9-5-24 cve updates #3810
9-5-24 cve updates #3810
Conversation
frederickjoi
requested review from
karl-cardenas-coding,
addetz and
caroldelwing
✅ Deploy Preview for docs-spectrocloud ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit
vale
docs/docs-content/security-bulletins/reports/cve-2024-1737.md|27 col 162| [Vale.Spelling] Did you really mean 'occurence'?
docs/docs-content/security-bulletins/reports/cve-2024-1737.md|44 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/05/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-1737.md|45 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/05/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-0760.md|21 col 195| [Vale.Spelling] Did you really mean 'ACLs'?
docs/docs-content/security-bulletins/reports/cve-2024-0760.md|26 col 80| [Vale.Spelling] Did you really mean 'cve'?
docs/docs-content/security-bulletins/reports/cve-2024-0760.md|26 col 160| [write-good.ThereIs] Don't start a sentence with 'There are'.
docs/docs-content/security-bulletins/reports/cve-2024-0760.md|43 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/05/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-0760.md|44 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/05/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-45491.md|21 col 28| [Vale.Spelling] Did you really mean 'libexpat'?
docs/docs-content/security-bulletins/reports/cve-2024-45491.md|21 col 51| [Vale.Spelling] Did you really mean 'dtdCopy'?
docs/docs-content/security-bulletins/reports/cve-2024-45491.md|25 col 22| [spectrocloud-docs-internal.future] Avoid documenting features that are not available at present. You mentioned 'coming soon'.
docs/docs-content/security-bulletins/reports/cve-2024-45491.md|41 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/05/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-45491.md|42 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/05/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-1975.md|26 col 71| [Vale.Spelling] Did you really mean 'vulenerability'?
docs/docs-content/security-bulletins/reports/cve-2024-1975.md|26 col 107| [Vale.Spelling] Did you really mean 'cve'?
docs/docs-content/security-bulletins/reports/cve-2024-1975.md|27 col 25| [write-good.ThereIs] Don't start a sentence with 'There are'.
docs/docs-content/security-bulletins/reports/cve-2024-1975.md|27 col 95| [Vale.Spelling] Did you really mean 'occurence'?
docs/docs-content/security-bulletins/reports/cve-2024-1975.md|43 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/05/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-1975.md|44 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/05/2024'.
|
|
||
| ## NIST CVE Summary | ||
|
|
||
| An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'libexpat'?
|
|
||
| ## Our Official Summary | ||
|
|
||
| Our official summary coming soon. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[spectrocloud-docs-internal.future] Avoid documenting features that are not available at present. You mentioned 'coming soon'.
|
|
||
| ## Revision History | ||
|
|
||
| - 1.0 09/05/2024 Initial Publication |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '09/05/2024'.
| ## Revision History | ||
|
|
||
| - 1.0 09/05/2024 Initial Publication | ||
| - 2.0 09/05/2024 Added Palette VerteX 4.4.14 to Affected Products |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '09/05/2024'.
|
|
||
| ## NIST CVE Summary | ||
|
|
||
| An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'libexpat'?
|
|
||
| ## NIST CVE Summary | ||
|
|
||
| Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'RRs'?
|
|
||
| ## Our Official Summary | ||
|
|
||
| This vulnerability can be exploited if resolver caches and authoritative zone databases hold significant numbers of RRs for the same hostname (of any RTYPE). Services will |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'RRs'?
| ## Our Official Summary | ||
|
|
||
| This vulnerability can be exploited if resolver caches and authoritative zone databases hold significant numbers of RRs for the same hostname (of any RTYPE). Services will | ||
| suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. In order to exploit this vulenerability, image in |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'vulenerability'?
|
|
||
| This vulnerability can be exploited if resolver caches and authoritative zone databases hold significant numbers of RRs for the same hostname (of any RTYPE). Services will | ||
| suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. In order to exploit this vulenerability, image in | ||
| which this cve is reported has to be compromised and hacker has to gain privileged access. There are sufficient controls in place to consider the probability of occurence as |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'cve'?
|
|
||
| This vulnerability can be exploited if resolver caches and authoritative zone databases hold significant numbers of RRs for the same hostname (of any RTYPE). Services will | ||
| suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. In order to exploit this vulenerability, image in | ||
| which this cve is reported has to be compromised and hacker has to gain privileged access. There are sufficient controls in place to consider the probability of occurence as |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[write-good.ThereIs] Don't start a sentence with 'There are'.
