexpectedly.
A path traversal vulnerability was identified
in Samba when processing client pipe
names connecting to Unix domain sockets
within a private directory. Samba typically
uses this mechanism to connect SMB
clients to remote procedure call (RPC)
services like SAMR LSA or SPOOLSS,
which Samba initiates on demand.
However, inadequate sanitization of
incoming client pipe names allows a
5.9 client to send a pipe name containing Unix
directory traversal characters (../). This
could result in SMB clients connecting as
root to Unix domain sockets outside the
private directory. If an attacker or client
managed to send a pipe name resolving to
an external service using an existing Unix
domain socket, it could potentially lead to
unauthorized access to the service and
consequential adverse events, including
compromise or service crashes.
A flaw was found in GnuTLS. The Minerva
attack is a cryptographic vulnerability that
exploits deterministic behavior in systems
like GnuTLS, leading to side-channel leaks.
In specific scenarios, such as when using
5.3
the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in
nonce size from 513 to 512 bits, exposing a
potential timing side-channel.
GNU Tar through 1.34 has a one-byte out-
of-bounds read that results in use of
uninitialized memory for a conditional jump.
Exploitation to change the flow of control
7.8
has not been demonstrated. The issue
occurs in from_header in list.c via a V7
archive in which mtime has approximately
11 whitespace characters.
Sudo before 1.9.13 does not escape
5.3
control characters in log messages.
A vulnerability was found that the response
times to malformed ciphertexts in RSA-
7.4 PSK ClientKeyExchange differ from
response times of ciphertexts with correct
PKCS#1 v1.5 padding.
To keep its cache database efficient,
`named` running as a recursive resolver
occasionally attempts to clean up the
database. It uses several methods,
including some that are asynchronous: a
small chunk of memory pointing to the
cache element that can be cleaned up is
first allocated and then queued for later
processing. It was discovered that if the
resolver is continuously processing query
7.5 patterns triggering this type of cache-
database maintenance, `named` may not
be able to handle the cleanup events in a
timely manner. This in turn enables the list
of queued cleanup events to grow infinitely
large over time, allowing the configured
`max-cache-size` limit to be significantly
exceeded.
This issue affects BIND 9 versions 9.16.0
through 9.16.45 and 9.16.8-S1 through
9.16.45-S1.
A vulnerability was found in systemd-
resolved. This issue may allow systemd-
resolved to accept records of DNSSEC-
5.9 signed domains even when they have no
signature, allowing man-in-the-middles (or
the upstream DNS resolver) to manipulate
records.
libexpat through 2.5.0 allows a denial of
service (resource consumption) because
7.5 many full reparsings are required in the
case of a large token for which multiple
buffer fills are needed.
An improper certificate validation
vulnerability exists in curl <v8.1.0 in the
way it supports matching of wildcard
patterns when listed as "Subject Alternative
Name" in TLS server certificates. curl can
be built to use its own name matching
function for TLS rather than one provided
by a TLS library. This private wildcard
matching function would match IDN
(International Domain Name) hosts
4.3
incorrectly and could as a result accept
patterns that otherwise should mismatch.
IDN hostnames are converted to punycode
before being used for certificate checks.
Punycoded names always start with `xn--` and
should not be allowed to pattern match, but
the wildcard check in curl could still check
for `x*`, which would match even though
the IDN name most likely contained nothing
even resembling an `x`.
c-ares is a C library for asynchronous DNS
requests. `ares__read_line()` is used to
parse local configuration files such as
`/etc/resolv.conf`, `/etc/nsswitch.conf`, the
`HOSTALIASES` file, and if using a c-ares
version prior to 1.27.0, the `/etc/hosts` file.
4.4 If any of these configuration files has an
embedded `NULL` character as the first
character in a new line, it can lead to
attempting to read memory prior to the start
of the given buffer which may result in a
crash. This issue is fixed in c-ares 1.27.0.
No known workarounds exist.
The crc32_big function in crc32.c in zlib
1.2.8 might allow context-dependent
9.8 attackers to have unspecified impact via
vectors involving big-endian CRC
calculation.
In libxml2 before 2.10.4, parsing of certain
invalid XSD schemas can lead to a NULL
pointer dereference and subsequently a
6.5
segfault. This occurs in
xmlSchemaFixupComplexType in
xmlschemas.c.
Vim is an open source command line text
editor. When closing a window, vim may try
to access already freed window structure.
Exploitation beyond crashing the
application has not been shown to be
4.3
viable. This issue has been addressed in
commit `25aabc2b` which has been
included in release version 9.0.2106. Users
are advised to upgrade. There are no
known workarounds for this vulnerability.
