Alex

**Name of the Vulnerable Software and Affected Versions** rust-openssl versions 0.10.0 through 0.10.78 **Description** Incorrect output buffer sizing occurs when using AES key-wrap-with-padding ciphers (`EVP aes {128,192,256} wrap pad`). For inputs that are not a multiple of 8, OpenSSL may write up to 7 bytes beyond the end of the caller's buffer or Vec. This can lead to attacker-controllable heap corruption if the plaintext length is influenced by an attacker. This issue specifically affects the functions `CipherCtxRef::cipher update()`, `CipherCtxRef::cipher update vec()`, and `symm::Crypter::update()`. **Recommendations** Update to version 0.10.79.

**Name of the Vulnerable Software and Affected Versions** rust-openssl versions 0.9.7 through 0.10.78 **Description** The `X509Ref::ocsp responders()` function returns OCSP responder URLs from a certificate's AIA extension as `OpensslString`. The `Deref<Target = str>` implementation wraps raw bytes using `str::from utf8 unchecked`. Because OpenSSL does not enforce that the underlying IA5String is ASCII, a certificate containing non-UTF-8 bytes in its OCSP accessLocation can cause safe Rust code to construct a `&str` that violates the UTF-8 invariant, leading to undefined behavior. **Recommendations** Update to version 0.10.79.

**Name of the Vulnerable Software and Affected Versions** rust-openssl versions 0.9.27 through 0.10.77 **Description** An issue exists where `Deriver::derive()` and `PkeyCtxRef::derive()` set the `len` variable to `buf.len()` and pass it as the in/out length to `EVP PKEY derive`. When using OpenSSL 1.1.x, the X25519, X448, DH, and HKDF-extract algorithms ignore the incoming `*keylen` and unconditionally write the full shared secret. This can result in a heap or stack overflow if a caller passes a short slice. **Recommendations** Update to version 0.10.78. As a temporary workaround, restrict the use of `Deriver::derive()` and `PkeyCtxRef::derive()` when integrated with OpenSSL 1.1.x.

**Name of the Vulnerable Software and Affected Versions** rust-openssl versions 0.10.39 through 0.10.77 **Description** The `EVP DigestFinal()` function always writes `EVP MD CTX size(ctx)` to the `out` buffer. If the `out` buffer is smaller than that size, the `MdCtxRef::digest final()` function writes past its end, which typically results in stack corruption. This issue is reachable from safe Rust. **Recommendations** Update to version 0.10.78.

**Name of the Vulnerable Software and Affected Versions** rust-openssl versions 0.9.24 through 0.10.77 **Description** FFI trampolines behind the functions `set psk client callback()`, `set psk server callback()`, `set cookie generate cb()`, and `set stateless cookie generate cb()` in `SslContextBuilder` forward the user closure's returned `usize` directly to OpenSSL. This occurs without verifying the value against the `&mut [u8]` provided to the closure, which can result in buffer overflows and other unintended consequences. **Recommendations** Update to version 0.10.78.

**Name of the Vulnerable Software and Affected Versions** rust-openssl versions 0.9.0 through 0.10.77 **Description** The `* from pem callback` APIs do not validate the length returned by the user's callback. A password callback returning a value larger than the provided buffer can cause certain versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected. **Recommendations** Update to version 0.10.78.

