Debian Linux vulnerabilities
9,911 known vulnerabilities affecting debian/debian_linux.
Total CVEs: 9,911
CISA KEV: 119 (actively exploited)
Public exploits: 429
Exploited in wild: 132
Severity breakdown
CRITICAL 1128 | HIGH 4110 | MEDIUM 4311 | LOW 362
Vulnerabilities
Page 38 of 496
CVE-2024-37384 | MEDIUM | CVSS 6.1 | v10.0 | 2024-06-07 | CWE-79
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences.
nvd
CVE-2024-5629 | HIGH | CVSS 8.1 | v10.0 | 2024-06-05 | CWE-125
An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.
nvd
CVE-2024-36960 | HIGH | CVSS 7.1 | v10.0 | 2024-06-03 | CWE-125
In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Fix invalid reads in fence signaled events
Correctly set the length of the drm_event to the size of the structure
that's actually used.
The length of the drm_event was set to the parent structure instead of
to the drm_vmw_event_fence which is supposed to be read. drm_re
nvd
CVE-2024-5197 | MEDIUM | CVSS 5.9 | v10.0 | 2024-06-03 | CWE-190
There exist integer overflows in libvpx in versions prior to 1.14.1. Calling vpx_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned vpx_image_t struct may be invalid. Calling vpx_img_wrap() with a large value of the d_w, d_h
nvd
CVE-2024-36964 | MEDIUM | CVSS 5.5 | v10.0 | 2024-06-03
In the Linux kernel, the following vulnerability has been resolved:
fs/9p: only translate RWX permissions for plain 9P2000
Garbage in plain 9P2000's perm bits is allowed through, which causes it
to be able to set (among others) the suid bit. This was presumably not
the intent since the unix extended bits are handled explicitly and
conditionally on .u.
nvd
CVE-2024-36886 | HIGH | CVSS 7.8 | v10.0 | 2024-05-30 | CWE-416
In the Linux kernel, the following vulnerability has been resolved:
tipc: fix UAF in error path
Sam Page (sam4k) working with Trend Micro Zero Day Initiative reported
a UAF in the tipc_buf_append() error path:
BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0
linux/net/core/skbuff.c:1183
Read of size 8 at addr ffff88804d2a7c80 by
nvd
CVE-2024-36904 | HIGH | CVSS 7.8 | v10.0 | 2024-05-30 | CWE-416
In the Linux kernel, the following vulnerability has been resolved:
tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().
Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique()
with nice analysis.
Since commit ec94c2696f0b ("tcp/dccp: avoid one atomic operation for
timewait hashdance"), inet_twsk_hashdance() sets TIME-WAIT socket
nvd
CVE-2024-36934 | HIGH | CVSS 7.8 | v10.0 | 2024-05-30 | CWE-787
In the Linux kernel, the following vulnerability has been resolved:
bna: ensure the copied buf is NUL terminated
Currently, we allocate a nbytes-sized kernel buffer and copy nbytes from
userspace to that buffer. Later, we use sscanf on this buffer but we don't
ensure that the string is terminated inside the buffer, this can lead to
OOB read when usi
nvd
CVE-2024-36913 | HIGH | CVSS 8.1 | v11.0 | 2024-05-30 | CWE-1258
In the Linux kernel, the following vulnerability has been resolved:
Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails
In CoCo VMs it is possible for the untrusted host to cause
set_memory_encrypted() or set_memory_decrypted() to fail such that an
error is returned and the resulting memory is shared. Callers need to
take care to handle t
nvd
CVE-2024-36883 | HIGH | CVSS 7.1 | v10.0 | 2024-05-30 | CWE-125
In the Linux kernel, the following vulnerability has been resolved:
net: fix out-of-bounds access in ops_init
net_alloc_generic is called by net_alloc, which is called without any
locking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It
is read twice, first to allocate an array, then to set s.len, which is
later used to limit the
nvd
CVE-2024-36940 | HIGH | CVSS 7.8 | v10.0 | 2024-05-30 | CWE-415
In the Linux kernel, the following vulnerability has been resolved:
pinctrl: core: delete incorrect free in pinctrl_enable()
The "pctldev" struct is allocated in devm_pinctrl_register_and_init().
