9-15-24 palette cve updates #3930
✅ Deploy Preview for docs-spectrocloud ready!
Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit
vale
docs/docs-content/security-bulletins/reports/cve-2022-45061.md|31 col 155| [spectrocloud-docs-internal.ableism] Avoid using ableism terms. Use 'operating' instead of 'running'.
docs/docs-content/security-bulletins/reports/cve-2022-45061.md|32 col 48| [Vale.Spelling] Did you really mean 'idna'?
docs/docs-content/security-bulletins/reports/cve-2022-48560.md|25 col 34| [Vale.Spelling] Did you really mean 'upto'?
docs/docs-content/security-bulletins/reports/cve-2022-48560.md|25 col 89| [Vale.Spelling] Did you really mean 'heapq'?
docs/docs-content/security-bulletins/reports/cve-2022-41724.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2022-41724.md|21 col 320| [Vale.Terms] Use 'config' instead of 'Config'.
docs/docs-content/security-bulletins/reports/cve-2022-41724.md|21 col 433| [Vale.Terms] Use 'config' instead of 'Config'.
docs/docs-content/security-bulletins/reports/cve-2022-41724.md|41 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2022-41724.md|42 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-3651.md|29 col 5| [Vale.Spelling] Did you really mean 'idna'?
docs/docs-content/security-bulletins/reports/cve-2024-3651.md|29 col 111| [spectrocloud-docs-internal.acronym] Use title case to define the acronym '(IDNA)'.
docs/docs-content/security-bulletins/reports/cve-2024-3651.md|30 col 79| [Vale.Spelling] Did you really mean 'idna'?
docs/docs-content/security-bulletins/reports/cve-2023-45287.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-45287.md|41 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-45287.md|42 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24540.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24540.md|25 col 76| [Vale.Spelling] Did you really mean 'html'?
docs/docs-content/security-bulletins/reports/cve-2023-24540.md|26 col 89| [spectrocloud-docs-internal.ableism] Avoid using ableism terms. Use 'operating' instead of 'running'.
docs/docs-content/security-bulletins/reports/cve-2023-24540.md|28 col 77| [write-good.So] Don't start a sentence with 'So '.
docs/docs-content/security-bulletins/reports/cve-2023-24540.md|45 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24540.md|46 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24329.md|26 col 165| [Vale.Spelling] Did you really mean 'urlparse'?
docs/docs-content/security-bulletins/reports/cve-2024-6232.md|26 col 48| [Vale.Spelling] Did you really mean 'tarfile'?
docs/docs-content/security-bulletins/reports/cve-2024-6232.md|26 col 66| [Vale.Spelling] Did you really mean 'specificlly'?
docs/docs-content/security-bulletins/reports/cve-2024-6232.md|26 col 86| [spectrocloud-docs-internal.file-type] Incorrect file type reference. Use 'TAR file'.
docs/docs-content/security-bulletins/reports/cve-2024-6232.md|26 col 137| [Vale.Spelling] Did you really mean 'tarfile'?
docs/docs-content/security-bulletins/reports/cve-2024-6232.md|27 col 373| [spectrocloud-docs-internal.file-type] Incorrect file type reference. Use 'TAR file'.
docs/docs-content/security-bulletins/reports/cve-2024-6232.md|27 col 509| [Vale.Terms] Use 'we' instead of 'We'.
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|21 col 59| [Google.Latin] Use 'for example' instead of 'e.g.'.
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|25 col 22| [Vale.Spelling] Did you really mean 'golang'?
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|27 col 1| [spectrocloud-docs-internal.acronym] Use title case to define the acronym '(XSS)'.
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|27 col 99| [Google.Ordinal] Spell out all ordinal numbers ('3rd') in text.
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|27 col 149| [write-good.So] Don't start a sentence with 'So '.
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|27 col 249| [Vale.Spelling] Did you really mean 'upsteam'?
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|43 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|44 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-29403.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-29403.md|21 col 80| [spectrocloud-docs-internal.ableism] Avoid using ableism terms. Use 'issue' instead of 'run'.
docs/docs-content/security-bulletins/reports/cve-2023-29403.md|41 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-29403.md|42 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2022-28357.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2022-28357.md|25 col 35| [Vale.Spelling] Did you really mean 'nats'?
docs/docs-content/security-bulletins/reports/cve-2022-28357.md|43 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2022-28357.md|44 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|25 col 116| [Vale.Spelling] Did you really mean 'firefox'?
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|25 col 172| [Vale.Spelling] Did you really mean 'thare'?
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|26 col 17| [Vale.Spelling] Did you really mean 'instancs'?
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|26 col 168| [Google.Ordinal] Spell out all ordinal numbers ('3rd') in text.
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|42 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|43 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24537.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24537.md|41 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24537.md|42 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|21 col 250| [Vale.Spelling] Did you really mean 'submodule's'?
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|21 col 262| [Vale.Spelling] Did you really mean 'worktree'?
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|21 col 385| [spectrocloud-docs-internal.ableism] Avoid using ableism terms. Use 'operating' instead of 'running'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|21 col 615| [Google.Latin] Use 'for example' instead of 'e.g.'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|26 col 156| [write-good.ThereIs] Don't start a sentence with 'There are'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|43 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|44 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/reports.md|162 col 138| [Vale.Spelling] Did you really mean 'Libtiff'?
docs/docs-content/security-bulletins/reports/reports.md|164 col 138| [Vale.Spelling] Did you really mean 'Github'?
docs/docs-content/security-bulletins/reports/cve-2023-24534.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24534.md|41 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24534.md|42 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2022-48565.md|27 col 244| [Google.Ordinal] Spell out all ordinal numbers ('3rd') in text.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|21 col 53| [Vale.Spelling] Did you really mean 'Javascript'?
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|21 col 229| [Vale.Spelling] Did you really mean 'Javascript'?
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|21 col 343| [Vale.Spelling] Did you really mean 'Javascript'?
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|21 col 495| [spectrocloud-docs-internal.condescending] Using 'simply' may come across as condescending.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|21 col 495| [alex.Condescending] Using 'simply' may come across as condescending.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|21 col 563| [Google.Latin] Use 'for example' instead of 'e.g.'.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|21 col 604| [spectrocloud-docs-internal.condescending] Using 'obviously' may come across as condescending.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|21 col 604| [alex.Condescending] Using 'obviously' may come across as condescending.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|21 col 848| [Vale.Spelling] Did you really mean 'unexported'?
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|41 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|42 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24536.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24536.md|21 col 276| [Vale.Spelling] Did you really mean 'undercount'?
docs/docs-content/security-bulletins/reports/cve-2023-24536.md|21 col 934| [Vale.Terms] Use 'HTTP' instead of 'http'.
docs/docs-content/security-bulletins/reports/cve-2023-24536.md|41 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24536.md|42 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
> ## Last Update
>
> 09/15/2024
🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
> ## NIST CVE Summary
>
> A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.

🚫 [vale] reported by reviewdog 🐶
[spectrocloud-docs-internal.acronym] Use title case to define the acronym '(SEGV)'.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'libtiff'?
> ## Revision History
>
> - 1.0 09/15/2024 Initial Publication
🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
> ## Revision History
>
> - 1.0 09/15/2024 Initial Publication
> - 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products
🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
> ## NIST CVE Summary
>
> A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct.
>
> Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'reenabled'?

🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'HTTP' instead of 'http'.

🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'HTTP' instead of 'http'.

> ## Revision History
>
> - 1.0 09/15/2024 Initial Publication

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
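The net/http and mime/multipart summary quoted above closes with the mitigation that is available to callers on any Go version: wrap the request body in `http.MaxBytesReader` before any form-parsing method runs, so the bytes that `ReadForm` can buffer in memory or spill to temporary files are bounded by the caller rather than by the 10MB + maxMemory budget. The Go program below is an added example written for this page; it is not code from the Spectro Cloud docs or from the Go project. The handler name, the 64 KiB request cap, the 16 KiB in-memory budget, and the multipart bodies it drives through `httptest` are all assumptions constructed for the illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// Limits chosen for this example (assumptions, not values from the bulletin).
const (
	maxRequestBytes = 64 << 10 // hard cap on the whole request body
	maxMemoryBytes  = 16 << 10 // maxMemory passed to ParseMultipartForm
)

// uploadHandler applies the mitigation named in the CVE text: the body is
// wrapped in http.MaxBytesReader before ParseMultipartForm reads it, so a
// request larger than maxRequestBytes fails instead of being buffered to
// memory and temporary files at the attacker's chosen size.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxRequestBytes)
	if err := r.ParseMultipartForm(maxMemoryBytes); err != nil {
		// Hitting the cap surfaces here as a read error from the body;
		// a malformed multipart body lands here too.
		http.Error(w, "form too large or malformed", http.StatusRequestEntityTooLarge)
		return
	}
	// Remove any temporary file ReadForm spilled to disk once the handler is done.
	defer r.MultipartForm.RemoveAll()
	f, hdr, err := r.FormFile("file")
	if err != nil {
		http.Error(w, "missing file part", http.StatusBadRequest)
		return
	}
	defer f.Close()
	fmt.Fprintf(w, "accepted %s (%d bytes)", hdr.Filename, hdr.Size)
}

// buildMultipart constructs a multipart/form-data body containing one file
// part of the given size; the payload is synthetic filler.
func buildMultipart(size int) (body *bytes.Buffer, contentType string) {
	body = &bytes.Buffer{}
	mw := multipart.NewWriter(body)
	fw, _ := mw.CreateFormFile("file", "payload.bin")
	fw.Write(bytes.Repeat([]byte("A"), size))
	mw.Close()
	return body, mw.FormDataContentType()
}

// postForm sends a constructed upload of payloadSize bytes through
// uploadHandler in-process and returns the HTTP status it produced.
func postForm(payloadSize int) int {
	body, ct := buildMultipart(payloadSize)
	req := httptest.NewRequest(http.MethodPost, "/upload", body)
	req.Header.Set("Content-Type", ct)
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("1 KiB upload status:", postForm(1<<10))  // 200
	fmt.Println("1 MiB upload status:", postForm(1<<20))  // 413
}
```

The order matters: `MaxBytesReader` must wrap `r.Body` before `ParseMultipartForm`, `FormFile`, `FormValue` or `PostFormValue` is called, since each of those triggers the parse on first use. The cap bounds both the in-memory and the on-disk footprint of one request; it does not change the per-form `maxMemory` accounting the CVE text describes, so pick `maxMemoryBytes` small enough that the concurrent requests a server will accept cannot exhaust memory together.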
Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit
vale
docs/docs-content/security-bulletins/reports/cve-2022-41724.md|24 col 75| [Vale.Terms] Use 'config' instead of 'Config'.
docs/docs-content/security-bulletins/reports/cve-2022-41724.md|44 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2022-41724.md|45 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-45287.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-45287.md|45 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-45287.md|46 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24540.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24540.md|27 col 76| [Vale.Spelling] Did you really mean 'html'?
docs/docs-content/security-bulletins/reports/cve-2023-24540.md|29 col 1| [spectrocloud-docs-internal.ableism] Avoid using ableism terms. Use 'operating' instead of 'running'.
docs/docs-content/security-bulletins/reports/cve-2023-24540.md|31 col 63| [write-good.So] Don't start a sentence with 'So '.
docs/docs-content/security-bulletins/reports/cve-2023-24540.md|48 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24540.md|49 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-6232.md|26 col 48| [Vale.Spelling] Did you really mean 'tarfile'?
docs/docs-content/security-bulletins/reports/cve-2024-6232.md|26 col 66| [Vale.Spelling] Did you really mean 'specificlly'?
docs/docs-content/security-bulletins/reports/cve-2024-6232.md|26 col 86| [spectrocloud-docs-internal.file-type] Incorrect file type reference. Use 'TAR file'.
docs/docs-content/security-bulletins/reports/cve-2024-6232.md|27 col 20| [Vale.Spelling] Did you really mean 'tarfile'?
docs/docs-content/security-bulletins/reports/cve-2024-6232.md|30 col 70| [spectrocloud-docs-internal.file-type] Incorrect file type reference. Use 'TAR file'.
docs/docs-content/security-bulletins/reports/cve-2024-6232.md|31 col 92| [Vale.Terms] Use 'we' instead of 'We'.
docs/docs-content/security-bulletins/reports/cve-2023-24329.md|27 col 52| [Vale.Spelling] Did you really mean 'urlparse'?
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|21 col 59| [Google.Latin] Use 'for example' instead of 'e.g.'.
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|27 col 22| [Vale.Spelling] Did you really mean 'golang'?
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|29 col 111| [spectrocloud-docs-internal.acronym] Use title case to define the acronym '(XSS)'.
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|30 col 93| [Google.Ordinal] Spell out all ordinal numbers ('3rd') in text.
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|31 col 24| [write-good.So] Don't start a sentence with 'So '.
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|32 col 4| [Vale.Spelling] Did you really mean 'upsteam'?
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|48 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-29400.md|49 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-29403.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-29403.md|21 col 80| [spectrocloud-docs-internal.ableism] Avoid using ableism terms. Use 'issue' instead of 'run'.
docs/docs-content/security-bulletins/reports/cve-2023-29403.md|45 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-29403.md|46 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|27 col 1| [Vale.Spelling] Did you really mean 'firefox'?
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|27 col 57| [Vale.Spelling] Did you really mean 'thare'?
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|27 col 79| [Vale.Spelling] Did you really mean 'instancs'?
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|28 col 113| [Google.Ordinal] Spell out all ordinal numbers ('3rd') in text.
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|45 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|46 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24537.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24537.md|42 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24537.md|43 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2022-28357.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2022-28357.md|26 col 35| [Vale.Spelling] Did you really mean 'nats'?
docs/docs-content/security-bulletins/reports/cve-2022-28357.md|45 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2022-28357.md|46 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|23 col 20| [Vale.Spelling] Did you really mean 'submodule's'?
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|23 col 32| [Vale.Spelling] Did you really mean 'worktree'?
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|24 col 36| [spectrocloud-docs-internal.ableism] Avoid using ableism terms. Use 'operating' instead of 'running'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|26 col 29| [Google.Latin] Use 'for example' instead of 'e.g.'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|33 col 104| [write-good.ThereIs] Don't start a sentence with 'There are'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|51 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|52 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/reports.md|162 col 138| [Vale.Spelling] Did you really mean 'Libtiff'?
docs/docs-content/security-bulletins/reports/reports.md|164 col 138| [Vale.Spelling] Did you really mean 'Github'?
docs/docs-content/security-bulletins/reports/cve-2023-24534.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24534.md|46 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24534.md|47 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|21 col 53| [Vale.Spelling] Did you really mean 'Javascript'?
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|22 col 111| [Vale.Spelling] Did you really mean 'Javascript'?
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|23 col 104| [Vale.Spelling] Did you really mean 'Javascript'?
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|25 col 22| [alex.Condescending] Using 'simply' may come across as condescending.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|25 col 22| [spectrocloud-docs-internal.condescending] Using 'simply' may come across as condescending.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|25 col 90| [Google.Latin] Use 'for example' instead of 'e.g.'.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|26 col 13| [alex.Condescending] Using 'obviously' may come across as condescending.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|26 col 13| [spectrocloud-docs-internal.condescending] Using 'obviously' may come across as condescending.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|28 col 24| [Vale.Spelling] Did you really mean 'unexported'?
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|50 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|51 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2022-48565.md|29 col 42| [Google.Ordinal] Spell out all ordinal numbers ('3rd') in text.
docs/docs-content/security-bulletins/reports/cve-2023-24536.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24536.md|23 col 42| [Vale.Spelling] Did you really mean 'undercount'?
docs/docs-content/security-bulletins/reports/cve-2023-24536.md|28 col 108| [Vale.Terms] Use 'HTTP' instead of 'http'.
docs/docs-content/security-bulletins/reports/cve-2023-24536.md|55 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24536.md|56 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
## NIST CVE Summary

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Unmarshal'?

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'deserialize'?
## Revision History

- 1.0 09/15/2024 Initial Publication
- 2.0 09/15/2024 Added palette VerteX 4.4.18 to Affected Products

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
## NIST CVE Summary

A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the

🚫 [vale] reported by reviewdog 🐶
[spectrocloud-docs-internal.acronym] Use title case to define the acronym '(SEGV)'.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'libtiff'?
@@ -26,7 +26,11 @@ the processing time in a quadratic manner relative to the input size. | |||
|
|||
## Our Official Summary | |||
|
|||
Investigation is ongoing to determine how this vulnerability affects our products. | |||
The idna package is a Python library that provides support for Internationalized Domain Names in Applications (IDNA). It |
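Review bot: the lines added under `## Our Official Summary` sit directly after `Investigation is ongoing to determine how this vulnerability affects our products.`, so the section says both that the impact is undetermined and, in the text that follows, that versions before 3.7 of the idna package are affected and that enforcing the 253-character domain-name limit prevents the issue. The summary should state which applies to the Palette images, that is, whether the bundled idna package is 3.7 or later or whether the length limit is enforced, and either drop the "Investigation is ongoing" sentence once that is known or keep the package background in its own paragraph so the status line is not contradicted. The `idna` spelling finding is a package name and belongs in the Vale accept list rather than being reworded.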
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'idna'?
@@ -26,7 +26,11 @@ the processing time in a quadratic manner relative to the input size. | |||
|
|||
## Our Official Summary | |||
|
|||
Investigation is ongoing to determine how this vulnerability affects our products. | |||
The idna package is a Python library that provides support for Internationalized Domain Names in Applications (IDNA). It |
🚫 [vale] reported by reviewdog 🐶
[spectrocloud-docs-internal.acronym] Use title case to define the acronym '(IDNA)'.
Investigation is ongoing to determine how this vulnerability affects our products.
The idna package is a Python library that provides support for Internationalized Domain Names in Applications (IDNA). It
allows encoding and decoding of domain names containing non-ASCII characters. This vulnerability affects versions prior
to 3.7 of the idna package. Domain names cannot exceed 253 characters in length, so enforcing this limit can prevent the

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'idna'?
## Last Update

09/15/2024

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit
vale
docs/docs-content/security-bulletins/reports/cve-2023-29403.md|45 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-29403.md|46 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2022-28357.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2022-28357.md|26 col 35| [Vale.Spelling] Did you really mean 'nats'?
docs/docs-content/security-bulletins/reports/cve-2022-28357.md|45 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2022-28357.md|46 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|27 col 1| [Vale.Spelling] Did you really mean 'firefox'?
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|27 col 57| [Vale.Spelling] Did you really mean 'thare'?
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|27 col 79| [Vale.Spelling] Did you really mean 'instancs'?
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|28 col 113| [Google.Ordinal] Spell out all ordinal numbers ('3rd') in text.
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|45 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-0743.md|46 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24537.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24537.md|42 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24537.md|43 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|23 col 20| [Vale.Spelling] Did you really mean 'submodule's'?
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|23 col 32| [Vale.Spelling] Did you really mean 'worktree'?
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|24 col 36| [spectrocloud-docs-internal.ableism] Avoid using ableism terms. Use 'operating' instead of 'running'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|26 col 29| [Google.Latin] Use 'for example' instead of 'e.g.'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|33 col 104| [write-good.ThereIs] Don't start a sentence with 'There are'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|51 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2024-32002.md|52 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24534.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24534.md|46 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24534.md|47 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|26 col 42| [alex.Condescending] Using 'obviously' may come across as condescending.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|26 col 42| [spectrocloud-docs-internal.condescending] Using 'obviously' may come across as condescending.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|28 col 52| [Vale.Spelling] Did you really mean 'unexported'?
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|50 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24538.md|51 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2022-48565.md|29 col 42| [Google.Ordinal] Spell out all ordinal numbers ('3rd') in text.
docs/docs-content/security-bulletins/reports/reports.md|162 col 138| [Vale.Spelling] Did you really mean 'Libtiff'?
docs/docs-content/security-bulletins/reports/reports.md|164 col 138| [Vale.Spelling] Did you really mean 'Github'?
docs/docs-content/security-bulletins/reports/cve-2023-24536.md|17 col 1| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24536.md|23 col 42| [Vale.Spelling] Did you really mean 'undercount'?
docs/docs-content/security-bulletins/reports/cve-2023-24536.md|28 col 108| [Vale.Terms] Use 'HTTP' instead of 'http'.
docs/docs-content/security-bulletins/reports/cve-2023-24536.md|55 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
docs/docs-content/security-bulletins/reports/cve-2023-24536.md|56 col 7| [Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records
which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3
clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil
value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'config' instead of 'Config'.
## Revision History

- 1.0 09/15/2024 Initial Publication

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '09/15/2024'.
enable an attacker to inject arbitrary attributes into HTML tags, potentially leading to cross-site scripting (XSS)
attacks or other security vulnerabilities. All the images in which this CVE is reported are 3rd party images, which do
not process HTML data. So possibility of this vulnerability getting exploited in Spectro Cloud products is low. Waiting
on upsteam fixes.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'upsteam'?
## NIST CVE Summary

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can

🚫 [vale] reported by reviewdog 🐶
[spectrocloud-docs-internal.ableism] Avoid using ableism terms. Use 'issue' instead of 'run'.
improper handling of JavaScript whitespace characters in certain contexts, leading to potential security risks. Systems
using Golang Go versions up to 1.19.9 and from 1.20.0 to 1.20.4 are affected, particularly those using the html/template
package with JavaScript contexts containing actions and specific whitespace characters. The images in which
vulnerabilities are report do not use the html package. So possibility of this vulnerability getting exploited in

🚫 [vale] reported by reviewdog 🐶
[write-good.So] Don't start a sentence with 'So '.
@@ -18,7 +18,7 @@ tags: ["security", "cve"] | |||
|
|||
## NIST CVE Summary | |||
|
|||
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and | |||
runc is a CLI tool for spawning and using containers on Linux according to the OCI specification. In runc 1.1.11 and |
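Review bot: the only change in this hunk, `running` to `using` in `runc is a CLI tool for spawning and using containers on Linux according to the OCI specification.`, alters the meaning of the quoted NIST CVE summary; runc runs containers, and "using containers" is not what the upstream text says. Suggest restoring `running` and suppressing the ableism rule for the quoted summary (or adding the word to the vocabulary accept list), since text quoted from the upstream advisory should be reproduced verbatim rather than reworded to satisfy a style check.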
🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'runc'?
interpolation, the decision was made to simply disallow Go template actions from being used inside of them
e.g.`"var a = {{.}}"`, since there is no safe way to allow this behavior. This takes the same approach as
github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an
ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'unexported'?
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large
numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed
multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'undercount'?

numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers,
further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause
an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of
service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package

🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'HTTP' instead of 'http'.
* 9-15-24 palette cve updates
* ci: auto-formatting prettier issues
* chore: fixed symbol issues
* chore: fix redirect
* chore: vale fixes
---------
Co-authored-by: frederickjoi <[email protected]>
Co-authored-by: Karl Cardenas <[email protected]>
(cherry picked from commit 8fe8d40)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation and see the GitHub Action logs for details.
* 9-15-24 palette cve updates
* ci: auto-formatting prettier issues
* chore: fixed symbol issues
* chore: fix redirect
* chore: vale fixes
---------
Co-authored-by: frederickjoi <[email protected]>
Co-authored-by: Karl Cardenas <[email protected]>
(cherry picked from commit 8fe8d40)
Co-authored-by: frederickjoi <[email protected]>
🎉 This issue has been resolved in version 4.5.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Describe the Change
Loaded palette cves 9-15-24