Msrc Cbl Mariner 2.0 Arm vulnerabilities
1,677 known vulnerabilities affecting msrc/cbl_mariner_2.0_arm.
Total CVEs: 1,677
CISA KEV: 8 (actively exploited)
Public exploits: 16
Exploited in wild: 8
Severity breakdown: CRITICAL 92, HIGH 705, MEDIUM 842, LOW 38
Vulnerabilities
Page 54 of 84
CVE-2023-1249 MEDIUM CVSS 5.5 2023-03-14
CVE-2023-1249 [MEDIUM] CWE-416
A use-after-free flaw was found in the Linux kernel’s core dump subsystem. This flaw allows a local user to crash the system. Only if patch 390031c94211 ("coredump: Use the vma snapshot in fill_files_note") not applied yet then kernel could be affected.
FAQ: Is Azure
msrc
CVE-2023-27535 MEDIUM CVSS 5.9 2023-03-14
CVE-2023-27535 [MEDIUM] CWE-287
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created conn
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azur
msrc
CVE-2023-23000 MEDIUM CVSS 5.5 2023-03-14
CVE-2023-23000 [MEDIUM] CWE-476
In the Linux kernel before 5.17 drivers/phy/tegra/xusb.c mishandles the tegra_xusb_find_port_node return value. Callers expect NULL in the error case but an error pointer is used.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore pote
msrc
CVE-2023-27478 MEDIUM CVSS 6.5 2023-03-14
CVE-2023-27478 [MEDIUM] CWE-200
Disclosure of unrelated data in libmemcached-awesome
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the d
msrc
CVE-2023-0465 MEDIUM CVSS 5.3 2023-03-14
CVE-2023-0465 [MEDIUM] CWE-295
Invalid certificate policies in leaf certificates are silently ignored
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the ope
msrc
CVE-2023-23005 MEDIUM CVSS 5.5 2023-03-14
CVE-2023-23005 [MEDIUM] CWE-476
In the Linux kernel before 6.2 mm/memory-tiers.c misinterprets the alloc_memory_type return value (expects it to be NULL in the error case whereas it is actually an error pointer). NOTE: this is disputed by third parties because there are no realistic cases in which
msrc
CVE-2023-27537 MEDIUM CVSS 5.9 2023-03-14
CVE-2023-27537 [MEDIUM] CWE-415
A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads b
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux dis
msrc
CVE-2023-27477 MEDIUM CVSS 4.3 2023-03-14
CVE-2023-27477 [LOW] CWE-193
wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's code generation backend Cranelift has a bug on x86_64 platforms for the WebAssembly `i8x16.select` instruction which will produce the wrong results when the same operand is provided to the instruction and
msrc
CVE-2023-25809 MEDIUM CVSS 6.3 2023-03-14
CVE-2023-25809 [MEDIUM] CWE-281
rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions
msrc
CVE-2023-0590 MEDIUM CVSS 4.7 2023-03-14
CVE-2023-0590 [MEDIUM] CWE-416
A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 ("net: sched: fix race condition in qdisc_graft()") not applied yet then kernel could b
msrc
CVE-2023-1079 MEDIUM CVSS 6.8 2023-03-14
CVE-2023-1079 [MEDIUM] CWE-416
A flaw was found in the Linux kernel. A use-after-free may be triggered in asus_kbd_backlight_set when plugging/disconnecting in a malicious USB device which advertises itself as an Asus device. Similarly to the previous known CVE-2023-25012 but in asus devices the wo
msrc
CVE-2022-3854 MEDIUM CVSS 6.5 2023-03-14
CVE-2022-3854 [MEDIUM] CWE-177
A flaw was found in Ceph relating to the URL processing on RGW backends. An attacker can exploit the URL processing by providing a null URL to crash the RGW causing a denial of service.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is the
msrc
CVE-2023-27536 MEDIUM CVSS 5.9 2023-03-14
CVE-2023-27536 [MEDIUM] CWE-287
An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to chec
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure L
msrc
CVE-2023-0466 MEDIUM CVSS 5.3 2023-03-14
CVE-2023-0466 [MEDIUM] CWE-295
Certificate policy check not enabled
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is c
msrc
CVE-2023-1513 LOW CVSS 3.3 2023-03-14
CVE-2023-1513 [LOW] CWE-665
A flaw was found in KVM. When calling the KVM_GET_DEBUGREGS ioctl on 32-bit systems there might be some uninitialized portions of the kvm_debugregs structure that could be copied to userspace causing an information leak.
FAQ: Is Azure Linux the only Microsoft product th
msrc
CVE-2022-41862 LOW CVSS 3.7 2023-03-14
CVE-2022-41862 [LOW] CWE-200
In PostgreSQL a modified unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.
F
msrc
CVE-2023-23914 CRITICAL CVSS 9.1 2023-02-14
CVE-2023-23914 [CRITICAL] CWE-319
A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support curl
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers wh
msrc
CVE-2023-20032 CRITICAL CVSS 9.8 2023-02-14
CVE-2023-20032 [CRITICAL] CWE-787
On Feb 15 2023 the following vulnerability in the ClamAV scanning library was disclosed:
A vulnerability in the HFS+ partition file parser of ClamAV versions 1.0.0 and earlier 0.105.1 and earlier and 0.103.7 and earlier could allow an unauthenticated remote atta
msrc
CVE-2022-48337 CRITICAL CVSS 9.8 2023-02-14
CVE-2022-48337 [CRITICAL] CWE-78
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example a victim may use the "etags -u *
msrc
CVE-2021-33391 CRITICAL CVSS 9.8 2023-02-14
CVE-2021-33391 [CRITICAL] CWE-416
An issue in HTACG HTML Tidy v5.7.28 allows attacker to execute arbitrary code via the -g option of the CleanNode() function in gdoc.c.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who ch
msrc