It's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),
so freeing it in pinctrl_enable() will lead to a double free.
The devm_pinctrl_d
nvd
CVE-2024-36916 | HIGH | CVSS 7.1 | v10.0 | 2024-05-30 | CWE-125
In the Linux kernel, the following vulnerability has been resolved:
blk-iocost: avoid out of bounds shift
UBSAN catches undefined behavior in blk-iocost, where sometimes
iocg->delay is shifted right by a number that is too large,
resulting in undefined behavior on some architectures.
[ 186.556576] ------------[ cut here ]------------
UBSAN: shift-o
nvd
CVE-2024-36933 | MEDIUM | CVSS 5.5 | v10.0 | 2024-05-30 | CWE-908
In the Linux kernel, the following vulnerability has been resolved:
nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().
syzbot triggered various splats (see [0] and links) by a crafted GSO
packet of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:
ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP
NSH can
nvd
CVE-2024-36939 | MEDIUM | CVSS 5.5 | v10.0 | 2024-05-30
In the Linux kernel, the following vulnerability has been resolved:
nfs: Handle error of rpc_proc_register() in nfs_net_init().
syzkaller reported a warning [0] triggered while destroying immature
netns.
rpc_proc_register() was called in init_nfs_fs(), but its error
has been ignored since at least the initial commit 1da177e4c3f4
("Linux-2.6.12-rc2").
Re
nvd
CVE-2024-36941 | MEDIUM | CVSS 5.5 | v10.0 | 2024-05-30 | CWE-476
In the Linux kernel, the following vulnerability has been resolved:
wifi: nl80211: don't free NULL coalescing rule
If the parsing fails, we can dereference a NULL pointer here.
nvd
CVE-2024-36020 | MEDIUM | CVSS 5.5 | v10.0 | 2024-05-30 | CWE-908
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix vf may be used uninitialized in this function warning
To fix the regression introduced by commit 52424f974bc5, which causes
servers hang in very hard to reproduce conditions with resets races.
Using two sources for the information is the root cause.
In this function befo
nvd
CVE-2023-52882 | MEDIUM | CVSS 5.5 | v10.0 | 2024-05-30
In the Linux kernel, the following vulnerability has been resolved:
clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change
While PLL CPUX clock rate change when CPU is running from it works in
vast majority of cases, now and then it causes instability. This leads
to system crashes and other undefined behaviour. After a lot of testing
(30+ hours) whi
nvd
CVE-2024-36946 | MEDIUM | CVSS 5.5 | v10.0 | 2024-05-30 | CWE-401
In the Linux kernel, the following vulnerability has been resolved:
phonet: fix rtm_phonet_notify() skb allocation
fill_route() stores three components in the skb:
- struct rtmsg
- RTA_DST (u8)
- RTA_OIF (u32)
Therefore, rtm_phonet_notify() should use
NLMSG_ALIGN(sizeof(struct rtmsg)) +
nla_total_size(1) +
nla_total_size(4)
nvd
CVE-2024-36957 | MEDIUM | CVSS 5.5 | v10.0 | 2024-05-30 | CWE-193
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-af: avoid off-by-one read from userspace
We try to access count + 1 byte from userspace with memdup_user(buffer,
count + 1). However, the userspace only provides buffer of count bytes and
only these count bytes are verified to be okay to access. To ensure the
copied buffe
nvd
CVE-2024-36889 | MEDIUM | CVSS 5.5 | v10.0 | 2024-05-30
In the Linux kernel, the following vulnerability has been resolved:
mptcp: ensure snd_nxt is properly initialized on connect
Christoph reported a splat hinting at a corrupted snd_una:
WARNING: CPU: 1 PID: 38 at net/mptcp/protocol.c:1005 __mptcp_clean_una+0x4b3/0x620 net/mptcp/protocol.c:1005
Modules linked in:
CPU: 1 PID: 38 Comm: kworker/1:1 Not tainted
nvd