Debian Linux vulnerabilities
9,911 known vulnerabilities affecting debian/debian_linux.
Total CVEs: 9,911
CISA KEV: 119 (actively exploited)
Public exploits: 429
Exploited in wild: 132
Severity breakdown: CRITICAL 1128, HIGH 4110, MEDIUM 4311, LOW 362
Vulnerabilities
CVE-2023-42464 [CRITICAL] | CVSS 9.8 | v10.0 v11.0 | 2023-09-20
A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. When parsing Spotlight RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the underlying protocol. Due to a lack of type checking in
nvd
CVE-2023-4236 [HIGH] CWE-617 | CVSS 7.5 | v10.0 v11.0 | 2023-09-20
A flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load.
This issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1.
nvd
CVE-2023-3341 [HIGH] CWE-787 | CVSS 7.5 | v10.0 v11.0 | 2023-09-20
The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each i
nvd
CVE-2023-41900 [MEDIUM] CWE-1390 | CVSS 4.3 | v11.0 v12.0 | 2023-09-15
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as auth
nvd
CVE-2023-40167 [MEDIUM] CWE-130 | CVSS 5.3 | v10.0 v11.0 +1 more | 2023-09-15
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scena
nvd
CVE-2023-36479 [LOW] CWE-149 | CVSS 3.1 | v10.0 v11.0 +1 more | 2023-09-15
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quota
nvd
CVE-2023-4921 [HIGH] CWE-416 | CVSS 7.8 | v10.0 | 2023-09-12
A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.
When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue().
W
nvd
CVE-2023-4863 [HIGH] CWE-787 | CVSS 8.8 | KEV | v10.0 v11.0 +1 more | 2023-09-12
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
nvd
CVE-2023-4901 [MEDIUM] | CVSS 4.3 | v11.0 v12.0 | 2023-09-12
Inappropriate implementation in Prompts in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to potentially spoof security UI via a crafted HTML page. (Chromium security severity: Medium)
nvd
CVE-2023-4902 [MEDIUM] | CVSS 4.3 | v11.0 v12.0 | 2023-09-12
Inappropriate implementation in Input in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Medium)
nvd
CVE-2023-4905 [MEDIUM] | CVSS 4.3 | v11.0 v12.0 | 2023-09-12
Inappropriate implementation in Prompts in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Medium)
nvd
CVE-2023-4900 [MEDIUM] | CVSS 4.3 | v11.0 v12.0 | 2023-09-12
Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 117.0.5938.62 allowed a remote attacker to obfuscate a permission prompt via a crafted HTML page. (Chromium security severity: Medium)
nvd
CVE-2023-4908 [MEDIUM] | CVSS 4.3 | v11.0 v12.0 | 2023-09-12
Inappropriate implementation in Picture in Picture in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Low)
nvd
CVE-2023-4906 [MEDIUM] | CVSS 4.3 | v11.0 v12.0 | 2023-09-12
Insufficient policy enforcement in Autofill in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to bypass Autofill restrictions via a crafted HTML page. (Chromium security severity: Low)
nvd
CVE-2023-4909 [MEDIUM] | CVSS 4.3 | v11.0 v12.0 | 2023-09-12
Inappropriate implementation in Interstitials in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Low)
nvd
CVE-2023-4904 [MEDIUM] | CVSS 4.3 | v11.0 v12.0 | 2023-09-12
Insufficient policy enforcement in Downloads in Google Chrome prior to 117.0.5938.62 allowed a remote attacker to bypass Enterprise policy restrictions via a crafted download. (Chromium security severity: Medium)
nvd
CVE-2023-4903 [MEDIUM] | CVSS 4.3 | v11.0 v12.0 | 2023-09-12
Inappropriate implementation in Custom Mobile Tabs in Google Chrome on Android prior to 117.0.5938.62 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severity: Medium)
nvd
CVE-2023-4907 [MEDIUM] | CVSS 4.3 | v11.0 v12.0 | 2023-09-12
Inappropriate implementation in Intents in Google Chrome on Android prior to 117.0.5938.62 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Low)
nvd
CVE-2023-41915 [HIGH] CWE-362 | CVSS 8.1 | v10.0 v12.0 | 2023-09-09
OpenPMIx PMIx before 4.2.6 and 5.0.x before 5.0.1 allows attackers to obtain ownership of arbitrary files via a race condition during execution of library code with UID 0.
nvd
CVE-2023-4875 [MEDIUM] CWE-475 | CVSS 5.7 | v10.0 v11.0 +1 more | 2023-09-09
Null pointer dereference when composing from a specially crafted draft message in Mutt >1.5.2 <2.2.12
nvd