In this paper, the authors show that the design of DNSSEC is flawed. Exploiting vulnerable recommendations in the DNSSEC standards, they developed a new class of DNSSEC-based algorithmic complexity attacks on DNS, they dubbed KeyTrap attacks. All popular DNS implementations and services are vulnerable. With just a single DNS packet, the KeyTrap attacks lead to a 2.000.000x spike in CPU instruction count in vulnerable DNS resolvers, stalling some for as long as 16 hours. This devastating effect prompted major DNS vendors to refer to KeyTrap as "the worst attack on DNS ever discovered". Exploiting KeyTrap, an attacker could effectively disable Internet access in any system utilizing a DNSSEC-validating resolver.
4c1743e665520f276be83b47e7a1ae86496ca84f1935e9197aa5b5736fc57eb4Debian Linux Security Advisory 5627-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure or spoofing.
fecc020dcddb2184341c57558aa3f486e8ee301dd59c165be89472e03edd082bGentoo Linux Security Advisory 202402-29 - Multiple vulnerabilities have been found in LibreOffice, the worst of which could result in user-assisted code execution. Versions greater than or equal to 7.5.9.2 are affected.
dd6e66d7eafddfab7d5156af7a48ea9c2e0fe469f1184c2f3d3a13a501c9039aThere exists an unauthenticated command injection vulnerability in the QNAP operating system known as QTS and QuTS hero. QTS is a core part of the firmware for numerous QNAP entry and mid-level Network Attached Storage (NAS) devices, and QuTS hero is a core part of the firmware for numerous QNAP high-end and enterprise NAS devices. The vulnerable endpoint is the quick.cgi component, exposed by the device's web based administration feature. The quick.cgi component is present in an uninitialized QNAP NAS device. This component is intended to be used during either manual or cloud based provisioning of a QNAP NAS device. Once a device has been successfully initialized, the quick.cgi component is disabled on the system. An attacker with network access to an uninitialized QNAP NAS device may perform unauthenticated command injection, allowing the attacker to execute arbitrary commands on the device.
512c538bc485b9095fb0fb14daba0e91a985496262d3017dc3aaf05f8005e9adUbuntu Security Notice 6649-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Alfred Peters discovered that Firefox did not properly manage memory when storing and re-accessing data on a networking channel. An attacker could potentially exploit this issue to cause a denial of service.
915d1dd9c871ef5fa18727920f32a507f24302608c703c4e810bc2c237c6b315CMS Made Simple version 2.2.19 suffers from a server-side template injection vulnerability.
678bb66608e7b41c5cd05528ea7219cf35638614441463568f81ba0d9dab3df4CMS Made Simple version 2.2.19 suffers from a persistent cross site scripting vulnerability.
aaabe1d02e7411b3fdb5bd9220f8bd34a7c9e15203321299cabd15dca9372cdeUbuntu Security Notice 6648-1 - It was discovered that a race condition existed in the AppleTalk networking subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Zhenghan Wang discovered that the generic ID allocator implementation in the Linux kernel did not properly check for null bitmap when releasing IDs. A local attacker could use this to cause a denial of service.
74220a0b0c8b546e1843028c546fb7b9f332ab5279db8baa8ddaf07d3915746eCMS Made Simple versions 2.2.19 and 2.2.21 suffer from a remote code execution vulnerability.
1fba8dc39f6eab628cec63c1efe79d88f846728e2cc5c0253884d3ade1777638SitePad version 1.8.2 suffers from a persistent cross site scripting vulnerability.
48e6c1331a13411ebde677abf495089e3693574074e2831d427d7943a6dded2aDotclear version 2.29 suffers from a cross site scripting vulnerability.
48697a04e731c5ea3f3bb5bbf9027809e1f2b25c54b903adb00f897d6247d1e6Red Hat Security Advisory 2024-0937-03 - An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a privilege escalation vulnerability.
53876467f9ebca4e456042e6c4c0da9077be705693c4f66d286ed5227191e05fRed Hat Security Advisory 2024-0934-03 - An update is now available for Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8, Red Hat Virtualization 4 for Red Hat Enterprise Linux 8, and Red Hat Virtualization Engine 4.4. Issues addressed include a bypass vulnerability.
82f813d2c5260af55329640b24210beacb0a418fd53acfeabcd781b5a646c380Red Hat Security Advisory 2024-0853-03 - Network Observability is an OpenShift operator that deploys a monitoring pipeline to collect and enrich network flows that are produced by the Network Observability eBPF agent.
83d3e13a79ac7d00bf72ee5d0fcb0eaea63e6e35d0ed933647b0c96a58562b38FreeIPA version 4.10.1 has an issue where specially crafted HTTP requests potentially lead to denial of service or data exposure.
ed1964cddf58cd1a3b007267cb1f6a3b11008a5d76ebdb87f9a639382cd73688
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed