Debian Linux vulnerabilities
9,911 known vulnerabilities affecting debian/debian_linux.
Total CVEs: 9,911
CISA KEV: 119 (actively exploited)
Public exploits: 429
Exploited in wild: 132
Severity breakdown: CRITICAL 1128, HIGH 4110, MEDIUM 4311, LOW 362
Vulnerabilities
CVE-2023-52609 | MEDIUM | CVSS 4.7 | CWE-362 | v10.0 | 2024-03-18
In the Linux kernel, the following vulnerability has been resolved:
binder: fix race between mmput() and do_exit()
Task A calls binder_update_page_range() to allocate and insert pages on
a remote address space from Task B. For this, Task A pins the remote mm
via mmget_not_zero() first. This can race with Task B do_exit() and the
final mmput() refc
nvd
CVE-2023-52618 | MEDIUM | CVSS 5.3 | v10.0 | 2024-03-18
In the Linux kernel, the following vulnerability has been resolved:
block/rnbd-srv: Check for unlikely string overflow
Since "dev_search_path" can technically be as large as PATH_MAX,
there was a risk of truncation when copying it and a second string
into "full_path" since it was also PATH_MAX sized. The W=1 builds were
reporting this warning:
drivers/bl
nvd
CVE-2024-26640 | MEDIUM | CVSS 5.5 | v10.0 | 2024-03-18
In the Linux kernel, the following vulnerability has been resolved:
tcp: add sanity checks to rx zerocopy
TCP rx zerocopy intent is to map pages initially allocated
from NIC drivers, not pages owned by a fs.
This patch adds to can_map_frag() these additional checks:
- Page must not be a compound one.
- page->mapping must be NULL.
This fixes the panic r
nvd
CVE-2024-2496 | MEDIUM | CVSS 5.5 | CWE-476 | v10.0 | 2024-03-18
A NULL pointer dereference flaw was found in the udevConnectListAllInterfaces() function in libvirt. This issue can occur when detaching a host interface while at the same time collecting the list of interfaces via virConnectListAllInterfaces API. This flaw could be used to perform a denial of service attack by causing the libvirt daemon to crash.
nvd
CVE-2024-26633 | MEDIUM | CVSS 5.5 | v10.0 | 2024-03-18
In the Linux kernel, the following vulnerability has been resolved:
ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()
syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.
Reading frag_off can only be done if we pulled enough bytes
to skb->head. Currently we might access garbage.
[1]
BUG: KMSAN: uninit-value in ip6_tnl_
nvd
CVE-2024-26636 | MEDIUM | CVSS 5.5 | v10.0 | 2024-03-18
In the Linux kernel, the following vulnerability has been resolved:
llc: make llc_ui_sendmsg() more robust against bonding changes
syzbot was able to trick llc_ui_sendmsg(), allocating an skb with no
headroom, but subsequently trying to push 14 bytes of Ethernet header [1]
Like some others, llc_ui_sendmsg() releases the socket lock before
calling sock_al
nvd
CVE-2024-26635 | MEDIUM | CVSS 5.5 | CWE-909 | v10.0 | 2024-03-18
In the Linux kernel, the following vulnerability has been resolved:
llc: Drop support for ETH_P_TR_802_2.
syzbot reported an uninit-value bug below. [0]
llc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2
(0x0011), and syzbot abused the latter to trigger the bug.
write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[]
nvd
CVE-2023-52616 | MEDIUM | CVSS 5.5 | v10.0 | 2024-03-18
In the Linux kernel, the following vulnerability has been resolved:
crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init
When the mpi_ec_ctx structure is initialized, some fields are not
cleared, causing a crash when referencing the field when the
structure was released. Initially, this issue was ignored because
memory for mpi_ec_ctx is allocate
nvd
CVE-2023-52619 | MEDIUM | CVSS 5.5 | v10.0 | 2024-03-18
In the Linux kernel, the following vulnerability has been resolved:
pstore/ram: Fix crash when setting number of cpus to an odd number
When the number of cpu cores is adjusted to 7 or other odd numbers,
the zone size will become an odd number.
