Jbo

**Name of the Vulnerable Software and Affected Versions** GNU GRUB (aka GRUB2) versions 2.12 and earlier **Description** The issue is related to the use of a non-constant time algorithm for `grub crypto memcmp`, which allows side-channel attacks. This means that an attacker could potentially exploit the difference in time it takes for the comparison to occur, gaining unauthorized access to sensitive information. **Recommendations** For GNU GRUB (aka GRUB2) versions 2.12 and earlier, consider updating to a version that utilizes a constant-time algorithm for `grub crypto memcmp` to prevent side-channel attacks. As a temporary workaround, restrict access to sensitive information that could be exploited through side-channel attacks until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GNU GRUB (aka GRUB2) versions through 2.12 **Description** The issue is a heap-based buffer overflow in fs/hfs.c via crafted sblock data in an HFS filesystem. This can allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability is related to the HFS File System Handler component of the GRUB2 bootloader. **Recommendations** As a temporary workaround, consider disabling the `fs/hfs.c` module until a patch is available. Restrict access to HFS filesystems to minimize the risk of exploitation. Avoid using crafted sblock data in HFS filesystems until the issue is resolved. Update to a version later than 2.12 once it is available.

**Name of the Vulnerable Software and Affected Versions** ncurses versions prior to 6.4 20230408 **Description** The issue is related to security-relevant memory corruption via malformed data in a terminfo database file. This can be triggered by local users when the software is used by a setuid application. The corruption can occur when the software accesses files found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variables. The vulnerability may allow an attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For ncurses versions prior to 6.4 20230408, update to version 6.4 20230408 or later to resolve the issue. As a temporary workaround, consider restricting access to the terminfo database files and environment variables TERMINFO and TERM to minimize the risk of exploitation. Avoid using malformed data in the terminfo database files until the issue is resolved.