Zhutyra

**Name of the Vulnerable Software and Affected Versions** Redis versions 8.2.1 and below **Description** Redis, an in-memory database, has an issue where an authenticated user can use a crafted Lua script to manipulate LUA objects and potentially execute code in another user's context. This affects all versions of Redis with LUA scripting enabled. To mitigate the problem without patching, users can prevent the execution of LUA scripts. **Recommendations** Prevent users from executing LUA scripts using Access Control Lists (ACLs) to block the `EVAL` and `FUNCTION` command families.

Name of the Vulnerable Software and Affected Versions: dpkg (affected versions not specified) Description: A issue was found in dpkg where it does not properly sanitize directory permissions when extracting a control member into a temporary directory. This may lead to temporary files being left behind on cleanup. If dpkg-deb commands are executed automatically and repeatedly on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, it can cause a DoS scenario due to disk quota exhaustion or disk full conditions. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Redis versions 8.2.1 and below Linux kernel versions (affected versions not specified) **Description** Redis, an in-memory database, is susceptible to a vulnerability where an authenticated user can execute a specially crafted Lua script to read out-of-bounds data or cause a server crash, leading to a denial of service. This issue affects all Redis versions that support Lua scripting. The vulnerability is resolved in Redis version 8.2.2. Additionally, a separate issue exists in the Linux kernel related to a NULL pointer dereference within the drm/amdgpu components. Exploitation of this kernel issue could lead to a denial of service. **Recommendations** Redis versions 8.2.1 and below: Upgrade to version 8.2.2 or later. As a workaround, prevent users from executing Lua scripts by restricting the `EVAL` and `FUNCTION` command families using ACL. Linux kernel (affected versions not specified): At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Artifex Ghostscript versions prior to 10.03.1 **Description** The issue is related to path reduction in the base/gpmisc.c file of Ghostscript, allowing for path traversal and command execution via a crafted PostScript document. This can lead to restrictions on the use of %pipe% being bypassed, potentially enabling arbitrary code execution. The vulnerability is caused by incorrect input validation, which could allow a remote attacker to execute arbitrary code. **Recommendations** For versions prior to 10.03.1, update to version 10.03.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the %pipe% command in PostScript documents to minimize the risk of exploitation. Avoid using the `output filename` parameter with crafted filenames, such as aa/../%pipe%command#, until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Redis versions prior to 8.2.2 Valkey versions prior to 8.1.1+dfsg1-3+deb13u1 Redis versions 5:7.0.15-1~deb12u6 and prior (bookworm distribution) Redis versions 5:8.0.2-3+deb13u1 and prior (trixie distribution) **Description** Redis and Valkey are vulnerable to an integer overflow in the Lua scripting engine. An authenticated user can exploit this vulnerability by submitting a specially crafted Lua script, potentially leading to remote code execution. The issue exists in all versions of Redis with Lua scripting enabled. **Recommendations** - Upgrade Redis to version 8.2.2 or later. - Upgrade Valkey to version 8.1.1+dfsg1-3+deb13u1 or later. - For Debian bookworm distribution, upgrade Redis to version 5:7.0.15-1~deb12u6 or later. - For Debian trixie distribution, upgrade Redis to version 5:8.0.2-3+deb13u1 or later.

Name of the Vulnerable Software and Affected Versions: Ghostscript versions prior to 10.03.1 Description: The issue exists due to insufficient input validation in the contrib/opvp/gdevopvp.c component of the Ghostscript interpreter. This can be exploited by a remote attacker using a specially crafted PostScript file, potentially allowing arbitrary code execution. The vulnerability is related to the Driver parameter for opvp devices, which can have an arbitrary name for a dynamic library, and this library is then loaded. Recommendations: For Ghostscript versions prior to 10.03.1, update to version 10.03.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of custom Driver libraries for opvp devices to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Artifex Ghostscript versions prior to 10.03.1 Description: The issue is related to errors in handling relative path to directory in the Ghostscript software, which can allow a remote attacker to execute arbitrary code using a specially crafted PostScript file. This is achieved through path traversal, where a crafted PostScript document can access arbitrary files if the current directory is in the permitted paths. For example, a transformation of ../../foo to ./../../foo can grant access if ./ is permitted. Recommendations: For Artifex Ghostscript versions prior to 10.03.1, update to version 10.03.1 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive directories and files to minimize the risk of exploitation. Avoid processing untrusted or malformed PostScript documents until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GitLab EE/CE versions prior to 16.3.6 GitLab EE/CE versions 16.4.0 through 16.4.1 GitLab EE/CE versions 16.5.0 **Description** An issue has been discovered in GitLab EE/CE that allows attackers to block the Sidekiq job processor. **Recommendations** For versions prior to 16.3.6, update to version 16.3.6 or later. For versions 16.4.0 through 16.4.1, update to version 16.4.2 or later. For version 16.5.0, update to version 16.5.1 or later.