**Name of the Vulnerable Software and Affected Versions** rust-openssl versions prior to 0.10.78 **Description** The `aes::unwrap key()` function contains an incorrect assertion regarding the output buffer size. It checks that `out.len() + 8 <= in .len()`, which is the reverse of the intended invariant `out.len() >= in .len() - 8`. Consequently, the function accepts buffers that are too small and rejects larger ones. If a buffer smaller than required is provided, the function writes past the end of `out` by `in .len() - 8 - out.len()` bytes, resulting in an out-of-bounds write from a safe public function. This can be triggered in applications using AES keywrap that allow attacker-controlled buffer sizes. **Recommendations** Update to version 0.10.78.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A null pointer dereference flaw was found in the `hugetlbfs fill super` function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A flaw was found in the Linux kernel's TUN/TAP functionality, which could allow a local user to bypass network filters and gain unauthorized access to some resources. The issue is related to the incorrect initialization of the socket UID in the `tun chr open()` and `tap open()` functions. This could potentially allow an attacker to impact data integrity or elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free flaw was found in the Linux kernel's netfilter, specifically in the way a user triggers the `nft pipapo remove` function with the element, without a `NFT SET EXT KEY END`. This issue could allow a local user to crash the system or potentially escalate their privileges on the system. The exploitation of this flaw may impact the confidentiality, integrity, and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the `init cea offsets()` function in the `/arch/x86/mm/cpu entry area.c` module of the Linux kernel's memory management subsystem. It concerns the accessibility of the per-cpu area of memory to user address space. Exploitation of this issue may allow an attacker to access protected information and potentially escalate their privileges. A feature called 'Randomize per-cpu entry area' was implemented to mitigate similar issues, but despite this, there is still a risk of per-cpu entry area leaks. This could enable a local user to gain access to important data in memory and potentially escalate their privileges on the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free flaw was found in the Linux kernel’s mm/mremap memory address space accounting source code. This issue occurs due to a race condition between `rmap` walk and `mremap()`, allowing a local user to crash the system or potentially escalate their privileges on the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality. This issue can be exploited by a remote attacker through a new kind of SYN flood attack, potentially leading to a denial of service. An attacker with a high bandwidth connection or located in the local network can increase the CPU usage of the server that accepts IPV6 connections up to 95%. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a NULL pointer dereference flaw in the `submit lookup cmds` function of the Linux kernel's drivers/gpu/drm/msm/msm gem submit.c code. This flaw occurs due to the lack of a check of the return value of `kmalloc()`. Exploitation of this issue can allow a local user to crash the system, resulting in a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A double-free flaw was found in the Linux kernel’s NTFS3 subsystem. This issue occurs when a user triggers remount and umount simultaneously, allowing a local user to crash or potentially escalate their privileges on the system. The flaw is related to a race condition due to concurrent access to a resource, which can lead to a double-free error. This can impact the confidentiality, integrity, and availability of protected information or allow an attacker to elevate their privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A memory leak flaw and potential divide by zero and Integer overflow were found in the Linux kernel V4L2 and vivid test code functionality. This issue occurs when a user triggers ioctls, such as `VIDIOC S DV TIMINGS` ioctl. The flaw is related to insufficient checking of user data. Exploitation of this issue could allow a local user to crash the system if vivid test code is enabled. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A use-after-free flaw was found in the Linux kernel's pipes functionality. This issue arises from the manipulation of the pipe after the `free pipe info()` function has been called, specifically with the `post one notification()` function. The flaw allows a local user to crash or potentially escalate their privileges on the system. Exploitation of this flaw may enable an attacker to gain elevated privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apple tvOS versions prior to 15.4 Apple iOS versions prior to 15.4 Apple iPadOS versions prior to 15.4 Apple macOS Big Sur versions prior to 11.6.5 Apple macOS Catalina versions prior to Security Update 2022-003 Apple watchOS versions prior to 8.5 Apple macOS Monterey versions prior to 12.3 **Description** An out-of-bounds write issue was addressed with improved bounds checking, which may allow an application to execute arbitrary code with kernel privileges. **Recommendations** For tvOS versions prior to 15.4, update to tvOS 15.4 or later. For iOS versions prior to 15.4, update to iOS 15.4 or later. For iPadOS versions prior to 15.4, update to iPadOS 15.4 or later. For macOS Big Sur versions prior to 11.6.5, update to macOS Big Sur 11.6.5 or later. For macOS Catalina versions prior to Security Update 2022-003, apply Security Update 2022-003 or later. For watchOS versions prior to 8.5, update to watchOS 8.5 or later. For macOS Monterey versions prior to 12.3, update to macOS Monterey 12.3 or later.

**Name of the Vulnerable Software and Affected Versions** Twisted (affected versions not specified) **Description** The issue is related to the exposure of cookies and authorization headers when following cross-origin redirects. This problem is present in the `twisted.web.RedirectAgent` and `twisted.web.BrowserLikeRedirectAgent` functions. The vulnerability allows a remote attacker to access confidential data. **Recommendations** As a temporary workaround, consider disabling the `twisted.web.RedirectAgent` and `twisted.web.BrowserLikeRedirectAgent` functions until a patch is available. Users are advised to upgrade to a newer version to resolve the issue. At the moment, there is no information about a specific newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.17-rc1 **Description** The issue is related to a NULL pointer dereference flaw in the Linux kernel's BPF subsystem, specifically in the way a user triggers the `map get next key` function of the BPF bloom filter. This flaw allows a local user to crash the system. **Recommendations** For Linux kernel versions prior to 5.17-rc1, update to version 5.17-rc1 or later to resolve the issue. As a temporary workaround, consider restricting access to the BPF subsystem to minimize the risk of exploitation.