There was a problem hiding this comment.
Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit
vale
docs/docs-content/security-bulletins/reports/cve-2024-1975.md|30 col 37| [Vale.Spelling] Did you really mean 'cve'?
docs/docs-content/security-bulletins/reports/cve-2024-1975.md|31 col 1| [write-good.ThereIs] Don't start a sentence with 'There are'.
docs/docs-content/security-bulletins/reports/cve-2024-1975.md|31 col 71| [Vale.Spelling] Did you really mean 'occurence'?
docs/docs-content/security-bulletins/reports/cve-2024-1975.md|48 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/05/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-1975.md|49 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/05/2024'.
|
|
||
| ## NIST CVE Summary | ||
|
|
||
| An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'libexpat'?
| ## Revision History | ||
|
|
||
| - 1.0 09/05/2024 Initial Publication | ||
| - 2.0 09/05/2024 Added Palette VerteX 4.4.14 to Affected Products |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '09/05/2024'.
| ## Revision History | ||
|
|
||
| - 1.0 09/05/2024 Initial Publication | ||
| - 2.0 09/05/2024 Added Palette VerteX 4.4.14 to Affected Products |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '09/05/2024'.
|
|
||
| ## NIST CVE Summary | ||
|
|
||
| There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'CPython'?
| ## NIST CVE Summary | ||
|
|
||
| There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking | ||
| during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Google.LyHyphens] 'specifically-crafted' doesn't need a hyphen.
|
|
||
| ## Revision History | ||
|
|
||
| - 1.0 09/05/2024 Initial Publication |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '09/05/2024'.
| ## Revision History | ||
|
|
||
| - 1.0 09/05/2024 Initial Publication | ||
| - 2.0 09/05/2024 Added Palette VerteX 4.4.14 to Affected Products |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '09/05/2024'.
|
|
||
| This vulnerability can be exploited by a client only if a server hosts a zone containing a “KEY” Resource Record, or a | ||
| resolver DNSSEC-validates a “KEY” Resource Record from a DNSSEC-signed domain in cache. In order to exploit this | ||
| vulenerability, image in which this cve is reported has to be compromised and hacker has to gain privileged access. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'vulenerability'?
|
|
||
| This vulnerability can be exploited by a client only if a server hosts a zone containing a “KEY” Resource Record, or a | ||
| resolver DNSSEC-validates a “KEY” Resource Record from a DNSSEC-signed domain in cache. In order to exploit this | ||
| vulenerability, image in which this cve is reported has to be compromised and hacker has to gain privileged access. |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'cve'?
| This vulnerability can be exploited by a client only if a server hosts a zone containing a “KEY” Resource Record, or a | ||
| resolver DNSSEC-validates a “KEY” Resource Record from a DNSSEC-signed domain in cache. In order to exploit this | ||
| vulenerability, image in which this cve is reported has to be compromised and hacker has to gain privileged access. | ||
| There are sufficient controls in place to consider the probability of occurence as low. There is a fix available |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[write-good.ThereIs] Don't start a sentence with 'There are'.
| This vulnerability can be exploited by a client only if a server hosts a zone containing a “KEY” Resource Record, or a | ||
| resolver DNSSEC-validates a “KEY” Resource Record from a DNSSEC-signed domain in cache. In order to exploit this | ||
| vulenerability, image in which this cve is reported has to be compromised and hacker has to gain privileged access. | ||
| There are sufficient controls in place to consider the probability of occurence as low. There is a fix available |
There was a problem hiding this comment.
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'occurence'?
karl-cardenas-coding
added
auto-backport
* 9-5-24 cve updates * ci: auto-formatting prettier issues --------- Co-authored-by: frederickjoi <[email protected]> Co-authored-by: Karl Cardenas <[email protected]> (cherry picked from commit 75533c6)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation and see the Github Action logs for details |
* 9-5-24 cve updates * ci: auto-formatting prettier issues --------- Co-authored-by: frederickjoi <[email protected]> Co-authored-by: Karl Cardenas <[email protected]> (cherry picked from commit 75533c6) Co-authored-by: frederickjoi <[email protected]>
|
🎉 This issue has been resolved in version 4.4.13 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
Describe the Change
addition of 9 new cves
This PR ....
Changed Pages
💻 Add Preview URL for Page
Jira Tickets
🎫 Jira Ticket
Backports
Can this PR be backported?