Philippe Antoine

Name of the Vulnerable Software and Affected Versions Suricata (affected versions not specified) Description Security issues have been resolved in the libsuricata8 0 4-8.0.4-1.1 package on openSUSE Tumbleweed. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.25.5 **Description** The software contains a flaw in the error handling mechanism within the `HostnameError.Error()` function. Specifically, there is no restriction on the number of hosts printed when constructing an error string. This, combined with repeated string concatenation during error string creation, results in quadratic runtime complexity. A malicious actor providing a crafted certificate can exploit this to cause excessive resource consumption. **Recommendations** Update to Go version 1.25.5 or later.

**Name of the Vulnerable Software and Affected Versions** Suricata versions prior to 8.0.1 **Description** Suricata, a network IDS, IPS and NSM engine, experiences a segmentation fault when processing decoded subjectaltnames containing a NULL byte. This occurs due to the use of the `tls.subjectaltname` keyword in version 8.0.0. Disabling rules that utilize the `tls.subjectaltname` keyword can serve as a temporary workaround. **Recommendations** Update to Suricata version 8.0.1 or later. Disable rules using the `tls.subjectaltname` keyword.

**Name of the Vulnerable Software and Affected Versions** Go crypto/x509 library (affected versions not specified) **Description** The issue is related to the incorrect handling of syntactically incorrect structures by the ParsePKCS1PrivateKey function in the Go crypto/x509 library. This could allow a remote attacker to gain unauthorized access to protected information when parsing a RSA key that is missing the CRT values, causing the function to panic when verifying that the key is well formed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libssh (affected versions not specified) **Description** A flaw exists in libssh, a library implementing the SSH protocol. During the key exchange (KEX) process, an allocation failure within cryptographic functions can result in a NULL pointer dereference, potentially causing the client or server to crash. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** golang versions 1.15 golang versions 1.19 **Description** The `ParseAddress` function in the net/mail package experiences excessive CPU consumption. **Recommendations** Update to a newer version of golang that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Suricata versions prior to 7.0.7 Description: The issue affects Suricata, a network Intrusion Detection System, Intrusion Prevention System, and Network Security Monitoring engine. It occurs when rules using datasets with the non-functional "unset" option are used, potentially triggering an assertion during traffic parsing and leading to denial of service. Recommendations: For versions prior to 7.0.7, update to version 7.0.7 to resolve the issue. As a temporary workaround, use only trusted and well-tested rulesets.

Name of the Vulnerable Software and Affected Versions: LibHTP versions prior to 0.5.49 Description: The issue concerns unbounded processing of HTTP request and response headers, which can lead to excessive CPU time and memory utilization, resulting in extreme slowdowns. This is a problem with the LibHTP parser, which focuses on security for the HTTP protocol. Recommendations: For versions prior to 0.5.49, update to version 0.5.49 to address the issue of excessive CPU usage due to unbounded processing of HTTP headers.

**Name of the Vulnerable Software and Affected Versions** Suricata versions prior to 7.0.6 **Description** Suricata is a network Intrusion Detection System, Intrusion Prevention System, and Network Security Monitoring engine. Crafted modbus traffic can lead to unlimited resource accumulation within a flow. **Recommendations** For versions prior to 7.0.6, upgrade to 7.0.6 to resolve the issue. As a temporary workaround, consider setting a limited `stream.reassembly.depth` to reduce the issue.

**Name of the Vulnerable Software and Affected Versions** Zabbix Agent 2 (affected versions not specified) **Description** The issue is related to the Zabbix Agent 2 item key `smart.disk.get` not sanitizing its parameters before passing them to a shell command, which could lead to remote code execution. This vulnerability may allow a remote attacker to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zabbix (affected versions not specified) **Description** The issue is related to errors in processing input data in the icmpping function of the Zabbix monitoring system. This can allow a remote attacker to execute arbitrary code. An attacker with privileges to configure Zabbix items can use the icmpping() function with an additional malicious command to achieve this. The estimated number of potentially affected devices and details about real-world incidents are not provided. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DNS server (affected versions not specified) **Description** The issue is caused by an improper check for RDLENGTH overflow in the buffer in response from the DNS server. This can lead to a buffer overflow. The vulnerability is related to insufficient checking of exceptional states in the DNS Response Handler component. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Golang (affected versions not specified) **Description** The issue is related to excessive CPU consumption during decoding. A maliciously-crafted image, specifically a tiled image with a height of 0 and a very large width, can cause this excessive consumption. This can happen despite the image size appearing to be zero, as the width and height calculation (width * height) would result in zero. This could allow a remote attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Golang (affected versions not specified) TIFF decoder (affected versions not specified) **Description** The issue is related to the decoding of large amounts of compressed data, which can consume excessive memory and CPU. A maliciously-crafted image can exploit this to cause a small image to make the decoder decode large amounts of compressed data. This can lead to a denial of service. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Golang, consider restricting the use of the TIFF decoder until a patch is available. For the TIFF decoder, as a temporary workaround, consider limiting the size of compressed tile data to prevent excessive memory and CPU consumption. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Go (affected versions not specified) **Description** The issue is related to the Parse function in the Go programming language, which can cause an infinite loop due to integer overflow when processing Go source code containing //line directives with very large line numbers. This can potentially allow a remote attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The issue is related to a maliciously crafted HTTP/2 stream that could cause excessive CPU consumption in the HPACK decoder, leading to a denial of service. This can be achieved with a small number of small requests. The vulnerability is associated with uncontrolled resource consumption. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Golang DecodeConfig (affected versions not specified) **Description** The issue is related to an uncontrolled resource consumption in the DecodeConfig component of the Golang programming language. An attacker can craft a malformed TIFF image, which, when passed to DecodeConfig, will consume a significant amount of memory. This could lead to a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 7.1.x and earlier **Description** The issue arises when a specifically crafted GIF file is uploaded while drafting a post, allowing authenticated users to cause resource exhaustion during file processing. This results in a server-side Denial of Service. **Recommendations** For Mattermost versions 7.1.x and earlier, update to a version that includes a fix for this issue to prevent resource exhaustion and Denial of Service attacks. As a temporary workaround, consider restricting the upload of GIF files while drafting posts until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 7.0.x and earlier **Description** The issue allows authenticated users to cause resource exhaustion on specific system configurations, resulting in server-side Denial of Service, due to insufficient limitation of the in-memory sizes of concurrently uploaded JPEG images. **Recommendations** For Mattermost versions 7.0.x and earlier, consider restricting the upload of JPEG images or limiting the concurrent upload capability to prevent resource exhaustion until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Go versions prior to 1.14.14 Go versions 1.15.x prior to 1.15.7 **Description** The issue is related to incorrect calculations in the crypto/elliptic/p224.go file of the Go programming language. This can allow a remote attacker to disclose protected information and impact the integrity of protected information. The problem is associated with an underflow of the lowest limb during the final complete reduction in the P-224 field, which can result in the generation of incorrect outputs, including returning invalid points from ScalarMult. **Recommendations** For Go versions prior to 1.14.14, update to version 1.14.14 or later. For Go versions 1.15.x prior to 1.15.7, update to version 1.15.7 or later.