Evgeny Sidorov

**Name of the Vulnerable Software and Affected Versions** ClickHouse MySQL client versions prior to 1.1.54390 **Description** The issue concerns the "LOAD DATA LOCAL INFILE" functionality in the ClickHouse MySQL client, which was enabled and allowed a malicious MySQL database to read arbitrary files from the connected ClickHouse server. **Recommendations** For versions prior to 1.1.54390, update to version 1.1.54390 or later to resolve the issue. As a temporary workaround, consider disabling the "LOAD DATA LOCAL INFILE" functionality until a patch is available. Restrict access to sensitive files on the ClickHouse server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ClickHouse versions prior to 18.10.3 **Description** The issue allows for Remote Code Execution due to unixODBC loading arbitrary shared objects from the file system. **Recommendations** For versions prior to 18.10.3, update to version 18.10.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple iOS versions prior to 9.3.3 Apple OS X versions prior to 10.11.6 Apple tvOS versions prior to 9.2.2 Apple watchOS versions prior to 2.2.2 **Description** The issue is caused by a buffer overflow in the ImageIO component, allowing remote attackers to cause a denial of service (memory consumption) via unspecified vectors. **Recommendations** For Apple iOS versions prior to 9.3.3, update to version 9.3.3 or later. For Apple OS X versions prior to 10.11.6, update to version 10.11.6 or later. For Apple tvOS versions prior to 9.2.2, update to version 9.2.2 or later. For Apple watchOS versions prior to 2.2.2, update to version 2.2.2 or later.

**Name of the Vulnerable Software and Affected Versions** libcrypt++ version 5.6.2 **Description** The issue concerns the InvertibleRWFunction::CalculateInverse function in libcrypt++, which fails to properly blind private key operations for the Rabin-Williams digital signature algorithm. This oversight allows remote attackers to obtain private keys via a timing attack. **Recommendations** For libcrypt++ version 5.6.2, consider disabling the `InvertibleRWFunction::CalculateInverse` function until a patch is available to prevent potential exploitation. Restrict access to private key operations to minimize the risk of obtaining private keys through a timing attack. At the moment, there is no information about a newer version that contains a fix for this vulnerability.