An out-of-bounds read vulnerability was
found in Samba due to insufficient length
checks in winbindd_pam_auth_crap.c.
When performing NTLM authentication, the
client replies to cryptographic challenges
back to the server. These replies have
3.7
variable lengths, and Winbind fails to check
the lan manager response length. When
Winbind is used for NTLM authentication, a
maliciously crafted request can trigger an
out-of-bounds read in Winbind, possibly
resulting in a crash.
Every `named` instance configured to run
as a recursive resolver maintains a cache
database holding the responses to the
queries it has recently sent to authoritative
servers. The size limit for that cache
database can be configured using the
`max-cache-size` statement in the
configuration file; it defaults to 90% of the
total amount of memory available on the
host. When the size of the cache reaches
7/8 of the configured limit, a cache-cleaning
algorithm starts to remove expired and/or
least-recently used RRsets from the cache,
to keep memory use below the configured
7.5 limit.
It has been discovered that the
effectiveness of the cache-cleaning
algorithm used in `named` can be severely
diminished by querying the resolver for
specific RRsets in a certain order,
effectively allowing the configured `max-cache-size` limit to be significantly
exceeded.
This issue affects BIND 9 versions 9.11.0
through 9.16.41, 9.18.0 through 9.18.15,
9.19.0 through 9.19.13, 9.11.3-S1 through
9.16.41-S1, and 9.18.11-S1 through
9.18.15-S1.
nscd: Stack-based buffer overflow in
netgroup cache
If the Name Service Cache Daemon's
(nscd) fixed size cache is exhausted
by client requests then a subsequent client
request for netgroup data
7.6 may result in a stack-based buffer
overflow. This flaw was introduced
in glibc 2.15 when the cache was added to
nscd.
This vulnerability is only present in the nscd
binary.
Use After Free in GitHub repository vim/vim
7.3
prior to 9.0.1840.
Certain DNSSEC aspects of the DNS
protocol (in RFC 4033, 4034, 4035, 6840,
and related RFCs) allow remote attackers
to cause a denial of service (CPU
consumption) via one or more DNSSEC
responses, aka the "KeyTrap" issue. One
7.5
of the concerns is that, when there is a
zone with many DNSKEY and RRSIG
records, the protocol specification implies
that an algorithm must evaluate all
combinations of DNSKEY and RRSIG
records.
Vim is an open source command line text
editor. If the count after the :s command is
larger than what fits into a (signed) long
variable, abort with e_value_too_large.
Impact is low, user interaction is required
4.3 and a crash may not even happen in all
situations. This issue has been addressed
in commit `ac6378773` which has been
included in release version 9.0.2108. Users
are advised to upgrade. There are no
known workarounds for this vulnerability.
DH key or DH parameters may experience
long
delays. Where the key or parameters that
are being checked have been obtained
from an untrusted source this may lead to a
Denial of Service.
The function DH_check() performs various
checks on DH parameters. After fixing
CVE-2023-3446 it was discovered that a
large q parameter value can also trigger
an overly long computation during some of
these checks. A correct q value,
if present, cannot be larger than the
modulus p parameter, thus it is
unnecessary to perform these checks if q is
larger than p.
5.3
An application that calls DH_check() and
supplies a key or parameters obtained
from an untrusted source could be
vulnerable to a Denial of Service attack.
The function DH_check() is itself called by
a number of other OpenSSL functions.
An application calling any of those other
functions may similarly be affected.
The other functions affected by this are
DH_check_ex() and
EVP_PKEY_param_check().
Also vulnerable are the OpenSSL dhparam
and pkeyparam command line applications
when using the "-check" option.
Use After Free in GitHub repository vim/vim
7.8
prior to v9.0.2010.
A vulnerability was found in Samba's
"rpcecho" development server, a non-
Windows RPC server used to test Samba's
DCE/RPC stack elements. This
vulnerability stems from an RPC function
that can be blocked indefinitely. The issue
arises because the "rpcecho" service
operates with only one worker in the main
RPC task, allowing calls to the "rpcecho"
server to be blocked for a specified time,
causing service disruptions. This disruption
4.3
is triggered by a "sleep()" call in the
"dcesrv_echo_TestSleep()" function under
specific conditions. Authenticated users or
attackers can exploit this vulnerability to
make calls to the "rpcecho" server,
requesting it to block for a specified
duration, effectively disrupting most
services and leading to a complete denial
of service on the AD DC. The DoS affects
all other services as "rpcecho" runs in the
main RPC task.
libexpat through 2.5.0 allows recursive
5.5 XML Entity Expansion if XML_DTD is
undefined at compile time.
not save the contents of non-volatile XMM
registers on Windows 64 platform
when calculating the MAC of data larger
than 64 bytes. Before returning to
the caller all the XMM registers are set to
zero rather than restoring their
previous content. The vulnerable code is
used only on newer x86_64 processors
supporting the AVX512-IFMA instructions.
