Vincent

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to an off-by-one error in the `build prologue()` function when running BPF programs with tailcalls on LoongArch, causing a kernel hard lockup. The problem arises from the JIT compiling process, where the first pass sets flags and the second pass generates JIT code based on those flags. When BPF programs mix `bpf2bpf` and tailcalls, `build prologue()` generates a different number of instructions in the two passes, leading to an incorrect `epilogue offset` and causing the lockup. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Airflow versions 2.8.0 through 2.8.2 **Description** The issue is related to insufficient access control in Apache Airflow, allowing an authenticated user with limited permissions to access resources such as variables, connections, etc. from the UI, which they do not have permission to access. This could potentially allow a remote attacker to gain unauthorized access to resources. **Recommendations** For Apache Airflow versions 2.8.0 through 2.8.2, upgrade to version 2.8.3 or newer to mitigate the risk associated with this issue.

**Name of the Vulnerable Software and Affected Versions** Moodle versions (affected versions not specified) **Description** A limited SQL injection risk was identified in the "browse list of users" site administration page. The vulnerability is related to insufficient cleaning of user data on this page. Exploitation of the vulnerability may allow a remote attacker to execute arbitrary SQL commands by sending a specially crafted request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ftp-srv versions prior to 2.19.6 ftp-srv versions prior to 3.1.2 ftp-srv versions prior to 4.3.4 **Description** The issue allows for Server-Side Request Forgery due to the PORT command permitting arbitrary IPs, which can cause the server to make a connection elsewhere. This is possible because the FTP protocol creates two connections, one for commands and one for transferring data, and the PORT command sends the IP and port for the server to connect to the client with. Since the client can send an arbitrary IP with the PORT command, this can be used to cause the server to make a connection elsewhere. **Recommendations** For versions prior to 2.19.6, update to version 2.19.6 or later. For versions prior to 3.1.2, update to version 3.1.2 or later. For versions prior to 4.3.4, update to version 4.3.4 or later. As a temporary workaround, consider blacklisting the FTP Command `PORT` to prevent the server from exposing this behavior through active connections until a fix is applied. This can be done by configuring the ftp-srv with a blacklist, for example: ```js const ftp = new FtpSrv({ blacklist: ['PORT'] }); ```