Dan Williams

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A deadlock scenario has been identified in the Linux kernel related to nvdimm (non-volatile dual in-line memory module) firmware activation. The issue arises from the locking mechanism used to protect against unregistration and simultaneous operations. Specifically, the `nvdimm bus lock()` is held over `hibernate quiet exec()`, which walks the system device topology and takes `device lock()` along the way. This can lead to a deadlock scenario involving the `system transition mutex` and `reconfig mutex`. Another deadlock scenario involves the `acpi scan lock` and `cxl root key`. The issue stems from redundant lock usage, which can be deleted to prevent the deadlock. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NetworkManager versions 0.7.0 through 0.7.2 NetworkManager-gnome version 0.7.0 NetworkManager-glib version 0.7.0 NetworkManager-glib-devel version 0.7.0 NetworkManager-devel version 0.7.0 **Description** The issue affects the NetworkManager package, allowing remote attackers to exploit vulnerabilities and potentially disrupt the confidentiality, integrity, and availability of protected information. This can be achieved by spoofing the identity of a wireless network, particularly in WPA Enterprise or 802.1x networks, if the configured Certification Authority (CA) certificate file is not properly ensured to remain present upon a connection attempt. **Recommendations** For NetworkManager versions 0.7.0 through 0.7.2, consider updating to a version where the Certification Authority (CA) certificate file remains present upon a connection attempt to prevent spoofing. For NetworkManager-gnome version 0.7.0, restrict access to sensitive information until a patch is available. For NetworkManager-glib version 0.7.0, avoid using the vulnerable package until an update is provided. For NetworkManager-glib-devel version 0.7.0, disable the development package until a secure version is released. For NetworkManager-devel version 0.7.0, refrain from using the development package until a fix is available.

**Name of the Vulnerable Software and Affected Versions** NetworkManager-gnome version 0.7.0 NetworkManager version 0.7.0 NetworkManager-glib-devel version 0.7.0 NetworkManager-glib version 0.7.0 NetworkManager-devel version 0.7.0 **Description** The issue concerns multiple vulnerabilities in the NetworkManager package, which can lead to a breach of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. Specifically, the nm-connection-editor in NetworkManager exports connection objects over D-Bus when actions are performed in the connection editor GUI, allowing local users to obtain sensitive information by reading D-Bus signals. For example, an attacker could use dbus-monitor to discover the password for a WiFi network. **Recommendations** For NetworkManager-gnome version 0.7.0, consider disabling the nm-connection-editor feature until a patch is available. For NetworkManager version 0.7.0, restrict access to the D-Bus interface to minimize the risk of exploitation. For NetworkManager-glib-devel version 0.7.0, avoid using the D-Bus signals in the affected API endpoints until the issue is resolved. For NetworkManager-glib version 0.7.0, consider disabling the `nm-connection-editor` function until a patch is available. For NetworkManager-devel version 0.7.0, restrict access to the vulnerable module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.