The consequences of this kind of internal
application state corruption can
be various - from no consequences, if the
calling application does not
depend on the contents of non-volatile
XMM registers at all, to the worst
consequences, where the attacker could
0.0
get complete control of the application
process. However given the contents of the
registers are just zeroized so
the attacker cannot put arbitrary values
inside, the most likely consequence,
if any, would be an incorrect result of some
application dependent
calculations or a crash leading to a denial
of service.
The POLY1305 MAC algorithm is most
frequently used as part of the
CHACHA20-POLY1305 AEAD
(authenticated encryption with associated
data)
algorithm. The most common usage of this
AEAD cipher is with TLS protocol
A race condition flaw was found in sssd
where the GPO policy is not consistently
applied for authenticated users. This may
7.1
lead to improper authorization issues,
granting or denying access to resources
inappropriately.
DH key or DH parameters may experience
long
delays. Where the key or parameters that
are being checked have been obtained
from an untrusted source this may lead to a
Denial of Service.
The function DH_check() performs various
checks on DH parameters. After fixing
CVE-2023-3446 it was discovered that a
large q parameter value can also trigger
an overly long computation during some of
these checks. A correct q value,
if present, cannot be larger than the
modulus p parameter, thus it is
unnecessary to perform these checks if q is
larger than p.
5.3
An application that calls DH_check() and
supplies a key or parameters obtained
from an untrusted source could be
vulnerable to a Denial of Service attack.
The function DH_check() is itself called by
a number of other OpenSSL functions.
An application calling any of those other
functions may similarly be affected.
The other functions affected by this are
DH_check_ex() and
EVP_PKEY_param_check().
Also vulnerable are the OpenSSL dhparam
and pkeyparam command line applications
when using the "-check" option.
A vulnerability was found in Avahi, where a
3.5 reachable assertion exists in
avahi_dns_packet_append_record.
A vulnerability was found in the
pthread_create() function in libcap. This
issue may allow a malicious actor to
5.5
cause __real_pthread_create() to return an
error, which can exhaust the process
memory.
A flaw has been discovered in GnuTLS
where an application crash can be induced
5.0 when attempting to verify a specially
crafted .pem bundle using the "certtool --
verify-chain" command.
inftrees.c in zlib 1.2.8 might allow context-
dependent attackers to have unspecified
8.8
impact by leveraging improper pointer
arithmetic.
The inflateMark function in inflate.c in zlib
1.2.8 might allow context-dependent
8.8 attackers to have unspecified impact via
vectors involving left shifts of negative
integers.
Libksba before 1.6.3 is prone to an integer
9.8 overflow vulnerability in the CRL signature
parser.
A buffer overflow was discovered in the
GNU C Library's dynamic loader ld.so while
processing the GLIBC_TUNABLES
environment variable. This issue could
7.8 allow a local attacker to use maliciously
crafted GLIBC_TUNABLES environment
variables when launching binaries with
SUID permission to execute code with
elevated privileges.
An issue was discovered in libxml2 before
2.10.4. When hashing empty dict strings in
a crafted XML document,
xmlDictComputeFastKey in dict.c can
produce non-deterministic values, leading
6.5
to various logic and memory errors, such
as a double free. This behavior occurs
because there is an attempt to use the first
byte of an empty string, and any value is
possible (not solely the '\0' value).
Vim is an improved version of the good old
UNIX editor Vi. Heap-use-after-free in
memory allocated in the function
`ga_grow_inner` in the file `src/alloc.c` at
line 748, which is freed in the file
`src/ex_docmd.c` in the function
`do_cmdline` at line 1010 and then used
4.0 again in `src/cmdhist.c` at line 759. When
using the `:history` command, it's possible
that the provided argument overflows the
accepted value, causing an integer
overflow and potentially later a use-after-
free. This vulnerability has been patched in
version 9.0.2068.
c-ares is an asynchronous resolver library.
c-ares is vulnerable to denial of service. If a
target resolver sends a query, the attacker
forges a malformed UDP packet with a
7.5 length of 0 and returns it to the target
resolver. The target resolver erroneously
interprets the 0 length as a graceful
shutdown of the connection. This issue has
been patched in version 1.19.1.
cJSON v1.7.17 was discovered to contain
a segmentation violation, which can be triggered
0.0
through the second parameter of function
cJSON_SetValuestring at cJSON.c.