The address of the zone will become:
addr of zone0 = BASE
addr of zone1 = BASE + zone_size
addr of zone2 = BASE +
nvd
CVE-2024-26641 | MEDIUM | CVSS 5.5 | CWE-908 | v10.0 | 2024-03-18
In the Linux kernel, the following vulnerability has been resolved:
ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
syzbot found __ip6_tnl_rcv() could access uninitialized data [1].
Call pskb_inet_may_pull() to fix this, and initialize ipv6h
variable after this call as it can change skb->head.
[1]
BUG: KMSAN: uninit-value in __INET_E
nvd
CVE-2023-52617 | MEDIUM | CVSS 4.4 | CWE-459 | v10.0 | 2024-03-18
In the Linux kernel, the following vulnerability has been resolved:
PCI: switchtec: Fix stdev_release() crash after surprise hot remove
A PCI device hot removal may occur while stdev->cdev is held open. The call
to stdev_release() then happens during close or exit, at a point way past
switchtec_pci_remove(). Otherwise the last ref would vanish wit
nvd
CVE-2024-24549 | HIGH | CVSS 7.5 | CWE-20 | v10.0 | 2024-03-13
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat: from 11.0.0-M1 through
nvd
CVE-2024-23672 | MEDIUM | CVSS 6.3 | CWE-459 | v10.0 | 2024-03-13
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Olde
nvd
CVE-2024-26614 | MEDIUM | CVSS 5.5 | CWE-667 | v10.0 | 2024-03-11
In the Linux kernel, the following vulnerability has been resolved:
tcp: make sure init the accept_queue's spinlocks once
When I run syz's reproduction C program locally, it causes the following
issue:
pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0!
WARNING: CPU: 19 PID: 21160 at __pv_queued_spin_unlock_slowpath (kernel/locking/qspin
nvd
CVE-2023-52489 | MEDIUM | CVSS 4.7 | CWE-362 | v10.0 | 2024-03-11
In the Linux kernel, the following vulnerability has been resolved:
mm/sparsemem: fix race in accessing memory_section->usage
The below race is observed on a PFN which falls into the device memory
region with the system memory configuration where PFN's are such that
[ZONE_NORMAL ZONE_DEVICE ZONE_NORMAL]. Since normal zone start and end
pfn contain
nvd
CVE-2023-52492 | MEDIUM | CVSS 4.4 | CWE-476 | v10.0 | 2024-03-11
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: fix NULL pointer in channel unregistration function
__dma_async_device_channel_register() can fail. In case of failure,
chan->local is freed (with free_percpu()), and chan->local is nullified.
When dma_async_device_unregister() is called (because of managed API or
intent
nvd
CVE-2023-52602 | HIGH | CVSS 7.8 | CWE-400 | v10.0 | 2024-03-06
In the Linux kernel, the following vulnerability has been resolved:
jfs: fix slab-out-of-bounds Read in dtSearch
Currently while searching for current page in the sorted entry table
of the page there is an out of bound access. Added a bound check to fix
the error.
Dave:
Set return code to -EIO
nvd
CVE-2024-26625 | HIGH | CVSS 7.8 | CWE-416 | v10.0 | 2024-03-06
In the Linux kernel, the following vulnerability has been resolved:
llc: call sock_orphan() at release time
syzbot reported an interesting trace [1] caused by a stale sk->sk_wq
pointer in a closed llc socket.
In commit ff7b11aa481f ("net: socket: set sock->sk to NULL after
calling proto_ops::release()") Eric Biggers hinted that some protocols
are m
nvd
CVE-2023-52601 | HIGH | CVSS 7.8 | CWE-129 | v10.0 | 2024-03-06
In the Linux kernel, the following vulnerability has been resolved:
jfs: fix array-index-out-of-bounds in dbAdjTree
Currently there is a bound check missing in the dbAdjTree while
accessing the dmt_stree. To add the required check added the bool is_ctl
which is required to determine the size as suggested in the following
commit.
https://lore.kernel.or
nvd
CVE-2023-52597 | MEDIUM | CVSS 4.0 | v10.0 | 2024-03-06
In the Linux kernel, the following vulnerability has been resolved:
KVM: s390: fix setting of fpc register
kvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control
(fpc) register of a guest cpu. The new value is tested for validity by
temporarily loading it into the fpc register.
This may lead to corruption of the fpc register of the host p
nvd