docs: 8-27-24 cve updates #3725
Conversation
frederickjoi
requested review from
karl-cardenas-coding,
lennessyy and
caroldelwing
✅ Deploy Preview for docs-spectrocloud ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
|
|
||
| ## Last Update | ||
|
|
||
| 8/27/2024 |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '8/27/2024'.
|
|
||
| ## NIST CVE Summary | ||
|
|
||
| A vulnerability was found in libyaml up to 0.2.5. Affected by this issue is the function yaml_event_delete of the file /src/libyaml/src/api.c. The manipulation leads to a double-free. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'libyaml'?
|
|
||
| ## NIST CVE Summary | ||
|
|
||
| A vulnerability was found in libyaml up to 0.2.5. Affected by this issue is the function yaml_event_delete of the file /src/libyaml/src/api.c. The manipulation leads to a double-free. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'yaml_event_delete'?
|
|
||
| ## Our Official Summary | ||
|
|
||
| Waiting on a fix from third party mongodb vendor. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'mongodb'?
|
|
||
| ## Revision History | ||
|
|
||
| - 1.0 08/27/2024 Initial Publication |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '08/27/2024'.
|
|
||
| ## NIST CVE Summary | ||
|
|
||
| Libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'exploting'?
|
|
||
| ## Our Official Summary | ||
|
|
||
| Spectro Cloud Offcial Summary coming soon. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Offcial'?
|
|
||
| ## Our Official Summary | ||
|
|
||
| Spectro Cloud Offcial Summary coming soon. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[spectrocloud-docs-internal.future] Avoid documenting features that are not available at present. You mentioned 'coming soon'.
|
|
||
| ## Revision History | ||
|
|
||
| - 1.0 08/27/2024 Initial Publication |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '08/27/2024'.
| ## Revision History | ||
|
|
||
| - 1.0 08/27/2024 Initial Publication | ||
| - 2.0 08/27/2024 Added Palette VerteX 4.4.14 to Affected Products |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '08/27/2024'.
| @@ -78,3 +78,5 @@ Click on the CVE ID to view the full details of the vulnerability. | |||
| | [CVE-2019-9192](./cve-2019-9192.md) | 08/16/24 | 08/16/24 | Palette 4.4.14 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9192) | :mag: Ongoing | | |||
| | [CVE-2018-20796](./cve-2018-20796.md) | 08/16/24 | 08/16/24 | Palette 4.4.14 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20796) | :mag: Ongoing | | |||
| | [GHSA-74fp-r6jw-h4mp](./ghsa-74fp-r6jw-h4mp.md) | 10/25/23 | 10/25/23 | Palette 4.4.11 & 4.4.14 | Third-party component: Kubernetes API | [7.5](https://github.com/advisories/GHSA-74fp-r6jw-h4mp) | :mag: Ongoing | | |||
| | [CVE-2024-35325](./cve-2024-35325.md) | 08/27/24 | 08/27/24 | Palette 4.4.14 | Third-party component: Libyaml | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-35325) | :mag: Ongoing | | |||
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Libyaml'?
| @@ -78,3 +78,5 @@ Click on the CVE ID to view the full details of the vulnerability. | |||
| | [CVE-2019-9192](./cve-2019-9192.md) | 08/16/24 | 08/16/24 | Palette 4.4.14 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2019-9192) | :mag: Ongoing | | |||
| | [CVE-2018-20796](./cve-2018-20796.md) | 08/16/24 | 08/16/24 | Palette 4.4.14 | Third-party component: GNU C Library | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2018-20796) | :mag: Ongoing | | |||
| | [GHSA-74fp-r6jw-h4mp](./ghsa-74fp-r6jw-h4mp.md) | 10/25/23 | 10/25/23 | Palette 4.4.11 & 4.4.14 | Third-party component: Kubernetes API | [7.5](https://github.com/advisories/GHSA-74fp-r6jw-h4mp) | :mag: Ongoing | | |||
| | [CVE-2024-35325](./cve-2024-35325.md) | 08/27/24 | 08/27/24 | Palette 4.4.14 | Third-party component: Libyaml | [9.8](https://nvd.nist.gov/vuln/detail/CVE-2024-35325) | :mag: Ongoing | | |||
| | [CVE-2024-6197](./cve-2024-6197.md) | 08/27/24 | 08/27/24 | Palette 4.4.14 | Third-party component: Libcurl | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2024-6197) | :mag: Ongoing | | |||
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Libcurl'?
|
|
||
| ## NIST CVE Summary | ||
|
|
||
| A vulnerability was found in libyaml up to 0.2.5. Affected by this issue is the function yaml_event_delete of the file |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'libyaml'?
|
|
||
| ## NIST CVE Summary | ||
|
|
||
| A vulnerability was found in libyaml up to 0.2.5. Affected by this issue is the function yaml_event_delete of the file |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'yaml_event_delete'?
|
|
||
| ## NIST CVE Summary | ||
|
|
||
| Libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Libcurl's'?
|
|
||
| ## NIST CVE Summary | ||
|
|
||
| Libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Google.Ordinal] Spell out all ordinal numbers ('1st') in text.
|
|
||
| ## NIST CVE Summary | ||
|
|
||
| Libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Itcan'?
| ## NIST CVE Summary | ||
|
|
||
| Libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid | ||
| field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'localstack'?
|
|
||
| Libcurl's ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid | ||
| field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern | ||
| malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'malloc'?
| malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that | ||
| memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the | ||
| overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely | ||
| outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'exploting'?
|
🎉 This issue has been resolved in version 4.4.13 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
Describe the Change
8-27-24 cve updates
This PR ....
Changed Pages
💻 Add Preview URL for Page
Jira Tickets
🎫 Jira Ticket
Backports
Can this PR be backported?