tpm2-tss is an open source software
implementation of the Trusted Computing
Group (TCG) Trusted Platform Module
(TPM) 2 Software Stack (TSS2). In
affected versions `Tss2_RC_SetHandler`
and `Tss2_RC_Decode` both index into
`layer_handler` with an 8 bit layer number,
but the array only has
`TPM2_ERROR_TSS2_RC_LAYER_COUNT` entries, so trying to add a handler for
higher-numbered layers or decode a
6.4 response code with such a layer number
reads/writes past the end of the buffer. This
buffer overrun could result in arbitrary
code execution. An example attack would
be a MiTM bus attack that returns
0xFFFFFFFF for the RC. Given the
common use case of TPM modules an
attacker must have local access to the
target machine with local system privileges
which allows access to the TPM system.
Usually TPM access requires
administrative privilege.
application dependent consequences.
The POLY1305 MAC (message
authentication code) implementation in
OpenSSL for
PowerPC CPUs restores the contents of
vector registers in a different order
than they are saved. Thus the contents of
some of these vector registers
are corrupted when returning to the caller.
The vulnerable code is used only
on newer PowerPC processors supporting
the PowerISA 2.07 instructions.
The consequences of this kind of internal
application state corruption can
be various - from no consequences, if the
6.5 calling application does not
depend on the contents of non-volatile
XMM registers at all, to the worst
consequences, where the attacker could
get complete control of the application
process. However unless the compiler uses
the vector registers for storing
pointers, the most likely consequence, if
any, would be an incorrect result
of some application dependent calculations
or a crash leading to a denial of
service.
The POLY1305 MAC algorithm is most
frequently used as part of the
CHACHA20-POLY1305 AEAD
(authenticated encryption with associated
data)
An issue was discovered in libexpat before
2.6.3. dtdCopy in xmlparse.c can have an
9.8 integer overflow for nDefaultAtts on 32-bit
platforms (where UINT_MAX equals
SIZE_MAX).
A flaw was found in the GNU C Library. A
recent fix for CVE-2023-4806 introduced
7.5
the potential for a memory leak, which may
result in an application crash.
A vulnerability in input validation in
curl <8.0 during communication using the
TELNET protocol may allow an attacker to
pass on maliciously crafted user name and
"telnet options" during server negotiation.
The lack of proper input scrubbing allows
8.8
an attacker to send content or perform
option negotiation without the application's
intent. This vulnerability could be exploited
if an application allows user input, thereby
enabling attackers to execute arbitrary
code on the system.
An authentication bypass vulnerability
exists in libcurl <8.0.0 in the FTP
connection reuse feature that can result in
wrong credentials being used during
subsequent transfers. Previously created
connections are kept in a connection pool
for reuse if they match the current setup.
However, certain FTP settings such as
CURLOPT_FTP_ACCOUNT,
7.5
CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and
CURLOPT_USE_SSL were not included in
the configuration match checks, causing
them to match too easily. This could lead to
libcurl using the wrong credentials when
performing a transfer, potentially allowing
unauthorized access to sensitive
information.
GNU Libc current is affected by: Re-
mapping current loaded library with
malicious ELF file. The impact is: In worst
case an attacker may escalate privileges. The
component is: libld. The attack vector is:
0.0
Attacker sends 2 ELF files to victim and
asks them to run ldd on it; ldd executes code.
NOTE: Upstream comments indicate "this
is being treated as a non-security bug and
no real threat."
Vim is an open source command line text
editor. When parsing relative ex addresses
one may unintentionally cause an
overflow. Ironically this happens in the
existing overflow check, because the line
number becomes negative and
LONG_MAX - lnum will cause the overflow.
4.3
Impact is low, user interaction is required
and a crash may not even happen in all
situations. This issue has been addressed
in commit `060623e` which has been
included in release version 9.0.2110. Users
are advised to upgrade. There are no
known workarounds for this vulnerability.
NULL Pointer Dereference in GitHub
7.8
repository vim/vim prior to 9.0.1531.
A bad interaction between DNS64 and
serve-stale may cause `named` to crash
with an assertion failure during recursive
resolution, when both of these features are
enabled.
7.5
This issue affects BIND 9 versions 9.16.12
through 9.16.45, 9.18.0 through 9.18.21,
9.19.0 through 9.19.19, 9.16.12-S1 through
9.16.45-S1, and 9.18.11-S1 through
9.18.21-S1.
Sudo before 1.9.15 might allow row
hammer attacks (for authentication bypass
or privilege escalation) because application
7.0 logic sometimes is based on not equaling
an error value (instead of equaling a
success value), and because the values do
not resist flips of a single bit.
Resolved In
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100
iMaster NCE-Campus
V300R024C00SPC100